From c00e18c63ab89fc23e9ffd8d56369b582d63652a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 22 Feb 2017 20:07:25 +0100 Subject: [PATCH 1/6] s3:passdb: use cli_credentials_set_kerberos_state() for trusts in pdb_get_trust_credentials() Trust accounts can only use kerberos when contacting other AD domains, using NTLMSSP will fail. At the same time it doesn't make sense to try kerberos for NT4 domains, still NTLMSSP will fail, but the callers has to deal with that case and just fallback to an anonymous SMB connection. In all cases we should be able to use NETLOGON SCHANNEL over any anonymous smb or tcp transport. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit d961ae9d14b46708d2693ca91ace04f9f1a53ca2) --- source3/passdb/passdb.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index f48c317..e7a9b43 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -2621,6 +2621,19 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain, status = NT_STATUS_NO_MEMORY; goto fail; } + + /* + * It's not possible to use NTLMSSP with a domain trust account. + */ + cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS); + } else { + /* + * We can't use kerberos against an NT4 domain. + * + * We should have a mode that also disallows NTLMSSP here, + * as only NETLOGON SCHANNEL is possible. + */ + cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS); } ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED); @@ -2635,6 +2648,10 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain, status = NT_STATUS_NO_MEMORY; goto fail; } + /* + * We currently can't do kerberos just with an NTHASH. + */ + cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS); goto done; } -- 1.9.1 
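Review bot: The `cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS)` added in the second hunk, on the path where only an NT hash is available, unconditionally replaces whatever the first hunk chose, so an AD trust whose credentials are NT-hash-only is now handed to NTLMSSP, which the commit message itself says cannot succeed for a trust account; the caller then lands on the anonymous fallback with no hint of why. If that is intended, the comment should say so, e.g. `/* We currently can't do kerberos just with an NTHASH; this overrides CRED_MUST_USE_KERBEROS set above for AD trusts, so callers must expect the NTLMSSP attempt to fail and fall back. */`. pdb_get_trust_credentials() starts and continues outside both hunks, so the assumption that the NT-hash path can be reached after the AD branch has run is inferred from the line order only.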
From f76de9679593b136128249c37b8dc3f6a4a03194 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 23 Feb 2017 11:54:21 +0100 Subject: [PATCH 2/6] s3:winbindd: add more debugging to cm_prepare_connection() Any fallbacks to other authentication methods should be logged. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598 Signed-off-by: Stefan Metzmacher (similar to commit ba9d139ec3d71af184a24daf24356304c2e49144) --- source3/winbindd/winbindd_cm.c | 41 +++++++++++++++++++++++++++++++---------- 1 file changed, 31 insertions(+), 10 deletions(-) diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 3bb2fb4..610464d 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -1137,8 +1137,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, goto session_setup_done; } - DEBUG(4,("failed kerberos session setup with %s\n", - nt_errstr(result))); + DEBUG(1, ("Failed to use kerberos connecting to %s from %s " + "with kerberos principal [%s]\n", + controller, lp_netbios_name(), + machine_krb5_principal)); } if (krb5_state != CRED_MUST_USE_KERBEROS) { @@ -1156,10 +1158,15 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, machine_password, strlen(machine_password)+1, machine_domain); - } - if (NT_STATUS_IS_OK(result)) { - goto session_setup_done; + if (NT_STATUS_IS_OK(result)) { + goto session_setup_done; + } + + DEBUG(1, ("Failed to use NTLMSSP connecting to %s from %s " + "with username [%s]\\[%s]\n", + controller, lp_netbios_name(), + machine_domain, machine_account)); } /* @@ -1184,8 +1191,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, goto anon_fallback; } - DEBUG(4, ("authenticated session setup failed with %s\n", - nt_errstr(result))); + DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n", + controller, + cli_credentials_get_unparsed_name(creds, talloc_tos()), + nt_errstr(result))); goto done; 
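Review bot: The new kerberos failure message in the first hunk drops `nt_errstr(result)`, which the replaced DEBUG(4) line did print, so the reason for the kerberos failure is no longer logged at any level; the NTLMSSP failure message added in the second hunk, and the matching one in the `@@ -1224` hunk, likewise omit the status. Suggest appending the status to each, e.g. `"with kerberos principal [%s]: %s\n", controller, lp_netbios_name(), machine_krb5_principal, nt_errstr(result)));`. cm_prepare_connection() begins well before the first hunk, so it is assumed here that `result` still holds the failing status at the point each DEBUG runs.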
@@ -1224,6 +1233,11 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, goto session_setup_done; } + DEBUG(1, ("Failed to use NTLMSSP connecting to %s from %s " + "with username " + "[%s]\\[%s]\n", controller, lp_netbios_name(), + machine_domain, machine_account)); + /* * If we are not going to validiate the conneciton * with SMB signing, then allow us to fall back to @@ -1238,8 +1252,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, goto anon_fallback; } - DEBUG(4, ("authenticated session setup failed with %s\n", - nt_errstr(result))); + DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n", + controller, + cli_credentials_get_unparsed_name(creds, talloc_tos()), + nt_errstr(result))); goto done; @@ -1251,7 +1267,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, } /* Fall back to anonymous connection, this might fail later */ - DEBUG(10,("cm_prepare_connection: falling back to anonymous " + DEBUG(5,("cm_prepare_connection: falling back to anonymous " "connection for DC %s\n", controller )); @@ -1263,6 +1279,9 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, goto session_setup_done; } + DEBUG(1, ("anonymous session setup to %s failed with %s\n", + controller, nt_errstr(result))); + /* We can't session setup */ goto done; @@ -1308,6 +1327,8 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, } if (!NT_STATUS_IS_OK(result)) { + DEBUG(1, ("Failed to prepare SMB connection to %s: %s\n", + controller, nt_errstr(result))); winbind_add_failed_connection_entry(domain, controller, result); if ((*cli) != NULL) { cli_shutdown(*cli); -- 1.9.1 From 59ae3c5f1415adf8a5b5a650d1bde71b9182a50e Mon Sep 17 00:00:00 2001 
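Review bot: The anonymous fallback message in the `@@ -1251` hunk is raised only from level 10 to level 5, while every other message introduced by this change, including the anonymous failure and the final `Failed to prepare SMB connection` line, is at level 1; yet the switch from an authenticated session to an anonymous one is the downgrade an operator reading these logs most needs to see, and the comment above `goto anon_fallback` shows the path is taken only when the connection will not be validated with SMB signing. Suggest `DEBUG(1,("cm_prepare_connection: falling back to anonymous "` so the downgrade is visible at the same level as the failures that caused it. The rest of cm_prepare_connection() lies outside these hunks.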
From: Stefan Metzmacher Date: Wed, 22 Feb 2017 20:07:25 +0100 Subject: [PATCH 3/6] s3:winbindd: rely on the kerberos_state from pdb_get_trust_credentials() The implementation of pdb_get_trust_credentials() should have all the details to set the kerberos_state to a useful value. This should enable the fallback to NTLMSSP again, when using our machine account against trusted domains. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 51caeb7c538b7546e5feccf27a735bb803c78a0b) --- source3/winbindd/winbindd_cm.c | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 610464d..d1dce73 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -936,17 +936,6 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain, goto ipc_fallback; } - if (domain->primary && lp_security() == SEC_ADS) { - cli_credentials_set_kerberos_state(creds, - CRED_AUTO_USE_KERBEROS); - } else if (domain->active_directory) { - cli_credentials_set_kerberos_state(creds, - CRED_MUST_USE_KERBEROS); - } else { - cli_credentials_set_kerberos_state(creds, - CRED_DONT_USE_KERBEROS); - } - if (creds_domain != domain) { /* * We can only use schannel against a direct trust -- 1.9.1 From 4ab71955867ae12dfde22b5051d1647384adb780 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 23 Feb 2017 11:54:21 +0100 Subject: [PATCH 4/6] s3:libads: add more debugging to ads_sasl_spnego_bind() Any fallbacks to other authentication methods should be logged. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598 Signed-off-by: Stefan Metzmacher (similar to commit ea0bc12ba52166032d5112ee22ab53d831c13e86) --- source3/libads/sasl.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 39c60c3..c2564cb 100644 
--- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -703,6 +703,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) #ifdef HAVE_KRB5 bool got_kerberos_mechanism = False; #endif + const char *mech = NULL; rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred); @@ -749,6 +750,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && got_kerberos_mechanism) { + mech = "KRB5"; + if (ads->auth.password == NULL || ads->auth.password[0] == '\0') { @@ -775,7 +778,11 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) blob); if (!ADS_ERR_OK(status)) { DEBUG(0,("kinit succeeded but " - "ads_sasl_spnego_gensec_bind(KRB5) failed: %s\n", + "ads_sasl_spnego_gensec_bind(KRB5) failed: " + "for %s/%s user[%s] realm[%s]: %s\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, ads_errstr(status))); } } @@ -785,17 +792,33 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { goto done; } + + DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed for %s/%s " + "with user[%s] realm[%s]: %s, fallback to NTLMSSP\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, + ads_errstr(status))); } #endif /* lets do NTLMSSP ... this has the big advantage that we don't need to sync clocks, and we don't rely on special versions of the krb5 library for HMAC_MD4 encryption */ + mech = "NTLMSSP"; status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", CRED_DONT_USE_KERBEROS, p.service, p.hostname, data_blob_null); done: + if (!ADS_ERR_OK(status)) { + DEBUG(1,("ads_sasl_spnego_gensec_bind(%s) failed for %s/%s " + "with user[%s] realm=[%s]: %s\n", mech, + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, + ads_errstr(status))); + } ads_free_service_principal(&p); TALLOC_FREE(frame); if (blob.data != NULL) { -- 1.9.1 From 559d39e557999313c8fa1ef0b88df8a8c983aaf9 Mon Sep 17 00:00:00 2001 
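Review bot: At the `done:` label `mech` is passed to `%s` but is still NULL on any path that reaches `done:` before either `mech = "KRB5"` or `mech = "NTLMSSP"` has run; within the hunks the only `goto done` follows the KRB5 assignment, but the code between the initial `ldap_sasl_bind_s()` and the kerberos check is outside the hunks, so whether such a path exists cannot be confirmed here. Initialising the variable defensively, `const char *mech = "<none>";`, removes the hazard without altering any visible path. The new `done:` message also spells the realm as `realm=[%s]` while the other two new messages use `realm[%s]`; aligning them keeps the log greppable.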
From: Stefan Metzmacher Date: Wed, 22 Feb 2017 21:18:32 +0100 Subject: [PATCH 5/6] s3:winbindd: allow a fallback to NTLMSSP for LDAP connections This matches the behaviour of pdb_get_trust_credentials() for our machine account and allows us to fallback to NTLMSSP when contacting trusted domains. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 4e9a0894cd977585ccc94e7c1811de1b0293382d) --- source3/winbindd/winbindd_ads.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c index dc92a4a..febde5e 100644 --- a/source3/winbindd/winbindd_ads.c +++ b/source3/winbindd/winbindd_ads.c @@ -119,6 +119,8 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, ads->auth.renewable = renewable; ads->auth.password = password; + ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; + ads->auth.realm = SMB_STRDUP(auth_realm); if (!strupper_m(ads->auth.realm)) { ads_destroy(&ads); -- 1.9.1 From 30b701149ec35519b53e4fa6babd266ec669f9c1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 22 Feb 2017 21:29:50 +0100 Subject: [PATCH 6/6] s3:idmap_ad: make use of pdb_get_trust_credentials() to get the machine account creds This is mostly a cosmetic change currently. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Feb 24 22:34:48 CET 2017 on sn-devel-144 (cherry picked from commit 3d7fed0f2883d529bb635fc6df86f39d5a434d25) --- source3/winbindd/idmap_ad.c | 36 +++++++++++++----------------------- 1 file changed, 13 insertions(+), 23 deletions(-) diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c index c385cf0..94de255 100644 --- a/source3/winbindd/idmap_ad.c +++ b/source3/winbindd/idmap_ad.c 
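Review bot: `ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP` is applied to every connection built by ads_cached_connection_connect(), with no distinction between the primary domain and a trusted one, whereas the commit message motivates the fallback only for contacting trusted domains; if this function also serves the primary domain (its start is outside the hunk), that is a broader relaxation than described and should at least be stated. A comment recording the intent would help the next reader, e.g. `/* Let the SPNEGO bind fall back to NTLMSSP when kerberos fails; ads_sasl_spnego_bind() logs that downgrade at level 1. */`, noting that the logging part holds only with patch 4 of this series applied.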
@@ -22,7 +22,7 @@ #include "idmap.h" #include "tldap_gensec_bind.h" #include "tldap_util.h" -#include "secrets.h" +#include "passdb.h" #include "lib/param/param.h" #include "utils/net.h" #include "auth/gensec/gensec.h" @@ -243,7 +243,6 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, const char *domname, struct tldap_context **pld) { - struct db_context *db_ctx; struct netr_DsRGetDCNameInfo *dcinfo; struct sockaddr_storage dcaddr; struct cli_credentials *creds; @@ -294,11 +293,19 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - creds = cli_credentials_init(dcinfo); - if (creds == NULL) { - DBG_DEBUG("cli_credentials_init failed\n"); + /* + * Here we use or own machine account as + * we run as domain member. + */ + status = pdb_get_trust_credentials(lp_workgroup(), + lp_realm(), + dcinfo, + &creds); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("pdb_get_trust_credentials() failed - %s\n", + nt_errstr(status)); TALLOC_FREE(dcinfo); - return NT_STATUS_NO_MEMORY; + return status; } lp_ctx = loadparm_init_s3(dcinfo, loadparm_s3_helpers()); @@ -308,23 +315,6 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - cli_credentials_set_conf(creds, lp_ctx); - - db_ctx = secrets_db_ctx(); - if (db_ctx == NULL) { - DBG_DEBUG("Failed to open secrets.tdb.\n"); - return NT_STATUS_INTERNAL_ERROR; - } - - status = cli_credentials_set_machine_account_db_ctx(creds, lp_ctx, - db_ctx); - if (!NT_STATUS_IS_OK(status)) { - DBG_DEBUG("cli_credentials_set_machine_account " - "failed: %s\n", nt_errstr(status)); - TALLOC_FREE(dcinfo); - return status; - } - rc = tldap_gensec_bind(ld, creds, "ldap", dcinfo->dc_unc, NULL, lp_ctx, GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL); if (!TLDAP_RC_IS_SUCCESS(rc)) { -- 1.9.1
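Review bot: The replaced block called `cli_credentials_set_conf(creds, lp_ctx)` before loading the machine account, and the new code never applies `lp_ctx` to the credentials returned by pdb_get_trust_credentials(); unless that helper does so internally (its body is not on this page, and as called here it receives only the workgroup, realm, a talloc context and the out pointer), whatever cli_credentials_set_conf() derives from loadparm is now missing from `creds`. Please confirm, and if the call is still needed keep `cli_credentials_set_conf(creds, lp_ctx);` after `loadparm_init_s3()` succeeds. The new comment also has a typo, `* Here we use our own machine account as`. idmap_ad_get_tldap_ctx() starts and ends outside these hunks.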