The Samba-Bugzilla – Attachment 12985 Details for
Bug 12598
winbindd (as member) requires kerberos against trusted ad domain, while it shouldn't
[patch]
Patches for v4-5-test
tmp45.diff.txt (text/plain), 14.03 KB, created by
Stefan Metzmacher
on 2017-02-27 19:20:05 UTC
Description:
Patches for v4-5-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2017-02-27 19:20:05 UTC
Size:
14.03 KB
>From c00e18c63ab89fc23e9ffd8d56369b582d63652a Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 22 Feb 2017 20:07:25 +0100
>Subject: [PATCH 1/6] s3:passdb: use cli_credentials_set_kerberos_state() for
> trusts in pdb_get_trust_credentials()
>
>Trust accounts can only use kerberos when contacting other AD domains,
>using NTLMSSP will fail.
>
>At the same time it doesn't make sense to try kerberos for NT4 domains,
>still NTLMSSP will fail, but the callers has to deal with that
>case and just fallback to an anonymous SMB connection.
>
>In all cases we should be able to use NETLOGON SCHANNEL
>over any anonymous smb or tcp transport.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit d961ae9d14b46708d2693ca91ace04f9f1a53ca2)
>---
> source3/passdb/passdb.c | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
>diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
>index f48c317..e7a9b43 100644
>--- a/source3/passdb/passdb.c
>+++ b/source3/passdb/passdb.c
>@@ -2621,6 +2621,19 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
> status = NT_STATUS_NO_MEMORY;
> goto fail;
> }
>+
>+ /*
>+ * It's not possible to use NTLMSSP with a domain trust account.
>+ */
>+ cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
>+ } else {
>+ /*
>+ * We can't use kerberos against an NT4 domain.
>+ *
>+ * We should have a mode that also disallows NTLMSSP here,
>+ * as only NETLOGON SCHANNEL is possible.
>+ */
>+ cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
> }
>
> ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
>@@ -2635,6 +2648,10 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
> status = NT_STATUS_NO_MEMORY;
> goto fail;
> }
>+ /*
>+ * We currently can't do kerberos just with an NTHASH.
>+ */
>+ cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
> goto done;
> }
>
>--
>1.9.1
>
>
>From f76de9679593b136128249c37b8dc3f6a4a03194 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 23 Feb 2017 11:54:21 +0100
>Subject: [PATCH 2/6] s3:winbindd: add more debugging to
> cm_prepare_connection()
>
>Any fallbacks to other authentication methods should be logged.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>(similar to commit ba9d139ec3d71af184a24daf24356304c2e49144)
>---
> source3/winbindd/winbindd_cm.c | 41 +++++++++++++++++++++++++++++++----------
> 1 file changed, 31 insertions(+), 10 deletions(-)
>
>diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
>index 3bb2fb4..610464d 100644
>--- a/source3/winbindd/winbindd_cm.c
>+++ b/source3/winbindd/winbindd_cm.c
>@@ -1137,8 +1137,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> goto session_setup_done;
> }
>
>- DEBUG(4,("failed kerberos session setup with %s\n",
>- nt_errstr(result)));
>+ DEBUG(1, ("Failed to use kerberos connecting to %s from %s "
>+ "with kerberos principal [%s]\n",
>+ controller, lp_netbios_name(),
>+ machine_krb5_principal));
> }
>
> if (krb5_state != CRED_MUST_USE_KERBEROS) {
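Review bot: The `cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS)` added on the NTHASH-only path silently overrides the `CRED_MUST_USE_KERBEROS` that this same function sets for trust accounts in the hunk at line 2621, so a trust credential that only has an NT hash will be offered over NTLMSSP, which the earlier comment says cannot work for a trust account, and the caller will end up in its anonymous fallback. The branch conditions and the rest of pdb_get_trust_credentials() are outside the hunk, so I cannot tell whether trust accounts can reach this path; if they can, the downgrade should at least be logged before the `goto done`, e.g. `DBG_DEBUG("only an NTHASH available for %s, kerberos disabled\n", account_name);`. If they cannot, a one-line comment stating that only the NTLMSSP-capable machine account reaches this point would remove the question.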
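Review bot: The replacement DEBUG(1) for the failed Kerberos session setup drops the `nt_errstr(result)` that the old DEBUG(4) printed, while the NTLMSSP-failure and session-setup messages added elsewhere in this patch do include the status, so the failure an admin most needs to diagnose (clock skew, wrong principal, unreachable KDC) is now logged without its cause. Append it: `"with kerberos principal [%s]: %s\n",` and `machine_krb5_principal, nt_errstr(result)));`. This hunk is in the middle of cm_prepare_connection(), which starts and ends outside it.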
>@@ -1156,10 +1158,15 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> machine_password,
> strlen(machine_password)+1,
> machine_domain);
>- }
>
>- if (NT_STATUS_IS_OK(result)) {
>- goto session_setup_done;
>+ if (NT_STATUS_IS_OK(result)) {
>+ goto session_setup_done;
>+ }
>+
>+ DEBUG(1, ("Failed to use NTLMSSP connecting to %s from %s "
>+ "with username [%s]\\[%s]\n",
>+ controller, lp_netbios_name(),
>+ machine_domain, machine_account));
> }
>
> /*
>@@ -1184,8 +1191,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> goto anon_fallback;
> }
>
>- DEBUG(4, ("authenticated session setup failed with %s\n",
>- nt_errstr(result)));
>+ DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n",
>+ controller,
>+ cli_credentials_get_unparsed_name(creds, talloc_tos()),
>+ nt_errstr(result)));
>
> goto done;
>
>@@ -1224,6 +1233,11 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> goto session_setup_done;
> }
>
>+ DEBUG(1, ("Failed to use NTLMSSP connecting to %s from %s "
>+ "with username "
>+ "[%s]\\[%s]\n", controller, lp_netbios_name(),
>+ machine_domain, machine_account));
>+
> /*
> * If we are not going to validiate the conneciton
> * with SMB signing, then allow us to fall back to
>@@ -1238,8 +1252,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> goto anon_fallback;
> }
>
>- DEBUG(4, ("authenticated session setup failed with %s\n",
>- nt_errstr(result)));
>+ DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n",
>+ controller,
>+ cli_credentials_get_unparsed_name(creds, talloc_tos()),
>+ nt_errstr(result)));
>
> goto done;
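Review bot: The `Failed to use NTLMSSP connecting to %s from %s with username [%s]\\[%s]` message added in the hunk at line 1233 is word-for-word the same as the one added at line 1158, and neither includes `nt_errstr(result)`, so at log level 1 the two NTLMSSP attempts in cm_prepare_connection() are indistinguishable and the failure reason is lost. Adding the status to both, e.g. `"[%s]\\[%s]: %s\n", controller, lp_netbios_name(),` followed by `machine_domain, machine_account, nt_errstr(result)));`, plus one distinguishing word in either text, would fix both problems. The function starts and ends outside these hunks.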
>
>@@ -1251,7 +1267,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> }
>
> /* Fall back to anonymous connection, this might fail later */
>- DEBUG(10,("cm_prepare_connection: falling back to anonymous "
>+ DEBUG(5,("cm_prepare_connection: falling back to anonymous "
> "connection for DC %s\n",
> controller ));
>
>@@ -1263,6 +1279,9 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> goto session_setup_done;
> }
>
>+ DEBUG(1, ("anonymous session setup to %s failed with %s\n",
>+ controller, nt_errstr(result)));
>+
> /* We can't session setup */
> goto done;
>
>@@ -1308,6 +1327,8 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> }
>
> if (!NT_STATUS_IS_OK(result)) {
>+ DEBUG(1, ("Failed to prepare SMB connection to %s: %s\n",
>+ controller, nt_errstr(result)));
> winbind_add_failed_connection_entry(domain, controller, result);
> if ((*cli) != NULL) {
> cli_shutdown(*cli);
>--
>1.9.1
>
>
>From 59ae3c5f1415adf8a5b5a650d1bde71b9182a50e Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 22 Feb 2017 20:07:25 +0100
>Subject: [PATCH 3/6] s3:winbindd: rely on the kerberos_state from
> pdb_get_trust_credentials()
>
>The implementation of pdb_get_trust_credentials() should have all
>the details to set the kerberos_state to a useful value.
>
>This should enable the fallback to NTLMSSP again, when using our
>machine account against trusted domains.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit 51caeb7c538b7546e5feccf27a735bb803c78a0b)
>---
> source3/winbindd/winbindd_cm.c | 11 -----------
> 1 file changed, 11 deletions(-)
>
>diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
>index 610464d..d1dce73 100644
>--- a/source3/winbindd/winbindd_cm.c
>+++ b/source3/winbindd/winbindd_cm.c
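Review bot: The anonymous fallback in the hunk at line 1267 is raised only from DEBUG(10) to DEBUG(5), while every other fallback and failure this patch touches is logged at level 1, although the commit message says fallbacks to other authentication methods should be logged and this is the most security-relevant downgrade in the function (an unauthenticated SMB session to the DC that the earlier authenticated attempts refused). Unless the anonymous path is expected in normal operation for NT4-style trusts, I would use `DEBUG(1,("cm_prepare_connection: falling back to anonymous "` so it appears next to the failure messages that led to it. cm_prepare_connection() starts and ends outside this hunk.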
>@@ -936,17 +936,6 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
> goto ipc_fallback;
> }
>
>- if (domain->primary && lp_security() == SEC_ADS) {
>- cli_credentials_set_kerberos_state(creds,
>- CRED_AUTO_USE_KERBEROS);
>- } else if (domain->active_directory) {
>- cli_credentials_set_kerberos_state(creds,
>- CRED_MUST_USE_KERBEROS);
>- } else {
>- cli_credentials_set_kerberos_state(creds,
>- CRED_DONT_USE_KERBEROS);
>- }
>-
> if (creds_domain != domain) {
> /*
> * We can only use schannel against a direct trust
>--
>1.9.1
>
>
>From 4ab71955867ae12dfde22b5051d1647384adb780 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 23 Feb 2017 11:54:21 +0100
>Subject: [PATCH 4/6] s3:libads: add more debugging to ads_sasl_spnego_bind()
>
>Any fallbacks to other authentication methods should be logged.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>(similar to commit ea0bc12ba52166032d5112ee22ab53d831c13e86)
>---
> source3/libads/sasl.c | 25 ++++++++++++++++++++++++-
> 1 file changed, 24 insertions(+), 1 deletion(-)
>
>diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
>index 39c60c3..c2564cb 100644
>--- a/source3/libads/sasl.c
>+++ b/source3/libads/sasl.c
>@@ -703,6 +703,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
> #ifdef HAVE_KRB5
> bool got_kerberos_mechanism = False;
> #endif
>+ const char *mech = NULL;
>
> rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred);
>
>@@ -749,6 +750,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
> if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
> got_kerberos_mechanism)
> {
>+ mech = "KRB5";
>+
> if (ads->auth.password == NULL ||
> ads->auth.password[0] == '\0')
> {
>@@ -775,7 +778,11 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
> blob);
> if (!ADS_ERR_OK(status)) {
> DEBUG(0,("kinit succeeded but "
>- "ads_sasl_spnego_gensec_bind(KRB5) failed: %s\n",
>+ "ads_sasl_spnego_gensec_bind(KRB5) failed: "
>+ "for %s/%s user[%s] realm[%s]: %s\n",
>+ p.service, p.hostname,
>+ ads->auth.user_name,
>+ ads->auth.realm,
> ads_errstr(status)));
> }
> }
>@@ -785,17 +792,33 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
> !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
> goto done;
> }
>+
>+ DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed for %s/%s "
>+ "with user[%s] realm[%s]: %s, fallback to NTLMSSP\n",
>+ p.service, p.hostname,
>+ ads->auth.user_name,
>+ ads->auth.realm,
>+ ads_errstr(status)));
> }
> #endif
>
> /* lets do NTLMSSP ... this has the big advantage that we don't need
> to sync clocks, and we don't rely on special versions of the krb5
> library for HMAC_MD4 encryption */
>+ mech = "NTLMSSP";
> status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
> CRED_DONT_USE_KERBEROS,
> p.service, p.hostname,
> data_blob_null);
> done:
>+ if (!ADS_ERR_OK(status)) {
>+ DEBUG(1,("ads_sasl_spnego_gensec_bind(%s) failed for %s/%s "
>+ "with user[%s] realm=[%s]: %s\n", mech,
>+ p.service, p.hostname,
>+ ads->auth.user_name,
>+ ads->auth.realm,
>+ ads_errstr(status)));
>+ }
> ads_free_service_principal(&p);
> TALLOC_FREE(frame);
> if (blob.data != NULL) {
>--
>1.9.1
>
>
>From 559d39e557999313c8fa1ef0b88df8a8c983aaf9 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 22 Feb 2017 21:18:32 +0100
>Subject: [PATCH 5/6] s3:winbindd: allow a fallback to NTLMSSP for LDAP
> connections
>
>This matches the behaviour of pdb_get_trust_credentials() for
>our machine account and allows us to fallback to NTLMSSP
>when contacting trusted domains.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
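Review bot: In the new block after `done:`, `mech` is passed to `%s` but is still the `NULL` it was initialised with in the hunk at line 703 if any `goto done` is taken before `mech = "KRB5"` or `mech = "NTLMSSP"` is assigned; the code between lines 709 and 749 is outside the hunk, so I cannot rule such a path out, and passing NULL to `%s` is undefined behaviour even though glibc happens to print `(null)`. Initialising it as `const char *mech = "GSS-SPNEGO";` (or guarding the DEBUG with `mech != NULL`) closes that. The new message also spells the realm as `realm=[%s]` while the two messages above use `realm[%s]`; one form would keep the log greppable. ads_sasl_spnego_bind() starts outside this hunk.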
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit 4e9a0894cd977585ccc94e7c1811de1b0293382d)
>---
> source3/winbindd/winbindd_ads.c | 2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
>index dc92a4a..febde5e 100644
>--- a/source3/winbindd/winbindd_ads.c
>+++ b/source3/winbindd/winbindd_ads.c
>@@ -119,6 +119,8 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
> ads->auth.renewable = renewable;
> ads->auth.password = password;
>
>+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
>+
> ads->auth.realm = SMB_STRDUP(auth_realm);
> if (!strupper_m(ads->auth.realm)) {
> ads_destroy(&ads);
>--
>1.9.1
>
>
>From 30b701149ec35519b53e4fa6babd266ec669f9c1 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 22 Feb 2017 21:29:50 +0100
>Subject: [PATCH 6/6] s3:idmap_ad: make use of pdb_get_trust_credentials() to
> get the machine account creds
>
>This is mostly a cosmetic change currently.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>
>Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
>Autobuild-Date(master): Fri Feb 24 22:34:48 CET 2017 on sn-devel-144
>
>(cherry picked from commit 3d7fed0f2883d529bb635fc6df86f39d5a434d25)
>---
> source3/winbindd/idmap_ad.c | 36 +++++++++++++-----------------------
> 1 file changed, 13 insertions(+), 23 deletions(-)
>
>diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
>index c385cf0..94de255 100644
>--- a/source3/winbindd/idmap_ad.c
>+++ b/source3/winbindd/idmap_ad.c
>@@ -22,7 +22,7 @@
> #include "idmap.h"
> #include "tldap_gensec_bind.h"
> #include "tldap_util.h"
>-#include "secrets.h"
>+#include "passdb.h"
> #include "lib/param/param.h"
> #include "utils/net.h"
> #include "auth/gensec/gensec.h"
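Review bot: `ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;` in the hunk at line 119 is set unconditionally, so every LDAP connection winbindd opens through ads_cached_connection_connect() — the primary domain included, as far as the hunk shows — will now retry with NTLMSSP and the machine account password whenever the Kerberos bind fails, which turns a KDC outage or a DC that rejects our ticket into a silent NTLM downgrade with no operator control. The series already decides per credential between CRED_MUST_USE_KERBEROS and CRED_DONT_USE_KERBEROS in pdb_get_trust_credentials(); if that state is available to this function (its parameters are above the hunk, so I cannot confirm), gating the flag on it, e.g. `if (krb5_state != CRED_MUST_USE_KERBEROS) { ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; }`, would keep trust accounts Kerberos-only as the first patch intends. At minimum the line needs a comment recording why: `/* Allow NTLMSSP as a fallback for trusted domains that reject our kerberos ticket (bug 12598) */`. The function starts and ends outside this hunk.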
>@@ -243,7 +243,6 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
> const char *domname,
> struct tldap_context **pld)
> {
>- struct db_context *db_ctx;
> struct netr_DsRGetDCNameInfo *dcinfo;
> struct sockaddr_storage dcaddr;
> struct cli_credentials *creds;
>@@ -294,11 +293,19 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
> return NT_STATUS_NO_MEMORY;
> }
>
>- creds = cli_credentials_init(dcinfo);
>- if (creds == NULL) {
>- DBG_DEBUG("cli_credentials_init failed\n");
>+ /*
>+ * Here we use or own machine account as
>+ * we run as domain member.
>+ */
>+ status = pdb_get_trust_credentials(lp_workgroup(),
>+ lp_realm(),
>+ dcinfo,
>+ &creds);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ DBG_DEBUG("pdb_get_trust_credentials() failed - %s\n",
>+ nt_errstr(status));
> TALLOC_FREE(dcinfo);
>- return NT_STATUS_NO_MEMORY;
>+ return status;
> }
>
> lp_ctx = loadparm_init_s3(dcinfo, loadparm_s3_helpers());
>@@ -308,23 +315,6 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
> return NT_STATUS_NO_MEMORY;
> }
>
>- cli_credentials_set_conf(creds, lp_ctx);
>-
>- db_ctx = secrets_db_ctx();
>- if (db_ctx == NULL) {
>- DBG_DEBUG("Failed to open secrets.tdb.\n");
>- return NT_STATUS_INTERNAL_ERROR;
>- }
>-
>- status = cli_credentials_set_machine_account_db_ctx(creds, lp_ctx,
>- db_ctx);
>- if (!NT_STATUS_IS_OK(status)) {
>- DBG_DEBUG("cli_credentials_set_machine_account "
>- "failed: %s\n", nt_errstr(status));
>- TALLOC_FREE(dcinfo);
>- return status;
>- }
>-
> rc = tldap_gensec_bind(ld, creds, "ldap", dcinfo->dc_unc, NULL, lp_ctx,
> GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
> if (!TLDAP_RC_IS_SUCCESS(rc)) {
>--
>1.9.1
>
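Review bot: The new comment in the hunk at line 293 reads `Here we use or own machine account as` — `or` should be `our`. Beyond the typo, a failure to obtain our own machine-account credentials is reported only with DBG_DEBUG (level 10), which matches the removed code but means every idmap_ad lookup fails with no hint at default log levels, while the rest of this series logs comparable authentication failures at level 1; if DBG_WARNING is available in this branch, `DBG_WARNING("pdb_get_trust_credentials() failed - %s\n", nt_errstr(status));` would be consistent. idmap_ad_get_tldap_ctx() starts and ends outside this hunk.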
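Review bot: The `cli_credentials_set_conf(creds, lp_ctx);` removed in the hunk at line 315 has no counterpart in the new code, so `creds` now reaches tldap_gensec_bind() with only whatever configuration pdb_get_trust_credentials() applies internally; if that function does not apply a loadparm context (its body is not in this patch), the smb.conf-derived credential settings the old code relied on are lost. If it does, a one-line comment above the bind such as `/* creds already carry the loadparm config from pdb_get_trust_credentials() */` would save the next reader the same question. The `lp_ctx` built just above is now used only by tldap_gensec_bind(), which is fine.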
Flags:
slow
:
review+