Attachment 12985 Details for Bug 12598 – Patches for v4-5-test

[patch] Patches for v4-5-test

tmp45.diff.txt (text/plain), 14.03 KB, created by Stefan Metzmacher on 2017-02-27 19:20:05 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Stefan Metzmacher

Created: 2017-02-27 19:20:05 UTC

Size: 14.03 KB

patch

obsolete

>From c00e18c63ab89fc23e9ffd8d56369b582d63652a Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 22 Feb 2017 20:07:25 +0100
>Subject: [PATCH 1/6] s3:passdb: use cli_credentials_set_kerberos_state() for
> trusts in pdb_get_trust_credentials()
>
>Trust accounts can only use kerberos when contacting other AD domains,
>using NTLMSSP will fail.
>
>At the same time it doesn't make sense to try kerberos for NT4 domains,
>still NTLMSSP will fail, but the callers has to deal with that
>case and just fallback to an anonymous SMB connection.
>
>In all cases we should be able to use NETLOGON SCHANNEL
>over any anonymous smb or tcp transport.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit d961ae9d14b46708d2693ca91ace04f9f1a53ca2)
>---
> source3/passdb/passdb.c | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
>diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
>index f48c317..e7a9b43 100644
>--- a/source3/passdb/passdb.c
>+++ b/source3/passdb/passdb.c
>@@ -2621,6 +2621,19 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
> 			status = NT_STATUS_NO_MEMORY;
> 			goto fail;
> 		}
>+
>+		/*
>+		 * It's not possible to use NTLMSSP with a domain trust account.
>+		 */
>+		cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
>+	} else {
>+		/*
>+		 * We can't use kerberos against an NT4 domain.
>+		 *
>+		 * We should have a mode that also disallows NTLMSSP here,
>+		 * as only NETLOGON SCHANNEL is possible.
>+		 */
>+		cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
> 	}
> 
> 	ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
>@@ -2635,6 +2648,10 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
> 			status = NT_STATUS_NO_MEMORY;
> 			goto fail;
> 		}
>+		/*
>+		 * We currently can't do kerberos just with an NTHASH.
>+		 */
>+		cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
> 		goto done;
> 	}
> 
>-- 
>1.9.1
>
>
>From f76de9679593b136128249c37b8dc3f6a4a03194 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 23 Feb 2017 11:54:21 +0100
>Subject: [PATCH 2/6] s3:winbindd: add more debugging to
> cm_prepare_connection()
>
>Any fallbacks to other authentication methods should be logged.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>(similar to commit ba9d139ec3d71af184a24daf24356304c2e49144)
>---
> source3/winbindd/winbindd_cm.c | 41 +++++++++++++++++++++++++++++++----------
> 1 file changed, 31 insertions(+), 10 deletions(-)
>
>diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
>index 3bb2fb4..610464d 100644
>--- a/source3/winbindd/winbindd_cm.c
>+++ b/source3/winbindd/winbindd_cm.c
>@@ -1137,8 +1137,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> 			goto session_setup_done;
> 		}
> 
>-		DEBUG(4,("failed kerberos session setup with %s\n",
>-			 nt_errstr(result)));
>+		DEBUG(1, ("Failed to use kerberos connecting to %s from %s "
>+			  "with kerberos principal [%s]\n",
>+			  controller, lp_netbios_name(),
>+			  machine_krb5_principal));
> 	}
> 
> 	if (krb5_state != CRED_MUST_USE_KERBEROS) {
>@@ -1156,10 +1158,15 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> 					   machine_password,
> 					   strlen(machine_password)+1,
> 					   machine_domain);
>-	}
> 
>-	if (NT_STATUS_IS_OK(result)) {
>-		goto session_setup_done;
>+		if (NT_STATUS_IS_OK(result)) {
>+			goto session_setup_done;
>+		}
>+
>+		DEBUG(1, ("Failed to use NTLMSSP connecting to %s from %s "
>+			  "with username [%s]\\[%s]\n",
>+			  controller, lp_netbios_name(),
>+			  machine_domain, machine_account));
> 	}
> 
> 	/*
>@@ -1184,8 +1191,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> 		goto anon_fallback;
> 	}
> 
>-	DEBUG(4, ("authenticated session setup failed with %s\n",
>-		nt_errstr(result)));
>+	DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n",
>+		  controller,
>+		  cli_credentials_get_unparsed_name(creds, talloc_tos()),
>+		  nt_errstr(result)));
> 
> 	goto done;
> 
>@@ -1224,6 +1233,11 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> 		goto session_setup_done;
> 	}
> 
>+	DEBUG(1, ("Failed to use NTLMSSP connecting to %s from %s "
>+		  "with username "
>+		  "[%s]\\[%s]\n",  controller, lp_netbios_name(),
>+		  machine_domain, machine_account));
>+
> 	/*
> 	 * If we are not going to validiate the conneciton
> 	 * with SMB signing, then allow us to fall back to
>@@ -1238,8 +1252,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> 		goto anon_fallback;
> 	}
> 
>-	DEBUG(4, ("authenticated session setup failed with %s\n",
>-		nt_errstr(result)));
>+	DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n",
>+		  controller,
>+		  cli_credentials_get_unparsed_name(creds, talloc_tos()),
>+		  nt_errstr(result)));
> 
> 	goto done;
> 
>@@ -1251,7 +1267,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> 	}
> 
> 	/* Fall back to anonymous connection, this might fail later */
>-	DEBUG(10,("cm_prepare_connection: falling back to anonymous "
>+	DEBUG(5,("cm_prepare_connection: falling back to anonymous "
> 		"connection for DC %s\n",
> 		controller ));
> 
>@@ -1263,6 +1279,9 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> 		goto session_setup_done;
> 	}
> 
>+	DEBUG(1, ("anonymous session setup to %s failed with %s\n",
>+		  controller, nt_errstr(result)));
>+
> 	/* We can't session setup */
> 	goto done;
> 
>@@ -1308,6 +1327,8 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
> 	}
> 
> 	if (!NT_STATUS_IS_OK(result)) {
>+		DEBUG(1, ("Failed to prepare SMB connection to %s: %s\n",
>+			  controller, nt_errstr(result)));
> 		winbind_add_failed_connection_entry(domain, controller, result);
> 		if ((*cli) != NULL) {
> 			cli_shutdown(*cli);
>-- 
>1.9.1
>
>
>From 59ae3c5f1415adf8a5b5a650d1bde71b9182a50e Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 22 Feb 2017 20:07:25 +0100
>Subject: [PATCH 3/6] s3:winbindd: rely on the kerberos_state from
> pdb_get_trust_credentials()
>
>The implementation of pdb_get_trust_credentials() should have all
>the details to set the kerberos_state to a useful value.
>
>This should enable the fallback to NTLMSSP again, when using our
>machine account against trusted domains.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit 51caeb7c538b7546e5feccf27a735bb803c78a0b)
>---
> source3/winbindd/winbindd_cm.c | 11 -----------
> 1 file changed, 11 deletions(-)
>
>diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
>index 610464d..d1dce73 100644
>--- a/source3/winbindd/winbindd_cm.c
>+++ b/source3/winbindd/winbindd_cm.c
>@@ -936,17 +936,6 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
> 		goto ipc_fallback;
> 	}
> 
>-	if (domain->primary && lp_security() == SEC_ADS) {
>-		cli_credentials_set_kerberos_state(creds,
>-						   CRED_AUTO_USE_KERBEROS);
>-	} else if (domain->active_directory) {
>-		cli_credentials_set_kerberos_state(creds,
>-						   CRED_MUST_USE_KERBEROS);
>-	} else {
>-		cli_credentials_set_kerberos_state(creds,
>-						   CRED_DONT_USE_KERBEROS);
>-	}
>-
> 	if (creds_domain != domain) {
> 		/*
> 		 * We can only use schannel against a direct trust
>-- 
>1.9.1
>
>
>From 4ab71955867ae12dfde22b5051d1647384adb780 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 23 Feb 2017 11:54:21 +0100
>Subject: [PATCH 4/6] s3:libads: add more debugging to ads_sasl_spnego_bind()
>
>Any fallbacks to other authentication methods should be logged.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>(similar to commit ea0bc12ba52166032d5112ee22ab53d831c13e86)
>---
> source3/libads/sasl.c | 25 ++++++++++++++++++++++++-
> 1 file changed, 24 insertions(+), 1 deletion(-)
>
>diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
>index 39c60c3..c2564cb 100644
>--- a/source3/libads/sasl.c
>+++ b/source3/libads/sasl.c
>@@ -703,6 +703,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
> #ifdef HAVE_KRB5
> 	bool got_kerberos_mechanism = False;
> #endif
>+	const char *mech = NULL;
> 
> 	rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred);
> 
>@@ -749,6 +750,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
> 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
> 	    got_kerberos_mechanism) 
> 	{
>+		mech = "KRB5";
>+
> 		if (ads->auth.password == NULL ||
> 		    ads->auth.password[0] == '\0')
> 		{
>@@ -775,7 +778,11 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
> 							blob);
> 			if (!ADS_ERR_OK(status)) {
> 				DEBUG(0,("kinit succeeded but "
>-					"ads_sasl_spnego_gensec_bind(KRB5) failed: %s\n",
>+					"ads_sasl_spnego_gensec_bind(KRB5) failed: "
>+					"for %s/%s user[%s] realm[%s]: %s\n",
>+					p.service, p.hostname,
>+					ads->auth.user_name,
>+					ads->auth.realm,
> 					ads_errstr(status)));
> 			}
> 		}
>@@ -785,17 +792,33 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
> 		    !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
> 			goto done;
> 		}
>+
>+		DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed for %s/%s "
>+			 "with user[%s] realm[%s]: %s, fallback to NTLMSSP\n",
>+			 p.service, p.hostname,
>+			 ads->auth.user_name,
>+			 ads->auth.realm,
>+			 ads_errstr(status)));
> 	}
> #endif
> 
> 	/* lets do NTLMSSP ... this has the big advantage that we don't need
> 	   to sync clocks, and we don't rely on special versions of the krb5 
> 	   library for HMAC_MD4 encryption */
>+	mech = "NTLMSSP";
> 	status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
> 					     CRED_DONT_USE_KERBEROS,
> 					     p.service, p.hostname,
> 					     data_blob_null);
> done:
>+	if (!ADS_ERR_OK(status)) {
>+		DEBUG(1,("ads_sasl_spnego_gensec_bind(%s) failed for %s/%s "
>+			 "with user[%s] realm=[%s]: %s\n", mech,
>+			  p.service, p.hostname,
>+			  ads->auth.user_name,
>+			  ads->auth.realm,
>+			  ads_errstr(status)));
>+	}
> 	ads_free_service_principal(&p);
> 	TALLOC_FREE(frame);
> 	if (blob.data != NULL) {
>-- 
>1.9.1
>
>
>From 559d39e557999313c8fa1ef0b88df8a8c983aaf9 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 22 Feb 2017 21:18:32 +0100
>Subject: [PATCH 5/6] s3:winbindd: allow a fallback to NTLMSSP for LDAP
> connections
>
>This matches the behaviour of pdb_get_trust_credentials() for
>our machine account and allows us to fallback to NTLMSSP
>when contacting trusted domains.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit 4e9a0894cd977585ccc94e7c1811de1b0293382d)
>---
> source3/winbindd/winbindd_ads.c | 2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
>index dc92a4a..febde5e 100644
>--- a/source3/winbindd/winbindd_ads.c
>+++ b/source3/winbindd/winbindd_ads.c
>@@ -119,6 +119,8 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
> 	ads->auth.renewable = renewable;
> 	ads->auth.password = password;
> 
>+	ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
>+
> 	ads->auth.realm = SMB_STRDUP(auth_realm);
> 	if (!strupper_m(ads->auth.realm)) {
> 		ads_destroy(&ads);
>-- 
>1.9.1
>
>
>From 30b701149ec35519b53e4fa6babd266ec669f9c1 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 22 Feb 2017 21:29:50 +0100
>Subject: [PATCH 6/6] s3:idmap_ad: make use of pdb_get_trust_credentials() to
> get the machine account creds
>
>This is mostly a cosmetic change currently.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>
>Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
>Autobuild-Date(master): Fri Feb 24 22:34:48 CET 2017 on sn-devel-144
>
>(cherry picked from commit 3d7fed0f2883d529bb635fc6df86f39d5a434d25)
>---
> source3/winbindd/idmap_ad.c | 36 +++++++++++++-----------------------
> 1 file changed, 13 insertions(+), 23 deletions(-)
>
>diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
>index c385cf0..94de255 100644
>--- a/source3/winbindd/idmap_ad.c
>+++ b/source3/winbindd/idmap_ad.c
>@@ -22,7 +22,7 @@
> #include "idmap.h"
> #include "tldap_gensec_bind.h"
> #include "tldap_util.h"
>-#include "secrets.h"
>+#include "passdb.h"
> #include "lib/param/param.h"
> #include "utils/net.h"
> #include "auth/gensec/gensec.h"
>@@ -243,7 +243,6 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
> 				       const char *domname,
> 				       struct tldap_context **pld)
> {
>-	struct db_context *db_ctx;
> 	struct netr_DsRGetDCNameInfo *dcinfo;
> 	struct sockaddr_storage dcaddr;
> 	struct cli_credentials *creds;
>@@ -294,11 +293,19 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
> 		return NT_STATUS_NO_MEMORY;
> 	}
> 
>-	creds = cli_credentials_init(dcinfo);
>-	if (creds == NULL) {
>-		DBG_DEBUG("cli_credentials_init failed\n");
>+	/*
>+	 * Here we use or own machine account as
>+	 * we run as domain member.
>+	 */
>+	status = pdb_get_trust_credentials(lp_workgroup(),
>+					   lp_realm(),
>+					   dcinfo,
>+					   &creds);
>+	if (!NT_STATUS_IS_OK(status)) {
>+		DBG_DEBUG("pdb_get_trust_credentials() failed - %s\n",
>+			  nt_errstr(status));
> 		TALLOC_FREE(dcinfo);
>-		return NT_STATUS_NO_MEMORY;
>+		return status;
> 	}
> 
> 	lp_ctx = loadparm_init_s3(dcinfo, loadparm_s3_helpers());
>@@ -308,23 +315,6 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
> 		return NT_STATUS_NO_MEMORY;
> 	}
> 
>-	cli_credentials_set_conf(creds, lp_ctx);
>-
>-	db_ctx = secrets_db_ctx();
>-	if (db_ctx == NULL) {
>-		DBG_DEBUG("Failed to open secrets.tdb.\n");
>-		return NT_STATUS_INTERNAL_ERROR;
>-	}
>-
>-	status = cli_credentials_set_machine_account_db_ctx(creds, lp_ctx,
>-							    db_ctx);
>-	if (!NT_STATUS_IS_OK(status)) {
>-		DBG_DEBUG("cli_credentials_set_machine_account "
>-			  "failed: %s\n", nt_errstr(status));
>-		TALLOC_FREE(dcinfo);
>-		return status;
>-	}
>-
> 	rc = tldap_gensec_bind(ld, creds, "ldap", dcinfo->dc_unc, NULL, lp_ctx,
> 			       GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
> 	if (!TLDAP_RC_IS_SUCCESS(rc)) {
>-- 
>1.9.1
>

Flags:

slow: review+

Actions: View

Attachments on bug 12598: 12984 | 12985 | 12986