The Samba-Bugzilla – Attachment 12986 Details for Bug 12598
winbindd (as member) requires kerberos against trusted ad domain, while it shouldn't
[patch] Patches for v4-4-test
tmp44.diff.txt (text/plain), 11.21 KB, created by Stefan Metzmacher on 2017-02-27 19:20:40 UTC
Attachment flags: patch, obsolete
>From b68ce11e07c63b086dd05e49a514b4b0cefb0476 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 22 Feb 2017 20:07:25 +0100 >Subject: [PATCH 1/5] s3:passdb: use cli_credentials_set_kerberos_state() for > trusts in pdb_get_trust_credentials() > >Trust accounts can only use kerberos when contacting other AD domains, >using NTLMSSP will fail. > >At the same time it doesn't make sense to try kerberos for NT4 domains, >still NTLMSSP will fail, but the callers has to deal with that >case and just fallback to an anonymous SMB connection. > >In all cases we should be able to use NETLOGON SCHANNEL >over any anonymous smb or tcp transport. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit d961ae9d14b46708d2693ca91ace04f9f1a53ca2) >--- > source3/passdb/passdb.c | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > >diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c >index f48c317..e7a9b43 100644 >--- a/source3/passdb/passdb.c >+++ b/source3/passdb/passdb.c >@@ -2621,6 +2621,19 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain, > status = NT_STATUS_NO_MEMORY; > goto fail; > } >+ >+ /* >+ * It's not possible to use NTLMSSP with a domain trust account. >+ */ >+ cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS); >+ } else { >+ /* >+ * We can't use kerberos against an NT4 domain. >+ * >+ * We should have a mode that also disallows NTLMSSP here, >+ * as only NETLOGON SCHANNEL is possible. >+ */ >+ cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS); > } > > ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED); 
>@@ -2635,6 +2648,10 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain, > status = NT_STATUS_NO_MEMORY; > goto fail; > } >+ /* >+ * We currently can't do kerberos just with an NTHASH. >+ */ >+ cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS); > goto done; > } > >-- >1.9.1 > > >From d453303dc6c9f633d9651e15ec0880a2ca9a7d63 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 23 Feb 2017 11:54:21 +0100 >Subject: [PATCH 2/5] s3:winbindd: add more debugging to > cm_prepare_connection() > >Any fallbacks to other authentication methods should be logged. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >(similar to commit ba9d139ec3d71af184a24daf24356304c2e49144) >--- > source3/winbindd/winbindd_cm.c | 41 +++++++++++++++++++++++++++++++---------- > 1 file changed, 31 insertions(+), 10 deletions(-) > >diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c >index 6669dc2..f8e4607 100644 >--- a/source3/winbindd/winbindd_cm.c >+++ b/source3/winbindd/winbindd_cm.c >@@ -1135,8 +1135,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, > goto session_setup_done; > } > >- DEBUG(4,("failed kerberos session setup with %s\n", >- nt_errstr(result))); >+ DEBUG(1, ("Failed to use kerberos connecting to %s from %s " >+ "with kerberos principal [%s]\n", >+ controller, lp_netbios_name(), >+ machine_krb5_principal)); > } > > if (krb5_state != CRED_MUST_USE_KERBEROS) { 
>@@ -1154,10 +1156,15 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, > machine_password, > strlen(machine_password)+1, > machine_domain); >- } > >- if (NT_STATUS_IS_OK(result)) { >- goto session_setup_done; >+ if (NT_STATUS_IS_OK(result)) { >+ goto session_setup_done; >+ } >+ >+ DEBUG(1, ("Failed to use NTLMSSP connecting to %s from %s " >+ "with username [%s]\\[%s]\n", >+ controller, lp_netbios_name(), >+ machine_domain, machine_account)); > } > > /* >@@ -1182,8 +1189,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, > goto anon_fallback; > } > >- DEBUG(4, ("authenticated session setup failed with %s\n", >- nt_errstr(result))); >+ DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n", >+ controller, >+ cli_credentials_get_unparsed_name(creds, talloc_tos()), >+ nt_errstr(result))); > > goto done; > >@@ -1222,6 +1231,11 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, > goto session_setup_done; > } > >+ DEBUG(1, ("Failed to use NTLMSSP connecting to %s from %s " >+ "with username " >+ "[%s]\\[%s]\n", controller, lp_netbios_name(), >+ machine_domain, machine_account)); >+ > /* > * If we are not going to validiate the conneciton > * with SMB signing, then allow us to fall back to >@@ -1236,8 +1250,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, > goto anon_fallback; > } > >- DEBUG(4, ("authenticated session setup failed with %s\n", >- nt_errstr(result))); >+ DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n", >+ controller, >+ cli_credentials_get_unparsed_name(creds, talloc_tos()), >+ nt_errstr(result))); > > goto done; 
> >@@ -1249,7 +1265,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, > } > > /* Fall back to anonymous connection, this might fail later */ >- DEBUG(10,("cm_prepare_connection: falling back to anonymous " >+ DEBUG(5,("cm_prepare_connection: falling back to anonymous " > "connection for DC %s\n", > controller )); > >@@ -1261,6 +1277,9 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, > goto session_setup_done; > } > >+ DEBUG(1, ("anonymous session setup to %s failed with %s\n", >+ controller, nt_errstr(result))); >+ > /* We can't session setup */ > goto done; > >@@ -1306,6 +1325,8 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain, > } > > if (!NT_STATUS_IS_OK(result)) { >+ DEBUG(1, ("Failed to prepare SMB connection to %s: %s\n", >+ controller, nt_errstr(result))); > winbind_add_failed_connection_entry(domain, controller, result); > if ((*cli) != NULL) { > cli_shutdown(*cli); >-- >1.9.1 > > >From cd678fdf8ce74656429760fcf537449bf41fdb54 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 22 Feb 2017 20:07:25 +0100 >Subject: [PATCH 3/5] s3:winbindd: rely on the kerberos_state from > pdb_get_trust_credentials() > >The implementation of pdb_get_trust_credentials() should have all >the details to set the kerberos_state to a useful value. > >This should enable the fallback to NTLMSSP again, when using our >machine account against trusted domains. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 51caeb7c538b7546e5feccf27a735bb803c78a0b) >--- > source3/winbindd/winbindd_cm.c | 11 ----------- > 1 file changed, 11 deletions(-) > >diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c >index f8e4607..b83b5c9 100644 >--- a/source3/winbindd/winbindd_cm.c >+++ b/source3/winbindd/winbindd_cm.c 
>@@ -936,17 +936,6 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain, > goto ipc_fallback; > } > >- if (domain->primary && lp_security() == SEC_ADS) { >- cli_credentials_set_kerberos_state(creds, >- CRED_AUTO_USE_KERBEROS); >- } else if (domain->active_directory) { >- cli_credentials_set_kerberos_state(creds, >- CRED_MUST_USE_KERBEROS); >- } else { >- cli_credentials_set_kerberos_state(creds, >- CRED_DONT_USE_KERBEROS); >- } >- > if (creds_domain != domain) { > /* > * We can only use schannel against a direct trust >-- >1.9.1 > > >From dd66ca6906b5cc9e91640611b50c5dee03136a22 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 23 Feb 2017 11:54:21 +0100 >Subject: [PATCH 4/5] s3:libads: add more debugging to ads_sasl_spnego_bind() > >Any fallbacks to other authentication methods should be logged. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >(similar to commit ea0bc12ba52166032d5112ee22ab53d831c13e86) >--- > source3/libads/sasl.c | 25 ++++++++++++++++++++++++- > 1 file changed, 24 insertions(+), 1 deletion(-) > >diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c >index 39c60c3..c2564cb 100644 >--- a/source3/libads/sasl.c >+++ b/source3/libads/sasl.c >@@ -703,6 +703,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) > #ifdef HAVE_KRB5 > bool got_kerberos_mechanism = False; > #endif >+ const char *mech = NULL; > > rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred); > >@@ -749,6 +750,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) > if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && > got_kerberos_mechanism) > { >+ mech = "KRB5"; >+ > if (ads->auth.password == NULL || > ads->auth.password[0] == '\0') > { 
>@@ -775,7 +778,11 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) > blob); > if (!ADS_ERR_OK(status)) { > DEBUG(0,("kinit succeeded but " >- "ads_sasl_spnego_gensec_bind(KRB5) failed: %s\n", >+ "ads_sasl_spnego_gensec_bind(KRB5) failed: " >+ "for %s/%s user[%s] realm[%s]: %s\n", >+ p.service, p.hostname, >+ ads->auth.user_name, >+ ads->auth.realm, > ads_errstr(status))); > } > } >@@ -785,17 +792,33 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) > !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { > goto done; > } >+ >+ DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed for %s/%s " >+ "with user[%s] realm[%s]: %s, fallback to NTLMSSP\n", >+ p.service, p.hostname, >+ ads->auth.user_name, >+ ads->auth.realm, >+ ads_errstr(status))); > } > #endif > > /* lets do NTLMSSP ... this has the big advantage that we don't need > to sync clocks, and we don't rely on special versions of the krb5 > library for HMAC_MD4 encryption */ >+ mech = "NTLMSSP"; > status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", > CRED_DONT_USE_KERBEROS, > p.service, p.hostname, > data_blob_null); > done: >+ if (!ADS_ERR_OK(status)) { >+ DEBUG(1,("ads_sasl_spnego_gensec_bind(%s) failed for %s/%s " >+ "with user[%s] realm=[%s]: %s\n", mech, >+ p.service, p.hostname, >+ ads->auth.user_name, >+ ads->auth.realm, >+ ads_errstr(status))); >+ } > ads_free_service_principal(&p); > TALLOC_FREE(frame); > if (blob.data != NULL) { >-- >1.9.1 > > >From accf145cfa3d8e846f6a2f2ba55e32ab2d378fba Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 22 Feb 2017 21:18:32 +0100 >Subject: [PATCH 5/5] s3:winbindd: allow a fallback to NTLMSSP for LDAP > connections > >This matches the behaviour of pdb_get_trust_credentials() for >our machine account and allows us to fallback to NTLMSSP >when contacting trusted domains. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598 
> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 4e9a0894cd977585ccc94e7c1811de1b0293382d) >--- > source3/winbindd/winbindd_ads.c | 2 ++ > 1 file changed, 2 insertions(+) > >diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c >index a9a23db..808986d 100644 >--- a/source3/winbindd/winbindd_ads.c >+++ b/source3/winbindd/winbindd_ads.c >@@ -119,6 +119,8 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, > ads->auth.renewable = renewable; > ads->auth.password = password; > >+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; >+ > ads->auth.realm = SMB_STRDUP(auth_realm); > if (!strupper_m(ads->auth.realm)) { > ads_destroy(&ads); >-- >1.9.1 >
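Review bot: in the first hunk of patch 1/5 (passdb.c @@ -2621), the new `else` branch's own comment concedes that CRED_DONT_USE_KERBEROS still leaves NTLMSSP enabled against an NT4 domain, although the commit message states that NTLMSSP will fail there and only NETLOGON SCHANNEL over an anonymous transport can work. Turn the "We should have a mode that also disallows NTLMSSP here" remark into a tracked TODO referencing the bug, and state in the header comment of pdb_get_trust_credentials() that callers must treat an NTLMSSP failure on a CRED_DONT_USE_KERBEROS credential as expected and fall back to an anonymous connection; at the moment that contract is only discoverable from the commit message.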
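Review bot: the replacement DEBUG(1) in the kerberos branch of patch 2/5 (winbindd_cm.c @@ -1135) drops nt_errstr(result), which the old DEBUG(4) did include, so an operator raising the log level to learn why kerberos was skipped sees the controller and principal but not the NT status that explains it. Append the status, e.g. `"with kerberos principal [%s]: %s\n", controller, lp_netbios_name(), machine_krb5_principal, nt_errstr(result)`.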
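Review bot: the same omission occurs in the NTLMSSP branch of patch 2/5 (winbindd_cm.c @@ -1154): the new `Failed to use NTLMSSP connecting to %s from %s with username [%s]\\[%s]` message carries no nt_errstr(result), so an access-denied and a transport failure are indistinguishable at level 1; add the status to the message. Moving `if (NT_STATUS_IS_OK(result)) { goto session_setup_done; }` inside the block is fine, but since the success check and the failure log now sit together, a short comment stating that a failure here deliberately falls through to the next method would make the control flow easier to follow.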
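Review bot: in patch 2/5 (winbindd_cm.c @@ -1182, and the identical change at @@ -1236), `cli_credentials_get_unparsed_name(creds, talloc_tos())` allocates the formatted name on the current talloc stack frame, and no talloc_stackframe() is visible in the hunk. Confirm that cm_prepare_connection() has a frame in scope at this point, because Samba's talloc_tos() warns and leaks when none exists; otherwise allocate on the function's own context, or log only `controller` and `nt_errstr(result)`, which needs no allocation on the failure path.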
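Review bot: the second NTLMSSP failure message in patch 2/5 (winbindd_cm.c @@ -1222) also omits nt_errstr(result), and it splits the same format string differently from the @@ -1154 message ("with username " / "[%s]\\[%s]\n" versus one line); add the status and keep the two messages textually identical so they can be matched with a single log search. The neighbouring context comment reads "validiate the conneciton"; it is not part of this change, but a follow-up typo fix is cheap.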
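Review bot: the block removed in patch 3/5 (winbindd_cm.c @@ -936) also covered the primary domain, setting CRED_AUTO_USE_KERBEROS when `domain->primary && lp_security() == SEC_ADS` and CRED_DONT_USE_KERBEROS for a primary domain with any other security setting. The hunks of patch 1/5 only show a state being set on the uplevel-trust, NT4-trust and NTHASH-only paths, so confirm that the machine-account path of pdb_get_trust_credentials() sets an explicit kerberos_state for `security = domain`, or state in the commit message that the credentials default (auto) is the intended behaviour for the primary domain after this change.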
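Review bot: the rewritten DEBUG(0) format in patch 4/5 (sasl.c @@ -775) now reads `ads_sasl_spnego_gensec_bind(KRB5) failed: for %s/%s user[%s] realm[%s]: %s`, with a stray colon before "for"; drop it. This message also stays at level 0 while the new fallback and `done:` messages in the next hunk are level 1, so when ADS_AUTH_ALLOW_NTLMSSP is not set the same KRB5 failure is logged here and again at `done:`; consider removing the status from this message or lowering it to the same level to avoid the duplicate.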
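Review bot: in patch 4/5 (sasl.c @@ -785), `mech` is initialised to NULL in the @@ -703 hunk and only assigned in the KRB5 branch (`mech = "KRB5";`) and just before the NTLMSSP bind (`mech = "NTLMSSP";`), so any `goto done` taken before either assignment passes NULL to the `%s` in the new DEBUG(1) at `done:`, which is undefined behaviour rather than a guaranteed "(null)"; initialise it to a literal such as "none" or guard the message with `mech != NULL`. The two new messages also differ in punctuation ("realm[%s]" versus "realm=[%s]"); make them consistent so a log search for the realm matches both.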
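Review bot: `ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;` in patch 5/5 (winbindd_ads.c @@ -119) is set unconditionally for every winbindd LDAP connection, so a Kerberos failure that is merely transient (clock skew, unreachable KDC) now downgrades the bind to NTLMSSP for the primary domain as well as for trusts, while the commit message only speaks of "contacting trusted domains". Either scope the flag to non-primary connections or say explicitly in the commit message that primary-domain binds may fall back too, and point operators at the new `fallback to NTLMSSP` DEBUG(1) message in sasl.c as the place where such a downgrade becomes visible.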
Flags: slow: review+; metze: review? (gd)