From 6967eb208e095ce78ac43e1dcfafd19181b3cd60 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 9 Jan 2018 08:55:48 +0100 Subject: [PATCH 1/5] s3:libsmb: allow -U"\\administrator" to work cli_credentials_get_principal() returns NULL in that case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 0786a65cabb92a812cf1c692d0d26914f74a6f87) --- source3/libsmb/cliconnect.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 26bf56962ad..f5bf68f0938 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -283,8 +283,9 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, auth_requested = cli_credentials_authentication_requested(creds); if (auth_requested) { + errno = 0; user_principal = cli_credentials_get_principal(creds, frame); - if (user_principal == NULL) { + if (errno != 0) { TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } @@ -299,6 +300,10 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, try_kerberos = true; } + if (user_principal == NULL) { + try_kerberos = false; + } + if (target_hostname == NULL) { try_kerberos = false; } else if (is_ipaddress(target_hostname)) { -- 2.13.6 From d02cec203dd0e17c273d3b7873582096973d4792 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 9 Jan 2018 08:57:05 +0100 Subject: [PATCH 2/5] s3:cliconnect.c: remove useless ';' BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit e039e9b0d2a16b21ace019b028e5c8244486b8a3) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f5bf68f0938..7689910fae9 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1289,7 +1289,7 @@ static struct tevent_req *cli_session_setup_spnego_send( status = cli_session_creds_prepare_krb5(cli, creds); if (tevent_req_nterror(req, status)) { - return tevent_req_post(req, ev);; + return tevent_req_post(req, ev); } subreq = cli_session_setup_gensec_send(state, ev, cli, creds, -- 2.13.6 From 848409bdc38ca0c4ad8d2530a9da66368cc3bedf Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Mon, 8 Jan 2018 13:36:59 +1300 Subject: [PATCH 3/5] tests/py_creds: Add a SamLogonEx test with an empty string domain This test passes against 4.6, but failed against 4.7.5 and master. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 5c625eae3f54e8de434de26e9f6a0f2fde557c18) --- python/samba/tests/py_credentials.py | 27 +++++++++++++++++++++++++++ selftest/knownfail.d/empty-domain-samlogon | 1 + 2 files changed, 28 insertions(+) create mode 100644 selftest/knownfail.d/empty-domain-samlogon diff --git a/python/samba/tests/py_credentials.py b/python/samba/tests/py_credentials.py index ff017ec7b7b..2f5a7d61a12 100644 --- a/python/samba/tests/py_credentials.py +++ b/python/samba/tests/py_credentials.py @@ -129,6 +129,33 @@ USER_NAME = "PCTU" else: raise + def test_SamLogonEx_no_domain(self): + c = self.get_netlogon_connection() + + self.user_creds.set_domain('') + + logon = samlogon_logon_info(self.domain, + self.machine_name, + self.user_creds) + + logon_level = netlogon.NetlogonNetworkTransitiveInformation + validation_level = netlogon.NetlogonValidationSamInfo4 + netr_flags = 0 + + try: + c.netr_LogonSamLogonEx(self.server, + self.user_creds.get_workstation(), + logon_level, + logon, + validation_level, + netr_flags) + except NTSTATUSError as e: + enum = ctypes.c_uint32(e[0]).value + if enum == ntstatus.NT_STATUS_WRONG_PASSWORD: + self.fail("got wrong password error") + else: + self.fail("got unexpected error" + str(e)) + def test_SamLogonExNTLM(self): c = self.get_netlogon_connection() diff --git a/selftest/knownfail.d/empty-domain-samlogon b/selftest/knownfail.d/empty-domain-samlogon new file mode 100644 index 00000000000..925a03ad40f --- /dev/null +++ b/selftest/knownfail.d/empty-domain-samlogon @@ -0,0 +1 @@ +^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_SamLogonEx_no_domain -- 2.13.6 From 9a2945a3987008c1efcf91cfe98fbfeb3a24f0e9 Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Mon, 8 Jan 2018 16:34:02 +1300 Subject: [PATCH 4/5] tests/bind.py: Add a bind test with NTLMSSP with no domain Confirmed to pass against Windows 2012 R2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 2e49a97777ebf5bffbeadca03517b4a21bca24c0) --- auth/credentials/tests/bind.py | 26 +++++++++++++++++++++++++- selftest/knownfail.d/empty-domain-bind | 1 + 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 selftest/knownfail.d/empty-domain-bind diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py index 91e493df7e7..4aa44985cc1 100755 --- a/auth/credentials/tests/bind.py +++ b/auth/credentials/tests/bind.py @@ -43,6 +43,7 @@ creds_machine = copy.deepcopy(creds) creds_user1 = copy.deepcopy(creds) creds_user2 = copy.deepcopy(creds) creds_user3 = copy.deepcopy(creds) +creds_user4 = copy.deepcopy(creds) class BindTests(samba.tests.TestCase): @@ -64,7 +65,7 @@ creds_user3 = copy.deepcopy(creds) self.config_dn = self.info_dc["configurationNamingContext"][0] self.computer_dn = "CN=centos53,CN=Computers,%s" % self.domain_dn self.password = "P@ssw0rd" - self.username = "BindTestUser_" + time.strftime("%s", time.gmtime()) + self.username = "BindTestUser" def tearDown(self): super(BindTests, self).tearDown() @@ -113,6 +114,7 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """ expression="(samAccountName=%s)" % self.username) self.assertEquals(len(ldb_res), 1) user_dn = ldb_res[0]["dn"] + self.addCleanup(delete_force, self.ldb, user_dn) # do a simple bind and search with the user account in format user@realm creds_user1.set_bind_dn(self.username + "@" + creds.get_realm()) @@ -138,5 +140,27 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """ lp=lp, ldap_only=True) res = ldb_user3.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + def test_user_account_bind_no_domain(self): + # create user + self.ldb.newuser(username=self.username, password=self.password) + ldb_res = self.ldb.search(base=self.domain_dn, + scope=SCOPE_SUBTREE, + expression="(samAccountName=%s)" % self.username) + self.assertEquals(len(ldb_res), 1) + user_dn = ldb_res[0]["dn"] + self.addCleanup(delete_force, self.ldb, user_dn) + + creds_user4.set_username(self.username) + creds_user4.set_password(self.password) + creds_user4.set_domain('') + creds_user4.set_workstation('') + print "BindTest (no domain) with: " + self.username + try: + ldb_user4 = samba.tests.connect_samdb(host, credentials=creds_user4, + lp=lp, ldap_only=True) + except: + self.fail("Failed to connect without the domain set") + + res = ldb_user4.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) TestProgram(module=__name__, opts=subunitopts) diff --git a/selftest/knownfail.d/empty-domain-bind b/selftest/knownfail.d/empty-domain-bind new file mode 100644 index 00000000000..99d71c1cf39 --- /dev/null +++ b/selftest/knownfail.d/empty-domain-bind @@ -0,0 +1 @@ +^samba4.ldap.bind\(fl2008r2dc\).__main__.BindTests.test_user_account_bind_no_domain.* -- 2.13.6 From 8cf7883070c3a5e8f8decaf019855d9639c32efa Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 9 Jan 2018 08:54:11 +0100 Subject: [PATCH 5/5] s4:auth_sam: allow logons with an empty domain name It turns out that an empty domain name maps to the local SAM. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Feb 23 04:08:26 CET 2018 on sn-devel-144 (cherry picked from commit 57762229da971e837b923f09ca01bad6151f9419) --- selftest/knownfail.d/empty-domain-bind | 1 - selftest/knownfail.d/empty-domain-samlogon | 1 - source4/auth/ntlm/auth_sam.c | 16 ++++++++++------ 3 files changed, 10 insertions(+), 8 deletions(-) delete mode 100644 selftest/knownfail.d/empty-domain-bind delete mode 100644 selftest/knownfail.d/empty-domain-samlogon diff --git a/selftest/knownfail.d/empty-domain-bind b/selftest/knownfail.d/empty-domain-bind deleted file mode 100644 index 99d71c1cf39..00000000000 --- a/selftest/knownfail.d/empty-domain-bind +++ /dev/null @@ -1 +0,0 @@ -^samba4.ldap.bind\(fl2008r2dc\).__main__.BindTests.test_user_account_bind_no_domain.* diff --git a/selftest/knownfail.d/empty-domain-samlogon b/selftest/knownfail.d/empty-domain-samlogon deleted file mode 100644 index 925a03ad40f..00000000000 --- a/selftest/knownfail.d/empty-domain-samlogon +++ /dev/null @@ -1 +0,0 @@ -^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_SamLogonEx_no_domain diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 5e2a5843fc4..8c5ebd747e7 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -739,6 +739,10 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, return NT_STATUS_NOT_IMPLEMENTED; } + if (effective_domain == NULL) { + effective_domain = ""; + } + is_local_name = lpcfg_is_myname(ctx->auth_ctx->lp_ctx, effective_domain); @@ -784,7 +788,7 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, return NT_STATUS_NOT_IMPLEMENTED; } - if (effective_domain != NULL && !strequal(effective_domain, "")) { + if (!strequal(effective_domain, "")) { DBG_DEBUG("%s is not one domain name (DC)\n", effective_domain); return NT_STATUS_NOT_IMPLEMENTED; @@ -792,11 +796,11 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, p = strchr_m(user_info->mapped.account_name, '@'); if (p == NULL) { - if (effective_domain == NULL) { - return NT_STATUS_OK; - } - DEBUG(6,("authsam_check_password: '' without upn not handled (DC)\n")); - return NT_STATUS_NOT_IMPLEMENTED; + /* + * An empty to domain name should be handled + * as the local domain name. + */ + return NT_STATUS_OK; } effective_domain = p + 1; -- 2.13.6