The Samba-Bugzilla – Attachment 13995 Details for Bug 13206: Unable to authenticate with an empty string domain ''
[patch] Patch for 4.8 cherry-picked from master
bug13206-v48.patch (text/plain), 11.56 KB, created by Ralph Böhme on 2018-02-27 10:30:30 UTC
>From 6967eb208e095ce78ac43e1dcfafd19181b3cd60 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 9 Jan 2018 08:55:48 +0100 >Subject: [PATCH 1/5] s3:libsmb: allow -U"\\administrator" to work > >cli_credentials_get_principal() returns NULL in that case. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 0786a65cabb92a812cf1c692d0d26914f74a6f87) >--- > source3/libsmb/cliconnect.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index 26bf56962ad..f5bf68f0938 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c >@@ -283,8 +283,9 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, > > auth_requested = cli_credentials_authentication_requested(creds); > if (auth_requested) { >+ errno = 0; > user_principal = cli_credentials_get_principal(creds, frame); >- if (user_principal == NULL) { >+ if (errno != 0) { > TALLOC_FREE(frame); > return NT_STATUS_NO_MEMORY; > } >@@ -299,6 +300,10 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, > try_kerberos = true; > } > >+ if (user_principal == NULL) { >+ try_kerberos = false; >+ } >+ > if (target_hostname == NULL) { > try_kerberos = false; > } else if (is_ipaddress(target_hostname)) { >-- >2.13.6 > > >From d02cec203dd0e17c273d3b7873582096973d4792 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 9 Jan 2018 08:57:05 +0100 >Subject: [PATCH 2/5] s3:cliconnect.c: remove useless ';' > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit e039e9b0d2a16b21ace019b028e5c8244486b8a3) >--- > source3/libsmb/cliconnect.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) 
> >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index f5bf68f0938..7689910fae9 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c >@@ -1289,7 +1289,7 @@ static struct tevent_req *cli_session_setup_spnego_send( > > status = cli_session_creds_prepare_krb5(cli, creds); > if (tevent_req_nterror(req, status)) { >- return tevent_req_post(req, ev);; >+ return tevent_req_post(req, ev); > } > > subreq = cli_session_setup_gensec_send(state, ev, cli, creds, >-- >2.13.6 > > >From 848409bdc38ca0c4ad8d2530a9da66368cc3bedf Mon Sep 17 00:00:00 2001 >From: Garming Sam <garming@catalyst.net.nz> >Date: Mon, 8 Jan 2018 13:36:59 +1300 >Subject: [PATCH 3/5] tests/py_creds: Add a SamLogonEx test with an empty > string domain > >This test passes against 4.6, but failed against 4.7.5 and master. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 > >Signed-off-by: Garming Sam <garming@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 5c625eae3f54e8de434de26e9f6a0f2fde557c18) >--- > python/samba/tests/py_credentials.py | 27 +++++++++++++++++++++++++++ > selftest/knownfail.d/empty-domain-samlogon | 1 + > 2 files changed, 28 insertions(+) > create mode 100644 selftest/knownfail.d/empty-domain-samlogon > >diff --git a/python/samba/tests/py_credentials.py b/python/samba/tests/py_credentials.py >index ff017ec7b7b..2f5a7d61a12 100644 >--- a/python/samba/tests/py_credentials.py >+++ b/python/samba/tests/py_credentials.py 
>@@ -129,6 +129,33 @@ USER_NAME = "PCTU" > else: > raise > >+ def test_SamLogonEx_no_domain(self): >+ c = self.get_netlogon_connection() >+ >+ self.user_creds.set_domain('') >+ >+ logon = samlogon_logon_info(self.domain, >+ self.machine_name, >+ self.user_creds) >+ >+ logon_level = netlogon.NetlogonNetworkTransitiveInformation >+ validation_level = netlogon.NetlogonValidationSamInfo4 >+ netr_flags = 0 >+ >+ try: >+ c.netr_LogonSamLogonEx(self.server, >+ self.user_creds.get_workstation(), >+ logon_level, >+ logon, >+ validation_level, >+ netr_flags) >+ except NTSTATUSError as e: >+ enum = ctypes.c_uint32(e[0]).value >+ if enum == ntstatus.NT_STATUS_WRONG_PASSWORD: >+ self.fail("got wrong password error") >+ else: >+ self.fail("got unexpected error" + str(e)) >+ > def test_SamLogonExNTLM(self): > c = self.get_netlogon_connection() > >diff --git a/selftest/knownfail.d/empty-domain-samlogon b/selftest/knownfail.d/empty-domain-samlogon >new file mode 100644 >index 00000000000..925a03ad40f >--- /dev/null >+++ b/selftest/knownfail.d/empty-domain-samlogon >@@ -0,0 +1 @@ >+^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_SamLogonEx_no_domain >-- >2.13.6 > > >From 9a2945a3987008c1efcf91cfe98fbfeb3a24f0e9 Mon Sep 17 00:00:00 2001 >From: Garming Sam <garming@catalyst.net.nz> >Date: Mon, 8 Jan 2018 16:34:02 +1300 >Subject: [PATCH 4/5] tests/bind.py: Add a bind test with NTLMSSP with no > domain > >Confirmed to pass against Windows 2012 R2. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 > >Signed-off-by: Garming Sam <garming@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 2e49a97777ebf5bffbeadca03517b4a21bca24c0) >--- > auth/credentials/tests/bind.py | 26 +++++++++++++++++++++++++- > selftest/knownfail.d/empty-domain-bind | 1 + > 2 files changed, 26 insertions(+), 1 deletion(-) > create mode 100644 selftest/knownfail.d/empty-domain-bind 
> >diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py >index 91e493df7e7..4aa44985cc1 100755 >--- a/auth/credentials/tests/bind.py >+++ b/auth/credentials/tests/bind.py >@@ -43,6 +43,7 @@ creds_machine = copy.deepcopy(creds) > creds_user1 = copy.deepcopy(creds) > creds_user2 = copy.deepcopy(creds) > creds_user3 = copy.deepcopy(creds) >+creds_user4 = copy.deepcopy(creds) > > class BindTests(samba.tests.TestCase): > >@@ -64,7 +65,7 @@ creds_user3 = copy.deepcopy(creds) > self.config_dn = self.info_dc["configurationNamingContext"][0] > self.computer_dn = "CN=centos53,CN=Computers,%s" % self.domain_dn > self.password = "P@ssw0rd" >- self.username = "BindTestUser_" + time.strftime("%s", time.gmtime()) >+ self.username = "BindTestUser" > > def tearDown(self): > super(BindTests, self).tearDown() >@@ -113,6 +114,7 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """ > expression="(samAccountName=%s)" % self.username) > self.assertEquals(len(ldb_res), 1) > user_dn = ldb_res[0]["dn"] >+ self.addCleanup(delete_force, self.ldb, user_dn) > > # do a simple bind and search with the user account in format user@realm > creds_user1.set_bind_dn(self.username + "@" + creds.get_realm()) 
>@@ -138,5 +140,27 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """ > lp=lp, ldap_only=True) > res = ldb_user3.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) > >+ def test_user_account_bind_no_domain(self): >+ # create user >+ self.ldb.newuser(username=self.username, password=self.password) >+ ldb_res = self.ldb.search(base=self.domain_dn, >+ scope=SCOPE_SUBTREE, >+ expression="(samAccountName=%s)" % self.username) >+ self.assertEquals(len(ldb_res), 1) >+ user_dn = ldb_res[0]["dn"] >+ self.addCleanup(delete_force, self.ldb, user_dn) >+ >+ creds_user4.set_username(self.username) >+ creds_user4.set_password(self.password) >+ creds_user4.set_domain('') >+ creds_user4.set_workstation('') >+ print "BindTest (no domain) with: " + self.username >+ try: >+ ldb_user4 = samba.tests.connect_samdb(host, credentials=creds_user4, >+ lp=lp, ldap_only=True) >+ except: >+ self.fail("Failed to connect without the domain set") >+ >+ res = ldb_user4.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) > > TestProgram(module=__name__, opts=subunitopts) >diff --git a/selftest/knownfail.d/empty-domain-bind b/selftest/knownfail.d/empty-domain-bind >new file mode 100644 >index 00000000000..99d71c1cf39 >--- /dev/null >+++ b/selftest/knownfail.d/empty-domain-bind >@@ -0,0 +1 @@ >+^samba4.ldap.bind\(fl2008r2dc\).__main__.BindTests.test_user_account_bind_no_domain.* >-- >2.13.6 > > >From 8cf7883070c3a5e8f8decaf019855d9639c32efa Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 9 Jan 2018 08:54:11 +0100 >Subject: [PATCH 5/5] s4:auth_sam: allow logons with an empty domain name > >It turns out that an empty domain name maps to the local SAM. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 
> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> > >Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> >Autobuild-Date(master): Fri Feb 23 04:08:26 CET 2018 on sn-devel-144 > >(cherry picked from commit 57762229da971e837b923f09ca01bad6151f9419) >--- > selftest/knownfail.d/empty-domain-bind | 1 - > selftest/knownfail.d/empty-domain-samlogon | 1 - > source4/auth/ntlm/auth_sam.c | 16 ++++++++++------ > 3 files changed, 10 insertions(+), 8 deletions(-) > delete mode 100644 selftest/knownfail.d/empty-domain-bind > delete mode 100644 selftest/knownfail.d/empty-domain-samlogon > >diff --git a/selftest/knownfail.d/empty-domain-bind b/selftest/knownfail.d/empty-domain-bind >deleted file mode 100644 >index 99d71c1cf39..00000000000 >--- a/selftest/knownfail.d/empty-domain-bind >+++ /dev/null >@@ -1 +0,0 @@ >-^samba4.ldap.bind\(fl2008r2dc\).__main__.BindTests.test_user_account_bind_no_domain.* >diff --git a/selftest/knownfail.d/empty-domain-samlogon b/selftest/knownfail.d/empty-domain-samlogon >deleted file mode 100644 >index 925a03ad40f..00000000000 >--- a/selftest/knownfail.d/empty-domain-samlogon >+++ /dev/null >@@ -1 +0,0 @@ >-^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_SamLogonEx_no_domain >diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c >index 5e2a5843fc4..8c5ebd747e7 100644 >--- a/source4/auth/ntlm/auth_sam.c >+++ b/source4/auth/ntlm/auth_sam.c >@@ -739,6 +739,10 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, > return NT_STATUS_NOT_IMPLEMENTED; > } > >+ if (effective_domain == NULL) { >+ effective_domain = ""; >+ } >+ > is_local_name = lpcfg_is_myname(ctx->auth_ctx->lp_ctx, > effective_domain); 
> >@@ -784,7 +788,7 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, > return NT_STATUS_NOT_IMPLEMENTED; > } > >- if (effective_domain != NULL && !strequal(effective_domain, "")) { >+ if (!strequal(effective_domain, "")) { > DBG_DEBUG("%s is not one domain name (DC)\n", > effective_domain); > return NT_STATUS_NOT_IMPLEMENTED; >@@ -792,11 +796,11 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, > > p = strchr_m(user_info->mapped.account_name, '@'); > if (p == NULL) { >- if (effective_domain == NULL) { >- return NT_STATUS_OK; >- } >- DEBUG(6,("authsam_check_password: '' without upn not handled (DC)\n")); >- return NT_STATUS_NOT_IMPLEMENTED; >+ /* >+ * An empty to domain name should be handled >+ * as the local domain name. >+ */ >+ return NT_STATUS_OK; > } > > effective_domain = p + 1; >-- >2.13.6 >
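Review bot: In [PATCH 1/5], hunk @@ -283 of source3/libsmb/cliconnect.c, the error path now depends on cli_credentials_get_principal() leaving errno non-zero on failure, and that contract is not stated anywhere in the hunk. Because the check no longer looks at user_principal, any call inside it that sets errno for a non-fatal reason is reported as NT_STATUS_NO_MEMORY even when a principal was returned. Suggest testing `user_principal == NULL && errno != 0`, and adding a comment that NULL with errno == 0 means no principal is available (the -U"\\administrator" case from the commit message).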
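Review bot: In [PATCH 1/5], hunk @@ -299 of source3/libsmb/cliconnect.c, the new `if (user_principal == NULL) { try_kerberos = false; }` turns Kerberos off without any log line, so a session that ends up without Kerberos for this reason cannot be told apart from one where it was never requested. Suggest a DBG_DEBUG at this point and a short comment on why a missing principal disables Kerberos. The visible lines also do not show what happens when Kerberos was required rather than merely preferred; that path deserves a look before this lands.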
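Review bot: In [PATCH 3/5], test_SamLogonEx_no_domain in python/samba/tests/py_credentials.py passes whenever netr_LogonSamLogonEx() does not raise; the return value is discarded, so the test never confirms that the logon validated the intended account. Suggest capturing the result and asserting on the returned validation data. Minor: both branches of the except handler call self.fail(), so the NT_STATUS_WRONG_PASSWORD comparison only changes the message, and `"got unexpected error" + str(e)` is missing a separating space.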
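Review bot: In [PATCH 4/5], hunk @@ -64 of auth/credentials/tests/bind.py, replacing the timestamped name with the fixed "BindTestUser" makes each test depend on the previous run's cleanup having completed. The addCleanup(delete_force, ...) call is registered only after the user has been created and looked up (visible in the new test in hunk @@ -138), so an account left behind by an aborted run makes the next newuser() fail. Suggest removing any existing account of that name at the start of each test, before newuser() is called.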
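Review bot: In [PATCH 4/5], hunk @@ -138 of auth/credentials/tests/bind.py, the bare `except:` around connect_samdb() discards the original exception, so a failure reports only "Failed to connect without the domain set" with nothing to tell an authentication rejection from an unrelated connection problem. Suggest `except Exception as e:` with str(e) included in the self.fail() message. The result of the final search is assigned to res and never checked; an assertion on it would confirm that the bind is actually usable.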
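Review bot: In [PATCH 5/5], hunk @@ -792 of source4/auth/ntlm/auth_sam.c, the DC branch for an account name without '@' now returns NT_STATUS_OK unconditionally, and the DEBUG(6) line that marked this case was removed with it, so accepting an empty-domain logon for the local SAM leaves no trace at debug level. Suggest keeping a DBG_DEBUG that records the empty domain being treated as the local domain, which helps when auditing which logons took this path. The new comment reads "An empty to domain name"; drop the stray "to".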
Flags: metze: review+