From e69334385b7e09625f0e8c65282f5c952785dd5b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 15 Mar 2018 17:40:07 +0100 Subject: [PATCH 01/19] s3:torture: add SMB2-ANONYMOUS which asserts no GUEST bit for anonymous BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 82d8aa3b9cb15512d29a97b5a7e55ea1a052734f) --- source3/torture/proto.h | 1 + source3/torture/test_smb2.c | 42 ++++++++++++++++++++++++++++++++++++++++++ source3/torture/torture.c | 1 + 3 files changed, 44 insertions(+) diff --git a/source3/torture/proto.h b/source3/torture/proto.h index 7ab2fe1..45870c9 100644 --- a/source3/torture/proto.h +++ b/source3/torture/proto.h @@ -95,6 +95,7 @@ bool run_nttrans_create(int dummy); bool run_nttrans_fsctl(int dummy); bool run_smb2_basic(int dummy); bool run_smb2_negprot(int dummy); +bool run_smb2_anonymous(int dummy); bool run_smb2_session_reconnect(int dummy); bool run_smb2_tcon_dependence(int dummy); bool run_smb2_multi_channel(int dummy); diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c index 297c3ab..897d034 100644 --- a/source3/torture/test_smb2.c +++ b/source3/torture/test_smb2.c @@ -24,6 +24,7 @@ #include "../libcli/smb/smbXcli_base.h" #include "libcli/security/security.h" #include "libsmb/proto.h" +#include "auth/credentials/credentials.h" #include "auth/gensec/gensec.h" #include "auth_generic.h" #include "../librpc/ndr/libndr.h" @@ -274,6 +275,47 @@ bool run_smb2_negprot(int dummy) return true; } +bool run_smb2_anonymous(int dummy) +{ + struct cli_state *cli = NULL; + NTSTATUS status; + struct cli_credentials *anon_creds = NULL; + bool guest = false; + + printf("Starting SMB2-ANONYMOUS\n"); + + if (!torture_init_connection(&cli)) { + return false; + } + + status = smbXcli_negprot(cli->conn, cli->timeout, + PROTOCOL_SMB2_02, PROTOCOL_LATEST); + if (!NT_STATUS_IS_OK(status)) { + printf("smbXcli_negprot returned %s\n", nt_errstr(status)); + return false; + } + + anon_creds = cli_credentials_init_anon(talloc_tos()); + if (anon_creds == NULL) { + printf("cli_credentials_init_anon failed\n"); + return false; + } + + status = cli_session_setup_creds(cli, anon_creds); + if (!NT_STATUS_IS_OK(status)) { + printf("cli_session_setup returned %s\n", nt_errstr(status)); + return false; + } + + guest = smbXcli_session_is_guest(cli->smb2.session); + if (guest) { + printf("anonymous session should not have guest authentication\n"); + return false; + } + + return true; +} + bool run_smb2_session_reconnect(int dummy) { struct cli_state *cli1; diff --git a/source3/torture/torture.c b/source3/torture/torture.c index ae502f28..df6604d 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -11588,6 +11588,7 @@ static struct { { "NOTIFY-ONLINE", run_notify_online }, { "SMB2-BASIC", run_smb2_basic }, { "SMB2-NEGPROT", run_smb2_negprot }, + { "SMB2-ANONYMOUS", run_smb2_anonymous }, { "SMB2-SESSION-RECONNECT", run_smb2_session_reconnect }, { "SMB2-TCON-DEPENDENCE", run_smb2_tcon_dependence }, { "SMB2-MULTI-CHANNEL", run_smb2_multi_channel }, -- 1.9.1 From db9be3905afc4d9820ea7a21c1d64b2a66cd845f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 15 Mar 2018 18:04:21 +0100 Subject: [PATCH 02/19] s3:selftest: run SMB2-ANONYMOUS This fails against a non AD DC smbd. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit bf707a1eba39e996bb19457b63ddb658cc4183c2) --- selftest/knownfail.d/anonymous-guest | 1 + source3/selftest/tests.py | 1 + 2 files changed, 2 insertions(+) create mode 100644 selftest/knownfail.d/anonymous-guest diff --git a/selftest/knownfail.d/anonymous-guest b/selftest/knownfail.d/anonymous-guest new file mode 100644 index 0000000..a134cec --- /dev/null +++ b/selftest/knownfail.d/anonymous-guest @@ -0,0 +1 @@ +^samba3.smbtorture_s3.*nt4_dc.*.SMB2-ANONYMOUS.smbtorture diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 54969f8..8c5b744 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -78,6 +78,7 @@ tests = ["FDPASS", "LOCK1", "LOCK2", "LOCK3", "LOCK4", "LOCK5", "LOCK6", "LOCK7" "UID-REGRESSION-TEST", "SHORTNAME-TEST", "CASE-INSENSITIVE-CREATE", "SMB2-BASIC", "NTTRANS-FSCTL", "SMB2-NEGPROT", "SMB2-SESSION-REAUTH", "SMB2-SESSION-RECONNECT", "SMB2-FTRUNCATE", + "SMB2-ANONYMOUS", "CLEANUP1", "CLEANUP2", "CLEANUP4", -- 1.9.1 From 1a6152595f5343dfd5b3d6fe5db0aa1aca830a32 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Wed, 14 Mar 2018 11:44:49 +0100 Subject: [PATCH 03/19] libcli/security: only announce a session as GUEST if 'Builtin\Guests' is there without 'Authenticated User' BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit f564847c8e9d31fe07dd3cbf435986b36f097fa3) --- libcli/security/session.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/libcli/security/session.c b/libcli/security/session.c index 0fbb87d..f17e884 100644 --- a/libcli/security/session.c +++ b/libcli/security/session.c @@ -26,6 +26,9 @@ enum security_user_level security_session_user_level(struct auth_session_info *session_info, const struct dom_sid *domain_sid) { + bool authenticated = false; + bool guest = false; + if (!session_info) { return SECURITY_ANONYMOUS; } @@ -38,8 +41,13 @@ enum security_user_level security_session_user_level(struct auth_session_info *s return SECURITY_ANONYMOUS; } - if (security_token_has_builtin_guests(session_info->security_token)) { - return SECURITY_GUEST; + authenticated = security_token_has_nt_authenticated_users(session_info->security_token); + guest = security_token_has_builtin_guests(session_info->security_token); + if (!authenticated) { + if (guest) { + return SECURITY_GUEST; + } + return SECURITY_ANONYMOUS; } if (security_token_has_builtin_administrators(session_info->security_token)) { @@ -60,9 +68,5 @@ enum security_user_level security_session_user_level(struct auth_session_info *s return SECURITY_DOMAIN_CONTROLLER; } - if (security_token_has_nt_authenticated_users(session_info->security_token)) { - return SECURITY_USER; - } - - return SECURITY_ANONYMOUS; + return SECURITY_USER; } -- 1.9.1 From b64d8225815095543bee4907335a68ecefcc91d0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 1 Mar 2018 18:05:28 +0100 Subject: [PATCH 04/19] s3:auth: remove unused auth_serversupplied_info->system BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 28ad1306b880a44824ee956a19656ac29581a1b9) --- source3/auth/auth_util.c | 1 - source3/include/auth.h | 1 - 2 files changed, 2 deletions(-) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f543b33..e28fd2a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1019,7 +1019,6 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO SMB_ASSERT(src->unix_info); dst->guest = true; - dst->system = false; /* This element must be provided to convert back to an * auth_serversupplied_info. This needs to be from the diff --git a/source3/include/auth.h b/source3/include/auth.h index b7223c1..d305537 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -30,7 +30,6 @@ struct extra_auth_info { struct auth_serversupplied_info { bool guest; - bool system; struct security_unix_token utok; -- 1.9.1 From 29a0209692cb74efea9d203a10e7d19c40f81355 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 2 Mar 2018 16:37:58 +0100 Subject: [PATCH 05/19] s3:auth: add the "Unix Groups" sid for the primary gid The primary gid might not be in the gid array. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit f3ca3e71cc35876df47e31ec9c3643308add2405) --- source3/auth/auth_util.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e28fd2a..b486362 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -633,7 +633,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, */ uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid); + add_sid_to_array_unique(session_info->security_token, &tmp_sid, + &session_info->security_token->sids, + &session_info->security_token->num_sids); + gid_to_unix_groups_sid(session_info->unix_token->gid, &tmp_sid); add_sid_to_array_unique(session_info->security_token, &tmp_sid, &session_info->security_token->sids, &session_info->security_token->num_sids); -- 1.9.1 From 998c8622a2032341af9ca5e1fb2df026961d2a39 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Mar 2018 17:14:34 +0100 Subject: [PATCH 06/19] s3:auth: move add_local_groups() out of finalize_local_nt_token() finalize_local_nt_token() will be used in another place, were we don't want to add local groups in a following commit. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit df3d278853ec097df27c221369dfb3ed0297d6c8) --- source3/auth/token_util.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 03c4b64..e5a12db 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -208,6 +208,8 @@ static NTSTATUS add_builtin_administrators(struct security_token *token, return NT_STATUS_OK; } +static NTSTATUS add_local_groups(struct security_token *result, + bool is_guest); static NTSTATUS finalize_local_nt_token(struct security_token *result, bool is_guest); @@ -323,6 +325,13 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx, } } + status = add_local_groups(usrtok, is_guest); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("Failed to add local groups\n")); + TALLOC_FREE(usrtok); + return status; + } + status = finalize_local_nt_token(usrtok, is_guest); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("Failed to finalize nt token\n")); @@ -392,6 +401,12 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, } } + status = add_local_groups(result, is_guest); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(result); + return NULL; + } + status = finalize_local_nt_token(result, is_guest); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(result); @@ -502,13 +517,6 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, NTSTATUS status; struct acct_info *info; - /* Add any local groups. */ - - status = add_local_groups(result, is_guest); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - /* Add in BUILTIN sids */ status = add_sid_to_array(result, &global_sid_World, -- 1.9.1 From 0d2674e21679fcc5aa8c24aa05839b0dff6db17d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 13 Mar 2018 21:35:48 +0100 Subject: [PATCH 07/19] s3:passdb: handle dom_sid=NULL in create_builtin_{users,administrators}() We should not crash if we're called with NULL. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit efdc617c76d9043286e33b961f45ad4564232102) --- source3/passdb/pdb_util.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/source3/passdb/pdb_util.c b/source3/passdb/pdb_util.c index bf7b2b8..309eb89 100644 --- a/source3/passdb/pdb_util.c +++ b/source3/passdb/pdb_util.c @@ -130,8 +130,9 @@ NTSTATUS create_builtin_users(const struct dom_sid *dom_sid) } /* add domain users */ - if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) - && sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS)) + if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) && + (dom_sid != NULL) && + sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS)) { status = add_sid_to_builtin(&global_sid_Builtin_Users, &dom_users); @@ -159,8 +160,9 @@ NTSTATUS create_builtin_administrators(const struct dom_sid *dom_sid) } /* add domain admins */ - if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) - && sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS)) + if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) && + (dom_sid != NULL) && + sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS)) { status = add_sid_to_builtin(&global_sid_Builtin_Administrators, &dom_admins); -- 1.9.1 From af020e97fc9814b48fb9429e792a6879eb751bd1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 13 Mar 2018 21:38:27 +0100 Subject: [PATCH 08/19] s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit c2ffbf9f764a94ef1dc1280741884cf63a017308) --- source3/auth/token_util.c | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index e5a12db..f3d24cd 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -190,6 +190,9 @@ static NTSTATUS add_builtin_administrators(struct security_token *token, if ( IS_DC ) { sid_copy( &domadm, get_global_sam_sid() ); } else { + if (dom_sid == NULL) { + return NT_STATUS_INVALID_PARAMETER_MIX; + } sid_copy(&domadm, dom_sid); } sid_append_rid( &domadm, DOMAIN_RID_ADMINS ); @@ -513,9 +516,11 @@ static NTSTATUS add_local_groups(struct security_token *result, static NTSTATUS finalize_local_nt_token(struct security_token *result, bool is_guest) { - struct dom_sid dom_sid; + struct dom_sid _dom_sid = { 0, }; + struct dom_sid *domain_sid = NULL; NTSTATUS status; struct acct_info *info; + bool ok; /* Add in BUILTIN sids */ @@ -547,6 +552,16 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, } } + become_root(); + ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid); + if (ok) { + domain_sid = &_dom_sid; + } else { + DEBUG(3, ("Failed to fetch domain sid for %s\n", + lp_workgroup())); + } + unbecome_root(); + info = talloc_zero(talloc_tos(), struct acct_info); if (info == NULL) { DEBUG(0, ("talloc failed!\n")); @@ -561,18 +576,12 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, if (!NT_STATUS_IS_OK(status)) { become_root(); - if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) { - status = NT_STATUS_OK; - DEBUG(3, ("Failed to fetch domain sid for %s\n", - lp_workgroup())); - } else { - status = create_builtin_administrators(&dom_sid); - } + status = create_builtin_administrators(domain_sid); unbecome_root(); if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) { /* Add BUILTIN\Administrators directly to token. */ - status = add_builtin_administrators(result, &dom_sid); + status = add_builtin_administrators(result, domain_sid); if ( !NT_STATUS_IS_OK(status) ) { DEBUG(3, ("Failed to check for local " "Administrators membership (%s)\n", @@ -593,13 +602,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, if (!NT_STATUS_IS_OK(status)) { become_root(); - if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) { - status = NT_STATUS_OK; - DEBUG(3, ("Failed to fetch domain sid for %s\n", - lp_workgroup())); - } else { - status = create_builtin_users(&dom_sid); - } + status = create_builtin_users(domain_sid); unbecome_root(); if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) && -- 1.9.1 From 529b41d92ae63d57c82a657fd6d6b6315797f01b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Mar 2018 23:26:28 +0100 Subject: [PATCH 09/19] s3:auth: add add_builtin_guests() handling to finalize_local_nt_token() We should add Builtin_Guests depending on the current token not based on 'is_guest'. Even authenticated users can be member a guest related group and therefore get Builtin_Guests. Sadly we still need to use 'is_guest' within create_local_nt_token() as we only have S-1-22-* SIDs there and still need to add Builtin_Guests. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit e8dc55d2b969b670322a913799d1af459a1000e7) --- source3/auth/token_util.c | 122 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 114 insertions(+), 8 deletions(-) diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index f3d24cd..30f2f8d3 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -211,6 +211,74 @@ static NTSTATUS add_builtin_administrators(struct security_token *token, return NT_STATUS_OK; } +static NTSTATUS add_builtin_guests(struct security_token *token, + const struct dom_sid *dom_sid) +{ + struct dom_sid tmp_sid; + NTSTATUS status; + + /* + * First check the local GUEST account. + */ + sid_copy(&tmp_sid, get_global_sam_sid()); + sid_append_rid(&tmp_sid, DOMAIN_RID_GUEST); + + if (nt_token_check_sid(&tmp_sid, token)) { + status = add_sid_to_array_unique(token, + &global_sid_Builtin_Guests, + &token->sids, &token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return NT_STATUS_OK; + } + + /* + * First check the local GUESTS group. + */ + sid_copy(&tmp_sid, get_global_sam_sid()); + sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS); + + if (nt_token_check_sid(&tmp_sid, token)) { + status = add_sid_to_array_unique(token, + &global_sid_Builtin_Guests, + &token->sids, &token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return NT_STATUS_OK; + } + + if (lp_server_role() != ROLE_DOMAIN_MEMBER) { + return NT_STATUS_OK; + } + + if (dom_sid == NULL) { + return NT_STATUS_INVALID_PARAMETER_MIX; + } + + /* + * First check the domain GUESTS group. + */ + sid_copy(&tmp_sid, dom_sid); + sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS); + + if (nt_token_check_sid(&tmp_sid, token)) { + status = add_sid_to_array_unique(token, + &global_sid_Builtin_Guests, + &token->sids, &token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return NT_STATUS_OK; + } + + return NT_STATUS_OK; +} + static NTSTATUS add_local_groups(struct security_token *result, bool is_guest); static NTSTATUS finalize_local_nt_token(struct security_token *result, @@ -416,6 +484,29 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, return NULL; } + if (is_guest) { + /* + * It's ugly, but for now it's + * needed to add Builtin_Guests + * here, the "local" token only + * consist of S-1-22-* SIDs + * and finalize_local_nt_token() + * doesn't have the chance to + * to detect it need to + * add Builtin_Guests via + * add_builtin_guests(). + */ + status = add_sid_to_array_unique(result, + &global_sid_Builtin_Guests, + &result->sids, + &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("Failed to add SID to nt token\n")); + TALLOC_FREE(result); + return NULL; + } + } + return result; } @@ -535,14 +626,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, return status; } - if (is_guest) { - status = add_sid_to_array(result, &global_sid_Builtin_Guests, - &result->sids, - &result->num_sids); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - } else { + if (!is_guest) { status = add_sid_to_array(result, &global_sid_Authenticated_Users, &result->sids, @@ -613,6 +697,28 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, } } + /* + * Add BUILTIN\Guests directly to token. + * But only if the token already indicates + * real guest access by: + * - local GUEST account + * - local GUESTS group + * - domain GUESTS group + * + * Even if a user was authenticated, it + * can be member of a guest related group. + */ + status = add_builtin_guests(result, domain_sid); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("Failed to check for local " + "Guests membership (%s)\n", + nt_errstr(status))); + /* + * This is a hard error. + */ + return status; + } + TALLOC_FREE(info); /* Deal with local groups */ -- 1.9.1 From d84d939eb211fcabc2a2cebc95d8d062984db2c9 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Mar 2018 23:36:03 +0100 Subject: [PATCH 10/19] s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 4f81ef9353ad76390aa910c8c17456fec21916c6) --- source3/auth/token_util.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 30f2f8d3..6ebfa54 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -613,6 +613,13 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, struct acct_info *info; bool ok; + result->privilege_mask = 0; + result->rights_mask = 0; + + if (result->num_sids == 0) { + return NT_STATUS_INVALID_TOKEN; + } + /* Add in BUILTIN sids */ status = add_sid_to_array(result, &global_sid_World, @@ -626,6 +633,23 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, return status; } + /* + * Don't expand nested groups of system, anonymous etc + * + * Note that they still get SID_WORLD and SID_NETWORK + * for now in order let existing tests pass. + * + * But SYSTEM doesn't get AUTHENTICATED_USERS + * and ANONYMOUS doesn't get BUILTIN GUESTS anymore. + */ + if (security_token_is_anonymous(result)) { + return NT_STATUS_OK; + } + if (security_token_is_system(result)) { + result->privilege_mask = ~0; + return NT_STATUS_OK; + } + if (!is_guest) { status = add_sid_to_array(result, &global_sid_Authenticated_Users, -- 1.9.1 From 62055c21acb0297488902c47037ec3dc447bc681 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Mar 2018 23:40:10 +0100 Subject: [PATCH 11/19] s3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit d3aae5ba65c7ed0d5e9f8389101cf1c8c1f0a25b) --- source3/auth/token_util.c | 58 +++++++++++++++++++++++++++++++---------------- 1 file changed, 39 insertions(+), 19 deletions(-) diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 6ebfa54..acb916a 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -282,7 +282,7 @@ static NTSTATUS add_builtin_guests(struct security_token *token, static NTSTATUS add_local_groups(struct security_token *result, bool is_guest); static NTSTATUS finalize_local_nt_token(struct security_token *result, - bool is_guest); + uint32_t session_info_flags); NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3, const struct extra_auth_info *extra, @@ -313,6 +313,7 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx, struct security_token **ntok) { struct security_token *usrtok = NULL; + uint32_t session_info_flags = 0; NTSTATUS status; int i; @@ -403,7 +404,12 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx, return status; } - status = finalize_local_nt_token(usrtok, is_guest); + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + if (!is_guest) { + session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } + + status = finalize_local_nt_token(usrtok, session_info_flags); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("Failed to finalize nt token\n")); TALLOC_FREE(usrtok); @@ -427,6 +433,7 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, struct security_token *result = NULL; int i; NTSTATUS status; + uint32_t session_info_flags = 0; DEBUG(10, ("Create local NT token for %s\n", sid_string_dbg(user_sid))); @@ -478,7 +485,12 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, return NULL; } - status = finalize_local_nt_token(result, is_guest); + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + if (!is_guest) { + session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } + + status = finalize_local_nt_token(result, session_info_flags); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(result); return NULL; @@ -605,7 +617,7 @@ static NTSTATUS add_local_groups(struct security_token *result, } static NTSTATUS finalize_local_nt_token(struct security_token *result, - bool is_guest) + uint32_t session_info_flags) { struct dom_sid _dom_sid = { 0, }; struct dom_sid *domain_sid = NULL; @@ -620,17 +632,17 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, return NT_STATUS_INVALID_TOKEN; } - /* Add in BUILTIN sids */ - - status = add_sid_to_array(result, &global_sid_World, - &result->sids, &result->num_sids); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - status = add_sid_to_array(result, &global_sid_Network, - &result->sids, &result->num_sids); - if (!NT_STATUS_IS_OK(status)) { - return status; + if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) { + status = add_sid_to_array(result, &global_sid_World, + &result->sids, &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + status = add_sid_to_array(result, &global_sid_Network, + &result->sids, &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { + return status; + } } /* @@ -650,7 +662,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, return NT_STATUS_OK; } - if (!is_guest) { + if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) { status = add_sid_to_array(result, &global_sid_Authenticated_Users, &result->sids, @@ -660,6 +672,8 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, } } + /* Add in BUILTIN sids */ + become_root(); ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid); if (ok) { @@ -772,10 +786,16 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, unbecome_root(); } - /* Add privileges based on current user sids */ - get_privileges_for_sids(&result->privilege_mask, result->sids, - result->num_sids); + if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) { + if (security_token_has_builtin_administrators(result)) { + result->privilege_mask = ~0; + } + } else { + /* Add privileges based on current user sids */ + get_privileges_for_sids(&result->privilege_mask, result->sids, + result->num_sids); + } return NT_STATUS_OK; } -- 1.9.1 From f730e5eee6b06224afbcb93d11c4b3fdb7cff14d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Mar 2018 23:45:30 +0100 Subject: [PATCH 12/19] s3:auth: remove static from finalize_local_nt_token() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 7f47f9e1f220d2dd547cf77bbc292357a2173870) --- source3/auth/proto.h | 2 ++ source3/auth/token_util.c | 6 ++---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/source3/auth/proto.h b/source3/auth/proto.h index ca851c2..9fcd272 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -357,6 +357,8 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, bool is_guest, int num_groupsids, const struct dom_sid *groupsids); +NTSTATUS finalize_local_nt_token(struct security_token *result, + uint32_t session_info_flags); NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3, const struct extra_auth_info *extra, struct dom_sid *sid); diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index acb916a..f015f8d 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -281,8 +281,6 @@ static NTSTATUS add_builtin_guests(struct security_token *token, static NTSTATUS add_local_groups(struct security_token *result, bool is_guest); -static NTSTATUS finalize_local_nt_token(struct security_token *result, - uint32_t session_info_flags); NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3, const struct extra_auth_info *extra, @@ -616,8 +614,8 @@ static NTSTATUS add_local_groups(struct security_token *result, return NT_STATUS_OK; } -static NTSTATUS finalize_local_nt_token(struct security_token *result, - uint32_t session_info_flags) +NTSTATUS finalize_local_nt_token(struct security_token *result, + uint32_t session_info_flags) { struct dom_sid _dom_sid = { 0, }; struct dom_sid *domain_sid = NULL; -- 1.9.1 From ca446a3000df3b86de857dd26340719d132754a5 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Mar 2018 16:38:10 +0100 Subject: [PATCH 13/19] auth: add auth_user_info_copy() function BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 6ff891195855403bc485725aef8d43d4e3cabacb) --- auth/auth_sam_reply.c | 35 +++++++++++++++++++++++++++++++++++ auth/auth_sam_reply.h | 3 +++ 2 files changed, 38 insertions(+) diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c index 15d17b0..bd69515 100644 --- a/auth/auth_sam_reply.c +++ b/auth/auth_sam_reply.c @@ -333,6 +333,41 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx, + const struct auth_user_info *src) +{ + struct auth_user_info *dst = NULL; + + dst = talloc_zero(mem_ctx, struct auth_user_info); + if (dst == NULL) { + return NULL; + } + + *dst = *src; +#define _COPY_STRING(_mem, _str) do { \ + if ((_str) != NULL) { \ + (_str) = talloc_strdup((_mem), (_str)); \ + if ((_str) == NULL) { \ + TALLOC_FREE(dst); \ + return NULL; \ + } \ + } \ +} while(0) + _COPY_STRING(dst, dst->account_name); + _COPY_STRING(dst, dst->user_principal_name); + _COPY_STRING(dst, dst->domain_name); + _COPY_STRING(dst, dst->dns_domain_name); + _COPY_STRING(dst, dst->full_name); + _COPY_STRING(dst, dst->logon_script); + _COPY_STRING(dst, dst->profile_path); + _COPY_STRING(dst, dst->home_directory); + _COPY_STRING(dst, dst->home_drive); + _COPY_STRING(dst, dst->logon_server); +#undef _COPY_STRING + + return dst; +} + /** * Make a user_info_dc struct from the info3 returned by a domain logon */ diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h index 4aa3096..e4b26e9 100644 --- a/auth/auth_sam_reply.h +++ b/auth/auth_sam_reply.h @@ -38,6 +38,9 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx, bool authenticated, struct auth_user_info **_user_info); +struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx, + const struct auth_user_info *src); + NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx, const struct auth_user_info_dc *user_info_dc, struct netr_SamInfo6 **_sam6); -- 1.9.1 From c01c74a04777353f2a7cc9cbb4bbb4e79ad8de1a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 7 Mar 2018 00:21:13 +0100 Subject: [PATCH 14/19] s3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create() These functions make it possible to construct a full auth_session_info from the information available from an auth_user_info_dc structure. This has all the logic from create_local_token() that is used to transform a auth_serversupplied_info to a full auth_session_info. In order to workarround the restriction that auth_user_info_dc doesn't contain hints for the unix token/name, we use the special S-1-5-88 (Unix_NFS) sids: - S-1-5-88-1-Y gives the uid=Y - S-1-5-88-2-Y gives the gid=Y - S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_* The currently implemented flags are: - AUTH3_UNIX_HINT_QUALIFIED_NAME unix_name = DOMAIN+ACCOUNT - AUTH3_UNIX_HINT_ISLOLATED_NAME unix_name = ACCOUNT - AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS Don't translate the nt token SIDS into uid/gids using sid mapping. - AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS Don't translate the unix token uid/gids to S-1-22-X-Y SIDS - AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS The unix token won't get expanded gid values from getgroups_unix_user() By using the hints it is possible to keep the current logic where an authentication backend provides uid/gid values and the unix name. Note the S-1-5-88-* SIDS never appear in the final security_token. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit af4bc135e486e17164da0ea918281fbf689892c3) --- source3/auth/auth_util.c | 552 +++++++++++++++++++++++++++++++++++++++++++++++ source3/auth/proto.h | 32 +++ 2 files changed, 584 insertions(+) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index b486362..b2cc003 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -665,6 +665,558 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc, + uid_t uid, + gid_t gid, + uint32_t flags) +{ + uint32_t orig_num_sids = user_info_dc->num_sids; + struct dom_sid tmp_sid = { 0, }; + NTSTATUS status; + + /* + * We add S-5-88-1-X in order to pass the uid + * for the unix token. + */ + sid_compose(&tmp_sid, + &global_sid_Unix_NFS_Users, + (uint32_t)uid); + status = add_sid_to_array_unique(user_info_dc->sids, + &tmp_sid, + &user_info_dc->sids, + &user_info_dc->num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("add_sid_to_array_unique failed: %s\n", + nt_errstr(status))); + goto fail; + } + + /* + * We add S-5-88-2-X in order to pass the gid + * for the unix token. + */ + sid_compose(&tmp_sid, + &global_sid_Unix_NFS_Groups, + (uint32_t)gid); + status = add_sid_to_array_unique(user_info_dc->sids, + &tmp_sid, + &user_info_dc->sids, + &user_info_dc->num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("add_sid_to_array_unique failed: %s\n", + nt_errstr(status))); + goto fail; + } + + /* + * We add S-5-88-3-X in order to pass some flags + * (AUTH3_UNIX_HINT_*) to auth3_create_session_info(). + */ + sid_compose(&tmp_sid, + &global_sid_Unix_NFS_Mode, + flags); + status = add_sid_to_array_unique(user_info_dc->sids, + &tmp_sid, + &user_info_dc->sids, + &user_info_dc->num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("add_sid_to_array_unique failed: %s\n", + nt_errstr(status))); + goto fail; + } + + return NT_STATUS_OK; + +fail: + user_info_dc->num_sids = orig_num_sids; + return status; +} + +NTSTATUS auth3_session_info_create(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *user_info_dc, + const char *original_user_name, + uint32_t session_info_flags, + struct auth_session_info **session_info_out) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct auth_session_info *session_info = NULL; + uid_t hint_uid = -1; + bool found_hint_uid = false; + uid_t hint_gid = -1; + bool found_hint_gid = false; + uint32_t hint_flags = 0; + bool found_hint_flags = false; + bool need_getpwuid = false; + struct unixid *ids = NULL; + uint32_t num_gids = 0; + gid_t *gids = NULL; + struct dom_sid tmp_sid = { 0, }; + fstring tmp = { 0, }; + NTSTATUS status; + size_t i; + bool ok; + + *session_info_out = NULL; + + if (user_info_dc->num_sids == 0) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + if (user_info_dc->info == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + if (user_info_dc->info->account_name == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + session_info = talloc_zero(mem_ctx, struct auth_session_info); + if (session_info == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + /* keep this under frame for easier cleanup */ + talloc_reparent(mem_ctx, frame, session_info); + + session_info->info = auth_user_info_copy(session_info, + user_info_dc->info); + if (session_info->info == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + session_info->security_token = talloc_zero(session_info, + struct security_token); + if (session_info->security_token == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + /* + * Avoid a lot of reallocations and allocate what we'll + * use in most cases. + */ + session_info->security_token->sids = talloc_zero_array( + session_info->security_token, + struct dom_sid, + user_info_dc->num_sids); + if (session_info->security_token->sids == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + for (i = PRIMARY_USER_SID_INDEX; i < user_info_dc->num_sids; i++) { + struct security_token *nt_token = session_info->security_token; + int cmp; + + /* + * S-1-5-88-X-Y sids are only used to give hints + * to the unix token construction. + * + * S-1-5-88-1-Y gives the uid=Y + * S-1-5-88-2-Y gives the gid=Y + * S-1-5-88-3-Y gives flags=Y: AUTH3_UNIX_HINT_* + */ + cmp = dom_sid_compare_domain(&global_sid_Unix_NFS, + &user_info_dc->sids[i]); + if (cmp == 0) { + bool match; + uint32_t hint = 0; + + match = sid_peek_rid(&user_info_dc->sids[i], &hint); + if (!match) { + continue; + } + + match = dom_sid_in_domain(&global_sid_Unix_NFS_Users, + &user_info_dc->sids[i]); + if (match) { + if (found_hint_uid) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + found_hint_uid = true; + hint_uid = (uid_t)hint; + continue; + } + + match = dom_sid_in_domain(&global_sid_Unix_NFS_Groups, + &user_info_dc->sids[i]); + if (match) { + if (found_hint_gid) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + found_hint_gid = true; + hint_gid = (gid_t)hint; + continue; + } + + match = dom_sid_in_domain(&global_sid_Unix_NFS_Mode, + &user_info_dc->sids[i]); + if (match) { + if (found_hint_flags) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + found_hint_flags = true; + hint_flags = hint; + continue; + } + + continue; + } + + status = add_sid_to_array_unique(nt_token->sids, + &user_info_dc->sids[i], + &nt_token->sids, + &nt_token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + } + + /* + * We need at least one usable SID + */ + if (session_info->security_token->num_sids == 0) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + /* + * We need all tree hints: uid, gid, flags + * or none of them. + */ + if (found_hint_uid || found_hint_gid || found_hint_flags) { + if (!found_hint_uid) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + if (!found_hint_gid) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + if (!found_hint_flags) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + } + + if (session_info->info->authenticated) { + session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } + + status = finalize_local_nt_token(session_info->security_token, + session_info_flags); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + + /* + * unless set otherwise, the session key is the user session + * key from the auth subsystem + */ + if (user_info_dc->user_session_key.length != 0) { + session_info->session_key = data_blob_dup_talloc(session_info, + user_info_dc->user_session_key); + if (session_info->session_key.data == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } + + if (!(session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN)) { + goto done; + } + + session_info->unix_token = talloc_zero(session_info, struct security_unix_token); + if (session_info->unix_token == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + session_info->unix_token->uid = -1; + session_info->unix_token->gid = -1; + + session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix); + if (session_info->unix_info == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + /* Convert the SIDs to uid/gids. */ + + ids = talloc_zero_array(frame, struct unixid, + session_info->security_token->num_sids); + if (ids == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + if (!(hint_flags & AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS)) { + ok = sids_to_unixids(session_info->security_token->sids, + session_info->security_token->num_sids, + ids); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } + + if (found_hint_uid) { + session_info->unix_token->uid = hint_uid; + } else if (ids[0].type == ID_TYPE_UID) { + /* + * The primary SID resolves to a UID only. + */ + session_info->unix_token->uid = ids[0].id; + } else if (ids[0].type == ID_TYPE_BOTH) { + /* + * The primary SID resolves to a UID and GID, + * use it as uid and add it as first element + * to the groups array. + */ + session_info->unix_token->uid = ids[0].id; + + ok = add_gid_to_array_unique(session_info->unix_token, + session_info->unix_token->uid, + &session_info->unix_token->groups, + &session_info->unix_token->ngroups); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } else { + /* + * It we can't get a uid, we can't imporsonate + * the user. + */ + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + if (found_hint_gid) { + session_info->unix_token->gid = hint_gid; + } else { + need_getpwuid = true; + } + + if (hint_flags & AUTH3_UNIX_HINT_QUALIFIED_NAME) { + session_info->unix_info->unix_name = + talloc_asprintf(session_info->unix_info, + "%s%c%s", + session_info->info->domain_name, + *lp_winbind_separator(), + session_info->info->account_name); + if (session_info->unix_info->unix_name == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } else if (hint_flags & AUTH3_UNIX_HINT_ISLOLATED_NAME) { + session_info->unix_info->unix_name = + talloc_strdup(session_info->unix_info, + session_info->info->account_name); + if (session_info->unix_info->unix_name == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } else { + need_getpwuid = true; + } + + if (need_getpwuid) { + struct passwd *pwd = NULL; + + /* + * Ask the system for the primary gid + * and the real unix name. + */ + pwd = getpwuid_alloc(frame, session_info->unix_token->uid); + if (pwd == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + if (!found_hint_gid) { + session_info->unix_token->gid = pwd->pw_gid; + } + + session_info->unix_info->unix_name = + talloc_strdup(session_info->unix_info, pwd->pw_name); + if (session_info->unix_info->unix_name == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + TALLOC_FREE(pwd); + } + + ok = add_gid_to_array_unique(session_info->unix_token, + session_info->unix_token->gid, + &session_info->unix_token->groups, + &session_info->unix_token->ngroups); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + /* This is a potentially untrusted username for use in %U */ + alpha_strcpy(tmp, original_user_name, ". _-$", sizeof(tmp)); + session_info->unix_info->sanitized_username = + talloc_strdup(session_info->unix_info, tmp); + if (session_info->unix_info->sanitized_username == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + for (i=0; i < session_info->security_token->num_sids; i++) { + + if (ids[i].type != ID_TYPE_GID && + ids[i].type != ID_TYPE_BOTH) { + struct security_token *nt_token = + session_info->security_token; + + DEBUG(10, ("Could not convert SID %s to gid, " + "ignoring it\n", + sid_string_dbg(&nt_token->sids[i]))); + continue; + } + + ok = add_gid_to_array_unique(session_info->unix_token, + ids[i].id, + &session_info->unix_token->groups, + &session_info->unix_token->ngroups); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } + TALLOC_FREE(ids); + + /* + * Now we must get any groups this user has been + * added to in /etc/group and merge them in. + * This has to be done in every code path + * that creates an NT token, as remote users + * may have been added to the local /etc/group + * database. Tokens created merely from the + * info3 structs (via the DC or via the krb5 PAC) + * won't have these local groups. Note the + * groups added here will only be UNIX groups + * (S-1-22-2-XXXX groups) as getgroups_unix_user() + * turns off winbindd before calling getgroups(). + * + * NB. This is duplicating work already + * done in the 'unix_user:' case of + * create_token_from_sid() but won't + * do anything other than be inefficient + * in that case. + */ + if (!(hint_flags & AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS)) { + ok = getgroups_unix_user(frame, + session_info->unix_info->unix_name, + session_info->unix_token->gid, + &gids, &num_gids); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + } + + for (i=0; i < num_gids; i++) { + + ok = add_gid_to_array_unique(session_info->unix_token, + gids[i], + &session_info->unix_token->groups, + &session_info->unix_token->ngroups); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } + TALLOC_FREE(gids); + + if (hint_flags & AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS) { + /* + * We should not translate the unix token uid/gids + * to S-1-22-X-Y SIDs. + */ + goto done; + } + + /* + * Add the "Unix Group" SID for each gid to catch mapped groups + * and their Unix equivalent. This is to solve the backwards + * compatibility problem of 'valid users = +ntadmin' where + * ntadmin has been paired with "Domain Admins" in the group + * mapping table. Otherwise smb.conf would need to be changed + * to 'valid user = "Domain Admins"'. --jerry + * + * For consistency we also add the "Unix User" SID, + * so that the complete unix token is represented within + * the nt token. + */ + + uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid); + status = add_sid_to_array_unique(session_info->security_token, &tmp_sid, + &session_info->security_token->sids, + &session_info->security_token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + + gid_to_unix_groups_sid(session_info->unix_token->gid, &tmp_sid); + status = add_sid_to_array_unique(session_info->security_token, &tmp_sid, + &session_info->security_token->sids, + &session_info->security_token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + + for (i=0; i < session_info->unix_token->ngroups; i++ ) { + struct security_token *nt_token = session_info->security_token; + + gid_to_unix_groups_sid(session_info->unix_token->groups[i], + &tmp_sid); + status = add_sid_to_array_unique(nt_token->sids, + &tmp_sid, + &nt_token->sids, + &nt_token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + } + +done: + security_token_debug(DBGC_AUTH, 10, session_info->security_token); + if (session_info->unix_token != NULL) { + debug_unix_user_token(DBGC_AUTH, 10, + session_info->unix_token->uid, + session_info->unix_token->gid, + session_info->unix_token->ngroups, + session_info->unix_token->groups); + } + + status = log_nt_token(session_info->security_token); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + + *session_info_out = talloc_move(mem_ctx, &session_info); + TALLOC_FREE(frame); + return NT_STATUS_OK; +} + /*************************************************************************** Make (and fill) a server_info struct from a 'struct passwd' by conversion to a struct samu diff --git a/source3/auth/proto.h b/source3/auth/proto.h index 9fcd272..96b08e3 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -221,6 +221,38 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, DATA_BLOB *session_key, const char *smb_name, struct auth_session_info **session_info_out); + +/* + * The unix name should be constructed as DOMAIN+ACCOUNT, + * while '+' will be the "winbind separator" character. + */ +#define AUTH3_UNIX_HINT_QUALIFIED_NAME 0x00000001 +/* + * The unix name will be just ACCOUNT + */ +#define AUTH3_UNIX_HINT_ISLOLATED_NAME 0x00000002 +/* + * Don't translate the nt token SIDS into uid/gids + */ +#define AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS 0x00000004 +/* + * Don't translate the unix token uid/gids to S-1-22-X-Y SIDS + */ +#define AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS 0x00000008 +/* + * The unix token won't get expanded gid values + * from getgroups_unix_user() + */ +#define AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS 0x00000010 +NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc, + uid_t uid, + gid_t gid, + uint32_t flags); +NTSTATUS auth3_session_info_create(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *user_info_dc, + const char *original_user_name, + uint32_t session_info_flags, + struct auth_session_info **session_info_out); NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, bool is_guest, uid_t *uid, gid_t *gid, -- 1.9.1 From 5ae7aff6eefecd14a0bcc24f43125b8b3086ad57 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 7 Mar 2018 00:51:51 +0100 Subject: [PATCH 15/19] s3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_create_session_info() The changes in the resulting token look like this: unix_token : * unix_token: struct security_unix_token uid : 0x0000000000000000 (0) gid : 0x0000000000000000 (0) - ngroups : 0x00000000 (0) - groups: ARRAY(0) + ngroups : 0x00000001 (1) + groups: ARRAY(1) + groups : 0x0000000000000000 (0) ... domain_name : * domain_name : 'NT AUTHORITY' dns_domain_name : NULL - full_name : NULL - logon_script : NULL - profile_path : NULL - home_directory : NULL - home_drive : NULL - logon_server : NULL + full_name : * + full_name : 'System' + logon_script : * + logon_script : '' + profile_path : * + profile_path : '' + home_directory : * + home_directory : '' + home_drive : * + home_drive : '' + logon_server : * + logon_server : 'SLOWSERVER' last_logon : NTTIME(0) last_logoff : NTTIME(0) acct_expiry : NTTIME(0) last_password_change : NTTIME(0) allow_password_change : NTTIME(0) force_password_change : NTTIME(0) logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) - acct_flags : 0x00000000 (0) + acct_flags : 0x00000010 (16) authenticated : 0x01 (1) unix_info : * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit e8402ec0486ced6ac2adb640c61a9e5abc77d4e4) --- source3/auth/auth_util.c | 123 +++++++++++++++++------------------------------ 1 file changed, 43 insertions(+), 80 deletions(-) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index b2cc003..4c9f384 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -37,6 +37,7 @@ #include "lib/param/loadparm.h" #include "../lib/tsocket/tsocket.h" #include "rpc_client/util_netlogon.h" +#include "source4/auth/auth.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -1268,31 +1269,6 @@ done: return status; } -static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx, - struct netr_SamInfo3 *info3) -{ - NTSTATUS status; - - /* Set account name */ - init_lsa_String(&info3->base.account_name, "SYSTEM"); - - /* Set domain name */ - init_lsa_StringLarge(&info3->base.logon_domain, "NT AUTHORITY"); - - - status = dom_sid_split_rid(mem_ctx, &global_sid_System, - &info3->base.domain_sid, - &info3->base.rid); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - /* Primary gid is the same */ - info3->base.primary_gid = info3->base.rid; - - return NT_STATUS_OK; -} - static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx, struct netr_SamInfo3 *info3) { @@ -1421,80 +1397,67 @@ done: static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx, struct auth_session_info **session_info) { + TALLOC_CTX *frame = talloc_stackframe(); + struct auth_user_info_dc *user_info_dc = NULL; + uid_t uid = -1; + gid_t gid = -1; + uint32_t hint_flags = 0; + uint32_t session_info_flags = 0; NTSTATUS status; - struct auth_serversupplied_info *server_info; - TALLOC_CTX *tmp_ctx; - - tmp_ctx = talloc_stackframe(); - if (tmp_ctx == NULL) { - return NT_STATUS_NO_MEMORY; - } - - server_info = make_server_info(tmp_ctx); - if (!server_info) { - status = NT_STATUS_NO_MEMORY; - DEBUG(0, ("failed making server_info\n")); - goto done; - } - server_info->info3 = talloc_zero(server_info, struct netr_SamInfo3); - if (!server_info->info3) { - status = NT_STATUS_NO_MEMORY; - DEBUG(0, ("talloc failed setting info3\n")); - goto done; - } - - status = get_system_info3(server_info, server_info->info3); + status = auth_system_user_info_dc(frame, lp_netbios_name(), + &user_info_dc); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed creating system info3 with %s\n", + DEBUG(0, ("auth_system_user_info_dc failed: %s\n", nt_errstr(status))); goto done; } - server_info->utok.uid = sec_initial_uid(); - server_info->utok.gid = sec_initial_gid(); - server_info->unix_name = talloc_asprintf(server_info, - "NT AUTHORITY%cSYSTEM", - *lp_winbind_separator()); - - if (!server_info->unix_name) { - status = NT_STATUS_NO_MEMORY; - DEBUG(0, ("talloc_asprintf failed setting unix_name\n")); - goto done; - } + /* + * Just get the initial uid/gid + * and don't expand the unix groups. + */ + uid = sec_initial_uid(); + gid = sec_initial_gid(); + hint_flags |= AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS; - server_info->security_token = talloc_zero(server_info, struct security_token); - if (!server_info->security_token) { - status = NT_STATUS_NO_MEMORY; - DEBUG(0, ("talloc failed setting security token\n")); - goto done; - } + /* + * Also avoid sid mapping to gids, + * as well as adding the unix_token uid/gids as + * S-1-22-X-Y SIDs to the nt token. + */ + hint_flags |= AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS; + hint_flags |= AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS; - status = add_sid_to_array_unique(server_info->security_token->sids, - &global_sid_System, - &server_info->security_token->sids, - &server_info->security_token->num_sids); + /* + * The unix name will be "NT AUTHORITY+SYSTEM", + * where '+' is the "winbind separator" character. + */ + hint_flags |= AUTH3_UNIX_HINT_QUALIFIED_NAME; + status = auth3_user_info_dc_add_hints(user_info_dc, + uid, + gid, + hint_flags); if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("auth3_user_info_dc_add_hints failed: %s\n", + nt_errstr(status))); goto done; } - /* SYSTEM has all privilages */ - server_info->security_token->privilege_mask = ~0; - - /* Now turn the server_info into a session_info with the full token etc */ - status = create_local_token(mem_ctx, server_info, NULL, "SYSTEM", session_info); - talloc_free(server_info); - + session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; + status = auth3_session_info_create(mem_ctx, user_info_dc, + user_info_dc->info->account_name, + session_info_flags, + session_info); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("create_local_token failed: %s\n", + DEBUG(0, ("auth3_session_info_create failed: %s\n", nt_errstr(status))); goto done; } - talloc_steal(mem_ctx, *session_info); - done: - TALLOC_FREE(tmp_ctx); + TALLOC_FREE(frame); return status; } -- 1.9.1 From 6182849ddc0854e86c5a4815316d8a9e719888df Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 2 Mar 2018 17:07:11 +0100 Subject: [PATCH 16/19] s3:auth: pass the whole auth_session_info from copy_session_info_serverinfo_guest() to create_local_token() We only need to adjust sanitized_username in order to keep the same behaviour. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit a2a289d0446fedb4ea40834b5b5b190fdca30906) --- source3/auth/auth_util.c | 51 ++++++++++++++++++++---------------------------- source3/include/auth.h | 5 ++--- 2 files changed, 23 insertions(+), 33 deletions(-) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 4c9f384..2de7f3b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -472,6 +472,26 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return NT_STATUS_LOGON_FAILURE; } + if (server_info->cached_session_info != NULL) { + session_info = copy_session_info(mem_ctx, + server_info->cached_session_info); + if (session_info == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* This is a potentially untrusted username for use in %U */ + alpha_strcpy(tmp, smb_username, ". _-$", sizeof(tmp)); + session_info->unix_info->sanitized_username = + talloc_strdup(session_info->unix_info, tmp); + if (session_info->unix_info->sanitized_username == NULL) { + TALLOC_FREE(session_info); + return NT_STATUS_NO_MEMORY; + } + + *session_info_out = session_info; + return NT_STATUS_OK; + } + session_info = talloc_zero(mem_ctx, struct auth_session_info); if (!session_info) { return NT_STATUS_NO_MEMORY; @@ -526,30 +546,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return status; } - if (server_info->security_token) { - /* Just copy the token, it has already been finalised - * (nasty hack to support a cached guest/system session_info - */ - - session_info->security_token = dup_nt_token(session_info, server_info->security_token); - if (!session_info->security_token) { - TALLOC_FREE(session_info); - return NT_STATUS_NO_MEMORY; - } - - session_info->unix_token->ngroups = server_info->utok.ngroups; - if (server_info->utok.ngroups != 0) { - session_info->unix_token->groups = (gid_t *)talloc_memdup( - session_info->unix_token, server_info->utok.groups, - sizeof(gid_t)*session_info->unix_token->ngroups); - } else { - session_info->unix_token->groups = NULL; - } - - *session_info_out = session_info; - return NT_STATUS_OK; - } - /* * If winbind is not around, we can not make much use of the SIDs the * domain controller provided us with. Likewise if the user name was @@ -1560,12 +1556,6 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO * to take the wrong path */ SMB_ASSERT(src->security_token); - dst->security_token = dup_nt_token(dst, src->security_token); - if (!dst->security_token) { - TALLOC_FREE(dst); - return NULL; - } - dst->session_key = data_blob_talloc( dst, src->session_key.data, src->session_key.length); @@ -1588,6 +1578,7 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO return NULL; } + dst->cached_session_info = src; return dst; } diff --git a/source3/include/auth.h b/source3/include/auth.h index d305537..31a1f20 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -34,15 +34,14 @@ struct auth_serversupplied_info { struct security_unix_token utok; /* - * NT group information taken from the info3 structure + * A complete auth_session_info * * This is not normally filled in, during the typical * authentication process. If filled in, it has already been * finalised by a nasty hack to support a cached guest/system * session_info */ - - struct security_token *security_token; + const struct auth_session_info *cached_session_info; /* These are the intermediate session keys, as provided by a * NETLOGON server and used by NTLMSSP to negotiate key -- 1.9.1 From 38372cbe11abd01e0a9dd7219cba0736b7e08b5b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 2 Mar 2018 14:39:44 +0100 Subject: [PATCH 17/19] s3:auth: add make_{server,session}_info_anonymous() It's important to have them separated from make_{server,session}_info_guest(), because there's a fundamental difference between anonymous (the client requested no authentication) and guest (the server lies about the authentication failure). The following is the difference between guest and anonymous token: security_token: struct security_token - num_sids : 0x0000000a (10) - sids: ARRAY(10) - sids : S-1-5-21-3793881525-3372187982-3724979742-501 - sids : S-1-5-21-3793881525-3372187982-3724979742-514 - sids : S-1-22-2-65534 - sids : S-1-22-2-65533 + num_sids : 0x00000009 (9) + sids: ARRAY(9) + sids : S-1-5-7 sids : S-1-1-0 sids : S-1-5-2 - sids : S-1-5-32-546 sids : S-1-22-1-65533 + sids : S-1-22-2-65534 + sids : S-1-22-2-100004 sids : S-1-22-2-100002 sids : S-1-22-2-100003 + sids : S-1-22-2-65533 privilege_mask : 0x0000000000000000 (0) ... unix_token : * unix_token: struct security_unix_token uid : 0x000000000000fffd (65533) gid : 0x000000000000fffe (65534) - ngroups : 0x00000004 (4) - groups: ARRAY(4) + ngroups : 0x00000005 (5) + groups: ARRAY(5) groups : 0x000000000000fffe (65534) - groups : 0x000000000000fffd (65533) + groups : 0x00000000000186a4 (100004) groups : 0x00000000000186a2 (100002) groups : 0x00000000000186a3 (100003) + groups : 0x000000000000fffd (65533) info: struct auth_user_info account_name : * - account_name : 'nobody' + account_name : 'ANONYMOUS LOGON' user_principal_name : NULL user_principal_constructed: 0x00 (0) domain_name : * - domain_name : 'SAMBA-TEST' + domain_name : 'NT AUTHORITY' dns_domain_name : NULL - full_name : NULL - logon_script : NULL - profile_path : NULL - home_directory : NULL - home_drive : NULL - logon_server : NULL + full_name : * + full_name : 'Anonymous Logon' + logon_script : * + logon_script : '' + profile_path : * + profile_path : '' + home_directory : * + home_directory : '' + home_drive : * + home_drive : '' + logon_server : * + logon_server : 'LOCALNT4DC2' last_logon : NTTIME(0) last_logoff : NTTIME(0) acct_expiry : NTTIME(0) last_password_change : NTTIME(0) allow_password_change : NTTIME(0) force_password_change : NTTIME(0) logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) - acct_flags : 0x00000000 (0) + acct_flags : 0x00000010 (16) authenticated : 0x00 (0) security_token: struct security_token num_sids : 0x00000006 (6) sids: ARRAY(6) + sids : S-1-5-7 + sids : S-1-1-0 + sids : S-1-5-2 sids : S-1-22-1-65533 sids : S-1-22-2-65534 sids : S-1-22-2-65533 - sids : S-1-1-0 - sids : S-1-5-2 - sids : S-1-5-32-546 privilege_mask : 0x0000000000000000 (0) BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (similar to commit 6afb6b67a198c88ab8fa3fee931729c43605716d) --- source3/auth/auth_util.c | 143 ++++++++++++++++++++++++++++++++++++++++++++++- source3/auth/proto.h | 4 ++ 2 files changed, 146 insertions(+), 1 deletion(-) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 2de7f3b..c6fd5da 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1457,6 +1457,87 @@ done: return status; } +static NTSTATUS make_new_session_info_anonymous(TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info) +{ + TALLOC_CTX *frame = talloc_stackframe(); + const char *guest_account = lp_guest_account(); + struct auth_user_info_dc *user_info_dc = NULL; + struct passwd *pwd = NULL; + uint32_t hint_flags = 0; + uint32_t session_info_flags = 0; + NTSTATUS status; + + /* + * We use the guest account for the unix token + * while we use a true anonymous nt token. + * + * It's very important to have a separate + * nt token for anonymous. + */ + + pwd = Get_Pwnam_alloc(frame, guest_account); + if (pwd == NULL) { + DBG_ERR("Unable to locate guest account [%s]!\n", + guest_account); + status = NT_STATUS_NO_SUCH_USER; + goto done; + } + + status = auth_anonymous_user_info_dc(frame, lp_netbios_name(), + &user_info_dc); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("auth_anonymous_user_info_dc failed: %s\n", + nt_errstr(status))); + goto done; + } + + /* + * Note we don't pass AUTH3_UNIX_HINT_QUALIFIED_NAME + * nor AUTH3_UNIX_HINT_ISOLATED_NAME here + * as we want the unix name be found by getpwuid_alloc(). + */ + + status = auth3_user_info_dc_add_hints(user_info_dc, + pwd->pw_uid, + pwd->pw_gid, + hint_flags); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("auth3_user_info_dc_add_hints failed: %s\n", + nt_errstr(status))); + goto done; + } + + /* + * In future we may want to remove + * AUTH_SESSION_INFO_DEFAULT_GROUPS. + * + * Similar to Windows with EveryoneIncludesAnonymous + * and RestrictAnonymous. + * + * We may introduce AUTH_SESSION_INFO_ANON_WORLD... + * + * But for this is required to keep the existing tests + * working. + */ + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; + status = auth3_session_info_create(mem_ctx, user_info_dc, + "", + session_info_flags, + session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("auth3_session_info_create failed: %s\n", + nt_errstr(status))); + goto done; + } + +done: + TALLOC_FREE(frame); + return status; +} + /**************************************************************************** Fake a auth_session_info just from a username (as a session_info structure, with create_local_token() already called on @@ -1637,15 +1718,30 @@ bool session_info_set_session_key(struct auth_session_info *info, } static struct auth_session_info *guest_info = NULL; +static struct auth_session_info *anonymous_info = NULL; static struct auth_serversupplied_info *guest_server_info = NULL; bool init_guest_info(void) { + NTSTATUS status; + if (guest_info != NULL) return true; - return NT_STATUS_IS_OK(make_new_session_info_guest(&guest_info, &guest_server_info)); + status = make_new_session_info_guest(&guest_info, + &guest_server_info); + if (!NT_STATUS_IS_OK(status)) { + return false; + } + + status = make_new_session_info_anonymous(NULL, + &anonymous_info); + if (!NT_STATUS_IS_OK(status)) { + return false; + } + + return true; } NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx, @@ -1666,6 +1762,51 @@ NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx, return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; } +NTSTATUS make_server_info_anonymous(TALLOC_CTX *mem_ctx, + struct auth_serversupplied_info **server_info) +{ + if (anonymous_info == NULL) { + return NT_STATUS_UNSUCCESSFUL; + } + + /* + * This is trickier than it would appear to need to be because + * we are trying to avoid certain costly operations when the + * structure is converted to a 'auth_session_info' again in + * create_local_token() + * + * We use a guest server_info, but with the anonymous session info, + * which means create_local_token() will return a copy + * of the anonymous token. + * + * The server info is just used as legacy in order to + * keep existing code working. Maybe some debug messages + * will still refer to guest instead of anonymous. + */ + *server_info = copy_session_info_serverinfo_guest(mem_ctx, anonymous_info, + guest_server_info); + if (*server_info == NULL) { + return NT_STATUS_NO_MEMORY; + } + + return NT_STATUS_OK; +} + +NTSTATUS make_session_info_anonymous(TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info) +{ + if (anonymous_info == NULL) { + return NT_STATUS_UNSUCCESSFUL; + } + + *session_info = copy_session_info(mem_ctx, anonymous_info); + if (*session_info == NULL) { + return NT_STATUS_NO_MEMORY; + } + + return NT_STATUS_OK; +} + static struct auth_session_info *system_info = NULL; NTSTATUS init_system_session_info(void) diff --git a/source3/auth/proto.h b/source3/auth/proto.h index 96b08e3..85f5698 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -280,6 +280,10 @@ NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **server_info); NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx, struct auth_session_info **server_info); +NTSTATUS make_server_info_anonymous(TALLOC_CTX *mem_ctx, + struct auth_serversupplied_info **server_info); +NTSTATUS make_session_info_anonymous(TALLOC_CTX *mem_ctx, + struct auth_session_info **psession_info); NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx, struct auth_session_info **session_info); const struct auth_session_info *get_session_info_system(void); -- 1.9.1 From 8c6b77116578b1dda63ad1b681ba45d0e5f85f29 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 2 Mar 2018 14:40:19 +0100 Subject: [PATCH 18/19] s3:rpc_server: make use of make_session_info_anonymous() For unauthenticated connections we should default to a session info with an anonymous nt token. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 0ee9a550944034718ea188b277cca4b6fc5fbc5c) --- source3/rpc_server/rpc_server.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c index 94335b3..73a334a 100644 --- a/source3/rpc_server/rpc_server.c +++ b/source3/rpc_server/rpc_server.c @@ -1107,14 +1107,11 @@ void dcerpc_ncacn_accept(struct tevent_context *ev_ctx, } if (ncacn_conn->session_info == NULL) { - /* - * TODO: use auth_anonymous_session_info() here? - */ - status = make_session_info_guest(ncacn_conn, - &ncacn_conn->session_info); + status = make_session_info_anonymous(ncacn_conn, + &ncacn_conn->session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(2, ("Failed to create " - "make_session_info_guest - %s\n", + "make_session_info_anonymous - %s\n", nt_errstr(status))); talloc_free(ncacn_conn); return; -- 1.9.1 From 8e4b2b458daaac82bef399c4eaa9177e136e1cb9 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 2 Mar 2018 14:40:19 +0100 Subject: [PATCH 19/19] s3:auth: make use of make_{server,session}_info_anonymous() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It's important to have them separated from make_{server,session}_info_guest(), because there's a fundamental difference between anonymous (the client requested no authentication) and guest (the server lies about the authentication failure). When it's really an anonymous connection, we should reflect that in the resulting session info. This should fix a problem where Windows 10 tries to join a Samba hosted NT4 domain and has SMB2/3 enabled. We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST for true anonymous connections. The commit message from a few commit before shows the resulting auth_session_info change. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144 (cherry picked from commit 1957bf11f127fc08c6622999cadc7dd580ac7d3b) --- selftest/knownfail.d/anonymous-guest | 1 - source3/auth/auth_builtin.c | 2 +- source3/auth/auth_ntlmssp.c | 5 +---- 3 files changed, 2 insertions(+), 6 deletions(-) delete mode 100644 selftest/knownfail.d/anonymous-guest diff --git a/selftest/knownfail.d/anonymous-guest b/selftest/knownfail.d/anonymous-guest deleted file mode 100644 index a134cec..0000000 --- a/selftest/knownfail.d/anonymous-guest +++ /dev/null @@ -1 +0,0 @@ -^samba3.smbtorture_s3.*nt4_dc.*.SMB2-ANONYMOUS.smbtorture diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 0fa95d9..a2d95a7 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -81,7 +81,7 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, break; } - return make_server_info_guest(NULL, server_info); + return make_server_info_anonymous(NULL, server_info); } /* Guest modules initialisation */ diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index fd629fd..2e345e1 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -65,10 +65,7 @@ NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context, cmp = dom_sid_compare(sid, &global_sid_Anonymous); if (cmp == 0) { - /* - * TODO: use auth_anonymous_session_info() here? - */ - return make_session_info_guest(mem_ctx, session_info); + return make_session_info_anonymous(mem_ctx, session_info); } return NT_STATUS_INTERNAL_ERROR; -- 1.9.1