From e989778d9b53ef183a2f692c4aa2f71128b81dab Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 15 Mar 2018 17:40:07 +0100 Subject: [PATCH 01/19] s3:torture: add SMB2-ANONYMOUS which asserts no GUEST bit for anonymous BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 82d8aa3b9cb15512d29a97b5a7e55ea1a052734f) --- source3/torture/proto.h | 1 + source3/torture/test_smb2.c | 42 ++++++++++++++++++++++++++++++++++++++++++ source3/torture/torture.c | 1 + 3 files changed, 44 insertions(+) diff --git a/source3/torture/proto.h b/source3/torture/proto.h index 4c3e540..6f12ff7 100644 --- a/source3/torture/proto.h +++ b/source3/torture/proto.h @@ -95,6 +95,7 @@ bool run_nttrans_create(int dummy); bool run_nttrans_fsctl(int dummy); bool run_smb2_basic(int dummy); bool run_smb2_negprot(int dummy); +bool run_smb2_anonymous(int dummy); bool run_smb2_session_reconnect(int dummy); bool run_smb2_tcon_dependence(int dummy); bool run_smb2_multi_channel(int dummy); diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c index 297c3ab..897d034 100644 --- a/source3/torture/test_smb2.c +++ b/source3/torture/test_smb2.c @@ -24,6 +24,7 @@ #include "../libcli/smb/smbXcli_base.h" #include "libcli/security/security.h" #include "libsmb/proto.h" +#include "auth/credentials/credentials.h" #include "auth/gensec/gensec.h" #include "auth_generic.h" #include "../librpc/ndr/libndr.h" @@ -274,6 +275,47 @@ bool run_smb2_negprot(int dummy) return true; } +bool run_smb2_anonymous(int dummy) +{ + struct cli_state *cli = NULL; + NTSTATUS status; + struct cli_credentials *anon_creds = NULL; + bool guest = false; + + printf("Starting SMB2-ANONYMOUS\n"); + + if (!torture_init_connection(&cli)) { + return false; + } + + status = smbXcli_negprot(cli->conn, cli->timeout, + PROTOCOL_SMB2_02, PROTOCOL_LATEST); + if (!NT_STATUS_IS_OK(status)) { + printf("smbXcli_negprot returned %s\n", nt_errstr(status)); + return false; + } + + anon_creds = cli_credentials_init_anon(talloc_tos()); + if (anon_creds == NULL) { + printf("cli_credentials_init_anon failed\n"); + return false; + } + + status = cli_session_setup_creds(cli, anon_creds); + if (!NT_STATUS_IS_OK(status)) { + printf("cli_session_setup returned %s\n", nt_errstr(status)); + return false; + } + + guest = smbXcli_session_is_guest(cli->smb2.session); + if (guest) { + printf("anonymous session should not have guest authentication\n"); + return false; + } + + return true; +} + bool run_smb2_session_reconnect(int dummy) { struct cli_state *cli1; diff --git a/source3/torture/torture.c b/source3/torture/torture.c index 72efcb2..1709e94 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -11644,6 +11644,7 @@ static struct { { "NOTIFY-ONLINE", run_notify_online }, { "SMB2-BASIC", run_smb2_basic }, { "SMB2-NEGPROT", run_smb2_negprot }, + { "SMB2-ANONYMOUS", run_smb2_anonymous }, { "SMB2-SESSION-RECONNECT", run_smb2_session_reconnect }, { "SMB2-TCON-DEPENDENCE", run_smb2_tcon_dependence }, { "SMB2-MULTI-CHANNEL", run_smb2_multi_channel }, -- 1.9.1 From a4fc7236ffb004b747faaf12a612e3142159172c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 15 Mar 2018 18:04:21 +0100 Subject: [PATCH 02/19] s3:selftest: run SMB2-ANONYMOUS This fails against a non AD DC smbd. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit bf707a1eba39e996bb19457b63ddb658cc4183c2) --- selftest/knownfail.d/anonymous-guest | 1 + source3/selftest/tests.py | 1 + 2 files changed, 2 insertions(+) create mode 100644 selftest/knownfail.d/anonymous-guest diff --git a/selftest/knownfail.d/anonymous-guest b/selftest/knownfail.d/anonymous-guest new file mode 100644 index 0000000..a134cec --- /dev/null +++ b/selftest/knownfail.d/anonymous-guest @@ -0,0 +1 @@ +^samba3.smbtorture_s3.*nt4_dc.*.SMB2-ANONYMOUS.smbtorture diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 108d0c4..e40150b 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -78,6 +78,7 @@ tests = ["FDPASS", "LOCK1", "LOCK2", "LOCK3", "LOCK4", "LOCK5", "LOCK6", "LOCK7" "GETADDRINFO", "UID-REGRESSION-TEST", "SHORTNAME-TEST", "CASE-INSENSITIVE-CREATE", "SMB2-BASIC", "NTTRANS-FSCTL", "SMB2-NEGPROT", "SMB2-SESSION-REAUTH", "SMB2-SESSION-RECONNECT", "SMB2-FTRUNCATE", + "SMB2-ANONYMOUS", "CLEANUP1", "CLEANUP2", "CLEANUP4", -- 1.9.1 From 644243f876ffe8d55e2edb554d189fbb5f63e902 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Wed, 14 Mar 2018 11:44:49 +0100 Subject: [PATCH 03/19] libcli/security: only announce a session as GUEST if 'Builtin\Guests' is there without 'Authenticated User' BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit f564847c8e9d31fe07dd3cbf435986b36f097fa3) --- libcli/security/session.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/libcli/security/session.c b/libcli/security/session.c index 0fbb87d..f17e884 100644 --- a/libcli/security/session.c +++ b/libcli/security/session.c @@ -26,6 +26,9 @@ enum security_user_level security_session_user_level(struct auth_session_info *session_info, const struct dom_sid *domain_sid) { + bool authenticated = false; + bool guest = false; + if (!session_info) { return SECURITY_ANONYMOUS; } @@ -38,8 +41,13 @@ enum security_user_level security_session_user_level(struct auth_session_info *s return SECURITY_ANONYMOUS; } - if (security_token_has_builtin_guests(session_info->security_token)) { - return SECURITY_GUEST; + authenticated = security_token_has_nt_authenticated_users(session_info->security_token); + guest = security_token_has_builtin_guests(session_info->security_token); + if (!authenticated) { + if (guest) { + return SECURITY_GUEST; + } + return SECURITY_ANONYMOUS; } if (security_token_has_builtin_administrators(session_info->security_token)) { @@ -60,9 +68,5 @@ enum security_user_level security_session_user_level(struct auth_session_info *s return SECURITY_DOMAIN_CONTROLLER; } - if (security_token_has_nt_authenticated_users(session_info->security_token)) { - return SECURITY_USER; - } - - return SECURITY_ANONYMOUS; + return SECURITY_USER; } -- 1.9.1 From cead3f4419dd14f1334a4cf54e82612a0aece68b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 1 Mar 2018 18:05:28 +0100 Subject: [PATCH 04/19] s3:auth: remove unused auth_serversupplied_info->system BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 28ad1306b880a44824ee956a19656ac29581a1b9) --- source3/auth/auth_util.c | 1 - source3/include/auth.h | 1 - 2 files changed, 2 deletions(-) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1021f2a..4ae9dad 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1045,7 +1045,6 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO SMB_ASSERT(src->unix_info); dst->guest = true; - dst->system = false; /* This element must be provided to convert back to an * auth_serversupplied_info. This needs to be from the diff --git a/source3/include/auth.h b/source3/include/auth.h index b7223c1..d305537 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -30,7 +30,6 @@ struct extra_auth_info { struct auth_serversupplied_info { bool guest; - bool system; struct security_unix_token utok; -- 1.9.1 From 30ff9f3609870ffd949e6653da3b008bdce4cda1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 2 Mar 2018 16:37:58 +0100 Subject: [PATCH 05/19] s3:auth: add the "Unix Groups" sid for the primary gid The primary gid might not be in the gid array. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit f3ca3e71cc35876df47e31ec9c3643308add2405) --- source3/auth/auth_util.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 4ae9dad..2aa4038 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -660,7 +660,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, */ uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid); + add_sid_to_array_unique(session_info->security_token, &tmp_sid, + &session_info->security_token->sids, + &session_info->security_token->num_sids); + gid_to_unix_groups_sid(session_info->unix_token->gid, &tmp_sid); add_sid_to_array_unique(session_info->security_token, &tmp_sid, &session_info->security_token->sids, &session_info->security_token->num_sids); -- 1.9.1 From 6b1be02ff52365047fbed761c64f3f51c08af0c5 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Mar 2018 17:14:34 +0100 Subject: [PATCH 06/19] s3:auth: move add_local_groups() out of finalize_local_nt_token() finalize_local_nt_token() will be used in another place, were we don't want to add local groups in a following commit. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit df3d278853ec097df27c221369dfb3ed0297d6c8) --- source3/auth/token_util.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 03c4b64..e5a12db 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -208,6 +208,8 @@ static NTSTATUS add_builtin_administrators(struct security_token *token, return NT_STATUS_OK; } +static NTSTATUS add_local_groups(struct security_token *result, + bool is_guest); static NTSTATUS finalize_local_nt_token(struct security_token *result, bool is_guest); @@ -323,6 +325,13 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx, } } + status = add_local_groups(usrtok, is_guest); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("Failed to add local groups\n")); + TALLOC_FREE(usrtok); + return status; + } + status = finalize_local_nt_token(usrtok, is_guest); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("Failed to finalize nt token\n")); @@ -392,6 +401,12 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, } } + status = add_local_groups(result, is_guest); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(result); + return NULL; + } + status = finalize_local_nt_token(result, is_guest); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(result); @@ -502,13 +517,6 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, NTSTATUS status; struct acct_info *info; - /* Add any local groups. */ - - status = add_local_groups(result, is_guest); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - /* Add in BUILTIN sids */ status = add_sid_to_array(result, &global_sid_World, -- 1.9.1 From 043a82d1564c2c545f96c4c13f66b8a2ae418031 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 13 Mar 2018 21:35:48 +0100 Subject: [PATCH 07/19] s3:passdb: handle dom_sid=NULL in create_builtin_{users,administrators}() We should not crash if we're called with NULL. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit efdc617c76d9043286e33b961f45ad4564232102) --- source3/passdb/pdb_util.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/source3/passdb/pdb_util.c b/source3/passdb/pdb_util.c index bf7b2b8..309eb89 100644 --- a/source3/passdb/pdb_util.c +++ b/source3/passdb/pdb_util.c @@ -130,8 +130,9 @@ NTSTATUS create_builtin_users(const struct dom_sid *dom_sid) } /* add domain users */ - if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) - && sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS)) + if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) && + (dom_sid != NULL) && + sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS)) { status = add_sid_to_builtin(&global_sid_Builtin_Users, &dom_users); @@ -159,8 +160,9 @@ NTSTATUS create_builtin_administrators(const struct dom_sid *dom_sid) } /* add domain admins */ - if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) - && sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS)) + if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) && + (dom_sid != NULL) && + sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS)) { status = add_sid_to_builtin(&global_sid_Builtin_Administrators, &dom_admins); -- 1.9.1 From e81904d64c5c92f2f682387bccff7da8ac906ff8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 13 Mar 2018 21:38:27 +0100 Subject: [PATCH 08/19] s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit c2ffbf9f764a94ef1dc1280741884cf63a017308) --- source3/auth/token_util.c | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index e5a12db..f3d24cd 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -190,6 +190,9 @@ static NTSTATUS add_builtin_administrators(struct security_token *token, if ( IS_DC ) { sid_copy( &domadm, get_global_sam_sid() ); } else { + if (dom_sid == NULL) { + return NT_STATUS_INVALID_PARAMETER_MIX; + } sid_copy(&domadm, dom_sid); } sid_append_rid( &domadm, DOMAIN_RID_ADMINS ); @@ -513,9 +516,11 @@ static NTSTATUS add_local_groups(struct security_token *result, static NTSTATUS finalize_local_nt_token(struct security_token *result, bool is_guest) { - struct dom_sid dom_sid; + struct dom_sid _dom_sid = { 0, }; + struct dom_sid *domain_sid = NULL; NTSTATUS status; struct acct_info *info; + bool ok; /* Add in BUILTIN sids */ @@ -547,6 +552,16 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, } } + become_root(); + ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid); + if (ok) { + domain_sid = &_dom_sid; + } else { + DEBUG(3, ("Failed to fetch domain sid for %s\n", + lp_workgroup())); + } + unbecome_root(); + info = talloc_zero(talloc_tos(), struct acct_info); if (info == NULL) { DEBUG(0, ("talloc failed!\n")); @@ -561,18 +576,12 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, if (!NT_STATUS_IS_OK(status)) { become_root(); - if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) { - status = NT_STATUS_OK; - DEBUG(3, ("Failed to fetch domain sid for %s\n", - lp_workgroup())); - } else { - status = create_builtin_administrators(&dom_sid); - } + status = create_builtin_administrators(domain_sid); unbecome_root(); if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) { /* Add BUILTIN\Administrators directly to token. */ - status = add_builtin_administrators(result, &dom_sid); + status = add_builtin_administrators(result, domain_sid); if ( !NT_STATUS_IS_OK(status) ) { DEBUG(3, ("Failed to check for local " "Administrators membership (%s)\n", @@ -593,13 +602,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, if (!NT_STATUS_IS_OK(status)) { become_root(); - if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) { - status = NT_STATUS_OK; - DEBUG(3, ("Failed to fetch domain sid for %s\n", - lp_workgroup())); - } else { - status = create_builtin_users(&dom_sid); - } + status = create_builtin_users(domain_sid); unbecome_root(); if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) && -- 1.9.1 From 7893d5084cf7834916b05d381d4e47dc042d0575 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Mar 2018 23:26:28 +0100 Subject: [PATCH 09/19] s3:auth: add add_builtin_guests() handling to finalize_local_nt_token() We should add Builtin_Guests depending on the current token not based on 'is_guest'. Even authenticated users can be member a guest related group and therefore get Builtin_Guests. Sadly we still need to use 'is_guest' within create_local_nt_token() as we only have S-1-22-* SIDs there and still need to add Builtin_Guests. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit e8dc55d2b969b670322a913799d1af459a1000e7) --- source3/auth/token_util.c | 122 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 114 insertions(+), 8 deletions(-) diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index f3d24cd..30f2f8d3 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -211,6 +211,74 @@ static NTSTATUS add_builtin_administrators(struct security_token *token, return NT_STATUS_OK; } +static NTSTATUS add_builtin_guests(struct security_token *token, + const struct dom_sid *dom_sid) +{ + struct dom_sid tmp_sid; + NTSTATUS status; + + /* + * First check the local GUEST account. + */ + sid_copy(&tmp_sid, get_global_sam_sid()); + sid_append_rid(&tmp_sid, DOMAIN_RID_GUEST); + + if (nt_token_check_sid(&tmp_sid, token)) { + status = add_sid_to_array_unique(token, + &global_sid_Builtin_Guests, + &token->sids, &token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return NT_STATUS_OK; + } + + /* + * First check the local GUESTS group. + */ + sid_copy(&tmp_sid, get_global_sam_sid()); + sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS); + + if (nt_token_check_sid(&tmp_sid, token)) { + status = add_sid_to_array_unique(token, + &global_sid_Builtin_Guests, + &token->sids, &token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return NT_STATUS_OK; + } + + if (lp_server_role() != ROLE_DOMAIN_MEMBER) { + return NT_STATUS_OK; + } + + if (dom_sid == NULL) { + return NT_STATUS_INVALID_PARAMETER_MIX; + } + + /* + * First check the domain GUESTS group. + */ + sid_copy(&tmp_sid, dom_sid); + sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS); + + if (nt_token_check_sid(&tmp_sid, token)) { + status = add_sid_to_array_unique(token, + &global_sid_Builtin_Guests, + &token->sids, &token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return NT_STATUS_OK; + } + + return NT_STATUS_OK; +} + static NTSTATUS add_local_groups(struct security_token *result, bool is_guest); static NTSTATUS finalize_local_nt_token(struct security_token *result, @@ -416,6 +484,29 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, return NULL; } + if (is_guest) { + /* + * It's ugly, but for now it's + * needed to add Builtin_Guests + * here, the "local" token only + * consist of S-1-22-* SIDs + * and finalize_local_nt_token() + * doesn't have the chance to + * to detect it need to + * add Builtin_Guests via + * add_builtin_guests(). + */ + status = add_sid_to_array_unique(result, + &global_sid_Builtin_Guests, + &result->sids, + &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("Failed to add SID to nt token\n")); + TALLOC_FREE(result); + return NULL; + } + } + return result; } @@ -535,14 +626,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, return status; } - if (is_guest) { - status = add_sid_to_array(result, &global_sid_Builtin_Guests, - &result->sids, - &result->num_sids); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - } else { + if (!is_guest) { status = add_sid_to_array(result, &global_sid_Authenticated_Users, &result->sids, @@ -613,6 +697,28 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, } } + /* + * Add BUILTIN\Guests directly to token. + * But only if the token already indicates + * real guest access by: + * - local GUEST account + * - local GUESTS group + * - domain GUESTS group + * + * Even if a user was authenticated, it + * can be member of a guest related group. + */ + status = add_builtin_guests(result, domain_sid); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("Failed to check for local " + "Guests membership (%s)\n", + nt_errstr(status))); + /* + * This is a hard error. + */ + return status; + } + TALLOC_FREE(info); /* Deal with local groups */ -- 1.9.1 From 26ff4a3a602632a2133f7763225c707e6b192d1d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Mar 2018 23:36:03 +0100 Subject: [PATCH 10/19] s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 4f81ef9353ad76390aa910c8c17456fec21916c6) --- source3/auth/token_util.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 30f2f8d3..6ebfa54 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -613,6 +613,13 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, struct acct_info *info; bool ok; + result->privilege_mask = 0; + result->rights_mask = 0; + + if (result->num_sids == 0) { + return NT_STATUS_INVALID_TOKEN; + } + /* Add in BUILTIN sids */ status = add_sid_to_array(result, &global_sid_World, @@ -626,6 +633,23 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, return status; } + /* + * Don't expand nested groups of system, anonymous etc + * + * Note that they still get SID_WORLD and SID_NETWORK + * for now in order let existing tests pass. + * + * But SYSTEM doesn't get AUTHENTICATED_USERS + * and ANONYMOUS doesn't get BUILTIN GUESTS anymore. + */ + if (security_token_is_anonymous(result)) { + return NT_STATUS_OK; + } + if (security_token_is_system(result)) { + result->privilege_mask = ~0; + return NT_STATUS_OK; + } + if (!is_guest) { status = add_sid_to_array(result, &global_sid_Authenticated_Users, -- 1.9.1 From af7414ac236e7f26ae1acbd19e13dd79ee778e8a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Mar 2018 23:40:10 +0100 Subject: [PATCH 11/19] s3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit d3aae5ba65c7ed0d5e9f8389101cf1c8c1f0a25b) --- source3/auth/token_util.c | 58 +++++++++++++++++++++++++++++++---------------- 1 file changed, 39 insertions(+), 19 deletions(-) diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index 6ebfa54..acb916a 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -282,7 +282,7 @@ static NTSTATUS add_builtin_guests(struct security_token *token, static NTSTATUS add_local_groups(struct security_token *result, bool is_guest); static NTSTATUS finalize_local_nt_token(struct security_token *result, - bool is_guest); + uint32_t session_info_flags); NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3, const struct extra_auth_info *extra, @@ -313,6 +313,7 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx, struct security_token **ntok) { struct security_token *usrtok = NULL; + uint32_t session_info_flags = 0; NTSTATUS status; int i; @@ -403,7 +404,12 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx, return status; } - status = finalize_local_nt_token(usrtok, is_guest); + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + if (!is_guest) { + session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } + + status = finalize_local_nt_token(usrtok, session_info_flags); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("Failed to finalize nt token\n")); TALLOC_FREE(usrtok); @@ -427,6 +433,7 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, struct security_token *result = NULL; int i; NTSTATUS status; + uint32_t session_info_flags = 0; DEBUG(10, ("Create local NT token for %s\n", sid_string_dbg(user_sid))); @@ -478,7 +485,12 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, return NULL; } - status = finalize_local_nt_token(result, is_guest); + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + if (!is_guest) { + session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } + + status = finalize_local_nt_token(result, session_info_flags); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(result); return NULL; @@ -605,7 +617,7 @@ static NTSTATUS add_local_groups(struct security_token *result, } static NTSTATUS finalize_local_nt_token(struct security_token *result, - bool is_guest) + uint32_t session_info_flags) { struct dom_sid _dom_sid = { 0, }; struct dom_sid *domain_sid = NULL; @@ -620,17 +632,17 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, return NT_STATUS_INVALID_TOKEN; } - /* Add in BUILTIN sids */ - - status = add_sid_to_array(result, &global_sid_World, - &result->sids, &result->num_sids); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - status = add_sid_to_array(result, &global_sid_Network, - &result->sids, &result->num_sids); - if (!NT_STATUS_IS_OK(status)) { - return status; + if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) { + status = add_sid_to_array(result, &global_sid_World, + &result->sids, &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + status = add_sid_to_array(result, &global_sid_Network, + &result->sids, &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { + return status; + } } /* @@ -650,7 +662,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, return NT_STATUS_OK; } - if (!is_guest) { + if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) { status = add_sid_to_array(result, &global_sid_Authenticated_Users, &result->sids, @@ -660,6 +672,8 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, } } + /* Add in BUILTIN sids */ + become_root(); ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid); if (ok) { @@ -772,10 +786,16 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, unbecome_root(); } - /* Add privileges based on current user sids */ - get_privileges_for_sids(&result->privilege_mask, result->sids, - result->num_sids); + if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) { + if (security_token_has_builtin_administrators(result)) { + result->privilege_mask = ~0; + } + } else { + /* Add privileges based on current user sids */ + get_privileges_for_sids(&result->privilege_mask, result->sids, + result->num_sids); + } return NT_STATUS_OK; } -- 1.9.1 From ee10f0abc2170dbc8a0744d1c79fcef624df0d66 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Mar 2018 23:45:30 +0100 Subject: [PATCH 12/19] s3:auth: remove static from finalize_local_nt_token() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 7f47f9e1f220d2dd547cf77bbc292357a2173870) --- source3/auth/proto.h | 2 ++ source3/auth/token_util.c | 6 ++---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/source3/auth/proto.h b/source3/auth/proto.h index 3942815..d3403f1 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -359,6 +359,8 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, bool is_guest, int num_groupsids, const struct dom_sid *groupsids); +NTSTATUS finalize_local_nt_token(struct security_token *result, + uint32_t session_info_flags); NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3, const struct extra_auth_info *extra, struct dom_sid *sid); diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index acb916a..f015f8d 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -281,8 +281,6 @@ static NTSTATUS add_builtin_guests(struct security_token *token, static NTSTATUS add_local_groups(struct security_token *result, bool is_guest); -static NTSTATUS finalize_local_nt_token(struct security_token *result, - uint32_t session_info_flags); NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3, const struct extra_auth_info *extra, @@ -616,8 +614,8 @@ static NTSTATUS add_local_groups(struct security_token *result, return NT_STATUS_OK; } -static NTSTATUS finalize_local_nt_token(struct security_token *result, - uint32_t session_info_flags) +NTSTATUS finalize_local_nt_token(struct security_token *result, + uint32_t session_info_flags) { struct dom_sid _dom_sid = { 0, }; struct dom_sid *domain_sid = NULL; -- 1.9.1 From 99462351acf766662859ab4d1bb43417a5ff71d8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 6 Mar 2018 16:38:10 +0100 Subject: [PATCH 13/19] auth: add auth_user_info_copy() function BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 6ff891195855403bc485725aef8d43d4e3cabacb) --- auth/auth_sam_reply.c | 35 +++++++++++++++++++++++++++++++++++ auth/auth_sam_reply.h | 3 +++ 2 files changed, 38 insertions(+) diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c index 15d17b0..bd69515 100644 --- a/auth/auth_sam_reply.c +++ b/auth/auth_sam_reply.c @@ -333,6 +333,41 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx, + const struct auth_user_info *src) +{ + struct auth_user_info *dst = NULL; + + dst = talloc_zero(mem_ctx, struct auth_user_info); + if (dst == NULL) { + return NULL; + } + + *dst = *src; +#define _COPY_STRING(_mem, _str) do { \ + if ((_str) != NULL) { \ + (_str) = talloc_strdup((_mem), (_str)); \ + if ((_str) == NULL) { \ + TALLOC_FREE(dst); \ + return NULL; \ + } \ + } \ +} while(0) + _COPY_STRING(dst, dst->account_name); + _COPY_STRING(dst, dst->user_principal_name); + _COPY_STRING(dst, dst->domain_name); + _COPY_STRING(dst, dst->dns_domain_name); + _COPY_STRING(dst, dst->full_name); + _COPY_STRING(dst, dst->logon_script); + _COPY_STRING(dst, dst->profile_path); + _COPY_STRING(dst, dst->home_directory); + _COPY_STRING(dst, dst->home_drive); + _COPY_STRING(dst, dst->logon_server); +#undef _COPY_STRING + + return dst; +} + /** * Make a user_info_dc struct from the info3 returned by a domain logon */ diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h index 4aa3096..e4b26e9 100644 --- a/auth/auth_sam_reply.h +++ b/auth/auth_sam_reply.h @@ -38,6 +38,9 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx, bool authenticated, struct auth_user_info **_user_info); +struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx, + const struct auth_user_info *src); + NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx, const struct auth_user_info_dc *user_info_dc, struct netr_SamInfo6 **_sam6); -- 1.9.1 From ded4a03e8d1dd81c0bf1ca138fbf02fdd5acb0e3 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 7 Mar 2018 00:21:13 +0100 Subject: [PATCH 14/19] s3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create() These functions make it possible to construct a full auth_session_info from the information available from an auth_user_info_dc structure. This has all the logic from create_local_token() that is used to transform a auth_serversupplied_info to a full auth_session_info. In order to workarround the restriction that auth_user_info_dc doesn't contain hints for the unix token/name, we use the special S-1-5-88 (Unix_NFS) sids: - S-1-5-88-1-Y gives the uid=Y - S-1-5-88-2-Y gives the gid=Y - S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_* The currently implemented flags are: - AUTH3_UNIX_HINT_QUALIFIED_NAME unix_name = DOMAIN+ACCOUNT - AUTH3_UNIX_HINT_ISLOLATED_NAME unix_name = ACCOUNT - AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS Don't translate the nt token SIDS into uid/gids using sid mapping. - AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS Don't translate the unix token uid/gids to S-1-22-X-Y SIDS - AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS The unix token won't get expanded gid values from getgroups_unix_user() By using the hints it is possible to keep the current logic where an authentication backend provides uid/gid values and the unix name. Note the S-1-5-88-* SIDS never appear in the final security_token. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit af4bc135e486e17164da0ea918281fbf689892c3) --- source3/auth/auth_util.c | 552 +++++++++++++++++++++++++++++++++++++++++++++++ source3/auth/proto.h | 32 +++ 2 files changed, 584 insertions(+) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 2aa4038..9d6e802 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -692,6 +692,558 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc, + uid_t uid, + gid_t gid, + uint32_t flags) +{ + uint32_t orig_num_sids = user_info_dc->num_sids; + struct dom_sid tmp_sid = { 0, }; + NTSTATUS status; + + /* + * We add S-5-88-1-X in order to pass the uid + * for the unix token. + */ + sid_compose(&tmp_sid, + &global_sid_Unix_NFS_Users, + (uint32_t)uid); + status = add_sid_to_array_unique(user_info_dc->sids, + &tmp_sid, + &user_info_dc->sids, + &user_info_dc->num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("add_sid_to_array_unique failed: %s\n", + nt_errstr(status))); + goto fail; + } + + /* + * We add S-5-88-2-X in order to pass the gid + * for the unix token. + */ + sid_compose(&tmp_sid, + &global_sid_Unix_NFS_Groups, + (uint32_t)gid); + status = add_sid_to_array_unique(user_info_dc->sids, + &tmp_sid, + &user_info_dc->sids, + &user_info_dc->num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("add_sid_to_array_unique failed: %s\n", + nt_errstr(status))); + goto fail; + } + + /* + * We add S-5-88-3-X in order to pass some flags + * (AUTH3_UNIX_HINT_*) to auth3_create_session_info(). + */ + sid_compose(&tmp_sid, + &global_sid_Unix_NFS_Mode, + flags); + status = add_sid_to_array_unique(user_info_dc->sids, + &tmp_sid, + &user_info_dc->sids, + &user_info_dc->num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("add_sid_to_array_unique failed: %s\n", + nt_errstr(status))); + goto fail; + } + + return NT_STATUS_OK; + +fail: + user_info_dc->num_sids = orig_num_sids; + return status; +} + +NTSTATUS auth3_session_info_create(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *user_info_dc, + const char *original_user_name, + uint32_t session_info_flags, + struct auth_session_info **session_info_out) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct auth_session_info *session_info = NULL; + uid_t hint_uid = -1; + bool found_hint_uid = false; + uid_t hint_gid = -1; + bool found_hint_gid = false; + uint32_t hint_flags = 0; + bool found_hint_flags = false; + bool need_getpwuid = false; + struct unixid *ids = NULL; + uint32_t num_gids = 0; + gid_t *gids = NULL; + struct dom_sid tmp_sid = { 0, }; + fstring tmp = { 0, }; + NTSTATUS status; + size_t i; + bool ok; + + *session_info_out = NULL; + + if (user_info_dc->num_sids == 0) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + if (user_info_dc->info == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + if (user_info_dc->info->account_name == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + session_info = talloc_zero(mem_ctx, struct auth_session_info); + if (session_info == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + /* keep this under frame for easier cleanup */ + talloc_reparent(mem_ctx, frame, session_info); + + session_info->info = auth_user_info_copy(session_info, + user_info_dc->info); + if (session_info->info == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + session_info->security_token = talloc_zero(session_info, + struct security_token); + if (session_info->security_token == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + /* + * Avoid a lot of reallocations and allocate what we'll + * use in most cases. + */ + session_info->security_token->sids = talloc_zero_array( + session_info->security_token, + struct dom_sid, + user_info_dc->num_sids); + if (session_info->security_token->sids == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + for (i = PRIMARY_USER_SID_INDEX; i < user_info_dc->num_sids; i++) { + struct security_token *nt_token = session_info->security_token; + int cmp; + + /* + * S-1-5-88-X-Y sids are only used to give hints + * to the unix token construction. + * + * S-1-5-88-1-Y gives the uid=Y + * S-1-5-88-2-Y gives the gid=Y + * S-1-5-88-3-Y gives flags=Y: AUTH3_UNIX_HINT_* + */ + cmp = dom_sid_compare_domain(&global_sid_Unix_NFS, + &user_info_dc->sids[i]); + if (cmp == 0) { + bool match; + uint32_t hint = 0; + + match = sid_peek_rid(&user_info_dc->sids[i], &hint); + if (!match) { + continue; + } + + match = dom_sid_in_domain(&global_sid_Unix_NFS_Users, + &user_info_dc->sids[i]); + if (match) { + if (found_hint_uid) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + found_hint_uid = true; + hint_uid = (uid_t)hint; + continue; + } + + match = dom_sid_in_domain(&global_sid_Unix_NFS_Groups, + &user_info_dc->sids[i]); + if (match) { + if (found_hint_gid) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + found_hint_gid = true; + hint_gid = (gid_t)hint; + continue; + } + + match = dom_sid_in_domain(&global_sid_Unix_NFS_Mode, + &user_info_dc->sids[i]); + if (match) { + if (found_hint_flags) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + found_hint_flags = true; + hint_flags = hint; + continue; + } + + continue; + } + + status = add_sid_to_array_unique(nt_token->sids, + &user_info_dc->sids[i], + &nt_token->sids, + &nt_token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + } + + /* + * We need at least one usable SID + */ + if (session_info->security_token->num_sids == 0) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + /* + * We need all tree hints: uid, gid, flags + * or none of them. + */ + if (found_hint_uid || found_hint_gid || found_hint_flags) { + if (!found_hint_uid) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + if (!found_hint_gid) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + if (!found_hint_flags) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + } + + if (session_info->info->authenticated) { + session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } + + status = finalize_local_nt_token(session_info->security_token, + session_info_flags); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + + /* + * unless set otherwise, the session key is the user session + * key from the auth subsystem + */ + if (user_info_dc->user_session_key.length != 0) { + session_info->session_key = data_blob_dup_talloc(session_info, + user_info_dc->user_session_key); + if (session_info->session_key.data == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } + + if (!(session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN)) { + goto done; + } + + session_info->unix_token = talloc_zero(session_info, struct security_unix_token); + if (session_info->unix_token == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + session_info->unix_token->uid = -1; + session_info->unix_token->gid = -1; + + session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix); + if (session_info->unix_info == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + /* Convert the SIDs to uid/gids. */ + + ids = talloc_zero_array(frame, struct unixid, + session_info->security_token->num_sids); + if (ids == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + if (!(hint_flags & AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS)) { + ok = sids_to_unixids(session_info->security_token->sids, + session_info->security_token->num_sids, + ids); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } + + if (found_hint_uid) { + session_info->unix_token->uid = hint_uid; + } else if (ids[0].type == ID_TYPE_UID) { + /* + * The primary SID resolves to a UID only. + */ + session_info->unix_token->uid = ids[0].id; + } else if (ids[0].type == ID_TYPE_BOTH) { + /* + * The primary SID resolves to a UID and GID, + * use it as uid and add it as first element + * to the groups array. + */ + session_info->unix_token->uid = ids[0].id; + + ok = add_gid_to_array_unique(session_info->unix_token, + session_info->unix_token->uid, + &session_info->unix_token->groups, + &session_info->unix_token->ngroups); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } else { + /* + * It we can't get a uid, we can't imporsonate + * the user. + */ + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + if (found_hint_gid) { + session_info->unix_token->gid = hint_gid; + } else { + need_getpwuid = true; + } + + if (hint_flags & AUTH3_UNIX_HINT_QUALIFIED_NAME) { + session_info->unix_info->unix_name = + talloc_asprintf(session_info->unix_info, + "%s%c%s", + session_info->info->domain_name, + *lp_winbind_separator(), + session_info->info->account_name); + if (session_info->unix_info->unix_name == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } else if (hint_flags & AUTH3_UNIX_HINT_ISLOLATED_NAME) { + session_info->unix_info->unix_name = + talloc_strdup(session_info->unix_info, + session_info->info->account_name); + if (session_info->unix_info->unix_name == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } else { + need_getpwuid = true; + } + + if (need_getpwuid) { + struct passwd *pwd = NULL; + + /* + * Ask the system for the primary gid + * and the real unix name. + */ + pwd = getpwuid_alloc(frame, session_info->unix_token->uid); + if (pwd == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + if (!found_hint_gid) { + session_info->unix_token->gid = pwd->pw_gid; + } + + session_info->unix_info->unix_name = + talloc_strdup(session_info->unix_info, pwd->pw_name); + if (session_info->unix_info->unix_name == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + TALLOC_FREE(pwd); + } + + ok = add_gid_to_array_unique(session_info->unix_token, + session_info->unix_token->gid, + &session_info->unix_token->groups, + &session_info->unix_token->ngroups); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + /* This is a potentially untrusted username for use in %U */ + alpha_strcpy(tmp, original_user_name, ". _-$", sizeof(tmp)); + session_info->unix_info->sanitized_username = + talloc_strdup(session_info->unix_info, tmp); + if (session_info->unix_info->sanitized_username == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + for (i=0; i < session_info->security_token->num_sids; i++) { + + if (ids[i].type != ID_TYPE_GID && + ids[i].type != ID_TYPE_BOTH) { + struct security_token *nt_token = + session_info->security_token; + + DEBUG(10, ("Could not convert SID %s to gid, " + "ignoring it\n", + sid_string_dbg(&nt_token->sids[i]))); + continue; + } + + ok = add_gid_to_array_unique(session_info->unix_token, + ids[i].id, + &session_info->unix_token->groups, + &session_info->unix_token->ngroups); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } + TALLOC_FREE(ids); + + /* + * Now we must get any groups this user has been + * added to in /etc/group and merge them in. + * This has to be done in every code path + * that creates an NT token, as remote users + * may have been added to the local /etc/group + * database. Tokens created merely from the + * info3 structs (via the DC or via the krb5 PAC) + * won't have these local groups. Note the + * groups added here will only be UNIX groups + * (S-1-22-2-XXXX groups) as getgroups_unix_user() + * turns off winbindd before calling getgroups(). + * + * NB. This is duplicating work already + * done in the 'unix_user:' case of + * create_token_from_sid() but won't + * do anything other than be inefficient + * in that case. + */ + if (!(hint_flags & AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS)) { + ok = getgroups_unix_user(frame, + session_info->unix_info->unix_name, + session_info->unix_token->gid, + &gids, &num_gids); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + } + + for (i=0; i < num_gids; i++) { + + ok = add_gid_to_array_unique(session_info->unix_token, + gids[i], + &session_info->unix_token->groups, + &session_info->unix_token->ngroups); + if (!ok) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + } + TALLOC_FREE(gids); + + if (hint_flags & AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS) { + /* + * We should not translate the unix token uid/gids + * to S-1-22-X-Y SIDs. + */ + goto done; + } + + /* + * Add the "Unix Group" SID for each gid to catch mapped groups + * and their Unix equivalent. This is to solve the backwards + * compatibility problem of 'valid users = +ntadmin' where + * ntadmin has been paired with "Domain Admins" in the group + * mapping table. Otherwise smb.conf would need to be changed + * to 'valid user = "Domain Admins"'. --jerry + * + * For consistency we also add the "Unix User" SID, + * so that the complete unix token is represented within + * the nt token. + */ + + uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid); + status = add_sid_to_array_unique(session_info->security_token, &tmp_sid, + &session_info->security_token->sids, + &session_info->security_token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + + gid_to_unix_groups_sid(session_info->unix_token->gid, &tmp_sid); + status = add_sid_to_array_unique(session_info->security_token, &tmp_sid, + &session_info->security_token->sids, + &session_info->security_token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + + for (i=0; i < session_info->unix_token->ngroups; i++ ) { + struct security_token *nt_token = session_info->security_token; + + gid_to_unix_groups_sid(session_info->unix_token->groups[i], + &tmp_sid); + status = add_sid_to_array_unique(nt_token->sids, + &tmp_sid, + &nt_token->sids, + &nt_token->num_sids); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + } + +done: + security_token_debug(DBGC_AUTH, 10, session_info->security_token); + if (session_info->unix_token != NULL) { + debug_unix_user_token(DBGC_AUTH, 10, + session_info->unix_token->uid, + session_info->unix_token->gid, + session_info->unix_token->ngroups, + session_info->unix_token->groups); + } + + status = log_nt_token(session_info->security_token); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return status; + } + + *session_info_out = talloc_move(mem_ctx, &session_info); + TALLOC_FREE(frame); + return NT_STATUS_OK; +} + /*************************************************************************** Make (and fill) a server_info struct from a 'struct passwd' by conversion to a struct samu diff --git a/source3/auth/proto.h b/source3/auth/proto.h index d3403f1..84e2009 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -225,6 +225,38 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, DATA_BLOB *session_key, const char *smb_name, struct auth_session_info **session_info_out); + +/* + * The unix name should be constructed as DOMAIN+ACCOUNT, + * while '+' will be the "winbind separator" character. + */ +#define AUTH3_UNIX_HINT_QUALIFIED_NAME 0x00000001 +/* + * The unix name will be just ACCOUNT + */ +#define AUTH3_UNIX_HINT_ISLOLATED_NAME 0x00000002 +/* + * Don't translate the nt token SIDS into uid/gids + */ +#define AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS 0x00000004 +/* + * Don't translate the unix token uid/gids to S-1-22-X-Y SIDS + */ +#define AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS 0x00000008 +/* + * The unix token won't get expanded gid values + * from getgroups_unix_user() + */ +#define AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS 0x00000010 +NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc, + uid_t uid, + gid_t gid, + uint32_t flags); +NTSTATUS auth3_session_info_create(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *user_info_dc, + const char *original_user_name, + uint32_t session_info_flags, + struct auth_session_info **session_info_out); NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, bool is_guest, uid_t *uid, gid_t *gid, -- 1.9.1 From bc9c8fce5d8bfbf4941a093206aa513ab9bd6fb4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 7 Mar 2018 00:51:51 +0100 Subject: [PATCH 15/19] s3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_create_session_info() The changes in the resulting token look like this: unix_token : * unix_token: struct security_unix_token uid : 0x0000000000000000 (0) gid : 0x0000000000000000 (0) - ngroups : 0x00000000 (0) - groups: ARRAY(0) + ngroups : 0x00000001 (1) + groups: ARRAY(1) + groups : 0x0000000000000000 (0) ... domain_name : * domain_name : 'NT AUTHORITY' dns_domain_name : NULL - full_name : NULL - logon_script : NULL - profile_path : NULL - home_directory : NULL - home_drive : NULL - logon_server : NULL + full_name : * + full_name : 'System' + logon_script : * + logon_script : '' + profile_path : * + profile_path : '' + home_directory : * + home_directory : '' + home_drive : * + home_drive : '' + logon_server : * + logon_server : 'SLOWSERVER' last_logon : NTTIME(0) last_logoff : NTTIME(0) acct_expiry : NTTIME(0) last_password_change : NTTIME(0) allow_password_change : NTTIME(0) force_password_change : NTTIME(0) logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) - acct_flags : 0x00000000 (0) + acct_flags : 0x00000010 (16) authenticated : 0x01 (1) unix_info : * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (similar to commit e8402ec0486ced6ac2adb640c61a9e5abc77d4e4) --- source3/auth/auth_util.c | 123 +++++++++++++++++------------------------------ 1 file changed, 43 insertions(+), 80 deletions(-) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9d6e802..7fc3da2 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -36,6 +36,7 @@ #include "../librpc/gen_ndr/idmap.h" #include "lib/param/loadparm.h" #include "../lib/tsocket/tsocket.h" +#include "source4/auth/auth.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -1295,31 +1296,6 @@ done: return status; } -static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx, - struct netr_SamInfo3 *info3) -{ - NTSTATUS status; - - /* Set account name */ - init_lsa_String(&info3->base.account_name, "SYSTEM"); - - /* Set domain name */ - init_lsa_StringLarge(&info3->base.logon_domain, "NT AUTHORITY"); - - - status = dom_sid_split_rid(mem_ctx, &global_sid_System, - &info3->base.domain_sid, - &info3->base.rid); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - /* Primary gid is the same */ - info3->base.primary_gid = info3->base.rid; - - return NT_STATUS_OK; -} - static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx, struct netr_SamInfo3 *info3) { @@ -1448,80 +1424,67 @@ done: static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx, struct auth_session_info **session_info) { + TALLOC_CTX *frame = talloc_stackframe(); + struct auth_user_info_dc *user_info_dc = NULL; + uid_t uid = -1; + gid_t gid = -1; + uint32_t hint_flags = 0; + uint32_t session_info_flags = 0; NTSTATUS status; - struct auth_serversupplied_info *server_info; - TALLOC_CTX *tmp_ctx; - - tmp_ctx = talloc_stackframe(); - if (tmp_ctx == NULL) { - return NT_STATUS_NO_MEMORY; - } - - server_info = make_server_info(tmp_ctx); - if (!server_info) { - status = NT_STATUS_NO_MEMORY; - DEBUG(0, ("failed making server_info\n")); - goto done; - } - server_info->info3 = talloc_zero(server_info, struct netr_SamInfo3); - if (!server_info->info3) { - status = NT_STATUS_NO_MEMORY; - DEBUG(0, ("talloc failed setting info3\n")); - goto done; - } - - status = get_system_info3(server_info, server_info->info3); + status = auth_system_user_info_dc(frame, lp_netbios_name(), + &user_info_dc); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed creating system info3 with %s\n", + DEBUG(0, ("auth_system_user_info_dc failed: %s\n", nt_errstr(status))); goto done; } - server_info->utok.uid = sec_initial_uid(); - server_info->utok.gid = sec_initial_gid(); - server_info->unix_name = talloc_asprintf(server_info, - "NT AUTHORITY%cSYSTEM", - *lp_winbind_separator()); - - if (!server_info->unix_name) { - status = NT_STATUS_NO_MEMORY; - DEBUG(0, ("talloc_asprintf failed setting unix_name\n")); - goto done; - } + /* + * Just get the initial uid/gid + * and don't expand the unix groups. + */ + uid = sec_initial_uid(); + gid = sec_initial_gid(); + hint_flags |= AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS; - server_info->security_token = talloc_zero(server_info, struct security_token); - if (!server_info->security_token) { - status = NT_STATUS_NO_MEMORY; - DEBUG(0, ("talloc failed setting security token\n")); - goto done; - } + /* + * Also avoid sid mapping to gids, + * as well as adding the unix_token uid/gids as + * S-1-22-X-Y SIDs to the nt token. + */ + hint_flags |= AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS; + hint_flags |= AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS; - status = add_sid_to_array_unique(server_info->security_token->sids, - &global_sid_System, - &server_info->security_token->sids, - &server_info->security_token->num_sids); + /* + * The unix name will be "NT AUTHORITY+SYSTEM", + * where '+' is the "winbind separator" character. + */ + hint_flags |= AUTH3_UNIX_HINT_QUALIFIED_NAME; + status = auth3_user_info_dc_add_hints(user_info_dc, + uid, + gid, + hint_flags); if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("auth3_user_info_dc_add_hints failed: %s\n", + nt_errstr(status))); goto done; } - /* SYSTEM has all privilages */ - server_info->security_token->privilege_mask = ~0; - - /* Now turn the server_info into a session_info with the full token etc */ - status = create_local_token(mem_ctx, server_info, NULL, "SYSTEM", session_info); - talloc_free(server_info); - + session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; + status = auth3_session_info_create(mem_ctx, user_info_dc, + user_info_dc->info->account_name, + session_info_flags, + session_info); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("create_local_token failed: %s\n", + DEBUG(0, ("auth3_session_info_create failed: %s\n", nt_errstr(status))); goto done; } - talloc_steal(mem_ctx, *session_info); - done: - TALLOC_FREE(tmp_ctx); + TALLOC_FREE(frame); return status; } -- 1.9.1 From d9706a8c5b720876b4c40e8f71ca41f49911ab30 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 2 Mar 2018 17:07:11 +0100 Subject: [PATCH 16/19] s3:auth: pass the whole auth_session_info from copy_session_info_serverinfo_guest() to create_local_token() We only need to adjust sanitized_username in order to keep the same behaviour. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit a2a289d0446fedb4ea40834b5b5b190fdca30906) --- source3/auth/auth_util.c | 51 ++++++++++++++++++++---------------------------- source3/include/auth.h | 5 ++--- 2 files changed, 23 insertions(+), 33 deletions(-) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7fc3da2..a151ac1 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -500,6 +500,26 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return NT_STATUS_LOGON_FAILURE; } + if (server_info->cached_session_info != NULL) { + session_info = copy_session_info(mem_ctx, + server_info->cached_session_info); + if (session_info == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* This is a potentially untrusted username for use in %U */ + alpha_strcpy(tmp, smb_username, ". _-$", sizeof(tmp)); + session_info->unix_info->sanitized_username = + talloc_strdup(session_info->unix_info, tmp); + if (session_info->unix_info->sanitized_username == NULL) { + TALLOC_FREE(session_info); + return NT_STATUS_NO_MEMORY; + } + + *session_info_out = session_info; + return NT_STATUS_OK; + } + session_info = talloc_zero(mem_ctx, struct auth_session_info); if (!session_info) { return NT_STATUS_NO_MEMORY; @@ -554,30 +574,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return status; } - if (server_info->security_token) { - /* Just copy the token, it has already been finalised - * (nasty hack to support a cached guest/system session_info - */ - - session_info->security_token = dup_nt_token(session_info, server_info->security_token); - if (!session_info->security_token) { - TALLOC_FREE(session_info); - return NT_STATUS_NO_MEMORY; - } - - session_info->unix_token->ngroups = server_info->utok.ngroups; - if (server_info->utok.ngroups != 0) { - session_info->unix_token->groups = (gid_t *)talloc_memdup( - session_info->unix_token, server_info->utok.groups, - sizeof(gid_t)*session_info->unix_token->ngroups); - } else { - session_info->unix_token->groups = NULL; - } - - *session_info_out = session_info; - return NT_STATUS_OK; - } - /* * If winbind is not around, we can not make much use of the SIDs the * domain controller provided us with. Likewise if the user name was @@ -1586,12 +1582,6 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO * to take the wrong path */ SMB_ASSERT(src->security_token); - dst->security_token = dup_nt_token(dst, src->security_token); - if (!dst->security_token) { - TALLOC_FREE(dst); - return NULL; - } - dst->session_key = data_blob_talloc( dst, src->session_key.data, src->session_key.length); @@ -1612,6 +1602,7 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO return NULL; } + dst->cached_session_info = src; return dst; } diff --git a/source3/include/auth.h b/source3/include/auth.h index d305537..31a1f20 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -34,15 +34,14 @@ struct auth_serversupplied_info { struct security_unix_token utok; /* - * NT group information taken from the info3 structure + * A complete auth_session_info * * This is not normally filled in, during the typical * authentication process. If filled in, it has already been * finalised by a nasty hack to support a cached guest/system * session_info */ - - struct security_token *security_token; + const struct auth_session_info *cached_session_info; /* These are the intermediate session keys, as provided by a * NETLOGON server and used by NTLMSSP to negotiate key -- 1.9.1 From 0fbc61d19bf40addb2fbb9408cacd419e8142b7f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 2 Mar 2018 14:39:44 +0100 Subject: [PATCH 17/19] s3:auth: add make_{server,session}_info_anonymous() It's important to have them separated from make_{server,session}_info_guest(), because there's a fundamental difference between anonymous (the client requested no authentication) and guest (the server lies about the authentication failure). The following is the difference between guest and anonymous token: security_token: struct security_token - num_sids : 0x0000000a (10) - sids: ARRAY(10) - sids : S-1-5-21-3793881525-3372187982-3724979742-501 - sids : S-1-5-21-3793881525-3372187982-3724979742-514 - sids : S-1-22-2-65534 - sids : S-1-22-2-65533 + num_sids : 0x00000009 (9) + sids: ARRAY(9) + sids : S-1-5-7 sids : S-1-1-0 sids : S-1-5-2 - sids : S-1-5-32-546 sids : S-1-22-1-65533 + sids : S-1-22-2-65534 + sids : S-1-22-2-100004 sids : S-1-22-2-100002 sids : S-1-22-2-100003 + sids : S-1-22-2-65533 privilege_mask : 0x0000000000000000 (0) ... unix_token : * unix_token: struct security_unix_token uid : 0x000000000000fffd (65533) gid : 0x000000000000fffe (65534) - ngroups : 0x00000004 (4) - groups: ARRAY(4) + ngroups : 0x00000005 (5) + groups: ARRAY(5) groups : 0x000000000000fffe (65534) - groups : 0x000000000000fffd (65533) + groups : 0x00000000000186a4 (100004) groups : 0x00000000000186a2 (100002) groups : 0x00000000000186a3 (100003) + groups : 0x000000000000fffd (65533) info: struct auth_user_info account_name : * - account_name : 'nobody' + account_name : 'ANONYMOUS LOGON' user_principal_name : NULL user_principal_constructed: 0x00 (0) domain_name : * - domain_name : 'SAMBA-TEST' + domain_name : 'NT AUTHORITY' dns_domain_name : NULL - full_name : NULL - logon_script : NULL - profile_path : NULL - home_directory : NULL - home_drive : NULL - logon_server : NULL + full_name : * + full_name : 'Anonymous Logon' + logon_script : * + logon_script : '' + profile_path : * + profile_path : '' + home_directory : * + home_directory : '' + home_drive : * + home_drive : '' + logon_server : * + logon_server : 'LOCALNT4DC2' last_logon : NTTIME(0) last_logoff : NTTIME(0) acct_expiry : NTTIME(0) last_password_change : NTTIME(0) allow_password_change : NTTIME(0) force_password_change : NTTIME(0) logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) - acct_flags : 0x00000000 (0) + acct_flags : 0x00000010 (16) authenticated : 0x00 (0) security_token: struct security_token num_sids : 0x00000006 (6) sids: ARRAY(6) + sids : S-1-5-7 + sids : S-1-1-0 + sids : S-1-5-2 sids : S-1-22-1-65533 sids : S-1-22-2-65534 sids : S-1-22-2-65533 - sids : S-1-1-0 - sids : S-1-5-2 - sids : S-1-5-32-546 privilege_mask : 0x0000000000000000 (0) BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (similar to commit 6afb6b67a198c88ab8fa3fee931729c43605716d) --- source3/auth/auth_util.c | 143 ++++++++++++++++++++++++++++++++++++++++++++++- source3/auth/proto.h | 4 ++ 2 files changed, 146 insertions(+), 1 deletion(-) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a151ac1..a1dde2c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1484,6 +1484,87 @@ done: return status; } +static NTSTATUS make_new_session_info_anonymous(TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info) +{ + TALLOC_CTX *frame = talloc_stackframe(); + const char *guest_account = lp_guest_account(); + struct auth_user_info_dc *user_info_dc = NULL; + struct passwd *pwd = NULL; + uint32_t hint_flags = 0; + uint32_t session_info_flags = 0; + NTSTATUS status; + + /* + * We use the guest account for the unix token + * while we use a true anonymous nt token. + * + * It's very important to have a separate + * nt token for anonymous. + */ + + pwd = Get_Pwnam_alloc(frame, guest_account); + if (pwd == NULL) { + DBG_ERR("Unable to locate guest account [%s]!\n", + guest_account); + status = NT_STATUS_NO_SUCH_USER; + goto done; + } + + status = auth_anonymous_user_info_dc(frame, lp_netbios_name(), + &user_info_dc); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("auth_anonymous_user_info_dc failed: %s\n", + nt_errstr(status))); + goto done; + } + + /* + * Note we don't pass AUTH3_UNIX_HINT_QUALIFIED_NAME + * nor AUTH3_UNIX_HINT_ISOLATED_NAME here + * as we want the unix name be found by getpwuid_alloc(). + */ + + status = auth3_user_info_dc_add_hints(user_info_dc, + pwd->pw_uid, + pwd->pw_gid, + hint_flags); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("auth3_user_info_dc_add_hints failed: %s\n", + nt_errstr(status))); + goto done; + } + + /* + * In future we may want to remove + * AUTH_SESSION_INFO_DEFAULT_GROUPS. + * + * Similar to Windows with EveryoneIncludesAnonymous + * and RestrictAnonymous. + * + * We may introduce AUTH_SESSION_INFO_ANON_WORLD... + * + * But for this is required to keep the existing tests + * working. + */ + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; + status = auth3_session_info_create(mem_ctx, user_info_dc, + "", + session_info_flags, + session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("auth3_session_info_create failed: %s\n", + nt_errstr(status))); + goto done; + } + +done: + TALLOC_FREE(frame); + return status; +} + /**************************************************************************** Fake a auth_session_info just from a username (as a session_info structure, with create_local_token() already called on @@ -1661,15 +1742,30 @@ bool session_info_set_session_key(struct auth_session_info *info, } static struct auth_session_info *guest_info = NULL; +static struct auth_session_info *anonymous_info = NULL; static struct auth_serversupplied_info *guest_server_info = NULL; bool init_guest_info(void) { + NTSTATUS status; + if (guest_info != NULL) return true; - return NT_STATUS_IS_OK(make_new_session_info_guest(&guest_info, &guest_server_info)); + status = make_new_session_info_guest(&guest_info, + &guest_server_info); + if (!NT_STATUS_IS_OK(status)) { + return false; + } + + status = make_new_session_info_anonymous(NULL, + &anonymous_info); + if (!NT_STATUS_IS_OK(status)) { + return false; + } + + return true; } NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx, @@ -1690,6 +1786,51 @@ NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx, return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; } +NTSTATUS make_server_info_anonymous(TALLOC_CTX *mem_ctx, + struct auth_serversupplied_info **server_info) +{ + if (anonymous_info == NULL) { + return NT_STATUS_UNSUCCESSFUL; + } + + /* + * This is trickier than it would appear to need to be because + * we are trying to avoid certain costly operations when the + * structure is converted to a 'auth_session_info' again in + * create_local_token() + * + * We use a guest server_info, but with the anonymous session info, + * which means create_local_token() will return a copy + * of the anonymous token. + * + * The server info is just used as legacy in order to + * keep existing code working. Maybe some debug messages + * will still refer to guest instead of anonymous. + */ + *server_info = copy_session_info_serverinfo_guest(mem_ctx, anonymous_info, + guest_server_info); + if (*server_info == NULL) { + return NT_STATUS_NO_MEMORY; + } + + return NT_STATUS_OK; +} + +NTSTATUS make_session_info_anonymous(TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info) +{ + if (anonymous_info == NULL) { + return NT_STATUS_UNSUCCESSFUL; + } + + *session_info = copy_session_info(mem_ctx, anonymous_info); + if (*session_info == NULL) { + return NT_STATUS_NO_MEMORY; + } + + return NT_STATUS_OK; +} + static struct auth_session_info *system_info = NULL; NTSTATUS init_system_session_info(void) diff --git a/source3/auth/proto.h b/source3/auth/proto.h index 84e2009..0ce3474 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -284,6 +284,10 @@ NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **server_info); NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx, struct auth_session_info **server_info); +NTSTATUS make_server_info_anonymous(TALLOC_CTX *mem_ctx, + struct auth_serversupplied_info **server_info); +NTSTATUS make_session_info_anonymous(TALLOC_CTX *mem_ctx, + struct auth_session_info **psession_info); NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx, struct auth_session_info **session_info); const struct auth_session_info *get_session_info_system(void); -- 1.9.1 From 3798dfc68ae1ac970b693a1a48e4713fba3a477a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 2 Mar 2018 14:40:19 +0100 Subject: [PATCH 18/19] s3:rpc_server: make use of make_session_info_anonymous() For unauthenticated connections we should default to a session info with an anonymous nt token. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 0ee9a550944034718ea188b277cca4b6fc5fbc5c) --- source3/rpc_server/rpc_server.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c index e15cd20..4f196de 100644 --- a/source3/rpc_server/rpc_server.c +++ b/source3/rpc_server/rpc_server.c @@ -1104,14 +1104,11 @@ void dcerpc_ncacn_accept(struct tevent_context *ev_ctx, } if (ncacn_conn->session_info == NULL) { - /* - * TODO: use auth_anonymous_session_info() here? - */ - status = make_session_info_guest(ncacn_conn, - &ncacn_conn->session_info); + status = make_session_info_anonymous(ncacn_conn, + &ncacn_conn->session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(2, ("Failed to create " - "make_session_info_guest - %s\n", + "make_session_info_anonymous - %s\n", nt_errstr(status))); talloc_free(ncacn_conn); return; -- 1.9.1 From 1f594a0c0d5d96a0d45d6778abbeddd6d8f50f2f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 2 Mar 2018 14:40:19 +0100 Subject: [PATCH 19/19] s3:auth: make use of make_{server,session}_info_anonymous() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It's important to have them separated from make_{server,session}_info_guest(), because there's a fundamental difference between anonymous (the client requested no authentication) and guest (the server lies about the authentication failure). When it's really an anonymous connection, we should reflect that in the resulting session info. This should fix a problem where Windows 10 tries to join a Samba hosted NT4 domain and has SMB2/3 enabled. We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST for true anonymous connections. The commit message from a few commit before shows the resulting auth_session_info change. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144 (cherry picked from commit 1957bf11f127fc08c6622999cadc7dd580ac7d3b) --- selftest/knownfail.d/anonymous-guest | 1 - source3/auth/auth_builtin.c | 2 +- source3/auth/auth_ntlmssp.c | 5 +---- 3 files changed, 2 insertions(+), 6 deletions(-) delete mode 100644 selftest/knownfail.d/anonymous-guest diff --git a/selftest/knownfail.d/anonymous-guest b/selftest/knownfail.d/anonymous-guest deleted file mode 100644 index a134cec..0000000 --- a/selftest/knownfail.d/anonymous-guest +++ /dev/null @@ -1 +0,0 @@ -^samba3.smbtorture_s3.*nt4_dc.*.SMB2-ANONYMOUS.smbtorture diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 0fa95d9..a2d95a7 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -81,7 +81,7 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, break; } - return make_server_info_guest(NULL, server_info); + return make_server_info_anonymous(NULL, server_info); } /* Guest modules initialisation */ diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index fd629fd..2e345e1 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -65,10 +65,7 @@ NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context, cmp = dom_sid_compare(sid, &global_sid_Anonymous); if (cmp == 0) { - /* - * TODO: use auth_anonymous_session_info() here? - */ - return make_session_info_guest(mem_ctx, session_info); + return make_session_info_anonymous(mem_ctx, session_info); } return NT_STATUS_INTERNAL_ERROR; -- 1.9.1