The Samba-Bugzilla – Attachment 14053 Details for
Bug 13328
Windows 10 cannot logon on Samba NT4 domain
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patches for v4-7-test
tmp47.diff.txt (text/plain), 77.20 KB, created by
Stefan Metzmacher
on 2018-03-16 09:18:00 UTC
(
hide
)
Description:
Patches for v4-7-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2018-03-16 09:18:00 UTC
Size:
77.20 KB
patch
obsolete
>From e989778d9b53ef183a2f692c4aa2f71128b81dab Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2018 17:40:07 +0100 >Subject: [PATCH 01/19] s3:torture: add SMB2-ANONYMOUS which asserts no GUEST > bit for anonymous > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 82d8aa3b9cb15512d29a97b5a7e55ea1a052734f) >--- > source3/torture/proto.h | 1 + > source3/torture/test_smb2.c | 42 ++++++++++++++++++++++++++++++++++++++++++ > source3/torture/torture.c | 1 + > 3 files changed, 44 insertions(+) > >diff --git a/source3/torture/proto.h b/source3/torture/proto.h >index 4c3e540..6f12ff7 100644 >--- a/source3/torture/proto.h >+++ b/source3/torture/proto.h >@@ -95,6 +95,7 @@ bool run_nttrans_create(int dummy); > bool run_nttrans_fsctl(int dummy); > bool run_smb2_basic(int dummy); > bool run_smb2_negprot(int dummy); >+bool run_smb2_anonymous(int dummy); > bool run_smb2_session_reconnect(int dummy); > bool run_smb2_tcon_dependence(int dummy); > bool run_smb2_multi_channel(int dummy); >diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c >index 297c3ab..897d034 100644 >--- a/source3/torture/test_smb2.c >+++ b/source3/torture/test_smb2.c >@@ -24,6 +24,7 @@ > #include "../libcli/smb/smbXcli_base.h" > #include "libcli/security/security.h" > #include "libsmb/proto.h" >+#include "auth/credentials/credentials.h" > #include "auth/gensec/gensec.h" > #include "auth_generic.h" > #include "../librpc/ndr/libndr.h" >@@ -274,6 +275,47 @@ bool run_smb2_negprot(int dummy) > return true; > } > >+bool run_smb2_anonymous(int dummy) >+{ >+ struct cli_state *cli = NULL; >+ NTSTATUS status; >+ struct cli_credentials *anon_creds = NULL; >+ bool guest = false; >+ >+ printf("Starting SMB2-ANONYMOUS\n"); >+ >+ if (!torture_init_connection(&cli)) { >+ return false; >+ } >+ >+ status = smbXcli_negprot(cli->conn, cli->timeout, >+ PROTOCOL_SMB2_02, PROTOCOL_LATEST); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("smbXcli_negprot returned %s\n", nt_errstr(status)); >+ return false; >+ } >+ >+ anon_creds = cli_credentials_init_anon(talloc_tos()); >+ if (anon_creds == NULL) { >+ printf("cli_credentials_init_anon failed\n"); >+ return false; >+ } >+ >+ status = cli_session_setup_creds(cli, anon_creds); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("cli_session_setup returned %s\n", nt_errstr(status)); >+ return false; >+ } >+ >+ guest = smbXcli_session_is_guest(cli->smb2.session); >+ if (guest) { >+ printf("anonymous session should not have guest authentication\n"); >+ return false; >+ } >+ >+ return true; >+} >+ > bool run_smb2_session_reconnect(int dummy) > { > struct cli_state *cli1; >diff --git a/source3/torture/torture.c b/source3/torture/torture.c >index 72efcb2..1709e94 100644 >--- a/source3/torture/torture.c >+++ b/source3/torture/torture.c >@@ -11644,6 +11644,7 @@ static struct { > { "NOTIFY-ONLINE", run_notify_online }, > { "SMB2-BASIC", run_smb2_basic }, > { "SMB2-NEGPROT", run_smb2_negprot }, >+ { "SMB2-ANONYMOUS", run_smb2_anonymous }, > { "SMB2-SESSION-RECONNECT", run_smb2_session_reconnect }, > { "SMB2-TCON-DEPENDENCE", run_smb2_tcon_dependence }, > { "SMB2-MULTI-CHANNEL", run_smb2_multi_channel }, >-- >1.9.1 > > >From a4fc7236ffb004b747faaf12a612e3142159172c Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 15 Mar 2018 18:04:21 +0100 >Subject: [PATCH 02/19] s3:selftest: run SMB2-ANONYMOUS > >This fails against a non AD DC smbd. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit bf707a1eba39e996bb19457b63ddb658cc4183c2) >--- > selftest/knownfail.d/anonymous-guest | 1 + > source3/selftest/tests.py | 1 + > 2 files changed, 2 insertions(+) > create mode 100644 selftest/knownfail.d/anonymous-guest > >diff --git a/selftest/knownfail.d/anonymous-guest b/selftest/knownfail.d/anonymous-guest >new file mode 100644 >index 0000000..a134cec >--- /dev/null >+++ b/selftest/knownfail.d/anonymous-guest >@@ -0,0 +1 @@ >+^samba3.smbtorture_s3.*nt4_dc.*.SMB2-ANONYMOUS.smbtorture >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 108d0c4..e40150b 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -78,6 +78,7 @@ tests = ["FDPASS", "LOCK1", "LOCK2", "LOCK3", "LOCK4", "LOCK5", "LOCK6", "LOCK7" > "GETADDRINFO", "UID-REGRESSION-TEST", "SHORTNAME-TEST", > "CASE-INSENSITIVE-CREATE", "SMB2-BASIC", "NTTRANS-FSCTL", "SMB2-NEGPROT", > "SMB2-SESSION-REAUTH", "SMB2-SESSION-RECONNECT", "SMB2-FTRUNCATE", >+ "SMB2-ANONYMOUS", > "CLEANUP1", > "CLEANUP2", > "CLEANUP4", >-- >1.9.1 > > >From 644243f876ffe8d55e2edb554d189fbb5f63e902 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Wed, 14 Mar 2018 11:44:49 +0100 >Subject: [PATCH 03/19] libcli/security: only announce a session as GUEST if > 'Builtin\Guests' is there without 'Authenticated User' > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit f564847c8e9d31fe07dd3cbf435986b36f097fa3) >--- > libcli/security/session.c | 18 +++++++++++------- > 1 file changed, 11 insertions(+), 7 deletions(-) > >diff --git a/libcli/security/session.c b/libcli/security/session.c >index 0fbb87d..f17e884 100644 >--- a/libcli/security/session.c >+++ b/libcli/security/session.c >@@ -26,6 +26,9 @@ > enum security_user_level security_session_user_level(struct auth_session_info *session_info, > const struct dom_sid *domain_sid) > { >+ bool authenticated = false; >+ bool guest = false; >+ > if (!session_info) { > return SECURITY_ANONYMOUS; > } >@@ -38,8 +41,13 @@ enum security_user_level security_session_user_level(struct auth_session_info *s > return SECURITY_ANONYMOUS; > } > >- if (security_token_has_builtin_guests(session_info->security_token)) { >- return SECURITY_GUEST; >+ authenticated = security_token_has_nt_authenticated_users(session_info->security_token); >+ guest = security_token_has_builtin_guests(session_info->security_token); >+ if (!authenticated) { >+ if (guest) { >+ return SECURITY_GUEST; >+ } >+ return SECURITY_ANONYMOUS; > } > > if (security_token_has_builtin_administrators(session_info->security_token)) { >@@ -60,9 +68,5 @@ enum security_user_level security_session_user_level(struct auth_session_info *s > return SECURITY_DOMAIN_CONTROLLER; > } > >- if (security_token_has_nt_authenticated_users(session_info->security_token)) { >- return SECURITY_USER; >- } >- >- return SECURITY_ANONYMOUS; >+ return SECURITY_USER; > } >-- >1.9.1 > > >From cead3f4419dd14f1334a4cf54e82612a0aece68b Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 1 Mar 2018 18:05:28 +0100 >Subject: [PATCH 04/19] s3:auth: remove unused auth_serversupplied_info->system > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 28ad1306b880a44824ee956a19656ac29581a1b9) >--- > source3/auth/auth_util.c | 1 - > source3/include/auth.h | 1 - > 2 files changed, 2 deletions(-) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index 1021f2a..4ae9dad 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -1045,7 +1045,6 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO > SMB_ASSERT(src->unix_info); > > dst->guest = true; >- dst->system = false; > > /* This element must be provided to convert back to an > * auth_serversupplied_info. This needs to be from the >diff --git a/source3/include/auth.h b/source3/include/auth.h >index b7223c1..d305537 100644 >--- a/source3/include/auth.h >+++ b/source3/include/auth.h >@@ -30,7 +30,6 @@ struct extra_auth_info { > > struct auth_serversupplied_info { > bool guest; >- bool system; > > struct security_unix_token utok; > >-- >1.9.1 > > >From 30ff9f3609870ffd949e6653da3b008bdce4cda1 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 2 Mar 2018 16:37:58 +0100 >Subject: [PATCH 05/19] s3:auth: add the "Unix Groups" sid for the primary gid > >The primary gid might not be in the gid array. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit f3ca3e71cc35876df47e31ec9c3643308add2405) >--- > source3/auth/auth_util.c | 4 ++++ > 1 file changed, 4 insertions(+) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index 4ae9dad..2aa4038 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -660,7 +660,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, > */ > > uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid); >+ add_sid_to_array_unique(session_info->security_token, &tmp_sid, >+ &session_info->security_token->sids, >+ &session_info->security_token->num_sids); > >+ gid_to_unix_groups_sid(session_info->unix_token->gid, &tmp_sid); > add_sid_to_array_unique(session_info->security_token, &tmp_sid, > &session_info->security_token->sids, > &session_info->security_token->num_sids); >-- >1.9.1 > > >From 6b1be02ff52365047fbed761c64f3f51c08af0c5 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 6 Mar 2018 17:14:34 +0100 >Subject: [PATCH 06/19] s3:auth: move add_local_groups() out of > finalize_local_nt_token() > >finalize_local_nt_token() will be used in another place, >were we don't want to add local groups in a following commit. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit df3d278853ec097df27c221369dfb3ed0297d6c8) >--- > source3/auth/token_util.c | 22 +++++++++++++++------- > 1 file changed, 15 insertions(+), 7 deletions(-) > >diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c >index 03c4b64..e5a12db 100644 >--- a/source3/auth/token_util.c >+++ b/source3/auth/token_util.c >@@ -208,6 +208,8 @@ static NTSTATUS add_builtin_administrators(struct security_token *token, > return NT_STATUS_OK; > } > >+static NTSTATUS add_local_groups(struct security_token *result, >+ bool is_guest); > static NTSTATUS finalize_local_nt_token(struct security_token *result, > bool is_guest); > >@@ -323,6 +325,13 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx, > } > } > >+ status = add_local_groups(usrtok, is_guest); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(3, ("Failed to add local groups\n")); >+ TALLOC_FREE(usrtok); >+ return status; >+ } >+ > status = finalize_local_nt_token(usrtok, is_guest); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(3, ("Failed to finalize nt token\n")); >@@ -392,6 +401,12 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, > } > } > >+ status = add_local_groups(result, is_guest); >+ if (!NT_STATUS_IS_OK(status)) { >+ TALLOC_FREE(result); >+ return NULL; >+ } >+ > status = finalize_local_nt_token(result, is_guest); > if (!NT_STATUS_IS_OK(status)) { > TALLOC_FREE(result); >@@ -502,13 +517,6 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, > NTSTATUS status; > struct acct_info *info; > >- /* Add any local groups. */ >- >- status = add_local_groups(result, is_guest); >- if (!NT_STATUS_IS_OK(status)) { >- return status; >- } >- > /* Add in BUILTIN sids */ > > status = add_sid_to_array(result, &global_sid_World, >-- >1.9.1 > > >From 043a82d1564c2c545f96c4c13f66b8a2ae418031 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 13 Mar 2018 21:35:48 +0100 >Subject: [PATCH 07/19] s3:passdb: handle dom_sid=NULL in > create_builtin_{users,administrators}() > >We should not crash if we're called with NULL. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit efdc617c76d9043286e33b961f45ad4564232102) >--- > source3/passdb/pdb_util.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > >diff --git a/source3/passdb/pdb_util.c b/source3/passdb/pdb_util.c >index bf7b2b8..309eb89 100644 >--- a/source3/passdb/pdb_util.c >+++ b/source3/passdb/pdb_util.c >@@ -130,8 +130,9 @@ NTSTATUS create_builtin_users(const struct dom_sid *dom_sid) > } > > /* add domain users */ >- if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) >- && sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS)) >+ if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) && >+ (dom_sid != NULL) && >+ sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS)) > { > status = add_sid_to_builtin(&global_sid_Builtin_Users, > &dom_users); >@@ -159,8 +160,9 @@ NTSTATUS create_builtin_administrators(const struct dom_sid *dom_sid) > } > > /* add domain admins */ >- if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) >- && sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS)) >+ if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) && >+ (dom_sid != NULL) && >+ sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS)) > { > status = add_sid_to_builtin(&global_sid_Builtin_Administrators, > &dom_admins); >-- >1.9.1 > > >From e81904d64c5c92f2f682387bccff7da8ac906ff8 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 13 Mar 2018 21:38:27 +0100 >Subject: [PATCH 08/19] s3:auth: only call secrets_fetch_domain_sid() once in > finalize_local_nt_token() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit c2ffbf9f764a94ef1dc1280741884cf63a017308) >--- > source3/auth/token_util.c | 35 +++++++++++++++++++---------------- > 1 file changed, 19 insertions(+), 16 deletions(-) > >diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c >index e5a12db..f3d24cd 100644 >--- a/source3/auth/token_util.c >+++ b/source3/auth/token_util.c >@@ -190,6 +190,9 @@ static NTSTATUS add_builtin_administrators(struct security_token *token, > if ( IS_DC ) { > sid_copy( &domadm, get_global_sam_sid() ); > } else { >+ if (dom_sid == NULL) { >+ return NT_STATUS_INVALID_PARAMETER_MIX; >+ } > sid_copy(&domadm, dom_sid); > } > sid_append_rid( &domadm, DOMAIN_RID_ADMINS ); >@@ -513,9 +516,11 @@ static NTSTATUS add_local_groups(struct security_token *result, > static NTSTATUS finalize_local_nt_token(struct security_token *result, > bool is_guest) > { >- struct dom_sid dom_sid; >+ struct dom_sid _dom_sid = { 0, }; >+ struct dom_sid *domain_sid = NULL; > NTSTATUS status; > struct acct_info *info; >+ bool ok; > > /* Add in BUILTIN sids */ > >@@ -547,6 +552,16 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, > } > } > >+ become_root(); >+ ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid); >+ if (ok) { >+ domain_sid = &_dom_sid; >+ } else { >+ DEBUG(3, ("Failed to fetch domain sid for %s\n", >+ lp_workgroup())); >+ } >+ unbecome_root(); >+ > info = talloc_zero(talloc_tos(), struct acct_info); > if (info == NULL) { > DEBUG(0, ("talloc failed!\n")); >@@ -561,18 +576,12 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, > if (!NT_STATUS_IS_OK(status)) { > > become_root(); >- if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) { >- status = NT_STATUS_OK; >- DEBUG(3, ("Failed to fetch domain sid for %s\n", >- lp_workgroup())); >- } else { >- status = create_builtin_administrators(&dom_sid); >- } >+ status = create_builtin_administrators(domain_sid); > unbecome_root(); > > if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) { > /* Add BUILTIN\Administrators directly to token. */ >- status = add_builtin_administrators(result, &dom_sid); >+ status = add_builtin_administrators(result, domain_sid); > if ( !NT_STATUS_IS_OK(status) ) { > DEBUG(3, ("Failed to check for local " > "Administrators membership (%s)\n", >@@ -593,13 +602,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, > if (!NT_STATUS_IS_OK(status)) { > > become_root(); >- if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) { >- status = NT_STATUS_OK; >- DEBUG(3, ("Failed to fetch domain sid for %s\n", >- lp_workgroup())); >- } else { >- status = create_builtin_users(&dom_sid); >- } >+ status = create_builtin_users(domain_sid); > unbecome_root(); > > if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) && >-- >1.9.1 > > >From 7893d5084cf7834916b05d381d4e47dc042d0575 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 6 Mar 2018 23:26:28 +0100 >Subject: [PATCH 09/19] s3:auth: add add_builtin_guests() handling to > finalize_local_nt_token() > >We should add Builtin_Guests depending on the current token >not based on 'is_guest'. Even authenticated users can be member >a guest related group and therefore get Builtin_Guests. > >Sadly we still need to use 'is_guest' within create_local_nt_token() >as we only have S-1-22-* SIDs there and still need to >add Builtin_Guests. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit e8dc55d2b969b670322a913799d1af459a1000e7) >--- > source3/auth/token_util.c | 122 +++++++++++++++++++++++++++++++++++++++++++--- > 1 file changed, 114 insertions(+), 8 deletions(-) > >diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c >index f3d24cd..30f2f8d3 100644 >--- a/source3/auth/token_util.c >+++ b/source3/auth/token_util.c >@@ -211,6 +211,74 @@ static NTSTATUS add_builtin_administrators(struct security_token *token, > return NT_STATUS_OK; > } > >+static NTSTATUS add_builtin_guests(struct security_token *token, >+ const struct dom_sid *dom_sid) >+{ >+ struct dom_sid tmp_sid; >+ NTSTATUS status; >+ >+ /* >+ * First check the local GUEST account. >+ */ >+ sid_copy(&tmp_sid, get_global_sam_sid()); >+ sid_append_rid(&tmp_sid, DOMAIN_RID_GUEST); >+ >+ if (nt_token_check_sid(&tmp_sid, token)) { >+ status = add_sid_to_array_unique(token, >+ &global_sid_Builtin_Guests, >+ &token->sids, &token->num_sids); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ >+ return NT_STATUS_OK; >+ } >+ >+ /* >+ * First check the local GUESTS group. >+ */ >+ sid_copy(&tmp_sid, get_global_sam_sid()); >+ sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS); >+ >+ if (nt_token_check_sid(&tmp_sid, token)) { >+ status = add_sid_to_array_unique(token, >+ &global_sid_Builtin_Guests, >+ &token->sids, &token->num_sids); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ >+ return NT_STATUS_OK; >+ } >+ >+ if (lp_server_role() != ROLE_DOMAIN_MEMBER) { >+ return NT_STATUS_OK; >+ } >+ >+ if (dom_sid == NULL) { >+ return NT_STATUS_INVALID_PARAMETER_MIX; >+ } >+ >+ /* >+ * First check the domain GUESTS group. >+ */ >+ sid_copy(&tmp_sid, dom_sid); >+ sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS); >+ >+ if (nt_token_check_sid(&tmp_sid, token)) { >+ status = add_sid_to_array_unique(token, >+ &global_sid_Builtin_Guests, >+ &token->sids, &token->num_sids); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ >+ return NT_STATUS_OK; >+ } >+ >+ return NT_STATUS_OK; >+} >+ > static NTSTATUS add_local_groups(struct security_token *result, > bool is_guest); > static NTSTATUS finalize_local_nt_token(struct security_token *result, >@@ -416,6 +484,29 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, > return NULL; > } > >+ if (is_guest) { >+ /* >+ * It's ugly, but for now it's >+ * needed to add Builtin_Guests >+ * here, the "local" token only >+ * consist of S-1-22-* SIDs >+ * and finalize_local_nt_token() >+ * doesn't have the chance to >+ * to detect it need to >+ * add Builtin_Guests via >+ * add_builtin_guests(). >+ */ >+ status = add_sid_to_array_unique(result, >+ &global_sid_Builtin_Guests, >+ &result->sids, >+ &result->num_sids); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(3, ("Failed to add SID to nt token\n")); >+ TALLOC_FREE(result); >+ return NULL; >+ } >+ } >+ > return result; > } > >@@ -535,14 +626,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, > return status; > } > >- if (is_guest) { >- status = add_sid_to_array(result, &global_sid_Builtin_Guests, >- &result->sids, >- &result->num_sids); >- if (!NT_STATUS_IS_OK(status)) { >- return status; >- } >- } else { >+ if (!is_guest) { > status = add_sid_to_array(result, > &global_sid_Authenticated_Users, > &result->sids, >@@ -613,6 +697,28 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, > } > } > >+ /* >+ * Add BUILTIN\Guests directly to token. >+ * But only if the token already indicates >+ * real guest access by: >+ * - local GUEST account >+ * - local GUESTS group >+ * - domain GUESTS group >+ * >+ * Even if a user was authenticated, it >+ * can be member of a guest related group. >+ */ >+ status = add_builtin_guests(result, domain_sid); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(3, ("Failed to check for local " >+ "Guests membership (%s)\n", >+ nt_errstr(status))); >+ /* >+ * This is a hard error. >+ */ >+ return status; >+ } >+ > TALLOC_FREE(info); > > /* Deal with local groups */ >-- >1.9.1 > > >From 26ff4a3a602632a2133f7763225c707e6b192d1d Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 6 Mar 2018 23:36:03 +0100 >Subject: [PATCH 10/19] s3:auth: don't try to expand system or anonymous tokens > in finalize_local_nt_token() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 4f81ef9353ad76390aa910c8c17456fec21916c6) >--- > source3/auth/token_util.c | 24 ++++++++++++++++++++++++ > 1 file changed, 24 insertions(+) > >diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c >index 30f2f8d3..6ebfa54 100644 >--- a/source3/auth/token_util.c >+++ b/source3/auth/token_util.c >@@ -613,6 +613,13 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, > struct acct_info *info; > bool ok; > >+ result->privilege_mask = 0; >+ result->rights_mask = 0; >+ >+ if (result->num_sids == 0) { >+ return NT_STATUS_INVALID_TOKEN; >+ } >+ > /* Add in BUILTIN sids */ > > status = add_sid_to_array(result, &global_sid_World, >@@ -626,6 +633,23 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, > return status; > } > >+ /* >+ * Don't expand nested groups of system, anonymous etc >+ * >+ * Note that they still get SID_WORLD and SID_NETWORK >+ * for now in order let existing tests pass. >+ * >+ * But SYSTEM doesn't get AUTHENTICATED_USERS >+ * and ANONYMOUS doesn't get BUILTIN GUESTS anymore. >+ */ >+ if (security_token_is_anonymous(result)) { >+ return NT_STATUS_OK; >+ } >+ if (security_token_is_system(result)) { >+ result->privilege_mask = ~0; >+ return NT_STATUS_OK; >+ } >+ > if (!is_guest) { > status = add_sid_to_array(result, > &global_sid_Authenticated_Users, >-- >1.9.1 > > >From af7414ac236e7f26ae1acbd19e13dd79ee778e8a Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 6 Mar 2018 23:40:10 +0100 >Subject: [PATCH 11/19] s3:auth: pass AUTH_SESSION_INFO_* flags to > finalize_local_nt_token() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit d3aae5ba65c7ed0d5e9f8389101cf1c8c1f0a25b) >--- > source3/auth/token_util.c | 58 +++++++++++++++++++++++++++++++---------------- > 1 file changed, 39 insertions(+), 19 deletions(-) > >diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c >index 6ebfa54..acb916a 100644 >--- a/source3/auth/token_util.c >+++ b/source3/auth/token_util.c >@@ -282,7 +282,7 @@ static NTSTATUS add_builtin_guests(struct security_token *token, > static NTSTATUS add_local_groups(struct security_token *result, > bool is_guest); > static NTSTATUS finalize_local_nt_token(struct security_token *result, >- bool is_guest); >+ uint32_t session_info_flags); > > NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3, > const struct extra_auth_info *extra, >@@ -313,6 +313,7 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx, > struct security_token **ntok) > { > struct security_token *usrtok = NULL; >+ uint32_t session_info_flags = 0; > NTSTATUS status; > int i; > >@@ -403,7 +404,12 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx, > return status; > } > >- status = finalize_local_nt_token(usrtok, is_guest); >+ session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; >+ if (!is_guest) { >+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; >+ } >+ >+ status = finalize_local_nt_token(usrtok, session_info_flags); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(3, ("Failed to finalize nt token\n")); > TALLOC_FREE(usrtok); >@@ -427,6 +433,7 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, > struct security_token *result = NULL; > int i; > NTSTATUS status; >+ uint32_t session_info_flags = 0; > > DEBUG(10, ("Create local NT token for %s\n", > sid_string_dbg(user_sid))); >@@ -478,7 +485,12 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, > return NULL; > } > >- status = finalize_local_nt_token(result, is_guest); >+ session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; >+ if (!is_guest) { >+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; >+ } >+ >+ status = finalize_local_nt_token(result, session_info_flags); > if (!NT_STATUS_IS_OK(status)) { > TALLOC_FREE(result); > return NULL; >@@ -605,7 +617,7 @@ static NTSTATUS add_local_groups(struct security_token *result, > } > > static NTSTATUS finalize_local_nt_token(struct security_token *result, >- bool is_guest) >+ uint32_t session_info_flags) > { > struct dom_sid _dom_sid = { 0, }; > struct dom_sid *domain_sid = NULL; >@@ -620,17 +632,17 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, > return NT_STATUS_INVALID_TOKEN; > } > >- /* Add in BUILTIN sids */ >- >- status = add_sid_to_array(result, &global_sid_World, >- &result->sids, &result->num_sids); >- if (!NT_STATUS_IS_OK(status)) { >- return status; >- } >- status = add_sid_to_array(result, &global_sid_Network, >- &result->sids, &result->num_sids); >- if (!NT_STATUS_IS_OK(status)) { >- return status; >+ if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) { >+ status = add_sid_to_array(result, &global_sid_World, >+ &result->sids, &result->num_sids); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ status = add_sid_to_array(result, &global_sid_Network, >+ &result->sids, &result->num_sids); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } > } > > /* >@@ -650,7 +662,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, > return NT_STATUS_OK; > } > >- if (!is_guest) { >+ if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) { > status = add_sid_to_array(result, > &global_sid_Authenticated_Users, > &result->sids, >@@ -660,6 +672,8 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, > } > } > >+ /* Add in BUILTIN sids */ >+ > become_root(); > ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid); > if (ok) { >@@ -772,10 +786,16 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, > unbecome_root(); > } > >- /* Add privileges based on current user sids */ > >- get_privileges_for_sids(&result->privilege_mask, result->sids, >- result->num_sids); >+ if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) { >+ if (security_token_has_builtin_administrators(result)) { >+ result->privilege_mask = ~0; >+ } >+ } else { >+ /* Add privileges based on current user sids */ >+ get_privileges_for_sids(&result->privilege_mask, result->sids, >+ result->num_sids); >+ } > > return NT_STATUS_OK; > } >-- >1.9.1 > > >From ee10f0abc2170dbc8a0744d1c79fcef624df0d66 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 6 Mar 2018 23:45:30 +0100 >Subject: [PATCH 12/19] s3:auth: remove static from finalize_local_nt_token() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 7f47f9e1f220d2dd547cf77bbc292357a2173870) >--- > source3/auth/proto.h | 2 ++ > source3/auth/token_util.c | 6 ++---- > 2 files changed, 4 insertions(+), 4 deletions(-) > >diff --git a/source3/auth/proto.h b/source3/auth/proto.h >index 3942815..d3403f1 100644 >--- a/source3/auth/proto.h >+++ b/source3/auth/proto.h >@@ -359,6 +359,8 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, > bool is_guest, > int num_groupsids, > const struct dom_sid *groupsids); >+NTSTATUS finalize_local_nt_token(struct security_token *result, >+ uint32_t session_info_flags); > NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3, > const struct extra_auth_info *extra, > struct dom_sid *sid); >diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c >index acb916a..f015f8d 100644 >--- a/source3/auth/token_util.c >+++ b/source3/auth/token_util.c >@@ -281,8 +281,6 @@ static NTSTATUS add_builtin_guests(struct security_token *token, > > static NTSTATUS add_local_groups(struct security_token *result, > bool is_guest); >-static NTSTATUS finalize_local_nt_token(struct security_token *result, >- uint32_t session_info_flags); > > NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3, > const struct extra_auth_info *extra, >@@ -616,8 +614,8 @@ static NTSTATUS add_local_groups(struct security_token *result, > return NT_STATUS_OK; > } > >-static NTSTATUS finalize_local_nt_token(struct security_token *result, >- uint32_t session_info_flags) >+NTSTATUS finalize_local_nt_token(struct security_token *result, >+ uint32_t session_info_flags) > { > struct dom_sid _dom_sid = { 0, }; > struct dom_sid *domain_sid = NULL; >-- >1.9.1 > > >From 99462351acf766662859ab4d1bb43417a5ff71d8 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 6 Mar 2018 16:38:10 +0100 >Subject: [PATCH 13/19] auth: add auth_user_info_copy() function > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 6ff891195855403bc485725aef8d43d4e3cabacb) >--- > auth/auth_sam_reply.c | 35 +++++++++++++++++++++++++++++++++++ > auth/auth_sam_reply.h | 3 +++ > 2 files changed, 38 insertions(+) > >diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c >index 15d17b0..bd69515 100644 >--- a/auth/auth_sam_reply.c >+++ b/auth/auth_sam_reply.c >@@ -333,6 +333,41 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx, > return NT_STATUS_OK; > } > >+struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx, >+ const struct auth_user_info *src) >+{ >+ struct auth_user_info *dst = NULL; >+ >+ dst = talloc_zero(mem_ctx, struct auth_user_info); >+ if (dst == NULL) { >+ return NULL; >+ } >+ >+ *dst = *src; >+#define _COPY_STRING(_mem, _str) do { \ >+ if ((_str) != NULL) { \ >+ (_str) = talloc_strdup((_mem), (_str)); \ >+ if ((_str) == NULL) { \ >+ TALLOC_FREE(dst); \ >+ return NULL; \ >+ } \ >+ } \ >+} while(0) >+ _COPY_STRING(dst, dst->account_name); >+ _COPY_STRING(dst, dst->user_principal_name); >+ _COPY_STRING(dst, dst->domain_name); >+ _COPY_STRING(dst, dst->dns_domain_name); >+ _COPY_STRING(dst, dst->full_name); >+ _COPY_STRING(dst, dst->logon_script); >+ _COPY_STRING(dst, dst->profile_path); >+ _COPY_STRING(dst, dst->home_directory); >+ _COPY_STRING(dst, dst->home_drive); >+ _COPY_STRING(dst, dst->logon_server); >+#undef _COPY_STRING >+ >+ return dst; >+} >+ > /** > * Make a user_info_dc struct from the info3 returned by a domain logon > */ >diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h >index 4aa3096..e4b26e9 100644 >--- a/auth/auth_sam_reply.h >+++ b/auth/auth_sam_reply.h >@@ -38,6 +38,9 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx, > bool authenticated, > struct auth_user_info **_user_info); > >+struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx, >+ const struct auth_user_info *src); >+ > NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx, > const struct auth_user_info_dc *user_info_dc, > struct netr_SamInfo6 **_sam6); >-- >1.9.1 > > >From ded4a03e8d1dd81c0bf1ca138fbf02fdd5acb0e3 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 7 Mar 2018 00:21:13 +0100 >Subject: [PATCH 14/19] s3:auth: add auth3_user_info_dc_add_hints() and > auth3_session_info_create() > >These functions make it possible to construct a full auth_session_info >from the information available from an auth_user_info_dc structure. > >This has all the logic from create_local_token() that is used >to transform a auth_serversupplied_info to a full auth_session_info. > >In order to workarround the restriction that auth_user_info_dc >doesn't contain hints for the unix token/name, we use >the special S-1-5-88 (Unix_NFS) sids: > > - S-1-5-88-1-Y gives the uid=Y > - S-1-5-88-2-Y gives the gid=Y > - S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_* > >The currently implemented flags are: > >- AUTH3_UNIX_HINT_QUALIFIED_NAME > unix_name = DOMAIN+ACCOUNT > >- AUTH3_UNIX_HINT_ISLOLATED_NAME > unix_name = ACCOUNT > >- AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS > Don't translate the nt token SIDS into uid/gids > using sid mapping. > >- AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS > Don't translate the unix token uid/gids to S-1-22-X-Y SIDS > >- AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS > The unix token won't get expanded gid values > from getgroups_unix_user() > >By using the hints it is possible to keep the current logic >where an authentication backend provides uid/gid values and >the unix name. > >Note the S-1-5-88-* SIDS never appear in the final security_token. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit af4bc135e486e17164da0ea918281fbf689892c3) >--- > source3/auth/auth_util.c | 552 +++++++++++++++++++++++++++++++++++++++++++++++ > source3/auth/proto.h | 32 +++ > 2 files changed, 584 insertions(+) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index 2aa4038..9d6e802 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -692,6 +692,558 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, > return NT_STATUS_OK; > } > >+NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc, >+ uid_t uid, >+ gid_t gid, >+ uint32_t flags) >+{ >+ uint32_t orig_num_sids = user_info_dc->num_sids; >+ struct dom_sid tmp_sid = { 0, }; >+ NTSTATUS status; >+ >+ /* >+ * We add S-5-88-1-X in order to pass the uid >+ * for the unix token. >+ */ >+ sid_compose(&tmp_sid, >+ &global_sid_Unix_NFS_Users, >+ (uint32_t)uid); >+ status = add_sid_to_array_unique(user_info_dc->sids, >+ &tmp_sid, >+ &user_info_dc->sids, >+ &user_info_dc->num_sids); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(0, ("add_sid_to_array_unique failed: %s\n", >+ nt_errstr(status))); >+ goto fail; >+ } >+ >+ /* >+ * We add S-5-88-2-X in order to pass the gid >+ * for the unix token. >+ */ >+ sid_compose(&tmp_sid, >+ &global_sid_Unix_NFS_Groups, >+ (uint32_t)gid); >+ status = add_sid_to_array_unique(user_info_dc->sids, >+ &tmp_sid, >+ &user_info_dc->sids, >+ &user_info_dc->num_sids); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(0, ("add_sid_to_array_unique failed: %s\n", >+ nt_errstr(status))); >+ goto fail; >+ } >+ >+ /* >+ * We add S-5-88-3-X in order to pass some flags >+ * (AUTH3_UNIX_HINT_*) to auth3_create_session_info(). >+ */ >+ sid_compose(&tmp_sid, >+ &global_sid_Unix_NFS_Mode, >+ flags); >+ status = add_sid_to_array_unique(user_info_dc->sids, >+ &tmp_sid, >+ &user_info_dc->sids, >+ &user_info_dc->num_sids); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(0, ("add_sid_to_array_unique failed: %s\n", >+ nt_errstr(status))); >+ goto fail; >+ } >+ >+ return NT_STATUS_OK; >+ >+fail: >+ user_info_dc->num_sids = orig_num_sids; >+ return status; >+} >+ >+NTSTATUS auth3_session_info_create(TALLOC_CTX *mem_ctx, >+ const struct auth_user_info_dc *user_info_dc, >+ const char *original_user_name, >+ uint32_t session_info_flags, >+ struct auth_session_info **session_info_out) >+{ >+ TALLOC_CTX *frame = talloc_stackframe(); >+ struct auth_session_info *session_info = NULL; >+ uid_t hint_uid = -1; >+ bool found_hint_uid = false; >+ uid_t hint_gid = -1; >+ bool found_hint_gid = false; >+ uint32_t hint_flags = 0; >+ bool found_hint_flags = false; >+ bool need_getpwuid = false; >+ struct unixid *ids = NULL; >+ uint32_t num_gids = 0; >+ gid_t *gids = NULL; >+ struct dom_sid tmp_sid = { 0, }; >+ fstring tmp = { 0, }; >+ NTSTATUS status; >+ size_t i; >+ bool ok; >+ >+ *session_info_out = NULL; >+ >+ if (user_info_dc->num_sids == 0) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_INVALID_TOKEN; >+ } >+ >+ if (user_info_dc->info == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_INVALID_TOKEN; >+ } >+ >+ if (user_info_dc->info->account_name == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_INVALID_TOKEN; >+ } >+ >+ session_info = talloc_zero(mem_ctx, struct auth_session_info); >+ if (session_info == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ /* keep this under frame for easier cleanup */ >+ talloc_reparent(mem_ctx, frame, session_info); >+ >+ session_info->info = auth_user_info_copy(session_info, >+ user_info_dc->info); >+ if (session_info->info == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ session_info->security_token = talloc_zero(session_info, >+ struct security_token); >+ if (session_info->security_token == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ /* >+ * Avoid a lot of reallocations and allocate what we'll >+ * use in most cases. >+ */ >+ session_info->security_token->sids = talloc_zero_array( >+ session_info->security_token, >+ struct dom_sid, >+ user_info_dc->num_sids); >+ if (session_info->security_token->sids == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ for (i = PRIMARY_USER_SID_INDEX; i < user_info_dc->num_sids; i++) { >+ struct security_token *nt_token = session_info->security_token; >+ int cmp; >+ >+ /* >+ * S-1-5-88-X-Y sids are only used to give hints >+ * to the unix token construction. >+ * >+ * S-1-5-88-1-Y gives the uid=Y >+ * S-1-5-88-2-Y gives the gid=Y >+ * S-1-5-88-3-Y gives flags=Y: AUTH3_UNIX_HINT_* >+ */ >+ cmp = dom_sid_compare_domain(&global_sid_Unix_NFS, >+ &user_info_dc->sids[i]); >+ if (cmp == 0) { >+ bool match; >+ uint32_t hint = 0; >+ >+ match = sid_peek_rid(&user_info_dc->sids[i], &hint); >+ if (!match) { >+ continue; >+ } >+ >+ match = dom_sid_in_domain(&global_sid_Unix_NFS_Users, >+ &user_info_dc->sids[i]); >+ if (match) { >+ if (found_hint_uid) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_INVALID_TOKEN; >+ } >+ found_hint_uid = true; >+ hint_uid = (uid_t)hint; >+ continue; >+ } >+ >+ match = dom_sid_in_domain(&global_sid_Unix_NFS_Groups, >+ &user_info_dc->sids[i]); >+ if (match) { >+ if (found_hint_gid) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_INVALID_TOKEN; >+ } >+ found_hint_gid = true; >+ hint_gid = (gid_t)hint; >+ continue; >+ } >+ >+ match = dom_sid_in_domain(&global_sid_Unix_NFS_Mode, >+ &user_info_dc->sids[i]); >+ if (match) { >+ if (found_hint_flags) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_INVALID_TOKEN; >+ } >+ found_hint_flags = true; >+ hint_flags = hint; >+ continue; >+ } >+ >+ continue; >+ } >+ >+ status = add_sid_to_array_unique(nt_token->sids, >+ &user_info_dc->sids[i], >+ &nt_token->sids, >+ &nt_token->num_sids); >+ if (!NT_STATUS_IS_OK(status)) { >+ TALLOC_FREE(frame); >+ return status; >+ } >+ } >+ >+ /* >+ * We need at least one usable SID >+ */ >+ if (session_info->security_token->num_sids == 0) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_INVALID_TOKEN; >+ } >+ >+ /* >+ * We need all tree hints: uid, gid, flags >+ * or none of them. >+ */ >+ if (found_hint_uid || found_hint_gid || found_hint_flags) { >+ if (!found_hint_uid) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_INVALID_TOKEN; >+ } >+ >+ if (!found_hint_gid) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_INVALID_TOKEN; >+ } >+ >+ if (!found_hint_flags) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_INVALID_TOKEN; >+ } >+ } >+ >+ if (session_info->info->authenticated) { >+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; >+ } >+ >+ status = finalize_local_nt_token(session_info->security_token, >+ session_info_flags); >+ if (!NT_STATUS_IS_OK(status)) { >+ TALLOC_FREE(frame); >+ return status; >+ } >+ >+ /* >+ * unless set otherwise, the session key is the user session >+ * key from the auth subsystem >+ */ >+ if (user_info_dc->user_session_key.length != 0) { >+ session_info->session_key = data_blob_dup_talloc(session_info, >+ user_info_dc->user_session_key); >+ if (session_info->session_key.data == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ } >+ >+ if (!(session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN)) { >+ goto done; >+ } >+ >+ session_info->unix_token = talloc_zero(session_info, struct security_unix_token); >+ if (session_info->unix_token == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ session_info->unix_token->uid = -1; >+ session_info->unix_token->gid = -1; >+ >+ session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix); >+ if (session_info->unix_info == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ /* Convert the SIDs to uid/gids. */ >+ >+ ids = talloc_zero_array(frame, struct unixid, >+ session_info->security_token->num_sids); >+ if (ids == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ if (!(hint_flags & AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS)) { >+ ok = sids_to_unixids(session_info->security_token->sids, >+ session_info->security_token->num_sids, >+ ids); >+ if (!ok) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ } >+ >+ if (found_hint_uid) { >+ session_info->unix_token->uid = hint_uid; >+ } else if (ids[0].type == ID_TYPE_UID) { >+ /* >+ * The primary SID resolves to a UID only. >+ */ >+ session_info->unix_token->uid = ids[0].id; >+ } else if (ids[0].type == ID_TYPE_BOTH) { >+ /* >+ * The primary SID resolves to a UID and GID, >+ * use it as uid and add it as first element >+ * to the groups array. >+ */ >+ session_info->unix_token->uid = ids[0].id; >+ >+ ok = add_gid_to_array_unique(session_info->unix_token, >+ session_info->unix_token->uid, >+ &session_info->unix_token->groups, >+ &session_info->unix_token->ngroups); >+ if (!ok) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ } else { >+ /* >+ * It we can't get a uid, we can't imporsonate >+ * the user. >+ */ >+ TALLOC_FREE(frame); >+ return NT_STATUS_INVALID_TOKEN; >+ } >+ >+ if (found_hint_gid) { >+ session_info->unix_token->gid = hint_gid; >+ } else { >+ need_getpwuid = true; >+ } >+ >+ if (hint_flags & AUTH3_UNIX_HINT_QUALIFIED_NAME) { >+ session_info->unix_info->unix_name = >+ talloc_asprintf(session_info->unix_info, >+ "%s%c%s", >+ session_info->info->domain_name, >+ *lp_winbind_separator(), >+ session_info->info->account_name); >+ if (session_info->unix_info->unix_name == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ } else if (hint_flags & AUTH3_UNIX_HINT_ISLOLATED_NAME) { >+ session_info->unix_info->unix_name = >+ talloc_strdup(session_info->unix_info, >+ session_info->info->account_name); >+ if (session_info->unix_info->unix_name == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ } else { >+ need_getpwuid = true; >+ } >+ >+ if (need_getpwuid) { >+ struct passwd *pwd = NULL; >+ >+ /* >+ * Ask the system for the primary gid >+ * and the real unix name. >+ */ >+ pwd = getpwuid_alloc(frame, session_info->unix_token->uid); >+ if (pwd == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_INVALID_TOKEN; >+ } >+ if (!found_hint_gid) { >+ session_info->unix_token->gid = pwd->pw_gid; >+ } >+ >+ session_info->unix_info->unix_name = >+ talloc_strdup(session_info->unix_info, pwd->pw_name); >+ if (session_info->unix_info->unix_name == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ TALLOC_FREE(pwd); >+ } >+ >+ ok = add_gid_to_array_unique(session_info->unix_token, >+ session_info->unix_token->gid, >+ &session_info->unix_token->groups, >+ &session_info->unix_token->ngroups); >+ if (!ok) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ /* This is a potentially untrusted username for use in %U */ >+ alpha_strcpy(tmp, original_user_name, ". _-$", sizeof(tmp)); >+ session_info->unix_info->sanitized_username = >+ talloc_strdup(session_info->unix_info, tmp); >+ if (session_info->unix_info->sanitized_username == NULL) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ for (i=0; i < session_info->security_token->num_sids; i++) { >+ >+ if (ids[i].type != ID_TYPE_GID && >+ ids[i].type != ID_TYPE_BOTH) { >+ struct security_token *nt_token = >+ session_info->security_token; >+ >+ DEBUG(10, ("Could not convert SID %s to gid, " >+ "ignoring it\n", >+ sid_string_dbg(&nt_token->sids[i]))); >+ continue; >+ } >+ >+ ok = add_gid_to_array_unique(session_info->unix_token, >+ ids[i].id, >+ &session_info->unix_token->groups, >+ &session_info->unix_token->ngroups); >+ if (!ok) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ } >+ TALLOC_FREE(ids); >+ >+ /* >+ * Now we must get any groups this user has been >+ * added to in /etc/group and merge them in. >+ * This has to be done in every code path >+ * that creates an NT token, as remote users >+ * may have been added to the local /etc/group >+ * database. Tokens created merely from the >+ * info3 structs (via the DC or via the krb5 PAC) >+ * won't have these local groups. Note the >+ * groups added here will only be UNIX groups >+ * (S-1-22-2-XXXX groups) as getgroups_unix_user() >+ * turns off winbindd before calling getgroups(). >+ * >+ * NB. This is duplicating work already >+ * done in the 'unix_user:' case of >+ * create_token_from_sid() but won't >+ * do anything other than be inefficient >+ * in that case. >+ */ >+ if (!(hint_flags & AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS)) { >+ ok = getgroups_unix_user(frame, >+ session_info->unix_info->unix_name, >+ session_info->unix_token->gid, >+ &gids, &num_gids); >+ if (!ok) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_INVALID_TOKEN; >+ } >+ } >+ >+ for (i=0; i < num_gids; i++) { >+ >+ ok = add_gid_to_array_unique(session_info->unix_token, >+ gids[i], >+ &session_info->unix_token->groups, >+ &session_info->unix_token->ngroups); >+ if (!ok) { >+ TALLOC_FREE(frame); >+ return NT_STATUS_NO_MEMORY; >+ } >+ } >+ TALLOC_FREE(gids); >+ >+ if (hint_flags & AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS) { >+ /* >+ * We should not translate the unix token uid/gids >+ * to S-1-22-X-Y SIDs. >+ */ >+ goto done; >+ } >+ >+ /* >+ * Add the "Unix Group" SID for each gid to catch mapped groups >+ * and their Unix equivalent. This is to solve the backwards >+ * compatibility problem of 'valid users = +ntadmin' where >+ * ntadmin has been paired with "Domain Admins" in the group >+ * mapping table. Otherwise smb.conf would need to be changed >+ * to 'valid user = "Domain Admins"'. --jerry >+ * >+ * For consistency we also add the "Unix User" SID, >+ * so that the complete unix token is represented within >+ * the nt token. >+ */ >+ >+ uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid); >+ status = add_sid_to_array_unique(session_info->security_token, &tmp_sid, >+ &session_info->security_token->sids, >+ &session_info->security_token->num_sids); >+ if (!NT_STATUS_IS_OK(status)) { >+ TALLOC_FREE(frame); >+ return status; >+ } >+ >+ gid_to_unix_groups_sid(session_info->unix_token->gid, &tmp_sid); >+ status = add_sid_to_array_unique(session_info->security_token, &tmp_sid, >+ &session_info->security_token->sids, >+ &session_info->security_token->num_sids); >+ if (!NT_STATUS_IS_OK(status)) { >+ TALLOC_FREE(frame); >+ return status; >+ } >+ >+ for (i=0; i < session_info->unix_token->ngroups; i++ ) { >+ struct security_token *nt_token = session_info->security_token; >+ >+ gid_to_unix_groups_sid(session_info->unix_token->groups[i], >+ &tmp_sid); >+ status = add_sid_to_array_unique(nt_token->sids, >+ &tmp_sid, >+ &nt_token->sids, >+ &nt_token->num_sids); >+ if (!NT_STATUS_IS_OK(status)) { >+ TALLOC_FREE(frame); >+ return status; >+ } >+ } >+ >+done: >+ security_token_debug(DBGC_AUTH, 10, session_info->security_token); >+ if (session_info->unix_token != NULL) { >+ debug_unix_user_token(DBGC_AUTH, 10, >+ session_info->unix_token->uid, >+ session_info->unix_token->gid, >+ session_info->unix_token->ngroups, >+ session_info->unix_token->groups); >+ } >+ >+ status = log_nt_token(session_info->security_token); >+ if (!NT_STATUS_IS_OK(status)) { >+ TALLOC_FREE(frame); >+ return status; >+ } >+ >+ *session_info_out = talloc_move(mem_ctx, &session_info); >+ TALLOC_FREE(frame); >+ return NT_STATUS_OK; >+} >+ > /*************************************************************************** > Make (and fill) a server_info struct from a 'struct passwd' by conversion > to a struct samu >diff --git a/source3/auth/proto.h b/source3/auth/proto.h >index d3403f1..84e2009 100644 >--- a/source3/auth/proto.h >+++ b/source3/auth/proto.h >@@ -225,6 +225,38 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, > DATA_BLOB *session_key, > const char *smb_name, > struct auth_session_info **session_info_out); >+ >+/* >+ * The unix name should be constructed as DOMAIN+ACCOUNT, >+ * while '+' will be the "winbind separator" character. >+ */ >+#define AUTH3_UNIX_HINT_QUALIFIED_NAME 0x00000001 >+/* >+ * The unix name will be just ACCOUNT >+ */ >+#define AUTH3_UNIX_HINT_ISLOLATED_NAME 0x00000002 >+/* >+ * Don't translate the nt token SIDS into uid/gids >+ */ >+#define AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS 0x00000004 >+/* >+ * Don't translate the unix token uid/gids to S-1-22-X-Y SIDS >+ */ >+#define AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS 0x00000008 >+/* >+ * The unix token won't get expanded gid values >+ * from getgroups_unix_user() >+ */ >+#define AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS 0x00000010 >+NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc, >+ uid_t uid, >+ gid_t gid, >+ uint32_t flags); >+NTSTATUS auth3_session_info_create(TALLOC_CTX *mem_ctx, >+ const struct auth_user_info_dc *user_info_dc, >+ const char *original_user_name, >+ uint32_t session_info_flags, >+ struct auth_session_info **session_info_out); > NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, > bool is_guest, > uid_t *uid, gid_t *gid, >-- >1.9.1 > > >From bc9c8fce5d8bfbf4941a093206aa513ab9bd6fb4 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 7 Mar 2018 00:51:51 +0100 >Subject: [PATCH 15/19] s3:auth: base make_new_session_info_system() on > auth_system_user_info_dc() and auth3_create_session_info() > >The changes in the resulting token look like this: > > unix_token : * > unix_token: struct security_unix_token > uid : 0x0000000000000000 (0) > gid : 0x0000000000000000 (0) >- ngroups : 0x00000000 (0) >- groups: ARRAY(0) >+ ngroups : 0x00000001 (1) >+ groups: ARRAY(1) >+ groups : 0x0000000000000000 (0) > >... > > domain_name : * > domain_name : 'NT AUTHORITY' > dns_domain_name : NULL >- full_name : NULL >- logon_script : NULL >- profile_path : NULL >- home_directory : NULL >- home_drive : NULL >- logon_server : NULL >+ full_name : * >+ full_name : 'System' >+ logon_script : * >+ logon_script : '' >+ profile_path : * >+ profile_path : '' >+ home_directory : * >+ home_directory : '' >+ home_drive : * >+ home_drive : '' >+ logon_server : * >+ logon_server : 'SLOWSERVER' > last_logon : NTTIME(0) > last_logoff : NTTIME(0) > acct_expiry : NTTIME(0) > last_password_change : NTTIME(0) > allow_password_change : NTTIME(0) > force_password_change : NTTIME(0) > logon_count : 0x0000 (0) > bad_password_count : 0x0000 (0) >- acct_flags : 0x00000000 (0) >+ acct_flags : 0x00000010 (16) > authenticated : 0x01 (1) > unix_info : * > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(similar to commit e8402ec0486ced6ac2adb640c61a9e5abc77d4e4) >--- > source3/auth/auth_util.c | 123 +++++++++++++++++------------------------------ > 1 file changed, 43 insertions(+), 80 deletions(-) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index 9d6e802..7fc3da2 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -36,6 +36,7 @@ > #include "../librpc/gen_ndr/idmap.h" > #include "lib/param/loadparm.h" > #include "../lib/tsocket/tsocket.h" >+#include "source4/auth/auth.h" > > #undef DBGC_CLASS > #define DBGC_CLASS DBGC_AUTH >@@ -1295,31 +1296,6 @@ done: > return status; > } > >-static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx, >- struct netr_SamInfo3 *info3) >-{ >- NTSTATUS status; >- >- /* Set account name */ >- init_lsa_String(&info3->base.account_name, "SYSTEM"); >- >- /* Set domain name */ >- init_lsa_StringLarge(&info3->base.logon_domain, "NT AUTHORITY"); >- >- >- status = dom_sid_split_rid(mem_ctx, &global_sid_System, >- &info3->base.domain_sid, >- &info3->base.rid); >- if (!NT_STATUS_IS_OK(status)) { >- return status; >- } >- >- /* Primary gid is the same */ >- info3->base.primary_gid = info3->base.rid; >- >- return NT_STATUS_OK; >-} >- > static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx, > struct netr_SamInfo3 *info3) > { >@@ -1448,80 +1424,67 @@ done: > static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx, > struct auth_session_info **session_info) > { >+ TALLOC_CTX *frame = talloc_stackframe(); >+ struct auth_user_info_dc *user_info_dc = NULL; >+ uid_t uid = -1; >+ gid_t gid = -1; >+ uint32_t hint_flags = 0; >+ uint32_t session_info_flags = 0; > NTSTATUS status; >- struct auth_serversupplied_info *server_info; >- TALLOC_CTX *tmp_ctx; >- >- tmp_ctx = talloc_stackframe(); >- if (tmp_ctx == NULL) { >- return NT_STATUS_NO_MEMORY; >- } >- >- server_info = make_server_info(tmp_ctx); >- if (!server_info) { >- status = NT_STATUS_NO_MEMORY; >- DEBUG(0, ("failed making server_info\n")); >- goto done; >- } > >- server_info->info3 = talloc_zero(server_info, struct netr_SamInfo3); >- if (!server_info->info3) { >- status = NT_STATUS_NO_MEMORY; >- DEBUG(0, ("talloc failed setting info3\n")); >- goto done; >- } >- >- status = get_system_info3(server_info, server_info->info3); >+ status = auth_system_user_info_dc(frame, lp_netbios_name(), >+ &user_info_dc); > if (!NT_STATUS_IS_OK(status)) { >- DEBUG(0, ("Failed creating system info3 with %s\n", >+ DEBUG(0, ("auth_system_user_info_dc failed: %s\n", > nt_errstr(status))); > goto done; > } > >- server_info->utok.uid = sec_initial_uid(); >- server_info->utok.gid = sec_initial_gid(); >- server_info->unix_name = talloc_asprintf(server_info, >- "NT AUTHORITY%cSYSTEM", >- *lp_winbind_separator()); >- >- if (!server_info->unix_name) { >- status = NT_STATUS_NO_MEMORY; >- DEBUG(0, ("talloc_asprintf failed setting unix_name\n")); >- goto done; >- } >+ /* >+ * Just get the initial uid/gid >+ * and don't expand the unix groups. >+ */ >+ uid = sec_initial_uid(); >+ gid = sec_initial_gid(); >+ hint_flags |= AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS; > >- server_info->security_token = talloc_zero(server_info, struct security_token); >- if (!server_info->security_token) { >- status = NT_STATUS_NO_MEMORY; >- DEBUG(0, ("talloc failed setting security token\n")); >- goto done; >- } >+ /* >+ * Also avoid sid mapping to gids, >+ * as well as adding the unix_token uid/gids as >+ * S-1-22-X-Y SIDs to the nt token. >+ */ >+ hint_flags |= AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS; >+ hint_flags |= AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS; > >- status = add_sid_to_array_unique(server_info->security_token->sids, >- &global_sid_System, >- &server_info->security_token->sids, >- &server_info->security_token->num_sids); >+ /* >+ * The unix name will be "NT AUTHORITY+SYSTEM", >+ * where '+' is the "winbind separator" character. >+ */ >+ hint_flags |= AUTH3_UNIX_HINT_QUALIFIED_NAME; >+ status = auth3_user_info_dc_add_hints(user_info_dc, >+ uid, >+ gid, >+ hint_flags); > if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(0, ("auth3_user_info_dc_add_hints failed: %s\n", >+ nt_errstr(status))); > goto done; > } > >- /* SYSTEM has all privilages */ >- server_info->security_token->privilege_mask = ~0; >- >- /* Now turn the server_info into a session_info with the full token etc */ >- status = create_local_token(mem_ctx, server_info, NULL, "SYSTEM", session_info); >- talloc_free(server_info); >- >+ session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; >+ session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; >+ status = auth3_session_info_create(mem_ctx, user_info_dc, >+ user_info_dc->info->account_name, >+ session_info_flags, >+ session_info); > if (!NT_STATUS_IS_OK(status)) { >- DEBUG(0, ("create_local_token failed: %s\n", >+ DEBUG(0, ("auth3_session_info_create failed: %s\n", > nt_errstr(status))); > goto done; > } > >- talloc_steal(mem_ctx, *session_info); >- > done: >- TALLOC_FREE(tmp_ctx); >+ TALLOC_FREE(frame); > return status; > } > >-- >1.9.1 > > >From d9706a8c5b720876b4c40e8f71ca41f49911ab30 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 2 Mar 2018 17:07:11 +0100 >Subject: [PATCH 16/19] s3:auth: pass the whole auth_session_info from > copy_session_info_serverinfo_guest() to create_local_token() > >We only need to adjust sanitized_username in order to keep the same behaviour. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit a2a289d0446fedb4ea40834b5b5b190fdca30906) >--- > source3/auth/auth_util.c | 51 ++++++++++++++++++++---------------------------- > source3/include/auth.h | 5 ++--- > 2 files changed, 23 insertions(+), 33 deletions(-) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index 7fc3da2..a151ac1 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -500,6 +500,26 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, > return NT_STATUS_LOGON_FAILURE; > } > >+ if (server_info->cached_session_info != NULL) { >+ session_info = copy_session_info(mem_ctx, >+ server_info->cached_session_info); >+ if (session_info == NULL) { >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ /* This is a potentially untrusted username for use in %U */ >+ alpha_strcpy(tmp, smb_username, ". _-$", sizeof(tmp)); >+ session_info->unix_info->sanitized_username = >+ talloc_strdup(session_info->unix_info, tmp); >+ if (session_info->unix_info->sanitized_username == NULL) { >+ TALLOC_FREE(session_info); >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ *session_info_out = session_info; >+ return NT_STATUS_OK; >+ } >+ > session_info = talloc_zero(mem_ctx, struct auth_session_info); > if (!session_info) { > return NT_STATUS_NO_MEMORY; >@@ -554,30 +574,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, > return status; > } > >- if (server_info->security_token) { >- /* Just copy the token, it has already been finalised >- * (nasty hack to support a cached guest/system session_info >- */ >- >- session_info->security_token = dup_nt_token(session_info, server_info->security_token); >- if (!session_info->security_token) { >- TALLOC_FREE(session_info); >- return NT_STATUS_NO_MEMORY; >- } >- >- session_info->unix_token->ngroups = server_info->utok.ngroups; >- if (server_info->utok.ngroups != 0) { >- session_info->unix_token->groups = (gid_t *)talloc_memdup( >- session_info->unix_token, server_info->utok.groups, >- sizeof(gid_t)*session_info->unix_token->ngroups); >- } else { >- session_info->unix_token->groups = NULL; >- } >- >- *session_info_out = session_info; >- return NT_STATUS_OK; >- } >- > /* > * If winbind is not around, we can not make much use of the SIDs the > * domain controller provided us with. Likewise if the user name was >@@ -1586,12 +1582,6 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO > * to take the wrong path */ > SMB_ASSERT(src->security_token); > >- dst->security_token = dup_nt_token(dst, src->security_token); >- if (!dst->security_token) { >- TALLOC_FREE(dst); >- return NULL; >- } >- > dst->session_key = data_blob_talloc( dst, src->session_key.data, > src->session_key.length); > >@@ -1612,6 +1602,7 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO > return NULL; > } > >+ dst->cached_session_info = src; > return dst; > } > >diff --git a/source3/include/auth.h b/source3/include/auth.h >index d305537..31a1f20 100644 >--- a/source3/include/auth.h >+++ b/source3/include/auth.h >@@ -34,15 +34,14 @@ struct auth_serversupplied_info { > struct security_unix_token utok; > > /* >- * NT group information taken from the info3 structure >+ * A complete auth_session_info > * > * This is not normally filled in, during the typical > * authentication process. If filled in, it has already been > * finalised by a nasty hack to support a cached guest/system > * session_info > */ >- >- struct security_token *security_token; >+ const struct auth_session_info *cached_session_info; > > /* These are the intermediate session keys, as provided by a > * NETLOGON server and used by NTLMSSP to negotiate key >-- >1.9.1 > > >From 0fbc61d19bf40addb2fbb9408cacd419e8142b7f Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 2 Mar 2018 14:39:44 +0100 >Subject: [PATCH 17/19] s3:auth: add make_{server,session}_info_anonymous() > >It's important to have them separated from make_{server,session}_info_guest(), >because there's a fundamental difference between anonymous (the client requested >no authentication) and guest (the server lies about the authentication failure). > >The following is the difference between guest and anonymous token: > > security_token: struct security_token >- num_sids : 0x0000000a (10) >- sids: ARRAY(10) >- sids : S-1-5-21-3793881525-3372187982-3724979742-501 >- sids : S-1-5-21-3793881525-3372187982-3724979742-514 >- sids : S-1-22-2-65534 >- sids : S-1-22-2-65533 >+ num_sids : 0x00000009 (9) >+ sids: ARRAY(9) >+ sids : S-1-5-7 > sids : S-1-1-0 > sids : S-1-5-2 >- sids : S-1-5-32-546 > sids : S-1-22-1-65533 >+ sids : S-1-22-2-65534 >+ sids : S-1-22-2-100004 > sids : S-1-22-2-100002 > sids : S-1-22-2-100003 >+ sids : S-1-22-2-65533 > privilege_mask : 0x0000000000000000 (0) > >... > > unix_token : * > unix_token: struct security_unix_token > uid : 0x000000000000fffd (65533) > gid : 0x000000000000fffe (65534) >- ngroups : 0x00000004 (4) >- groups: ARRAY(4) >+ ngroups : 0x00000005 (5) >+ groups: ARRAY(5) > groups : 0x000000000000fffe (65534) >- groups : 0x000000000000fffd (65533) >+ groups : 0x00000000000186a4 (100004) > groups : 0x00000000000186a2 (100002) > groups : 0x00000000000186a3 (100003) >+ groups : 0x000000000000fffd (65533) > > info: struct auth_user_info > account_name : * >- account_name : 'nobody' >+ account_name : 'ANONYMOUS LOGON' > user_principal_name : NULL > user_principal_constructed: 0x00 (0) > domain_name : * >- domain_name : 'SAMBA-TEST' >+ domain_name : 'NT AUTHORITY' > dns_domain_name : NULL >- full_name : NULL >- logon_script : NULL >- profile_path : NULL >- home_directory : NULL >- home_drive : NULL >- logon_server : NULL >+ full_name : * >+ full_name : 'Anonymous Logon' >+ logon_script : * >+ logon_script : '' >+ profile_path : * >+ profile_path : '' >+ home_directory : * >+ home_directory : '' >+ home_drive : * >+ home_drive : '' >+ logon_server : * >+ logon_server : 'LOCALNT4DC2' > last_logon : NTTIME(0) > last_logoff : NTTIME(0) > acct_expiry : NTTIME(0) > last_password_change : NTTIME(0) > allow_password_change : NTTIME(0) > force_password_change : NTTIME(0) > logon_count : 0x0000 (0) > bad_password_count : 0x0000 (0) >- acct_flags : 0x00000000 (0) >+ acct_flags : 0x00000010 (16) > authenticated : 0x00 (0) > security_token: struct security_token > num_sids : 0x00000006 (6) > sids: ARRAY(6) >+ sids : S-1-5-7 >+ sids : S-1-1-0 >+ sids : S-1-5-2 > sids : S-1-22-1-65533 > sids : S-1-22-2-65534 > sids : S-1-22-2-65533 >- sids : S-1-1-0 >- sids : S-1-5-2 >- sids : S-1-5-32-546 > privilege_mask : 0x0000000000000000 (0) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> > >(similar to commit 6afb6b67a198c88ab8fa3fee931729c43605716d) >--- > source3/auth/auth_util.c | 143 ++++++++++++++++++++++++++++++++++++++++++++++- > source3/auth/proto.h | 4 ++ > 2 files changed, 146 insertions(+), 1 deletion(-) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index a151ac1..a1dde2c 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -1484,6 +1484,87 @@ done: > return status; > } > >+static NTSTATUS make_new_session_info_anonymous(TALLOC_CTX *mem_ctx, >+ struct auth_session_info **session_info) >+{ >+ TALLOC_CTX *frame = talloc_stackframe(); >+ const char *guest_account = lp_guest_account(); >+ struct auth_user_info_dc *user_info_dc = NULL; >+ struct passwd *pwd = NULL; >+ uint32_t hint_flags = 0; >+ uint32_t session_info_flags = 0; >+ NTSTATUS status; >+ >+ /* >+ * We use the guest account for the unix token >+ * while we use a true anonymous nt token. >+ * >+ * It's very important to have a separate >+ * nt token for anonymous. >+ */ >+ >+ pwd = Get_Pwnam_alloc(frame, guest_account); >+ if (pwd == NULL) { >+ DBG_ERR("Unable to locate guest account [%s]!\n", >+ guest_account); >+ status = NT_STATUS_NO_SUCH_USER; >+ goto done; >+ } >+ >+ status = auth_anonymous_user_info_dc(frame, lp_netbios_name(), >+ &user_info_dc); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(0, ("auth_anonymous_user_info_dc failed: %s\n", >+ nt_errstr(status))); >+ goto done; >+ } >+ >+ /* >+ * Note we don't pass AUTH3_UNIX_HINT_QUALIFIED_NAME >+ * nor AUTH3_UNIX_HINT_ISOLATED_NAME here >+ * as we want the unix name be found by getpwuid_alloc(). >+ */ >+ >+ status = auth3_user_info_dc_add_hints(user_info_dc, >+ pwd->pw_uid, >+ pwd->pw_gid, >+ hint_flags); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(0, ("auth3_user_info_dc_add_hints failed: %s\n", >+ nt_errstr(status))); >+ goto done; >+ } >+ >+ /* >+ * In future we may want to remove >+ * AUTH_SESSION_INFO_DEFAULT_GROUPS. >+ * >+ * Similar to Windows with EveryoneIncludesAnonymous >+ * and RestrictAnonymous. >+ * >+ * We may introduce AUTH_SESSION_INFO_ANON_WORLD... >+ * >+ * But for this is required to keep the existing tests >+ * working. >+ */ >+ session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; >+ session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; >+ session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; >+ status = auth3_session_info_create(mem_ctx, user_info_dc, >+ "", >+ session_info_flags, >+ session_info); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(0, ("auth3_session_info_create failed: %s\n", >+ nt_errstr(status))); >+ goto done; >+ } >+ >+done: >+ TALLOC_FREE(frame); >+ return status; >+} >+ > /**************************************************************************** > Fake a auth_session_info just from a username (as a > session_info structure, with create_local_token() already called on >@@ -1661,15 +1742,30 @@ bool session_info_set_session_key(struct auth_session_info *info, > } > > static struct auth_session_info *guest_info = NULL; >+static struct auth_session_info *anonymous_info = NULL; > > static struct auth_serversupplied_info *guest_server_info = NULL; > > bool init_guest_info(void) > { >+ NTSTATUS status; >+ > if (guest_info != NULL) > return true; > >- return NT_STATUS_IS_OK(make_new_session_info_guest(&guest_info, &guest_server_info)); >+ status = make_new_session_info_guest(&guest_info, >+ &guest_server_info); >+ if (!NT_STATUS_IS_OK(status)) { >+ return false; >+ } >+ >+ status = make_new_session_info_anonymous(NULL, >+ &anonymous_info); >+ if (!NT_STATUS_IS_OK(status)) { >+ return false; >+ } >+ >+ return true; > } > > NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx, >@@ -1690,6 +1786,51 @@ NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx, > return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; > } > >+NTSTATUS make_server_info_anonymous(TALLOC_CTX *mem_ctx, >+ struct auth_serversupplied_info **server_info) >+{ >+ if (anonymous_info == NULL) { >+ return NT_STATUS_UNSUCCESSFUL; >+ } >+ >+ /* >+ * This is trickier than it would appear to need to be because >+ * we are trying to avoid certain costly operations when the >+ * structure is converted to a 'auth_session_info' again in >+ * create_local_token() >+ * >+ * We use a guest server_info, but with the anonymous session info, >+ * which means create_local_token() will return a copy >+ * of the anonymous token. >+ * >+ * The server info is just used as legacy in order to >+ * keep existing code working. Maybe some debug messages >+ * will still refer to guest instead of anonymous. >+ */ >+ *server_info = copy_session_info_serverinfo_guest(mem_ctx, anonymous_info, >+ guest_server_info); >+ if (*server_info == NULL) { >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ return NT_STATUS_OK; >+} >+ >+NTSTATUS make_session_info_anonymous(TALLOC_CTX *mem_ctx, >+ struct auth_session_info **session_info) >+{ >+ if (anonymous_info == NULL) { >+ return NT_STATUS_UNSUCCESSFUL; >+ } >+ >+ *session_info = copy_session_info(mem_ctx, anonymous_info); >+ if (*session_info == NULL) { >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ return NT_STATUS_OK; >+} >+ > static struct auth_session_info *system_info = NULL; > > NTSTATUS init_system_session_info(void) >diff --git a/source3/auth/proto.h b/source3/auth/proto.h >index 84e2009..0ce3474 100644 >--- a/source3/auth/proto.h >+++ b/source3/auth/proto.h >@@ -284,6 +284,10 @@ NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx, > struct auth_serversupplied_info **server_info); > NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx, > struct auth_session_info **server_info); >+NTSTATUS make_server_info_anonymous(TALLOC_CTX *mem_ctx, >+ struct auth_serversupplied_info **server_info); >+NTSTATUS make_session_info_anonymous(TALLOC_CTX *mem_ctx, >+ struct auth_session_info **psession_info); > NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx, > struct auth_session_info **session_info); > const struct auth_session_info *get_session_info_system(void); >-- >1.9.1 > > >From 3798dfc68ae1ac970b693a1a48e4713fba3a477a Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 2 Mar 2018 14:40:19 +0100 >Subject: [PATCH 18/19] s3:rpc_server: make use of > make_session_info_anonymous() > >For unauthenticated connections we should default to a >session info with an anonymous nt token. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 0ee9a550944034718ea188b277cca4b6fc5fbc5c) >--- > source3/rpc_server/rpc_server.c | 9 +++------ > 1 file changed, 3 insertions(+), 6 deletions(-) > >diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c >index e15cd20..4f196de 100644 >--- a/source3/rpc_server/rpc_server.c >+++ b/source3/rpc_server/rpc_server.c >@@ -1104,14 +1104,11 @@ void dcerpc_ncacn_accept(struct tevent_context *ev_ctx, > } > > if (ncacn_conn->session_info == NULL) { >- /* >- * TODO: use auth_anonymous_session_info() here? >- */ >- status = make_session_info_guest(ncacn_conn, >- &ncacn_conn->session_info); >+ status = make_session_info_anonymous(ncacn_conn, >+ &ncacn_conn->session_info); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(2, ("Failed to create " >- "make_session_info_guest - %s\n", >+ "make_session_info_anonymous - %s\n", > nt_errstr(status))); > talloc_free(ncacn_conn); > return; >-- >1.9.1 > > >From 1f594a0c0d5d96a0d45d6778abbeddd6d8f50f2f Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 2 Mar 2018 14:40:19 +0100 >Subject: [PATCH 19/19] s3:auth: make use of > make_{server,session}_info_anonymous() >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >It's important to have them separated from make_{server,session}_info_guest(), >because there's a fundamental difference between anonymous (the client requested >no authentication) and guest (the server lies about the authentication failure). > >When it's really an anonymous connection, we should reflect that in the >resulting session info. > >This should fix a problem where Windows 10 tries to join >a Samba hosted NT4 domain and has SMB2/3 enabled. > >We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST >for true anonymous connections. > >The commit message from a few commit before shows the resulting >auth_session_info change. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> > >Autobuild-User(master): Ralph Böhme <slow@samba.org> >Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144 > >(cherry picked from commit 1957bf11f127fc08c6622999cadc7dd580ac7d3b) >--- > selftest/knownfail.d/anonymous-guest | 1 - > source3/auth/auth_builtin.c | 2 +- > source3/auth/auth_ntlmssp.c | 5 +---- > 3 files changed, 2 insertions(+), 6 deletions(-) > delete mode 100644 selftest/knownfail.d/anonymous-guest > >diff --git a/selftest/knownfail.d/anonymous-guest b/selftest/knownfail.d/anonymous-guest >deleted file mode 100644 >index a134cec..0000000 >--- a/selftest/knownfail.d/anonymous-guest >+++ /dev/null >@@ -1 +0,0 @@ >-^samba3.smbtorture_s3.*nt4_dc.*.SMB2-ANONYMOUS.smbtorture >diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c >index 0fa95d9..a2d95a7 100644 >--- a/source3/auth/auth_builtin.c >+++ b/source3/auth/auth_builtin.c >@@ -81,7 +81,7 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, > break; > } > >- return make_server_info_guest(NULL, server_info); >+ return make_server_info_anonymous(NULL, server_info); > } > > /* Guest modules initialisation */ >diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c >index fd629fd..2e345e1 100644 >--- a/source3/auth/auth_ntlmssp.c >+++ b/source3/auth/auth_ntlmssp.c >@@ -65,10 +65,7 @@ NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context, > > cmp = dom_sid_compare(sid, &global_sid_Anonymous); > if (cmp == 0) { >- /* >- * TODO: use auth_anonymous_session_info() here? >- */ >- return make_session_info_guest(mem_ctx, session_info); >+ return make_session_info_anonymous(mem_ctx, session_info); > } > > return NT_STATUS_INTERNAL_ERROR; >-- >1.9.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
slow
:
review+
Actions:
View
Attachments on
bug 13328
:
14046
|
14052
| 14053