From cb4e4db4f5bb3467957fbf8f9e25ab5beb34228f Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 29 Mar 2019 11:34:53 +0100 Subject: [PATCH 1/8] s3:libads: Print more information when LDAP fails Currently we just get an error but don't know what exactly we tried to do in 'net ads join -d10'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 Signed-off-by: Andreas Schneider Reviewed-by: Ralph Boehme Reviewed-by: Andrew Bartlett (cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5) --- source3/libads/ldap.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 6b5f271272a..ac03b3fcaa2 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -1521,8 +1521,10 @@ static void ads_print_error(int ret, LDAP *ld) if (ret != 0) { char *ld_error = NULL; ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error); - DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret, - ldap_err2string(ret), ld_error)); + DBG_ERR("AD LDAP ERROR: %d (%s): %s\n", + ret, + ldap_err2string(ret), + ld_error); SAFE_FREE(ld_error); } } @@ -1549,6 +1551,8 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods) (char) 1}; LDAPControl *controls[2]; + DBG_INFO("AD LDAP: Modifying %s\n", mod_dn); + controls[0] = &PermitModify; controls[1] = NULL; @@ -1580,6 +1584,8 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods) char *utf8_dn = NULL; size_t converted_size; + DBG_INFO("AD LDAP: Adding %s\n", new_dn); + if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) { DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!")); return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); @@ -1612,6 +1618,8 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn) return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } + DBG_INFO("AD LDAP: Deleting %s\n", del_dn); + ret = ldap_delete_s(ads->ldap.ld, utf8_dn); ads_print_error(ret, ads->ldap.ld); TALLOC_FREE(utf8_dn); -- 2.21.0 From c7e350fa1b4ad408759bcb6d09df48582e231385 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 27 Mar 2019 16:45:39 +0100 Subject: [PATCH 2/8] s3:libsmb: Add some useful debug output to cliconnect BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 Signed-off-by: Andreas Schneider Reviewed-by: Ralph Boehme Reviewed-by: Andrew Bartlett (cherry picked from commit 011a47f04dabe22095a30d284662d8ca50463ee8) --- source3/libsmb/cliconnect.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 0a54d47227a..c416d10fa24 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -346,6 +346,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, return NT_STATUS_OK; } + DBG_INFO("Doing kinit for %s to access %s\n", + user_principal, target_hostname); /* * TODO: This should be done within the gensec layer @@ -375,6 +377,11 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, */ } + DBG_DEBUG("Successfully authenticated as %s to access %s using " + "Kerberos\n", + user_principal, + target_hostname); + TALLOC_FREE(frame); return NT_STATUS_OK; } @@ -1294,6 +1301,10 @@ static struct tevent_req *cli_session_setup_spnego_send( return tevent_req_post(req, ev); } + DBG_INFO("Connect to %s as %s using SPNEGO\n", + target_hostname, + cli_credentials_get_principal(creds, talloc_tos())); + subreq = cli_session_setup_gensec_send(state, ev, cli, creds, target_service, target_hostname); if (tevent_req_nomem(subreq, req)) { @@ -1497,6 +1508,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx, return tevent_req_post(req, ev); } + DBG_INFO("Connect to %s as %s using NTLM\n", domain, username); + if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) { bool use_unicode = smbXcli_conn_use_unicode(cli->conn); uint8_t *bytes = NULL; -- 2.21.0 From 3478e736207afbb98072421e268ba1b7ef9f2dd7 Mon Sep 17 00:00:00 2001 From: Guenther Deschner Date: Mon, 1 Apr 2019 17:46:39 +0200 Subject: [PATCH 3/8] s3:libnet: Fix debug message in libnet_DomainJoin() A newline is missing but also use DBG_INFO macro and cleanup spelling. Signed-off-by: Guenther Deschner Reviewed-by: Ralph Boehme Reviewed-by: Andrew Bartlett (cherry picked from commit 3a33c360071bb7cada58f1f71ccd8949fda70662) --- source3/libnet/libnet_join.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 27fc5135442..ddc00f7ad7c 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -2664,8 +2664,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, return WERR_NERR_DEFAULTJOINREQUIRED; } - DEBUG(5, ("failed to precreate account in ou %s: %s", - r->in.account_ou, ads_errstr(ads_status))); + DBG_INFO("Failed to pre-create account in OU %s: %s\n", + r->in.account_ou, ads_errstr(ads_status)); } rpc_join: -- 2.21.0 From a9581224b74b367581986f73610745dc9a95361b Mon Sep 17 00:00:00 2001 From: Guenther Deschner Date: Wed, 27 Mar 2019 17:51:04 +0100 Subject: [PATCH 4/8] auth:ntlmssp: Add back CRAP ndr debug output This got lost somehow during refactoring. This is still viable information when trying to figure out what is going wrong when authenticating a user over NTLMSSP. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 Signed-off-by: Guenther Deschner Reviewed-by: Ralph Boehme Reviewed-by: Andrew Bartlett (cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7) --- auth/ntlmssp/ntlmssp_client.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c index ab406a2c5be..8e49dcee5ea 100644 --- a/auth/ntlmssp/ntlmssp_client.c +++ b/auth/ntlmssp/ntlmssp_client.c @@ -342,6 +342,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } } + if (DEBUGLEVEL >= 10) { + struct CHALLENGE_MESSAGE *challenge = + talloc(ntlmssp_state, struct CHALLENGE_MESSAGE); + if (challenge != NULL) { + NTSTATUS status; + challenge->NegotiateFlags = chal_flags; + status = ntlmssp_pull_CHALLENGE_MESSAGE( + &in, challenge, challenge); + if (NT_STATUS_IS_OK(status)) { + NDR_PRINT_DEBUG(CHALLENGE_MESSAGE, + challenge); + } + TALLOC_FREE(challenge); + } + } + if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) { ntlmssp_state->server.is_standalone = true; } else { @@ -702,6 +718,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, return nt_status; } + if (DEBUGLEVEL >= 10) { + struct AUTHENTICATE_MESSAGE *authenticate = + talloc(ntlmssp_state, struct AUTHENTICATE_MESSAGE); + if (authenticate != NULL) { + NTSTATUS status; + authenticate->NegotiateFlags = ntlmssp_state->neg_flags; + status = ntlmssp_pull_AUTHENTICATE_MESSAGE( + out, authenticate, authenticate); + if (NT_STATUS_IS_OK(status)) { + NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE, + authenticate); + } + TALLOC_FREE(authenticate); + } + } + /* * We always include the MIC, even without: * av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE; -- 2.21.0 From 129f8dd69d2dbbe38bbc77f0e5d22665204b8432 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 1 Apr 2019 15:59:10 +0200 Subject: [PATCH 5/8] auth:creds: Prefer the principal over DOMAIN/username when using NTLM If we want to authenticate using -Wadmin@otherdomain the DC should do take care of the authentication with the right DC for us. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 Pair-Programmed-With: Guenther Deschner Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Ralph Boehme Reviewed-by: Andrew Bartlett (cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3) --- auth/credentials/credentials.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index 4663185c979..7ef58d0752c 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c @@ -1115,7 +1115,7 @@ _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *c const char **username, const char **domain) { - if (cred->principal_obtained > cred->username_obtained) { + if (cred->principal_obtained >= cred->username_obtained) { *domain = talloc_strdup(mem_ctx, ""); *username = cli_credentials_get_principal(cred, mem_ctx); } else { -- 2.21.0 From f149afbf07f3c8db9a16aa2bd72a5dd331398f46 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 1 Apr 2019 16:39:45 +0200 Subject: [PATCH 6/8] s3:libnet: Use more secure name for the JOIN krb5.conf Currently we create krb5.conf..JOIN, use krb5.conf._JOIN_ instead. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 Signed-off-by: Andreas Schneider Reviewed-by: Ralph Boehme Reviewed-by: Andrew Bartlett (cherry picked from commit b7f0c64514a28cfb5d2cdee683c18943b97ea753) --- source3/libnet/libnet_join.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index ddc00f7ad7c..e052306523d 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -2598,12 +2598,14 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, } /* The domain parameter is only used as modifier - * to krb5.conf file name. .JOIN is is not a valid + * to krb5.conf file name. _JOIN_ is is not a valid * NetBIOS name so it cannot clash with another domain * -- Uri. */ - create_local_private_krb5_conf_for_domain( - pre_connect_realm, ".JOIN", sitename, &ss); + create_local_private_krb5_conf_for_domain(pre_connect_realm, + "_JOIN_", + sitename, + &ss); } status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli); -- 2.21.0 From 167fdaccc727df18eed745243f0ca7ade52ae346 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 1 Apr 2019 16:47:26 +0200 Subject: [PATCH 7/8] s3:libads: Make sure we can lookup KDCs which are not configured BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 Pair-Programmed-With: Guenther Deschner Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Ralph Boehme Reviewed-by: Andrew Bartlett (cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6) --- source3/libads/kerberos.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index c8aa9191c7e..721c3c2a929 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -677,11 +677,19 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, } #endif + /* + * We are setting 'dns_lookup_kdc' to true, because we want to lookup + * KDCs which are not configured via DNS SRV records, eg. if we do: + * + * net ads join -Uadmin@otherdomain + */ file_contents = talloc_asprintf(fname, - "[libdefaults]\n\tdefault_realm = %s\n" + "[libdefaults]\n" + "\tdefault_realm = %s\n" "%s" - "\tdns_lookup_realm = false\n\n" + "\tdns_lookup_realm = false\n" + "\tdns_lookup_kdc = true\n\n" "[realms]\n\t%s = {\n" "%s\t}\n" "%s\n", -- 2.21.0 From c10eb61e0d1cd2c06bf9849867500ddeab4a130a Mon Sep 17 00:00:00 2001 From: Guenther Deschner Date: Mon, 1 Apr 2019 17:40:03 +0200 Subject: [PATCH 8/8] s3:ldap: Leave add machine code early for pre-existing accounts This avoids numerous LDAP constraint violation errors when we try to re-precreate an already existing machine account. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 Pair-Programmed-With: Andreas Schneider Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Ralph Boehme Reviewed-by: Andrew Bartlett (cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68) --- source3/libads/ldap.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index ac03b3fcaa2..112100b0536 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -2120,6 +2120,15 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, goto done; } + ret = ads_find_machine_acct(ads, &res, machine_escaped); + ads_msgfree(ads, res); + if (ADS_ERR_OK(ret)) { + DBG_DEBUG("Host account for %s already exists.\n", + machine_escaped); + ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); + goto done; + } + new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit); samAccountName = talloc_asprintf(ctx, "%s$", machine_name); @@ -2155,7 +2164,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, done: SAFE_FREE(machine_escaped); - ads_msgfree(ads, res); talloc_destroy(ctx); return ret; -- 2.21.0