The Samba-Bugzilla – Attachment 15223 Details for
Bug 13944
SMB guest authentication may fail
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for 4.10 cherry-picked from master
bug13944-v410.patch (text/plain), 11.21 KB, created by
Ralph Böhme
on 2019-06-06 12:32:07 UTC
(
hide
)
Description:
Patch for 4.10 cherry-picked from master
Filename:
MIME Type:
Creator:
Ralph Böhme
Created:
2019-06-06 12:32:07 UTC
Size:
11.21 KB
patch
obsolete
>From f36a7f5641ede3f8c66d08278d9039cf0d17df2c Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Thu, 16 May 2019 12:42:29 +0200 >Subject: [PATCH 1/5] s3:auth: add reinit_guest_session_info() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 8096cc7eb2b36b074ff17a52dc3540be4ecff6bb) >--- > source3/auth/auth_util.c | 11 +++++++++++ > source3/auth/proto.h | 1 + > 2 files changed, 12 insertions(+) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index d78dbed14b2..8363d386c12 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -1722,6 +1722,17 @@ bool init_guest_session_info(TALLOC_CTX *mem_ctx) > return true; > } > >+bool reinit_guest_session_info(TALLOC_CTX *mem_ctx) >+{ >+ TALLOC_FREE(guest_info); >+ TALLOC_FREE(guest_server_info); >+ TALLOC_FREE(anonymous_info); >+ >+ DBG_DEBUG("Reinitialing guest info\n"); >+ >+ return init_guest_session_info(mem_ctx); >+} >+ > NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx, > struct auth_serversupplied_info **server_info) > { >diff --git a/source3/auth/proto.h b/source3/auth/proto.h >index 75cf1e6724f..fcfd1f36ca2 100644 >--- a/source3/auth/proto.h >+++ b/source3/auth/proto.h >@@ -271,6 +271,7 @@ NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx, > bool is_guest, > struct auth_session_info **session_info); > bool init_guest_session_info(TALLOC_CTX *mem_ctx); >+bool reinit_guest_session_info(TALLOC_CTX *mem_ctx); > NTSTATUS init_system_session_info(TALLOC_CTX *mem_ctx); > bool session_info_set_session_key(struct auth_session_info *info, > DATA_BLOB session_key); >-- >2.21.0 > > >From a07d010cb7260bbdd473bfe56ebea684bd2f5f81 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Thu, 16 May 2019 12:42:54 +0200 >Subject: [PATCH 2/5] s3:smbd: call reinit_guest_session_info() in the conf > updated handler > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit f4e340a48b6f059a1daa66deb9c26da9e8fcd5e7) >--- > source3/smbd/server.c | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/source3/smbd/server.c b/source3/smbd/server.c >index c59759fed98..7d96a5762ec 100644 >--- a/source3/smbd/server.c >+++ b/source3/smbd/server.c >@@ -117,12 +117,18 @@ static void smbd_parent_conf_updated(struct messaging_context *msg, > { > struct tevent_context *ev_ctx = > talloc_get_type_abort(private_data, struct tevent_context); >+ bool ok; > > DEBUG(10,("smbd_parent_conf_updated: Got message saying smb.conf was " > "updated. Reloading.\n")); > change_to_root_user(); > reload_services(NULL, NULL, false); > printing_subsystem_update(ev_ctx, msg, false); >+ >+ ok = reinit_guest_session_info(NULL); >+ if (!ok) { >+ DBG_ERR("Failed to reinit guest info\n"); >+ } > } > > /******************************************************************* >-- >2.21.0 > > >From 24d7cd00ffac2313757f27129293f0b1b7891b60 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Thu, 16 May 2019 12:43:40 +0200 >Subject: [PATCH 3/5] selftest: allow guest login in the ad_member_idmap_rid > env > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit ac2167eb2349dc1c453e14a65692f16c8ba6532e) >--- > selftest/target/Samba3.pm | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 892a6a15e2d..9d88253c9fe 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -609,6 +609,7 @@ sub setup_ad_member_idmap_rid > # Prevent overridding the provisioned lib/krb5.conf which sets certain > # values required for tests to succeed > create krb5 conf = no >+ map to guest = bad user > "; > > my $ret = $self->provision($prefix, $dcvars->{DOMAIN}, >-- >2.21.0 > > >From 794cd6dbcecc0cf0f02e85baeff46d6d1651dbf5 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Thu, 16 May 2019 12:47:34 +0200 >Subject: [PATCH 4/5] tests: add a test for guest authentication > >This verifies that smbd always adds BUILTIN\Guests to the guest token which is >required for guest authentication. > >Currently the guest token depends on the on-disk configured group mappings. If >there's an existing group mapping for BUILTIN\Guests, but LOCALSAM\Guest is not >a member, the final guest token won't contain BUILTIN\Guests. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 0e88f98855e24cfddb55bef65c5910b8e662c630) >--- > selftest/knownfail.d/samba3.blackbox.guest | 1 + > source3/script/tests/test_guest_auth.sh | 103 +++++++++++++++++++++ > source3/selftest/tests.py | 5 + > 3 files changed, 109 insertions(+) > create mode 100644 selftest/knownfail.d/samba3.blackbox.guest > create mode 100755 source3/script/tests/test_guest_auth.sh > >diff --git a/selftest/knownfail.d/samba3.blackbox.guest b/selftest/knownfail.d/samba3.blackbox.guest >new file mode 100644 >index 00000000000..cbb62d71c87 >--- /dev/null >+++ b/selftest/knownfail.d/samba3.blackbox.guest >@@ -0,0 +1 @@ >+^samba3.blackbox.guest.*smbclient_guest_auth_without_members >diff --git a/source3/script/tests/test_guest_auth.sh b/source3/script/tests/test_guest_auth.sh >new file mode 100755 >index 00000000000..4ad4a5cbd63 >--- /dev/null >+++ b/source3/script/tests/test_guest_auth.sh >@@ -0,0 +1,103 @@ >+#!/bin/sh >+# >+# Test guest authentication >+# >+# Copyright (C) 2019 Ralph Boehme >+# >+ >+if [ $# -lt 5 ]; then >+cat <<EOF >+Usage: $0 SERVER SMBCLIENT SMBCONTROL NET CONFIGURATION >+EOF >+exit 1; >+fi >+ >+SERVER=$1 >+SMBCLIENT=$2 >+SMBCONTROL=$3 >+NET=$4 >+CONFIGURATION=$5 >+ >+incdir=`dirname $0`/../../../testprogs/blackbox >+. $incdir/subunit.sh >+ >+failed=0 >+SIDS="" >+ >+prepare_empty_builtin_guests() { >+ TMP=$($NET $CONFIGURATION groupmap listmem S-1-5-32-546 2>&1) >+ bg_exists=$? >+ if [ $bg_exists != 0 ] ; then >+ printf "Group map for BUILTIN\\Guests must exist for test\n" >+ return 1 >+ fi >+ >+ SIDS=$($NET $CONFIGURATION groupmap listmem S-1-5-32-546) >+ if [ $? != 0 ] ; then >+ printf "$NET $CONFIGURATION groupmap listmem S-1-5-32-546 failed. Returned:\n" >+ printf "$SIDS\n" >+ return 1 >+ fi >+ printf "Got S-1-5-32-546 members:\n$SIDS\n" >+ >+ if [ "$SIDS" != "" ] ; then >+ for SID in $SIDS ; do >+ printf "Deleting member $SID from S-1-5-32-546\n" >+ $NET $CONFIGURATION groupmap delmem S-1-5-32-546 $SID || return 1 >+ done >+ fi >+ >+ return 0 >+} >+ >+add_local_guest_to_builtin_guests() { >+ if [ "$SIDS" != "" ] ; then >+ for SID in $SIDS ; do >+ printf "Adding $SID as member to S-1-5-32-546\n" >+ $NET $CONFIGURATION groupmap addmem S-1-5-32-546 $SID || return 1 >+ done >+ fi >+} >+ >+test_smbclient() { >+ $SMBCLIENT -U foo%bar //$SERVER/tmpguest -c exit >+ if [ $? != 0 ] ; then >+ printf "smbclient failed\n" >+ return 1 >+ fi >+ return 0 >+} >+ >+testit "smbclient_guest_at_startup" \ >+ test_smbclient || >+ failed=$(expr $failed + 1) >+ >+printf "Prepare BUILTIN\\Guests group mapping without members\n" >+ >+prepare_empty_builtin_guests || { >+ printf "Setting up BUILTIN\\Guests without members failed\n" >+ exit 1 >+} >+ >+$SMBCONTROL $CONFIGURATION smbd reload-config || { >+ printf "Reloading parent smbd guest info failed\n" >+ exit 1 >+} >+ >+testit "smbclient_guest_auth_without_members" \ >+ test_smbclient && >+ failed=$(expr $failed + 1) >+ >+# restore config >+add_local_guest_to_builtin_guests >+ >+$SMBCONTROL $CONFIGURATION smbd reload-config || { >+ printf "Reloading parent smbd guest info failed\n" >+ exit 1 >+} >+ >+testit "smbclient_works_after_restored_setup" \ >+ test_smbclient || >+ failed=$(expr $failed + 1) >+ >+testok $0 $failed >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 1db806ef887..91b870430b9 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -807,3 +807,8 @@ options_list = ["-mNT1", "-mNT1 -e", "-mSMB3", "-mSMB3 -e"] > > plansmbtorture4testsuite('rpc.epmapper', 'nt4_dc:local', 'ncalrpc: -U$USERNAME%$PASSWORD', 'over ncalrpc') > plansmbtorture4testsuite('rpc.fsrvp', 'nt4_dc:local', 'ncacn_np:$SERVER_IP[/pipe/FssagentRpc] -U$USERNAME%$PASSWORD', 'over ncacn_np') >+ >+for env in ["ad_member_idmap_rid:local", "maptoguest:local"]: >+ plantestsuite("samba3.blackbox.guest (%s)" % env , env, >+ [os.path.join(samba3srcdir, "script/tests/test_guest_auth.sh"), >+ '$SERVER', smbclient3, smbcontrol, net, configuration]) >-- >2.21.0 > > >From 919a34f0508c9abb3442c3367b27cc1d99be7732 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Mon, 13 May 2019 20:16:47 +0200 >Subject: [PATCH 5/5] s3:auth: explicitly add BUILTIN\Guests to the guest token > >This changes ensures that smbd always adds BUILTIN\Guests to the guest token >which is required for guest authentication. > >Currently the guest token depends on the on-disk configured group mappings. If >there's an existing group mapping for BUILTIN\Guests, but LOCALSAM\Guest is not >a member, the final guest token won't contain BUILTIN\Guests. > >For SMB2 the flag SMB2_SESSION_FLAG_IS_GUEST will not be set in the final SMB2 >SESSION_SETUP response, because smbd sets it based on the token containing the >BUILTIN\Guests SID S-1-5-32-546. > >At the same time, the packet is not signed which causes Windows clients and >smbclient to reject the unsigned SMB2 SESSION_SETUP response. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944 > >Pair-programmed-with: Stefan Metzmacher <metze@samba.org> >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> > >Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> >Autobuild-Date(master): Wed Jun 5 16:55:26 UTC 2019 on sn-devel-184 > >(cherry picked from commit a66af4c96accba4ee64eeb1958458b69f3ccec1d) >--- > selftest/knownfail.d/samba3.blackbox.guest | 1 - > source3/auth/auth_util.c | 15 +++++++++++++++ > 2 files changed, 15 insertions(+), 1 deletion(-) > delete mode 100644 selftest/knownfail.d/samba3.blackbox.guest > >diff --git a/selftest/knownfail.d/samba3.blackbox.guest b/selftest/knownfail.d/samba3.blackbox.guest >deleted file mode 100644 >index cbb62d71c87..00000000000 >--- a/selftest/knownfail.d/samba3.blackbox.guest >+++ /dev/null >@@ -1 +0,0 @@ >-^samba3.blackbox.guest.*smbclient_guest_auth_without_members >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index 8363d386c12..8ff20c33759 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -1387,6 +1387,21 @@ static NTSTATUS make_new_session_info_guest(TALLOC_CTX *mem_ctx, > goto done; > } > >+ /* >+ * It's ugly, but for now it's >+ * needed to force Builtin_Guests >+ * here, because memberships of >+ * Builtin_Guests might be incomplete. >+ */ >+ status = add_sid_to_array_unique(session_info->security_token, >+ &global_sid_Builtin_Guests, >+ &session_info->security_token->sids, >+ &session_info->security_token->num_sids); >+ if (!NT_STATUS_IS_OK(status)) { >+ DBG_ERR("Failed to force Builtin_Guests to nt token\n"); >+ goto done; >+ } >+ > /* annoying, but the Guest really does have a session key, and it is > all zeros! */ > session_info->session_key = data_blob_talloc_zero(session_info, 16); >-- >2.21.0 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
slow
:
review?
(
abartlet
)
jra
:
review+
Actions:
View
Attachments on
bug 13944
:
15222
| 15223