The Samba-Bugzilla – Attachment 16845 Details for
Bug 14556
CVE-2020-25717 [SECURITY] A user on the domain can become root on domain members
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Current work in progress patches
CVE-2020-2571.wip.20211011.patches.txt (text/plain), 75.80 KB, created by
Stefan Metzmacher
on 2021-10-11 21:44:04 UTC
(
hide
)
Description:
Current work in progress patches
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2021-10-11 21:44:04 UTC
Size:
75.80 KB
patch
obsolete
>From d5884d3f180669db62e44ff031ce9723b9325c3e Mon Sep 17 00:00:00 2001 >From: Samuel Cabrero <scabrero@samba.org> >Date: Tue, 28 Sep 2021 10:43:40 +0200 >Subject: [PATCH 01/34] loadparm: Add new parameter "min domain uid" > >--- > docs-xml/smbdotconf/security/mindomainuid.xml | 13 +++++++++++++ > lib/param/loadparm.c | 4 ++++ > source3/param/loadparm.c | 2 ++ > 3 files changed, 19 insertions(+) > create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml > >diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml >new file mode 100644 >index 000000000000..81e57111c82e >--- /dev/null >+++ b/docs-xml/smbdotconf/security/mindomainuid.xml >@@ -0,0 +1,13 @@ >+<samba:parameter name="min domain uid" >+ type="integer" >+ context="G" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ <para> >+ The integer parameter specifies the minimum uid allowed when mapping a >+ local account to an AD account. >+ </para> >+</description> >+ >+<value type="default">1000</value> >+</samba:parameter> >diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c >index 2eac1ba7c388..953734976959 100644 >--- a/lib/param/loadparm.c >+++ b/lib/param/loadparm.c >@@ -2994,6 +2994,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) > "server smb3 encryption algorithms", > DEFAULT_SMB3_ENCRYPTION_ALGORITHMS); > >+ lpcfg_do_global_parameter(lp_ctx, >+ "min domain uid", >+ "1000"); >+ > for (i = 0; parm_table[i].label; i++) { > if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { > lp_ctx->flags[i] |= FLAG_DEFAULT; >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index 6c9830563c3b..e98d1738bb44 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -976,6 +976,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) > Globals.server_smb3_encryption_algorithms = > str_list_make_v3_const(NULL, DEFAULT_SMB3_ENCRYPTION_ALGORITHMS, NULL); > >+ Globals.min_domain_uid = 1000; >+ > /* Now put back the settings that were set with lp_set_cmdline() */ > apply_lp_set_cmdline(); > } >-- >2.25.1 > > >From 048573ea4d57ffac514d1c3e0a1cf162df7a9d00 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 8 Oct 2021 18:04:55 +0200 >Subject: [PATCH 02/34] selftest/Samba3: remove unused close(USERMAP); calls > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > selftest/target/Samba3.pm | 5 ----- > 1 file changed, 5 deletions(-) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 3fe6c194ed88..804b19aa7467 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -782,7 +782,6 @@ sub provision_ad_member > > mkdir($_, 0777) foreach(@dirs); > >- close(USERMAP); > $ret->{DOMAIN} = $dcvars->{DOMAIN}; > $ret->{REALM} = $dcvars->{REALM}; > $ret->{DOMSID} = $dcvars->{DOMSID}; >@@ -1044,7 +1043,6 @@ sub setup_ad_member_rfc2307 > > $ret or return undef; > >- close(USERMAP); > $ret->{DOMAIN} = $dcvars->{DOMAIN}; > $ret->{REALM} = $dcvars->{REALM}; > $ret->{DOMSID} = $dcvars->{DOMSID}; >@@ -1142,7 +1140,6 @@ sub setup_ad_member_idmap_rid > > $ret or return undef; > >- close(USERMAP); > $ret->{DOMAIN} = $dcvars->{DOMAIN}; > $ret->{REALM} = $dcvars->{REALM}; > $ret->{DOMSID} = $dcvars->{DOMSID}; >@@ -1242,7 +1239,6 @@ sub setup_ad_member_idmap_ad > > $ret or return undef; > >- close(USERMAP); > $ret->{DOMAIN} = $dcvars->{DOMAIN}; > $ret->{REALM} = $dcvars->{REALM}; > $ret->{DOMSID} = $dcvars->{DOMSID}; >@@ -1342,7 +1338,6 @@ sub setup_ad_member_oneway > > $ret or return undef; > >- close(USERMAP); > $ret->{DOMAIN} = $dcvars->{DOMAIN}; > $ret->{REALM} = $dcvars->{REALM}; > $ret->{DOMSID} = $dcvars->{DOMSID}; >-- >2.25.1 > > >From 239ee3f307a3fc94373802ca63c2817c2661ac92 Mon Sep 17 00:00:00 2001 >From: Samuel Cabrero <scabrero@samba.org> >Date: Tue, 5 Oct 2021 12:31:29 +0200 >Subject: [PATCH 03/34] selftest: Add ad_member_no_nss_wb environment > >This environment creates an AD member without running NSS winbind >neither winbind daemon. It also enables SMB1 to be able to get the >security token using posix extensions. > >Signed-off-by: Samuel Cabrero <scabrero@samba.org> >--- > selftest/target/Samba.pm | 1 + > selftest/target/Samba3.pm | 62 +++++++++++++++++++++++++++++++++++++-- > 2 files changed, 61 insertions(+), 2 deletions(-) > >diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm >index 10353008b888..69e6dcee5910 100644 >--- a/selftest/target/Samba.pm >+++ b/selftest/target/Samba.pm >@@ -610,6 +610,7 @@ sub get_interface($) > fipsadmember => 57, > offlineadmem => 58, > s2kmember => 59, >+ admemnonsswb => 60, > > rootdnsforwarder => 64, > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 804b19aa7467..b6251df5e48a 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -240,6 +240,7 @@ sub check_env($$) > ad_member_fips => ["ad_dc_fips"], > ad_member_offlogon => ["ad_dc"], > ad_member_oneway => ["fl2000dc"], >+ ad_member_no_nss_wb => ["ad_dc"], > > clusteredmember => ["nt4_dc"], > ); >@@ -653,8 +654,15 @@ sub provision_ad_member > $dcvars, > $trustvars_f, > $trustvars_e, >+ $extra_member_options, > $force_fips_mode, >- $offline_logon) = @_; >+ $offline_logon, >+ $no_nss_winbind) = @_; >+ >+ if (defined($offline_logon) && defined($no_nss_winbind)) { >+ warn ("Offline logon incompatible with no nss winbind\n"); >+ return undef; >+ } > > my $prefix_abs = abs_path($prefix); > my @dirs = (); >@@ -696,6 +704,10 @@ sub provision_ad_member > $netbios_aliases = "netbios aliases = foo bar"; > } > >+ unless (defined($extra_member_options)) { >+ $extra_member_options = ""; >+ } >+ > my $member_options = " > security = ads > workgroup = $dcvars->{DOMAIN} >@@ -719,6 +731,10 @@ sub provision_ad_member > rpc_daemon:epmd = fork > rpc_daemon:lsasd = fork > >+ # Begin extra member options >+ $extra_member_options >+ # End extra member options >+ > [sub_dug] > path = $share_dir/D_%D/U_%U/G_%G > writeable = yes >@@ -941,10 +957,17 @@ sub provision_ad_member > return undef; > } > } else { >+ my $run_wb = 1; >+ if (defined($no_nss_winbind)) { >+ $ret->{NSS_WRAPPER_MODULE_SO_PATH} = ""; >+ $ret->{NSS_WRAPPER_MODULE_FN_PREFIX} = ""; >+ $run_wb = 0; >+ } >+ > if (not $self->check_or_start( > env_vars => $ret, > nmbd => "yes", >- winbindd => "yes", >+ winbindd => $run_wb ? "yes" : "no", > smbd => "yes")) { > return undef; > } >@@ -1419,6 +1442,7 @@ sub setup_ad_member_fips > $dcvars, > $trustvars_f, > $trustvars_e, >+ undef, > 1); > } > >@@ -1443,9 +1467,43 @@ sub setup_ad_member_offlogon > $trustvars_f, > $trustvars_e, > undef, >+ undef, > 1); > } > >+sub setup_ad_member_no_nss_wb >+{ >+ my ($self, >+ $prefix, >+ $dcvars, >+ $trustvars_f, >+ $trustvars_e) = @_; >+ >+ # If we didn't build with ADS, pretend this env was never available >+ if (not $self->have_ads()) { >+ return "UNKNOWN"; >+ } >+ >+ print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND..."; >+ >+ my $extra_member_options = " >+ client min protocol = CORE >+ server min protocol = LANMAN1 >+"; >+ >+ my $ret = $self->provision_ad_member($prefix, >+ "ADMEMNONSSWB", >+ $dcvars, >+ $trustvars_f, >+ $trustvars_e, >+ $extra_member_options, >+ undef, >+ undef, >+ 1); >+ >+ return $ret; >+} >+ > sub setup_simpleserver > { > my ($self, $path) = @_; >-- >2.25.1 > > >From cf175cd1c5a606fc72702cb339e74dec8ff29d12 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 8 Oct 2021 12:37:57 +0200 >Subject: [PATCH 04/34] sq setup_ad_member_no_nss_wb map to local root > >--- > selftest/target/Samba3.pm | 13 ++++++++++--- > 1 file changed, 10 insertions(+), 3 deletions(-) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index b6251df5e48a..56d73a9b5819 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -957,17 +957,15 @@ sub provision_ad_member > return undef; > } > } else { >- my $run_wb = 1; > if (defined($no_nss_winbind)) { > $ret->{NSS_WRAPPER_MODULE_SO_PATH} = ""; > $ret->{NSS_WRAPPER_MODULE_FN_PREFIX} = ""; >- $run_wb = 0; > } > > if (not $self->check_or_start( > env_vars => $ret, > nmbd => "yes", >- winbindd => $run_wb ? "yes" : "no", >+ winbindd => "yes", > smbd => "yes")) { > return undef; > } >@@ -1487,8 +1485,11 @@ sub setup_ad_member_no_nss_wb > print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND..."; > > my $extra_member_options = " >+ > client min protocol = CORE > server min protocol = LANMAN1 >+ >+ username map = $prefix/lib/username.map > "; > > my $ret = $self->provision_ad_member($prefix, >@@ -1501,6 +1502,12 @@ sub setup_ad_member_no_nss_wb > undef, > 1); > >+ open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); >+ print USERMAP " >+root = $dcvars->{DOMAIN}/root >+"; >+ close(USERMAP); >+ > return $ret; > } > >-- >2.25.1 > > >From d7d0c447c4a17a2c01ee38dd8a6fa7717ea8d669 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 8 Oct 2021 19:03:52 +0200 >Subject: [PATCH 05/34] sq setup_ad_member_no_nss_wb > >--- > selftest/target/Samba3.pm | 4 ---- > 1 file changed, 4 deletions(-) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 56d73a9b5819..dde687168d93 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -1485,10 +1485,6 @@ sub setup_ad_member_no_nss_wb > print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND..."; > > my $extra_member_options = " >- >- client min protocol = CORE >- server min protocol = LANMAN1 >- > username map = $prefix/lib/username.map > "; > >-- >2.25.1 > > >From 78bcdde9018cb934acd73cc3134b2a342c86d2e6 Mon Sep 17 00:00:00 2001 >From: Samuel Cabrero <scabrero@samba.org> >Date: Tue, 5 Oct 2021 16:56:06 +0200 >Subject: [PATCH 06/34] selftest: Add a test for the new 'min domain uid' > parameter > >Signed-off-by: Samuel Cabrero <scabrero@samba.org> >--- > python/samba/tests/krb5/test_smb_no_nss_wb.py | 153 ++++++++++++++++++ > selftest/knownfail | 2 + > source4/selftest/tests.py | 7 + > 3 files changed, 162 insertions(+) > create mode 100755 python/samba/tests/krb5/test_smb_no_nss_wb.py > >diff --git a/python/samba/tests/krb5/test_smb_no_nss_wb.py b/python/samba/tests/krb5/test_smb_no_nss_wb.py >new file mode 100755 >index 000000000000..7d85c0fe7aa2 >--- /dev/null >+++ b/python/samba/tests/krb5/test_smb_no_nss_wb.py >@@ -0,0 +1,153 @@ >+#!/usr/bin/env python3 >+# Unix SMB/CIFS implementation. >+# Copyright (C) Samuel Cabrero 2021 >+# >+# This program is free software; you can redistribute it and/or modify >+# it under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or >+# (at your option) any later version. >+# >+# This program is distributed in the hope that it will be useful, >+# but WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+# GNU General Public License for more details. >+# >+# You should have received a copy of the GNU General Public License >+# along with this program. If not, see <http://www.gnu.org/licenses/>. >+# >+ >+import sys >+import os >+import pwd >+import ctypes >+ >+from ldb import SCOPE_SUBTREE >+from samba.tests import delete_force, env_get_var_value >+from samba.dcerpc import security >+from samba.ndr import ndr_unpack >+from samba.samba3 import libsmb_samba_internal as libsmb >+from samba.samba3 import param as s3param >+from samba import NTSTATUSError, ntstatus >+ >+from samba.tests.krb5.kdc_base_test import KDCBaseTest >+ >+sys.path.insert(0, "bin/python") >+os.environ["PYTHONUNBUFFERED"] = "1" >+ >+global_asn1_print = False >+global_hexdump = False >+ >+class SmbNoNssWbTests(KDCBaseTest): >+ """Test for SMB authorization based on Kerberos ticket names without NSS >+ winbind and without running winbind daemon. In this scenario smbd will >+ try to match the name in the kerberos ticket to a local unix account. >+ """ >+ >+ def setUp(self): >+ super(KDCBaseTest, self).setUp() >+ >+ # Create a user account, along with a Kerberos credentials cache file >+ # where the service ticket authenticating the user are stored. >+ self.samdb = self.get_samdb() >+ >+ self.mach_name = env_get_var_value('SERVER') >+ self.user_name = "root" >+ self.service = "cifs" >+ self.share = "tmp" >+ >+ # Create the user account. >+ (self.user_creds, _) = self.create_account(self.samdb, self.user_name) >+ >+ # Talk to the KDC to obtain the service ticket, which gets placed into >+ # the cache. The machine account name has to match the name in the >+ # ticket, to ensure that the krbtgt ticket doesn't also need to be >+ # stored. >+ (self.creds, self.cachefile) = self.create_ccache_with_user( >+ self.user_creds, self.mach_name, self.service) >+ >+ # Set the Kerberos 5 credentials cache environment variable. This is >+ # required because the codepath that gets run (gse_krb5) looks for it >+ # in here and not in the credentials object. >+ krb5_ccname = os.environ.get("KRB5CCNAME", "") >+ self.addCleanup(os.environ.__setitem__, "KRB5CCNAME", krb5_ccname) >+ os.environ["KRB5CCNAME"] = "FILE:" + self.cachefile.name >+ >+ # Build the global inject file path >+ server_conf = env_get_var_value('SMB_CONF_PATH') >+ server_conf_dir = os.path.dirname(server_conf) >+ self.global_inject = os.path.join(server_conf_dir, "global_inject.conf") >+ >+ def test_min_uid(self): >+ # Retrieve the user account's SID. >+ ldb_res = self.samdb.search( >+ scope=SCOPE_SUBTREE, >+ expression="(sAMAccountName=%s)" % self.user_name, >+ attrs=["objectSid"]) >+ self.assertEqual(1, len(ldb_res)) >+ sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0]) >+ >+ # Assert unix root uid is less than 'idmap config ADDOMAIN' minimum >+ s3_lp = s3param.get_context() >+ s3_lp.load(self.get_lp().configfile) >+ >+ domain_range = s3_lp.get("idmap config * : range").split('-') >+ domain_range_low = int(domain_range[0]) >+ unix_root_pw = pwd.getpwnam(self.user_name) >+ self.assertLess(unix_root_pw.pw_uid, domain_range_low) >+ self.assertLess(unix_root_pw.pw_gid, domain_range_low) >+ >+ # Connect to a share and retrieve the mapped user SID >+ min_protocol = s3_lp.get("client min protocol") >+ self.addCleanup(s3_lp.set, "client min protocol", min_protocol) >+ s3_lp.set("client min protocol", "NT1") >+ >+ max_protocol = s3_lp.get("client max protocol") >+ self.addCleanup(s3_lp.set, "client max protocol", max_protocol) >+ s3_lp.set("client max protocol", "NT1") >+ >+ conn = libsmb.Conn(self.mach_name, self.share, lp=s3_lp, creds=self.creds) >+ >+ (uid, gid, gids, sids, guest) = conn.posix_whoami() >+ >+ # Ensure no guest >+ self.assertFalse(guest) >+ >+ # Ensure SIDs do not match >+ self.assertNotEqual(sid, sids[0]) >+ >+ # Ensure mapped to unix root >+ self.assertEqual(uid, unix_root_pw.pw_uid) >+ self.assertEqual(gid, unix_root_pw.pw_gid) >+ >+ # Disconnect >+ conn = None >+ >+ # Restrict access to local unix accounts setting min domain uid >+ with open(self.global_inject, 'w') as f: >+ f.write("min domain uid = %s\n" % domain_range_low) >+ >+ with self.assertRaises(NTSTATUSError) as cm: >+ conn = libsmb.Conn(self.mach_name, >+ self.share, >+ lp=s3_lp, >+ creds=self.creds) >+ code = ctypes.c_uint32(cm.exception.args[0]).value >+ self.assertEqual(code, ntstatus.NT_STATUS_ACCESS_DENIED) >+ >+ with open(self.global_inject, 'w') as f: >+ f.truncate() >+ >+ def tearDown(self): >+ # Ensure no leftovers in global inject file >+ with open(self.global_inject, 'w') as f: >+ f.truncate() >+ >+ # Remove the cached credentials file. >+ os.remove(self.cachefile.name) >+ super(KDCBaseTest, self).tearDown() >+ >+if __name__ == "__main__": >+ global_asn1_print = True >+ global_hexdump = True >+ import unittest >+ unittest.main() >diff --git a/selftest/knownfail b/selftest/knownfail >index 94af250d4eb5..2c23bd724346 100644 >--- a/selftest/knownfail >+++ b/selftest/knownfail >@@ -394,3 +394,5 @@ > ^samba.tests.ntlmdisabled.python\(ktest\).ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\) > ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) > >+^samba.tests.krb5.test_smb_no_nss_wb.samba.*.SmbNoNssWbTests.test_min_uid\(ad_member_no_nss_wb:local\) >+ >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 2ed72fda2651..b4740207f5cb 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -948,6 +948,13 @@ planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb", > 'ADMIN_PASSWORD': '$PASSWORD', > 'STRICT_CHECKING': '0' > }) >+planoldpythontestsuite("ad_member_no_nss_wb:local", >+ "samba.tests.krb5.test_smb_no_nss_wb", >+ environ={ >+ 'ADMIN_USERNAME': '$DC_USERNAME', >+ 'ADMIN_PASSWORD': '$DC_PASSWORD', >+ 'STRICT_CHECKING': '0' >+ }) > > for env in ["ad_dc", smbv1_disabled_testenv]: > planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"']) >-- >2.25.1 > > >From bb32ce8af9776c9880889286c1d6c5cd723f804a Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 8 Oct 2021 19:22:31 +0200 >Subject: [PATCH 07/34] samba.tests.krb5.test_min_domain_uid > >--- > ...mb_no_nss_wb.py => test_min_domain_uid.py} | 44 +++++-------------- > source4/selftest/tests.py | 2 +- > 2 files changed, 12 insertions(+), 34 deletions(-) > rename python/samba/tests/krb5/{test_smb_no_nss_wb.py => test_min_domain_uid.py} (78%) > >diff --git a/python/samba/tests/krb5/test_smb_no_nss_wb.py b/python/samba/tests/krb5/test_min_domain_uid.py >similarity index 78% >rename from python/samba/tests/krb5/test_smb_no_nss_wb.py >rename to python/samba/tests/krb5/test_min_domain_uid.py >index 7d85c0fe7aa2..830b5a30e0a7 100755 >--- a/python/samba/tests/krb5/test_smb_no_nss_wb.py >+++ b/python/samba/tests/krb5/test_min_domain_uid.py >@@ -37,7 +37,7 @@ os.environ["PYTHONUNBUFFERED"] = "1" > global_asn1_print = False > global_hexdump = False > >-class SmbNoNssWbTests(KDCBaseTest): >+class SmbMinDomainUid(KDCBaseTest): > """Test for SMB authorization based on Kerberos ticket names without NSS > winbind and without running winbind daemon. In this scenario smbd will > try to match the name in the kerberos ticket to a local unix account. >@@ -78,14 +78,6 @@ class SmbNoNssWbTests(KDCBaseTest): > self.global_inject = os.path.join(server_conf_dir, "global_inject.conf") > > def test_min_uid(self): >- # Retrieve the user account's SID. >- ldb_res = self.samdb.search( >- scope=SCOPE_SUBTREE, >- expression="(sAMAccountName=%s)" % self.user_name, >- attrs=["objectSid"]) >- self.assertEqual(1, len(ldb_res)) >- sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0]) >- > # Assert unix root uid is less than 'idmap config ADDOMAIN' minimum > s3_lp = s3param.get_context() > s3_lp.load(self.get_lp().configfile) >@@ -96,35 +88,13 @@ class SmbNoNssWbTests(KDCBaseTest): > self.assertLess(unix_root_pw.pw_uid, domain_range_low) > self.assertLess(unix_root_pw.pw_gid, domain_range_low) > >- # Connect to a share and retrieve the mapped user SID >- min_protocol = s3_lp.get("client min protocol") >- self.addCleanup(s3_lp.set, "client min protocol", min_protocol) >- s3_lp.set("client min protocol", "NT1") >- >- max_protocol = s3_lp.get("client max protocol") >- self.addCleanup(s3_lp.set, "client max protocol", max_protocol) >- s3_lp.set("client max protocol", "NT1") >- > conn = libsmb.Conn(self.mach_name, self.share, lp=s3_lp, creds=self.creds) >- >- (uid, gid, gids, sids, guest) = conn.posix_whoami() >- >- # Ensure no guest >- self.assertFalse(guest) >- >- # Ensure SIDs do not match >- self.assertNotEqual(sid, sids[0]) >- >- # Ensure mapped to unix root >- self.assertEqual(uid, unix_root_pw.pw_uid) >- self.assertEqual(gid, unix_root_pw.pw_gid) >- > # Disconnect > conn = None > >- # Restrict access to local unix accounts setting min domain uid >+ # Restrict access to local root account uid > with open(self.global_inject, 'w') as f: >- f.write("min domain uid = %s\n" % domain_range_low) >+ f.write("min domain uid = %s\n" % (unix_root_pw.pw_uid + 1)) > > with self.assertRaises(NTSTATUSError) as cm: > conn = libsmb.Conn(self.mach_name, >@@ -134,6 +104,14 @@ class SmbNoNssWbTests(KDCBaseTest): > code = ctypes.c_uint32(cm.exception.args[0]).value > self.assertEqual(code, ntstatus.NT_STATUS_ACCESS_DENIED) > >+ # check that the local root account uid is now allowed >+ with open(self.global_inject, 'w') as f: >+ f.write("min domain uid = %s\n" % unix_root_pw.pw_uid) >+ >+ conn = libsmb.Conn(self.mach_name, self.share, lp=s3_lp, creds=self.creds) >+ # Disconnect >+ conn = None >+ > with open(self.global_inject, 'w') as f: > f.truncate() > >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index b4740207f5cb..36c1b8527c24 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -949,7 +949,7 @@ planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb", > 'STRICT_CHECKING': '0' > }) > planoldpythontestsuite("ad_member_no_nss_wb:local", >- "samba.tests.krb5.test_smb_no_nss_wb", >+ "samba.tests.krb5.test_min_domain_uid", > environ={ > 'ADMIN_USERNAME': '$DC_USERNAME', > 'ADMIN_PASSWORD': '$DC_PASSWORD', >-- >2.25.1 > > >From 801cedae324ee289c9b04d16cbca7009ced3838b Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 8 Oct 2021 19:56:07 +0200 >Subject: [PATCH 08/34] sq python/samba/tests/krb5/test_min_domain_uid.py > >--- > .../samba/tests/krb5/test_min_domain_uid.py | 41 +++++++++---------- > 1 file changed, 20 insertions(+), 21 deletions(-) > >diff --git a/python/samba/tests/krb5/test_min_domain_uid.py b/python/samba/tests/krb5/test_min_domain_uid.py >index 830b5a30e0a7..5f5298961029 100755 >--- a/python/samba/tests/krb5/test_min_domain_uid.py >+++ b/python/samba/tests/krb5/test_min_domain_uid.py >@@ -30,6 +30,9 @@ from samba.samba3 import param as s3param > from samba import NTSTATUSError, ntstatus > > from samba.tests.krb5.kdc_base_test import KDCBaseTest >+from samba.credentials import MUST_USE_KERBEROS >+from samba.credentials import DONT_USE_KERBEROS >+from samba.credentials import AUTO_USE_KERBEROS > > sys.path.insert(0, "bin/python") > os.environ["PYTHONUNBUFFERED"] = "1" >@@ -58,26 +61,12 @@ class SmbMinDomainUid(KDCBaseTest): > # Create the user account. > (self.user_creds, _) = self.create_account(self.samdb, self.user_name) > >- # Talk to the KDC to obtain the service ticket, which gets placed into >- # the cache. The machine account name has to match the name in the >- # ticket, to ensure that the krbtgt ticket doesn't also need to be >- # stored. >- (self.creds, self.cachefile) = self.create_ccache_with_user( >- self.user_creds, self.mach_name, self.service) >- >- # Set the Kerberos 5 credentials cache environment variable. This is >- # required because the codepath that gets run (gse_krb5) looks for it >- # in here and not in the credentials object. >- krb5_ccname = os.environ.get("KRB5CCNAME", "") >- self.addCleanup(os.environ.__setitem__, "KRB5CCNAME", krb5_ccname) >- os.environ["KRB5CCNAME"] = "FILE:" + self.cachefile.name >- > # Build the global inject file path > server_conf = env_get_var_value('SMB_CONF_PATH') > server_conf_dir = os.path.dirname(server_conf) > self.global_inject = os.path.join(server_conf_dir, "global_inject.conf") > >- def test_min_uid(self): >+ def _test_min_uid(self, creds): > # Assert unix root uid is less than 'idmap config ADDOMAIN' minimum > s3_lp = s3param.get_context() > s3_lp.load(self.get_lp().configfile) >@@ -88,7 +77,7 @@ class SmbMinDomainUid(KDCBaseTest): > self.assertLess(unix_root_pw.pw_uid, domain_range_low) > self.assertLess(unix_root_pw.pw_gid, domain_range_low) > >- conn = libsmb.Conn(self.mach_name, self.share, lp=s3_lp, creds=self.creds) >+ conn = libsmb.Conn(self.mach_name, self.share, lp=s3_lp, creds=creds) > # Disconnect > conn = None > >@@ -100,28 +89,38 @@ class SmbMinDomainUid(KDCBaseTest): > conn = libsmb.Conn(self.mach_name, > self.share, > lp=s3_lp, >- creds=self.creds) >+ creds=creds) > code = ctypes.c_uint32(cm.exception.args[0]).value >- self.assertEqual(code, ntstatus.NT_STATUS_ACCESS_DENIED) >+ self.assertEqual(code, ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED) > > # check that the local root account uid is now allowed > with open(self.global_inject, 'w') as f: > f.write("min domain uid = %s\n" % unix_root_pw.pw_uid) > >- conn = libsmb.Conn(self.mach_name, self.share, lp=s3_lp, creds=self.creds) >+ conn = libsmb.Conn(self.mach_name, self.share, lp=s3_lp, creds=creds) > # Disconnect > conn = None > > with open(self.global_inject, 'w') as f: > f.truncate() > >+ def test_min_domain_uid_krb5(self): >+ self.user_creds.set_kerberos_state(MUST_USE_KERBEROS) >+ ret = self._test_min_uid(self.user_creds) >+ self.user_creds.set_kerberos_state(AUTO_USE_KERBEROS) >+ return ret >+ >+ def _test_min_domain_uid_ntlmssp(self): >+ self.user_creds.set_kerberos_state(DONT_USE_KERBEROS) >+ ret = self._test_min_uid(self.user_creds) >+ self.user_creds.set_kerberos_state(AUTO_USE_KERBEROS) >+ return ret >+ > def tearDown(self): > # Ensure no leftovers in global inject file > with open(self.global_inject, 'w') as f: > f.truncate() > >- # Remove the cached credentials file. >- os.remove(self.cachefile.name) > super(KDCBaseTest, self).tearDown() > > if __name__ == "__main__": >-- >2.25.1 > > >From 83dcef0bdb8cf6389f40f3c54a40795527c5a666 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 8 Oct 2021 20:10:16 +0200 >Subject: [PATCH 09/34] sq python/samba/tests/krb5/test_min_domain_uid.py > >--- > python/samba/tests/krb5/test_min_domain_uid.py | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/python/samba/tests/krb5/test_min_domain_uid.py b/python/samba/tests/krb5/test_min_domain_uid.py >index 5f5298961029..cf0a9a275b7c 100755 >--- a/python/samba/tests/krb5/test_min_domain_uid.py >+++ b/python/samba/tests/krb5/test_min_domain_uid.py >@@ -91,7 +91,7 @@ class SmbMinDomainUid(KDCBaseTest): > lp=s3_lp, > creds=creds) > code = ctypes.c_uint32(cm.exception.args[0]).value >- self.assertEqual(code, ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED) >+ self.assertEqual(code, ntstatus.NT_STATUS_INVALID_TOKEN) > > # check that the local root account uid is now allowed > with open(self.global_inject, 'w') as f: >-- >2.25.1 > > >From 5c407f2901a2f39cfc35c3d0edb4515ba016b97b Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 11 Oct 2021 08:40:24 +0200 >Subject: [PATCH 10/34] sq python/samba/tests/krb5/test_min_domain_uid.py > python/samba/tests/usage.py > >--- > python/samba/tests/usage.py | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py >index e97be071a5d0..e3d4c26a88a4 100644 >--- a/python/samba/tests/usage.py >+++ b/python/samba/tests/usage.py >@@ -103,6 +103,7 @@ EXCLUDE_USAGE = { > 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', > 'python/samba/tests/krb5/as_req_tests.py', > 'python/samba/tests/krb5/fast_tests.py', >+ 'python/samba/tests/krb5/test_min_domain_uid.py', > } > > EXCLUDE_HELP = { >-- >2.25.1 > > >From 267eed51c41207c6ae2c269ae11f908aba5460e1 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 8 Oct 2021 19:57:18 +0200 >Subject: [PATCH 11/34] auth3_generate_session_info_pac status = > nt_status_squash(status) > >--- > source3/auth/auth_generic.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c >index 0e9245fc23dc..41c53cee391e 100644 >--- a/source3/auth/auth_generic.c >+++ b/source3/auth/auth_generic.c >@@ -166,7 +166,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", > nt_errstr(status))); >- status = NT_STATUS_ACCESS_DENIED; >+ status = nt_status_squash(status); > goto done; > } > >-- >2.25.1 > > >From 8781d43bbc537e5bb4c144931c77a30b72d42fd8 Mon Sep 17 00:00:00 2001 >From: Samuel Cabrero <scabrero@samba.org> >Date: Tue, 28 Sep 2021 10:45:11 +0200 >Subject: [PATCH 12/34] s3: auth: Check minimum domain uid > >Signed-off-by: Samuel Cabrero <scabrero@samba.org> >--- > selftest/knownfail | 2 -- > source3/auth/auth_util.c | 15 +++++++++++++++ > 2 files changed, 15 insertions(+), 2 deletions(-) > >diff --git a/selftest/knownfail b/selftest/knownfail >index 2c23bd724346..94af250d4eb5 100644 >--- a/selftest/knownfail >+++ b/selftest/knownfail >@@ -394,5 +394,3 @@ > ^samba.tests.ntlmdisabled.python\(ktest\).ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\) > ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) > >-^samba.tests.krb5.test_smb_no_nss_wb.samba.*.SmbNoNssWbTests.test_min_uid\(ad_member_no_nss_wb:local\) >- >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index 0a1cf4803e4e..a0c31124b96d 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -2117,6 +2117,21 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, > } > } > goto out; >+ } else if ((lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) && >+ !is_myname(domain) && pwd->pw_uid < lp_min_domain_uid()) { >+ /* >+ * !is_myname(domain) because when smbd starts tries to setup >+ * the guest user info, calling this function with nobody >+ * username. Nobody is usually uid 65535 but it can be changed >+ * to a regular user with 'guest account' parameter >+ */ >+ DBG_NOTICE("Username '%s%s%s' is invalid on this system, " >+ "it does not meet 'min domain uid' " >+ "restriction (%u < %u)\n", >+ nt_domain, lp_winbind_separator(), nt_username, >+ pwd->pw_uid, lp_min_domain_uid()); >+ nt_status = NT_STATUS_LOGON_FAILURE; >+ goto out; > } > > result = make_server_info(tmp_ctx); >-- >2.25.1 > > >From cd910cb8315c65a2e6c1a45274d706e2823e65b6 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 8 Oct 2021 19:56:48 +0200 >Subject: [PATCH 13/34] make_server_info_info3 min domain uid > >--- > source3/auth/auth_util.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index a0c31124b96d..c2949a57acdb 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -2125,12 +2125,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, > * username. Nobody is usually uid 65535 but it can be changed > * to a regular user with 'guest account' parameter > */ >+ nt_status = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; > DBG_NOTICE("Username '%s%s%s' is invalid on this system, " > "it does not meet 'min domain uid' " >- "restriction (%u < %u)\n", >+ "restriction (%u < %u): %s\n", > nt_domain, lp_winbind_separator(), nt_username, >- pwd->pw_uid, lp_min_domain_uid()); >- nt_status = NT_STATUS_LOGON_FAILURE; >+ pwd->pw_uid, lp_min_domain_uid(), >+ nt_errstr(nt_status)); > goto out; > } > >-- >2.25.1 > > >From 93a9576ba91f546584845183806e865c52e90282 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 8 Oct 2021 20:10:32 +0200 >Subject: [PATCH 14/34] make_server_info_info3 NT_STATUS_INVALID_TOKEN > >--- > source3/auth/auth_util.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index c2949a57acdb..9ff7256bbed7 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -2125,7 +2125,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, > * username. Nobody is usually uid 65535 but it can be changed > * to a regular user with 'guest account' parameter > */ >- nt_status = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; >+ nt_status = NT_STATUS_INVALID_TOKEN; > DBG_NOTICE("Username '%s%s%s' is invalid on this system, " > "it does not meet 'min domain uid' " > "restriction (%u < %u): %s\n", >-- >2.25.1 > > >From 4906704e09b1018a35277e0fc48d1ae9c73884a7 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 5 Oct 2021 16:42:00 +0200 >Subject: [PATCH 15/34] selftest/Samba3: replace (winbindd => "yes", skip_wait > => 1) with (winbindd => "offline") > >This is much more flexible and concentrates the logic in a single place. > >We'll use winbindd => "offline" in other places soon. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > selftest/target/Samba3.pm | 38 ++++++++------------------------------ > 1 file changed, 8 insertions(+), 30 deletions(-) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index dde687168d93..fb84e4de5b97 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -928,34 +928,13 @@ sub provision_ad_member > # Start winbindd in offline mode > if (not $self->check_or_start( > env_vars => $ret, >- winbindd => "yes", >- skip_wait => 1)) { >+ winbindd => "offline")) { > return undef; > } > > # Set socket dir again > $ENV{SOCKET_WRAPPER_DIR} = $swrap_env; > >- print "checking for winbindd\n"; >- my $count = 0; >- my $rc = 0; >- $cmd = "NSS_WRAPPER_PASSWD='$ret->{NSS_WRAPPER_PASSWD}' "; >- $cmd .= "NSS_WRAPPER_GROUP='$ret->{NSS_WRAPPER_GROUP}' "; >- $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" "; >- $cmd .= "$wbinfo --ping"; >- >- do { >- $rc = system($cmd); >- if ($rc != 0) { >- sleep(1); >- } >- $count++; >- } while ($rc != 0 && $count < 20); >- if ($count == 20) { >- print "WINBINDD not reachable after 20 seconds\n"; >- teardown_env($self, $ret); >- return undef; >- } > } else { > if (defined($no_nss_winbind)) { > $ret->{NSS_WRAPPER_MODULE_SO_PATH} = ""; >@@ -2171,7 +2150,6 @@ sub check_or_start($$) { > my $winbindd = $args{winbindd} // "no"; > my $smbd = $args{smbd} // "no"; > my $child_cleanup = $args{child_cleanup}; >- my $skip_wait = $args{skip_wait} // 0; > > my $STDIN_READER; > >@@ -2220,7 +2198,7 @@ sub check_or_start($$) { > LOG_FILE => $env_vars->{WINBINDD_TEST_LOG}, > PCAP_FILE => "env-$ENV{ENVNAME}-winbindd", > }; >- if ($winbindd ne "yes") { >+ if ($winbindd ne "yes" and $winbindd ne "offline") { > $daemon_ctx->{SKIP_DAEMON} = 1; > } > >@@ -2256,10 +2234,6 @@ sub check_or_start($$) { > # close the parent's read-end of the pipe > close($STDIN_READER); > >- if ($skip_wait) { >- return 1; >- } >- > return $self->wait_for_start($env_vars, $nmbd, $winbindd, $smbd); > } > >@@ -3456,13 +3430,17 @@ sub wait_for_start($$$$$) > } > } > >- if ($winbindd eq "yes") { >+ if ($winbindd eq "yes" or $winbindd eq "offline") { > print "checking for winbindd\n"; > my $count = 0; > $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' "; > $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' "; > $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' "; >- $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc"; >+ if ($winbindd eq "yes") { >+ $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc"; >+ } elsif ($winbindd eq "offline") { >+ $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping"; >+ } > > do { > $ret = system($cmd); >-- >2.25.1 > > >From 9ffae7bad0277ccef15f1f563ec10791ac661b2a Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 5 Oct 2021 17:14:01 +0200 >Subject: [PATCH 16/34] ktest autorid winbindd = offline > >--- > selftest/target/Samba3.pm | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index fb84e4de5b97..afefc47bae18 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -1962,6 +1962,10 @@ sub setup_ktest > # This disables NTLM auth against the local SAM, which > # we use can then test this setting by. > ntlm auth = disabled >+ >+ idmap config * : backend = autorid >+ idmap config * : range = 1000000-1999999 >+ idmap config * : rangesize = 100000 > "; > > my $ret = $self->provision( >@@ -2044,6 +2048,7 @@ $ret->{USERNAME} = KTEST\\Administrator > if (not $self->check_or_start( > env_vars => $ret, > nmbd => "yes", >+ winbindd => "offline", > smbd => "yes")) { > return undef; > } >-- >2.25.1 > > >From b080af1d6e200ac1b98617db342c5954c7a5de88 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 5 Oct 2021 18:12:24 +0200 >Subject: [PATCH 17/34] ktest #username map script = /bin/echo > >--- > selftest/target/Samba3.pm | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index afefc47bae18..62bb57f270b3 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -1955,6 +1955,7 @@ sub setup_ktest > realm = ktest.samba.example.com > security = ads > username map = $prefix/lib/username.map >+ #username map script = /bin/echo > server signing = required > server min protocol = SMB3_00 > client max protocol = SMB3 >-- >2.25.1 > > >From f7ed65408d306db04e61fb66f443ce735b1ecf27 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 8 Oct 2021 20:29:07 +0200 >Subject: [PATCH 18/34] Revert "ktest #username map script = /bin/echo" > >This reverts commit 75cd8b01a3727c940d0fa416f033ab5931d8110c. >--- > selftest/target/Samba3.pm | 1 - > 1 file changed, 1 deletion(-) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index 62bb57f270b3..afefc47bae18 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -1955,7 +1955,6 @@ sub setup_ktest > realm = ktest.samba.example.com > security = ads > username map = $prefix/lib/username.map >- #username map script = /bin/echo > server signing = required > server min protocol = SMB3_00 > client max protocol = SMB3 >-- >2.25.1 > > >From 936199787c8cbcf74c57c7dedd8f3d978c6262db Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 5 Oct 2021 17:14:38 +0200 >Subject: [PATCH 19/34] ktest no username map > >--- > selftest/target/Samba3.pm | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index afefc47bae18..6dc5bfa9a6b5 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm >@@ -1954,7 +1954,7 @@ sub setup_ktest > workgroup = KTEST > realm = ktest.samba.example.com > security = ads >- username map = $prefix/lib/username.map >+ #username map = $prefix/lib/username.map > server signing = required > server min protocol = SMB3_00 > client max protocol = SMB3 >-- >2.25.1 > > >From 2001403505e80781ec2adff562adab1e050240c0 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 8 Oct 2021 17:40:30 +0200 >Subject: [PATCH 20/34] s3:auth: we should not try to autocreate the guest > account > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/auth/user_krb5.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c >index 8998f9c8f8ae..074e8c7eb711 100644 >--- a/source3/auth/user_krb5.c >+++ b/source3/auth/user_krb5.c >@@ -155,7 +155,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, > if (!fuser) { > return NT_STATUS_NO_MEMORY; > } >- pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); >+ pw = smb_getpwnam(mem_ctx, fuser, &unixuser, false); > } > > /* extra sanity check that the guest account is valid */ >-- >2.25.1 > > >From 63f11eb239e270fa226efab11aee812f341783c8 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 8 Oct 2021 18:08:20 +0200 >Subject: [PATCH 21/34] check_account don't autocreate local users > >--- > source3/auth/auth_util.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index 9ff7256bbed7..af76eaad5fe1 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -1912,7 +1912,7 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, > return NT_STATUS_NO_MEMORY; > } > >- passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, true ); >+ passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false ); > if (!passwd) { > DEBUG(3, ("Failed to find authenticated user %s via " > "getpwnam(), denying access.\n", dom_user)); >-- >2.25.1 > > >From cbe8323384680bd3101c26308a9439a9de4759db Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Fri, 8 Oct 2021 12:33:16 +0200 >Subject: [PATCH 22/34] smb_getpwnam() no fallback for domain users WIP > >--- > source3/auth/auth_util.c | 69 ++++++++++++++++++++-------------------- > 1 file changed, 34 insertions(+), 35 deletions(-) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index af76eaad5fe1..3c3444707979 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -1947,7 +1947,7 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser, > { > struct passwd *pw = NULL; > char *p = NULL; >- char *username = NULL; >+ const char *username = NULL; > > /* we only save a copy of the username it has been mangled > by winbindd use default domain */ >@@ -1966,48 +1966,47 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser, > /* code for a DOMAIN\user string */ > > if ( p ) { >- pw = Get_Pwnam_alloc( mem_ctx, domuser ); >- if ( pw ) { >- /* make sure we get the case of the username correct */ >- /* work around 'winbind use default domain = yes' */ >- >- if ( lp_winbind_use_default_domain() && >- !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { >- char *domain; >- >- /* split the domain and username into 2 strings */ >- *p = '\0'; >- domain = username; >- >- *p_save_username = talloc_asprintf(mem_ctx, >- "%s%c%s", >- domain, >- *lp_winbind_separator(), >- pw->pw_name); >- if (!*p_save_username) { >- TALLOC_FREE(pw); >- return NULL; >- } >- } else { >- *p_save_username = talloc_strdup(mem_ctx, pw->pw_name); >- } >+ const char *domain = NULL; > >- /* whew -- done! */ >- return pw; >- } >+ /* split the domain and username into 2 strings */ >+ *p = '\0'; >+ domain = username; >+ p++; >+ username = p; > >- /* setup for lookup of just the username */ >- /* remember that p and username are overlapping memory */ >+ if (strequal(domain, get_global_sam_name())) { >+ goto username_only; >+ } > >- p++; >- username = talloc_strdup(mem_ctx, p); >- if (!username) { >+ pw = Get_Pwnam_alloc( mem_ctx, domuser ); >+ if (pw == NULL) { > return NULL; > } >+ /* make sure we get the case of the username correct */ >+ /* work around 'winbind use default domain = yes' */ >+ >+ if ( lp_winbind_use_default_domain() && >+ !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { >+ *p_save_username = talloc_asprintf(mem_ctx, >+ "%s%c%s", >+ domain, >+ *lp_winbind_separator(), >+ pw->pw_name); >+ if (!*p_save_username) { >+ TALLOC_FREE(pw); >+ return NULL; >+ } >+ } else { >+ *p_save_username = talloc_strdup(mem_ctx, pw->pw_name); >+ } >+ >+ /* whew -- done! */ >+ return pw; >+ > } > > /* just lookup a plain username */ >- >+username_only: > pw = Get_Pwnam_alloc(mem_ctx, username); > > /* Create local user if requested but only if winbindd >-- >2.25.1 > > >From d728b764433a21921dac419645c58ab009de0ef6 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 21 Sep 2021 12:27:28 +0200 >Subject: [PATCH 23/34] s3:ntlm_auth: fix memory leaks in > ntlm_auth_generate_session_info_pac() > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/utils/ntlm_auth.c | 18 ++++++++++++------ > 1 file changed, 12 insertions(+), 6 deletions(-) > >diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c >index f887d6814d0d..89662e82f567 100644 >--- a/source3/utils/ntlm_auth.c >+++ b/source3/utils/ntlm_auth.c >@@ -818,23 +818,27 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c > if (!p) { > DEBUG(3, ("[%s] Doesn't look like a valid principal\n", > princ_name)); >- return NT_STATUS_LOGON_FAILURE; >+ status = NT_STATUS_LOGON_FAILURE; >+ goto done; > } > > user = talloc_strndup(mem_ctx, princ_name, p - princ_name); > if (!user) { >- return NT_STATUS_NO_MEMORY; >+ status = NT_STATUS_NO_MEMORY; >+ goto done; > } > > realm = talloc_strdup(talloc_tos(), p + 1); > if (!realm) { >- return NT_STATUS_NO_MEMORY; >+ status = NT_STATUS_NO_MEMORY; >+ goto done; > } > > if (!strequal(realm, lp_realm())) { > DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm)); > if (!lp_allow_trusted_domains()) { >- return NT_STATUS_LOGON_FAILURE; >+ status = NT_STATUS_LOGON_FAILURE; >+ goto done; > } > } > >@@ -842,7 +846,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c > domain = talloc_strdup(mem_ctx, > logon_info->info3.base.logon_domain.string); > if (!domain) { >- return NT_STATUS_NO_MEMORY; >+ status = NT_STATUS_NO_MEMORY; >+ goto done; > } > DEBUG(10, ("Domain is [%s] (using PAC)\n", domain)); > } else { >@@ -872,7 +877,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c > domain = talloc_strdup(mem_ctx, realm); > } > if (!domain) { >- return NT_STATUS_NO_MEMORY; >+ status = NT_STATUS_NO_MEMORY; >+ goto done; > } > DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); > } >-- >2.25.1 > > >From 67810f7bb135c0980eabcd780baa300f3a076065 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 21 Sep 2021 12:44:01 +0200 >Subject: [PATCH 24/34] s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() > base the name on the PAC LOGON_INFO only > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/utils/ntlm_auth.c | 91 ++++++++++++--------------------------- > 1 file changed, 28 insertions(+), 63 deletions(-) > >diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c >index 89662e82f567..1d0922d4eb3d 100644 >--- a/source3/utils/ntlm_auth.c >+++ b/source3/utils/ntlm_auth.c >@@ -790,10 +790,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c > struct PAC_LOGON_INFO *logon_info = NULL; > char *unixuser; > NTSTATUS status; >- char *domain = NULL; >- char *realm = NULL; >- char *user = NULL; >- char *p; >+ const char *domain = ""; >+ const char *user = ""; > > tmp_ctx = talloc_new(mem_ctx); > if (!tmp_ctx) { >@@ -810,79 +808,46 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c > if (!NT_STATUS_IS_OK(status)) { > goto done; > } >- } >- >- DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); >- >- p = strchr_m(princ_name, '@'); >- if (!p) { >- DEBUG(3, ("[%s] Doesn't look like a valid principal\n", >- princ_name)); >- status = NT_STATUS_LOGON_FAILURE; >+ } else { >+ status = NT_STATUS_ACCESS_DENIED; >+ DBG_WARNING("Kerberos ticket for[%s] has no PAC: %s\n", >+ princ_name, nt_errstr(status)); > goto done; > } > >- user = talloc_strndup(mem_ctx, princ_name, p - princ_name); >- if (!user) { >- status = NT_STATUS_NO_MEMORY; >- goto done; >+ if (logon_info->info3.base.account_name.string != NULL) { >+ user = logon_info->info3.base.account_name.string; >+ } else { >+ user = ""; >+ } >+ if (logon_info->info3.base.logon_domain.string != NULL) { >+ domain = logon_info->info3.base.logon_domain.string; >+ } else { >+ domain = ""; > } > >- realm = talloc_strdup(talloc_tos(), p + 1); >- if (!realm) { >- status = NT_STATUS_NO_MEMORY; >+ if (strlen(user) == 0 || strlen(domain) == 0) { >+ status = NT_STATUS_ACCESS_DENIED; >+ DBG_WARNING("Kerberos ticket for[%s] has invalid " >+ "account_name[%s]/logon_domain[%s]: %s\n", >+ princ_name, >+ logon_info->info3.base.account_name.string, >+ logon_info->info3.base.logon_domain.string, >+ nt_errstr(status)); > goto done; > } > >- if (!strequal(realm, lp_realm())) { >- DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm)); >+ DBG_NOTICE("Kerberos ticket principal name is [%s] " >+ "account_name[%s]/logon_domain[%s]\n", >+ princ_name, user, domain); >+ >+ if (!strequal(domain, lp_workgroup())) { > if (!lp_allow_trusted_domains()) { > status = NT_STATUS_LOGON_FAILURE; > goto done; > } > } > >- if (logon_info && logon_info->info3.base.logon_domain.string) { >- domain = talloc_strdup(mem_ctx, >- logon_info->info3.base.logon_domain.string); >- if (!domain) { >- status = NT_STATUS_NO_MEMORY; >- goto done; >- } >- DEBUG(10, ("Domain is [%s] (using PAC)\n", domain)); >- } else { >- >- /* If we have winbind running, we can (and must) shorten the >- username by using the short netbios name. Otherwise we will >- have inconsistent user names. With Kerberos, we get the >- fully qualified realm, with ntlmssp we get the short >- name. And even w2k3 does use ntlmssp if you for example >- connect to an ip address. */ >- >- wbcErr wbc_status; >- struct wbcDomainInfo *info = NULL; >- >- DEBUG(10, ("Mapping [%s] to short name using winbindd\n", >- realm)); >- >- wbc_status = wbcDomainInfo(realm, &info); >- >- if (WBC_ERROR_IS_OK(wbc_status)) { >- domain = talloc_strdup(mem_ctx, >- info->short_name); >- wbcFreeMemory(info); >- } else { >- DEBUG(3, ("Could not find short name: %s\n", >- wbcErrorString(wbc_status))); >- domain = talloc_strdup(mem_ctx, realm); >- } >- if (!domain) { >- status = NT_STATUS_NO_MEMORY; >- goto done; >- } >- DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); >- } >- > unixuser = talloc_asprintf(tmp_ctx, "%s%c%s", domain, winbind_separator(), user); > if (!unixuser) { > status = NT_STATUS_NO_MEMORY; >-- >2.25.1 > > >From cedbf14b8d5b7d85f452796a7d8b5484ae784874 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 21 Sep 2021 13:13:52 +0200 >Subject: [PATCH 25/34] s3:lib: add lp_allow_trusted_domains() logic to > is_allowed_domain() > >is_allowed_domain() is a central place we already use to >trigger NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, so >we can add additional logic there. > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/lib/util_names.c | 15 ++++++++++++++- > 1 file changed, 14 insertions(+), 1 deletion(-) > >diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c >index f0e9f699f29f..b62ddb302c6d 100644 >--- a/source3/lib/util_names.c >+++ b/source3/lib/util_names.c >@@ -69,5 +69,18 @@ bool is_allowed_domain(const char *domain_name) > } > } > >- return true; >+ if (lp_allow_trusted_domains()) { >+ return true; >+ } >+ >+ if (strequal(lp_workgroup(), domain_name)) { >+ return true; >+ } >+ >+ if (is_myname(domain_name)) { >+ return true; >+ } >+ >+ DBG_NOTICE("Not trusted domain '%s'\n", domain_name); >+ return false; > } >-- >2.25.1 > > >From 45a6c9eb2330fc78ccb271e2b3304d4badd0772d Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 4 Oct 2021 17:29:34 +0200 >Subject: [PATCH 26/34] s3:winbindd: make sure winbind_SamLogon() defaults to > r->out.authoritative = true > >--- > source3/winbindd/winbindd_dual_srv.c | 7 +++++++ > source3/winbindd/winbindd_irpc.c | 7 +++++++ > 2 files changed, 14 insertions(+) > >diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c >index 32d11e1fa57d..0be5ae5554bd 100644 >--- a/source3/winbindd/winbindd_dual_srv.c >+++ b/source3/winbindd/winbindd_dual_srv.c >@@ -941,6 +941,13 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p, > union netr_Validation *validation = NULL; > bool interactive = false; > >+ /* >+ * Make sure we start with authoritative=true, >+ * it will only set to false if we don't know the >+ * domain. >+ */ >+ r->out.authoritative = true; >+ > domain = wb_child_domain(); > if (domain == NULL) { > return NT_STATUS_REQUEST_NOT_ACCEPTED; >diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c >index e419736010b8..918393c08277 100644 >--- a/source3/winbindd/winbindd_irpc.c >+++ b/source3/winbindd/winbindd_irpc.c >@@ -142,6 +142,13 @@ static NTSTATUS wb_irpc_SamLogon(struct irpc_message *msg, > const char *target_domain_name = NULL; > const char *account_name = NULL; > >+ /* >+ * Make sure we start with authoritative=true, >+ * it will only set to false if we don't know the >+ * domain. >+ */ >+ req->out.authoritative = true; >+ > switch (req->in.logon_level) { > case NetlogonInteractiveInformation: > case NetlogonServiceInformation: >-- >2.25.1 > > >From 9cacfbad0adcf178f058645a0f1c2e67fb87f859 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 4 Oct 2021 18:03:55 +0200 >Subject: [PATCH 27/34] create_local_token no !winbind_ping() > >--- > source3/auth/auth_util.c | 10 ++++------ > 1 file changed, 4 insertions(+), 6 deletions(-) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index 3c3444707979..88737c705ea6 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -570,13 +570,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, > } > > /* >- * If winbind is not around, we can not make much use of the SIDs the >- * domain controller provided us with. Likewise if the user name was >- * mapped to some local unix user. >+ * If the user name was mapped to some local unix user, >+ * we can not make much use of the SIDs the >+ * domain controller provided us with. > */ >- >- if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || >- (server_info->nss_token)) { >+ if (server_info->nss_token) { > char *found_username = NULL; > status = create_token_from_username(session_info, > server_info->unix_name, >-- >2.25.1 > > >From 3f6de610f2a7b6bad53ddccc184c4cbf182912da Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 5 Oct 2021 18:11:57 +0200 >Subject: [PATCH 28/34] gensec:require_pac = true > >--- > auth/gensec/gensec_util.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c >index e411751c3af2..aa03472603c8 100644 >--- a/auth/gensec/gensec_util.c >+++ b/auth/gensec/gensec_util.c >@@ -48,7 +48,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, > session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; > > if (!pac_blob) { >- if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { >+ if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", true)) { > DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", > principal_string)); > return NT_STATUS_ACCESS_DENIED; >-- >2.25.1 > > >From 2bd2c0cdb9ac0edf5405a5136660ac25367b2fd1 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 4 Oct 2021 19:42:20 +0200 >Subject: [PATCH 29/34] auth3_generate_session_info_pac > make_server_info_wbcAuthUserInfo > >--- > source3/auth/auth_generic.c | 109 +++++++++++++++++++++++++++++------- > 1 file changed, 89 insertions(+), 20 deletions(-) > >diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c >index 41c53cee391e..dc7ac81c0f1b 100644 >--- a/source3/auth/auth_generic.c >+++ b/source3/auth/auth_generic.c >@@ -54,21 +54,33 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > char *ntuser; > char *ntdomain; > char *username; >- char *rhost; >+ const char *rhost; > struct passwd *pw; > NTSTATUS status; >- int rc; > > tmp_ctx = talloc_new(mem_ctx); > if (!tmp_ctx) { > return NT_STATUS_NO_MEMORY; > } > >+ if (tsocket_address_is_inet(remote_address, "ip")) { >+ rhost = tsocket_address_inet_addr_string( >+ remote_address, tmp_ctx); >+ if (rhost == NULL) { >+ status = NT_STATUS_NO_MEMORY; >+ goto done; >+ } >+ } else { >+ rhost = "127.0.0.1"; >+ } >+ > if (pac_blob) { >-#ifdef HAVE_KRB5 > struct wbcAuthUserParams params = { 0 }; > struct wbcAuthUserInfo *info = NULL; > struct wbcAuthErrorInfo *err = NULL; >+ struct auth_serversupplied_info *server_info = NULL; >+ char *original_user_name = NULL; >+ char *p = NULL; > wbcErr wbc_err; > > /* >@@ -87,6 +99,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > params.password.pac.data = pac_blob->data; > params.password.pac.length = pac_blob->length; > >+ /* we are contacting the privileged pipe */ > become_root(); > wbc_err = wbcAuthenticateUserEx(¶ms, &info, &err); > unbecome_root(); >@@ -99,18 +112,90 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > */ > > switch (wbc_err) { >- case WBC_ERR_WINBIND_NOT_AVAILABLE: > case WBC_ERR_SUCCESS: > break; >+ case WBC_ERR_WINBIND_NOT_AVAILABLE: >+ if (lp_server_role() == ROLE_DOMAIN_MEMBER) { >+ status = NT_STATUS_NO_LOGON_SERVERS; >+ DBG_ERR("winbindd not running - " >+ "but required as domain member: %s\n", >+ nt_errstr(status)); >+ goto done; >+ } >+ goto legacy; > case WBC_ERR_AUTH_ERROR: > status = NT_STATUS(err->nt_status); > wbcFreeMemory(err); > goto done; >+ case WBC_ERR_NO_MEMORY: >+ status = NT_STATUS_NO_MEMORY; >+ goto done; > default: > status = NT_STATUS_LOGON_FAILURE; > goto done; > } > >+ status = make_server_info_wbcAuthUserInfo(mem_ctx, >+ info->account_name, >+ info->domain_name, >+ info, &server_info); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(10, ("make_server_info_wbcAuthUserInfo failed: %s\n", >+ nt_errstr(status))); >+ goto done; >+ } >+ >+ /* We skip doing this step if the caller asked us not to */ >+ if (!(server_info->guest)) { >+ const char *unix_username = server_info->unix_name; >+ >+ /* We might not be root if we are an RPC call */ >+ become_root(); >+ status = smb_pam_accountcheck(unix_username, rhost); >+ unbecome_root(); >+ >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] " >+ "FAILED with error %s\n", >+ unix_username, nt_errstr(status))); >+ goto done; >+ } >+ >+ DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] " >+ "succeeded\n", unix_username)); >+ } >+ >+ DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); >+ >+ p = strchr_m(princ_name, '@'); >+ if (!p) { >+ DEBUG(3, ("[%s] Doesn't look like a valid principal\n", >+ princ_name)); >+ status = NT_STATUS_LOGON_FAILURE; >+ goto done; >+ } >+ >+ original_user_name = talloc_strndup(tmp_ctx, princ_name, p - princ_name); >+ if (original_user_name == NULL) { >+ status = NT_STATUS_NO_MEMORY; >+ goto done; >+ } >+ >+ status = create_local_token(mem_ctx, >+ server_info, >+ NULL, >+ original_user_name, >+ session_info); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(10, ("create_local_token failed: %s\n", >+ nt_errstr(status))); >+ goto done; >+ } >+ >+ status = NT_STATUS_OK; >+ goto done; >+legacy: >+#ifdef HAVE_KRB5 > status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, > NULL, NULL, 0, &logon_info); > #else >@@ -121,22 +206,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > } > } > >- rc = get_remote_hostname(remote_address, >- &rhost, >- tmp_ctx); >- if (rc < 0) { >- status = NT_STATUS_NO_MEMORY; >- goto done; >- } >- if (strequal(rhost, "UNKNOWN")) { >- rhost = tsocket_address_inet_addr_string(remote_address, >- tmp_ctx); >- if (rhost == NULL) { >- status = NT_STATUS_NO_MEMORY; >- goto done; >- } >- } >- > status = get_user_from_kerberos_info(tmp_ctx, rhost, > princ_name, logon_info, > &is_mapped, &is_guest, >-- >2.25.1 > > >From 9247285f515d39ab2789107d930fb557d4291a43 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 5 Oct 2021 18:12:49 +0200 >Subject: [PATCH 30/34] auth3_generate_session_info_pac remove legacy > >--- > source3/auth/auth_generic.c | 37 ++++++++++++------------------------- > 1 file changed, 12 insertions(+), 25 deletions(-) > >diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c >index dc7ac81c0f1b..dbed3f19f66c 100644 >--- a/source3/auth/auth_generic.c >+++ b/source3/auth/auth_generic.c >@@ -47,8 +47,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > struct auth_session_info **session_info) > { > TALLOC_CTX *tmp_ctx; >- struct PAC_LOGON_INFO *logon_info = NULL; >- struct netr_SamInfo3 *info3_copy = NULL; > bool is_mapped; > bool is_guest; > char *ntuser; >@@ -122,7 +120,8 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > nt_errstr(status)); > goto done; > } >- goto legacy; >+ status = NT_STATUS_ACCESS_DENIED; >+ goto done; > case WBC_ERR_AUTH_ERROR: > status = NT_STATUS(err->nt_status); > wbcFreeMemory(err); >@@ -194,20 +193,18 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > > status = NT_STATUS_OK; > goto done; >-legacy: >-#ifdef HAVE_KRB5 >- status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, >- NULL, NULL, 0, &logon_info); >-#else >- status = NT_STATUS_ACCESS_DENIED; >-#endif >- if (!NT_STATUS_IS_OK(status)) { >- goto done; >- } > } > >+ if (lp_server_role() != ROLE_STANDALONE) { >+ status = NT_STATUS_NO_LOGON_SERVERS; >+ DBG_ERR("winbindd not running - " >+ "but required as domain member: %s\n", >+ nt_errstr(status)); >+ goto done; >+ } >+ > status = get_user_from_kerberos_info(tmp_ctx, rhost, >- princ_name, logon_info, >+ princ_name, NULL, > &is_mapped, &is_guest, > &ntuser, &ntdomain, > &username, &pw); >@@ -218,19 +215,9 @@ legacy: > goto done; > } > >- /* Get the info3 from the PAC data if we have it */ >- if (logon_info) { >- status = create_info3_from_pac_logon_info(tmp_ctx, >- logon_info, >- &info3_copy); >- if (!NT_STATUS_IS_OK(status)) { >- goto done; >- } >- } >- > status = make_session_info_krb5(mem_ctx, > ntuser, ntdomain, username, pw, >- info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, >+ NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, > session_info); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", >-- >2.25.1 > > >From 7a942772456d928eb1f6a1a8b3cec4353f319b06 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 8 Oct 2021 17:59:59 +0200 >Subject: [PATCH 31/34] get_user_from_kerberos_info no logon_info no winbind > >--- > source3/auth/auth_generic.c | 2 +- > source3/auth/proto.h | 1 - > source3/auth/user_krb5.c | 57 +++++++------------------------------ > 3 files changed, 11 insertions(+), 49 deletions(-) > >diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c >index dbed3f19f66c..d800c786ce1f 100644 >--- a/source3/auth/auth_generic.c >+++ b/source3/auth/auth_generic.c >@@ -204,7 +204,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > } > > status = get_user_from_kerberos_info(tmp_ctx, rhost, >- princ_name, NULL, >+ princ_name, > &is_mapped, &is_guest, > &ntuser, &ntdomain, > &username, &pw); >diff --git a/source3/auth/proto.h b/source3/auth/proto.h >index 036d4004c382..596cbd68a7f5 100644 >--- a/source3/auth/proto.h >+++ b/source3/auth/proto.h >@@ -417,7 +417,6 @@ struct PAC_LOGON_INFO; > NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, > const char *cli_name, > const char *princ_name, >- struct PAC_LOGON_INFO *logon_info, > bool *is_mapped, > bool *mapped_to_guest, > char **ntuser, >diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c >index 074e8c7eb711..7b69ca6c222e 100644 >--- a/source3/auth/user_krb5.c >+++ b/source3/auth/user_krb5.c >@@ -31,7 +31,6 @@ > NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, > const char *cli_name, > const char *princ_name, >- struct PAC_LOGON_INFO *logon_info, > bool *is_mapped, > bool *mapped_to_guest, > char **ntuser, >@@ -40,8 +39,8 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, > struct passwd **_pw) > { > NTSTATUS status; >- char *domain = NULL; >- char *realm = NULL; >+ const char *domain = NULL; >+ const char *realm = NULL; > char *user = NULL; > char *p; > char *fuser = NULL; >@@ -62,55 +61,16 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, > return NT_STATUS_NO_MEMORY; > } > >- realm = talloc_strdup(talloc_tos(), p + 1); >- if (!realm) { >- return NT_STATUS_NO_MEMORY; >- } >+ realm = p + 1; > > if (!strequal(realm, lp_realm())) { > DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm)); > if (!lp_allow_trusted_domains()) { > return NT_STATUS_LOGON_FAILURE; > } >- } >- >- if (logon_info && logon_info->info3.base.logon_domain.string) { >- domain = talloc_strdup(mem_ctx, >- logon_info->info3.base.logon_domain.string); >- if (!domain) { >- return NT_STATUS_NO_MEMORY; >- } >- DEBUG(10, ("Domain is [%s] (using PAC)\n", domain)); >+ domain = realm; > } else { >- >- /* If we have winbind running, we can (and must) shorten the >- username by using the short netbios name. Otherwise we will >- have inconsistent user names. With Kerberos, we get the >- fully qualified realm, with ntlmssp we get the short >- name. And even w2k3 does use ntlmssp if you for example >- connect to an ip address. */ >- >- wbcErr wbc_status; >- struct wbcDomainInfo *info = NULL; >- >- DEBUG(10, ("Mapping [%s] to short name using winbindd\n", >- realm)); >- >- wbc_status = wbcDomainInfo(realm, &info); >- >- if (WBC_ERROR_IS_OK(wbc_status)) { >- domain = talloc_strdup(mem_ctx, >- info->short_name); >- wbcFreeMemory(info); >- } else { >- DEBUG(3, ("Could not find short name: %s\n", >- wbcErrorString(wbc_status))); >- domain = talloc_strdup(mem_ctx, realm); >- } >- if (!domain) { >- return NT_STATUS_NO_MEMORY; >- } >- DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); >+ domain = lp_workgroup(); > } > > fuser = talloc_asprintf(mem_ctx, >@@ -175,7 +135,11 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, > return NT_STATUS_NO_MEMORY; > } > *ntuser = user; >- *ntdomain = domain; >+ *ntdomain = talloc_strdup(mem_ctx, domain); >+ if (*ntdomain == NULL) { >+ return NT_STATUS_NO_MEMORY; >+ } >+ > *_pw = pw; > > return NT_STATUS_OK; >@@ -282,7 +246,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, > NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, > const char *cli_name, > const char *princ_name, >- struct PAC_LOGON_INFO *logon_info, > bool *is_mapped, > bool *mapped_to_guest, > char **ntuser, >-- >2.25.1 > > >From a61399690348b84874c6d55338588625833bfddf Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 8 Oct 2021 18:03:04 +0200 >Subject: [PATCH 32/34] make_session_info_krb5 no info3 no session key > >--- > source3/auth/auth_generic.c | 2 +- > source3/auth/proto.h | 2 -- > source3/auth/user_krb5.c | 20 +------------------- > 3 files changed, 2 insertions(+), 22 deletions(-) > >diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c >index d800c786ce1f..41c1a71bcdcf 100644 >--- a/source3/auth/auth_generic.c >+++ b/source3/auth/auth_generic.c >@@ -217,7 +217,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > > status = make_session_info_krb5(mem_ctx, > ntuser, ntdomain, username, pw, >- NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, >+ is_guest, is_mapped, > session_info); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", >diff --git a/source3/auth/proto.h b/source3/auth/proto.h >index 596cbd68a7f5..9bffce7a8088 100644 >--- a/source3/auth/proto.h >+++ b/source3/auth/proto.h >@@ -428,9 +428,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, > char *ntdomain, > char *username, > struct passwd *pw, >- const struct netr_SamInfo3 *info3, > bool mapped_to_guest, bool username_was_mapped, >- DATA_BLOB *session_key, > struct auth_session_info **session_info); > > /* The following definitions come from auth/auth_samba4.c */ >diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c >index 7b69ca6c222e..b8f37cbeee05 100644 >--- a/source3/auth/user_krb5.c >+++ b/source3/auth/user_krb5.c >@@ -150,9 +150,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, > char *ntdomain, > char *username, > struct passwd *pw, >- const struct netr_SamInfo3 *info3, > bool mapped_to_guest, bool username_was_mapped, >- DATA_BLOB *session_key, > struct auth_session_info **session_info) > { > NTSTATUS status; >@@ -166,20 +164,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, > return status; > } > >- } else if (info3) { >- /* pass the unmapped username here since map_username() >- will be called again in make_server_info_info3() */ >- >- status = make_server_info_info3(mem_ctx, >- ntuser, ntdomain, >- &server_info, >- info3); >- if (!NT_STATUS_IS_OK(status)) { >- DEBUG(1, ("make_server_info_info3 failed: %s!\n", >- nt_errstr(status))); >- return status; >- } >- > } else { > /* > * We didn't get a PAC, we have to make up the user >@@ -231,7 +215,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, > > server_info->nss_token |= username_was_mapped; > >- status = create_local_token(mem_ctx, server_info, session_key, ntuser, session_info); >+ status = create_local_token(mem_ctx, server_info, NULL, ntuser, session_info); > talloc_free(server_info); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(10,("failed to create local token: %s\n", >@@ -261,9 +245,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, > char *ntdomain, > char *username, > struct passwd *pw, >- const struct netr_SamInfo3 *info3, > bool mapped_to_guest, bool username_was_mapped, >- DATA_BLOB *session_key, > struct auth_session_info **session_info) > { > return NT_STATUS_NOT_IMPLEMENTED; >-- >2.25.1 > > >From 947df52883e8be15565b684754311a86edf75911 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 11 Oct 2021 23:17:19 +0200 >Subject: [PATCH 33/34] auth_generate_session_info_principal > NT_STATUS_NO_IMPERSONATION_TOKEN > >--- > source4/auth/auth.h | 8 ------- > source4/auth/ntlm/auth.c | 45 +----------------------------------- > source4/auth/ntlm/auth_sam.c | 12 ---------- > 3 files changed, 1 insertion(+), 64 deletions(-) > >diff --git a/source4/auth/auth.h b/source4/auth/auth.h >index 3f9fb1ae3cbc..6b7db99cbe2d 100644 >--- a/source4/auth/auth.h >+++ b/source4/auth/auth.h >@@ -69,14 +69,6 @@ struct auth_operations { > TALLOC_CTX *mem_ctx, > struct auth_user_info_dc **interim_info, > bool *authoritative); >- >- /* Lookup a 'session info interim' return based only on the principal or DN */ >- NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx, >- struct auth4_context *auth_context, >- const char *principal, >- struct ldb_dn *user_dn, >- struct auth_user_info_dc **interim_info); >- uint32_t flags; > }; > > struct auth_method_context { >diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c >index e54eb7719f57..25d5b5f5a76d 100644 >--- a/source4/auth/ntlm/auth.c >+++ b/source4/auth/ntlm/auth.c >@@ -86,48 +86,6 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t cha > return NT_STATUS_OK; > } > >-/**************************************************************************** >-Used in the gensec_gssapi and gensec_krb5 server-side code, where the >-PAC isn't available, and for tokenGroups in the DSDB stack. >- >- Supply either a principal or a DN >-****************************************************************************/ >-static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx, >- TALLOC_CTX *mem_ctx, >- const char *principal, >- struct ldb_dn *user_dn, >- uint32_t session_info_flags, >- struct auth_session_info **session_info) >-{ >- NTSTATUS nt_status; >- struct auth_method_context *method; >- struct auth_user_info_dc *user_info_dc; >- >- for (method = auth_ctx->methods; method; method = method->next) { >- if (!method->ops->get_user_info_dc_principal) { >- continue; >- } >- >- nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, &user_info_dc); >- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) { >- continue; >- } >- if (!NT_STATUS_IS_OK(nt_status)) { >- return nt_status; >- } >- >- nt_status = auth_generate_session_info_wrapper(auth_ctx, mem_ctx, >- user_info_dc, >- user_info_dc->info->account_name, >- session_info_flags, session_info); >- talloc_free(user_info_dc); >- >- return nt_status; >- } >- >- return NT_STATUS_NOT_IMPLEMENTED; >-} >- > /** > * Check a user's Plaintext, LM or NTLM password. > * (sync version) >@@ -622,8 +580,7 @@ static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx, > TALLOC_CTX *tmp_ctx; > > if (!pac_blob) { >- return auth_generate_session_info_principal(auth_ctx, mem_ctx, principal_name, >- NULL, session_info_flags, session_info); >+ return NT_STATUS_NO_IMPERSONATION_TOKEN; > } > > tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context"); >diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c >index a521bc94bc4a..dbbf97665db3 100644 >--- a/source4/auth/ntlm/auth_sam.c >+++ b/source4/auth/ntlm/auth_sam.c >@@ -938,22 +938,11 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, > return NT_STATUS_OK; > } > >-/* Wrapper for the auth subsystem pointer */ >-static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx, >- struct auth4_context *auth_context, >- const char *principal, >- struct ldb_dn *user_dn, >- struct auth_user_info_dc **user_info_dc) >-{ >- return authsam_get_user_info_dc_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx, >- principal, user_dn, user_info_dc); >-} > static const struct auth_operations sam_ignoredomain_ops = { > .name = "sam_ignoredomain", > .want_check = authsam_ignoredomain_want_check, > .check_password_send = authsam_check_password_send, > .check_password_recv = authsam_check_password_recv, >- .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper, > }; > > static const struct auth_operations sam_ops = { >@@ -961,7 +950,6 @@ static const struct auth_operations sam_ops = { > .want_check = authsam_want_check, > .check_password_send = authsam_check_password_send, > .check_password_recv = authsam_check_password_recv, >- .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper, > }; > > _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *); >-- >2.25.1 > > >From fd882960d1285becde6fadc8ef09acfdff0f6d4e Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 11 Oct 2021 23:18:41 +0200 >Subject: [PATCH 34/34] gensec:require_pac=yes NT_STATUS_NO_IMPERSONATION_TOKEN > >--- > auth/gensec/gensec_util.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c >index aa03472603c8..c67091fe96a7 100644 >--- a/auth/gensec/gensec_util.c >+++ b/auth/gensec/gensec_util.c >@@ -51,7 +51,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, > if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", true)) { > DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", > principal_string)); >- return NT_STATUS_ACCESS_DENIED; >+ return NT_STATUS_NO_IMPERSONATION_TOKEN; > } > DBG_NOTICE("Unable to find PAC for %s, resorting to local " > "user lookup\n", principal_string); >-- >2.25.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 14556
:
16845
|
16924
|
16926
|
16934
|
16952
|
16953
|
16954
|
16955
|
16956
|
16958
|
16959
|
16963
|
16969
|
16970
|
16978
|
17449