The Samba-Bugzilla – Attachment 17213 Details for
Bug 14865
uncached logon on RODC always fails once
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patches for v4-14-test
bfixes-tmp414.txt (text/plain), 7.54 KB, created by
Stefan Metzmacher
on 2022-03-15 09:32:43 UTC
(
hide
)
Description:
Patches for v4-14-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2022-03-15 09:32:43 UTC
Size:
7.54 KB
patch
obsolete
>From 566a26d84d04e9887b7e6a627f0af38994d26cd9 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 18 Feb 2022 17:17:02 +0100 >Subject: [PATCH 1/2] HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in > HDB_ERR_NOT_FOUND_HERE > >On an RODC we need to redirect failing preauthentication to an RWDC. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >(similar to commit heimdal commit df655cecd12712e7f7df5128b123eee0066a8216) >--- > source4/heimdal/kdc/kerberos5.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > >diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c >index c1d4cb1d4aa1..6fe42232cdc6 100644 >--- a/source4/heimdal/kdc/kerberos5.c >+++ b/source4/heimdal/kdc/kerberos5.c >@@ -1357,13 +1357,18 @@ _kdc_as_rep(krb5_context context, > > free_EncryptedData(&enc_data); > >- if (clientdb->hdb_auth_status) >- (clientdb->hdb_auth_status)(context, clientdb, client, >+ if (clientdb->hdb_auth_status) { >+ ret = (clientdb->hdb_auth_status)(context, clientdb, client, > from_addr, > &_kdc_now, > client_name, > str ? str : "unknown enctype", > HDB_AUTH_WRONG_PASSWORD); >+ if (ret == HDB_ERR_NOT_FOUND_HERE) { >+ kdc_log(context, config, 5, "client %s HDB_AUTH_WRONG_PASSWORD at this KDC, forward to proxy", client_name); >+ goto out; >+ } >+ } > > free(str); > >-- >2.25.1 > > >From 89ba1e90b94607d1ec96a9d47f58c767c291075a Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 18 Feb 2022 17:17:02 +0100 >Subject: [PATCH 2/2] s4:kdc: redirect pre-authentication failured to an RWDC > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >(similar to commit 0f5d7ff1a9fd14fd412b09883d413d1d660fa7be) >--- > selftest/knownfail | 1 - > source4/dsdb/tests/python/rodc_rwdc.py | 3 +- > source4/kdc/hdb-samba4.c | 79 +++++--------------------- > 3 files changed, 16 insertions(+), 67 deletions(-) > >diff --git a/selftest/knownfail b/selftest/knownfail >index 2701fe4c5b32..c4c050403d0d 100644 >--- a/selftest/knownfail >+++ b/selftest/knownfail >@@ -374,7 +374,6 @@ > ^samba.tests.auth_log_pass_change.samba.tests.auth_log_pass_change.AuthLogPassChangeTests.test_rap_change_password\(ad_dc_ntvfs\) > # We currently don't send referrals for LDAP modify of non-replicated attrs > ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* >-^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos > # NETLOGON is disabled in any non-DC environments > ^samba.tests.netlogonsvc.python\(ad_member\) > ^samba.tests.netlogonsvc.python\(simpleserver\) >diff --git a/source4/dsdb/tests/python/rodc_rwdc.py b/source4/dsdb/tests/python/rodc_rwdc.py >index 0340042e19d6..c4507869fd17 100644 >--- a/source4/dsdb/tests/python/rodc_rwdc.py >+++ b/source4/dsdb/tests/python/rodc_rwdc.py >@@ -1147,8 +1147,7 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase): > > creds2 = make_creds(username, password) > self.try_ldap_logon(RWDC, creds2) >- # We can forward WRONG_PASSWORD over NTLM. >- # This SHOULD succeed. >+ # The RODC forward WRONG_PASSWORD to the RWDC > self.try_ldap_logon(RODC, creds2) > > def test_change_password_reveal_on_demand_ntlm(self): >diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c >index f0939193ad78..0bd31ea19a63 100644 >--- a/source4/kdc/hdb-samba4.c >+++ b/source4/kdc/hdb-samba4.c >@@ -311,60 +311,6 @@ static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx, > irpc_handle, &req); > } > >-static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx, >- struct samba_kdc_db_context *kdc_db_ctx, >- struct auth_usersupplied_info *user_info) >-{ >- struct dcerpc_binding_handle *irpc_handle; >- struct winbind_SamLogon req; >- struct netr_IdentityInfo *identity_info; >- struct netr_NetworkInfo *network_info; >- >- irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx, >- "winbind_server", >- &ndr_table_winbind); >- if (irpc_handle == NULL) { >- DEBUG(0, ("Winbind forwarding for [%s]\\[%s] failed, " >- "no winbind_server running!\n", >- user_info->mapped.domain_name, user_info->mapped.account_name)); >- return; >- } >- >- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo); >- if (network_info == NULL) { >- DEBUG(0, ("Winbind forwarding failed: No memory\n")); >- return; >- } >- >- identity_info = &network_info->identity_info; >- req.in.logon_level = 2; >- req.in.logon.network = network_info; >- >- identity_info->domain_name.string = user_info->mapped.domain_name; >- identity_info->parameter_control = user_info->logon_parameters; /* TODO */ >- identity_info->logon_id = user_info->logon_id; >- identity_info->account_name.string = user_info->mapped.account_name; >- identity_info->workstation.string >- = talloc_asprintf(identity_info, "krb5-bad-pw on RODC from %s", >- tsocket_address_string(user_info->remote_host, >- identity_info)); >- if (identity_info->workstation.string == NULL) { >- DEBUG(0, ("Winbind forwarding failed: No memory allocating workstation string\n")); >- return; >- } >- >- req.in.validation_level = 3; >- >- /* >- * The memory in identity_info and user_info only needs to be >- * valid until the end of this function call, as it will be >- * pushed to NDR during this call >- */ >- >- dcerpc_winbind_SamLogon_r_send(mem_ctx, kdc_db_ctx->ev_ctx, >- irpc_handle, &req); >-} >- > static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, > hdb_entry_ex *entry, > struct sockaddr *from_addr, >@@ -396,8 +342,8 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, > .password_type = auth_type, > .logon_id = logon_id > }; >- > size_t sa_socklen = 0; >+ int final_ret = 0; > > switch (from_addr->sa_family) { > case AF_INET: >@@ -447,6 +393,7 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, > struct tsocket_address *remote_host; > NTSTATUS status; > int ret; >+ bool rwdc_fallback = false; > > ret = tsocket_address_bsd_from_sockaddr(frame, from_addr, > sa_socklen, >@@ -463,18 +410,20 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, > if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) { > authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn); > status = NT_STATUS_WRONG_PASSWORD; >- /* >- * TODO We currently send a bad password via NETLOGON, >- * however, it should probably forward the ticket to >- * another KDC to allow login after password changes. >- */ >- if (kdc_db_ctx->rodc) { >- send_bad_password_netlogon(frame, kdc_db_ctx, &ui); >- } >+ rwdc_fallback = kdc_db_ctx->rodc; > } else { > status = NT_STATUS_OK; > } > >+ if (rwdc_fallback) { >+ /* >+ * Forward the request to an RWDC in order >+ * to give an authoritative answer to the client. >+ */ >+ ui.password_type = "Forwarding to RWDC"; >+ final_ret = HDB_ERR_NOT_FOUND_HERE; >+ } >+ > log_authentication_event(kdc_db_ctx->msg_ctx, > kdc_db_ctx->lp_ctx, > start_time, >@@ -500,6 +449,8 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, > ui.remote_host = remote_host; > } > >+ /* Note this is not forwarded to an RWDC */ >+ > log_authentication_event(kdc_db_ctx->msg_ctx, > kdc_db_ctx->lp_ctx, > start_time, >@@ -511,7 +462,7 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, > break; > } > } >- return 0; >+ return final_ret; > } > > /* This interface is to be called by the KDC and libnet_keytab_dump, >-- >2.25.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
abartlet
:
review+
Actions:
View
Attachments on
bug 14865
:
17193
|
17196
|
17197
|
17212
|
17213
|
17225
|
17226