From 322597e5e243264d56ede73e579b4bf767bca5be Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 4 Sep 2023 16:29:46 +0200 Subject: [PATCH 1/3] selftest: Show that 'allow trusted domains = no' firewalls Unix User|Group UNEXPECTED(failure): samba3.blackbox.smbclient_auth.plain.local_creds.smbclient //LOCALSHARE4/forceuser_unixonly as user(simpleserver) REASON: Exception: Exception: tree connect failed: NT_STATUS_AUTHENTICATION_FIREWALL_FAILED BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469 Signed-off-by: Andreas Schneider Reviewed-by: Ralph Boehme (cherry picked from commit ad0c0dd071401d98f0b7f595efbdf5312a165ab4) --- selftest/knownfail.d/forceuser_trusteddomains | 2 ++ selftest/target/Samba3.pm | 1 + 2 files changed, 3 insertions(+) create mode 100644 selftest/knownfail.d/forceuser_trusteddomains diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains new file mode 100644 index 00000000000..b515400cd90 --- /dev/null +++ b/selftest/knownfail.d/forceuser_trusteddomains @@ -0,0 +1,2 @@ +samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver +samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 39831afc599..85e69e4b72d 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1689,6 +1689,7 @@ sub setup_simpleserver vfs objects = xattr_tdb streams_depot change notify = no server smb encrypt = off + allow trusted domains = no [vfs_aio_pthread] path = $prefix_abs/share -- 2.43.0 From 13775d470f26b8f85d7c7b539276237dc94d54c9 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 8 Sep 2023 12:50:32 +0200 Subject: [PATCH 2/3] s3:auth: Remove trailing white spaces from auth_util.c 
Signed-off-by: Andreas Schneider Reviewed-by: Ralph Boehme (cherry picked from commit 8f496161463f110e494201303b96dd14ab3774cd) --- source3/auth/auth_util.c | 64 ++++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 293523f4272..e5863d2272b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -144,14 +144,14 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx, } /**************************************************************************** - Create an auth_usersupplied_data, making the DATA_BLOBs here. + Create an auth_usersupplied_data, making the DATA_BLOBs here. Decrypt and encrypt the passwords. ****************************************************************************/ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx, struct auth_usersupplied_info **user_info, - const char *smb_name, - const char *client_domain, + const char *smb_name, + const char *client_domain, const char *workstation_name, const struct tsocket_address *remote_address, const struct tsocket_address *local_address, @@ -167,12 +167,12 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx, DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); status = make_user_info_map(mem_ctx, user_info, - smb_name, client_domain, + smb_name, client_domain, workstation_name, remote_address, local_address, "SamLogon", - lm_pwd_len ? &lm_blob : NULL, + lm_pwd_len ? &lm_blob : NULL, nt_pwd_len ? &nt_blob : NULL, NULL, NULL, NULL, AUTH_PASSWORD_RESPONSE); 
@@ -188,20 +188,20 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx, } /**************************************************************************** - Create an auth_usersupplied_data, making the DATA_BLOBs here. + Create an auth_usersupplied_data, making the DATA_BLOBs here. Decrypt and encrypt the passwords. ****************************************************************************/ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx, struct auth_usersupplied_info **user_info, - const char *smb_name, - const char *client_domain, + const char *smb_name, + const char *client_domain, const char *workstation_name, const struct tsocket_address *remote_address, const struct tsocket_address *local_address, uint32_t logon_parameters, - const uchar chal[8], - const uchar lm_interactive_pwd[16], + const uchar chal[8], + const uchar lm_interactive_pwd[16], const uchar nt_interactive_pwd[16]) { struct samr_Password lm_pwd; @@ -250,7 +250,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx, nt_status = make_user_info_map( mem_ctx, - user_info, + user_info, smb_name, client_domain, workstation_name, remote_address, local_address, @@ -280,7 +280,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx, bool make_user_info_for_reply(TALLOC_CTX *mem_ctx, struct auth_usersupplied_info **user_info, - const char *smb_name, + const char *smb_name, const char *client_domain, const struct tsocket_address *remote_address, const struct tsocket_address *local_address, @@ -315,10 +315,10 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx, /* We can't do an NT hash here, as the password needs to be case insensitive */ - local_nt_blob = data_blob_null; + local_nt_blob = data_blob_null; } else { - local_lm_blob = data_blob_null; - local_nt_blob = data_blob_null; + local_lm_blob = data_blob_null; + local_nt_blob = data_blob_null; } plaintext_password_string = talloc_strndup(talloc_tos(), 
@@ -329,7 +329,7 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx, } ret = make_user_info(mem_ctx, - user_info, smb_name, smb_name, client_domain, client_domain, + user_info, smb_name, smb_name, client_domain, client_domain, get_remote_machine_name(), remote_address, local_address, @@ -403,14 +403,14 @@ bool make_user_info_guest(TALLOC_CTX *mem_ctx, nt_status = make_user_info(mem_ctx, user_info, - "","", - "","", - "", + "","", + "","", + "", remote_address, local_address, service_description, - NULL, NULL, - NULL, NULL, + NULL, NULL, + NULL, NULL, NULL, AUTH_PASSWORD_RESPONSE); @@ -1258,7 +1258,7 @@ done: } session_info->unique_session_token = GUID_random(); - + *session_info_out = talloc_move(mem_ctx, &session_info); TALLOC_FREE(frame); return NT_STATUS_OK; @@ -1954,9 +1954,9 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, *pwd = passwd; /* This is pointless -- there is no support for differing - unix and windows names. Make sure to always store the + unix and windows names. Make sure to always store the one we actually looked up and succeeded. Have I mentioned - why I hate the 'winbind use default domain' parameter? + why I hate the 'winbind use default domain' parameter? --jerry */ *found_username = talloc_strdup( mem_ctx, real_username ); @@ -1965,8 +1965,8 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, } /**************************************************************************** - Wrapper to allow the getpwnam() call to strip the domain name and - try again in case a local UNIX user is already there. Also run through + Wrapper to allow the getpwnam() call to strip the domain name and + try again in case a local UNIX user is already there. Also run through the username if we fallback to the username only. ****************************************************************************/ 
@@ -1977,11 +1977,11 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser, char *p = NULL; const char *username = NULL; - /* we only save a copy of the username it has been mangled + /* we only save a copy of the username it has been mangled by winbindd use default domain */ *p_save_username = NULL; - /* don't call map_username() here since it has to be done higher + /* don't call map_username() here since it has to be done higher up the stack so we don't call it multiple times */ username = talloc_strdup(mem_ctx, domuser); @@ -2068,10 +2068,10 @@ username_only: } /*************************************************************************** - Make a server_info struct from the info3 returned by a domain logon + Make a server_info struct from the info3 returned by a domain logon ***************************************************************************/ -NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, +NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, const char *sent_nt_username, const char *domain, struct auth_serversupplied_info **server_info, @@ -2089,9 +2089,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, struct dom_sid sid; TALLOC_CTX *tmp_ctx = talloc_stackframe(); - /* + /* Here is where we should check the list of - trusted domains, and verify that the SID + trusted domains, and verify that the SID matches. */ -- 2.43.0 From a83c51913963bbabd5c4fdd00ba2fc69df2b6ca6 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 30 Nov 2023 10:54:07 +0100 Subject: [PATCH 3/3] s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a local token BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469 
Signed-off-by: Andreas Schneider Reviewed-by: Ralph Boehme (cherry picked from commit 00034d022896f879bf91bb78eb9e2972162c99ce) --- selftest/knownfail.d/forceuser_trusteddomains | 2 -- source3/auth/auth_util.c | 17 ++++++++++++++++- 2 files changed, 16 insertions(+), 3 deletions(-) delete mode 100644 selftest/knownfail.d/forceuser_trusteddomains diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains deleted file mode 100644 index b515400cd90..00000000000 --- a/selftest/knownfail.d/forceuser_trusteddomains +++ /dev/null @@ -1,2 +0,0 @@ -samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver -samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e5863d2272b..2a35fea5061 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -21,6 +21,7 @@ along with this program. If not, see . */ +#include "dom_sid.h" #include "includes.h" #include "auth.h" #include "lib/util_unixsids.h" @@ -478,6 +479,7 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, struct dom_sid tmp_sid; struct auth_session_info *session_info = NULL; struct unixid *ids; + bool is_allowed = false; /* Ensure we can't possible take a code path leading to a * null deref. */ 
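Review bot: The new `#include "dom_sid.h"` in the hunk at `@@ -21,6 +21,7 @@` is placed ahead of `#include "includes.h"`, while every other header visible in the hunk follows it; in Samba sources `includes.h` is normally the first include so that the configuration macros are in effect before any other header is parsed, so this ordering looks like it should be swapped and the new include grouped with the other local headers, e.g. after `#include "lib/util_unixsids.h"`. Whether `dom_sid.h` is needed at all for `dom_sid_in_domain()` and `global_sid_Unix_Users` cannot be confirmed from the hunk, since the header set that `includes.h` already pulls in is not visible here.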
@@ -485,7 +487,20 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return NT_STATUS_LOGON_FAILURE; } - if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) { + if (is_allowed_domain(server_info->info3->base.logon_domain.string)) { + is_allowed = true; + } + + /* Check if we have extra info about the user. */ + if (dom_sid_in_domain(&global_sid_Unix_Users, + &server_info->extra.user_sid) || + dom_sid_in_domain(&global_sid_Unix_Groups, + &server_info->extra.pgid_sid)) + { + is_allowed = true; + } + + if (!is_allowed) { DBG_NOTICE("Authentication failed for user [%s] " "from firewalled domain [%s]\n", server_info->info3->base.account_name.string, -- 2.43.0
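Review bot: In the added condition `if (dom_sid_in_domain(&global_sid_Unix_Users, &server_info->extra.user_sid) || dom_sid_in_domain(&global_sid_Unix_Groups, &server_info->extra.pgid_sid))` either branch alone sets `is_allowed`, so a logon whose account SID belongs to a firewalled domain is still admitted whenever only its primary group resolves to a local Unix Groups SID. Whether `extra.pgid_sid` can take that value for a trusted-domain user depends on how `server_info->extra` was populated, which is outside this hunk; if it can, the group branch reopens the `allow trusted domains = no` firewall for those users, and the condition should be tightened so that the `Unix Users` test on `extra.user_sid` is the one that decides, or both must hold. The comment `/* Check if we have extra info about the user. */` says what the branch reads but not why the firewall is skipped; `/* Accounts that exist only as a local Unix user/group carry no trusted-domain SID to firewall, so let them through. */` would document the intent. Logging the bypass when it is taken, at the same DBG_NOTICE level as the refusal below, would keep firewall decisions auditable. `create_local_token()` continues outside the hunk.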