The Samba-Bugzilla – Attachment 18193 Details for
Bug 15469
'force user = localunixuser' doesn't work if 'allow trusted domains = no' is set
[patch]
patch for 4.19
v4-19-fix-force-user.patch (text/plain), 11.79 KB, created by
Andreas Schneider
on 2023-12-05 08:33:43 UTC
>From 322597e5e243264d56ede73e579b4bf767bca5be Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Mon, 4 Sep 2023 16:29:46 +0200
>Subject: [PATCH 1/3] selftest: Show that 'allow trusted domains = no'
> firewalls Unix User|Group
>
>UNEXPECTED(failure): samba3.blackbox.smbclient_auth.plain.local_creds.smbclient //LOCALSHARE4/forceuser_unixonly as user(simpleserver)
>REASON: Exception: Exception: tree connect failed: NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit ad0c0dd071401d98f0b7f595efbdf5312a165ab4)
>---
> selftest/knownfail.d/forceuser_trusteddomains | 2 ++
> selftest/target/Samba3.pm | 1 +
> 2 files changed, 3 insertions(+)
> create mode 100644 selftest/knownfail.d/forceuser_trusteddomains
>
>diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
>new file mode 100644
>index 00000000000..b515400cd90
>--- /dev/null
>+++ b/selftest/knownfail.d/forceuser_trusteddomains
>@@ -0,0 +1,2 @@
>+samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
>+samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
>diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
>index 39831afc599..85e69e4b72d 100755
>--- a/selftest/target/Samba3.pm
>+++ b/selftest/target/Samba3.pm
>@@ -1689,6 +1689,7 @@ sub setup_simpleserver
> vfs objects = xattr_tdb streams_depot
> change notify = no
> server smb encrypt = off
>+ allow trusted domains = no
>
> [vfs_aio_pthread]
> path = $prefix_abs/share
>--
>2.43.0
>
>
>From 13775d470f26b8f85d7c7b539276237dc94d54c9 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Fri, 8 Sep 2023 12:50:32 +0200
>Subject: [PATCH 2/3] s3:auth: Remove trailing white spaces from auth_util.c
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit 8f496161463f110e494201303b96dd14ab3774cd)
>---
> source3/auth/auth_util.c | 64 ++++++++++++++++++++--------------------
> 1 file changed, 32 insertions(+), 32 deletions(-)
>
>diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
>index 293523f4272..e5863d2272b 100644
>--- a/source3/auth/auth_util.c
>+++ b/source3/auth/auth_util.c
>@@ -144,14 +144,14 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
> }
>
> /****************************************************************************
>- Create an auth_usersupplied_data, making the DATA_BLOBs here.
>+ Create an auth_usersupplied_data, making the DATA_BLOBs here.
> Decrypt and encrypt the passwords.
> ****************************************************************************/
>
> bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
> struct auth_usersupplied_info **user_info,
>- const char *smb_name,
>- const char *client_domain,
>+ const char *smb_name,
>+ const char *client_domain,
> const char *workstation_name,
> const struct tsocket_address *remote_address,
> const struct tsocket_address *local_address,
>@@ -167,12 +167,12 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
> DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
>
> status = make_user_info_map(mem_ctx, user_info,
>- smb_name, client_domain,
>+ smb_name, client_domain,
> workstation_name,
> remote_address,
> local_address,
> "SamLogon",
>- lm_pwd_len ? &lm_blob : NULL,
>+ lm_pwd_len ? &lm_blob : NULL,
> nt_pwd_len ? &nt_blob : NULL,
> NULL, NULL, NULL,
> AUTH_PASSWORD_RESPONSE);
>@@ -188,20 +188,20 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
> }
>
> /****************************************************************************
>- Create an auth_usersupplied_data, making the DATA_BLOBs here.
>+ Create an auth_usersupplied_data, making the DATA_BLOBs here.
> Decrypt and encrypt the passwords.
> ****************************************************************************/
>
> bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
> struct auth_usersupplied_info **user_info,
>- const char *smb_name,
>- const char *client_domain,
>+ const char *smb_name,
>+ const char *client_domain,
> const char *workstation_name,
> const struct tsocket_address *remote_address,
> const struct tsocket_address *local_address,
> uint32_t logon_parameters,
>- const uchar chal[8],
>- const uchar lm_interactive_pwd[16],
>+ const uchar chal[8],
>+ const uchar lm_interactive_pwd[16],
> const uchar nt_interactive_pwd[16])
> {
> struct samr_Password lm_pwd;
>@@ -250,7 +250,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
>
> nt_status = make_user_info_map(
> mem_ctx,
>- user_info,
>+ user_info,
> smb_name, client_domain, workstation_name,
> remote_address,
> local_address,
>@@ -280,7 +280,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
>
> bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
> struct auth_usersupplied_info **user_info,
>- const char *smb_name,
>+ const char *smb_name,
> const char *client_domain,
> const struct tsocket_address *remote_address,
> const struct tsocket_address *local_address,
>@@ -315,10 +315,10 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
>
> /* We can't do an NT hash here, as the password needs to be
> case insensitive */
>- local_nt_blob = data_blob_null;
>+ local_nt_blob = data_blob_null;
> } else {
>- local_lm_blob = data_blob_null;
>- local_nt_blob = data_blob_null;
>+ local_lm_blob = data_blob_null;
>+ local_nt_blob = data_blob_null;
> }
>
> plaintext_password_string = talloc_strndup(talloc_tos(),
>@@ -329,7 +329,7 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
> }
>
> ret = make_user_info(mem_ctx,
>- user_info, smb_name, smb_name, client_domain, client_domain,
>+ user_info, smb_name, smb_name, client_domain, client_domain,
> get_remote_machine_name(),
> remote_address,
> local_address,
>@@ -403,14 +403,14 @@ bool make_user_info_guest(TALLOC_CTX *mem_ctx,
>
> nt_status = make_user_info(mem_ctx,
> user_info,
>- "","",
>- "","",
>- "",
>+ "","",
>+ "","",
>+ "",
> remote_address,
> local_address,
> service_description,
>- NULL, NULL,
>- NULL, NULL,
>+ NULL, NULL,
>+ NULL, NULL,
> NULL,
> AUTH_PASSWORD_RESPONSE);
>
>@@ -1258,7 +1258,7 @@ done:
> }
>
> session_info->unique_session_token = GUID_random();
>-
>+
> *session_info_out = talloc_move(mem_ctx, &session_info);
> TALLOC_FREE(frame);
> return NT_STATUS_OK;
>@@ -1954,9 +1954,9 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
> *pwd = passwd;
>
> /* This is pointless -- there is no support for differing
>- unix and windows names. Make sure to always store the
>+ unix and windows names. Make sure to always store the
> one we actually looked up and succeeded. Have I mentioned
>- why I hate the 'winbind use default domain' parameter?
>+ why I hate the 'winbind use default domain' parameter?
> --jerry */
>
> *found_username = talloc_strdup( mem_ctx, real_username );
>@@ -1965,8 +1965,8 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
> }
>
> /****************************************************************************
>- Wrapper to allow the getpwnam() call to strip the domain name and
>- try again in case a local UNIX user is already there. Also run through
>+ Wrapper to allow the getpwnam() call to strip the domain name and
>+ try again in case a local UNIX user is already there. Also run through
> the username if we fallback to the username only.
> ****************************************************************************/
>
>@@ -1977,11 +1977,11 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
> char *p = NULL;
> const char *username = NULL;
>
>- /* we only save a copy of the username it has been mangled
>+ /* we only save a copy of the username it has been mangled
> by winbindd use default domain */
> *p_save_username = NULL;
>
>- /* don't call map_username() here since it has to be done higher
>+ /* don't call map_username() here since it has to be done higher
> up the stack so we don't call it multiple times */
>
> username = talloc_strdup(mem_ctx, domuser);
>@@ -2068,10 +2068,10 @@ username_only:
> }
>
> /***************************************************************************
>- Make a server_info struct from the info3 returned by a domain logon
>+ Make a server_info struct from the info3 returned by a domain logon
> ***************************************************************************/
>
>-NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
>+NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
> const char *sent_nt_username,
> const char *domain,
> struct auth_serversupplied_info **server_info,
>@@ -2089,9 +2089,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
> struct dom_sid sid;
> TALLOC_CTX *tmp_ctx = talloc_stackframe();
>
>- /*
>+ /*
> Here is where we should check the list of
>- trusted domains, and verify that the SID
>+ trusted domains, and verify that the SID
> matches.
> */
>
>--
>2.43.0
>
>
>From a83c51913963bbabd5c4fdd00ba2fc69df2b6ca6 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Thu, 30 Nov 2023 10:54:07 +0100
>Subject: [PATCH 3/3] s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a
> local token
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Ralph Boehme <slow@samba.org>
>(cherry picked from commit 00034d022896f879bf91bb78eb9e2972162c99ce)
>---
> selftest/knownfail.d/forceuser_trusteddomains | 2 --
> source3/auth/auth_util.c | 17 ++++++++++++++++-
> 2 files changed, 16 insertions(+), 3 deletions(-)
> delete mode 100644 selftest/knownfail.d/forceuser_trusteddomains
>
>diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
>deleted file mode 100644
>index b515400cd90..00000000000
>--- a/selftest/knownfail.d/forceuser_trusteddomains
>+++ /dev/null
>@@ -1,2 +0,0 @@
>-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
>-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
>diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
>index e5863d2272b..2a35fea5061 100644
>--- a/source3/auth/auth_util.c
>+++ b/source3/auth/auth_util.c
>@@ -21,6 +21,7 @@
> along with this program. If not, see <http://www.gnu.org/licenses/>.
> */
>
>+#include "dom_sid.h"
> #include "includes.h"
> #include "auth.h"
> #include "lib/util_unixsids.h"
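Review bot: The new `#include "dom_sid.h"` is placed above `#include "includes.h"` in the include hunk of source3/auth/auth_util.c, while the rest of the file (and, as far as I know, the source3 convention) keeps includes.h as the very first include because it pulls in replace.h and the configure-generated definitions that other headers rely on. If dom_sid.h is genuinely needed here, it would be safer to add it after includes.h, e.g. `#include "includes.h"` followed by `#include "auth.h"`, `#include "lib/util_unixsids.h"` and then `#include "libcli/security/dom_sid.h"` with the full path the rest of Samba uses. It is also worth checking whether auth.h or util_unixsids.h already brings in the dom_sid declarations, in which case the new include is redundant.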
>@@ -478,6 +479,7 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
> struct dom_sid tmp_sid;
> struct auth_session_info *session_info = NULL;
> struct unixid *ids;
>+ bool is_allowed = false;
>
> /* Ensure we can't possible take a code path leading to a
> * null deref. */
>@@ -485,7 +487,20 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
> return NT_STATUS_LOGON_FAILURE;
> }
>
>- if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) {
>+ if (is_allowed_domain(server_info->info3->base.logon_domain.string)) {
>+ is_allowed = true;
>+ }
>+
>+ /* Check if we have extra info about the user. */
>+ if (dom_sid_in_domain(&global_sid_Unix_Users,
>+ &server_info->extra.user_sid) ||
>+ dom_sid_in_domain(&global_sid_Unix_Groups,
>+ &server_info->extra.pgid_sid))
>+ {
>+ is_allowed = true;
>+ }
>+
>+ if (!is_allowed) {
> DBG_NOTICE("Authentication failed for user [%s] "
> "from firewalled domain [%s]\n",
> server_info->info3->base.account_name.string,
>--
>2.43.0
>
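Review bot: The new bypass in create_local_token lets a logon from a domain that `allow trusted domains = no` would otherwise firewall through as soon as only `extra.pgid_sid` lies under S-1-22-2 (Unix Groups), independent of what `extra.user_sid` is, and neither the hunk nor the commit message says why a primary-group mapping alone is a sufficient reason to skip the check. If the intent is to cover accounts that have already been resolved to a local Unix account (the bug is about `force user`), the comment `/* Check if we have extra info about the user. */` should say so, e.g. `/* A SID under S-1-22-1/S-1-22-2 means the account was already mapped to a local Unix user/group (e.g. 'force user'), so the trusted-domain firewall does not apply. */`; if the group half is only there for the forceuser_wkngroup test, that dependency should be stated too. A `DBG_DEBUG` in the Unix Users/Groups branch recording which SID lifted the firewall would make the decision auditable, since the only log line today is the failure notice. The body of create_local_token continues outside the hunk.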
Flags:
slow
:
review+