From 228ef2a4e26ada151104e7225e7e32176f1a84d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Thu, 30 Aug 2018 16:33:25 +0200 Subject: [PATCH 01/13] auth: move copy_session_info() from source3 into the global auth context MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Björn Baumbach Reviewed-by: Volker Lendecke --- auth/auth_util.c | 68 +++++++++++++++++++++++++++++++++++++++ auth/auth_util.h | 23 +++++++++++++ auth/wscript_build | 16 +++++++-- source3/auth/auth_util.c | 39 +--------------------- source3/auth/proto.h | 2 -- source3/auth/wscript_build | 2 +- source3/rpc_server/rpc_ncacn_np.c | 1 + source3/smbd/msdfs.c | 1 + source3/smbd/service.c | 1 + source3/smbd/uid.c | 1 + 10 files changed, 111 insertions(+), 43 deletions(-) create mode 100644 auth/auth_util.c create mode 100644 auth/auth_util.h diff --git a/auth/auth_util.c b/auth/auth_util.c new file mode 100644 index 00000000000..f3586f1fc1e --- /dev/null +++ b/auth/auth_util.c 
@@ -0,0 +1,68 @@ +/* + Unix SMB/CIFS implementation. + Authentication utility functions + + Copyright (C) Andrew Bartlett 2017 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "includes.h" +#include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/ndr_auth.h" +#include "auth_util.h" + +struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx, + const struct auth_session_info *src) +{ + struct auth_session_info *dst; + DATA_BLOB blob; + enum ndr_err_code ndr_err; + + ndr_err = ndr_push_struct_blob( + &blob, + talloc_tos(), + src, + (ndr_push_flags_fn_t)ndr_push_auth_session_info); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DBG_ERR("copy_session_info(): ndr_push_auth_session_info " + "failed: %s\n", + ndr_errstr(ndr_err)); + return NULL; + } + + dst = talloc(mem_ctx, struct auth_session_info); + if (dst == NULL) { + DBG_ERR("talloc failed\n"); + TALLOC_FREE(blob.data); + return NULL; + } + + ndr_err = ndr_pull_struct_blob( + &blob, + dst, + dst, + (ndr_pull_flags_fn_t)ndr_pull_auth_session_info); + TALLOC_FREE(blob.data); + + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DBG_ERR("copy_session_info(): ndr_pull_auth_session_info " + "failed: %s\n", + ndr_errstr(ndr_err)); + TALLOC_FREE(dst); + return NULL; + } + + return dst; +} diff --git a/auth/auth_util.h b/auth/auth_util.h new file mode 100644 index 00000000000..1037cb8361f --- /dev/null +++ b/auth/auth_util.h 
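Review bot: The intermediate NDR blob that copy_session_info() pushes onto `talloc_tos()` holds a serialised copy of everything in `src` — including the session key, if ndr_push_auth_session_info marshals that field as its IDL name suggests — and it is released with a plain `TALLOC_FREE(blob.data)` on both the success path and the pull-failure path, so the key material stays in freed heap until reuse. Since this is now a tree-wide helper rather than a source3-private one, scrub the copy before releasing it, e.g. replace the `TALLOC_FREE(blob.data);` after the pull with `data_blob_clear_free(&blob);` (the helper exists in lib/util in recent trees; verify it is reachable from auth/). The function also deserves a header comment now that it is exported: state that it is a deep copy via an NDR round-trip, that `dst` is allocated on `mem_ctx`, that it returns NULL on allocation or marshalling failure, and that any IDL fields marked `[ignore]` are not carried across (hedged; confirm against auth.idl).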
@@ -0,0 +1,23 @@ +/* + Unix SMB/CIFS implementation. + Authentication utility functions + + Copyright (C) Andrew Bartlett 2017 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +struct auth_session_info *copy_session_info( + TALLOC_CTX *mem_ctx, + const struct auth_session_info *src); diff --git a/auth/wscript_build b/auth/wscript_build index e2e3d213f48..a8b0e6cf3eb 100644 --- a/auth/wscript_build +++ b/auth/wscript_build @@ -1,8 +1,20 @@ #!/usr/bin/env python bld.SAMBA_LIBRARY('common_auth', - source='auth_sam_reply.c wbc_auth_util.c auth_log.c', - deps='talloc samba-security samba-util util_str_escape LIBTSOCKET audit_logging jansson MESSAGING_SEND server_id_db ', + source='''auth_sam_reply.c + wbc_auth_util.c + auth_log.c + auth_util.c''', + deps='''talloc + samba-security + samba-util + util_str_escape + LIBTSOCKET + audit_logging + jansson + MESSAGING_SEND + server_id_db + ndr-samba''', private_library=True) bld.RECURSE('gensec') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 24d1e37e9cb..7b0d69f1f21 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -38,6 +38,7 @@ #include "../lib/tsocket/tsocket.h" #include "rpc_client/util_netlogon.h" #include "source4/auth/auth.h" +#include "auth/auth_util.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH 
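Review bot: The new public header auth/auth_util.h has no include guard and declares copy_session_info() in terms of `TALLOC_CTX` and `struct auth_session_info` without declaring either, so it only compiles when the including file has already pulled in includes.h and the auth NDR headers — which the source3 call sites in this series happen to do. Wrap the declaration in `#ifndef _AUTH_AUTH_UTIL_H_` / `#define _AUTH_AUTH_UTIL_H_` … `#endif` and add `struct auth_session_info;` above the prototype (talloc.h for `TALLOC_CTX` if the tree's convention is to include it here). A short doc comment on the prototype describing ownership (result allocated on `mem_ctx`, NULL on failure) belongs here as well, since this is where callers will look.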
@@ -1674,44 +1675,6 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO return dst; } -struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx, - const struct auth_session_info *src) -{ - struct auth_session_info *dst; - DATA_BLOB blob; - enum ndr_err_code ndr_err; - - ndr_err = ndr_push_struct_blob( - &blob, talloc_tos(), src, - (ndr_push_flags_fn_t)ndr_push_auth_session_info); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - DEBUG(0, ("copy_session_info(): ndr_push_auth_session_info failed: " - "%s\n", ndr_errstr(ndr_err))); - return NULL; - } - - dst = talloc(mem_ctx, struct auth_session_info); - if (dst == NULL) { - DEBUG(0, ("talloc failed\n")); - TALLOC_FREE(blob.data); - return NULL; - } - - ndr_err = ndr_pull_struct_blob( - &blob, dst, dst, - (ndr_pull_flags_fn_t)ndr_pull_auth_session_info); - TALLOC_FREE(blob.data); - - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - DEBUG(0, ("copy_session_info(): ndr_pull_auth_session_info failed: " - "%s\n", ndr_errstr(ndr_err))); - TALLOC_FREE(dst); - return NULL; - } - - return dst; -} - /* * Set a new session key. Used in the rpc server where we have to override the * SMB level session key with SystemLibraryDTC diff --git a/source3/auth/proto.h b/source3/auth/proto.h index e4a6830eecb..75cf1e6724f 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -270,8 +270,6 @@ NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx, const char *username, bool is_guest, struct auth_session_info **session_info); -struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx, - const struct auth_session_info *src); bool init_guest_session_info(TALLOC_CTX *mem_ctx); NTSTATUS init_system_session_info(TALLOC_CTX *mem_ctx); bool session_info_set_session_key(struct auth_session_info *info, diff --git a/source3/auth/wscript_build b/source3/auth/wscript_build index 8fd7dcded86..d27c231caa7 100644 --- a/source3/auth/wscript_build +++ b/source3/auth/wscript_build 
@@ -14,7 +14,7 @@ bld.SAMBA3_SUBSYSTEM('AUTH_COMMON', server_info.c server_info_sam.c user_info.c''', - deps='TOKEN_UTIL DCUTIL USER_UTIL') + deps='TOKEN_UTIL DCUTIL USER_UTIL common_auth') bld.SAMBA3_LIBRARY('auth', source='''auth.c diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c index 511d54e895a..5ee98a10d70 100644 --- a/source3/rpc_server/rpc_ncacn_np.c +++ b/source3/rpc_server/rpc_ncacn_np.c @@ -30,6 +30,7 @@ #include "librpc/gen_ndr/netlogon.h" #include "librpc/gen_ndr/auth.h" #include "../auth/auth_sam_reply.h" +#include "../auth/auth_util.h" #include "auth.h" #include "rpc_server/rpc_pipes.h" #include "../lib/tsocket/tsocket.h" diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c index d3f572e22a1..880a02b0320 100644 --- a/source3/smbd/msdfs.c +++ b/source3/smbd/msdfs.c @@ -28,6 +28,7 @@ #include "smbd/globals.h" #include "msdfs.h" #include "auth.h" +#include "../auth/auth_util.h" #include "lib/param/loadparm.h" #include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_dfsblobs.h" diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 2e4a1136254..a19b9734246 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -28,6 +28,7 @@ #include "printing/pcap.h" #include "passdb/lookup_sid.h" #include "auth.h" +#include "../auth/auth_util.h" #include "lib/param/loadparm.h" #include "messages.h" #include "lib/afs/afs_funcs.h" diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index 41bb66e2df1..77e5f8c83b7 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -26,6 +26,7 @@ #include "libcli/security/security.h" #include "passdb/lookup_sid.h" #include "auth.h" +#include "../auth/auth_util.h" #include "lib/util/time_basic.h" #include "lib/pthreadpool/pthreadpool_tevent.h" -- 2.16.4 From a014c92562deb73b566f7f49129390bb14de021c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Tue, 4 Sep 2018 14:37:41 +0200 Subject: [PATCH 02/13] python: Add samba.auth.copy_session_info() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Björn Baumbach Reviewed-by: Volker Lendecke --- source4/auth/pyauth.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/source4/auth/pyauth.c b/source4/auth/pyauth.c index ada89ef0c8f..64f8ea67930 100644 --- a/source4/auth/pyauth.c +++ b/source4/auth/pyauth.c @@ -26,6 +26,7 @@ #include "pyldb.h" #include "auth/system_session_proto.h" #include "auth/auth.h" +#include "auth/auth_util.h" #include "param/pyparam.h" #include "libcli/security/security.h" #include "auth/credentials/pycredentials.h" 
@@ -40,6 +41,60 @@ static PyObject *PyAuthSession_FromSession(struct auth_session_info *session) return py_return_ndr_struct("samba.dcerpc.auth", "session_info", session, session); } +static PyObject *py_copy_session_info(PyObject *module, + PyObject *args, + PyObject *kwargs) +{ + PyObject *py_session = Py_None; + PyObject *result = Py_None; + struct auth_session_info *session = NULL; + struct auth_session_info *session_duplicate = NULL; + TALLOC_CTX *frame; + int ret = 1; + + const char * const kwnames[] = { "session_info", NULL }; + + ret = PyArg_ParseTupleAndKeywords(args, + kwargs, + "O", + discard_const_p(char *, kwnames), + &py_session); + if (!ret) { + return NULL; + } + + ret = py_check_dcerpc_type(py_session, + "samba.dcerpc.auth", + "session_info"); + if (!ret) { + return NULL; + } + session = pytalloc_get_type(py_session, + struct auth_session_info); + if (!session) { + PyErr_Format(PyExc_TypeError, + "Expected auth_session_info for session_info " + "argument got %s", + talloc_get_name(pytalloc_get_ptr(py_session))); + return NULL; + } + + frame = talloc_stackframe(); + if (frame == NULL) { + return PyErr_NoMemory(); + } + + session_duplicate = copy_session_info(frame, session); + if (session_duplicate == NULL) { + TALLOC_FREE(frame); + return PyErr_NoMemory(); + } + + result = PyAuthSession_FromSession(session_duplicate); + TALLOC_FREE(frame); + return result; +} + static PyObject *py_system_session(PyObject *module, PyObject *args) { PyObject *py_lp_ctx = Py_None; @@ -365,6 +420,10 @@ static PyMethodDef py_auth_methods[] = { (PyCFunction)py_session_info_fill_unix, METH_VARARGS|METH_KEYWORDS, NULL }, + { "copy_session_info", + (PyCFunction)py_copy_session_info, + METH_VARARGS|METH_KEYWORDS, + NULL }, { NULL }, }; -- 2.16.4 From 14ed364c68d3c5f7ad6c90d1e27e0659db5f4839 Mon Sep 17 00:00:00 2001 
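Review bot: py_copy_session_info() raises MemoryError whenever copy_session_info() returns NULL, but that helper (added earlier in this series) also returns NULL when the NDR push or pull fails, so a corrupt or unexpected session_info surfaces to Python as an out-of-memory condition and the real cause is only in the debug log. Change the failure branch to `TALLOC_FREE(frame); PyErr_SetString(PyExc_RuntimeError, "copy_session_info() failed"); return NULL;` and keep `PyErr_NoMemory()` for the talloc_stackframe() failure only. The `result = Py_None` initialiser is never read before it is overwritten and can go. A docstring in the PyMethodDef entry (currently `NULL`) such as "copy_session_info(session_info) -> session_info — deep copy of an auth session_info" would help, since this module's other entries are also undocumented.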
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Tue, 4 Sep 2018 14:43:33 +0200 Subject: [PATCH 03/13] s4-auth: fix a typo in a comment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Björn Baumbach Reviewed-by: Volker Lendecke --- source4/auth/system_session.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c index 1d238ee9c98..03c26a80217 100644 --- a/source4/auth/system_session.c +++ b/source4/auth/system_session.c @@ -41,7 +41,7 @@ static int system_session_destructor(struct auth_session_info *info) } /* Create a security token for a session SYSTEM (the most - * trusted/prvilaged account), including the local machine account as + * trusted/privileged account), including the local machine account as * the off-host credentials */ _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx) -- 2.16.4 From b2a5ff55e048244bafdf6189f164b9cb614e095c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Tue, 4 Sep 2018 14:45:05 +0200 Subject: [PATCH 04/13] s4-auth: use TALLOC_FREE() shortcut MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Björn Baumbach Reviewed-by: Volker Lendecke --- source4/auth/system_session.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c index 03c26a80217..b03a55f2cab 100644 --- a/source4/auth/system_session.c +++ b/source4/auth/system_session.c @@ -62,8 +62,7 @@ _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ct lp_ctx, &static_session); if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(static_session); - static_session = NULL; + TALLOC_FREE(static_session); return NULL; } talloc_set_destructor(static_session, system_session_destructor); -- 2.16.4 
From ca81f3e66d9e92355657184107902581b08924d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Tue, 4 Sep 2018 14:46:03 +0200 Subject: [PATCH 05/13] s4-auth: fetch possible out of memory error MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Björn Baumbach Reviewed-by: Volker Lendecke --- source4/auth/system_session.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c index b03a55f2cab..e9cff3d55d6 100644 --- a/source4/auth/system_session.c +++ b/source4/auth/system_session.c @@ -76,7 +76,12 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, NTSTATUS nt_status; struct auth_user_info_dc *user_info_dc = NULL; struct auth_session_info *session_info = NULL; - TALLOC_CTX *mem_ctx = talloc_new(parent_ctx); + TALLOC_CTX *mem_ctx = NULL; + + mem_ctx = talloc_new(parent_ctx); + if (mem_ctx == NULL) { + return NT_STATUS_NO_MEMORY; + } nt_status = auth_system_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx), &user_info_dc); -- 2.16.4 From 1d54344ffdd57cdd7a48dad572a258cb18413a45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Tue, 25 Sep 2018 13:11:09 +0200 Subject: [PATCH 06/13] s4-auth: allow to create unix token from system session info MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Without this patch security_token_to_unix_token() fails with NT_STATUS_ACCESS_DENIED, because the system session does only have one SID. For a typical token are at least two or more SIDs expected. Signed-off-by: Björn Baumbach Reviewed-by: Volker Lendecke --- source4/auth/unix_token.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/source4/auth/unix_token.c b/source4/auth/unix_token.c index 492149b359b..ef3805b6e40 100644 --- a/source4/auth/unix_token.c +++ b/source4/auth/unix_token.c 
@@ -38,6 +38,21 @@ NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx, uint32_t s, g; NTSTATUS status; struct id_map *ids; + bool match; + + match = security_token_is_system(token); + if (match) { + /* + * SYSTEM user uid and gid is 0 + */ + + *sec = talloc_zero(mem_ctx, struct security_unix_token); + if (*sec == NULL) { + return NT_STATUS_NO_MEMORY; + } + + return NT_STATUS_OK; + } /* we can't do unix security without a user and group */ if (token->num_sids < 2) { -- 2.16.4 From 60bd15894b90e541171be4a492b4ebb07d80601b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Tue, 25 Sep 2018 13:16:15 +0200 Subject: [PATCH 07/13] s4-auth: allow to pass original_user_name=NULL to auth_session_info_fill_unix() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With this patch the auth_session_info_fill_unix() uses the "unix_name" from the session_info->unix_info if no original_user_name was specified. This is used to process a system session info where no original_user_name is given. Signed-off-by: Björn Baumbach Reviewed-by: Volker Lendecke --- source4/auth/unix_token.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/source4/auth/unix_token.c b/source4/auth/unix_token.c index ef3805b6e40..fdfbb240682 100644 --- a/source4/auth/unix_token.c +++ b/source4/auth/unix_token.c @@ -160,6 +160,10 @@ NTSTATUS auth_session_info_fill_unix(struct loadparm_context *lp_ctx, session_info->info->account_name); NT_STATUS_HAVE_NO_MEMORY(session_info->unix_info->unix_name); + if (original_user_name == NULL) { + original_user_name = session_info->unix_info->unix_name; + } + len = strlen(original_user_name) + 1; session_info->unix_info->sanitized_username = su = talloc_array(session_info->unix_info, char, len); NT_STATUS_HAVE_NO_MEMORY(su); -- 2.16.4 From 05a1a54f4538f3704f5d4cd36744326586318810 Mon Sep 17 00:00:00 2001 
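Review bot: The new early return in security_token_to_unix_token() hands out a root unix token (uid 0, gid 0, no supplementary groups — all via talloc_zero) for any token that security_token_is_system() accepts, turning what was previously an NT_STATUS_ACCESS_DENIED into the most privileged identity on the host. Whether such a token can only originate from the in-process system_session() or could also be built from a network-authenticated session is not visible in this hunk and should be confirmed and recorded, since the rest of the function (outside the hunk) is reached for every other token. Make the assumption explicit in the comment, e.g. `/* The in-process SYSTEM session (see system_session()) maps to root: uid 0, gid 0, no groups. Callers must not reach here with a token derived from network authentication. */`, and consider assigning `(*sec)->uid = 0; (*sec)->gid = 0;` explicitly rather than relying on zero-fill so the intent survives a later change to the struct.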
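Review bot: auth_session_info_fill_unix() now accepts `original_user_name == NULL` and substitutes `session_info->unix_info->unix_name`, but that contract is only discoverable by reading the body; the prototype and its header comment live outside this hunk and should be updated to say that NULL means "use the unix name derived from account_name" so callers elsewhere in the tree do not keep passing a placeholder string. A one-line comment above the new `if`, e.g. `/* No caller-supplied name: fall back to the unix name computed above */`, would also make the fallback obvious in place. The enclosing function starts and ends outside the hunk.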
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Tue, 4 Sep 2018 15:29:58 +0200 Subject: [PATCH 08/13] pysmbd: add option to pass a session info to set_nt_acl() function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A filled session info is needed by some vfs modules, e.g. full_audit. Signed-off-by: Björn Baumbach Reviewed-by: Volker Lendecke --- python/samba/ntacls.py | 13 +++++++++++-- source3/smbd/pysmbd.c | 44 ++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 51 insertions(+), 6 deletions(-) diff --git a/python/samba/ntacls.py b/python/samba/ntacls.py index 3ce27f32600..838152ad6e0 100644 --- a/python/samba/ntacls.py +++ b/python/samba/ntacls.py @@ -93,7 +93,13 @@ def getdosinfo(lp, file): return ndr_unpack(xattr.DOSATTRIB, attribute) -def getntacl(lp, file, backend=None, eadbfile=None, direct_db_access=True, service=None): +def getntacl(lp, + file, + backend=None, + eadbfile=None, + direct_db_access=True, + service=None, + session_info=None): if direct_db_access: (backend_obj, dbname) = checkset_backend(lp, backend, eadbfile) if dbname is not None: @@ -119,7 +125,10 @@ def getntacl(lp, file, backend=None, eadbfile=None, direct_db_access=True, servi elif ntacl.version == 4: return ntacl.info.sd else: - return smbd.get_nt_acl(file, SECURITY_SECINFO_FLAGS, service=service) + return smbd.get_nt_acl(file, + SECURITY_SECINFO_FLAGS, + service=service, + session_info=session_info) def setntacl(lp, file, sddl, domsid, diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c index 1431925efd0..25667198840 100644 --- a/source3/smbd/pysmbd.c +++ b/source3/smbd/pysmbd.c @@ -31,6 +31,9 @@ #include "librpc/rpc/pyrpc_util.h" #include #include "system/filesys.h" +#include "passdb.h" +#include "secrets.h" +#include "auth.h" extern const struct generic_mapping file_generic_mapping; 
@@ -622,22 +625,55 @@ static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args, PyObject *kw */ static PyObject *py_smbd_get_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs) { - const char * const kwnames[] = { "fname", "security_info_wanted", "service", NULL }; + const char * const kwnames[] = { "fname", + "security_info_wanted", + "service", + "session_info", + NULL }; char *fname, *service = NULL; int security_info_wanted; PyObject *py_sd; struct security_descriptor *sd; TALLOC_CTX *frame = talloc_stackframe(); + PyObject *py_session = Py_None; + struct auth_session_info *session_info = NULL; connection_struct *conn; NTSTATUS status; + int ret = 1; - if (!PyArg_ParseTupleAndKeywords(args, kwargs, "si|z", discard_const_p(char *, kwnames), - &fname, &security_info_wanted, &service)) { + ret = PyArg_ParseTupleAndKeywords(args, + kwargs, + "si|zO", + discard_const_p(char *, kwnames), + &fname, + &security_info_wanted, + &service, + &py_session); + if (!ret) { TALLOC_FREE(frame); return NULL; } - conn = get_conn_tos(service, NULL); + if (py_session != Py_None) { + if (!py_check_dcerpc_type(py_session, + "samba.dcerpc.auth", + "session_info")) { + TALLOC_FREE(frame); + return NULL; + } + session_info = pytalloc_get_type(py_session, + struct auth_session_info); + if (!session_info) { + PyErr_Format( + PyExc_TypeError, + "Expected auth_session_info for " + "session_info argument got %s", + talloc_get_name(pytalloc_get_ptr(py_session))); + return NULL; + } + } + + conn = get_conn_tos(service, session_info); if (!conn) { TALLOC_FREE(frame); return NULL; -- 2.16.4 From 30850406170bb8fa9a23ae5f95041516cb2ba01e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Wed, 19 Sep 2018 16:52:54 +0200 Subject: [PATCH 09/13] pysmbd: handle file not found error MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Avoid PANIC: internal error 
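Review bot: The new `if (!session_info)` branch in py_smbd_get_nt_acl() returns NULL without releasing `frame`, which was created by talloc_stackframe() at the top of the function; every other error path in the hunk frees it, so this one leaks the frame (and anything allocated on it) on a type mismatch. Add `TALLOC_FREE(frame);` before that `return NULL;`. Note also that the commit subject says set_nt_acl(), while the visible hunks (and the diffstat) only touch get_nt_acl()/getntacl(); if set_nt_acl() already took session_info before this series, the subject should say get_nt_acl().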
Signed-off-by: Björn Baumbach Reviewed-by: Volker Lendecke --- source3/smbd/pysmbd.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c index 25667198840..fd0c9fd46a7 100644 --- a/source3/smbd/pysmbd.c +++ b/source3/smbd/pysmbd.c @@ -150,7 +150,11 @@ static NTSTATUS init_files_struct(TALLOC_CTX *mem_ctx, fsp->fsp_name = smb_fname; fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, 00644); if (fsp->fh->fd == -1) { + int err = errno; umask(saved_umask); + if (err == ENOENT) { + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } return NT_STATUS_INVALID_PARAMETER; } @@ -204,8 +208,11 @@ static NTSTATUS set_nt_acl_conn(const char *fname, } if (!NT_STATUS_IS_OK(status)) { - printf("open: error=%d (%s)\n", errno, strerror(errno)); - SMB_VFS_CLOSE(fsp); + DBG_ERR("init_files_struct failed: %s\n", + nt_errstr(status)); + if (fsp != NULL) { + SMB_VFS_CLOSE(fsp); + } TALLOC_FREE(frame); return status; } -- 2.16.4 From 23e545ce8ffca535491ecf4840fa667d6498e751 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Tue, 4 Sep 2018 16:20:49 +0200 Subject: [PATCH 10/13] samba-tool ntacl: pass system session to get/set-ntacl functions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The filled session is needed in different vfs modules. Signed-off-by: Björn Baumbach Reviewed-by: Volker Lendecke --- python/samba/netcmd/ntacl.py | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/python/samba/netcmd/ntacl.py b/python/samba/netcmd/ntacl.py index 0af07ff20bf..5535cb0b942 100644 --- a/python/samba/netcmd/ntacl.py +++ b/python/samba/netcmd/ntacl.py @@ -29,7 +29,11 @@ from samba import provision from ldb import SCOPE_BASE import os -from samba.auth import system_session +from samba.auth import ( + system_session, + session_info_fill_unix, + copy_session_info, +) from samba.netcmd import ( Command, CommandError, 
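Review bot: The errno mapping added to init_files_struct() only distinguishes ENOENT and collapses every other open failure (EACCES, EPERM, ENOTDIR, ELOOP, …) into NT_STATUS_INVALID_PARAMETER, which is misleading for the permission-denied case that samba-tool ntacl will hit most often on a member server. source3 already has a complete table for this; replace the two-branch mapping with `return map_nt_error_from_unix(err);` (confirm the prototype is reachable from this file's includes). Saving `errno` before the umask() restore, as the hunk does, is the right order and should stay. In the second hunk, `SMB_VFS_CLOSE(fsp)` is now called even when init_files_struct() failed at SMB_VFS_OPEN, i.e. with `fsp->fh->fd == -1`; whether the VFS close path tolerates that is outside the hunk and worth checking.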
@@ -37,6 +41,12 @@ from samba.netcmd import ( Option, ) +def system_session_unix(): + session_info = system_session() + session_info_unix = copy_session_info(session_info) + session_info_fill_unix(session_info_unix, None) + + return session_info_unix class cmd_ntacl_set(Command): """Set ACLs on a file.""" @@ -88,7 +98,15 @@ class cmd_ntacl_set(Command): # ensure we are using the right samba_dsdb passdb backend, no matter what s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url) - setntacl(lp, file, acl, str(domain_sid), xattr_backend, eadb_file, use_ntvfs=use_ntvfs, service=service) + setntacl(lp, + file, + acl, + str(domain_sid), + xattr_backend, + eadb_file, + use_ntvfs=use_ntvfs, + service=service, + session_info=system_session_unix()) if use_ntvfs: logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL") @@ -159,7 +177,13 @@ class cmd_ntacl_get(Command): # ensure we are using the right samba_dsdb passdb backend, no matter what s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url) - acl = getntacl(lp, file, xattr_backend, eadb_file, direct_db_access=use_ntvfs, service=service) + acl = getntacl(lp, + file, + xattr_backend, + eadb_file, + direct_db_access=use_ntvfs, + service=service, + session_info=system_session_unix()) if as_sddl: try: domain_sid = security.dom_sid(samdb.domain_sid) -- 2.16.4 From b183485a87c2b3816d77d6b1c8e6b676000b0799 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Tue, 4 Sep 2018 16:30:53 +0200 Subject: [PATCH 11/13] s3/py_passdb: add get_domain_sid() to get domain sid from secrets database MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Björn Baumbach Reviewed-by: Volker Lendecke --- source3/passdb/py_passdb.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/source3/passdb/py_passdb.c b/source3/passdb/py_passdb.c index 31e3907c8bc..1bcf3f667ec 100644 
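Review bot: system_session_unix() has no docstring, and its behaviour depends on a contract that is not obvious from the call: `session_info_fill_unix(session_info_unix, None)` only works because a change earlier in this series made a NULL original_user_name fall back to the unix name. Add a docstring such as `"""Return a copy of the system session with unix_info filled in, so VFS modules that inspect session_info (e.g. full_audit) see a complete identity; the copy leaves the cached system_session() untouched."""` and a one-line comment on the fill call noting that None selects the derived unix name. The helper also needs the two blank lines before and after it that the rest of this module uses between top-level definitions.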
--- a/source3/passdb/py_passdb.c +++ b/source3/passdb/py_passdb.c @@ -3662,6 +3662,31 @@ static PyObject *py_reload_static_pdb(PyObject *self, PyObject *args) Py_RETURN_NONE; } +static PyObject *py_get_domain_sid(PyObject *self, PyObject *unused) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct dom_sid domain_sid, *domain_sid_copy; + PyObject *py_dom_sid = Py_None; + bool ret = false; + + ret = secrets_fetch_domain_sid(lp_workgroup(), &domain_sid); + if (!ret) { + talloc_free(frame); + return PyErr_NoMemory(); + } + + domain_sid_copy = dom_sid_dup(frame, &domain_sid); + if (domain_sid_copy == NULL) { + talloc_free(frame); + return PyErr_NoMemory(); + } + + py_dom_sid = pytalloc_steal(dom_sid_Type, domain_sid_copy); + + talloc_free(frame); + return py_dom_sid; +} + static PyObject *py_get_global_sam_sid(PyObject *self, PyObject *unused) { TALLOC_CTX *frame = talloc_stackframe(); @@ -3697,6 +3722,9 @@ static PyMethodDef py_passdb_methods[] = { { "get_global_sam_sid", py_get_global_sam_sid, METH_NOARGS, "get_global_sam_sid() -> dom_sid\n\n \ Return domain SID." }, + { "get_domain_sid", py_get_domain_sid, METH_NOARGS, + "get_domain_sid() -> dom_sid\n\n \ + Return domain SID from secrets database." }, { "reload_static_pdb", py_reload_static_pdb, METH_NOARGS, "reload_static_pdb() -> None\n\n \ Re-initalise the static pdb used internally. Needed if 'passdb backend' is changed." }, -- 2.16.4 From c4c5580710e7e3730ca0e496dd0c4e6915755100 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Tue, 4 Sep 2018 16:32:50 +0200 Subject: [PATCH 12/13] samba-tool ntacl: allow to run get/set-ntacl command in non-AD-DC role MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Can be used to get and apply NT-ACLs on Samba member servers. Signed-off-by: Björn Baumbach Reviewed-by: Volker Lendecke --- python/samba/netcmd/ntacl.py | 66 ++++++++++++++++++++++++++++++-------------- 1 file changed, 45 insertions(+), 21 deletions(-) 
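Review bot: py_get_domain_sid() raises MemoryError when secrets_fetch_domain_sid() returns false, but that failure means the secrets database has no SID for the configured workgroup (or cannot be opened, typically because the caller is not root), not that allocation failed, so the Python caller gets an exception type it cannot act on. Raise a descriptive error instead: `PyErr_Format(PyExc_RuntimeError, "Unable to fetch domain SID for workgroup %s from secrets database", lp_workgroup());` followed by `talloc_free(frame); return NULL;`. Keep `PyErr_NoMemory()` for the dom_sid_dup() failure only. The `py_dom_sid = Py_None` initialiser is never read and can be dropped.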
diff --git a/python/samba/netcmd/ntacl.py b/python/samba/netcmd/ntacl.py index 5535cb0b942..323add7243c 100644 --- a/python/samba/netcmd/ntacl.py +++ b/python/samba/netcmd/ntacl.py @@ -77,26 +77,38 @@ class cmd_ntacl_set(Command): service=None): logger = self.get_logger() lp = sambaopts.get_loadparm() - try: - samdb = SamDB(session_info=system_session(), - lp=lp) - except Exception as e: - raise CommandError("Unable to open samdb:", e) + + is_ad_dc = False + server_role = lp.server_role() + if server_role == "ROLE_ACTIVE_DIRECTORY_DC": + is_ad_dc = True if not use_ntvfs and not use_s3fs: use_ntvfs = "smb" in lp.get("server services") elif use_s3fs: use_ntvfs = False - try: - domain_sid = security.dom_sid(samdb.domain_sid) - except: - raise CommandError("Unable to read domain SID from configuration files") - s3conf = s3param.get_context() s3conf.load(lp.configfile) - # ensure we are using the right samba_dsdb passdb backend, no matter what - s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url) + + if is_ad_dc: + try: + samdb = SamDB(session_info=system_session(), + lp=lp) + except Exception as e: + raise CommandError("Unable to open samdb:", e) + # ensure we are using the right samba_dsdb passdb backend, no + # matter what + s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url) + + try: + if is_ad_dc: + domain_sid = security.dom_sid(samdb.domain_sid) + else: + domain_sid = passdb.get_domain_sid() + except: + raise CommandError("Unable to read domain SID from configuration " + "files") setntacl(lp, file, 
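Review bot: The bare `except:` around the domain SID lookup in cmd_ntacl_set.run swallows every exception, including KeyboardInterrupt, and now also hides the RuntimeError/permission problems that `passdb.get_domain_sid()` can raise on a member server, while the message still blames "configuration files". Narrow it and surface the cause: `except Exception as e:` / `raise CommandError("Unable to read domain SID: %s" % e)`. The `is_ad_dc` detection via `lp.server_role() == "ROLE_ACTIVE_DIRECTORY_DC"` is repeated verbatim in cmd_ntacl_get below; a tiny module-level helper would keep the two commands from drifting. The run() method begins outside this hunk.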
@@ -161,11 +173,11 @@ class cmd_ntacl_get(Command): credopts=None, sambaopts=None, versionopts=None, service=None): lp = sambaopts.get_loadparm() - try: - samdb = SamDB(session_info=system_session(), - lp=lp) - except Exception as e: - raise CommandError("Unable to open samdb:", e) + + is_ad_dc = False + server_role = lp.server_role() + if server_role == "ROLE_ACTIVE_DIRECTORY_DC": + is_ad_dc = True if not use_ntvfs and not use_s3fs: use_ntvfs = "smb" in lp.get("server services") @@ -174,8 +186,16 @@ class cmd_ntacl_get(Command): s3conf = s3param.get_context() s3conf.load(lp.configfile) - # ensure we are using the right samba_dsdb passdb backend, no matter what - s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url) + if is_ad_dc: + try: + samdb = SamDB(session_info=system_session(), + lp=lp) + except Exception as e: + raise CommandError("Unable to open samdb:", e) + + # ensure we are using the right samba_dsdb passdb backend, no + # matter what + s3conf.set("passdb backend", "samba_dsdb:%s" % samdb.url) acl = getntacl(lp, file, @@ -186,9 +206,13 @@ class cmd_ntacl_get(Command): session_info=system_session_unix()) if as_sddl: try: - domain_sid = security.dom_sid(samdb.domain_sid) + if is_ad_dc: + domain_sid = security.dom_sid(samdb.domain_sid) + else: + domain_sid = passdb.get_domain_sid() except: - raise CommandError("Unable to read domain SID from configuration files") + raise CommandError("Unable to read domain SID from " + "configuration files") self.outf.write(acl.as_sddl(domain_sid) + "\n") else: self.outf.write(ndr_print(acl)) -- 2.16.4 From 790c55cc14b2762fa6948c9af8e231d7b49dea72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Wed, 19 Sep 2018 16:36:45 +0200 Subject: [PATCH 13/13] selftest: test samba-tool ntacl get/set on AD member server MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
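Review bot: cmd_ntacl_get.run now duplicates the role detection and conditional samdb opening from cmd_ntacl_set line for line, and both copies keep a bare `except:` around the SID lookup that also masks the new `passdb.get_domain_sid()` failure mode on member servers. Factor the role test into `def _is_ad_dc(lp):` / `return lp.server_role() == "ROLE_ACTIVE_DIRECTORY_DC"` and use it in both commands, and change the handler to `except Exception as e:` with the exception text included in the CommandError so a missing SID in secrets.tdb is diagnosable. On the non-DC path the samdb-dependent "passdb backend" override is skipped, which is intended; a one-line comment saying that the member server uses the configured passdb as-is would make that explicit. The run() method begins outside this hunk.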
Signed-off-by: Björn Baumbach Reviewed-by: Volker Lendecke --- source4/selftest/tests.py | 1 + testprogs/blackbox/test_samba-tool_ntacl.sh | 67 +++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100755 testprogs/blackbox/test_samba-tool_ntacl.sh diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index c8411313cf5..101418ae544 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -463,6 +463,7 @@ plantestsuite("samba4.blackbox.client_etypes_all(ad_dc:client)", "ad_dc:client", plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'legacy', '23']) plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'strong', '17_18']) plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD']) +plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX']) plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo']) # json tests hook into ``chgdcpass'' to make them run in contributor CI on # gitlab diff --git a/testprogs/blackbox/test_samba-tool_ntacl.sh b/testprogs/blackbox/test_samba-tool_ntacl.sh new file mode 100755 index 00000000000..439f961443e --- /dev/null +++ b/testprogs/blackbox/test_samba-tool_ntacl.sh @@ -0,0 +1,67 @@ +#!/bin/sh +# Blackbox tests for samba-tool ntacl get/set on member server +# Copyright (C) 2018 Björn Baumbach + +if [ $# -lt 1 ]; then +cat <