[SCM] Samba Shared Repository - branch v3-0-test updated -
release-3-0-29-4-gcf9ef3a
coffeedude at samba.org
coffeedude at samba.org
Fri May 23 18:17:21 GMT 2008
The branch, v3-0-test has been updated
via cf9ef3a45b2cdd150ec77a811e3d4927c3bfbc85 (commit)
via 8dc4e979776aae0ecaa74b51dc1eac78a7631405 (commit)
via fd0ae47046d37ec8297396a2733209c4d999ea91 (commit)
from a7ad5189670d6497c958edc1a85e41ecb50df837 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test
- Log -----------------------------------------------------------------
commit cf9ef3a45b2cdd150ec77a811e3d4927c3bfbc85
Author: Gerald Carter <coffeedude at plainjoe.org>
Date: Fri May 23 13:15:02 2008 -0500
Set version in v3-0-test to 3.0.30-GIT
commit 8dc4e979776aae0ecaa74b51dc1eac78a7631405
Author: Steven Danneman <sdanneman at isilon.com>
Date: Wed May 7 13:34:26 2008 -0700
spnego SPN fix when contacting trusted domains
cli_session_setup_spnego() was not taking into consideration the situation
where we're connecting to a trusted domain, specifically one (like W2K8)
which doesn't return a SPN in the NegTokenInit.
This caused two problems:
1) When guessing the SPN using kerberos_get_default_realm_from_ccache() we
were always using our default realm, not the realm of the domain we're
connecting to.
2) When falling back on NTLMSSP for authentication we were passing the name
of the domain we're connecting to for use in our credentials when we should be
passing our own workgroup name.
The fix for both was to split the single "domain" parameter into
"user_domain" and "dest_realm" parameters. We use the "user_domain"
parameter to pass into the NTLM call, and we used "dest_realm" to create an SPN
if none was returned in the NegTokenInit2 packet. If no "dest_realm" is
provided we assume we're connecting to our own domain and use the credentials
cache to build the SPN.
Since we have a reasonable guess at the SPN, I removed the check that defaults
us directly to NTLM when negHint is empty.
commit fd0ae47046d37ec8297396a2733209c4d999ea91
Author: Steven Danneman <sdanneman at isilon.com>
Date: Thu May 8 13:34:49 2008 -0700
Use machine account and machine password from our domain when
contacting trusted domains.
-----------------------------------------------------------------------
Summary of changes:
source/VERSION | 6 ++--
source/libsmb/cliconnect.c | 42 +++++++++++++++++++++-------------------
source/nsswitch/winbindd_cm.c | 18 +++++++++-------
source/passdb/secrets.c | 7 +++--
4 files changed, 39 insertions(+), 34 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/VERSION b/source/VERSION
index 04974ad..66458e7 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=29
+SAMBA_VERSION_RELEASE=30
########################################################
# Bug fix releases use a letter for the patch revision #
@@ -68,7 +68,7 @@ SAMBA_VERSION_RC_RELEASE=
# e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes #
# -> "3.0.0-SVN-build-199" #
########################################################
-SAMBA_VERSION_IS_GIT_SNAPSHOT=
+SAMBA_VERSION_IS_GIT_SNAPSHOT=yes
########################################################
# This can be set by vendors if they want... #
@@ -95,5 +95,5 @@ SAMBA_VERSION_IS_GIT_SNAPSHOT=
# e.g. SAMBA_VERSION_VENDOR_SUFFIX=vendor_version() #
# -> "CVS 3.0.0rc2-VendorVersion" #
########################################################
-SAMBA_VERSION_VENDOR_SUFFIX=
+SAMBA_VERSION_VENDOR_SUFFIX="test"
SAMBA_VERSION_VENDOR_PATCH=
diff --git a/source/libsmb/cliconnect.c b/source/libsmb/cliconnect.c
index ce9e7fa..c467191 100644
--- a/source/libsmb/cliconnect.c
+++ b/source/libsmb/cliconnect.c
@@ -787,12 +787,16 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use
/****************************************************************************
Do a spnego encrypted session setup.
+
+ user_domain: The shortname of the domain the user/machine is a member of.
+ dest_realm: The realm we're connecting to, if NULL we use our default realm.
****************************************************************************/
ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
- const char *pass, const char *domain)
+ const char *pass, const char *user_domain,
+ const char * dest_realm)
{
- char *principal;
+ char *principal = NULL;
char *OIDs[ASN1_MAX_OIDS];
int i;
BOOL got_kerberos_mechanism = False;
@@ -813,8 +817,10 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
/* there is 16 bytes of GUID before the real spnego packet starts */
blob = data_blob(cli->secblob.data+16, cli->secblob.length-16);
- /* the server sent us the first part of the SPNEGO exchange in the negprot
- reply */
+ /* The server sent us the first part of the SPNEGO exchange in the
+ * negprot reply. It is WRONG to depend on the principal sent in the
+ * negprot reply, but right now we do it. If we don't receive one,
+ * we try to best guess, then fall back to NTLM. */
if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
data_blob_free(&blob);
return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
@@ -833,18 +839,6 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
DEBUG(3,("got principal=%s\n", principal ? principal : "<null>"));
- if (got_kerberos_mechanism && (principal == NULL)) {
- /*
- * It is WRONG to depend on the principal sent in the negprot
- * reply, but right now we do it. So for safety (don't
- * segfault later) disable Kerberos when no principal was
- * sent. -- VL
- */
- DEBUG(1, ("Kerberos mech was offered, but no principal was "
- "sent, disabling Kerberos\n"));
- cli->use_kerberos = False;
- }
-
fstrcpy(cli->user_name, user);
#ifdef HAVE_KRB5
@@ -896,7 +890,12 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
- realm = kerberos_get_default_realm_from_ccache();
+ if (dest_realm) {
+ realm = SMB_STRDUP(dest_realm);
+ strupper_m(realm);
+ } else {
+ realm = kerberos_get_default_realm_from_ccache();
+ }
if (realm && *realm) {
if (asprintf(&principal, "%s$@%s",
machine, realm) < 0) {
@@ -913,7 +912,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
}
if (principal) {
- rc = cli_session_setup_kerberos(cli, principal, domain);
+ rc = cli_session_setup_kerberos(cli, principal,
+ dest_realm);
if (ADS_ERR_OK(rc) || !cli->fallback_after_kerberos) {
SAFE_FREE(principal);
return rc;
@@ -926,7 +926,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
ntlmssp:
- return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain));
+ return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass,
+ user_domain));
}
/****************************************************************************
@@ -1009,7 +1010,8 @@ NTSTATUS cli_session_setup(struct cli_state *cli,
/* if the server supports extended security then use SPNEGO */
if (cli->capabilities & CAP_EXTENDED_SECURITY) {
- ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, workgroup);
+ ADS_STATUS status = cli_session_setup_spnego(cli, user, pass,
+ workgroup, NULL);
if (!ADS_ERR_OK(status)) {
DEBUG(3, ("SPNEGO login failed: %s\n", ads_errstr(status)));
return ads_ntstatus(status);
diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c
index 91c8c46..6eb0964 100644
--- a/source/nsswitch/winbindd_cm.c
+++ b/source/nsswitch/winbindd_cm.c
@@ -607,12 +607,12 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
return NT_STATUS_NO_MEMORY;
}
- /* this is at least correct when domain is our domain,
- * which is the only case, when this is currently used: */
+ /* For now assume our machine account only exists in our domain */
+
if (machine_krb5_principal != NULL)
{
if (asprintf(machine_krb5_principal, "%s$@%s",
- account_name, domain->alt_name) == -1)
+ account_name, lp_realm()) == -1)
{
return NT_STATUS_NO_MEMORY;
}
@@ -729,13 +729,14 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
(*cli)->use_kerberos = True;
DEBUG(5, ("connecting to %s from %s with kerberos principal "
- "[%s]\n", controller, global_myname(),
- machine_krb5_principal));
+ "[%s] and realm [%s]\n", controller, global_myname(),
+ machine_krb5_principal, domain->alt_name));
ads_status = cli_session_setup_spnego(*cli,
machine_krb5_principal,
machine_password,
- domain->name);
+ lp_workgroup(),
+ domain->alt_name);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4,("failed kerberos session setup with %s\n",
@@ -755,12 +756,13 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
DEBUG(5, ("connecting to %s from %s with username "
"[%s]\\[%s]\n", controller, global_myname(),
- domain->name, machine_account));
+ lp_workgroup(), machine_account));
ads_status = cli_session_setup_spnego(*cli,
machine_account,
machine_password,
- domain->name);
+ lp_workgroup(),
+ NULL);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4, ("authenticated session setup failed with %s\n",
ads_errstr(ads_status)));
diff --git a/source/passdb/secrets.c b/source/passdb/secrets.c
index cd6c751..21fdbca 100644
--- a/source/passdb/secrets.c
+++ b/source/passdb/secrets.c
@@ -702,10 +702,11 @@ BOOL get_trust_pw_clear(const char *domain, char **ret_pwd,
return True;
}
- /* Just get the account for the requested domain. In the future this
- * might also cover to be member of more than one domain. */
+ /* Here we are a domain member server. We can only be a member
+ of one domain so ignore the request domain and assume our own */
- pwd = secrets_fetch_machine_password(domain, &last_set_time, channel);
+ pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time,
+ channel);
if (pwd != NULL) {
*ret_pwd = pwd;
--
Samba Shared Repository
More information about the samba-cvs
mailing list