[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu Dec 9 00:51:02 MST 2010
The branch, master has been updated
via 154b431 s4-spnego Match Windows 2008, and no longer supply a name in the CIFS Negprot
via f681859 s4-lsa Implement kerberos ticket life policy
via 22d6775 s4-tests Workaround new default of 'client ntlmv2 auth = yes' in tests
via 54ee213 s4-client Use NTLMv2 by default in the Samba4 client.
from a6351e2 waf: add a dependency between the library and its vscript
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 154b431093db68b30c429316eb660f776958a56f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Dec 9 17:51:36 2010 +1100
s4-spnego Match Windows 2008, and no longer supply a name in the CIFS Negprot
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet at samba.org>
Autobuild-Date: Thu Dec 9 08:50:28 CET 2010 on sn-devel-104
commit f681859eb819b441da41e2985586bfc59dff2ec5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Dec 9 14:17:54 2010 +1100
s4-lsa Implement kerberos ticket life policy
We now no longer print tickets with a potentially infinite life, and
we report the same life over LSA as we use in the KDC. We should get
this from group policy, but for now it's parametric smb.conf options.
Andrew Bartlett
commit 22d67758efd20e62d6050fd10c8b922db75747c9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Dec 4 17:02:49 2010 +1100
s4-tests Workaround new default of 'client ntlmv2 auth = yes' in tests
The new default breaks some tests that were assuming LM or NTLM auth
Andrew Bartlett
commit 54ee213fa5da6b138ab367b537c5e084edf35ff2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Dec 4 14:59:29 2010 +1100
s4-client Use NTLMv2 by default in the Samba4 client.
-----------------------------------------------------------------------
Summary of changes:
librpc/idl/lsa.idl | 5 ++-
source4/auth/gensec/spnego.c | 11 +----
source4/client/tests/test_smbclient.sh | 4 +-
source4/kdc/db-glue.c | 26 +++++++++-
.../libnet/grouptest.h => kdc/kdc-policy.h} | 9 +++-
source4/kdc/policy.c | 50 ++++++++++++++++++++
source4/kdc/samba_kdc.h | 1 +
source4/kdc/wscript_build | 9 +++-
source4/param/loadparm.c | 1 +
source4/rpc_server/lsa/dcesrv_lsa.c | 10 ++--
source4/rpc_server/wscript_build | 2 +-
source4/torture/rpc/netlogon.c | 2 +-
12 files changed, 104 insertions(+), 26 deletions(-)
copy source4/{torture/libnet/grouptest.h => kdc/kdc-policy.h} (78%)
create mode 100644 source4/kdc/policy.c
Changeset truncated at 500 lines:
diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index 869a97a..abad501 100644
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -1064,11 +1064,14 @@ import "misc.idl", "security.idl";
);
/* Function 0x35 */
+ typedef [bitmap32bit] bitmap {
+ LSA_POLICY_KERBEROS_VALIDATE_CLIENT = 0x00000080
+ } lsa_krbAuthenticationOptions;
/* w2k3 returns either 0x000bbbd000000000 or 0x000a48e800000000
for reserved - gd */
typedef struct {
- uint32 enforce_restrictions;
+ lsa_krbAuthenticationOptions authentication_options;
hyper service_tkt_lifetime;
hyper user_tkt_lifetime;
hyper user_tkt_renewaltime;
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index b757e62..1f6c919 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -635,17 +635,8 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
spnego_out.negTokenInit.reqFlagsPadding = 0;
if (spnego_state->state_position == SPNEGO_SERVER_START) {
- /* server credentials */
- struct cli_credentials *creds = gensec_get_credentials(gensec_security);
- if (creds) {
- principal = cli_credentials_get_principal(creds, out_mem_ctx);
- } else {
- principal = ADS_IGNORE_PRINCIPAL;
- }
- }
- if (principal) {
spnego_out.negTokenInit.mechListMIC
- = data_blob_string_const(principal);
+ = data_blob_string_const(ADS_IGNORE_PRINCIPAL);
} else {
spnego_out.negTokenInit.mechListMIC = null_data_blob;
}
diff --git a/source4/client/tests/test_smbclient.sh b/source4/client/tests/test_smbclient.sh
index 2fd5b56..66cc2d9 100755
--- a/source4/client/tests/test_smbclient.sh
+++ b/source4/client/tests/test_smbclient.sh
@@ -116,8 +116,8 @@ runcmd "Lookup name" "lookup $DOMAIN\\$USERNAME" || failed=`expr $failed + 1`
#runcmd "Lookup privs of name" "privileges $DOMAIN\\$USERNAME" || failed=`expr $failed + 1`
# do some simple operations using old protocol versions
-runcmd "List directory with LANMAN1" 'ls' -m LANMAN1 || failed=`expr $failed + 1`
-runcmd "List directory with LANMAN2" 'ls' -m LANMAN2 || failed=`expr $failed + 1`
+runcmd "List directory with LANMAN1" 'ls' -m LANMAN1 --option=clientntlmv2auth=no || failed=`expr $failed + 1`
+runcmd "List directory with LANMAN2" 'ls' -m LANMAN2 --option=clientntlmv2auth=no || failed=`expr $failed + 1`
runcmd "Print current working directory" 'pwd'|| failed=`expr $failed + 1`
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 4bb8e35..15024fa 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -43,6 +43,7 @@
#include <hdb.h>
#include "kdc/samba_kdc.h"
#include "kdc/db-glue.h"
+#include "kdc/kdc-policy.h"
enum samba_kdc_ent_type
{ SAMBA_KDC_ENT_TYPE_CLIENT, SAMBA_KDC_ENT_TYPE_SERVER,
@@ -740,9 +741,28 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
entry_ex->entry.valid_start = NULL;
- entry_ex->entry.max_life = NULL;
+ entry_ex->entry.max_life = malloc(sizeof(*entry_ex->entry.max_life));
+ if (entry_ex->entry.max_life == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
- entry_ex->entry.max_renew = NULL;
+ if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
+ *entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime);
+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT || ent_type == SAMBA_KDC_ENT_TYPE_CLIENT) {
+ *entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime);
+ } else {
+ *entry_ex->entry.max_life = MIN(nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime),
+ nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime));
+ }
+
+ entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life));
+ if (entry_ex->entry.max_renew == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ *entry_ex->entry.max_renew = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_renewaltime);
entry_ex->entry.generation = NULL;
@@ -1636,6 +1656,8 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
kdc_db_ctx->ev_ctx = base_ctx->ev_ctx;
kdc_db_ctx->lp_ctx = base_ctx->lp_ctx;
+ kdc_get_policy(base_ctx->lp_ctx, NULL, &kdc_db_ctx->policy);
+
session_info = system_session(kdc_db_ctx->lp_ctx);
if (session_info == NULL) {
return NT_STATUS_INTERNAL_ERROR;
diff --git a/source4/torture/libnet/grouptest.h b/source4/kdc/kdc-policy.h
similarity index 78%
copy from source4/torture/libnet/grouptest.h
copy to source4/kdc/kdc-policy.h
index 8b65e6e..01e9372 100644
--- a/source4/torture/libnet/grouptest.h
+++ b/source4/kdc/kdc-policy.h
@@ -1,7 +1,9 @@
/*
Unix SMB/CIFS implementation.
- Copyright (C) Rafal Szczesniak 2007
+ KDC Policy
+
+ Copyright (C) Andrew Bartlett <abartlet at samba.org> 2010
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -17,4 +19,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#define TEST_GROUPNAME "libnetgrptest"
+struct lsa_DomainInfoKerberos;
+struct loadparm_context;
+struct smb_krb5_context;
+#include "kdc/kdc-policy-proto.h"
diff --git a/source4/kdc/policy.c b/source4/kdc/policy.c
new file mode 100644
index 0000000..2760e06
--- /dev/null
+++ b/source4/kdc/policy.c
@@ -0,0 +1,50 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ KDC Policy
+
+ Copyright (C) Andrew Bartlett <abartlet at samba.org> 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "lib/util/util.h"
+#include "kdc/kdc-policy.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "librpc/gen_ndr/lsa.h"
+#include "param/param.h"
+
+void kdc_get_policy(struct loadparm_context *lp_ctx,
+ struct smb_krb5_context *smb_krb5_context,
+ struct lsa_DomainInfoKerberos *k)
+{
+ /* These should be set and stored via Group Policy, but until then, some defaults are in order */
+
+ /* Our KDC always re-validates the client */
+ k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
+
+ unix_to_nt_time(&k->service_tkt_lifetime,
+ lpcfg_parm_int(lp_ctx, NULL, "kdc", "service ticket lifefime", 10) * 60 * 60);
+ unix_to_nt_time(&k->user_tkt_lifetime,
+ lpcfg_parm_int(lp_ctx, NULL, "kdc", "user ticket lifefime", 10) * 60 * 60);
+ unix_to_nt_time(&k->user_tkt_renewaltime,
+ lpcfg_parm_int(lp_ctx, NULL, "kdc", "renewal lifefime", 24*7) * 60 * 60);
+ if (smb_krb5_context) {
+ unix_to_nt_time(&k->clock_skew,
+ krb5_get_max_time_skew(smb_krb5_context->krb5_context));
+ }
+ k->reserved = 0;
+}
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index 72b5cc4..faa4c7b 100644
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -36,6 +36,7 @@ struct samba_kdc_db_context {
bool rodc;
unsigned int my_krbtgt_number;
struct ldb_dn *krbtgt_dn;
+ struct lsa_DomainInfoKerberos policy;
};
struct samba_kdc_entry {
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 82b9929..7ff2623 100644
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -38,10 +38,17 @@ bld.SAMBA_LIBRARY('pac',
bld.SAMBA_LIBRARY('db-glue',
source='db-glue.c',
- deps='ldb auth_sam auth_sam_reply credentials hdb samba-hostconfig com_err',
+ deps='ldb auth_sam auth_sam_reply credentials hdb samba-hostconfig com_err kdc-policy',
private_library=True
)
+bld.SAMBA_LIBRARY('kdc-policy',
+ source='policy.c',
+ deps='samba-hostconfig authkrb5',
+ private_library=True,
+ autoproto = 'kdc-policy-proto.h'
+ )
+
bld.SAMBA_SUBSYSTEM('MIT_SAMBA',
source='mit_samba.c',
diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c
index fa3b591..e7a0aac 100644
--- a/source4/param/loadparm.c
+++ b/source4/param/loadparm.c
@@ -2463,6 +2463,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "BindInterfacesOnly", "False");
lpcfg_do_global_parameter(lp_ctx, "Unicode", "True");
lpcfg_do_global_parameter(lp_ctx, "ClientLanManAuth", "False");
+ lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True");
lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False");
lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "True");
lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 0854f25..6ec078b 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -31,6 +31,7 @@
#include "lib/util/tsort.h"
#include "dsdb/common/util.h"
#include "libcli/security/session.h"
+#include "kdc/kdc-policy.h"
/*
this type allows us to distinguish handle types
@@ -3700,12 +3701,9 @@ static NTSTATUS dcesrv_lsa_QueryDomainInformationPolicy(struct dcesrv_call_state
*r->out.info = NULL;
return NT_STATUS_INTERNAL_ERROR;
}
- k->enforce_restrictions = 0; /* FIXME, details missing from MS-LSAD 2.2.53 */
- k->service_tkt_lifetime = 0; /* Need to find somewhere to store this, and query in KDC too */
- k->user_tkt_lifetime = 0; /* Need to find somewhere to store this, and query in KDC too */
- k->user_tkt_renewaltime = 0; /* Need to find somewhere to store this, and query in KDC too */
- k->clock_skew = krb5_get_max_time_skew(smb_krb5_context->krb5_context);
- k->reserved = 0;
+ kdc_get_policy(dce_call->conn->dce_ctx->lp_ctx,
+ smb_krb5_context,
+ k);
talloc_free(smb_krb5_context);
*r->out.info = info;
return NT_STATUS_OK;
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index 29c1723..3aafaa5 100644
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -95,7 +95,7 @@ bld.SAMBA_MODULE('dcerpc_lsarpc',
autoproto='lsa/proto.h',
subsystem='dcerpc_server',
init_function='dcerpc_server_lsa_init',
- deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security-session'
+ deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security-session kdc-policy'
)
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index b1739a0..457d38e 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -702,7 +702,7 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context
flags |= CLI_CRED_LANMAN_AUTH;
}
- if (lpcfg_client_ntlmv2_auth(tctx->lp_ctx)) {
+ if (lpcfg_client_ntlmv2_auth(tctx->lp_ctx) && !null_domain) {
flags |= CLI_CRED_NTLMv2_AUTH;
}
--
Samba Shared Repository
More information about the samba-cvs
mailing list