[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Dec 10 00:46:01 MST 2010


The branch, master has been updated
       via  e928032 wintest flush DNS on Windows clients to improve reliability
       via  280caa6 s3-dns Don't use DELEG_FLAG in DNS update, Windows 2008R2 does not like it
       via  0f1cc88 s3-dns Don't use SEQUENCE_FLAG in DNS update, Windows 2008R2 does not like it
       via  89d4439 wintest More work to make test-s3.py work
       via  c2a1ad9 s3-net Allow 'net ads dns register' to take an optional hostname argument
       via  4408f8a wintest Share more of the S4 test code with the s3 test
       via  6195dfc s3-winbind Improve memory handling in NTLMv2-backend plaintext authentication
       via  5cfe949 s3-winbind Don't send the LM password to the server, ever
       via  f13404e s3-libsmb Don't ever ask for machine$ principals as a target.
       via  45d784e s3-docs Add docs for 'client use spnego principal' and 'send spnego principal'
       via  d69b4f1 s3-docs Explain change to NTLMv2 by default in the client
       via  635fbf2 s3-client Use NTLMv2 by default in the Samba client
       via  b3c2df5 s3-smbd Don't send SPNEGO principal (rfc4178 hint) by default
       via  bb78062 s3-libads Default to NOT using the server-supplied principal from SPNEGO
      from  10441ed subunitrun: Use unittest.TestProgram if subunit.TestProgram is not available.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e92803201ae442892bee220fbcd2a124a8ca854b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 16:56:57 2010 +1100

    wintest flush DNS on Windows clients to improve reliability
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Fri Dec 10 08:45:28 CET 2010 on sn-devel-104

commit 280caa6b3bb1199939f9349ea5a436a491c81791
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 15:32:08 2010 +1100

    s3-dns Don't use DELEG_FLAG in DNS update, Windows 2008R2 does not like it

commit 0f1cc889a26477e9a98629f120fe5890b2e106fa
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 15:30:22 2010 +1100

    s3-dns Don't use SEQUENCE_FLAG in DNS update, Windows 2008R2 does not like it
    
    Andrew Bartlett

commit 89d4439ff13825d2bd59ebf8a49960258f4feebd
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 15:09:54 2010 +1100

    wintest More work to make test-s3.py work
    
     - Set the password on the newly added 'root' user so we can connect with a user that exists in getpwnam() without further configuration
     - bind interfaces only so we don't conflict with other Samba instances
     - use the full DNS name for smbclient
     - don't connect to localhost (as we will be on ${INTERFACE_IP} only)
     - Use the windows domain in the wbinfo command (winbindd won't take bare name here).
     - Register our IP address in DNS using 'net ads dns register'
    
    Andrew Bartlett

commit c2a1ad9047508cf2745a9019e6783c8b8f7ef475
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 15:08:53 2010 +1100

    s3-net Allow 'net ads dns register' to take an optional hostname argument
    
    This allows the administrator to more carefully choose what name to register.
    
    Andrew Bartlett

commit 4408f8a0dec80c34dfe770cc2a81f2d4e074ba8a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 12:13:58 2010 +1100

    wintest Share more of the S4 test code with the s3 test
    
    This allows us to run a private BIND in the S3 test, and allows the S3
    test to join a freshly provisioned AD instance if the VM isn't already
    configured.
    
    Andrew Bartlett

commit 6195dfc0eb310a2362cb949a000979514a52c648
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 12:12:23 2010 +1100

    s3-winbind Improve memory handling in NTLMv2-backend plaintext authentication
    
    Andrew Bartlett

commit 5cfe949108f253a8e20c835cb53fe6f5eae7fbb5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 12:10:07 2010 +1100

    s3-winbind Don't send the LM password to the server, ever
    
    This is for the case where we have the plaintext password locally, and
    can construct the challenge-response values here.
    
    We should never ever use the LM password in domain authentication.
    The last domain controller to only have LM passwords stored was NT
    3.5.
    
    Andrew Bartlett

commit f13404e27b00f826a11684e69cff82ae0023fc91
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 07:57:59 2010 +1100

    s3-libsmb Don't ever ask for machine$ principals as a target.
    
    It is never correct to ask for a machine$ principal as the target of a
    kerberos connection.  You should always connect via the
    servicePrincipalName.
    
    This current code appears to have built up from a series of minimal
    changes, as the codebase adapted to the lack of an SPNEGO principal
    from Windows 2008.
    
    Andrew Bartlett

commit 45d784e929b37edddea4c472d288a46b37aa7415
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 9 17:37:14 2010 +1100

    s3-docs Add docs for 'client use spnego principal' and 'send spnego principal'
    
    Andrew Bartlett

commit d69b4f13f7edda8d8457315936051cc9d3fb103f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 9 16:47:08 2010 +1100

    s3-docs Explain change to NTLMv2 by default in the client

commit 635fbf2b5498df5698e240728add95f8ff8cda0f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Dec 4 14:57:46 2010 +1100

    s3-client Use NTLMv2 by default in the Samba client
    
    This matches the improved security measures of Windows Vista.
    
    Andrew Bartlett

commit b3c2df5e0d0ba1c17c3248bf9d238de3c54613ef
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Dec 4 14:11:57 2010 +1100

    s3-smbd Don't send SPNEGO principal (rfc4178 hint) by default
    
    This patch, based on the suggestion by Goldberg, Neil R. <ngoldber at mitre.org>
    turns off the sending of the principal in the negprot by default, matching
    Windows 2008 behaviour.
    
    This slowly works us back from this hack, which from an RFC
    perspective was never the right thing to do in the first place, but we
    traditionally follow windows behaviour.  It also discourages client
    implementations from relying on it, as if they do they are more open to
    man-in-the-middle attacks.
    
    Andrew Bartlett

commit bb7806283e71f3b8029aae0eed326b5847a36d83
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Dec 4 13:48:37 2010 +1100

    s3-libads Default to NOT using the server-supplied principal from SPNEGO
    
    This principal is not supplied by later versions of windows, and using
    it opens up some opportunities for man in the middle attacks.  (Because
    it isn't the name being contacted that is verified with the KDC).
    
    This adds the option 'client use spnego principal' to the smb.conf (as
    used in Samba4) to control this behaviour.  As in Samba4, this
    defaults to false.
    
    Against 2008 servers, this will not change behaviour.  Against earlier
    servers, it may cause a downgrade to NTLMSSP more often, in
    environments where server names are not registered with the KDC as
    servicePrincipalName values.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/security/clientntlmv2auth.xml  |   13 +-
 .../security/clientusepsnegoprincipal.xml          |   28 ++
 .../smbdotconf/security/sendspengoprincipal.xml    |   28 ++
 source3/include/proto.h                            |    2 +
 source3/libaddns/dnsgss.c                          |    4 +-
 source3/libads/sasl.c                              |    8 +-
 source3/libsmb/cliconnect.c                        |   41 +---
 source3/param/loadparm.c                           |   26 ++-
 source3/smbd/negprot.c                             |    3 +
 source3/utils/net_ads.c                            |   16 +-
 source3/winbindd/winbindd_pam.c                    |   35 +--
 wintest/test-s3.py                                 |   79 +++++--
 wintest/test-s4-howto.py                           |  260 ++------------------
 wintest/wintest.py                                 |  239 ++++++++++++++++++
 14 files changed, 441 insertions(+), 341 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
 create mode 100644 docs-xml/smbdotconf/security/sendspengoprincipal.xml


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
index 9f0627a..b151df2 100644
--- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml
+++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
@@ -10,9 +10,9 @@
     response.</para>
 
     <para>If enabled, only an NTLMv2 and LMv2 response (both much more
-    secure than earlier versions) will be sent.  Many servers
+    secure than earlier versions) will be sent.  Older servers
     (including NT4 &lt; SP4, Win9x and Samba 2.2) are not compatible with
-    NTLMv2.  </para>
+    NTLMv2 when not in an NTLMv2 supporting domain</para>
 
     <para>Similarly, if enabled, NTLMv1, <command
     moreinfo="none">client lanman auth</command> and <command
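Review bot: the rewritten sentence ending at "NTLMv2 when not in an NTLMv2 supporting domain" loses its full stop and is ambiguous about who needs to support NTLMv2 (the server itself, or the domain controllers it forwards the response to); suggest "are not compatible with NTLMv2 unless they are members of a domain whose domain controllers can verify it." so an administrator can tell which of the listed servers still work.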
@@ -24,9 +24,10 @@
     will be sent by the client, depending on the value of <command
     moreinfo="none">client lanman auth</command>.  </para>
 
-    <para>Note that some sites (particularly
-    those following 'best practice' security polices) only allow NTLMv2
-	responses, and not the weaker LM or NTLM.</para>
+    <para>Note that Windows Vista and later versions already use
+    NTLMv2 by default, and some sites (particularly those following
+    'best practice' security polices) only allow NTLMv2 responses, and
+    not the weaker LM or NTLM.</para>
 </description>
-<value type="default">no</value>
+<value type="default">yes</value>
 </samba:parameter>
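Review bot: the default flips from no to yes but nothing in the description tells an administrator how to get the old behaviour back; a client that still has to talk to a standalone NT4 < SP4, Win9x or Samba 2.2 server (listed in the first paragraph) now fails until "client ntlmv2 auth = no" is set, so add that one-line opt-out next to the Windows Vista sentence and flag the default change in the release notes.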
diff --git a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
new file mode 100644
index 0000000..6ec1eb1
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="client use spnego principal"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter determines whether or not
+    <citerefentry><refentrytitle>smbclient</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> and other samba components
+    acting as a client will attempt to use the server-supplied
+    principal sometimes given in the SPNEGO exchange.</para>
+
+    <para>If enabled, Samba can attempt to use Kerberos to contact
+    servers known only by IP address.  Kerberos relies on names, so
+    ordinarily cannot function in this situation. </para>
+
+    <para>If disabled, Samba will use the name used to look up the
+    server when asking the KDC for a ticket.  This avoids situations
+    where a server may impersonate another, soliciting authentication
+    as one principal while being known on the network as another.
+    </para>
+
+    <para>Note that Windows XP SP2 and later versions already follow
+    this behaviour, and Windows Vista and later servers no longer
+    supply this 'rfc4178 hint' principal on the server side.</para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
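Review bot: the new file is named clientusepsnegoprincipal.xml ("ps" for "sp") while the parameter it documents is "client use spnego principal"; rename it to clientusespnegoprincipal.xml before it lands, since the misspelled name will outlive the commit. The second paragraph also sells the enabled setting as a feature ("can attempt to use Kerberos to contact servers known only by IP address") without saying that this is exactly the case where the client trusts a server-chosen name, which the third paragraph then warns about; state plainly that enabling it trades the name check away.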
diff --git a/docs-xml/smbdotconf/security/sendspengoprincipal.xml b/docs-xml/smbdotconf/security/sendspengoprincipal.xml
new file mode 100644
index 0000000..03794de
--- /dev/null
+++ b/docs-xml/smbdotconf/security/sendspengoprincipal.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="send spnego principal"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter determines whether or not
+    <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will send the
+    server-supplied principal sometimes given in the SPNEGO
+    exchange.</para>
+
+    <para>If enabled, Samba can attempt to help clients to use
+    Kerberos to contact it, even when known only by IP address or a
+    name not registered with our KDC as a service principal name.
+    Kerberos relies on names, so ordinarily cannot function in this
+    situation. </para>
+
+    <para>If disabled, Samba will send the string
+    not_defined_in_RFC4178 at please_ignore as the 'rfc4178 hint',
+    following the updated RFC and Windows 2008 behaviour in this area.
+    </para>
+
+    <para>Note that Windows XP SP2 and later versions already ignored
+    this value in all circumstances. </para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
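Review bot: the file name sendspengoprincipal.xml carries the "spengo" typo that the parameter name on the first line of the hunk does not; rename to sendspnegoprincipal.xml. The placeholder shown as "not_defined_in_RFC4178 at please_ignore" must be the literal string with "@" in the DocBook source (the list archive rewrites addresses), and wrapping it in <literal> would stop renderers treating it as an e-mail address. "following the updated RFC" is vague: RFC 4178 defines no principal hint at all (the hintName field is a Microsoft extension of negTokenInit), so say that rather than implying the RFC specifies this string.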
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 19c693b..3ef1215 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -3306,6 +3306,8 @@ bool lp_use_mmap(void);
 bool lp_unix_extensions(void);
 bool lp_use_spnego(void);
 bool lp_client_use_spnego(void);
+bool lp_client_use_spnego_principal(void);
+bool lp_send_spnego_principal(void);
 bool lp_hostname_lookups(void);
 bool lp_change_notify(const struct share_params *p );
 bool lp_kernel_change_notify(const struct share_params *p );
diff --git a/source3/libaddns/dnsgss.c b/source3/libaddns/dnsgss.c
index 1e3d464..c903741 100644
--- a/source3/libaddns/dnsgss.c
+++ b/source3/libaddns/dnsgss.c
@@ -101,8 +101,8 @@ static DNS_ERROR dns_negotiate_gss_ctx_int( TALLOC_CTX *mem_ctx,
 		major = gss_init_sec_context(
 			&minor, NULL, ctx, target_name, &krb5_oid_desc,
 			GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
-			GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
-			GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG,
+			GSS_C_CONF_FLAG |
+			GSS_C_INTEG_FLAG,
 			0, NULL, input_ptr, NULL, &output_desc,
 			&ret_flags, NULL );
 
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 653d546..2ba3474 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -664,10 +664,12 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
 	   the principal name back in the first round of
 	   the SASL bind reply.  So we guess based on server
 	   name and realm.  --jerry  */
-	/* Also try best guess when we get the w2k8 ignore
-	   principal back - gd */
+	/* Also try best guess when we get the w2k8 ignore principal
+	   back, or when we are configured to ignore it - gd,
+	   abartlet */
 
-	if (!given_principal ||
+	if (!lp_client_use_spnego_principal() ||
+	    !given_principal ||
 	    strequal(given_principal, ADS_IGNORE_PRINCIPAL)) {
 
 		status = ads_guess_service_principal(ads, &p->string);
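Review bot: with lp_client_use_spnego_principal() tested first, a server-supplied principal is now discarded silently whenever the option is off; add a DEBUG(3) naming the ignored principal so the "downgrade to NTLMSSP" case mentioned in the commit message can be diagnosed from logs, and update the comment above the hunk, which still describes only the case where no principal came back in the first SASL round.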
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 1e11e15..65f6924 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1279,10 +1279,9 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 			}
 		}
 
-		/* If we get a bad principal, try to guess it if
-		   we have a valid host NetBIOS name.
+		/* We may not be allowed to use the server-supplied SPNEGO principal, or it may not have been supplied to us
 		 */
-		if (strequal(principal, ADS_IGNORE_PRINCIPAL)) {
+		if (!lp_client_use_spnego_principal() || strequal(principal, ADS_IGNORE_PRINCIPAL)) {
 			TALLOC_FREE(principal);
 		}
 
@@ -1291,24 +1290,11 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 			!strequal(STAR_SMBSERVER,
 				cli->desthost)) {
 			char *realm = NULL;
-			char *machine = NULL;
 			char *host = NULL;
-			DEBUG(3,("cli_session_setup_spnego: got a "
-				"bad server principal, trying to guess ...\n"));
+			DEBUG(3,("cli_session_setup_spnego: using target "
+				 "hostname not SPNEGO principal\n"));
 
 			host = strchr_m(cli->desthost, '.');
-			if (host) {
-				/* We had a '.' in the name. */
-				machine = SMB_STRNDUP(cli->desthost,
-					host - cli->desthost);
-			} else {
-				machine = SMB_STRDUP(cli->desthost);
-			}
-			if (machine == NULL) {
-				TALLOC_FREE(principal);
-				return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
-			}
-
 			if (dest_realm) {
 				realm = SMB_STRDUP(dest_realm);
 				strupper_m(realm);
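Review bot: "host" (declared at "char *host = NULL;" and assigned by "host = strchr_m(cli->desthost, '.');") has no remaining use once the machine-name branch is removed here and the "if (host)" DNS/NetBIOS split is removed in the next hunk, so this leaves an unused-variable warning; drop both the declaration and the strchr_m() call.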
@@ -1323,21 +1309,11 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 			}
 
 			if (realm && *realm) {
-				if (host) {
-					/* DNS name. */
-					principal = talloc_asprintf(talloc_tos(),
-							"cifs/%s@%s",
-							cli->desthost,
-							realm);
-				} else {
-					/* NetBIOS name, use machine account. */
-					principal = talloc_asprintf(talloc_tos(),
-							"%s$@%s",
-							machine,
-							realm);
-				}
+				principal = talloc_asprintf(talloc_tos(),
+							    "cifs/%s@%s",
+							    cli->desthost,
+							    realm);
 				if (!principal) {
-					SAFE_FREE(machine);
 					SAFE_FREE(realm);
 					return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
 				}
@@ -1345,7 +1321,6 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 					"server principal=%s\n",
 					principal ? principal : "<null>"));
 			}
-			SAFE_FREE(machine);
 			SAFE_FREE(realm);
 		}
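Review bot: a NetBIOS-only desthost now yields cifs/SHORTNAME@REALM where it used to yield SHORTNAME$@REALM, so Kerberos only succeeds when the short-name SPN (or the HOST/ SPN it maps to) is registered for that server; the DEBUG(3) above prints the constructed principal, which helps, but the commit message should say that some connections which previously got a (wrongly targeted) Kerberos ticket will now fall back to NTLMSSP, since that is visible to administrators as a behaviour change.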
 
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 0bc27dc..807d074 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -338,6 +338,8 @@ struct global {
 	bool bClientNTLMv2Auth;
 	bool bClientPlaintextAuth;
 	bool bClientUseSpnego;
+	bool client_use_spnego_principal;
+	bool send_spnego_principal;
 	bool bDebugPrefixTimestamp;
 	bool bDebugHiresTimestamp;
 	bool bDebugPid;
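Review bot: the two new members use snake_case (client_use_spnego_principal, send_spnego_principal) in a struct whose neighbours are bClientUseSpnego and bDebugPrefixTimestamp; either convention is fine, but mixing them in one struct means a grep for "bool b" when auditing boolean globals misses these two. Follow the surrounding style, or note in the commit message that the file is being migrated away from it.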
@@ -1399,6 +1401,24 @@ static struct parm_struct parm_table[] = {
 		.flags		= FLAG_ADVANCED,
 	},
 	{
+		.label		= "client use spnego principal",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.ptr		= &Globals.client_use_spnego_principal,
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},
+	{
+		.label		= "send spnego principal",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.ptr		= &Globals.send_spnego_principal,
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},
+	{
 		.label		= "username",
 		.type		= P_STRING,
 		.p_class	= P_LOCAL,
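Review bot: both XML descriptions mark the parameters advanced="1" developer="1", but the table entries only carry FLAG_ADVANCED; if these are meant as developer options, add the developer flag here so testparm -v and the manpage agree, otherwise drop developer="1" from the two docs files.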
@@ -5233,8 +5253,8 @@ static void init_globals(bool reinit_globals)
 	Globals.bClientPlaintextAuth = False;	/* Do NOT use a plaintext password even if is requested by the server */
 	Globals.bLanmanAuth = False;	/* Do NOT use the LanMan hash, even if it is supplied */
 	Globals.bNTLMAuth = True;	/* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
-	Globals.bClientNTLMv2Auth = False; /* Client should not use NTLMv2, as we can't tell that the server supports it. */
-	/* Note, that we will use NTLM2 session security (which is different), if it is available */
+	Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
+	/* Note, that we will also use NTLM2 session security (which is different), if it is available */
 
 	Globals.map_to_guest = 0;	/* By Default, "Never" */
 	Globals.oplock_break_wait_time = 0;	/* By Default, 0 msecs. */
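Review bot: "Client should always use use NTLMv2" has a doubled word, and the rest of that comment ("as we can't tell that the server supports it, but most modern servers do") is the old justification left in place with its conclusion reversed; rewrite it as a statement of the new policy. The two new globals also get no explicit default in init_globals() in this hunk, unlike every neighbouring bool; add "Globals.client_use_spnego_principal = False;" and "Globals.send_spnego_principal = False;" with the usual why-comment so the documented "no" default is visible in code rather than relying on the zeroed struct.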
@@ -5711,6 +5731,8 @@ FN_GLOBAL_BOOL(lp_use_mmap, &Globals.bUseMmap)
 FN_GLOBAL_BOOL(lp_unix_extensions, &Globals.bUnixExtensions)
 FN_GLOBAL_BOOL(lp_use_spnego, &Globals.bUseSpnego)
 FN_GLOBAL_BOOL(lp_client_use_spnego, &Globals.bClientUseSpnego)
+FN_GLOBAL_BOOL(lp_client_use_spnego_principal, &Globals.client_use_spnego_principal)
+FN_GLOBAL_BOOL(lp_send_spnego_principal, &Globals.send_spnego_principal)
 FN_GLOBAL_BOOL(lp_hostname_lookups, &Globals.bHostnameLookups)
 FN_LOCAL_PARM_BOOL(lp_change_notify, bChangeNotify)
 FN_LOCAL_PARM_BOOL(lp_kernel_change_notify, bKernelChangeNotify)
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index a0c1d25..443fac4 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -213,6 +213,9 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn)
 		/* Code for standalone WXP client */
 		blob = spnego_gen_negTokenInit(ctx, OIDs_ntlm, NULL, "NONE");
 #endif
+	} else if (!lp_send_spnego_principal()) {
+		/* By default, Windows 2008 and later sends not_defined_in_RFC4178 at please_ignore */
+		blob = spnego_gen_negTokenInit(ctx, OIDs_krb5, NULL, ADS_IGNORE_PRINCIPAL);
 	} else {
 		fstring myname;
 		char *host_princ_s = NULL;
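Review bot: the comment says "Windows 2008 and later" sends the placeholder, while the new sendspengoprincipal.xml says Vista and later servers stopped sending it and XP SP2 and later clients ignore it; make the server-side claim consistent across the doc, the comment and the commit message. ADS_IGNORE_PRINCIPAL is defined alongside the libads code, and this hunk adds no include, so confirm negprot.c already sees that definition rather than relying on a transitive include.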
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 1d617c0..858830f 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1210,14 +1210,18 @@ done:
 	return status;
 }
 
-static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads)
+static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads, const char *hostname)
 {
 	int num_addrs;
 	struct sockaddr_storage *iplist = NULL;
 	fstring machine_name;
 	NTSTATUS status;
 
-	name_to_fqdn( machine_name, global_myname() );
+	if (hostname) {
+		fstrcpy(machine_name, hostname);
+	} else {
+		name_to_fqdn( machine_name, global_myname() );
+	}
 	strlower_m( machine_name );
 
 	/* Get our ip address (not the 127.0.0.x address but a real ip
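Review bot: the user-supplied hostname goes straight into machine_name via fstrcpy(), which silently truncates at the fstring limit, and unlike the global_myname() path it is never passed through name_to_fqdn(), so "net ads dns register shortname" registers a bare label rather than an FQDN in the zone; either run the argument through name_to_fqdn() as well or reject names without a dot, and report over-long input instead of truncating it.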
@@ -1408,7 +1412,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
 			ads_kinit_password( ads_dns );
 		}
 
-		if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns )) ) {
+		if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns, NULL)) ) {
 			d_fprintf( stderr, _("DNS update failed!\n") );
 		}
 
@@ -1445,9 +1449,9 @@ static int net_ads_dns_register(struct net_context *c, int argc, const char **ar
 	talloc_enable_leak_report();
 #endif
 
-	if (argc > 0 || c->display_usage) {
+	if (argc > 1 || c->display_usage) {
 		d_printf(  "%s\n"
-			   "net ads dns register\n"
+			   "net ads dns register [hostname]\n"
 			   "    %s\n",
 			 _("Usage:"),
 			 _("Register hostname with DNS\n"));
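Review bot: the usage line gains the optional [hostname], but the summary of changes shows no update to the net(8) manpage, so the new argument will be undocumented outside --help; add it there, and say in the usage text what is registered when the argument is omitted (the machine's own FQDN).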
@@ -1466,7 +1470,7 @@ static int net_ads_dns_register(struct net_context *c, int argc, const char **ar
 		return -1;
 	}
 
-	if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads)) ) {
+	if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads, argc == 1 ? argv[0] : NULL)) ) {
 		d_fprintf( stderr, _("DNS update failed!\n") );
 		ads_destroy( &ads );
 		TALLOC_FREE( ctx );
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index d52d4e2..7ec0bff 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1145,7 +1145,6 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
 	DATA_BLOB lm_resp;
 	DATA_BLOB nt_resp;
 	int attempts = 0;
-	unsigned char local_lm_response[24];
 	unsigned char local_nt_response[24];
 	fstring name_domain, name_user;
 	bool retry;
@@ -1167,47 +1166,27 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
 	if (lp_client_ntlmv2_auth()) {
 		DATA_BLOB server_chal;
 		DATA_BLOB names_blob;
-		DATA_BLOB nt_response;
-		DATA_BLOB lm_response;
-		server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
+		server_chal = data_blob_const(chal, 8);
 
-		/* note that the 'workgroup' here is a best guess - we don't know
-		   the server's domain at this point.  The 'server name' is also
-		   dodgy...
+		/* note that the 'workgroup' here is for the local
+		   machine.  The 'server name' must match the
+		   'workstation' passed to the actual SamLogon call.
 		*/
 		names_blob = NTLMv2_generate_names_blob(state->mem_ctx, global_myname(), lp_workgroup());
 
-		if (!SMBNTLMv2encrypt(NULL, name_user, name_domain,
+		if (!SMBNTLMv2encrypt(state->mem_ctx, name_user, name_domain,
 				      state->request->data.auth.pass,
 				      &server_chal,
 				      &names_blob,
-				      &lm_response, &nt_response, NULL, NULL)) {
+				      &lm_resp, &nt_resp, NULL, NULL)) {
 			data_blob_free(&names_blob);
-			data_blob_free(&server_chal);
 			DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
 			result = NT_STATUS_NO_MEMORY;
 			goto done;
 		}
 		data_blob_free(&names_blob);
-		data_blob_free(&server_chal);
-		lm_resp = data_blob_talloc(state->mem_ctx, lm_response.data,
-					   lm_response.length);
-		nt_resp = data_blob_talloc(state->mem_ctx, nt_response.data,
-					   nt_response.length);
-		data_blob_free(&lm_response);
-		data_blob_free(&nt_response);
-
 	} else {
-		if (lp_client_lanman_auth()
-		    && SMBencrypt(state->request->data.auth.pass,
-				  chal,
-				  local_lm_response)) {
-			lm_resp = data_blob_talloc(state->mem_ctx,
-						   local_lm_response,
-						   sizeof(local_lm_response));
-		} else {
-			lm_resp = data_blob_null;
-		}
+		lm_resp = data_blob_null;
 		SMBNTencrypt(state->request->data.auth.pass,
 			     chal,
 			     local_nt_response);
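Review bot: the else branch now ignores lp_client_lanman_auth() entirely and sends an empty LM field, which matches the commit message, but the "client lanman auth" documentation is not touched in this series (the summary lists only clientntlmv2auth.xml), so update it to say winbindd never sends an LM response regardless of that setting. Ownership also changes in the NTLMv2 branch: lm_resp and nt_resp are now allocated on state->mem_ctx by SMBNTLMv2encrypt() instead of copied, so check that the cleanup path in the unchanged remainder of this function does not data_blob_free() them with the old expectation.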
diff --git a/wintest/test-s3.py b/wintest/test-s3.py
index 6bb196b..33f4aca 100755
--- a/wintest/test-s3.py
+++ b/wintest/test-s3.py
@@ -6,14 +6,9 @@ import sys, os
 import optparse
 import wintest
 
-def check_prerequesites(t):
-    t.info("Checking prerequesites")
-    t.setvar('HOSTNAME', t.cmd_output("hostname -s").strip())
-    if os.getuid() != 0:
-        raise Exception("You must run this script as root")
+def set_libpath(t):
     t.putenv("LD_LIBRARY_PATH", "${PREFIX}/lib")
 
-
 def build_s3(t):
     '''build samba3'''
     t.info('Building s3')
@@ -34,7 +29,7 @@ def start_s3(t):
     t.run_cmd(['sbin/nmbd', "-D"])
     t.run_cmd(['sbin/winbindd', "-D"])
     t.run_cmd(['sbin/smbd', "-D"])
-    t.port_wait("localhost", 139)
+    t.port_wait("${INTERFACE_IP}", 139)
 
 
 def test_wbinfo(t):
@@ -63,7 +58,7 @@ def test_wbinfo(t):
                    "S-1-5-.*-513 SID_DOM_GROUP .2",
                    regex=True)
 
-    t.retry_cmd("bin/wbinfo --authenticate=administrator%${WIN_PASS}",
+    t.retry_cmd("bin/wbinfo --authenticate=${WIN_DOMAIN}/administrator%${WIN_PASS}",
                 ["plaintext password authentication succeeded",
                  "challenge/response password authentication succeeded"])
 
@@ -72,9 +67,9 @@ def test_smbclient(t):
     t.info('Testing smbclient')
     t.chdir('${PREFIX}')
     t.cmd_contains("bin/smbclient --version", ["Version 3."])
-    t.cmd_contains('bin/smbclient -L localhost -U%', ["Domain=[${WIN_DOMAIN}]", "test", "IPC$", "Samba 3."],
+    t.cmd_contains('bin/smbclient -L ${INTERFACE_IP} -U%', ["Domain=[${WIN_DOMAIN}]", "test", "IPC$", "Samba 3."],
                    casefold=True)
-    child = t.pexpect_spawn('bin/smbclient //${HOSTNAME}/test -Uadministrator%${WIN_PASS}')
+    child = t.pexpect_spawn('bin/smbclient //${HOSTNAME}.${WIN_REALM}/test -Uroot%${PASSWORD2}')
     child.expect("smb:")
     child.sendline("dir")
     child.expect("blocks available")
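Review bot: the smbclient invocation now puts ${PASSWORD2} on the command line (-Uroot%${PASSWORD2}); tolerable in a test harness, but it also ends up in pexpect logs and process listings, so prefer exporting it as PASSWD via t.putenv(), as set_libpath() does for LD_LIBRARY_PATH, and keep -U to the user name.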
@@ -98,16 +93,16 @@ def create_shares(t):
     t.run_cmd("mkdir -p test")
 
 
-def join_as_member(t, vm):
-    '''join a windows domain as a member server'''
+def prep_join_as_member(t, vm):
+    '''prepare to join a windows domain as a member server'''
     t.setwinvars(vm)
-    t.info("Joining ${WIN_VM} as a member using net ads join")
+    t.info("Starting VMs for joining ${WIN_VM} as a member using net ads join")
     t.chdir('${PREFIX}')
     t.run_cmd('killall -9 -q samba smbd nmbd winbindd', checkfail=False)
     t.vm_poweroff("${WIN_VM}", checkfail=False)
     t.vm_restore("${WIN_VM}", "${WIN_SNAPSHOT}")
-    t.ping_wait("${WIN_HOSTNAME}")
     child = t.open_telnet("${WIN_HOSTNAME}", "administrator", "${WIN_PASS}", set_time=True)
+    t.get_ipconfig(child)
     t.del_files(["var", "private"])
     t.write_file("lib/smb.conf", '''
 [global]
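Review bot: t.ping_wait("${WIN_HOSTNAME}") is dropped before open_telnet(), so the script now depends on open_telnet() retrying until the restored VM answers; if it does not retry, the snapshot restore races the telnet connect. t.get_ipconfig(child) is added but nothing in this hunk consumes its result, so say in the commit message that it populates the interface variables used elsewhere.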
@@ -116,6 +111,7 @@ def join_as_member(t, vm):
         realm = ${WIN_REALM}
         workgroup = ${WIN_DOMAIN}
         security = ADS
+        bind interfaces only = yes
         interfaces = ${INTERFACE}
         winbind separator = /
         idmap uid = 1000000-2000000
@@ -128,8 +124,18 @@ def join_as_member(t, vm):
         ea support = yes


-- 
Samba Shared Repository

