[SCM] Samba Shared Repository - branch v3-5-test updated

Karolin Seeger kseeger at samba.org
Sun Nov 28 11:52:59 MST 2010 

The branch, v3-5-test has been updated
       via  56b1082 s3: Fix "force group" with ntlmssp guest session setup
      from  49632d4 s3: Make winbind recover from a signing error

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit 56b1082fe436e1f99a87d3e37d9ea8b017353b39
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Nov 13 18:03:25 2010 +0100

    s3: Fix "force group" with ntlmssp guest session setup
    
    This one is subtle: Set "force group = <somegroup>" together with "guest ok =
    yes". Then try "smbclient //server/share -U%". Works. Then try to connect to
    the same share from Windows 2003 using an anonymous connection. Breaks with
    
    make_connection: connection to share denied due to security descriptor
    
    although the share_info.tdb is empty. I've seen reports of this on the lists,
    but I could never ever nail it until a customer gave me access to such a box.
    
    What happens? With an empty share_info.tdb we create a security descriptor
    allow everything to the world. The problem with the above parameter combination
    is that S-1-1-0 (World) is lost in the token. When you look at the callers of
    create_local_token, they are only called if the preceding check_ntlm_password
    did not create server_info->ptok. Not so with the one in auth_ntlmssp.c. So, if
    we get a NTLMSSP session setup with user="", domain="", pass="" we call
    create_local_token even though check_guest_security() via
    make_server_info_guest() has already correctly done so. In this case
    create_local_token puts S-1-1-0 into user_sids[1], which is supposed to be the
    primary group sid of the user logging in. "force group" then overwrites this ->
    the world is gone -> "denied due to security descriptor".
    
    Why don't you see it with smbclient -U% (anonymous connection)? smbclient does
    not use ntlmssp for anon session setup.
    
    This seems not to happen to 3.6.
    
    Volker
    
    Fix bug #7817 ("force group" broken).

-----------------------------------------------------------------------

Summary of changes:
 source3/auth/auth_ntlmssp.c |   13 +++++++------
 1 files changed, 7 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 034d354..0e2c61a 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -126,12 +126,13 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
 
 	auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
 
-	nt_status = create_local_token(auth_ntlmssp_state->server_info);
-
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(10, ("create_local_token failed: %s\n",
-			nt_errstr(nt_status)));
-		return nt_status;
+	if (auth_ntlmssp_state->server_info->ptok == NULL) {
+		nt_status = create_local_token(auth_ntlmssp_state->server_info);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			DEBUG(10, ("create_local_token failed: %s\n",
+				   nt_errstr(nt_status)));
+			return nt_status;
+		}
 	}
 
 	if (auth_ntlmssp_state->server_info->user_session_key.length) {


-- 
Samba Shared Repository

More information about the samba-cvs mailing list