[SCM] Samba Shared Repository - branch v3-5-test updated
Karolin Seeger
kseeger at samba.org
Sun Nov 28 11:52:59 MST 2010
The branch, v3-5-test has been updated
via 56b1082 s3: Fix "force group" with ntlmssp guest session setup
from 49632d4 s3: Make winbind recover from a signing error
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test
- Log -----------------------------------------------------------------
commit 56b1082fe436e1f99a87d3e37d9ea8b017353b39
Author: Volker Lendecke <vl at samba.org>
Date: Sat Nov 13 18:03:25 2010 +0100
s3: Fix "force group" with ntlmssp guest session setup
This one is subtle: Set "force group = <somegroup>" together with "guest ok =
yes". Then try "smbclient //server/share -U%". Works. Then try to connect to
the same share from Windows 2003 using an anonymous connection. Breaks with
make_connection: connection to share denied due to security descriptor
although the share_info.tdb is empty. I've seen reports of this on the lists,
but I could never ever nail it until a customer gave me access to such a box.
What happens? With an empty share_info.tdb we create a security descriptor
allow everything to the world. The problem with the above parameter combination
is that S-1-1-0 (World) is lost in the token. When you look at the callers of
create_local_token, they are only called if the preceding check_ntlm_password
did not create server_info->ptok. Not so with the one in auth_ntlmssp.c. So, if
we get a NTLMSSP session setup with user="", domain="", pass="" we call
create_local_token even though check_guest_security() via
make_server_info_guest() has already correctly done so. In this case
create_local_token puts S-1-1-0 into user_sids[1], which is supposed to be the
primary group sid of the user logging in. "force group" then overwrites this ->
the world is gone -> "denied due to security descriptor".
Why don't you see it with smbclient -U% (anonymous connection)? smbclient does
not use ntlmssp for anon session setup.
This seems not to happen to 3.6.
Volker
Fix bug #7817 ("force group" broken).
-----------------------------------------------------------------------
Summary of changes:
source3/auth/auth_ntlmssp.c | 13 +++++++------
1 files changed, 7 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 034d354..0e2c61a 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -126,12 +126,13 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
- nt_status = create_local_token(auth_ntlmssp_state->server_info);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(10, ("create_local_token failed: %s\n",
- nt_errstr(nt_status)));
- return nt_status;
+ if (auth_ntlmssp_state->server_info->ptok == NULL) {
+ nt_status = create_local_token(auth_ntlmssp_state->server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(10, ("create_local_token failed: %s\n",
+ nt_errstr(nt_status)));
+ return nt_status;
+ }
}
if (auth_ntlmssp_state->server_info->user_session_key.length) {
--
Samba Shared Repository
More information about the samba-cvs
mailing list