[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Tue Jul 19 18:32:02 MDT 2011
The branch, master has been updated
via d8cce7d s3-auth Replace False with false in auth_util.c
via c2ce806 s3-auth Replace True with true in auth_util.c
via bdd794c s3-auth Fix spelling
via d2a661a s3-auth Remove pointless destructor in make_server_info
via 15123d9 s3-auth inline make_auth_session_info into only caller
via 42e4014 security.idl: Use gid_t for gid in security_unix_token
via 6622821 s3-auth Remove separate guest boolean
via 9d09b66 auth: Set NETLOGON_GUEST and use it to determine guest status
via 02444af selftest: Add tests to verify that the named pipe proxy works.
via 702e35a selftest: Pass lsass and epmapper across the named pipe proxy to the AD server
via af47f7c auth: remove now unused auth3_session_info from auth.idl
via 7f64ea4 auth: Move make_user_info_SamBaseInfo() to talloc_strdup and out of memory checking
via 52b28ec auth: Split out make_user_info_SamBaseInfo and add authenticated argument
via 03b153c s3-rpc_server remove per-element copies of auth_session_info
via 9fcc617 s3-auth Use the common auth_session_info
via 128ae06 s3-auth use auth_user_info not netr_SamInfo3 in auth3_session_info
via 8d72e61 s3-rpc_server read and write the unix_token and unix_info across named_pipe_auth
via 594597e s3-auth reimplement copy_session_info via NDR pull/push
via 92f28e7 auth: use char * pointers in auth.idl
via 9d96b78 s3-auth Remove pointless destructor
via 7b273df s3-auth import auth3_session_info into IDL
via 86f2a19 s3-auth Avoid redundant copies in create_local_token()
via 4363b71 s3-auth Add comments to copy_session_info_serverinfo_guest()
via 74815e0 s3-auth inline copy_serverinfo_session_info into only caller
via 140435f s3-auth use a cached auth_serversupplied_info in make_server_info_guest()
via fc19c69 s3-auth remove extra from auth3_session_info
via 894fc14 s3-auth Clarify inputs and outputs by using elements from server_info
via d22ff66 s3-auth assert that security_token is present in the copy, and explain why nss_token can be skipped
via ba53498 s3-auth Remove unused nss_token variable
via eea444f s3-auth: Remove unused lm_session_key from auth3_session_info
via 058f5e6 s3-auth remove unused copy_serverinfo
via ec5f1b7 s3-auth Use system boolean in auth_user_info_unix
via e2049e7 s3-auth Use guest boolean in auth_user_info_unix
via bf1dba0 auth: Put 'guest' and 'system' booleans into auth_user_info_unix
via 92895379 s3-auth Use struct auth_user_info_unix for unix_name and sanitized_username
via a39187f auth: include auth.idl structures into common_auth.h
via 6d741e9 s3-auth Use *unix_token rather than utok in struct auth3_session_info
via f16d8f4 s3-auth Use struct auth3_session_info outside the auth subsystem
via d7d8a5e s3-auth Add struct auth3_session_info to aid transition to auth_session info
via e244319 s3-auth Add const to indicate input elements
via fa18267 auth: Preserve guest flag on transition via netr_SamInfo3
via f47662f s3-auth Restore nss_token behaviour by reading from server_info
via 55ad1da Add my copyright
via d9c3cb1 s4-param Handle P_CHAR and P_BOOLREV in pyparam
via 4858984 debug: log early messages to stdout, and keep it open
via 3c9d01e lib/util Change debug priority order: DEBUG_STDOUT now overrides DEBUG_FILE
from 93dcfde Second part of fix for bug 8310 - toupper_ascii() is broken on big-endian systems.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit d8cce7d466b1fb122136a464e978f71483ab0e09
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 19 20:15:45 2011 +1000
s3-auth Replace False with false in auth_util.c
Autobuild-User: Andrew Bartlett <abartlet at samba.org>
Autobuild-Date: Wed Jul 20 02:31:15 CEST 2011 on sn-devel-104
commit c2ce806790c7b1089a8af9a8f8fe87a74c432091
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 19 20:15:12 2011 +1000
s3-auth Replace True with true in auth_util.c
commit bdd794cd6297ca019a97cc3b45293aa87f15159b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 19 20:11:22 2011 +1000
s3-auth Fix spelling
commit d2a661a531da3d6b9bad6890a2cec46ec96e8521
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 19 16:05:32 2011 +1000
s3-auth Remove pointless destructor in make_server_info
All the callers allocate ->info3 as a talloc child already.
As regards the TALLOC_ZERO(), I added this originally out of paranoia
many years ago. We do not consistently zero session keys in memory,
and for NTLMv2 and Kerberos they are random for each session, so
breaking into smbd far enough to read an old session key isn't a
particularly interesting attack, compared with (say) reading the
keytab or the password database. (NTLM and LM session keys are fixed
derivatives of the passwords however).
Andrew Bartlett
commit 15123d96ffcac2243f69be41143bf78d92228d7f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 19 15:58:20 2011 +1000
s3-auth inline make_auth_session_info into only caller
commit 42e40140ae4f6031987d00aaad8a08066d0abd5c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 19 15:50:49 2011 +1000
security.idl: Use gid_t for gid in security_unix_token
commit 662282106318e3f1f0bbcc7281f49ee5b3727f21
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 19 11:57:05 2011 +1000
s3-auth Remove separate guest boolean
Instead, we base our guest calculations on the presence or absence of the
authenticated users group in the token, ensuring that we have only
one canonical source of this important piece of authorization data
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 9d09b66f41cb4ab58bd4a6d83ecebb91805a4b5b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 19 10:51:08 2011 +1000
auth: Set NETLOGON_GUEST and use it to determine guest status
These additional measures should help ensure we do not accidentally upgrade
a guest to an authenticated user in the future.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
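As an added example (not Samba's code and not part of these commits), the C program below models the rule that commits 6622821 and 9d09b66 describe: guest status is derived from whether the security token contains the Authenticated Users SID rather than from a separate boolean, and the NETLOGON_GUEST bit in netr_SamBaseInfo.user_flags is both set from that status (as auth_convert_user_info_dc_sambaseinfo() now does) and consumed into it (as make_user_info_SamBaseInfo() now does). The toy_token structure, build_token(), guest_roundtrip_ok() and the SID strings are constructed stand-ins for Samba's real structures; the value 0x1 for NETLOGON_GUEST is the MS-NRPC UserFlags guest bit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NETLOGON_GUEST is the 0x1 bit of netr_SamBaseInfo.user_flags (MS-NRPC UserFlags "guest"). */
#define NETLOGON_GUEST 0x00000001

/* Well-known SID for "Authenticated Users" (S-1-5-11). Its presence in the
 * token is the single canonical marker of a non-guest session. */
#define SID_NT_AUTHENTICATED_USERS "S-1-5-11"

/* Toy security token: SIDs kept as strings. This is a constructed stand-in
 * for Samba's struct security_token, not the real structure. */
struct toy_token {
	const char *sids[16];
	size_t num_sids;
};

static bool token_has_sid(const struct toy_token *t, const char *sid)
{
	for (size_t i = 0; i < t->num_sids; i++) {
		if (strcmp(t->sids[i], sid) == 0) {
			return true;
		}
	}
	return false;
}

/* Guest status comes from the token alone: there is no second flag to drift. */
bool token_is_guest(const struct toy_token *t)
{
	return !token_has_sid(t, SID_NT_AUTHENTICATED_USERS);
}

/* Consumer side (make_user_info_SamBaseInfo): a logon counts as authenticated
 * only if the caller says so AND the DC did not flag it as a guest. */
bool derive_authenticated(bool caller_authenticated, uint32_t user_flags)
{
	return caller_authenticated && !(user_flags & NETLOGON_GUEST);
}

/* Producer side (auth_convert_user_info_dc_sambaseinfo): when handing a
 * netr_SamBaseInfo back out, an unauthenticated user carries NETLOGON_GUEST. */
uint32_t sambaseinfo_user_flags(bool authenticated)
{
	uint32_t flags = 0;
	if (!authenticated) {
		flags |= NETLOGON_GUEST;
	}
	return flags;
}

/* Build a token from the derived status. Authenticated Users is added only
 * for authenticated logons, so token contents and flag always agree. */
void build_token(struct toy_token *t, const char *user_sid, bool authenticated)
{
	t->num_sids = 0;
	t->sids[t->num_sids++] = user_sid;
	t->sids[t->num_sids++] = "S-1-1-0"; /* Everyone */
	if (authenticated) {
		t->sids[t->num_sids++] = SID_NT_AUTHENTICATED_USERS;
	}
}

/* Round trip: DC user_flags -> authenticated -> token -> guest status -> user_flags.
 * Returns true when guest status survives every transition unchanged. */
bool guest_roundtrip_ok(bool caller_authenticated, uint32_t dc_user_flags)
{
	bool authenticated = derive_authenticated(caller_authenticated, dc_user_flags);
	struct toy_token tok;
	uint32_t out_flags;

	/* Constructed sample user SID. */
	build_token(&tok, "S-1-5-21-1-2-3-1104", authenticated);
	out_flags = sambaseinfo_user_flags(!token_is_guest(&tok));

	return token_is_guest(&tok) == !authenticated &&
	       ((out_flags & NETLOGON_GUEST) != 0) == !authenticated;
}

int main(void)
{
	printf("authenticated, no flag: %s\n", guest_roundtrip_ok(true, 0) ? "ok" : "FAIL");
	printf("DC says guest:          %s\n", guest_roundtrip_ok(true, NETLOGON_GUEST) ? "ok" : "FAIL");
	printf("caller says guest:      %s\n", guest_roundtrip_ok(false, 0) ? "ok" : "FAIL");
	return 0;
}
```

The point of the round trip is the one the commit messages make: because guest status is recomputed from the token at every step instead of being carried in a separate boolean, a guest flagged by the DC cannot come out the other side as an authenticated user, and a token that lacks Authenticated Users cannot be handed on with NETLOGON_GUEST clear.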
commit 02444afb87ae940d4d58d5566f16121279a57902
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 20:26:26 2011 +1000
selftest: Add tests to verify that the named pipe proxy works.
This verifies that for NTLM authenticated connections, named pipe
forwarding works as expected, including the session keys.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 702e35ac6d4225049e948f2e20595f2a7f56639b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 19:56:17 2011 +1000
selftest: Pass lsass and epmapper across the named pipe proxy to the AD server
Eventually we will have just one end point mapper, but for now we need
to use the source4 one for the AD tests.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit af47f7cd224c7947003c919a3227582cc5d6e3c4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 18:29:47 2011 +1000
auth: remove now unused auth3_session_info from auth.idl
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 7f64ea456be7f653dfb8aa74bbaf29b0d25fb725
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 14:00:14 2011 +1000
auth: Move make_user_info_SamBaseInfo() to talloc_strdup and out of memory checking
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 52b28ec813ff3696606fc8f3a6bf4759a1a104e5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 13:55:20 2011 +1000
auth: Split out make_user_info_SamBaseInfo and add authenticated argument
This will allow the source3 auth code to call this without needing to
double-parse the SIDs
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 03b153ce54fdae77694577f33453a19928225d00
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 13:10:30 2011 +1000
s3-rpc_server remove per-element copies of auth_session_info
This is not required any more now that they are the same structure,
and shows the value in having a common structure across the codebase.
In particular, now any additional state that needs to be added to the
auth_session_info will be transparently available across the named
pipe proxy, without a need to modify the mapping layer.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 9fcc617ff5a216cc4ff1a587786522d28d84c7f2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 13:06:47 2011 +1000
s3-auth Use the common auth_session_info
This patch finally has the same structure being used to describe the
authorization data of a user across the whole codebase.
This will allow all of our session handling to be accomplished with common code.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 128ae06a619b2c50cc9379053abb18277e814747
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 12:58:25 2011 +1000
s3-auth use auth_user_info not netr_SamInfo3 in auth3_session_info
This makes auth3_session_info identical to auth_session_info
The logic to convert the info3 to a struct auth_user_info is
essentially moved up the stack from the named pipe proxy in
source3/rpc_server to create_local_token().
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 8d72e612ac2845cd873c4fd614456fe8749db130
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 12:23:04 2011 +1000
s3-rpc_server read and write the unix_token and unix_info across named_pipe_auth
This ensures that the exact same token is used on both sides of the
pipe, when a full token is passed (ie, source3 to source3, but not yet
source4 to source3 as the unix info isn't calculated there yet).
If we do not have unix_token, we fall back to the old behaviour and go
via create_local_token(). (However, in this case the security_token
is now overwritten, as it is better to have it match the rest of the
session_info create_local_token() builds).
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 594597eb65a9abc0f6190f887ab0fd79caa58085
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 12:38:05 2011 +1000
s3-auth reimplement copy_session_info via NDR pull/push
This ensures we do not miss elements. Pattern copied from auth_netlogond.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 92f28e7fe99ce5f8f6106b163562c1e89c08234f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 18:04:12 2011 +1000
auth: use char * pointers in auth.idl
We need to use this, and not utf8string because we need to
transport NULL pointers correctly.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 9d96b78f31f5b9f470ca5be270f4976863d0b936
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 12:29:50 2011 +1000
s3-auth Remove pointless destructor
All the users of this structure allocate info3 on the session_info
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 7b273df175679e80c9d29c6bb8beee85331c9f0e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 12:28:50 2011 +1000
s3-auth import auth3_session_info into IDL
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 86f2a197dfd61fbf25b170080a0796d2f77f0af8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 11:40:36 2011 +1000
s3-auth Avoid redundant copies in create_local_token()
These values were not read before being overwritten again.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 4363b71f62b136d26b8e1c46ec90b4652751ccac
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 11:31:49 2011 +1000
s3-auth Add comments to copy_session_info_serverinfo_guest()
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 74815e08d94519708a9c41df698fbd184574827c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 11:30:55 2011 +1000
s3-auth inline copy_serverinfo_session_info into only caller
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 140435f3995e6b43d6d946adb9059864ff6df9c4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 11:22:50 2011 +1000
s3-auth use a cached auth_serversupplied_info in make_server_info_guest()
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit fc19c699a9705c18a09a9645be0152a2943c0be0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 10:20:25 2011 +1000
s3-auth remove extra from auth3_session_info
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 894fc14a2ebfdf5c9b91f4c3fc2f1fa69300b1bb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 10:14:19 2011 +1000
s3-auth Clarify inputs and outputs by using elements from server_info
This allows us not to put all of these elements into the auth3_session_info
if they are only used as inputs to these functions.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit d22ff66afa9215a7a918c33abc55288e4efae8b6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 15 18:05:42 2011 +1000
s3-auth assert that security_token is present in the copy, and explain why nss_token can be skipped
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit ba53498c66f5b27602c3f6fe0866729177e211c8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 15 17:57:55 2011 +1000
s3-auth Remove unused nss_token variable
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit eea444f4655a954c238991eccd742337535d3fcc
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 15 17:45:48 2011 +1000
s3-auth: Remove unused lm_session_key from auth3_session_info
The long term authorization state needs only the final, negotiated
session key, and not the original LM key that may possibly have been
an input.
The special case of the guest account simply needs both values filled
back in with the zeros to avoid changing behaviour in the cached
server_info.
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 058f5e60c5e3a9ac91a1d28b3165f84252cfecad
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 15 16:49:21 2011 +1000
s3-auth remove unused copy_serverinfo
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit ec5f1b78affbbd56c787696cb6f63a547be2cc25
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 15 16:12:41 2011 +1000
s3-auth Use system boolean in auth_user_info_unix
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit e2049e77e406981363a7b81fd092a6ccb4afb187
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 15 16:09:52 2011 +1000
s3-auth Use guest boolean in auth_user_info_unix
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit bf1dba03b285f3044f096ab597df7859d68ad28e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 15 15:10:03 2011 +1000
auth: Put 'guest' and 'system' booleans into auth_user_info_unix
This will allow a transformation of auth3_session_info into
auth_session_info by substitution.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 92895379934b660affa70cd406e40719d429ae2a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 15 15:55:31 2011 +1000
s3-auth Use struct auth_user_info_unix for unix_name and sanitized_username
This is closer to the layout of struct auth_session_info in auth.idl
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit a39187f0f5e6f99ce8a38cba997e4ad15353e09e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 15 15:22:41 2011 +1000
auth: include auth.idl structures into common_auth.h
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 6d741e918f145c6ec62c22358aabc8162db108fd
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 15 14:59:14 2011 +1000
s3-auth Use *unix_token rather than utok in struct auth3_session_info
This brings this structure one step closer to the struct auth_session_info.
A few SMB_ASSERT calls are added in some key places to ensure that
this pointer is initialised, to make tracing any bugs here easier in
future.
NOTE: Many of the users of this structure should be reviewed, as unix
and NT access checks are mixed in a way that should just be done using
the NT ACL. This patch has not changed this behaviour however.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit f16d8f4eb86ecc4741c25e5ed87b2ea4c6717a31
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 15 12:45:17 2011 +1000
s3-auth Use struct auth3_session_info outside the auth subsystem
This separation between the structure used inside the auth modules and
in the wider codebase allows for a gradual migration from struct
auth_serversupplied_info -> struct auth_session_info (from auth.idl)
The idea here is that we keep a clear separation between the structure
before and after the local groups, local user lookup and the session
key modifications have been processed, as the lack of this separation
has caused issues in the past.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit d7d8a5ed94a2b572b6818008a858f8c6b529dd03
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 15 11:38:49 2011 +1000
s3-auth Add struct auth3_session_info to aid transition to auth_session info
This will allow a gradual conversion of the required elements from the
current struct auth_serversupplied_info.
This commit adds the structure definition and some helper functions to
copy between the two structures.
At this stage these structures and functions are IDENTICAL to the
existing code, and so show the past history of that code. The plan is
to slowly modify them over the course of the patch series, so that the
changes being made are clear.
By using a separate structure to auth_serversupplied_info we can
remove elements that are not needed after the authentication, and we
can choose a layout that best reflects the needs of runtime users,
rather than the internals of the authentication subsystem.
By eventually using the auth_session_info from auth.idl, we will gain
a single session authorization structure across the whole codebase,
allowing more code to be shared, and a much more transparent process
for forwarding authorization credentials over the named pipe proxy.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit e2443195992c33d69073bcae320779041215339a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 10:19:27 2011 +1000
s3-auth Add const to indicate input elements
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit fa18267042440e9d9529f0228a3df030c84acb11
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jul 19 10:43:23 2011 +1000
auth: Preserve guest flag on transition via netr_SamInfo3
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit f47662f363a433f43568b62af14be979c33109e1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 15 17:57:35 2011 +1000
s3-auth Restore nss_token behaviour by reading from server_info
The implementation of copy_serverinfo(), used to copy server_info into
session_info never copied the nss_token variable, and so
17d8f0ad30847bb940f645ee1817d782ddaaee74 introduced this regression.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 55ad1da888bccad47f2e60fc6dc077fd6ab14832
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 22:26:31 2011 +1000
Add my copyright
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit d9c3cb1fb65a74703bbe5ae30b2d5561128accb5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 15 11:37:39 2011 +1000
s4-param Handle P_CHAR and P_BOOLREV in pyparam
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 485898458a1f786febd400be30bb3917fe5f71eb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 17:07:25 2011 +1000
debug: log early messages to stdout, and keep it open
The --log-stdout option was compromised by the log file descriptors being
closed once the file process forked.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge at samba.org>
commit 3c9d01e3e58e2217915317406541ac8c6f6dcf92
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 18 16:00:16 2011 +1000
lib/util Change debug priority order: DEBUG_STDOUT now overrides DEBUG_FILE
Signed-off-by: Andrew Tridgell <tridge at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/auth_sam_reply.c | 112 ++++++--
auth/auth_sam_reply.h | 7 +
auth/common_auth.h | 2 +
lib/util/debug.c | 6 +
lib/util/debug.h | 3 +-
librpc/idl/auth.idl | 37 ++-
librpc/idl/security.idl | 2 +-
selftest/target/Samba3.pm | 2 +
source3/Makefile.in | 2 +-
source3/auth/auth_ntlmssp.c | 2 +-
source3/auth/auth_util.c | 323 ++++++++++++++++-------
source3/auth/proto.h | 24 +-
source3/auth/server_info.c | 10 -
source3/auth/token_util.c | 4 +-
source3/auth/user_krb5.c | 2 +-
source3/include/nt_printing.h | 20 +-
source3/include/ntdomain.h | 2 +-
source3/include/printing.h | 14 +-
source3/include/smb.h | 6 +-
source3/lib/afs.c | 6 +-
source3/lib/substitute.c | 7 +-
source3/modules/onefs_open.c | 2 +-
source3/modules/vfs_expand_msdfs.c | 8 +-
source3/modules/vfs_fake_perms.c | 8 +-
source3/modules/vfs_full_audit.c | 8 +-
source3/modules/vfs_recycle.c | 8 +-
source3/modules/vfs_smb_traffic_analyzer.c | 8 +-
source3/nmbd/nmbd.c | 5 +-
source3/printing/nt_printing.c | 26 +-
source3/printing/nt_printing_ads.c | 12 +-
source3/printing/nt_printing_migrate_internal.c | 2 +-
source3/printing/printing.c | 34 ++--
source3/rpc_client/cli_winreg_int.c | 6 +-
source3/rpc_client/cli_winreg_int.h | 6 +-
source3/rpc_server/dcesrv_gssapi.c | 4 +-
source3/rpc_server/dcesrv_gssapi.h | 2 +-
source3/rpc_server/dcesrv_ntlmssp.c | 2 +-
source3/rpc_server/dcesrv_ntlmssp.h | 2 +-
source3/rpc_server/dfs/srv_dfs_nt.c | 4 +-
source3/rpc_server/epmapper/srv_epmapper.c | 4 +-
source3/rpc_server/lsa/srv_lsa_nt.c | 18 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +-
source3/rpc_server/rpc_handles.c | 3 +-
source3/rpc_server/rpc_ncacn_np.c | 52 +---
source3/rpc_server/rpc_ncacn_np.h | 8 +-
source3/rpc_server/rpc_server.c | 131 ++++------
source3/rpc_server/samr/srv_samr_nt.c | 18 +-
source3/rpc_server/spoolss/srv_spoolss_nt.c | 82 +++---
source3/rpc_server/spoolss/srv_spoolss_util.c | 46 ++--
source3/rpc_server/spoolss/srv_spoolss_util.h | 48 ++--
source3/rpc_server/srv_pipe.c | 4 +-
source3/rpc_server/srv_pipe_hnd.c | 2 +-
source3/rpc_server/srv_pipe_hnd.h | 2 +-
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 24 +-
source3/rpc_server/svcctl/srv_svcctl_nt.c | 4 +-
source3/services/svc_winreg_glue.c | 10 +-
source3/services/svc_winreg_glue.h | 12 +-
source3/smbd/close.c | 2 +-
source3/smbd/connection.c | 7 +-
source3/smbd/fake_file.c | 2 +-
source3/smbd/globals.h | 2 +-
source3/smbd/lanman.c | 26 +-
source3/smbd/msdfs.c | 8 +-
source3/smbd/msg_idmap.c | 10 +-
source3/smbd/nttrans.c | 4 +-
source3/smbd/open.c | 2 +-
source3/smbd/password.c | 46 ++--
source3/smbd/process.c | 6 +-
source3/smbd/proto.h | 12 +-
source3/smbd/reply.c | 4 +-
source3/smbd/server.c | 10 +-
source3/smbd/server_reload.c | 2 +-
source3/smbd/service.c | 82 +++---
source3/smbd/session.c | 12 +-
source3/smbd/sesssetup.c | 54 +++-
source3/smbd/smb2_server.c | 6 +-
source3/smbd/smb2_sesssetup.c | 17 +-
source3/smbd/smb2_tcon.c | 2 +-
source3/smbd/trans2.c | 18 +-
source3/smbd/uid.c | 62 +++---
source3/winbindd/winbindd.c | 3 +
source3/winbindd/winbindd_samr.c | 8 +-
source4/auth/gensec/gensec_krb5.c | 1 +
source4/auth/ntlm/auth_winbind.c | 7 +-
source4/param/pyparam.c | 4 +
source4/selftest/tests.py | 7 +
source4/torture/auth/pac.c | 4 +-
source4/torture/rpc/remote_pac.c | 1 +
88 files changed, 949 insertions(+), 696 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 52abb8a..59fcf7a 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -3,7 +3,7 @@
Convert a server info struct into the form for PAC and NETLOGON replies
- Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004
+ Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004-2011
Copyright (C) Stefan Metzmacher <metze at samba.org> 2005
This program is free software; you can redistribute it and/or modify
@@ -102,6 +102,9 @@ NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
}
sam->user_flags = 0; /* w2k3 uses NETLOGON_EXTRA_SIDS | NETLOGON_NTLMV2_ENABLED */
+ if (!user_info_dc->info->authenticated) {
+ sam->user_flags |= NETLOGON_GUEST;
+ }
sam->acct_flags = user_info_dc->info->acct_flags;
sam->logon_server.string = user_info_dc->info->logon_server;
sam->domain.string = user_info_dc->info->domain_name;
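Review bot: the comment on the line just above the new `if` still only mentions NETLOGON_EXTRA_SIDS | NETLOGON_NTLMV2_ENABLED; now that NETLOGON_GUEST is set here for `!user_info_dc->info->authenticated`, extend that comment to say so and to name the consumer (make_user_info_SamBaseInfo() below, which clears `authenticated` when it sees the flag), since this pair of lines is what stops a guest being upgraded on the way back in.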
@@ -172,16 +175,87 @@ NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
}
/**
+ * Make a user_info struct from the info3 or similar returned by a domain logon.
+ *
+ * The netr_SamInfo3 is also a key structure in the source3 auth subsystem
+ */
+
+NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
+ const char *account_name,
+ struct netr_SamBaseInfo *base,
+ bool authenticated,
+ struct auth_user_info **_user_info)
+{
+ struct auth_user_info *info;
+
+ info = talloc_zero(mem_ctx, struct auth_user_info);
+ NT_STATUS_HAVE_NO_MEMORY(info);
+
+ if (base->account_name.string) {
+ info->account_name = talloc_strdup(info, base->account_name.string);
+ } else {
+ info->account_name = talloc_strdup(info, account_name);
+ }
+ NT_STATUS_HAVE_NO_MEMORY(info->account_name);
+
+ if (base->domain.string) {
+ info->domain_name = talloc_strdup(info, base->domain.string);
+ NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
+ }
+
+ if (base->full_name.string) {
+ info->full_name = talloc_strdup(info, base->full_name.string);
+ NT_STATUS_HAVE_NO_MEMORY(info->full_name);
+ }
+ if (base->logon_script.string) {
+ info->logon_script = talloc_strdup(info, base->logon_script.string);
+ NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
+ }
+ if (base->profile_path.string) {
+ info->profile_path = talloc_strdup(info, base->profile_path.string);
+ NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
+ }
+ if (base->home_directory.string) {
+ info->home_directory = talloc_strdup(info, base->home_directory.string);
+ NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
+ }
+ if (base->home_drive.string) {
+ info->home_drive = talloc_strdup(info, base->home_drive.string);
+ NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
+ }
+ if (base->logon_server.string) {
+ info->logon_server = talloc_strdup(info, base->logon_server.string);
+ NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
+ }
+ info->last_logon = base->last_logon;
+ info->last_logoff = base->last_logoff;
+ info->acct_expiry = base->acct_expiry;
+ info->last_password_change = base->last_password_change;
+ info->allow_password_change = base->allow_password_change;
+ info->force_password_change = base->force_password_change;
+ info->logon_count = base->logon_count;
+ info->bad_password_count = base->bad_password_count;
+ info->acct_flags = base->acct_flags;
+
+ /* Only set authenticated if both NETLOGON_GUEST is not set, and authenticated is set */
+ info->authenticated = (authenticated && (!(base->user_flags & NETLOGON_GUEST)));
+
+ *_user_info = info;
+ return NT_STATUS_OK;
+}
+
+/**
* Make a user_info_dc struct from the info3 returned by a domain logon
*/
NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
const char *account_name,
uint16_t validation_level,
union netr_Validation *validation,
+ bool authenticated,
struct auth_user_info_dc **_user_info_dc)
{
+ NTSTATUS status;
struct auth_user_info_dc *user_info_dc;
- struct auth_user_info *info;
struct netr_SamBaseInfo *base = NULL;
uint32_t i;
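Review bot: in make_user_info_SamBaseInfo(), when both `base->account_name.string` and the `account_name` argument are NULL, `talloc_strdup(info, account_name)` returns NULL and the following `NT_STATUS_HAVE_NO_MEMORY(info->account_name)` reports NT_STATUS_NO_MEMORY for what is really a missing account name; an explicit `if (account_name == NULL) return NT_STATUS_INVALID_PARAMETER;` in the else branch would make that failure diagnosable. Two smaller points: `base` is only read, so it can be `const struct netr_SamBaseInfo *base`; and the comment "Only set authenticated if both NETLOGON_GUEST is not set, and authenticated is set" reads better as "authenticated only if the caller says so and the DC did not set NETLOGON_GUEST". That last line is the behavioural change of the hunk (the old code in the next hunk set `info->authenticated = true;` unconditionally) and deserves a sentence in the commit message.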
@@ -284,35 +358,11 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
/* Where are the 'global' sids?... */
}
- user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
-
- if (base->account_name.string) {
- info->account_name = talloc_reference(info, base->account_name.string);
- } else {
- info->account_name = talloc_strdup(info, account_name);
- NT_STATUS_HAVE_NO_MEMORY(info->account_name);
+ status = make_user_info_SamBaseInfo(user_info_dc, account_name, base, authenticated, &user_info_dc->info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
- info->domain_name = talloc_reference(info, base->domain.string);
- info->full_name = talloc_reference(info, base->full_name.string);
- info->logon_script = talloc_reference(info, base->logon_script.string);
- info->profile_path = talloc_reference(info, base->profile_path.string);
- info->home_directory = talloc_reference(info, base->home_directory.string);
- info->home_drive = talloc_reference(info, base->home_drive.string);
- info->logon_server = talloc_reference(info, base->logon_server.string);
- info->last_logon = base->last_logon;
- info->last_logoff = base->last_logoff;
- info->acct_expiry = base->acct_expiry;
- info->last_password_change = base->last_password_change;
- info->allow_password_change = base->allow_password_change;
- info->force_password_change = base->force_password_change;
- info->logon_count = base->logon_count;
- info->bad_password_count = base->bad_password_count;
- info->acct_flags = base->acct_flags;
-
- info->authenticated = true;
-
/* ensure we are never given NULL session keys */
if (all_zero(base->key.key, sizeof(base->key.key))) {
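Review bot: the replacement keeps `user_info_dc` as the talloc parent of `info` (matching the removed `talloc_zero(user_info_dc, struct auth_user_info)`), so ownership is unchanged, and the optional strings are now duplicated with checked talloc_strdup() calls instead of unchecked talloc_reference(), which is an improvement. Because the new `authenticated` parameter is mandatory, every caller of make_user_info_dc_netlogon_validation() has to be updated in the same series; the file summary shows small edits to source4/torture/auth/pac.c, source4/torture/rpc/remote_pac.c and source4/auth/ntlm/auth_winbind.c, which are consistent with that, but the truncated changeset does not let a reviewer confirm it here.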
@@ -347,7 +397,9 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
validation.sam3 = &pac_logon_info->info3;
- nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation, &user_info_dc);
+ nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation,
+ true, /* This user was authenticated */
+ &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
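Review bot: the inline comment "This user was authenticated" should state the basis for passing `true` (that make_user_info_dc_pac() is only reached with a PAC the caller has already validated), because anyone auditing guest handling will look at this call site first. Note that `true` here does not override the DC: make_user_info_SamBaseInfo() still yields `authenticated == false` when the PAC's info3 carries NETLOGON_GUEST in user_flags.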
diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h
index bd92872..c782c1c 100644
--- a/auth/auth_sam_reply.h
+++ b/auth/auth_sam_reply.h
@@ -32,6 +32,12 @@
/* The following definitions come from auth/auth_sam_reply.c */
+NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
+ const char *account_name,
+ struct netr_SamBaseInfo *base,
+ bool authenticated,
+ struct auth_user_info **_user_info);
+
NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
struct auth_user_info_dc *user_info_dc,
struct netr_SamBaseInfo **_sam);
@@ -46,6 +52,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
const char *account_name,
uint16_t validation_level,
union netr_Validation *validation,
+ bool authenticated,
struct auth_user_info_dc **_user_info_dc);
/**
diff --git a/auth/common_auth.h b/auth/common_auth.h
index b2db23c..e9c4bb5 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -20,6 +20,8 @@
#ifndef AUTH_COMMON_AUTH_H
#define AUTH_COMMON_AUTH_H
+#include "librpc/gen_ndr/auth.h"
+
#define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */
#define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
#define USER_INFO_DONT_CHECK_UNIX_ACCOUNT 0x04 /* don't check unix account status */
diff --git a/lib/util/debug.c b/lib/util/debug.c
index c1b33de..cc57ba8 100644
--- a/lib/util/debug.c
+++ b/lib/util/debug.c
@@ -514,6 +514,11 @@ bool debug_get_output_is_stderr(void)
return (state.logtype == DEBUG_DEFAULT_STDERR) || (state.logtype == DEBUG_STDERR);
}
+bool debug_get_output_is_stdout(void)
+{
+ return (state.logtype == DEBUG_DEFAULT_STDOUT) || (state.logtype == DEBUG_STDOUT);
+}
+
/**************************************************************************
reopen the log files
note that we now do this unconditionally
@@ -542,6 +547,7 @@ bool reopen_logs_internal(void)
switch (state.logtype) {
case DEBUG_STDOUT:
+ case DEBUG_DEFAULT_STDOUT:
debug_close_fd(state.fd);
state.fd = 1;
return true;
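Review bot: routing DEBUG_DEFAULT_STDOUT through the DEBUG_STDOUT case (close the old fd, set `state.fd = 1`) is what keeps stdout open across reopen_logs_internal(); a one-line comment on the new `case` label saying that this is deliberate for --log-stdout would stop a future cleanup from "fixing" it back to the file path.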
diff --git a/lib/util/debug.h b/lib/util/debug.h
index c01fa92..c61a2c5 100644
--- a/lib/util/debug.h
+++ b/lib/util/debug.h
@@ -197,7 +197,7 @@ extern int *DEBUGLEVEL_CLASS;
* for example. This makes it easy to override for debug to stderr on
* the command line, as the smb.conf cannot reset it back to
* file-based logging */
-enum debug_logtype {DEBUG_DEFAULT_STDERR = 0, DEBUG_STDOUT = 1, DEBUG_FILE = 2, DEBUG_STDERR = 3};
+enum debug_logtype {DEBUG_DEFAULT_STDERR = 0, DEBUG_DEFAULT_STDOUT = 1, DEBUG_FILE = 2, DEBUG_STDOUT = 3, DEBUG_STDERR = 4};
struct debug_settings {
size_t max_log_size;
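Review bot: renumbering the enum changes the numeric value of DEBUG_STDOUT from 1 to 3 and of DEBUG_STDERR from 3 to 4 while keeping DEBUG_DEFAULT_STDERR at 0. Any code that compares `state.logtype` against a literal, stores the value, or exposes it via a command-line or config integer silently changes meaning; grep for such uses before merging. The comment block directly above the enum still only describes the stderr default ("override for debug to stderr on the command line"); extend it to say what DEBUG_DEFAULT_STDOUT means and when it is chosen over DEBUG_STDOUT.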
@@ -229,6 +229,7 @@ void dbgflush( void );
bool dbghdrclass(int level, int cls, const char *location, const char *func);
bool dbghdr(int level, const char *location, const char *func);
bool debug_get_output_is_stderr(void);
+bool debug_get_output_is_stdout(void);
void debug_schedule_reopen_logs(void);
char *debug_list_class_names_and_levels(void);
diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl
index 904beca..3b4853b 100644
--- a/librpc/idl/auth.idl
+++ b/librpc/idl/auth.idl
@@ -27,15 +27,15 @@ interface auth
/* This is the parts of the session_info that don't change
* during local privilage and group manipulations */
typedef [public] struct {
- utf8string account_name;
- utf8string domain_name;
+ [unique,charset(UTF8),string] char *account_name;
+ [unique,charset(UTF8),string] char *domain_name;
- utf8string full_name;
- utf8string logon_script;
- utf8string profile_path;
- utf8string home_directory;
- utf8string home_drive;
- utf8string logon_server;
+ [unique,charset(UTF8),string] char *full_name;
+ [unique,charset(UTF8),string] char *logon_script;
+ [unique,charset(UTF8),string] char *profile_path;
+ [unique,charset(UTF8),string] char *home_directory;
+ [unique,charset(UTF8),string] char *home_drive;
+ [unique,charset(UTF8),string] char *logon_server;
NTTIME last_logon;
NTTIME last_logoff;
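Review bot: switching these fields from `utf8string` to `[unique,charset(UTF8),string] char *` changes the NDR wire form, not just the C type: a unique pointer adds a referent id and permits NULL, so a blob produced by the old definition does not decode with the new one. Both sides of any link that exchanges auth_user_info must be updated together, and every consumer of account_name, domain_name, full_name, logon_script, profile_path, home_directory, home_drive and logon_server now has to tolerate a NULL pointer where the previous definition always yielded a string. An ndr pull/push round-trip test for auth_user_info would catch the former; a NULL check audit of the consumers is needed for the latter.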
@@ -62,7 +62,12 @@ interface auth
} auth_user_info_torture;
typedef [public] struct {
- utf8string unix_name;
+ /* These match exactly the values from the
+ * auth_serversupplied_info, but should be changed to
+ * checks involving just the SIDs */
+ boolean8 system;
+
+ [unique,charset(UTF8),string] char *unix_name;
/*
* For performance reasons we keep an alpha_strcpy-sanitized version
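Review bot: the new `boolean8 system` is a privilege marker carried inside an NDR-marshalled struct, and the accompanying comment already calls it a stopgap that "should be changed to checks involving just the SIDs". Until that happens, any code that receives auth_user_info_unix in serialised form rather than building it locally should not take `system` at face value but derive the decision from the token SIDs, as the comment suggests; please state that in the comment and name the follow-up work so the field is not silently promoted to a trusted input.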
@@ -71,7 +76,7 @@ interface auth
* alpha_strcpy whenever we do a become_user(), potentially on every
* smb request. See set_current_user_info in source3.
*/
- utf8string sanitized_username;
+ [unique,charset(UTF8),string] char *sanitized_username;
} auth_user_info_unix;
/* This is the interim product of the auth subsystem, before
@@ -90,7 +95,19 @@ interface auth
auth_user_info *info;
auth_user_info_unix *unix_info;
[value(NULL), ignore] auth_user_info_torture *torture;
+
+ /* This is the final session key, as used by SMB signing, and
+ * (truncated to 16 bytes) encryption on the SAMR and LSA pipes
+ * when over ncacn_np.
+ * It is calculated by NTLMSSP from the session key in the info3,
+ * and is set from the Kerberos session key using
+ * krb5_auth_con_getremotesubkey().
+ *
+ * Bottom line, it is not the same as the session keys in info3.
+ */
+
DATA_BLOB session_key;
+
[value(NULL), ignore] cli_credentials *credentials;
} auth_session_info;
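Review bot: style, the two added blank `+` lines wrapping `DATA_BLOB session_key;` (one after the comment block, one before `credentials`) are stray; the comment should sit directly above the member it describes. The comment itself is a useful clarification that session_key is the NTLMSSP- or Kerberos-derived key used for SMB signing and SAMR/LSA encryption, not the info3 session keys; keep that wording.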
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 2f633ab..5760337 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -580,7 +580,7 @@ interface security
/* This is not yet sent over the network, but is simply defined in IDL */
typedef [public] struct {
uid_t uid;
- uid_t gid;
+ gid_t gid;
uint32 ngroups;
[size_is(ngroups)] gid_t groups[*];
} security_unix_token;
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 505130f..c78c1d6 100644
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -282,6 +282,8 @@ sub setup_plugin_s4_dc($$$$)
passdb backend = samba4
auth methods = guest samba4
domain logons = yes
+ rpc_server:epmapper = external
+ rpc_server:lsass = external
rpc_server:lsarpc = external
rpc_server:netlogon = external
rpc_server:samr = external
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 0a72cf5..51b0a7c 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -466,7 +466,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) $(LIBTSOCKET_OBJ) \
lib/ldap_escape.o @CHARSET_STATIC@ \
../libcli/security/secdesc.o ../libcli/security/access_check.o \
../libcli/security/secace.o ../libcli/security/object_tree.o \
- ../libcli/security/sddl.o \
+ ../libcli/security/sddl.o ../libcli/security/session.o \
../libcli/security/secacl.o @PTHREADPOOL_OBJ@ \
lib/fncall.o \
libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 2d1aef1..61029bc 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -29,7 +29,7 @@
NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
struct auth_ntlmssp_state *auth_ntlmssp_state,
- struct auth_serversupplied_info **session_info)
+ struct auth_session_info **session_info)
{
NTSTATUS nt_status = create_local_token(mem_ctx,
auth_ntlmssp_state->server_info,
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index dd12692..2689afd 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -2,10 +2,10 @@
Unix SMB/CIFS implementation.
Authentication utility functions
Copyright (C) Andrew Tridgell 1992-1998
- Copyright (C) Andrew Bartlett 2001
+ Copyright (C) Andrew Bartlett 2001-2011
Copyright (C) Jeremy Allison 2000-2001
Copyright (C) Rafal Szczesniak 2002
- Copyright (C) Volker Lendecke 2006
+ Copyright (C) Volker Lendecke 2006-2008
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -30,6 +30,8 @@
#include "../lib/util/util_pw.h"
#include "lib/winbind_util.h"
#include "passdb.h"
+#include "../librpc/gen_ndr/ndr_auth.h"
+#include "../auth/auth_sam_reply.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -143,7 +145,7 @@ NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
plaintext, password_state);
if (NT_STATUS_IS_OK(result)) {
/* We have tried mapping */
- (*user_info)->mapped_state = True;
+ (*user_info)->mapped_state = true;
/* did we actually map the user to a different name? */
(*user_info)->was_mapped = was_mapped;
}
@@ -183,7 +185,7 @@ bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
if (NT_STATUS_IS_OK(status)) {
(*user_info)->logon_parameters = logon_parameters;
}
- ret = NT_STATUS_IS_OK(status) ? True : False;
+ ret = NT_STATUS_IS_OK(status) ? true : false;
data_blob_free(&lm_blob);
data_blob_free(&nt_blob);
@@ -286,7 +288,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
(*user_info)->logon_parameters = logon_parameters;
}
- ret = NT_STATUS_IS_OK(nt_status) ? True : False;
+ ret = NT_STATUS_IS_OK(nt_status) ? true : false;
data_blob_free(&local_lm_blob);
data_blob_free(&local_nt_blob);
return ret;
@@ -342,7 +344,7 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
(const char *)plaintext_password.data,
plaintext_password.length);
if (!plaintext_password_string) {
- return False;
+ return false;
}
ret = make_user_info_map(
@@ -361,7 +363,7 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
}
data_blob_free(&local_lm_blob);
- return NT_STATUS_IS_OK(ret) ? True : False;
+ return NT_STATUS_IS_OK(ret) ? true : false;
}
/****************************************************************************
@@ -385,7 +387,7 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
}
/****************************************************************************
- Create a guest user_info blob, for anonymous authenticaion.
+ Create a guest user_info blob, for anonymous authentication.
****************************************************************************/
bool make_user_info_guest(const struct tsocket_address *remote_address,
@@ -403,7 +405,7 @@ bool make_user_info_guest(const struct tsocket_address *remote_address,
NULL,
AUTH_PASSWORD_RESPONSE);
- return NT_STATUS_IS_OK(nt_status) ? True : False;
+ return NT_STATUS_IS_OK(nt_status) ? true : false;
}
static NTSTATUS log_nt_token(struct security_token *token)
@@ -455,13 +457,13 @@ static NTSTATUS log_nt_token(struct security_token *token)
NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
const struct auth_serversupplied_info *server_info,
DATA_BLOB *session_key,
- struct auth_serversupplied_info **session_info_out)
+ struct auth_session_info **session_info_out)
{
struct security_token *t;
NTSTATUS status;
size_t i;
struct dom_sid tmp_sid;
- struct auth_serversupplied_info *session_info;
+ struct auth_session_info *session_info;
struct wbcUnixId *ids;
/* Ensure we can't possible take a code path leading to a
@@ -470,12 +472,40 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
return NT_STATUS_LOGON_FAILURE;
}
- session_info = copy_serverinfo(mem_ctx, server_info);
-
+ session_info = talloc_zero(mem_ctx, struct auth_session_info);
if (!session_info) {
return NT_STATUS_NO_MEMORY;
}
+ session_info->unix_token = talloc_zero(session_info, struct security_unix_token);
+ if (!session_info->unix_token) {
+ TALLOC_FREE(session_info);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ session_info->unix_token->uid = server_info->utok.uid;
+ session_info->unix_token->gid = server_info->utok.gid;
+
+ session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix);
+ if (!session_info->unix_info) {
+ TALLOC_FREE(session_info);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ session_info->unix_info->unix_name = talloc_strdup(session_info, server_info->unix_name);
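Review bot: talloc ownership in the last added line is inconsistent with the rest of the hunk. `unix_info` is allocated as a child of `session_info`, but `unix_name` is strdup'ed onto `session_info` directly, so stealing or freeing `unix_info` on its own would leave the string behind; use `talloc_strdup(session_info->unix_info, server_info->unix_name)` instead. Within the visible lines there is also no NULL check after that talloc_strdup (the hunk is cut off here, so verify the remainder adds one and frees session_info on failure, as is done for the two talloc_zero calls above). Finally, replacing copy_serverinfo() with a field-by-field copy means the supplementary group list of `server_info->utok` (ngroups and groups) must be copied explicitly as well; only uid and gid are copied in the lines shown, so make sure the rest of the hunk covers it.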
--
Samba Shared Repository