[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Jul 18 21:57:02 MDT 2012
The branch, master has been updated
via 376dc5c s3-auth Use correct RID for domain guests primary group
via 11d7f77 s3-rpc_server: Remove make_server_info_info3() call from make_server_pipes_struct()
via cbc3083 auth/credentials: Remove extra newline
via 9130bbb selftest: Run unix.whomai against the machine acccount as well
via 38a4703 Revert "s3:auth make sure the primary group sid is usable"
via faa9b2e s4-torture: Move check of map-to-guest above SID list check
via 624f11e s4-torture: Allow unix.whoami to test against a member server
via 8825085 s4-torture: Also print GID values in whoami test
via 6305b4b torture: Print SIDs as additional debug output in unix.whoami
from 8ef968a s3-aio: Panic if we try to close a fsp with outstanding aio requests
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 376dc5cc5da44f154637187bfccf52821e837e37
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Jul 15 14:38:18 2012 +1000
s3-auth Use correct RID for domain guests primary group
This was incorrect in commit 9dd7e7fc2d6d1aa7f3c3b741ac134e087ce808fd
as the RID was from the BUILTIN domain, but this creates a guest
account token for the real domain.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Jul 19 05:56:28 CEST 2012 on sn-devel-104
commit 11d7f7762dc943418d46cf1958a71701e58620c0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Jul 15 14:31:01 2012 +1000
s3-rpc_server: Remove make_server_info_info3() call from make_server_pipes_struct()
This codepath would only be executed if we provided a partial session_info token
across the named pipe forwarding code.
The smbd file server always fills this in, and if the ntvfs file server ever
wants to use an smbd hosted pipe, it can do the same. Calling create_local_token
is always the wrong thing to do.
Andrew Bartlett
commit cbc30833d60ad36129cfbf3924086a7e4592a82a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Jul 15 12:50:02 2012 +1000
auth/credentials: Remove extra newline
commit 9130bbb7e5c3268cf51c8be01bea0cd64b0e1304
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Jul 15 11:34:06 2012 +1000
selftest: Run unix.whomai against the machine acccount as well
This shows that the machine account got an extra SID in the token for domain users.
Andrew Bartlett
commit 38a47039cf05983df26ad6fed7470d83da56af3a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sun Jul 15 12:22:44 2012 +1000
Revert "s3:auth make sure the primary group sid is usable"
This reverts commit 00089fd74af740f832573d904312854e494a869e.
The issue with this patch, which I did sign off on, is that for the
domain member case, we already know that the SID is reasonable and
valid, and we indeed rely on that, because we keep it as an additonal
group anyway. The primary group is not so special that we need to do
extra validation.
Calling this function may put a user into the domain 'domain users'
group, even if they are not in that group to start with.
Andrew Bartlett
commit faa9b2e1b1c6a02add3295f4b2b61b887b017ded
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 12 13:32:37 2012 +1000
s4-torture: Move check of map-to-guest above SID list check
This makes it easier to interpret failing output.
Andrew Bartlett
commit 624f11e4b46884c13056709ba6abc8dc2a659bc3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 12 12:59:29 2012 +1000
s4-torture: Allow unix.whoami to test against a member server
This compares only the domain SIDs betwen the two servers, rather than
the full token, as well known and other SIDs may be added locally
in both cases.
This also expands the test environments this is run against to verify
this between our AD server and domain members.
Andrew Bartlett
commit 8825085ea40d80d1061e83cd471b7732934619ad
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jul 12 11:31:31 2012 +1000
s4-torture: Also print GID values in whoami test
commit 6305b4b64fea206150603f0de29c937d4e9afb3c
Author: Christof Schmitt <christof.schmitt at us.ibm.com>
Date: Wed Jul 11 13:48:55 2012 -0700
torture: Print SIDs as additional debug output in unix.whoami
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials_secrets.c | 2 +-
selftest/knownfail | 1 +
source3/auth/auth_util.c | 45 +++++----------
source3/rpc_server/rpc_server.c | 55 +-----------------
source3/selftest/tests.py | 14 +++--
source4/torture/unix/whoami.c | 99 ++++++++++++++++++++++++--------
6 files changed, 103 insertions(+), 113 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 8206173..ab7f5e8 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -93,7 +93,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
NULL, 0, "%s", filter);
if (ldb_ret != LDB_SUCCESS) {
- *error_string = talloc_asprintf(cred, "Could not find entry to match filter: '%s' base: '%s': %s: %s\n",
+ *error_string = talloc_asprintf(cred, "Could not find entry to match filter: '%s' base: '%s': %s: %s",
filter, base ? base : "",
ldb_strerror(ldb_ret), ldb_errstring(ldb));
/* set anonymous as the fallback, if the machine account won't work */
diff --git a/selftest/knownfail b/selftest/knownfail
index e5bff1b..19f728d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -42,6 +42,7 @@
^samba3.raw.samba3closeerr.samba3closeerr\(s3dc\) # This test fails against an smbd environment with NT ACLs enabled
^samba3.raw.acls.generic\(s3dc\) # This fails against smbd
^samba3.unix.whoami anonymous connection.whoami\(plugin_s4_dc\) # We need to resolve if we should be including SID_NT_WORLD and SID_NT_NETWORK in this token
+^samba3.unix.whoami anonymous connection.whoami\(s3member\) # smbd maps anonymous logins to domain guest in the local domain, not SID_NT_ANONYMOUS
# these show that we still have some differences between our system
# with our internal iconv because it passes except when we bypass our
# internal iconv modules
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index b41fac8..c4479d4 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -843,7 +843,7 @@ static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
info3->base.rid = DOMAIN_RID_GUEST;
/* Primary gid */
- info3->base.primary_gid = BUILTIN_RID_GUESTS;
+ info3->base.primary_gid = DOMAIN_RID_GUESTS;
/* Set as guest */
info3->base.user_flags = NETLOGON_GUEST;
@@ -1404,11 +1404,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
char *found_username = NULL;
const char *nt_domain;
const char *nt_username;
+ struct dom_sid user_sid;
+ struct dom_sid group_sid;
bool username_was_mapped;
struct passwd *pwd;
struct auth_serversupplied_info *result;
- struct dom_sid *group_sid;
- struct netr_SamInfo3 *i3;
/*
Here is where we should check the list of
@@ -1416,6 +1416,15 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
matches.
*/
+ if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!sid_compose(&group_sid, info3->base.domain_sid,
+ info3->base.primary_gid)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
if (!nt_username) {
/* If the server didn't give us one, just use the one we sent
@@ -1460,43 +1469,17 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
result->unix_name = talloc_strdup(result, found_username);
/* copy in the info3 */
- result->info3 = i3 = copy_netr_SamInfo3(result, info3);
+ result->info3 = copy_netr_SamInfo3(result, info3);
if (result->info3 == NULL) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
/* Fill in the unix info we found on the way */
+
result->utok.uid = pwd->pw_uid;
result->utok.gid = pwd->pw_gid;
- /* We can't just trust that the primary group sid sent us is something
- * we can really use. Obtain the usable sid, and store the original
- * one as an additional group if it had to be replaced */
- nt_status = get_primary_group_sid(mem_ctx, found_username,
- &pwd, &group_sid);
- if (!NT_STATUS_IS_OK(nt_status)) {
- TALLOC_FREE(result);
- return nt_status;
- }
-
- /* store and check if it is the same we got originally */
- sid_peek_rid(group_sid, &i3->base.primary_gid);
- if (i3->base.primary_gid != info3->base.primary_gid) {
- uint32_t n = i3->base.groups.count;
- /* not the same, store the original as an additional group */
- i3->base.groups.rids =
- talloc_realloc(i3, i3->base.groups.rids,
- struct samr_RidWithAttribute, n + 1);
- if (i3->base.groups.rids == NULL) {
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
- }
- i3->base.groups.rids[n].rid = info3->base.primary_gid;
- i3->base.groups.rids[n].attributes = SE_GROUP_ENABLED;
- i3->base.groups.count = n + 1;
- }
-
/* ensure we are never given NULL session keys */
if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index 675d0d5..5e51f52 100644
--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -81,58 +81,9 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
p->session_info = talloc_steal(p, session_info);
} else {
- struct auth_user_info_dc *auth_user_info_dc;
- struct auth_serversupplied_info *server_info;
- struct netr_SamInfo3 *info3;
-
- /* Fake up an auth_user_info_dc for now, to make an info3, to make the session_info structure */
- auth_user_info_dc = talloc_zero(p, struct auth_user_info_dc);
- if (!auth_user_info_dc) {
- TALLOC_FREE(p);
- *perrno = ENOMEM;
- return -1;
- }
-
- auth_user_info_dc->num_sids = session_info->security_token->num_sids;
- auth_user_info_dc->sids = session_info->security_token->sids;
- auth_user_info_dc->info = session_info->info;
- auth_user_info_dc->user_session_key = session_info->session_key;
-
- /* This creates the input structure that make_server_info_info3 is looking for */
- status = auth_convert_user_info_dc_saminfo3(p, auth_user_info_dc,
- &info3);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to convert auth_user_info_dc into netr_SamInfo3\n"));
- TALLOC_FREE(p);
- *perrno = EINVAL;
- return -1;
- }
-
- status = make_server_info_info3(p,
- info3->base.account_name.string,
- info3->base.logon_domain.string,
- &server_info, info3);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to init server info\n"));
- TALLOC_FREE(p);
- *perrno = EINVAL;
- return -1;
- }
-
- /*
- * Some internal functions need a local token to determine access to
- * resources.
- */
- status = create_local_token(p, server_info, &session_info->session_key, info3->base.account_name.string,
- &p->session_info);
- talloc_free(server_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to init local auth token\n"));
- TALLOC_FREE(p);
- *perrno = EINVAL;
- return -1;
- }
+ DEBUG(0, ("Supplied session_info in make_server_pipes_struct was incomplete!"));
+ *perrno = EINVAL;
+ return -1;
}
*_p = p;
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 41a1111..a890372 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -305,11 +305,15 @@ for t in tests:
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=doscharset=ISO-8859-1')
elif t == "unix.whoami":
- plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
- plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U%', description='anonymous connection')
- plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD --option=torture:addc=true')
- plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER/tmp -k yes -U$USERNAME%$PASSWORD --option=torture:addc=true', description='kerberos connection')
- plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U% --option=torture:addc=true', description='anonymous connection')
+ plansmbtorturetestsuite(t, "member:local", '//$SERVER/tmp --machine-pass', description="machine account")
+ plansmbtorturetestsuite(t, "s3member:local", '//$SERVER/tmp --machine-pass --option=torture:addc=$DC_SERVER', description="machine account")
+ for env in ["s3dc", "member"]:
+ plansmbtorturetestsuite(t, env, '//$SERVER/tmp -U$DC_USERNAME%$DC_PASSWORD')
+ plansmbtorturetestsuite(t, env, '//$SERVER/tmpguest -U%', description='anonymous connection')
+ for env in ["plugin_s4_dc", "s3member"]:
+ plansmbtorturetestsuite(t, env, '//$SERVER/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD --option=torture:addc=$DC_SERVER')
+ plansmbtorturetestsuite(t, env, '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD --option=torture:addc=$DC_SERVER', description='kerberos connection')
+ plansmbtorturetestsuite(t, env, '//$SERVER/tmpguest -U% --option=torture:addc=$DC_SERVER', description='anonymous connection')
elif t == "raw.samba3posixtimedlock":
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/s3dc/share')
plansmbtorturetestsuite(t, "plugin_s4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/plugin_s4_dc/share')
diff --git a/source4/torture/unix/whoami.c b/source4/torture/unix/whoami.c
index 8f608a8..7778776 100644
--- a/source4/torture/unix/whoami.c
+++ b/source4/torture/unix/whoami.c
@@ -228,9 +228,12 @@ static bool smb_raw_query_posix_whoami(void *mem_ctx,
whoami->gid_list = talloc_array(mem_ctx, uint64_t, whoami->num_gids);
torture_assert(torture, whoami->gid_list != NULL, "out of memory");
+ torture_comment(torture, "\tGIDs:\n");
+
for (i = 0; i < whoami->num_gids; ++i) {
whoami->gid_list[i] = BVAL(tp.out.data.data, offset);
offset += 8;
+ torture_comment(torture, "\t\t%u\n", (unsigned int)whoami->gid_list[i]);
}
}
@@ -253,6 +256,8 @@ static bool smb_raw_query_posix_whoami(void *mem_ctx,
torture_assert(torture, whoami->sid_list != NULL,
"out of memory");
+ torture_comment(torture, "\tSIDs:\n");
+
for (i = 0; i < whoami->num_sids; ++i) {
if (!whoami_sid_parse(mem_ctx, torture,
&tp.out.data, &offset,
@@ -260,6 +265,8 @@ static bool smb_raw_query_posix_whoami(void *mem_ctx,
return false;
}
+ torture_comment(torture, "\t\t%s\n",
+ dom_sid_string(torture, whoami->sid_list[i]));
}
}
@@ -270,7 +277,8 @@ static bool smb_raw_query_posix_whoami(void *mem_ctx,
return true;
}
-static bool test_against_ldap(struct torture_context *torture, struct ldb_context *ldb, struct smb_whoami *whoami)
+static bool test_against_ldap(struct torture_context *torture, struct ldb_context *ldb, bool is_dc,
+ struct smb_whoami *whoami)
{
struct ldb_message *msg;
struct ldb_message_element *el;
@@ -281,15 +289,54 @@ static bool test_against_ldap(struct torture_context *torture, struct ldb_contex
torture_assert_int_equal(torture, dsdb_search_one(ldb, torture, &msg, NULL, LDB_SCOPE_BASE, attrs, 0, NULL), LDB_SUCCESS, "searching for tokenGroups");
el = ldb_msg_find_element(msg, "tokenGroups");
torture_assert(torture, el, "obtaining tokenGroups");
- torture_assert_int_equal(torture, el->num_values, whoami->num_sids, "Number of SIDs from LDAP and number of SIDs from CIFS does not match!");
+ torture_assert(torture, el->num_values > 0, "Number of SIDs from LDAP needs to be more than 0");
+ torture_assert(torture, whoami->num_sids > 0, "Number of SIDs from LDAP needs to be more than 0");
+
+ if (is_dc) {
+ torture_assert_int_equal(torture, el->num_values, whoami->num_sids, "Number of SIDs from LDAP and number of SIDs from CIFS does not match!");
+
+ for (i = 0; i < el->num_values; i++) {
+ struct dom_sid *sid = talloc(torture, struct dom_sid);
+ torture_assert(torture, sid != NULL, "talloc failed");
+
+ torture_assert(torture, sid_blob_parse(el->values[i], sid), "sid parse failed");
+ torture_assert_str_equal(torture, dom_sid_string(sid, sid), dom_sid_string(sid, whoami->sid_list[i]), "SID from LDAP and SID from CIFS does not match!");
+ talloc_free(sid);
+ }
+ } else {
+ unsigned int num_domain_sids_dc = 0, num_domain_sids_member = 0;
+ struct dom_sid *user_sid = talloc(torture, struct dom_sid);
+ struct dom_sid *dom_sid = talloc(torture, struct dom_sid);
+ struct dom_sid *dc_sids = talloc_array(torture, struct dom_sid, el->num_values);
+ struct dom_sid *member_sids = talloc_array(torture, struct dom_sid, whoami->num_sids);
+ torture_assert(torture, user_sid != NULL, "talloc failed");
+ torture_assert(torture, sid_blob_parse(el->values[0], user_sid), "sid parse failed");
+ torture_assert_ntstatus_equal(torture, dom_sid_split_rid(torture, user_sid, &dom_sid, NULL), NT_STATUS_OK, "failed to split domain SID from user SID");
+ for (i = 0; i < el->num_values; i++) {
+ struct dom_sid *sid = talloc(dc_sids, struct dom_sid);
+ torture_assert(torture, sid != NULL, "talloc failed");
+
+ torture_assert(torture, sid_blob_parse(el->values[i], sid), "sid parse failed");
+ if (dom_sid_in_domain(dom_sid, sid)) {
+ dc_sids[num_domain_sids_dc] = *sid;
+ num_domain_sids_dc++;
+ }
+ talloc_free(sid);
+ }
- for (i = 0; i < el->num_values; i++) {
- struct dom_sid *sid = talloc(torture, struct dom_sid);
- torture_assert(torture, sid != NULL, "talloc failed");
+ for (i = 0; i < whoami->num_sids; i++) {
+ if (dom_sid_in_domain(dom_sid, whoami->sid_list[i])) {
+ member_sids[num_domain_sids_member] = *whoami->sid_list[i];
+ num_domain_sids_member++;
+ }
+ }
- torture_assert(torture, sid_blob_parse(el->values[i], sid), "sid parse failed");
- torture_assert_str_equal(torture, dom_sid_string(sid, sid), dom_sid_string(sid, whoami->sid_list[i]), "SID from LDAP and SID from CIFS does not match!");
- talloc_free(sid);
+ torture_assert_int_equal(torture, num_domain_sids_dc, num_domain_sids_member, "Number of Domain SIDs from LDAP DC and number of SIDs from CIFS member does not match!");
+ for (i = 0; i < num_domain_sids_dc; i++) {
+ torture_assert_str_equal(torture, dom_sid_string(dc_sids, &dc_sids[i]), dom_sid_string(member_sids, &member_sids[i]), "Domain SID from LDAP DC and SID from CIFS member server does not match!");
+ }
+ talloc_free(dc_sids);
+ talloc_free(member_sids);
}
return true;
}
@@ -300,6 +347,7 @@ bool torture_unix_whoami(struct torture_context *torture)
struct smb_whoami whoami;
bool ret;
struct ldb_context *ldb;
+ const char *addc, *host;
cli = connect_to_server(torture, cmdline_credentials);
torture_assert(torture, cli, "connecting to server with authenticated credentials");
@@ -309,13 +357,29 @@ bool torture_unix_whoami(struct torture_context *torture)
cli, &whoami, 0xFFFF), ret, fail,
"calling SMB_QFS_POSIX_WHOAMI on an authenticated connection");
- if (torture_setting_bool(torture, "addc", false)) {
- ldb = ldb_wrap_connect(torture, torture->ev, torture->lp_ctx, talloc_asprintf(torture, "ldap://%s", torture_setting_string(torture, "host", NULL)),
+ /* Check that our anonymous login mapped us to guest on the server, but
+ * only if the server supports this.
+ */
+ if (whoami.mapping_mask & SMB_WHOAMI_GUEST) {
+ bool guest = whoami.mapping_flags & SMB_WHOAMI_GUEST;
+ torture_comment(torture, "checking whether we were logged in as guest... %s\n",
+ guest ? "YES" : "NO");
+ torture_assert(torture, cli_credentials_is_anonymous(cmdline_credentials) == guest,
+ "login did not credentials map to guest");
+ } else {
+ torture_comment(torture, "server does not support SMB_WHOAMI_GUEST flag\n");
+ }
+
+ addc = torture_setting_string(torture, "addc", NULL);
+ host = torture_setting_string(torture, "host", NULL);
+
+ if (addc) {
+ ldb = ldb_wrap_connect(torture, torture->ev, torture->lp_ctx, talloc_asprintf(torture, "ldap://%s", addc),
NULL, cmdline_credentials, 0);
torture_assert(torture, ldb, "ldb connect failed");
/* We skip this testing if we could not contact the LDAP server */
- if (!test_against_ldap(torture, ldb, &whoami)) {
+ if (!test_against_ldap(torture, ldb, strcasecmp(addc, host) == 0, &whoami)) {
goto fail;
}
}
@@ -334,19 +398,6 @@ bool torture_unix_whoami(struct torture_context *torture)
smbcli_tdis(cli);
- /* Check that our anonymous login mapped us to guest on the server, but
- * only if the server supports this.
- */
- if (whoami.mapping_mask & SMB_WHOAMI_GUEST) {
- bool guest = whoami.mapping_flags & SMB_WHOAMI_GUEST;
- printf("checking whether we were logged in as guest... %s\n",
- guest ? "YES" : "NO");
- torture_assert(torture, cli_credentials_is_anonymous(cmdline_credentials) == guest,
- "login did not credentials map to guest");
- } else {
- printf("server does not support SMB_WHOAMI_GUEST flag\n");
- }
-
return true;
fail:
--
Samba Shared Repository
More information about the samba-cvs
mailing list