[SCM] Samba Shared Repository - branch v4-1-test updated

Karolin Seeger kseeger at samba.org
Sat Jul 11 22:10:05 UTC 2015


The branch, v4-1-test has been updated
       via  15b323d s4:selftest: also run rpc.winreg with kerberos and all possible auth options
       via  d8df89f s4:selftest: run rpc.echo tests also with krb5 krb5,sign krb5,seal
       via  6d6799a s4:rpc_server: fix padding calculation in dcesrv_auth_response()
       via  62966eb s4:rpc_server: let dcesrv_auth_response() handle sig_size == 0 with auth_info as error
       via  496d7f9 s4:rpc_server: let dcesrv_reply() use a sig_size for a padded payload
       via  e22adb8 s4:rpc_server: let dcesrv_reply() use DCERPC_AUTH_PAD_ALIGNMENT define
       via  e661c30 s4:librpc/rpc: fix padding calculation in ncacn_push_request_sign()
       via  3336fb7 s4:librpc/rpc: let ncacn_push_request_sign() handle sig_size == 0 with auth_info as internal error
       via  18342a7 s4:librpc/rpc: let dcerpc_ship_next_request() use a sig_size for a padded payload
       via  ad94101 s4:librpc/rpc: let dcerpc_ship_next_request() use DCERPC_AUTH_PAD_ALIGNMENT define
       via  9ab5872 s3:rpc_server: remove pad handling from api_pipe_alter_context()
       via  c17dd15 s3:librpc/rpc: fix padding calculation in dcerpc_guess_sizes()
       via  843c953 s3:librpc/rpc: allow up to DCERPC_AUTH_PAD_ALIGNMENT padding bytes in dcerpc_add_auth_footer()
       via  213b98b librpc/rpc: add DCERPC_AUTH_PAD_LENGTH(stub_length) helper macro
       via  c0432c2 dcerpc.idl: add DCERPC_AUTH_PAD_ALIGNMENT (=16)
       via  5570954 auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL before starting
       via  54b9c1c auth/gensec: gensec_[un]seal_packet() should only work with GENSEC_FEATURE_DCE_STYLE
       via  b6a59bb winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC.
       via  7e05f60 kerberos auth info3 should contain resource group ids available from pac_logon
       via  8ddab98 s3: auth: Fix winbindd_pam_auth_pac_send() to create a new info3 and merge in resource groups from a trusted PAC.
       via  4bdfb15 s3: auth: Change auth3_generate_session_info_pac() to use a copy of the info3 struct from the struct PAC_LOGON_INFO.
       via  02bda07 s3: auth: Add create_info3_from_pac_logon_info() to create a new info3 and merge resource group SIDs into it.
       via  a3d6a15 s3: auth: Change make_server_info_info3() to take a const struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
       via  2ff1428 s3: auth: Add some const to the struct netr_SamInfo3 * arguments of copy_netr_SamInfo3() and make_server_info_info3()
      from  7434e77 docs: overhaul the description of "smb encrypt" to include SMB3 encryption.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-test


- Log -----------------------------------------------------------------
commit 15b323d38c3730f697dd821a798503b9f890b6bd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jun 23 10:27:27 2015 +0200

    s4:selftest: also run rpc.winreg with kerberos and all possible auth options
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Tue Jun 23 17:31:08 CEST 2015 on sn-devel-104
    
    (cherry picked from commit 6dd117b21ef06da68af67051f2822f71193d193a)
    
    Autobuild-User(v4-1-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-1-test): Sun Jul 12 00:09:40 CEST 2015 on sn-devel-104

commit d8df89f5b9f9e446947c0a869ca742013ce96bba
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jun 19 00:35:29 2015 +0200

    s4:selftest: run rpc.echo tests also with krb5 krb5,sign krb5,seal
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 5b917fd6226952a1f792d1ad921d2ae54ab6ab42)

commit 6d6799a2190dc131b01e897f538b137b0b400ccf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jun 20 17:49:02 2015 +0200

    s4:rpc_server: fix padding calculation in dcesrv_auth_response()
    
    This is simplified by using DCERPC_AUTH_PAD_LENGTH() and changes the behaviour
    so that we will use no padding if the stub_length is already aligned
    to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 69c1b4b7c10dd5fd9cacaa3a76c47bc854ee3fed)

commit 62966ebc287803bbe7482b41fa529e2bddc8b4dc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jun 20 17:47:14 2015 +0200

    s4:rpc_server: let dcesrv_auth_response() handle sig_size == 0 with auth_info as error
    
    Don't send plaintext on the wire because of an internal error...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 1bf7ab49b4459e81ab2b82d9668b3d7cb76372f4)

commit 496d7f9a43b7acd14b168db91271ab57a6b6cec7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jun 19 22:35:44 2015 +0200

    s4:rpc_server: let dcesrv_reply() use a sig_size for a padded payload
    
    The sig_size could differ depending on the alignment/padding.
    So we should use the same alignment as we use for the payload.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 16f3837e026e4cae135bbdddf09b44a02af25b05)

commit e22adb88bbab445c7aa21eebc0aaf0e7de9e3147
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jun 19 22:35:44 2015 +0200

    s4:rpc_server: let dcesrv_reply() use DCERPC_AUTH_PAD_ALIGNMENT define
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 3fbdb255e3ac7ad5261c5fa3836e4a38a0d59221)

commit e661c302bf7d5bfaaac50bfa5d52f10ee9ec85d7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jun 20 17:49:02 2015 +0200

    s4:librpc/rpc: fix padding calculation in ncacn_push_request_sign()
    
    This is simplified by using DCERPC_AUTH_PAD_LENGTH() and changes the behaviour
    so that we will use no padding if the stub_length is already aligned
    to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 114c52e73ed9e0adeac8ad1bc1dc014f3c10f4d6)

commit 3336fb7a3fc6ca6b1524654aaac0207410bf632e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jun 20 17:47:14 2015 +0200

    s4:librpc/rpc: let ncacn_push_request_sign() handle sig_size == 0 with auth_info as internal error
    
    Don't send plaintext on the wire because of an internal error...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 48f2c383e1d7f52114223cd2a54857426bf64025)

commit 18342a7cbb14c7fe2f451a3e1386deaf819f6f7a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jun 19 22:35:44 2015 +0200

    s4:librpc/rpc: let dcerpc_ship_next_request() use a sig_size for a padded payload
    
    The sig_size could differ depending on the alignment/padding.
    So we should use the same alignment as we use for the payload.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit fc249d542fcb8d043ae72eb7963d3a85eb79253a)

commit ad94101f6415f274092d2ba8ab7146c431304d5d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jun 19 22:35:44 2015 +0200

    s4:librpc/rpc: let dcerpc_ship_next_request() use DCERPC_AUTH_PAD_ALIGNMENT define
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ef801bae95403e96042f5d8c87085bce21436013)

commit 9ab5872439acd7a7de6a6ee319e997313d02586c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jun 19 22:09:57 2015 +0200

    s3:rpc_server: remove pad handling from api_pipe_alter_context()
    
    This is not needed and Windows doesn't use it.
    The padding is for the payload in request and response.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit a6a6795826954eef6763a39b129a4db578edca01)

commit c17dd15bb8b7933d86525943dd14f86190311a99
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jun 19 15:52:11 2015 +0200

    s3:librpc/rpc: fix padding calculation in dcerpc_guess_sizes()
    
    The padding needs to be relative to the payload start not to the pdu start.
    We also need to align the padding to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (similar to commit b2e042ad9652e2dfb39640de43e09030efc41d3d)

commit 843c95324a95ae3bf9680a61b357e5b08c4b42df
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jun 19 16:55:39 2015 +0200

    s3:librpc/rpc: allow up to DCERPC_AUTH_PAD_ALIGNMENT padding bytes in dcerpc_add_auth_footer()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 3e6e9e3acd17531148457be59a32727fb87ae43d)

commit 213b98ba93501fe85d37ea875d28f6ae9375d47f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jun 20 17:43:47 2015 +0200

    librpc/rpc: add DCERPC_AUTH_PAD_LENGTH(stub_length) helper macro
    
    This calculates the required padding from DCERPC_AUTH_PAD_ALIGNMENT
    and the stub_length.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (similar to commit f1e3ad269ca8f76876afd8e3837c9c9b48688941)

commit c0432c2c066ea2630a6bb215ad582e08666f9094
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jun 19 16:48:48 2015 +0200

    dcerpc.idl: add DCERPC_AUTH_PAD_ALIGNMENT (=16)
    
    Windows pads the payload aligned to 16 bytes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 2cb3ec5856ab5b7edad8ffd67a5d0f927c161138)
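
Worked example of the padding rule the commits above describe (added here, not Samba code). It implements the DCERPC_AUTH_PAD_LENGTH() arithmetic as a function, plans one fragment the way dcerpc_guess_sizes() does after this series (budget rounded down to the alignment first, a zero signature size treated as an error rather than sent unsigned), and keeps the old header-relative calculation only for comparison. The 24-byte header, 4280-byte fragment limit and 16-byte signature length are assumed demo values, and legacy_pad_length, plan_fragment and demo_plan are names chosen for the example.

```c
/*
 * Added example, not Samba code: pad the stub to a DCERPC_AUTH_PAD_ALIGNMENT
 * multiple measured from the stub start, and refuse to send when the
 * signature size is 0.  Demo numbers in main() are assumptions.
 */
#include <stddef.h>
#include <stdio.h>

#define DCERPC_AUTH_PAD_ALIGNMENT  16  /* value added to dcerpc.idl in this series */
#define DCERPC_AUTH_TRAILER_LENGTH 8   /* sec_trailer, already in dcerpc.idl */

/* Same arithmetic as DCERPC_AUTH_PAD_LENGTH(): 0 when already aligned. */
static size_t dcerpc_auth_pad_length(size_t stub_length)
{
	size_t mod = stub_length % DCERPC_AUTH_PAD_ALIGNMENT;
	return mod ? DCERPC_AUTH_PAD_ALIGNMENT - mod : 0;
}

/* The pre-fix rule: align header + stub, which leaves the stub itself
 * unaligned whenever header_len is not a multiple of 16. For comparison only. */
static size_t legacy_pad_length(size_t header_len, size_t stub_length)
{
	size_t mod = (header_len + stub_length) % DCERPC_AUTH_PAD_ALIGNMENT;
	return mod ? DCERPC_AUTH_PAD_ALIGNMENT - mod : 0;
}

struct frag_plan {
	size_t data_to_send;  /* stub bytes in this fragment */
	size_t pad_len;       /* auth padding after the stub */
	size_t frag_len;      /* total PDU length */
};

static struct frag_plan demo_plan;

/*
 * Plan one fragment. sig_len is the mechanism's signature length, assumed
 * independent of the payload length as it is for the DCE-style mechanisms.
 * Returns 0 on success, -1 if sig_len is 0 (never emit an unprotected PDU
 * because of an internal error) or the budget leaves no room for stub data.
 */
static int plan_fragment(size_t header_len, size_t data_left,
			 size_t max_xmit_frag, size_t sig_len,
			 struct frag_plan *out)
{
	size_t fixed = header_len + DCERPC_AUTH_TRAILER_LENGTH + sig_len;
	size_t max_len;

	if (sig_len == 0 || max_xmit_frag <= fixed) {
		return -1;
	}
	max_len = max_xmit_frag - fixed;
	/* Round the budget down first so data_to_send + pad_len never exceeds it. */
	max_len -= max_len % DCERPC_AUTH_PAD_ALIGNMENT;
	if (max_len == 0) {
		return -1;
	}

	out->data_to_send = data_left < max_len ? data_left : max_len;
	out->pad_len = dcerpc_auth_pad_length(out->data_to_send);
	out->frag_len = header_len + out->data_to_send + out->pad_len
			+ DCERPC_AUTH_TRAILER_LENGTH + sig_len;
	return 0;
}

int main(void)
{
	size_t lens[] = { 10000, 100, 4224 };
	size_t i;

	for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
		/* demo values: 24-byte request header, 4280-byte fragments, 16-byte signature */
		if (plan_fragment(24, lens[i], 4280, 16, &demo_plan) == 0) {
			printf("data_left=%zu -> data=%zu pad=%zu frag=%zu (legacy pad would be %zu)\n",
			       lens[i], demo_plan.data_to_send, demo_plan.pad_len,
			       demo_plan.frag_len,
			       legacy_pad_length(24, demo_plan.data_to_send));
		}
	}
	return 0;
}
```

With a 100-byte stub the new rule pads by 12 (stub becomes 112, a 16-multiple) while the header-relative rule would pad by 4 and leave a 104-byte stub; with a full fragment the budget has already been rounded down, so no padding is needed at all.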

commit 55709541204cb1066c13744a4c577bf3c02b2e3c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Jun 20 16:19:31 2015 +0200

    auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL before starting
    
    We want to set GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL based on the given
    auth_level and should not have GENSEC_FEATURE_SEAL if
    DCERPC_AUTH_LEVEL_INTEGRITY is desired.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 756508c8c37b0370301a096e35abc171fe08d31c)

commit 54b9c1c8cb58608cfaa98fc75654557f8fab2df7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jun 19 14:46:53 2015 +0200

    auth/gensec: gensec_[un]seal_packet() should only work with GENSEC_FEATURE_DCE_STYLE
    
    gensec_sig_size() also requires GENSEC_FEATURE_DCE_STYLE if
    GENSEC_FEATURE_SEAL is negotiated.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 3542d33314e32279340f07f995c1dcbd16106352)

commit b6a59bbd3fb775ce40a45d71d69ba4f777651a8b
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jun 10 16:31:21 2015 -0700

    winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Jun 11 07:30:38 CEST 2015 on sn-devel-104
    
    (cherry picked from commit 4c5fefe0723ae4cd3cacaabc5ae4c500d2306968)
    
    Conflicts:
    	source3/winbindd/winbindd_pam.c
    
    The last 7 patches address
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11328
    we should use resource group sids obtained from pac logon_info

commit 7e05f6024cc6ae593fb3bcc7592018495b6f74d9
Author: Noel Power <noel.power at suse.com>
Date:   Wed Jun 10 13:13:25 2015 +0100

    kerberos auth info3 should contain resource group ids available from pac_logon
    
    successful pam auth (e.g. from ssh) will cache group sids (but not any
    resource group sids). The subsequent cached entry used for groups lookups
    can be missing those resource groups
    
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit efadcb31215f9ccaf7942341c698a8eb2ac166ce)
    
    Conflicts:
    	source3/winbindd/winbindd_pam.c

commit 8ddab98ae07a69920dccb387ba1554e4ff364c33
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Jun 16 23:27:35 2014 -0700

    s3: auth: Fix winbindd_pam_auth_pac_send() to create a new info3 and merge in resource groups from a trusted PAC.
    
    Based on a patch from Richard Sharpe <realrichardsharpe at gmail.com>.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
    Reviewed-by: Simo Sorce <idra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104
    
    (cherry picked from commit e907f8415639d2a7cbc1cc2e40e2e35bfa0024de)

commit 4bdfb15ecd6c3fe154130d252fb7d392dd46323c
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Jun 16 23:15:21 2014 -0700

    s3: auth: Change auth3_generate_session_info_pac() to use a copy of the info3 struct from the struct PAC_LOGON_INFO.
    
    Call create_info3_from_pac_logon_info() to add in any resource SIDs
    from the struct PAC_LOGON_INFO to the info3.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
    Reviewed-by: Simo Sorce <idra at samba.org>
    (cherry picked from commit 0e5a9f44e4b08b93bc4b501d1e14b59ed7b3647c)

commit 02bda079a0a22a62b05689f571da34f232caace4
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Jun 16 23:11:58 2014 -0700

    s3: auth: Add create_info3_from_pac_logon_info() to create a new info3 and merge resource group SIDs into it.
    
    Originally written by Richard Sharpe <realrichardsharpe at gmail.com>.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
    Reviewed-by: Simo Sorce <idra at samba.org>
    (cherry picked from commit db775c68ccbed0252abf092b5cb811e8f5fa9bb6)
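
Worked example of the merge step that the two commits above describe (added here, not Samba code): compose one SID per resource-group RID from the PAC's resource-group domain SID and append it to the extra-SID list of an info3 copy, only when NETLOGON_RESOURCE_GROUPS is set in user_flags. The structs are cut-down stand-ins for Samba's dom_sid, PAC_LOGON_INFO and netr_SamInfo3, the NETLOGON_RESOURCE_GROUPS value is the MS-PAC bit as assumed here, and the domain SID, RIDs and attributes in the demo helpers are constructed. Unlike the page's merge_resource_sids(), this version rejects a PAC that sets the flag but carries no domain SID.

```c
/*
 * Added example, not Samba code: merge PAC resource-group RIDs into the
 * extra-SID list of an info3 copy.  Structs are cut-down stand-ins; the
 * sample PAC values below are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NETLOGON_RESOURCE_GROUPS 0x00000200 /* MS-PAC user_flags bit, assumed here */
#define MAX_SUB_AUTHS  15
#define MAX_EXTRA_SIDS 32

struct dom_sid {
	uint8_t  sid_rev_num;
	uint8_t  num_auths;
	uint8_t  id_auth[6];
	uint32_t sub_auths[MAX_SUB_AUTHS];
};
struct sid_attr { struct dom_sid sid; uint32_t attributes; };
struct rid_attr { uint32_t rid; uint32_t attributes; };

/* The PAC_LOGON_INFO fields the merge needs.  Only trust them after the PAC
 * checksums were verified: the caller, not this function, does that. */
struct pac_logon_info {
	uint32_t user_flags;
	const struct dom_sid *res_group_dom_sid; /* NULL in a malformed PAC */
	uint32_t res_group_count;
	const struct rid_attr *res_groups;
};
struct info3 { uint32_t sidcount; struct sid_attr sids[MAX_EXTRA_SIDS]; };

static int sid_compose(struct dom_sid *dst, const struct dom_sid *domain, uint32_t rid)
{
	if (domain == NULL || domain->num_auths >= MAX_SUB_AUTHS) {
		return -1;
	}
	*dst = *domain;
	dst->sub_auths[dst->num_auths++] = rid;
	return 0;
}

static void sid_to_string(const struct dom_sid *sid, char *buf, size_t len)
{
	uint64_t ia = 0;
	int n, i;

	for (i = 0; i < 6; i++) {
		ia = (ia << 8) | sid->id_auth[i];
	}
	n = snprintf(buf, len, "S-%u-%llu", (unsigned)sid->sid_rev_num, (unsigned long long)ia);
	for (i = 0; i < sid->num_auths && n > 0 && (size_t)n < len; i++) {
		n += snprintf(buf + n, len - n, "-%u", (unsigned)sid->sub_auths[i]);
	}
}

/* Append one SID per resource-group RID.  0 on success, -1 on a malformed
 * PAC (flag set but no domain SID / RID array) or a full extra-SID array. */
static int merge_resource_sids(const struct pac_logon_info *li, struct info3 *info3)
{
	uint32_t i;

	if (!(li->user_flags & NETLOGON_RESOURCE_GROUPS)) {
		return 0; /* nothing to merge */
	}
	if (li->res_group_dom_sid == NULL ||
	    (li->res_group_count > 0 && li->res_groups == NULL)) {
		return -1;
	}
	for (i = 0; i < li->res_group_count; i++) {
		struct sid_attr *slot;

		if (info3->sidcount >= MAX_EXTRA_SIDS) {
			return -1;
		}
		slot = &info3->sids[info3->sidcount];
		if (sid_compose(&slot->sid, li->res_group_dom_sid, li->res_groups[i].rid) != 0) {
			return -1;
		}
		slot->attributes = li->res_groups[i].attributes;
		info3->sidcount++;
	}
	return 0;
}

/* Demo: constructed PAC for domain S-1-5-21-1-2-3 with two resource groups.
 * Returns the merged extra-SID count, or -1 on error; demo_first gets the
 * first merged SID as text. */
static const struct dom_sid demo_domain = { 1, 4, {0, 0, 0, 0, 0, 5}, {21, 1, 2, 3} };
static const struct rid_attr demo_rids[] = { {1105, 7}, {1106, 7} };
static char demo_first[64];

static int demo_merge(int with_flag, int null_domain)
{
	struct pac_logon_info li = {
		with_flag ? NETLOGON_RESOURCE_GROUPS : 0,
		null_domain ? NULL : &demo_domain, 2, demo_rids
	};
	struct info3 info3;

	memset(&info3, 0, sizeof(info3));
	demo_first[0] = '\0';
	if (merge_resource_sids(&li, &info3) != 0) {
		return -1;
	}
	if (info3.sidcount > 0) {
		sid_to_string(&info3.sids[0].sid, demo_first, sizeof(demo_first));
	}
	return (int)info3.sidcount;
}

int main(void)
{
	printf("merged %d SIDs, first: %s\n", demo_merge(1, 0), demo_first);
	printf("flag clear: %d\n", demo_merge(0, 0));
	printf("NULL domain SID with flag set: %d\n", demo_merge(1, 1));
	return 0;
}
```

The merged list is what ends up in the netsamlogon cache and in the session token, so anything that resolves group membership from the cached info3 (the ssh/PAM case in the commit above) now sees the resource groups too.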

commit a3d6a15ba18b20d21a531812ff6e670e6a717178
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Jun 16 22:54:45 2014 -0700

    s3: auth: Change make_server_info_info3() to take a const struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
    
    make_server_info_info3() only reads from the info3 pointer.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
    Reviewed-by: Simo Sorce <idra at samba.org>
    (cherry picked from commit 527f7b54388713acaaf7b66c718cc0f7114fc368)

commit 2ff1428b8db53298c9ecb49b3bf99e302e46c3f0
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jun 11 18:16:01 2015 +0100

    s3: auth: Add some const to the struct netr_SamInfo3 * arguments of copy_netr_SamInfo3() and make_server_info_info3()
    
    Both functions only read from the struct netr_SamInfo3 * argument.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
    Reviewed-by: Simo Sorce <idra at samba.org>
    (cherry picked from commit c2411767adb5ce48a4619349075f6f8faae41aab)
    
    Conflicts:
    	source3/auth/proto.h
    	source3/auth/server_info.c

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/gensec.c                | 14 +++++++
 auth/gensec/gensec_start.c          |  6 +++
 librpc/idl/dcerpc.idl               |  1 +
 librpc/rpc/rpc_common.h             |  6 +++
 source3/auth/auth_generic.c         | 11 +++++-
 source3/auth/auth_util.c            |  2 +-
 source3/auth/proto.h                |  9 +++--
 source3/auth/server_info.c          | 79 ++++++++++++++++++++++++++++++++++++-
 source3/auth/user_krb5.c            |  8 ++--
 source3/librpc/rpc/dcerpc.h         |  2 +-
 source3/librpc/rpc/dcerpc_helpers.c | 26 ++++++------
 source3/rpc_client/cli_pipe.c       |  1 -
 source3/rpc_server/srv_pipe.c       | 28 +------------
 source3/winbindd/winbindd_pam.c     | 38 ++++++++++++++++--
 source4/librpc/rpc/dcerpc.c         | 16 ++++++--
 source4/rpc_server/common/reply.c   |  9 ++++-
 source4/rpc_server/dcesrv_auth.c    |  8 +++-
 source4/selftest/tests.py           |  9 ++++-
 18 files changed, 207 insertions(+), 66 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index ea62861..01c4ac6 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -39,9 +39,15 @@ _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
 	if (!gensec_security->ops->unseal_packet) {
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
+	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
+	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
 	return gensec_security->ops->unseal_packet(gensec_security,
 						   data, length,
@@ -79,6 +85,9 @@ _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
+	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
 	return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
 }
@@ -107,6 +116,11 @@ _PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 		return 0;
 	}
+	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+		if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
+			return 0;
+		}
+	}
 
 	return gensec_security->ops->sig_size(gensec_security, data_size);
 }
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index e46f0ee..8b649e5 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -701,6 +701,12 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 	gensec_security->dcerpc_auth_level = auth_level;
+	/*
+	 * We need to reset sign/seal in order to reset it.
+	 * We may got some default features inherited by the credentials
+	 */
+	gensec_security->want_features &= ~GENSEC_FEATURE_SIGN;
+	gensec_security->want_features &= ~GENSEC_FEATURE_SEAL;
 	gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
 	gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
 	if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
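Review bot: the new comment is circular ("reset sign/seal in order to reset it") and ungrammatical ("We may got"); reword it to say what it means, e.g. "Clear any SIGN/SEAL defaults inherited from the credentials so that only auth_level decides them." The logic itself is right: without the two &= lines a credentials default of SEAL would survive a DCERPC_AUTH_LEVEL_INTEGRITY request, which is exactly the mismatch the commit message describes.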
diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index 86f22a4..f14461c 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -204,6 +204,7 @@ interface dcerpc
 	} dcerpc_auth;
 
 	const uint8 DCERPC_AUTH_TRAILER_LENGTH = 8;
+	const uint8 DCERPC_AUTH_PAD_ALIGNMENT = 16;
 
 	typedef [public] struct {
 		[value(0)]	      uint32    _pad;
diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
index e2b3755..acf2ed2 100644
--- a/librpc/rpc/rpc_common.h
+++ b/librpc/rpc/rpc_common.h
@@ -301,4 +301,10 @@ NTSTATUS dcerpc_binding_handle_call(struct dcerpc_binding_handle *h,
 				    TALLOC_CTX *r_mem,
 				    void *r_ptr);
 
+
+#define DCERPC_AUTH_PAD_LENGTH(stub_length) (\
+	(((stub_length) % DCERPC_AUTH_PAD_ALIGNMENT) > 0)?\
+	(DCERPC_AUTH_PAD_ALIGNMENT - (stub_length) % DCERPC_AUTH_PAD_ALIGNMENT):\
+	0)
+
 #endif /* __DEFAULT_LIBRPC_RPCCOMMON_H__ */
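Review bot: DCERPC_AUTH_PAD_LENGTH() expands stub_length three times, so an argument with side effects (a function call, a post-increment) would be evaluated repeatedly; either document that the argument must be side-effect free or make this a static inline function, which also gives the argument a type. The arithmetic is correct: it yields 0 when stub_length is already a multiple of DCERPC_AUTH_PAD_ALIGNMENT, as the commit messages require.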
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index a2ba4e3..f841f0c 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -44,6 +44,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 {
 	TALLOC_CTX *tmp_ctx;
 	struct PAC_LOGON_INFO *logon_info = NULL;
+	struct netr_SamInfo3 *info3_copy = NULL;
 	bool is_mapped;
 	bool is_guest;
 	char *ntuser;
@@ -101,7 +102,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 
 	/* save the PAC data if we have it */
 	if (logon_info) {
-		netsamlogon_cache_store(ntuser, &logon_info->info3);
+		status = create_info3_from_pac_logon_info(tmp_ctx,
+					logon_info,
+					&info3_copy);
+		if (!NT_STATUS_IS_OK(status)) {
+			goto done;
+		}
+		netsamlogon_cache_store(ntuser, info3_copy);
 	}
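Review bot: the netsamlogon cache now stores the merged copy rather than &logon_info->info3, so anything that later reads the cache sees the resource-group SIDs appended to sids/sidcount. That is the intent of the series, but a one-line comment above netsamlogon_cache_store() saying so would stop a future cleanup from "simplifying" it back to the PAC's own info3. The goto done on failure correctly propagates status.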
 
 	/* setup the string used by %U */
@@ -112,7 +119,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 
 	status = make_session_info_krb5(mem_ctx,
 					ntuser, ntdomain, username, pw,
-					logon_info, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
+					info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
 					session_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
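Review bot: info3_copy stays NULL when there is no PAC, which is fine because make_session_info_krb5() keeps its `else if (info3)` branch (see the user_krb5.c hunk in this patch). info3_copy is, however, allocated on tmp_ctx while session_info is built on mem_ctx, so confirm that make_server_info_info3() deep-copies what it needs; the const added to its parameter in this series does not by itself guarantee that nothing retains a pointer into tmp_ctx.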
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index ceaa706..afa78ec 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1369,7 +1369,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 				const char *sent_nt_username,
 				const char *domain,
 				struct auth_serversupplied_info **server_info,
-				struct netr_SamInfo3 *info3)
+				const struct netr_SamInfo3 *info3)
 {
 	static const char zeros[16] = {0, };
 
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 76661fc..cc51698 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -232,7 +232,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 				const char *sent_nt_username,
 				const char *domain,
 				struct auth_serversupplied_info **server_info,
-				struct netr_SamInfo3 *info3);
+				const struct netr_SamInfo3 *info3);
 struct wbcAuthUserInfo;
 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
 					  const char *sent_nt_username,
@@ -281,13 +281,16 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
 				struct netr_SamInfo3 *sam3);
 NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
 				struct netr_SamInfo6 *sam6);
+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
+                                        const struct PAC_LOGON_INFO *logon_info,
+                                        struct netr_SamInfo3 **pp_info3);
 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
 			  struct samu *samu,
 			  const char *login_server,
 			  struct netr_SamInfo3 **_info3,
 			  struct extra_auth_info *extra);
 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
-					 struct netr_SamInfo3 *orig);
+					 const struct netr_SamInfo3 *orig);
 struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
 					const struct wbcAuthUserInfo *info);
 
@@ -357,7 +360,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 				char *ntdomain,
 				char *username,
 				struct passwd *pw,
-				struct PAC_LOGON_INFO *logon_info,
+				const struct netr_SamInfo3 *info3,
 				bool mapped_to_guest, bool username_was_mapped,
 				DATA_BLOB *session_key,
 				struct auth_session_info **session_info);
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index d2b7d6e..dc84794 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -252,6 +252,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
 	return NT_STATUS_OK;
 }
 
+/*
+ * Merge resource SIDs, if any, into the passed in info3 structure.
+ */
+
+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
+				struct netr_SamInfo3 *info3)
+{
+	uint32_t i = 0;
+
+	if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
+		return NT_STATUS_OK;
+	}
+
+	/*
+	 * If there are any resource groups (SID Compression) add
+	 * them to the extra sids portion of the info3 in the PAC.
+	 *
+	 * This makes the info3 look like it would if we got the info
+	 * from the DC rather than the PAC.
+	 */
+
+	/*
+	 * Construct a SID for each RID in the list and then append it
+	 * to the info3.
+	 */
+	for (i = 0; i < logon_info->res_groups.count; i++) {
+		NTSTATUS status;
+		struct dom_sid new_sid;
+		uint32_t attributes = logon_info->res_groups.rids[i].attributes;
+
+		sid_compose(&new_sid,
+			logon_info->res_group_dom_sid,
+			logon_info->res_groups.rids[i].rid);
+
+		DEBUG(10, ("Adding SID %s to extra SIDS\n",
+			sid_string_dbg(&new_sid)));
+
+		status = append_netr_SidAttr(info3, &info3->sids,
+					&info3->sidcount,
+					&new_sid,
+					attributes);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
+				sid_string_dbg(&new_sid),
+				nt_errstr(status)));
+			return status;
+		}
+	}
+
+	return NT_STATUS_OK;
+}
+
+/*
+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
+ * then merge resource SIDs, if any, into it. If successful return
+ * the created info3 struct.
+ */
+
+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
+					const struct PAC_LOGON_INFO *logon_info,
+					struct netr_SamInfo3 **pp_info3)
+{
+	NTSTATUS status;
+	struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
+					&logon_info->info3);
+	if (info3 == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	status = merge_resource_sids(logon_info, info3);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(info3);
+		return status;
+	}
+	*pp_info3 = info3;
+	return NT_STATUS_OK;
+}
+
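Review bot: merge_resource_sids() dereferences logon_info->res_group_dom_sid without a NULL check. A PAC that sets NETLOGON_RESOURCE_GROUPS in user_flags but carries no resource-group domain SID, or res_groups.count > 0 with a NULL rids array, would crash here rather than fail cleanly; add `if (logon_info->res_group_dom_sid == NULL) { return NT_STATUS_INVALID_PARAMETER; }` (and the matching rids check) before the loop. Also the comment "add them to the extra sids portion of the info3 in the PAC" is slightly off: the function modifies the copy produced by create_info3_from_pac_logon_info(), not the PAC's own info3, and that is the point of the copy.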
 #define RET_NOMEM(ptr) do { \
 	if (!ptr) { \
 		TALLOC_FREE(info3); \
@@ -445,7 +522,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
 	} } while(0)
 
 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
-					 struct netr_SamInfo3 *orig)
+					 const struct netr_SamInfo3 *orig)
 {
 	struct netr_SamInfo3 *info3;
 	unsigned int i;
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index 974a8aa..0a538b4 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -186,7 +186,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 				char *ntdomain,
 				char *username,
 				struct passwd *pw,
-				struct PAC_LOGON_INFO *logon_info,
+				const struct netr_SamInfo3 *info3,
 				bool mapped_to_guest, bool username_was_mapped,
 				DATA_BLOB *session_key,
 				struct auth_session_info **session_info)
@@ -202,14 +202,14 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 			return status;
 		}
 
-	} else if (logon_info) {
+	} else if (info3) {
 		/* pass the unmapped username here since map_username()
 		   will be called again in make_server_info_info3() */
 
 		status = make_server_info_info3(mem_ctx,
 						ntuser, ntdomain,
 						&server_info,
-						&logon_info->info3);
+						info3);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(1, ("make_server_info_info3 failed: %s!\n",
 				  nt_errstr(status)));
@@ -299,7 +299,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 				char *ntdomain,
 				char *username,
 				struct passwd *pw,
-				struct PAC_LOGON_INFO *logon_info,
+				const struct netr_SamInfo3 *info3,
 				bool mapped_to_guest, bool username_was_mapped,
 				DATA_BLOB *session_key,
 				struct auth_session_info **session_info)
diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
index b3ae3b4..60b91d6 100644
--- a/source3/librpc/rpc/dcerpc.h
+++ b/source3/librpc/rpc/dcerpc.h
@@ -76,7 +76,7 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
 				 bool bigendian);
 NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
 			    size_t header_len, size_t data_left,
-			    size_t max_xmit_frag, size_t pad_alignment,
+			    size_t max_xmit_frag,
 			    size_t *data_to_send, size_t *frag_len,
 			    size_t *auth_len, size_t *pad_len);
 NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index a55e419..b48f45c 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -256,7 +256,6 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
 * @param header_len	The length of the packet header
 * @param data_left	The data left in the send buffer
 * @param max_xmit_frag	The max fragment size.
-* @param pad_alignment	The NDR padding size.
 * @param data_to_send	[out] The max data we will send in the pdu
 * @param frag_len	[out] The total length of the fragment
 * @param auth_len	[out] The length of the auth trailer
@@ -266,7 +265,7 @@ NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
 */
 NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
 			    size_t header_len, size_t data_left,
-			    size_t max_xmit_frag, size_t pad_alignment,
+			    size_t max_xmit_frag,
 			    size_t *data_to_send, size_t *frag_len,
 			    size_t *auth_len, size_t *pad_len)
 {
@@ -309,7 +308,11 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
 	case DCERPC_AUTH_TYPE_KRB5:
 		gensec_security = talloc_get_type_abort(auth->auth_ctx,
 							struct gensec_security);
-		*auth_len = gensec_sig_size(gensec_security, max_len);
+		mod_len = (max_len % DCERPC_AUTH_PAD_ALIGNMENT);
+		*auth_len = gensec_sig_size(gensec_security, max_len - mod_len);
+		if (*auth_len == 0) {
+			return NT_STATUS_INTERNAL_ERROR;
+		}
 		break;
 
 	case DCERPC_AUTH_TYPE_SCHANNEL:
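Review bot: only the DCERPC_AUTH_TYPE_KRB5 case rounds `max_len` down to DCERPC_AUTH_PAD_ALIGNMENT before calling gensec_sig_size(); since the signature size is evidently a function of the payload length (it takes `max_len` as an argument), any other case in this switch that also calls gensec_sig_size() on a GENSEC-backed context (not visible in the hunk) should get the same `max_len - mod_len` treatment for consistency. Also note that `*auth_len == 0` now returns NT_STATUS_INTERNAL_ERROR: this is correct for sign/seal, but if this switch can be reached for a DCERPC_AUTH_LEVEL_CONNECT context, where no signature is expected, a zero size would now be reported as an error.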
@@ -322,19 +325,12 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
 	}
 
 	max_len -= *auth_len;
+	mod_len = (max_len % DCERPC_AUTH_PAD_ALIGNMENT);
+	max_len -= mod_len;
 
 	*data_to_send = MIN(max_len, data_left);
 
-	mod_len = (header_len + *data_to_send) % pad_alignment;
-	if (mod_len) {
-		*pad_len = pad_alignment - mod_len;
-	} else {
-		*pad_len = 0;
-	}
-
-	if (*data_to_send + *pad_len > max_len) {
-		*data_to_send -= pad_alignment;
-	}
+	*pad_len = DCERPC_AUTH_PAD_LENGTH(*data_to_send);
 
 	*frag_len = header_len + *data_to_send + *pad_len
 			+ DCERPC_AUTH_TRAILER_LENGTH + *auth_len;
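Review bot: the padding is now computed from the stub length alone, `DCERPC_AUTH_PAD_LENGTH(*data_to_send)`, whereas the removed code aligned `header_len + *data_to_send`; if the header length is not itself a multiple of DCERPC_AUTH_PAD_ALIGNMENT, the auth trailer moves relative to the PDU start, so a one-line comment stating that the alignment is intentionally relative to the stub data would save the next reader from re-deriving it. Removing the old `if (*data_to_send + *pad_len > max_len)` back-off is safe because `max_len` is rounded down to the alignment before the MIN(): when `data_left` wins, `*data_to_send + *pad_len` rounds up to at most the aligned `max_len`, and when `max_len` wins the pad is 0.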
@@ -553,7 +549,7 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
 {
 	struct schannel_state *schannel_auth;
 	struct gensec_security *gensec_security;
-	char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
+	const char pad[DCERPC_AUTH_PAD_ALIGNMENT] = { 0, };
 	DATA_BLOB auth_info;
 	DATA_BLOB auth_blob;
 	NTSTATUS status;
@@ -564,6 +560,8 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
 	}
 
 	if (pad_len) {
+		SMB_ASSERT(pad_len <= ARRAY_SIZE(pad));
+
 		/* Copy the sign/seal padding data. */
 		if (!data_blob_append(NULL, rpc_out, pad, pad_len)) {
 			return NT_STATUS_NO_MEMORY;
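Review bot: `SMB_ASSERT(pad_len <= ARRAY_SIZE(pad))` turns an oversized `pad_len` into a panic instead of an error return; since `pad_len` is produced by dcerpc_guess_sizes() in this same code base the bound holds, but in a network-facing daemon returning NT_STATUS_INVALID_PARAMETER would be the more defensive choice if this function can ever be reached with a caller-supplied value.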
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 385ae25..78b1c5c 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1282,7 +1282,6 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
 	status = dcerpc_guess_sizes(state->cli->auth,
 				    DCERPC_REQUEST_LENGTH, data_left,
 				    state->cli->max_xmit_frag,
-				    CLIENT_NDR_PADDING_SIZE,
 				    &data_sent_thistime,
 				    &frag_len, &auth_len, &pad_len);
 	if (!NT_STATUS_IS_OK(status)) {
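Review bot: with this and the srv_pipe.c hunk below, CLIENT_NDR_PADDING_SIZE and SERVER_NDR_PADDING_SIZE are no longer referenced in these call sites; if the macros become unused tree-wide, their definitions should be removed in the same series so that nobody reintroduces the old per-caller alignment.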
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 7daff04..93339fb 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -141,7 +141,6 @@ static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
 				    DCERPC_RESPONSE_LENGTH,
 				    data_left,
 				    RPC_MAX_PDU_FRAG_LEN,
-				    SERVER_NDR_PADDING_SIZE,
 				    &data_to_send, &frag_len,
 				    &auth_len, &pad_len);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -1066,7 +1065,6 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
 	struct dcerpc_ack_ctx bind_ack_ctx;
 	DATA_BLOB auth_resp = data_blob_null;
 	DATA_BLOB auth_blob = data_blob_null;
-	int pad_len = 0;
 	struct gensec_security *gensec_security;
 
 	DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
@@ -1218,19 +1216,10 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
 	}
 
 	if (auth_resp.length) {
-
-		/* Work out any padding needed before the auth footer. */
-		pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE;
-		if (pad_len) {
-			pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
-			DEBUG(10, ("auth pad_len = %u\n",
-				   (unsigned int)pad_len));
-		}
-
 		status = dcerpc_push_dcerpc_auth(pkt,
 						 auth_info.auth_type,
 						 auth_info.auth_level,
-						 pad_len,
+						 0, /* pad_len */
 						 1, /* auth_context_id */
 						 &auth_resp,
 						 &auth_blob);
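Review bot: passing a constant `0` for `pad_len` assumes the alter_context response body is already on the alignment the auth trailer needs; the removed code padded `p->out_data.frag.length` up to SERVER_NDR_PADDING_SIZE and nothing in this hunk shows why that is no longer required, so a short comment next to `0, /* pad_len */` explaining the guarantee (or the commit message) would make the change reviewable without reading the push code.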
@@ -1244,22 +1233,9 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
 	 * the dcerpc header */
 	dcerpc_set_frag_length(&p->out_data.frag,
 				p->out_data.frag.length +
-					pad_len + auth_blob.length);
+				auth_blob.length);
 
 	if (auth_resp.length) {
-		if (pad_len) {
-			char pad[SERVER_NDR_PADDING_SIZE];
-			memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
-			if (!data_blob_append(p->mem_ctx,
-						&p->out_data.frag,
-						pad, pad_len)) {
-				DEBUG(0, ("api_pipe_bind_req: failed to add "
-					  "%u bytes of pad data.\n",
-					  (unsigned int)pad_len));
-				goto err_exit;
-			}
-		}
-
 		if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
 					auth_blob.data, auth_blob.length)) {
 			DEBUG(0, ("Append of auth info failed.\n"));
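Review bot: the removed block also carried a stale message, "api_pipe_bind_req: failed to add ... pad data", inside api_pipe_alter_context(), so dropping it is an improvement in itself; the remaining `if (auth_resp.length)` body is now a single data_blob_append() and its error message "Append of auth info failed." could name the function for the same reason.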
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 10d30d2..1de3010 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 	time_t time_offset = 0;
 	const char *user_ccache_file;
 	struct PAC_LOGON_INFO *logon_info = NULL;
+	struct netr_SamInfo3 *info3_copy = NULL;
 
 	*info3 = NULL;
 
@@ -664,11 +665,20 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 		goto failed;
 	}
 
-	*info3 = &logon_info->info3;
+	if (logon_info == NULL) {
+		DEBUG(10,("Missing logon_info in ticket of %s\n",
+			principal_s));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
 	DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
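Review bot: the new `logon_info == NULL` check does a bare `return NT_STATUS_INVALID_PARAMETER;` while the surrounding error paths use `goto failed;` (see the line just above the hunk); if the `failed:` label releases the krb5 context or credential cache, this early return leaks them, so prefer `status = NT_STATUS_INVALID_PARAMETER; goto failed;`. The check itself is the right fix for the missing-PAC case, since the removed `*info3 = &logon_info->info3;` dereferenced `logon_info` unconditionally.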

