[SCM] Samba Shared Repository - branch v4-4-test updated
Stefan Metzmacher
metze at samba.org
Fri Apr 29 11:13:13 UTC 2016
The branch, v4-4-test has been updated
via b9cc3bd s3:selftest: add smbclient_ntlm tests
via d96f774 selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP
via 883660a selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes
via 7548e8d s3:test_smbclient_auth.sh: this script reqiures 5 arguments
via 771bcf9 selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc
via 6d62364 auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing
via c52eab4 auth/spnego: add spnego:simulate_w2k option for testing
via eb085f3 auth/ntlmssp: do map to guest checking after the authentication
via ab24cfa s3:smbd: only mark real guest sessions with the GUEST flag
via 2a9cbef s3:smbd: make use SMB_SETUP_GUEST constant
via 696b25f libcli/security: implement SECURITY_GUEST
via 070ae1b s3:auth_builtin: anonymous authentication doesn't allow a password
via 039dc0b s4:auth_anonymous: anonymous authentication doesn't allow a password
via 622a603 auth/spnego: only try to verify the mechListMic if signing was negotiated.
via bc2331b s3:libsmb: use anonymous authentication via spnego if possible
via 702d846 s3:libsmb: don't finish the gensec handshake for guest logins
via 779a339 s3:libsmb: record the session setup action flags
via ad94c11 libcli/smb: add smbXcli_session_is_guest() helper function
via 2bae4e9 libcli/smb: add SMB1 session setup action flags
via e61d929 libcli/smb: add smb1cli_session_set_action() helper function
via eff4ed6 libcli/smb: fix NULL pointer derreference in smbXcli_session_is_authenticated().
via ce9dc37 s3:libsmb: use password = NULL for anonymous connections
via e72697d auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
via 0e06d40 auth/ntlmssp: don't require any flags in the ccache_resume code
via f26e6c9 auth/spnego: handle broken mechListMIC response from Windows 2000
via 8a8a567 auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR'
via 9aa4b3c s3:librpc:crypto:gse: increase debug level for gse_init_client().
via a9a5c60 lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache().
via fc3a36c s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
via 8f159c5 s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff
via 794d0c2 Mask general purpose signals for notifyd.
from 1a36149 WHATSNEW: Start release notes for Samba 4.4.3.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test
- Log -----------------------------------------------------------------
commit b9cc3bdc7f011a7761157c14cd833b10e14588d6
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 25 16:12:47 2016 +0200
s3:selftest: add smbclient_ntlm tests
We test all combinations of NT1 with and without spnego and SMB3
for user, anonymous and guest authentication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Apr 28 20:16:45 CEST 2016 on sn-devel-144
(cherry picked from commit eee88e07b3e68efb467b390536eea4155b5ced7e)
Autobuild-User(v4-4-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-4-test): Fri Apr 29 13:12:46 CEST 2016 on sn-devel-144
commit d96f774432819c3deb03f7fc9d879047b54882c1
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 25 16:02:22 2016 +0200
selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 4de43387235cb17a185fdd1afd658972e8c174ef)
commit 883660adc5590fa4d178eac7dc4c5332b66a44cc
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 27 01:00:14 2016 +0200
selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 587b5db7979c1ca1055f5bfd81ab79606cd3c2dd)
commit 7548e8d3e97d9afdc85e0dbbb4b56aa65136c068
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 26 11:33:52 2016 +0200
s3:test_smbclient_auth.sh: this script reqiures 5 arguments
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 70910334caa176bf98fece7d638ed599979dc173)
commit 771bcf992addba20ac61d38deee8467312ae004d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 26 08:50:00 2016 +0200
selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit b8055cb42cadf48367867213a35635f3391c9b8d)
commit 6d6236421e27527344cc43a0b685fd8368c581db
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 25 15:58:27 2016 +0200
auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 7a2cb2c97611171613fc677a534277839348c56f)
commit c52eab433d60c1395b76d60d341859ebb491e3a6
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 25 14:45:55 2016 +0200
auth/spnego: add spnego:simulate_w2k option for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit db9c01a51975a0a3ec2564357617958c2f466091)
commit eb085f389f56b6e8e270afdbd9d69485e3a2be99
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 20 18:27:34 2016 +0200
auth/ntlmssp: do map to guest checking after the authentication
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit d667520568996471b55007a42b503edbabb1eee0)
commit ab24cfadcd879a7507551e9e60bb4b09f21846d0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 20 16:34:28 2016 +0200
s3:smbd: only mark real guest sessions with the GUEST flag
Real anonymous sessions don't get it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 79a71545bfc87525c6ba6c8fe9fa7d8a9da33441)
commit 2a9cbef97d2e5803f1e67dbc2c5205db9eee2285
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 18 17:36:56 2016 +0200
s3:smbd: make use SMB_SETUP_GUEST constant
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 25ce97892ad3ce5028e4dbbbdd844ef6619ac396)
commit 696b25f1f0932dc43c288dbb7b512629a1df7015
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 20 16:29:42 2016 +0200
libcli/security: implement SECURITY_GUEST
SECURITY_GUEST is not exactly the same as SECURITY_ANONYMOUS.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 837e6176329330893d5a1e4ce4ac67dbac758e56)
commit 070ae1b079caf4b3ecadd9764d677935618199e0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 27 01:48:32 2016 +0200
s3:auth_builtin: anonymous authentication doesn't allow a password
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit ead483b0c0ec746c0869162024c97f2e08df7f4b)
commit 039dc0b597173395a33ef34266b921ca75ffd338
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 27 01:44:56 2016 +0200
s4:auth_anonymous: anonymous authentication doesn't allow a password
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit d247dceaaab24b568425f2360e40f5e91be452cc)
commit 622a603c4b7a82eb9f6da37bb7e17b1ad4108b85
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 22 10:04:38 2016 +0200
auth/spnego: only try to verify the mechListMic if signing was negotiated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 65462958522baee6eedcedd4193cfcc8cf0f510e)
commit bc2331bc8c208713ff4ca11b37b10c6ee714190b
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 19 07:33:03 2016 +0200
s3:libsmb: use anonymous authentication via spnego if possible
This makes the authentication consistent between
SMB1 with CAP_EXTENDED_SECURITY (introduced in Windows 2000)
and SNB2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit e72ad193a53e20b769f798d02c0610f91859bd38)
commit 702d846d6f2f31027ba3fc2016c3c5ee5a3be57a
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 19 07:20:28 2016 +0200
s3:libsmb: don't finish the gensec handshake for guest logins
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit fa5799207e55ee8e329f36f784d027845eaf0e34)
commit 779a339cd83ee14efa24ffb4865a697631d8df14
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 19 07:19:19 2016 +0200
s3:libsmb: record the session setup action flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 02c902103521e5a2b1d221db83e6c59d0ce31099)
commit ad94c11330f361115e478f73cb28132ff737aaa0
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 18 17:38:46 2016 +0200
libcli/smb: add smbXcli_session_is_guest() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 8f4a4bec089b46bbeb0e0f37bb682acb88702bf2)
commit 2bae4e9f0d896bda3e87acd74900198545e56d5f
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 18 17:34:21 2016 +0200
libcli/smb: add SMB1 session setup action flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit cceaa61cf064926baca6db4b303d34ea90d40d52)
commit e61d929391bcecd6619c9dc33086062cab7f284c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 18 17:33:11 2016 +0200
libcli/smb: add smb1cli_session_set_action() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit e6f9e176f2bb0e3e7451ac58e84ff55328219fcd)
commit eff4ed6420ca7c07d7b12fe0d8c81c2081bb77c8
Author: Günther Deschner <gd at samba.org>
Date: Wed Apr 20 20:09:53 2016 +0200
libcli/smb: fix NULL pointer derreference in smbXcli_session_is_authenticated().
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 8e016ffeb01167bb8dec66cf9e4bc8605461c15a)
commit ce9dc371c81192ce3c94c40f2a3db5f162932329
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 19 07:31:50 2016 +0200
s3:libsmb: use password = NULL for anonymous connections
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11858
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 53be47410236ef7c90fe895f49f300e3fe47a8bf)
commit e72697d8bcc12592285cf4d27158134e4bf19266
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 20 18:44:21 2016 +0200
auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
Enforcement of SMB signing is done at the SMB layer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit d97b347d041f9b5c0aa71f35526cbefd56f3500b)
commit 0e06d40fc7b86370327d4aa7ffa9bdbb0e66ebdf
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 20 18:44:21 2016 +0200
auth/ntlmssp: don't require any flags in the ccache_resume code
ntlmssp_client_challenge() already checks for required flags
before asking winbindd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 5041adb6657596399049a33e6a739a040b4df0db)
commit f26e6c9a797751d451c2f47557d740d119302e6e
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Apr 23 05:17:25 2016 +0200
auth/spnego: handle broken mechListMIC response from Windows 2000
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11870
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 032c2733dea834e2c95178cdd0deb73e7bb13621)
commit 8a8a5677295d5008bd09fff109cf16ca6a0bdfd2
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 28 12:26:16 2016 +0200
auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 9930bd17f2d39e4be1e125f83f7de489a94ea1d1)
commit 9aa4b3c5d86a88d8b73d5bfba0d67a1cc05cd16d
Author: Günther Deschner <gd at samba.org>
Date: Thu Apr 28 12:58:33 2016 +0200
s3:librpc:crypto:gse: increase debug level for gse_init_client().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit b6595037f3fcaafb957d9c08edfb89c72cded987)
commit a9a5c6023834af8ec565e5a61e2b957d3da49ab7
Author: Günther Deschner <gd at samba.org>
Date: Thu Apr 28 12:58:10 2016 +0200
lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 95b8b020626ba58a77a21e3da804bac2f0cf90b1)
commit fc3a36c23fb3b05234c1e1c75619cdbeff5e704d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 22 16:31:55 2016 +0200
s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 795e796658e6da0149c9c00ece7cca4ccc457717)
commit 8f159c53b63053f851990ed13a978af557ca297a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 22 16:18:24 2016 +0200
s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
(cherry picked from commit 8704958fb3b212b401a8e7d94fdd9c627adbde0d)
commit 794d0c2a8cd693c8bc5cba951f320df97974b02f
Author: Hemanth Thummala <hemanth.thummala at nutanix.com>
Date: Thu Apr 14 13:09:37 2016 -0700
Mask general purpose signals for notifyd.
Currently there is no signal handling available for notify daemon.
Signals like SIGHUP and SIGUSR1 can lead to terminate the notify
daemon. Masking these signals for notifyd as we are not handling them.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11840
Signed-off-by: Hemanth Thummala <hemanth.thummala at nutanix.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Fri Apr 15 15:31:19 CEST 2016 on sn-devel-144
(cherry picked from commit cade673f5fff8a578b8620149688ecc93e981205)
-----------------------------------------------------------------------
Summary of changes:
auth/gensec/spnego.c | 66 +++++++++++++++++----
auth/ntlmssp/gensec_ntlmssp_server.c | 15 ++---
auth/ntlmssp/ntlmssp_client.c | 15 ++---
auth/ntlmssp/ntlmssp_server.c | 40 +++++++++++++
lib/krb5_wrap/krb5_samba.c | 4 +-
libcli/security/security_token.c | 5 ++
libcli/security/security_token.h | 2 +
libcli/security/session.c | 4 ++
libcli/security/session.h | 1 +
libcli/smb/smbXcli_base.c | 35 +++++++++++
libcli/smb/smbXcli_base.h | 3 +
libcli/smb/smb_constants.h | 6 ++
selftest/target/Samba.pm | 13 ++++
selftest/target/Samba4.pm | 23 +++++++-
source3/auth/auth_builtin.c | 47 ++++++++++++---
source3/libads/sasl.c | 4 +-
source3/librpc/crypto/gse.c | 2 +-
source3/libsmb/cliconnect.c | 92 +++++++++++++++++++++--------
source3/script/tests/test_smbclient_auth.sh | 2 +-
source3/script/tests/test_smbclient_ntlm.sh | 40 +++++++++++++
source3/selftest/tests.py | 4 +-
source3/smbd/notifyd/notifyd.c | 4 ++
source3/smbd/sesssetup.c | 12 ++--
source3/smbd/smb2_sesssetup.c | 7 ++-
source4/auth/gensec/gensec_tstream.c | 6 +-
source4/auth/ntlm/auth_anonymous.c | 30 ++++++++++
26 files changed, 403 insertions(+), 79 deletions(-)
create mode 100755 source3/script/tests/test_smbclient_ntlm.sh
Changeset truncated at 500 lines:
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 2922478..3962d72 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -59,6 +59,8 @@ struct spnego_state {
bool needs_mic_check;
bool done_mic_check;
+ bool simulate_w2k;
+
/*
* The following is used to implement
* the update token fragmentation
@@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k", false);
+
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
@@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k", false);
+
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
@@ -661,7 +669,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
talloc_free(spnego_state->sub_sec_security);
spnego_state->sub_sec_security = NULL;
- DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
+ DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
return nt_status;
}
@@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego.negTokenInit.mechToken,
&unwrapped_out);
+ if (spnego_state->simulate_w2k) {
+ /*
+ * Windows 2000 returns the unwrapped token
+ * also in the mech_list_mic field.
+ *
+ * In order to verify our client code,
+ * we need a way to have a server with this
+ * broken behaviour
+ */
+ mech_list_mic = unwrapped_out;
+ }
+
nt_status = gensec_spnego_server_negTokenTarg(spnego_state,
out_mem_ctx,
nt_status,
unwrapped_out,
- null_data_blob,
+ mech_list_mic,
out);
spnego_free_data(&spnego);
@@ -885,6 +905,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
case SPNEGO_SERVER_TARG:
{
NTSTATUS nt_status;
+ bool have_sign = true;
bool new_spnego = false;
if (!in.length) {
@@ -947,18 +968,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
goto server_response;
}
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
if (spnego.negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
@@ -1078,6 +1104,24 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC;
+ const DATA_BLOB *r = &spnego.negTokenTarg.responseToken;
+
+ /*
+ * Windows 2000 has a bug, it repeats the
+ * responseToken in the mechListMIC field.
+ */
+ if (m->length == r->length) {
+ int cmp;
+
+ cmp = memcmp(m->data, r->data, m->length);
+ if (cmp == 0) {
+ data_blob_free(m);
+ }
+ }
+ }
+
+ if (spnego.negTokenTarg.mechListMIC.length > 0) {
if (spnego_state->no_response_expected) {
spnego_state->needs_mic_check = true;
}
@@ -1124,8 +1168,14 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (spnego_state->no_response_expected &&
!spnego_state->done_mic_check)
{
+ bool have_sign = true;
bool new_spnego = false;
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
@@ -1152,16 +1202,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
if (spnego_state->mic_requested) {
- bool sign;
-
- sign = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_SIGN);
- if (sign) {
+ if (have_sign) {
new_spnego = true;
}
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index ca19863..99cedd0 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -131,20 +131,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
ntlmssp_state->allow_lm_key = true;
}
- if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) {
- /*
- * map to guest is not secure anyway, so
- * try to make it work and don't try to
- * negotiate new_spnego and MIC checking
- */
- ntlmssp_state->force_old_spnego = true;
- }
+ ntlmssp_state->force_old_spnego = false;
- if (role == ROLE_ACTIVE_DIRECTORY_DC) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) {
/*
- * map to guest is not supported on an AD DC.
+ * For testing Windows 2000 mode
*/
- ntlmssp_state->force_old_spnego = false;
+ ntlmssp_state->force_old_spnego = true;
}
ntlmssp_state->neg_flags =
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b419615..5edd5f4 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
gensec_security->want_features |= GENSEC_FEATURE_SIGN;
-
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
gensec_security->want_features |= GENSEC_FEATURE_SEAL;
-
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
- ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
+ ntlmssp_state->required_flags = 0;
if (DEBUGLEVEL >= 10) {
struct NEGOTIATE_MESSAGE *negotiate = talloc(
@@ -789,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
+ ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings,
+ "ntlmssp_client", "force_old_spnego", false);
+
ntlmssp_state->expected_state = NTLMSSP_INITIAL;
ntlmssp_state->neg_flags =
@@ -848,8 +846,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
* Without this, Windows will not create the master key
* that it thinks is only used for NTLMSSP signing and
* sealing. (It is actually pulled out and used directly)
+ *
+ * We don't require this here as some servers (e.g. NetAPP)
+ * doesn't support this.
*/
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 17d5ade..ddee875 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -31,6 +31,9 @@
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"
#include "auth/common_auth.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+#include "libcli/security/session.h"
/**
* Determine correct target name flags for reply, given server role
@@ -700,6 +703,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
struct auth4_context *auth_context = gensec_security->auth_context;
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+ struct auth_session_info *session_info = NULL;
struct auth_usersupplied_info *user_info;
user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
@@ -736,6 +740,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
NT_STATUS_NOT_OK_RETURN(nt_status);
+ if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST
+ && auth_context->generate_session_info != NULL)
+ {
+ NTSTATUS tmp_status;
+
+ /*
+ * We need to check if the auth is anonymous or mapped to guest
+ */
+ tmp_status = auth_context->generate_session_info(auth_context, mem_ctx,
+ gensec_ntlmssp->server_returned_info,
+ gensec_ntlmssp->ntlmssp_state->user,
+ AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
+ &session_info);
+ if (!NT_STATUS_IS_OK(tmp_status)) {
+ /*
+ * We don't care about failures,
+ * the worst result is that we try MIC checking
+ * for a map to guest authentication.
+ */
+ TALLOC_FREE(session_info);
+ }
+ }
+
+ if (session_info != NULL) {
+ if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
+ /*
+ * Anonymous and GUEST are not secure anyway.
+ * avoid new_spnego and MIC checking.
+ */
+ ntlmssp_state->new_spnego = false;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+ }
+ TALLOC_FREE(session_info);
+ }
+
talloc_steal(mem_ctx, user_session_key->data);
talloc_steal(mem_ctx, lm_session_key->data);
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 13984e9..6cfd498 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2397,12 +2397,12 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
"Trying to read krb5 cache: %s\n",
krb5_cc_default_name(ctx)));
if (krb5_cc_default(ctx, &cc)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+ DEBUG(5,("kerberos_get_default_realm_from_ccache: "
"failed to read default cache\n"));
goto out;
}
if (krb5_cc_get_principal(ctx, cc, &princ)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+ DEBUG(5,("kerberos_get_default_realm_from_ccache: "
"failed to get default principal\n"));
goto out;
}
diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c
index 6812d42..2e5a87b 100644
--- a/libcli/security/security_token.c
+++ b/libcli/security/security_token.c
@@ -130,6 +130,11 @@ bool security_token_has_sid_string(const struct security_token *token, const cha
return ret;
}
+bool security_token_has_builtin_guests(const struct security_token *token)
+{
+ return security_token_has_sid(token, &global_sid_Builtin_Guests);
+}
+
bool security_token_has_builtin_administrators(const struct security_token *token)
{
return security_token_has_sid(token, &global_sid_Builtin_Administrators);
diff --git a/libcli/security/security_token.h b/libcli/security/security_token.h
index b8ca990..5c5b30b 100644
--- a/libcli/security/security_token.h
+++ b/libcli/security/security_token.h
@@ -51,6 +51,8 @@ bool security_token_has_sid(const struct security_token *token, const struct dom
bool security_token_has_sid_string(const struct security_token *token, const char *sid_string);
+bool security_token_has_builtin_guests(const struct security_token *token);
+
bool security_token_has_builtin_administrators(const struct security_token *token);
bool security_token_has_nt_authenticated_users(const struct security_token *token);
diff --git a/libcli/security/session.c b/libcli/security/session.c
index 0c32556..0fbb87d 100644
--- a/libcli/security/session.c
+++ b/libcli/security/session.c
@@ -38,6 +38,10 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
return SECURITY_ANONYMOUS;
}
+ if (security_token_has_builtin_guests(session_info->security_token)) {
+ return SECURITY_GUEST;
+ }
+
if (security_token_has_builtin_administrators(session_info->security_token)) {
return SECURITY_ADMINISTRATOR;
}
diff --git a/libcli/security/session.h b/libcli/security/session.h
index ee9187d..31e950e 100644
--- a/libcli/security/session.h
+++ b/libcli/security/session.h
@@ -24,6 +24,7 @@
enum security_user_level {
SECURITY_ANONYMOUS = 0,
+ SECURITY_GUEST = 1,
SECURITY_USER = 10,
SECURITY_RO_DOMAIN_CONTROLLER = 20,
SECURITY_DOMAIN_CONTROLLER = 30,
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index b635c14..faf74ca 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -167,6 +167,7 @@ struct smbXcli_session {
struct {
uint16_t session_id;
+ uint16_t action;
DATA_BLOB application_key;
bool protected_key;
} smb1;
@@ -5301,10 +5302,38 @@ struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
return session;
}
+bool smbXcli_session_is_guest(struct smbXcli_session *session)
+{
+ if (session == NULL) {
+ return false;
+ }
+
+ if (session->conn == NULL) {
+ return false;
+ }
+
+ if (session->conn->protocol >= PROTOCOL_SMB2_02) {
+ if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
+ return true;
+ }
+ return false;
+ }
+
+ if (session->smb1.action & SMB_SETUP_GUEST) {
+ return true;
+ }
+
+ return false;
+}
+
bool smbXcli_session_is_authenticated(struct smbXcli_session *session)
{
const DATA_BLOB *application_key;
+ if (session == NULL) {
+ return false;
+ }
+
if (session->conn == NULL) {
return false;
}
@@ -5372,6 +5401,12 @@ void smb1cli_session_set_id(struct smbXcli_session *session,
session->smb1.session_id = session_id;
}
+void smb1cli_session_set_action(struct smbXcli_session *session,
+ uint16_t action)
+{
+ session->smb1.action = action;
+}
+
NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
const DATA_BLOB _session_key)
{
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index e4cfb10..8b9851b 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -390,6 +390,7 @@ struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx,
struct smbXcli_conn *conn);
struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
struct smbXcli_session *src);
+bool smbXcli_session_is_guest(struct smbXcli_session *session);
bool smbXcli_session_is_authenticated(struct smbXcli_session *session);
NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
TALLOC_CTX *mem_ctx,
@@ -398,6 +399,8 @@ void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session);
uint16_t smb1cli_session_current_id(struct smbXcli_session* session);
void smb1cli_session_set_id(struct smbXcli_session* session,
uint16_t session_id);
+void smb1cli_session_set_action(struct smbXcli_session *session,
+ uint16_t action);
NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
const DATA_BLOB _session_key);
NTSTATUS smb1cli_session_protect_session_key(struct smbXcli_session *session);
diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
index 57915d9..e03e843 100644
--- a/libcli/smb/smb_constants.h
+++ b/libcli/smb/smb_constants.h
@@ -278,6 +278,12 @@ enum smb_signing_setting {
CAP_LARGE_WRITEX | \
0)
+/*
+ * The action flags in the SMB session setup response
+ */
+#define SMB_SETUP_GUEST 0x0001
+#define SMB_SETUP_USE_LANMAN_KEY 0x0002
+
/* Client-side offline caching policy types */
enum csc_policy {
CSC_POLICY_MANUAL=0,
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 6ca1036..17a2bbe 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -200,6 +200,19 @@ sub mk_krb5_conf($$)
forwardable = yes
allow_weak_crypto = yes
+";
+
+ if (defined($ctx->{supported_enctypes})) {
+ print KRB5CONF "
+ default_etypes = $ctx->{supported_enctypes}
+ default_as_etypes = $ctx->{supported_enctypes}
+ default_tgs_enctypes = $ctx->{supported_enctypes}
+ default_tkt_enctypes = $ctx->{supported_enctypes}
+ permitted_enctypes = $ctx->{supported_enctypes}
+";
+ }
+
+ print KRB5CONF "
--
Samba Shared Repository
More information about the samba-cvs
mailing list