[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Mon Dec 19 12:42:03 UTC 2016
The branch, master has been updated
via b38f1ae s3:utils: Use cli_cm_force_encryption() instead of cli_force_encryption()
via 6e122ee s3:libsmb: Use cli_cm_force_encryption() instead of cli_force_encryption()
via cb83be2 s3:libsmb: don't let cli_session_creds_init() overwrite the default domain with ""
via a579151 s3:libsmb: split out a cli_session_creds_prepare_krb5() function
via b17543a s3:torture/masktest: masktest only works with SMB1 currently
via 6a5943c s3:torture/masktest: Use cli_tree_connect_creds()
via 65be3af s3:torture: Use cli_tree_connect_creds() where we may use share level auth
via af97833 s3:lib/netapi: Use lp_client_ipc_max_protocol() in libnetapi_open_ipc_connection()
from 59dc07e ctdb-tests: Remove the python LCP2 simulation
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b38f1aee4092cd621081614dce34a86d0d70afff
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 3 15:11:29 2016 +0100
s3:utils: Use cli_cm_force_encryption() instead of cli_force_encryption()
This allows SMB3 encryption instead of returning NT_STATUS_NOT_SUPPORTED.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Dec 19 13:41:15 CET 2016 on sn-devel-144
commit 6e122eef71c05c76d26ffce0ce7c4c4750f428f8
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 3 15:11:29 2016 +0100
s3:libsmb: Use cli_cm_force_encryption() instead of cli_force_encryption()
This allows SMB3 encryption instead of returning NT_STATUS_NOT_SUPPORTED.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit cb83be2f01585cad35e6dba7b60cff301ce08058
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 16 01:26:29 2016 +0100
s3:libsmb: don't let cli_session_creds_init() overwrite the default domain with ""
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a579151ee7a613b11d66a56938e7d894bd4e89a6
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Dec 8 12:11:45 2016 +0100
s3:libsmb: split out a cli_session_creds_prepare_krb5() function
This can be used temporarily to do the required kinit if we use kerberos
and the password has been specified.
In future this should be done in the gensec layer on demand, but there's
more work attached to doing it in the gensec_gse module.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b17543a584f0919b7491bcfc3cd20cf47a9beed1
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 9 09:49:17 2016 +0100
s3:torture/masktest: masktest only works with SMB1 currently
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 6a5943cfd010ce54787fd404fffb4003f4ed6363
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 9 09:49:17 2016 +0100
s3:torture/masktest: Use cli_tree_connect_creds()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 65be3af952791de16a683a1fefc6d5721822245a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 9 09:06:21 2016 +0100
s3:torture: Use cli_tree_connect_creds() where we may use share level auth
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit af9783300c8f2c8c56e958139750e4df7a868a44
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 9 09:48:06 2016 +0100
s3:lib/netapi: Use lp_client_ipc_max_protocol() in libnetapi_open_ipc_connection()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/lib/netapi/cm.c | 2 +-
source3/libsmb/cliconnect.c | 300 ++++++++++++++++++++++-------------------
source3/libsmb/libsmb_server.c | 24 ++--
source3/libsmb/proto.h | 2 +
source3/torture/masktest.c | 4 +-
source3/torture/torture.c | 4 +-
source3/utils/net_util.c | 28 +---
7 files changed, 188 insertions(+), 176 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
index 2649422..57e44ac 100644
--- a/source3/lib/netapi/cm.c
+++ b/source3/lib/netapi/cm.c
@@ -111,7 +111,7 @@ static WERROR libnetapi_open_ipc_connection(struct libnetapi_ctx *ctx,
server_name, "IPC$",
auth_info,
false, false,
- lp_client_max_protocol(),
+ lp_client_ipc_max_protocol(),
0, 0x20, &cli_ipc);
if (!NT_STATUS_IS_OK(status)) {
cli_ipc = NULL;
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 559712e..02c465c 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -72,10 +72,6 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx,
}
cli_credentials_set_conf(creds, lp_ctx);
- if (domain == NULL) {
- domain = "";
- }
-
if (username == NULL) {
username = "";
}
@@ -159,11 +155,13 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx,
goto fail;
}
- ok = cli_credentials_set_domain(creds,
- domain,
- CRED_SPECIFIED);
- if (!ok) {
- goto fail;
+ if (domain != NULL) {
+ ok = cli_credentials_set_domain(creds,
+ domain,
+ CRED_SPECIFIED);
+ if (!ok) {
+ goto fail;
+ }
}
if (principal != NULL) {
@@ -219,6 +217,154 @@ fail:
return NULL;
}
+NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ struct cli_credentials *creds)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ const char *user_principal = NULL;
+ const char *user_account = NULL;
+ const char *user_domain = NULL;
+ const char *pass = NULL;
+ const char *target_hostname = NULL;
+ const DATA_BLOB *server_blob = NULL;
+ enum credentials_use_kerberos krb5_state;
+ bool try_kerberos = false;
+ bool need_kinit = false;
+ bool auth_requested = true;
+ int ret;
+
+ target_hostname = smbXcli_conn_remote_name(cli->conn);
+ if (!cli->got_kerberos_mechanism) {
+ server_blob = smbXcli_conn_server_gss_blob(cli->conn);
+ }
+
+ /* the server might not even do spnego */
+ if (server_blob != NULL && server_blob->length != 0) {
+ char *OIDs[ASN1_MAX_OIDS] = { NULL, };
+ size_t i;
+ bool ok;
+
+ /*
+ * The server sent us the first part of the SPNEGO exchange in the
+ * negprot reply. It is WRONG to depend on the principal sent in the
+ * negprot reply, but right now we do it. If we don't receive one,
+ * we try to best guess, then fall back to NTLM.
+ */
+ ok = spnego_parse_negTokenInit(frame,
+ *server_blob,
+ OIDs,
+ NULL,
+ NULL);
+ if (!ok) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ if (OIDs[0] == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* make sure the server understands kerberos */
+ for (i = 0; OIDs[i] != NULL; i++) {
+ if (i == 0) {
+ DEBUG(3,("got OID=%s\n", OIDs[i]));
+ } else {
+ DEBUGADD(3,("got OID=%s\n", OIDs[i]));
+ }
+
+ if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 ||
+ strcmp(OIDs[i], OID_KERBEROS5) == 0) {
+ cli->got_kerberos_mechanism = true;
+ break;
+ }
+ }
+ }
+
+ auth_requested = cli_credentials_authentication_requested(creds);
+ if (auth_requested) {
+ user_principal = cli_credentials_get_principal(creds, frame);
+ if (user_principal == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ user_account = cli_credentials_get_username(creds);
+ user_domain = cli_credentials_get_domain(creds);
+ pass = cli_credentials_get_password(creds);
+
+ krb5_state = cli_credentials_get_kerberos_state(creds);
+
+ if (krb5_state != CRED_DONT_USE_KERBEROS) {
+ try_kerberos = true;
+ }
+
+ if (target_hostname == NULL) {
+ try_kerberos = false;
+ } else if (is_ipaddress(target_hostname)) {
+ try_kerberos = false;
+ } else if (strequal(target_hostname, "localhost")) {
+ try_kerberos = false;
+ } else if (strequal(target_hostname, STAR_SMBSERVER)) {
+ try_kerberos = false;
+ } else if (!auth_requested) {
+ try_kerberos = false;
+ }
+
+ if (krb5_state == CRED_MUST_USE_KERBEROS && !try_kerberos) {
+ DEBUG(0, ("Kerberos auth with '%s' (%s\\%s) to access "
+ "'%s' not possible\n",
+ user_principal, user_domain, user_account,
+ target_hostname));
+ TALLOC_FREE(frame);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (pass == NULL || strlen(pass) == 0) {
+ need_kinit = false;
+ } else if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ need_kinit = try_kerberos;
+ } else if (!cli->got_kerberos_mechanism) {
+ /*
+ * Most likely the server doesn't support
+ * Kerberos, don't waste time doing a kinit
+ */
+ need_kinit = false;
+ } else {
+ need_kinit = try_kerberos;
+ }
+
+ if (!need_kinit) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+
+
+ /*
+ * TODO: This should be done within the gensec layer
+ * only if required!
+ */
+ setenv(KRB5_ENV_CCNAME, "MEMORY:cliconnect", 1);
+ ret = kerberos_kinit_password(user_principal, pass,
+ 0 /* no time correction for now */,
+ NULL);
+ if (ret != 0) {
+ DEBUG(0, ("Kinit for %s to access %s failed: %s\n",
+ user_principal, target_hostname,
+ error_message(ret)));
+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ TALLOC_FREE(frame);
+ return krb5_to_nt_status(ret);
+ }
+
+ /*
+ * Ignore the error and hope that NTLM will work
+ */
+ }
+
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+}
+
/********************************************************
Utility function to ensure we always return at least
a valid char * pointer to an empty string for the
@@ -689,14 +835,6 @@ static NTSTATUS cli_sesssetup_blob_recv(struct tevent_req *req,
}
/****************************************************************************
- Use in-memory credentials cache
-****************************************************************************/
-
-static void use_in_memory_ccache(void) {
- setenv(KRB5_ENV_CCNAME, "MEMORY:cliconnect", 1);
-}
-
-/****************************************************************************
Do a spnego/NTLMSSP encrypted session setup.
****************************************************************************/
@@ -1089,16 +1227,9 @@ static struct tevent_req *cli_session_setup_spnego_send(
{
struct tevent_req *req, *subreq;
struct cli_session_setup_spnego_state *state;
- const char *user_principal = NULL;
- const char *user_account = NULL;
- const char *user_domain = NULL;
- const char *pass = NULL;
+ const char *target_service = NULL;
const char *target_hostname = NULL;
- const DATA_BLOB *server_blob = NULL;
- enum credentials_use_kerberos krb5_state;
- bool try_kerberos = false;
- bool need_kinit = false;
- bool auth_requested = true;
+ NTSTATUS status;
req = tevent_req_create(mem_ctx, &state,
struct cli_session_setup_spnego_state);
@@ -1106,123 +1237,16 @@ static struct tevent_req *cli_session_setup_spnego_send(
return NULL;
}
+ target_service = "cifs";
target_hostname = smbXcli_conn_remote_name(cli->conn);
- server_blob = smbXcli_conn_server_gss_blob(cli->conn);
-
- /* the server might not even do spnego */
- if (server_blob != NULL && server_blob->length != 0) {
- char *principal = NULL;
- char *OIDs[ASN1_MAX_OIDS];
- int i;
-
- /* The server sent us the first part of the SPNEGO exchange in the
- * negprot reply. It is WRONG to depend on the principal sent in the
- * negprot reply, but right now we do it. If we don't receive one,
- * we try to best guess, then fall back to NTLM. */
- if (!spnego_parse_negTokenInit(state, *server_blob, OIDs,
- &principal, NULL) ||
- OIDs[0] == NULL) {
- state->result = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
- tevent_req_done(req);
- return tevent_req_post(req, ev);
- }
- TALLOC_FREE(principal);
- /* make sure the server understands kerberos */
- for (i = 0; OIDs[i] != NULL; i++) {
- if (i == 0) {
- DEBUG(3,("got OID=%s\n", OIDs[i]));
- } else {
- DEBUGADD(3,("got OID=%s\n", OIDs[i]));
- }
-
- if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 ||
- strcmp(OIDs[i], OID_KERBEROS5) == 0) {
- cli->got_kerberos_mechanism = True;
- }
- talloc_free(OIDs[i]);
- }
- }
-
- auth_requested = cli_credentials_authentication_requested(creds);
- if (auth_requested) {
- user_principal = cli_credentials_get_principal(creds, state);
- if (tevent_req_nomem(user_principal, req)) {
- return tevent_req_post(req, ev);
- }
- }
- user_account = cli_credentials_get_username(creds);
- user_domain = cli_credentials_get_domain(creds);
- pass = cli_credentials_get_password(creds);
-
- krb5_state = cli_credentials_get_kerberos_state(creds);
-
- if (krb5_state != CRED_DONT_USE_KERBEROS) {
- try_kerberos = true;
- }
-
- if (target_hostname == NULL) {
- try_kerberos = false;
- } else if (is_ipaddress(target_hostname)) {
- try_kerberos = false;
- } else if (strequal(target_hostname, "localhost")) {
- try_kerberos = false;
- } else if (strequal(target_hostname, STAR_SMBSERVER)) {
- try_kerberos = false;
- } else if (!auth_requested) {
- try_kerberos = false;
- }
-
- if (krb5_state == CRED_MUST_USE_KERBEROS && !try_kerberos) {
- DEBUG(0, ("Kerberos auth with '%s' (%s\\%s) to access "
- "'%s' not possible\n",
- user_principal, user_domain, user_account,
- target_hostname));
- tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
- return tevent_req_post(req, ev);
- }
-
- if (pass == NULL || strlen(pass) == 0) {
- need_kinit = false;
- } else if (krb5_state == CRED_MUST_USE_KERBEROS) {
- need_kinit = try_kerberos;
- } else if (!cli->got_kerberos_mechanism) {
- /*
- * Most likely the server doesn't support
- * Kerberos, don't waste time doing a kinit
- */
- need_kinit = false;
- } else {
- need_kinit = try_kerberos;
- }
-
- if (need_kinit) {
- int ret;
-
- use_in_memory_ccache();
- ret = kerberos_kinit_password(user_principal, pass,
- 0 /* no time correction for now */,
- NULL);
-
- if (ret != 0) {
- DEBUG(0, ("Kinit for %s to access %s failed: %s\n",
- user_principal, target_hostname,
- error_message(ret)));
- if (krb5_state == CRED_MUST_USE_KERBEROS) {
- state->result = ADS_ERROR_KRB5(ret);
- tevent_req_done(req);
- return tevent_req_post(req, ev);
- }
-
- /*
- * Ignore the error and hope that NTLM will work
- */
- ret = 0;
- }
+ status = cli_session_creds_prepare_krb5(cli, creds);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);;
}
subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
- "cifs", target_hostname);
+ target_service, target_hostname);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
}
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index 438b7e6..e0cdc97 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -587,11 +587,13 @@ SMBC_server_internal(TALLOC_CTX *ctx,
}
if (context->internal->smb_encryption_level) {
- /* Attempt UNIX smb encryption. */
- if (!NT_STATUS_IS_OK(cli_force_encryption(c,
- username_used,
- password_used,
- *pp_workgroup))) {
+ /* Attempt encryption. */
+ status = cli_cm_force_encryption(c,
+ username_used,
+ password_used,
+ *pp_workgroup,
+ share);
+ if (!NT_STATUS_IS_OK(status)) {
/*
* context->smb_encryption_level == 1
@@ -787,11 +789,13 @@ SMBC_attr_server(TALLOC_CTX *ctx,
}
if (context->internal->smb_encryption_level) {
- /* Attempt UNIX smb encryption. */
- if (!NT_STATUS_IS_OK(cli_force_encryption(ipc_cli,
- *pp_username,
- *pp_password,
- *pp_workgroup))) {
+ /* Attempt encryption. */
+ nt_status = cli_cm_force_encryption(ipc_cli,
+ *pp_username,
+ *pp_password,
+ *pp_workgroup,
+ "IPC$");
+ if (!NT_STATUS_IS_OK(nt_status)) {
/*
* context->smb_encryption_level ==
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
index e1cd185..290183c 100644
--- a/source3/libsmb/proto.h
+++ b/source3/libsmb/proto.h
@@ -43,6 +43,8 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx,
bool fallback_after_kerberos,
bool use_ccache,
bool password_is_nt_hash);
+NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ struct cli_credentials *creds);
struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct cli_state *cli,
diff --git a/source3/torture/masktest.c b/source3/torture/masktest.c
index 537cfb0..95e0b04 100644
--- a/source3/torture/masktest.c
+++ b/source3/torture/masktest.c
@@ -218,8 +218,7 @@ static struct cli_state *connect_one(char *share)
DEBUG(4,(" session setup ok\n"));
- status = cli_tree_connect(c, share, "?????", password,
- strlen(password)+1);
+ status = cli_tree_connect_creds(c, share, "?????", test_creds);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("tree connect failed: %s\n", nt_errstr(status)));
cli_shutdown(c);
@@ -537,6 +536,7 @@ static void usage(void)
argv += optind;
max_protocol = lp_client_max_protocol();
+ max_protocol = MIN(max_protocol, PROTOCOL_NT1);
if (!got_pass) {
char pwd[256] = {0};
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 8f0f136..7072f3c 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -1341,7 +1341,7 @@ static bool run_tcon_test(int dummy)
return False;
}
- status = cli_tree_connect(cli, share, "?????", password);
+ status = cli_tree_connect_creds(cli, share, "?????", torture_creds);
if (!NT_STATUS_IS_OK(status)) {
printf("%s refused 2nd tree connect (%s)\n", host,
nt_errstr(status));
@@ -1466,7 +1466,7 @@ static bool tcon_devtest(struct cli_state *cli,
NTSTATUS status;
bool ret;
- status = cli_tree_connect(cli, myshare, devtype, password);
+ status = cli_tree_connect_creds(cli, myshare, devtype, torture_creds);
if (NT_STATUS_IS_OK(expected_error)) {
if (NT_STATUS_IS_OK(status)) {
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
index cc65457..86a4667 100644
--- a/source3/utils/net_util.c
+++ b/source3/utils/net_util.c
@@ -155,29 +155,11 @@ NTSTATUS connect_to_service(struct net_context *c,
}
if (c->smb_encrypt) {
- nt_status = cli_force_encryption(*cli_ctx,
- c->opt_user_name,
- c->opt_password,
- c->opt_workgroup);
-
- if (NT_STATUS_EQUAL(nt_status,NT_STATUS_NOT_SUPPORTED)) {
- d_printf(_("Encryption required and "
- "server that doesn't support "
- "UNIX extensions - failing connect\n"));
- } else if (NT_STATUS_EQUAL(nt_status,NT_STATUS_UNKNOWN_REVISION)) {
- d_printf(_("Encryption required and "
- "can't get UNIX CIFS extensions "
- "version from server.\n"));
- } else if (NT_STATUS_EQUAL(nt_status,NT_STATUS_UNSUPPORTED_COMPRESSION)) {
- d_printf(_("Encryption required and "
- "share %s doesn't support "
- "encryption.\n"), service_name);
- } else if (!NT_STATUS_IS_OK(nt_status)) {
- d_printf(_("Encryption required and "
- "setup failed with error %s.\n"),
- nt_errstr(nt_status));
- }
-
+ nt_status = cli_cm_force_encryption(*cli_ctx,
+ c->opt_user_name,
+ c->opt_password,
+ c->opt_workgroup,
+ service_name);
--
Samba Shared Repository
More information about the samba-cvs
mailing list