[SCM] Samba Shared Repository - branch v4-4-stable updated
Karolin Seeger
kseeger at samba.org
Mon May 2 07:53:29 UTC 2016
The branch, v4-4-stable has been updated
via f67230d VERSION: Disable git snapshots for the 4.4.3 release.
via d89905e WHATSNEW: Add date.
via 0c53521 WHATSNEW: Udpate release notes.
via b9cc3bd s3:selftest: add smbclient_ntlm tests
via d96f774 selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP
via 883660a selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes
via 7548e8d s3:test_smbclient_auth.sh: this script reqiures 5 arguments
via 771bcf9 selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc
via 6d62364 auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing
via c52eab4 auth/spnego: add spnego:simulate_w2k option for testing
via eb085f3 auth/ntlmssp: do map to guest checking after the authentication
via ab24cfa s3:smbd: only mark real guest sessions with the GUEST flag
via 2a9cbef s3:smbd: make use SMB_SETUP_GUEST constant
via 696b25f libcli/security: implement SECURITY_GUEST
via 070ae1b s3:auth_builtin: anonymous authentication doesn't allow a password
via 039dc0b s4:auth_anonymous: anonymous authentication doesn't allow a password
via 622a603 auth/spnego: only try to verify the mechListMic if signing was negotiated.
via bc2331b s3:libsmb: use anonymous authentication via spnego if possible
via 702d846 s3:libsmb: don't finish the gensec handshake for guest logins
via 779a339 s3:libsmb: record the session setup action flags
via ad94c11 libcli/smb: add smbXcli_session_is_guest() helper function
via 2bae4e9 libcli/smb: add SMB1 session setup action flags
via e61d929 libcli/smb: add smb1cli_session_set_action() helper function
via eff4ed6 libcli/smb: fix NULL pointer derreference in smbXcli_session_is_authenticated().
via ce9dc37 s3:libsmb: use password = NULL for anonymous connections
via e72697d auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
via 0e06d40 auth/ntlmssp: don't require any flags in the ccache_resume code
via f26e6c9 auth/spnego: handle broken mechListMIC response from Windows 2000
via 8a8a567 auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR'
via 9aa4b3c s3:librpc:crypto:gse: increase debug level for gse_init_client().
via a9a5c60 lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache().
via fc3a36c s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
via 8f159c5 s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff
via 794d0c2 Mask general purpose signals for notifyd.
via 1a36149 WHATSNEW: Start release notes for Samba 4.4.3.
via 06343ea configure: Don't check for inotify on illumos
via 969ddf1 nwrap: Fix the build on Solaris
via 13d563a smbd: Avoid large reads beyond EOF
via a4c00ce Fix the smb2_setinfo to handle FS info types and FSQUOTA infolevel
via 2184ae7 cleanupd: restart as needed
via 85185e7 nss_wins: Fix the hostent setup
via 23497a6 nss_wins: ip_pton expects the raw IP address
via d4dd33b libads: record session expiry for spnego sasl binds
via eb96e15 vfs_catia: Fix bug 11827, memleak
via 6b66061 s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1.
via a6a4532 smbcquotas: print "NO LIMIT" only if returned quota value is 0.
via 811fbb2 vfs_acl_common: avoid setting POSIX ACLs if "ignore system acls" is set
via 26f5b40 winbind: Fix CID 1357100 Unchecked return value
via fb0c85b52 idmap_hash: only allow the hash module for default idmap config.
via dab38c3 idmap_hash: rename be_init() --> idmap_hash_initialize()
via 8bd67a1 s3:winbindd:idmap: check loadparm in domain_has_idmap_config() helper as well.
via 87fcc70 s3:winbindd:idmap_hash: skip domains that already have their own idmap configuration.
via 9d56304 s3:winbindd:idmap: add domain_has_idmap_config() helper function.
via e8918a1 VERSION: Bump version up to 4.4.3...
from 71de921 VERSION: Disable git snapshots for the 4.4.2 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 112 +++++++++++++++++++--
auth/gensec/spnego.c | 66 +++++++++++--
auth/ntlmssp/gensec_ntlmssp_server.c | 15 +--
auth/ntlmssp/ntlmssp_client.c | 15 +--
auth/ntlmssp/ntlmssp_server.c | 40 ++++++++
lib/krb5_wrap/krb5_samba.c | 4 +-
lib/nss_wrapper/wscript | 2 +-
libcli/security/security_token.c | 5 +
libcli/security/security_token.h | 2 +
libcli/security/session.c | 4 +
libcli/security/session.h | 1 +
libcli/smb/smbXcli_base.c | 35 +++++++
libcli/smb/smbXcli_base.h | 3 +
libcli/smb/smb_constants.h | 6 ++
nsswitch/wins.c | 13 ++-
selftest/target/Samba.pm | 13 +++
selftest/target/Samba4.pm | 23 ++++-
source3/auth/auth_builtin.c | 47 +++++++--
source3/libads/sasl.c | 13 ++-
source3/librpc/crypto/gse.c | 2 +-
source3/libsmb/cliconnect.c | 92 ++++++++++++-----
source3/libsmb/clilist.c | 2 +-
source3/modules/vfs_acl_common.c | 147 +++++++++++++++++++---------
source3/modules/vfs_catia.c | 6 +-
source3/script/tests/test_smbclient_auth.sh | 2 +-
source3/script/tests/test_smbclient_ntlm.sh | 40 ++++++++
source3/selftest/tests.py | 4 +-
source3/smbd/globals.h | 7 ++
source3/smbd/notifyd/notifyd.c | 4 +
source3/smbd/reply.c | 10 ++
source3/smbd/server.c | 35 +++++--
source3/smbd/sesssetup.c | 12 +--
source3/smbd/smb2_sesssetup.c | 7 +-
source3/smbd/smb2_setinfo.c | 18 ++++
source3/smbd/trans2.c | 143 +++++++++++++++++----------
source3/utils/smbcquotas.c | 2 +-
source3/winbindd/idmap.c | 41 ++++++++
source3/winbindd/idmap_hash/idmap_hash.c | 32 ++++--
source3/winbindd/winbindd_proto.h | 1 +
source3/wscript | 11 ++-
source4/auth/gensec/gensec_tstream.c | 6 +-
source4/auth/ntlm/auth_anonymous.c | 30 ++++++
source4/ntvfs/sysdep/wscript_configure | 13 ++-
44 files changed, 868 insertions(+), 220 deletions(-)
create mode 100755 source3/script/tests/test_smbclient_ntlm.sh
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 8f6c55c..ba47aab 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index cea4492..ac373fd 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,101 @@
=============================
+ Release Notes for Samba 4.4.3
+ May 2, 2016
+ =============================
+
+
+This is the latest stable release of Samba 4.4.
+
+This release fixes some regressions introduced by the last security fixes.
+Please see bug https://bugzilla.samba.org/show_bug.cgi?id=11849 for a list of
+bugs addressing these regressions and more information.
+
+
+Changes since 4.4.2:
+--------------------
+
+o Michael Adam <obnox at samba.org>
+ * BUG 11786: idmap_hash: Only allow the hash module for default idmap config.
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 11822: s3: libsmb: Fix error where short name length was read as 2
+ bytes, should be 1.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 11789: Fix returning of ldb.MessageElement.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 11855: cleanupd: Restart as needed.
+
+o Günther Deschner <gd at samba.org>
+ * BUG 11786: s3:winbindd:idmap: check loadparm in domain_has_idmap_config()
+ helper as well.
+ * BUG 11789: libsmb/pysmb: Add pytalloc-util dependency to fix the build.
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 11786: winbind: Fix CID 1357100: Unchecked return value.
+ * BUG 11816: nwrap: Fix the build on Solaris.
+ * BUG 11827: vfs_catia: Fix memleak.
+ * BUG 11878: smbd: Avoid large reads beyond EOF.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 11789: s3:wscript: pylibsmb depends on pycredentials.
+ * BUG 11841: Fix NT_STATUS_ACCESS_DENIED when accessing Windows public share.
+ * BUG 11847: Only validate MIC if "map to guest" is not being used.
+ * BUG 11849: auth/ntlmssp: Add ntlmssp_{client,server}:force_old_spnego
+ option for testing.
+ * BUG 11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN.
+ * BUG 11858: Allow anonymous smb connections.
+ * BUG 11870: Fix ads_sasl_spnego_gensec_bind(KRB5).
+ * BUG 11872: Fix 'wbinfo -u' and 'net ads search'.
+
+o Tom Mortensen <tomm at lime-technology.com>
+ * BUG 11875: nss_wins: Fix the hostent setup.
+
+o Garming Sam <garming at catalyst.net.nz>
+ * BUG 11789: build: Mark explicit dependencies on pytalloc-util.
+
+o Partha Sarathi <partha at exablox.com>
+ * BUG 11819: Fix the smb2_setinfo to handle FS info types and FSQUOTA
+ infolevel.
+
+o Jorge Schrauwen <sjorge at blackdot.be>
+ * BUG 11816: configure: Don't check for inotify on illumos.
+
+o Uri Simchoni <uri at samba.org>
+ * BUG 11806: vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls"
+ is set.
+ * BUG 11815: smbcquotas: print "NO LIMIT" only if returned quota value is 0.
+ * BUG 11852: libads: Record session expiry for spnego sasl binds.
+
+o Hemanth Thummala <hemanth.thummala at nutanix.com>
+ * BUG 11840: Mask general purpose signals for notifyd.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.4.2
April 12, 2016
=============================
@@ -16,8 +113,9 @@ o Stefan Metzmacher <metze at samba.org>
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016
-Release notes for the original 4.4.1 release follows:
------------------------------------------------------
+
+-----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.4.1
@@ -544,12 +642,14 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
-Release Announcements
-=====================
+ =============================
+ Release Notes for Samba 4.4.0
+ March 22, 2016
+ =============================
+
This is the first stable release of the Samba 4.4 release series.
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 2922478..3962d72 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -59,6 +59,8 @@ struct spnego_state {
bool needs_mic_check;
bool done_mic_check;
+ bool simulate_w2k;
+
/*
* The following is used to implement
* the update token fragmentation
@@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k", false);
+
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
@@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k", false);
+
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
@@ -661,7 +669,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
talloc_free(spnego_state->sub_sec_security);
spnego_state->sub_sec_security = NULL;
- DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
+ DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
return nt_status;
}
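Review bot: Moving this DEBUG from level 1 to level 10 in gensec_spnego_create_negTokenInit() means a failed negTokenInit setup is no longer visible at any normal log level, although the function still returns nt_status as an error. If the aim is only to quieten the expected NT_STATUS_INTERNAL_ERROR case named in the commit subject, consider keeping a lower level for other status codes, or using an intermediate level such as the 5 chosen for the krb5_samba.c messages in this same push.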
@@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego.negTokenInit.mechToken,
&unwrapped_out);
+ if (spnego_state->simulate_w2k) {
+ /*
+ * Windows 2000 returns the unwrapped token
+ * also in the mech_list_mic field.
+ *
+ * In order to verify our client code,
+ * we need a way to have a server with this
+ * broken behaviour
+ */
+ mech_list_mic = unwrapped_out;
+ }
+
nt_status = gensec_spnego_server_negTokenTarg(spnego_state,
out_mem_ctx,
nt_status,
unwrapped_out,
- null_data_blob,
+ mech_list_mic,
out);
spnego_free_data(&spnego);
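Review bot: mech_list_mic is only assigned inside the simulate_w2k branch here, and its declaration is outside the visible lines. Replacing null_data_blob with mech_list_mic in the gensec_spnego_server_negTokenTarg() call preserves the old behaviour only if mech_list_mic starts out as an empty blob, so please confirm that initialisation sits next to the declaration. In the simulate_w2k case mech_list_mic and unwrapped_out share the same data pointer; a short comment that the callee must not free or steal either blob would prevent a later double free.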
@@ -885,6 +905,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
case SPNEGO_SERVER_TARG:
{
NTSTATUS nt_status;
+ bool have_sign = true;
bool new_spnego = false;
if (!in.length) {
@@ -947,18 +968,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
goto server_response;
}
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
if (spnego.negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
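Review bot: With have_sign false, the condition "have_sign && spnego.negTokenTarg.mechListMIC.length > 0" skips gensec_check_packet() entirely, so a mechListMIC that the peer did send is accepted without verification and without any log output. That matches the commit subject (only verify if signing was negotiated), but the code carries no comment saying so, and the mechanism list is then not protected against tampering on such sessions. Please add a comment stating why the MIC is ignored here, and a DEBUG line when a non-empty mechListMIC is dropped unverified.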
@@ -1078,6 +1104,24 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC;
+ const DATA_BLOB *r = &spnego.negTokenTarg.responseToken;
+
+ /*
+ * Windows 2000 has a bug, it repeats the
+ * responseToken in the mechListMIC field.
+ */
+ if (m->length == r->length) {
+ int cmp;
+
+ cmp = memcmp(m->data, r->data, m->length);
+ if (cmp == 0) {
+ data_blob_free(m);
+ }
+ }
+ }
+
+ if (spnego.negTokenTarg.mechListMIC.length > 0) {
if (spnego_state->no_response_expected) {
spnego_state->needs_mic_check = true;
}
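Review bot: The Windows 2000 workaround in the new block discards the mechListMIC for any peer whose MIC bytes equal the responseToken, not only for Windows 2000, and it does so silently. A DEBUG message at the data_blob_free(m) call would make it visible when the MIC check is bypassed this way. The second, unchanged "if (spnego.negTokenTarg.mechListMIC.length > 0)" test only behaves correctly because data_blob_free() resets the length to zero; a one-line comment on that dependency would help, since the two identical conditions back to back look like a merge mistake.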
@@ -1124,8 +1168,14 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (spnego_state->no_response_expected &&
!spnego_state->done_mic_check)
{
+ bool have_sign = true;
bool new_spnego = false;
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
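Review bot: The initialiser in "bool have_sign = true;" is dead, because have_sign is overwritten unconditionally by gensec_have_feature() a few lines later; the same pattern appears in the SPNEGO_SERVER_TARG hunk. Initialising to false (the safe default) or dropping the initialiser would be clearer. The three-step computation (query GENSEC_FEATURE_SIGN, then force false under simulate_w2k) is now duplicated in two places and could live in one small static helper so that the client and server paths cannot drift apart.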
@@ -1152,16 +1202,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
if (spnego_state->mic_requested) {
- bool sign;
-
- sign = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_SIGN);
- if (sign) {
+ if (have_sign) {
new_spnego = true;
}
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index ca19863..99cedd0 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -131,20 +131,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
ntlmssp_state->allow_lm_key = true;
}
- if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) {
- /*
- * map to guest is not secure anyway, so
- * try to make it work and don't try to
- * negotiate new_spnego and MIC checking
- */
- ntlmssp_state->force_old_spnego = true;
- }
+ ntlmssp_state->force_old_spnego = false;
- if (role == ROLE_ACTIVE_DIRECTORY_DC) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) {
/*
- * map to guest is not supported on an AD DC.
+ * For testing Windows 2000 mode
*/
- ntlmssp_state->force_old_spnego = false;
+ ntlmssp_state->force_old_spnego = true;
}
ntlmssp_state->neg_flags =
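Review bot: The new "ntlmssp_server", "force_old_spnego" setting re-enables the behaviour that the removed comment described as not negotiating new_spnego and MIC checking, yet the replacement comment only says "For testing Windows 2000 mode". Please state in the comment that the option is for selftest only and weakens the negotiation, and consider a warning-level DEBUG when it is enabled so that it is noticed if it ever lands in a production smb.conf. Also check whether the local variable role is still used in gensec_ntlmssp_server_start() now that the ROLE_ACTIVE_DIRECTORY_DC test is gone.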
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b419615..5edd5f4 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
gensec_security->want_features |= GENSEC_FEATURE_SIGN;
-
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
gensec_security->want_features |= GENSEC_FEATURE_SEAL;
-
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
- ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
+ ntlmssp_state->required_flags = 0;
if (DEBUGLEVEL >= 10) {
struct NEGOTIATE_MESSAGE *negotiate = talloc(
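Review bot: Setting "ntlmssp_state->required_flags = 0;" in gensec_ntlmssp_resume_ccache() removes the enforcement of NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL even when neg_flags carried them, and the hunk adds no comment explaining why that is safe on the resume path. Please add a short comment giving the reason (for example, which component has already enforced these flags), so that a later reader does not restore the removed required_flags lines as an apparent hardening.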
@@ -789,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
+ ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings,
+ "ntlmssp_client", "force_old_spnego", false);
+
ntlmssp_state->expected_state = NTLMSSP_INITIAL;
ntlmssp_state->neg_flags =
@@ -848,8 +846,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
* Without this, Windows will not create the master key
* that it thinks is only used for NTLMSSP signing and
* sealing. (It is actually pulled out and used directly)
+ *
+ * We don't require this here as some servers (e.g. NetAPP)
+ * doesn't support this.
*/
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
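Review bot: After the change from required_flags to neg_flags, NTLMSSP_NEGOTIATE_SIGN is requested but no longer enforced in this branch, while the unchanged GENSEC_FEATURE_SIGN branch directly below still sets required_flags. The added comment should say that explicitly: signing is only mandatory when the caller asked for GENSEC_FEATURE_SIGN. Minor wording point in the same comment: "some servers (e.g. NetAPP) doesn't support this" should read "don't support this".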
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 17d5ade..ddee875 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -31,6 +31,9 @@
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"
#include "auth/common_auth.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+#include "libcli/security/session.h"
/**
* Determine correct target name flags for reply, given server role
@@ -700,6 +703,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
struct auth4_context *auth_context = gensec_security->auth_context;
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+ struct auth_session_info *session_info = NULL;
struct auth_usersupplied_info *user_info;
user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
@@ -736,6 +740,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
NT_STATUS_NOT_OK_RETURN(nt_status);
+ if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST
+ && auth_context->generate_session_info != NULL)
+ {
+ NTSTATUS tmp_status;
+
+ /*
+ * We need to check if the auth is anonymous or mapped to guest
+ */
+ tmp_status = auth_context->generate_session_info(auth_context, mem_ctx,
+ gensec_ntlmssp->server_returned_info,
+ gensec_ntlmssp->ntlmssp_state->user,
+ AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
+ &session_info);
+ if (!NT_STATUS_IS_OK(tmp_status)) {
+ /*
+ * We don't care about failures,
+ * the worst result is that we try MIC checking
+ * for a map to guest authentication.
+ */
+ TALLOC_FREE(session_info);
+ }
+ }
+
+ if (session_info != NULL) {
+ if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
+ /*
+ * Anonymous and GUEST are not secure anyway.
+ * avoid new_spnego and MIC checking.
+ */
+ ntlmssp_state->new_spnego = false;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+ }
+ TALLOC_FREE(session_info);
+ }
+
talloc_steal(mem_ctx, user_session_key->data);
talloc_steal(mem_ctx, lm_session_key->data);
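Review bot: When generate_session_info() fails in the new block, the status in tmp_status is discarded without any log output; a DEBUG line with nt_errstr(tmp_status) would help when diagnosing why MIC checking was still attempted for a mapped guest. The comment "Anonymous and GUEST are not secure anyway" should also record the consequence, namely that NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL are cleared from neg_flags after authentication, so such sessions never get signing or sealing keys. Style: "gensec_ntlmssp->ntlmssp_state->user" can use the existing local ntlmssp_state.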
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 13984e9..6cfd498 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2397,12 +2397,12 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
"Trying to read krb5 cache: %s\n",
krb5_cc_default_name(ctx)));
if (krb5_cc_default(ctx, &cc)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+ DEBUG(5,("kerberos_get_default_realm_from_ccache: "
"failed to read default cache\n"));
goto out;
}
if (krb5_cc_get_principal(ctx, cc, &princ)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+ DEBUG(5,("kerberos_get_default_realm_from_ccache: "
"failed to get default principal\n"));
goto out;
}
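Review bot: Both DEBUG messages still print the prefix "kerberos_get_default_realm_from_ccache:" although the hunk header shows the function is smb_krb5_get_default_realm_from_ccache(). Since these lines are being touched anyway, switching to the real function name (or __func__) would make the messages searchable. Lowering from level 0 to 5 is reasonable for a missing credential cache, but both failures jump to "out" with no other visible log, so it is worth checking that the caller reports the missing realm at a level operators will see.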
diff --git a/lib/nss_wrapper/wscript b/lib/nss_wrapper/wscript
index 6c3d7f7..c727980 100644
--- a/lib/nss_wrapper/wscript
+++ b/lib/nss_wrapper/wscript
@@ -62,7 +62,7 @@ def configure(conf):
define='HAVE_SOLARIS_GETPWUID_R', headers='unistd.h pwd.h')
conf.CHECK_C_PROTOTYPE('getgrent_r',
'struct group *getgrent_r(struct group *src, char *buf, int buflen)',
- define='SOLARIS_GETGRENT_R', headers='unistd.h grp.h')
+ define='HAVE_SOLARIS_GETGRENT_R', headers='unistd.h grp.h')
conf.CHECK_C_PROTOTYPE('getgrnam_r',
'int getgrnam_r(const char *name, struct group *grp, char *buf, int buflen, struct group **pgrp)',
define='HAVE_SOLARIS_GETGRNAM_R', headers='unistd.h grp.h')
diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c
index 6812d42..2e5a87b 100644
--- a/libcli/security/security_token.c
+++ b/libcli/security/security_token.c
@@ -130,6 +130,11 @@ bool security_token_has_sid_string(const struct security_token *token, const cha
return ret;
}
+bool security_token_has_builtin_guests(const struct security_token *token)
+{
+ return security_token_has_sid(token, &global_sid_Builtin_Guests);
+}
+
bool security_token_has_builtin_administrators(const struct security_token *token)
{
return security_token_has_sid(token, &global_sid_Builtin_Administrators);
--
Samba Shared Repository