[SCM] Samba Shared Repository - branch v4-3-stable updated
Karolin Seeger
kseeger at samba.org
Mon May 2 07:55:01 UTC 2016
The branch, v4-3-stable has been updated
via 8e71328 VERSION: Disable git snapshots for the 4.3.9 release.
via 0508804 WHATSNEW: Add release date.
via 8836adc WHATSNEW: Update release notes.
via b74285d s3:selftest: add smbclient_ntlm tests
via c41e187 selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP
via 081faaf selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes
via ad67741 s3:test_smbclient_auth.sh: this script reqiures 5 arguments
via 4ed0cba selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc
via 51e4047 auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing
via cdc3194 auth/spnego: add spnego:simulate_w2k option for testing
via d9ffc7e auth/ntlmssp: do map to guest checking after the authentication
via 74afa66 s3:smbd: only mark real guest sessions with the GUEST flag
via 9b40c33 s3:smbd: make use SMB_SETUP_GUEST constant
via 4b4c1b5 libcli/security: implement SECURITY_GUEST
via 71b49a4 s3:auth_builtin: anonymous authentication doesn't allow a password
via 7b7826b s4:auth_anonymous: anonymous authentication doesn't allow a password
via ac8db7a auth/spnego: only try to verify the mechListMic if signing was negotiated.
via 0e92263 s3:libsmb: use anonymous authentication via spnego if possible
via 8df7d7d s3:libsmb: don't finish the gensec handshake for guest logins
via 5d6e840 s3:libsmb: record the session setup action flags
via eeb8510 libcli/smb: add smbXcli_session_is_guest() helper function
via 8373d89 libcli/smb: add SMB1 session setup action flags
via 97368ad libcli/smb: add smb1cli_session_set_action() helper function
via f22870c libcli/smb: fix NULL pointer derreference in smbXcli_session_is_authenticated().
via 70d8727 s3:libsmb: use password = NULL for anonymous connections
via 1fbce2f auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
via bde57cb auth/ntlmssp: don't require any flags in the ccache_resume code
via 37cc6b5 auth/spnego: handle broken mechListMIC response from Windows 2000
via 5593c60 auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR'
via 66c2db4 s3:librpc:crypto:gse: increase debug level for gse_init_client().
via 73f52ae lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache().
via 33f1e55 s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
via 4c46c54 s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff
via c7e2669 Mask general purpose signals for notifyd.
via 180cdd7 WHATSNEW: Start release notes for Samba 4.3.9.
via 6eef281 configure: Don't check for inotify on illumos
via 1050204 nwrap: Fix the build on Solaris
via d714633 smbd: Avoid large reads beyond EOF
via f8e6523 Fix the smb2_setinfo to handle FS info types and FSQUOTA infolevel
via 810dca6 libads: record session expiry for spnego sasl binds
via 9944a5a s3:wscript: pylibsmb depends on pycredentials
via 8c295c3 libsmb/pysmb: add pytalloc-util dependency to fix the build.
via 828a9b4 build: mark explicit dependencies on pytalloc-util
via b174304 pydsdb: Fix returning of ldb.MessageElement.
via e25a6f3 pydsdb: Also accept ldb.MessageElement values to dsdb routines
via bf61978 vfs_catia: Fix bug 11827, memleak
via 63614b5 s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1.
via 1a9fd08 vfs_acl_common: avoid setting POSIX ACLs if "ignore system acls" is set
via a74212b tevent: version 0.9.28
via 1739d34 lib: tevent: Fix memory leak reported by Pavel Březina <pbrezina at redhat.com> when old signal action restored.
via 62e1382 tevent: version 0.9.27
via 2d7ac27 Fix ETIME handling for Solaris event ports.
via 2fe44e7 tevent: Only set public headers field when installing as a public library.
via ad39420 Simplify handling of dependencies on external libraries in test_headers.
via ebed8f3 Set LD_LIBRARY_PATH during tests.
via 2c626fa lib: tevent: Whitespace cleanup.
via 0cd4ddf lib: tevent: Fix bug in poll backend - poll_event_loop_poll()
via 8f31190 tevent: version 0.9.26
via f4add9a lib: tevent: docs: Add tutorial on thread usage.
via 60199e2 lib: tevent: tests: Add a second thread test that does request/reply.
via d96e00e lib: tevent: Initial test of tevent threaded context code.
via fc4d726 lib: tevent: Initial checkin of threaded tevent context calling code.
via ec56ef8 libcli/smb: fix BUFFER_OVERFLOW handling in tstream_smbXcli_np
via 9cf45fe libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb1cli_readx*
via 91f335b libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb2cli_query_info*
via cc64ed9 libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb2cli_read*
via af6bd5c libcli/smb: make sure we have a body size of 0x31 before dereferencing an ioctl response
via cd143a4 VERSION: Bump version up to 4.3.9
via 5bd1f11 Merge tag 'samba-4.3.8' into v4-3-test
via ca09ef7 build: fix build when --without-quota specified
via 0380ec6 build: fix disk-free quota support on Solaris 10
via 12c0248 s3:winbindd: don't unclude two '
via 596a51e smbd: Only check dev/inode in open_directory, not the full stat()
via b28fea7 VERSION: Bump version up to 4.3.7...
via 5c5810e Merge tag 'samba-4.3.6' into v4-3-test
via 162efbf passdb: add linefeed to debug message
via 3137519 smbd: ignore SVHDX create context
via 9e9bc07 winbindd: return trust parameters when listing trusts
via 708fe69 winbindd: initialize foreign domain as AD based on trust
via 22aa4d9 winbindd: introduce add_trusted_domain_from_tdc()
via 7fd2e7f access based share enum: handle permission set in configuration files
via e42cd66 s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add
via f37cb21 Real memeory leak(buildup) issue in loadparm.
via 89b13fe docs: Add example for domain logins to smbspool man page.
via 80a8453 libcli: Fix debug message, print sid string for new_ace trustee.
via 150d1f6 VERSION: Bump version up to 4.3.6...
from 4b4a2bd VERSION: Disable git snapshots for the 4.3.8 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 122 ++++++-
auth/gensec/spnego.c | 66 +++-
auth/ntlmssp/gensec_ntlmssp_server.c | 15 +-
auth/ntlmssp/ntlmssp_client.c | 15 +-
auth/ntlmssp/ntlmssp_server.c | 40 +++
docs-xml/manpages/smbspool.8.xml | 5 +
lib/krb5_wrap/krb5_samba.c | 4 +-
lib/nss_wrapper/wscript | 2 +-
.../ABI/{tevent-0.9.24.sigs => tevent-0.9.26.sigs} | 2 +
.../ABI/{tevent-0.9.24.sigs => tevent-0.9.27.sigs} | 2 +
.../ABI/{tevent-0.9.24.sigs => tevent-0.9.28.sigs} | 2 +
lib/tevent/doc/tevent_thread.dox | 322 ++++++++++++++++++
lib/tevent/doc/tevent_tutorial.dox | 2 +
lib/tevent/testsuite.c | 330 ++++++++++++++++++
lib/tevent/tevent.h | 52 +++
lib/tevent/tevent_epoll.c | 6 +-
lib/tevent/tevent_poll.c | 5 +-
lib/tevent/tevent_port.c | 22 +-
lib/tevent/tevent_signal.c | 4 +
lib/tevent/tevent_threads.c | 370 +++++++++++++++++++++
lib/tevent/wscript | 9 +-
libcli/security/secdesc.c | 2 +-
libcli/security/security_token.c | 5 +
libcli/security/security_token.h | 2 +
libcli/security/session.c | 4 +
libcli/security/session.h | 1 +
libcli/smb/smb1cli_read.c | 53 ++-
libcli/smb/smb2cli_ioctl.c | 84 ++---
libcli/smb/smb2cli_query_info.c | 24 +-
libcli/smb/smb2cli_read.c | 26 +-
libcli/smb/smbXcli_base.c | 35 ++
libcli/smb/smbXcli_base.h | 3 +
libcli/smb/smb_constants.h | 6 +
libcli/smb/tstream_smbXcli_np.c | 13 +-
python/samba/dbchecker.py | 4 +-
selftest/target/Samba.pm | 13 +
selftest/target/Samba4.pm | 23 +-
source3/auth/auth_builtin.c | 47 ++-
source3/libads/ldap.c | 26 ++
source3/libads/sasl.c | 13 +-
source3/libnet/libnet_join.c | 65 ----
source3/librpc/crypto/gse.c | 2 +-
source3/libsmb/cliconnect.c | 92 +++--
source3/libsmb/clilist.c | 2 +-
source3/modules/vfs_acl_common.c | 147 +++++---
source3/modules/vfs_catia.c | 6 +-
source3/param/loadparm.c | 40 ++-
source3/passdb/passdb.c | 3 +-
source3/passdb/wscript_build | 2 +-
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 17 +-
source3/script/tests/test_smbclient_auth.sh | 2 +-
source3/script/tests/test_smbclient_ntlm.sh | 40 +++
source3/selftest/tests.py | 4 +-
source3/smbd/globals.h | 7 +
source3/smbd/notifyd/notifyd.c | 4 +
source3/smbd/open.c | 14 +-
source3/smbd/reply.c | 10 +
source3/smbd/sesssetup.c | 12 +-
source3/smbd/smb2_create.c | 15 -
source3/smbd/smb2_sesssetup.c | 7 +-
source3/smbd/smb2_setinfo.c | 18 +
source3/smbd/trans2.c | 143 +++++---
source3/winbindd/winbindd_misc.c | 13 +-
source3/winbindd/winbindd_util.c | 153 ++++++---
source3/wscript | 35 +-
source3/wscript_build | 5 +-
source4/auth/gensec/gensec_tstream.c | 6 +-
source4/auth/ntlm/auth_anonymous.c | 30 ++
source4/dsdb/pydsdb.c | 162 +++++----
source4/lib/messaging/wscript_build | 2 +-
source4/libcli/wscript_build | 2 +-
source4/libnet/wscript_build | 2 +-
source4/ntvfs/sysdep/wscript_configure | 13 +-
source4/param/wscript_build | 2 +-
tests/oldquotas.c | 174 ++++++++++
testsuite/headers/wscript_build | 13 +-
77 files changed, 2540 insertions(+), 507 deletions(-)
copy lib/tevent/ABI/{tevent-0.9.24.sigs => tevent-0.9.26.sigs} (97%)
copy lib/tevent/ABI/{tevent-0.9.24.sigs => tevent-0.9.27.sigs} (97%)
copy lib/tevent/ABI/{tevent-0.9.24.sigs => tevent-0.9.28.sigs} (97%)
create mode 100644 lib/tevent/doc/tevent_thread.dox
create mode 100644 lib/tevent/tevent_threads.c
create mode 100755 source3/script/tests/test_smbclient_ntlm.sh
create mode 100644 tests/oldquotas.c
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 3339e83..31ec5b1 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 435ae45..4e461bc 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,118 @@
=============================
+ Release Notes for Samba 4.3.9
+ May 2, 2016
+ =============================
+
+
+This is the latest stable release of Samba 4.3.
+
+This release fixes some regressions introduced by the last security fixes.
+Please see bug https://bugzilla.samba.org/show_bug.cgi?id=11849 for a list of
+bugs addressing these regressions and more information.
+
+
+Changes since 4.3.8:
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 11742: lib: tevent: Fix memory leak when old signal action restored.
+ * BUG 11771: lib: tevent: Fix memory leak when old signal action restored.
+ * BUG 11822: s3: libsmb: Fix error where short name length was read as 2
+ bytes, should be 1.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 11780: smbd: Only check dev/inode in open_directory, not the full
+ stat().
+ * BUG 11789: pydsdb: Fix returning of ldb.MessageElement.
+
+o Berend De Schouwer <berend.de.schouwer at gmail.com>
+ * BUG 11643: docs: Add example for domain logins to smbspool man page.
+
+o Günther Deschner <gd at samba.org>
+ * BUG 11789: libsmb/pysmb: Add pytalloc-util dependency to fix the build.
+
+o Alberto Maria Fiaschi <alberto.fiaschi at estar.toscana.it>
+ * BUG 8093: access based share enum: Handle permission set in configuration
+ files.
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 11816: nwrap: Fix the build on Solaris.
+ * BUG 11827: vfs_catia: Fix memleak.
+ * BUG 11878: smbd: Avoid large reads beyond EOF.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 11622: libcli/smb: Make sure we have a body size of 0x31 before
+ dereferencing an ioctl response.
+ * BUG 11623: libcli/smb: Fix BUFFER_OVERFLOW handling in tstream_smbXcli_np.
+ * BUG 11755: s3:libads: Setup the msDS-SupportedEncryptionTypes attribute on
+ ldap_add.
+ * BUG 11771: tevent: Version 0.9.28. Fix memory leak when old signal action
+ restored.
+ * BUG 11782: s3:winbindd: Don't include two '\0' at the end of the domain
+ list.
+ * BUG 11789: s3:wscript: pylibsmb depends on pycredentials.
+ * BUG 11841: Fix NT_STATUS_ACCESS_DENIED when accessing Windows public share.
+ * BUG 11847: Only validate MIC if "map to guest" is not being used.
+ * BUG 11849: auth/ntlmssp: Add ntlmssp_{client,server}:force_old_spnego
+ option for testing.
+ * BUG 11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN.
+ * BUG 11858: Allow anonymous smb connections.
+ * BUG 11870: Fix ads_sasl_spnego_gensec_bind(KRB5).
+ * BUG 11872: Fix 'wbinfo -u' and 'net ads search'.
+
+o Noel Power <noel.power at suse.com>
+ * BUG 11738: libcli: Fix debug message, print sid string for new_ace trustee.
+
+o Garming Sam <garming at catalyst.net.nz>
+ * BUG 11789: build: Mark explicit dependencies on pytalloc-util.
+
+o Partha Sarathi <partha at exablox.com>
+ * BUG 11819: Fix the smb2_setinfo to handle FS info types and FSQUOTA
+ infolevel.
+
+o Jorge Schrauwen <sjorge at blackdot.be>
+ * BUG 11816: configure: Don't check for inotify on illumos.
+
+o Uri Simchoni <uri at samba.org>
+ * BUG 11691: winbindd: Return trust parameters when listing trusts.
+ * BUG 11753: smbd: Ignore SVHDX create context.
+ * BUG 11763: passdb: Add linefeed to debug message.
+ * BUG 11788: build: Fix disk-free quota support on Solaris 10.
+ * BUG 11798: build: Fix build when '--without-quota' specified.
+ * BUG 11806: vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls"
+ is set.
+ * BUG 11852: libads: Record session expiry for spnego sasl binds.
+
+o Hemanth Thummala <hemanth.thummala at nutanix.com>
+ * BUG 11740: Real memory leak(buildup) issue in loadparm.
+ * BUG 11840: Mask general purpose signals for notifyd.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+
+ =============================
Release Notes for Samba 4.3.8
April 12, 2016
=============================
@@ -16,8 +130,9 @@ o Stefan Metzmacher <metze at samba.org>
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016
-Release notes for the original 4.3.7 release follows:
------------------------------------------------------
+
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.3.7
@@ -555,8 +670,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
=============================
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 1d4b172..6a82b5f 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -59,6 +59,8 @@ struct spnego_state {
bool needs_mic_check;
bool done_mic_check;
+ bool simulate_w2k;
+
/*
* The following is used to implement
* the update token fragmentation
@@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k", false);
+
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
@@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k", false);
+
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
@@ -661,7 +669,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
talloc_free(spnego_state->sub_sec_security);
spnego_state->sub_sec_security = NULL;
- DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
+ DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
return nt_status;
}
@@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego.negTokenInit.mechToken,
&unwrapped_out);
+ if (spnego_state->simulate_w2k) {
+ /*
+ * Windows 2000 returns the unwrapped token
+ * also in the mech_list_mic field.
+ *
+ * In order to verify our client code,
+ * we need a way to have a server with this
+ * broken behaviour
+ */
+ mech_list_mic = unwrapped_out;
+ }
+
nt_status = gensec_spnego_server_negTokenTarg(spnego_state,
out_mem_ctx,
nt_status,
unwrapped_out,
- null_data_blob,
+ mech_list_mic,
out);
spnego_free_data(&spnego);
@@ -885,6 +905,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
case SPNEGO_SERVER_TARG:
{
NTSTATUS nt_status;
+ bool have_sign = true;
bool new_spnego = false;
if (!in.length) {
@@ -947,18 +968,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
goto server_response;
}
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
if (spnego.negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
@@ -1078,6 +1104,24 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC;
+ const DATA_BLOB *r = &spnego.negTokenTarg.responseToken;
+
+ /*
+ * Windows 2000 has a bug, it repeats the
+ * responseToken in the mechListMIC field.
+ */
+ if (m->length == r->length) {
+ int cmp;
+
+ cmp = memcmp(m->data, r->data, m->length);
+ if (cmp == 0) {
+ data_blob_free(m);
+ }
+ }
+ }
+
+ if (spnego.negTokenTarg.mechListMIC.length > 0) {
if (spnego_state->no_response_expected) {
spnego_state->needs_mic_check = true;
}
@@ -1124,8 +1168,14 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (spnego_state->no_response_expected &&
!spnego_state->done_mic_check)
{
+ bool have_sign = true;
bool new_spnego = false;
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
@@ -1152,16 +1202,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
if (spnego_state->mic_requested) {
- bool sign;
-
- sign = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_SIGN);
- if (sign) {
+ if (have_sign) {
new_spnego = true;
}
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index 6147b14..08a8c8f 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -130,20 +130,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
ntlmssp_state->allow_lm_key = true;
}
- if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) {
- /*
- * map to guest is not secure anyway, so
- * try to make it work and don't try to
- * negotiate new_spnego and MIC checking
- */
- ntlmssp_state->force_old_spnego = true;
- }
+ ntlmssp_state->force_old_spnego = false;
- if (role == ROLE_ACTIVE_DIRECTORY_DC) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) {
/*
- * map to guest is not supported on an AD DC.
+ * For testing Windows 2000 mode
*/
- ntlmssp_state->force_old_spnego = false;
+ ntlmssp_state->force_old_spnego = true;
}
ntlmssp_state->neg_flags =
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b419615..5edd5f4 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
gensec_security->want_features |= GENSEC_FEATURE_SIGN;
-
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
gensec_security->want_features |= GENSEC_FEATURE_SEAL;
-
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
- ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
+ ntlmssp_state->required_flags = 0;
if (DEBUGLEVEL >= 10) {
struct NEGOTIATE_MESSAGE *negotiate = talloc(
@@ -789,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
+ ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings,
+ "ntlmssp_client", "force_old_spnego", false);
+
ntlmssp_state->expected_state = NTLMSSP_INITIAL;
ntlmssp_state->neg_flags =
@@ -848,8 +846,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
* Without this, Windows will not create the master key
* that it thinks is only used for NTLMSSP signing and
* sealing. (It is actually pulled out and used directly)
+ *
+ * We don't require this here as some servers (e.g. NetAPP)
+ * doesn't support this.
*/
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 17d5ade..ddee875 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -31,6 +31,9 @@
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"
#include "auth/common_auth.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+#include "libcli/security/session.h"
/**
* Determine correct target name flags for reply, given server role
@@ -700,6 +703,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
struct auth4_context *auth_context = gensec_security->auth_context;
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+ struct auth_session_info *session_info = NULL;
struct auth_usersupplied_info *user_info;
user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
@@ -736,6 +740,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
NT_STATUS_NOT_OK_RETURN(nt_status);
+ if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST
+ && auth_context->generate_session_info != NULL)
+ {
+ NTSTATUS tmp_status;
+
+ /*
+ * We need to check if the auth is anonymous or mapped to guest
+ */
+ tmp_status = auth_context->generate_session_info(auth_context, mem_ctx,
+ gensec_ntlmssp->server_returned_info,
+ gensec_ntlmssp->ntlmssp_state->user,
+ AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
+ &session_info);
+ if (!NT_STATUS_IS_OK(tmp_status)) {
+ /*
+ * We don't care about failures,
+ * the worst result is that we try MIC checking
+ * for a map to guest authentication.
+ */
+ TALLOC_FREE(session_info);
+ }
+ }
+
+ if (session_info != NULL) {
+ if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
+ /*
+ * Anonymous and GUEST are not secure anyway.
+ * avoid new_spnego and MIC checking.
+ */
+ ntlmssp_state->new_spnego = false;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+ }
+ TALLOC_FREE(session_info);
+ }
+
talloc_steal(mem_ctx, user_session_key->data);
talloc_steal(mem_ctx, lm_session_key->data);
diff --git a/docs-xml/manpages/smbspool.8.xml b/docs-xml/manpages/smbspool.8.xml
index 2f2de08..5d619c4 100644
--- a/docs-xml/manpages/smbspool.8.xml
+++ b/docs-xml/manpages/smbspool.8.xml
@@ -50,6 +50,7 @@
<listitem><para>smb://server[:port]/printer</para></listitem>
<listitem><para>smb://workgroup/server[:port]/printer</para></listitem>
<listitem><para>smb://username:password@server[:port]/printer</para></listitem>
+ <listitem><para>smb://domain\username:password@server[:port]/printer</para></listitem>
<listitem><para>smb://username:password@workgroup/server[:port]/printer</para></listitem>
</itemizedlist>
@@ -62,6 +63,10 @@
pass the URI in argv[0], while shell scripts must set the
<envar>DEVICE_URI</envar> environment variable prior to
running smbspool.</para>
+
+ <para>smbspool will accept URI escaped characters. This allows setting
+ a domain in the username, or space in the printer name. For example
+ smb://domain%5Cusername/printer%20name</para>
</refsect1>
<refsect1>
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 22975c1..652e811 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2388,12 +2388,12 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
"Trying to read krb5 cache: %s\n",
krb5_cc_default_name(ctx)));
if (krb5_cc_default(ctx, &cc)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+ DEBUG(5,("kerberos_get_default_realm_from_ccache: "
"failed to read default cache\n"));
goto out;
}
if (krb5_cc_get_principal(ctx, cc, &princ)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+ DEBUG(5,("kerberos_get_default_realm_from_ccache: "
"failed to get default principal\n"));
--
Samba Shared Repository
More information about the samba-cvs
mailing list