[SCM] Samba Shared Repository - branch v4-2-test updated

Karolin Seeger kseeger at samba.org
Mon May 30 11:56:07 UTC 2016


The branch, v4-2-test has been updated
       via  615516b s3:rpcclient: make use of SMB_SIGNING_IPC_DEFAULT
       via  b6c9438 s3:smbd: fix anonymous authentication if signing is mandatory
       via  93155fa s3:ntlm_auth: make ntlm_auth_generate_session_info() more complete
      from  e410d79 libcli/auth: let msrpc_parse() return talloc'ed empty strings

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test


- Log -----------------------------------------------------------------
commit 615516bcabb08b0c4947b3fe030439c41f62d9bf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu May 19 11:47:18 2016 +0200

    s3:rpcclient: make use of SMB_SIGNING_IPC_DEFAULT
    
    This means we'll use the "client ipc min protocol", "client ipc max protocol"
    and "client ipc signing" options. But "--signing=no" or "--signing=required"
    still override "client ipc signing".
    
    The following can be used to alter the max protocol
    
    rpcclient --option="client ipc max protocol=SMB2_10" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
    Account Name: Administrator, Authority Name: W4EDOM-L4
    
    rpcclient --option="client ipc max protocol=NT1" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
    Account Name: Administrator, Authority Name: W4EDOM-L4
    
    rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername"
    Account Name: Administrator, Authority Name: W4EDOM-L4
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11927
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sat May 21 05:01:15 CEST 2016 on sn-devel-144
    
    (cherry picked from commit 2eb824fbaf61dfc5e9c735589c80c41379dabe86)
    
    Autobuild-User(v4-2-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-2-test): Mon May 30 13:55:41 CEST 2016 on sn-devel-104

commit b6c9438158cb149f749d0eb258ed22886edd6b94
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 18 09:56:02 2016 +0200

    s3:smbd: fix anonymous authentication if signing is mandatory
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11910
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 2b67554e6ccca6dd4616dea672890e0a56bed8bd)

commit 93155fae52ff4e5b36826a6369d1a7c6152f873a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 11 17:59:32 2016 +0200

    s3:ntlm_auth: make ntlm_auth_generate_session_info() more complete
    
    The generate_session_info() function may be called more than once
    per session.
    
    Some may try to look at/dereference session_info->security_token,
    so we provide a simplified token.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11914
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/rpcclient/rpcclient.c | 13 ++++++++++-
 source3/smbd/sesssetup.c      |  8 +++++--
 source3/utils/ntlm_auth.c     | 51 ++++++++++++++++++++++++++++++++++++++-----
 3 files changed, 64 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index a35e422..ebe72b9 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -944,6 +944,7 @@ out_free:
 	const char *binding_string = NULL;
 	char *user, *domain, *q;
 	const char *host;
+	int signing_state = SMB_SIGNING_IPC_DEFAULT;
 
 	/* make sure the vars that get altered (4th field) are in
 	   a fixed location or certain compilers complain */
@@ -1116,6 +1117,16 @@ out_free:
 		}
 	}
 
+	signing_state = get_cmdline_auth_info_signing_state(rpcclient_auth_info);
+	switch (signing_state) {
+	case SMB_SIGNING_OFF:
+		lp_set_cmdline("client ipc signing", "no");
+		break;
+	case SMB_SIGNING_REQUIRED:
+		lp_set_cmdline("client ipc signing", "required");
+		break;
+	}
+
 	if (get_cmdline_auth_info_use_kerberos(rpcclient_auth_info)) {
 		flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
 			 CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
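Review bot: The result of `lp_set_cmdline()` is discarded in both arms of the new switch, while the connect call in the last hunk of this file now always passes `SMB_SIGNING_IPC_DEFAULT`. If the override were ever rejected, `--signing=required` would silently fall back to whatever "client ipc signing" is configured, which is a quiet downgrade of a protection the user asked for. Each arm should check the return value, e.g. `if (!lp_set_cmdline("client ipc signing", "required")) { /* report and bail out */ }`, using the function's existing error path, which is not visible in this hunk. A `default:` arm with a comment such as `/* keep the configured "client ipc signing" */` would also make the intentional pass-through of the remaining states explicit.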
@@ -1143,7 +1154,7 @@ out_free:
 					get_cmdline_auth_info_domain(rpcclient_auth_info),
 					get_cmdline_auth_info_password(rpcclient_auth_info),
 					flags,
-					get_cmdline_auth_info_signing_state(rpcclient_auth_info));
+					SMB_SIGNING_IPC_DEFAULT);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0,("Cannot connect to server.  Error was %s\n", nt_errstr(nt_status)));
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 77b8077..5d92af1 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -135,6 +135,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 	struct smbXsrv_connection *xconn = req->xconn;
 	struct smbd_server_connection *sconn = req->sconn;
 	uint16_t action = 0;
+	bool is_authenticated = false;
 	NTTIME now = timeval_to_nttime(&req->request_time);
 	struct smbXsrv_session *session = NULL;
 	uint16_t smb_bufsize = SVAL(req->vwv+2, 0);
@@ -328,12 +329,13 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 		sconn->num_users++;
 
 		if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
+			is_authenticated = true;
 			session->compat->homes_snum =
 				register_homes_share(session_info->unix_info->unix_name);
 		}
 
 		if (srv_is_signing_negotiated(xconn) &&
-		    action == 0 &&
+		    is_authenticated &&
 		    session->global->signing_key.length > 0)
 		{
 			/*
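Review bot: The switch from `action == 0` to `is_authenticated` in the signing condition is undocumented: the code gives no reason and the commit message carries only the bug link. A comment above the `if (srv_is_signing_negotiated(xconn) && ...` test would help the next reader, e.g. `/* Turn signing on only for sessions at SECURITY_USER or above; 'action' is a reply flag, not an authentication indicator. */`. The second half of that comment is my reading of the change and should be confirmed against bug 11910. The same comment is needed at the identical change in reply_sesssetup_and_X further down. The comment that opens on this hunk's last line, and the rest of the block, continue outside the hunk.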
@@ -592,6 +594,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
 	struct auth_session_info *session_info = NULL;
 	uint16 smb_flag2 = req->flags2;
 	uint16_t action = 0;
+	bool is_authenticated = false;
 	NTTIME now = timeval_to_nttime(&req->request_time);
 	struct smbXsrv_session *session = NULL;
 	NTSTATUS nt_status;
@@ -1029,12 +1032,13 @@ void reply_sesssetup_and_X(struct smb_request *req)
 	sconn->num_users++;
 
 	if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
+		is_authenticated = true;
 		session->compat->homes_snum =
 			register_homes_share(session_info->unix_info->unix_name);
 	}
 
 	if (srv_is_signing_negotiated(xconn) &&
-	    action == 0 &&
+	    is_authenticated &&
 	    session->global->signing_key.length > 0)
 	{
 		/*
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index d01c522..0fa8997 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -27,6 +27,7 @@
 #include "includes.h"
 #include "lib/param/param.h"
 #include "popt_common.h"
+#include "libcli/security/security.h"
 #include "utils/ntlm_auth.h"
 #include "../libcli/auth/libcli_auth.h"
 #include "auth/ntlmssp/ntlmssp.h"
@@ -705,18 +706,58 @@ static NTSTATUS ntlm_auth_generate_session_info(struct auth4_context *auth_conte
 						uint32_t session_info_flags,
 						struct auth_session_info **session_info_out)
 {
-	char *unix_username = (char *)server_returned_info;
-	struct auth_session_info *session_info = talloc_zero(mem_ctx, struct auth_session_info);
-	if (!session_info) {
+	const char *unix_username = (const char *)server_returned_info;
+	bool ok;
+	struct dom_sid *sids = NULL;
+	struct auth_session_info *session_info = NULL;
+
+	session_info = talloc_zero(mem_ctx, struct auth_session_info);
+	if (session_info == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix);
-	if (!session_info->unix_info) {
+	if (session_info->unix_info == NULL) {
+		TALLOC_FREE(session_info);
+		return NT_STATUS_NO_MEMORY;
+	}
+	session_info->unix_info->unix_name = talloc_strdup(session_info->unix_info,
+							   unix_username);
+	if (session_info->unix_info->unix_name == NULL) {
+		TALLOC_FREE(session_info);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	session_info->security_token = talloc_zero(session_info, struct security_token);
+	if (session_info->security_token == NULL) {
 		TALLOC_FREE(session_info);
 		return NT_STATUS_NO_MEMORY;
 	}
-	session_info->unix_info->unix_name = talloc_steal(session_info->unix_info, unix_username);
+
+	sids = talloc_zero_array(session_info->security_token,
+				 struct dom_sid, 3);
+	if (sids == NULL) {
+		TALLOC_FREE(session_info);
+		return NT_STATUS_NO_MEMORY;
+	}
+	ok = dom_sid_parse(SID_WORLD, &sids[0]);
+	if (!ok) {
+		TALLOC_FREE(session_info);
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+	ok = dom_sid_parse(SID_NT_NETWORK, &sids[1]);
+	if (!ok) {
+		TALLOC_FREE(session_info);
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+	ok = dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &sids[2]);
+	if (!ok) {
+		TALLOC_FREE(session_info);
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	session_info->security_token->num_sids = talloc_array_length(sids);
+	session_info->security_token->sids = sids;
 
 	*session_info_out = session_info;
 
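Review bot: The token built here always contains `SID_NT_AUTHENTICATED_USERS` in `sids[2]`, whatever `server_returned_info` says about the user, so any consumer that evaluates `session_info->security_token` will see every session from this helper as an authenticated network user. If that is intended, say so next to the `talloc_zero_array()` call, e.g. `/* Placeholder token (World, Network, Authenticated Users) so callers can dereference security_token; not the user's real group membership, do not use for access checks. */`. Separately, `unix_username` goes into `talloc_strdup()` unchecked, so a NULL `server_returned_info` would be reported as `NT_STATUS_NO_MEMORY`. An early `if (unix_username == NULL) return NT_STATUS_INVALID_PARAMETER;` would return an accurate status; whether NULL can reach this point depends on callers outside the hunk. The function's signature starts above the hunk and its tail runs past it.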


-- 
Samba Shared Repository


