[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Mon Apr 10 03:05:02 UTC 2017


The branch, master has been updated
       via  56df7cf auth3: fallback to "sam_ignoredomain" in make_auth3_context_for_ntlm()
       via  45227b3 auth3: merge make_auth_context_subsystem() into make_auth3_context_for_ntlm()
       via  f23af92 auth3: only use "sam_netlogon3 winbind:trustdomain" in make_auth3_context_for_netlogon
       via  9ad3b43 auth3: add "sam_netlogon3" which only reacts on lp_workgroup() as NT4 PDC/BDC
       via  0ca09b0 auth4: use "sam winbind_rodc sam_failtrusts" for the netlogon authentication
       via  6018924 auth4: remove unused map_user_info[_cracknames]()
       via  236b24d auth4: avoid map_user_info() in auth_check_password_send()
       via  8193b70 auth4: improve authsam_want_check for upn authentication
       via  09e24ce auth4: let authsam_check_password_internals use crack_name_to_nt4_name() for upn's
       via  13649fa auth4: use "anonymous sam winbind sam_ignoredomain" with ROLE_DOMAIN_MEMBER
       via  2a57b28 auth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC
       via  bb6583f auth4: add a "sam_failtrusts" module
       via  3caca9b s4:selftest: run test_trust_ntlm.sh against various environments
       via  2de1994 testprogs/blackbox: add test_trust_ntlm.sh
       via  948a1da winbindd: allow wbinfo -a REALM\user to work on a DC
       via  5da664d auth4: use lpcfg_is_my_domain_or_realm() in authsam_want_check()
       via  66ee788 testprogs/blackbox: add test_rpcclient_*_grep helper functions
       via  31f0b31 testprogs/blackbox: use subunit_ helper functions in test_smbclient_*
       via  20404e1 selftest: make sure we don't have any umask limitations for selftest
      from  6d6117b s4: process_standard: Add a simplified SIGTERM handler based on code from source4/smbd/server.c. Use from a tevent handler added to standard_accept_connection() and standard_new_task()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 56df7cf3d95dd3de9b6e3d581cbc8d3663817b7f
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Feb 19 15:37:51 2017 +0100

    auth3: fallback to "sam_ignoredomain" in make_auth3_context_for_ntlm()
    
    This is in the spirit of the "map untrusted to domain" parameter: We
    fall back to the local SAM when we get a non-authoritative NO_SUCH_USER
    from our domain controller. With this change we can implement
    "map untrusted to domain = auto".
    
    We should not strictly need 'sam' before 'winbind', but it makes
    it clearer to read and has the same effect.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Mon Apr 10 05:04:03 CEST 2017 on sn-devel-144

commit 45227b301fba492edfb57fb52e66564c1ee2de6b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 17 16:53:27 2017 +0100

    auth3: merge make_auth_context_subsystem() into make_auth3_context_for_ntlm()
    
    make_auth3_context_for_ntlm() was the only caller of
    make_auth_context_subsystem().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f23af921dfb8876ded0094adb6f7832fb41e6147
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 17 16:51:45 2017 +0100

    auth3: only use "sam_netlogon3 winbind:trustdomain" in make_auth3_context_for_netlogon
    
    If someone needs the old behavior for a while, the deprecated
    "auth methods = guest sam winbind:trustdomain" option can be used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9ad3b43d03ce94cb03321612db8ccd86cddba9e1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 16 15:45:32 2017 +0100

    auth3: add "sam_netlogon3" which only reacts on lp_workgroup() as NT4 PDC/BDC
    
    This will be used in the s3 netlogon server in future.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0ca09b0e10cdc7e6cef083289da85236d40082ef
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 17 19:35:24 2017 +0100

    auth4: use "sam winbind_rodc sam_failtrusts" for the netlogon authentication
    
    We should not do anonymous authentication nor a fallback that
    ignores the domain part.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 601892457865ec636dccab708d1380d58bb04fa3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 17 16:21:05 2017 +0100

    auth4: remove unused map_user_info[_cracknames]()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 236b24dfd29f1343c6de9a1e8c8baf3d2991244e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 17 16:19:10 2017 +0100

    auth4: avoid map_user_info() in auth_check_password_send()
    
    The cracknames call is done in the "sam" backend now.
    
    In order to support trusted domains correctly, the backends
    need to get the raw values from the client.
    
    This is the important change in order to no longer
    silently map users from trusted domains to local users.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8193b708984671df8439c516fd2f209d7760f5c2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 17 16:31:02 2017 +0100

    auth4: improve authsam_want_check for upn authentication
    
    We need to check if the upn suffix is within our forest.
    The check if it's within our domain is done in
    authsam_check_password_internals() after calling
    crack_name_to_nt4_name().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 09e24ce40f89ac2f03d0c5fefa8b59f0d113fa6b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 17 14:57:33 2017 +0100

    auth4: let authsam_check_password_internals use crack_name_to_nt4_name() for upn's
    
    Currently the caller does this before calling the auth backends,
    but that should change in order to support trusted domains correctly.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 13649fa2dca59154db9af4edf3d07ef0917f833d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 22 10:45:25 2017 +0100

    auth4: use "anonymous sam winbind sam_ignoredomain" with ROLE_DOMAIN_MEMBER
    
    We will hopefully remove this role in future, but for now we should do this
    correctly and fall back to sam_ignoredomain at the end of the auth chain.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2a57b285ce0a7417b14ab028b2f711d1048eb27c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 17 14:54:16 2017 +0100

    auth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC
    
    It's better to consistently fail authentications for users
    of trusted domains (on a RWDC) with NT_STATUS_NO_TRUST_LSA_SECRET,
    instead of silently mapping them to local users, by accident.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bb6583fdf200677bd7ef17dfa9e57b6f5c14fb45
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 22 10:37:22 2017 +0100

    auth4: add a "sam_failtrusts" module
    
    This fails the authentication for any known domain with
    NT_STATUS_NO_TRUST_LSA_SECRET.
    
    This will be used on an AD_DC to fail authentication
    for users of trusted domains sanely, instead of silently
    mapping them to local users.
    
    This is just a temporary solution, until we have full
    async support in the gensec/auth4.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3caca9b7fb61196c1f7285cd6be8a257b306ff67
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 6 19:44:16 2017 +0200

    s4:selftest: run test_trust_ntlm.sh against various environments
    
    This shows that NTLM authentication is currently completely broken
    on DCs of AD domains with trusts.
    
    Currently we completely ignore the client provided domain
    and try to authenticate against the username in our local sam.ldb.
    
    If the same username/password combination exists in both domains,
    the user of the trusted domain silently impersonates the user
    of the local domain.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2de1994e6f969973d3de2f2f39b52fbcec2e11c8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 29 11:41:31 2017 +0200

    testprogs/blackbox: add test_trust_ntlm.sh
    
    This verifies that various domain/realm and username
    combinations map to the correct user.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 948a1dab4d3bb014b438636208055c78206f8dbd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Apr 3 00:19:48 2017 +0200

    winbindd: allow wbinfo -a REALM\\user to work on a DC
    
    find_domain_from_name_noinit() finds the correct domain based
    on domain->alt_name, but the child for the local domain
    fails to detect that winbindd_dual_auth_passdb() should be
    used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5da664dbed4932ef21061ad6127b5c9047398321
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 6 15:34:01 2017 +0200

    auth4: use lpcfg_is_my_domain_or_realm() in authsam_want_check()
    
    We also accept the domain to be the realm string.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 66ee788a5a7e882f84fe44e1c933b2df1033b1a9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 29 11:53:41 2017 +0200

    testprogs/blackbox: add test_rpcclient_*_grep helper functions
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 31f0b313084050389f7967171935753192838bbe
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 29 11:53:18 2017 +0200

    testprogs/blackbox: use subunit_ helper functions in test_smbclient_*
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 20404e19b900af7ae30e0897323b52eb51e7f950
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Apr 7 10:39:31 2017 +0200

    selftest: make sure we don't have any umask limitations for selftest
    
    We create $prefix with 0700 (umask 0077), but everything else
    should not have a umask limitation (by default).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 selftest/knownfail                     |  10 ++
 selftest/selftest.pl                   |   3 +
 source3/auth/auth.c                    |  47 ++++--
 source3/auth/auth_sam.c                |  64 ++++++++
 source3/winbindd/winbindd_pam.c        |  22 ++-
 source4/auth/ntlm/auth.c               |  87 +++++++++--
 source4/auth/ntlm/auth_sam.c           | 257 +++++++++++++++++++++++++++++---
 source4/auth/ntlm/auth_util.c          | 259 ---------------------------------
 source4/selftest/tests.py              |   4 +
 testprogs/blackbox/common_test_fns.inc |  68 ++++++++-
 testprogs/blackbox/test_trust_ntlm.sh  | 164 +++++++++++++++++++++
 11 files changed, 670 insertions(+), 315 deletions(-)
 create mode 100755 testprogs/blackbox/test_trust_ntlm.sh


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail b/selftest/knownfail
index 07b4cdb..98c9708 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -317,3 +317,13 @@
 # rap password tests don't function in the ad_dc_ntvfs:local environment
 #
 ^samba.tests.auth_log_pass_change.samba.tests.auth_log_pass_change.AuthLogPassChangeTests.test_rap_change_password\(ad_dc_ntvfs:local\)
+#
+# The following should pass once we have trust support
+^samba4.blackbox.trust_ntlm.Test07.*client.*with.ADDOMAIN\\Administrator%locDCpass1\(fl2008r2dc:local\)
+^samba4.blackbox.trust_ntlm.Test08.*client.*with.ADDOM.SAMBA.EXAMPLE.COM\\Administrator%locDCpass1\(fl2008r2dc:local\)
+^samba4.blackbox.trust_ntlm.Test09.*client.*with.Administrator at ADDOMAIN%locDCpass1\(fl2008r2dc:local\)
+^samba4.blackbox.trust_ntlm.Test10.*client.*with.Administrator at ADDOM.SAMBA.EXAMPLE.COM%locDCpass1\(fl2008r2dc:local\)
+^samba4.blackbox.trust_ntlm.Test07.*client.*with.ADDOMAIN\\Administrator%locDCpass1\(fl2003dc:local\)
+^samba4.blackbox.trust_ntlm.Test08.*client.*with.ADDOM.SAMBA.EXAMPLE.COM\\Administrator%locDCpass1\(fl2003dc:local\)
+^samba4.blackbox.trust_ntlm.Test09.*client.*with.Administrator at ADDOMAIN%locDCpass1\(fl2003dc:local\)
+^samba4.blackbox.trust_ntlm.Test10.*client.*with.Administrator at ADDOM.SAMBA.EXAMPLE.COM%locDCpass1\(fl2003dc:local\)
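
Review bot: the Test09/Test10 patterns read `Administrator at ADDOMAIN` and `Administrator at ADDOM.SAMBA.EXAMPLE.COM`, which is the list archive's rewriting of `@` (the same rewriting that turns the author addresses above into `vl at samba.org`); anyone applying this patch from the archive rather than from git needs to restore the literal `@`, otherwise these knownfail entries will not match and Test09/Test10 show up as real failures in fl2008r2dc:local and fl2003dc:local. The comment `# The following should pass once we have trust support` would also be more useful with the bug number (12709) so the entries can be found and removed when the trust work lands.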
diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index 45e0ae0..32fc845 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -307,8 +307,11 @@ die("using an empty prefix isn't allowed") unless $prefix ne "";
 # permissions on this as some subdirectories in this tree will have
 # wider permissions (ie 0777) and this would allow other users on the
 # host to subvert the test process.
+umask 0077;
 mkdir($prefix, 0700) unless -d $prefix;
 chmod 0700, $prefix;
+# We need to have no umask limitations for the tests.
+umask 0000;
 
 my $prefix_abs = abs_path($prefix);
 my $tmpdir_abs = abs_path("$prefix/tmp");
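
Review bot: the `umask 0077` before `mkdir($prefix, 0700)` changes nothing for that call (0700 masked by 0077 is still 0700) and the `chmod 0700, $prefix` on the next line already enforces the mode, so the only behavioural change in this hunk is `umask 0000`, which also applies to everything selftest.pl itself creates afterwards (`$prefix/tmp` and friends), not just to what the tests create. Given the comment above warns that 0777 subdirectories would let other users on the host subvert the test process, the 0700 on `$prefix` is now the only thing keeping those directories away from other local users; the return value of `chmod` should be checked (`chmod 0700, $prefix or die ...`) and the new comment should say that the 0700 on `$prefix` is relied on for exactly this reason.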
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 28d0955..ba6245d 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -500,8 +500,8 @@ static NTSTATUS make_auth_context_specific(TALLOC_CTX *mem_ctx,
  Make a auth_context struct for the auth subsystem
 ***************************************************************************/
 
-static NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
-					    struct auth_context **auth_context)
+NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
+				     struct auth_context **auth_context)
 {
 	const char *methods = NULL;
 	NTSTATUS nt_status;
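
Review bot: dropping `static` and renaming the function to make_auth3_context_for_ntlm() leaves the header comment `Make a auth_context struct for the auth subsystem` stale; it should say this builds the method chain used for NTLM authentication, as opposed to the netlogon chain built further down, so readers do not take it for the generic subsystem constructor it used to be. Also check that the prototype in the auth header matches the now non-static definition.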
@@ -526,17 +526,17 @@ static NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 	switch (lp_server_role()) {
 	case ROLE_DOMAIN_MEMBER:
 		DEBUG(5,("Making default auth method list for server role = 'domain member'\n"));
-		methods = "guest sam winbind:ntdomain";
+		methods = "guest sam winbind:ntdomain sam_ignoredomain";
 		break;
 	case ROLE_DOMAIN_BDC:
 	case ROLE_DOMAIN_PDC:
 		DEBUG(5,("Making default auth method list for DC\n"));
-		methods = "guest sam winbind:trustdomain";
+		methods = "guest sam winbind:trustdomain sam_ignoredomain";
 		break;
 	case ROLE_STANDALONE:
 		DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = yes\n"));
 		if (lp_encrypt_passwords()) {
-			methods = "guest sam";
+			methods = "guest sam_ignoredomain";
 		} else {
 			DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = no\n"));
 			methods = "guest unix";
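
Review bot: appending `sam_ignoredomain` to the domain member and DC defaults means a logon for `TRUSTED\user` that winbind cannot resolve is retried against the local SAM with the domain part ignored, which is the 'map untrusted to domain' behaviour the commit message describes, but the hunk gives no hint of the safety condition it relies on: the chain must only advance on a non-authoritative NT_STATUS_NO_SUCH_USER, and an authoritative failure (wrong password for a user that does exist in the trusted domain) must not fall through, or a same-named local account could be probed with the trusted user's credentials. A comment at each `methods = ...` line stating which result from `winbind` lets the chain reach `sam_ignoredomain` would make that contract visible, and the DEBUG(5) messages should mention the fallback so auth logs show when a local-SAM retry happened. For ROLE_STANDALONE `sam` is replaced by `sam_ignoredomain` rather than followed by it; that is reasonable for a server with no domain to honour, but deserves a one-line comment too.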
@@ -550,16 +550,39 @@ static NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 	return make_auth_context_specific(mem_ctx, auth_context, methods);
 }
 
-NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
-				     struct auth_context **auth_context)
-{
-	return make_auth_context_subsystem(mem_ctx, auth_context);
-}
-
 NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
 					 struct auth_context **auth_context)
 {
-	return make_auth_context_subsystem(mem_ctx, auth_context);
+	const char *methods = NULL;
+	NTSTATUS nt_status;
+
+	/*
+	 * We do the lp_auth_methods check before
+	 * the lp_server_role check in order to
+	 * backward compatible. The "auth methods" option
+	 * is deprecated now, so this will go away in a future
+	 * release.
+	 */
+	if (lp_auth_methods()) {
+		DBG_INFO("Using specified auth order for netlogon\n");
+		nt_status = make_auth_context_text_list(
+			mem_ctx, auth_context,
+			discard_const_p(char *, lp_auth_methods()));
+		return nt_status;
+	}
+
+	switch (lp_server_role()) {
+	case ROLE_DOMAIN_BDC:
+	case ROLE_DOMAIN_PDC:
+		methods = "sam_netlogon3 winbind:trustdomain";
+		break;
+
+	default:
+		DBG_ERR("Invalid server role!\n");
+		return NT_STATUS_INVALID_SERVER_STATE;
+	}
+
+	return make_auth_context_specific(mem_ctx, auth_context, methods);
 }
 
 NTSTATUS make_auth3_context_for_winbind(TALLOC_CTX *mem_ctx,
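
Review bot: when `lp_auth_methods()` is set, the role check is bypassed entirely, so a standalone or domain member server with a leftover `auth methods` line still gets a netlogon auth context even though the `default:` branch rejects those roles with NT_STATUS_INVALID_SERVER_STATE; consider doing the role switch first for the netlogon path (the commit message only needs the deprecated option to restore the old DC chain), or at least log at DBG_WARNING rather than DBG_INFO, since the deprecated list may contain `guest` and anonymous authentication has no place in a netlogon chain. Typo in the comment: `in order to backward compatible` should read `in order to be backward compatible`.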
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 5b53bca..634386f 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -125,9 +125,73 @@ static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *par
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context,
+					void *my_private_data,
+					TALLOC_CTX *mem_ctx,
+					const struct auth_usersupplied_info *user_info,
+					struct auth_serversupplied_info **server_info)
+{
+	bool is_my_domain;
+
+	if (!user_info || !auth_context) {
+		return NT_STATUS_LOGON_FAILURE;
+	}
+
+	DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
+		  user_info->mapped.domain_name,
+		  user_info->mapped.account_name);
+
+	/* check whether or not we service this domain/workgroup name */
+
+	switch (lp_server_role()) {
+	case ROLE_DOMAIN_PDC:
+	case ROLE_DOMAIN_BDC:
+		break;
+	default:
+		DBG_ERR("Invalid server role\n");
+		return NT_STATUS_INVALID_SERVER_STATE;
+	}
+
+	is_my_domain = strequal(user_info->mapped.domain_name, lp_workgroup());
+	if (!is_my_domain) {
+		DBG_INFO("%s is not our domain name (DC for %s)\n",
+			 user_info->mapped.domain_name, lp_workgroup());
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	return check_sam_security(&auth_context->challenge, mem_ctx,
+				  user_info, server_info);
+}
+
+/* module initialisation */
+static NTSTATUS auth_init_sam_netlogon3(struct auth_context *auth_context,
+					const char *param, auth_methods **auth_method)
+{
+	struct auth_methods *result;
+
+	if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC
+	    && !lp_parm_bool(-1, "server role check", "inhibit", false)) {
+		DEBUG(0, ("server role = 'active directory domain controller' "
+			  "not compatible with running the auth_sam module.\n"));
+		DEBUGADD(0, ("You should not set 'auth methods' when "
+			     "running the AD DC.\n"));
+		exit(1);
+	}
+
+	result = talloc_zero(auth_context, struct auth_methods);
+	if (result == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	result->auth = auth_sam_netlogon3_auth;
+	result->name = "sam_netlogon3";
+	*auth_method = result;
+	return NT_STATUS_OK;
+}
+
 NTSTATUS auth_sam_init(void)
 {
 	smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam);
 	smb_register_auth(AUTH_INTERFACE_VERSION, "sam_ignoredomain", auth_init_sam_ignoredomain);
+	smb_register_auth(AUTH_INTERFACE_VERSION, "sam_netlogon3", auth_init_sam_netlogon3);
 	return NT_STATUS_OK;
 }
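
Review bot: auth_init_sam_netlogon3() copies the AD DC guard verbatim from auth_init_sam(), including the message `not compatible with running the auth_sam module`, which points admins at the wrong module when the failing entry is `sam_netlogon3`; the string should name sam_netlogon3, and the `exit(1)` from a module init function deserves a comment on why a hard exit is preferred over returning an error status. In auth_sam_netlogon3_auth(), returning NT_STATUS_NOT_IMPLEMENTED for a domain other than lp_workgroup() is what lets the chain move on to `winbind:trustdomain`; say so next to the return. Note also that only the NT4 workgroup name is accepted here (compared case-insensitively via strequal()), whereas the auth4 side of this series also accepts the realm string, so the two netlogon paths will behave differently for a client that sends the DNS domain name.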
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index a466015..292f556 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1564,7 +1564,16 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
 
 	parse_domain_user(user, name_domain, name_user);
 
-	if (strequal(name_domain, get_global_sam_name())) {
+	/*
+	 * We check against domain->name instead of
+	 * name_domain, as find_auth_domain() ->
+	 * find_domain_from_name_noinit() already decided
+	 * that we are in a child for the correct domain.
+	 *
+	 * name_domain can also be lp_realm()
+	 * we need to check against domain->name.
+	 */
+	if (strequal(domain->name, get_global_sam_name())) {
 		DATA_BLOB chal_blob = data_blob_const(chal, sizeof(chal));
 
 		/* do password magic */
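
Review bot: switching the test to `domain->name` makes `name_domain` (parsed from `user` just above) irrelevant for the branch decision, so a request that reached the local-domain child with a `name_domain` that is neither the workgroup nor the realm is silently treated as local; a DBG_DEBUG that prints both `domain->name` and `name_domain` when they differ would make such routing mistakes visible in the logs. The comment also needs punctuation: `name_domain can also be lp_realm()` and `we need to check against domain->name` run together as one sentence.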
@@ -2004,7 +2013,16 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 {
 	NTSTATUS result;
 
-	if (strequal(name_domain, get_global_sam_name())) {
+	/*
+	 * We check against domain->name instead of
+	 * name_domain, as find_auth_domain() ->
+	 * find_domain_from_name_noinit() already decided
+	 * that we are in a child for the correct domain.
+	 *
+	 * name_domain can also be lp_realm()
+	 * we need to check against domain->name.
+	 */
+	if (strequal(domain->name, get_global_sam_name())) {
 		DATA_BLOB chal_blob = data_blob_const(
 			chal, 8);
 
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index ecb7d6b..56676bb 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -291,24 +291,39 @@ _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
 	state->user_info	= user_info;
 
 	if (!user_info->mapped_state) {
-		int server_role = lpcfg_server_role(auth_ctx->lp_ctx);
 		struct auth_usersupplied_info *user_info_tmp;
 
-		nt_status = map_user_info(
-			auth_ctx->sam_ctx, req,
-			server_role == ROLE_ACTIVE_DIRECTORY_DC,
-			lpcfg_workgroup(auth_ctx->lp_ctx),
-			user_info, &user_info_tmp);
-
-		if (tevent_req_nterror(req, nt_status)) {
-			return tevent_req_post(req, ev);
+		/*
+		 * We don't really do any mapping here.
+		 *
+		 * So we don't set user_info->mapped_state,
+		 * but we set mapped.domain_name and
+		 * mapped.account_name to the client
+		 * provided values.
+		 *
+		 * It's up to the backends to do mappings
+		 * for their authentication.
+		 */
+		user_info_tmp = talloc_zero(state, struct auth_usersupplied_info);
+		if (tevent_req_nomem(user_info_tmp, req)) {
+			return tevent_req_post(req, ev);;
 		}
+
+		/*
+		 * The lifetime of user_info is longer than
+		 * user_info_tmp, so we don't need to copy the
+		 * strings.
+		 */
+		*user_info_tmp = *user_info;
+		user_info_tmp->mapped.domain_name = user_info->client.domain_name;
+		user_info_tmp->mapped.account_name = user_info->client.account_name;
+
 		user_info = user_info_tmp;
 		state->user_info = user_info_tmp;
 	}
 
 	DEBUGADD(3,("auth_check_password_send: "
-		    "mapped user is: [%s]\\[%s]@[%s]\n",
+		    "user is: [%s]\\[%s]@[%s]\n",
 		    user_info->mapped.domain_name,
 		    user_info->mapped.account_name,
 		    user_info->workstation_name));
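
Review bot: `return tevent_req_post(req, ev);;` has a stray second semicolon. More importantly, `*user_info_tmp = *user_info;` is a shallow copy, so every pointer in the struct (the password blobs, the client and mapped name strings, workstation_name) is shared with the caller's user_info; the comment justifies that by lifetime, but nothing enforces it, and a future caller handing in a short-lived user_info that is torn down before the request completes would leave the backends reading freed memory. Either talloc_reference() the source or document on auth_check_password_send() that user_info must outlive the returned tevent_req. Leaving mapped_state false while filling in mapped.* also deserves a note that backends must now treat mapped.* as the raw client values, since authsam_want_check() keys on mapped_state to decide whether a cracknames call already happened.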
@@ -645,12 +660,25 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
 		auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain", NULL);
 		break;
 	case ROLE_DOMAIN_MEMBER:
-		auth_methods = str_list_make(mem_ctx, "anonymous sam winbind", NULL);
+		auth_methods = str_list_make(mem_ctx, "anonymous sam winbind sam_ignoredomain", NULL);
 		break;
 	case ROLE_DOMAIN_BDC:
 	case ROLE_DOMAIN_PDC:
 	case ROLE_ACTIVE_DIRECTORY_DC:
-		auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind_rodc", NULL);
+		/*
+		 * TODO: we should replace "winbind_rodc sam_failtrusts" with "winbind"
+		 * if everything (gensec/auth4) is fully async without nested
+		 * event loops!
+		 *
+		 * But for now we'll fail authentications for trusted
+		 * domain consistently with NT_STATUS_NO_TRUST_LSA_SECRET,
+		 * instead of silently mapping to local users.
+		 */
+		auth_methods = str_list_make(mem_ctx,
+					     "anonymous sam "
+					     "winbind_rodc sam_failtrusts "
+					     "sam_ignoredomain",
+					     NULL);
 		break;
 	}
 	return discard_const_p(const char *, auth_methods);
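
Review bot: the order of the new list matters and the comment does not say why: `sam_failtrusts` must sit after `winbind_rodc` and before `sam_ignoredomain`, because `sam_ignoredomain` is still the last module for the DC roles and will authenticate `TRUSTED\user` against the local SAM for any domain name that `sam_failtrusts` does not recognise as a known trust. The TODO should therefore also say that when `winbind_rodc sam_failtrusts` is replaced by `winbind`, the trailing `sam_ignoredomain` has to be revisited, otherwise the silent mapping this series removes comes back for unknown domain names. ROLE_DOMAIN_BDC/PDC share this branch with ROLE_ACTIVE_DIRECTORY_DC, so the reasoning applies to the NT4-style roles as well and the comment should not read as AD-only.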
@@ -688,7 +716,40 @@ _PUBLIC_ NTSTATUS auth_context_create_for_netlogon(TALLOC_CTX *mem_ctx,
 						   struct loadparm_context *lp_ctx,
 						   struct auth4_context **auth_ctx)
 {
-	return auth_context_create(mem_ctx, ev, msg, lp_ctx, auth_ctx);
+	NTSTATUS status;
+	char **_auth_methods = NULL;
+	const char **auth_methods = NULL;
+
+	/*
+	 * As 'auth methods' is deprecated it will be removed
+	 * in future releases again, but for now give
+	 * admins the flexibility to configure, the behavior
+	 * from Samba 4.6: "auth methods = anonymous sam_ignoredomain",
+	 * for a while.
+	 */
+	auth_methods = lpcfg_auth_methods(lp_ctx);
+	if (auth_methods != NULL) {
+		DBG_NOTICE("using deprecated 'auth methods' values.\n");
+	} else {
+		/*
+		 * We can remove "winbind_rodc sam_failtrusts",
+		 * when we made the netlogon retries to
+		 * to contact winbind via irpc.
+		 */
+		_auth_methods = str_list_make(mem_ctx,
+				"sam "
+				"winbind_rodc sam_failtrusts",
+				NULL);
+		if (_auth_methods == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		auth_methods = discard_const_p(const char *, _auth_methods);
+	}
+
+	status = auth_context_create_methods(mem_ctx, auth_methods, ev, msg,
+					     lp_ctx, NULL, auth_ctx);
+	talloc_free(_auth_methods);
+	return status;
 }
 
 /* the list of currently registered AUTH backends */
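
Review bot: `talloc_free(_auth_methods)` right after auth_context_create_methods() is only safe if that function copies the method names rather than keeping the `auth_methods` pointer array; if it stores the array, the new context is left with dangling pointers. Allocating `_auth_methods` on a talloc_stackframe, or on `*auth_ctx` once it exists, would make the lifetime explicit, or a comment should state that the list is copied. The DBG_NOTICE for the deprecated `auth methods` path should print the configured values, since an admin setting `anonymous sam_ignoredomain` here re-enables exactly the silent mapping this series removes and that should be visible in the logs. Typo: `to contact winbind via irpc` is preceded by a duplicated `to`.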
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 391492a..1c7fd90 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -580,6 +580,7 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
 	struct ldb_dn *domain_dn;
 	DATA_BLOB user_sess_key, lm_sess_key;
 	TALLOC_CTX *tmp_ctx;
+	const char *p = NULL;
 
 	if (ctx->auth_ctx->sam_ctx == NULL) {
 		DEBUG(0, ("No SAM available, cannot log in users\n"));
@@ -602,6 +603,43 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
 		return NT_STATUS_NO_SUCH_DOMAIN;
 	}
 
+	p = strchr_m(account_name, '@');
+	if (p != NULL) {
+		const char *nt4_domain = NULL;
+		const char *nt4_account = NULL;
+		bool is_my_domain = false;
+
+		nt_status = crack_name_to_nt4_name(mem_ctx,
+						   ctx->auth_ctx->event_ctx,
+						   ctx->auth_ctx->lp_ctx,
+						   /*
+						    * DRSUAPI_DS_NAME_FORMAT_UPN_FOR_LOGON ?
+						    */
+						   DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
+						   account_name,
+						   &nt4_domain, &nt4_account);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			talloc_free(tmp_ctx);
+			return NT_STATUS_NO_SUCH_USER;
+		}
+
+		is_my_domain = lpcfg_is_mydomain(ctx->auth_ctx->lp_ctx, nt4_domain);
+		if (!is_my_domain) {
+			/*
+			 * This is a user within our forest,
+			 * but in a different domain,
+			 * we're not authoritative
+			 */
+			talloc_free(tmp_ctx);
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+
+		/*
+		 * Let's use the NT4 account name for the lookup.
+		 */
+		account_name = nt4_account;
+	}
+
 	nt_status = authsam_search_account(tmp_ctx, ctx->auth_ctx->sam_ctx, account_name, domain_dn, &msg);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(tmp_ctx);
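
Review bot: crack_name_to_nt4_name() is called with `mem_ctx` rather than `tmp_ctx`, so `nt4_domain` and `nt4_account` outlive this function although `account_name` is only needed for the lookup below; allocating them on `tmp_ctx` would match the cleanup already done on every error path. Every failure of crack_name_to_nt4_name() is mapped to NT_STATUS_NO_SUCH_USER, which makes a transient LDB or DRS error indistinguishable in the logs from a genuinely unknown UPN; consider returning NT_STATUS_NO_SUCH_USER only for the name-not-found case and passing the real status through otherwise, with a DBG_WARNING carrying the original status. The `DRSUAPI_DS_NAME_FORMAT_UPN_FOR_LOGON ?` question should be resolved or turned into a TODO with a reason rather than left as a bare question mark inside the argument list.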
@@ -652,44 +690,209 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 				   TALLOC_CTX *mem_ctx,
 				   const struct auth_usersupplied_info *user_info)
 {
-	bool is_local_name, is_my_domain;
+	const char *effective_domain = user_info->mapped.domain_name;
+	bool is_local_name = false;
+	bool is_my_domain = false;
+	const char *p = NULL;
+	struct dsdb_trust_routing_table *trt = NULL;
+	const struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
+	NTSTATUS status;
 
 	if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
 
 	is_local_name = lpcfg_is_myname(ctx->auth_ctx->lp_ctx,
-				  user_info->mapped.domain_name);
-	is_my_domain  = lpcfg_is_mydomain(ctx->auth_ctx->lp_ctx,
-				       user_info->mapped.domain_name); 
+					effective_domain);
 
 	/* check whether or not we service this domain/workgroup name */
 	switch (lpcfg_server_role(ctx->auth_ctx->lp_ctx)) {
-		case ROLE_STANDALONE:
-			return NT_STATUS_OK;
+	case ROLE_STANDALONE:
+		return NT_STATUS_OK;
 
-		case ROLE_DOMAIN_MEMBER:
-			if (!is_local_name) {
-				DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n",
-					user_info->mapped.domain_name));
-				return NT_STATUS_NOT_IMPLEMENTED;
-			}
+	case ROLE_DOMAIN_MEMBER:
+		if (is_local_name) {
 			return NT_STATUS_OK;
+		}
 
-		case ROLE_ACTIVE_DIRECTORY_DC:
-			if (!is_local_name && !is_my_domain) {
-				DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n",
-					user_info->mapped.domain_name));
-				return NT_STATUS_NOT_IMPLEMENTED;
-			}
+		DBG_DEBUG("%s is not one of my local names (DOMAIN_MEMBER)\n",
+			  effective_domain);
+		return NT_STATUS_NOT_IMPLEMENTED;
+
+	case ROLE_ACTIVE_DIRECTORY_DC:
+		/* handled later */
+		break;
+
+	default:
+		DBG_ERR("lpcfg_server_role() has an undefined value\n");
+		return NT_STATUS_INVALID_SERVER_STATE;
+	}
+
+	/*
+	 * Now we handle the AD DC case...
+	 */
+
+	is_my_domain = lpcfg_is_my_domain_or_realm(ctx->auth_ctx->lp_ctx,
+						   effective_domain);
+	if (is_my_domain) {
+		return NT_STATUS_OK;
+	}
+
+	if (user_info->mapped_state) {
+		/*
+		 * The caller already did a cracknames call.
+		 */
+		DBG_DEBUG("%s is not one domain name (DC)\n",
+			  effective_domain);
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	if (effective_domain != NULL && !strequal(effective_domain, "")) {
+		DBG_DEBUG("%s is not one domain name (DC)\n",
+			  effective_domain);
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
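
Review bot: the two DBG_DEBUG strings `%s is not one domain name (DC)` read as a typo for `is not one of my domain names (DC)`; since they are emitted on the trusted-domain path this series makes fail loudly, the wording should be clear. The same message is used for both the `mapped_state` branch and the non-empty `effective_domain` branch, so a log line cannot tell whether the caller already cracked the name or not; distinct messages would help when diagnosing mis-routed logons. `trt`, `tdo` and `status` are declared at the top of the function but not used in the part of the hunk shown here; if their use is in the portion cut by the 500-line truncation, fine, otherwise the compiler will warn about unused variables.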


-- 
Samba Shared Repository


