[SCM] Samba Shared Repository - branch v4-5-stable updated

Karolin Seeger kseeger at samba.org
Thu Aug 31 06:59:41 UTC 2017


The branch, v4-5-stable has been updated
       via  3c9bc04 VERSION: Disable GIT_SNAPSHOTS for the 4.5.13 release.
       via  0247ece WHATSNEW: Add release notes for Samba 4.5.13.
       via  2339d4b vfs_fruit: factor out common code from ad_get() and ad_fget()
       via  b559efc vfs_fruit: return fake pipe fd in fruit_open_meta_netatalk()
       via  379dbb5 vfs_fruit: don't open basefile in ad_open() and simplify API
       via  d6c9916 vfs_fruit: use path based setxattr call in ad_fset()
       via  12c818b s4/torture: additional tests for kernel-oplocks
       via  c03af9f s4/torture: reproducer for kernel oplocks issue with streams
       via  38d8b62 vfs_streams_xattr: return a fake fd in streams_xattr_open()
       via  f7e96ae vfs_streams_xattr: implement all missing handle based VFS functions
       via  62c9719 vfs_streams_xattr: always pass NULL as fsp arg to get_ea_value()
       via  10b04e9 vfs_streams_xattr: remove fsp argument from get_xattr_size()
       via  c642283 vfs_streams_xattr: remove all uses of fd, use name based functions
       via  da22be9 vfs_streams_xattr: invalidate stat info if xattr was not found
       via  715e1c9 s3: torture: Add a test for cli_setpathinfo_basic() to smbtorture3.
       via  57f129b s3: libsmb: Implement cli_smb2_setatr() by calling cli_smb2_setpathinfo().
       via  a6f4924 s3: libsmb: Add cli_smb2_setpathinfo(), to be called by cli_setpathinfo_basic().
       via  bfa7ac0 s3: libsmbclient: Fix cli_setpathinfo_basic() to treat mode == -1 as no change.
       via  ad113e0 vfs_gpfs: handle EACCES when fetching DOS attributes from xattr
       via  c493d8e s3/smbd: handle EACCES when fetching DOS attributes from xattr
       via  5b3f031 s3/smbd: handling of failed DOS attributes reading
       via  9792ec2 s3: libsmb: Reverse sense of 'clear all attributes', ignore attribute change in SMB2 to match SMB1.
       via  3475d11 vfs_ceph: fix cephwrap_chdir()
       via  cfa8c18 s3: smbd: Fix a read after free if a chained SMB1 call goes async.
       via  5d740e4 s3: libsmb: Fix use-after-free when accessing pointer *p.
       via  5659328 s3/notifyd: ensure notifyd doesn't return from smbd_notifyd_init
       via  dbb2814 vfs_fruit: don't use MS NFS ACEs with Windows clients
       via  35cba47 vfs_fruit: add fruit:model = <modelname> parametric option
       via  6512059 selftest:Samba3: call "net primarytrust dumpinfo" setup_nt4_member() after the join
       via  6c728cc s3:secrets: remove unused secrets_store_[prev_]machine_password()
       via  ad1e456 s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
       via  7d86014 net: make use of secrets_*_password_change() for "net changesecretpw"
       via  ab5109f s3:trusts_util: make use the workstation password change more robust
       via  75a05ad s3:libnet: make use of secrets_store_JoinCtx()
       via  d9a2394 net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust
       via  f3da295 s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials
       via  97b72e3 secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts
       via  4d66652 netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension
       via  19addd1 netlogon.idl: make netr_TrustFlags [public]
       via  e635a4f lsa.idl: make lsa_DnsDomainInfo [public]
       via  1e5489d s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()
       via  399945b libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()
       via  0c7de3c libcli/auth: add const to set_pw_in_buffer()
       via  09461fe libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
       via  c1d6f18 s3:trusts_util: pass dcname to trust_pw_change()
       via  9afd00e s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()
       via  3c3765f s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key
       via  64b3919 s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too
       via  04384a4 s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables
       via  a920733 s3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()
       via  fdbf0de s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value
       via  96319f6 s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()
       via  1bbefc1 s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys
       via  f5dc61c s3:secrets: rename secrets_delete() to secrets_delete_entry()
       via  f30adda s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()
       via  0a36325 s3:secrets: add some const to secrets_store_domain_guid()
       via  ec6b939 s3:secrets: split out a domain_guid_keystr() function
       via  de0f730 s3:secrets: rework des_salt_key() to take the realm as argument
       via  fd161f1 s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
       via  701361c s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
       via  24478a5 s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
       via  aa2f79b s3:libnet: make use of kerberos_secrets_fetch_salt_princ()
       via  0aa6bfd s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()
       via  2ef7d5a s3:libads: provide a simpler kerberos_fetch_salt_princ() function
       via  0f4d181 s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
       via  87b27a5 s3:libnet_join: move kerberos_secrets_store_des_salt() to libnet_join_joindomain_store_secrets()
       via  00a2ce6 s3:libnet_join: move libnet_join_joindomain_store_secrets() to libnet_join_post_processing()
       via  a210289 s3:libnet_join: call do_JoinConfig() after we did remote changes on the server
       via  7110ea3 s3:libnet_join: split libnet_join_post_processing_ads() into modify/sync
       via  4765cb4 s3:libnet_join: move kerberos_secrets_store_des_salt() out of libnet_join_derive_salting_principal()
       via  9d818ce s3:libnet_join: remember r->out.krb5_salt in libnet_join_derive_salting_principal()
       via  18cd978 s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx
       via  f18c0ca s3:libnet_join: remember the domain_guid for AD domains
       via  d68b34b s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx
       via  35b6d50 s3:libnet_join: calculate r->out.account_name in libnet_join_pre_processing()
       via  77980ad s3:libnet_join: remove dead code from libnet_join_connect_ads()
       via  cef8c67 krb5_wrap: add smb_krb5_salt_principal2data()
       via  5b96252 krb5_wrap: add smb_krb5_salt_principal()
       via  88abba9 s3:libads: remove unused kerberos_secrets_store_salting_principal()
       via  208c771 s3:librpc: let NDR_SECRETS depend on NDR_SECURITY
       via  899c0d5 idl_types.h: add NDR_SECRET shortcut
       via  9bbacf5 librpc/ndr: add LIBNDR_FLAG_IS_SECRET handling
       via  7b3bfd5 librpc/ndr: align the definition of LIBNDR_STRING_FLAGS with currently defined flags
       via  0c8ae83 pidl:NDR/Parser: add missing {start,end}_flags() to ParseElementPrint()
       via  941aaa9 werror: replace WERR_SETUP_NOT_JOINED with WERR_NERR_SETUPNOTJOINED in source3/libnet/libnet_join.c
       via  3a491cd krb5_wrap: add smb_krb5_free_data_contents() compat define (for v4-5)
       via  82f9cba s3:smbd: consistently use talloc_tos() memory for rpc_pipe_open_interface()
       via  2cae38b selftest: add a test for accessing previous version of directories with snapdirseverywhere
       via  911e3ab s3/smbd: let non_widelink_open() chdir() to directories directly
       via  3de773e VERSION: Bump version up to 4.5.13...
      from  6e6361e VERSION: Release Samba 4.5.12 for CVE-2017-11103

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                  |    2 +-
 WHATSNEW.txt                             |   70 +-
 docs-xml/manpages/vfs_fruit.8.xml        |    9 +
 lib/krb5_wrap/krb5_samba.c               |  187 ++++
 lib/krb5_wrap/krb5_samba.h               |   12 +
 libcli/auth/netlogon_creds_cli.c         |   78 +-
 libcli/auth/netlogon_creds_cli.h         |   16 +-
 libcli/auth/proto.h                      |    2 +-
 libcli/auth/smbencrypt.c                 |    2 +-
 librpc/idl/idl_types.h                   |    6 +
 librpc/idl/lsa.idl                       |    2 +-
 librpc/idl/netlogon.idl                  |    6 +-
 librpc/ndr/libndr.h                      |   24 +-
 librpc/ndr/ndr.c                         |   23 +
 librpc/ndr/ndr_basic.c                   |   44 +
 pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm |    4 +
 selftest/target/Samba3.pm                |   10 +
 source3/include/proto.h                  |    1 +
 source3/include/secrets.h                |   38 +-
 source3/libads/kerberos.c                |  200 ----
 source3/libads/kerberos_keytab.c         |   14 +-
 source3/libads/kerberos_proto.h          |    8 -
 source3/libads/util.c                    |  106 +-
 source3/libnet/libnet_join.c             |  133 ++-
 source3/libnet/libnet_keytab.c           |    5 +-
 source3/librpc/crypto/gse_krb5.c         |   40 +-
 source3/librpc/idl/libnet_join.idl       |    4 +-
 source3/librpc/idl/secrets.idl           |   92 +-
 source3/librpc/wscript_build             |    2 +-
 source3/libsmb/cli_smb2_fnum.c           |   94 +-
 source3/libsmb/cli_smb2_fnum.h           |    5 +
 source3/libsmb/clirap.c                  |   27 +-
 source3/libsmb/libsmb_dir.c              |    6 +-
 source3/libsmb/trusts_util.c             |  276 ++++-
 source3/modules/vfs_ceph.c               |    7 -
 source3/modules/vfs_fruit.c              |  270 ++---
 source3/modules/vfs_gpfs.c               |   69 +-
 source3/modules/vfs_streams_xattr.c      |  574 +++++++++--
 source3/passdb/machine_account_secrets.c | 1661 ++++++++++++++++++++++++++++--
 source3/passdb/secrets.c                 |   25 +-
 source3/passdb/secrets_lsa.c             |    2 +-
 source3/rpc_client/cli_netlogon.c        |   15 +-
 source3/rpcclient/cmd_netlogon.c         |    2 +
 source3/script/tests/test_shadow_copy.sh |   23 +
 source3/smbd/dosmode.c                   |   43 +-
 source3/smbd/lanman.c                    |   20 +-
 source3/smbd/open.c                      |   30 +-
 source3/smbd/process.c                   |    2 +-
 source3/smbd/reply.c                     |    2 +-
 source3/smbd/server.c                    |    8 +-
 source3/torture/torture.c                |  137 +++
 source3/utils/net.c                      |  142 ++-
 source3/utils/net_rpc.c                  |    8 +
 source3/winbindd/winbindd_dual.c         |    1 +
 source3/winbindd/winbindd_dual_srv.c     |    2 +
 source4/torture/smb2/oplock.c            |  346 +++++++
 source4/torture/vfs/fruit.c              |    8 +-
 57 files changed, 4113 insertions(+), 832 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index b5eaa03..6c1c849 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=13
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a519b6c..f3fccf7 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,70 @@
                    ==============================
+                   Release Notes for Samba 4.5.13
+                           August 31, 2017
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.5 release series.
+
+
+Changes since 4.5.12:
+---------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes
+     async.
+   * BUG 12899: 'smbclient setmode' no longer works to clear attribute bits due
+     to dialect upgrade.
+   * BUG 12913: SMBC_setatr() initially uses an SMB1 call before falling back.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 12791: Fix kernel oplock issues with named streams.
+   * BUG 12897: vfs_fruit: Don't use MS NFS ACEs with Windows clients.
+   * BUG 12910: s3/notifyd: Ensure notifyd doesn't return from
+     smbd_notifyd_init.
+   * BUG 12944: vfs_gpfs: handle EACCES when fetching DOS attributes from xattr.
+   * BUG 12885: Let non_widelink_open() chdir() to directories directly.
+
+o  G√ľnther Deschner <gd at samba.org>
+   * BUG 12840: vfs_fruit: Add fruit:model = <modelname> parametric option.
+
+o  David Disseldorp <ddiss at samba.org>
+   * BUG 12911: vfs_ceph: fix cephwrap_chdir().
+
+o  Thomas Jarosch <thomas.jarosch at intra2net.com>
+   * BUG 12927: s3: libsmb: Fix use-after-free when accessing pointer *p.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 12782: winbindd changes the local password and gets
+     NT_STATUS_WRONG_PASSWORD for the remote change.
+   * BUG 12890: s3:smbd: consistently use talloc_tos() memory for
+     rpc_pipe_open_interface().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   ==============================
                    Release Notes for Samba 4.5.12
                             July 12, 2017
                    ==============================
@@ -48,8 +114,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================
                    Release Notes for Samba 4.5.11
diff --git a/docs-xml/manpages/vfs_fruit.8.xml b/docs-xml/manpages/vfs_fruit.8.xml
index e2e696c..08b8700 100644
--- a/docs-xml/manpages/vfs_fruit.8.xml
+++ b/docs-xml/manpages/vfs_fruit.8.xml
@@ -162,6 +162,15 @@
 	    </listitem>
 	  </varlistentry>
 
+	  <varlistentry>
+	    <term>fruit:model = MacSamba</term>
+	    <listitem>
+	      <para>This option defines the model string inside the AAPL
+	      extension and will determine the appearance of the icon representing the
+	      Samba server in the Finder window.</para>
+	      <para>The default is <emphasis>MacSamba</emphasis>.</para>
+	    </listitem>
+	  </varlistentry>
 	</variablelist>
 </refsect1>
 
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 76e8795..fe29386 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -324,6 +324,193 @@ int smb_krb5_get_pw_salt(krb5_context context,
 #error UNKNOWN_SALT_FUNCTIONS
 #endif
 
+/**
+ * @brief This constructs the salt principal used by active directory
+ *
+ * Most Kerberos encryption types require a salt in order to
+ * calculate the long term private key for user/computer object
+ * based on a password.
+ *
+ * The returned _salt_principal is a string in forms like this:
+ * - host/somehost.example.com at EXAMPLE.COM
+ * - SomeAccount at EXAMPLE.COM
+ * - SomePrincipal at EXAMPLE.COM
+ *
+ * This is not the form that's used as salt, it's just
+ * the human readable form. It needs to be converted by
+ * smb_krb5_salt_principal2data().
+ *
+ * @param[in]  realm              The realm the user/computer is added too.
+ *
+ * @param[in]  sAMAccountName     The sAMAccountName attribute of the object.
+ *
+ * @param[in]  userPrincipalName  The userPrincipalName attribute of the object
+ *                                or NULL is not available.
+ *
+ * @param[in]  is_computer        The indication of the object includes
+ *                                objectClass=computer.
+ *
+ * @param[in]  mem_ctx            The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out]  _salt_principal   The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal2data
+ */
+int smb_krb5_salt_principal(const char *realm,
+			    const char *sAMAccountName,
+			    const char *userPrincipalName,
+			    bool is_computer,
+			    TALLOC_CTX *mem_ctx,
+			    char **_salt_principal)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	char *upper_realm = NULL;
+	const char *principal = NULL;
+	int principal_len = 0;
+
+	*_salt_principal = NULL;
+
+	if (sAMAccountName == NULL) {
+		TALLOC_FREE(frame);
+		return EINVAL;
+	}
+
+	if (realm == NULL) {
+		TALLOC_FREE(frame);
+		return EINVAL;
+	}
+
+	upper_realm = strupper_talloc(frame, realm);
+	if (upper_realm == NULL) {
+		TALLOC_FREE(frame);
+		return ENOMEM;
+	}
+
+	/* Many, many thanks to lukeh at padl.com for this
+	 * algorithm, described in his Nov 10 2004 mail to
+	 * samba-technical at lists.samba.org */
+
+	/*
+	 * Determine a salting principal
+	 */
+	if (is_computer) {
+		int computer_len = 0;
+		char *tmp = NULL;
+
+		computer_len = strlen(sAMAccountName);
+		if (sAMAccountName[computer_len-1] == '$') {
+			computer_len -= 1;
+		}
+
+		tmp = talloc_asprintf(frame, "host/%*.*s.%s",
+				      computer_len, computer_len,
+				      sAMAccountName, realm);
+		if (tmp == NULL) {
+			TALLOC_FREE(frame);
+			return ENOMEM;
+		}
+
+		principal = strlower_talloc(frame, tmp);
+		TALLOC_FREE(tmp);
+		if (principal == NULL) {
+			TALLOC_FREE(frame);
+			return ENOMEM;
+		}
+		principal_len = strlen(principal);
+
+	} else if (userPrincipalName != NULL) {
+		char *p;
+
+		principal = userPrincipalName;
+		p = strchr(principal, '@');
+		if (p != NULL) {
+			principal_len = PTR_DIFF(p, principal);
+		} else {
+			principal_len = strlen(principal);
+		}
+	} else {
+		principal = sAMAccountName;
+		principal_len = strlen(principal);
+	}
+
+	*_salt_principal = talloc_asprintf(mem_ctx, "%*.*s@%s",
+					   principal_len, principal_len,
+					   principal, upper_realm);
+	if (*_salt_principal == NULL) {
+		TALLOC_FREE(frame);
+		return ENOMEM;
+	}
+
+	TALLOC_FREE(frame);
+	return 0;
+}
+
+/**
+ * @brief Converts the salt principal string into the salt data blob
+ *
+ * This function takes a salt_principal as string in forms like this:
+ * - host/somehost.example.com at EXAMPLE.COM
+ * - SomeAccount at EXAMPLE.COM
+ * - SomePrincipal at EXAMPLE.COM
+ *
+ * It generates values like:
+ * - EXAMPLE.COMhost/somehost.example.com
+ * - EXAMPLE.COMSomeAccount
+ * - EXAMPLE.COMSomePrincipal
+ *
+ * @param[in]  realm              The realm the user/computer is added too.
+ *
+ * @param[in]  sAMAccountName     The sAMAccountName attribute of the object.
+ *
+ * @param[in]  userPrincipalName  The userPrincipalName attribute of the object
+ *                                or NULL is not available.
+ *
+ * @param[in]  is_computer        The indication of the object includes
+ *                                objectClass=computer.
+ *
+ * @param[in]  mem_ctx            The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out]  _salt_principal   The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal
+ */
+int smb_krb5_salt_principal2data(krb5_context context,
+				 const char *salt_principal,
+				 TALLOC_CTX *mem_ctx,
+				 char **_salt_data)
+{
+	krb5_error_code ret;
+	krb5_principal salt_princ = NULL;
+	krb5_data salt;
+
+	*_salt_data = NULL;
+
+	ret = krb5_parse_name(context, salt_principal, &salt_princ);
+	if (ret != 0) {
+		return ret;
+	}
+
+	ret = smb_krb5_get_pw_salt(context, salt_princ, &salt);
+	krb5_free_principal(context, salt_princ);
+	if (ret != 0) {
+		return ret;
+	}
+
+	*_salt_data = talloc_strndup(mem_ctx,
+				     (char *)salt.data,
+				     salt.length);
+	smb_krb5_free_data_contents(context, &salt);
+	if (*_salt_data == NULL) {
+		return ENOMEM;
+	}
+
+	return 0;
+}
+
 #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
  krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 					    krb5_enctype **enctypes)
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 2d31619..116bffc 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -362,6 +362,16 @@ krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
 int smb_krb5_get_pw_salt(krb5_context context,
 			 krb5_const_principal host_princ,
 			 krb5_data *psalt);
+int smb_krb5_salt_principal(const char *realm,
+			    const char *sAMAccountName,
+			    const char *userPrincipalName,
+			    bool is_computer,
+			    TALLOC_CTX *mem_ctx,
+			    char **_salt_principal);
+int smb_krb5_salt_principal2data(krb5_context context,
+				 const char *salt_principal,
+				 TALLOC_CTX *mem_ctx,
+				 char **_salt_data);
 
 int smb_krb5_create_key_from_string(krb5_context context,
 				    krb5_const_principal host_princ,
@@ -408,4 +418,6 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
 			time_t *tgs_expire,
 			const char *impersonate_princ_s);
 
+#define smb_krb5_free_data_contents(a, b) kerberos_free_data_contents(a, b)
+
 #endif /* _KRB5_SAMBA_H */
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index d55142e..29baae4 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -36,6 +36,7 @@
 #include "source3/include/messages.h"
 #include "source3/include/g_lock.h"
 #include "libds/common/roles.h"
+#include "lib/crypto/crypto.h"
 
 struct netlogon_creds_cli_locked_state;
 
@@ -942,9 +943,10 @@ struct netlogon_creds_cli_auth_state {
 	struct tevent_context *ev;
 	struct netlogon_creds_cli_context *context;
 	struct dcerpc_binding_handle *binding_handle;
-	struct samr_Password current_nt_hash;
-	struct samr_Password previous_nt_hash;
-	struct samr_Password used_nt_hash;
+	uint8_t num_nt_hashes;
+	uint8_t idx_nt_hashes;
+	const struct samr_Password * const *nt_hashes;
+	const struct samr_Password *used_nt_hash;
 	char *srv_name_slash;
 	uint32_t current_flags;
 	struct netr_Credential client_challenge;
@@ -956,7 +958,6 @@ struct netlogon_creds_cli_auth_state {
 	bool try_auth3;
 	bool try_auth2;
 	bool require_auth2;
-	bool try_previous_nt_hash;
 	struct netlogon_creds_cli_locked_state *locked_state;
 };
 
@@ -967,8 +968,8 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
 				struct tevent_context *ev,
 				struct netlogon_creds_cli_context *context,
 				struct dcerpc_binding_handle *b,
-				struct samr_Password current_nt_hash,
-				const struct samr_Password *previous_nt_hash)
+				uint8_t num_nt_hashes,
+				const struct samr_Password * const *nt_hashes)
 {
 	struct tevent_req *req;
 	struct netlogon_creds_cli_auth_state *state;
@@ -984,12 +985,19 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
 	state->ev = ev;
 	state->context = context;
 	state->binding_handle = b;
-	state->current_nt_hash = current_nt_hash;
-	if (previous_nt_hash != NULL) {
-		state->previous_nt_hash = *previous_nt_hash;
-		state->try_previous_nt_hash = true;
+	if (num_nt_hashes < 1) {
+		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+		return tevent_req_post(req, ev);
+	}
+	if (num_nt_hashes > 4) {
+		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+		return tevent_req_post(req, ev);
 	}
 
+	state->num_nt_hashes = num_nt_hashes;
+	state->idx_nt_hashes = 0;
+	state->nt_hashes = nt_hashes;
+
 	if (context->db.locked_state != NULL) {
 		tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
 		return tevent_req_post(req, ev);
@@ -1019,7 +1027,7 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
 		state->require_auth2 = true;
 	}
 
-	state->used_nt_hash = state->current_nt_hash;
+	state->used_nt_hash = state->nt_hashes[state->idx_nt_hashes];
 	state->current_flags = context->client.proposed_flags;
 
 	if (context->db.g_ctx != NULL) {
@@ -1141,7 +1149,7 @@ static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq)
 						  state->context->client.type,
 						  &state->client_challenge,
 						  &state->server_challenge,
-						  &state->used_nt_hash,
+						  state->used_nt_hash,
 						  &state->client_credential,
 						  state->current_flags);
 	if (tevent_req_nomem(state->creds, req)) {
@@ -1283,7 +1291,8 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
 			return;
 		}
 
-		if (!state->try_previous_nt_hash) {
+		state->idx_nt_hashes += 1;
+		if (state->idx_nt_hashes >= state->num_nt_hashes) {
 			/*
 			 * we already retried, giving up...
 			 */
@@ -1294,8 +1303,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
 		/*
 		 * lets retry with the old nt hash.
 		 */
-		state->try_previous_nt_hash = false;
-		state->used_nt_hash = state->previous_nt_hash;
+		state->used_nt_hash = state->nt_hashes[state->idx_nt_hashes];
 		state->current_flags = state->context->client.proposed_flags;
 		netlogon_creds_cli_auth_challenge_start(req);
 		return;
@@ -1330,43 +1338,52 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
 	tevent_req_done(req);
 }
 
-NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req)
+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req,
+				      uint8_t *idx_nt_hashes)
 {
+	struct netlogon_creds_cli_auth_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_auth_state);
 	NTSTATUS status;
 
+	*idx_nt_hashes = 0;
+
 	if (tevent_req_is_nterror(req, &status)) {
 		tevent_req_received(req);
 		return status;
 	}
 
+	*idx_nt_hashes = state->idx_nt_hashes;
 	tevent_req_received(req);
 	return NT_STATUS_OK;
 }
 
 NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
 				 struct dcerpc_binding_handle *b,
-				 struct samr_Password current_nt_hash,
-				 const struct samr_Password *previous_nt_hash)
+				 uint8_t num_nt_hashes,
+				 const struct samr_Password * const *nt_hashes,
+				 uint8_t *idx_nt_hashes)
 {
 	TALLOC_CTX *frame = talloc_stackframe();
 	struct tevent_context *ev;
 	struct tevent_req *req;
 	NTSTATUS status = NT_STATUS_NO_MEMORY;
 
+	*idx_nt_hashes = 0;
+
 	ev = samba_tevent_context_init(frame);
 	if (ev == NULL) {
 		goto fail;
 	}
 	req = netlogon_creds_cli_auth_send(frame, ev, context, b,
-					   current_nt_hash,
-					   previous_nt_hash);
+					   num_nt_hashes, nt_hashes);


-- 
Samba Shared Repository



More information about the samba-cvs mailing list