[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Tue Jun 27 19:10:02 UTC 2017
The branch, master has been updated
via c29db05 s4:auth/ntlm: allow auth_operations to specify check_password_send/recv()
via f9388b0 s4:auth/ntlm: introduce auth_check_password_next()
via ee4ea4b s4:auth/ntlm: move auth_check_password_wrapper() further down
via 60bee9d s4:auth_winbind: rename 's' to 'state' in winbind_check_password()
via 0178206 s4:auth_winbind: remove a block nesting level and fix indentation
via 28f2039 s4:auth_winbind: fix error checking in winbind_check_password()
via b039ef4 WHATSNEW: document "client max protocol" change to SMB3_11
via 1199907 param: change the effective default for "client max protocol" to the latest supported protocol
via 006539e s3:selftest: run samba3.blackbox.smbclient_large_file (NTLM) with NT1 and SMB3
via b0d8e2b s3:test_smbclient_posix_large.sh: there's no posix test to rename to test_smbclient_large_file.sh
via f5747d7 s3:selftest: also run samba3.blackbox.smbclient_krb5 with the new ccache
via dd7ae23 s3:selftest: run samba3.blackbox.smbclient_tar* tests with NT1 and SMB3
via 2f3fc5e s3:selftest: run samba3.blackbox.large_acl tests with NT1 and SMB3
via e06d13f s3:selftest: run samba3.blackbox.inherit_owner tests with NT1 and SMB3
via ccb1848 s3:selftest: run samba3.blackbox.acl_xattr with NT1 and SMB3
via acfee20 s3:test_acl_xattr.sh: add more assertion about the expected output.
via 5c42aa8 Revert "s3:test_acl_xattr.sh: use -mNT1 for the 'getfacl' commands"
via f691afe s3:test_acl_xattr.sh: allow passing additional arguments for smbclient and smbcacls
via be036d1 s3:selftest: also run test_smbclient_s3.sh with PROTO=SMB3
via 911c3fb WHATSNEW: document the new smbclient banner
via e011391 s3:libsmb: remove unused 'bool show_hdr' from cli_cm_open()
via b92a669 s3:libsmb: remove unused 'bool show_hdr' from cli_cm_connect()
via 011d63f s3:libsmb: remove unused show_sessetup handling from do_connect()
via 5a794ec s3:smbclient: remove unreliable Domain=[...] OS=[Windows 6.1] Server=[...] banner
via 1723090 s3:test_smbclient_s3.sh: improve the error handling
via 205fe4d s3:smb2_create: remove unused timer pointer from smbd_smb2_create_state
via 02146ea s3:smb2_create: avoid reusing the 'tevent_req' within smbd_smb2_create_send()
via 5d99f9b auth/credentials: remove unused smb_krb5_create_salt_principal()
via 3e33fb8 auth/credentials: make use of smb_krb5_salt_principal() in cli_credentials_get_keytab()
via 3ffaf5f s4:password_hash: make use of smb_krb5_salt_principal() and smb_krb5_salt_principal2data()
via 9530284 selftest:Samba3: call "net primarytrust dumpinfo" setup_nt4_member() after the join
via f513c20 s3:secrets: remove unused secrets_store_[prev_]machine_password()
via b874dc9 s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
via 4ae6a3f net: make use of secrets_*_password_change() for "net changesecretpw"
via 40c42af s3:trusts_util: make use the workstation password change more robust
via c3ad8be s3:libnet: make use of secrets_store_JoinCtx()
via c7c17d9 net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust
via 5f0038f s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials
via a59c9cb secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts
via 28ac105 netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension
via 6027447 netlogon.idl: make netr_TrustFlags [public]
via ea07988 lsa.idl: make lsa_DnsDomainInfo [public]
via d60404b s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()
via 0f5945a libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()
via 1b48c85 libcli/auth: add const to set_pw_in_buffer()
via ddd7ac6 libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
via 1421abf s3:trusts_util: pass dcname to trust_pw_change()
via bfe35ab s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()
via dfaadc8 s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key
via cf8a464 s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too
via 5bc2764 s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables
via 5b95cb7 s3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()
via 45eea32 s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value
via c5ded11 s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()
via fde4af1 s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys
via cd1e888 s3:secrets: rename secrets_delete() to secrets_delete_entry()
via 4e37d78 s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()
via 9901368 s3:secrets: add some const to secrets_store_domain_guid()
via d37e30c s3:secrets: split out a domain_guid_keystr() function
via 072dd87 s3:secrets: rework des_salt_key() to take the realm as argument
via 504b446 s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
via 1a26805 s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
via b0928a2 s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
via 51ae7b4 s3:libnet: make use of kerberos_secrets_fetch_salt_princ()
via 1d1cf97 s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()
via 5fe939e s3:libads: provide a simpler kerberos_fetch_salt_princ() function
via 487b471 s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
via 7d2eea3 s3:libnet_join: move kerberos_secrets_store_des_salt() to libnet_join_joindomain_store_secrets()
via a922e01 s3:libnet_join: move libnet_join_joindomain_store_secrets() to libnet_join_post_processing()
via 559de1e s3:libnet_join: call do_JoinConfig() after we did remote changes on the server
via 0ab7944 s3:libnet_join: split libnet_join_post_processing_ads() into modify/sync
via 0c65d5f s3:libnet_join: move kerberos_secrets_store_des_salt() out of libnet_join_derive_salting_principal()
via 549c9d9 s3:libnet_join: remember r->out.krb5_salt in libnet_join_derive_salting_principal()
via 3b13e4d s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx
via fc2bad0 s3:libnet_join: remember the domain_guid for AD domains
via 03e455f s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx
via 826223c s3:libnet_join: calculate r->out.account_name in libnet_join_pre_processing()
via 5958c67 s3:libnet_join: remove dead code from libnet_join_connect_ads()
via ec2da94 krb5_wrap: add smb_krb5_salt_principal2data()
via 5df4670 krb5_wrap: add smb_krb5_salt_principal()
via c56043a s3:libads: remove unused kerberos_secrets_store_salting_principal()
via 4260b52 s3:librpc: let NDR_SECRETS depend on NDR_SECURITY
via 969ab12 idl_types.h: add NDR_SECRET shortcut
via 32aa3a1 librpc/ndr: add LIBNDR_FLAG_IS_SECRET handling
via 91d8272 librpc/ndr: align the definition of LIBNDR_STRING_FLAGS with currently defined flags
via 81bbfb0 pidl:NDR/Parser: add missing {start,end}_flags() to ParseElementPrint()
via 295c9f7 s3:smbd: unimplement FSCTL_VALIDATE_NEGOTIATE_INFO with "server max protocol = SMB2_02"
via 94b9b68 selftest: run nt4_dc_schannel with 'server max protocol = SMB2_02'
via 89117b0 s3:selftest: run test_smbclient_basic.sh against nt4_dc_schannel with various protocols
via 26fb635 s3:test_smbclient_basic.sh: make use of $incdir/common_test_fns.inc
via 1951634 s3:test_smbclient_basic.sh: make use of $ADDARGS
via a9780a2 s3:gse_krb5: fix a possible crash in fill_mem_keytab_from_system_keytab()
via a075b7f s4-netlogon: Escape user-supplied computer name in Bad credentials log line
via d9a1d57 s4-netlogon: Provide logs for machine account success and failures
via 1bd627b smbtorture: Add more tests around NETLOGON challenge reuse
via 38033ed s3:tests: Add blackbox test for 'net usershare'
via 0df6ecf s3:param: Allow to add usershare if uid_wrapper is loaded
via 4f5cfe2 s3:tests: Do not delete the contets of LOCAL_PATH with tarmode test
from eedebe2 docs-xml: Sort input file list
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit c29db055a7052c25c9d4d1adfe1afff5c32f65ec
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 17 00:05:22 2017 +0200
s4:auth/ntlm: allow auth_operations to specify check_password_send/recv()
This prepares real async handling in the backends.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Jun 27 21:09:08 CEST 2017 on sn-devel-144
commit f9388b0ec7bbdb0df1f5a0b8a71532dc4e47fd17
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 17 00:05:22 2017 +0200
s4:auth/ntlm: introduce auth_check_password_next()
This prepares real async handling in the backends.
Check with git show -w.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit ee4ea4b99cd7977cd388fe375e23468f927fa41d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 16 22:46:27 2017 +0200
s4:auth/ntlm: move auth_check_password_wrapper() further down
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 60bee9d118a3d05e1415223aafd612904b9e869a
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 17 00:29:25 2017 +0200
s4:auth_winbind: rename 's' to 'state' in winbind_check_password()
This prepares the conversion to winbind_check_password_send/recv()
where the internal state is called 'winbind_check_password_state'
as 'state'.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 0178206fecb69dd0e7b3c93ab9bfc9c5d8b59563
Author: Ralph Boehme <slow at samba.org>
Date: Tue Jun 27 12:09:41 2017 +0200
s4:auth_winbind: remove a block nesting level and fix indentation
The previous commit removed the condition from the block. No change in
behaviour, best viewed with git show -w.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 28f2039886870a1f2f0eba7dd7420d08a479cf97
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 17 00:26:18 2017 +0200
s4:auth_winbind: fix error checking in winbind_check_password()
We need to handle every error instead of just NT_STATUS_NO_SUCH_USER,
the callers also don't require NT_STATUS_NOT_IMPLEMENTED anymore.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b039ef422444144c52194f030f6df92dd29bbeef
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 26 10:24:45 2017 +0200
WHATSNEW: document "client max protocol" change to SMB3_11
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1199907cbe2f003a7df6f56e6cf3878d0732344d
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 26 10:00:53 2017 +0200
param: change the effective default for "client max protocol" to the latest supported protocol
Currently it's SMB3_11.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 006539e885d8febe564078c3c7240a7f3ec6f1cc
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 26 09:48:21 2017 +0200
s3:selftest: run samba3.blackbox.smbclient_large_file (NTLM) with NT1 and SMB3
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b0d8e2bcbb083577c8034e7941ad277ff5cd3a50
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 26 09:55:34 2017 +0200
s3:test_smbclient_posix_large.sh: there's no posix test to rename to test_smbclient_large_file.sh
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f5747d7d9425529d91d0776e8a29b2b00487216b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 26 09:41:47 2017 +0200
s3:selftest: also run samba3.blackbox.smbclient_krb5 with the new ccache
There's no point in running it twice with the old ccache.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dd7ae23bac90dd1da509637d4da1b15fd094f873
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 26 09:40:08 2017 +0200
s3:selftest: run samba3.blackbox.smbclient_tar* tests with NT1 and SMB3
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2f3fc5eeedb64a536c38bfc167cfaa274b4f67b0
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 26 09:39:31 2017 +0200
s3:selftest: run samba3.blackbox.large_acl tests with NT1 and SMB3
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e06d13f7ad7504b73283adf8280a5d53533e2e0e
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 26 09:25:17 2017 +0200
s3:selftest: run samba3.blackbox.inherit_owner tests with NT1 and SMB3
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ccb18481fb8f407e9f95f756b75a1ad81d50efa9
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 26 09:34:38 2017 +0200
s3:selftest: run samba3.blackbox.acl_xattr with NT1 and SMB3
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit acfee205b6fd1695151488ed0381df99f8d1da02
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 26 09:32:54 2017 +0200
s3:test_acl_xattr.sh: add more assertion about the expected output.
We should not treat 'test "" = ""' as success.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5c42aa8b1c6f7e1a197603c5e372245c11599d83
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Jun 25 20:44:47 2017 +0200
Revert "s3:test_acl_xattr.sh: use -mNT1 for the 'getfacl' commands"
This reverts commit 4eb29ce3266a8c05047ecf33a98d1dbdbbbd63c6.
This will be passed by the caller in a following commit.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f691afecb7c956cda58192eff365f8480661f4f3
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Jun 25 19:59:46 2017 +0200
s3:test_acl_xattr.sh: allow passing additional arguments for smbclient and smbcacls
This will make it possible to test with -mNT1 as well as -mSMB3
in a following patch.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit be036d11e64bb009975ee1ac7b720c500e6899d2
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 20 09:07:44 2017 +0200
s3:selftest: also run test_smbclient_s3.sh with PROTO=SMB3
This makes sure only the "creating a bad symlink and deleting it"
is failing with -mSMB3.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 911c3fb918b3b69b0b8c0a3e4d2a4c023688da03
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 23 17:11:51 2017 +0200
WHATSNEW: document the new smbclient banner
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e0113918c51cb636c49a23fe0f502000ab5acfa7
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 23 17:03:05 2017 +0200
s3:libsmb: remove unused 'bool show_hdr' from cli_cm_open()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b92a669b4b8f2cdecf2df2182acb908342509551
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 23 17:03:05 2017 +0200
s3:libsmb: remove unused 'bool show_hdr' from cli_cm_connect()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 011d63f4a89194c2c2b33faea773562483d06dcd
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 23 17:03:05 2017 +0200
s3:libsmb: remove unused show_sessetup handling from do_connect()
All callers pass in 'false'.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5a794ece3d2c5b8dbb5d6e71ad25784a370230d4
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 23 16:58:42 2017 +0200
s3:smbclient: remove unreliable Domain=[...] OS=[Windows 6.1] Server=[...] banner
On interactive sessions we print the following instead now:
Try "help" do get a list of possible commands.
smb: >
The reason for this is that we don't get this information via SMB2
and we only get the domain name via some layering violations
from the NTLMSSP state.
It's better to remove this consistently for all SMB and auth
protocol combinations.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1723090d63fd5a48fb5f2b3a281b99f097b2368d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 23 16:33:04 2017 +0200
s3:test_smbclient_s3.sh: improve the error handling
We should directly return if we hit an error.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 205fe4db8aabfe853dbf9fe32c903df822523a81
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 9 18:22:19 2017 +0200
s3:smb2_create: remove unused timer pointer from smbd_smb2_create_state
This finishes commits 4e4376164bafbd3a883b6ce8033dcd714f971d51
and 8da5a0f1e33a85281610700b58b534bc985894f0.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 02146ea5ee729de0e49ecf617e6983f4e61fbe59
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 9 12:30:33 2017 +0200
s3:smb2_create: avoid reusing the 'tevent_req' within smbd_smb2_create_send()
As the caller ("smbd_smb2_request_process_create()") already sets the callback,
the first time, it's not safe to reuse the tevent_req structure.
The typical 'tevent_req_nterror(); return tevent_req_post()' will
crash as the tevent_req_nterror() already triggered the former callback,
which calls smbd_smb2_create_recv(), where tevent_req_received() invalidates
the tevent_req structure, so that tevent_req_post() will crash.
We just remember the required values from the old state
and move them to the new state.
We tried to write reproducers for this, but sadly weren't able to trigger
the backtrace we had from a create a customer (using recent code)
with commit 6beba782f1bf951236813e0b46115b8102212c03
included. And this patch fixed the situation for the
customer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12832
Pair-Programmed-With: Volker Lendecke <vl at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
commit 5d99f9bb6229bc7c3537796d9d2e71cdb79a7820
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 10:54:06 2017 +0200
auth/credentials: remove unused smb_krb5_create_salt_principal()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3e33fb8a3760dba2f25f661bd775a9bdddee8465
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 10:50:34 2017 +0200
auth/credentials: make use of smb_krb5_salt_principal() in cli_credentials_get_keytab()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3ffaf5f3fcbc77a3e2664ad5e9467e938b32b741
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 11:37:25 2017 +0200
s4:password_hash: make use of smb_krb5_salt_principal() and smb_krb5_salt_principal2data()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 9530284383f252efd64bfdf138579964c6500eba
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 22 15:30:56 2017 +0200
selftest:Samba3: call "net primarytrust dumpinfo" setup_nt4_member() after the join
Here we check that we get 'REDACTED SECRET VALUES' printed, in order
to avoid regression on the non '-f' behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit f513c20ee04fe896900c99ae804753d445414d7d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue May 23 17:42:09 2017 +0200
s3:secrets: remove unused secrets_store_[prev_]machine_password()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b874dc90c91dd41c35e99bf7c4fe04220465edca
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue May 23 17:41:34 2017 +0200
s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 4ae6a3ffb233c9b9576a3b5bb15a51ee56e4dbc3
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue May 23 17:29:31 2017 +0200
net: make use of secrets_*_password_change() for "net changesecretpw"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 40c42af11fda062fef9df96a9b5ae3e02709f07c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 20:47:17 2017 +0200
s3:trusts_util: make use the workstation password change more robust
We use secrets_{prepare,failed,defer,finish}_password_change() to make
the process more robust.
Even if we just verified the current password with the DC
it can still happen that the remote password change will fail.
If a server has the RefusePasswordChange=1 under
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,
it will reject NetrServerPasswordSet2() with NT_STATUS_WRONG_PASSWORD.
This results in a successful local change, but a failing remote change,
which means the domain membership is broken (as we don't fall back to
the previous password for ntlmssp nor kerberos yet).
An (at least Samba) RODC will also reject a password change,
see https://bugzilla.samba.org/show_bug.cgi?id=12773.
Even with this change we still have open problems, e.g. if the password was
changed, but we didn't get the server's response. In order to fix that we need
to use only netlogon and lsa over unprotected transports, just using schannel
authentication (which supports the fallback to the old password).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c3ad8be5d5192070c599350d6ab28c064206b6cf
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 10:29:59 2017 +0200
s3:libnet: make use of secrets_store_JoinCtx()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c7c17d9f503d6037aa8ed0bd7ab7cf52f5f28382
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 24 18:05:40 2017 +0200
net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5f0038fba612afd7fc15b7ab321df979891170d8
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 16:28:17 2017 +0200
s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials
We now store various hashed keys at change time and maintain a lot of details
that will help debugging failed password changes.
We keep storing the legacy values:
SECRETS/SID/
SECRETS/DOMGUID/
SECRETS/MACHINE_LAST_CHANGE_TIME/
SECRETS/MACHINE_PASSWORD/
SECRETS/MACHINE_PASSWORD.PREV/
SECRETS/SALTING_PRINCIPAL/DES/
This allows downgrades to older Samba versions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a59c9cba31a801d90db06b767cfd44776f4ede77
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 10:11:18 2017 +0200
secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts
This blob will be stored in secrets.tdb. It makes it possible to store much
more useful details about the workstation trust.
The key feature that triggered this change is the ability
to store details for the next password change before doing
the remote change. This will allow us to recover from failures.
While being there I also thought about possible new features,
which we may implement in the near future.
We also store the raw UTF16 like cleartext buffer as well as derived
keys like the NTHASH (arcfour-hmac-md5 key) and other kerberos keys.
This will allow us to avoid recalculating the keys for an in memory
keytab in future.
I also added a pointer to an optional lsa_ForestTrustInformation structure,
which might be useful to implement multi-tenancy in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 28ac10503476de3c000b3deee2c1f67e0b305578
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 10:09:01 2017 +0200
netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 60274475332dafdfb829a7c086ea09cd9ed00540
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 11:35:37 2017 +0200
netlogon.idl: make netr_TrustFlags [public]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ea0798881a7aaf5897a3a3806149536d3d54fc3b
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 11:35:20 2017 +0200
lsa.idl: make lsa_DnsDomainInfo [public]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d60404b032eca5384d889352f52b9b129861b4af
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jun 21 21:30:39 2017 +0200
s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()
Even in the case where only the password is known to the server, we should
try to leave a valid authentication behind.
We have better ways to identify which password worked than only using
the current one.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0f5945a06df4bef501ca5085c621294057007225
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 13 11:18:37 2017 +0200
libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1b48c8515ed8fd29204c82cc47f958f4636cd494
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 13 11:17:03 2017 +0200
libcli/auth: add const to set_pw_in_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ddd7ac68ccae8b4df6c6a65b3dad20e21924f538
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 20:44:40 2017 +0200
libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
This way the caller can pass more than 2 hashes and can only
know which hash was used for a successful connection.
We allow up to 4 hashes (next, current, old, older).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1421abfc733247a6b71eefd819dfeae7151a6d78
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 15:36:29 2017 +0200
s3:trusts_util: pass dcname to trust_pw_change()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit bfe35abc1fb15e70a99fa74d064051a1ad541ed0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 24 05:56:32 2017 +0200
s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()
We just want all values to be removed at the end, it doesn't matter
if they didn't exist before.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit dfaadc81925e313901c9b30cd98a4b4fd2404f9d
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:44:31 2017 +0200
s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit cf8a4646fe71a974b6a5ee13ae7d7751a5a0adc9
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:40:05 2017 +0200
s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5bc2764fe517748c03a57b61f2f7ef889c92825d
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:31:01 2017 +0200
s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5b95cb74e7b2838d228f9773c0e20982b81d1e7d
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 24 06:44:32 2017 +0200
s3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 45eea321a6faa6db1c9c706a27527cc0766dc831
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:27:45 2017 +0200
s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c5ded1123797b2bd152b0989e24eba7cae6a5792
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:21:37 2017 +0200
s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit fde4af1c329655d7ef3f55727632b3f026a3ea73
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:21:37 2017 +0200
s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit cd1e888773c4fd3db63ce38a496fc3d54eb8e021
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 20 13:07:15 2017 +0200
s3:secrets: rename secrets_delete() to secrets_delete_entry()
secrets_delete_entry() fails if the key doesn't exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 4e37d7805b345d80ca6e8a598e39fc81f72a27ce
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:18:33 2017 +0200
s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 99013685a1114829579e420df3625ed79eb7ee94
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jun 21 19:38:15 2017 +0200
s3:secrets: add some const to secrets_store_domain_guid()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d37e30cef7906b7b2b14351ad81d0d884811557b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 12:10:45 2017 +0200
s3:secrets: split out a domain_guid_keystr() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 072dd87e639d7dbfc583ede5ddf6559d9d433b8b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 22 11:38:12 2017 +0200
s3:secrets: rework des_salt_key() to take the realm as argument
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 504b446d8dc7410ad63eba9d214e9cf271cf3b2f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 17:17:00 2017 +0200
s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
These don't use any krb5_context related functions and they just
work on secrets.tdb, so they really belong to machine_account_secrets.c.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1a26805ad9f19f02a52d9eaa4f2f11ff20ee76ac
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 17:09:20 2017 +0200
s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b0928a2687a9ffe92ebdce7b5252781d62e7e02d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 17:08:24 2017 +0200
s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 51ae7b42d4d52016b39b79447a3e28d473e676cb
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 17:04:36 2017 +0200
s3:libnet: make use of kerberos_secrets_fetch_salt_princ()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1d1cf9792f9227e65857c85ff66a961331e3c16e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 16:28:42 2017 +0200
s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5fe939e32cdaf7bb5b6dac67e7b0118ce65846be
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 16:15:34 2017 +0200
s3:libads: provide a simpler kerberos_fetch_salt_princ() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 487b4717b58a6f1ba913708ce8419145b7f4fac8
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 19 16:01:55 2017 +0200
s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
The handling for per encryption type salts was removed in
Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone
has such an installation that got constantly upgraded over 10 years
with an automatic password change nor rejoin. It also means
that the KDC only has salt-less arcfour-hmac-md5 key together
with the salted des keys. So there would only be a problem
if the client would try to use a des key to contact the smb server.
Having this legacy code adds quite some complexity for no
good reason.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 7d2eea39112fd69d2b710181b23301562efea387
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 16:02:44 2017 +0200
s3:libnet_join: move kerberos_secrets_store_des_salt() to libnet_join_joindomain_store_secrets()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a922e01baeccedc3ffc8a893f1d6072bb203220f
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 15:59:00 2017 +0200
s3:libnet_join: move libnet_join_joindomain_store_secrets() to libnet_join_post_processing()
We should not store the secrets before we did all remote changes
(except the optional dns updates).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 559de1e7236fd4a38f2a1f9980216db95d0430ce
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 15:52:59 2017 +0200
s3:libnet_join: call do_JoinConfig() after we did remote changes on the server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0ab7944a2b00df4aa155a239c86f97e4e731b864
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 15:50:49 2017 +0200
s3:libnet_join: split libnet_join_post_processing_ads() into modify/sync
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0c65d5f41023076fd201c3a179df77dd615cdb01
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 15:48:49 2017 +0200
s3:libnet_join: move kerberos_secrets_store_des_salt() out of libnet_join_derive_salting_principal()
We should separate the calculation and the storing steps.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 549c9d9a07d3002442cbbb7a90d0a7fef4a92bff
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 15:40:25 2017 +0200
s3:libnet_join: remember r->out.krb5_salt in libnet_join_derive_salting_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3b13e4d2d0f73c6374ffdae57528cd1a7f333792
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 15:38:26 2017 +0200
s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit fc2bad0cf34fca5e65fba7e036acf1d8c61f05c0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 15:45:22 2017 +0200
s3:libnet_join: remember the domain_guid for AD domains
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 03e455f5a815ce2134e216dc28929646a964384f
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 15:45:22 2017 +0200
s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 826223cc8d36871c2bcb37fe23241f1dbe99a0db
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 13:53:19 2017 +0200
s3:libnet_join: calculate r->out.account_name in libnet_join_pre_processing()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5958c6790fbceb39065353c07fe25f74ddf09ef0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 12:42:04 2017 +0200
s3:libnet_join: remove dead code from libnet_join_connect_ads()
username[strlen(username)] is *always* '\0'!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ec2da944d304852d76137e8f9d234462bc807c6b
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu May 18 11:32:46 2017 +0200
krb5_wrap: add smb_krb5_salt_principal2data()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5df46700cfb0a15fec2d366e12728cd497188741
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 17:13:02 2017 +0200
krb5_wrap: add smb_krb5_salt_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c56043a94a10c76a220ce3c7eb7cb8cf2e992cab
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 16:13:37 2017 +0200
s3:libads: remove unused kerberos_secrets_store_salting_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 4260b52a399667bcdbaa375a20952237ff68449c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 17 15:05:51 2017 +0200
s3:librpc: let NDR_SECRETS depend on NDR_SECURITY
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 969ab12c56cd12dcc0e63e9b662397c1604a0cc0
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 12 17:58:46 2017 +0200
idl_types.h: add NDR_SECRET shortcut
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 32aa3a199dfd61eb5982e158008964b4747599b8
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 12 17:58:20 2017 +0200
librpc/ndr: add LIBNDR_FLAG_IS_SECRET handling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 91d8272e8604b5d87bcc0ce365b553bc760c8ed3
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 12 15:22:42 2017 +0200
librpc/ndr: align the definition of LIBNDR_STRING_FLAGS with currently defined flags
The range included the unused (1<<14) before.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 81bbfb010599b65308aca89cc50532372ca4cb00
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 12 18:58:49 2017 +0200
pidl:NDR/Parser: add missing {start,end}_flags() to ParseElementPrint()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 295c9f7b322e6377d0df1b49cb26597d66e80eda
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 5 18:49:37 2017 +0200
s3:smbd: unimplement FSCTL_VALIDATE_NEGOTIATE_INFO with "server max protocol = SMB2_02"
A client that supports SMB3 will do a signed FSCTL_VALIDATE_NEGOTIATE_INFO
after a tree connect. This FSCTL_VALIDATE_NEGOTIATE_INFO call contains
the client capabilities, client guid, security mode and the array of supported
dialects. But if SMB 2.02 is negotiated the client doesn't send these values to the
server in the first connection attempt (when the client starts with a SMB1 Negotiate).
Windows servers that only support SMB2 just return NT_STATUS_FILE_CLOSED
as answer to FSCTL_VALIDATE_NEGOTIATE_INFO.
We should do the same if we just pretend to support SMB 2.02,
as SMB 2.10 always includes an SMB2 Negotiate request we can leave it as is.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12772
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 94b9b6832c83137db10d04dbfec071a7df7b91c1
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 26 12:10:40 2017 +0200
selftest: run nt4_dc_schannel with 'server max protocol = SMB2_02'
This reproduces the problem with trying to implement
FSCTL_VALIDATE_NEGOTIATE_INFO as SMB2_02 server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12772
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 89117b0bf2d0b8d2c42bcf1dbd33c7c2e6b0e16d
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 26 10:52:04 2017 +0200
s3:selftest: run test_smbclient_basic.sh against nt4_dc_schannel with various protocols
This prepared a reproducer for bug #12772
'Clients with SMB3 support can't connect with "server max protocol = SMB2_02"'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12772
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 26fb6350fa82dfd61a3246bf822558885f8d37da
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 26 11:56:40 2017 +0200
s3:test_smbclient_basic.sh: make use of $incdir/common_test_fns.inc
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1951634ced9d8e44c6543ff0609ebc59313db8c9
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 26 10:40:50 2017 +0200
s3:test_smbclient_basic.sh: make use of $ADDARGS
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a9780a2eaa9cba4ab87cc3371d97fa494fa0198c
Author: Michael Saxl <mike at mwsys.mine.bz>
Date: Sat Jun 24 13:41:48 2017 +0200
s3:gse_krb5: fix a possible crash in fill_mem_keytab_from_system_keytab()
If the keytab file isn't readable, we may call
krb5_kt_end_seq_get() with an invalid kt_cursor.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10490
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Michael Saxl <mike at mwsys.mine.bz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a075b7f8ddc8bd4cd63f9dfb6759bc41c2c9362d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jun 26 19:25:05 2017 +1200
s4-netlogon: Escape user-supplied computer name in Bad credentials log line
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d9a1d572c2bb8cb04bd7c823f191e09696283f33
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jun 26 19:24:40 2017 +1200
s4-netlogon: Provide logs for machine account success and failures
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 1bd627b1fc37ca676e2f35d63c6d94826b383148
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jun 26 16:40:45 2017 +1200
smbtorture: Add more tests around NETLOGON challenge reuse
The existing tests did not actually demonstrate what they
thought they did until the credential values were refreshed.
The new test showed this, because Samba fails it (windows passes)
due to the way we keep the last challenge on the connection.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 38033ed1d2df96c0c304f21b4cabef232640cf3d
Author: Andreas Schneider <asn at samba.org>
Date: Thu Jun 22 14:17:07 2017 +0200
s3:tests: Add blackbox test for 'net usershare'
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 0df6ecf2fabf7bc4b29688d200274acb81cad0db
Author: Andreas Schneider <asn at samba.org>
Date: Thu Jun 22 16:13:12 2017 +0200
s3:param: Allow to add usershare if uid_wrapper is loaded
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 4f5cfe2713294462b9dc68afbec2ea2c72230885
Author: Andreas Schneider <asn at samba.org>
Date: Mon Jun 26 23:18:30 2017 +0200
s3:tests: Do not delete the contents of LOCAL_PATH with tarmode test
The test_smbclient_tarmode.pl test operates on $LOCAL_PATH by default
and removes everything. So it deletes all precreated files and
directories which the setup_fileserver() function initially set up.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12867
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 37 +-
auth/credentials/credentials_krb5.c | 113 +-
docs-xml/smbdotconf/protocol/clientmaxprotocol.xml | 2 +-
lib/krb5_wrap/krb5_samba.c | 187 +++
lib/krb5_wrap/krb5_samba.h | 10 +
lib/param/loadparm.c | 2 +-
libcli/auth/netlogon_creds_cli.c | 78 +-
libcli/auth/netlogon_creds_cli.h | 16 +-
libcli/auth/proto.h | 2 +-
libcli/auth/smbencrypt.c | 2 +-
librpc/idl/idl_types.h | 6 +
librpc/idl/lsa.idl | 2 +-
librpc/idl/netlogon.idl | 6 +-
librpc/ndr/libndr.h | 24 +-
librpc/ndr/ndr.c | 23 +
librpc/ndr/ndr_basic.c | 44 +
pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 4 +
selftest/knownfail.d/netlogon | 4 +
selftest/knownfail.d/smbclient-smb3 | 5 +
selftest/target/Samba3.pm | 30 +
source3/client/client.c | 12 +-
source3/include/proto.h | 1 +
source3/include/secrets.h | 38 +-
source3/lib/netapi/cm.c | 2 +-
source3/libads/kerberos.c | 200 ---
source3/libads/kerberos_keytab.c | 14 +-
source3/libads/kerberos_proto.h | 8 -
source3/libads/util.c | 106 +-
source3/libnet/libnet_join.c | 127 +-
source3/libnet/libnet_keytab.c | 5 +-
source3/librpc/crypto/gse_krb5.c | 48 +-
source3/librpc/idl/libnet_join.idl | 4 +-
source3/librpc/idl/secrets.idl | 92 +-
source3/librpc/wscript_build | 2 +-
source3/libsmb/clidfs.c | 19 +-
source3/libsmb/proto.h | 1 -
source3/libsmb/trusts_util.c | 276 +++-
source3/param/loadparm.c | 21 +-
source3/passdb/machine_account_secrets.c | 1661 ++++++++++++++++++--
source3/passdb/secrets.c | 25 +-
source3/passdb/secrets_lsa.c | 2 +-
source3/rpc_client/cli_netlogon.c | 15 +-
source3/rpcclient/cmd_netlogon.c | 2 +
source3/script/tests/test_acl_xattr.sh | 26 +-
source3/script/tests/test_net_usershare.sh | 82 +
source3/script/tests/test_smbclient_basic.sh | 25 +-
...posix_large.sh => test_smbclient_large_file.sh} | 0
source3/script/tests/test_smbclient_s3.sh | 319 ++--
source3/script/tests/test_smbclient_tarmode.sh | 10 +-
source3/selftest/tests.py | 70 +-
source3/smbd/smb2_create.c | 48 +-
source3/smbd/smb2_ioctl_network_fs.c | 17 +
source3/utils/net.c | 142 +-
source3/utils/net_rpc.c | 8 +
source3/winbindd/winbindd_dual.c | 1 +
source3/winbindd/winbindd_dual_srv.c | 2 +
source4/auth/auth.h | 9 +-
source4/auth/ntlm/auth.c | 216 ++-
source4/auth/ntlm/auth_winbind.c | 94 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 78 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 37 +-
source4/rpc_server/wscript_build | 3 +-
source4/torture/rpc/netlogon.c | 237 +++
63 files changed, 3595 insertions(+), 1107 deletions(-)
create mode 100644 selftest/knownfail.d/netlogon
create mode 100644 selftest/knownfail.d/smbclient-smb3
create mode 100755 source3/script/tests/test_net_usershare.sh
rename source3/script/tests/{test_smbclient_posix_large.sh => test_smbclient_large_file.sh} (100%)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index cca7e0b..e8fbecb 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -12,6 +12,35 @@ Samba 4.7 will be the next version of the Samba suite.
UPGRADING
=========
+smbclient changes
+-----------------
+
+smbclient no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]'
+banner when connecting to the first server. With SMB2 and Kerberos
+there's no way to print this information reliable. Now we avoid it at all
+consistently. In interactive session the following banner is now presented
+to the user: 'Try "help" do get a list of possible commands.'.
+
+The default for "client max protocol" has changed to "SMB3_11",
+which means that smbclient (and related commands) will work against
+servers without SMB1 support.
+
+It's possible to use the '-m/--max-protocol' option to overwrite
+the "client max protocol" option temporary.
+
+Note that the '-e/--encrypt' option also works with most SMB3 servers
+(e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions
+are not required for encryption.
+
+The change to SMB3_11 as default also means smbclient no longer
+negotiates SMB1 unix extensions by default, when talking to a Samba server with
+"unix extensions = yes". As a result some commands are not available, e.g.
+posix_encrypt, posix_open, posix_mkdir, posix_rmdir, posix_unlink, posix_whoami,
+getfacl and symlink. Using "-mNT1" reenabled them, if the server supports SMB1.
+
+Note the default ("CORE") for "client min protocol" hasn't changed,
+so it's still possible to connect to SMB1-only servers by default.
+
NEW FEATURES/CHANGES
====================
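Review bot: The new "smbclient changes" text has several wording slips that will ship in the release notes. "reliable" should be "reliably", the quoted banner reads 'Try "help" do get a list' where "to get" is presumably meant (it should match the string smbclient actually prints), "temporary" should be "temporarily", and 'Using "-mNT1" reenabled them' should be "reenables them". "Now we avoid it at all consistently" is also hard to parse; something like "It is now consistently omitted" would be clearer.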
@@ -127,15 +156,17 @@ smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
- allow unsafe cluster upgrade New parameter no
+ allow unsafe cluster upgrade New parameter no
auth event notification New parameter no
auth methods Deprecated
+ client max protocol Effective SMB3_11
+ default changed
map untrusted to domain New value/ auto
Default changed/
Deprecated
- mit kdc command New parameter
+ mit kdc command New parameter
profile acls Deprecated
- rpc server dynamic port range New parameter 49152-65535
+ rpc server dynamic port range New parameter 49152-65535
strict sync Default changed yes
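Review bot: Three rows of the smb.conf table (allow unsafe cluster upgrade, mit kdc command, rpc server dynamic port range) are removed and re-added with no visible difference, which suggests whitespace-only realignment mixed into a documentation change. Either drop those rows from this commit or mention the realignment in the commit message, so that the one real addition, the "client max protocol" row, is easy to spot.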
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 6544e42..b88497d 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -953,83 +953,6 @@ _PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ct
return dst;
}
-static int smb_krb5_create_salt_principal(TALLOC_CTX *mem_ctx,
- const char *samAccountName,
- const char *realm,
- const char **salt_principal,
- const char **error_string)
-{
- char *machine_username;
- bool is_machine_account = false;
- char *upper_realm;
- TALLOC_CTX *tmp_ctx;
- int rc = -1;
-
- if (samAccountName == NULL) {
- *error_string = "Cannot determine salt principal, no "
- "saltPrincipal or samAccountName specified";
- return rc;
- }
-
- if (realm == NULL) {
- *error_string = "Cannot make principal without a realm";
- return rc;
- }
-
- tmp_ctx = talloc_new(mem_ctx);
- if (tmp_ctx == NULL) {
- *error_string = "Cannot allocate talloc context";
- return rc;
- }
-
- upper_realm = strupper_talloc(tmp_ctx, realm);
- if (upper_realm == NULL) {
- *error_string = "Cannot allocate to upper case realm";
- goto out;
- }
-
- machine_username = strlower_talloc(tmp_ctx, samAccountName);
- if (!machine_username) {
- *error_string = "Cannot duplicate samAccountName";
- goto out;
- }
-
- if (machine_username[strlen(machine_username) - 1] == '$') {
- machine_username[strlen(machine_username) - 1] = '\0';
- is_machine_account = true;
- }
-
- if (is_machine_account) {
- char *lower_realm;
-
- lower_realm = strlower_talloc(tmp_ctx, realm);
- if (lower_realm == NULL) {
- *error_string = "Cannot allocate to lower case realm";
- goto out;
- }
-
- *salt_principal = talloc_asprintf(mem_ctx,
- "host/%s.%s@%s",
- machine_username,
- lower_realm,
- upper_realm);
- } else {
- *salt_principal = talloc_asprintf(mem_ctx,
- "%s@%s",
- machine_username,
- upper_realm);
- }
- if (*salt_principal == NULL) {
- *error_string = "Cannot create salt principal";
- goto out;
- }
-
- rc = 0;
-out:
- talloc_free(tmp_ctx);
- return rc;
-}
-
/* Get the keytab (actually, a container containing the krb5_keytab)
* attached to this context. If this hasn't been done or set before,
* it will be generated from the password.
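Review bot: The removed smb_krb5_create_salt_principal() lowercased the account name in both branches (machine_username = strlower_talloc(tmp_ctx, samAccountName)) before formatting "%s@%s", while the replacement smb_krb5_salt_principal() in lib/krb5_wrap/krb5_samba.c lowercases only in the is_computer branch and uses sAMAccountName or the userPrincipalName prefix unchanged otherwise. That changes the salt, and therefore the derived keys, for non-computer accounts whose name contains upper-case characters; the commit message should say that this is intended. The per-failure error_string texts are also dropped in favour of bare EINVAL/ENOMEM, so a caller can no longer tell which input was missing.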
@@ -1045,9 +968,10 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
krb5_keytab keytab;
TALLOC_CTX *mem_ctx;
const char *username = cli_credentials_get_username(cred);
+ const char *upn = NULL;
const char *realm = cli_credentials_get_realm(cred);
- const char *error_string;
- const char *salt_principal;
+ char *salt_principal = NULL;
+ bool is_computer = false;
if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
cred->username_obtained))) {
@@ -1070,16 +994,27 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
return ENOMEM;
}
- /*
- * FIXME: Currently there is no better way than to create the correct
- * salt principal by checking if the username ends with a '$'. It would
- * be better if it is part of the credentials.
- */
- ret = smb_krb5_create_salt_principal(mem_ctx,
- username,
- realm,
- &salt_principal,
- &error_string);
+ switch (cred->secure_channel_type) {
+ case SEC_CHAN_WKSTA:
+ case SEC_CHAN_BDC:
+ case SEC_CHAN_RODC:
+ is_computer = true;
+ break;
+ default:
+ upn = cli_credentials_get_principal(cred, mem_ctx);
+ if (upn == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return ENOMEM;
+ }
+ break;
+ }
+
+ ret = smb_krb5_salt_principal(realm,
+ username, /* sAMAccountName */
+ upn, /* userPrincipalName */
+ is_computer,
+ mem_ctx,
+ &salt_principal);
if (ret) {
talloc_free(mem_ctx);
return ret;
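Review bot: is_computer is now derived only from cred->secure_channel_type, so credentials that carry a machine account name ending in '$' but never had a secure channel type set fall into the default branch and get a user-style salt principal instead of the host/... form that the removed '$' check produced. Please confirm that every caller relying on cli_credentials_get_keytab() for a machine account sets SEC_CHAN_WKSTA, SEC_CHAN_BDC or SEC_CHAN_RODC, or keep a fallback. In the same default branch a NULL from cli_credentials_get_principal() is reported as ENOMEM although smb_krb5_salt_principal() documents userPrincipalName as optional; a short comment on why NULL can only mean allocation failure here would help.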
diff --git a/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml b/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
index 0131331..eba18bf 100644
--- a/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
+++ b/docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
@@ -79,7 +79,7 @@
negotiation phase in the SMB protocol takes care of choosing
the appropriate protocol.</para>
- <para>The value <constant>default</constant> refers to <constant>NT1</constant>.</para>
+ <para>The value <constant>default</constant> refers to <constant>SMB3_11</constant>.</para>
<para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
<smbconfoption name="client ipc max protocol"/> option.</para>
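Review bot: The documentation now hard-codes SMB3_11 as the meaning of "default", but the matching change in lib/param/loadparm.c returns PROTOCOL_LATEST, so this sentence goes stale as soon as a newer dialect becomes the latest one. Consider wording it as "the latest supported protocol, currently SMB3_11".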
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 0c8b402..fcde9f5 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -422,6 +422,193 @@ int smb_krb5_get_pw_salt(krb5_context context,
#error UNKNOWN_SALT_FUNCTIONS
#endif
+/**
+ * @brief This constructs the salt principal used by active directory
+ *
+ * Most Kerberos encryption types require a salt in order to
+ * calculate the long term private key for user/computer object
+ * based on a password.
+ *
+ * The returned _salt_principal is a string in forms like this:
+ * - host/somehost.example.com at EXAMPLE.COM
+ * - SomeAccount at EXAMPLE.COM
+ * - SomePrincipal at EXAMPLE.COM
+ *
+ * This is not the form that's used as salt, it's just
+ * the human readable form. It needs to be converted by
+ * smb_krb5_salt_principal2data().
+ *
+ * @param[in] realm The realm the user/computer is added too.
+ *
+ * @param[in] sAMAccountName The sAMAccountName attribute of the object.
+ *
+ * @param[in] userPrincipalName The userPrincipalName attribute of the object
+ * or NULL is not available.
+ *
+ * @param[in] is_computer The indication of the object includes
+ * objectClass=computer.
+ *
+ * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out] _salt_principal The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal2data
+ */
+int smb_krb5_salt_principal(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ bool is_computer,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ char *upper_realm = NULL;
+ const char *principal = NULL;
+ int principal_len = 0;
+
+ *_salt_principal = NULL;
+
+ if (sAMAccountName == NULL) {
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+
+ if (realm == NULL) {
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+
+ upper_realm = strupper_talloc(frame, realm);
+ if (upper_realm == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+
+ /* Many, many thanks to lukeh at padl.com for this
+ * algorithm, described in his Nov 10 2004 mail to
+ * samba-technical at lists.samba.org */
+
+ /*
+ * Determine a salting principal
+ */
+ if (is_computer) {
+ int computer_len = 0;
+ char *tmp = NULL;
+
+ computer_len = strlen(sAMAccountName);
+ if (sAMAccountName[computer_len-1] == '$') {
+ computer_len -= 1;
+ }
+
+ tmp = talloc_asprintf(frame, "host/%*.*s.%s",
+ computer_len, computer_len,
+ sAMAccountName, realm);
+ if (tmp == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+
+ principal = strlower_talloc(frame, tmp);
+ TALLOC_FREE(tmp);
+ if (principal == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+ principal_len = strlen(principal);
+
+ } else if (userPrincipalName != NULL) {
+ char *p;
+
+ principal = userPrincipalName;
+ p = strchr(principal, '@');
+ if (p != NULL) {
+ principal_len = PTR_DIFF(p, principal);
+ } else {
+ principal_len = strlen(principal);
+ }
+ } else {
+ principal = sAMAccountName;
+ principal_len = strlen(principal);
+ }
+
+ *_salt_principal = talloc_asprintf(mem_ctx, "%*.*s@%s",
+ principal_len, principal_len,
+ principal, upper_realm);
+ if (*_salt_principal == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+
+ TALLOC_FREE(frame);
+ return 0;
+}
+
+/**
+ * @brief Converts the salt principal string into the salt data blob
+ *
+ * This function takes a salt_principal as string in forms like this:
+ * - host/somehost.example.com at EXAMPLE.COM
+ * - SomeAccount at EXAMPLE.COM
+ * - SomePrincipal at EXAMPLE.COM
+ *
+ * It generates values like:
+ * - EXAMPLE.COMhost/somehost.example.com
+ * - EXAMPLE.COMSomeAccount
+ * - EXAMPLE.COMSomePrincipal
+ *
+ * @param[in] realm The realm the user/computer is added too.
+ *
+ * @param[in] sAMAccountName The sAMAccountName attribute of the object.
+ *
+ * @param[in] userPrincipalName The userPrincipalName attribute of the object
+ * or NULL is not available.
+ *
+ * @param[in] is_computer The indication of the object includes
+ * objectClass=computer.
+ *
+ * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out] _salt_principal The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal
+ */
+int smb_krb5_salt_principal2data(krb5_context context,
+ const char *salt_principal,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_data)
+{
+ krb5_error_code ret;
+ krb5_principal salt_princ = NULL;
+ krb5_data salt;
+
+ *_salt_data = NULL;
+
+ ret = krb5_parse_name(context, salt_principal, &salt_princ);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = smb_krb5_get_pw_salt(context, salt_princ, &salt);
+ krb5_free_principal(context, salt_princ);
+ if (ret != 0) {
+ return ret;
+ }
+
+ *_salt_data = talloc_strndup(mem_ctx,
+ (char *)salt.data,
+ salt.length);
+ smb_krb5_free_data_contents(context, &salt);
+ if (*_salt_data == NULL) {
+ return ENOMEM;
+ }
+
+ return 0;
+}
+
#if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
/**
* @brief Get a list of encryption types allowed for session keys
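Review bot: In the is_computer branch of smb_krb5_salt_principal(), sAMAccountName[computer_len-1] is read without checking that computer_len is non-zero; only NULL is rejected earlier, so an empty sAMAccountName indexes one byte before the start of the string. Return EINVAL when strlen(sAMAccountName) is 0, and consider doing the same when nothing is left after stripping the trailing '$'. Separately, the doxygen block for smb_krb5_salt_principal2data() documents realm, sAMAccountName, userPrincipalName, is_computer and _salt_principal, none of which the function takes; it should describe context, salt_principal, mem_ctx and _salt_data.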
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 6927349..315d3c3 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -350,6 +350,16 @@ krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
int smb_krb5_get_pw_salt(krb5_context context,
krb5_const_principal host_princ,
krb5_data *psalt);
+int smb_krb5_salt_principal(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ bool is_computer,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal);
+int smb_krb5_salt_principal2data(krb5_context context,
+ const char *salt_principal,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_data);
int smb_krb5_create_key_from_string(krb5_context context,
krb5_const_principal host_princ,
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 9f32d7b..3ceea50 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3401,7 +3401,7 @@ int lpcfg_client_max_protocol(struct loadparm_context *lp_ctx)
{
int client_max_protocol = lpcfg__client_max_protocol(lp_ctx);
if (client_max_protocol == PROTOCOL_DEFAULT) {
- return PROTOCOL_NT1;
+ return PROTOCOL_LATEST;
}
return client_max_protocol;
}
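Review bot: With PROTOCOL_DEFAULT now resolving to PROTOCOL_LATEST in lpcfg_client_max_protocol(), the effective client default moves whenever PROTOCOL_LATEST is redefined, without any change to this function. A short comment above the `if (client_max_protocol == PROTOCOL_DEFAULT)` branch stating that this is intentional would help the next reader, since the previous hard-coded PROTOCOL_NT1 made the default obvious at a glance.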
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index fcab814..367bf6c 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -37,6 +37,7 @@
#include "source3/include/messages.h"
#include "source3/include/g_lock.h"
#include "libds/common/roles.h"
+#include "lib/crypto/crypto.h"
struct netlogon_creds_cli_locked_state;
@@ -943,9 +944,10 @@ struct netlogon_creds_cli_auth_state {
struct tevent_context *ev;
struct netlogon_creds_cli_context *context;
struct dcerpc_binding_handle *binding_handle;
- struct samr_Password current_nt_hash;
- struct samr_Password previous_nt_hash;
- struct samr_Password used_nt_hash;
+ uint8_t num_nt_hashes;
+ uint8_t idx_nt_hashes;
+ const struct samr_Password * const *nt_hashes;
+ const struct samr_Password *used_nt_hash;
char *srv_name_slash;
uint32_t current_flags;
struct netr_Credential client_challenge;
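Review bot: nt_hashes and used_nt_hash in struct netlogon_creds_cli_auth_state are now pointers, where the removed current_nt_hash, previous_nt_hash and used_nt_hash fields held struct samr_Password by value, so the request state no longer owns a copy of the hashes. The requirement that the caller keeps the pointer array and every hash it references valid until the request completes should be written down in a comment next to these fields, or the hashes should be copied into state.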
@@ -957,7 +959,6 @@ struct netlogon_creds_cli_auth_state {
bool try_auth3;
bool try_auth2;
bool require_auth2;
- bool try_previous_nt_hash;
struct netlogon_creds_cli_locked_state *locked_state;
};
@@ -968,8 +969,8 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
- struct samr_Password current_nt_hash,
- const struct samr_Password *previous_nt_hash)
+ uint8_t num_nt_hashes,
+ const struct samr_Password * const *nt_hashes)
{
struct tevent_req *req;
struct netlogon_creds_cli_auth_state *state;
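Review bot: The new num_nt_hashes/nt_hashes parameters of netlogon_creds_cli_auth_send() drop the information that the old names current_nt_hash and previous_nt_hash carried, and nothing in the signature says in which order the hashes are expected or tried. A brief comment above the function giving the expected order and the valid range of num_nt_hashes would keep callers from guessing.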
@@ -985,12 +986,19 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
state->ev = ev;
state->context = context;
state->binding_handle = b;
- state->current_nt_hash = current_nt_hash;
- if (previous_nt_hash != NULL) {
- state->previous_nt_hash = *previous_nt_hash;
- state->try_previous_nt_hash = true;
+ if (num_nt_hashes < 1) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
--
Samba Shared Repository