[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Thu Mar 2 11:42:02 UTC 2017


The branch, master has been updated
       via  ed42d6e s3:librpc: Handle gss_min in gse_get_client_auth_token() correctly
       via  4194a67 gensec:spnego: Add debug message for the failed principal
      from  70923b7 ndr: Use resizing array instead of linked lists (breaking ABI)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ed42d6e81f6c7cf4ed78b2bc9fcdf6c9d970ca55
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Feb 27 17:18:15 2017 +0100

    s3:librpc: Handle gss_min in gse_get_client_auth_token() correctly
    
    This will make sure we correctly fall back to NTLMSSP.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12557
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Thu Mar  2 12:41:40 CET 2017 on sn-devel-144

commit 4194a67c7efcb58ef2bb7efa1d1556d5fa0ce2e0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 20 17:15:49 2017 +0100

    gensec:spnego: Add debug message for the failed principal
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12557
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/spnego.c        | 58 +++++++++++++++++++++++++++++++++++++++++----
 source3/librpc/crypto/gse.c | 46 ++++++++++++++++++++++++++++++-----
 2 files changed, 93 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 4787892..f063f7b 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -511,10 +511,34 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
 				    NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_LOGON_SERVERS) ||
 				    NT_STATUS_EQUAL(nt_status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
 				    NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
-					/* Pretend we never started it (lets the first run find some incompatible demand) */
+					const char *next = NULL;
+					const char *principal = NULL;
+					int dbg_level = DBGLVL_WARNING;
+
+					if (all_sec[i+1].op != NULL) {
+						next = all_sec[i+1].op->name;
+						dbg_level = DBGLVL_NOTICE;
+					}
+
+					if (gensec_security->target.principal != NULL) {
+						principal = gensec_security->target.principal;
+					} else if (gensec_security->target.service != NULL &&
+						   gensec_security->target.hostname != NULL)
+					{
+						principal = talloc_asprintf(spnego_state->sub_sec_security,
+									    "%s/%s",
+									    gensec_security->target.service,
+									    gensec_security->target.hostname);
+					} else {
+						principal = gensec_security->target.hostname;
+					}
+
+					DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
+							  spnego_state->sub_sec_security->ops->name,
+							  principal,
+							  next, nt_errstr(nt_status)));
 
-					DEBUG(3, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
-						  spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+					/* Pretend we never started it (lets the first run find some incompatible demand) */
 					talloc_free(spnego_state->sub_sec_security);
 					spnego_state->sub_sec_security = NULL;
 					continue;
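Review bot: Both `principal` and `next` can be NULL when they reach the `%s` conversions in the new DEBUG call — `next` whenever `all_sec[i+1].op` is NULL (exactly the case the WARNING level is chosen for), `principal` when `target.hostname` is NULL or `talloc_asprintf` fails — so the message relies on the C library printing "(null)" rather than on anything the standard guarantees; substitute fixed text in the argument list, `next != NULL ? next : "none"` and `principal != NULL ? principal : "<unknown>"`. The twenty-odd lines computing `next`, `principal` and `dbg_level` are repeated verbatim in the hunk at `@@ -619,8 +643,32 @@` in gensec_spnego_create_negTokenInit, so the two log paths will drift apart on the next edit; the principal selection is the natural piece to pull into one `static` helper, sketched below, with both call sites reduced to one assignment. gensec_spnego_parse_negTokenInit starts and ends outside this hunk.
```c
/* Describe the target for log output: the explicit principal, else
 * "service/hostname" allocated on mem_ctx, else the bare hostname.
 * May return NULL (no hostname, or allocation failure); callers must
 * guard before passing the result to %s. */
static const char *gensec_spnego_target_description(TALLOC_CTX *mem_ctx,
						    struct gensec_security *gensec_security)
{
	if (gensec_security->target.principal != NULL) {
		return gensec_security->target.principal;
	}
	if (gensec_security->target.service != NULL &&
	    gensec_security->target.hostname != NULL) {
		return talloc_asprintf(mem_ctx, "%s/%s",
				       gensec_security->target.service,
				       gensec_security->target.hostname);
	}
	return gensec_security->target.hostname;
}

/* … unchanged: next / dbg_level selection at the call site … */
					principal = gensec_spnego_target_description(
						spnego_state->sub_sec_security,
						gensec_security);

					DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
							  spnego_state->sub_sec_security->ops->name,
							  principal != NULL ? principal : "<unknown>",
							  next != NULL ? next : "none",
							  nt_errstr(nt_status)));
```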
@@ -619,8 +643,32 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
 
 			if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) 
 			    && !NT_STATUS_IS_OK(nt_status)) {
-				DEBUG(1, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n", 
-					  spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+				const char *next = NULL;
+				const char *principal = NULL;
+				int dbg_level = DBGLVL_WARNING;
+
+				if (all_sec[i+1].op != NULL) {
+					next = all_sec[i+1].op->name;
+					dbg_level = DBGLVL_NOTICE;
+				}
+
+				if (gensec_security->target.principal != NULL) {
+					principal = gensec_security->target.principal;
+				} else if (gensec_security->target.service != NULL &&
+					   gensec_security->target.hostname != NULL)
+				{
+					principal = talloc_asprintf(spnego_state->sub_sec_security,
+								    "%s/%s",
+								    gensec_security->target.service,
+								    gensec_security->target.hostname);
+				} else {
+					principal = gensec_security->target.hostname;
+				}
+
+				DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
+					  spnego_state->sub_sec_security->ops->name,
+					  principal,
+					  next, nt_errstr(nt_status)));
 				talloc_free(spnego_state->sub_sec_security);
 				spnego_state->sub_sec_security = NULL;
 				/* Pretend we never started it (lets the first run find some incompatible demand) */
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 99971d3..abf20bc 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -345,14 +345,48 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
 		/* we will need a third leg */
 		status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 		break;
-	default:
-		if ((gss_maj == GSS_S_FAILURE) &&
-		    (gss_min == (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED)) {
+	case GSS_S_CONTEXT_EXPIRED:
+		/* Make SPNEGO ignore us, we can't go any further here */
+		DBG_NOTICE("Context expired\n");
+		status = NT_STATUS_INVALID_PARAMETER;
+		goto done;
+	case GSS_S_FAILURE:
+		switch (gss_min) {
+		case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
+			DBG_NOTICE("Server principal not found\n");
+			/* Make SPNEGO ignore us, we can't go any further here */
+			status = NT_STATUS_INVALID_PARAMETER;
+			goto done;
+		case (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED:
 			DBG_NOTICE("Ticket expired\n");
-		} else {
-			DBG_ERR("gss_init_sec_context failed with [%s]\n",
-				gse_errstr(talloc_tos(), gss_maj, gss_min));
+			/* Make SPNEGO ignore us, we can't go any further here */
+			status = NT_STATUS_INVALID_PARAMETER;
+			goto done;
+		case (OM_uint32)KRB5KRB_AP_ERR_TKT_NYV:
+			DBG_NOTICE("Clockskew\n");
+			/* Make SPNEGO ignore us, we can't go any further here */
+			status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
+			goto done;
+		case (OM_uint32)KRB5_KDC_UNREACH:
+			DBG_NOTICE("KDC unreachable\n");
+			/* Make SPNEGO ignore us, we can't go any further here */
+			status = NT_STATUS_NO_LOGON_SERVERS;
+			goto done;
+		case (OM_uint32)KRB5KRB_AP_ERR_MSG_TYPE:
+			/* Garbage input, possibly from the auto-mech detection */
+			status = NT_STATUS_INVALID_PARAMETER;
+			goto done;
+		default:
+			DBG_ERR("gss_init_sec_context failed with [%s](%u)\n",
+				gse_errstr(talloc_tos(), gss_maj, gss_min),
+				gss_min);
+			status = NT_STATUS_LOGON_FAILURE;
+			goto done;
 		}
+		break;
+	default:
+		DBG_ERR("gss_init_sec_context failed with [%s]\n",
+			gse_errstr(talloc_tos(), gss_maj, gss_min));
 		status = NT_STATUS_INTERNAL_ERROR;
 		goto done;
 	}
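Review bot: The `break;` closing the `case GSS_S_FAILURE:` arm is unreachable — every arm of the inner `switch (gss_min)`, including `default`, ends in `goto done` — and a reader has to check all six arms to see that the outer `default:` can never be reached by fall-through; either drop it or keep it as `break; /* not reached: every gss_min case jumps to done */` so the intent is explicit. In the inner `default`, `gss_min` is an `OM_uint32` passed to `%u`; writing `(unsigned int)gss_min` in the argument list keeps the format and argument paired however the GSSAPI headers define that type. The `KRB5KRB_AP_ERR_MSG_TYPE` arm is the only one that logs nothing; a `DBG_DEBUG("Unexpected message type, ignoring\n");` would make the deliberately quiet path visible when tracing the auto-mech detection it mentions. gse_get_client_auth_token starts before this hunk and the `done:` label it jumps to lies outside it.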

