[SCM] Samba Shared Repository - branch v4-8-test updated

Stefan Metzmacher metze at samba.org
Wed Mar 21 01:30:03 UTC 2018


The branch, v4-8-test has been updated
       via  cbbb6ef s3:auth: make use of make_{server,session}_info_anonymous()
       via  f9d850d s3:rpc_server: make use of make_session_info_anonymous()
       via  a6ecafa s3:auth: add make_{server,session}_info_anonymous()
       via  07091cd s3:auth: pass the whole auth_session_info from copy_session_info_serverinfo_guest() to create_local_token()
       via  e811adb s3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_create_session_info()
       via  59cf56e s3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create()
       via  df9ae9d auth: add auth_user_info_copy() function
       via  05fad28 s3:auth: remove static from finalize_local_nt_token()
       via  aee3318 s3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token()
       via  3adb292 s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token()
       via  2c148eb s3:auth: add add_builtin_guests() handling to finalize_local_nt_token()
       via  8557994 s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token()
       via  03b4684 s3:passdb: handle dom_sid=NULL in create_builtin_{users,administrators}()
       via  253f0d1 s3:auth: move add_local_groups() out of finalize_local_nt_token()
       via  88c8499 s3:auth: add the "Unix Groups" sid for the primary gid
       via  a67e3d0 s3:auth: remove unused auth_serversupplied_info->system
       via  abffcb8 libcli/security: only announce a session as GUEST if 'Builtin\Guests' is there without 'Authenticated User'
       via  8227b0a s3:selftest: run SMB2-ANONYMOUS
       via  ebc2137 s3:torture: add SMB2-ANONYMOUS which asserts no GUEST bit for anonymous
      from  5d36aa6 VERSION: Bump version up to 4.8.1...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test


- Log -----------------------------------------------------------------
commit cbbb6ef5c2b41bb46972fabc08c55134098ac29b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 2 14:40:19 2018 +0100

    s3:auth: make use of make_{server,session}_info_anonymous()
    
    It's important to have them separated from make_{server,session}_info_guest(),
    because there's a fundamental difference between anonymous (the client requested
    no authentication) and guest (the server lies about the authentication failure).
    
    When it's really an anonymous connection, we should reflect that in the
    resulting session info.
    
    This should fix a problem where Windows 10 tries to join
    a Samba hosted NT4 domain and has SMB2/3 enabled.
    
    We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST
    for true anonymous connections.
    
    The commit message from a few commit before shows the resulting
    auth_session_info change.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144
    
    (cherry picked from commit 1957bf11f127fc08c6622999cadc7dd580ac7d3b)
    
    Autobuild-User(v4-8-test): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(v4-8-test): Wed Mar 21 02:29:57 CET 2018 on sn-devel-144

commit f9d850d3d1b803143bee807ebba218b7f14aaef0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 2 14:40:19 2018 +0100

    s3:rpc_server: make use of make_session_info_anonymous()
    
    For unauthenticated connections we should default to a
    session info with an anonymous nt token.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 0ee9a550944034718ea188b277cca4b6fc5fbc5c)

commit a6ecafa7189938b77c11faf8e1026cb8c02256b8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 2 14:39:44 2018 +0100

    s3:auth: add make_{server,session}_info_anonymous()
    
    It's important to have them separated from make_{server,session}_info_guest(),
    because there's a fundamental difference between anonymous (the client requested
    no authentication) and guest (the server lies about the authentication failure).
    
    The following is the difference between guest and anonymous token:
    
                 security_token: struct security_token
    -                num_sids                 : 0x0000000a (10)
    -                sids: ARRAY(10)
    -                    sids                     : S-1-5-21-3793881525-3372187982-3724979742-501
    -                    sids                     : S-1-5-21-3793881525-3372187982-3724979742-514
    -                    sids                     : S-1-22-2-65534
    -                    sids                     : S-1-22-2-65533
    +                num_sids                 : 0x00000009 (9)
    +                sids: ARRAY(9)
    +                    sids                     : S-1-5-7
                         sids                     : S-1-1-0
                         sids                     : S-1-5-2
    -                    sids                     : S-1-5-32-546
                         sids                     : S-1-22-1-65533
    +                    sids                     : S-1-22-2-65534
    +                    sids                     : S-1-22-2-100004
                         sids                     : S-1-22-2-100002
                         sids                     : S-1-22-2-100003
    +                    sids                     : S-1-22-2-65533
                     privilege_mask           : 0x0000000000000000 (0)
    
    ...
    
             unix_token               : *
                 unix_token: struct security_unix_token
                     uid                      : 0x000000000000fffd (65533)
                     gid                      : 0x000000000000fffe (65534)
    -                ngroups                  : 0x00000004 (4)
    -                groups: ARRAY(4)
    +                ngroups                  : 0x00000005 (5)
    +                groups: ARRAY(5)
                         groups                   : 0x000000000000fffe (65534)
    -                    groups                   : 0x000000000000fffd (65533)
    +                    groups                   : 0x00000000000186a4 (100004)
                         groups                   : 0x00000000000186a2 (100002)
                         groups                   : 0x00000000000186a3 (100003)
    +                    groups                   : 0x000000000000fffd (65533)
    
                 info: struct auth_user_info
                     account_name             : *
    -                    account_name             : 'nobody'
    +                    account_name             : 'ANONYMOUS LOGON'
                     user_principal_name      : NULL
                     user_principal_constructed: 0x00 (0)
                     domain_name              : *
    -                    domain_name              : 'SAMBA-TEST'
    +                    domain_name              : 'NT AUTHORITY'
                     dns_domain_name          : NULL
    -                full_name                : NULL
    -                logon_script             : NULL
    -                profile_path             : NULL
    -                home_directory           : NULL
    -                home_drive               : NULL
    -                logon_server             : NULL
    +                full_name                : *
    +                    full_name                : 'Anonymous Logon'
    +                logon_script             : *
    +                    logon_script             : ''
    +                profile_path             : *
    +                    profile_path             : ''
    +                home_directory           : *
    +                    home_directory           : ''
    +                home_drive               : *
    +                    home_drive               : ''
    +                logon_server             : *
    +                    logon_server             : 'LOCALNT4DC2'
                     last_logon               : NTTIME(0)
                     last_logoff              : NTTIME(0)
                     acct_expiry              : NTTIME(0)
                     last_password_change     : NTTIME(0)
                     allow_password_change    : NTTIME(0)
                     force_password_change    : NTTIME(0)
                     logon_count              : 0x0000 (0)
                     bad_password_count       : 0x0000 (0)
    -                acct_flags               : 0x00000000 (0)
    +                acct_flags               : 0x00000010 (16)
                     authenticated            : 0x00 (0)
                 security_token: struct security_token
                     num_sids                 : 0x00000006 (6)
                     sids: ARRAY(6)
    +                    sids                     : S-1-5-7
    +                    sids                     : S-1-1-0
    +                    sids                     : S-1-5-2
                         sids                     : S-1-22-1-65533
                         sids                     : S-1-22-2-65534
                         sids                     : S-1-22-2-65533
    -                    sids                     : S-1-1-0
    -                    sids                     : S-1-5-2
    -                    sids                     : S-1-5-32-546
                     privilege_mask           : 0x0000000000000000 (0)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    (similar to commit 6afb6b67a198c88ab8fa3fee931729c43605716d)

commit 07091cd7f02a7c785ed85ea79268d73249c8ac8e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 2 17:07:11 2018 +0100

    s3:auth: pass the whole auth_session_info from copy_session_info_serverinfo_guest() to create_local_token()
    
    We only need to adjust sanitized_username in order to keep the same behaviour.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit a2a289d0446fedb4ea40834b5b5b190fdca30906)

commit e811adb14b188808d29058d409d17c634536364b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 7 00:51:51 2018 +0100

    s3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_create_session_info()
    
    The changes in the resulting token look like this:
    
               unix_token               : *
                   unix_token: struct security_unix_token
                       uid                      : 0x0000000000000000 (0)
                       gid                      : 0x0000000000000000 (0)
    -                  ngroups                  : 0x00000000 (0)
    -                  groups: ARRAY(0)
    +                  ngroups                  : 0x00000001 (1)
    +                  groups: ARRAY(1)
    +                      groups                   : 0x0000000000000000 (0)
    
    ...
    
                       domain_name              : *
                           domain_name              : 'NT AUTHORITY'
                       dns_domain_name          : NULL
    -                  full_name                : NULL
    -                  logon_script             : NULL
    -                  profile_path             : NULL
    -                  home_directory           : NULL
    -                  home_drive               : NULL
    -                  logon_server             : NULL
    +                  full_name                : *
    +                      full_name                : 'System'
    +                  logon_script             : *
    +                      logon_script             : ''
    +                  profile_path             : *
    +                      profile_path             : ''
    +                  home_directory           : *
    +                      home_directory           : ''
    +                  home_drive               : *
    +                      home_drive               : ''
    +                  logon_server             : *
    +                      logon_server             : 'SLOWSERVER'
                       last_logon               : NTTIME(0)
                       last_logoff              : NTTIME(0)
                       acct_expiry              : NTTIME(0)
                       last_password_change     : NTTIME(0)
                       allow_password_change    : NTTIME(0)
                       force_password_change    : NTTIME(0)
                       logon_count              : 0x0000 (0)
                       bad_password_count       : 0x0000 (0)
    -                  acct_flags               : 0x00000000 (0)
    +                  acct_flags               : 0x00000010 (16)
                       authenticated            : 0x01 (1)
               unix_info                : *
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit e8402ec0486ced6ac2adb640c61a9e5abc77d4e4)

commit 59cf56ee987e372c2afac0662d7ef830a943ad36
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 7 00:21:13 2018 +0100

    s3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create()
    
    These functions make it possible to construct a full auth_session_info
    from the information available from an auth_user_info_dc structure.
    
    This has all the logic from create_local_token() that is used
    to transform a auth_serversupplied_info to a full auth_session_info.
    
    In order to workarround the restriction that auth_user_info_dc
    doesn't contain hints for the unix token/name, we use
    the special S-1-5-88 (Unix_NFS) sids:
    
     - S-1-5-88-1-Y gives the uid=Y
     - S-1-5-88-2-Y gives the gid=Y
     - S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_*
    
    The currently implemented flags are:
    
    - AUTH3_UNIX_HINT_QUALIFIED_NAME
      unix_name = DOMAIN+ACCOUNT
    
    - AUTH3_UNIX_HINT_ISLOLATED_NAME
      unix_name = ACCOUNT
    
    - AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS
      Don't translate the nt token SIDS into uid/gids
      using sid mapping.
    
    - AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS
      Don't translate the unix token uid/gids to S-1-22-X-Y SIDS
    
    - AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS
      The unix token won't get expanded gid values
      from getgroups_unix_user()
    
    By using the hints it is possible to keep the current logic
    where an authentication backend provides uid/gid values and
    the unix name.
    
    Note the S-1-5-88-* SIDS never appear in the final security_token.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit af4bc135e486e17164da0ea918281fbf689892c3)

commit df9ae9d72560578d0000a4083bd2ba3bf5cbd910
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 6 16:38:10 2018 +0100

    auth: add auth_user_info_copy() function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 6ff891195855403bc485725aef8d43d4e3cabacb)

commit 05fad286f1c1f4e9fdfb1797cdfc6bf23d6c4a25
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 6 23:45:30 2018 +0100

    s3:auth: remove static from finalize_local_nt_token()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 7f47f9e1f220d2dd547cf77bbc292357a2173870)

commit aee33186bb136a43222dcb85ac7dcc57760fa4b9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 6 23:40:10 2018 +0100

    s3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit d3aae5ba65c7ed0d5e9f8389101cf1c8c1f0a25b)

commit 3adb292feec9364d1fd7c0f81927f1bf4d7d6d83
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 6 23:36:03 2018 +0100

    s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 4f81ef9353ad76390aa910c8c17456fec21916c6)

commit 2c148eb8ec36fc22caa9f47dada8f387eee80ab0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 6 23:26:28 2018 +0100

    s3:auth: add add_builtin_guests() handling to finalize_local_nt_token()
    
    We should add Builtin_Guests depending on the current token
    not based on 'is_guest'. Even authenticated users can be member
    a guest related group and therefore get Builtin_Guests.
    
    Sadly we still need to use 'is_guest' within create_local_nt_token()
    as we only have S-1-22-* SIDs there and still need to
    add Builtin_Guests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit e8dc55d2b969b670322a913799d1af459a1000e7)

commit 8557994f1f535f81acd240eec2c462b0bb1d5b19
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 13 21:38:27 2018 +0100

    s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit c2ffbf9f764a94ef1dc1280741884cf63a017308)

commit 03b4684e9a3b1bd988409b89a6cc08ea1a4b8a56
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 13 21:35:48 2018 +0100

    s3:passdb: handle dom_sid=NULL in create_builtin_{users,administrators}()
    
    We should not crash if we're called with NULL.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit efdc617c76d9043286e33b961f45ad4564232102)

commit 253f0d184151e6a3c8b2fd5d827d9c3a1d30149c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 6 17:14:34 2018 +0100

    s3:auth: move add_local_groups() out of finalize_local_nt_token()
    
    finalize_local_nt_token() will be used in another place,
    were we don't want to add local groups in a following commit.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit df3d278853ec097df27c221369dfb3ed0297d6c8)

commit 88c8499ccc07fed5cfe263ced2309b50efc83c40
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 2 16:37:58 2018 +0100

    s3:auth: add the "Unix Groups" sid for the primary gid
    
    The primary gid might not be in the gid array.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit f3ca3e71cc35876df47e31ec9c3643308add2405)

commit a67e3d00169d220bfb085c465f073214eb26636a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 1 18:05:28 2018 +0100

    s3:auth: remove unused auth_serversupplied_info->system
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 28ad1306b880a44824ee956a19656ac29581a1b9)

commit abffcb8179101736dc98306d5232fd452ac63466
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Mar 14 11:44:49 2018 +0100

    libcli/security: only announce a session as GUEST if 'Builtin\Guests' is there without 'Authenticated User'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit f564847c8e9d31fe07dd3cbf435986b36f097fa3)

commit 8227b0a6c092ebe84ea4cc402a9fc4cb8766b229
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 15 18:04:21 2018 +0100

    s3:selftest: run SMB2-ANONYMOUS
    
    This fails against a non AD DC smbd.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit bf707a1eba39e996bb19457b63ddb658cc4183c2)

commit ebc21376e6a8362bbc7ac1d330da995af10a1c26
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 15 17:40:07 2018 +0100

    s3:torture: add SMB2-ANONYMOUS which asserts no GUEST bit for anonymous
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 82d8aa3b9cb15512d29a97b5a7e55ea1a052734f)

-----------------------------------------------------------------------

Summary of changes:
 auth/auth_sam_reply.c           |  35 ++
 auth/auth_sam_reply.h           |   3 +
 libcli/security/session.c       |  18 +-
 source3/auth/auth_builtin.c     |   2 +-
 source3/auth/auth_ntlmssp.c     |   5 +-
 source3/auth/auth_util.c        | 852 +++++++++++++++++++++++++++++++++++-----
 source3/auth/proto.h            |  38 ++
 source3/auth/token_util.c       | 251 +++++++++---
 source3/include/auth.h          |   6 +-
 source3/passdb/pdb_util.c       |  10 +-
 source3/rpc_server/rpc_server.c |   9 +-
 source3/selftest/tests.py       |   1 +
 source3/torture/proto.h         |   1 +
 source3/torture/test_smb2.c     |  42 ++
 source3/torture/torture.c       |   1 +
 15 files changed, 1101 insertions(+), 173 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 15d17b0..bd69515 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -333,6 +333,41 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
+struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx,
+					   const struct auth_user_info *src)
+{
+	struct auth_user_info *dst = NULL;
+
+	dst = talloc_zero(mem_ctx, struct auth_user_info);
+	if (dst == NULL) {
+		return NULL;
+	}
+
+	*dst = *src;
+#define _COPY_STRING(_mem, _str) do { \
+	if ((_str) != NULL) { \
+		(_str) = talloc_strdup((_mem), (_str)); \
+		if ((_str) == NULL) { \
+			TALLOC_FREE(dst); \
+			return NULL; \
+		} \
+	} \
+} while(0)
+	_COPY_STRING(dst, dst->account_name);
+	_COPY_STRING(dst, dst->user_principal_name);
+	_COPY_STRING(dst, dst->domain_name);
+	_COPY_STRING(dst, dst->dns_domain_name);
+	_COPY_STRING(dst, dst->full_name);
+	_COPY_STRING(dst, dst->logon_script);
+	_COPY_STRING(dst, dst->profile_path);
+	_COPY_STRING(dst, dst->home_directory);
+	_COPY_STRING(dst, dst->home_drive);
+	_COPY_STRING(dst, dst->logon_server);
+#undef _COPY_STRING
+
+	return dst;
+}
+
 /**
  * Make a user_info_dc struct from the info3 returned by a domain logon
  */
diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h
index 4aa3096..e4b26e9 100644
--- a/auth/auth_sam_reply.h
+++ b/auth/auth_sam_reply.h
@@ -38,6 +38,9 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
 				    bool authenticated,
 				    struct auth_user_info **_user_info);
 
+struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx,
+					   const struct auth_user_info *src);
+
 NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
 					   const struct auth_user_info_dc *user_info_dc,
 					   struct netr_SamInfo6 **_sam6);
diff --git a/libcli/security/session.c b/libcli/security/session.c
index 0fbb87d..f17e884 100644
--- a/libcli/security/session.c
+++ b/libcli/security/session.c
@@ -26,6 +26,9 @@
 enum security_user_level security_session_user_level(struct auth_session_info *session_info,
 						     const struct dom_sid *domain_sid)
 {
+	bool authenticated = false;
+	bool guest = false;
+
 	if (!session_info) {
 		return SECURITY_ANONYMOUS;
 	}
@@ -38,8 +41,13 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
 		return SECURITY_ANONYMOUS;
 	}
 
-	if (security_token_has_builtin_guests(session_info->security_token)) {
-		return SECURITY_GUEST;
+	authenticated = security_token_has_nt_authenticated_users(session_info->security_token);
+	guest = security_token_has_builtin_guests(session_info->security_token);
+	if (!authenticated) {
+		if (guest) {
+			return SECURITY_GUEST;
+		}
+		return SECURITY_ANONYMOUS;
 	}
 
 	if (security_token_has_builtin_administrators(session_info->security_token)) {
@@ -60,9 +68,5 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
 		return SECURITY_DOMAIN_CONTROLLER;
 	}
 
-	if (security_token_has_nt_authenticated_users(session_info->security_token)) {
-		return SECURITY_USER;
-	}
-
-	return SECURITY_ANONYMOUS;
+	return SECURITY_USER;
 }
diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c
index 0fa95d9..a2d95a7 100644
--- a/source3/auth/auth_builtin.c
+++ b/source3/auth/auth_builtin.c
@@ -81,7 +81,7 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context,
 		break;
 	}
 
-	return make_server_info_guest(NULL, server_info);
+	return make_server_info_anonymous(NULL, server_info);
 }
 
 /* Guest modules initialisation */
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index fd629fd..2e345e1 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -65,10 +65,7 @@ NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context,
 
 		cmp = dom_sid_compare(sid, &global_sid_Anonymous);
 		if (cmp == 0) {
-			/*
-			 * TODO: use auth_anonymous_session_info() here?
-			 */
-			return make_session_info_guest(mem_ctx, session_info);
+			return make_session_info_anonymous(mem_ctx, session_info);
 		}
 
 		return NT_STATUS_INTERNAL_ERROR;
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index f543b33..c6fd5da 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -37,6 +37,7 @@
 #include "lib/param/loadparm.h"
 #include "../lib/tsocket/tsocket.h"
 #include "rpc_client/util_netlogon.h"
+#include "source4/auth/auth.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
@@ -471,6 +472,26 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
+	if (server_info->cached_session_info != NULL) {
+		session_info = copy_session_info(mem_ctx,
+				server_info->cached_session_info);
+		if (session_info == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		/* This is a potentially untrusted username for use in %U */
+		alpha_strcpy(tmp, smb_username, ". _-$", sizeof(tmp));
+		session_info->unix_info->sanitized_username =
+				talloc_strdup(session_info->unix_info, tmp);
+		if (session_info->unix_info->sanitized_username == NULL) {
+			TALLOC_FREE(session_info);
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		*session_info_out = session_info;
+		return NT_STATUS_OK;
+	}
+
 	session_info = talloc_zero(mem_ctx, struct auth_session_info);
 	if (!session_info) {
 		return NT_STATUS_NO_MEMORY;
@@ -525,30 +546,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
 		return status;
 	}
 
-	if (server_info->security_token) {
-		/* Just copy the token, it has already been finalised
-		 * (nasty hack to support a cached guest/system session_info
-		 */
-
-		session_info->security_token = dup_nt_token(session_info, server_info->security_token);
-		if (!session_info->security_token) {
-			TALLOC_FREE(session_info);
-			return NT_STATUS_NO_MEMORY;
-		}
-
-		session_info->unix_token->ngroups = server_info->utok.ngroups;
-		if (server_info->utok.ngroups != 0) {
-			session_info->unix_token->groups = (gid_t *)talloc_memdup(
-				session_info->unix_token, server_info->utok.groups,
-				sizeof(gid_t)*session_info->unix_token->ngroups);
-		} else {
-			session_info->unix_token->groups = NULL;
-		}
-
-		*session_info_out = session_info;
-		return NT_STATUS_OK;
-	}
-
 	/*
 	 * If winbind is not around, we can not make much use of the SIDs the
 	 * domain controller provided us with. Likewise if the user name was
@@ -633,7 +630,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
 	 */
 
 	uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid);
+	add_sid_to_array_unique(session_info->security_token, &tmp_sid,
+				&session_info->security_token->sids,
+				&session_info->security_token->num_sids);
 
+	gid_to_unix_groups_sid(session_info->unix_token->gid, &tmp_sid);
 	add_sid_to_array_unique(session_info->security_token, &tmp_sid,
 				&session_info->security_token->sids,
 				&session_info->security_token->num_sids);
@@ -661,6 +662,558 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
+NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc,
+				      uid_t uid,
+				      gid_t gid,
+				      uint32_t flags)
+{
+	uint32_t orig_num_sids = user_info_dc->num_sids;
+	struct dom_sid tmp_sid = { 0, };
+	NTSTATUS status;
+
+	/*
+	 * We add S-5-88-1-X in order to pass the uid
+	 * for the unix token.
+	 */
+	sid_compose(&tmp_sid,
+		    &global_sid_Unix_NFS_Users,
+		    (uint32_t)uid);
+	status = add_sid_to_array_unique(user_info_dc->sids,
+					 &tmp_sid,
+					 &user_info_dc->sids,
+					 &user_info_dc->num_sids);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("add_sid_to_array_unique failed: %s\n",
+			  nt_errstr(status)));
+		goto fail;
+	}
+
+	/*
+	 * We add S-5-88-2-X in order to pass the gid
+	 * for the unix token.
+	 */
+	sid_compose(&tmp_sid,
+		    &global_sid_Unix_NFS_Groups,
+		    (uint32_t)gid);
+	status = add_sid_to_array_unique(user_info_dc->sids,
+					 &tmp_sid,
+					 &user_info_dc->sids,
+					 &user_info_dc->num_sids);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("add_sid_to_array_unique failed: %s\n",
+			  nt_errstr(status)));
+		goto fail;
+	}
+
+	/*
+	 * We add S-5-88-3-X in order to pass some flags
+	 * (AUTH3_UNIX_HINT_*) to auth3_create_session_info().
+	 */
+	sid_compose(&tmp_sid,
+		    &global_sid_Unix_NFS_Mode,
+		    flags);
+	status = add_sid_to_array_unique(user_info_dc->sids,
+					 &tmp_sid,
+					 &user_info_dc->sids,
+					 &user_info_dc->num_sids);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("add_sid_to_array_unique failed: %s\n",
+			  nt_errstr(status)));
+		goto fail;
+	}
+
+	return NT_STATUS_OK;
+
+fail:
+	user_info_dc->num_sids = orig_num_sids;
+	return status;
+}
+
+NTSTATUS auth3_session_info_create(TALLOC_CTX *mem_ctx,
+				   const struct auth_user_info_dc *user_info_dc,
+				   const char *original_user_name,
+				   uint32_t session_info_flags,
+				   struct auth_session_info **session_info_out)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct auth_session_info *session_info = NULL;
+	uid_t hint_uid = -1;
+	bool found_hint_uid = false;
+	uid_t hint_gid = -1;
+	bool found_hint_gid = false;
+	uint32_t hint_flags = 0;
+	bool found_hint_flags = false;
+	bool need_getpwuid = false;
+	struct unixid *ids = NULL;
+	uint32_t num_gids = 0;
+	gid_t *gids = NULL;
+	struct dom_sid tmp_sid = { 0, };
+	fstring tmp = { 0, };
+	NTSTATUS status;
+	size_t i;
+	bool ok;
+
+	*session_info_out = NULL;
+
+	if (user_info_dc->num_sids == 0) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_INVALID_TOKEN;
+	}
+
+	if (user_info_dc->info == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_INVALID_TOKEN;
+	}
+
+	if (user_info_dc->info->account_name == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_INVALID_TOKEN;
+	}
+
+	session_info = talloc_zero(mem_ctx, struct auth_session_info);
+	if (session_info == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+	/* keep this under frame for easier cleanup */
+	talloc_reparent(mem_ctx, frame, session_info);
+
+	session_info->info = auth_user_info_copy(session_info,
+						 user_info_dc->info);
+	if (session_info->info == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	session_info->security_token = talloc_zero(session_info,
+						   struct security_token);
+	if (session_info->security_token == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	/*
+	 * Avoid a lot of reallocations and allocate what we'll
+	 * use in most cases.
+	 */
+	session_info->security_token->sids = talloc_zero_array(
+						session_info->security_token,
+						struct dom_sid,
+						user_info_dc->num_sids);
+	if (session_info->security_token->sids == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	for (i = PRIMARY_USER_SID_INDEX; i < user_info_dc->num_sids; i++) {
+		struct security_token *nt_token = session_info->security_token;
+		int cmp;
+
+		/*
+		 * S-1-5-88-X-Y sids are only used to give hints
+		 * to the unix token construction.
+		 *
+		 * S-1-5-88-1-Y gives the uid=Y
+		 * S-1-5-88-2-Y gives the gid=Y
+		 * S-1-5-88-3-Y gives flags=Y: AUTH3_UNIX_HINT_*
+		 */
+		cmp = dom_sid_compare_domain(&global_sid_Unix_NFS,
+					     &user_info_dc->sids[i]);
+		if (cmp == 0) {
+			bool match;
+			uint32_t hint = 0;
+
+			match = sid_peek_rid(&user_info_dc->sids[i], &hint);
+			if (!match) {
+				continue;
+			}
+
+			match = dom_sid_in_domain(&global_sid_Unix_NFS_Users,
+						  &user_info_dc->sids[i]);
+			if (match) {
+				if (found_hint_uid) {
+					TALLOC_FREE(frame);
+					return NT_STATUS_INVALID_TOKEN;
+				}
+				found_hint_uid = true;
+				hint_uid = (uid_t)hint;
+				continue;
+			}
+
+			match = dom_sid_in_domain(&global_sid_Unix_NFS_Groups,
+						  &user_info_dc->sids[i]);
+			if (match) {
+				if (found_hint_gid) {
+					TALLOC_FREE(frame);
+					return NT_STATUS_INVALID_TOKEN;
+				}
+				found_hint_gid = true;
+				hint_gid = (gid_t)hint;
+				continue;
+			}
+
+			match = dom_sid_in_domain(&global_sid_Unix_NFS_Mode,
+						  &user_info_dc->sids[i]);
+			if (match) {
+				if (found_hint_flags) {
+					TALLOC_FREE(frame);
+					return NT_STATUS_INVALID_TOKEN;
+				}
+				found_hint_flags = true;
+				hint_flags = hint;
+				continue;
+			}
+
+			continue;
+		}
+
+		status = add_sid_to_array_unique(nt_token->sids,
+						 &user_info_dc->sids[i],
+						 &nt_token->sids,
+						 &nt_token->num_sids);
+		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(frame);
+			return status;
+		}
+	}
+
+	/*
+	 * We need at least one usable SID
+	 */
+	if (session_info->security_token->num_sids == 0) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_INVALID_TOKEN;
+	}
+
+	/*
+	 * We need all tree hints: uid, gid, flags
+	 * or none of them.
+	 */
+	if (found_hint_uid || found_hint_gid || found_hint_flags) {
+		if (!found_hint_uid) {
+			TALLOC_FREE(frame);
+			return NT_STATUS_INVALID_TOKEN;
+		}
+
+		if (!found_hint_gid) {
+			TALLOC_FREE(frame);
+			return NT_STATUS_INVALID_TOKEN;
+		}
+
+		if (!found_hint_flags) {
+			TALLOC_FREE(frame);
+			return NT_STATUS_INVALID_TOKEN;
+		}
+	}
+
+	if (session_info->info->authenticated) {
+		session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+	}
+
+	status = finalize_local_nt_token(session_info->security_token,
+					 session_info_flags);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+	/*
+	 * unless set otherwise, the session key is the user session
+	 * key from the auth subsystem
+	 */
+	if (user_info_dc->user_session_key.length != 0) {
+		session_info->session_key = data_blob_dup_talloc(session_info,
+						user_info_dc->user_session_key);
+		if (session_info->session_key.data == NULL) {
+			TALLOC_FREE(frame);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	if (!(session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN)) {
+		goto done;
+	}
+
+	session_info->unix_token = talloc_zero(session_info, struct security_unix_token);
+	if (session_info->unix_token == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+	session_info->unix_token->uid = -1;
+	session_info->unix_token->gid = -1;
+
+	session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix);
+	if (session_info->unix_info == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;


-- 
Samba Shared Repository



More information about the samba-cvs mailing list