[SCM] Samba Shared Repository - branch v4-9-test updated
Karolin Seeger
kseeger at samba.org
Tue Nov 20 14:51:03 UTC 2018
The branch, v4-9-test has been updated
via 7cd5db7a63d ctdb-tests: Make the debug hung script test cope with unreadable stacks
via 041e0945cb5 s3:smb2_sesssetup: check session_info security level before it gets talloc_move'd
via 77cf7167374 s4:torture/smb2/session: session reauth response must be signed
via f2c456aa1b7 s4:torture/smb2/session: add force_signing to test_session_expire1i
via 2b164eca304 s4:torture/smb2/session: require a signed session setup reauth response
via ff0db7ec9c2 s4:torture/smb2/session: invalidate credential cache
via 6c3577a5885 libcli/smb: use require_signed_response in smb2cli_conn_dispatch_incoming()
via 6ca7a8a2ffb libcli/smb: defer signing check a little bit
via cd8ea322a32 libcli/smb: maintain require_signed_response in smbXcli_req_state
via 4f5af7ba729 libcli/smb: add smb2cli_session_require_signed_response()
via 052df0f679d s3:selftest: also run smb2.session torture testsuite against ad_member
via e71252ecb2b s3:selftest: split "raw.session" and "smb2.session"
from 299e6edd0e6 torture: Fix the 32-bit build
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-test
- Log -----------------------------------------------------------------
commit 7cd5db7a63db2746c600e740e33e426a975bd901
Author: Martin Schwenke <martin at meltin.net>
Date: Wed Nov 14 14:09:42 2018 +1100
ctdb-tests: Make the debug hung script test cope with unreadable stacks
Ideally this would just involve using "test -r". However, operating
system security features may mean that kernel stacks are not readable
even though they appear to be.
Instead, try reading the stack of a process on the test node. If
that succeeds then so should reading the stack of the "stuck" sleep
process in the test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13684
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Tim Beale <timbeale at catalyst.net.nz>
Autobuild-User(master): Tim Beale <timbeale at samba.org>
Autobuild-Date(master): Thu Nov 15 08:15:32 CET 2018 on sn-devel-144
(cherry picked from commit c1dd6382e3211792e313f7d559b943f55c9cb0e1)
Autobuild-User(v4-9-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-9-test): Tue Nov 20 15:50:33 CET 2018 on sn-devel-144
commit 041e0945cb559c492a3f741cdaab48c85c0dde04
Author: Ralph Boehme <slow at samba.org>
Date: Thu Nov 8 17:31:41 2018 +0100
s3:smb2_sesssetup: check session_info security level before it gets talloc_move'd
We talloc_move() session_info to session->global->auth_session_info
which sets session_info to NULL.
This means security_session_user_level(NULL, NULL) will always return
SECURITY_ANONYMOUS so we never sign the session setup response.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Nov 13 14:22:46 CET 2018 on sn-devel-144
(cherry picked from commit bb93e691ca9b1922bf552363a1e7d70792749d67)
commit 77cf7167374b65258ff9da9aaf6118ba0e63f1aa
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 9 12:39:41 2018 +0100
s4:torture/smb2/session: session reauth response must be signed
This test checks that a session setup reauth is signed even when neither
client nor server require signing.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 181f18c4bf70754a6f3132375d06250baab2871b)
commit f2c456aa1b7d0a90d73265085d53275d868b56ac
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 9 12:19:16 2018 +0100
s4:torture/smb2/session: add force_signing to test_session_expire1i
Existing callers pass true, so no change in behaviour. The next commit
adds an additional test that passes force_signing=false.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5fdea4095ac82536192c8d91c411b22e2683a5c1)
commit 2b164eca30453381d666b9ed190880272ba7a165
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 9 15:34:24 2018 +0100
s4:torture/smb2/session: require a signed session setup reauth response
All existing tests using this function require signing, so currently
this passes. A subsequent commit adds a test where neither client nor
server require signing and that's where this trap will explode.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ffc424ee6bedc3c208acb4c0c83da836a12d6123)
commit ff0db7ec9c2f7bae0b90b92dabbb611520f8d310
Author: Ralph Boehme <slow at samba.org>
Date: Thu Nov 8 15:42:46 2018 +0100
s4:torture/smb2/session: invalidate credential cache
Invalidate credential cache before connecting to the server, otherwise
we will reuse the credentials from the credential cache populated by the
preceding tests.
Also invalidate it at the end, otherwise subsequent tests might run into
problems if the credentials expire while authenticating.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 368e1860654e737aa2fa9516cdd3668fa644009a)
commit 6c3577a588599f638fdd70ddea28301a6940f220
Author: Ralph Boehme <slow at samba.org>
Date: Sat Nov 10 22:00:04 2018 +0100
libcli/smb: use require_signed_response in smb2cli_conn_dispatch_incoming()
This can be used by the upper layers to force checking a response is
signed. It will be used to implement verification of session setup
reauth responses in a torture test. That comes next.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 53fe148476a5566b7a8204d7e44b6e75ce7d45bc)
commit 6ca7a8a2ffb1c87f633dc0890b285dab73337bc2
Author: Ralph Boehme <slow at samba.org>
Date: Sat Nov 10 21:56:28 2018 +0100
libcli/smb: defer signing check a little bit
This allows adding an additional condition to the if check where the
condition state may be modified in the "if (opcode ==
SMB2_OP_SESSSETUP)" case directly above.
No change in behaviour.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 7abf3900218e3d27c075b405735b2c38ec0fc4ca)
commit cd8ea322a32bf83ef0555815d99ab8c740665540
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 9 15:26:44 2018 +0100
libcli/smb: maintain require_signed_response in smbXcli_req_state
Not used for now, that comes next.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 67cfb01611869b7590ccd836dd13a80e53545714)
commit 4f5af7ba7292fea93fb4607b7e6a18c8082247c2
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 9 15:17:19 2018 +0100
libcli/smb: add smb2cli_session_require_signed_response()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit d407201d9bd4ee5ae5609dd107e3ab9ee7afbeb0)
commit 052df0f679d1135f93fabcdbfdca00ae020ce6c7
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 9 12:33:29 2018 +0100
s3:selftest: also run smb2.session torture testsuite against ad_member
The next commit adds a subtest to the smb2.session testsuite that
requires Kerberos (ad_dc would work), but where neither SMB2 server nor
client must require signing (ad_dc, being an AD DC, requires signing).
The ad_member environment supports Kerberos with the SMB2 server not
mandating signing, that'll do.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit b86c94f0b929f2d9e521d41396c4e1611f5a4c5b)
commit e71252ecb2b755dec4aa0d4d41181120026d9183
Author: Ralph Boehme <slow at samba.org>
Date: Thu Nov 8 16:24:45 2018 +0100
s3:selftest: split "raw.session" and "smb2.session"
The next commit is going to add a testsuite to "smb2.session".
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit d0a8899ed57c2b368c3870b3899a3422251222aa)
-----------------------------------------------------------------------
Summary of changes:
ctdb/tests/simple/90_debug_hung_script.sh | 17 +++++++++++---
libcli/smb/smbXcli_base.c | 37 ++++++++++++++++++++++++++-----
libcli/smb/smbXcli_base.h | 2 ++
source3/selftest/tests.py | 8 ++++++-
source3/smbd/smb2_sesssetup.c | 8 +++----
source4/torture/smb2/session.c | 31 +++++++++++++++++++++++++-
6 files changed, 88 insertions(+), 15 deletions(-)
Changeset truncated at 500 lines:
diff --git a/ctdb/tests/simple/90_debug_hung_script.sh b/ctdb/tests/simple/90_debug_hung_script.sh
index 846188fc716..8b8e22b3239 100755
--- a/ctdb/tests/simple/90_debug_hung_script.sh
+++ b/ctdb/tests/simple/90_debug_hung_script.sh
@@ -61,9 +61,21 @@ wait_until 60 onnode $test_node test -s "$debug_output"
echo "Checking output of hung script debugging..."
try_command_on_node -v $test_node cat "$debug_output"
+hung_script_output="$out"
+
+# Can we actually read kernel stacks
+if try_command_on_node $test_node "cat /proc/$$/stack >/dev/null 2>&1" ; then
+ stackpat='
+---- Stack trace of interesting process [0-9]*\\[sleep\\] ----
+[<[0-9a-f]*>] .*sleep+.*
+'
+else
+ stackpat=''
+fi
while IFS="" read pattern ; do
- if grep -- "^${pattern}\$" <<<"$out" >/dev/null ; then
+ [ -n "$pattern" ] || continue
+ if grep -- "^${pattern}\$" <<<"$hung_script_output" >/dev/null ; then
printf 'GOOD: output contains "%s"\n' "$pattern"
else
printf 'BAD: output does not contain "%s"\n' "$pattern"
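Review bot: in the readability probe, `$$` sits inside double quotes in `"cat /proc/$$/stack >/dev/null 2>&1"`, so it is expanded by the shell running this test script before try_command_on_node passes the command to $test_node. The path probed is therefore the stack of the test script's own PID, which on a node that is a separate host names either no process or an unrelated one, while the commit message intends "a process on the test node". If the command is run through a shell on the node, single-quoting it so that `$$` is expanded there would probe a process that is guaranteed to exist on that node.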
@@ -75,8 +87,7 @@ done <<EOF
pstree -p -a .*:
00\\\\.test\\\\.script,.*
*\`-sleep,.*
----- Stack trace of interesting process [0-9]*\\\\[sleep\\\\] ----
-[<[0-9a-f]*>] .*sleep+.*
+${stackpat}
---- ctdb scriptstatus monitor: ----
00\\.test *TIMEDOUT.*
*OUTPUT: Sleeping for [0-9]* seconds\\\\.\\\\.\\\\.
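Review bot: when the probe fails, `${stackpat}` expands to an empty line here and both stack-trace patterns are dropped with nothing in the test output to show it. Printing a short notice in the else branch that sets `stackpat=''` would make the reduced coverage visible in the log. The empty line is only harmless because of the `[ -n "$pattern" ] || continue` guard added to the loop in the previous hunk, so a comment tying the two together would stop someone removing the guard later.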
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 9edb6292777..d0cc33b8b05 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -161,6 +161,7 @@ struct smb2cli_session {
uint64_t nonce_low;
uint16_t channel_sequence;
bool replay_active;
+ bool require_signed_response;
};
struct smbXcli_session {
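Review bot: the new `require_signed_response` member of struct smb2cli_session has no comment, and the same name is also added to smbXcli_req_state in the next hunk. A line on each saying which one is the caller-set policy and which one is the per-request copy, and that the flag forces a signature check on responses independently of should_sign, would save the next reader from tracing it through smb2cli_req_create() and smb2cli_conn_dispatch_incoming().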
@@ -289,6 +290,7 @@ struct smbXcli_req_state {
uint64_t encryption_session_id;
bool signing_skipped;
+ bool require_signed_response;
bool notify_async;
bool got_async;
uint16_t cancel_flags;
@@ -2962,6 +2964,8 @@ struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
state->smb2.should_sign = session->smb2->should_sign;
state->smb2.should_encrypt = session->smb2->should_encrypt;
+ state->smb2.require_signed_response =
+ session->smb2->require_signed_response;
if (cmd == SMB2_OP_SESSSETUP &&
session->smb2_channel.signing_key.length == 0 &&
@@ -3749,12 +3753,6 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
}
last_session = session;
- if (state->smb2.should_sign) {
- if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- }
-
if (flags & SMB2_HDR_FLAG_SIGNED) {
uint64_t uid = BVAL(inhdr, SMB2_HDR_SESSION_ID);
@@ -3801,6 +3799,27 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
*/
signing_key = NULL;
}
+
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Only check the signature of the last response
+ * of a successfull session auth. This matches
+ * Windows behaviour for NTLM auth and reauth.
+ */
+ state->smb2.require_signed_response = false;
+ }
+ }
+
+ if (state->smb2.should_sign ||
+ state->smb2.require_signed_response)
+ {
+ if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+
+ if (signing_key == NULL && state->smb2.require_signed_response) {
+ signing_key = &session->smb2_channel.signing_key;
}
if (cur[0].iov_len == SMB2_TF_HDR_SIZE) {
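Review bot: the fallback at the end of this hunk, `signing_key = &session->smb2_channel.signing_key;`, dereferences `session` and takes the channel key with no check visible here that `session` is non-NULL or that the key length is non-zero. Since this path exists to enforce verification, an explicit check that returns an error when no usable key is available would be safer than relying on what the earlier signed-flag block happened to set up. Separately, `state->smb2.require_signed_response = false` is applied for every non-OK status; the comment explains this for intermediate auth legs, but it also means that an unsigned error response is accepted when should_sign is false, and the comment could say that this is intended. The comment has a typo, "successfull".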
@@ -5719,6 +5738,12 @@ void smb2cli_session_stop_replay(struct smbXcli_session *session)
session->smb2->replay_active = false;
}
+void smb2cli_session_require_signed_response(struct smbXcli_session *session,
+ bool require_signed_response)
+{
+ session->smb2->require_signed_response = require_signed_response;
+}
+
NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
const struct iovec *iov)
{
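Review bot: smb2cli_session_require_signed_response() is a new exported function without a doc comment, and its effect is not obvious from the name alone. The flag is sticky on the session until cleared, and smb2cli_req_create() copies it into the request state, so it only affects requests created after the call. Both points belong in a short comment above the function, along with a note that callers are expected to reset it to false once the response they care about has been checked.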
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index 536c7ab60f4..42c2519c7ff 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -492,6 +492,8 @@ uint16_t smb2cli_session_reset_channel_sequence(struct smbXcli_session *session,
uint16_t smb2cli_session_current_channel_sequence(struct smbXcli_session *session);
void smb2cli_session_start_replay(struct smbXcli_session *session);
void smb2cli_session_stop_replay(struct smbXcli_session *session);
+void smb2cli_session_require_signed_response(struct smbXcli_session *session,
+ bool require_signed_response);
NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
const struct iovec *iov);
NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 2763b1bf146..09cd5159a0d 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -458,11 +458,17 @@ for t in tests:
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "simpleserver", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
- elif t == "raw.session" or t == "smb2.session":
+ elif t == "raw.session":
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'plain')
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmpenc -U$USERNAME%$PASSWORD', 'enc')
plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k no -U$USERNAME%$PASSWORD', 'ntlm')
plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k yes -U$USERNAME%$PASSWORD', 'krb5')
+ elif t == "smb2.session":
+ plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'plain')
+ plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmpenc -U$USERNAME%$PASSWORD', 'enc')
+ plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k no -U$USERNAME%$PASSWORD', 'ntlm')
+ plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k yes -U$USERNAME%$PASSWORD', 'krb5')
+ plansmbtorture4testsuite(t, "ad_member", '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5')
elif t == "rpc.lsa":
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ')
plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
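Review bot: the new `elif t == "smb2.session":` branch repeats the four plansmbtorture4testsuite() lines of the `raw.session` branch verbatim and differs only by the added ad_member line. Keeping the shared branch and adding the ad_member plan under an `if t == "smb2.session":` inside it would avoid the two lists drifting apart. A comment on the ad_member line explaining why it uses `$DC_USERNAME@$REALM%$DC_PASSWORD` and why this environment is needed (Kerberos with a server that does not mandate signing, per the commit message) would also help.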
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index fe5835b83f3..5420d4f09bb 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -525,6 +525,10 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
reload_services(smb2req->sconn, conn_snum_used, true);
+ if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
+ smb2req->do_signing = true;
+ }
+
session->status = NT_STATUS_OK;
TALLOC_FREE(session->global->auth_session_info);
session->global->auth_session_info = talloc_move(session->global,
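Review bot: the moved `security_session_user_level(session_info, NULL)` check now depends on running before the talloc_move() a few lines below, but nothing in the code says so. A comment above the `if`, stating that session_info is NULL after the move and that the level check would then always see an anonymous session, would keep a later cleanup from moving the block back down. Using the already stored `session->global->auth_session_info` after the move would be an alternative that removes the ordering dependency altogether.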
@@ -551,10 +555,6 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
conn_clear_vuid_caches(xconn->client->sconn, session->compat->vuid);
- if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
- smb2req->do_signing = true;
- }
-
*out_session_id = session->global->session_wire_id;
return NT_STATUS_OK;
diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index 7dc9ba19ee6..57a5addcfcc 100644
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -1047,6 +1047,7 @@ done:
static bool test_session_expire1i(struct torture_context *tctx,
+ bool force_signing,
bool force_encryption)
{
NTSTATUS status;
@@ -1073,10 +1074,14 @@ static bool test_session_expire1i(struct torture_context *tctx,
torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
"please use -k yes");
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
lpcfg_smbcli_options(tctx->lp_ctx, &options);
- options.signing = SMB_SIGNING_REQUIRED;
+ if (force_signing) {
+ options.signing = SMB_SIGNING_REQUIRED;
+ }
status = smb2_connect(tctx,
host,
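Review bot: with `if (force_signing)` and no else branch, the force_signing=false case leaves `options.signing` at whatever lpcfg_smbcli_options() returned. The new expire1n test is meant to cover the case where neither client nor server requires signing, so it silently turns into a duplicate of expire1s if the client configuration already requires signing. Either set the non-required level explicitly in an else branch or assert that `options.signing` is below SMB_SIGNING_REQUIRED before connecting.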
@@ -1152,12 +1157,20 @@ static bool test_session_expire1i(struct torture_context *tctx,
*/
cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+ if (!force_encryption) {
+ smb2cli_session_require_signed_response(
+ tree->session->smbXcli, true);
+ }
+
torture_comment(tctx, "reauth => OK\n");
status = smb2_session_setup_spnego(tree->session,
credentials,
0 /* previous_session_id */);
torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
"smb2_session_setup_spnego failed");
+
+ smb2cli_session_require_signed_response(
+ tree->session->smbXcli, false);
}
ZERO_STRUCT(qfinfo.access_information.out);
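Review bot: the reset `smb2cli_session_require_signed_response(tree->session->smbXcli, false)` sits after torture_assert_ntstatus_ok_goto(), so when the reauth fails the jump to `done` skips it and the flag stays set on the session. The cleanup at `done` still issues smb2_util_close() on that tree, and an unsigned response to it would then be rejected, which can hide the original failure behind a second one. Resetting the flag before the assert, or again at `done`, avoids that. A comment on why the requirement is skipped for `force_encryption` would also be useful.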
@@ -1167,6 +1180,8 @@ static bool test_session_expire1i(struct torture_context *tctx,
ret = true;
done:
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
if (h1 != NULL) {
smb2_util_close(tree, *h1);
}
@@ -1176,15 +1191,24 @@ done:
return ret;
}
+static bool test_session_expire1n(struct torture_context *tctx)
+{
+ return test_session_expire1i(tctx,
+ false, /* force_signing */
+ false); /* force_encryption */
+}
+
static bool test_session_expire1s(struct torture_context *tctx)
{
return test_session_expire1i(tctx,
+ true, /* force_signing */
false); /* force_encryption */
}
static bool test_session_expire1e(struct torture_context *tctx)
{
return test_session_expire1i(tctx,
+ true, /* force_signing */
true); /* force_encryption */
}
@@ -1236,6 +1260,8 @@ static bool test_session_expire2i(struct torture_context *tctx,
torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
"please use -k yes");
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
lpcfg_smbcli_options(tctx->lp_ctx, &options);
@@ -1547,6 +1573,8 @@ static bool test_session_expire2i(struct torture_context *tctx,
ret = true;
done:
+ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
+
if (h1 != NULL) {
smb2_util_close(tree, *h1);
}
@@ -1721,6 +1749,7 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
torture_suite_add_1smb2_test(suite, "reauth4", test_session_reauth4);
torture_suite_add_1smb2_test(suite, "reauth5", test_session_reauth5);
torture_suite_add_1smb2_test(suite, "reauth6", test_session_reauth6);
+ torture_suite_add_simple_test(suite, "expire1n", test_session_expire1n);
torture_suite_add_simple_test(suite, "expire1s", test_session_expire1s);
torture_suite_add_simple_test(suite, "expire1e", test_session_expire1e);
torture_suite_add_simple_test(suite, "expire2s", test_session_expire2s);
--
Samba Shared Repository