[SCM] Samba Shared Repository - branch v4-10-test updated
Karolin Seeger
kseeger at samba.org
Wed Apr 10 14:22:02 UTC 2019
The branch, v4-10-test has been updated
via dda1c48a47c py/provision: fix for Python 2.6
via bdf59b416d2 s3-libnet_join: allow fallback to NTLMSSP auth in libnet_join
via f85efe206f9 s3-libnet_join: setup libnet join error string when AD connect fails
via 05709dbaf2d s3-libnet_join: always pass down admin domain to ads layer
via 837a141a4d9 s3:ldap: Leave add machine code early for pre-existing accounts
via 78f308084f5 s3:libads: Make sure we can lookup KDCs which are not configured
via bd573b37c60 s3:libnet: Use more secure name for the JOIN krb5.conf
via 936594d66b7 auth:creds: Prefer the principal over DOMAIN/username when using NTLM
via 0b00c7a2d0a auth:ntlmssp: Add back CRAP ndr debug output
via 2e96408eac8 s3:libnet: Fix debug message in libnet_DomainJoin()
via 461090e0a12 s3:libsmb: Add some useful debug output to cliconnect
via ada3417c5cb s3:libads: Print more information when LDAP fails
via 54571d3325f docs: Update smbclient manpage for --max-protocol
from cf323d769f0 VERSION: Bump version up to 4.10.3.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-test
- Log -----------------------------------------------------------------
commit dda1c48a47cd6a26757c8839dbbc4bbeb25d65a0
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Apr 4 10:43:30 2019 +1300
py/provision: fix for Python 2.6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13882
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Wed Apr 10 14:21:16 UTC 2019 on sn-devel-144
commit bdf59b416d224ef91696e98ac17348a8a6a5a5cd
Author: Günther Deschner <gd at samba.org>
Date: Tue Apr 2 13:16:55 2019 +0200
s3-libnet_join: allow fallback to NTLMSSP auth in libnet_join
When a non-DNS and non-default admin domain is provided during the join
sometimes we might not be able to kinit with 'user at SHORTDOMAINNAME'
(e.g. when the winbind krb5 locator is not installed). In that case lets
fallback to NTLMSSP, like we do in winbind.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Apr 3 18:57:31 UTC 2019 on sn-devel-144
(cherry picked from commit 377d27359ccdb8f2680fda36ca388f44456590e5)
commit f85efe206f9b192a7365ec7ada5e17c7c8655f49
Author: Günther Deschner <gd at samba.org>
Date: Tue Apr 2 13:16:11 2019 +0200
s3-libnet_join: setup libnet join error string when AD connect fails
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 68121f46c74df9cef7a377040d01ba75cdcf5a26)
commit 05709dbaf2d80f4c2d8a8931655e63b20e216c2a
Author: Günther Deschner <gd at samba.org>
Date: Tue Apr 2 13:14:06 2019 +0200
s3-libnet_join: always pass down admin domain to ads layer
Otherwise we could loose the information that a non-default domain name
has been used for admin creds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ea29aa27cbac4253ee1701fed99a3e0811f7475d)
commit 837a141a4d9cebfe0ce29bf3673333ca622fcd24
Author: Guenther Deschner <gd at samba.org>
Date: Mon Apr 1 17:40:03 2019 +0200
s3:ldap: Leave add machine code early for pre-existing accounts
This avoids numerous LDAP constraint violation errors when we try to
re-precreate an already existing machine account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68)
commit 78f308084f5d762be88374adf784c0ac6d0ad847
Author: Andreas Schneider <asn at samba.org>
Date: Mon Apr 1 16:47:26 2019 +0200
s3:libads: Make sure we can lookup KDCs which are not configured
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Guenther Deschner <gd at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6)
commit bd573b37c606ae12e34992431e745329cee3e1f2
Author: Andreas Schneider <asn at samba.org>
Date: Mon Apr 1 16:39:45 2019 +0200
s3:libnet: Use more secure name for the JOIN krb5.conf
Currently we create krb5.conf..JOIN, use krb5.conf._JOIN_ instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b7f0c64514a28cfb5d2cdee683c18943b97ea753)
commit 936594d66b75c71ec61c11b4e4484a74a5a694d7
Author: Andreas Schneider <asn at samba.org>
Date: Mon Apr 1 15:59:10 2019 +0200
auth:creds: Prefer the principal over DOMAIN/username when using NTLM
If we want to authenticate using -Wadmin at otherdomain the DC should do
take care of the authentication with the right DC for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Guenther Deschner <gd at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3)
commit 0b00c7a2d0aa4607bc871f7daad23f7d3b9125f0
Author: Guenther Deschner <gd at samba.org>
Date: Wed Mar 27 17:51:04 2019 +0100
auth:ntlmssp: Add back CRAP ndr debug output
This got lost somehow during refactoring. This is still viable
information when trying to figure out what is going wrong when
authenticating a user over NTLMSSP.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7)
commit 2e96408eac8e5e9d8420b3dc0c603fa7109519bd
Author: Guenther Deschner <gd at samba.org>
Date: Mon Apr 1 17:46:39 2019 +0200
s3:libnet: Fix debug message in libnet_DomainJoin()
A newline is missing but also use DBG_INFO macro and cleanup spelling.
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3a33c360071bb7cada58f1f71ccd8949fda70662)
commit 461090e0a12b0f9849d19da7b76f214fe044cfdf
Author: Andreas Schneider <asn at samba.org>
Date: Wed Mar 27 16:45:39 2019 +0100
s3:libsmb: Add some useful debug output to cliconnect
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 011a47f04dabe22095a30d284662d8ca50463ee8)
commit ada3417c5cb3b40f47ca963c8d7844f9fadc81f0
Author: Andreas Schneider <asn at samba.org>
Date: Fri Mar 29 11:34:53 2019 +0100
s3:libads: Print more information when LDAP fails
Currently we just get an error but don't know what exactly we tried to
do in 'net ads join -d10'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5)
commit 54571d3325fbdf4eff5f2f5d8c38bfd929f48b19
Author: Andreas Schneider <asn at samba.org>
Date: Fri Mar 22 14:39:11 2019 +0100
docs: Update smbclient manpage for --max-protocol
We default to SMB3 now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13857
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 63084375e3c536f22f65e7b7796d114fa8c804c9)
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials.c | 2 +-
auth/ntlmssp/ntlmssp_client.c | 32 ++++++++++++++++++++++++++++++++
docs-xml/manpages/smbclient.1.xml | 6 +++---
python/samba/provision/__init__.py | 2 +-
source3/libads/kerberos.c | 12 ++++++++++--
source3/libads/ldap.c | 22 +++++++++++++++++++---
source3/libnet/libnet_join.c | 29 ++++++++++++++++++++++++-----
source3/libsmb/cliconnect.c | 13 +++++++++++++
8 files changed, 103 insertions(+), 15 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 4663185c979..7ef58d0752c 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -1115,7 +1115,7 @@ _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *c
const char **username,
const char **domain)
{
- if (cred->principal_obtained > cred->username_obtained) {
+ if (cred->principal_obtained >= cred->username_obtained) {
*domain = talloc_strdup(mem_ctx, "");
*username = cli_credentials_get_principal(cred, mem_ctx);
} else {
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index ab406a2c5be..8e49dcee5ea 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -342,6 +342,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
}
}
+ if (DEBUGLEVEL >= 10) {
+ struct CHALLENGE_MESSAGE *challenge =
+ talloc(ntlmssp_state, struct CHALLENGE_MESSAGE);
+ if (challenge != NULL) {
+ NTSTATUS status;
+ challenge->NegotiateFlags = chal_flags;
+ status = ntlmssp_pull_CHALLENGE_MESSAGE(
+ &in, challenge, challenge);
+ if (NT_STATUS_IS_OK(status)) {
+ NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
+ challenge);
+ }
+ TALLOC_FREE(challenge);
+ }
+ }
+
if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
ntlmssp_state->server.is_standalone = true;
} else {
@@ -702,6 +718,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
return nt_status;
}
+ if (DEBUGLEVEL >= 10) {
+ struct AUTHENTICATE_MESSAGE *authenticate =
+ talloc(ntlmssp_state, struct AUTHENTICATE_MESSAGE);
+ if (authenticate != NULL) {
+ NTSTATUS status;
+ authenticate->NegotiateFlags = ntlmssp_state->neg_flags;
+ status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
+ out, authenticate, authenticate);
+ if (NT_STATUS_IS_OK(status)) {
+ NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
+ authenticate);
+ }
+ TALLOC_FREE(authenticate);
+ }
+ }
+
/*
* We always include the MIC, even without:
* av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE;
diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml
index e71a21a95e3..e25f7d3517b 100644
--- a/docs-xml/manpages/smbclient.1.xml
+++ b/docs-xml/manpages/smbclient.1.xml
@@ -261,9 +261,9 @@
<listitem><para>This allows the user to select the
highest SMB protocol level that smbclient will use to
connect to the server. By default this is set to
- NT1, which is the highest available SMB1 protocol.
- To connect using SMB2 or SMB3 protocol, use the
- strings SMB2 or SMB3 respectively. Note that to connect
+ highest available SMB3 protocol version.
+ To connect using SMB2 or SMB1 protocol, use the
+ strings SMB2 or NT1 respectively. Note that to connect
to a Windows 2012 server with encrypted transport selecting
a max-protocol of SMB3 is required.
</para></listitem>
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 1b7762eb12b..aa9ffc168b2 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1701,7 +1701,7 @@ def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain,
# use admin sid dn as user dn, since admin should own most of the files,
# the operation will be much faster
- userdn = '<SID={}-{}>'.format(domainsid, security.DOMAIN_RID_ADMINISTRATOR)
+ userdn = '<SID={0}-{1}>'.format(domainsid, security.DOMAIN_RID_ADMINISTRATOR)
flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS |
auth.AUTH_SESSION_INFO_AUTHENTICATED |
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index c8aa9191c7e..721c3c2a929 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -677,11 +677,19 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
}
#endif
+ /*
+ * We are setting 'dns_lookup_kdc' to true, because we want to lookup
+ * KDCs which are not configured via DNS SRV records, eg. if we do:
+ *
+ * net ads join -Uadmin at otherdomain
+ */
file_contents =
talloc_asprintf(fname,
- "[libdefaults]\n\tdefault_realm = %s\n"
+ "[libdefaults]\n"
+ "\tdefault_realm = %s\n"
"%s"
- "\tdns_lookup_realm = false\n\n"
+ "\tdns_lookup_realm = false\n"
+ "\tdns_lookup_kdc = true\n\n"
"[realms]\n\t%s = {\n"
"%s\t}\n"
"%s\n",
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 6b5f271272a..112100b0536 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1521,8 +1521,10 @@ static void ads_print_error(int ret, LDAP *ld)
if (ret != 0) {
char *ld_error = NULL;
ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
- DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret,
- ldap_err2string(ret), ld_error));
+ DBG_ERR("AD LDAP ERROR: %d (%s): %s\n",
+ ret,
+ ldap_err2string(ret),
+ ld_error);
SAFE_FREE(ld_error);
}
}
@@ -1549,6 +1551,8 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
(char) 1};
LDAPControl *controls[2];
+ DBG_INFO("AD LDAP: Modifying %s\n", mod_dn);
+
controls[0] = &PermitModify;
controls[1] = NULL;
@@ -1580,6 +1584,8 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
char *utf8_dn = NULL;
size_t converted_size;
+ DBG_INFO("AD LDAP: Adding %s\n", new_dn);
+
if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) {
DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!"));
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
@@ -1612,6 +1618,8 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
+ DBG_INFO("AD LDAP: Deleting %s\n", del_dn);
+
ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
ads_print_error(ret, ads->ldap.ld);
TALLOC_FREE(utf8_dn);
@@ -2112,6 +2120,15 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
goto done;
}
+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
+ ads_msgfree(ads, res);
+ if (ADS_ERR_OK(ret)) {
+ DBG_DEBUG("Host account for %s already exists.\n",
+ machine_escaped);
+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
+ goto done;
+ }
+
new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
@@ -2147,7 +2164,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
done:
SAFE_FREE(machine_escaped);
- ads_msgfree(ads, res);
talloc_destroy(ctx);
return ret;
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 27fc5135442..b876d7ea89f 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -145,6 +145,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+
if (user_name) {
SAFE_FREE(my_ads->auth.user_name);
my_ads->auth.user_name = SMB_STRDUP(user_name);
@@ -205,7 +207,19 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
password = r->in.machine_password;
ccname = "MEMORY:libnet_join_machine_creds";
} else {
+ char *p = NULL;
+
username = r->in.admin_account;
+
+ p = strchr(r->in.admin_account, '@');
+ if (p == NULL) {
+ username = talloc_asprintf(mem_ctx, "%s@%s",
+ r->in.admin_account,
+ r->in.admin_domain);
+ }
+ if (username == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
password = r->in.admin_password;
/*
@@ -2598,12 +2612,14 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
}
/* The domain parameter is only used as modifier
- * to krb5.conf file name. .JOIN is is not a valid
+ * to krb5.conf file name. _JOIN_ is is not a valid
* NetBIOS name so it cannot clash with another domain
* -- Uri.
*/
- create_local_private_krb5_conf_for_domain(
- pre_connect_realm, ".JOIN", sitename, &ss);
+ create_local_private_krb5_conf_for_domain(pre_connect_realm,
+ "_JOIN_",
+ sitename,
+ &ss);
}
status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
@@ -2641,6 +2657,9 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
ads_status = libnet_join_connect_ads_user(mem_ctx, r);
if (!ADS_ERR_OK(ads_status)) {
+ libnet_join_set_error_string(mem_ctx, r,
+ "failed to connect to AD: %s",
+ ads_errstr(ads_status));
return WERR_NERR_DEFAULTJOINREQUIRED;
}
@@ -2664,8 +2683,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
return WERR_NERR_DEFAULTJOINREQUIRED;
}
- DEBUG(5, ("failed to precreate account in ou %s: %s",
- r->in.account_ou, ads_errstr(ads_status)));
+ DBG_INFO("Failed to pre-create account in OU %s: %s\n",
+ r->in.account_ou, ads_errstr(ads_status));
}
rpc_join:
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 0a54d47227a..c416d10fa24 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -346,6 +346,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
return NT_STATUS_OK;
}
+ DBG_INFO("Doing kinit for %s to access %s\n",
+ user_principal, target_hostname);
/*
* TODO: This should be done within the gensec layer
@@ -375,6 +377,11 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
*/
}
+ DBG_DEBUG("Successfully authenticated as %s to access %s using "
+ "Kerberos\n",
+ user_principal,
+ target_hostname);
+
TALLOC_FREE(frame);
return NT_STATUS_OK;
}
@@ -1294,6 +1301,10 @@ static struct tevent_req *cli_session_setup_spnego_send(
return tevent_req_post(req, ev);
}
+ DBG_INFO("Connect to %s as %s using SPNEGO\n",
+ target_hostname,
+ cli_credentials_get_principal(creds, talloc_tos()));
+
subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
target_service, target_hostname);
if (tevent_req_nomem(subreq, req)) {
@@ -1497,6 +1508,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
+ DBG_INFO("Connect to %s as %s using NTLM\n", domain, username);
+
if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
bool use_unicode = smbXcli_conn_use_unicode(cli->conn);
uint8_t *bytes = NULL;
--
Samba Shared Repository
More information about the samba-cvs
mailing list