[SCM] Samba Shared Repository - branch v4-11-test updated

Karolin Seeger kseeger at samba.org
Tue Feb 11 13:09:02 UTC 2020


The branch, v4-11-test has been updated
       via  70a36a668ca winbindd: handling missing idmap in getgrgid()
       via  f778dc20b5a s3:auth_sam: map an empty domain or '.' to the local SAM name
       via  c880f3539a1 s3:selftest: test authentication with an empty userdomain and upn names
       via  58d1613609c s3:auth_sam: introduce effective_domain helper variables
       via  f8e11e6ca9a s3:auth_sam: make sure we never handle empty usernames
       via  5f8e3650f06 s3:auth_sam: unify the debug messages of all auth_sam*_auth() functions
       via  2db313bdb57 s3:auth_sam: replace confusing FALL_THROUGH; with break;
      from  5f57256cf52 script/release.sh: Don't use quotations any longer.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-test


- Log -----------------------------------------------------------------
commit 70a36a668caf4e3e1dbfb1aad991b13608032a74
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 22 17:00:07 2020 +0000

    winbindd: handling missing idmap in getgrgid()
    
    A similar hunk was added via commit
    89f753c1fc824fef29aebb7d783ab7e09cd1f04e ("winbind: Use xids2sids in getpwuid"),
    but it was missing in commit
    e2dda192e7f8b65a5f02120be56cf0f07d03679f ("winbind: Use xids2sids in getgrgid")
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14265
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Wed Feb  5 17:56:58 UTC 2020 on sn-devel-184
    
    (cherry picked from commit 4d0bda9467ac3f45f85f48a281cdb173ce1064eb)
    
    Autobuild-User(v4-11-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-11-test): Tue Feb 11 13:08:14 UTC 2020 on sn-devel-184

commit f778dc20b5af18b46260bc2f3791605f1874f38b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jan 23 16:21:43 2020 +0100

    s3:auth_sam: map an empty domain or '.' to the local SAM name
    
    When a domain member gets an empty domain name or '.', it should
    not forward the authentication to domain controllers of
    the primary domain.
    
    But we need to keep passing UPN account names with
    an empty domain to the DCs as a domain member.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 590df382bea44eec2dbfd2a28c659b0a29188bca)

commit c880f3539a11ee96235ca1505e3ca6a8a62ba388
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 4 11:32:05 2020 +0100

    s3:selftest: test authentication with an empty userdomain and upn names
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit a9eeea6ef78cc44c8423c7125fa1376921060018)

commit 58d1613609cc4358e822adbe484e8c7d0da770c7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jan 23 16:21:43 2020 +0100

    s3:auth_sam: introduce effective_domain helper variables
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit a63e2a312c761093fedb09bd234b6736485a930a)

commit f8e11e6ca9ace9c1abf2eaa7dd7038852591ea07
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jan 23 16:17:30 2020 +0100

    s3:auth_sam: make sure we never handle empty usernames
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 01b8374e7942141e7f6cbdec7623c981a008e4c1)

commit 5f8e3650f06ff1d768ee2e11515a2051f8febd29
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jan 23 16:13:59 2020 +0100

    s3:auth_sam: unify the debug messages of all auth_sam*_auth() functions
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 72ef8d3a52c1ab07c079a4c014ba8ac7bff528f7)

commit 2db313bdb57acb67733e51021a19bd42d245ea75
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jan 23 15:48:39 2020 +0100

    s3:auth_sam: replace confusing FALL_THROUGH; with break;
    
    There's no real logic change here, but it makes it easier
    to understand.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 85b168c6dac88f5065c0ec6e925937439f2c12ed)

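The routing rule that the f778dc20b5a commit message describes (an empty domain or '.' is the local SAM, a UPN-style name still goes to the DC), modelled in Python as an added illustration. This is not Samba code and not part of this changeset: it reproduces the decision logic of auth_samstrict_auth() as the hunks below read before and after the patch, so the effect on a domain member can be checked on constructed inputs. The NetBIOS name MEMBER1 and workgroup EXAMPLE are made-up stand-ins for lp_netbios_name() and lp_workgroup(), and is_myname() is simplified to a case-insensitive compare with that one name (the real function also matches NetBIOS aliases).

```python
"""Model of the auth_samstrict_auth() routing decision for Samba bug 14247.

Added illustration, not Samba code.  It reproduces the decision logic of
auth_samstrict_auth() before and after the patch so the effect of an empty
domain, a '.' domain and a UPN-style account name can be checked on
constructed inputs.  NETBIOS_NAME and WORKGROUP are made-up values standing
in for lp_netbios_name() and lp_workgroup().
"""
from enum import Enum


class Role(Enum):
    STANDALONE = "standalone"
    DOMAIN_MEMBER = "domain member"
    DOMAIN_DC = "pdc/bdc"


# NOT_IMPLEMENTED is how an auth module declines: the next module in the
# chain is tried, which on a domain member is winbind, i.e. the DC.
# LOCAL_SAM means the password is checked against the local passdb.
NOT_IMPLEMENTED = "NT_STATUS_NOT_IMPLEMENTED"
LOCAL_SAM = "check_sam_security (local SAM)"

NETBIOS_NAME = "MEMBER1"   # assumed lp_netbios_name()
WORKGROUP = "EXAMPLE"      # assumed lp_workgroup()


def is_myname(name, netbios_name=NETBIOS_NAME):
    """Simplified is_myname(): only the host's own NetBIOS name, no aliases."""
    return name.upper() == netbios_name.upper()


def samstrict(role, domain, account, patched=True,
              netbios_name=NETBIOS_NAME, workgroup=WORKGROUP):
    """Decide whether auth_samstrict_auth() handles DOMAIN\\ACCOUNT locally.

    patched=False reproduces the pre-patch behaviour: the supplied domain
    is compared as-is, so "" and "." match nothing local and the request
    falls through to the next module.
    """
    if patched:
        # New guard: an empty or missing account name is never handled here.
        if not account:
            return NOT_IMPLEMENTED
        # New: on a member anything containing '@' is a UPN and goes to the
        # DC, even if the domain part names this host.
        if role is Role.DOMAIN_MEMBER and "@" in account:
            return NOT_IMPLEMENTED
        effective = domain or ""
        if effective in ("", "."):
            # New: empty domain or '.' means the local SAM, not the primary
            # domain, so it must not be forwarded to the DCs.
            effective = netbios_name
    else:
        effective = domain or ""

    is_local_name = is_myname(effective, netbios_name)
    is_my_domain = effective.upper() == workgroup.upper()

    if role in (Role.STANDALONE, Role.DOMAIN_MEMBER):
        # Members and standalone servers only serve their own local names.
        if not is_local_name:
            return NOT_IMPLEMENTED
    elif role is Role.DOMAIN_DC:
        # A DC additionally serves its own domain name.
        if not is_local_name and not is_my_domain:
            return NOT_IMPLEMENTED
    return LOCAL_SAM


def routing_table(role=Role.DOMAIN_MEMBER):
    """Before/after decision for a set of constructed logon names."""
    cases = [("", "alice"), (".", "alice"), ("MEMBER1", "alice"),
             ("EXAMPLE", "alice"), ("", "alice@example.com"),
             ("MEMBER1", "alice@example.com"), ("", "")]
    return [(dom, acct,
             samstrict(role, dom, acct, patched=False),
             samstrict(role, dom, acct, patched=True))
            for dom, acct in cases]


if __name__ == "__main__":
    for dom, acct, before, after in routing_table():
        print(f"[{dom}]\\[{acct}]: before={before}  after={after}")
```

The rows that change are the ones the bug report is about: `[]\[alice]` and `[.]\[alice]` were declined by the local module and forwarded to the DC before, and are now checked against the local SAM; `[MEMBER1]\[alice@example.com]` goes the other way, because a UPN on a member must reach the DC regardless of the domain field.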
-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/auth_log_winbind.py |  4 +-
 selftest/knownfail.d/empty-domain-name |  7 +++
 source3/auth/auth_sam.c                | 83 ++++++++++++++++++++++++++++++----
 source3/selftest/tests.py              |  8 ++++
 source3/winbindd/winbindd_getgrgid.c   |  4 ++
 5 files changed, 95 insertions(+), 11 deletions(-)
 create mode 100644 selftest/knownfail.d/empty-domain-name


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/auth_log_winbind.py b/python/samba/tests/auth_log_winbind.py
index a390197fe7f..6ba8795ae1e 100644
--- a/python/samba/tests/auth_log_winbind.py
+++ b/python/samba/tests/auth_log_winbind.py
@@ -322,7 +322,7 @@ class AuthLogTestsWinbind(AuthLogTestBase, BlackboxTestCase):
         self.assertEquals("unix:", msg["Authentication"]["localAddress"])
         self.assertEquals('', msg["Authentication"]["clientDomain"])
         # This is what the existing winbind implementation returns.
-        self.assertEquals("NT_STATUS_INVALID_HANDLE",
+        self.assertEquals("NT_STATUS_NO_SUCH_USER",
                           msg["Authentication"]["status"])
         self.assertEquals(self.credentials.get_username(),
                           msg["Authentication"]["clientAccount"])
@@ -425,7 +425,7 @@ class AuthLogTestsWinbind(AuthLogTestBase, BlackboxTestCase):
         self.assertEquals("unix:", msg["Authentication"]["localAddress"])
         self.assertEquals('', msg["Authentication"]["clientDomain"])
         # This is what the existing winbind implementation returns.
-        self.assertEquals("NT_STATUS_INVALID_HANDLE",
+        self.assertEquals("NT_STATUS_NO_SUCH_USER",
                           msg["Authentication"]["status"])
         self.assertEquals(self.credentials.get_username(),
                           msg["Authentication"]["clientAccount"])
diff --git a/selftest/knownfail.d/empty-domain-name b/selftest/knownfail.d/empty-domain-name
new file mode 100644
index 00000000000..a1ffcaf7e3c
--- /dev/null
+++ b/selftest/knownfail.d/empty-domain-name
@@ -0,0 +1,7 @@
+^samba3.blackbox.smbclient_auth.empty_domain.domain_creds.smbclient.*as.user.*nt4_member
+^samba3.blackbox.smbclient_auth.empty_domain.domain_creds.smbclient.*as.user.*ad_member
+^samba3.blackbox.smbclient_auth.dot_domain.domain_creds.smbclient.*as.user.*nt4_member
+^samba3.blackbox.smbclient_auth.dot_domain.domain_creds.smbclient.*as.user.*ad_member
+^samba3.blackbox.smbclient_auth.upn.domain_creds.smbclient.*as.*user.*nt4_member
+^samba3.blackbox.smbclient_auth.upn.member_creds.smbclient.*as.*user.*nt4_member
+^samba3.blackbox.smbclient_auth.upn.member_creds.smbclient.*as.*user.*ad_member
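Review bot: the seven new knownfail entries carry no explanation. A leading comment line pointing at bug 14247 and separating the cases that are failures by design (domain_creds with an empty or '.' domain on a member now resolve against the member's local SAM, so DC credentials are expected to be rejected) from the cases that are still open (the upn entries, which per the commit message should reach the DC) would stop this file from masking a later regression; the patterns are also inconsistent (`.*as.user.*` for the first four, `.*as.*user.*` for the upn lines), which looks accidental.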
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 46958c54d3a..cdb8453b311 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -35,6 +35,17 @@ static NTSTATUS auth_sam_ignoredomain_auth(const struct auth_context *auth_conte
 	if (!user_info || !auth_context) {
 		return NT_STATUS_UNSUCCESSFUL;
 	}
+
+	if (user_info->mapped.account_name == NULL ||
+	    user_info->mapped.account_name[0] == '\0')
+	{
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
+		  user_info->mapped.domain_name,
+		  user_info->mapped.account_name);
+
 	return check_sam_security(&auth_context->challenge, mem_ctx,
 				  user_info, server_info);
 }
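Review bot: the new DBG_DEBUG in auth_sam_ignoredomain_auth() passes user_info->mapped.domain_name straight to a %s conversion, while the two sibling functions in this same patch guard that pointer with `if (effective_domain == NULL) effective_domain = "";`, which implies it can be NULL; printing a NULL through %s is undefined behaviour, so apply the same default here before the debug message.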
@@ -66,16 +77,51 @@ static NTSTATUS auth_samstrict_auth(const struct auth_context *auth_context,
 				    const struct auth_usersupplied_info *user_info,
 				    struct auth_serversupplied_info **server_info)
 {
+	const char *effective_domain = user_info->mapped.domain_name;
 	bool is_local_name, is_my_domain;
 
 	if (!user_info || !auth_context) {
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
-	DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
+	if (user_info->mapped.account_name == NULL ||
+	    user_info->mapped.account_name[0] == '\0')
+	{
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	if (lp_server_role() == ROLE_DOMAIN_MEMBER) {
+		const char *p = NULL;
+
+		p = strchr_m(user_info->mapped.account_name, '@');
+		if (p != NULL) {
+			/*
+			 * This needs to go to the DC,
+			 * even if @ is the last character
+			 */
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+	}
+
+	if (effective_domain == NULL) {
+		effective_domain = "";
+	}
+
+	DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
+		  effective_domain,
+		  user_info->mapped.account_name);
+
+
+	if (strequal(effective_domain, "") || strequal(effective_domain, ".")) {
+		/*
+		 * An empty domain name or '.' should be handled
+		 * as the local SAM name.
+		 */
+		effective_domain = lp_netbios_name();
+	}
 
-	is_local_name = is_myname(user_info->mapped.domain_name);
-	is_my_domain  = strequal(user_info->mapped.domain_name, lp_workgroup());
+	is_local_name = is_myname(effective_domain);
+	is_my_domain  = strequal(effective_domain, lp_workgroup());
 
 	/* check whether or not we service this domain/workgroup name */
 
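Review bot: `const char *effective_domain = user_info->mapped.domain_name;` dereferences user_info in the declaration, before the `if (!user_info || !auth_context)` check a few lines below, so that NULL check can no longer protect anything; initialise effective_domain to NULL and assign it after the check. The `strchr_m(user_info->mapped.account_name, '@')` test is also worth a line of comment beyond "This needs to go to the DC": on a member it sends any account containing '@' to the DC even when the domain field names this host, which matches the commit message but is a behaviour change for local accounts whose name contains '@'.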
@@ -84,21 +130,21 @@ static NTSTATUS auth_samstrict_auth(const struct auth_context *auth_context,
 		case ROLE_DOMAIN_MEMBER:
 			if ( !is_local_name ) {
 				DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n",
-					user_info->mapped.domain_name, (lp_server_role() == ROLE_DOMAIN_MEMBER
+					effective_domain, (lp_server_role() == ROLE_DOMAIN_MEMBER
 					? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
 				return NT_STATUS_NOT_IMPLEMENTED;
 			}
 
-			FALL_THROUGH;
+			break;
 		case ROLE_DOMAIN_PDC:
 		case ROLE_DOMAIN_BDC:
 			if ( !is_local_name && !is_my_domain ) {
 				DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n",
-					user_info->mapped.domain_name));
+					effective_domain));
 				return NT_STATUS_NOT_IMPLEMENTED;
 			}
 
-			FALL_THROUGH;
+			break;
 		default: /* name is ok */
 			break;
 	}
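Review bot: the two DEBUG(6) messages in this switch still identify themselves as check_samstrict_security although the function is auth_samstrict_auth(), and they stay on the old DEBUG() macro while the message added above uses DBG_DEBUG(); since this series explicitly unifies the auth_sam*_auth() debug output, convert these two as well. Replacing FALL_THROUGH with break is behaviour-neutral here: the ROLE_DOMAIN_MEMBER case only reaches the PDC/BDC check when is_local_name is true, which makes that check a no-op.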
@@ -135,14 +181,25 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context,
 					const struct auth_usersupplied_info *user_info,
 					struct auth_serversupplied_info **server_info)
 {
+	const char *effective_domain = user_info->mapped.domain_name;
 	bool is_my_domain;
 
 	if (!user_info || !auth_context) {
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
+	if (user_info->mapped.account_name == NULL ||
+	    user_info->mapped.account_name[0] == '\0')
+	{
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
+	if (effective_domain == NULL) {
+		effective_domain = "";
+	}
+
 	DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
-		  user_info->mapped.domain_name,
+		  effective_domain,
 		  user_info->mapped.account_name);
 
 	/* check whether or not we service this domain/workgroup name */
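Review bot: same initialiser ordering problem as in auth_samstrict_auth(): effective_domain is read from user_info->mapped.domain_name in the declaration, before `if (!user_info || !auth_context)`, so move the assignment below the check.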
@@ -156,10 +213,18 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context,
 		return NT_STATUS_INVALID_SERVER_STATE;
 	}
 
+	if (strequal(effective_domain, "") || strequal(effective_domain, ".")) {
+		/*
+		 * An empty domain name or '.' should be handled
+		 * as the local SAM name.
+		 */
+		effective_domain = lp_workgroup();
+	}
+
 	is_my_domain = strequal(user_info->mapped.domain_name, lp_workgroup());
 	if (!is_my_domain) {
 		DBG_INFO("%s is not our domain name (DC for %s)\n",
-			 user_info->mapped.domain_name, lp_workgroup());
+			 effective_domain, lp_workgroup());
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
 
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 93c41ef956d..67e9282459c 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -242,6 +242,14 @@ for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --o
         plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
         plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options])
 
+for env in ["nt4_member", "ad_member"]:
+    plantestsuite("samba3.blackbox.smbclient_auth.empty_domain.domain_creds", env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '/$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
+    plantestsuite("samba3.blackbox.smbclient_auth.empty_domain.member_creds", env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '/$USERNAME', '$PASSWORD', smbclient3, configuration, options])
+    plantestsuite("samba3.blackbox.smbclient_auth.dot_domain.domain_creds", env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', './$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
+    plantestsuite("samba3.blackbox.smbclient_auth.dot_domain.member_creds", env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', './$USERNAME', '$PASSWORD', smbclient3, configuration, options])
+    plantestsuite("samba3.blackbox.smbclient_auth.upn.domain_creds", env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME@$REALM', '$DC_PASSWORD', smbclient3, configuration, options])
+    plantestsuite("samba3.blackbox.smbclient_auth.upn.member_creds", env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$USERNAME@$SERVER', '$PASSWORD', smbclient3, configuration, options])
+
 env = "ad_dc"
 plantestsuite("samba3.blackbox.smbspool", env, [os.path.join(samba3srcdir, "script/tests/test_smbspool.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', env])
 
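Review bot: the six new plantestsuite() calls use `options`, which is not defined in this loop; it is the loop variable of the preceding `for options in [...]` loop and therefore holds whatever value that loop ended on, so the new tests silently run with one unrelated client option set and would change meaning if the earlier loop were reordered or removed. Pass an explicit options string (or an empty one), and if both NTLMv2-off and SPNEGO-off variants are wanted, loop over them the way the block above does and include them in the test name.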
diff --git a/source3/winbindd/winbindd_getgrgid.c b/source3/winbindd/winbindd_getgrgid.c
index aa99e6e2561..24d70161770 100644
--- a/source3/winbindd/winbindd_getgrgid.c
+++ b/source3/winbindd/winbindd_getgrgid.c
@@ -79,6 +79,10 @@ static void winbindd_getgrgid_gid2sid_done(struct tevent_req *subreq)
 	if (tevent_req_nterror(req, status)) {
 		return;
 	}
+	if (is_null_sid(state->sid)) {
+		tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
+		return;
+	}
 
 	subreq = wb_getgrsid_send(state, state->ev, state->sid,
 				  lp_winbind_expand_groups());
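Review bot: the is_null_sid() check sits right after the gid2sid receive has succeeded, which is the right place, and NT_STATUS_NO_SUCH_GROUP mirrors the getpwuid handling the commit message refers to; consider adding a DBG_* line before the return saying that the gid had no SID mapping, since a null SID here means a missing idmap entry and an operator chasing "group not found" errors otherwise gets no hint that idmap, not the directory, is the cause.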


-- 
Samba Shared Repository
