[SCM] Samba Shared Repository - branch master updated

Isaac Boukris iboukris at samba.org
Fri Feb 14 17:14:05 UTC 2020


The branch, master has been updated
       via  f231a072d5c s4-auth: Allow simple bind login of a user with an @ in the samAccountName
       via  8fbdff5c3d7 auth/credentials: Test connecting to LDAP with a "virtual user" style account
      from  7e78d275424 gensec: Fix CID 1458419 Control flow issues (NO_EFFECT)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f231a072d5c09a61e75091c294f722622dcd45da
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Feb 10 11:52:33 2020 +1300

    s4-auth: Allow simple bind login of a user with an @ in the samAccountName
    
    LDAP Simple BIND authentications have already been mapped to a
    DOMAIN\username pair and should not be mapped twice.
    
    This appears to be a regression in 09e24ce40f89ac2f03d0c5fefa8b59f0d113fa6b
    included in Samba 4.7.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13598
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>
    
    Autobuild-User(master): Isaac Boukris <iboukris at samba.org>
    Autobuild-Date(master): Fri Feb 14 17:13:33 UTC 2020 on sn-devel-184

commit 8fbdff5c3d7bc68b4c89ac460914a5d18775244e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Feb 10 11:07:27 2020 +1300

    auth/credentials: Test connecting to LDAP with a "virtual user" style account
    
    This type of account is often used by e-mail hosting platforms
    that do not wish to create an AD domain for each DNS domain that
    they host mail for.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13598
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/tests/bind.py | 52 +++++++++++++++++++++++++++++++++++++++++-
 source4/auth/ntlm/auth_sam.c   | 22 +++++++++++++++++-
 2 files changed, 72 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py
index 79bf93355b1..8bee6f96c62 100755
--- a/auth/credentials/tests/bind.py
+++ b/auth/credentials/tests/bind.py
@@ -14,7 +14,7 @@ from samba.tests.subunitrun import SubunitOptions, TestProgram
 
 import samba.getopt as options
 
-from ldb import SCOPE_BASE, SCOPE_SUBTREE
+from ldb import SCOPE_BASE, SCOPE_SUBTREE, LdbError, ERR_INVALID_CREDENTIALS
 
 from samba import gensec
 import samba.tests
@@ -48,6 +48,7 @@ creds = credopts.get_credentials(lp)
 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
 
 creds_machine = create_credential(lp, creds)
+creds_virtual = create_credential(lp, creds)
 creds_user1 = create_credential(lp, creds)
 creds_user2 = create_credential(lp, creds)
 creds_user3 = create_credential(lp, creds)
@@ -71,13 +72,62 @@ class BindTests(samba.tests.TestCase):
         self.schema_dn = self.info_dc["schemaNamingContext"][0]
         self.domain_dn = self.info_dc["defaultNamingContext"][0]
         self.config_dn = self.info_dc["configurationNamingContext"][0]
+        self.realm = self.info_dc["ldapServiceName"][0].split(b'@')[1].decode('utf-8')
         self.computer_dn = "CN=centos53,CN=Computers,%s" % self.domain_dn
+        self.virtual_user_dn = "CN=frednurk@%s,CN=Computers,%s" % (self.realm, self.domain_dn)
         self.password = "P at ssw0rd"
         self.username = "BindTestUser"
 
     def tearDown(self):
+        delete_force(self.ldb, self.virtual_user_dn)
         super(BindTests, self).tearDown()
 
+    def test_virtual_email_account_style_bind(self):
+        # create a user in the style often deployed for authentication
+        # of virtual email account at a hosting provider
+        #
+        # The userPrincipalName must not match the samAccountName for
+        # this test to detect when the LDAP DN is being double-parsed
+        # but must be in the user at realm style to allow the account to
+        # be created
+        self.ldb.add_ldif("""
+dn: """ + self.virtual_user_dn + """
+cn: frednurk@""" + self.realm + """
+displayName: Fred Nurk
+sAMAccountName: frednurk@""" + self.realm + """
+userPrincipalName: frednurk at NOT.""" + self.realm + """
+countryCode: 0
+objectClass: computer
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+objectClass: user
+""")
+        self.addCleanup(delete_force, self.ldb, self.virtual_user_dn)
+        self.ldb.modify_ldif("""
+dn: """ + self.virtual_user_dn + """
+changetype: modify
+replace: unicodePwd
+unicodePwd:: """ + base64.b64encode(u"\"P at ssw0rd\"".encode('utf-16-le')).decode('utf8') + """
+""")
+
+        self.ldb.enable_account('distinguishedName=%s' % self.virtual_user_dn)
+
+        # do a simple bind and search with the machine account
+        creds_virtual.set_bind_dn(self.virtual_user_dn)
+        creds_virtual.set_password(self.password)
+        print("BindTest with: " + creds_virtual.get_bind_dn())
+        try:
+            ldb_virtual = samba.tests.connect_samdb(host, credentials=creds_virtual,
+                                                    lp=lp, ldap_only=True)
+        except LdbError as e:
+            (num, msg) = e.args
+            if num != ERR_INVALID_CREDENTIALS:
+                raise
+            self.fail(msg)
+
+        res = ldb_virtual.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
+
     def test_computer_account_bind(self):
         # create a computer acocount for the test
         delete_force(self.ldb, self.computer_dn)
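Review bot: The result assigned on the `res = ldb_virtual.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])` line is never checked, so the test only proves that the bind did not raise; an assertion such as `self.assertEqual(len(res), 1)` for the rootDSE search would also catch a connection that is accepted but returns nothing, and it makes the unused `res` meaningful. The comment `# do a simple bind and search with the machine account` was carried over from test_computer_account_bind and should read `# do a simple bind and search with the virtual user account`. Cleanup of the virtual user is registered twice, via `self.addCleanup(delete_force, self.ldb, self.virtual_user_dn)` here and `delete_force(self.ldb, self.virtual_user_dn)` in tearDown; this is harmless with delete_force, but one of the two is redundant. The ` at ` in `P at ssw0rd` and `frednurk at NOT.` appears to be the list archive's address mangling of `@`, so the hunk as displayed is probably not the literal patch text.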
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index fb88cb87f66..70eddc12c53 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -644,7 +644,27 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
 		return NT_STATUS_NO_SUCH_DOMAIN;
 	}
 
-	p = strchr_m(account_name, '@');
+	/*
+	 * If we have not already mapped this user, then now is a good
+	 * time to do so, before we look it up.  We used to do this
+	 * earlier, but in a multi-forest environment we want to do
+	 * this mapping at the final domain.
+	 *
+	 * However, on the flip side we may have already mapped the
+	 * user if this was an LDAP simple bind, in which case we
+	 * really, really want to get back to exactly the same account
+	 * we got the DN for.
+	 */
+	if (user_info->mapped_state == false) {
+		p = strchr_m(account_name, '@');
+	} else {
+		/*
+		 * This is slightly nicer than double-indenting the
+		 * block below
+		 */
+		p = NULL;
+	}
+
 	if (p != NULL) {
 		const char *nt4_domain = NULL;
 		const char *nt4_account = NULL;
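Review bot: The new guard compares a bool against a literal on the `if (user_info->mapped_state == false) {` line, and the if/else exists only to keep `p = NULL` out of a second indent level; both collapse to a single line, `p = user_info->mapped_state ? NULL : strchr_m(account_name, '@');`, which preserves the stated intent without the else block. The comment above it should also state the invariant the fix depends on, since this hunk cannot show it: presumably the LDAP simple-bind path sets `mapped_state` once the DN has been resolved to a DOMAIN\account pair, and a comment such as `/* mapped_state is set by the simple-bind path after the DN was resolved; do not re-split on '@' here or the lookup may land on a different account than the one the DN named */` would make that contract explicit for the next reader. authsam_check_password_internals begins before the hunk and the code that consumes `p` continues after it.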

