[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Tue Aug 3 11:11:01 UTC 2021
The branch, master has been updated
via 93bac5f1224 winbindd_pam: add NT4 DC handling into winbind_samlogon_retry_loop()
from 23e5b7cc79b s4:torture: Add rpc netlogon fips test
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 93bac5f12240597e1e92291de70a7000a403baca
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Aug 2 14:17:47 2021 +0200
winbindd_pam: add NT4 DC handling into winbind_samlogon_retry_loop()
Handle the case where a NT4 DC does not fill in the acct_flags in
the samlogon reply info3. Yes, in 2021, there are still admins
arround with real NT4 DCs.
NT4 DCs reject authentication with workstation accounts with
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, even if
MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT is specified.
We no longer call dcerpc_samr_QueryUserInfo(level=16)
to get the acct_flags, as we only ever got
ACB_NORMAL back (maybe with ACB_PWNOEXP in addition),
which is easy to calculate on our own.
This was removed in commit (for 4.15.0rc1):
commit 73528f26eea24033a7093e5591b8f89ad2b8644e
Author: Ralph Boehme <slow at samba.org>
AuthorDate: Mon Jan 11 14:59:46 2021 +0100
Commit: Jeremy Allison <jra at samba.org>
CommitDate: Thu Jan 21 22:56:20 2021 +0000
winbind: remove legacy flags fallback
Some very old NT4 DCs might have not returned the account flags filled in. This
shouldn't be a problem anymore. Additionally, on a typical domain member server,
this request is (and can only be) send to the primary domain, so this will not
work with accounts from trusted domains.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Jan 21 22:56:20 UTC 2021 on sn-devel-184
It means one more caller of the problematic cm_connect_sam()
function is removed! SAMR connections may not be allowed for
machine accounts with modern AD DCs.
For network logons NT4 DCs also skip the
account_name, so we have to fallback to the
one given by the client. We have code to cope
with that deeply hidden inside of netsamlogon_cache_store().
Up to Samba 4.7 netsamlogon_cache_store() operated on the
info3 structure that was passed to the caller of winbind_dual_SamLogon()
and pass propagated up to auth_winbind in smbd.
But for Samba 4.8 the following commit:
commit f153c95176b7759e10996b24b66d9917945372ed
Author: Ralph Boehme <slow at samba.org>
Date: Mon Dec 11 16:25:35 2017 +0100
winbindd: let winbind_dual_SamLogon return validation
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
actually changed the situation and only a temporary info3 structure
was passed into netsamlogon_cache_store(), which means
account_name was NULL and get propagated as "" into auth_winbind
in smbd, where getpwnam() is no longer possible and every
smb access gets NT_STATUS_LOGON_FAILURE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14772
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Aug 3 11:10:27 UTC 2021 on sn-devel-184
-----------------------------------------------------------------------
Summary of changes:
source3/winbindd/winbindd_pam.c | 65 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
Changeset truncated at 500 lines:
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index a2bb8816859..ea315aecf6d 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1507,6 +1507,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
enum netr_LogonInfoClass logon_type_n;
uint16_t validation_level = UINT16_MAX;
union netr_Validation *validation = NULL;
+ TALLOC_CTX *base_ctx = NULL;
+ struct netr_SamBaseInfo *base_info = NULL;
do {
struct rpc_pipe_client *netlogon_pipe;
@@ -1713,6 +1715,69 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
return result;
}
+ switch (validation_level) {
+ case 3:
+ base_ctx = validation->sam3;
+ base_info = &validation->sam3->base;
+ break;
+ case 6:
+ base_ctx = validation->sam6;
+ base_info = &validation->sam6->base;
+ break;
+ default:
+ smb_panic(__location__);
+ }
+
+ if (base_info->acct_flags == 0 || base_info->account_name.string == NULL) {
+ struct dom_sid user_sid;
+ struct dom_sid_buf sid_buf;
+ const char *acct_flags_src = "server";
+ const char *acct_name_src = "server";
+
+ /*
+ * Handle the case where a NT4 DC does not fill in the acct_flags in
+ * the samlogon reply info3. Yes, in 2021, there are still admins
+ * arround with real NT4 DCs.
+ *
+ * We used to call dcerpc_samr_QueryUserInfo(level=16) to fetch
+ * acct_flags, but as NT4 DCs reject authentication with workstation
+ * accounts with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, even if
+ * MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT is specified, we only ever got
+ * ACB_NORMAL back (maybe with ACB_PWNOEXP in addition).
+ *
+ * For network logons NT4 DCs also skip the
+ * account_name, so we have to fallback to the
+ * one given by the client.
+ */
+
+ if (base_info->acct_flags == 0) {
+ base_info->acct_flags = ACB_NORMAL;
+ if (base_info->force_password_change == NTTIME_MAX) {
+ base_info->acct_flags |= ACB_PWNOEXP;
+ }
+ acct_flags_src = "calculated";
+ }
+
+ if (base_info->account_name.string == NULL) {
+ base_info->account_name.string = talloc_strdup(base_ctx,
+ username);
+ if (base_info->account_name.string == NULL) {
+ TALLOC_FREE(validation);
+ return NT_STATUS_NO_MEMORY;
+ }
+ acct_name_src = "client";
+ }
+
+ sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
+
+ DBG_DEBUG("Fallback to %s_acct_flags[0x%x] %s_acct_name[%s] for %s\n",
+ acct_flags_src,
+ base_info->acct_flags,
+ acct_name_src,
+ base_info->account_name.string,
+ dom_sid_str_buf(&user_sid, &sid_buf));
+ }
+
*_validation_level = validation_level;
*_validation = validation;
return NT_STATUS_OK;
--
Samba Shared Repository
More information about the samba-cvs
mailing list