[SCM] Samba Shared Repository - branch v4-16-stable updated
Jule Anger
janger at samba.org
Mon Mar 21 12:17:18 UTC 2022
The branch, v4-16-stable has been updated
via e95d85f784a VERSION: Disable GIT_SNAPSHOT for the 4.16.0 release.
via 9fef6aae682 WHATSNEW: Add release notes for Samba 4.16.0.
via 85ce5e7d821 WHATSNEW: Mention our matrix room as well
via 8892af2a092 WHATSNEW: IRC is irc.libera.chat according to https://www.samba.org/samba/irc.html
via e79f04a3179 WHATSNEW for Heimdal upgrade
via f4236271500 WHATSNEW: older SMB1 command removal/simpliciation and deprecation
via 41054b61231 s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()
via 507ececf03d s4-kdc: Handle previously unhandled auth event types
via 9272ec1a245 s3:libads: Fix creating local krb5.conf
via abe01ca6b21 s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string()
via 3c5d0c379d7 s3:libads: Remove obsolete free's of kdc_str
via 3c98408be7d s3:libads: Allocate all memory on the talloc stackframe
via cfbd47d7b48 s3:libads: Use talloc_asprintf_append() in get_kdc_ip_string()
via cce13c772f1 s3:libads: Improve debug messages for get_kdc_ip_string()
via 2599f5313bd s3:libads: Leave early on error in get_kdc_ip_string()
via c20ca210fb8 s3:libads: Remove trailing spaces in kerberos.c
via dd6c50b82ee testprogs: Add test that local krb5.conf has been created
via 34771e19315 s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()
via bf8f8c592b0 s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names
via 7bb17ee5134 auth: let auth logging prefer user_info->orig_client.{account,domain}_name if available
via f4e39095450 s4:auth: rename user_info->mapped_state to user_info->cracknames_called
via 1e617128adb winbindd: don't set mapped_state in winbindd_dual_auth_passdb()
via cd29a661e0f nsswitch: let test_wbinfo.sh also test wbinfo -a $USERNAME@$DOMAIN
via c46c341016d s3:auth: make_user_info_map() should not set mapped_state
via a219a81ff89 s4:auth: fix confusing DEBUG message in authsam_want_check()
via e691165b4de s4:auth: check for user_info->mapped.account_name if it needs to be filled
via 03996701fb5 s4:rpc_server/samr: don't set mapped_state in auth_usersupplied_info for audit logging
via b353567acf0 s4:kdc: don't set mapped_state in auth_usersupplied_info for audit logging
via 20be02ecfde s4:dsdb: don't set mapped_state in auth_usersupplied_info for audit logging
via 7b31dcbd704 s4:smb_server: don't set mapped_state explicitly in auth_usersupplied_info
via 27a8698ced5 auth/ntlmssp: don't set mapped_state explicitly in auth_usersupplied_info
via 6841fdef65b s4:auth: encrypt_user_info() should set password_state instead of mapped_state
via 9898afd747f s4:auth: a simple bind uses the DCs name as workstation
via 80f35f7ab6a s3:rpc_client: let rpccli_netlogon_network_logon() fallback to workstation = lp_netbios_name()
via fcec3b21d9a rodc: Add tests for simple BIND alongside NTLMSSP binds
via 64b2075c119 s4:auth_sam: use USER_INFO_INTERACTIVE_LOGON as inducation for an interactive logon
via cafbb3e7307 s3:auth: let make_user_info_netlogon_interactive() set USER_INFO_INTERACTIVE_LOGON
via d92b46a4c04 dsdb/tests: add test_login_basics_simple()
via 54bb3569e5d dsdb/tests: prepare BasePasswordTestCase for simple bind tests
via 4b245891416 dsdb/tests: introduce assertLoginSuccess
via c35de738dad dsdb/tests: make use of assertLoginFailure helper
via ff7ffbdf612 dsdb/tests: let all BasePasswordTestCase tests provide self.host_url[_ldaps]
via 43c4dc75e21 dsdb/tests: passwords.py don't need to import BasePasswordTestCase
via 528ed90d03a python:tests: let insta_creds() also copy the bind_dn from the template
via 1fcb5ed30f9 s4-kdc: Fix memory leak in FAST cookie handling
via 9d819c9359f third_party/heimdal: import lorikeet-heimdal-202203101710 (commit df8d801544144949931cd742169be1207b239c3d)
via e6196c456c1 selftest: use 'kdc enable fast = no' for fl2000 fl2003
via 46435367394 s4:kdc: make use of the 'kdc enable fast' option
via 9aa78f15fd6 docs-xml: add 'kdc enable fast' option
via 2aa95f78203 third_party/heimdal: import lorikeet-heimdal-202203101709 (commit 47863866da25cc21d292ce335a976b8b33fa1864)
via 8ac427eed2c VERSION: Bump version up to Samba 4.16.0rc6...
from 3a2c1b12f84 VERSION: Disable GIT_SNAPSHOT for the 4.16.0rc5 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 171 +++++++++++++++++----
auth/auth_log.c | 20 ++-
auth/common_auth.h | 4 +-
auth/ntlmssp/ntlmssp_server.c | 1 -
docs-xml/smbdotconf/security/kdcenablefast.xml | 15 ++
lib/param/loadparm.c | 2 +
nsswitch/tests/test_wbinfo.sh | 2 +
python/samba/tests/__init__.py | 4 +
selftest/target/Samba4.pm | 2 +
source3/auth/auth_util.c | 3 +-
source3/libads/kerberos.c | 80 +++++-----
source3/libsmb/libsmb_server.c | 2 +-
source3/param/loadparm.c | 2 +
source3/rpc_client/cli_netlogon.c | 4 +
source3/winbindd/winbindd_pam.c | 3 -
source4/auth/ntlm/auth.c | 7 +-
source4/auth/ntlm/auth_sam.c | 13 +-
source4/auth/ntlm/auth_simple.c | 10 +-
source4/auth/ntlm/auth_util.c | 4 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 1 -
source4/dsdb/tests/python/login_basics.py | 32 ++--
source4/dsdb/tests/python/password_lockout.py | 7 +-
source4/dsdb/tests/python/password_lockout_base.py | 36 ++++-
source4/dsdb/tests/python/passwords.py | 1 -
source4/dsdb/tests/python/rodc_rwdc.py | 63 +++++---
source4/kdc/db-glue.c | 8 +-
source4/kdc/hdb-samba4.c | 49 +++++-
source4/kdc/kdc-heimdal.c | 7 +
source4/kdc/pac-glue.c | 1 +
source4/kdc/samba_kdc.h | 1 +
source4/rpc_server/samr/samr_password.c | 1 -
source4/selftest/tests.py | 5 +-
source4/smb_server/smb/sesssetup.c | 2 -
testprogs/blackbox/test_net_ads.sh | 6 +
third_party/heimdal/.github/workflows/coverity.yml | 68 ++++++++
third_party/heimdal/.github/workflows/linux.yml | 146 ++++++++++++++++++
third_party/heimdal/.github/workflows/osx.yml | 122 +++++++++++++++
.../heimdal/.github/workflows/scanbuild.yml | 67 ++++++++
third_party/heimdal/.github/workflows/valgrind.yml | 71 +++++++++
third_party/heimdal/.github/workflows/windows.yml | 92 +++++++++++
third_party/heimdal/kdc/default_config.c | 9 ++
third_party/heimdal/kdc/fast.c | 3 +
third_party/heimdal/kdc/kdc.h | 1 +
third_party/heimdal/kdc/krb5tgs.c | 3 +
third_party/heimdal/lib/krb5/fast.c | 98 ++++++++++--
third_party/heimdal/lib/krb5/get_cred.c | 76 +++++----
third_party/heimdal/lib/krb5/init_creds_pw.c | 1 -
third_party/heimdal/lib/krb5/krb5.conf.5 | 2 +
third_party/heimdal/lib/krb5/pac.c | 12 +-
third_party/heimdal/tests/gss/check-context.in | 4 -
51 files changed, 1147 insertions(+), 199 deletions(-)
create mode 100644 docs-xml/smbdotconf/security/kdcenablefast.xml
create mode 100644 third_party/heimdal/.github/workflows/coverity.yml
create mode 100644 third_party/heimdal/.github/workflows/linux.yml
create mode 100644 third_party/heimdal/.github/workflows/osx.yml
create mode 100644 third_party/heimdal/.github/workflows/scanbuild.yml
create mode 100644 third_party/heimdal/.github/workflows/valgrind.yml
create mode 100644 third_party/heimdal/.github/workflows/windows.yml
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 762aee3b49c..fb03b0852e9 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=5
+SAMBA_VERSION_RC_RELEASE=
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 83d77b5c028..785650e269f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,16 +1,10 @@
-Release Announcements
-=====================
+ ==============================
+ Release Notes for Samba 4.16.0
+ March 21, 2022
+ ==============================
-This is the fifth release candidate of Samba 4.16. This is *not*
-intended for production environments and is designed for testing
-purposes only. Please report any defects via the Samba bug reporting
-system at https://bugzilla.samba.org/.
-
-Samba 4.16 will be the next version of the Samba suite.
-
-
-UPGRADING
-=========
+This is the first stable release of the Samba 4.16 release series.
+Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
@@ -52,6 +46,46 @@ samba-dcerpcd can also be useful for use outside of the Samba
framework, for example, use with the Linux kernel SMB2 server ksmbd or
possibly other SMB2 server implementations.
+Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support
+------------------------------------------------------------------
+
+Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos
+implementation. This snapshot has now been updated and will closely
+match what will be released as Heimdal 8.0 shortly.
+
+This is a major update, previously we used a snapshot of Heimdal from
+2011, and brings important new Kerberos security features such as
+Kerberos request armoring, known as FAST. This tunnels ticket
+requests and replies that might be encrypted with a weak password
+inside a wrapper built with a stronger password, say from a machine
+account.
+
+In Heimdal and MIT modes Samba's KDC now supports FAST, for the
+support of non-Windows clients.
+
+Windows clients will not use this feature however, as they do not
+attempt to do so against a server not advertising domain Functional
+Level 2012. Samba users are of course free to modify how Samba
+advertises itself, but use with Windows clients is not supported "out
+of the box".
+
+Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of
+the FAST protocol. A future version will align this more closely with
+Microsoft AD behaviour.
+
+If FAST needs to be disabled on your Samba KDC, set
+
+ kdc enable fast = no
+
+in the smb.conf.
+
+The Samba project wishes to thank the numerous developers who have put
+in a massive effort to make this possible over many years. In
+particular we thank Stefan Metzmacher, Joseph Sutton, Gary Lockyer,
+Isaac Boukris and Andrew Bartlett. Samba's developers in turn thank
+their employers and in turn their customers who have supported this
+effort over many years.
+
Certificate Auto Enrollment
---------------------------
@@ -135,21 +169,69 @@ CTDB changes
REMOVED FEATURES
================
-SMB1 CORE and LANMAN1 protocol wildcard copy, unlink and rename removed
-=======================================================================
+Older SMB1 protocol SMBCopy command removed
+-------------------------------------------
+
+SMB is a nearly 30-year old protocol, and some protocol commands that
+while supported in all versions, have not seen widespread use.
+
+One of those is SMBCopy, a feature for a server-side copy of a file.
+This feature has been so unmaintained that Samba has no testsuite for
+it.
+
+The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was
+introduced in the LAN Manager 1.0 dialect and it was rendered obsolete
+in the NT LAN Manager dialect.
+
+Therefore it has been removed from the Samba smbd server.
+
+We do note that a fully supported and tested server-side copy is
+present in SMB2, and can be accessed with "scopy" subcommand in
+smbclient)
+
+SMB1 server-side wildcard expansion removed
+-------------------------------------------
+
+Server-side wildcard expansion is another feature that sounds useful,
+but is also rarely used and has become problematic - imposing extra
+work on the server (both in terms of code and CPU time).
-In preparation for the removal of the SMB1 server, the unused
-SMB1 command SMB_COM_COPY (SMB1 command number 0x29) has been
-removed from the Samba smbd server. In addition, the ability
-to process file name wildcards in requests using the SMB1 commands
-SMB_COM_COPY (SMB1 command number 0x2A), SMB_COM_RENAME (SMB1 command
-number 0x7), SMB_COM_NT_RENAME (SMB1 command number 0xA5) and
-SMB_COM_DELETE (SMB1 command number 0x6) have been removed.
+In actual OS design, wildcard expansion is handled in the local shell,
+not at the remote server using SMB wildcard syntax (which is not shell
+syntax).
-This only affects clients using MS-DOS based versions of
-SMB1, the last release of which was Windows 98. Users requiring
-support for these features will need to use older versions
-of Samba.
+In Samba 4.16 the ability to process file name wildcards in requests
+using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7),
+SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1
+command number 0x6) has been removed.
+
+SMB1 protocol has been deprecated, particularly older dialects
+--------------------------------------------------------------
+
+We take this opportunity to remind that we have deprecated and
+disabled by default, but not removed, the whole SMB1 protocol since
+Samba 4.11. If needed for security purposes or code maintenance we
+will continue to remove older protocol commands and dialects that are
+unused or have been replaced in more modern SMB1 versions.
+
+We specifically deprecate the older dialects older than "NT LM 0.12"
+(also known as "NT LANMAN 1.0" and "NT1").
+
+Please note that "NT LM 0.12" is the dialect used by software as old
+as Windows 95, Windows NT and Samba 2.0, so this deprecation applies
+to DOS and similar era clients.
+
+We do reassure that that 'simple' operation of older clients than
+these (eg DOS) will, while untested, continue for the near future, our
+purpose is not to cripple use of Samba in unique situations, but to
+reduce the maintaince burden.
+
+Eventually SMB1 as a whole will be removed, but no broader change is
+announced for 4.16.
+
+In the rare case where the above changes cause incompatibilities,
+users requiring support for these features will need to use older
+versions of Samba.
No longer using Linux mandatory locks for sharemodes
====================================================
@@ -174,6 +256,42 @@ smb.conf changes
rpc start on demand helpers Added true
+CHANGES SINCE 4.16.0rc5
+=======================
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 15000: Memory leak in FAST cookie handling.
+
+o Elia Geretto <elia.f.geretto at gmail.com>
+ * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES
+ in SMBC_server_internal.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
+ users).
+ * BUG 14641: Crash of winbind on RODC.
+ * BUG 15001: LDAP simple binds should honour "old password allowed period".
+ * BUG 15002: S4U2Self requests don't work against servers without FAST
+ support.
+ * BUG 15003: wbinfo -a doesn't work reliable with upn names.
+ * BUG 15005: A cross-realm kerberos client exchanges fail using KDCs with and
+ without FAST.
+ * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 =>
+ INTERNAL_ERROR.
+
+o Garming Sam <garming at catalyst.net.nz>
+ * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
+ users).
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 15016: Regression: create krb5 conf = yes doesn't work with a single
+ KDC.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 15015: PKINIT: hdb_samba4_audit: Unhandled hdb_auth_status=9 =>
+ INTERNAL_ERROR.
+
+
CHANGES SINCE 4.16.0rc4
=======================
@@ -292,7 +410,8 @@ Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.freenode.net.
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
diff --git a/auth/auth_log.c b/auth/auth_log.c
index 60bc6334591..dc1cea12390 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -152,6 +152,12 @@ static void log_authentication_event_json(
char negotiate_flags[11];
char logon_id[19];
int rc = 0;
+ const char *clientDomain = ui->orig_client.domain_name ?
+ ui->orig_client.domain_name :
+ ui->client.domain_name;
+ const char *clientAccount = ui->orig_client.account_name ?
+ ui->orig_client.account_name :
+ ui->client.account_name;
authentication = json_new_object();
if (json_is_invalid(&authentication)) {
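Review bot: The two fallbacks added at the top of log_authentication_event_json() are evaluated per field, so a record in which only one of `ui->orig_client.domain_name` and `ui->orig_client.account_name` is set would pair an original domain with a non-original account (or the reverse) in the audit log. If the two fields are always filled together, a comment saying so is enough, for example `/* orig_client.{account,domain}_name are set as a pair or both NULL */`; otherwise consider taking both names from the same struct. The same six lines are repeated in log_authentication_event_human_readable() (the `@@ -594,6 +600,12 @@` hunk), so a small static helper would keep the JSON and text records from drifting apart. Both function bodies continue outside their hunks.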
@@ -203,12 +209,12 @@ static void log_authentication_event_json(
goto failure;
}
rc = json_add_string(
- &authentication, "clientDomain", ui->client.domain_name);
+ &authentication, "clientDomain", clientDomain);
if (rc != 0) {
goto failure;
}
rc = json_add_string(
- &authentication, "clientAccount", ui->client.account_name);
+ &authentication, "clientAccount", clientAccount);
if (rc != 0) {
goto failure;
}
@@ -594,6 +600,12 @@ static void log_authentication_event_human_readable(
char *trust_account_name = NULL;
char *logon_line = NULL;
const char *password_type = NULL;
+ const char *clientDomain = ui->orig_client.domain_name ?
+ ui->orig_client.domain_name :
+ ui->client.domain_name;
+ const char *clientAccount = ui->orig_client.account_name ?
+ ui->orig_client.account_name :
+ ui->client.account_name;
frame = talloc_stackframe();
@@ -640,8 +652,8 @@ static void log_authentication_event_human_readable(
" %s\n",
ui->service_description,
ui->auth_description,
- log_escape(frame, ui->client.domain_name),
- log_escape(frame, ui->client.account_name),
+ log_escape(frame, clientDomain),
+ log_escape(frame, clientAccount),
ts,
password_type,
nt_errstr(status),
diff --git a/auth/common_auth.h b/auth/common_auth.h
index 0452c673ebc..d922b66ab4d 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -49,14 +49,14 @@ struct auth_usersupplied_info
uint32_t logon_parameters;
- bool mapped_state;
+ bool cracknames_called;
bool was_mapped;
uint64_t logon_id;
/* the values the client gives us */
struct {
const char *account_name;
const char *domain_name;
- } client, mapped;
+ } client, mapped, orig_client;
enum auth_password_state password_state;
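Review bot: The new `orig_client` member is declared under the existing comment `/* the values the client gives us */`, which now covers three structs with different provenance and does not let a reader tell `client` from `orig_client`. The auth logging code prefers `orig_client` whenever it is non-NULL, so a per-member comment would help, for example `/* orig_client: names as originally presented, before any mapping; NULL when not recorded */`, with the wording confirmed against the code that fills it. `cracknames_called` also replaces `mapped_state` without a comment on who sets it and what it implies for `mapped`. The struct definition starts and ends outside this hunk.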
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index ce78af1d32d..e077c2f7379 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -771,7 +771,6 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
user_info->flags = 0;
- user_info->mapped_state = false;
user_info->client.account_name = ntlmssp_state->user;
user_info->client.domain_name = ntlmssp_state->domain;
user_info->workstation_name = ntlmssp_state->client.netbios_name;
diff --git a/docs-xml/smbdotconf/security/kdcenablefast.xml b/docs-xml/smbdotconf/security/kdcenablefast.xml
new file mode 100644
index 00000000000..e47ca3b0bd4
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcenablefast.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="kdc enable fast"
+ type="boolean"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>With the Samba 4.16 the embedded Heimdal KDC brings
+ support for RFC6113 FAST, which wasn't available in
+ older Samba versions.</para>
+
+ <para>This option is mostly for testing and currently only applies
+ if the embedded Heimdal KDC is used.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index cae763b44ea..d6d845391e6 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2695,6 +2695,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "krb5 port", "88");
lpcfg_do_global_parameter(lp_ctx, "kpasswd port", "464");
+ lpcfg_do_global_parameter(lp_ctx, "kdc enable fast", "True");
+
lpcfg_do_global_parameter(lp_ctx, "nt status support", "True");
lpcfg_do_global_parameter(lp_ctx, "max wins ttl", "518400"); /* 6 days */
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index 2ac83828a0e..198918494cf 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -294,6 +294,8 @@ testit "wbinfo --user-sids against $TARGET" $wbinfo --user-sids $admin_sid || fa
testit "wbinfo -a against $TARGET with domain creds" $wbinfo -a "$DOMAIN/$USERNAME"%"$PASSWORD" || failed=`expr $failed + 1`
+testit "wbinfo -a against $TARGET with domain upn creds" $wbinfo -a "$USERNAME@$DOMAIN"%"$PASSWORD" || failed=$(expr $failed + 1)
+
testit "wbinfo --getdcname against $TARGET" $wbinfo --getdcname=$DOMAIN
testit "wbinfo -p against $TARGET" $wbinfo -p || failed=`expr $failed + 1`
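Review bot: The added test is labelled "domain upn creds" but builds the principal as `$USERNAME@$DOMAIN`. If `$DOMAIN` holds the NetBIOS domain name here (it is used as `$DOMAIN/$USERNAME` on the line above), this covers the user@NETBIOSDOMAIN form rather than a UPN with the DNS realm. If the script has the realm available, a second case using it would cover the real UPN form too; otherwise the label could say what is actually tested. As a minor style point, the new line uses `$(expr ...)` while its neighbours use backticks.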
diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py
index 6d4993ac255..3bb7995052c 100644
--- a/python/samba/tests/__init__.py
+++ b/python/samba/tests/__init__.py
@@ -171,6 +171,8 @@ class TestCase(unittest.TestCase):
username = template.get_username()
userpass = template.get_password()
+ simple_bind_dn = template.get_bind_dn()
+
if kerberos_state is None:
kerberos_state = template.get_kerberos_state()
@@ -184,6 +186,8 @@ class TestCase(unittest.TestCase):
c.set_gensec_features(c.get_gensec_features()
| gensec.FEATURE_SEAL)
c.set_kerberos_state(kerberos_state)
+ if simple_bind_dn:
+ c.set_bind_dn(simple_bind_dn)
return c
def assertStringsEqual(self, a, b, msg=None, strip=False):
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index da6b2de488b..4c263f55de4 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1655,6 +1655,7 @@ sub provision_fl2000dc($$)
print "PROVISIONING DC WITH FOREST LEVEL 2000...\n";
my $extra_conf_options = "
+ kdc enable fast = no
spnego:simulate_w2k=yes
ntlmssp_server:force_old_spnego=yes
";
@@ -1698,6 +1699,7 @@ sub provision_fl2003dc($$$)
print "PROVISIONING DC WITH FOREST LEVEL 2003...\n";
my $extra_conf_options = "allow dns updates = nonsecure and secure
+ kdc enable fast = no
dcesrv:header signing = no
dcesrv:max auth states = 0
dns forwarder = $ip_addr1 [$ip_addr2]:54";
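Review bot: `kdc enable fast = no` is added to the fl2003dc options here, and to fl2000dc in the previous hunk, with no indication of why these two targets turn FAST off. A Perl comment above each `my $extra_conf_options` would record the intent, for example `# FAST disabled so tests against this DC cover KDCs without armoring support`. That wording is inferred from the S4U2Self and cross-realm fixes in the release notes, so it needs confirming. Without such a comment, a later cleanup could drop the line and silently lose coverage of the non-FAST path. Both subs continue outside their hunks.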
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 28850cd8520..b60dd2647c8 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -137,8 +137,6 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
lm_interactive_pwd, nt_interactive_pwd,
plaintext, password_state);
if (NT_STATUS_IS_OK(result)) {
- /* We have tried mapping */
- (*user_info)->mapped_state = true;
/* did we actually map the user to a different name? */
(*user_info)->was_mapped = was_mapped;
}
@@ -265,6 +263,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
if (NT_STATUS_IS_OK(nt_status)) {
(*user_info)->logon_parameters = logon_parameters;
+ (*user_info)->flags |= USER_INFO_INTERACTIVE_LOGON;
}
ret = NT_STATUS_IS_OK(nt_status) ? true : false;
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 75beeef4a44..3fd86e87064 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -1,4 +1,4 @@
-/*
+/*
Unix SMB/CIFS implementation.
kerberos utility library
Copyright (C) Andrew Tridgell 2001
@@ -37,11 +37,11 @@
#define LIBADS_CCACHE_NAME "MEMORY:libads"
/*
- we use a prompter to avoid a crash bug in the kerberos libs when
+ we use a prompter to avoid a crash bug in the kerberos libs when
dealing with empty passwords
this prompter is just a string copy ...
*/
-static krb5_error_code
+static krb5_error_code
kerb_prompter(krb5_context ctx, void *data,
const char *name,
const char *banner,
@@ -192,7 +192,7 @@ int kerberos_kinit_password_ext(const char *given_principal,
krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
}
- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
+ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
kerb_prompter, discard_const_p(char, password),
0, NULL, opt))) {
goto out;
@@ -299,7 +299,7 @@ int ads_kdestroy(const char *cc_name)
}
if ((code = krb5_cc_destroy (ctx, cc))) {
- DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
+ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
error_message(code)));
}
@@ -348,10 +348,10 @@ int kerberos_kinit_password(const char *principal,
int time_offset,
const char *cache_name)
{
- return kerberos_kinit_password_ext(principal,
- password,
- time_offset,
- 0,
+ return kerberos_kinit_password_ext(principal,
+ password,
+ time_offset,
+ 0,
0,
cache_name,
False,
@@ -434,17 +434,25 @@ static char *get_kdc_ip_string(char *mem_ctx,
struct netlogon_samlogon_response **responses = NULL;
NTSTATUS status;
bool ok;
- char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "",
- print_canonical_sockaddr_with_port(mem_ctx, pss));
+ char *kdc_str = NULL;
+ char *canon_sockaddr = NULL;
+
+ SMB_ASSERT(pss != NULL);
+
+ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
+ if (canon_sockaddr == NULL) {
+ goto out;
+ }
+ kdc_str = talloc_asprintf(frame,
+ "\t\tkdc = %s\n",
+ canon_sockaddr);
if (kdc_str == NULL) {
- TALLOC_FREE(frame);
--
Samba Shared Repository