[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Tue Apr 23 15:22:02 UTC 2024
The branch, master has been updated
via 2674df4cc0e s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed
via aff2932c420 python/samba/getopt: don't prompt for a password for --use-krb5-ccache=...
via 0ba9e5dacbb lib/cmdline: only call cli_credentials_get_password_and_obtained if needed
via 994e12e8f7a lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_REASON_POST
via e2170431f1d s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds()
via 5af5bf26457 auth/credentials: don't call talloc_free(ccache_name) on caller's memory
via d221f930efc auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy()
via 126357e2e73 lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the Heimdal krb5_cc_get_lifetime
via e58f83d3958 s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings
via e6f92edba69 s3:notify: don't log user_can_stat_name_under_fsp with level 0 for OBJECT_NAME_NOT_FOUND
from c49c48afe09 ldb:utf8: ldb_ascii_toupper() avoids real toupper()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 2674df4cc0e124d74eb9d764c29a07c9c84b94d6
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 14 15:36:51 2022 +0200
s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed
Only legacy protocols need a password for share level authentication,
so avoid triggering the password prompt for the common case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Apr 23 15:21:38 UTC 2024 on atb-devel-224
commit aff2932c420fd102c077063b8d1f66cdd8a777cb
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 8 14:14:34 2024 +0100
python/samba/getopt: don't prompt for a password for --use-krb5-ccache=...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 0ba9e5dacbb4e5bf94600e0a4a1cbd9f7a9c5d9e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 14 13:31:20 2022 +0200
lib/cmdline: only call cli_credentials_get_password_and_obtained if needed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 994e12e8f7a6b089342a32a6c3269048bfef1545
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 14 13:30:56 2022 +0200
lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_REASON_POST
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit e2170431f1d4a6f4ce7e3e6949282d5bc60b5d08
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Mar 7 00:11:26 2024 +0100
s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5af5bf264571b732b5236e6db2061b523e603c05
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 27 16:22:14 2024 +0100
auth/credentials: don't call talloc_free(ccache_name) on caller's memory
The internally allocated ccache_name has ccc as parent,
so we don't need to clean up explicitly.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d221f930efcff09a9b5dc18c5dfb6475ade1312a
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 27 16:07:22 2024 +0100
auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy()
A simple krb5_cc_close() doesn't remove it from the global memory list.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 126357e2e7302eb219fda80e3cfbef3da02c1d6d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 8 11:39:35 2024 +0100
lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the Heimdal krb5_cc_get_lifetime
If the ccache doesn't have an initial TGT the shortest lifetime of
service tickets should be returned.
This is needed in order to work with special ccaches used for
things like S4U2Self/S4U2Proxy tickets or other things
where the caller only wants to pass a single service ticket.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit e58f83d3958d7b6a16d7d75a7a266cead4befb48
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 3 16:00:41 2024 +0200
s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit e6f92edba690923ec8ef427bc6d5b30d609c129a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 3 16:35:35 2024 +0200
s3:notify: don't log user_can_stat_name_under_fsp with level 0 for OBJECT_NAME_NOT_FOUND
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials_krb5.c | 9 ++++-----
lib/cmdline/cmdline.c | 28 +++++++++++++++-------------
lib/krb5_wrap/krb5_samba.c | 28 +++++++++++++++++++++++++++-
python/samba/getopt.py | 1 +
source3/libads/ldap.c | 2 ++
source3/libsmb/auth_generic.c | 2 +-
source3/libsmb/cliconnect.c | 18 +++++++++++++++++-
source3/smbd/notify.c | 11 ++++++++---
8 files changed, 75 insertions(+), 24 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index c388f6c82df..dcfa2e4daee 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -109,13 +109,13 @@ static uint32_t smb_gss_krb5_copy_ccache(uint32_t *min_stat,
*/
maj_stat = gss_krb5_copy_ccache(min_stat, cred, dummy_ccache);
if (maj_stat != 0) {
- krb5_cc_close(context, dummy_ccache);
+ krb5_cc_destroy(context, dummy_ccache);
return maj_stat;
}
code = krb5_cc_start_seq_get(context, dummy_ccache, &cursor);
if (code != 0) {
- krb5_cc_close(context, dummy_ccache);
+ krb5_cc_destroy(context, dummy_ccache);
*min_stat = EINVAL;
return GSS_S_FAILURE;
}
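Review bot: switching these two error paths from krb5_cc_close() to krb5_cc_destroy() is only safe if dummy_ccache is guaranteed to be the temporary MEMORY ccache the commit message describes; krb5_cc_destroy() on a FILE or DIR ccache would delete the backing store, so a short comment next to the dummy_ccache allocation stating that it is always a MEMORY ccache would document the invariant this change depends on. The return value of krb5_cc_destroy() is discarded, which matches the previous krb5_cc_close() usage.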
@@ -125,7 +125,7 @@ static uint32_t smb_gss_krb5_copy_ccache(uint32_t *min_stat,
&cursor,
&creds);
if (code != 0) {
- krb5_cc_close(context, dummy_ccache);
+ krb5_cc_destroy(context, dummy_ccache);
*min_stat = EINVAL;
return GSS_S_FAILURE;
}
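Review bot: same substitution as in the previous hunk; since every exit path of smb_gss_krb5_copy_ccache() now has to destroy dummy_ccache, a single cleanup label at the end of the function with `goto done;` from the error paths would make it harder for a future error path to fall back to krb5_cc_close() and leak the MEMORY ccache again.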
@@ -163,7 +163,7 @@ static uint32_t smb_gss_krb5_copy_ccache(uint32_t *min_stat,
krb5_cc_end_seq_get(context, dummy_ccache, &cursor);
code = 0;
}
- krb5_cc_close(context, dummy_ccache);
+ krb5_cc_destroy(context, dummy_ccache);
if (code != 0 || princ == NULL) {
krb5_free_cred_contents(context, &creds);
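Review bot: on this success path the dummy ccache is destroyed before `creds` and `princ` are checked, so the copied credential must not hold any reference into the ccache; that holds for krb5_cc_next_cred() output, which is a deep copy freed by krb5_free_cred_contents(), but the comment above the loop should say so, because the ordering now matters for correctness rather than only for cleanup.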
@@ -647,7 +647,6 @@ static int cli_credentials_new_ccache(struct cli_credentials *cred,
ccache_name,
smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context,
ret, ccc));
- talloc_free(ccache_name);
talloc_free(ccc);
return ret;
}
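Review bot: dropping talloc_free(ccache_name) here fixes a free of memory owned by the caller when a ccache name was passed in, but this hunk only covers one error path of cli_credentials_new_ccache(); please confirm that no other return path in the function still frees ccache_name, and that in the internally allocated case ccache_name really is a talloc child of ccc (so `talloc_free(ccc);` on the next line releases it), otherwise this would trade a double free for a leak.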
diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c
index db962146bd2..6f081324e64 100644
--- a/lib/cmdline/cmdline.c
+++ b/lib/cmdline/cmdline.c
@@ -803,19 +803,6 @@ static void popt_common_credentials_callback(poptContext popt_ctx,
"Unable to read defaults from smb.conf\n");
}
- (void)cli_credentials_get_password_and_obtained(creds,
- &password_obtained);
- if (!skip_password_callback &&
- password_obtained < CRED_CALLBACK) {
- ok = cli_credentials_set_cmdline_callbacks(creds);
- if (!ok) {
- fprintf(stderr,
- "Failed to set cmdline password "
- "callback\n");
- exit(1);
- }
- }
-
if (machine_account_pending) {
NTSTATUS status;
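Review bot: moving the password lookup out of this position means any early `return` or `exit()` in the machine_account_pending handling that follows now runs before cli_credentials_set_cmdline_callbacks() is installed; if the machine account path can fall through to the end of the callback that is fine, but if it returns early on success the password callback would silently no longer be set for that case, so the control flow between the removed block and the new one at the end of POPT_CALLBACK_REASON_POST should be checked.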
@@ -850,6 +837,21 @@ static void popt_common_credentials_callback(poptContext popt_ctx,
CRED_SPECIFIED);
}
+ if (!skip_password_callback) {
+ (void)cli_credentials_get_password_and_obtained(creds,
+ &password_obtained);
+ }
+ if (!skip_password_callback &&
+ password_obtained < CRED_CALLBACK) {
+ ok = cli_credentials_set_cmdline_callbacks(creds);
+ if (!ok) {
+ fprintf(stderr,
+ "Failed to set cmdline password "
+ "callback\n");
+ exit(1);
+ }
+ }
+
return;
}
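Review bot: `password_obtained` is only assigned inside `if (!skip_password_callback)` and the next condition also tests `!skip_password_callback` first, so it is never read uninitialised, but the two guards make that hard to see and invite a future edit that reorders them; folding the lookup into the second block, i.e. `if (!skip_password_callback) { (void)cli_credentials_get_password_and_obtained(creds, &password_obtained); if (password_obtained < CRED_CALLBACK) { ... } }`, keeps the invariant local and avoids calling the getter at all when the callback is skipped.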
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 6865b049b77..7cc28697e81 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -3028,6 +3028,7 @@ krb5_error_code smb_krb5_cc_get_lifetime(krb5_context context,
krb5_cc_cursor cursor;
krb5_error_code kerr;
krb5_creds cred;
+ krb5_timestamp endtime = 0;
krb5_timestamp now;
*t = 0;
@@ -3043,20 +3044,45 @@ krb5_error_code smb_krb5_cc_get_lifetime(krb5_context context,
}
while ((kerr = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) {
+ if (krb5_is_config_principal(context, cred.server)) {
+ krb5_free_cred_contents(context, &cred);
+ continue;
+ }
+
#ifndef HAVE_FLAGS_IN_KRB5_CREDS
if (cred.ticket_flags & TKT_FLG_INITIAL) {
#else
if (cred.flags.b.initial) {
#endif
if (now < cred.times.endtime) {
- *t = (time_t) (cred.times.endtime - now);
+ endtime = cred.times.endtime;
}
krb5_free_cred_contents(context, &cred);
break;
}
+
+ if (cred.times.endtime <= now) {
+ /* already expired */
+ krb5_free_cred_contents(context, &cred);
+ continue;
+ }
+
+ /**
+ * If there was no krbtgt, use the shortest lifetime of
+ * service tickets that have yet to expire. If all
+ * credentials are expired, krb5_cc_get_lifetime() will fail.
+ */
+ if (endtime == 0 || cred.times.endtime < endtime) {
+ endtime = cred.times.endtime;
+ }
krb5_free_cred_contents(context, &cred);
}
+ if (now < endtime) {
+ *t = (time_t) (endtime - now);
+ kerr = 0;
+ }
+
krb5_cc_end_seq_get(context, id, &cursor);
return kerr;
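Review bot: the two exit paths of the loop are not symmetric. When the loop runs to the end without a TGT, `kerr` holds the end-of-sequence error and is only reset to 0 if a still valid service ticket set `endtime`, so an all-expired ccache fails as the comment says; when the loop leaves via `break` on an initial ticket, `kerr` is 0 from krb5_cc_next_cred(), so an expired TGT returns success with `*t == 0` (or with the shortest lifetime of any service tickets seen before the TGT, since `endtime` is not reset in the `break` branch). If callers treat `*t == 0` as "no usable credentials" that is acceptable, but the behaviour should be stated in the function's documentation, and the `/**` doxygen-style comment inside the function body should be a plain `/*` comment to match the surrounding code.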
diff --git a/python/samba/getopt.py b/python/samba/getopt.py
index 0935ed00d40..2620138c3de 100644
--- a/python/samba/getopt.py
+++ b/python/samba/getopt.py
@@ -439,6 +439,7 @@ class CredentialsOptions(OptionGroup):
self.creds.set_bind_dn(arg)
def _set_krb5_ccache(self, option, opt_str, arg, parser):
+ self.ask_for_password = False
self.creds.set_kerberos_state(MUST_USE_KERBEROS)
self.creds.set_named_ccache(arg)
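Review bot: clearing ask_for_password in the --use-krb5-ccache callback is order dependent: if another option processed later re-enables prompting, a command line such as `--use-krb5-ccache=... -U user` could still prompt, so it is worth checking the other callbacks in CredentialsOptions for assignments to ask_for_password and adding a test that passes --use-krb5-ccache without a password and asserts that no prompt is issued, since this is the user-visible behaviour the bug report is about.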
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 4d4afb279c8..04b2f35022d 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -2906,11 +2906,13 @@ static bool ads_dump_field(ADS_STRUCT *ads, char *field, void **values, void *da
{"nTSecurityDescriptor", False, dump_sd},
{"dnsRecord", False, dump_binary},
{"objectSid", False, dump_sid},
+ {"securityIdentifier", False, dump_sid},
{"tokenGroups", False, dump_sid},
{"tokenGroupsNoGCAcceptable", False, dump_sid},
{"tokengroupsGlobalandUniversal", False, dump_sid},
{"mS-DS-CreatorSID", False, dump_sid},
{"msExchMailboxGuid", False, dump_guid},
+ {"msDS-TrustForestTrustInfo", False, dump_binary},
{NULL, True, NULL}
};
int i;
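Review bot: the commit message gives no reason for the change; a sentence saying that both attributes are binary (a SID and the forest trust info blob), so the default string dump printed garbage or truncated at the first NUL byte, would help future readers of `git blame`. Dumping msDS-TrustForestTrustInfo as opaque binary is the conservative choice; if a decoder for the record format already exists in the tree it could be used here, but that is a follow-up rather than a blocker.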
diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
index e5120a083a6..527b51900d8 100644
--- a/source3/libsmb/auth_generic.c
+++ b/source3/libsmb/auth_generic.c
@@ -51,7 +51,7 @@ NTSTATUS auth_generic_set_password(struct auth_generic_state *ans,
NTSTATUS auth_generic_set_creds(struct auth_generic_state *ans,
struct cli_credentials *creds)
{
- talloc_unlink(ans->credentials, creds);
+ talloc_unlink(ans, ans->credentials);
ans->credentials = creds;
return NT_STATUS_OK;
}
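Review bot: the old call had the talloc_unlink() arguments reversed (the API is talloc_unlink(context, ptr)), so it removed a reference that did not exist and left the previous credentials attached to `ans`; the corrected `talloc_unlink(ans, ans->credentials)` releases the old object. Two things to confirm: that talloc_unlink() with a NULL `ans->credentials` on first use is harmless (it returns -1 without side effects), and that assigning `creds` without talloc_reference() or talloc_steal() is intended, meaning the caller must keep `creds` alive for the lifetime of `ans`; a comment stating that ownership rule would prevent the next caller from freeing it early.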
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index d42f08fbb1a..169960282a4 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2424,9 +2424,25 @@ NTSTATUS cli_tree_connect_creds(struct cli_state *cli,
const char *share, const char *dev,
struct cli_credentials *creds)
{
+ bool need_pass = false;
const char *pw = NULL;
- if (creds != NULL) {
+ /*
+ * We should work out if the protocol
+ * will make use of a password for share level
+ * authentication before we may cause
+ * the password prompt to be called.
+ */
+ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
+ uint16_t sec_mode = smb1cli_conn_server_security_mode(cli->conn);
+
+ /* in user level security don't send a password now */
+ if (!(sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
+ need_pass = true;
+ }
+ }
+
+ if (need_pass && creds != NULL) {
pw = cli_credentials_get_password(creds);
}
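Review bot: the guard now restricts cli_credentials_get_password() to SMB1 connections whose negotiated security mode lacks NEGOTIATE_SECURITY_USER_LEVEL, which matches the commit message; since `pw` stays NULL on every other path, the code later in the function that consumes `pw` must already accept NULL, which it did for the previous `creds == NULL` case, but a quick check of the SMB1 user-level branch is warranted because it previously received a non-NULL password whenever creds were supplied. Nit: "before we may cause" in the comment reads better as "before we might trigger".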
diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c
index 850193eccf3..d08df3c8380 100644
--- a/source3/smbd/notify.c
+++ b/source3/smbd/notify.c
@@ -651,9 +651,14 @@ static bool user_can_stat_name_under_fsp(files_struct *fsp, const char *name)
0,
&fname);
if (!NT_STATUS_IS_OK(status)) {
- DBG_ERR("synthetic_pathref failed for %s, error %s\n",
- filepath,
- nt_errstr(status));
+ int dbg_lvl = DBGLVL_ERR;
+ if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ dbg_lvl = DBGLVL_DEBUG;
+ }
+ DBG_PREFIX(dbg_lvl, (
+ "synthetic_pathref failed for %s, error %s\n",
+ filepath,
+ nt_errstr(status)));
TALLOC_FREE(fname);
TALLOC_FREE(filepath);
return false;
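Review bot: downgrading NT_STATUS_OBJECT_NAME_NOT_FOUND to DBGLVL_DEBUG is right for the notify path, where the object can legitimately disappear between the change event and the stat, but NT_STATUS_OBJECT_PATH_NOT_FOUND (a parent directory removed in the same window) would still be logged at level 0 for the same benign race; consider treating it the same way. The switch from DBG_ERR() to DBG_PREFIX() with a runtime level is the right tool here, since the DBG_* macros take a compile-time level.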