[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Wed Jul 17 11:18:01 UTC 2024


The branch, master has been updated
       via  687139144a2 s3:auth: allow real plaintext authentication
       via  66e9d3fe01f selftest: setup pam_matrix in the simpleserver env
       via  108724ac346 s3:auth: let smb_pam_conv() handle resp=NULL
       via  97f0408f776 third_party/pam_wrapper: add pam_matrix module
       via  9afe7b7a0f2 s3:passdb: don't clear the LM HASH without a password change
       via  8e35933ceb5 s3:selftest: add samba3.blackbox.smb1_lanman_plaintext tests
       via  f7574a59226 selftest:Samba3: allow lanman auth in setup_nt4_member
       via  1e21b99b643 selftest:Samba3: add simpleserver globals before include = global_inject.conf
       via  8937dce1334 libcli/auth: fix debug level 100 valgrind warnings in SMBOWFencrypt_ntv2()
      from  eaed0cd9403 s3:lib: Fix a typo in MACRO

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 687139144a2f6210aae570accedafca9250753e1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 12 17:12:46 2024 +0200

    s3:auth: allow real plaintext authentication
    
    In standalone setups we use the PAM stack to verify
    the plaintext authentication, so we need to pass it
    down...
    
    There are still production systems out there
    (legacy audio/video recording systems...)
    using this.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Wed Jul 17 11:17:54 UTC 2024 on atb-devel-224

commit 66e9d3fe01f80f19264aaf8250d92c82a707162a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 12 20:23:52 2024 +0200

    selftest: setup pam_matrix in the simpleserver env
    
    This allows testing a plaintext password authentication
    on a standalone server using the PAM stack to verify it.
    
    There are still production systems out in the wild using this...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 108724ac34663a234ab0a506a1e5d5e0a106af9c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jul 15 18:47:24 2024 +0200

    s3:auth: let smb_pam_conv() handle resp=NULL
    
    pam_matrix calls smb_pam_conv() with resp=NULL in some situations,
    we should not segfault...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 97f0408f776ecbde4bec6d3001d0bdc82f9d86eb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jul 15 18:43:37 2024 +0200

    third_party/pam_wrapper: add pam_matrix module
    
    This allows testing pam with simple passwords.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 9afe7b7a0f248d2d31dfc2a13bd61906d113c932
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 12 19:38:40 2024 +0200

    s3:passdb: don't clear the LM HASH without a password change
    
    Updating things like the bad pwd count should not clear the
    stored LM HASH with 'lanman auth = no'.
    
    This allows testing with 'lanman auth = no' and 'lanman auth = yes'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 8e35933ceb5bcede2b45d8223766bd8b2ebd7ef1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jul 15 18:32:42 2024 +0200

    s3:selftest: add samba3.blackbox.smb1_lanman_plaintext tests
    
    This demonstrates that we currently have problems with
    plaintext and lanman authentication. In both domain member
    and standalone setups.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit f7574a59226ed65c6048af64507c0be0d044eb8c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jul 15 18:31:18 2024 +0200

    selftest:Samba3: allow lanman auth in setup_nt4_member
    
    Note that the LM HASH is only generated for passwords
    up to 14 characters...
    
    We use extra_options_before_inject in order to
    allow overriding any existing parameter.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 1e21b99b643c4d2177c382a296c2edfc2b7e7f91
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 12 18:26:07 2024 +0200

    selftest:Samba3: add simpleserver globals before include = global_inject.conf
    
    This allows overriding any existing parameter.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 8937dce133485ff5e8fd0291f096adbaffba56be
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jun 3 12:56:02 2024 +0200

    libcli/auth: fix debug level 100 valgrind warnings in SMBOWFencrypt_ntv2()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/auth/smbencrypt.c                           |  11 +-
 python/samba/tests/s3passdb.py                     |   2 +-
 script/autobuild.py                                |   4 +-
 script/compare_cc_results.py                       |   1 +
 selftest/knownfail                                 |   6 +-
 selftest/selftest.pl                               |  13 +
 selftest/target/Samba.pm                           |  24 +
 selftest/target/Samba3.pm                          |  41 +-
 selftest/wscript                                   |   2 +
 source3/auth/auth_ntlmssp.c                        |   2 +-
 source3/auth/pampass.c                             |  13 +-
 source3/passdb/pdb_get_set.c                       |   2 +-
 source3/script/tests/test_smb1_lanman_plaintext.sh |  63 ++
 source3/selftest/tests.py                          |   8 +
 third_party/pam_wrapper/modules/pam_matrix.c       | 842 +++++++++++++++++++++
 third_party/pam_wrapper/wscript                    |  10 +
 16 files changed, 1024 insertions(+), 20 deletions(-)
 create mode 100755 source3/script/tests/test_smb1_lanman_plaintext.sh
 create mode 100644 third_party/pam_wrapper/modules/pam_matrix.c


Changeset truncated at 500 lines:

diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 725bdcb9f50..bddc843f524 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -344,16 +344,17 @@ NTSTATUS SMBOWFencrypt_ntv2(const uint8_t kr[16],
 		goto out;
 	}
 
+
+	status = NT_STATUS_OK;
+out:
+	gnutls_hmac_deinit(hmac_hnd, resp_buf);
 #ifdef DEBUG_PASSWORD
-	DEBUG(100, ("SMBOWFencrypt_ntv2: srv_chal, smbcli_chal, resp_buf\n"));
+	DEBUG(100, ("SMBOWFencrypt_ntv2: srv_chal, smbcli_chal, resp_buf: %s\n",
+		    nt_errstr(status)));
 	dump_data(100, srv_chal->data, srv_chal->length);
 	dump_data(100, smbcli_chal->data, smbcli_chal->length);
 	dump_data(100, resp_buf, 16);
 #endif
-
-	status = NT_STATUS_OK;
-out:
-	gnutls_hmac_deinit(hmac_hnd, resp_buf);
 	return status;
 }
 
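Review bot: With the DEBUG_PASSWORD block now below `out:`, the three `dump_data()` calls also run on every `goto out` failure, where `resp_buf` may not hold a complete response. Logging `nt_errstr(status)` helps, but consider skipping the dumps unless `NT_STATUS_IS_OK(status)`. The added empty line before `status = NT_STATUS_OK;` also leaves two blank lines in a row.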
diff --git a/python/samba/tests/s3passdb.py b/python/samba/tests/s3passdb.py
index b584e07fc98..eac3be6163e 100644
--- a/python/samba/tests/s3passdb.py
+++ b/python/samba/tests/s3passdb.py
@@ -90,7 +90,7 @@ class PassdbTestCase(TestCaseInTempDir):
         self.assertEqual([-1 for i in range(21)], user.hours)
         self.assertEqual(21, user.hours_len)
         self.assertEqual(9223372036854775807, user.kickoff_time)
-        self.assertEqual(None, user.lanman_passwd)
+        self.assertEqual(b'U)\x02\x03\x1b\xed\xe9\xef\xaa\xd3\xb45\xb5\x14\x04\xee', user.lanman_passwd)
         self.assertEqual(9223372036854775807, user.logoff_time)
         self.assertEqual(0, user.logon_count)
         self.assertEqual(168, user.logon_divs)
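Review bot: The expected `user.lanman_passwd` is now an unexplained 16-byte literal. Add a comment naming the fixture account and password it derives from, so that a later fixture change is not mistaken for a regression in the hash handling.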
diff --git a/script/autobuild.py b/script/autobuild.py
index 7d9dc008bcf..5bea99f1fde 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -998,7 +998,7 @@ tasks = {
             ("allprivate-def-configure", "./configure.developer " + samba_configure_params + " --private-libraries=ALL"),
             ("allprivate-def-make", "make -j"),
             # note wrapper libraries need to be public
-            ("allprivate-def-no-public", "ls ./bin/shared | egrep -v '^private$|lib[nprsu][saeoi][smscd].*-wrapper.so$|pam_set_items.so' | wc -l | grep -q '^0'"),
+            ("allprivate-def-no-public", "ls ./bin/shared | egrep -v '^private$|lib[nprsu][saeoi][smscd].*-wrapper.so$|pam_set_items.so|pam_matrix.so' | wc -l | grep -q '^0'"),
             ("allprivate-def-only-private-ext", "ls ./bin/shared/private | egrep 'private-samba' | wc -l | grep -q '^0' && exit 1; exit 0"),
             ("allprivate-def-no-non-private-ext", "ls ./bin/shared/private | egrep -v 'private-samba|^libpypamtest.so$' | wc -l | grep -q '^0'"),
             ("allprivate-def-test", make_test(TESTS="samba3.smb2.create.*nt4_dc")),
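Review bot: The exclusion regex is edited identically here and in the allprivate-ext-no-public task, and the new `pam_matrix.so` alternative is unanchored with an unescaped dot. Consider building the pattern once in a variable and writing the module name as `^pam_matrix\.so$`, so the "no public libraries" check cannot be satisfied by an unrelated file name.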
@@ -1012,7 +1012,7 @@ tasks = {
             ("allprivate-ext-configure", "./configure.developer " + samba_configure_params + " --private-libraries=ALL --private-library-extension=private-library --private-extension-exception=pac,ndr"),
             ("allprivate-ext-make", "make -j"),
             # note wrapper libraries need to be public
-            ("allprivate-ext-no-public", "ls ./bin/shared | egrep -v '^private$|lib[nprsu][saeoi][smscd].*-wrapper.so$|pam_set_items.so' | wc -l | grep -q '^0'"),
+            ("allprivate-ext-no-public", "ls ./bin/shared | egrep -v '^private$|lib[nprsu][saeoi][smscd].*-wrapper.so$|pam_set_items.so|pam_matrix.so' | wc -l | grep -q '^0'"),
             ("allprivate-ext-no-private-default-ext", "ls ./bin/shared/private | grep 'private-samba' | wc -l | grep -q '^0'"),
             ("allprivate-ext-has-private-ext", "ls ./bin/shared/private | grep 'private-library' | wc -l | grep -q '^0' && exit 1; exit 0"),
             ("allprivate-ext-libndr-no-private-ext", "ls ./bin/shared/private | grep -v 'private-library' | grep 'libndr' | wc -l | grep -q '^1'"),
diff --git a/script/compare_cc_results.py b/script/compare_cc_results.py
index 9bf24adffec..d97050c1870 100755
--- a/script/compare_cc_results.py
+++ b/script/compare_cc_results.py
@@ -16,6 +16,7 @@ exceptions = [
     'LIBNSS_WRAPPER_SO_PATH',
     'LIBPAM_WRAPPER_SO_PATH',
     'PAM_SET_ITEMS_SO_PATH',
+    'PAM_MATRIX_SO_PATH',
     'LIBUID_WRAPPER_SO_PATH',
     'LIBRESOLV_WRAPPER_SO_PATH',
 ]
diff --git a/selftest/knownfail b/selftest/knownfail
index e0db191e2f4..9507b142089 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -321,9 +321,9 @@
 ^samba4.smb.signing.*disabled.*client-protection=off.*\(ad_dc\)
 # fl2000dc doesn't support AES
 ^samba4.krb5.kdc.*as-req-aes.fl2000dc
-# nt4_member and ad_member don't support ntlmv1 (not even over SMB1)
-^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*_member
-^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*_member
+# ad_member don't support ntlmv1 (not even over SMB1)
+^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*ad_member
+^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*ad_member
 #nt-vfs server blocks read with execute access
 ^samba4.smb2.read.access
 #ntvfs server blocks copychunk with execute access on read handle
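Review bot: The rewritten comment reads "ad_member don't support ntlmv1"; with a single environment left it should be "ad_member doesn't support ntlmv1".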
diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index 3dbaa4f0c18..26b1663b5b6 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -62,6 +62,8 @@ my $opt_libnss_wrapper_so_path = "";
 my $opt_libresolv_wrapper_so_path = "";
 my $opt_libsocket_wrapper_so_path = "";
 my $opt_libuid_wrapper_so_path = "";
+my $opt_libpam_wrapper_so_path = "";
+my $opt_libpam_matrix_so_path = "";
 my $opt_libasan_so_path = "";
 my $opt_libcrypt_so_path = "";
 my $opt_use_dns_faking = 0;
@@ -255,6 +257,8 @@ my $result = GetOptions (
 		'resolv_wrapper_so_path=s' => \$opt_libresolv_wrapper_so_path,
 		'socket_wrapper_so_path=s' => \$opt_libsocket_wrapper_so_path,
 		'uid_wrapper_so_path=s' => \$opt_libuid_wrapper_so_path,
+		'pam_wrapper_so_path=s' => \$opt_libpam_wrapper_so_path,
+		'pam_matrix_so_path=s' => \$opt_libpam_matrix_so_path,
 		'asan_so_path=s' => \$opt_libasan_so_path,
 		'crypt_so_path=s' => \$opt_libcrypt_so_path,
 		'use-dns-faking' => \$opt_use_dns_faking
@@ -402,6 +406,14 @@ if ($opt_libuid_wrapper_so_path) {
 	}
 }
 
+if ($opt_libpam_wrapper_so_path) {
+	if ($ld_preload) {
+		$ld_preload = "$ld_preload:$opt_libpam_wrapper_so_path";
+	} else {
+		$ld_preload = "$opt_libpam_wrapper_so_path";
+	}
+}
+
 if (defined($ENV{USE_NAMESPACES})) {
 	print "Using linux containerization for selftest testenv(s)...\n";
 
@@ -469,6 +481,7 @@ if (defined($ENV{SMBD_MAXTIME}) and $ENV{SMBD_MAXTIME} ne "") {
 $target = new Samba($bindir, $srcdir, $server_maxtime,
 		    $opt_socket_wrapper_pcap,
 		    $opt_socket_wrapper_keep_pcap,
+		    $opt_libpam_matrix_so_path,
 		    $opt_default_ldb_backend);
 unless ($opt_list) {
 	if ($opt_target eq "samba") {
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 516684ee900..15d7692b5d6 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -16,11 +16,13 @@ use IO::Poll qw(POLLIN);
 sub new($$$$$) {
 	my ($classname, $bindir, $srcdir, $server_maxtime,
 	    $opt_socket_wrapper_pcap, $opt_socket_wrapper_keep_pcap,
+	    $opt_libpam_matrix_so_path,
 	    $default_ldb_backend) = @_;
 
 	my $self = {
 	    opt_socket_wrapper_pcap => $opt_socket_wrapper_pcap,
 	    opt_socket_wrapper_keep_pcap => $opt_socket_wrapper_keep_pcap,
+	    opt_libpam_matrix_so_path => $opt_libpam_matrix_so_path,
 	};
 	$self->{samba3} = new Samba3($self, $bindir, $srcdir, $server_maxtime);
 	$self->{samba4} = new Samba4($self, $bindir, $srcdir, $server_maxtime, $default_ldb_backend);
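Review bot: `sub new($$$$$)` still declares five parameters while the list unpacked from `@_` now has eight. The new `$opt_libpam_matrix_so_path` is also inserted in the middle of a positional list, ahead of `$default_ldb_backend`, so a caller that is not updated shifts its arguments silently. Update or drop the prototype and consider passing these options as a hash.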
@@ -178,6 +180,14 @@ sub nss_wrapper_winbind_so_path($) {
 	return $ret;
 }
 
+sub pam_matrix_so_path($) {
+	my ($self) = @_;
+	my $SambaCtx = $self;
+	$SambaCtx = $self->{SambaCtx} if defined($self->{SambaCtx});
+
+	return $SambaCtx->{opt_libpam_matrix_so_path};
+}
+
 sub copy_file_content($$)
 {
 	my ($in, $out) = @_;
@@ -795,6 +805,20 @@ sub get_env_for_process
 	if (defined($env_vars->{OPENSSL_FORCE_FIPS_MODE})) {
 		$proc_envs->{OPENSSL_FORCE_FIPS_MODE} = $env_vars->{OPENSSL_FORCE_FIPS_MODE};
 	}
+
+	if (defined($env_vars->{PAM_WRAPPER})) {
+		$proc_envs->{PAM_WRAPPER} = $env_vars->{PAM_WRAPPER};
+	}
+	if (defined($env_vars->{PAM_WRAPPER_KEEP_DIR})) {
+		$proc_envs->{PAM_WRAPPER_KEEP_DIR} = $env_vars->{PAM_WRAPPER_KEEP_DIR};
+	}
+	if (defined($env_vars->{PAM_WRAPPER_SERVICE_DIR})) {
+		$proc_envs->{PAM_WRAPPER_SERVICE_DIR} = $env_vars->{PAM_WRAPPER_SERVICE_DIR};
+	}
+	if (defined($env_vars->{PAM_WRAPPER_DEBUGLEVEL})) {
+		$proc_envs->{PAM_WRAPPER_DEBUGLEVEL} = $env_vars->{PAM_WRAPPER_DEBUGLEVEL};
+	}
+
 	return $proc_envs;
 }
 
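Review bot: The four `PAM_WRAPPER*` blocks are copies of one another. A `foreach` over the variable names would keep the list in one place and make the next addition a one-word change.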
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 291e3888fc6..c7cdbefc72d 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -423,6 +423,8 @@ sub setup_nt4_member
 
 	my $member_options = "
 	security = domain
+	lanman auth = yes
+	ntlm auth = yes
 	dbwrap_tdb_mutexes:* = yes
 	${require_mutexes}
 ";
@@ -430,8 +432,8 @@ sub setup_nt4_member
 	    prefix => $prefix,
 	    domain => $nt4_dc_vars->{DOMAIN},
 	    server => "LOCALNT4MEMBER3",
-	    password => "localnt4member3pass",
-	    extra_options => $member_options);
+	    password => "Lnt4member3p14",
+	    extra_options_before_inject => $member_options);
 
 	$ret or return undef;
 
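Review bot: The password change to "Lnt4member3p14" has no explanation in the code; the 14-character limit for generating the LM HASH is only mentioned in the commit message. Add a comment next to `password =>` so nobody lengthens it later and breaks the lanman tests.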
@@ -1716,14 +1718,16 @@ sub setup_simpleserver
 	remove_tree($external_streams_depot);
 	mkdir($external_streams_depot, 0777);
 
-	my $simpleserver_options = "
+	my $simpleserver_options_globals = "
 	lanman auth = yes
 	ntlm auth = yes
 	vfs objects = xattr_tdb streams_depot
 	change notify = no
 	server smb encrypt = off
         allow trusted domains = no
+";
 
+	my $simpleserver_options = "
 [vfs_aio_pthread]
 	path = $prefix_abs/share
 	read only = no
@@ -1781,10 +1785,34 @@ sub setup_simpleserver
 	    domain => "WORKGROUP",
 	    server => "LOCALSHARE4",
 	    password => "local4pass",
+	    extra_options_before_inject => $simpleserver_options_globals,
 	    extra_options => $simpleserver_options);
 
 	$vars or return undef;
 
+	my $pam_service_dir = "$prefix_abs/pam_services";
+	remove_tree($pam_service_dir);
+	mkdir($pam_service_dir, 0777);
+	my $pam_service_file = "$pam_service_dir/samba";
+	my $pam_matrix_passdb = "$pam_service_dir/samba_pam_matrix_passdb";
+	my $pam_matrix_so_path = Samba::pam_matrix_so_path($self);
+
+	open(FILE, "> $pam_service_file");
+	print FILE "auth required ${pam_matrix_so_path} passdb=${pam_matrix_passdb} verbose\n";
+	print FILE "account required ${pam_matrix_so_path} passdb=${pam_matrix_passdb} verbose\n";
+	close(FILE);
+
+	my $tmpusername = $vars->{USERNAME};
+	my $tmppassword = $vars->{PASSWORD};
+	open(FILE, "> $pam_matrix_passdb");
+	print FILE "$tmpusername:$tmppassword:samba";
+	close(FILE);
+
+	$vars->{PAM_WRAPPER} = "1";
+	$vars->{PAM_WRAPPER_KEEP_DIR} = "1";
+	$vars->{PAM_WRAPPER_SERVICE_DIR} = $pam_service_dir;
+	$vars->{PAM_WRAPPER_DEBUGLEVEL} = "3";
+
 	if (not $self->check_or_start(
 		env_vars => $vars,
 		nmbd => "yes",
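Review bot: Both `open(FILE, "> ...")` calls ignore the return value, so a failed write leaves the simpleserver env without a PAM service file or passdb and the problem only surfaces later as an authentication failure. Use the three-argument form with a lexical handle and `or die`, and end the passdb line with a newline. `mkdir($pam_service_dir, 0777)` is also wider than needed for a directory that holds a file with a plaintext password.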
@@ -2554,7 +2582,8 @@ sub provision($$)
 	my $realm = $args{realm};
 	my $server = $args{server};
 	my $password = $args{password};
-	my $extra_options = $args{extra_options};
+	my $extra_options_before_inject = $args{extra_options_before_inject} // "";
+	my $extra_options = $args{extra_options} // "";
 	my $resolv_conf = $args{resolv_conf};
 	my $no_delete_prefix= $args{no_delete_prefix};
 	my $netbios_name = $args{netbios_name} // $server;
@@ -3004,6 +3033,10 @@ sub provision($$)
 	#it just means we ALLOW one to be configured.
 	allow insecure wide links = yes
 
+	# Begin extra options before global inject
+	$extra_options_before_inject
+	# End extra options befoore global inject
+
 	include = $globalinjectconf
 
 	# Begin extra options
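Review bot: Typo in the closing marker comment: "befoore" should be "before" (`# End extra options before global inject`). The string is written into every generated smb.conf, so it is worth fixing before it gets grepped for.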
diff --git a/selftest/wscript b/selftest/wscript
index b8faf6dbc84..2d7e192c14f 100644
--- a/selftest/wscript
+++ b/selftest/wscript
@@ -253,6 +253,8 @@ def cmd_testonly(opt):
     env.OPTIONS += " --nss_wrapper_so_path=" + CONFIG_GET(opt, 'LIBNSS_WRAPPER_SO_PATH')
     env.OPTIONS += " --resolv_wrapper_so_path=" + CONFIG_GET(opt, 'LIBRESOLV_WRAPPER_SO_PATH')
     env.OPTIONS += " --uid_wrapper_so_path=" + CONFIG_GET(opt, 'LIBUID_WRAPPER_SO_PATH')
+    env.OPTIONS += " --pam_wrapper_so_path=" + CONFIG_GET(opt, 'LIBPAM_WRAPPER_SO_PATH')
+    env.OPTIONS += " --pam_matrix_so_path=" + CONFIG_GET(opt, 'PAM_MATRIX_SO_PATH')
 
     # selftest can optionally use kernel namespaces instead of socket-wrapper
     if os.environ.get('USE_NAMESPACES') is None:
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 73938dc2b88..9d5d87646c9 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -183,7 +183,7 @@ struct tevent_req *auth3_check_password_send(
 				       user_info->service_description,
 	                               user_info->password.response.lanman.data ? &user_info->password.response.lanman : NULL,
 	                               user_info->password.response.nt.data ? &user_info->password.response.nt : NULL,
-				       NULL, NULL, NULL,
+				       NULL, NULL, user_info->password.plaintext,
 				       AUTH_PASSWORD_RESPONSE);
 
 	if (tevent_req_nterror(req, nt_status)) {
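Review bot: The trailing positional arguments `NULL, NULL, user_info->password.plaintext` give no hint which parameter now receives the plaintext password; an inline comment naming the three parameters would help. Please also confirm that the callee copies the string and treats the copy as secret data, since this slot was always NULL until now.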
diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c
index 3e764f32f7d..0be7f9f9d1f 100644
--- a/source3/auth/pampass.c
+++ b/source3/auth/pampass.c
@@ -131,7 +131,9 @@ static int smb_pam_conv(int num_msg,
 	struct pam_response *reply = NULL;
 	struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
 
-	*resp = NULL;
+	if (resp != NULL) {
+		*resp = NULL;
+	}
 
 	if (num_msg <= 0)
 		return PAM_CONV_ERR;
@@ -183,8 +185,13 @@ static int smb_pam_conv(int num_msg,
 				return PAM_CONV_ERR;
 		}
 	}
-	if (reply)
-		*resp = reply;
+	if (reply != NULL) {
+		if (resp != NULL) {
+			*resp = reply;
+		} else {
+			SAFE_FREE(reply);
+		}
+	}
 	return PAM_SUCCESS;
 }
 
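Review bot: In the `resp == NULL` branch, `SAFE_FREE(reply)` frees only the array. If the loop above filled `reply[i].resp` with allocated strings (not visible in this hunk), those leak, and one of them is the password. Free the members first, and consider returning PAM_CONV_ERR instead of PAM_SUCCESS when the caller gave no place to return the answers.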
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index 6789cc0824e..a6e45a59b13 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -857,7 +857,7 @@ bool pdb_set_lanman_passwd(struct samu *sampass, const uint8_t pwd[LM_HASH_LEN],
 
 	/* on keep the password if we are allowing LANMAN authentication */
 
-	if (pwd && lp_lanman_auth() ) {
+	if (pwd && (flag != PDB_CHANGED || lp_lanman_auth())) {
 		sampass->lm_pw = data_blob_talloc(sampass, pwd, LM_HASH_LEN);
 	} else {
 		sampass->lm_pw = data_blob_null;
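Review bot: The comment above the changed condition ("on keep the password if we are allowing LANMAN authentication") no longer describes the logic. With `flag != PDB_CHANGED` in the test, `sampass->lm_pw` is now kept under 'lanman auth = no' for every update that is not a password change. Reword the comment to say that only a change with lanman auth disabled drops the hash, so the retention of existing LM hashes is documented as intended.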
diff --git a/source3/script/tests/test_smb1_lanman_plaintext.sh b/source3/script/tests/test_smb1_lanman_plaintext.sh
new file mode 100755
index 00000000000..669a22e5f4c
--- /dev/null
+++ b/source3/script/tests/test_smb1_lanman_plaintext.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+if [ $# -lt 3 ]; then
+	cat <<EOF
+Usage: test_smb1_lanman_plaintext.sh SERVER USERNAME PASSWORD
+EOF
+	exit 1
+fi
+
+# This is used by test_smbclient()
+# shellcheck disable=2034
+smbclient=$1
+SERVER=$2
+USERNAME=$3
+PASSWORD=$4
+shift 4
+
+incdir=$(dirname $0)/../../../testprogs/blackbox
+. $incdir/subunit.sh
+. $incdir/common_test_fns.inc
+
+failed=0
+
+opt="-W ${SERVER} -U${USERNAME}%${PASSWORD}"
+
+# check
+test_smbclient "test_default" "ls" "//$SERVER/tmp" $opt || failed=$(expr $failed + 1)
+
+global_inject_conf=$(dirname $SMB_CONF_PATH)/global_inject.conf
+cat > $global_inject_conf << _EOF
+    server min protocol = LANMAN1
+    client min protocol = LANMAN1
+    lanman auth = no
+_EOF
+
+opt="--option=clientminprotocol=LANMAN1 -m LANMAN1 -c ls --option=clientNTLMv2auth=no --option=clientlanmanauth=yes -W ${SERVER} -U${USERNAME}%${PASSWORD}"
+test_smbclient_expect_failure "test_lm_fail" "ls" "//$SERVER/tmp" $opt || failed=$(expr $failed + 1)
+
+cat > $global_inject_conf << _EOF
+    server min protocol = LANMAN1
+    client min protocol = LANMAN1
+    lanman auth = yes
+    ntlm auth = yes
+_EOF
+
+test_smbclient "test_lm_ok" "ls" "//$SERVER/tmp" $opt || failed=$(expr $failed + 1)
+
+cat > $global_inject_conf << _EOF
+    server min protocol = LANMAN1
+    client min protocol = LANMAN1
+    lanman auth = yes
+    ntlm auth = yes
+    encrypt passwords = no
+_EOF
+
+test_smbclient_expect_failure "test_plaintext_fail_local" "ls" "//$SERVER/tmp" $opt || failed=$(expr $failed + 1)
+
+opt="--option=clientminprotocol=LANMAN1 -m LANMAN1 -c ls --option=clientNTLMv2auth=no --option=clientlanmanauth=yes --option=clientplaintextauth=yes -W ${SERVER} -U${USERNAME}%${PASSWORD}"
+test_smbclient "test_plaintext_ok" "ls" "//$SERVER/tmp" $opt || failed=$(expr $failed + 1)
+
+echo '' >$global_inject_conf
+
+testok $0 $failed
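Review bot: The argument check `[ $# -lt 3 ]` and the usage text do not match the script: four positionals are read (smbclient, SERVER, USERNAME, PASSWORD) and `shift 4` follows. With three arguments the check passes, PASSWORD is empty and the shift exceeds `$#`. Test for `-lt 4` and list the smbclient path in the usage line. `global_inject.conf` is also only reset on the last line, so an interrupted run leaves `encrypt passwords = no` behind for later tests in the same environment; a `trap` would cover that.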
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 790551245ac..772dfa8672f 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -1615,6 +1615,14 @@ plantestsuite("samba3.blackbox.smbd_no_krb5", "ad_member:local",
               [os.path.join(samba3srcdir, "script/tests/test_smbd_no_krb5.sh"),
                smbclient3, '$SERVER', "$DC_USERNAME", "$DC_PASSWORD", "$PREFIX"])
 
+plantestsuite("samba3.blackbox.smb1_lanman_plaintext", "simpleserver:local",
+              [os.path.join(samba3srcdir, "script/tests/test_smb1_lanman_plaintext.sh"),
+               smbclient3, '$SERVER', "$USERNAME", "$PASSWORD"])
+
+plantestsuite("samba3.blackbox.smb1_lanman_plaintext", "nt4_member:local",
+              [os.path.join(samba3srcdir, "script/tests/test_smb1_lanman_plaintext.sh"),
+               smbclient3, '$SERVER', "$USERNAME", "$PASSWORD"])
+
 plantestsuite("samba3.blackbox.winbind_ignore_domain", "ad_member_idmap_ad:local",
               [os.path.join(samba3srcdir, "script/tests/test_winbind_ignore_domains.sh")])
 
diff --git a/third_party/pam_wrapper/modules/pam_matrix.c b/third_party/pam_wrapper/modules/pam_matrix.c
new file mode 100644
index 00000000000..cc6fbf37e82
--- /dev/null
+++ b/third_party/pam_wrapper/modules/pam_matrix.c
@@ -0,0 +1,842 @@
+/*
+ * Copyright (c) 2015 Andreas Schneider <asn at samba.org>
+ * Copyright (c) 2015 Jakub Hrozek <jakub.hrozek at posteo.se>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "config.h"
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <pwd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <errno.h>
+#include <time.h>
+#include <stdint.h>
+
+#ifndef PATH_MAX
+#define PATH_MAX 4096
+#endif
+
+#ifndef discard_const
+#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
+#endif
+
+#ifndef discard_const_p
+#define discard_const_p(type, ptr) ((type *)discard_const(ptr))
+#endif
+
+#ifdef HAVE_SECURITY_PAM_APPL_H
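Review bot: `<stdint.h>` is included twice, once after `<stdio.h>` and again after `<time.h>`. Since this file is imported under third_party, report it to pam_wrapper upstream rather than patching it here.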


-- 
Samba Shared Repository


