kill security=share and security=server
Stefan (metze) Metzmacher
metze at samba.org
Sat May 12 04:56:20 MDT 2012
Hi,
>> Does Windows7 supports that, if not we should get rid of it.
>
>> And I'd also love to get rid of security=server
>> and auth/auth_server.c
>
> Yes, please deprecate that too. There are more users of security=server
> (SMB servers running without IT authorization in large companies), but
> we need to put the signal out there that this isn't the right way to
> handle the problem, even if we renege on removing the feature in future.
Now where we removed security=share support, I think we should
also remove security=server.
I'd like to push the following patches...
metze
-------------- next part --------------
From 75ecba03323401f5dbb60dacb30ef83eae8994da Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sat, 12 May 2012 11:14:17 +0200
Subject: [PATCH 1/7] s4:param/tests: remove "security=server" test
metze
---
source4/param/tests/loadparm.c | 10 ----------
1 files changed, 0 insertions(+), 10 deletions(-)
diff --git a/source4/param/tests/loadparm.c b/source4/param/tests/loadparm.c
index a8a6d78..fd4885e 100644
--- a/source4/param/tests/loadparm.c
+++ b/source4/param/tests/loadparm.c
@@ -237,15 +237,6 @@ static bool test_server_role_security_domain(struct torture_context *tctx)
return true;
}
-static bool test_server_role_security_server(struct torture_context *tctx)
-{
- struct loadparm_context *lp_ctx = loadparm_init(tctx);
- torture_assert(tctx, lpcfg_set_option(lp_ctx, "security=server"), "lpcfg_set_option failed");
- torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_STANDALONE, "ROLE should be STANDALONE");
- torture_assert_int_equal(tctx, lpcfg_security(lp_ctx), SEC_SERVER, "security should be server");
- return true;
-}
-
struct torture_suite *torture_local_loadparm(TALLOC_CTX *mem_ctx)
{
struct torture_suite *suite = torture_suite_create(mem_ctx, "loadparm");
@@ -273,7 +264,6 @@ struct torture_suite *torture_local_loadparm(TALLOC_CTX *mem_ctx)
torture_suite_add_simple_test(suite, "test_server_role_dc_domain_logons_and_not_master", test_server_role_dc_domain_logons_and_not_master);
torture_suite_add_simple_test(suite, "test_server_role_security_ads", test_server_role_security_ads);
torture_suite_add_simple_test(suite, "test_server_role_security_domain", test_server_role_security_domain);
- torture_suite_add_simple_test(suite, "test_server_role_security_server", test_server_role_security_server);
return suite;
}
--
1.7.4.1
From d73b7741300f2aa1fdaecbb6e91e83bfa868a743 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sat, 12 May 2012 12:00:00 +0200
Subject: [PATCH 2/7] s3-auth: remove "security=server" (depricated since 3.6)
"security=server" has a lot of problems in the world with
modern security (ntlmv2 and krb5). It was also not very
reliable, as it needed a stable connection to the password
server for the lifetime of the whole client connection!
Please use "security=domain" or "security=ads" is you
authentication against remote servers (domain controllers).
metze
--------------
/ \
/ REST \
/ IN \
/ PEACE \
/ \
| SEC_SERVER |
| security=server |
| |
| |
| 12 May |
| |
| 2012 |
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
---
lib/param/loadparm_server_role.c | 9 +--------
lib/param/param_enums.c | 1 -
libds/common/roles.h | 19 +++++++++++++++++--
source3/auth/auth.c | 6 ------
source3/param/loadparm.c | 4 ----
source3/utils/testparm.c | 6 ++----
6 files changed, 20 insertions(+), 25 deletions(-)
diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c
index 4ba54b9..9ff64be 100644
--- a/lib/param/loadparm_server_role.c
+++ b/lib/param/loadparm_server_role.c
@@ -73,13 +73,6 @@ int lp_find_server_role(int server_role, int security, int domain_logons, int do
role = ROLE_STANDALONE;
switch (security) {
- case SEC_SERVER:
- if (domain_logons) {
- DEBUG(0, ("Server's Role (logon server) conflicts with server-level security\n"));
- }
- /* this used to be considered ROLE_DOMAIN_MEMBER but that's just wrong */
- role = ROLE_STANDALONE;
- break;
case SEC_DOMAIN:
if (domain_logons) {
DEBUG(1, ("Server's Role (logon server) NOT ADVISED with domain-level security\n"));
@@ -157,7 +150,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
valid = true;
break;
case ROLE_STANDALONE:
- if (security == SEC_SERVER || security == SEC_USER) {
+ if (security == SEC_USER) {
valid = true;
}
break;
diff --git a/lib/param/param_enums.c b/lib/param/param_enums.c
index 36234ea..5f4cd61 100644
--- a/lib/param/param_enums.c
+++ b/lib/param/param_enums.c
@@ -46,7 +46,6 @@ static const struct enum_list enum_protocol[] = {
static const struct enum_list enum_security[] = {
{SEC_AUTO, "AUTO"},
{SEC_USER, "USER"},
- {SEC_SERVER, "SERVER"},
{SEC_DOMAIN, "DOMAIN"},
#if (defined(HAVE_ADS) || _SAMBA_BUILD_ >= 4)
{SEC_ADS, "ADS"},
diff --git a/libds/common/roles.h b/libds/common/roles.h
index 90281ba..9dc9a00 100644
--- a/libds/common/roles.h
+++ b/libds/common/roles.h
@@ -60,10 +60,25 @@ enum server_role {
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
- */
+ --------------
+ / \
+ / REST \
+ / IN \
+ / PEACE \
+ / \
+ | SEC_SERVER |
+ | security=server |
+ | |
+ | |
+ | 12 May |
+ | |
+ | 2012 |
+ *| * * * | *
+ _________)/\\_//(\/(/\)/\//\/\///|_)_______
+
+*/
enum security_types {SEC_AUTO = 0,
SEC_USER = 2,
- SEC_SERVER = 3,
SEC_DOMAIN = 4,
SEC_ADS = 5};
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 4b075a6..c442a53 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -494,12 +494,6 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
talloc_tos(), "guest sam winbind:ntdomain",
NULL);
break;
- case SEC_SERVER:
- DEBUG(5,("Making default auth method list for security=server\n"));
- auth_method_list = str_list_make_v3(
- talloc_tos(), "guest sam smbserver",
- NULL);
- break;
case SEC_USER:
if (lp_encrypted_passwords()) {
if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 7d82b61..a34e5d5 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -9049,10 +9049,6 @@ static bool lp_load_ex(const char *pszFname,
set_allowed_client_auth();
- if (lp_security() == SEC_SERVER) {
- DEBUG(1, ("WARNING: The security=server option is deprecated\n"));
- }
-
if (lp_security() == SEC_ADS && strchr(lp_passwordserver(), ':')) {
DEBUG(1, ("WARNING: The optional ':port' in password server = %s is deprecated\n",
lp_passwordserver()));
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 9b224d4..b75fc61 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -129,11 +129,9 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.\n");
* Password server sanity checks.
*/
- if((lp_security() == SEC_SERVER || lp_security() >= SEC_DOMAIN) && !*lp_passwordserver()) {
+ if((lp_security() >= SEC_DOMAIN) && !*lp_passwordserver()) {
const char *sec_setting;
- if(lp_security() == SEC_SERVER)
- sec_setting = "server";
- else if(lp_security() == SEC_DOMAIN)
+ if(lp_security() == SEC_DOMAIN)
sec_setting = "domain";
else if(lp_security() == SEC_ADS)
sec_setting = "ads";
--
1.7.4.1
From 6226e1027df1e3c899965f3e21a1ff0bbfd9fcd9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sat, 12 May 2012 12:00:32 +0200
Subject: [PATCH 3/7] docs-xml: remove documentation of "SECURITY = SERVER"
metze
---
docs-xml/smbdotconf/security/security.xml | 32 -----------------------------
1 files changed, 0 insertions(+), 32 deletions(-)
diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml
index 2575d77..453de94 100644
--- a/docs-xml/smbdotconf/security/security.xml
+++ b/docs-xml/smbdotconf/security/security.xml
@@ -79,38 +79,6 @@
<para>See also the <smbconfoption name="password server"/> parameter and
the <smbconfoption name="encrypted passwords"/> parameter.</para>
- <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
-
- <para>
- In this depicted mode Samba will try to validate the username/password by passing it to another SMB server, such as an
- NT box. If this fails it will revert to <command moreinfo="none">security = user</command>. It expects the
- <smbconfoption name="encrypted passwords"/> parameter to be set to <constant>yes</constant>, unless the remote
- server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot
- revert back to checking the UNIX password file, it must have a valid <filename
- moreinfo="none">smbpasswd</filename> file to check users against. See the chapter about the User Database in
- the Samba HOWTO Collection for details on how to set this up.
-</para>
-
- <note><para>This mode of operation has
- significant pitfalls since it is more vulnerable to
- man-in-the-middle attacks and server impersonation. In particular,
- this mode of operation can cause significant resource consumption on
- the PDC, as it must maintain an active connection for the duration
- of the user's session. Furthermore, if this connection is lost,
- there is no way to reestablish it, and further authentications to the
- Samba server may fail (from a single client, till it disconnects).
- </para></note>
-
- <note><para>If the client selects NTLMv2 authentication, then this mode of operation <emphasis>will fail</emphasis>
- </para></note>
-
- <note><para>From the client's point of
- view, <command moreinfo="none">security = server</command> is the
- same as <command moreinfo="none">security = user</command>. It
- only affects how the server deals with the authentication, it does
- not in any way affect what the client sees.</para></note>
-
- <note><para>This option is deprecated, and may be removed in future</para></note>
<para><emphasis>Note</emphasis> that the name of the resource being
requested is <emphasis>not</emphasis> sent to the server until after
--
1.7.4.1
From 2242c5395098f1c40235b5ea3112f49f81183bc3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sat, 12 May 2012 12:01:03 +0200
Subject: [PATCH 4/7] s3:auth: remove unused auth_server.c
metze
---
source3/Makefile.in | 5 -
source3/auth/auth_server.c | 487 --------------------------------------------
source3/auth/proto.h | 4 -
source3/auth/wscript_build | 9 -
source3/configure.in | 2 -
source3/wscript | 2 +-
6 files changed, 1 insertions(+), 508 deletions(-)
delete mode 100644 source3/auth/auth_server.c
diff --git a/source3/Makefile.in b/source3/Makefile.in
index f7c2952..e8050d0 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -906,7 +906,6 @@ DCUTIL_OBJ = libsmb/namequery_dc.o libsmb/trustdom_cache.o libsmb/trusts_util.o
AUTH_BUILTIN_OBJ = auth/auth_builtin.o
AUTH_DOMAIN_OBJ = auth/auth_domain.o
AUTH_SAM_OBJ = auth/auth_sam.o auth/check_samsec.o
-AUTH_SERVER_OBJ = auth/auth_server.o
AUTH_UNIX_OBJ = auth/auth_unix.o
AUTH_WINBIND_OBJ = auth/auth_winbind.o
AUTH_WBC_OBJ = auth/auth_wbc.o
@@ -2864,10 +2863,6 @@ bin/netlogond. at SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_NETLOGOND_OBJ)
@echo "Building plugin $@"
@$(SHLD_MODULE) $(AUTH_NETLOGOND_OBJ)
-bin/smbserver. at SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_SERVER_OBJ)
- @echo "Building plugin $@"
- @$(SHLD_MODULE) $(AUTH_SERVER_OBJ)
-
bin/winbind. at SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_WINBIND_OBJ)
@echo "Building plugin $@"
@$(SHLD_MODULE) $(AUTH_WINBIND_OBJ)
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c
deleted file mode 100644
index 3bd69cd..0000000
--- a/source3/auth/auth_server.c
+++ /dev/null
@@ -1,487 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- Authenticate to a remote server
- Copyright (C) Andrew Tridgell 1992-1998
- Copyright (C) Andrew Bartlett 2001
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "auth.h"
-#include "system/passwd.h"
-#include "smbd/smbd.h"
-#include "libsmb/libsmb.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_AUTH
-
-extern userdom_struct current_user_info;
-
-/****************************************************************************
- Support for server level security.
-****************************************************************************/
-
-static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx)
-{
- struct cli_state *cli = NULL;
- char *desthost = NULL;
- struct sockaddr_storage dest_ss;
- const char *p;
- char *pserver = NULL;
- bool connected_ok = False;
- struct named_mutex *mutex = NULL;
- NTSTATUS status;
- /* security = server just can't function with spnego */
- int flags = CLI_FULL_CONNECTION_DONT_SPNEGO;
- uint16_t sec_mode = 0;
-
- pserver = talloc_strdup(mem_ctx, lp_passwordserver());
- p = pserver;
-
- while(next_token_talloc(mem_ctx, &p, &desthost, LIST_SEP)) {
-
- desthost = talloc_sub_basic(mem_ctx,
- current_user_info.smb_name,
- current_user_info.domain,
- desthost);
- if (!desthost) {
- return NULL;
- }
- strupper_m(desthost);
-
- if (strequal(desthost, myhostname())) {
- DEBUG(1,("Password server loop - disabling "
- "password server %s\n", desthost));
- continue;
- }
-
- if(!resolve_name( desthost, &dest_ss, 0x20, false)) {
- DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost));
- continue;
- }
-
- if (ismyaddr((struct sockaddr *)(void *)&dest_ss)) {
- DEBUG(1,("Password server loop - disabling password server %s\n",desthost));
- continue;
- }
-
- /* we use a mutex to prevent two connections at once - when a
- Win2k PDC get two connections where one hasn't completed a
- session setup yet it will send a TCP reset to the first
- connection (tridge) */
-
- mutex = grab_named_mutex(talloc_tos(), desthost, 10);
- if (mutex == NULL) {
- return NULL;
- }
-
- status = cli_connect_nb(desthost, &dest_ss, 0, 0x20,
- lp_netbios_name(), SMB_SIGNING_DEFAULT,
- flags, &cli);
- if (NT_STATUS_IS_OK(status)) {
- DEBUG(3,("connected to password server %s\n",desthost));
- connected_ok = True;
- break;
- }
- DEBUG(10,("server_cryptkey: failed to connect to server %s. Error %s\n",
- desthost, nt_errstr(status) ));
- TALLOC_FREE(mutex);
- }
-
- if (!connected_ok) {
- DEBUG(0,("password server not available\n"));
- return NULL;
- }
-
- DEBUG(3,("got session\n"));
-
- status = cli_negprot(cli, PROTOCOL_NT1);
-
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(mutex);
- DEBUG(1, ("%s rejected the negprot: %s\n",
- desthost, nt_errstr(status)));
- cli_shutdown(cli);
- return NULL;
- }
-
- sec_mode = cli_state_security_mode(cli);
- if (cli_state_protocol(cli) < PROTOCOL_LANMAN2 ||
- !(sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
- TALLOC_FREE(mutex);
- DEBUG(1,("%s isn't in user level security mode\n",desthost));
- cli_shutdown(cli);
- return NULL;
- }
-
- /* Get the first session setup done quickly, to avoid silly
- Win2k bugs. (The next connection to the server will kill
- this one...
- */
-
- status = cli_session_setup(cli, "", "", 0, "", 0, "");
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(mutex);
- DEBUG(0,("%s rejected the initial session setup (%s)\n",
- desthost, nt_errstr(status)));
- cli_shutdown(cli);
- return NULL;
- }
-
- TALLOC_FREE(mutex);
-
- DEBUG(3,("password server OK\n"));
-
- return cli;
-}
-
-struct server_security_state {
- struct cli_state *cli;
-};
-
-/****************************************************************************
- Send a 'keepalive' packet down the cli pipe.
-****************************************************************************/
-
-static bool send_server_keepalive(const struct timeval *now,
- void *private_data)
-{
- struct server_security_state *state = talloc_get_type_abort(
- private_data, struct server_security_state);
- NTSTATUS status;
- unsigned char garbage[16];
-
- if (!cli_state_is_connected(state->cli)) {
- return false;
- }
-
- /* Ping the server to keep the connection alive using SMBecho. */
- memset(garbage, 0xf0, sizeof(garbage));
- status = cli_echo(state->cli, 1, data_blob_const(garbage, sizeof(garbage)));
- if (NT_STATUS_IS_OK(status)) {
- return true;
- }
-
- DEBUG(2,("send_server_keepalive: password server SMBecho failed: %s\n",
- nt_errstr(status)));
- cli_shutdown(state->cli);
- state->cli = NULL;
- return false;
-}
-
-static int destroy_server_security(struct server_security_state *state)
-{
- if (state->cli) {
- cli_shutdown(state->cli);
- }
- return 0;
-}
-
-static struct server_security_state *make_server_security_state(struct cli_state *cli)
-{
- struct server_security_state *result;
-
- if (!(result = talloc(NULL, struct server_security_state))) {
- DEBUG(0, ("talloc failed\n"));
- cli_shutdown(cli);
- return NULL;
- }
-
- result->cli = cli;
- talloc_set_destructor(result, destroy_server_security);
-
- if (lp_keepalive() != 0) {
- struct timeval interval;
- interval.tv_sec = lp_keepalive();
- interval.tv_usec = 0;
-
- if (event_add_idle(server_event_context(), result, interval,
- "server_security_keepalive",
- send_server_keepalive,
- result) == NULL) {
- DEBUG(0, ("event_add_idle failed\n"));
- TALLOC_FREE(result);
- return NULL;
- }
- }
-
- return result;
-}
-
-/****************************************************************************
- Get the challenge out of a password server.
-****************************************************************************/
-
-static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_context,
- void **my_private_data,
- TALLOC_CTX *mem_ctx)
-{
- struct cli_state *cli = server_cryptkey(mem_ctx);
-
- if (cli) {
- uint16_t sec_mode = cli_state_security_mode(cli);
- const uint8_t *server_challenge = cli_state_server_challenge(cli);
-
- DEBUG(3,("using password server validation\n"));
-
- if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
- /* We can't work with unencrypted password servers
- unless 'encrypt passwords = no' */
- DEBUG(5,("make_auth_info_server: Server is unencrypted, no challenge available..\n"));
-
- /* However, it is still a perfectly fine connection
- to pass that unencrypted password over */
- *my_private_data =
- (void *)make_server_security_state(cli);
- return data_blob_null;
- }
-
- if (!(*my_private_data = (void *)make_server_security_state(cli))) {
- return data_blob(NULL,0);
- }
-
- /* The return must be allocated on the caller's mem_ctx, as our own will be
- destoyed just after the call. */
- return data_blob_talloc(discard_const_p(TALLOC_CTX, auth_context), server_challenge ,8);
- } else {
- return data_blob_null;
- }
-}
-
-
-/****************************************************************************
- Check for a valid username and password in security=server mode.
- - Validate a password with the password server.
-****************************************************************************/
-
-static NTSTATUS check_smbserver_security(const struct auth_context *auth_context,
- void *my_private_data,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
-{
- struct server_security_state *state = NULL;
- struct cli_state *cli = NULL;
- static bool tested_password_server = False;
- static bool bad_password_server = False;
- NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
- bool locally_made_cli = False;
- uint16_t sec_mode = 0;
-
- DEBUG(10, ("check_smbserver_security: Check auth for: [%s]\n",
- user_info->mapped.account_name));
-
- if (my_private_data == NULL) {
- DEBUG(10,("check_smbserver_security: "
- "password server is not connected\n"));
- return NT_STATUS_LOGON_FAILURE;
- }
-
- state = talloc_get_type_abort(my_private_data, struct server_security_state);
- cli = state->cli;
-
- if (cli) {
- } else {
- cli = server_cryptkey(mem_ctx);
- locally_made_cli = True;
- }
-
- if (!cli_state_is_connected(cli)) {
- DEBUG(1,("password server is not connected (cli not initialised)\n"));
- return NT_STATUS_LOGON_FAILURE;
- }
-
- sec_mode = cli_state_security_mode(cli);
- if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
- if (user_info->password_state != AUTH_PASSWORD_PLAIN) {
- DEBUG(1,("password server %s is plaintext, but we are encrypted. This just can't work :-(\n", cli_state_remote_name(cli)));
- return NT_STATUS_LOGON_FAILURE;
- }
- } else {
- const uint8_t *server_challenge = cli_state_server_challenge(cli);
-
- if (memcmp(server_challenge, auth_context->challenge.data, 8) != 0) {
- DEBUG(1,("the challenge that the password server (%s) supplied us is not the one we gave our client. This just can't work :-(\n", cli_state_remote_name(cli)));
- return NT_STATUS_LOGON_FAILURE;
- }
- }
-
- /*
- * Attempt a session setup with a totally incorrect password.
- * If this succeeds with the guest bit *NOT* set then the password
- * server is broken and is not correctly setting the guest bit. We
- * need to detect this as some versions of NT4.x are broken. JRA.
- */
-
- /* I sure as hell hope that there aren't servers out there that take
- * NTLMv2 and have this bug, as we don't test for that...
- * - abartlet at samba.org
- */
-
- if ((!tested_password_server) && (lp_paranoid_server_security())) {
- unsigned char badpass[24];
- char *baduser = NULL;
-
- memset(badpass, 0x1f, sizeof(badpass));
-
- if((user_info->password.response.nt.length == sizeof(badpass)) &&
- !memcmp(badpass, user_info->password.response.nt.data, sizeof(badpass))) {
- /*
- * Very unlikely, our random bad password is the same as the users
- * password.
- */
- memset(badpass, badpass[0]+1, sizeof(badpass));
- }
-
- baduser = talloc_asprintf(mem_ctx,
- "%s%s",
- INVALID_USER_PREFIX,
- lp_netbios_name());
- if (!baduser) {
- return NT_STATUS_NO_MEMORY;
- }
-
- if (NT_STATUS_IS_OK(cli_session_setup(cli, baduser,
- (char *)badpass,
- sizeof(badpass),
- (char *)badpass,
- sizeof(badpass),
- user_info->mapped.domain_name))) {
-
- /*
- * We connected to the password server so we
- * can say we've tested it.
- */
- tested_password_server = True;
-
- if (!cli->is_guestlogin) {
- DEBUG(0,("server_validate: password server %s allows users as non-guest \
-with a bad password.\n", cli_state_remote_name(cli)));
- DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
-use this machine as the password server.\n"));
- cli_ulogoff(cli);
-
- /*
- * Password server has the bug.
- */
- bad_password_server = True;
- return NT_STATUS_LOGON_FAILURE;
- }
- cli_ulogoff(cli);
- }
- } else {
-
- /*
- * We have already tested the password server.
- * Fail immediately if it has the bug.
- */
-
- if(bad_password_server) {
- DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
-with a bad password.\n", cli_state_remote_name(cli)));
- DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
-use this machine as the password server.\n"));
- return NT_STATUS_LOGON_FAILURE;
- }
- }
-
- /*
- * Now we know the password server will correctly set the guest bit, or is
- * not guest enabled, we can try with the real password.
- */
- switch (user_info->password_state) {
- case AUTH_PASSWORD_PLAIN:
- /* Plaintext available */
- nt_status = cli_session_setup(
- cli, user_info->client.account_name,
- user_info->password.plaintext,
- strlen(user_info->password.plaintext),
- NULL, 0, user_info->mapped.domain_name);
- break;
-
- /* currently the hash values include a challenge-response as well */
- case AUTH_PASSWORD_HASH:
- case AUTH_PASSWORD_RESPONSE:
- nt_status = cli_session_setup(
- cli, user_info->client.account_name,
- (char *)user_info->password.response.lanman.data,
- user_info->password.response.lanman.length,
- (char *)user_info->password.response.nt.data,
- user_info->password.response.nt.length,
- user_info->mapped.domain_name);
- break;
- default:
- DEBUG(0,("user_info constructed for user '%s' was invalid - password_state=%u invalid.\n",user_info->mapped.account_name, user_info->password_state));
- nt_status = NT_STATUS_INTERNAL_ERROR;
- }
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(1,("password server %s rejected the password: %s\n",
- cli_state_remote_name(cli), nt_errstr(nt_status)));
- }
-
- /* if logged in as guest then reject */
- if (cli->is_guestlogin) {
- DEBUG(1,("password server %s gave us guest only\n",
- cli_state_remote_name(cli)));
- nt_status = NT_STATUS_LOGON_FAILURE;
- }
-
- cli_ulogoff(cli);
-
- if (NT_STATUS_IS_OK(nt_status)) {
- char *real_username = NULL;
- struct passwd *pass = NULL;
-
- if ( (pass = smb_getpwnam(talloc_tos(), user_info->mapped.account_name,
- &real_username, True )) != NULL )
- {
- nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
- TALLOC_FREE(pass);
- TALLOC_FREE(real_username);
- }
- else
- {
- nt_status = NT_STATUS_NO_SUCH_USER;
- }
- }
-
- if (locally_made_cli) {
- cli_shutdown(cli);
- }
-
- return(nt_status);
-}
-
-static NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
-{
- struct auth_methods *result;
-
- result = talloc_zero(auth_context, struct auth_methods);
- if (result == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- result->name = "smbserver";
- result->auth = check_smbserver_security;
- result->get_chal = auth_get_challenge_server;
-
- *auth_method = result;
- return NT_STATUS_OK;
-}
-
-NTSTATUS auth_server_init(void)
-{
- return smb_register_auth(AUTH_INTERFACE_VERSION, "smbserver", auth_init_smbserver);
-}
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 2754e86..d383f38 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -140,10 +140,6 @@ NTSTATUS check_sam_security_info3(const DATA_BLOB *challenge,
struct netr_SamInfo3 **pinfo3);
NTSTATUS auth_sam_init(void);
-/* The following definitions come from auth/auth_server.c */
-
-NTSTATUS auth_server_init(void);
-
/* The following definitions come from auth/auth_unix.c */
NTSTATUS auth_unix_init(void);
diff --git a/source3/auth/wscript_build b/source3/auth/wscript_build
index cf0db42..54d710c 100644
--- a/source3/auth/wscript_build
+++ b/source3/auth/wscript_build
@@ -3,7 +3,6 @@
AUTH_BUILTIN_SRC = 'auth_builtin.c'
AUTH_DOMAIN_SRC = 'auth_domain.c'
AUTH_SAM_SRC = 'auth_sam.c'
-AUTH_SERVER_SRC = 'auth_server.c'
AUTH_UNIX_SRC = 'auth_unix.c'
AUTH_WINBIND_SRC = 'auth_winbind.c'
AUTH_WBC_SRC = 'auth_wbc.c'
@@ -69,14 +68,6 @@ bld.SAMBA3_MODULE('auth_wbc',
internal_module=bld.SAMBA3_IS_STATIC_MODULE('auth_wbc'),
enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_wbc'))
-bld.SAMBA3_MODULE('auth_server',
- subsystem='auth',
- source=AUTH_SERVER_SRC,
- deps='samba-util',
- init_function='',
- internal_module=bld.SAMBA3_IS_STATIC_MODULE('auth_server'),
- enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_server'))
-
bld.SAMBA3_MODULE('auth_domain',
subsystem='auth',
source=AUTH_DOMAIN_SRC,
diff --git a/source3/configure.in b/source3/configure.in
index c1564a5..2794990 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -433,7 +433,6 @@ default_static_modules="$default_static_modules auth_sam"
default_static_modules="$default_static_modules auth_unix"
default_static_modules="$default_static_modules auth_winbind"
default_static_modules="$default_static_modules auth_wbc"
-default_static_modules="$default_static_modules auth_server"
default_static_modules="$default_static_modules auth_domain"
default_static_modules="$default_static_modules auth_builtin"
default_static_modules="$default_static_modules vfs_default"
@@ -6496,7 +6495,6 @@ SMB_MODULE(auth_sam, \$(AUTH_SAM_OBJ), "bin/sam.$SHLIBEXT", AUTH)
SMB_MODULE(auth_unix, \$(AUTH_UNIX_OBJ), "bin/unix.$SHLIBEXT", AUTH)
SMB_MODULE(auth_winbind, \$(AUTH_WINBIND_OBJ), "bin/winbind.$SHLIBEXT", AUTH)
SMB_MODULE(auth_wbc, \$(AUTH_WBC_OBJ), "bin/wbc.$SHLIBEXT", AUTH)
-SMB_MODULE(auth_server, \$(AUTH_SERVER_OBJ), "bin/smbserver.$SHLIBEXT", AUTH)
SMB_MODULE(auth_domain, \$(AUTH_DOMAIN_OBJ), "bin/domain.$SHLIBEXT", AUTH)
SMB_MODULE(auth_builtin, \$(AUTH_BUILTIN_OBJ), "bin/builtin.$SHLIBEXT", AUTH)
SMB_MODULE(auth_script, \$(AUTH_SCRIPT_OBJ), "bin/script.$SHLIBEXT", AUTH)
diff --git a/source3/wscript b/source3/wscript
index 46aa582..8bf378c 100755
--- a/source3/wscript
+++ b/source3/wscript
@@ -1376,7 +1376,7 @@ main() {
# if we include the module loader in iconv
default_static_modules=TO_LIST('''pdb_smbpasswd pdb_tdbsam pdb_wbc_sam
- auth_sam auth_unix auth_winbind auth_wbc auth_server
+ auth_sam auth_unix auth_winbind auth_wbc
auth_domain auth_builtin vfs_default
nss_info_template idmap_tdb idmap_passdb
idmap_nss''')
--
1.7.4.1
From 48556d6fc04e61fad3977ecf02bfe6fbf083839d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sat, 12 May 2012 12:01:18 +0200
Subject: [PATCH 5/7] s4:auth: remove unused auth_server.c
metze
---
source4/auth/ntlm/auth_server.c | 237 ---------------------------------------
source4/auth/ntlm/wscript_build | 8 --
2 files changed, 0 insertions(+), 245 deletions(-)
delete mode 100644 source4/auth/ntlm/auth_server.c
diff --git a/source4/auth/ntlm/auth_server.c b/source4/auth/ntlm/auth_server.c
deleted file mode 100644
index 9e1ceae..0000000
--- a/source4/auth/ntlm/auth_server.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- Authenticate by using a remote server
- Copyright (C) Andrew Bartlett 2001-2002, 2008
- Copyright (C) Jelmer Vernooij 2002
- Copyright (C) Stefan Metzmacher 2005
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "auth/auth.h"
-#include "auth/credentials/credentials.h"
-#include "libcli/security/security.h"
-#include "libcli/smb_composite/smb_composite.h"
-#include "param/param.h"
-#include "libcli/resolve/resolve.h"
-
-_PUBLIC_ NTSTATUS auth4_server_init(void);
-
-/* This version of 'security=server' rewirtten from scratch for Samba4
- * libraries in 2008 */
-
-
-static NTSTATUS server_want_check(struct auth_method_context *ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info)
-{
- return NT_STATUS_OK;
-}
-/**
- * The challenge from the target server, when operating in security=server
- **/
-static NTSTATUS server_get_challenge(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, uint8_t chal[8])
-{
- struct smb_composite_connect io;
- struct smbcli_options smb_options;
- const char **host_list;
- NTSTATUS status;
-
- /* Make a connection to the target server, found by 'password server' in smb.conf */
-
- lpcfg_smbcli_options(ctx->auth_ctx->lp_ctx, &smb_options);
-
- /* Make a negprot, WITHOUT SPNEGO, so we get a challenge nice an easy */
- io.in.options.use_spnego = false;
-
- /* Hope we don't get * (the default), as this won't work... */
- host_list = lpcfg_passwordserver(ctx->auth_ctx->lp_ctx);
- if (!host_list) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- io.in.dest_host = host_list[0];
- if (strequal(io.in.dest_host, "*")) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- io.in.dest_ports = lpcfg_smb_ports(ctx->auth_ctx->lp_ctx);
- io.in.socket_options = lpcfg_socket_options(ctx->auth_ctx->lp_ctx);
- io.in.gensec_settings = lpcfg_gensec_settings(mem_ctx, ctx->auth_ctx->lp_ctx);
-
- io.in.called_name = strupper_talloc(mem_ctx, io.in.dest_host);
-
- /* We don't want to get as far as the session setup */
- io.in.credentials = cli_credentials_init_anon(mem_ctx);
- cli_credentials_set_workstation(io.in.credentials,
- lpcfg_netbios_name(ctx->auth_ctx->lp_ctx),
- CRED_SPECIFIED);
-
- io.in.service = NULL;
-
- io.in.workgroup = ""; /* only used with SPNEGO, disabled above */
-
- io.in.options = smb_options;
-
- lpcfg_smbcli_session_options(ctx->auth_ctx->lp_ctx, &io.in.session_options);
-
- status = smb_composite_connect(&io, mem_ctx, lpcfg_resolve_context(ctx->auth_ctx->lp_ctx),
- ctx->auth_ctx->event_ctx);
- NT_STATUS_NOT_OK_RETURN(status);
-
- if (io.out.tree->session->transport->negotiate.secblob.length != 8) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- memcpy(chal, io.out.tree->session->transport->negotiate.secblob.data, 8);
- ctx->private_data = talloc_steal(ctx, io.out.tree->session);
- return NT_STATUS_OK;
-}
-
-/**
- * Return an error based on username
- *
- * This function allows the testing of obsure errors, as well as the generation
- * of NT_STATUS -> DOS error mapping tables.
- *
- * This module is of no value to end-users.
- *
- * The password is ignored.
- *
- * @return An NTSTATUS value based on the username
- **/
-
-static NTSTATUS server_check_password(struct auth_method_context *ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
- struct auth_user_info_dc **_user_info_dc)
-{
- NTSTATUS nt_status;
- struct auth_user_info_dc *user_info_dc;
- struct auth_user_info *info;
- struct cli_credentials *creds;
- struct smb_composite_sesssetup session_setup;
-
- struct smbcli_session *session = talloc_get_type(ctx->private_data, struct smbcli_session);
-
- creds = cli_credentials_init(mem_ctx);
-
- NT_STATUS_HAVE_NO_MEMORY(creds);
-
- cli_credentials_set_username(creds, user_info->client.account_name, CRED_SPECIFIED);
- cli_credentials_set_domain(creds, user_info->client.domain_name, CRED_SPECIFIED);
-
- switch (user_info->password_state) {
- case AUTH_PASSWORD_PLAIN:
- cli_credentials_set_password(creds, user_info->password.plaintext,
- CRED_SPECIFIED);
- break;
- case AUTH_PASSWORD_HASH:
- cli_credentials_set_nt_hash(creds, user_info->password.hash.nt,
- CRED_SPECIFIED);
- break;
-
- case AUTH_PASSWORD_RESPONSE:
- cli_credentials_set_ntlm_response(creds, &user_info->password.response.lanman, &user_info->password.response.nt, CRED_SPECIFIED);
- break;
- }
-
- session_setup.in.sesskey = session->transport->negotiate.sesskey;
- session_setup.in.capabilities = session->transport->negotiate.capabilities;
-
- session_setup.in.credentials = creds;
- session_setup.in.workgroup = ""; /* Only used with SPNEGO, which we are not doing */
- session_setup.in.gensec_settings = lpcfg_gensec_settings(session, ctx->auth_ctx->lp_ctx);
-
- /* Check password with remove server - this should be async some day */
- nt_status = smb_composite_sesssetup(session, &session_setup);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
- user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
-
- user_info_dc->num_sids = 1;
-
- /* This returns a pointer to a struct dom_sid, which is the
- * same as a 1 element list of struct dom_sid */
- user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
-
- /* annoying, but the Anonymous really does have a session key,
- and it is all zeros! */
- user_info_dc->user_session_key = data_blob(NULL, 0);
- user_info_dc->lm_session_key = data_blob(NULL, 0);
-
- user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
-
- info->account_name = talloc_strdup(user_info_dc, user_info->client.account_name);
- NT_STATUS_HAVE_NO_MEMORY(info->account_name);
-
- info->domain_name = talloc_strdup(user_info_dc, user_info->client.domain_name);
- NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
-
- info->full_name = NULL;
-
- info->logon_script = talloc_strdup(user_info_dc, "");
- NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
-
- info->profile_path = talloc_strdup(user_info_dc, "");
- NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
-
- info->home_directory = talloc_strdup(user_info_dc, "");
- NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
-
- info->home_drive = talloc_strdup(user_info_dc, "");
- NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
-
- info->last_logon = 0;
- info->last_logoff = 0;
- info->acct_expiry = 0;
- info->last_password_change = 0;
- info->allow_password_change = 0;
- info->force_password_change = 0;
-
- info->logon_count = 0;
- info->bad_password_count = 0;
-
- info->acct_flags = ACB_NORMAL;
-
- info->authenticated = false;
-
- *_user_info_dc = user_info_dc;
-
- return nt_status;
-}
-
-static const struct auth_operations server_auth_ops = {
- .name = "server",
- .get_challenge = server_get_challenge,
- .want_check = server_want_check,
- .check_password = server_check_password
-};
-
-_PUBLIC_ NTSTATUS auth4_server_init(void)
-{
- NTSTATUS ret;
-
- ret = auth_register(&server_auth_ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register 'server' auth backend!\n"));
- return ret;
- }
-
- return ret;
-}
diff --git a/source4/auth/ntlm/wscript_build b/source4/auth/ntlm/wscript_build
index 8a8bfcb..2745094 100644
--- a/source4/auth/ntlm/wscript_build
+++ b/source4/auth/ntlm/wscript_build
@@ -16,14 +16,6 @@ bld.SAMBA_MODULE('auth4_anonymous',
)
-bld.SAMBA_MODULE('auth4_server',
- source='auth_server.c',
- subsystem='auth4',
- init_function='auth4_server_init',
- deps='samba-util LIBCLI_SMB CREDENTIALS_NTLM param_options'
- )
-
-
bld.SAMBA_MODULE('auth4_winbind',
source='auth_winbind.c',
subsystem='auth4',
--
1.7.4.1
From 79a22a050a316bbdac8c58436e310024bb389463 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sat, 12 May 2012 12:53:34 +0200
Subject: [PATCH 6/7] s4:ntvfs/cifs: remove misleading comment regarding security=server
metze
---
source4/ntvfs/cifs/vfs_cifs.c | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/source4/ntvfs/cifs/vfs_cifs.c b/source4/ntvfs/cifs/vfs_cifs.c
index 72dff99..fb7a485 100644
--- a/source4/ntvfs/cifs/vfs_cifs.c
+++ b/source4/ntvfs/cifs/vfs_cifs.c
@@ -179,7 +179,6 @@ static NTSTATUS cvfs_connect(struct ntvfs_module_context *ntvfs,
/* Here we need to determine which server to connect to.
* For now we use parametric options, type cifs.
- * Later we will use security=server and auth_server.c.
*/
host = share_string_option(scfg, CIFS_SERVER, NULL);
user = share_string_option(scfg, CIFS_USER, NULL);
--
1.7.4.1
From adc195504c3a16cd837bf3329ed870a13adb9a67 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sat, 12 May 2012 12:53:34 +0200
Subject: [PATCH 7/7] s4:ntvfs/smb2: remove misleading comment regarding security=server
metze
---
source4/ntvfs/smb2/vfs_smb2.c | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/source4/ntvfs/smb2/vfs_smb2.c b/source4/ntvfs/smb2/vfs_smb2.c
index 889c534..67a8449 100644
--- a/source4/ntvfs/smb2/vfs_smb2.c
+++ b/source4/ntvfs/smb2/vfs_smb2.c
@@ -191,7 +191,6 @@ static NTSTATUS cvfs_connect(struct ntvfs_module_context *ntvfs,
/* Here we need to determine which server to connect to.
* For now we use parametric options, type cifs.
- * Later we will use security=server and auth_server.c.
*/
host = share_string_option(scfg, SMB2_SERVER, NULL);
user = share_string_option(scfg, SMB2_USER, NULL);
--
1.7.4.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120512/a78f04a4/attachment.pgp>
More information about the samba-technical
mailing list