RFC/WIP: NTLMSSP passthrough + user@realm credentials

Stefan Metzmacher metze at samba.org
Fri Oct 21 14:12:53 UTC 2016


Hi,

>> The attached patch seems to fix
>> https://bugzilla.samba.org/show_bug.cgi?id=12375 - authenticating
>> clients by a member server using user@realm credentials.
>>
>> In essence, the client passes an empty domain and upn@realm as user, and
>> those need to be passed untouched to the netlogon server.
>>
>> The patch seems to make it work, but I feel I don't have the big
>> picture, and would like to receive comments on:
>> - Whether there are any flags to be looked at instead of the heuristic
>> that the domain is empty and user contains '@'
> 
> We don't use any flags when dealing with the name, all existing
> code uses heuristics on the name string.
> 
>> - If heuristic - do we already have functions to parse and classify a
>> user name
> 
> Nope. All cases currently just do a strchr(name, '@').
> The only special case taken care of I can see is checking
> if lp_winbind_separator() != '@' (it would obviously
> break in this case). Maybe a common utility function doing
> the parsing might help.
> 
>> - Interaction with user mapping
> 
> Why are you avoiding the map_username() in the upn case ?
> 
> I think map_username() should just get access to the 'raw'
> passed in DOMAIN\username (even if it's a \upn@realm name)
> to allow the admin to explicitly map to a local user.
> 
> Other than that this looks really good to me. Do we
> currently have a test for this ? If not, then I think we
> do need tests for this before it goes in.
> 
> If you have good ideas on what tests we need I'm happy
> to work on them with you.

Andreas and I are working on related things for the client side
in order to be able to create tests.

The first step is to pass the relevant details from the
command line to the gensec layer.

As a start I've made 'struct user_auth_info' private;
this will hopefully allow us to use cli_credentials internally
in struct user_auth_info.

Please review and push.

Thanks!
metze
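The quoted discussion above notes that existing code only does strchr(name, '@') and that the heuristic breaks when lp_winbind_separator() is '@'. The following is an added illustration, not Samba code, of what a common classification helper could look like: classify_auth_name() and auth_name_realm() are hypothetical names, and the 'separator' argument stands in for lp_winbind_separator().

```c
#include <stddef.h>
#include <string.h>
/* Constructed classification of a raw (domain, user) pair; not a Samba type. */
enum name_form {
	NAME_FORM_PLAIN,     /* "user": no domain, no usable '@' */
	NAME_FORM_DOMAIN,    /* non-empty domain field or DOMAIN<sep>user */
	NAME_FORM_UPN,       /* empty domain and "user@realm" */
	NAME_FORM_AMBIGUOUS  /* '@' present but '@' is also the separator */
};
/* 'separator' stands in for lp_winbind_separator(); when it is '@' the
 * '@'-based UPN heuristic cannot be trusted, so that is reported rather than
 * guessed.  For NAME_FORM_UPN, *realm points into 'user' after the '@'. */
enum name_form classify_auth_name(const char *domain, const char *user,
				  char separator, const char **realm)
{
	const char *at;
	if (realm != NULL) {
		*realm = NULL;
	}
	if (user == NULL) {
		return NAME_FORM_PLAIN;
	}
	if (domain != NULL && domain[0] != '\0') {
		return NAME_FORM_DOMAIN;
	}
	at = strchr(user, '@');
	if (at != NULL && separator == '@') {
		return NAME_FORM_AMBIGUOUS;
	}
	if (separator != '\0' && strchr(user, separator) != NULL) {
		return NAME_FORM_DOMAIN;  /* DOMAIN<sep>user, pass on untouched */
	}
	if (at == NULL || at == user || at[1] == '\0') {
		return NAME_FORM_PLAIN;   /* no usable "user@realm" split */
	}
	if (realm != NULL) {
		*realm = at + 1;
	}
	return NAME_FORM_UPN;
}
/* Realm part of a UPN-form name, or NULL for any other form. */
const char *auth_name_realm(const char *domain, const char *user, char sep)
{
	const char *realm = NULL;
	return classify_auth_name(domain, user, sep, &realm) == NAME_FORM_UPN
		? realm : NULL;
}
```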
-------------- next part --------------
From 4a667fd421e6a8774b8afdca09ecf2eace8aedf5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 21 Oct 2016 10:16:26 +0200
Subject: [PATCH 1/5] s3:util_cmdline: add
 set_cmdline_auth_info_signing_state_raw() helper function

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/include/auth_info.h | 2 ++
 source3/lib/util_cmdline.c  | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/source3/include/auth_info.h b/source3/include/auth_info.h
index d8d8317..5764bb8 100644
--- a/source3/include/auth_info.h
+++ b/source3/include/auth_info.h
@@ -46,6 +46,8 @@ void set_cmdline_auth_info_password(struct user_auth_info *auth_info,
 const char *get_cmdline_auth_info_password(const struct user_auth_info *auth_info);
 bool set_cmdline_auth_info_signing_state(struct user_auth_info *auth_info,
 					 const char *arg);
+void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info,
+					     int signing_state);
 int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info);
 void set_cmdline_auth_info_use_ccache(struct user_auth_info *auth_info,
 				      bool b);
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
index 3ef1d09..0948bb7 100644
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -162,6 +162,12 @@ bool set_cmdline_auth_info_signing_state(struct user_auth_info *auth_info,
 	return true;
 }
 
+void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info,
+					     int signing_state)
+{
+	auth_info->signing_state = signing_state;
+}
+
 int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
 {
 	return auth_info->signing_state;
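Review bot: set_cmdline_auth_info_signing_state_raw() stores whatever int it is given, unlike set_cmdline_auth_info_signing_state() directly above it, which parses the string form and reports success with a bool. Since the only caller in this series passes SMB_SIGNING_IPC_DEFAULT, a one-line comment on the declaration stating that the argument must already be a valid SMB_SIGNING_* value would make the "raw" contract explicit for future callers.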
-- 
1.9.1


From 09fd5b8f92cd3df8fe6abd0733d383d2e05b4219 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 21 Oct 2016 10:17:04 +0200
Subject: [PATCH 2/5] s3:lib/netapi: make use of
 set_cmdline_auth_info_signing_state_raw()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/lib/netapi/cm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
index 7e16b4d..2649422 100644
--- a/source3/lib/netapi/cm.c
+++ b/source3/lib/netapi/cm.c
@@ -88,7 +88,7 @@ static WERROR libnetapi_open_ipc_connection(struct libnetapi_ctx *ctx,
 	if (!auth_info) {
 		return WERR_NOT_ENOUGH_MEMORY;
 	}
-	auth_info->signing_state = SMB_SIGNING_IPC_DEFAULT;
+	set_cmdline_auth_info_signing_state_raw(auth_info, SMB_SIGNING_IPC_DEFAULT);
 	set_cmdline_auth_info_use_kerberos(auth_info, ctx->use_kerberos);
 	set_cmdline_auth_info_username(auth_info, ctx->username);
 	if (ctx->password) {
-- 
1.9.1


From 9e948cdfc014e4f7ddf28f553b75309abb19c641 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 21 Oct 2016 10:17:59 +0200
Subject: [PATCH 3/5] s3:libsmb: make use of get_cmdline_auth_info_* helper
 functions in get_ipc_connect()

We should avoid dereferencing struct user_auth_info.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/libsmb/cliconnect.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index e6deb9d..e15f676 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -3673,14 +3673,14 @@ struct cli_state *get_ipc_connect(char *server,
 	NTSTATUS nt_status;
 	uint32_t flags = CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK;
 
-	if (user_info->use_kerberos) {
+	if (get_cmdline_auth_info_use_kerberos(user_info)) {
 		flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
 	}
 
 	nt_status = cli_full_connection(&cli, NULL, server, server_ss, 0, "IPC$", "IPC", 
-					user_info->username ? user_info->username : "",
+					get_cmdline_auth_info_username(user_info),
 					lp_workgroup(),
-					user_info->password ? user_info->password : "",
+					get_cmdline_auth_info_password(user_info),
 					flags,
 					SMB_SIGNING_DEFAULT);
 
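Review bot: the removed expressions fell back to "" when user_info->username or user_info->password was NULL, and the getter return values are now handed straight to cli_full_connection(). Please confirm that get_cmdline_auth_info_username() and get_cmdline_auth_info_password() never return NULL for an unset field (for example because user_auth_info_init() initialises them to ""); otherwise keep the `? : ""` fallback around the getter calls.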
-- 
1.9.1


From 5d163315e0c8ccc61e2066446cd797f6dd969f40 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 21 Oct 2016 10:17:59 +0200
Subject: [PATCH 4/5] s3:libsmb: make use of proper allocated struct
 user_auth_info in SMBC_opendir_ctx()

We should avoid dereferencing struct user_auth_info.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/libsmb/libsmb_dir.c | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
index 714a97c..dd37a24 100644
--- a/source3/libsmb/libsmb_dir.c
+++ b/source3/libsmb/libsmb_dir.c
@@ -464,7 +464,7 @@ SMBC_opendir_ctx(SMBCCTX *context,
                 int max_lmb_count;
                 struct sockaddr_storage *ip_list;
                 struct sockaddr_storage server_addr;
-                struct user_auth_info u_info;
+                struct user_auth_info *u_info;
 		NTSTATUS status;
 
 		if (share[0] != (char)0 || path[0] != (char)0) {
@@ -483,17 +483,12 @@ SMBC_opendir_ctx(SMBCCTX *context,
                                  ? INT_MAX
                                  : smbc_getOptionBrowseMaxLmbCount(context));
 
-		memset(&u_info, '\0', sizeof(u_info));
-		u_info.username = talloc_strdup(frame,user);
-		u_info.password = talloc_strdup(frame,password);
-		if (!u_info.username || !u_info.password) {
-			if (dir) {
-				SAFE_FREE(dir->fname);
-				SAFE_FREE(dir);
-			}
-			TALLOC_FREE(frame);
+		u_info = user_auth_info_init(frame);
+		if (u_info == NULL) {
 			return NULL;
 		}
+		set_cmdline_auth_info_username(u_info, user);
+		set_cmdline_auth_info_password(u_info, password);
 
 		/*
                  * We have server and share and path empty but options
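Review bot: the error path lost its cleanup: the removed code freed dir->fname and dir and did TALLOC_FREE(frame) before returning NULL when the string copies failed, while the new `if (u_info == NULL)` branch returns NULL with none of that, leaking dir and the talloc frame. Suggest keeping `if (dir) { SAFE_FREE(dir->fname); SAFE_FREE(dir); }` and `TALLOC_FREE(frame);` ahead of the `return NULL;`. Note also that the talloc_strdup() failures the old code checked are no longer detectable here, since set_cmdline_auth_info_password() is declared void (see the auth_info.h context in patch 1).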
@@ -550,7 +545,7 @@ SMBC_opendir_ctx(SMBCCTX *context,
 
                         cli = get_ipc_connect_master_ip(talloc_tos(),
 							&ip_list[i],
-                                                        &u_info,
+                                                        u_info,
 							&wg_ptr);
 			/* cli == NULL is the master browser refused to talk or
 			   could not be found */
-- 
1.9.1


From a6908cc934f98479f86b03058903398608316325 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 21 Oct 2016 10:23:21 +0200
Subject: [PATCH 5/5] s3:util_cmdline: make struct user_auth_info private to
 util_cmdline.c

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/include/auth_info.h | 14 +-------------
 source3/lib/util_cmdline.c  | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/source3/include/auth_info.h b/source3/include/auth_info.h
index 5764bb8..04ac422 100644
--- a/source3/include/auth_info.h
+++ b/source3/include/auth_info.h
@@ -20,19 +20,7 @@
 #ifndef _AUTH_INFO_H
 #define _AUTH_INFO_H
 
-struct user_auth_info {
-	char *username;
-	char *domain;
-	char *password;
-	bool got_pass;
-	bool use_kerberos;
-	int signing_state;
-	bool smb_encrypt;
-	bool use_machine_account;
-	bool fallback_after_kerberos;
-	bool use_ccache;
-	bool use_pw_nt_hash;
-};
+struct user_auth_info;
 
 struct user_auth_info *user_auth_info_init(TALLOC_CTX *mem_ctx);
 const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info);
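Review bot: with the struct now opaque, any remaining stack instance (as libsmb_dir.c had before patch 4), sizeof() use or direct field access (as cliconnect.c had before patch 3) outside util_cmdline.c will stop compiling, which is the intended safety net. Worth grepping the tree for other `struct user_auth_info` users before pushing, because the compiler only catches the ones in targets that are actually built.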
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
index 0948bb7..68ba7aa 100644
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -30,6 +30,20 @@
   Used mainly in client tools.
 ****************************************************************************/
 
+struct user_auth_info {
+	char *username;
+	char *domain;
+	char *password;
+	bool got_pass;
+	bool use_kerberos;
+	int signing_state;
+	bool smb_encrypt;
+	bool use_machine_account;
+	bool fallback_after_kerberos;
+	bool use_ccache;
+	bool use_pw_nt_hash;
+};
+
 struct user_auth_info *user_auth_info_init(TALLOC_CTX *mem_ctx)
 {
 	struct user_auth_info *result;
-- 
1.9.1
