[PATCH] some fixes for auth4

Volker Lendecke vl at samba.org
Sun Feb 26 17:18:14 UTC 2017


Hi!

Review appreciated!

Thanks,

Volker
-------------- next part --------------
>From 6975bbda0ababcf166446208c674f46a01474cbc Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 26 Feb 2017 09:16:02 +0100
Subject: [PATCH 1/4] auth4: Fix map_user_info_cracknames for domain==NULL

DsCrackNameOneName directly fails for DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT
if the name passed in does not contain a \. The only caller of
map_user_info_cracknames (auth_check_password_send) passes in
lpcfg_workgroup(), which does not contain a \. Add in the \ also for
the default_domain case.

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source4/auth/ntlm/auth_util.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/source4/auth/ntlm/auth_util.c b/source4/auth/ntlm/auth_util.c
index 3e5a0da..f7b01eb 100644
--- a/source4/auth/ntlm/auth_util.c
+++ b/source4/auth/ntlm/auth_util.c
@@ -128,12 +128,11 @@ static NTSTATUS map_user_info_cracknames(struct ldb_context *sam_ctx,
 			return NT_STATUS_NO_MEMORY;
 		}
 	} else {
-		char *domain_name;
+		const char *domain_name = default_domain;
 		if (user_info->client.domain_name && *user_info->client.domain_name) {
-			domain_name = talloc_asprintf(tmp_ctx, "%s\\", user_info->client.domain_name);
-		} else {
-			domain_name = talloc_strdup(tmp_ctx, default_domain);
+			domain_name = user_info->client.domain_name;
 		}
+		domain_name = talloc_asprintf(tmp_ctx, "%s\\", domain_name);
 		if (domain_name == NULL) {
 			talloc_free(tmp_ctx);
 			return NT_STATUS_NO_MEMORY;
-- 
2.1.4


>From 0d8769d01d19b1ab44640b878946cea9809542f7 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 26 Feb 2017 11:25:20 +0100
Subject: [PATCH 2/4] auth4: Only use CrackNames if we're a DC

DsCrackNameOneName on a member does not really have a big user database. We
should delegate as much responsibility as possible to our DC.

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source4/auth/ntlm/auth.c      | 10 ++++++++--
 source4/auth/ntlm/auth_util.c |  3 ++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index eeb2336..656d4bc 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -280,8 +280,14 @@ _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
 	state->user_info	= user_info;
 
 	if (!user_info->mapped_state) {
-		nt_status = map_user_info(auth_ctx->sam_ctx, req, lpcfg_workgroup(auth_ctx->lp_ctx),
-					  user_info, &user_info_tmp);
+		int server_role = lpcfg_server_role(auth_ctx->lp_ctx);
+
+		nt_status = map_user_info(
+			auth_ctx->sam_ctx, req,
+			server_role == ROLE_ACTIVE_DIRECTORY_DC,
+			lpcfg_workgroup(auth_ctx->lp_ctx),
+			user_info, &user_info_tmp);
+
 		if (tevent_req_nterror(req, nt_status)) {
 			return tevent_req_post(req, ev);
 		}
diff --git a/source4/auth/ntlm/auth_util.c b/source4/auth/ntlm/auth_util.c
index f7b01eb..e3d196c 100644
--- a/source4/auth/ntlm/auth_util.c
+++ b/source4/auth/ntlm/auth_util.c
@@ -221,6 +221,7 @@ static NTSTATUS map_user_info_cracknames(struct ldb_context *sam_ctx,
 ****************************************************************************/
 NTSTATUS map_user_info(struct ldb_context *sam_ctx,
 		       TALLOC_CTX *mem_ctx,
+		       bool is_ad_dc,
 		       const char *default_domain,
 		       const struct auth_usersupplied_info *user_info,
 		       struct auth_usersupplied_info **user_info_mapped)
@@ -230,7 +231,7 @@ NTSTATUS map_user_info(struct ldb_context *sam_ctx,
 	char *d;
 	TALLOC_CTX *tmp_ctx;
 
-	if (sam_ctx != NULL) {
+	if (is_ad_dc) {
 		/* if possible, use cracknames to parse the
 		   domain/account */
 		return map_user_info_cracknames(sam_ctx, mem_ctx, default_domain, user_info, user_info_mapped);
-- 
2.1.4


>From d6442a01c9c0181c7cf85fcbcf5892fc0864f8e9 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 23 Feb 2017 20:48:32 +0100
Subject: [PATCH 3/4] auth4: Reduce indentation level by an early error return

Just cosmetics for easier readability, no code change

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source4/auth/ntlm/auth.c | 40 ++++++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 18 deletions(-)

diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 656d4bc..a1276df 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -191,29 +191,33 @@ _PUBLIC_ NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
 					      DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
 {
 	struct auth_user_info_dc *user_info_dc;
-	NTSTATUS status = auth_check_password(auth_ctx, mem_ctx, user_info, &user_info_dc);
+	NTSTATUS status;
 
-	if (NT_STATUS_IS_OK(status)) {
-		*server_returned_info = user_info_dc;
+	status = auth_check_password(auth_ctx, mem_ctx, user_info,
+				     &user_info_dc);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
 
-		if (user_session_key) {
-			DEBUG(10, ("Got NT session key of length %u\n",
-				   (unsigned)user_info_dc->user_session_key.length));
-			*user_session_key = user_info_dc->user_session_key;
-			talloc_steal(mem_ctx, user_session_key->data);
-			user_info_dc->user_session_key = data_blob_null;
-		}
+	*server_returned_info = user_info_dc;
 
-		if (lm_session_key) {
-			DEBUG(10, ("Got LM session key of length %u\n",
-				   (unsigned)user_info_dc->lm_session_key.length));
-			*lm_session_key = user_info_dc->lm_session_key;
-			talloc_steal(mem_ctx, lm_session_key->data);
-			user_info_dc->lm_session_key = data_blob_null;
-		}
+	if (user_session_key) {
+		DEBUG(10, ("Got NT session key of length %u\n",
+			   (unsigned)user_info_dc->user_session_key.length));
+		*user_session_key = user_info_dc->user_session_key;
+		talloc_steal(mem_ctx, user_session_key->data);
+		user_info_dc->user_session_key = data_blob_null;
 	}
 
-	return status;
+	if (lm_session_key) {
+		DEBUG(10, ("Got LM session key of length %u\n",
+			   (unsigned)user_info_dc->lm_session_key.length));
+		*lm_session_key = user_info_dc->lm_session_key;
+		talloc_steal(mem_ctx, lm_session_key->data);
+		user_info_dc->lm_session_key = data_blob_null;
+	}
+
+	return NT_STATUS_OK;
 }
 
 struct auth_check_password_state {
-- 
2.1.4


>From de3280bd72046317405f51dc0b5f48b3a504895f Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 26 Feb 2017 13:06:05 +0100
Subject: [PATCH 4/4] samdb: Fix a typo

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source4/dsdb/samdb/cracknames.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index ad4ef5c..596343a 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -679,7 +679,7 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 			return WERR_NOT_ENOUGH_MEMORY;
 		}
 
-		/* Ensure we reject compleate junk first */
+		/* Ensure we reject complete junk first */
 		ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
 		if (ret) {
 			info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
-- 
2.1.4



More information about the samba-technical mailing list