[PATCH] Correctly handle !authoritative in the rpc-based auth backends
Stefan Metzmacher
metze at samba.org
Thu Mar 23 16:48:06 UTC 2017
Am 23.03.2017 um 10:03 schrieb Andrew Bartlett:
> On Wed, 2017-03-22 at 17:00 +0100, Stefan Metzmacher wrote:
>>
>> + <para>
>> + When this parameter is set to <smbconfoption name="map untrusted
>> to domain">auto</smbconfoption> smbd will
>> + deferr the mapping decision to the stack of auth method
>> backends.
>> + Each auth method is able to say I'm not authoritative and the
>> + next backend will be used. This is basically the behavior
>> + implemented in Windows.
>> + </para>
>> +
>
> Thanks for documenting the change. However the language needs some
> work: Currently it describes too closely the C level changes rather
> than what changes for the user when the options are set (you can say
> 'assuming the default auth methods, as recommended' if you like. Also,
> the documentation shouldn't speculate about backports, this is
> something we can fix when we backport.
>
> To make progress, could we skip this part until we get a test to cover
> the different values, and keep this patch set to just the "no behaviour
> change"?
Ok, here's part one for https://bugzilla.samba.org/show_bug.cgi?id=2976
Except that we expose the authoritative=0 from the auth stacks to the
netlogon
client, there should be no behavior change.
This is in the following branch:
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth-ok
The following contains a rebase of your current auth-logging branch
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-auth-logging
metze
-------------- next part --------------
From d024ec2b414a49dfa8ab32da138386bce7a94d65 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 23 Mar 2017 09:37:22 +0100
Subject: [PATCH 01/42] auth4: add TODO comment on the
auth_sam_trigger_repl_secret msDS-NeverRevealGroup interaction
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/auth/ntlm/auth_sam.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 90eabca..d3f9019 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -237,6 +237,11 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
* mechanism. We also send a message to our
* drepl server to tell it to try and
* replicate the secrets for this account.
+ *
+ * TODO: Should we only trigger this is detected
+ * there's a chance that the password might be
+ * replicated, we should be able to detect this
+ * based on msDS-NeverRevealGroup.
*/
auth_sam_trigger_repl_secret(auth_context, msg->dn);
TALLOC_FREE(tmp_ctx);
--
1.9.1
From d1dc15924ef05237d5e311331f0d1b4fd81a7998 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 6 Mar 2017 14:32:18 +0100
Subject: [PATCH 02/42] wbinfo: Add "authoritative" to wbinfo -a output
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
nsswitch/wbinfo.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 80b245a..57f2b3b 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -1823,13 +1823,15 @@ static bool wbinfo_auth_crap(char *username, bool use_ntlmv2, bool use_lanman)
if (wbc_status == WBC_ERR_AUTH_ERROR) {
d_fprintf(stderr,
- "wbcAuthenticateUserEx(%s%c%s): error code was %s (0x%x)\n"
+ "wbcAuthenticateUserEx(%s%c%s): error code was "
+ "%s (0x%x, authoritative=%"PRIu8")\n"
"error message was: %s\n",
name_domain,
winbind_separator(),
name_user,
err->nt_string,
err->nt_status,
+ err->authoritative,
err->display_string);
wbcFreeMemory(err);
} else if (WBC_ERROR_IS_OK(wbc_status)) {
--
1.9.1
From ff8eb3b4c5265b720844a511b8342272ad1503f3 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:43:06 +0100
Subject: [PATCH 03/42] auth3: Slightly simplify make_auth_context_subsystem()
step1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 1cbe46e..034701d 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -471,10 +471,12 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
char **auth_method_list = NULL;
NTSTATUS nt_status;
- if (lp_auth_methods()
- && !(auth_method_list = str_list_copy(talloc_tos(),
- lp_auth_methods()))) {
- return NT_STATUS_NO_MEMORY;
+ if (lp_auth_methods()) {
+ DEBUG(5,("Using specified auth order\n"));
+ nt_status = make_auth_context_text_list(
+ mem_ctx, auth_context,
+ discard_const_p(char *, lp_auth_methods()));
+ return nt_status;
}
if (auth_method_list == NULL) {
--
1.9.1
From b168194acb3df207a247756062972bab9c9d3d83 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:43:06 +0100
Subject: [PATCH 04/42] auth3: Slightly simplify make_auth_context_subsystem()
step2
Use "git show -b" to see the simple diff.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth.c | 73 +++++++++++++++++++++++++----------------------------
1 file changed, 34 insertions(+), 39 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 034701d..5f3cdb6 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -479,48 +479,43 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
return nt_status;
}
- if (auth_method_list == NULL) {
- switch (lp_server_role())
- {
- case ROLE_DOMAIN_MEMBER:
- DEBUG(5,("Making default auth method list for server role = 'domain member'\n"));
+ switch (lp_server_role()) {
+ case ROLE_DOMAIN_MEMBER:
+ DEBUG(5,("Making default auth method list for server role = 'domain member'\n"));
+ auth_method_list = str_list_make_v3(
+ talloc_tos(), "guest sam winbind:ntdomain",
+ NULL);
+ break;
+ case ROLE_DOMAIN_BDC:
+ case ROLE_DOMAIN_PDC:
+ DEBUG(5,("Making default auth method list for DC\n"));
+ auth_method_list = str_list_make_v3(
+ talloc_tos(),
+ "guest sam winbind:trustdomain",
+ NULL);
+ break;
+ case ROLE_STANDALONE:
+ DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = yes\n"));
+ if (lp_encrypt_passwords()) {
auth_method_list = str_list_make_v3(
- talloc_tos(), "guest sam winbind:ntdomain",
- NULL);
- break;
- case ROLE_DOMAIN_BDC:
- case ROLE_DOMAIN_PDC:
- DEBUG(5,("Making default auth method list for DC\n"));
- auth_method_list = str_list_make_v3(
- talloc_tos(),
- "guest sam winbind:trustdomain",
- NULL);
- break;
- case ROLE_STANDALONE:
- DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = yes\n"));
- if (lp_encrypt_passwords()) {
- auth_method_list = str_list_make_v3(
- talloc_tos(), "guest sam",
- NULL);
- } else {
- DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = no\n"));
- auth_method_list = str_list_make_v3(
- talloc_tos(), "guest unix", NULL);
- }
- break;
- case ROLE_ACTIVE_DIRECTORY_DC:
- DEBUG(5,("Making default auth method list for server role = 'active directory domain controller'\n"));
+ talloc_tos(), "guest sam",
+ NULL);
+ } else {
+ DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = no\n"));
auth_method_list = str_list_make_v3(
- talloc_tos(),
- "samba4",
- NULL);
- break;
- default:
- DEBUG(5,("Unknown auth method!\n"));
- return NT_STATUS_UNSUCCESSFUL;
+ talloc_tos(), "guest unix", NULL);
}
- } else {
- DEBUG(5,("Using specified auth order\n"));
+ break;
+ case ROLE_ACTIVE_DIRECTORY_DC:
+ DEBUG(5,("Making default auth method list for server role = 'active directory domain controller'\n"));
+ auth_method_list = str_list_make_v3(
+ talloc_tos(),
+ "samba4",
+ NULL);
+ break;
+ default:
+ DEBUG(5,("Unknown auth method!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
}
nt_status = make_auth_context_text_list(mem_ctx, auth_context,
--
1.9.1
From d8d7962f9004b9875014bc7af5737fd78f913c9b Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:58:43 +0100
Subject: [PATCH 05/42] auth3: Introduce make_auth_context_specific
Take a string instead of a string list. Simplifies
make_auth_context_subsystem and later similar callers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth.c | 49 +++++++++++++++++++++++++++----------------------
1 file changed, 27 insertions(+), 22 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 5f3cdb6..2b0eb50 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -461,6 +461,26 @@ static NTSTATUS make_auth_context_text_list(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+static NTSTATUS make_auth_context_specific(TALLOC_CTX *mem_ctx,
+ struct auth_context **auth_context,
+ const char *methods)
+{
+ char **method_list;
+ NTSTATUS status;
+
+ method_list = str_list_make_v3(talloc_tos(), methods, NULL);
+ if (method_list == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = make_auth_context_text_list(
+ mem_ctx, auth_context, method_list);
+
+ TALLOC_FREE(method_list);
+
+ return status;
+}
+
/***************************************************************************
Make a auth_context struct for the auth subsystem
***************************************************************************/
@@ -468,7 +488,7 @@ static NTSTATUS make_auth_context_text_list(TALLOC_CTX *mem_ctx,
NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
struct auth_context **auth_context)
{
- char **auth_method_list = NULL;
+ const char *methods = NULL;
NTSTATUS nt_status;
if (lp_auth_methods()) {
@@ -482,47 +502,32 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
switch (lp_server_role()) {
case ROLE_DOMAIN_MEMBER:
DEBUG(5,("Making default auth method list for server role = 'domain member'\n"));
- auth_method_list = str_list_make_v3(
- talloc_tos(), "guest sam winbind:ntdomain",
- NULL);
+ methods = "guest sam winbind:ntdomain";
break;
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
DEBUG(5,("Making default auth method list for DC\n"));
- auth_method_list = str_list_make_v3(
- talloc_tos(),
- "guest sam winbind:trustdomain",
- NULL);
+ methods = "guest sam winbind:trustdomain";
break;
case ROLE_STANDALONE:
DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = yes\n"));
if (lp_encrypt_passwords()) {
- auth_method_list = str_list_make_v3(
- talloc_tos(), "guest sam",
- NULL);
+ methods = "guest sam";
} else {
DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = no\n"));
- auth_method_list = str_list_make_v3(
- talloc_tos(), "guest unix", NULL);
+ methods = "guest unix";
}
break;
case ROLE_ACTIVE_DIRECTORY_DC:
DEBUG(5,("Making default auth method list for server role = 'active directory domain controller'\n"));
- auth_method_list = str_list_make_v3(
- talloc_tos(),
- "samba4",
- NULL);
+ methods = "samba4";
break;
default:
DEBUG(5,("Unknown auth method!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
- nt_status = make_auth_context_text_list(mem_ctx, auth_context,
- auth_method_list);
-
- TALLOC_FREE(auth_method_list);
- return nt_status;
+ return make_auth_context_specific(mem_ctx, auth_context, methods);
}
/***************************************************************************
--
1.9.1
From 19aaee2781c2723244048ced2f4e380fd55168dd Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 11 Feb 2017 15:05:52 +0100
Subject: [PATCH 06/42] auth3: Don't try other auth modules on any error
So far if any kind of error has happened, we just tried further auth
modules. An auth module should have the chance to definitely say "no,
this is a valid error, no further attempts anywhere else". The protocol
so far was for an auth module to return NT_STATUS_NOT_IMPLEMENTED if it
wanted to pass on to other modules, but any error led to the next auth
modules also being given a try.
This patch makes any auth module return code except NOT_IMPLEMENTED to
terminate the loop, such that every module has to explicitly request to
pass on to the next module via NOT_IMPLEMENTED.
All modules we reference in make_auth_context_subsystem() have code to
explicitly say "not for me please" with NOT_IMPLEMENTED.
This *might* break existing setups which fail in for example "guest" or
"winbind" due to other reasons. I prefer it this way though, because
adding another parameter like "This is a real authoritative failure,
don't go looking somewhere else" will only add to the mess.
But it's more a theoretical than a practical change with the
default auth backends.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 2b0eb50..ff41404 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -250,9 +250,7 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
auth_method->name, user_info->client.account_name, nt_errstr(nt_status)));
}
- if (NT_STATUS_IS_OK(nt_status)) {
- break;
- }
+ break;
}
/* successful authentication */
--
1.9.1
From 152e1dfa97f73917900fdaa1535075dbbad0c8d8 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 11 Feb 2017 15:44:01 +0100
Subject: [PATCH 07/42] auth3: Simplify the logic in auth_check_ntlm_password
Move everything but the strict loop logic outside. This makes the
loop exit condition clearer to me: Anything but NOT_IMPLEMENTED breaks
the loop.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth.c | 58 ++++++++++++++++++++++++++---------------------------
1 file changed, 29 insertions(+), 29 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index ff41404..fddb6b9 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -166,6 +166,7 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
struct auth_serversupplied_info **pserver_info)
{
TALLOC_CTX *frame;
+ const char *auth_method_name = "";
/* if all the modules say 'not for me' this is reasonable */
NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
const char *unix_username;
@@ -214,51 +215,50 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
}
for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
- NTSTATUS result;
+
+ auth_method_name = auth_method->name;
if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY
&& !(auth_method->flags & AUTH_METHOD_LOCAL_SAM)) {
continue;
}
- result = auth_method->auth(auth_context,
- auth_method->private_data,
- talloc_tos(),
- user_info,
- &server_info);
-
- /* check if the module did anything */
- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
- DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
- if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY) {
- /* we don't expose the NT_STATUS_NOT_IMPLEMENTED
- * internals, except when the caller is only probing
- * one method, as they may do the fallback
- */
- nt_status = result;
- }
- continue;
- }
-
- nt_status = result;
+ nt_status = auth_method->auth(auth_context,
+ auth_method->private_data,
+ talloc_tos(),
+ user_info,
+ &server_info);
- if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n",
- auth_method->name, user_info->client.account_name));
- } else {
- DEBUG(5, ("check_ntlm_password: %s authentication for user [%s] FAILED with error %s\n",
- auth_method->name, user_info->client.account_name, nt_errstr(nt_status)));
+ if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
+ break;
}
- break;
+ DBG_DEBUG("%s had nothing to say\n", auth_method->name);
}
- /* successful authentication */
+ /* check if the module did anything */
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED) &&
+ ((user_info->flags & USER_INFO_LOCAL_SAM_ONLY) == 0)) {
+ /*
+ * we don't expose the NT_STATUS_NOT_IMPLEMENTED
+ * internals, except when the caller is only probing
+ * one method, as they may do the fallback
+ */
+ nt_status = NT_STATUS_NO_SUCH_USER;
+ }
if (!NT_STATUS_IS_OK(nt_status)) {
+ DBG_INFO("%s authentication for user [%s] FAILED with "
+ "error %s\n",
+ auth_method_name,
+ user_info->client.account_name,
+ nt_errstr(nt_status));
goto fail;
}
+ DBG_NOTICE("%s authentication for user [%s] succeeded\n",
+ auth_method_name, user_info->client.account_name);
+
unix_username = server_info->unix_name;
/* We skip doing this step if the caller asked us not to */
--
1.9.1
From b75fe30557f4e958c1eafd80ecf829ee10a239f7 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:08:44 +0100
Subject: [PATCH 08/42] auth3: Introduce auth3_context_set_challenge
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth.c | 14 +++++++++++++-
source3/auth/proto.h | 2 ++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index fddb6b9..e40c4a6 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -547,4 +547,16 @@ NTSTATUS make_auth_context_fixed(TALLOC_CTX *mem_ctx,
return nt_status;
}
-
+bool auth3_context_set_challenge(struct auth_context *ctx, uint8_t chal[8],
+ const char *challenge_set_by)
+{
+ ctx->challenge = data_blob_talloc(ctx, chal, 8);
+ if (ctx->challenge.data == NULL) {
+ return false;
+ }
+ ctx->challenge_set_by = talloc_strdup(ctx, challenge_set_by);
+ if (ctx->challenge_set_by == NULL) {
+ return false;
+ }
+ return true;
+}
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 5fd3158..83ea2a5 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -43,6 +43,8 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
NTSTATUS make_auth_context_fixed(TALLOC_CTX *mem_ctx,
struct auth_context **auth_context,
uchar chal[8]) ;
+bool auth3_context_set_challenge(struct auth_context *ctx, uint8_t chal[8],
+ const char *challenge_set_by);
/****************************************************************************
Try to get a challenge out of the various authentication modules.
--
1.9.1
From 14016a375346a4bda497b844fad452769059af92 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:14:00 +0100
Subject: [PATCH 09/42] winbindd: Call make_auth_context_subsystem directly
Soon we'll call specific methods here
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
source3/winbindd/winbindd_pam.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 782b28a..4ff6eaa 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1235,6 +1235,7 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
struct tsocket_address *local;
struct netr_SamInfo3 *info3;
NTSTATUS status;
+ bool ok;
int rc;
TALLOC_CTX *frame = talloc_stackframe();
@@ -1268,15 +1269,22 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
}
- status = make_auth_context_fixed(frame, &auth_context, challenge->data);
+ status = make_auth_context_subsystem(frame, &auth_context);
if (!NT_STATUS_IS_OK(status)) {
- DBG_ERR("make_auth_context_fixed failed: %s\n",
+ DBG_ERR("make_auth_context_subsystem failed: %s\n",
nt_errstr(status));
TALLOC_FREE(frame);
return status;
}
+ ok = auth3_context_set_challenge(auth_context,
+ challenge->data, "fixed");
+ if (!ok) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
status = auth_check_ntlm_password(mem_ctx,
auth_context,
user_info,
--
1.9.1
From 867b9d655e76e31661bda24744265ee48765ef32 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 9 Mar 2017 15:19:06 +0100
Subject: [PATCH 10/42] netlogond3: "authorititative" is a uint8
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index ef2c827..005bd03 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1510,7 +1510,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
return NT_STATUS_INTERNAL_ERROR;
}
- *r->out.authoritative = true; /* authoritative response */
+ *r->out.authoritative = 1; /* authoritative response */
switch (r->in.validation_level) {
case 2:
--
1.9.1
From 014ce63ed4385b328101ed94c18463ea8e1e304f Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:14:00 +0100
Subject: [PATCH 11/42] netlogond3: Call make_auth_context_subsystem directly
Soon we'll call specific methods here
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 005bd03..09feb13 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1586,13 +1586,20 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
{
const char *wksname = nt_workstation;
const char *workgroup = lp_workgroup();
+ bool ok;
- status = make_auth_context_fixed(talloc_tos(), &auth_context,
- logon->network->challenge);
+ status = make_auth_context_subsystem(talloc_tos(),
+ &auth_context);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
+ ok = auth3_context_set_challenge(
+ auth_context, logon->network->challenge, "fixed");
+ if (!ok) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
/* For a network logon, the workstation name comes in with two
* backslashes in the front. Strip them if they are there. */
--
1.9.1
From 648cfc96830d280d4f89f26967dd62ca855a3fbf Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 16 Mar 2017 15:54:18 +0100
Subject: [PATCH 12/42] netlogond3: only call make_auth_context_subsystem() in
one place
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 09feb13..088ffe1 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1580,6 +1580,12 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
r->in.logon_level,
logon);
+ status = make_auth_context_subsystem(talloc_tos(),
+ &auth_context);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
switch (r->in.logon_level) {
case NetlogonNetworkInformation:
case NetlogonNetworkTransitiveInformation:
@@ -1588,12 +1594,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
const char *workgroup = lp_workgroup();
bool ok;
- status = make_auth_context_subsystem(talloc_tos(),
- &auth_context);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
ok = auth3_context_set_challenge(
auth_context, logon->network->challenge, "fixed");
if (!ok) {
@@ -1658,11 +1658,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
DEBUG(100,("decrypt of nt owf password:"));
dump_data(100, logon->password->ntpassword.hash, 16);
#endif
- status = make_auth_context_subsystem(talloc_tos(),
- &auth_context);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
auth_get_ntlm_challenge(auth_context, chal);
--
1.9.1
From 01a78789e90490e19217d2e7689171bb7d2d9764 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:19:41 +0100
Subject: [PATCH 13/42] pdbtest: Call make_auth_context_subsystem directly
Last caller of make_auth_context_fixed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
source3/torture/pdbtest.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index fe51a76..a9f49bb 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -268,6 +268,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
struct netr_SamInfo3 *info3_sam, *info3_auth;
struct auth_serversupplied_info *server_info;
NTSTATUS status;
+ bool ok;
SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
local_nt_response);
@@ -298,13 +299,20 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
return False;
}
- status = make_auth_context_fixed(NULL, &auth_context, challenge.data);
+ status = make_auth_context_subsystem(NULL, &auth_context);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to test authentication with check_sam_security_info3: %s\n", nt_errstr(status)));
return False;
}
-
+
+ ok = auth3_context_set_challenge(
+ auth_context, challenge.data, "fixed");
+ if (!ok) {
+ DBG_ERR("auth3_context_set_challenge failed\n");
+ return false;
+ }
+
status = auth_check_ntlm_password(mem_ctx,
auth_context,
user_info,
--
1.9.1
From 596d7a057a60d8bb206a90afec1af1774b36d335 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Mon, 13 Mar 2017 08:22:27 +0100
Subject: [PATCH 14/42] auth3: Remove unused make_auth_context_fixed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth.c | 19 -------------------
source3/auth/proto.h | 3 ---
2 files changed, 22 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index e40c4a6..7769c23 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -528,25 +528,6 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
return make_auth_context_specific(mem_ctx, auth_context, methods);
}
-/***************************************************************************
- Make a auth_info struct with a fixed challenge
-***************************************************************************/
-
-NTSTATUS make_auth_context_fixed(TALLOC_CTX *mem_ctx,
- struct auth_context **auth_context,
- uchar chal[8])
-{
- NTSTATUS nt_status;
- nt_status = make_auth_context_subsystem(mem_ctx, auth_context);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
- (*auth_context)->challenge = data_blob_talloc(*auth_context, chal, 8);
- (*auth_context)->challenge_set_by = "fixed";
- return nt_status;
-}
-
bool auth3_context_set_challenge(struct auth_context *ctx, uint8_t chal[8],
const char *challenge_set_by)
{
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 83ea2a5..5ffe757 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -40,9 +40,6 @@ bool load_auth_module(struct auth_context *auth_context,
const char *module, auth_methods **ret) ;
NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
struct auth_context **auth_context);
-NTSTATUS make_auth_context_fixed(TALLOC_CTX *mem_ctx,
- struct auth_context **auth_context,
- uchar chal[8]) ;
bool auth3_context_set_challenge(struct auth_context *ctx, uint8_t chal[8],
const char *challenge_set_by);
--
1.9.1
From d59c19c0b41a3e1848470652a9a705dc20ac0c04 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 09:13:02 +0100
Subject: [PATCH 15/42] auth3: add
make_auth3_context_for_{ntlm,netlogon,winbind}
For now they'll all do the same, but that will change in the following commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth.c | 18 ++++++++++++++++++
source3/auth/proto.h | 6 ++++++
2 files changed, 24 insertions(+)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 7769c23..ed42740 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -528,6 +528,24 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
return make_auth_context_specific(mem_ctx, auth_context, methods);
}
+NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
+ struct auth_context **auth_context)
+{
+ return make_auth_context_subsystem(mem_ctx, auth_context);
+}
+
+NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
+ struct auth_context **auth_context)
+{
+ return make_auth_context_subsystem(mem_ctx, auth_context);
+}
+
+NTSTATUS make_auth3_context_for_winbind(TALLOC_CTX *mem_ctx,
+ struct auth_context **auth_context)
+{
+ return make_auth_context_subsystem(mem_ctx, auth_context);
+}
+
bool auth3_context_set_challenge(struct auth_context *ctx, uint8_t chal[8],
const char *challenge_set_by)
{
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 5ffe757..92b2a85 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -40,6 +40,12 @@ bool load_auth_module(struct auth_context *auth_context,
const char *module, auth_methods **ret) ;
NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
struct auth_context **auth_context);
+NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
+ struct auth_context **auth_context);
+NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
+ struct auth_context **auth_context);
+NTSTATUS make_auth3_context_for_winbind(TALLOC_CTX *mem_ctx,
+ struct auth_context **auth_context);
bool auth3_context_set_challenge(struct auth_context *ctx, uint8_t chal[8],
const char *challenge_set_by);
--
1.9.1
From ca701c5c793541387d5bc1b79920a385d6a15c4d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 09:17:45 +0100
Subject: [PATCH 16/42] auth3: make use of make_auth3_context_for_ntlm()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth_generic.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index f9b9184..95c70e8 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -208,7 +208,7 @@ NTSTATUS make_auth4_context(TALLOC_CTX *mem_ctx, struct auth4_context **auth4_co
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
- nt_status = make_auth_context_subsystem(tmp_ctx, &auth_context);
+ nt_status = make_auth3_context_for_ntlm(tmp_ctx, &auth_context);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(tmp_ctx);
return nt_status;
@@ -242,7 +242,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
- nt_status = make_auth_context_subsystem(tmp_ctx, &auth_context);
+ nt_status = make_auth3_context_for_ntlm(tmp_ctx, &auth_context);
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE(tmp_ctx);
return nt_status;
--
1.9.1
From 2c4b6a19a2669583b48bbccced430ae738a07778 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 12:29:26 +0100
Subject: [PATCH 17/42] pdbtest: make use of make_auth3_context_for_ntlm()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/torture/pdbtest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index a9f49bb..0003566 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -299,7 +299,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
return False;
}
- status = make_auth_context_subsystem(NULL, &auth_context);
+ status = make_auth3_context_for_ntlm(NULL, &auth_context);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to test authentication with check_sam_security_info3: %s\n", nt_errstr(status)));
--
1.9.1
From 864ddef391fa4449a1ae6f21e71c2443cd7bf7aa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 09:18:25 +0100
Subject: [PATCH 18/42] netlogond3: make use of
make_auth3_context_for_netlogon()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 088ffe1..4c43802 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1580,8 +1580,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
r->in.logon_level,
logon);
- status = make_auth_context_subsystem(talloc_tos(),
- &auth_context);
+ status = make_auth3_context_for_netlogon(talloc_tos(), &auth_context);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
--
1.9.1
From 2180295efd753130738f173292b2c6bae137d583 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 09:18:41 +0100
Subject: [PATCH 19/42] winbindd: make use of make_auth3_context_for_winbind()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/winbindd/winbindd_pam.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 4ff6eaa..fb6b8af 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1269,10 +1269,9 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
}
- status = make_auth_context_subsystem(frame, &auth_context);
-
+ status = make_auth3_context_for_winbind(frame, &auth_context);
if (!NT_STATUS_IS_OK(status)) {
- DBG_ERR("make_auth_context_subsystem failed: %s\n",
+ DBG_ERR("make_auth3_context_for_winbind failed: %s\n",
nt_errstr(status));
TALLOC_FREE(frame);
return status;
--
1.9.1
From 52f5c9ca697d40680a4cc948771eeaea42b6c23f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 12:31:01 +0100
Subject: [PATCH 20/42] auth3: make make_auth_context_subsystem() static
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth.c | 4 ++--
source3/auth/proto.h | 2 --
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index ed42740..ef8fcef 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -483,8 +483,8 @@ static NTSTATUS make_auth_context_specific(TALLOC_CTX *mem_ctx,
Make a auth_context struct for the auth subsystem
***************************************************************************/
-NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
- struct auth_context **auth_context)
+static NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
+ struct auth_context **auth_context)
{
const char *methods = NULL;
NTSTATUS nt_status;
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 92b2a85..1101346 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -38,8 +38,6 @@
NTSTATUS smb_register_auth(int version, const char *name, auth_init_function init);
bool load_auth_module(struct auth_context *auth_context,
const char *module, auth_methods **ret) ;
-NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
- struct auth_context **auth_context);
NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
struct auth_context **auth_context);
NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
--
1.9.1
From b93ee81630162e51362633a500b651eeafe55a2f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 11:41:04 +0100
Subject: [PATCH 21/42] auth4: make auth_check_password_wrapper() static
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/auth/auth.h | 6 ------
source4/auth/ntlm/auth.c | 10 +++++-----
2 files changed, 5 insertions(+), 11 deletions(-)
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 7c62318..feddb46 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -145,12 +145,6 @@ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
struct auth4_context **auth_ctx);
-NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
- void **server_returned_info,
- DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key);
-
NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 05d6c3c..2260244 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -184,11 +184,11 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
return status;
}
-_PUBLIC_ NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
- void **server_returned_info,
- DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
+static NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info,
+ void **server_returned_info,
+ DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
{
struct auth_user_info_dc *user_info_dc;
NTSTATUS status;
--
1.9.1
From 5180bfb71e00bc2d41e486cf9cbabbc59937e3fb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 12:08:59 +0100
Subject: [PATCH 22/42] auth4: add auth_context_create_for_netlogon()
For now it's the same as auth_context_create(), but this will
change the in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/auth/auth.h | 5 +++++
source4/auth/ntlm/auth.c | 9 +++++++++
2 files changed, 14 insertions(+)
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index feddb46..95aacfe 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -144,6 +144,11 @@ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
struct imessaging_context *msg,
struct loadparm_context *lp_ctx,
struct auth4_context **auth_ctx);
+NTSTATUS auth_context_create_for_netlogon(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct imessaging_context *msg,
+ struct loadparm_context *lp_ctx,
+ struct auth4_context **auth_ctx);
NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx,
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 2260244..926bf48 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -645,6 +645,15 @@ _PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
return status;
}
+_PUBLIC_ NTSTATUS auth_context_create_for_netlogon(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct imessaging_context *msg,
+ struct loadparm_context *lp_ctx,
+ struct auth4_context **auth_ctx)
+{
+ return auth_context_create(mem_ctx, ev, msg, lp_ctx, auth_ctx);
+}
+
/* the list of currently registered AUTH backends */
static struct auth_backend {
const struct auth_operations *ops;
--
1.9.1
From 94ce86bca1ca19940578dfc8bda5e064a6b7c672 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 12:15:13 +0100
Subject: [PATCH 23/42] netlogon4: make use of
auth_context_create_for_netlogon()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index afa9b1c..332afd3 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -868,11 +868,10 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
case NetlogonInteractiveTransitiveInformation:
case NetlogonServiceTransitiveInformation:
- /* TODO: we need to deny anonymous access here */
- nt_status = auth_context_create(mem_ctx,
- dce_call->event_ctx, dce_call->msg_ctx,
- dce_call->conn->dce_ctx->lp_ctx,
- &auth_context);
+ nt_status = auth_context_create_for_netlogon(mem_ctx,
+ dce_call->event_ctx, dce_call->msg_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ &auth_context);
NT_STATUS_NOT_OK_RETURN(nt_status);
user_info->logon_parameters = r->in.logon->password->identity_info.parameter_control;
@@ -895,11 +894,10 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
case NetlogonNetworkInformation:
case NetlogonNetworkTransitiveInformation:
- /* TODO: we need to deny anonymous access here */
- nt_status = auth_context_create(mem_ctx,
- dce_call->event_ctx, dce_call->msg_ctx,
- dce_call->conn->dce_ctx->lp_ctx,
- &auth_context);
+ nt_status = auth_context_create_for_netlogon(mem_ctx,
+ dce_call->event_ctx, dce_call->msg_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ &auth_context);
NT_STATUS_NOT_OK_RETURN(nt_status);
nt_status = auth_context_set_challenge(auth_context, r->in.logon->network->challenge, "netr_LogonSamLogonWithFlags");
--
1.9.1
From 97b31b03157323c81ea88083aafd19c9ef279744 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 2 Mar 2017 11:28:18 +0100
Subject: [PATCH 24/42] winbindd: NT_STATUS_CANT_ACCESS_DOMAIN_INFO means
"Dunno"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
source3/winbindd/winbindd_pam.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index fb6b8af..77f2bf7 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1344,6 +1344,16 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
result = cm_connect_netlogon(domain, &netlogon_pipe);
+ if (NT_STATUS_EQUAL(result,
+ NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
+ /*
+ * This means we don't have a trust account.
+ */
+ *authoritative = 0;
+ result = NT_STATUS_NO_SUCH_USER;
+ break;
+ }
+
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3,("Could not open handle to NETLOGON pipe "
"(error: %s, attempts: %d)\n",
--
1.9.1
From 58ee8ebd0e9fa4d14693a06018f7bdca9a9df2df Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 09:42:38 +0100
Subject: [PATCH 25/42] winbindd: let winbindd_dual_auth_passdb() return
pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/winbindd/winbindd_pam.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 77f2bf7..2bac9ec 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1227,6 +1227,7 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
const DATA_BLOB *lm_resp,
const DATA_BLOB *nt_resp,
bool interactive,
+ uint8_t *pauthoritative,
struct netr_SamInfo3 **pinfo3)
{
struct auth_context *auth_context;
@@ -1239,6 +1240,11 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
int rc;
TALLOC_CTX *frame = talloc_stackframe();
+ /*
+ * We are authoritative by default
+ */
+ *pauthoritative = 1;
+
rc = tsocket_address_inet_from_strings(frame,
"ip",
"127.0.0.1",
@@ -1290,6 +1296,9 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
&server_info);
if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+ *pauthoritative = 0;
+ }
TALLOC_FREE(frame);
return status;
}
@@ -1563,12 +1572,14 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
mem_ctx, 0, name_domain, name_user,
&chal_blob, &lm_resp, &nt_resp,
true, /* interactive */
+ &authoritative,
info3);
/*
- * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
+ * We need to try the remote NETLOGON server if this is
+ * not authoritative.
*/
- if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+ if (authoritative != 0) {
goto done;
}
}
@@ -1983,13 +1994,14 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
name_domain, name_user,
&chal_blob, &lm_response, &nt_response,
false, /* interactive */
+ authoritative,
info3);
/*
- * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
+ * We need to try the remote NETLOGON server if this is
+ * not authoritative.
*/
- if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
- *authoritative = 1;
+ if (*authoritative != 0) {
*flags = 0;
goto process_result;
}
--
1.9.1
From f2b656e240f917418479d67f98586d710fd488a7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 09:43:59 +0100
Subject: [PATCH 26/42] auth3: let auth_check_ntlm_password() return
pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth.c | 35 +++++++++++++++--------------
source3/auth/auth_ntlmssp.c | 10 ++++++---
source3/auth/proto.h | 10 ++++++---
source3/rpc_server/netlogon/srv_netlog_nt.c | 12 ++--------
source3/torture/pdbtest.c | 10 ++++++---
source3/winbindd/winbindd_pam.c | 7 ++----
6 files changed, 43 insertions(+), 41 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index ef8fcef..11a777a4 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -153,22 +153,25 @@ static bool check_domain_match(const char *user, const char *domain)
* filled in, either at creation or by calling the challenge geneation
* function auth_get_challenge().
*
- * @param server_info If successful, contains information about the authentication,
- * including a struct samu struct describing the user.
+ * @param pserver_info If successful, contains information about the authentication,
+ * including a struct samu struct describing the user.
+ *
+ * @param pauthoritative Indicates if the result should be treated as final
+ * result.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
**/
-
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
const struct auth_context *auth_context,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **pserver_info)
+ struct auth_serversupplied_info **pserver_info,
+ uint8_t *pauthoritative)
{
TALLOC_CTX *frame;
const char *auth_method_name = "";
/* if all the modules say 'not for me' this is reasonable */
- NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
+ NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
const char *unix_username;
auth_methods *auth_method;
struct auth_serversupplied_info *server_info;
@@ -179,6 +182,8 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
frame = talloc_stackframe();
+ *pauthoritative = 1;
+
DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
@@ -236,23 +241,18 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
DBG_DEBUG("%s had nothing to say\n", auth_method->name);
}
- /* check if the module did anything */
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED) &&
- ((user_info->flags & USER_INFO_LOCAL_SAM_ONLY) == 0)) {
- /*
- * we don't expose the NT_STATUS_NOT_IMPLEMENTED
- * internals, except when the caller is only probing
- * one method, as they may do the fallback
- */
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
+ *pauthoritative = 0;
nt_status = NT_STATUS_NO_SUCH_USER;
}
if (!NT_STATUS_IS_OK(nt_status)) {
DBG_INFO("%s authentication for user [%s] FAILED with "
- "error %s\n",
+ "error %s, authoritative=%u\n",
auth_method_name,
user_info->client.account_name,
- nt_errstr(nt_status));
+ nt_errstr(nt_status),
+ *pauthoritative);
goto fail;
}
@@ -313,9 +313,10 @@ fail:
/* failed authentication; check for guest lapping */
- DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
+ DEBUG(2, ("check_ntlm_password: Authentication for user "
+ "[%s] -> [%s] FAILED with error %s, authoritative=%u\n",
user_info->client.account_name, user_info->mapped.account_name,
- nt_errstr(nt_status)));
+ nt_errstr(nt_status), *pauthoritative));
ZERO_STRUCTP(pserver_info);
TALLOC_FREE(frame);
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index a0e4902..0ff3bdd 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -145,6 +145,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
struct auth_serversupplied_info *server_info;
NTSTATUS nt_status;
bool username_was_mapped;
+ uint8_t authoritative = 0;
/* The client has given us its machine name (which we only get over NBT transport).
We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
@@ -179,13 +180,16 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
nt_status = auth_check_ntlm_password(mem_ctx,
auth_context,
mapped_user_info,
- &server_info);
+ &server_info,
+ &authoritative);
if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
+ DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: "
+ "%s, authoritative=%u\n",
user_info->client.domain_name,
user_info->client.account_name,
- nt_errstr(nt_status)));
+ nt_errstr(nt_status),
+ authoritative));
}
username_was_mapped = mapped_user_info->was_mapped;
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 1101346..ccc284c 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -78,8 +78,11 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
* filled in, either at creation or by calling the challenge geneation
* function auth_get_challenge().
*
- * @param server_info If successful, contains information about the authentication,
- * including a struct samu struct describing the user.
+ * @param pserver_info If successful, contains information about the authentication,
+ * including a struct samu struct describing the user.
+ *
+ * @param pauthoritative Indicates if the result should be treated as final
+ * result.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
@@ -87,7 +90,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
const struct auth_context *auth_context,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info);
+ struct auth_serversupplied_info **pserver_info,
+ uint8_t *pauthoritative);
/* The following definitions come from auth/auth_builtin.c */
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 4c43802..38d7bda 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1682,7 +1682,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
status = auth_check_ntlm_password(p->mem_ctx,
auth_context,
user_info,
- &server_info);
+ &server_info,
+ r->out.authoritative);
}
TALLOC_FREE(auth_context);
@@ -1694,15 +1695,6 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
/* Check account and password */
if (!NT_STATUS_IS_OK(status)) {
- /* If we don't know what this domain is, we need to
- indicate that we are not authoritative. This
- allows the client to decide if it needs to try
- a local user. Fix by jpjanosi at us.ibm.com, #2976 */
- if ( NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
- && !strequal(nt_domain, get_global_sam_name())
- && !is_trusted_domain(nt_domain) )
- *r->out.authoritative = false; /* We are not authoritative */
-
TALLOC_FREE(server_info);
return status;
}
diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index 0003566..b442883 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -269,7 +269,8 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
struct auth_serversupplied_info *server_info;
NTSTATUS status;
bool ok;
-
+ uint8_t authoritative = 0;
+
SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
local_nt_response);
SMBsesskeygen_ntv1(pdb_get_nt_passwd(pdb_entry), local_nt_session_key);
@@ -316,10 +317,13 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
status = auth_check_ntlm_password(mem_ctx,
auth_context,
user_info,
- &server_info);
+ &server_info,
+ &authoritative);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
+ DEBUG(0, ("Failed to test authentication with auth module: "
+ "%s authoritative[%u].\n",
+ nt_errstr(status), authoritative));
return False;
}
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 2bac9ec..74941c7 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1293,12 +1293,9 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
status = auth_check_ntlm_password(mem_ctx,
auth_context,
user_info,
- &server_info);
-
+ &server_info,
+ pauthoritative);
if (!NT_STATUS_IS_OK(status)) {
- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
- *pauthoritative = 0;
- }
TALLOC_FREE(frame);
return status;
}
--
1.9.1
From 983e74e3ddeb3c0372d8b6cb13ec8eef44482765 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 11:16:36 +0100
Subject: [PATCH 27/42] auth4: let auth_check_password* return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth_samba4.c | 11 +++++++--
source4/auth/auth.h | 6 +++--
source4/auth/ntlm/auth.c | 32 ++++++++++++++++-----------
source4/auth/ntlm/auth_simple.c | 4 +++-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++--
source4/smb_server/smb/sesssetup.c | 9 +++++---
6 files changed, 43 insertions(+), 23 deletions(-)
diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c
index a0d6afd3..138c6cd 100644
--- a/source3/auth/auth_samba4.c
+++ b/source3/auth/auth_samba4.c
@@ -118,6 +118,7 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context,
NTSTATUS nt_status;
struct auth_user_info_dc *user_info_dc;
struct auth4_context *auth4_context;
+ uint8_t authoritative = 0;
nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -132,13 +133,19 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context,
return nt_status;
}
- nt_status = auth_check_password(auth4_context, auth4_context, user_info, &user_info_dc);
+ nt_status = auth_check_password(auth4_context, auth4_context, user_info,
+ &user_info_dc, &authoritative);
if (!NT_STATUS_IS_OK(nt_status)) {
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
+ authoritative == 0)
+ {
+ nt_status = NT_STATUS_NOT_IMPLEMENTED;
+ }
TALLOC_FREE(auth4_context);
TALLOC_FREE(frame);
return nt_status;
}
-
+
nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
user_info_dc,
&info3);
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 95aacfe..7358f40 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -153,7 +153,8 @@ NTSTATUS auth_context_create_for_netlogon(TALLOC_CTX *mem_ctx,
NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_user_info_dc **user_info_dc);
+ struct auth_user_info_dc **user_info_dc,
+ uint8_t *pauthoritative);
NTSTATUS auth4_init(void);
NTSTATUS auth_register(const struct auth_operations *ops);
NTSTATUS server_service_auth_init(void);
@@ -173,7 +174,8 @@ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info);
NTSTATUS auth_check_password_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
- struct auth_user_info_dc **user_info_dc);
+ struct auth_user_info_dc **user_info_dc,
+ uint8_t *pauthoritative);
bool auth_challenge_may_be_modified(struct auth4_context *auth_ctx);
NTSTATUS auth_context_set_challenge(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by);
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 926bf48..12e26f4 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -155,7 +155,8 @@ static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_
_PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_user_info_dc **user_info_dc)
+ struct auth_user_info_dc **user_info_dc,
+ uint8_t *pauthoritative)
{
struct tevent_req *subreq;
struct tevent_context *ev;
@@ -178,7 +179,8 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
return NT_STATUS_INTERNAL_ERROR;
}
- status = auth_check_password_recv(subreq, mem_ctx, user_info_dc);
+ status = auth_check_password_recv(subreq, mem_ctx,
+ user_info_dc, pauthoritative);
TALLOC_FREE(subreq);
return status;
@@ -192,9 +194,10 @@ static NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
{
struct auth_user_info_dc *user_info_dc;
NTSTATUS status;
+ uint8_t authoritative = 0;
status = auth_check_password(auth_ctx, mem_ctx, user_info,
- &user_info_dc);
+ &user_info_dc, &authoritative);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -225,6 +228,7 @@ struct auth_check_password_state {
const struct auth_usersupplied_info *user_info;
struct auth_user_info_dc *user_info_dc;
struct auth_method_context *method;
+ uint8_t authoritative;
};
static void auth_check_password_async_trigger(struct tevent_context *ev,
@@ -279,6 +283,10 @@ _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
return NULL;
}
+ /*
+ * We are authoritative by default.
+ */
+ state->authoritative = 1;
state->auth_ctx = auth_ctx;
state->user_info = user_info;
@@ -386,13 +394,8 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
}
if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
- if (!(state->user_info->flags & USER_INFO_LOCAL_SAM_ONLY)) {
- /* don't expose the NT_STATUS_NOT_IMPLEMENTED
- * internals, except when the caller is only probing
- * one method, as they may do the fallback
- */
- status = NT_STATUS_NO_SUCH_USER;
- }
+ state->authoritative = 0;
+ status = NT_STATUS_NO_SUCH_USER;
}
if (tevent_req_nterror(req, status)) {
@@ -424,20 +427,23 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
_PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
- struct auth_user_info_dc **user_info_dc)
+ struct auth_user_info_dc **user_info_dc,
+ uint8_t *pauthoritative)
{
struct auth_check_password_state *state =
tevent_req_data(req, struct auth_check_password_state);
NTSTATUS status;
+ *pauthoritative = state->authoritative;
+
if (tevent_req_is_nterror(req, &status)) {
DEBUG(2,("auth_check_password_recv: "
"%s authentication for user [%s\\%s] "
- "FAILED with error %s\n",
+ "FAILED with error %s, authoritative=%u\n",
(state->method ? state->method->ops->name : "NO_METHOD"),
state->user_info->mapped.domain_name,
state->user_info->mapped.account_name,
- nt_errstr(status)));
+ nt_errstr(status), state->authoritative));
tevent_req_received(req);
return status;
}
diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index f6dd9d0..be2ff5e 100644
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -42,6 +42,7 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
struct auth_usersupplied_info *user_info;
struct auth_user_info_dc *user_info_dc;
NTSTATUS nt_status;
+ uint8_t authoritative = 0;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
@@ -83,7 +84,8 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
MSV1_0_CLEARTEXT_PASSWORD_ALLOWED |
MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED;
- nt_status = auth_check_password(auth_context, tmp_ctx, user_info, &user_info_dc);
+ nt_status = auth_check_password(auth_context, tmp_ctx, user_info,
+ &user_info_dc, &authoritative);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 332afd3..0f59a96 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -982,8 +982,8 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
return NT_STATUS_INVALID_PARAMETER;
}
- nt_status = auth_check_password(auth_context, mem_ctx, user_info, &user_info_dc);
- /* TODO: set *r->out.authoritative = 0 on specific errors */
+ nt_status = auth_check_password(auth_context, mem_ctx, user_info,
+ &user_info_dc, r->out.authoritative);
NT_STATUS_NOT_OK_RETURN(nt_status);
switch (r->in.validation_level) {
diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
index e06853a..e3bfcb3 100644
--- a/source4/smb_server/smb/sesssetup.c
+++ b/source4/smb_server/smb/sesssetup.c
@@ -72,9 +72,11 @@ static void sesssetup_old_send(struct tevent_req *subreq)
struct auth_session_info *session_info;
struct smbsrv_session *smb_sess;
NTSTATUS status;
+ uint8_t authoritative = 0;
uint32_t flags;
- status = auth_check_password_recv(subreq, req, &user_info_dc);
+ status = auth_check_password_recv(subreq, req, &user_info_dc,
+ &authoritative);
TALLOC_FREE(subreq);
if (!NT_STATUS_IS_OK(status)) goto failed;
@@ -202,11 +204,12 @@ static void sesssetup_nt1_send(struct tevent_req *subreq)
struct auth_user_info_dc *user_info_dc = NULL;
struct auth_session_info *session_info;
struct smbsrv_session *smb_sess;
-
+ uint8_t authoritative = 0;
uint32_t flags;
NTSTATUS status;
- status = auth_check_password_recv(subreq, req, &user_info_dc);
+ status = auth_check_password_recv(subreq, req, &user_info_dc,
+ &authoritative);
TALLOC_FREE(subreq);
if (!NT_STATUS_IS_OK(status)) goto failed;
--
1.9.1
From fd4e183462aa0909a19a6860338807b76cf7bc40 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 11:49:40 +0100
Subject: [PATCH 28/42] ntlm_auth3: let contact_winbind_auth_crap() return
pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/utils/ntlm_auth.c | 11 +++++++++++
source3/utils/ntlm_auth_diagnostics.c | 15 ++++++++++-----
source3/utils/ntlm_auth_proto.h | 1 +
3 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 829eb8f..4bfab5b 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -528,6 +528,7 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
uint32_t extra_logon_parameters,
uint8_t lm_key[8],
uint8_t user_session_key[16],
+ uint8_t *pauthoritative,
char **error_string,
char **unix_name)
{
@@ -536,6 +537,8 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
struct winbindd_request request;
struct winbindd_response response;
+ *pauthoritative = 1;
+
if (!get_require_membership_sid()) {
return NT_STATUS_INVALID_PARAMETER;
}
@@ -605,6 +608,7 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
if (!NT_STATUS_IS_OK(nt_status)) {
if (error_string)
*error_string = smb_xstrdup(response.data.auth.error_string);
+ *pauthoritative = response.data.auth.authoritative;
winbindd_free_response(&response);
return nt_status;
}
@@ -951,6 +955,7 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
uint8_t lm_key[8];
uint8_t user_sess_key[16];
char *unix_name = NULL;
+ uint8_t authoritative = 0;
nt_status = contact_winbind_auth_crap(user_info->client.account_name, user_info->client.domain_name,
user_info->workstation_name,
@@ -960,6 +965,7 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
WBFLAG_PAM_LMKEY | WBFLAG_PAM_USER_SESSION_KEY | WBFLAG_PAM_UNIX_NAME,
0,
lm_key, user_sess_key,
+ &authoritative,
&error_string, &unix_name);
if (NT_STATUS_IS_OK(nt_status)) {
@@ -1719,6 +1725,8 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
TALLOC_FREE(mem_ctx);
} else {
+ uint8_t authoritative = 0;
+
if (!domain) {
domain = smb_xstrdup(get_winbind_domain());
}
@@ -1738,6 +1746,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
flags, 0,
lm_key,
user_session_key,
+ &authoritative,
&error_string,
NULL);
}
@@ -2185,6 +2194,7 @@ static bool check_auth_crap(void)
char *hex_lm_key;
char *hex_user_session_key;
char *error_string;
+ uint8_t authoritative = 0;
setbuf(stdout, NULL);
@@ -2204,6 +2214,7 @@ static bool check_auth_crap(void)
flags, 0,
(unsigned char *)lm_key,
(unsigned char *)user_session_key,
+ &authoritative,
&error_string, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/utils/ntlm_auth_diagnostics.c b/source3/utils/ntlm_auth_diagnostics.c
index 5533fd2..41591a8 100644
--- a/source3/utils/ntlm_auth_diagnostics.c
+++ b/source3/utils/ntlm_auth_diagnostics.c
@@ -54,7 +54,7 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which)
DATA_BLOB lm_response = data_blob(NULL, 24);
DATA_BLOB nt_response = data_blob(NULL, 24);
DATA_BLOB session_key = data_blob(NULL, 16);
-
+ uint8_t authoritative = 0;
uchar lm_key[8];
uchar user_session_key[16];
uchar lm_hash[16];
@@ -101,6 +101,7 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which)
flags, 0,
lm_key,
user_session_key,
+ &authoritative,
&error_string, NULL);
data_blob_free(&lm_response);
@@ -176,7 +177,7 @@ static bool test_ntlm_in_lm(void)
NTSTATUS nt_status;
uint32_t flags = 0;
DATA_BLOB nt_response = data_blob(NULL, 24);
-
+ uint8_t authoritative = 0;
uchar lm_key[8];
uchar lm_hash[16];
uchar user_session_key[16];
@@ -200,6 +201,7 @@ static bool test_ntlm_in_lm(void)
flags, 0,
lm_key,
user_session_key,
+ &authoritative,
&error_string, NULL);
data_blob_free(&nt_response);
@@ -243,7 +245,7 @@ static bool test_ntlm_in_both(void)
uint32_t flags = 0;
DATA_BLOB nt_response = data_blob(NULL, 24);
DATA_BLOB session_key = data_blob(NULL, 16);
-
+ uint8_t authoritative = 0;
uint8_t lm_key[8];
uint8_t lm_hash[16];
uint8_t user_session_key[16];
@@ -271,6 +273,7 @@ static bool test_ntlm_in_both(void)
flags, 0,
lm_key,
user_session_key,
+ &authoritative,
&error_string, NULL);
data_blob_free(&nt_response);
@@ -319,7 +322,7 @@ static bool test_lmv2_ntlmv2_broken(enum ntlm_break break_which)
DATA_BLOB lmv2_response = data_blob_null;
DATA_BLOB ntlmv2_session_key = data_blob_null;
DATA_BLOB names_blob = NTLMv2_generate_names_blob(NULL, get_winbind_netbios_name(), get_winbind_domain());
-
+ uint8_t authoritative = 0;
uchar user_session_key[16];
DATA_BLOB chall = get_challenge();
char *error_string;
@@ -362,6 +365,7 @@ static bool test_lmv2_ntlmv2_broken(enum ntlm_break break_which)
flags, 0,
NULL,
user_session_key,
+ &authoritative,
&error_string, NULL);
data_blob_free(&lmv2_response);
@@ -448,7 +452,7 @@ static bool test_plaintext(enum ntlm_break break_which)
char *password;
smb_ucs2_t *nt_response_ucs2;
size_t converted_size;
-
+ uint8_t authoritative = 0;
uchar user_session_key[16];
uchar lm_key[16];
static const uchar zeros[8] = { 0, };
@@ -513,6 +517,7 @@ static bool test_plaintext(enum ntlm_break break_which)
flags, MSV1_0_CLEARTEXT_PASSWORD_ALLOWED,
lm_key,
user_session_key,
+ &authoritative,
&error_string, NULL);
TALLOC_FREE(nt_response.data);
diff --git a/source3/utils/ntlm_auth_proto.h b/source3/utils/ntlm_auth_proto.h
index 367fd79..63c4763 100644
--- a/source3/utils/ntlm_auth_proto.h
+++ b/source3/utils/ntlm_auth_proto.h
@@ -39,6 +39,7 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
uint32_t extra_logon_parameters,
uint8_t lm_key[8],
uint8_t user_session_key[16],
+ uint8_t *pauthoritative,
char **error_string,
char **unix_name);
--
1.9.1
From cabc9716261beb2dc73065110973815c8a30e4b9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 11:52:51 +0100
Subject: [PATCH 29/42] auth: let auth4_context->check_ntlm_password() return
pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/common_auth.h | 1 +
auth/ntlmssp/ntlmssp_server.c | 3 +++
source3/auth/auth_generic.c | 2 ++
source3/auth/auth_ntlmssp.c | 12 +++++++++---
source3/auth/proto.h | 1 +
source3/utils/ntlm_auth.c | 9 ++++++---
source4/auth/ntlm/auth.c | 4 ++--
7 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/auth/common_auth.h b/auth/common_auth.h
index d1a775d..5d232f4 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -110,6 +110,7 @@ struct auth4_context {
NTSTATUS (*check_ntlm_password)(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
+ uint8_t *pauthoritative,
void **server_returned_info,
DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key);
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index ddee875..eab8121 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -726,9 +726,12 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
if (auth_context->check_ntlm_password) {
+ uint8_t authoritative = 0;
+
nt_status = auth_context->check_ntlm_password(auth_context,
gensec_ntlmssp,
user_info,
+ &authoritative,
&gensec_ntlmssp->server_returned_info,
user_session_key, lm_session_key);
}
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 95c70e8..875b7ff 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -389,10 +389,12 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
{
NTSTATUS nt_status;
void *server_info;
+ uint8_t authoritative = 0;
nt_status = auth_context->check_ntlm_password(auth_context,
talloc_tos(),
user_info,
+ &authoritative,
&server_info, NULL, NULL);
if (NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 0ff3bdd..a48c444 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -136,6 +136,7 @@ NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t
NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
+ uint8_t *pauthoritative,
void **server_returned_info,
DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
{
@@ -145,7 +146,11 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
struct auth_serversupplied_info *server_info;
NTSTATUS nt_status;
bool username_was_mapped;
- uint8_t authoritative = 0;
+
+ /*
+ * Be authoritative by default.
+ */
+ *pauthoritative = 1;
/* The client has given us its machine name (which we only get over NBT transport).
We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
@@ -181,7 +186,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
auth_context,
mapped_user_info,
&server_info,
- &authoritative);
+ pauthoritative);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: "
@@ -189,7 +194,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
user_info->client.domain_name,
user_info->client.account_name,
nt_errstr(nt_status),
- authoritative));
+ *pauthoritative));
}
username_was_mapped = mapped_user_info->was_mapped;
@@ -203,6 +208,7 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
user_info->client.domain_name,
&server_info);
if (NT_STATUS_IS_OK(nt_status)) {
+ *pauthoritative = 1;
*server_returned_info = talloc_steal(mem_ctx, server_info);
}
return nt_status;
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index ccc284c..c5f6ade 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -132,6 +132,7 @@ NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t
NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
+ uint8_t *pauthoritative,
void **server_returned_info,
DATA_BLOB *session_key, DATA_BLOB *lm_session_key);
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 4bfab5b..3bd945f 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -947,6 +947,7 @@ static NTSTATUS ntlm_auth_set_challenge(struct auth4_context *auth_ctx, const ui
static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
+ uint8_t *pauthoritative,
void **server_returned_info,
DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
{
@@ -955,7 +956,6 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
uint8_t lm_key[8];
uint8_t user_sess_key[16];
char *unix_name = NULL;
- uint8_t authoritative = 0;
nt_status = contact_winbind_auth_crap(user_info->client.account_name, user_info->client.domain_name,
user_info->workstation_name,
@@ -965,7 +965,7 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
WBFLAG_PAM_LMKEY | WBFLAG_PAM_USER_SESSION_KEY | WBFLAG_PAM_UNIX_NAME,
0,
lm_key, user_sess_key,
- &authoritative,
+ pauthoritative,
&error_string, &unix_name);
if (NT_STATUS_IS_OK(nt_status)) {
@@ -995,7 +995,8 @@ static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
+ const struct auth_usersupplied_info *user_info,
+ uint8_t *pauthoritative,
void **server_returned_info,
DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
{
@@ -1004,6 +1005,8 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
+ *pauthoritative = 1;
+
nt_status = ntlm_password_check(mem_ctx,
true, true, 0,
&auth4_context->challenge.data,
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 12e26f4..0eb2260 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -189,15 +189,15 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
static NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
+ uint8_t *pauthoritative,
void **server_returned_info,
DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
{
struct auth_user_info_dc *user_info_dc;
NTSTATUS status;
- uint8_t authoritative = 0;
status = auth_check_password(auth_ctx, mem_ctx, user_info,
- &user_info_dc, &authoritative);
+ &user_info_dc, pauthoritative);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
--
1.9.1
From 7693bce0c3b393e925bca27f4abccdf43756322e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 16 Mar 2017 16:47:15 +0100
Subject: [PATCH 30/42] auth4: debug if method->ops->check_password() gives
NOT_IMPLEMENTED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/auth/ntlm/auth.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 0eb2260..5d3fbef 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -374,7 +374,7 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
status = method->ops->want_check(method, req, state->user_info);
if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
DEBUG(11,("auth_check_password_send: "
- "%s had nothing to say\n",
+ "%s doesn't want to check\n",
method->ops->name));
continue;
}
@@ -387,10 +387,15 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
state,
state->user_info,
&state->user_info_dc);
- if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
- /* the backend has handled the request */
- break;
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+ DEBUG(11,("auth_check_password_send: "
+ "%s passes to the next method\n",
+ method->ops->name));
+ continue;
}
+
+ /* the backend has handled the request */
+ break;
}
if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
--
1.9.1
From a789c0239dd4e639bdb0c97775a9fbae5307733a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 16:46:38 +0100
Subject: [PATCH 31/42] auth3: only use "[samba4:]sam" in
make_auth3_context_for_winbind()
This makes the USER_INFO_LOCAL_SAM_ONLY and AUTH_METHOD_LOCAL_SAM
interaction obsolete.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 11a777a4..31313c7 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -544,7 +544,24 @@ NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
NTSTATUS make_auth3_context_for_winbind(TALLOC_CTX *mem_ctx,
struct auth_context **auth_context)
{
- return make_auth_context_subsystem(mem_ctx, auth_context);
+ const char *methods = NULL;
+
+ switch (lp_server_role()) {
+ case ROLE_STANDALONE:
+ case ROLE_DOMAIN_MEMBER:
+ case ROLE_DOMAIN_BDC:
+ case ROLE_DOMAIN_PDC:
+ methods = "sam";
+ break;
+ case ROLE_ACTIVE_DIRECTORY_DC:
+ methods = "samba4:sam";
+ break;
+ default:
+ DEBUG(5,("Unknown auth method!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return make_auth_context_specific(mem_ctx, auth_context, methods);
}
bool auth3_context_set_challenge(struct auth_context *ctx, uint8_t chal[8],
--
1.9.1
From a209d0a4d0bb4d4e214f5849f6a50e897ddc2fd3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 21 Mar 2017 08:31:29 +0100
Subject: [PATCH 32/42] winbindd: no longer use USER_INFO_LOCAL_SAM_ONLY
make_auth3_context_for_winbind() restricts the used auth backends now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/winbindd/winbindd_pam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 74941c7..c04367e 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1269,7 +1269,7 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
user_info->mapped_state = True;
/* We don't want to come back to winbindd or to do PAM account checks */
- user_info->flags |= USER_INFO_LOCAL_SAM_ONLY | USER_INFO_INFO3_AND_NO_AUTHZ;
+ user_info->flags |= USER_INFO_INFO3_AND_NO_AUTHZ;
if (interactive) {
user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
--
1.9.1
From cb2e93b13755a2bfdcfa63d140c50fadf9cba52e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 21 Mar 2017 08:32:27 +0100
Subject: [PATCH 33/42] auth3: remove unused
USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth.c | 5 -----
source3/auth/auth_sam.c | 3 +--
source3/auth/auth_samba4.c | 1 -
3 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 31313c7..3d82f2b 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -223,11 +223,6 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
auth_method_name = auth_method->name;
- if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY
- && !(auth_method->flags & AUTH_METHOD_LOCAL_SAM)) {
- continue;
- }
-
nt_status = auth_method->auth(auth_context,
auth_method->private_data,
talloc_tos(),
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index c4100d5..5b53bca 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -121,8 +121,7 @@ static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *par
}
result->auth = auth_samstrict_auth;
result->name = "sam";
- result->flags = AUTH_METHOD_LOCAL_SAM;
- *auth_method = result;
+ *auth_method = result;
return NT_STATUS_OK;
}
diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c
index 138c6cd..4c83c2a 100644
--- a/source3/auth/auth_samba4.c
+++ b/source3/auth/auth_samba4.c
@@ -379,7 +379,6 @@ static NTSTATUS auth_init_samba4(struct auth_context *auth_context,
result->auth = check_samba4_security;
result->prepare_gensec = prepare_gensec;
result->make_auth4_context = make_auth4_context_s4;
- result->flags = AUTH_METHOD_LOCAL_SAM;
if (param && *param) {
auth_context->forced_samba4_methods = talloc_strdup(result, param);
--
1.9.1
From ed2fb5908d0c3fafd2c3d054f25c72b2af381c23 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 21 Mar 2017 08:32:27 +0100
Subject: [PATCH 34/42] auth4: remove unused
USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/auth/ntlm/auth.c | 5 -----
source4/auth/ntlm/auth_sam.c | 2 --
2 files changed, 7 deletions(-)
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 5d3fbef..1b7faee 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -361,11 +361,6 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
for (method=state->auth_ctx->methods; method; method = method->next) {
- if (state->user_info->flags & USER_INFO_LOCAL_SAM_ONLY
- && !(method->ops->flags & AUTH_METHOD_LOCAL_SAM)) {
- continue;
- }
-
/* we fill in state->method here so debug messages in
the callers know which method failed */
state->method = method;
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index d3f9019..391492a 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -705,7 +705,6 @@ static const struct auth_operations sam_ignoredomain_ops = {
.want_check = authsam_ignoredomain_want_check,
.check_password = authsam_check_password_internals,
.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
- .flags = AUTH_METHOD_LOCAL_SAM
};
static const struct auth_operations sam_ops = {
@@ -713,7 +712,6 @@ static const struct auth_operations sam_ops = {
.want_check = authsam_want_check,
.check_password = authsam_check_password_internals,
.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
- .flags = AUTH_METHOD_LOCAL_SAM
};
_PUBLIC_ NTSTATUS auth4_sam_init(void);
--
1.9.1
From fd6f0d2e480f782f7e26c45e828aa8836f11fb87 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 21 Mar 2017 08:32:27 +0100
Subject: [PATCH 35/42] auth: remove unused
USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM defines
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/common_auth.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/auth/common_auth.h b/auth/common_auth.h
index 5d232f4..8cbfc54 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -26,7 +26,7 @@
#define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
#define USER_INFO_DONT_CHECK_UNIX_ACCOUNT 0x04 /* don't check unix account status */
#define USER_INFO_INTERACTIVE_LOGON 0x08 /* Interactive logon */
-#define USER_INFO_LOCAL_SAM_ONLY 0x10 /* Only authenticate against the local SAM, do not map missing passwords to NO_SUCH_USER */
+/*unused #define USER_INFO_LOCAL_SAM_ONLY 0x10 Only authenticate against the local SAM, do not map missing passwords to NO_SUCH_USER */
#define USER_INFO_INFO3_AND_NO_AUTHZ 0x20 /* Only fill in server_info->info3 and do not do any authorization steps */
enum auth_password_state {
@@ -79,8 +79,6 @@ struct loadparm_context;
struct ldb_context;
struct smb_krb5_context;
-#define AUTH_METHOD_LOCAL_SAM 0x01
-
struct auth4_context {
struct {
/* Who set this up in the first place? */
--
1.9.1
From 9b5d9ce593e7bdcd52bc45b762a72674fc82356f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 23 Mar 2017 11:57:49 +0100
Subject: [PATCH 36/42] auth4: add a "winbind_rodc" backend
This is only active on a RODC.
The background for this is that we currently only ever
call the "winbind" module when we're an RODC,
otherwise everything is catched by "sam_ignoredomain" before.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/auth/ntlm/auth_winbind.c | 55 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index 6f1976d..82a71f3 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -30,6 +30,7 @@
#include "nsswitch/libwbclient/wbclient.h"
#include "auth/auth_sam_reply.h"
#include "libcli/security/security.h"
+#include "dsdb/samdb/samdb.h"
_PUBLIC_ NTSTATUS auth4_winbind_init(void);
@@ -45,6 +46,48 @@ static NTSTATUS winbind_want_check(struct auth_method_context *ctx,
return NT_STATUS_OK;
}
+static NTSTATUS winbind_rodc_want_check(struct auth_method_context *ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info)
+{
+ int ret;
+ bool am_rodc;
+
+ if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ if (ctx->auth_ctx->sam_ctx == NULL) {
+ DBG_ERR("ctx->auth_ctx->sam_ctx == NULL, don't check.\n");
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ ret = samdb_rodc(ctx->auth_ctx->sam_ctx, &am_rodc);
+ if (ret != LDB_SUCCESS) {
+ DBG_ERR("samdb_rodc() failed %d %s, don't check.\n",
+ ret, ldb_errstring(ctx->auth_ctx->sam_ctx));
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ if (!am_rodc) {
+ /*
+ * We don't support trusts yet and we
+ * don't want to add them using the
+ * semi-async irpc call that uses
+ * a nested event loop.
+ */
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+
+ /*
+ * We're a RODC, so we forward the request to our winbind.
+ * As the RODC is not yet production ready anyway, we keep
+ * the semi-async behavior with nested event loops in order
+ * to keep autobuild happy.
+ */
+ return NT_STATUS_OK;
+}
+
struct winbind_check_password_state {
struct winbind_SamLogon req;
};
@@ -258,6 +301,12 @@ static const struct auth_operations winbind_ops = {
.check_password = winbind_check_password
};
+static const struct auth_operations winbind_rodc_ops = {
+ .name = "winbind_rodc",
+ .want_check = winbind_rodc_want_check,
+ .check_password = winbind_check_password
+};
+
static const struct auth_operations winbind_wbclient_ops = {
.name = "winbind_wbclient",
.want_check = winbind_want_check,
@@ -274,6 +323,12 @@ _PUBLIC_ NTSTATUS auth4_winbind_init(void)
return ret;
}
+ ret = auth_register(&winbind_rodc_ops);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(0,("Failed to register 'winbind_rodc' auth backend!\n"));
+ return ret;
+ }
+
ret = auth_register(&winbind_wbclient_ops);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register 'winbind_wbclient' auth backend!\n"));
--
1.9.1
From 1c59ad5a230fa6113bf5c63c9d07cbaa830ecc2d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 17 Mar 2017 14:54:16 +0100
Subject: [PATCH 37/42] auth4: reflect the reality and use "winbind_rodc"
instead of "winbind" for the auth methods as AD_DC
Currently we always map any incoming domain to our own domain
in map_user_info_cracknames(), so that the winbind module is never
used at all, e.g. we're DC of W4EDOM-L4.BASE with a forest trust to W2012R2-L4.BASE:
[2017/03/22 10:09:54.268472, 3, pid=4724, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user [W2012R2-L4]\[administrator]@[UB1404-163]
[2017/03/22 10:09:54.268496, 5, pid=4724, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth_util.c:57(map_user_info_cracknames)
map_user_info_cracknames: Mapping user [W2012R2-L4]\[administrator] from workstation [UB1404-163]
auth_check_password_send: mapped user is: [W4EDOM-L4]\[administrator]@[UB1404-163]
That means the only condition in which "sam_ignoredomain" returns
NT_STATUS_NOT_IMPLEMENTED is the RODC case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/auth/ntlm/auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 1b7faee..26025dc 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -619,7 +619,7 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
case ROLE_ACTIVE_DIRECTORY_DC:
- auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind", NULL);
+ auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind_rodc", NULL);
break;
}
return discard_const_p(const char *, auth_methods);
--
1.9.1
From 1a4bb4a7e95bd25730a8b363c076aa23b6dd910f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 23 Mar 2017 15:15:45 +0100
Subject: [PATCH 38/42] selftest: temporary skip
samba.blackbox.pdbtest.s4winbind
This will reenabled in a few commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
selftest/skip | 1 +
1 file changed, 1 insertion(+)
diff --git a/selftest/skip b/selftest/skip
index fd9932a..2784ba2 100644
--- a/selftest/skip
+++ b/selftest/skip
@@ -142,3 +142,4 @@ bench # don't run benchmarks in our selftest
^samba4.rpc.unixinfo # This contains a server-side getpwuid call which hangs the server when nss_winbindd is in use
^samba.tests.dcerpc.unix # This contains a server-side getpwuid call which hangs the server when nss_winbindd is in use
GETADDRINFO # socket wrapper doesn't support threads
+^samba.blackbox.pdbtest.s4winbind # temporary disable this...
--
1.9.1
From 6f556a26eead8058b986b61a06d7e107121ca27e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 23 Mar 2017 12:54:40 +0100
Subject: [PATCH 39/42] auth3: handle ROLE_ACTIVE_DIRECTORY_DC before
lp_auth_methods() in make_auth_context_subsystem()
"auth methods" never works as AD DC at all, so there's not really a change.
This allows us to implement "auth methods" (temporary) for the auth4 stack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 3d82f2b..e2e99a1 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -485,6 +485,15 @@ static NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
const char *methods = NULL;
NTSTATUS nt_status;
+ switch (lp_server_role()) {
+ case ROLE_ACTIVE_DIRECTORY_DC:
+ DEBUG(5,("Making default auth method list for server role = "
+ "'active directory domain controller'\n"));
+ return make_auth_context_specific(mem_ctx, auth_context, "samba4");
+ default:
+ break;
+ }
+
if (lp_auth_methods()) {
DEBUG(5,("Using specified auth order\n"));
nt_status = make_auth_context_text_list(
@@ -512,10 +521,6 @@ static NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
methods = "guest unix";
}
break;
- case ROLE_ACTIVE_DIRECTORY_DC:
- DEBUG(5,("Making default auth method list for server role = 'active directory domain controller'\n"));
- methods = "samba4";
- break;
default:
DEBUG(5,("Unknown auth method!\n"));
return NT_STATUS_UNSUCCESSFUL;
--
1.9.1
From 3be7e497f34d5a63563ed4255e59911e4a3b8fa6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Mar 2017 09:50:13 +0100
Subject: [PATCH 40/42] auth4: implement the deprecated 'auth methods' in
auth_methods_from_lp()
This might be used to explicitly configure the old auth methods list
from Samba 4.6 and older, if required:
"auth methods = anonymous sam_ignoredomain"
But this option will be removed again in future releases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/auth/ntlm/auth.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 26025dc..ee98cac 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -608,6 +608,20 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char *
const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
{
char **auth_methods = NULL;
+ const char **const_auth_methods = NULL;
+
+ /*
+ * As 'auth methods' is deprecated it will be removed
+ * in future releases again, but for now give
+ * admins the flexibility to configure, the behavior
+ * from Samba 4.6: "auth methods = anonymous sam_ignoredomain",
+ * for a while.
+ */
+ const_auth_methods = lpcfg_auth_methods(lp_ctx);
+ if (const_auth_methods != NULL) {
+ DBG_NOTICE("using deprecated 'auth methods' values.\n");
+ return const_auth_methods;
+ }
switch (lpcfg_server_role(lp_ctx)) {
case ROLE_STANDALONE:
--
1.9.1
From c77d2eed8fba459725bc1901a7d6f4c4572a4693 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 23 Mar 2017 15:13:54 +0100
Subject: [PATCH 41/42] s4:selftest: specify auth methods of pdbtests without
'samba4:' prefix
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/selftest/tests.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 6a3466f..7bd8ab0 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -234,8 +234,8 @@ for env in ["ad_dc_ntvfs", "nt4_dc"]:
plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport), ntlmoptions, '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.%s" % name)
plantestsuite("samba.blackbox.pdbtest(%s)" % env, "%s:local" % env, [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest", smbclient4, '$SMB_CONF_PATH', configuration])
-plantestsuite("samba.blackbox.pdbtest.s4winbind(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest3", smbclient4, '$SMB_CONF_PATH', configuration + " --option='authmethods=samba4:winbind'"])
-plantestsuite("samba.blackbox.pdbtest.s4winbind_wbclient(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest4", smbclient4, '$SMB_CONF_PATH', configuration + " --option='authmethods=samba4:winbind_wbclient'"])
+plantestsuite("samba.blackbox.pdbtest.s4winbind(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest3", smbclient4, '$SMB_CONF_PATH', configuration + " --option='authmethods=winbind'"])
+plantestsuite("samba.blackbox.pdbtest.s4winbind_wbclient(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest4", smbclient4, '$SMB_CONF_PATH', configuration + " --option='authmethods=winbind_wbclient'"])
transports = ["ncacn_np", "ncacn_ip_tcp"]
--
1.9.1
From c778c313caba6e6c6579a655afa3cbe06493bcda Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 23 Mar 2017 15:19:20 +0100
Subject: [PATCH 42/42] Revert "selftest: temporary skip
samba.blackbox.pdbtest.s4winbind"
This works again now...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
selftest/skip | 1 -
1 file changed, 1 deletion(-)
diff --git a/selftest/skip b/selftest/skip
index 2784ba2..fd9932a 100644
--- a/selftest/skip
+++ b/selftest/skip
@@ -142,4 +142,3 @@ bench # don't run benchmarks in our selftest
^samba4.rpc.unixinfo # This contains a server-side getpwuid call which hangs the server when nss_winbindd is in use
^samba.tests.dcerpc.unix # This contains a server-side getpwuid call which hangs the server when nss_winbindd is in use
GETADDRINFO # socket wrapper doesn't support threads
-^samba.blackbox.pdbtest.s4winbind # temporary disable this...
--
1.9.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170323/09ee8b2d/signature-0001.sig>
More information about the samba-technical
mailing list