[Patches] winbindd improvements with anonymous and ntlmssp fallbacks (bugs #12587 #12598)

Stefan Metzmacher metze at samba.org
Wed Feb 22 22:07:52 UTC 2017


Hi,

here are some patches to fix bugs
https://bugzilla.samba.org/show_bug.cgi?id=12587
https://bugzilla.samba.org/show_bug.cgi?id=12598

I'm currently running private autobuilds with them.
I also plan to do some more tests with real setups
tomorrow.

So please have a look but not yet push.

Thanks!
metze
-------------- next part --------------
From 5e8be9a9775c6a9f1ba6f43b52190124d72c85b9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Feb 2017 19:18:04 +0100
Subject: [PATCH 1/5] s3:winbindd: fix the valid usage anonymous smb
 authentication

This handles the situation where we don't have credentials to contact the
remote domain, or where we contact an NT4 domain with the following settings:

  workgroup = NT4DOM
  security = domain
  require strong key = no
  client use spnego = no
  client ipc signing = auto

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_cm.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 41a0076..8637607 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1114,6 +1114,11 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 		  machine_domain, machine_account,
 		  machine_principal, machine_realm));
 
+	if (cli_credentials_is_anonymous(creds)) {
+		smb_sign_client_connections = SMB_SIGNING_OFF;
+		goto anon_fallback;
+	}
+
 	winbindd_set_locator_kdc_envs(domain);
 
 	result = cli_session_setup_creds(*cli, creds);
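Review bot: The `smb_sign_client_connections = SMB_SIGNING_OFF;` line added before the new `goto anon_fallback;` is duplicated at the second `goto anon_fallback;` in the third hunk of this patch; if the `anon_fallback:` label is the only consumer, assigning it once at the label keeps the two sites from drifting apart. A one-line why-comment would also help the next reader, e.g. `/* signing cannot be negotiated on an anonymous session */`, although the label's code is outside the hunk so I cannot confirm that is the reason here. Note that the new early jump skips `winbindd_set_locator_kdc_envs(domain)`, which the authenticated path still runs; worth confirming the anonymous path does not depend on those environment settings. cm_prepare_connection() starts and ends outside this hunk.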
@@ -1132,10 +1137,6 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 	    || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
 	    || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
 	{
-		if (cli_credentials_is_anonymous(creds)) {
-			goto done;
-		}
-
 		if (!cm_is_ipc_credentials(creds)) {
 			goto ipc_fallback;
 		}
@@ -1161,6 +1162,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 	}
 
 	if (cli_credentials_is_anonymous(creds)) {
+		smb_sign_client_connections = SMB_SIGNING_OFF;
 		goto anon_fallback;
 	}
 
-- 
1.9.1


From 62657532347a789dcffda11c79d4b44f33cf5391 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Feb 2017 20:07:25 +0100
Subject: [PATCH 2/5] s3:passdb: use cli_credentials_set_kerberos_state() for
 trusts in pdb_get_trust_credentials()

Trust accounts can only use kerberos when contacting other AD domains,
using NTLMSSP will fail.

At the same time it doesn't make sense to try kerberos for NT4 domains;
NTLMSSP will still fail there, but the callers have to deal with that
case and just fall back to an anonymous SMB connection.

In all cases we should be able to use NETLOGON SCHANNEL
over any anonymous smb or tcp transport.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/passdb/passdb.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 36aedad..64e05b3 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -2621,6 +2621,19 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
 			status = NT_STATUS_NO_MEMORY;
 			goto fail;
 		}
+
+		/*
+		 * It's not possible to use NTLMSSP with a domain trust account.
+		 */
+		cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
+	} else {
+		/*
+		 * We can't use kerberos against an NT4 domain.
+		 *
+		 * We should have a mode that also disallows NTLMSSP here,
+		 * as only NETLOGON SCHANNEL is possible.
+		 */
+		cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
 	}
 
 	ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
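Review bot: The comment in the added `else` branch ("We should have a mode that also disallows NTLMSSP here") describes a gap rather than what the code does: with only `CRED_DONT_USE_KERBEROS` set, an NTLMSSP attempt is still made and, per the commit message, fails before the caller falls back to anonymous SMB. Marking it as a TODO with the bug reference makes that intent greppable, e.g. `* TODO (bug 12598): disallow NTLMSSP here as well, only NETLOGON SCHANNEL works.`. The `if` condition this `else` belongs to is above the hunk, so I cannot confirm from here that the branch is reached only for NT4 trusts. pdb_get_trust_credentials() starts and ends outside this hunk.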
@@ -2635,6 +2648,10 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
 			status = NT_STATUS_NO_MEMORY;
 			goto fail;
 		}
+		/*
+		 * We currently can't do kerberos just with an NTHASH.
+		 */
+		cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
 		goto done;
 	}
 
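Review bot: The added `cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);` before `goto done;` unconditionally overrides whatever the first hunk of this patch set, including `CRED_MUST_USE_KERBEROS` for the trust-account branch. If a trust account only has an NT hash, the credentials then permit NTLMSSP, which the first hunk's comment says cannot work for such an account; either skip the override when the state is already mandatory, e.g. `if (cli_credentials_get_kerberos_state(creds) != CRED_MUST_USE_KERBEROS) {` around the call, or extend the comment to say the downgrade is intentional and the caller is expected to fall back to anonymous SMB. I am inferring the branch meanings from the comments, as the enclosing conditions are outside the hunk. pdb_get_trust_credentials() starts and ends outside this hunk.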
-- 
1.9.1


From 8912290faa2ff5abf728c68590b6e3026ba96414 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Feb 2017 20:07:25 +0100
Subject: [PATCH 3/5] s3:winbindd: rely on the kerberos_state from
 pdb_get_trust_credentials()

The implementation of pdb_get_trust_credentials() should have all
the details to set the kerberos_state to a useful value.

This should enable the fallback to NTLMSSP again, when using our
machine account against trusted domains.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_cm.c | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 8637607..6ae3b21 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -937,17 +937,6 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 		goto ipc_fallback;
 	}
 
-	if (domain->primary && lp_security() == SEC_ADS) {
-		cli_credentials_set_kerberos_state(creds,
-						   CRED_AUTO_USE_KERBEROS);
-	} else if (domain->active_directory) {
-		cli_credentials_set_kerberos_state(creds,
-						   CRED_MUST_USE_KERBEROS);
-	} else {
-		cli_credentials_set_kerberos_state(creds,
-						   CRED_DONT_USE_KERBEROS);
-	}
-
 	/*
 	 * When we contact our own domain and get a list of the trusted domain
 	 * we have the information if we are able to contact the DC with
-- 
1.9.1


From 05fbb3a4f953acebfb477d176dea014d1d81ef65 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Feb 2017 21:18:32 +0100
Subject: [PATCH 4/5] s3:winbindd: allow a fallback to NTLMSSP for LDAP
 connections

This matches the behaviour of pdb_get_trust_credentials() for
our machine account and allows us to fallback to NTLMSSP
when contacting trusted domains.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_ads.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 077c6ec..05ef2ec 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -120,6 +120,8 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
 	ads->auth.renewable = renewable;
 	ads->auth.password = password;
 
+	ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+
 	ads->auth.realm = SMB_STRDUP(auth_realm);
 	if (!strupper_m(ads->auth.realm)) {
 		ads_destroy(&ads);
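Review bot: `ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;` is set unconditionally in ads_cached_connection_connect(), so the NTLMSSP fallback also applies to LDAP connections to the primary domain, while the commit message only motivates it for trusted domains. If that is intended, a comment saying so keeps the next reader from treating it as an accidental downgrade, e.g. `/* Allow a fallback to NTLMSSP, matching pdb_get_trust_credentials(); needed for trusted domains (bug 12598). */`; if not, the flag could be gated on the caller indicating a trusted domain. Whether LDAP signing and sealing remain required on the NTLMSSP path is decided elsewhere and cannot be confirmed from this hunk. ads_cached_connection_connect() starts and ends outside this hunk.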
-- 
1.9.1


From 30aca5f38eee0484c28b6fb90fb3e8732f67f170 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Feb 2017 21:29:50 +0100
Subject: [PATCH 5/5] s3:idmap_ad: make use of pdb_get_trust_credentials() to
 get the machine account creds

This is mostly a cosmetic change currently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/idmap_ad.c | 33 ++++++++++++---------------------
 1 file changed, 12 insertions(+), 21 deletions(-)

diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index f406392..09ad7a7 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -300,11 +300,19 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	creds = cli_credentials_init(dcinfo);
-	if (creds == NULL) {
-		DBG_DEBUG("cli_credentials_init failed\n");
+	/*
+	 * Here we use or own machine account as
+	 * we run as domain member.
+	 */
+	status = pdb_get_trust_credentials(lp_workgroup(),
+					   lp_realm(),
+					   dcinfo,
+					   &creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_DEBUG("pdb_get_trust_credentials() failed - %s\n",
+			  nt_errstr(status));
 		TALLOC_FREE(dcinfo);
-		return NT_STATUS_NO_MEMORY;
+		return status;
 	}
 
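Review bot: The new comment has a typo: `* Here we use or own machine account as` should read `* Here we use our own machine account as`. Since the second hunk of this patch removes the only use of `db_ctx`, its declaration above this hunk presumably becomes an unused local and should be dropped in the same patch if it has not been already. The removed `cli_credentials_set_conf(creds, lp_ctx)` call is also gone, so the returned credentials must already have their configuration applied inside pdb_get_trust_credentials(); worth confirming. The error path still frees only `dcinfo`, which is fine as long as `creds` is allocated on `dcinfo`, the memory context passed to the call. idmap_ad_get_tldap_ctx() starts and ends outside this hunk.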
 	lp_ctx = loadparm_init_s3(dcinfo, loadparm_s3_helpers());
@@ -314,23 +322,6 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	cli_credentials_set_conf(creds, lp_ctx);
-
-	db_ctx = secrets_db_ctx();
-	if (db_ctx == NULL) {
-		DBG_DEBUG("Failed to open secrets.tdb.\n");
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-
-	status = cli_credentials_set_machine_account_db_ctx(creds, lp_ctx,
-							    db_ctx);
-	if (!NT_STATUS_IS_OK(status)) {
-		DBG_DEBUG("cli_credentials_set_machine_account "
-			  "failed: %s\n", nt_errstr(status));
-		TALLOC_FREE(dcinfo);
-		return status;
-	}
-
 	rc = tldap_gensec_bind(ld, creds, "ldap", dcinfo->dc_unc, NULL, lp_ctx,
 			       GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
 	if (!TLDAP_RC_IS_SUCCESS(rc)) {
-- 
1.9.1


