[PATCH] some fixes for auth4
Volker Lendecke
vl at samba.org
Sun Feb 26 17:18:14 UTC 2017
Hi!
Review appreciated!
Thanks,
Volker
-------------- next part --------------
>From 6975bbda0ababcf166446208c674f46a01474cbc Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 26 Feb 2017 09:16:02 +0100
Subject: [PATCH 1/4] auth4: Fix map_user_info_cracknames for domain==NULL
DsCrackNameOneName directly fails for DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT
if the name passed in does not contain a \. The only caller of
map_user_info_cracknames (auth_check_password_send) passes in
lpcfg_workgroup(), which does not contain a \. Add in the \ also for
the default_domain case.
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source4/auth/ntlm/auth_util.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/source4/auth/ntlm/auth_util.c b/source4/auth/ntlm/auth_util.c
index 3e5a0da..f7b01eb 100644
--- a/source4/auth/ntlm/auth_util.c
+++ b/source4/auth/ntlm/auth_util.c
@@ -128,12 +128,11 @@ static NTSTATUS map_user_info_cracknames(struct ldb_context *sam_ctx,
return NT_STATUS_NO_MEMORY;
}
} else {
- char *domain_name;
+ const char *domain_name = default_domain;
if (user_info->client.domain_name && *user_info->client.domain_name) {
- domain_name = talloc_asprintf(tmp_ctx, "%s\\", user_info->client.domain_name);
- } else {
- domain_name = talloc_strdup(tmp_ctx, default_domain);
+ domain_name = user_info->client.domain_name;
}
+ domain_name = talloc_asprintf(tmp_ctx, "%s\\", domain_name);
if (domain_name == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
--
2.1.4
>From 0d8769d01d19b1ab44640b878946cea9809542f7 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 26 Feb 2017 11:25:20 +0100
Subject: [PATCH 2/4] auth4: Only use CrackNames if we're a DC
DsCrackNameOneName on a member does not really have a big user database. We
should delegate as much responsibility as possible to our DC.
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source4/auth/ntlm/auth.c | 10 ++++++++--
source4/auth/ntlm/auth_util.c | 3 ++-
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index eeb2336..656d4bc 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -280,8 +280,14 @@ _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
state->user_info = user_info;
if (!user_info->mapped_state) {
- nt_status = map_user_info(auth_ctx->sam_ctx, req, lpcfg_workgroup(auth_ctx->lp_ctx),
- user_info, &user_info_tmp);
+ int server_role = lpcfg_server_role(auth_ctx->lp_ctx);
+
+ nt_status = map_user_info(
+ auth_ctx->sam_ctx, req,
+ server_role == ROLE_ACTIVE_DIRECTORY_DC,
+ lpcfg_workgroup(auth_ctx->lp_ctx),
+ user_info, &user_info_tmp);
+
if (tevent_req_nterror(req, nt_status)) {
return tevent_req_post(req, ev);
}
diff --git a/source4/auth/ntlm/auth_util.c b/source4/auth/ntlm/auth_util.c
index f7b01eb..e3d196c 100644
--- a/source4/auth/ntlm/auth_util.c
+++ b/source4/auth/ntlm/auth_util.c
@@ -221,6 +221,7 @@ static NTSTATUS map_user_info_cracknames(struct ldb_context *sam_ctx,
****************************************************************************/
NTSTATUS map_user_info(struct ldb_context *sam_ctx,
TALLOC_CTX *mem_ctx,
+ bool is_ad_dc,
const char *default_domain,
const struct auth_usersupplied_info *user_info,
struct auth_usersupplied_info **user_info_mapped)
@@ -230,7 +231,7 @@ NTSTATUS map_user_info(struct ldb_context *sam_ctx,
char *d;
TALLOC_CTX *tmp_ctx;
- if (sam_ctx != NULL) {
+ if (is_ad_dc) {
/* if possible, use cracknames to parse the
domain/account */
return map_user_info_cracknames(sam_ctx, mem_ctx, default_domain, user_info, user_info_mapped);
--
2.1.4
>From d6442a01c9c0181c7cf85fcbcf5892fc0864f8e9 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Thu, 23 Feb 2017 20:48:32 +0100
Subject: [PATCH 3/4] auth4: Reduce indentation level by an early error return
Just cosmetics for easier readability, no code change
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source4/auth/ntlm/auth.c | 40 ++++++++++++++++++++++------------------
1 file changed, 22 insertions(+), 18 deletions(-)
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 656d4bc..a1276df 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -191,29 +191,33 @@ _PUBLIC_ NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
{
struct auth_user_info_dc *user_info_dc;
- NTSTATUS status = auth_check_password(auth_ctx, mem_ctx, user_info, &user_info_dc);
+ NTSTATUS status;
- if (NT_STATUS_IS_OK(status)) {
- *server_returned_info = user_info_dc;
+ status = auth_check_password(auth_ctx, mem_ctx, user_info,
+ &user_info_dc);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- if (user_session_key) {
- DEBUG(10, ("Got NT session key of length %u\n",
- (unsigned)user_info_dc->user_session_key.length));
- *user_session_key = user_info_dc->user_session_key;
- talloc_steal(mem_ctx, user_session_key->data);
- user_info_dc->user_session_key = data_blob_null;
- }
+ *server_returned_info = user_info_dc;
- if (lm_session_key) {
- DEBUG(10, ("Got LM session key of length %u\n",
- (unsigned)user_info_dc->lm_session_key.length));
- *lm_session_key = user_info_dc->lm_session_key;
- talloc_steal(mem_ctx, lm_session_key->data);
- user_info_dc->lm_session_key = data_blob_null;
- }
+ if (user_session_key) {
+ DEBUG(10, ("Got NT session key of length %u\n",
+ (unsigned)user_info_dc->user_session_key.length));
+ *user_session_key = user_info_dc->user_session_key;
+ talloc_steal(mem_ctx, user_session_key->data);
+ user_info_dc->user_session_key = data_blob_null;
}
- return status;
+ if (lm_session_key) {
+ DEBUG(10, ("Got LM session key of length %u\n",
+ (unsigned)user_info_dc->lm_session_key.length));
+ *lm_session_key = user_info_dc->lm_session_key;
+ talloc_steal(mem_ctx, lm_session_key->data);
+ user_info_dc->lm_session_key = data_blob_null;
+ }
+
+ return NT_STATUS_OK;
}
struct auth_check_password_state {
--
2.1.4
>From de3280bd72046317405f51dc0b5f48b3a504895f Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 26 Feb 2017 13:06:05 +0100
Subject: [PATCH 4/4] samdb: Fix a typo
Signed-off-by: Volker Lendecke <vl at samba.org>
---
source4/dsdb/samdb/cracknames.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index ad4ef5c..596343a 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -679,7 +679,7 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
return WERR_NOT_ENOUGH_MEMORY;
}
- /* Ensure we reject compleate junk first */
+ /* Ensure we reject complete junk first */
ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
if (ret) {
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
--
2.1.4
More information about the samba-technical
mailing list