The branch, master has been updated
via 585900d... s4:gensec Don't give a warning when Windows client
connects with NTLM
via 0809696... s4:auth Change 'get_challenge' API to be more like Samba3
via 383369e... s4:auth generate the prototype file in the right place
via 551ea65... Samba4 and LDB requires talloc 2.0.1
from 100168d... Fix bug reported in mangle_hash code (no bugid yet).
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 585900deb58944f35bdf03c0b8cba3509d5b0076
Author: Andrew Bartlett <[email protected]>
Date: Tue Dec 8 16:50:18 2009 +1100
s4:gensec Don't give a warning when Windows client connects with NTLM
We have had the workaround for a long time, but at the time the log
warnings remained.
Andrew Bartlett
commit 0809696dbf3f551c0fbd37154025053b55fa07ee
Author: Andrew Bartlett <[email protected]>
Date: Mon Dec 14 20:32:47 2009 +1100
s4:auth Change 'get_challenge' API to be more like Samba3
It is just easier to fill in the known to be 8 byte challenge than
stuff about with allocated pointers.
Andrew Bartlett
commit 383369e8f204f5a02b6c056f276f14f2f9518044
Author: Andrew Bartlett <[email protected]>
Date: Tue Dec 22 17:21:06 2009 +1100
s4:auth generate the prototype file in the right place
commit 551ea65c96e3f9a1aa285c86381d93faba6b4e75
Author: Andrew Bartlett <[email protected]>
Date: Fri Dec 18 15:30:41 2009 +1100
Samba4 and LDB requires talloc 2.0.1
reported by [email protected]
-----------------------------------------------------------------------
Summary of changes:
source4/auth/auth.h | 6 +++---
source4/auth/ntlm/auth.c | 25 ++++++++-----------------
source4/auth/ntlm/auth_proto.h | 2 +-
source4/auth/ntlm/auth_server.c | 7 +++++--
source4/auth/ntlm/auth_util.c | 12 ++++++------
source4/auth/ntlm/auth_winbind.c | 6 +++---
source4/auth/ntlm/config.mk | 2 +-
source4/auth/ntlmssp/ntlmssp_server.c | 7 +++++--
source4/auth/ntlmssp/ntlmssp_sign.c | 31 ++++++++++++++++++++-----------
source4/lib/ldb/external/libtalloc.m4 | 2 +-
source4/min_versions.m4 | 2 +-
source4/smb_server/smb/negprot.c | 5 +----
12 files changed, 55 insertions(+), 52 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index c31ed2f..c625c87 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -135,7 +135,7 @@ struct auth_operations {
* security=server, and makes a number of compromises to allow
* that. It is not compatible with being a PDC. */
- NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX
*mem_ctx, DATA_BLOB *challenge);
+ NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX
*mem_ctx, uint8_t chal[8]);
/* Given the user supplied info, check if this backend want to handle
the password checking */
@@ -190,7 +190,7 @@ struct auth_context {
const struct auth_usersupplied_info
*user_info,
struct auth_serversupplied_info
**server_info);
- NTSTATUS (*get_challenge)(struct auth_context *auth_ctx, const uint8_t
**_chal);
+ NTSTATUS (*get_challenge)(struct auth_context *auth_ctx, uint8_t
chal[8]);
bool (*challenge_may_be_modified)(struct auth_context *auth_ctx);
@@ -226,7 +226,7 @@ struct ldb_context;
struct ldb_dn;
struct gensec_security;
-NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, const uint8_t
**_chal);
+NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, uint8_t chal[8]);
NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
struct ldb_context *sam_ctx,
uint32_t logon_parameters,
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 5520c9d..d0c8ed3 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -51,42 +51,34 @@ bool auth_challenge_may_be_modified(struct auth_context
*auth_ctx)
Try to get a challenge out of the various authentication modules.
Returns a const char of length 8 bytes.
****************************************************************************/
-_PUBLIC_ NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, const
uint8_t **_chal)
+_PUBLIC_ NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, uint8_t
chal[8])
{
NTSTATUS nt_status;
struct auth_method_context *method;
- if (auth_ctx->challenge.data.length) {
+ if (auth_ctx->challenge.data.length == 8) {
DEBUG(5, ("auth_get_challenge: returning previous challenge by
module %s (normal)\n",
auth_ctx->challenge.set_by));
- *_chal = auth_ctx->challenge.data.data;
+ memcpy(chal, auth_ctx->challenge.data.data, 8);
return NT_STATUS_OK;
}
for (method = auth_ctx->methods; method; method = method->next) {
- DATA_BLOB challenge = data_blob(NULL,0);
-
- nt_status = method->ops->get_challenge(method, auth_ctx,
&challenge);
+ nt_status = method->ops->get_challenge(method, auth_ctx, chal);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
continue;
}
NT_STATUS_NOT_OK_RETURN(nt_status);
- if (challenge.length != 8) {
- DEBUG(0, ("auth_get_challenge: invalid challenge
(length %u) by mothod [%s]\n",
- (unsigned)challenge.length, method->ops->name));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- auth_ctx->challenge.data = challenge;
+ auth_ctx->challenge.data = data_blob_talloc(auth_ctx,
chal, 8);
+ NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data);
auth_ctx->challenge.set_by = method->ops->name;
break;
}
if (!auth_ctx->challenge.set_by) {
- uint8_t chal[8];
generate_random_buffer(chal, 8);
auth_ctx->challenge.data =
data_blob_talloc(auth_ctx, chal, 8);
@@ -99,7 +91,6 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth_context
*auth_ctx, const uint8_
DEBUG(10,("auth_get_challenge: challenge set by %s\n",
auth_ctx->challenge.set_by));
- *_chal = auth_ctx->challenge.data.data;
return NT_STATUS_OK;
}
@@ -256,7 +247,7 @@ _PUBLIC_ void auth_check_password_send(struct auth_context
*auth_ctx,
/* if all the modules say 'not for me' this is reasonable */
NTSTATUS nt_status;
struct auth_method_context *method;
- const uint8_t *challenge;
+ uint8_t chal[8];
struct auth_usersupplied_info *user_info_tmp;
struct auth_check_password_request *req = NULL;
@@ -283,7 +274,7 @@ _PUBLIC_ void auth_check_password_send(struct auth_context
*auth_ctx,
DEBUGADD(3,("auth_check_password_send: mapped user is:
[%s]\\[...@[%s]\n",
user_info->mapped.domain_name,
user_info->mapped.account_name, user_info->workstation_name));
- nt_status = auth_get_challenge(auth_ctx, &challenge);
+ nt_status = auth_get_challenge(auth_ctx, chal);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("auth_check_password_send: Invalid challenge (length
%u) stored for this auth context set_by %s - cannot continue: %s\n",
(unsigned)auth_ctx->challenge.data.length,
auth_ctx->challenge.set_by, nt_errstr(nt_status)));
diff --git a/source4/auth/ntlm/auth_proto.h b/source4/auth/ntlm/auth_proto.h
index 572c1a4..5e8c725 100644
--- a/source4/auth/ntlm/auth_proto.h
+++ b/source4/auth/ntlm/auth_proto.h
@@ -23,7 +23,7 @@ NTSTATUS server_service_auth_init(void);
/* The following definitions come from auth/ntlm/auth_util.c */
-NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx, DATA_BLOB *challenge);
+NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx, uint8_t chal[8]);
/****************************************************************************
Create an auth_usersupplied_data structure after appropriate mapping.
diff --git a/source4/auth/ntlm/auth_server.c b/source4/auth/ntlm/auth_server.c
index 12849aa..ae7b7dd 100644
--- a/source4/auth/ntlm/auth_server.c
+++ b/source4/auth/ntlm/auth_server.c
@@ -40,7 +40,7 @@ static NTSTATUS server_want_check(struct auth_method_context
*ctx,
/**
* The challenge from the target server, when operating in security=server
**/
-static NTSTATUS server_get_challenge(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx, DATA_BLOB *_blob)
+static NTSTATUS server_get_challenge(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx, uint8_t chal[8])
{
struct smb_composite_connect io;
struct smbcli_options smb_options;
@@ -88,7 +88,10 @@ static NTSTATUS server_get_challenge(struct
auth_method_context *ctx, TALLOC_CTX
ctx->auth_ctx->event_ctx);
NT_STATUS_NOT_OK_RETURN(status);
- *_blob = io.out.tree->session->transport->negotiate.secblob;
+ if (io.out.tree->session->transport->negotiate.secblob.length != 8) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ memcpy(chal, io.out.tree->session->transport->negotiate.secblob.data,
8);
ctx->private_data = talloc_steal(ctx, io.out.tree->session);
return NT_STATUS_OK;
}
diff --git a/source4/auth/ntlm/auth_util.c b/source4/auth/ntlm/auth_util.c
index 5543cbe..92df0bf 100644
--- a/source4/auth/ntlm/auth_util.c
+++ b/source4/auth/ntlm/auth_util.c
@@ -29,7 +29,7 @@
/* this default function can be used by mostly all backends
* which don't want to set a challenge
*/
-NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx, DATA_BLOB *challenge)
+NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx, uint8_t chal[8])
{
/* we don't want to set a challenge */
return NT_STATUS_NOT_IMPLEMENTED;
@@ -122,7 +122,7 @@ NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct
auth_context *auth_contex
}
case AUTH_PASSWORD_HASH:
{
- const uint8_t *challenge;
+ uint8_t chal[8];
DATA_BLOB chall_blob;
user_info_temp = talloc(mem_ctx, struct
auth_usersupplied_info);
if (!user_info_temp) {
@@ -134,12 +134,12 @@ NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct
auth_context *auth_contex
*user_info_temp = *user_info_in;
user_info_temp->mapped_state = to_state;
- nt_status = auth_get_challenge(auth_context,
&challenge);
+ nt_status = auth_get_challenge(auth_context, chal);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
- chall_blob = data_blob_talloc(mem_ctx, challenge, 8);
+ chall_blob = data_blob_talloc(mem_ctx, chal, 8);
if (lp_client_ntlmv2_auth(auth_context->lp_ctx)) {
DATA_BLOB names_blob =
NTLMv2_generate_names_blob(mem_ctx, lp_netbios_name(auth_context->lp_ctx),
lp_workgroup(auth_context->lp_ctx));
DATA_BLOB lmv2_response, ntlmv2_response,
lmv2_session_key, ntlmv2_session_key;
@@ -162,12 +162,12 @@ NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct
auth_context *auth_contex
data_blob_free(&ntlmv2_session_key);
} else {
DATA_BLOB blob = data_blob_talloc(mem_ctx,
NULL, 24);
-
SMBOWFencrypt(user_info_in->password.hash.nt->hash, challenge, blob.data);
+
SMBOWFencrypt(user_info_in->password.hash.nt->hash, chal, blob.data);
user_info_temp->password.response.nt = blob;
if (lp_client_lanman_auth(auth_context->lp_ctx)
&& user_info_in->password.hash.lanman) {
DATA_BLOB lm_blob =
data_blob_talloc(mem_ctx, NULL, 24);
-
SMBOWFencrypt(user_info_in->password.hash.lanman->hash, challenge, blob.data);
+
SMBOWFencrypt(user_info_in->password.hash.lanman->hash, chal, blob.data);
user_info_temp->password.response.lanman = lm_blob;
} else {
/* if not sending the LM password, send
the NT password twice */
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index 568226d..173a895 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -271,7 +271,7 @@ static NTSTATUS winbind_check_password(struct
auth_method_context *ctx,
s->req.in.logon.password= password_info;
} else {
struct netr_NetworkInfo *network_info;
- const uint8_t *challenge;
+ uint8_t chal[8];
status = encrypt_user_info(s, ctx->auth_ctx,
AUTH_PASSWORD_RESPONSE,
user_info, &user_info_new);
@@ -281,10 +281,10 @@ static NTSTATUS winbind_check_password(struct
auth_method_context *ctx,
network_info = talloc(s, struct netr_NetworkInfo);
NT_STATUS_HAVE_NO_MEMORY(network_info);
- status = auth_get_challenge(ctx->auth_ctx, &challenge);
+ status = auth_get_challenge(ctx->auth_ctx, chal);
NT_STATUS_NOT_OK_RETURN(status);
- memcpy(network_info->challenge, challenge,
sizeof(network_info->challenge));
+ memcpy(network_info->challenge, chal,
sizeof(network_info->challenge));
network_info->nt.length =
user_info->password.response.nt.length;
network_info->nt.data = user_info->password.response.nt.data;
diff --git a/source4/auth/ntlm/config.mk b/source4/auth/ntlm/config.mk
index a0d668f..8273852 100644
--- a/source4/auth/ntlm/config.mk
+++ b/source4/auth/ntlm/config.mk
@@ -74,7 +74,7 @@ OUTPUT_TYPE = MERGED_OBJ
PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL LIBSECURITY SAMDB CREDENTIALS
auth_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth.o auth_util.o
auth_simple.o)
-$(eval $(call
proto_header_template,$(authsrcdir)/auth_proto.h,$(auth_OBJ_FILES:.o=.c)))
+$(eval $(call
proto_header_template,$(authsrcdir)/ntlm/auth_proto.h,$(auth_OBJ_FILES:.o=.c)))
# PUBLIC_HEADERS += auth/auth.h
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c
b/source4/auth/ntlmssp/ntlmssp_server.c
index 94de920..281ffbf 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -600,9 +600,12 @@ NTSTATUS ntlmssp_server_auth(struct gensec_security
*gensec_security,
static const uint8_t *auth_ntlmssp_get_challenge(const struct
gensec_ntlmssp_state *gensec_ntlmssp_state)
{
NTSTATUS status;
- const uint8_t *chal;
+ uint8_t *chal = talloc_array(gensec_ntlmssp_state, uint8_t, 8);
+ if (!chal) {
+ return NULL;
+ }
- status =
gensec_ntlmssp_state->auth_context->get_challenge(gensec_ntlmssp_state->auth_context,
&chal);
+ status =
gensec_ntlmssp_state->auth_context->get_challenge(gensec_ntlmssp_state->auth_context,
chal);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge:
%s\n",
nt_errstr(status)));
diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c
b/source4/auth/ntlmssp/ntlmssp_sign.c
index 957d0a8..9e0d80f 100644
--- a/source4/auth/ntlmssp/ntlmssp_sign.c
+++ b/source4/auth/ntlmssp/ntlmssp_sign.c
@@ -171,7 +171,7 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security
*gensec_security,
NTLMSSP_RECEIVE, &local_sig,
true);
if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("NTLMSSP packet check failed with %s\n",
nt_errstr(nt_status)));
+ DEBUG(0, ("NTLMSSP packet sig creation failed with %s\n",
nt_errstr(nt_status)));
return nt_status;
}
@@ -179,26 +179,25 @@ NTSTATUS gensec_ntlmssp_check_packet(struct
gensec_security *gensec_security,
if (local_sig.length != sig->length ||
memcmp(local_sig.data,
sig->data, sig->length) != 0) {
- DEBUG(5, ("BAD SIG NTLM2: wanted signature over %llu
bytes of input:\n", (unsigned long long)pdu_length));
- dump_data(5, local_sig.data, local_sig.length);
+
+ DEBUG(10, ("BAD SIG NTLM2: wanted signature over %llu
bytes of input:\n", (unsigned long long)pdu_length));
+ dump_data(10, local_sig.data, local_sig.length);
- DEBUG(5, ("BAD SIG: got signature over %llu bytes of
input:\n", (unsigned long long)pdu_length));
- dump_data(5, sig->data, sig->length);
+ DEBUG(10, ("BAD SIG: got signature over %llu bytes of
input:\n", (unsigned long long)pdu_length));
+ dump_data(10, sig->data, sig->length);
- DEBUG(1, ("NTLMSSP NTLM2 packet check failed due to
invalid signature on %llu bytes of input!\n", (unsigned long long)pdu_length));
return NT_STATUS_ACCESS_DENIED;
}
} else {
if (local_sig.length != sig->length ||
memcmp(local_sig.data + 8,
sig->data + 8, sig->length - 8) != 0) {
- DEBUG(5, ("BAD SIG NTLM1: wanted signature of %llu
bytes of input:\n", (unsigned long long)length));
+ DEBUG(10, ("BAD SIG NTLM1: wanted signature of %llu
bytes of input:\n", (unsigned long long)length));
dump_data(5, local_sig.data, local_sig.length);
- DEBUG(5, ("BAD SIG: got signature of %llu bytes of
input:\n", (unsigned long long)length));
- dump_data(5, sig->data, sig->length);
+ DEBUG(10, ("BAD SIG: got signature of %llu bytes of
input:\n", (unsigned long long)length));
+ dump_data(10, sig->data, sig->length);
- DEBUG(1, ("NTLMSSP NTLM1 packet check failed due to
invalid signature on %llu bytes of input:\n", (unsigned long long)length));
return NT_STATUS_ACCESS_DENIED;
}
}
@@ -281,6 +280,7 @@ NTSTATUS gensec_ntlmssp_unseal_packet(struct
gensec_security *gensec_security,
const uint8_t *whole_pdu, size_t
pdu_length,
const DATA_BLOB *sig)
{
+ NTSTATUS status;
struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct
gensec_ntlmssp_state *)gensec_security->private_data;
if (!gensec_ntlmssp_state->session_key.length) {
DEBUG(3, ("NO session key, cannot unseal packet\n"));
@@ -294,7 +294,12 @@ NTSTATUS gensec_ntlmssp_unseal_packet(struct
gensec_security *gensec_security,
arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, data,
length);
}
dump_data_pw("ntlmssp clear data\n", data, length);
- return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data,
length, whole_pdu, pdu_length, sig);
+ status = gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx,
data, length, whole_pdu, pdu_length, sig);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("NTLMSSP packet check for unseal failed due to
invalid signature on %llu bytes of input:\n", (unsigned long long)length));
+ }
+ return status;
}
/**
@@ -585,6 +590,10 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security
*gensec_security,
status = check_status;
}
}
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("NTLMSSP packet check for unwrap failed due
to invalid signature\n"));
+ }
return status;
} else {
*out = *in;
diff --git a/source4/lib/ldb/external/libtalloc.m4
b/source4/lib/ldb/external/libtalloc.m4
index 8c63fcc..dfccaf4 100644
--- a/source4/lib/ldb/external/libtalloc.m4
+++ b/source4/lib/ldb/external/libtalloc.m4
@@ -2,7 +2,7 @@ AC_SUBST(TALLOC_OBJ)
AC_SUBST(TALLOC_CFLAGS)
AC_SUBST(TALLOC_LIBS)
-PKG_CHECK_MODULES(TALLOC, talloc >= 2.0.0,
+PKG_CHECK_MODULES(TALLOC, talloc >= 2.0.1,
[ ],
[ AC_CHECK_HEADER(talloc.h,
[ AC_CHECK_LIB(talloc, talloc_init,
[TALLOC_LIBS="-ltalloc"])])])
diff --git a/source4/min_versions.m4 b/source4/min_versions.m4
index 5bb3b0b..af8c4dd 100644
--- a/source4/min_versions.m4
+++ b/source4/min_versions.m4
@@ -1,6 +1,6 @@
# Minimum and exact required versions for various libraries
# if we use the ones installed in the system.
define(TDB_MIN_VERSION,1.2.0)
-define(TALLOC_MIN_VERSION,2.0.0)
+define(TALLOC_MIN_VERSION,2.0.1)
define(LDB_REQUIRED_VERSION,0.9.10)
define(TEVENT_REQUIRED_VERSION,0.9.8)
diff --git a/source4/smb_server/smb/negprot.c b/source4/smb_server/smb/negprot.c
index ab763e3..fe6cd68 100644
--- a/source4/smb_server/smb/negprot.c
+++ b/source4/smb_server/smb/negprot.c
@@ -33,7 +33,6 @@
static NTSTATUS get_challenge(struct smbsrv_connection *smb_conn, uint8_t
buff[8])
{
NTSTATUS nt_status;
- const uint8_t *challenge;
/* muliple negprots are not premitted */
if (smb_conn->negotiate.auth_context) {
@@ -53,14 +52,12 @@ static NTSTATUS get_challenge(struct smbsrv_connection
*smb_conn, uint8_t buff[8
return nt_status;
}
- nt_status = auth_get_challenge(smb_conn->negotiate.auth_context,
&challenge);
+ nt_status = auth_get_challenge(smb_conn->negotiate.auth_context, buff);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("auth_get_challenge() returned %s",
nt_errstr(nt_status)));
return nt_status;
}
- memcpy(buff, challenge, 8);
-
return NT_STATUS_OK;
}
--
Samba Shared Repository
