The branch, v3-6-stable has been updated via e0c2e3c WHATSNEW: Prepare release notes for Samba 3.6.15. via 07f930e winbind: Fix bug 9854 -- NULL pointer dereference via 6c5c055 BUG 9817: Fix 'map untrusted to domain' with NTLMv2. via 76d9020 bug 9830: fix panic in nt_printer_publish_ads via b633e71 s3:librpc: add support for PFC_FLAG_OBJECT_UUID when parsing packets (bug #9382) via 6f14d3b s3-smbd: Split make_serverinfo_from_username guest parameters into two parts from abe0fec WHATSNEW: Start release notes for Samba 3.6.15.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-stable - Log ----------------------------------------------------------------- commit e0c2e3cd1579d89b2e3f8d1bce2019e61104441e Author: Karolin Seeger <ksee...@samba.org> Date: Wed May 8 10:15:32 2013 +0200 WHATSNEW: Prepare release notes for Samba 3.6.15. Signed-off-by: Karolin Seeger <ksee...@samba.org> (cherry picked from commit 8a3db2e8ef12d259feaa2af5092ddda74c5b4def) commit 07f930e32cdc0d8a317d4b14285b2fb1f15f0c46 Author: Volker Lendecke <v...@samba.org> Date: Tue May 7 12:39:16 2013 +0200 winbind: Fix bug 9854 -- NULL pointer dereference Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> Autobuild-User(master): Michael Adam <ob...@samba.org> Autobuild-Date(master): Tue May 7 14:49:07 CEST 2013 on sn-devel-104 (cherry picked from commit 8c1283a89f746a108e8014b6fbc9a58a371950cf) (cherry picked from commit 0872d998cd2bcfa274283bd7dd1d70010ca33166) commit 6c5c055ab1a83c71adf26b2089e51715833b2c31 Author: Andreas Schneider <a...@samba.org> Date: Wed Apr 24 15:27:21 2013 +0200 BUG 9817: Fix 'map untrusted to domain' with NTLMv2. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Günther Deschner <g...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Wed Apr 24 17:14:48 CEST 2013 on sn-devel-104 (cherry picked from commit 62873916076d748f7c91868a6cd28d35e64d8dca) commit 76d90201a02511429bf0f658c1564ccc78f26e6d Author: David Disseldorp <dd...@samba.org> Date: Thu Apr 25 16:01:54 2013 +0200 bug 9830: fix panic in nt_printer_publish_ads Check for ads_find_machine_acct() errors, to ensure a NULL LDAPMessage pointer doesn't get passed to ldap_get_dn(). 
Signed-off-by: David Disseldorp <dd...@samba.org> (cherry picked from commit dd07b3c4973b169f07d227869dba8d0f4a76569a) commit b633e710743aff595a87782507429e68d94ce80e Author: Stefan Metzmacher <me...@samba.org> Date: Mon Nov 12 10:16:50 2012 +0100 s3:librpc: add support for PFC_FLAG_OBJECT_UUID when parsing packets (bug #9382) Now the logic matches the one in dcerpc_read_ncacn_packet_done(). Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Michael Adam <ob...@samba.org> Reviewed-by: David Disseldorp <dd...@suse.de> (cherry picked from commit 65860c540faba0ca3542ee2edc0a16fa76a2bcde) commit 6f14d3be50c0f45fa8f2afc2d42f229a05a6056d Author: Andrew Bartlett <abart...@samba.org> Date: Thu Apr 4 09:53:34 2013 +1100 s3-smbd: Split make_serverinfo_from_username guest parameters into two parts This handles differently the case where we are the guest (from security=share) and when we are forced to be a different user with force user. We want to maintain only the is_guest flag if were forced to become any other user, we need the rest of the token to change. Andrew Bartlett Fix bug #9746 - guest ok + force user + force group doesn't work. (cherry picked from commit 24d68d799553b0806e580a47aed70a4eaac09191) ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 20 +++++++++++++++++--- source3/auth/auth_util.c | 3 ++- source3/auth/auth_winbind.c | 10 ++++++++-- source3/auth/proto.h | 1 + source3/librpc/rpc/dcerpc_helpers.c | 4 ++++ source3/printing/nt_printing_ads.c | 10 ++++++++-- source3/smbd/service.c | 4 ++-- source3/winbindd/winbindd_cache.c | 6 +++--- 8 files changed, 45 insertions(+), 13 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 6b986c2..461ed76 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,6 +1,6 @@ ============================== Release Notes for Samba 3.6.15 - June 10, 2013 + May 08, 2013 ============================== 
@@ -8,12 +8,26 @@ This is is the latest stable release of Samba 3.6. Major enhancements in Samba 3.6.15 include: -o +o Fix crash bug in Winbind (bug #9854). + Changes since 3.6.14: --------------------- -o Jeremy Allison <j...@samba.org> +o Andrew Bartlett <abart...@samba.org> + * BUG 9746: Fix "guest ok", "force user" and "force group" for guest users. + + +o David Disseldorp <dd...@samba.org> + * BUG 9830: Fix panic in nt_printer_publish_ads. + + +o Volker Lendecke <v...@samba.org> + * BUG 9854: Fix crash bug in Winbind. + + +o Andreas Schneider <a...@samba.org> + * BUG 9817: Fix 'map untrusted to domain' with NTLMv2. ###################################################################### diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0e1f437..288f461 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -902,6 +902,7 @@ static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx, NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx, const char *username, + bool use_guest_token, bool is_guest, struct auth_serversupplied_info **presult) { @@ -925,7 +926,7 @@ NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx, result->nss_token = true; result->guest = is_guest; - if (is_guest) { + if (use_guest_token) { status = make_server_info_guest(mem_ctx, &result); } else { status = create_local_token(result); diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 2143353..57a8866 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c 
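Review bot: The two adjacent `bool` parameters `use_guest_token` and `is_guest` added to `make_serverinfo_from_username` are undocumented and easy to transpose, and the difference decides which token the session ends up with. From the second auth_util.c hunk, `is_guest` only sets `result->guest`, while `use_guest_token` selects `make_server_info_guest()` over `create_local_token()`. A comment above the function should say so, e.g. `/* use_guest_token: replace the result with the guest server info; is_guest: only mark the session as guest */`. The call sites in source3/smbd/service.c pass `guest, guest` and a bare `false`, so an inline `/* use_guest_token */` next to those arguments would help as well. The function body continues outside both hunks.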
@@ -62,9 +62,15 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, } /* Send off request */ - params.account_name = user_info->client.account_name; - params.domain_name = user_info->mapped.domain_name; + /* + * We need to send the domain name from the client to the DC. With + * NTLMv2 the domain name is part of the hashed second challenge, + * if we change the domain name, the DC will fail to verify the + * challenge cause we changed the domain name, this is like a + * man in the middle attack. + */ + params.domain_name = user_info->client.domain_name; params.workstation_name = user_info->workstation_name; params.flags = 0; diff --git a/source3/auth/proto.h b/source3/auth/proto.h index b23d827..3d1fa06 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -149,6 +149,7 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info, struct passwd *pwd); NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx, const char *username, + bool use_guest_token, bool is_guest, struct auth_serversupplied_info **presult); struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx, diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c index 7520d76..469e308 100644 --- a/source3/librpc/rpc/dcerpc_helpers.c +++ b/source3/librpc/rpc/dcerpc_helpers.c @@ -113,6 +113,10 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx, ndr->flags |= LIBNDR_FLAG_BIGENDIAN; } + if (CVAL(blob->data, DCERPC_PFC_OFFSET) & DCERPC_PFC_FLAG_OBJECT_UUID) { + ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT; + } + ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, r); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { diff --git a/source3/printing/nt_printing_ads.c b/source3/printing/nt_printing_ads.c index 5a0cd24..219124f 100644 --- a/source3/printing/nt_printing_ads.c +++ b/source3/printing/nt_printing_ads.c 
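Review bot: The new comment in `check_winbind_security` explains why the client's domain name must reach the DC, but not what becomes of `user_info->mapped.domain_name`, which this request no longer uses. `user_info->client.domain_name` is supplied by the client, so anyone auditing 'map untrusted to domain' needs to know where the mapped name is still applied; that is not visible in this hunk. I would add one sentence to the comment naming that place, and replace "cause" with "because". The function starts and ends outside the hunk.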
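Review bot: The added `CVAL(blob->data, DCERPC_PFC_OFFSET)` in `dcerpc_pull_ncacn_packet` reads a byte of the received packet before `ndr_pull_ncacn_packet()` has parsed anything, and no check of `blob->length` is visible in this hunk. If callers do not already guarantee a complete header, guard the read with something like `if (blob->length <= DCERPC_PFC_OFFSET) return NT_STATUS_BUFFER_TOO_SMALL;` before inspecting the flags. The same would apply to the byte-order test just above, which lies partly outside the hunk. If the guarantee does exist, a one-line comment naming it would be enough.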
@@ -192,17 +192,23 @@ static WERROR nt_printer_publish_ads(struct messaging_context *msg_ctx, DEBUG(5, ("publishing printer %s\n", printer)); /* figure out where to publish */ - ads_find_machine_acct(ads, &res, global_myname()); + ads_rc = ads_find_machine_acct(ads, &res, global_myname()); + if (!ADS_ERR_OK(ads_rc)) { + DEBUG(0, ("failed to find machine account for %s\n", + global_myname())); + TALLOC_FREE(ctx); + return WERR_NOT_FOUND; + } /* We use ldap_get_dn here as we need the answer * in utf8 to call ldap_explode_dn(). JRA. */ srv_dn_utf8 = ldap_get_dn((LDAP *)ads->ldap.ld, (LDAPMessage *)res); + ads_msgfree(ads, res); if (!srv_dn_utf8) { TALLOC_FREE(ctx); return WERR_SERVER_UNAVAILABLE; } - ads_msgfree(ads, res); srv_cn_utf8 = ldap_explode_dn(srv_dn_utf8, 1); if (!srv_cn_utf8) { TALLOC_FREE(ctx); diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 6c8c8d3..a22b0df 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -656,7 +656,7 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc return NT_STATUS_WRONG_PASSWORD; } - return make_serverinfo_from_username(mem_ctx, user, guest, + return make_serverinfo_from_username(mem_ctx, user, guest, guest, presult); } @@ -690,7 +690,7 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum) } status = make_serverinfo_from_username( - conn, fuser, conn->session_info->guest, + conn, fuser, false, conn->session_info->guest, &forced_serverinfo); if (!NT_STATUS_IS_OK(status)) { return status; diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index 033ea77..0a65953 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c 
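Review bot: After the new `ADS_ERR_OK(ads_rc)` check in `nt_printer_publish_ads`, `res` is still handed to `ldap_get_dn()` without confirming that the search returned an entry. Whether `ads_find_machine_acct()` can report success with an empty result is not visible here; if it can, a check such as `if (ads_count_replies(ads, res) != 1) { ads_msgfree(ads, res); TALLOC_FREE(ctx); return WERR_NOT_FOUND; }` before `ldap_get_dn()` would make the intent explicit. The `DEBUG(0, ...)` message would also be more useful for diagnosis if it included the status text, e.g. `ads_errstr(ads_rc)`. The function continues outside the hunk.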
@@ -946,7 +946,7 @@ static void wcache_save_name_to_sid(struct winbindd_domain *domain, if (!centry) return; - if (domain_name[0] == '\0') { + if ((domain_name == NULL) || (domain_name[0] == '\0')) { struct winbindd_domain *mydomain = find_domain_from_sid_noinit(sid); if (mydomain != NULL) { @@ -974,7 +974,7 @@ static void wcache_save_sid_to_name(struct winbindd_domain *domain, NTSTATUS sta if (!centry) return; - if (domain_name[0] == '\0') { + if ((domain_name == NULL) || (domain_name[0] == '\0')) { struct winbindd_domain *mydomain = find_domain_from_sid_noinit(sid); if (mydomain != NULL) { @@ -1798,7 +1798,7 @@ NTSTATUS wcache_name_to_sid(struct winbindd_domain *domain, return NT_STATUS_NO_MEMORY; } - if (domain_name[0] == '\0') { + if ((domain_name == NULL) || (domain_name[0] == '\0')) { domain_name = domain->name; } -- Samba Shared Repository
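Review bot: In the first two hunks (`wcache_save_name_to_sid` and `wcache_save_sid_to_name`) `domain_name` is left NULL when `find_domain_from_sid_noinit(sid)` returns NULL, so whatever uses it after the block, outside the hunk, can still see a NULL pointer. The third hunk (`wcache_name_to_sid`) always falls back to `domain->name`; the first two could do the same with `} else { domain_name = domain->name; }`, provided that is an acceptable name to cache. The repeated `(domain_name == NULL) || (domain_name[0] == '\0')` test would also be easier to keep consistent as a small static helper with a comment saying which caller can pass NULL.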