The branch, v4-4-stable has been updated via f67230d VERSION: Disable git snapshots for the 4.4.3 release. via d89905e WHATSNEW: Add date. via 0c53521 WHATSNEW: Udpate release notes. via b9cc3bd s3:selftest: add smbclient_ntlm tests via d96f774 selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP via 883660a selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes via 7548e8d s3:test_smbclient_auth.sh: this script reqiures 5 arguments via 771bcf9 selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc via 6d62364 auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing via c52eab4 auth/spnego: add spnego:simulate_w2k option for testing via eb085f3 auth/ntlmssp: do map to guest checking after the authentication via ab24cfa s3:smbd: only mark real guest sessions with the GUEST flag via 2a9cbef s3:smbd: make use SMB_SETUP_GUEST constant via 696b25f libcli/security: implement SECURITY_GUEST via 070ae1b s3:auth_builtin: anonymous authentication doesn't allow a password via 039dc0b s4:auth_anonymous: anonymous authentication doesn't allow a password via 622a603 auth/spnego: only try to verify the mechListMic if signing was negotiated. via bc2331b s3:libsmb: use anonymous authentication via spnego if possible via 702d846 s3:libsmb: don't finish the gensec handshake for guest logins via 779a339 s3:libsmb: record the session setup action flags via ad94c11 libcli/smb: add smbXcli_session_is_guest() helper function via 2bae4e9 libcli/smb: add SMB1 session setup action flags via e61d929 libcli/smb: add smb1cli_session_set_action() helper function via eff4ed6 libcli/smb: fix NULL pointer derreference in smbXcli_session_is_authenticated(). via ce9dc37 s3:libsmb: use password = NULL for anonymous connections via e72697d auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections via 0e06d40 auth/ntlmssp: don't require any flags in the ccache_resume code via f26e6c9 auth/spnego: handle broken mechListMIC response from Windows 2000 via 8a8a567 auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR' via 9aa4b3c s3:librpc:crypto:gse: increase debug level for gse_init_client(). via a9a5c60 lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache(). via fc3a36c s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff via 8f159c5 s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff via 794d0c2 Mask general purpose signals for notifyd. via 1a36149 WHATSNEW: Start release notes for Samba 4.4.3. via 06343ea configure: Don't check for inotify on illumos via 969ddf1 nwrap: Fix the build on Solaris via 13d563a smbd: Avoid large reads beyond EOF via a4c00ce Fix the smb2_setinfo to handle FS info types and FSQUOTA infolevel via 2184ae7 cleanupd: restart as needed via 85185e7 nss_wins: Fix the hostent setup via 23497a6 nss_wins: ip_pton expects the raw IP address via d4dd33b libads: record session expiry for spnego sasl binds via eb96e15 vfs_catia: Fix bug 11827, memleak via 6b66061 s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1. via a6a4532 smbcquotas: print "NO LIMIT" only if returned quota value is 0. via 811fbb2 vfs_acl_common: avoid setting POSIX ACLs if "ignore system acls" is set via 26f5b40 winbind: Fix CID 1357100 Unchecked return value via fb0c85b52 idmap_hash: only allow the hash module for default idmap config. via dab38c3 idmap_hash: rename be_init() --> idmap_hash_initialize() via 8bd67a1 s3:winbindd:idmap: check loadparm in domain_has_idmap_config() helper as well. via 87fcc70 s3:winbindd:idmap_hash: skip domains that already have their own idmap configuration. via 9d56304 s3:winbindd:idmap: add domain_has_idmap_config() helper function. via e8918a1 VERSION: Bump version up to 4.4.3... from 71de921 VERSION: Disable git snapshots for the 4.4.2 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 112 +++++++++++++++++++-- auth/gensec/spnego.c | 66 +++++++++++-- auth/ntlmssp/gensec_ntlmssp_server.c | 15 +-- auth/ntlmssp/ntlmssp_client.c | 15 +-- auth/ntlmssp/ntlmssp_server.c | 40 ++++++++ lib/krb5_wrap/krb5_samba.c | 4 +- lib/nss_wrapper/wscript | 2 +- libcli/security/security_token.c | 5 + libcli/security/security_token.h | 2 + libcli/security/session.c | 4 + libcli/security/session.h | 1 + libcli/smb/smbXcli_base.c | 35 +++++++ libcli/smb/smbXcli_base.h | 3 + libcli/smb/smb_constants.h | 6 ++ nsswitch/wins.c | 13 ++- selftest/target/Samba.pm | 13 +++ selftest/target/Samba4.pm | 23 ++++- source3/auth/auth_builtin.c | 47 +++++++-- source3/libads/sasl.c | 13 ++- source3/librpc/crypto/gse.c | 2 +- source3/libsmb/cliconnect.c | 92 ++++++++++++----- source3/libsmb/clilist.c | 2 +- source3/modules/vfs_acl_common.c | 147 +++++++++++++++++++--------- source3/modules/vfs_catia.c | 6 +- source3/script/tests/test_smbclient_auth.sh | 2 +- source3/script/tests/test_smbclient_ntlm.sh | 40 ++++++++ source3/selftest/tests.py | 4 +- source3/smbd/globals.h | 7 ++ source3/smbd/notifyd/notifyd.c | 4 + source3/smbd/reply.c | 10 ++ source3/smbd/server.c | 35 +++++-- source3/smbd/sesssetup.c | 12 +-- source3/smbd/smb2_sesssetup.c | 7 +- source3/smbd/smb2_setinfo.c | 18 ++++ source3/smbd/trans2.c | 143 +++++++++++++++++---------- source3/utils/smbcquotas.c | 2 +- source3/winbindd/idmap.c | 41 ++++++++ source3/winbindd/idmap_hash/idmap_hash.c | 32 ++++-- source3/winbindd/winbindd_proto.h | 1 + source3/wscript | 11 ++- source4/auth/gensec/gensec_tstream.c | 6 +- source4/auth/ntlm/auth_anonymous.c | 30 ++++++ source4/ntvfs/sysdep/wscript_configure | 13 ++- 44 files changed, 868 insertions(+), 220 deletions(-) create mode 100755 source3/script/tests/test_smbclient_ntlm.sh Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 8f6c55c..ba47aab 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=4 -SAMBA_VERSION_RELEASE=2 +SAMBA_VERSION_RELEASE=3 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index cea4492..ac373fd 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,101 @@ ============================= + Release Notes for Samba 4.4.3 + May 2, 2016 + ============================= + + +This is the latest stable release of Samba 4.4. + +This release fixes some regressions introduced by the last security fixes. +Please see bug https://bugzilla.samba.org/show_bug.cgi?id=11849 for a list of +bugs addressing these regressions and more information. + + +Changes since 4.4.2: +-------------------- + +o Michael Adam <ob...@samba.org> + * BUG 11786: idmap_hash: Only allow the hash module for default idmap config. + +o Jeremy Allison <j...@samba.org> + * BUG 11822: s3: libsmb: Fix error where short name length was read as 2 + bytes, should be 1. + +o Andrew Bartlett <abart...@samba.org> + * BUG 11789: Fix returning of ldb.MessageElement. + +o Ralph Boehme <s...@samba.org> + * BUG 11855: cleanupd: Restart as needed. + +o Günther Deschner <g...@samba.org> + * BUG 11786: s3:winbindd:idmap: check loadparm in domain_has_idmap_config() + helper as well. + * BUG 11789: libsmb/pysmb: Add pytalloc-util dependency to fix the build. + +o Volker Lendecke <v...@samba.org> + * BUG 11786: winbind: Fix CID 1357100: Unchecked return value. + * BUG 11816: nwrap: Fix the build on Solaris. + * BUG 11827: vfs_catia: Fix memleak. + * BUG 11878: smbd: Avoid large reads beyond EOF. + +o Stefan Metzmacher <me...@samba.org> + * BUG 11789: s3:wscript: pylibsmb depends on pycredentials. + * BUG 11841: Fix NT_STATUS_ACCESS_DENIED when accessing Windows public share. + * BUG 11847: Only validate MIC if "map to guest" is not being used. + * BUG 11849: auth/ntlmssp: Add ntlmssp_{client,server}:force_old_spnego + option for testing. + * BUG 11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN. + * BUG 11858: Allow anonymous smb connections. + * BUG 11870: Fix ads_sasl_spnego_gensec_bind(KRB5). + * BUG 11872: Fix 'wbinfo -u' and 'net ads search'. + +o Tom Mortensen <t...@lime-technology.com> + * BUG 11875: nss_wins: Fix the hostent setup. + +o Garming Sam <garm...@catalyst.net.nz> + * BUG 11789: build: Mark explicit dependencies on pytalloc-util. + +o Partha Sarathi <par...@exablox.com> + * BUG 11819: Fix the smb2_setinfo to handle FS info types and FSQUOTA + infolevel. + +o Jorge Schrauwen <sjo...@blackdot.be> + * BUG 11816: configure: Don't check for inotify on illumos. + +o Uri Simchoni <u...@samba.org> + * BUG 11806: vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls" + is set. + * BUG 11815: smbcquotas: print "NO LIMIT" only if returned quota value is 0. + * BUG 11852: libads: Record session expiry for spnego sasl binds. + +o Hemanth Thummala <hemanth.thumm...@nutanix.com> + * BUG 11840: Mask general purpose signals for notifyd. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================= Release Notes for Samba 4.4.2 April 12, 2016 ============================= @@ -16,8 +113,9 @@ o Stefan Metzmacher <me...@samba.org> * Bug 11804 - prerequisite backports for the security release on April 12th, 2016 -Release notes for the original 4.4.1 release follows: ------------------------------------------------------ + +----------------------------------------------------------------------- + ============================= Release Notes for Samba 4.4.1 @@ -544,12 +642,14 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- -Release Announcements -===================== + ============================= + Release Notes for Samba 4.4.0 + March 22, 2016 + ============================= + This is the first stable release of the Samba 4.4 release series. diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index 2922478..3962d72 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c @@ -59,6 +59,8 @@ struct spnego_state { bool needs_mic_check; bool done_mic_check; + bool simulate_w2k; + /* * The following is used to implement * the update token fragmentation @@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi spnego_state->out_max_length = gensec_max_update_size(gensec_security); spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED; + spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings, + "spnego", "simulate_w2k", false); + gensec_security->private_data = spnego_state; return NT_STATUS_OK; } @@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi spnego_state->out_max_length = gensec_max_update_size(gensec_security); spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED; + spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings, + "spnego", "simulate_w2k", false); + gensec_security->private_data = spnego_state; return NT_STATUS_OK; } @@ -661,7 +669,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec talloc_free(spnego_state->sub_sec_security); spnego_state->sub_sec_security = NULL; - DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status))); + DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status))); return nt_status; } @@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA spnego.negTokenInit.mechToken, &unwrapped_out); + if (spnego_state->simulate_w2k) { + /* + * Windows 2000 returns the unwrapped token + * also in the mech_list_mic field. + * + * In order to verify our client code, + * we need a way to have a server with this + * broken behaviour + */ + mech_list_mic = unwrapped_out; + } + nt_status = gensec_spnego_server_negTokenTarg(spnego_state, out_mem_ctx, nt_status, unwrapped_out, - null_data_blob, + mech_list_mic, out); spnego_free_data(&spnego); @@ -885,6 +905,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA case SPNEGO_SERVER_TARG: { NTSTATUS nt_status; + bool have_sign = true; bool new_spnego = false; if (!in.length) { @@ -947,18 +968,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA goto server_response; } + have_sign = gensec_have_feature(spnego_state->sub_sec_security, + GENSEC_FEATURE_SIGN); + if (spnego_state->simulate_w2k) { + have_sign = false; + } new_spnego = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_NEW_SPNEGO); if (spnego.negTokenTarg.mechListMIC.length > 0) { new_spnego = true; } - if (new_spnego) { + if (have_sign && new_spnego) { spnego_state->needs_mic_check = true; spnego_state->needs_mic_sign = true; } - if (spnego.negTokenTarg.mechListMIC.length > 0) { + if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) { nt_status = gensec_check_packet(spnego_state->sub_sec_security, spnego_state->mech_types.data, spnego_state->mech_types.length, @@ -1078,6 +1104,24 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } if (spnego.negTokenTarg.mechListMIC.length > 0) { + DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC; + const DATA_BLOB *r = &spnego.negTokenTarg.responseToken; + + /* + * Windows 2000 has a bug, it repeats the + * responseToken in the mechListMIC field. + */ + if (m->length == r->length) { + int cmp; + + cmp = memcmp(m->data, r->data, m->length); + if (cmp == 0) { + data_blob_free(m); + } + } + } + + if (spnego.negTokenTarg.mechListMIC.length > 0) { if (spnego_state->no_response_expected) { spnego_state->needs_mic_check = true; } @@ -1124,8 +1168,14 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA if (spnego_state->no_response_expected && !spnego_state->done_mic_check) { + bool have_sign = true; bool new_spnego = false; + have_sign = gensec_have_feature(spnego_state->sub_sec_security, + GENSEC_FEATURE_SIGN); + if (spnego_state->simulate_w2k) { + have_sign = false; + } new_spnego = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_NEW_SPNEGO); @@ -1152,16 +1202,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } if (spnego_state->mic_requested) { - bool sign; - - sign = gensec_have_feature(spnego_state->sub_sec_security, - GENSEC_FEATURE_SIGN); - if (sign) { + if (have_sign) { new_spnego = true; } } - if (new_spnego) { + if (have_sign && new_spnego) { spnego_state->needs_mic_check = true; spnego_state->needs_mic_sign = true; } diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c index ca19863..99cedd0 100644 --- a/auth/ntlmssp/gensec_ntlmssp_server.c +++ b/auth/ntlmssp/gensec_ntlmssp_server.c @@ -131,20 +131,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) ntlmssp_state->allow_lm_key = true; } - if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) { - /* - * map to guest is not secure anyway, so - * try to make it work and don't try to - * negotiate new_spnego and MIC checking - */ - ntlmssp_state->force_old_spnego = true; - } + ntlmssp_state->force_old_spnego = false; - if (role == ROLE_ACTIVE_DIRECTORY_DC) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) { /* - * map to guest is not supported on an AD DC. + * For testing Windows 2000 mode */ - ntlmssp_state->force_old_spnego = false; + ntlmssp_state->force_old_spnego = true; } ntlmssp_state->neg_flags = diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c index b419615..5edd5f4 100644 --- a/auth/ntlmssp/ntlmssp_client.c +++ b/auth/ntlmssp/ntlmssp_client.c @@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security, if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { gensec_security->want_features |= GENSEC_FEATURE_SIGN; - - ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; } if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { gensec_security->want_features |= GENSEC_FEATURE_SEAL; - - ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; - ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL; } - ntlmssp_state->neg_flags |= ntlmssp_state->required_flags; ntlmssp_state->conf_flags = ntlmssp_state->neg_flags; + ntlmssp_state->required_flags = 0; if (DEBUGLEVEL >= 10) { struct NEGOTIATE_MESSAGE *negotiate = talloc( @@ -789,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx); + ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings, + "ntlmssp_client", "force_old_spnego", false); + ntlmssp_state->expected_state = NTLMSSP_INITIAL; ntlmssp_state->neg_flags = @@ -848,8 +846,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) * Without this, Windows will not create the master key * that it thinks is only used for NTLMSSP signing and * sealing. (It is actually pulled out and used directly) + * + * We don't require this here as some servers (e.g. NetAPP) + * doesn't support this. */ - ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; } if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c index 17d5ade..ddee875 100644 --- a/auth/ntlmssp/ntlmssp_server.c +++ b/auth/ntlmssp/ntlmssp_server.c @@ -31,6 +31,9 @@ #include "auth/gensec/gensec.h" #include "auth/gensec/gensec_internal.h" #include "auth/common_auth.h" +#include "param/param.h" +#include "param/loadparm.h" +#include "libcli/security/session.h" /** * Determine correct target name flags for reply, given server role @@ -700,6 +703,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; struct auth4_context *auth_context = gensec_security->auth_context; NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; + struct auth_session_info *session_info = NULL; struct auth_usersupplied_info *user_info; user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info); @@ -736,6 +740,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec NT_STATUS_NOT_OK_RETURN(nt_status); + if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST + && auth_context->generate_session_info != NULL) + { + NTSTATUS tmp_status; + + /* + * We need to check if the auth is anonymous or mapped to guest + */ + tmp_status = auth_context->generate_session_info(auth_context, mem_ctx, + gensec_ntlmssp->server_returned_info, + gensec_ntlmssp->ntlmssp_state->user, + AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, + &session_info); + if (!NT_STATUS_IS_OK(tmp_status)) { + /* + * We don't care about failures, + * the worst result is that we try MIC checking + * for a map to guest authentication. + */ + TALLOC_FREE(session_info); + } + } + + if (session_info != NULL) { + if (security_session_user_level(session_info, NULL) < SECURITY_USER) { + /* + * Anonymous and GUEST are not secure anyway. + * avoid new_spnego and MIC checking. + */ + ntlmssp_state->new_spnego = false; + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN; + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL; + } + TALLOC_FREE(session_info); + } + talloc_steal(mem_ctx, user_session_key->data); talloc_steal(mem_ctx, lm_session_key->data); diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 13984e9..6cfd498 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -2397,12 +2397,12 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx) "Trying to read krb5 cache: %s\n", krb5_cc_default_name(ctx))); if (krb5_cc_default(ctx, &cc)) { - DEBUG(0,("kerberos_get_default_realm_from_ccache: " + DEBUG(5,("kerberos_get_default_realm_from_ccache: " "failed to read default cache\n")); goto out; } if (krb5_cc_get_principal(ctx, cc, &princ)) { - DEBUG(0,("kerberos_get_default_realm_from_ccache: " + DEBUG(5,("kerberos_get_default_realm_from_ccache: " "failed to get default principal\n")); goto out; } diff --git a/lib/nss_wrapper/wscript b/lib/nss_wrapper/wscript index 6c3d7f7..c727980 100644 --- a/lib/nss_wrapper/wscript +++ b/lib/nss_wrapper/wscript @@ -62,7 +62,7 @@ def configure(conf): define='HAVE_SOLARIS_GETPWUID_R', headers='unistd.h pwd.h') conf.CHECK_C_PROTOTYPE('getgrent_r', 'struct group *getgrent_r(struct group *src, char *buf, int buflen)', - define='SOLARIS_GETGRENT_R', headers='unistd.h grp.h') + define='HAVE_SOLARIS_GETGRENT_R', headers='unistd.h grp.h') conf.CHECK_C_PROTOTYPE('getgrnam_r', 'int getgrnam_r(const char *name, struct group *grp, char *buf, int buflen, struct group **pgrp)', define='HAVE_SOLARIS_GETGRNAM_R', headers='unistd.h grp.h') diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c index 6812d42..2e5a87b 100644 --- a/libcli/security/security_token.c +++ b/libcli/security/security_token.c @@ -130,6 +130,11 @@ bool security_token_has_sid_string(const struct security_token *token, const cha return ret; } +bool security_token_has_builtin_guests(const struct security_token *token) +{ + return security_token_has_sid(token, &global_sid_Builtin_Guests); +} + bool security_token_has_builtin_administrators(const struct security_token *token) { return security_token_has_sid(token, &global_sid_Builtin_Administrators); -- Samba Shared Repository