The branch, v4-4-stable has been updated
via f67230d VERSION: Disable git snapshots for the 4.4.3 release.
via d89905e WHATSNEW: Add date.
via 0c53521 WHATSNEW: Udpate release notes.
via b9cc3bd s3:selftest: add smbclient_ntlm tests
via d96f774 selftest:Samba4: let fl2000dc use Windows2000 style
SPNEGO/NTLMSSP
via 883660a selftest:Samba4: let fl2000dc use Windows2000
supported_enctypes
via 7548e8d s3:test_smbclient_auth.sh: this script reqiures 5 arguments
via 771bcf9 selftest:Samba4: provide DC_* variables for fl2000dc and
fl2008r2dc
via 6d62364 auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego
option for testing
via c52eab4 auth/spnego: add spnego:simulate_w2k option for testing
via eb085f3 auth/ntlmssp: do map to guest checking after the
authentication
via ab24cfa s3:smbd: only mark real guest sessions with the GUEST flag
via 2a9cbef s3:smbd: make use SMB_SETUP_GUEST constant
via 696b25f libcli/security: implement SECURITY_GUEST
via 070ae1b s3:auth_builtin: anonymous authentication doesn't allow a
password
via 039dc0b s4:auth_anonymous: anonymous authentication doesn't allow a
password
via 622a603 auth/spnego: only try to verify the mechListMic if signing
was negotiated.
via bc2331b s3:libsmb: use anonymous authentication via spnego if
possible
via 702d846 s3:libsmb: don't finish the gensec handshake for guest
logins
via 779a339 s3:libsmb: record the session setup action flags
via ad94c11 libcli/smb: add smbXcli_session_is_guest() helper function
via 2bae4e9 libcli/smb: add SMB1 session setup action flags
via e61d929 libcli/smb: add smb1cli_session_set_action() helper function
via eff4ed6 libcli/smb: fix NULL pointer derreference in
smbXcli_session_is_authenticated().
via ce9dc37 s3:libsmb: use password = NULL for anonymous connections
via e72697d auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
via 0e06d40 auth/ntlmssp: don't require any flags in the ccache_resume
code
via f26e6c9 auth/spnego: handle broken mechListMIC response from
Windows 2000
via 8a8a567 auth/spnego: change log level for 'Failed to setup SPNEGO
negTokenInit request: NT_STATUS_INTERNAL_ERROR'
via 9aa4b3c s3:librpc:crypto:gse: increase debug level for
gse_init_client().
via a9a5c60 lib:krb5_wrap:krb5_samba: increase debug level for
smb_krb5_get_default_realm_from_ccache().
via fc3a36c s3:libads/sasl: allow wrapped messages up to a size of
0xfffffff
via 8f159c5 s4:gensec_tstream: allow wrapped messages up to a size of
0xfffffff
via 794d0c2 Mask general purpose signals for notifyd.
via 1a36149 WHATSNEW: Start release notes for Samba 4.4.3.
via 06343ea configure: Don't check for inotify on illumos
via 969ddf1 nwrap: Fix the build on Solaris
via 13d563a smbd: Avoid large reads beyond EOF
via a4c00ce Fix the smb2_setinfo to handle FS info types and FSQUOTA
infolevel
via 2184ae7 cleanupd: restart as needed
via 85185e7 nss_wins: Fix the hostent setup
via 23497a6 nss_wins: ip_pton expects the raw IP address
via d4dd33b libads: record session expiry for spnego sasl binds
via eb96e15 vfs_catia: Fix bug 11827, memleak
via 6b66061 s3: libsmb: Fix error where short name length was read as 2
bytes, should be 1.
via a6a4532 smbcquotas: print "NO LIMIT" only if returned quota value
is 0.
via 811fbb2 vfs_acl_common: avoid setting POSIX ACLs if "ignore system
acls" is set
via 26f5b40 winbind: Fix CID 1357100 Unchecked return value
via fb0c85b52 idmap_hash: only allow the hash module for default idmap
config.
via dab38c3 idmap_hash: rename be_init() --> idmap_hash_initialize()
via 8bd67a1 s3:winbindd:idmap: check loadparm in
domain_has_idmap_config() helper as well.
via 87fcc70 s3:winbindd:idmap_hash: skip domains that already have
their own idmap configuration.
via 9d56304 s3:winbindd:idmap: add domain_has_idmap_config() helper
function.
via e8918a1 VERSION: Bump version up to 4.4.3...
from 71de921 VERSION: Disable git snapshots for the 4.4.2 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 112 +++++++++++++++++++--
auth/gensec/spnego.c | 66 +++++++++++--
auth/ntlmssp/gensec_ntlmssp_server.c | 15 +--
auth/ntlmssp/ntlmssp_client.c | 15 +--
auth/ntlmssp/ntlmssp_server.c | 40 ++++++++
lib/krb5_wrap/krb5_samba.c | 4 +-
lib/nss_wrapper/wscript | 2 +-
libcli/security/security_token.c | 5 +
libcli/security/security_token.h | 2 +
libcli/security/session.c | 4 +
libcli/security/session.h | 1 +
libcli/smb/smbXcli_base.c | 35 +++++++
libcli/smb/smbXcli_base.h | 3 +
libcli/smb/smb_constants.h | 6 ++
nsswitch/wins.c | 13 ++-
selftest/target/Samba.pm | 13 +++
selftest/target/Samba4.pm | 23 ++++-
source3/auth/auth_builtin.c | 47 +++++++--
source3/libads/sasl.c | 13 ++-
source3/librpc/crypto/gse.c | 2 +-
source3/libsmb/cliconnect.c | 92 ++++++++++++-----
source3/libsmb/clilist.c | 2 +-
source3/modules/vfs_acl_common.c | 147 +++++++++++++++++++---------
source3/modules/vfs_catia.c | 6 +-
source3/script/tests/test_smbclient_auth.sh | 2 +-
source3/script/tests/test_smbclient_ntlm.sh | 40 ++++++++
source3/selftest/tests.py | 4 +-
source3/smbd/globals.h | 7 ++
source3/smbd/notifyd/notifyd.c | 4 +
source3/smbd/reply.c | 10 ++
source3/smbd/server.c | 35 +++++--
source3/smbd/sesssetup.c | 12 +--
source3/smbd/smb2_sesssetup.c | 7 +-
source3/smbd/smb2_setinfo.c | 18 ++++
source3/smbd/trans2.c | 143 +++++++++++++++++----------
source3/utils/smbcquotas.c | 2 +-
source3/winbindd/idmap.c | 41 ++++++++
source3/winbindd/idmap_hash/idmap_hash.c | 32 ++++--
source3/winbindd/winbindd_proto.h | 1 +
source3/wscript | 11 ++-
source4/auth/gensec/gensec_tstream.c | 6 +-
source4/auth/ntlm/auth_anonymous.c | 30 ++++++
source4/ntvfs/sysdep/wscript_configure | 13 ++-
44 files changed, 868 insertions(+), 220 deletions(-)
create mode 100755 source3/script/tests/test_smbclient_ntlm.sh
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 8f6c55c..ba47aab 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index cea4492..ac373fd 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,101 @@
=============================
+ Release Notes for Samba 4.4.3
+ May 2, 2016
+ =============================
+
+
+This is the latest stable release of Samba 4.4.
+
+This release fixes some regressions introduced by the last security fixes.
+Please see bug https://bugzilla.samba.org/show_bug.cgi?id=11849 for a list of
+bugs addressing these regressions and more information.
+
+
+Changes since 4.4.2:
+--------------------
+
+o Michael Adam <ob...@samba.org>
+ * BUG 11786: idmap_hash: Only allow the hash module for default idmap
config.
+
+o Jeremy Allison <j...@samba.org>
+ * BUG 11822: s3: libsmb: Fix error where short name length was read as 2
+ bytes, should be 1.
+
+o Andrew Bartlett <abart...@samba.org>
+ * BUG 11789: Fix returning of ldb.MessageElement.
+
+o Ralph Boehme <s...@samba.org>
+ * BUG 11855: cleanupd: Restart as needed.
+
+o Günther Deschner <g...@samba.org>
+ * BUG 11786: s3:winbindd:idmap: check loadparm in domain_has_idmap_config()
+ helper as well.
+ * BUG 11789: libsmb/pysmb: Add pytalloc-util dependency to fix the build.
+
+o Volker Lendecke <v...@samba.org>
+ * BUG 11786: winbind: Fix CID 1357100: Unchecked return value.
+ * BUG 11816: nwrap: Fix the build on Solaris.
+ * BUG 11827: vfs_catia: Fix memleak.
+ * BUG 11878: smbd: Avoid large reads beyond EOF.
+
+o Stefan Metzmacher <me...@samba.org>
+ * BUG 11789: s3:wscript: pylibsmb depends on pycredentials.
+ * BUG 11841: Fix NT_STATUS_ACCESS_DENIED when accessing Windows public
share.
+ * BUG 11847: Only validate MIC if "map to guest" is not being used.
+ * BUG 11849: auth/ntlmssp: Add ntlmssp_{client,server}:force_old_spnego
+ option for testing.
+ * BUG 11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN.
+ * BUG 11858: Allow anonymous smb connections.
+ * BUG 11870: Fix ads_sasl_spnego_gensec_bind(KRB5).
+ * BUG 11872: Fix 'wbinfo -u' and 'net ads search'.
+
+o Tom Mortensen <t...@lime-technology.com>
+ * BUG 11875: nss_wins: Fix the hostent setup.
+
+o Garming Sam <garm...@catalyst.net.nz>
+ * BUG 11789: build: Mark explicit dependencies on pytalloc-util.
+
+o Partha Sarathi <par...@exablox.com>
+ * BUG 11819: Fix the smb2_setinfo to handle FS info types and FSQUOTA
+ infolevel.
+
+o Jorge Schrauwen <sjo...@blackdot.be>
+ * BUG 11816: configure: Don't check for inotify on illumos.
+
+o Uri Simchoni <u...@samba.org>
+ * BUG 11806: vfs_acl_common: Avoid setting POSIX ACLs if "ignore system
acls"
+ is set.
+ * BUG 11815: smbcquotas: print "NO LIMIT" only if returned quota value is 0.
+ * BUG 11852: libads: Record session expiry for spnego sasl binds.
+
+o Hemanth Thummala <hemanth.thumm...@nutanix.com>
+ * BUG 11840: Mask general purpose signals for notifyd.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.4.2
April 12, 2016
=============================
@@ -16,8 +113,9 @@ o Stefan Metzmacher <me...@samba.org>
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016
-Release notes for the original 4.4.1 release follows:
------------------------------------------------------
+
+-----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.4.1
@@ -544,12 +642,14 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
-Release Announcements
-=====================
+ =============================
+ Release Notes for Samba 4.4.0
+ March 22, 2016
+ =============================
+
This is the first stable release of the Samba 4.4 release series.
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 2922478..3962d72 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -59,6 +59,8 @@ struct spnego_state {
bool needs_mic_check;
bool done_mic_check;
+ bool simulate_w2k;
+
/*
* The following is used to implement
* the update token fragmentation
@@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct
gensec_security *gensec_securi
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->simulate_w2k =
gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k",
false);
+
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
@@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct
gensec_security *gensec_securi
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->simulate_w2k =
gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k",
false);
+
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
@@ -661,7 +669,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct
gensec_security *gensec
talloc_free(spnego_state->sub_sec_security);
spnego_state->sub_sec_security = NULL;
- DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n",
nt_errstr(nt_status)));
+ DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n",
nt_errstr(nt_status)));
return nt_status;
}
@@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
spnego.negTokenInit.mechToken,
&unwrapped_out);
+ if (spnego_state->simulate_w2k) {
+ /*
+ * Windows 2000 returns the unwrapped token
+ * also in the mech_list_mic field.
+ *
+ * In order to verify our client code,
+ * we need a way to have a server with this
+ * broken behaviour
+ */
+ mech_list_mic = unwrapped_out;
+ }
+
nt_status =
gensec_spnego_server_negTokenTarg(spnego_state,
out_mem_ctx,
nt_status,
unwrapped_out,
-
null_data_blob,
+
mech_list_mic,
out);
spnego_free_data(&spnego);
@@ -885,6 +905,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security
*gensec_security, TA
case SPNEGO_SERVER_TARG:
{
NTSTATUS nt_status;
+ bool have_sign = true;
bool new_spnego = false;
if (!in.length) {
@@ -947,18 +968,23 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
goto server_response;
}
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
if (spnego.negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
nt_status =
gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
@@ -1078,6 +1104,24 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
}
if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC;
+ const DATA_BLOB *r = &spnego.negTokenTarg.responseToken;
+
+ /*
+ * Windows 2000 has a bug, it repeats the
+ * responseToken in the mechListMIC field.
+ */
+ if (m->length == r->length) {
+ int cmp;
+
+ cmp = memcmp(m->data, r->data, m->length);
+ if (cmp == 0) {
+ data_blob_free(m);
+ }
+ }
+ }
+
+ if (spnego.negTokenTarg.mechListMIC.length > 0) {
if (spnego_state->no_response_expected) {
spnego_state->needs_mic_check = true;
}
@@ -1124,8 +1168,14 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
if (spnego_state->no_response_expected &&
!spnego_state->done_mic_check)
{
+ bool have_sign = true;
bool new_spnego = false;
+ have_sign =
gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
new_spnego =
gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
@@ -1152,16 +1202,12 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
}
if (spnego_state->mic_requested) {
- bool sign;
-
- sign =
gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_SIGN);
- if (sign) {
+ if (have_sign) {
new_spnego = true;
}
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c
b/auth/ntlmssp/gensec_ntlmssp_server.c
index ca19863..99cedd0 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -131,20 +131,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct
gensec_security *gensec_security)
ntlmssp_state->allow_lm_key = true;
}
- if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) !=
NEVER_MAP_TO_GUEST) {
- /*
- * map to guest is not secure anyway, so
- * try to make it work and don't try to
- * negotiate new_spnego and MIC checking
- */
- ntlmssp_state->force_old_spnego = true;
- }
+ ntlmssp_state->force_old_spnego = false;
- if (role == ROLE_ACTIVE_DIRECTORY_DC) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server",
"force_old_spnego", false)) {
/*
- * map to guest is not supported on an AD DC.
+ * For testing Windows 2000 mode
*/
- ntlmssp_state->force_old_spnego = false;
+ ntlmssp_state->force_old_spnego = true;
}
ntlmssp_state->neg_flags =
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b419615..5edd5f4 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct
gensec_security *gensec_security,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
gensec_security->want_features |= GENSEC_FEATURE_SIGN;
-
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
gensec_security->want_features |= GENSEC_FEATURE_SEAL;
-
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
- ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
+ ntlmssp_state->required_flags = 0;
if (DEBUGLEVEL >= 10) {
struct NEGOTIATE_MESSAGE *negotiate = talloc(
@@ -789,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security
*gensec_security)
ntlmssp_state->use_ntlmv2 =
lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
+ ntlmssp_state->force_old_spnego =
gensec_setting_bool(gensec_security->settings,
+ "ntlmssp_client",
"force_old_spnego", false);
+
ntlmssp_state->expected_state = NTLMSSP_INITIAL;
ntlmssp_state->neg_flags =
@@ -848,8 +846,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct
gensec_security *gensec_security)
* Without this, Windows will not create the master key
* that it thinks is only used for NTLMSSP signing and
* sealing. (It is actually pulled out and used directly)
+ *
+ * We don't require this here as some servers (e.g. NetAPP)
+ * doesn't support this.
*/
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 17d5ade..ddee875 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -31,6 +31,9 @@
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"
#include "auth/common_auth.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+#include "libcli/security/session.h"
/**
* Determine correct target name flags for reply, given server role
@@ -700,6 +703,7 @@ static NTSTATUS ntlmssp_server_check_password(struct
gensec_security *gensec_sec
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
struct auth4_context *auth_context = gensec_security->auth_context;
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+ struct auth_session_info *session_info = NULL;
struct auth_usersupplied_info *user_info;
user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
@@ -736,6 +740,42 @@ static NTSTATUS ntlmssp_server_check_password(struct
gensec_security *gensec_sec
NT_STATUS_NOT_OK_RETURN(nt_status);
+ if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) !=
NEVER_MAP_TO_GUEST
+ && auth_context->generate_session_info != NULL)
+ {
+ NTSTATUS tmp_status;
+
+ /*
+ * We need to check if the auth is anonymous or mapped to guest
+ */
+ tmp_status = auth_context->generate_session_info(auth_context,
mem_ctx,
+
gensec_ntlmssp->server_returned_info,
+
gensec_ntlmssp->ntlmssp_state->user,
+
AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
+ &session_info);
+ if (!NT_STATUS_IS_OK(tmp_status)) {
+ /*
+ * We don't care about failures,
+ * the worst result is that we try MIC checking
+ * for a map to guest authentication.
+ */
+ TALLOC_FREE(session_info);
+ }
+ }
+
+ if (session_info != NULL) {
+ if (security_session_user_level(session_info, NULL) <
SECURITY_USER) {
+ /*
+ * Anonymous and GUEST are not secure anyway.
+ * avoid new_spnego and MIC checking.
+ */
+ ntlmssp_state->new_spnego = false;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+ }
+ TALLOC_FREE(session_info);
+ }
+
talloc_steal(mem_ctx, user_session_key->data);
talloc_steal(mem_ctx, lm_session_key->data);
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 13984e9..6cfd498 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2397,12 +2397,12 @@ static char
*smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
"Trying to read krb5 cache: %s\n",
krb5_cc_default_name(ctx)));
if (krb5_cc_default(ctx, &cc)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+ DEBUG(5,("kerberos_get_default_realm_from_ccache: "
"failed to read default cache\n"));
goto out;
}
if (krb5_cc_get_principal(ctx, cc, &princ)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+ DEBUG(5,("kerberos_get_default_realm_from_ccache: "
"failed to get default principal\n"));
goto out;
}
diff --git a/lib/nss_wrapper/wscript b/lib/nss_wrapper/wscript
index 6c3d7f7..c727980 100644
--- a/lib/nss_wrapper/wscript
+++ b/lib/nss_wrapper/wscript
@@ -62,7 +62,7 @@ def configure(conf):
define='HAVE_SOLARIS_GETPWUID_R',
headers='unistd.h pwd.h')
conf.CHECK_C_PROTOTYPE('getgrent_r',
'struct group *getgrent_r(struct group *src,
char *buf, int buflen)',
- define='SOLARIS_GETGRENT_R', headers='unistd.h
grp.h')
+ define='HAVE_SOLARIS_GETGRENT_R',
headers='unistd.h grp.h')
conf.CHECK_C_PROTOTYPE('getgrnam_r',
'int getgrnam_r(const char *name, struct group
*grp, char *buf, int buflen, struct group **pgrp)',
define='HAVE_SOLARIS_GETGRNAM_R',
headers='unistd.h grp.h')
diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c
index 6812d42..2e5a87b 100644
--- a/libcli/security/security_token.c
+++ b/libcli/security/security_token.c
@@ -130,6 +130,11 @@ bool security_token_has_sid_string(const struct
security_token *token, const cha
return ret;
}
+bool security_token_has_builtin_guests(const struct security_token *token)
+{
+ return security_token_has_sid(token, &global_sid_Builtin_Guests);
+}
+
bool security_token_has_builtin_administrators(const struct security_token
*token)
{
return security_token_has_sid(token,
&global_sid_Builtin_Administrators);
--
Samba Shared Repository
