The branch, master has been updated
       via  f7d249d s3:libsmb: Always use GENSEC_OID_SPNEGO in cli_smb1_setup_encryption_send()
       via  f595031 s3:libsmb: pass cli_credentials to cli_check_msdfs_proxy()
       via  c19232b s3:client: use cli_cm_force_encryption_creds in smbspool.c (in a #if 0 section)
       via  0c52239 s3:libsmb: make use of cli_cm_force_encryption_creds() where we already have creds
       via  ff23ee7 s3:libsmb: split out cli_cm_force_encryption_creds()
       via  b4340ea s3:libsmb: make use of cli_tree_connect_creds() in SMBC_server_internal()
       via  5fd8db9 s3:libsmb: make use of cli_tree_connect_creds() in clidfs.c:do_connect()
       via  1221236 s3:libsmb: remove now unused cli_session_setup()
       via  151e37b s3:libsmb: avoid using cli_session_setup() in SMBC_server_internal()
       via  c478f68 s3:libsmb: make use of get_cmdline_auth_info_creds() in clidfs.c:do_connect()
       via  9e79433 s3:libsmb: remove unused cli_*_encryption* functions
       via  b9ff137 s3:libsmb: make use of cli_smb1_setup_encryption() in cli_cm_force_encryption()
       via  19bbd37 s3:client: make use of cli_smb1_setup_encryption() in cmd_posix_encrypt()
       via  791847f s3:torture: make use of cli_smb1_setup_encryption() in force_cli_encryption()
       via  b9b0815 s3:libsmb: add cli_smb1_setup_encryption*() functions
       via  9b39377 s3:printing: remove double PRINT_SPOOL_PREFIX define
       via  1aa765d testprogs: Use better KRB5CCNAME in test_password_settings.sh
      from  1a59014 docs-xml: Remove duplicate listing of configfile option in man pages

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f7d249da4e79bb4f35b9b57b21f0f5e66380402d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 8 12:25:22 2016 +0100

    s3:libsmb: Always use GENSEC_OID_SPNEGO in cli_smb1_setup_encryption_send()

    Also old servers should be able to handle NTLMSSP via SPNEGO.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Wed Dec 21 22:21:08 CET 2016 on sn-devel-144

commit f595031cb8203d4184b81976c22644e86a30cabe
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 4 12:25:34 2016 +0100

    s3:libsmb: pass cli_credentials to cli_check_msdfs_proxy()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit c19232b4bcfe80e7501c5600bbbec2b27832c1ce
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 4 12:37:08 2016 +0100

    s3:client: use cli_cm_force_encryption_creds in smbspool.c (in a #if 0 section)

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 0c522398684ae34d4306285cb6b30ecc5b5a0e98
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 3 17:27:49 2016 +0100

    s3:libsmb: make use of cli_cm_force_encryption_creds() where we already have creds

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ff23ee7ef209b74856426df6bf4e36d9a7ed8f94
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 3 17:26:41 2016 +0100

    s3:libsmb: split out cli_cm_force_encryption_creds()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit b4340ea7743cdfff91a08eb4fe656ddbe0794cc7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Dec 12 06:00:32 2016 +0100

    s3:libsmb: make use of cli_tree_connect_creds() in SMBC_server_internal()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 5fd8db91efe24e0da8321197b8b568fed9ea4d78
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Dec 9 09:06:38 2016 +0100

    s3:libsmb: make use of cli_tree_connect_creds() in clidfs.c:do_connect()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 12212363bf756c6ba33804f859d67395e4cf71d3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sun Oct 30 16:46:54 2016 +0100

    s3:libsmb: remove now unused cli_session_setup()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 151e37b548bdba582bcbe7a216cd9b420d29b7b6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sun Oct 30 16:42:45 2016 +0100

    s3:libsmb: avoid using cli_session_setup() in SMBC_server_internal()

    Using cli_session_creds_init() will allow it to be passed to
    other sub functions later.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit c478f688c29f0b9ff114cf2554c1c6cb273c98e4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sun Oct 30 16:45:39 2016 +0100

    s3:libsmb: make use of get_cmdline_auth_info_creds() in clidfs.c:do_connect()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 9e794330d0399777cb6cc4c9b036ba1b4f7ea470
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 3 14:50:28 2016 +0100

    s3:libsmb: remove unused cli_*_encryption* functions

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit b9ff137e03ef4ba2cc42e886d6133c5ad61b7ea6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 3 14:50:28 2016 +0100

    s3:libsmb: make use of cli_smb1_setup_encryption() in cli_cm_force_encryption()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 19bbd37b8df6315efc09b8e4007f4c4ddc155244
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 3 14:50:28 2016 +0100

    s3:client: make use of cli_smb1_setup_encryption() in cmd_posix_encrypt()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 791847f90ce0c0fc42c75ec6283906a0c5f5b926
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 3 14:50:28 2016 +0100

    s3:torture: make use of cli_smb1_setup_encryption() in force_cli_encryption()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit b9b0815d0f566923fe7442c35e2f321e442bb6bb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Oct 31 23:02:27 2016 +0100

    s3:libsmb: add cli_smb1_setup_encryption*() functions

    This will allow us to setup SMB1 encryption by just passing
    cli_credentials.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 9b3937704d2b3a03590758bec7bdbe838d4e83be
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Dec 19 23:04:17 2016 +0100

    s3:printing: remove double PRINT_SPOOL_PREFIX define

    We already have this in source3/include/printing.h which is
    also included in source3/printing/printspoolss.c

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 1aa765d344e148826c75d65c502ee45bc9e8f42c
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Sep 20 09:46:34 2016 +0200

    testprogs: Use better KRB5CCNAME in test_password_settings.sh

Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/client/client.c | 46 ++- source3/client/smbspool.c | 6 +- source3/libsmb/cliconnect.c | 452 ++++++++++++++++++++++++--- source3/libsmb/clidfs.c | 96 +++--- source3/libsmb/clifsinfo.c | 245 --------------- source3/libsmb/libsmb_server.c | 47 ++- source3/libsmb/proto.h | 22 +- source3/printing/printspoolss.c | 3 - source3/torture/torture.c | 10 +- testprogs/blackbox/test_password_settings.sh | 8 + 10 files changed, 556 insertions(+), 379 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/client/client.c b/source3/client/client.c index cde9776..226eb27 100644 --- a/source3/client/client.c +++ b/source3/client/client.c 
@@ -2535,35 +2535,53 @@ static int cmd_posix_encrypt(void) { TALLOC_CTX *ctx = talloc_tos(); NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + char *domain = NULL; + char *user = NULL; + char *password = NULL; + struct cli_credentials *creds = NULL; + struct cli_credentials *lcreds = NULL; - if (cli->use_kerberos) { - status = cli_gss_smb_encryption_start(cli); - } else { - char *domain = NULL; - char *user = NULL; - char *password = NULL; + if (next_token_talloc(ctx, &cmd_ptr, &domain, NULL)) { - if (!next_token_talloc(ctx, &cmd_ptr,&domain,NULL)) { + if (!next_token_talloc(ctx, &cmd_ptr, &user, NULL)) { d_printf("posix_encrypt domain user password\n"); return 1; } - if (!next_token_talloc(ctx, &cmd_ptr,&user,NULL)) { + if (!next_token_talloc(ctx, &cmd_ptr, &password, NULL)) { d_printf("posix_encrypt domain user password\n"); return 1; } - if (!next_token_talloc(ctx, &cmd_ptr,&password,NULL)) { + lcreds = cli_session_creds_init(ctx, + user, + domain, + NULL, /* realm */ + password, + false, /* use_kerberos */ + false, /* fallback_after_kerberos */ + false, /* use_ccache */ + false); /* password_is_nt_hash */ + if (lcreds == NULL) { + d_printf("cli_session_creds_init() failed.\n"); + return -1; + } + creds = lcreds; + } else { + bool auth_requested = false; + + creds = get_cmdline_auth_info_creds(auth_info); + + auth_requested = cli_credentials_authentication_requested(creds); + if (!auth_requested) { d_printf("posix_encrypt domain user password\n"); return 1; } - - status = cli_raw_ntlm_smb_encryption_start(cli, - user, - password, - domain); } + status = cli_smb1_setup_encryption(cli, creds); + /* gensec currently references the creds so we can't free them here */ + talloc_unlink(ctx, lcreds); if (!NT_STATUS_IS_OK(status)) { d_printf("posix_encrypt failed with error %s\n", nt_errstr(status)); } else { diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c index a447836..10e89c7 100644 --- a/source3/client/smbspool.c +++ b/source3/client/smbspool.c 
@@ -474,11 +474,7 @@ smb_complete_connection(const char *myname, #if 0 /* Need to work out how to specify this on the URL. */ if (smb_encrypt) { - if (!cli_cm_force_encryption(cli, - username, - password, - workgroup, - share)) { + if (!cli_cm_force_encryption_creds(cli, creds, share)) { fprintf(stderr, "ERROR: encryption setup failed\n"); cli_shutdown(cli); return NULL; diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 02c465c..55768bf 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -37,6 +37,7 @@ #include "libsmb/nmblib.h" #include "librpc/ndr/libndr.h" #include "../libcli/smb/smbXcli_base.h" +#include "../libcli/smb/smb_seal.h" #include "lib/param/param.h" #define STAR_SMBSERVER "*SMBSERVER" @@ -1774,43 +1775,6 @@ NTSTATUS cli_session_setup_anon(struct cli_state *cli) return NT_STATUS_OK; } -NTSTATUS cli_session_setup(struct cli_state *cli, - const char *user, - const char *pass, - const char *workgroup) -{ - NTSTATUS status = NT_STATUS_NO_MEMORY; - const char *dest_realm = NULL; - struct cli_credentials *creds = NULL; - - /* - * dest_realm is only valid in the winbindd use case, - * where we also have the account in that realm. - */ - dest_realm = cli_state_remote_realm(cli); - - creds = cli_session_creds_init(cli, - user, - workgroup, - dest_realm, - pass, - cli->use_kerberos, - cli->fallback_after_kerberos, - cli->use_ccache, - cli->pw_nt_hash); - if (creds == NULL) { - return NT_STATUS_NO_MEMORY; - } - - status = cli_session_setup_creds(cli, creds); - TALLOC_FREE(creds); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - return NT_STATUS_OK; -} - /**************************************************************************** Send a uloggoff. *****************************************************************************/ 
@@ -2864,6 +2828,420 @@ fail: return status; } +struct cli_smb1_setup_encryption_blob_state { + uint16_t setup[1]; + uint8_t param[4]; + NTSTATUS status; + DATA_BLOB out; + uint16_t enc_ctx_id; +}; + +static void cli_smb1_setup_encryption_blob_done(struct tevent_req *subreq); + +static struct tevent_req *cli_smb1_setup_encryption_blob_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct cli_state *cli, + const DATA_BLOB in) +{ + struct tevent_req *req = NULL; + struct cli_smb1_setup_encryption_blob_state *state = NULL; + struct tevent_req *subreq = NULL; + + req = tevent_req_create(mem_ctx, &state, + struct cli_smb1_setup_encryption_blob_state); + if (req == NULL) { + return NULL; + } + + if (in.length > CLI_BUFFER_SIZE) { + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX); + return tevent_req_post(req, ev); + } + + SSVAL(state->setup+0, 0, TRANSACT2_SETFSINFO); + SSVAL(state->param, 0, 0); + SSVAL(state->param, 2, SMB_REQUEST_TRANSPORT_ENCRYPTION); + + subreq = smb1cli_trans_send(state, ev, cli->conn, + SMBtrans2, + 0, 0, /* _flags */ + 0, 0, /* _flags2 */ + cli->timeout, + cli->smb1.pid, + cli->smb1.tcon, + cli->smb1.session, + NULL, /* pipe_name */ + 0, /* fid */ + 0, /* function */ + 0, /* flags */ + state->setup, 1, 0, + state->param, 4, 2, + in.data, in.length, CLI_BUFFER_SIZE); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, + cli_smb1_setup_encryption_blob_done, + req); + + return req; +} + +static void cli_smb1_setup_encryption_blob_done(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, + struct tevent_req); + struct cli_smb1_setup_encryption_blob_state *state = + tevent_req_data(req, + struct cli_smb1_setup_encryption_blob_state); + uint8_t *rparam=NULL, *rdata=NULL; + uint32_t num_rparam, num_rdata; + NTSTATUS status; + + status = smb1cli_trans_recv(subreq, state, + NULL, /* recv_flags */ + NULL, 0, NULL, /* rsetup */ + &rparam, 0, 
&num_rparam, + &rdata, 0, &num_rdata); + TALLOC_FREE(subreq); + state->status = status; + if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + status = NT_STATUS_OK; + } + if (tevent_req_nterror(req, status)) { + return; + } + + if (num_rparam == 2) { + state->enc_ctx_id = SVAL(rparam, 0); + } + TALLOC_FREE(rparam); + + state->out = data_blob_const(rdata, num_rdata); + + tevent_req_done(req); +} + +static NTSTATUS cli_smb1_setup_encryption_blob_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + DATA_BLOB *out, + uint16_t *enc_ctx_id) +{ + struct cli_smb1_setup_encryption_blob_state *state = + tevent_req_data(req, + struct cli_smb1_setup_encryption_blob_state); + NTSTATUS status; + + if (tevent_req_is_nterror(req, &status)) { + tevent_req_received(req); + return status; + } + + status = state->status; + + *out = state->out; + talloc_steal(mem_ctx, out->data); + + *enc_ctx_id = state->enc_ctx_id; + + tevent_req_received(req); + return status; +} + +struct cli_smb1_setup_encryption_state { + struct tevent_context *ev; + struct cli_state *cli; + struct smb_trans_enc_state *es; + DATA_BLOB blob_in; + DATA_BLOB blob_out; + bool local_ready; + bool remote_ready; +}; + +static void cli_smb1_setup_encryption_local_next(struct tevent_req *req); +static void cli_smb1_setup_encryption_local_done(struct tevent_req *subreq); +static void cli_smb1_setup_encryption_remote_next(struct tevent_req *req); +static void cli_smb1_setup_encryption_remote_done(struct tevent_req *subreq); +static void cli_smb1_setup_encryption_ready(struct tevent_req *req); + +static struct tevent_req *cli_smb1_setup_encryption_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct cli_state *cli, + struct cli_credentials *creds) +{ + struct tevent_req *req = NULL; + struct cli_smb1_setup_encryption_state *state = NULL; + struct auth_generic_state *ags = NULL; + const DATA_BLOB *b = NULL; + bool auth_requested = false; + const char *target_service = NULL; + const char 
*target_hostname = NULL; + NTSTATUS status; + + req = tevent_req_create(mem_ctx, &state, + struct cli_smb1_setup_encryption_state); + if (req == NULL) { + return NULL; + } + state->ev = ev; + state->cli = cli; + + auth_requested = cli_credentials_authentication_requested(creds); + if (!auth_requested) { + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX); + return tevent_req_post(req, ev); + } + + target_service = "cifs"; + target_hostname = smbXcli_conn_remote_name(cli->conn); + + status = cli_session_creds_prepare_krb5(cli, creds); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + state->es = talloc_zero(state, struct smb_trans_enc_state); + if (tevent_req_nomem(state->es, req)) { + return tevent_req_post(req, ev); + } + + status = auth_generic_client_prepare(state->es, &ags); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + gensec_want_feature(ags->gensec_security, + GENSEC_FEATURE_SIGN); + gensec_want_feature(ags->gensec_security, + GENSEC_FEATURE_SEAL); + + status = auth_generic_set_creds(ags, creds); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + if (target_service != NULL) { + status = gensec_set_target_service(ags->gensec_security, + target_service); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + } + + if (target_hostname != NULL) { + status = gensec_set_target_hostname(ags->gensec_security, + target_hostname); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + } + + gensec_set_max_update_size(ags->gensec_security, + CLI_BUFFER_SIZE); + + b = smbXcli_conn_server_gss_blob(state->cli->conn); + if (b != NULL) { + state->blob_in = *b; + } + + status = auth_generic_client_start(ags, GENSEC_OID_SPNEGO); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + /* + * We only need the gensec_security part from here. 
+ */ + state->es->gensec_security = talloc_move(state->es, + &ags->gensec_security); + TALLOC_FREE(ags); + + cli_smb1_setup_encryption_local_next(req); + if (!tevent_req_is_in_progress(req)) { + return tevent_req_post(req, ev); + } + + return req; +} + +static void cli_smb1_setup_encryption_local_next(struct tevent_req *req) +{ + struct cli_smb1_setup_encryption_state *state = + tevent_req_data(req, + struct cli_smb1_setup_encryption_state); + struct tevent_req *subreq = NULL; + + if (state->local_ready) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + + subreq = gensec_update_send(state, state->ev, + state->es->gensec_security, + state->blob_in); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, cli_smb1_setup_encryption_local_done, req); +} + +static void cli_smb1_setup_encryption_local_done(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, + struct tevent_req); + struct cli_smb1_setup_encryption_state *state = + tevent_req_data(req, + struct cli_smb1_setup_encryption_state); + NTSTATUS status; + + status = gensec_update_recv(subreq, state, &state->blob_out); + TALLOC_FREE(subreq); + state->blob_in = data_blob_null; + if (!NT_STATUS_IS_OK(status) && + !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) + { + tevent_req_nterror(req, status); + return; + } + + if (NT_STATUS_IS_OK(status)) { + state->local_ready = true; + } + + /* + * We always get NT_STATUS_OK from the server even if it is not ready. + * So guess the server is ready when we are ready and already sent + * our last blob to the server. 
+ */ + if (state->local_ready && state->blob_out.length == 0) { + state->remote_ready = true; + } + + if (state->local_ready && state->remote_ready) { + cli_smb1_setup_encryption_ready(req); + return; + } + + cli_smb1_setup_encryption_remote_next(req); +} + +static void cli_smb1_setup_encryption_remote_next(struct tevent_req *req) +{ + struct cli_smb1_setup_encryption_state *state = + tevent_req_data(req, + struct cli_smb1_setup_encryption_state); + struct tevent_req *subreq = NULL; + + if (state->remote_ready) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + + subreq = cli_smb1_setup_encryption_blob_send(state, state->ev, + state->cli, state->blob_out); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, + cli_smb1_setup_encryption_remote_done, + req); +} + +static void cli_smb1_setup_encryption_remote_done(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, + struct tevent_req); + struct cli_smb1_setup_encryption_state *state = + tevent_req_data(req, + struct cli_smb1_setup_encryption_state); + NTSTATUS status; + + status = cli_smb1_setup_encryption_blob_recv(subreq, state, + &state->blob_in, + &state->es->enc_ctx_num); + TALLOC_FREE(subreq); + data_blob_free(&state->blob_out); + if (!NT_STATUS_IS_OK(status) && + !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) + { + tevent_req_nterror(req, status); + return; + } + + /* + * We always get NT_STATUS_OK even if the server is not ready. + * So guess the server is ready when we are ready and sent + * our last blob to the server. + */ + if (state->local_ready) { + state->remote_ready = true; + } -- Samba Shared Repository