The branch, master has been updated via 6651b07 samdb: Fix a typo via 65e4e81 auth4: Reduce indentation level by an early error return via 6d4acc8 auth4: Only use CrackNames if we're a DC via 5a6f3fc auth4: Fix map_user_info_cracknames for domain==NULL from 41827cc auth3: Simplify get_system_info3
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 6651b07e58ef30ea0b5aa536b51818f2e6e8770e Author: Volker Lendecke <v...@samba.org> Date: Sun Feb 26 13:06:05 2017 +0100 samdb: Fix a typo Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Tue Feb 28 13:55:42 CET 2017 on sn-devel-144 commit 65e4e8160a26bf85fad72f48e8a16f861c7ebf25 Author: Volker Lendecke <v...@samba.org> Date: Thu Feb 23 20:48:32 2017 +0100 auth4: Reduce indentation level by an early error return Just cosmetics for easier readability, no code change Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 6d4acc8cd6aecc393a1d456be0814cc88c6dab5a Author: Volker Lendecke <v...@samba.org> Date: Sun Feb 26 11:25:20 2017 +0100 auth4: Only use CrackNames if we're a DC DsCrackNameOneName on a member does not really have a big user database. We should delegate as much responsibility as possible to our DC. Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 5a6f3fcf811e9199096d343c7d4c8c3af663157d Author: Volker Lendecke <v...@samba.org> Date: Sun Feb 26 09:16:02 2017 +0100 auth4: Fix map_user_info_cracknames for domain==NULL DsCrackNameOneName directly fails for DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT if the name passed in does not contain a \. The only caller of map_user_info_cracknames (auth_check_password_send) passes in lpcfg_workgroup(), which does not contain a \. Add in the \ also for the default_domain case. 
Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> ----------------------------------------------------------------------- Summary of changes: source4/auth/ntlm/auth.c | 50 ++++++++++++++++++++++++----------------- source4/auth/ntlm/auth_util.c | 10 ++++----- source4/dsdb/samdb/cracknames.c | 2 +- 3 files changed, 36 insertions(+), 26 deletions(-) Changeset truncated at 500 lines:
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index eeb2336..a1276df 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -191,29 +191,33 @@ _PUBLIC_ NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
 DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
 {
 struct auth_user_info_dc *user_info_dc;
- NTSTATUS status = auth_check_password(auth_ctx, mem_ctx, user_info, &user_info_dc);
+ NTSTATUS status;
- if (NT_STATUS_IS_OK(status)) {
- *server_returned_info = user_info_dc;
+ status = auth_check_password(auth_ctx, mem_ctx, user_info,
+ &user_info_dc);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- if (user_session_key) {
- DEBUG(10, ("Got NT session key of length %u\n",
- (unsigned)user_info_dc->user_session_key.length));
- *user_session_key = user_info_dc->user_session_key;
- talloc_steal(mem_ctx, user_session_key->data);
- user_info_dc->user_session_key = data_blob_null;
- }
+ *server_returned_info = user_info_dc;
- if (lm_session_key) {
- DEBUG(10, ("Got LM session key of length %u\n",
- (unsigned)user_info_dc->lm_session_key.length));
- *lm_session_key = user_info_dc->lm_session_key;
- talloc_steal(mem_ctx, lm_session_key->data);
- user_info_dc->lm_session_key = data_blob_null;
- }
+ if (user_session_key) {
+ DEBUG(10, ("Got NT session key of length %u\n",
+ (unsigned)user_info_dc->user_session_key.length));
+ *user_session_key = user_info_dc->user_session_key;
+ talloc_steal(mem_ctx, user_session_key->data);
+ user_info_dc->user_session_key = data_blob_null;
 }
- return status;
+ if (lm_session_key) {
+ DEBUG(10, ("Got LM session key of length %u\n",
+ (unsigned)user_info_dc->lm_session_key.length));
+ *lm_session_key = user_info_dc->lm_session_key;
+ talloc_steal(mem_ctx, lm_session_key->data);
+ user_info_dc->lm_session_key = data_blob_null;
+ }
+
+ return NT_STATUS_OK;
 }
 struct auth_check_password_state {
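Review bot: The two session-key blocks in `auth_check_password_wrapper` move the key buffers out of `user_info_dc` instead of copying them, and nothing in the code says so. After `talloc_steal()` and the `data_blob_null` assignment, the structure handed back through `*server_returned_info` no longer carries a key that the caller asked for, which is easy to miss for code that later reads the keys from that structure. A one-line comment above each block would cover it, for example `/* Move the key to the caller; user_info_dc keeps no copy */`. It would also help to document that `*server_returned_info` is left untouched on the early error return, so callers must not read it on failure. The start of the function is outside the hunk.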
@@ -280,8 +284,14 @@ _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
 state->user_info = user_info;
 if (!user_info->mapped_state) {
- nt_status = map_user_info(auth_ctx->sam_ctx, req, lpcfg_workgroup(auth_ctx->lp_ctx),
- user_info, &user_info_tmp);
+ int server_role = lpcfg_server_role(auth_ctx->lp_ctx);
+
+ nt_status = map_user_info(
+ auth_ctx->sam_ctx, req,
+ server_role == ROLE_ACTIVE_DIRECTORY_DC,
+ lpcfg_workgroup(auth_ctx->lp_ctx),
+ user_info, &user_info_tmp);
+
 if (tevent_req_nterror(req, nt_status)) {
 return tevent_req_post(req, ev);
 }
diff --git a/source4/auth/ntlm/auth_util.c b/source4/auth/ntlm/auth_util.c
index 3e5a0da..e3d196c 100644
--- a/source4/auth/ntlm/auth_util.c
+++ b/source4/auth/ntlm/auth_util.c
@@ -128,12 +128,11 @@ static NTSTATUS map_user_info_cracknames(struct ldb_context *sam_ctx,
 return NT_STATUS_NO_MEMORY;
 }
 } else {
- char *domain_name;
+ const char *domain_name = default_domain;
 if (user_info->client.domain_name && *user_info->client.domain_name) {
- domain_name = talloc_asprintf(tmp_ctx, "%s\\", user_info->client.domain_name);
- } else {
- domain_name = talloc_strdup(tmp_ctx, default_domain);
+ domain_name = user_info->client.domain_name;
 }
+ domain_name = talloc_asprintf(tmp_ctx, "%s\\", domain_name);
 if (domain_name == NULL) {
 talloc_free(tmp_ctx);
 return NT_STATUS_NO_MEMORY;
@@ -222,6 +221,7 @@ static NTSTATUS map_user_info_cracknames(struct ldb_context *sam_ctx,
 ****************************************************************************/
 NTSTATUS map_user_info(struct ldb_context *sam_ctx,
 TALLOC_CTX *mem_ctx,
+ bool is_ad_dc,
 const char *default_domain,
 const struct auth_usersupplied_info *user_info,
 struct auth_usersupplied_info **user_info_mapped)
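Review bot: In the `map_user_info_cracknames` hunk of auth_util.c, `default_domain` now reaches `talloc_asprintf(tmp_ctx, "%s\\", domain_name)` without a NULL check. The removed `talloc_strdup(tmp_ctx, default_domain)` returned NULL for a NULL argument and so ended in `NT_STATUS_NO_MEMORY`. Passing NULL to `%s` is undefined and typically yields a name such as `(null)\` that would then be handed to the CrackNames lookup. The commit message says the only caller passes `lpcfg_workgroup()`, so this may not occur today, but a guard before the `talloc_asprintf` call keeps the helper safe for other callers: `if (domain_name == NULL) { talloc_free(tmp_ctx); return NT_STATUS_INVALID_PARAMETER; }`. The function body begins and ends outside the hunk.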
@@ -231,7 +231,7 @@ NTSTATUS map_user_info(struct ldb_context *sam_ctx,
 char *d;
 TALLOC_CTX *tmp_ctx;
- if (sam_ctx != NULL) {
+ if (is_ad_dc) {
 /* if possible, use cracknames to parse the domain/account */
 return map_user_info_cracknames(sam_ctx, mem_ctx, default_domain, user_info, user_info_mapped);
diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index ad4ef5c..596343a 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -679,7 +679,7 @@ WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 return WERR_NOT_ENOUGH_MEMORY;
 }
- /* Ensure we reject compleate junk first */
+ /* Ensure we reject complete junk first */
 ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
 if (ret) {
 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
-- Samba Shared Repository
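Review bot: In the `map_user_info` hunk, replacing `if (sam_ctx != NULL)` with `if (is_ad_dc)` drops the only visible guard on `sam_ctx` before it is passed to `map_user_info_cracknames()`. The caller in auth.c forwards `auth_ctx->sam_ctx` unchecked, and these hunks do not show whether it is always set when the role is `ROLE_ACTIVE_DIRECTORY_DC`. If it can be NULL there, the DC path now hands a NULL ldb context to the CrackNames lookup during authentication. Keeping both conditions, `if (is_ad_dc && sam_ctx != NULL) {`, preserves the old fallback to the plain parser; alternatively return an explicit error when a DC has no `sam_ctx`. The comment `/* if possible, use cracknames ... */` should also be updated to state the new rule (only on an AD DC); the function continues outside the hunk.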