The branch, master has been updated via 5776222 s4:auth_sam: allow logons with an empty domain name via 2e49a97 tests/bind.py: Add a bind test with NTLMSSP with no domain via 5c625ea tests/py_creds: Add a SamLogonEx test with an empty string domain via e039e9b s3:cliconnect.c: remove useless ';' via 0786a65 s3:libsmb: allow -U"\administrator" to work from 6a59619 build: fix libceph-common detection
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 57762229da971e837b923f09ca01bad6151f9419 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jan 9 08:54:11 2018 +0100 s4:auth_sam: allow logons with an empty domain name It turns out that an empty domain name maps to the local SAM. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Fri Feb 23 04:08:26 CET 2018 on sn-devel-144 commit 2e49a97777ebf5bffbeadca03517b4a21bca24c0 Author: Garming Sam <garm...@catalyst.net.nz> Date: Mon Jan 8 16:34:02 2018 +1300 tests/bind.py: Add a bind test with NTLMSSP with no domain Confirmed to pass against Windows 2012 R2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Garming Sam <garm...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 5c625eae3f54e8de434de26e9f6a0f2fde557c18 Author: Garming Sam <garm...@catalyst.net.nz> Date: Mon Jan 8 13:36:59 2018 +1300 tests/py_creds: Add a SamLogonEx test with an empty string domain This test passes against 4.6, but failed against 4.7.5 and master. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Garming Sam <garm...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit e039e9b0d2a16b21ace019b028e5c8244486b8a3 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jan 9 08:57:05 2018 +0100 s3:cliconnect.c: remove useless ';' BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 0786a65cabb92a812cf1c692d0d26914f74a6f87 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jan 9 08:55:48 2018 +0100 s3:libsmb: allow -U"\\administrator" to work cli_credentials_get_principal() returns NULL in that case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/credentials/tests/bind.py | 26 +++++++++++++++++++++++++- python/samba/tests/py_credentials.py | 27 +++++++++++++++++++++++++++ source3/libsmb/cliconnect.c | 9 +++++++-- source4/auth/ntlm/auth_sam.c | 16 ++++++++++------ 4 files changed, 69 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py index 91e493d..4aa4498 100755 --- a/auth/credentials/tests/bind.py +++ b/auth/credentials/tests/bind.py @@ -43,6 +43,7 @@ creds_machine = copy.deepcopy(creds) creds_user1 = copy.deepcopy(creds) creds_user2 = copy.deepcopy(creds) creds_user3 = copy.deepcopy(creds) +creds_user4 = copy.deepcopy(creds) class BindTests(samba.tests.TestCase): @@ -64,7 +65,7 @@ class BindTests(samba.tests.TestCase): self.config_dn = self.info_dc["configurationNamingContext"][0] self.computer_dn = "CN=centos53,CN=Computers,%s" % self.domain_dn self.password = "P@ssw0rd" - self.username = "BindTestUser_" + time.strftime("%s", time.gmtime()) + self.username = "BindTestUser" def tearDown(self): super(BindTests, self).tearDown() @@ -113,6 +114,7 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """ expression="(samAccountName=%s)" % self.username) self.assertEquals(len(ldb_res), 1) user_dn = ldb_res[0]["dn"] + self.addCleanup(delete_force, self.ldb, user_dn) # do a simple bind and search with the user account in format user@realm creds_user1.set_bind_dn(self.username + "@" + creds.get_realm()) @@ -138,5 +140,27 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """ lp=lp, ldap_only=True) res = ldb_user3.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + def test_user_account_bind_no_domain(self): + # create user + self.ldb.newuser(username=self.username, password=self.password) + ldb_res = self.ldb.search(base=self.domain_dn, + scope=SCOPE_SUBTREE, + expression="(samAccountName=%s)" % self.username) + self.assertEquals(len(ldb_res), 1) + user_dn = ldb_res[0]["dn"] + self.addCleanup(delete_force, self.ldb, user_dn) + + creds_user4.set_username(self.username) + creds_user4.set_password(self.password) + creds_user4.set_domain('') + creds_user4.set_workstation('') + print "BindTest (no domain) with: " + self.username + try: + ldb_user4 = samba.tests.connect_samdb(host, credentials=creds_user4, + lp=lp, ldap_only=True) + except: + self.fail("Failed to connect without the domain set") + + res = ldb_user4.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) TestProgram(module=__name__, opts=subunitopts) diff --git a/python/samba/tests/py_credentials.py b/python/samba/tests/py_credentials.py index ff017ec..2f5a7d6 100644 --- a/python/samba/tests/py_credentials.py +++ b/python/samba/tests/py_credentials.py @@ -129,6 +129,33 @@ class PyCredentialsTests(TestCase): else: raise + def test_SamLogonEx_no_domain(self): + c = self.get_netlogon_connection() + + self.user_creds.set_domain('') + + logon = samlogon_logon_info(self.domain, + self.machine_name, + self.user_creds) + + logon_level = netlogon.NetlogonNetworkTransitiveInformation + validation_level = netlogon.NetlogonValidationSamInfo4 + netr_flags = 0 + + try: + c.netr_LogonSamLogonEx(self.server, + self.user_creds.get_workstation(), + logon_level, + logon, + validation_level, + netr_flags) + except NTSTATUSError as e: + enum = ctypes.c_uint32(e[0]).value + if enum == ntstatus.NT_STATUS_WRONG_PASSWORD: + self.fail("got wrong password error") + else: + self.fail("got unexpected error" + str(e)) + def test_SamLogonExNTLM(self): c = self.get_netlogon_connection() diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 26bf569..7689910 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -283,8 +283,9 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, auth_requested = cli_credentials_authentication_requested(creds); if (auth_requested) { + errno = 0; user_principal = cli_credentials_get_principal(creds, frame); - if (user_principal == NULL) { + if (errno != 0) { TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } @@ -299,6 +300,10 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, try_kerberos = true; } + if (user_principal == NULL) { + try_kerberos = false; + } + if (target_hostname == NULL) { try_kerberos = false; } else if (is_ipaddress(target_hostname)) { @@ -1284,7 +1289,7 @@ static struct tevent_req *cli_session_setup_spnego_send( status = cli_session_creds_prepare_krb5(cli, creds); if (tevent_req_nterror(req, status)) { - return tevent_req_post(req, ev);; + return tevent_req_post(req, ev); } subreq = cli_session_setup_gensec_send(state, ev, cli, creds, diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 5e2a584..8c5ebd7 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -739,6 +739,10 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, return NT_STATUS_NOT_IMPLEMENTED; } + if (effective_domain == NULL) { + effective_domain = ""; + } + is_local_name = lpcfg_is_myname(ctx->auth_ctx->lp_ctx, effective_domain); @@ -784,7 +788,7 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, return NT_STATUS_NOT_IMPLEMENTED; } - if (effective_domain != NULL && !strequal(effective_domain, "")) { + if (!strequal(effective_domain, "")) { DBG_DEBUG("%s is not one domain name (DC)\n", effective_domain); return NT_STATUS_NOT_IMPLEMENTED; @@ -792,11 +796,11 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, p = strchr_m(user_info->mapped.account_name, '@'); if (p == NULL) { - if (effective_domain == NULL) { - return NT_STATUS_OK; - } - DEBUG(6,("authsam_check_password: '' without upn not handled (DC)\n")); - return NT_STATUS_NOT_IMPLEMENTED; + /* + * An empty to domain name should be handled + * as the local domain name. + */ + return NT_STATUS_OK; } effective_domain = p + 1; -- Samba Shared Repository