The branch, master has been updated
       via  5776222 s4:auth_sam: allow logons with an empty domain name
       via  2e49a97 tests/bind.py: Add a bind test with NTLMSSP with no domain
       via  5c625ea tests/py_creds: Add a SamLogonEx test with an empty string 
domain
       via  e039e9b s3:cliconnect.c: remove useless ';'
       via  0786a65 s3:libsmb: allow -U"\administrator" to work
      from  6a59619 build: fix libceph-common detection

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 57762229da971e837b923f09ca01bad6151f9419
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 9 08:54:11 2018 +0100

    s4:auth_sam: allow logons with an empty domain name
    
    It turns out that an empty domain name maps to the local SAM.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Fri Feb 23 04:08:26 CET 2018 on sn-devel-144

commit 2e49a97777ebf5bffbeadca03517b4a21bca24c0
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Mon Jan 8 16:34:02 2018 +1300

    tests/bind.py: Add a bind test with NTLMSSP with no domain
    
    Confirmed to pass against Windows 2012 R2.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206
    
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 5c625eae3f54e8de434de26e9f6a0f2fde557c18
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Mon Jan 8 13:36:59 2018 +1300

    tests/py_creds: Add a SamLogonEx test with an empty string domain
    
    This test passes against 4.6, but failed against 4.7.5 and master.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206
    
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit e039e9b0d2a16b21ace019b028e5c8244486b8a3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 9 08:57:05 2018 +0100

    s3:cliconnect.c: remove useless ';'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0786a65cabb92a812cf1c692d0d26914f74a6f87
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 9 08:55:48 2018 +0100

    s3:libsmb: allow -U"\\administrator" to work
    
    cli_credentials_get_principal() returns NULL in that case.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/tests/bind.py       | 26 +++++++++++++++++++++++++-
 python/samba/tests/py_credentials.py | 27 +++++++++++++++++++++++++++
 source3/libsmb/cliconnect.c          |  9 +++++++--
 source4/auth/ntlm/auth_sam.c         | 16 ++++++++++------
 4 files changed, 69 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py
index 91e493d..4aa4498 100755
--- a/auth/credentials/tests/bind.py
+++ b/auth/credentials/tests/bind.py
@@ -43,6 +43,7 @@ creds_machine = copy.deepcopy(creds)
 creds_user1 = copy.deepcopy(creds)
 creds_user2 = copy.deepcopy(creds)
 creds_user3 = copy.deepcopy(creds)
+creds_user4 = copy.deepcopy(creds)
 
 class BindTests(samba.tests.TestCase):
 
@@ -64,7 +65,7 @@ class BindTests(samba.tests.TestCase):
         self.config_dn = self.info_dc["configurationNamingContext"][0]
         self.computer_dn = "CN=centos53,CN=Computers,%s" % self.domain_dn
         self.password = "P@ssw0rd"
-        self.username = "BindTestUser_" + time.strftime("%s", time.gmtime())
+        self.username = "BindTestUser"
 
     def tearDown(self):
         super(BindTests, self).tearDown()
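Review bot: With `self.username` now the constant "BindTestUser", an account left behind by an interrupted or failed run makes the next run's user creation fail. The cleanups added in the later hunks of this file do not cover that case, because they are registered only after the create, the search and the `assertEquals` have all succeeded. Either keep a per-run suffix on the name, or have setUp remove any stale account of that name before a test creates it, with a short comment saying the name is fixed on purpose. setUp and tearDown both extend outside this hunk, so an existing pre-delete may simply not be visible here.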
@@ -113,6 +114,7 @@ unicodePwd:: """ + 
base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
                                       expression="(samAccountName=%s)" % 
self.username)
         self.assertEquals(len(ldb_res), 1)
         user_dn = ldb_res[0]["dn"]
+        self.addCleanup(delete_force, self.ldb, user_dn)
 
         # do a simple bind and search with the user account in format 
user@realm
         creds_user1.set_bind_dn(self.username + "@" + creds.get_realm())
@@ -138,5 +140,27 @@ unicodePwd:: """ + 
base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
                                               lp=lp, ldap_only=True)
         res = ldb_user3.search(base="", expression="", scope=SCOPE_BASE, 
attrs=["*"])
 
+    def test_user_account_bind_no_domain(self):
+        # create user
+        self.ldb.newuser(username=self.username, password=self.password)
+        ldb_res = self.ldb.search(base=self.domain_dn,
+                                      scope=SCOPE_SUBTREE,
+                                      expression="(samAccountName=%s)" % 
self.username)
+        self.assertEquals(len(ldb_res), 1)
+        user_dn = ldb_res[0]["dn"]
+        self.addCleanup(delete_force, self.ldb, user_dn)
+
+        creds_user4.set_username(self.username)
+        creds_user4.set_password(self.password)
+        creds_user4.set_domain('')
+        creds_user4.set_workstation('')
+        print "BindTest (no domain) with: " + self.username
+        try:
+            ldb_user4 = samba.tests.connect_samdb(host, 
credentials=creds_user4,
+                                              lp=lp, ldap_only=True)
+        except:
+            self.fail("Failed to connect without the domain set")
+
+        res = ldb_user4.search(base="", expression="", scope=SCOPE_BASE, 
attrs=["*"])
 
 TestProgram(module=__name__, opts=subunitopts)
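Review bot: The bare `except:` around `connect_samdb` in `test_user_account_bind_no_domain` discards the reason for the failure and also catches KeyboardInterrupt and SystemExit. Using `except Exception as e:` with `self.fail("Failed to connect without the domain set: %s" % e)` keeps the cause in the test output. The test also covers only the accepting path: the change under test widens which NTLMSSP logons are served, so a companion case that binds with an empty domain and a wrong password and expects a rejection would pin the other side. `res` is assigned but never checked.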
diff --git a/python/samba/tests/py_credentials.py 
b/python/samba/tests/py_credentials.py
index ff017ec..2f5a7d6 100644
--- a/python/samba/tests/py_credentials.py
+++ b/python/samba/tests/py_credentials.py
@@ -129,6 +129,33 @@ class PyCredentialsTests(TestCase):
             else:
                 raise
 
+    def test_SamLogonEx_no_domain(self):
+        c = self.get_netlogon_connection()
+
+        self.user_creds.set_domain('')
+
+        logon = samlogon_logon_info(self.domain,
+                                    self.machine_name,
+                                    self.user_creds)
+
+        logon_level = netlogon.NetlogonNetworkTransitiveInformation
+        validation_level = netlogon.NetlogonValidationSamInfo4
+        netr_flags = 0
+
+        try:
+            c.netr_LogonSamLogonEx(self.server,
+                                   self.user_creds.get_workstation(),
+                                   logon_level,
+                                   logon,
+                                   validation_level,
+                                   netr_flags)
+        except NTSTATUSError as e:
+            enum = ctypes.c_uint32(e[0]).value
+            if enum == ntstatus.NT_STATUS_WRONG_PASSWORD:
+                self.fail("got wrong password error")
+            else:
+                self.fail("got unexpected error" + str(e))
+
     def test_SamLogonExNTLM(self):
         c = self.get_netlogon_connection()
 
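Review bot: `test_SamLogonEx_no_domain` throws away the return value of `netr_LogonSamLogonEx`, so it passes on any reply that is not an NTSTATUSError and does not show which account the empty domain resolved to. Capturing the result and asserting on the returned validation data would make the mapping to the local SAM explicit. Both `except` branches end in `self.fail`, and the second message lacks a separator; `self.fail("got unexpected error: " + str(e))` reads better in the log. Whether `self.user_creds` is rebuilt for each test is not visible in this hunk; if it is shared, `set_domain('')` carries over into later tests.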
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 26bf569..7689910 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -283,8 +283,9 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state 
*cli,
 
        auth_requested = cli_credentials_authentication_requested(creds);
        if (auth_requested) {
+               errno = 0;
                user_principal = cli_credentials_get_principal(creds, frame);
-               if (user_principal == NULL) {
+               if (errno != 0) {
                        TALLOC_FREE(frame);
                        return NT_STATUS_NO_MEMORY;
                }
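Review bot: The new `errno != 0` test treats any non-zero errno after `cli_credentials_get_principal()` as an allocation failure, even when the call returned a usable principal, and C library calls are allowed to leave errno non-zero on success. Tying the check to the return value, `if (user_principal == NULL && errno != 0) {`, keeps the intended distinction between "no principal" and a real error. A one-line comment that NULL with errno == 0 means the credentials carry no principal (the `-U"\administrator"` case from the commit message) would document the convention. cli_session_creds_prepare_krb5 continues beyond this hunk.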
@@ -299,6 +300,10 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state 
*cli,
                try_kerberos = true;
        }
 
+       if (user_principal == NULL) {
+               try_kerberos = false;
+       }
+
        if (target_hostname == NULL) {
                try_kerberos = false;
        } else if (is_ipaddress(target_hostname)) {
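Review bot: The added `user_principal == NULL` branch switches Kerberos off without a comment or a debug line, although it changes which authentication mechanism the session will use. A comment such as `/* no principal available, Kerberos cannot be attempted */` and a `DBG_DEBUG` message would make the fallback visible when diagnosing logons. Whether a later check rejects the session when Kerberos was mandatory lies outside this hunk; if there is none, this branch would quietly downgrade a Kerberos-only request to NTLMSSP.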
@@ -1284,7 +1289,7 @@ static struct tevent_req *cli_session_setup_spnego_send(
 
        status = cli_session_creds_prepare_krb5(cli, creds);
        if (tevent_req_nterror(req, status)) {
-               return tevent_req_post(req, ev);;
+               return tevent_req_post(req, ev);
        }
 
        subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 5e2a584..8c5ebd7 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -739,6 +739,10 @@ static NTSTATUS authsam_want_check(struct 
auth_method_context *ctx,
                return NT_STATUS_NOT_IMPLEMENTED;
        }
 
+       if (effective_domain == NULL) {
+               effective_domain = "";
+       }
+
        is_local_name = lpcfg_is_myname(ctx->auth_ctx->lp_ctx,
                                        effective_domain);
 
@@ -784,7 +788,7 @@ static NTSTATUS authsam_want_check(struct 
auth_method_context *ctx,
                return NT_STATUS_NOT_IMPLEMENTED;
        }
 
-       if (effective_domain != NULL && !strequal(effective_domain, "")) {
+       if (!strequal(effective_domain, "")) {
                DBG_DEBUG("%s is not one domain name (DC)\n",
                          effective_domain);
                return NT_STATUS_NOT_IMPLEMENTED;
@@ -792,11 +796,11 @@ static NTSTATUS authsam_want_check(struct 
auth_method_context *ctx,
 
        p = strchr_m(user_info->mapped.account_name, '@');
        if (p == NULL) {
-               if (effective_domain == NULL) {
-                       return NT_STATUS_OK;
-               }
-               DEBUG(6,("authsam_check_password: '' without upn not handled 
(DC)\n"));
-               return NT_STATUS_NOT_IMPLEMENTED;
+               /*
+                * An empty to domain name should be handled
+                * as the local domain name.
+                */
+               return NT_STATUS_OK;
        }
 
        effective_domain = p + 1;
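Review bot: The comment added in the `p == NULL` branch has a stray word ("An empty to domain name"); suggested text: `An empty domain name is handled as the local domain name.` The branch now returns NT_STATUS_OK for every account name without '@' that reaches it, where the old code declined the empty-string case with NT_STATUS_NOT_IMPLEMENTED. The comment should therefore also record why accepting it is correct; the commit messages cite a pass against Windows 2012 R2 and against 4.6. authsam_want_check starts and continues outside this hunk.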


-- 
Samba Shared Repository
