The branch, v4-7-test has been updated via 7a49112 s4:auth_sam: allow logons with an empty domain name via 7ea5588 tests/bind.py: Add a bind test with NTLMSSP with no domain via 35c8220 tests/py_creds: Add a SamLogonEx test with an empty string domain via 04cc893 s3:cliconnect.c: remove useless ';' via 4c087a0 s3:libsmb: allow -U"\administrator" to work via 6c1dde6 s3:auth: make use of make_{server,session}_info_anonymous() via 47b1336 s3:rpc_server: make use of make_session_info_anonymous() via 8f69498 s3:auth: add make_{server,session}_info_anonymous() via c3fdc61 s3:auth: pass the whole auth_session_info from copy_session_info_serverinfo_guest() to create_local_token() via 1902652 s3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_create_session_info() via b8c518d s3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create() via 104de61 auth: add auth_user_info_copy() function via 8b5253e s3:auth: remove static from finalize_local_nt_token() via 627a86b s3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token() via ecee945 s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token() via 7687d26 s3:auth: add add_builtin_guests() handling to finalize_local_nt_token() via e0e4aa1 s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token() via c1f61c0 s3:passdb: handle dom_sid=NULL in create_builtin_{users,administrators}() via 85097b1 s3:auth: move add_local_groups() out of finalize_local_nt_token() via 1258f28 s3:auth: add the "Unix Groups" sid for the primary gid via b991dca s3:auth: remove unused auth_serversupplied_info->system via ff7a8e4 libcli/security: only announce a session as GUEST if 'Builtin\Guests' is there without 'Authenticated User' via e39a5bd s3:selftest: run SMB2-ANONYMOUS via 23d1850 s3:torture: add SMB2-ANONYMOUS which asserts no GUEST bit for anonymous from 17977a9 Merge tag 'samba-4.7.6' into v4-7-test
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log ----------------------------------------------------------------- commit 7a49112b5077381383d9d6c2b5356e6208dceaf0 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jan 9 08:54:11 2018 +0100 s4:auth_sam: allow logons with an empty domain name It turns out that an empty domain name maps to the local SAM. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Fri Feb 23 04:08:26 CET 2018 on sn-devel-144 (cherry picked from commit 57762229da971e837b923f09ca01bad6151f9419) Autobuild-User(v4-7-test): Stefan Metzmacher <me...@samba.org> Autobuild-Date(v4-7-test): Tue Mar 20 21:51:18 CET 2018 on sn-devel-144 commit 7ea5588d089b5b97f307c71aa4de78fe0aa2441b Author: Garming Sam <garm...@catalyst.net.nz> Date: Mon Jan 8 16:34:02 2018 +1300 tests/bind.py: Add a bind test with NTLMSSP with no domain Confirmed to pass against Windows 2012 R2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Garming Sam <garm...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit 2e49a97777ebf5bffbeadca03517b4a21bca24c0) commit 35c8220990a2671443ca6b9f457efd72a427be9e Author: Garming Sam <garm...@catalyst.net.nz> Date: Mon Jan 8 13:36:59 2018 +1300 tests/py_creds: Add a SamLogonEx test with an empty string domain This test passes against 4.6, but failed against 4.7.5 and master. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Garming Sam <garm...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit 5c625eae3f54e8de434de26e9f6a0f2fde557c18) commit 04cc8936c3f90bf3bbb05bce25c55212c8f0823b Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jan 9 08:57:05 2018 +0100 s3:cliconnect.c: remove useless ';' BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> (cherry picked from commit e039e9b0d2a16b21ace019b028e5c8244486b8a3) commit 4c087a0e9e8ffd797e810f7dc21d630fd6833eed Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jan 9 08:55:48 2018 +0100 s3:libsmb: allow -U"\\administrator" to work cli_credentials_get_principal() returns NULL in that case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> (cherry picked from commit 0786a65cabb92a812cf1c692d0d26914f74a6f87) commit 6c1dde631da2f5b41682210eca40f9d363168696 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Mar 2 14:40:19 2018 +0100 s3:auth: make use of make_{server,session}_info_anonymous() It's important to have them separated from make_{server,session}_info_guest(), because there's a fundamental difference between anonymous (the client requested no authentication) and guest (the server lies about the authentication failure). When it's really an anonymous connection, we should reflect that in the resulting session info. This should fix a problem where Windows 10 tries to join a Samba hosted NT4 domain and has SMB2/3 enabled. We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST for true anonymous connections. The commit message from a few commit before shows the resulting auth_session_info change. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> Autobuild-User(master): Ralph Böhme <s...@samba.org> Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144 (cherry picked from commit 1957bf11f127fc08c6622999cadc7dd580ac7d3b) commit 47b13364bed551fb9480ff8ac500d6251fae7b72 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Mar 2 14:40:19 2018 +0100 s3:rpc_server: make use of make_session_info_anonymous() For unauthenticated connections we should default to a session info with an anonymous nt token. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit 0ee9a550944034718ea188b277cca4b6fc5fbc5c) commit 8f69498ab6fa85dc3d23a1453224a654a9bedead Author: Stefan Metzmacher <me...@samba.org> Date: Fri Mar 2 14:39:44 2018 +0100 s3:auth: add make_{server,session}_info_anonymous() It's important to have them separated from make_{server,session}_info_guest(), because there's a fundamental difference between anonymous (the client requested no authentication) and guest (the server lies about the authentication failure). The following is the difference between guest and anonymous token: security_token: struct security_token - num_sids : 0x0000000a (10) - sids: ARRAY(10) - sids : S-1-5-21-3793881525-3372187982-3724979742-501 - sids : S-1-5-21-3793881525-3372187982-3724979742-514 - sids : S-1-22-2-65534 - sids : S-1-22-2-65533 + num_sids : 0x00000009 (9) + sids: ARRAY(9) + sids : S-1-5-7 sids : S-1-1-0 sids : S-1-5-2 - sids : S-1-5-32-546 sids : S-1-22-1-65533 + sids : S-1-22-2-65534 + sids : S-1-22-2-100004 sids : S-1-22-2-100002 sids : S-1-22-2-100003 + sids : S-1-22-2-65533 privilege_mask : 0x0000000000000000 (0) ... unix_token : * unix_token: struct security_unix_token uid : 0x000000000000fffd (65533) gid : 0x000000000000fffe (65534) - ngroups : 0x00000004 (4) - groups: ARRAY(4) + ngroups : 0x00000005 (5) + groups: ARRAY(5) groups : 0x000000000000fffe (65534) - groups : 0x000000000000fffd (65533) + groups : 0x00000000000186a4 (100004) groups : 0x00000000000186a2 (100002) groups : 0x00000000000186a3 (100003) + groups : 0x000000000000fffd (65533) info: struct auth_user_info account_name : * - account_name : 'nobody' + account_name : 'ANONYMOUS LOGON' user_principal_name : NULL user_principal_constructed: 0x00 (0) domain_name : * - domain_name : 'SAMBA-TEST' + domain_name : 'NT AUTHORITY' dns_domain_name : NULL - full_name : NULL - logon_script : NULL - profile_path : NULL - home_directory : NULL - home_drive : NULL - logon_server : NULL + full_name : * + full_name : 'Anonymous Logon' + logon_script : * + logon_script : '' + profile_path : * + profile_path : '' + home_directory : * + home_directory : '' + home_drive : * + home_drive : '' + logon_server : * + logon_server : 'LOCALNT4DC2' last_logon : NTTIME(0) last_logoff : NTTIME(0) acct_expiry : NTTIME(0) last_password_change : NTTIME(0) allow_password_change : NTTIME(0) force_password_change : NTTIME(0) logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) - acct_flags : 0x00000000 (0) + acct_flags : 0x00000010 (16) authenticated : 0x00 (0) security_token: struct security_token num_sids : 0x00000006 (6) sids: ARRAY(6) + sids : S-1-5-7 + sids : S-1-1-0 + sids : S-1-5-2 sids : S-1-22-1-65533 sids : S-1-22-2-65534 sids : S-1-22-2-65533 - sids : S-1-1-0 - sids : S-1-5-2 - sids : S-1-5-32-546 privilege_mask : 0x0000000000000000 (0) BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (similar to commit 6afb6b67a198c88ab8fa3fee931729c43605716d) commit c3fdc6157377e71cf354fae5b59b823a4ebaa0eb Author: Stefan Metzmacher <me...@samba.org> Date: Fri Mar 2 17:07:11 2018 +0100 s3:auth: pass the whole auth_session_info from copy_session_info_serverinfo_guest() to create_local_token() We only need to adjust sanitized_username in order to keep the same behaviour. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit a2a289d0446fedb4ea40834b5b5b190fdca30906) commit 19026525a2b649f282bb11d55ae1eb5807fc4a3a Author: Stefan Metzmacher <me...@samba.org> Date: Wed Mar 7 00:51:51 2018 +0100 s3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_create_session_info() The changes in the resulting token look like this: unix_token : * unix_token: struct security_unix_token uid : 0x0000000000000000 (0) gid : 0x0000000000000000 (0) - ngroups : 0x00000000 (0) - groups: ARRAY(0) + ngroups : 0x00000001 (1) + groups: ARRAY(1) + groups : 0x0000000000000000 (0) ... domain_name : * domain_name : 'NT AUTHORITY' dns_domain_name : NULL - full_name : NULL - logon_script : NULL - profile_path : NULL - home_directory : NULL - home_drive : NULL - logon_server : NULL + full_name : * + full_name : 'System' + logon_script : * + logon_script : '' + profile_path : * + profile_path : '' + home_directory : * + home_directory : '' + home_drive : * + home_drive : '' + logon_server : * + logon_server : 'SLOWSERVER' last_logon : NTTIME(0) last_logoff : NTTIME(0) acct_expiry : NTTIME(0) last_password_change : NTTIME(0) allow_password_change : NTTIME(0) force_password_change : NTTIME(0) logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) - acct_flags : 0x00000000 (0) + acct_flags : 0x00000010 (16) authenticated : 0x01 (1) unix_info : * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (similar to commit e8402ec0486ced6ac2adb640c61a9e5abc77d4e4) commit b8c518d57fc32f8daffb0d4798dc8f5de17c0150 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Mar 7 00:21:13 2018 +0100 s3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create() These functions make it possible to construct a full auth_session_info from the information available from an auth_user_info_dc structure. This has all the logic from create_local_token() that is used to transform a auth_serversupplied_info to a full auth_session_info. In order to workarround the restriction that auth_user_info_dc doesn't contain hints for the unix token/name, we use the special S-1-5-88 (Unix_NFS) sids: - S-1-5-88-1-Y gives the uid=Y - S-1-5-88-2-Y gives the gid=Y - S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_* The currently implemented flags are: - AUTH3_UNIX_HINT_QUALIFIED_NAME unix_name = DOMAIN+ACCOUNT - AUTH3_UNIX_HINT_ISLOLATED_NAME unix_name = ACCOUNT - AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS Don't translate the nt token SIDS into uid/gids using sid mapping. - AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS Don't translate the unix token uid/gids to S-1-22-X-Y SIDS - AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS The unix token won't get expanded gid values from getgroups_unix_user() By using the hints it is possible to keep the current logic where an authentication backend provides uid/gid values and the unix name. Note the S-1-5-88-* SIDS never appear in the final security_token. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit af4bc135e486e17164da0ea918281fbf689892c3) commit 104de61756e6b098985c3a599a3ccf62cbbe7299 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 6 16:38:10 2018 +0100 auth: add auth_user_info_copy() function BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit 6ff891195855403bc485725aef8d43d4e3cabacb) commit 8b5253e5d4c79265a9c35955f83407a0c11a76d1 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 6 23:45:30 2018 +0100 s3:auth: remove static from finalize_local_nt_token() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit 7f47f9e1f220d2dd547cf77bbc292357a2173870) commit 627a86bf2d516e256701f50473d0cdfd15d7eecc Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 6 23:40:10 2018 +0100 s3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit d3aae5ba65c7ed0d5e9f8389101cf1c8c1f0a25b) commit ecee9453a6ef611763d11e88e2ecf212f065a86c Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 6 23:36:03 2018 +0100 s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit 4f81ef9353ad76390aa910c8c17456fec21916c6) commit 7687d26f8bb6aa57672c70f95bee3f67b9957107 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 6 23:26:28 2018 +0100 s3:auth: add add_builtin_guests() handling to finalize_local_nt_token() We should add Builtin_Guests depending on the current token not based on 'is_guest'. Even authenticated users can be member a guest related group and therefore get Builtin_Guests. Sadly we still need to use 'is_guest' within create_local_nt_token() as we only have S-1-22-* SIDs there and still need to add Builtin_Guests. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit e8dc55d2b969b670322a913799d1af459a1000e7) commit e0e4aa1ac539d2811bd801e9e3b8f69d7e306f3b Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 13 21:38:27 2018 +0100 s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit c2ffbf9f764a94ef1dc1280741884cf63a017308) commit c1f61c0816441be2061b3fd23db04dc60dcc64f7 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 13 21:35:48 2018 +0100 s3:passdb: handle dom_sid=NULL in create_builtin_{users,administrators}() We should not crash if we're called with NULL. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit efdc617c76d9043286e33b961f45ad4564232102) commit 85097b155447257d9c4a66cd43ac432a27b52529 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 6 17:14:34 2018 +0100 s3:auth: move add_local_groups() out of finalize_local_nt_token() finalize_local_nt_token() will be used in another place, were we don't want to add local groups in a following commit. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit df3d278853ec097df27c221369dfb3ed0297d6c8) commit 1258f287420642698c456f6bb17bf4547a921964 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Mar 2 16:37:58 2018 +0100 s3:auth: add the "Unix Groups" sid for the primary gid The primary gid might not be in the gid array. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit f3ca3e71cc35876df47e31ec9c3643308add2405) commit b991dca37a425cc252752e5a306df80077814aaf Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 1 18:05:28 2018 +0100 s3:auth: remove unused auth_serversupplied_info->system BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit 28ad1306b880a44824ee956a19656ac29581a1b9) commit ff7a8e416b53e073a6d16fb122cdeba8b53c6e53 Author: Ralph Boehme <s...@samba.org> Date: Wed Mar 14 11:44:49 2018 +0100 libcli/security: only announce a session as GUEST if 'Builtin\Guests' is there without 'Authenticated User' BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit f564847c8e9d31fe07dd3cbf435986b36f097fa3) commit e39a5bd12e1704926c9d8141d8ef75a093670892 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 15 18:04:21 2018 +0100 s3:selftest: run SMB2-ANONYMOUS This fails against a non AD DC smbd. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit bf707a1eba39e996bb19457b63ddb658cc4183c2) commit 23d1850c1c632984052ac923ab365501dd1c0195 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 15 17:40:07 2018 +0100 s3:torture: add SMB2-ANONYMOUS which asserts no GUEST bit for anonymous BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit 82d8aa3b9cb15512d29a97b5a7e55ea1a052734f) ----------------------------------------------------------------------- Summary of changes: auth/auth_sam_reply.c | 35 ++ auth/auth_sam_reply.h | 3 + auth/credentials/tests/bind.py | 26 +- libcli/security/session.c | 18 +- python/samba/tests/py_credentials.py | 27 ++ source3/auth/auth_builtin.c | 2 +- source3/auth/auth_ntlmssp.c | 5 +- source3/auth/auth_util.c | 852 ++++++++++++++++++++++++++++++----- source3/auth/proto.h | 38 ++ source3/auth/token_util.c | 251 +++++++++-- source3/include/auth.h | 6 +- source3/libsmb/cliconnect.c | 9 +- source3/passdb/pdb_util.c | 10 +- source3/rpc_server/rpc_server.c | 9 +- source3/selftest/tests.py | 1 + source3/torture/proto.h | 1 + source3/torture/test_smb2.c | 42 ++ source3/torture/torture.c | 1 + source4/auth/ntlm/auth_sam.c | 16 +- 19 files changed, 1170 insertions(+), 182 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c index 15d17b0..bd69515 100644 --- a/auth/auth_sam_reply.c +++ b/auth/auth_sam_reply.c @@ -333,6 +333,41 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx, + const struct auth_user_info *src) +{ + struct auth_user_info *dst = NULL; + + dst = talloc_zero(mem_ctx, struct auth_user_info); + if (dst == NULL) { + return NULL; + } + + *dst = *src; +#define _COPY_STRING(_mem, _str) do { \ + if ((_str) != NULL) { \ + (_str) = talloc_strdup((_mem), (_str)); \ + if ((_str) == NULL) { \ + TALLOC_FREE(dst); \ + return NULL; \ + } \ + } \ +} while(0) + _COPY_STRING(dst, dst->account_name); + _COPY_STRING(dst, dst->user_principal_name); + _COPY_STRING(dst, dst->domain_name); + _COPY_STRING(dst, dst->dns_domain_name); + _COPY_STRING(dst, dst->full_name); + _COPY_STRING(dst, dst->logon_script); + _COPY_STRING(dst, dst->profile_path); + _COPY_STRING(dst, dst->home_directory); + _COPY_STRING(dst, dst->home_drive); + _COPY_STRING(dst, dst->logon_server); +#undef _COPY_STRING + + return dst; +} + /** * Make a user_info_dc struct from the info3 returned by a domain logon */ diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h index 4aa3096..e4b26e9 100644 --- a/auth/auth_sam_reply.h +++ b/auth/auth_sam_reply.h @@ -38,6 +38,9 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx, bool authenticated, struct auth_user_info **_user_info); +struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx, + const struct auth_user_info *src); + NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx, const struct auth_user_info_dc *user_info_dc, struct netr_SamInfo6 **_sam6); diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py index 91e493d..4aa4498 100755 --- a/auth/credentials/tests/bind.py +++ b/auth/credentials/tests/bind.py @@ -43,6 +43,7 @@ creds_machine = copy.deepcopy(creds) creds_user1 = copy.deepcopy(creds) creds_user2 = copy.deepcopy(creds) creds_user3 = copy.deepcopy(creds) +creds_user4 = copy.deepcopy(creds) class BindTests(samba.tests.TestCase): @@ -64,7 +65,7 @@ class BindTests(samba.tests.TestCase): self.config_dn = self.info_dc["configurationNamingContext"][0] self.computer_dn = "CN=centos53,CN=Computers,%s" % self.domain_dn self.password = "P@ssw0rd" - self.username = "BindTestUser_" + time.strftime("%s", time.gmtime()) + self.username = "BindTestUser" def tearDown(self): super(BindTests, self).tearDown() @@ -113,6 +114,7 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """ expression="(samAccountName=%s)" % self.username) self.assertEquals(len(ldb_res), 1) user_dn = ldb_res[0]["dn"] + self.addCleanup(delete_force, self.ldb, user_dn) # do a simple bind and search with the user account in format user@realm creds_user1.set_bind_dn(self.username + "@" + creds.get_realm()) @@ -138,5 +140,27 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """ lp=lp, ldap_only=True) res = ldb_user3.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + def test_user_account_bind_no_domain(self): + # create user + self.ldb.newuser(username=self.username, password=self.password) + ldb_res = self.ldb.search(base=self.domain_dn, + scope=SCOPE_SUBTREE, + expression="(samAccountName=%s)" % self.username) + self.assertEquals(len(ldb_res), 1) + user_dn = ldb_res[0]["dn"] + self.addCleanup(delete_force, self.ldb, user_dn) + + creds_user4.set_username(self.username) + creds_user4.set_password(self.password) + creds_user4.set_domain('') + creds_user4.set_workstation('') + print "BindTest (no domain) with: " + self.username + try: + ldb_user4 = samba.tests.connect_samdb(host, credentials=creds_user4, + lp=lp, ldap_only=True) + except: + self.fail("Failed to connect without the domain set") + + res = ldb_user4.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) TestProgram(module=__name__, opts=subunitopts) diff --git a/libcli/security/session.c b/libcli/security/session.c index 0fbb87d..f17e884 100644 --- a/libcli/security/session.c +++ b/libcli/security/session.c @@ -26,6 +26,9 @@ enum security_user_level security_session_user_level(struct auth_session_info *session_info, const struct dom_sid *domain_sid) { + bool authenticated = false; + bool guest = false; + if (!session_info) { return SECURITY_ANONYMOUS; } @@ -38,8 +41,13 @@ enum security_user_level security_session_user_level(struct auth_session_info *s return SECURITY_ANONYMOUS; } - if (security_token_has_builtin_guests(session_info->security_token)) { - return SECURITY_GUEST; + authenticated = security_token_has_nt_authenticated_users(session_info->security_token); + guest = security_token_has_builtin_guests(session_info->security_token); + if (!authenticated) { + if (guest) { + return SECURITY_GUEST; + } + return SECURITY_ANONYMOUS; } if (security_token_has_builtin_administrators(session_info->security_token)) { @@ -60,9 +68,5 @@ enum security_user_level security_session_user_level(struct auth_session_info *s return SECURITY_DOMAIN_CONTROLLER; } - if (security_token_has_nt_authenticated_users(session_info->security_token)) { - return SECURITY_USER; - } - - return SECURITY_ANONYMOUS; + return SECURITY_USER; } diff --git a/python/samba/tests/py_credentials.py b/python/samba/tests/py_credentials.py index ff017ec..2f5a7d6 100644 --- a/python/samba/tests/py_credentials.py +++ b/python/samba/tests/py_credentials.py @@ -129,6 +129,33 @@ class PyCredentialsTests(TestCase): else: raise + def test_SamLogonEx_no_domain(self): + c = self.get_netlogon_connection() + + self.user_creds.set_domain('') + + logon = samlogon_logon_info(self.domain, + self.machine_name, + self.user_creds) + + logon_level = netlogon.NetlogonNetworkTransitiveInformation + validation_level = netlogon.NetlogonValidationSamInfo4 + netr_flags = 0 + + try: + c.netr_LogonSamLogonEx(self.server, + self.user_creds.get_workstation(), + logon_level, + logon, + validation_level, + netr_flags) + except NTSTATUSError as e: + enum = ctypes.c_uint32(e[0]).value + if enum == ntstatus.NT_STATUS_WRONG_PASSWORD: + self.fail("got wrong password error") + else: + self.fail("got unexpected error" + str(e)) + def test_SamLogonExNTLM(self): c = self.get_netlogon_connection() diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 0fa95d9..a2d95a7 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -81,7 +81,7 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, break; } - return make_server_info_guest(NULL, server_info); + return make_server_info_anonymous(NULL, server_info); } /* Guest modules initialisation */ diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index fd629fd..2e345e1 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -65,10 +65,7 @@ NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context, cmp = dom_sid_compare(sid, &global_sid_Anonymous); if (cmp == 0) { - /* - * TODO: use auth_anonymous_session_info() here? - */ - return make_session_info_guest(mem_ctx, session_info); + return make_session_info_anonymous(mem_ctx, session_info); } return NT_STATUS_INTERNAL_ERROR; diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1021f2a..a1dde2c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -36,6 +36,7 @@ #include "../librpc/gen_ndr/idmap.h" #include "lib/param/loadparm.h" #include "../lib/tsocket/tsocket.h" +#include "source4/auth/auth.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -499,6 +500,26 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return NT_STATUS_LOGON_FAILURE; } + if (server_info->cached_session_info != NULL) { + session_info = copy_session_info(mem_ctx, + server_info->cached_session_info); + if (session_info == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* This is a potentially untrusted username for use in %U */ + alpha_strcpy(tmp, smb_username, ". _-$", sizeof(tmp)); + session_info->unix_info->sanitized_username = + talloc_strdup(session_info->unix_info, tmp); + if (session_info->unix_info->sanitized_username == NULL) { + TALLOC_FREE(session_info); + return NT_STATUS_NO_MEMORY; + } + + *session_info_out = session_info; + return NT_STATUS_OK; + } + session_info = talloc_zero(mem_ctx, struct auth_session_info); if (!session_info) { return NT_STATUS_NO_MEMORY; @@ -553,30 +574,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return status; } - if (server_info->security_token) { - /* Just copy the token, it has already been finalised - * (nasty hack to support a cached guest/system session_info - */ - - session_info->security_token = dup_nt_token(session_info, server_info->security_token); - if (!session_info->security_token) { - TALLOC_FREE(session_info); - return NT_STATUS_NO_MEMORY; - } - - session_info->unix_token->ngroups = server_info->utok.ngroups; - if (server_info->utok.ngroups != 0) { - session_info->unix_token->groups = (gid_t *)talloc_memdup( - session_info->unix_token, server_info->utok.groups, - sizeof(gid_t)*session_info->unix_token->ngroups); - } else { - session_info->unix_token->groups = NULL; - } - - *session_info_out = session_info; - return NT_STATUS_OK; - } - /* * If winbind is not around, we can not make much use of the SIDs the * domain controller provided us with. Likewise if the user name was @@ -660,7 +657,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, */ uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid); + add_sid_to_array_unique(session_info->security_token, &tmp_sid, + &session_info->security_token->sids, + &session_info->security_token->num_sids); + gid_to_unix_groups_sid(session_info->unix_token->gid, &tmp_sid); add_sid_to_array_unique(session_info->security_token, &tmp_sid, &session_info->security_token->sids, &session_info->security_token->num_sids); @@ -688,6 +689,558 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc, + uid_t uid, + gid_t gid, + uint32_t flags) +{ + uint32_t orig_num_sids = user_info_dc->num_sids; + struct dom_sid tmp_sid = { 0, }; + NTSTATUS status; + + /* + * We add S-5-88-1-X in order to pass the uid + * for the unix token. + */ + sid_compose(&tmp_sid, + &global_sid_Unix_NFS_Users, + (uint32_t)uid); + status = add_sid_to_array_unique(user_info_dc->sids, + &tmp_sid, + &user_info_dc->sids, + &user_info_dc->num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("add_sid_to_array_unique failed: %s\n", + nt_errstr(status))); + goto fail; + } + + /* + * We add S-5-88-2-X in order to pass the gid + * for the unix token. + */ + sid_compose(&tmp_sid, + &global_sid_Unix_NFS_Groups, + (uint32_t)gid); + status = add_sid_to_array_unique(user_info_dc->sids, + &tmp_sid, + &user_info_dc->sids, + &user_info_dc->num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("add_sid_to_array_unique failed: %s\n", + nt_errstr(status))); + goto fail; + } + + /* + * We add S-5-88-3-X in order to pass some flags + * (AUTH3_UNIX_HINT_*) to auth3_create_session_info(). + */ + sid_compose(&tmp_sid, + &global_sid_Unix_NFS_Mode, + flags); + status = add_sid_to_array_unique(user_info_dc->sids, + &tmp_sid, + &user_info_dc->sids, + &user_info_dc->num_sids); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("add_sid_to_array_unique failed: %s\n", + nt_errstr(status))); + goto fail; + } + + return NT_STATUS_OK; + +fail: + user_info_dc->num_sids = orig_num_sids; + return status; +} + +NTSTATUS auth3_session_info_create(TALLOC_CTX *mem_ctx, + const struct auth_user_info_dc *user_info_dc, + const char *original_user_name, + uint32_t session_info_flags, + struct auth_session_info **session_info_out) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct auth_session_info *session_info = NULL; + uid_t hint_uid = -1; + bool found_hint_uid = false; + uid_t hint_gid = -1; + bool found_hint_gid = false; + uint32_t hint_flags = 0; + bool found_hint_flags = false; + bool need_getpwuid = false; + struct unixid *ids = NULL; + uint32_t num_gids = 0; + gid_t *gids = NULL; + struct dom_sid tmp_sid = { 0, }; + fstring tmp = { 0, }; + NTSTATUS status; + size_t i; + bool ok; + + *session_info_out = NULL; + + if (user_info_dc->num_sids == 0) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + if (user_info_dc->info == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + if (user_info_dc->info->account_name == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + + session_info = talloc_zero(mem_ctx, struct auth_session_info); + if (session_info == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + /* keep this under frame for easier cleanup */ + talloc_reparent(mem_ctx, frame, session_info); + + session_info->info = auth_user_info_copy(session_info, + user_info_dc->info); + if (session_info->info == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + session_info->security_token = talloc_zero(session_info, + struct security_token); + if (session_info->security_token == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + /* + * Avoid a lot of reallocations and allocate what we'll + * use in most cases. + */ + session_info->security_token->sids = talloc_zero_array( + session_info->security_token, + struct dom_sid, + user_info_dc->num_sids); + if (session_info->security_token->sids == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + for (i = PRIMARY_USER_SID_INDEX; i < user_info_dc->num_sids; i++) { + struct security_token *nt_token = session_info->security_token; + int cmp; + + /* + * S-1-5-88-X-Y sids are only used to give hints + * to the unix token construction. + * + * S-1-5-88-1-Y gives the uid=Y + * S-1-5-88-2-Y gives the gid=Y + * S-1-5-88-3-Y gives flags=Y: AUTH3_UNIX_HINT_* + */ + cmp = dom_sid_compare_domain(&global_sid_Unix_NFS, + &user_info_dc->sids[i]); + if (cmp == 0) { + bool match; + uint32_t hint = 0; + + match = sid_peek_rid(&user_info_dc->sids[i], &hint); + if (!match) { + continue; + } + + match = dom_sid_in_domain(&global_sid_Unix_NFS_Users, + &user_info_dc->sids[i]); + if (match) { + if (found_hint_uid) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + found_hint_uid = true; + hint_uid = (uid_t)hint; + continue; + } + + match = dom_sid_in_domain(&global_sid_Unix_NFS_Groups, + &user_info_dc->sids[i]); + if (match) { + if (found_hint_gid) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_TOKEN; + } + found_hint_gid = true; + hint_gid = (gid_t)hint; + continue; + } -- Samba Shared Repository