The branch, v4-10-test has been updated
via dda1c48a47c py/provision: fix for Python 2.6
via bdf59b416d2 s3-libnet_join: allow fallback to NTLMSSP auth in libnet_join
via f85efe206f9 s3-libnet_join: setup libnet join error string when AD connect fails
via 05709dbaf2d s3-libnet_join: always pass down admin domain to ads layer
via 837a141a4d9 s3:ldap: Leave add machine code early for pre-existing accounts
via 78f308084f5 s3:libads: Make sure we can lookup KDCs which are not configured
via bd573b37c60 s3:libnet: Use more secure name for the JOIN krb5.conf
via 936594d66b7 auth:creds: Prefer the principal over DOMAIN/username when using NTLM
via 0b00c7a2d0a auth:ntlmssp: Add back CRAP ndr debug output
via 2e96408eac8 s3:libnet: Fix debug message in libnet_DomainJoin()
via 461090e0a12 s3:libsmb: Add some useful debug output to cliconnect
via ada3417c5cb s3:libads: Print more information when LDAP fails
via 54571d3325f docs: Update smbclient manpage for --max-protocol
from cf323d769f0 VERSION: Bump version up to 4.10.3.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-test
- Log -----------------------------------------------------------------
commit dda1c48a47cd6a26757c8839dbbc4bbeb25d65a0
Author: Douglas Bagnall <[email protected]>
Date: Thu Apr 4 10:43:30 2019 +1300
py/provision: fix for Python 2.6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13882
Signed-off-by: Douglas Bagnall <[email protected]>
Autobuild-User(v4-10-test): Karolin Seeger <[email protected]>
Autobuild-Date(v4-10-test): Wed Apr 10 14:21:16 UTC 2019 on sn-devel-144
commit bdf59b416d224ef91696e98ac17348a8a6a5a5cd
Author: Günther Deschner <[email protected]>
Date: Tue Apr 2 13:16:55 2019 +0200
s3-libnet_join: allow fallback to NTLMSSP auth in libnet_join
When a non-DNS and non-default admin domain is provided during the join,
sometimes we might not be able to kinit with 'user@SHORTDOMAINNAME'
(e.g. when the winbind krb5 locator is not installed). In that case, let's
fall back to NTLMSSP, like we do in winbind.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Autobuild-User(master): Andreas Schneider <[email protected]>
Autobuild-Date(master): Wed Apr 3 18:57:31 UTC 2019 on sn-devel-144
(cherry picked from commit 377d27359ccdb8f2680fda36ca388f44456590e5)
commit f85efe206f9b192a7365ec7ada5e17c7c8655f49
Author: Günther Deschner <[email protected]>
Date: Tue Apr 2 13:16:11 2019 +0200
s3-libnet_join: setup libnet join error string when AD connect fails
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 68121f46c74df9cef7a377040d01ba75cdcf5a26)
commit 05709dbaf2d80f4c2d8a8931655e63b20e216c2a
Author: Günther Deschner <[email protected]>
Date: Tue Apr 2 13:14:06 2019 +0200
s3-libnet_join: always pass down admin domain to ads layer
Otherwise we could lose the information that a non-default domain name
has been used for admin creds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit ea29aa27cbac4253ee1701fed99a3e0811f7475d)
commit 837a141a4d9cebfe0ce29bf3673333ca622fcd24
Author: Guenther Deschner <[email protected]>
Date: Mon Apr 1 17:40:03 2019 +0200
s3:ldap: Leave add machine code early for pre-existing accounts
This avoids numerous LDAP constraint violation errors when we try to
re-precreate an already existing machine account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Andreas Schneider <[email protected]>
Signed-off-by: Guenther Deschner <[email protected]>
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68)
commit 78f308084f5d762be88374adf784c0ac6d0ad847
Author: Andreas Schneider <[email protected]>
Date: Mon Apr 1 16:47:26 2019 +0200
s3:libads: Make sure we can lookup KDCs which are not configured
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Guenther Deschner <[email protected]>
Signed-off-by: Guenther Deschner <[email protected]>
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6)
commit bd573b37c606ae12e34992431e745329cee3e1f2
Author: Andreas Schneider <[email protected]>
Date: Mon Apr 1 16:39:45 2019 +0200
s3:libnet: Use more secure name for the JOIN krb5.conf
Currently we create krb5.conf..JOIN, use krb5.conf._JOIN_ instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit b7f0c64514a28cfb5d2cdee683c18943b97ea753)
commit 936594d66b75c71ec61c11b4e4484a74a5a694d7
Author: Andreas Schneider <[email protected]>
Date: Mon Apr 1 15:59:10 2019 +0200
auth:creds: Prefer the principal over DOMAIN/username when using NTLM
If we want to authenticate using -Wadmin@otherdomain, the DC should
take care of the authentication with the right DC for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Guenther Deschner <[email protected]>
Signed-off-by: Guenther Deschner <[email protected]>
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3)
commit 0b00c7a2d0aa4607bc871f7daad23f7d3b9125f0
Author: Guenther Deschner <[email protected]>
Date: Wed Mar 27 17:51:04 2019 +0100
auth:ntlmssp: Add back CRAP ndr debug output
This got lost somehow during refactoring. This is still viable
information when trying to figure out what is going wrong when
authenticating a user over NTLMSSP.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7)
commit 2e96408eac8e5e9d8420b3dc0c603fa7109519bd
Author: Guenther Deschner <[email protected]>
Date: Mon Apr 1 17:46:39 2019 +0200
s3:libnet: Fix debug message in libnet_DomainJoin()
A newline is missing; also use the DBG_INFO macro and clean up spelling.
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit 3a33c360071bb7cada58f1f71ccd8949fda70662)
commit 461090e0a12b0f9849d19da7b76f214fe044cfdf
Author: Andreas Schneider <[email protected]>
Date: Wed Mar 27 16:45:39 2019 +0100
s3:libsmb: Add some useful debug output to cliconnect
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit 011a47f04dabe22095a30d284662d8ca50463ee8)
commit ada3417c5cb3b40f47ca963c8d7844f9fadc81f0
Author: Andreas Schneider <[email protected]>
Date: Fri Mar 29 11:34:53 2019 +0100
s3:libads: Print more information when LDAP fails
Currently we just get an error but don't know what exactly we tried to
do in 'net ads join -d10'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5)
commit 54571d3325fbdf4eff5f2f5d8c38bfd929f48b19
Author: Andreas Schneider <[email protected]>
Date: Fri Mar 22 14:39:11 2019 +0100
docs: Update smbclient manpage for --max-protocol
We default to SMB3 now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13857
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit 63084375e3c536f22f65e7b7796d114fa8c804c9)
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials.c | 2 +-
auth/ntlmssp/ntlmssp_client.c | 32 ++++++++++++++++++++++++++++++++
docs-xml/manpages/smbclient.1.xml | 6 +++---
python/samba/provision/__init__.py | 2 +-
source3/libads/kerberos.c | 12 ++++++++++--
source3/libads/ldap.c | 22 +++++++++++++++++++---
source3/libnet/libnet_join.c | 29 ++++++++++++++++++++++++-----
source3/libsmb/cliconnect.c | 13 +++++++++++++
8 files changed, 103 insertions(+), 15 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 4663185c979..7ef58d0752c 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -1115,7 +1115,7 @@ _PUBLIC_ void
cli_credentials_get_ntlm_username_domain(struct cli_credentials *c
const char **username,
const char **domain)
{
- if (cred->principal_obtained > cred->username_obtained) {
+ if (cred->principal_obtained >= cred->username_obtained) {
*domain = talloc_strdup(mem_ctx, "");
*username = cli_credentials_get_principal(cred, mem_ctx);
} else {
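Review bot: changing `>` to `>=` flips the tie-break when `principal_obtained` and `username_obtained` are equal, so a principal obtained at the same level as the username now wins and `*domain` becomes the empty string. Please add a comment on the condition stating that the principal is deliberately preferred on a tie and why (the -Wadmin@otherdomain case from the commit message); otherwise the next reader will see the `>=` as an off-by-one. Callers of this function that rely on a non-empty `*domain` for NTLM should be checked as well.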
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index ab406a2c5be..8e49dcee5ea 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -342,6 +342,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security
*gensec_security,
}
}
+ if (DEBUGLEVEL >= 10) {
+ struct CHALLENGE_MESSAGE *challenge =
+ talloc(ntlmssp_state, struct CHALLENGE_MESSAGE);
+ if (challenge != NULL) {
+ NTSTATUS status;
+ challenge->NegotiateFlags = chal_flags;
+ status = ntlmssp_pull_CHALLENGE_MESSAGE(
+ &in, challenge, challenge);
+ if (NT_STATUS_IS_OK(status)) {
+ NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
+ challenge);
+ }
+ TALLOC_FREE(challenge);
+ }
+ }
+
if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
ntlmssp_state->server.is_standalone = true;
} else {
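Review bot: the `ntlmssp_pull_CHALLENGE_MESSAGE` failure path in this hunk is silent; since the block exists precisely to diagnose broken NTLMSSP exchanges, a `DBG_DEBUG` with `nt_errstr(status)` on the non-OK branch would tell the reader that the challenge could not even be parsed. `challenge` is also only partially initialised before the pull (`NegotiateFlags` only), which is fine as long as the pull routine sets every field, but `talloc_zero` would be the safer choice.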
@@ -702,6 +718,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security
*gensec_security,
return nt_status;
}
+ if (DEBUGLEVEL >= 10) {
+ struct AUTHENTICATE_MESSAGE *authenticate =
+ talloc(ntlmssp_state, struct AUTHENTICATE_MESSAGE);
+ if (authenticate != NULL) {
+ NTSTATUS status;
+ authenticate->NegotiateFlags = ntlmssp_state->neg_flags;
+ status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
+ out, authenticate, authenticate);
+ if (NT_STATUS_IS_OK(status)) {
+ NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
+ authenticate);
+ }
+ TALLOC_FREE(authenticate);
+ }
+ }
+
/*
* We always include the MIC, even without:
* av_flags->Value.AvFlags |=
NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE;
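Review bot: the decoded AUTHENTICATE_MESSAGE printed here carries the NT challenge response and, when key exchange is negotiated, the encrypted session key, so a level-10 log now contains the client's challenge/response pair next to the server challenge printed by the previous hunk. That is acceptable for `-d10` troubleshooting, but the commit message or a comment on this block should state that such logs are credential-sensitive and must be handled (and shared with support) accordingly. The two blocks are also copy-paste duplicates; a small static helper taking the message type would keep them from drifting apart.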
diff --git a/docs-xml/manpages/smbclient.1.xml
b/docs-xml/manpages/smbclient.1.xml
index e71a21a95e3..e25f7d3517b 100644
--- a/docs-xml/manpages/smbclient.1.xml
+++ b/docs-xml/manpages/smbclient.1.xml
@@ -261,9 +261,9 @@
<listitem><para>This allows the user to select the
highest SMB protocol level that smbclient will use to
connect to the server. By default this is set to
- NT1, which is the highest available SMB1 protocol.
- To connect using SMB2 or SMB3 protocol, use the
- strings SMB2 or SMB3 respectively. Note that to connect
+ highest available SMB3 protocol version.
+ To connect using SMB2 or SMB1 protocol, use the
+ strings SMB2 or NT1 respectively. Note that to connect
to a Windows 2012 server with encrypted transport selecting
a max-protocol of SMB3 is required.
</para></listitem>
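Review bot: the replacement sentence reads "By default this is set to highest available SMB3 protocol version" and is missing the article: "set to the highest available SMB3 protocol version". With SMB3 now the default, the following sentence ("to connect to a Windows 2012 server with encrypted transport selecting a max-protocol of SMB3 is required") reads as a leftover; consider rewording it to say that lowering max-protocol below SMB3 disables encrypted transport.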
diff --git a/python/samba/provision/__init__.py
b/python/samba/provision/__init__.py
index 1b7762eb12b..aa9ffc168b2 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1701,7 +1701,7 @@ def setsysvolacl(samdb, netlogon, sysvol, uid, gid,
domainsid, dnsdomain,
# use admin sid dn as user dn, since admin should own most of the files,
# the operation will be much faster
- userdn = '<SID={}-{}>'.format(domainsid, security.DOMAIN_RID_ADMINISTRATOR)
+ userdn = '<SID={0}-{1}>'.format(domainsid,
security.DOMAIN_RID_ADMINISTRATOR)
flags = (auth.AUTH_SESSION_INFO_DEFAULT_GROUPS |
auth.AUTH_SESSION_INFO_AUTHENTICATED |
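Review bot: the switch from `{}` to `{0}-{1}` is the actual Python 2.6 fix (auto-numbered format fields need 2.7+), but nothing in the code says so; a one-line comment such as `# explicit field indices: Python 2.6 has no auto-numbering` would stop a future cleanup from reverting it to the shorter form.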
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index c8aa9191c7e..721c3c2a929 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -677,11 +677,19 @@ bool create_local_private_krb5_conf_for_domain(const char
*realm,
}
#endif
+ /*
+ * We are setting 'dns_lookup_kdc' to true, because we want to lookup
+ * KDCs which are not configured via DNS SRV records, eg. if we do:
+ *
+ * net ads join -Uadmin@otherdomain
+ */
file_contents =
talloc_asprintf(fname,
- "[libdefaults]\n\tdefault_realm = %s\n"
+ "[libdefaults]\n"
+ "\tdefault_realm = %s\n"
"%s"
- "\tdns_lookup_realm = false\n\n"
+ "\tdns_lookup_realm = false\n"
+ "\tdns_lookup_kdc = true\n\n"
"[realms]\n\t%s = {\n"
"%s\t}\n"
"%s\n",
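Review bot: the new comment states the opposite of what the setting does. `dns_lookup_kdc = true` tells the krb5 library to find KDCs via DNS SRV records for realms that are not listed in the `[realms]` section of this generated file (the `-Uadmin@otherdomain` case), so "KDCs which are not configured via DNS SRV records" should read "KDCs which are not configured in this file, by querying DNS SRV records". It is also worth recording in the comment that KDC discovery for the foreign realm now depends entirely on DNS rather than on explicit configuration, since that is a security-relevant property of the join-time krb5.conf.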
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 6b5f271272a..112100b0536 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1521,8 +1521,10 @@ static void ads_print_error(int ret, LDAP *ld)
if (ret != 0) {
char *ld_error = NULL;
ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
- DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret,
- ldap_err2string(ret), ld_error));
+ DBG_ERR("AD LDAP ERROR: %d (%s): %s\n",
+ ret,
+ ldap_err2string(ret),
+ ld_error);
SAFE_FREE(ld_error);
}
}
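Review bot: promoting this from `DEBUG(10, ...)` to `DBG_ERR` means every LDAP failure passed to `ads_print_error` now logs at level 0, including failures that callers treat as expected control flow (for example the `LDAP_ALREADY_EXISTS` that `ads_create_machine_acct` now short-circuits on, or a not-found result during a lookup); consider `DBG_WARNING`, or let the caller decide the level, so production logs are not filled with non-errors. `ld_error` can also be NULL when the server supplied no diagnostic string, so guard the `%s` with `ld_error ? ld_error : ""`.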
@@ -1549,6 +1551,8 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char
*mod_dn, ADS_MODLIST mods)
(char) 1};
LDAPControl *controls[2];
+ DBG_INFO("AD LDAP: Modifying %s\n", mod_dn);
+
controls[0] = &PermitModify;
controls[1] = NULL;
@@ -1580,6 +1584,8 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char
*new_dn, ADS_MODLIST mods)
char *utf8_dn = NULL;
size_t converted_size;
+ DBG_INFO("AD LDAP: Adding %s\n", new_dn);
+
if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size))
{
DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!"));
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
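Review bot: the context line `DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!"));` directly below the new `DBG_INFO` lacks a trailing `\n`, which is the same class of defect the `libnet_DomainJoin()` commit in this series fixes; since the lines right above it are being touched, fix it in passing.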
@@ -1612,6 +1618,8 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
+ DBG_INFO("AD LDAP: Deleting %s\n", del_dn);
+
ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
ads_print_error(ret, ads->ldap.ld);
TALLOC_FREE(utf8_dn);
@@ -2112,6 +2120,15 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
goto done;
}
+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
+ ads_msgfree(ads, res);
+ if (ADS_ERR_OK(ret)) {
+ DBG_DEBUG("Host account for %s already exists.\n",
+ machine_escaped);
+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
+ goto done;
+ }
+
new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
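Review bot: `ads_msgfree(ads, res)` is called unconditionally right after `ads_find_machine_acct`, so `res` must be initialised to NULL before this point and `ads_find_machine_acct` must leave it untouched on failure; please confirm both, since the `done:` label no longer frees it. The early exit also changes semantics: the function now reports `LDAP_ALREADY_EXISTS` itself instead of letting the server's add fail with a constraint violation, and the status of a failed lookup is discarded silently. A `DBG_DEBUG` with `ads_errstr(ret)` on the non-OK path would support the `-d10` diagnosis this series is about.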
@@ -2147,7 +2164,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
done:
SAFE_FREE(machine_escaped);
- ads_msgfree(ads, res);
talloc_destroy(ctx);
return ret;
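Review bot: with `ads_msgfree` removed from `done:`, any remaining assignment to `res` in this function between the new early-exit check and the label would now leak; a quick check of the function body for `&res` should confirm that the new `ads_find_machine_acct` call is its only user.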
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 27fc5135442..b876d7ea89f 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -145,6 +145,8 @@ static ADS_STATUS libnet_connect_ads(const char
*dns_domain_name,
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+
if (user_name) {
SAFE_FREE(my_ads->auth.user_name);
my_ads->auth.user_name = SMB_STRDUP(user_name);
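Review bot: `ADS_AUTH_ALLOW_NTLMSSP` is set unconditionally for every `libnet_connect_ads` caller, not only for the non-default-admin-domain case the commit message describes, so a join whose kinit fails for any reason (clock skew, unreachable KDC) will quietly retry over NTLM with the admin password instead of surfacing the Kerberos problem. At minimum the fallback should be logged at `DBG_WARNING` level when it is taken, and ideally gated on the condition from the commit message, so that sites that have disabled NTLM domain-wide see a clear Kerberos failure rather than an opaque NTLM rejection.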
@@ -205,7 +207,19 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX
*mem_ctx,
password = r->in.machine_password;
ccname = "MEMORY:libnet_join_machine_creds";
} else {
+ char *p = NULL;
+
username = r->in.admin_account;
+
+ p = strchr(r->in.admin_account, '@');
+ if (p == NULL) {
+ username = talloc_asprintf(mem_ctx, "%s@%s",
+ r->in.admin_account,
+ r->in.admin_domain);
+ }
+ if (username == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
password = r->in.admin_password;
/*
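Review bot: when `r->in.admin_account` contains no `@`, the principal is built from `r->in.admin_domain`, but nothing here checks that `admin_domain` is non-NULL; a NULL would either crash or yield `admin@(null)`. Add a check such as `if (r->in.admin_domain == NULL) { return ADS_ERROR(LDAP_PARAM_ERROR); }` (or fall back to the target domain) before the `talloc_asprintf`. `p` is only used for the NULL test, so `if (strchr(r->in.admin_account, '@') == NULL)` reads more directly, and the `username == NULL` check is only meaningful on the allocation path, so it belongs inside that block.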
@@ -2598,12 +2612,14 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
}
/* The domain parameter is only used as modifier
- * to krb5.conf file name. .JOIN is is not a valid
+ * to krb5.conf file name. _JOIN_ is is not a valid
* NetBIOS name so it cannot clash with another domain
* -- Uri.
*/
- create_local_private_krb5_conf_for_domain(
- pre_connect_realm, ".JOIN", sitename, &ss);
+ create_local_private_krb5_conf_for_domain(pre_connect_realm,
+ "_JOIN_",
+ sitename,
+ &ss);
}
status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
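Review bot: the rewritten comment still carries the doubled "is is" (`_JOIN_ is is not a valid NetBIOS name`), an easy fix while these lines are being touched. The commit subject calls `_JOIN_` the "more secure" name, but neither the commit message nor the comment says what was wrong with `.JOIN` beyond the NetBIOS-name argument that applies to both; please record the actual reason in the comment so the choice is not reverted later.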
@@ -2641,6 +2657,9 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
ads_status = libnet_join_connect_ads_user(mem_ctx, r);
if (!ADS_ERR_OK(ads_status)) {
+ libnet_join_set_error_string(mem_ctx, r,
+ "failed to connect to AD: %s",
+ ads_errstr(ads_status));
return WERR_NERR_DEFAULTJOINREQUIRED;
}
@@ -2664,8 +2683,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
return WERR_NERR_DEFAULTJOINREQUIRED;
}
- DEBUG(5, ("failed to precreate account in ou %s: %s",
- r->in.account_ou, ads_errstr(ads_status)));
+ DBG_INFO("Failed to pre-create account in OU %s: %s\n",
+ r->in.account_ou, ads_errstr(ads_status));
}
rpc_join:
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 0a54d47227a..c416d10fa24 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -346,6 +346,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state
*cli,
return NT_STATUS_OK;
}
+ DBG_INFO("Doing kinit for %s to access %s\n",
+ user_principal, target_hostname);
/*
* TODO: This should be done within the gensec layer
@@ -375,6 +377,11 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state
*cli,
*/
}
+ DBG_DEBUG("Successfully authenticated as %s to access %s using "
+ "Kerberos\n",
+ user_principal,
+ target_hostname);
+
TALLOC_FREE(frame);
return NT_STATUS_OK;
}
@@ -1294,6 +1301,10 @@ static struct tevent_req *cli_session_setup_spnego_send(
return tevent_req_post(req, ev);
}
+ DBG_INFO("Connect to %s as %s using SPNEGO\n",
+ target_hostname,
+ cli_credentials_get_principal(creds, talloc_tos()));
+
subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
target_service, target_hostname);
if (tevent_req_nomem(subreq, req)) {
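Review bot: `cli_credentials_get_principal(creds, talloc_tos())` allocates on the top talloc stack frame inside an async `_send` function; unless this function pushes its own `talloc_stackframe()`, the string lives until some caller pops theirs, so either use `state` as the context or free the result explicitly. The function can also return NULL when no principal can be derived, which would hand a NULL to `%s`; guard it, or log the username and domain pair instead as the NTLM hunk below does.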
@@ -1497,6 +1508,8 @@ struct tevent_req
*cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
+ DBG_INFO("Connect to %s as %s using NTLM\n", domain, username);
+
if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
bool use_unicode = smbXcli_conn_use_unicode(cli->conn);
uint8_t *bytes = NULL;
--
Samba Shared Repository