The branch, v4-16-test has been updated
       via  41054b61231 s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()
       via  507ececf03d s4-kdc: Handle previously unhandled auth event types
       via  9272ec1a245 s3:libads: Fix creating local krb5.conf
       via  abe01ca6b21 s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string()
       via  3c5d0c379d7 s3:libads: Remove obsolete free's of kdc_str
       via  3c98408be7d s3:libads: Allocate all memory on the talloc stackframe
       via  cfbd47d7b48 s3:libads: Use talloc_asprintf_append() in get_kdc_ip_string()
       via  cce13c772f1 s3:libads: Improve debug messages for get_kdc_ip_string()
       via  2599f5313bd s3:libads: Leave early on error in get_kdc_ip_string()
       via  c20ca210fb8 s3:libads: Remove trailing spaces in kerberos.c
       via  dd6c50b82ee testprogs: Add test that local krb5.conf has been created
       via  34771e19315 s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()
      from  bf8f8c592b0 s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test


- Log -----------------------------------------------------------------
commit 41054b612311e624fa6a673808118fc319e758d8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Mar 16 09:21:03 2022 +0100

    s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()

    Otherwise useful information gets lost while converting from NTSTATUS
    to krb5_error and back to NTSTATUS again.

    E.g. NT_STATUS_ACCOUNT_DISABLED would be audited as
    NT_STATUS_ACCOUNT_LOCKED_OUT.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 5294dc80090482d5669126802672eb2c89e269cf)

    Autobuild-User(v4-16-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-16-test): Thu Mar 17 10:12:38 UTC 2022 on sn-devel-184

commit 507ececf03d8644b93a9ea953f6ab1c4aefb8e47
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Mar 15 15:34:34 2022 +1300

    s4-kdc: Handle previously unhandled auth event types

    Cases to handle KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY and
    KDC_AUTH_EVENT_PREAUTH_SUCCEEDED were removed in:

    commit 791be84c3eecb95e03611458e2305bae272ba267
    Author: Stefan Metzmacher <me...@samba.org>
    Date:   Wed Mar 2 10:10:08 2022 +1300

        s4:kdc: hdb_samba4_audit() is only called once per request

    Normally these auth event types are overwritten with the
    KDC_AUTH_EVENT_CLIENT_AUTHORIZED event type, but if a client passes
    the pre-authentication check, and happens to fail the client access
    check (e.g. because the account is disabled), we get error messages
    of the form:

    hdb_samba4_audit: Unhandled hdb_auth_status=9 => INTERNAL_ERROR

    To avoid such errors, use the error code provided in the request
    structure to obtain a relevant status code in cases not handled
    explicitly.

    For unexpected values we return KRB5KRB_ERR_GENERIC in order to
    hopefully prevent success. And within make test we panic in order to
    let a CI run fail.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit b01388da8a72c11c46bb27e773b354520bc6ac88)

commit 9272ec1a2452ecea60b894f649c18d870cf9e2aa
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Mar 15 13:10:06 2022 +0100

    s3:libads: Fix creating local krb5.conf

    We create a KDC IP string entry directly at the beginning, use it if
    we don't have any additional DCs.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

    Autobuild-User(master): Günther Deschner <g...@samba.org>
    Autobuild-Date(master): Wed Mar 16 14:26:36 UTC 2022 on sn-devel-184

    (cherry picked from commit 68d181ee676e17a5cdcfc12c5cc7eef242fdfa6c)

commit abe01ca6b215e51dea8328869731d88956bfb2dc
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Mar 15 13:02:05 2022 +0100

    s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 12c843ad0a97fcbaaea738b82941533e5d2aec99)

commit 3c5d0c379d7882d8c3c45a0dde53a68c7ec8a2a7
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Mar 15 12:57:18 2022 +0100

    s3:libads: Remove obsolete free's of kdc_str

    This is allocated on the stackframe now!

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit cca189d0934790418e27d9d01282370b1e6a057f)

commit 3c98408be7ddfe1d3df45b4790746eb608c2b98d
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Mar 15 12:56:58 2022 +0100

    s3:libads: Allocate all memory on the talloc stackframe

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 652c8ce1672dfead00c7af6af22e3bb3927764ec)

commit cfbd47d7b48896847cd43da58167cd6afcbef31e
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Mar 15 12:48:23 2022 +0100

    s3:libads: Use talloc_asprintf_append() in get_kdc_ip_string()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 812032833aa65729dbbfd4313a6e3fe072c88530)

commit cce13c772f1db5a03e43f083819c458a4a8844c8
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Mar 15 12:10:47 2022 +0100

    s3:libads: Improve debug messages for get_kdc_ip_string()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 7f721dc2eee0064a1ddd480fcaf77bf1659c7a26)

commit 2599f5313bd86b9821ba38dd0b9679b5aaa50acc
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Mar 15 12:04:34 2022 +0100

    s3:libads: Leave early on error in get_kdc_ip_string()

    This avoids useless allocations.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 313f03c78487ae49747b8143220ecbfe8ad9310a)

commit c20ca210fb8cb123501cfa9ead0fbb2dd29acdf0
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Mar 15 12:03:40 2022 +0100

    s3:libads: Remove trailing spaces in kerberos.c

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 567b1996796e5d3cf572653f38817d832fa135ca)

commit dd6c50b82ee7e1ffc4f4a481543b4888df37b89c
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Mar 15 16:53:02 2022 +0100

    testprogs: Add test that local krb5.conf has been created

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit d2ac90cdd5672330ed9c323fc474f8ba62750a6f)

commit 34771e1931587807d0395c7ac7f4be18654997f4
Author: Elia Geretto <elia.f.gere...@gmail.com>
Date:   Fri Mar 11 19:32:30 2022 +0100

    s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()

    In SMBC_server_internal(), when authentication fails, the errno value
    is currently hard-coded to EPERM, while it should be EACCES instead.
    Use the NT_STATUS map to set the appropriate value.

    This bug was found because it breaks listing printers protected by
    authentication in GNOME Control Panel.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14983

    Signed-off-by: Elia Geretto <elia.f.gere...@gmail.com>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Wed Mar 16 19:44:18 UTC 2022 on sn-devel-184

    (cherry picked from commit 70b9977a46e5242174b4461a7f49d5f640c1db62)

-----------------------------------------------------------------------

Summary of changes:
 source3/libads/kerberos.c          | 80 +++++++++++++++++++++-----------------
 source3/libsmb/libsmb_server.c     |  2 +-
 source4/kdc/hdb-samba4.c           | 47 ++++++++++++++++++++++
 source4/kdc/pac-glue.c             |  1 +
 source4/kdc/samba_kdc.h            |  1 +
 testprogs/blackbox/test_net_ads.sh |  6 +++
 6 files changed, 100 insertions(+), 37 deletions(-)


Changeset truncated at 500 lines:
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 75beeef4a44..3fd86e87064 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. kerberos utility library Copyright (C) Andrew Tridgell 2001 @@ -37,11 +37,11 @@ #define LIBADS_CCACHE_NAME "MEMORY:libads" /* - we use a prompter to avoid a crash bug in the kerberos libs when + we use a prompter to avoid a crash bug in the kerberos libs when dealing with empty passwords this prompter is just a string copy ... */ -static krb5_error_code +static krb5_error_code kerb_prompter(krb5_context ctx, void *data, const char *name, const char *banner, @@ -192,7 +192,7 @@ int kerberos_kinit_password_ext(const char *given_principal, krb5_get_init_creds_opt_set_address_list(opt, addr->addrs); } - if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password), + if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password), kerb_prompter, discard_const_p(char, password), 0, NULL, opt))) { goto out; @@ -299,7 +299,7 @@ int ads_kdestroy(const char *cc_name) } if ((code = krb5_cc_destroy (ctx, cc))) { - DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n", + DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n", error_message(code))); } @@ -348,10 +348,10 @@ int kerberos_kinit_password(const char *principal, int time_offset, const char *cache_name) { - return kerberos_kinit_password_ext(principal, - password, - time_offset, - 0, + return kerberos_kinit_password_ext(principal, + password, + time_offset, + 0, 0, cache_name, False, 
@@ -434,17 +434,25 @@ static char *get_kdc_ip_string(char *mem_ctx, struct netlogon_samlogon_response **responses = NULL; NTSTATUS status; bool ok; - char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "", - print_canonical_sockaddr_with_port(mem_ctx, pss)); + char *kdc_str = NULL; + char *canon_sockaddr = NULL; + + SMB_ASSERT(pss != NULL); + + canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); + if (canon_sockaddr == NULL) { + goto out; + } + kdc_str = talloc_asprintf(frame, + "\t\tkdc = %s\n", + canon_sockaddr); if (kdc_str == NULL) { - TALLOC_FREE(frame); - return NULL; + goto out; } ok = sockaddr_storage_to_samba_sockaddr(&sa, pss); if (!ok) { - TALLOC_FREE(kdc_str); goto out; } @@ -454,7 +462,7 @@ static char *get_kdc_ip_string(char *mem_ctx, */ if (sitename) { - status = get_kdc_list(talloc_tos(), + status = get_kdc_list(frame, realm, sitename, &ip_sa_site, @@ -462,7 +470,6 @@ static char *get_kdc_ip_string(char *mem_ctx, if (!NT_STATUS_IS_OK(status)) { DBG_ERR("get_kdc_list fail %s\n", nt_errstr(status)); - TALLOC_FREE(kdc_str); goto out; } DBG_DEBUG("got %zu addresses from site %s search\n", @@ -472,7 +479,7 @@ static char *get_kdc_ip_string(char *mem_ctx, /* Get all KDC's. */ - status = get_kdc_list(talloc_tos(), + status = get_kdc_list(frame, realm, NULL, &ip_sa_nonsite, @@ -480,7 +487,6 @@ static char *get_kdc_ip_string(char *mem_ctx, if (!NT_STATUS_IS_OK(status)) { DBG_ERR("get_kdc_list (site-less) fail %s\n", nt_errstr(status)); - TALLOC_FREE(kdc_str); goto out; } DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite); @@ -488,7 +494,6 @@ static char *get_kdc_ip_string(char *mem_ctx, if (count_site + count_nonsite < count_site) { /* Wrap check. */ DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n"); - TALLOC_FREE(kdc_str); goto out; } 
@@ -496,7 +501,6 @@ static char *get_kdc_ip_string(char *mem_ctx, dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage, count_site + count_nonsite); if (dc_addrs == NULL) { - TALLOC_FREE(kdc_str); goto out; } @@ -516,17 +520,20 @@ static char *get_kdc_ip_string(char *mem_ctx, } } - dc_addrs2 = talloc_zero_array(talloc_tos(), - struct tsocket_address *, - num_dcs); - DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); if (num_dcs == 0) { - TALLOC_FREE(kdc_str); + /* + * We do not have additional KDCs, but we have the one passed + * in via `pss`. So just use that one and leave. + */ + result = talloc_move(mem_ctx, &kdc_str); goto out; } + + dc_addrs2 = talloc_zero_array(talloc_tos(), + struct tsocket_address *, + num_dcs); if (dc_addrs2 == NULL) { - TALLOC_FREE(kdc_str); goto out; } @@ -543,7 +550,6 @@ static char *get_kdc_ip_string(char *mem_ctx, status = map_nt_error_from_unix(errno); DEBUG(2,("Failed to create tsocket_address for %s - %s\n", addr, nt_errstr(status))); - TALLOC_FREE(kdc_str); goto out; } } @@ -561,7 +567,6 @@ static char *get_kdc_ip_string(char *mem_ctx, if (!NT_STATUS_IS_OK(status)) { DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: " "%s\n", nt_errstr(status))); - TALLOC_FREE(kdc_str); goto out; } 
@@ -573,22 +578,25 @@ static char *get_kdc_ip_string(char *mem_ctx, } /* Append to the string - inefficient but not done often. */ - new_kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", - kdc_str, - print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i])); - TALLOC_FREE(kdc_str); + new_kdc_str = talloc_asprintf_append( + kdc_str, + "\t\tkdc = %s\n", + print_canonical_sockaddr_with_port( + mem_ctx, &dc_addrs[i])); if (new_kdc_str == NULL) { goto out; } kdc_str = new_kdc_str; } - result = kdc_str; + result = talloc_move(mem_ctx, &kdc_str); out: - DBG_DEBUG("Returning\n%s\n", kdc_str); + if (result != NULL) { + DBG_DEBUG("Returning\n%s\n", kdc_str); + } else { + DBG_NOTICE("Failed to get KDC ip address\n"); + } - TALLOC_FREE(ip_sa_site); - TALLOC_FREE(ip_sa_nonsite); TALLOC_FREE(frame); return result; } diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c index b92477c88fe..09d27868c0e 100644 --- a/source3/libsmb/libsmb_server.c +++ b/source3/libsmb/libsmb_server.c @@ -572,7 +572,7 @@ SMBC_server_internal(TALLOC_CTX *ctx, !NT_STATUS_IS_OK(cli_session_setup_anon(c))) { cli_shutdown(c); - errno = EPERM; + errno = map_errno_from_nt_status(status); return NULL; } } diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 5720dfadc1f..e82ebbe7daa 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c 
@@ -612,7 +612,44 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, ui.auth_description = auth_description; if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) { + /* This is the final sucess */ status = NT_STATUS_OK; + } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) { + /* + * This was only a pre-authentication success, + * but we didn't reach the final + * KDC_AUTH_EVENT_CLIENT_AUTHORIZED, + * so consult the error code. + */ + if (r->error_code == 0) { + DBG_ERR("ERROR: VALIDATED_LONG_TERM_KEY " + "with error=0 => INTERNAL_ERROR\n"); + status = NT_STATUS_INTERNAL_ERROR; + final_ret = KRB5KRB_ERR_GENERIC; + r->error_code = final_ret; + } else if (!NT_STATUS_IS_OK(p->reject_status)) { + status = p->reject_status; + } else { + status = krb5_to_nt_status(r->error_code); + } + } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) { + /* + * This was only a pre-authentication success, + * but we didn't reach the final + * KDC_AUTH_EVENT_CLIENT_AUTHORIZED, + * so consult the error code. + */ + if (r->error_code == 0) { + DBG_ERR("ERROR: PREAUTH_SUCCEEDED " + "with error=0 => INTERNAL_ERROR\n"); + status = NT_STATUS_INTERNAL_ERROR; + final_ret = KRB5KRB_ERR_GENERIC; + r->error_code = final_ret; + } else if (!NT_STATUS_IS_OK(p->reject_status)) { + status = p->reject_status; + } else { + status = krb5_to_nt_status(r->error_code); + } } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) { status = NT_STATUS_TIME_DIFFERENCE_AT_DC; } else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) { @@ -640,6 +677,8 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n", hdb_auth_status); status = NT_STATUS_INTERNAL_ERROR; + final_ret = KRB5KRB_ERR_GENERIC; + r->error_code = final_ret; } if (rwdc_fallback) { 
@@ -664,6 +703,14 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, domain_name, account_name, sid); + if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) { + /* + * If we're running under make test + * just panic + */ + DBG_ERR("Unexpected situation => PANIC\n"); + smb_panic("hdb_samba4_audit: Unexpected situation"); + } TALLOC_FREE(frame); break; } diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index dc6db122865..f0181d2e676 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -1143,6 +1143,7 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry, workstation, client_name, true, password_change); + kdc_entry->reject_status = nt_status; talloc_free(tmp_ctx); return nt_status; } diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h index a354f3e8db3..9b16fcc3b92 100644 --- a/source4/kdc/samba_kdc.h +++ b/source4/kdc/samba_kdc.h @@ -61,6 +61,7 @@ struct samba_kdc_entry { bool is_trust; void *entry_ex; uint32_t supported_enctypes; + NTSTATUS reject_status; }; extern struct hdb_method hdb_samba4_interface; diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh index 76b394b10a9..cfafb945b62 100755 --- a/testprogs/blackbox/test_net_ads.sh +++ b/testprogs/blackbox/test_net_ads.sh @@ -51,6 +51,12 @@ fi testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` +workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf") +testit "local krb5.conf created" \ + test -r \ + "${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" || + failed=$((failed + 1)) + testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') -- Samba Shared Repository
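Review bot: in the kerberos.c hunk at @@ -434,17 +434,25 @@, `SMB_ASSERT(pss != NULL);` aborts the whole process on a NULL address, while every other failure in get_kdc_ip_string() now takes `goto out` and returns NULL to the caller; unless a NULL pss is a genuine invariant violation, `if (pss == NULL) { DBG_ERR(...); goto out; }` keeps the function's own error contract and lets the caller decide.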
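Review bot: in the kerberos.c hunks at @@ -496,7 +501,6 @@ and @@ -516,17 +520,20 @@, `dc_addrs` and `dc_addrs2` are still allocated on `talloc_tos()` although the rest of the function was moved to `frame`; the two are the same context here, but using `frame` for these as well makes ownership obvious and completes the "Allocate all memory on the talloc stackframe" change.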
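Review bot: in the kerberos.c hunk at @@ -573,22 +578,25 @@, the `out:` label logs `kdc_str` after `talloc_move(mem_ctx, &kdc_str)` has already set `kdc_str` to NULL, so `DBG_DEBUG("Returning\n%s\n", kdc_str);` prints "(null)" on every successful return; log `result` instead. In the same hunk, `print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i])` still allocates the temporary string on the caller's `mem_ctx` (it is never freed there) and its return value is passed to `"%s"` without the NULL check that the first address got at the top of the function; allocate it on `frame` and `goto out` on NULL before calling `talloc_asprintf_append()`.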
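Review bot: in the libsmb_server.c hunk at @@ -572,7 +572,7 @@, `errno = map_errno_from_nt_status(status);` maps a `status` that is not assigned anywhere in the hunk, and the return value of `cli_session_setup_anon(c)` in the condition directly above is discarded, so when the anonymous fallback is the call that fails, errno describes the earlier credentialed attempt rather than the fallback; either confirm that is the intended mapping or store the fallback's NTSTATUS into `status` before mapping it.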
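Review bot: in the hdb-samba4.c hunk at @@ -612,7 +612,44 @@, the KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY and KDC_AUTH_EVENT_PREAUTH_SUCCEEDED branches are copies of each other apart from the string in DBG_ERR; a single `else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY || hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED)` branch that logs the event with `%d` keeps the error_code/reject_status logic in one place so the two copies cannot drift apart. Also a typo in the new comment: "This is the final sucess" should read "success".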
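Review bot: in the hdb-samba4.c hunk at @@ -640,6 +677,8 @@, overwriting `r->error_code` with KRB5KRB_ERR_GENERIC from inside an audit callback is a deliberate fail-closed choice for an unhandled event type, but nothing at this site says so; a one-line comment ("unknown event: force a failure rather than risk issuing a ticket") would stop a later reader from "fixing" it away.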
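Review bot: in the hdb-samba4.c hunk at @@ -664,6 +703,14 @@, `socket_wrapper_enabled()` is used as the signal for "running under make test", yet socket_wrapper can be preloaded outside the Samba selftest, where this `smb_panic()` turns an unexpected audit state into a KDC crash; gating on an explicit selftest indicator (an environment variable read via getenv(), as the commit message's "within make test" intent suggests) would tie the panic to CI only. The placement after the audit log call is right, since the event is recorded before the process dies.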
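Review bot: in the pac-glue.c hunk at @@ -1143,6 +1143,7 @@, `kdc_entry->reject_status = nt_status;` is assigned on every call, success included, which is what the `!NT_STATUS_IS_OK(p->reject_status)` test in hdb_samba4_audit() depends on; because that test can also run for requests that never reached samba_kdc_check_client_access(), the new field has to start out as NT_STATUS_OK (0), so please confirm every `struct samba_kdc_entry` is allocated with talloc_zero() or set the field explicitly where the entry is created.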
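Review bot: in the samba_kdc.h hunk at @@ -61,6 +61,7 @@, the new `NTSTATUS reject_status;` member carries no comment; a short note that it is written by samba_kdc_check_client_access() and read by hdb_samba4_audit() would document the tunnelling the commit message describes.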
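Review bot: in the test_net_ads.sh hunk at @@ -51,6 +51,12 @@, `awk '/workgroup =/ { print $NR }'` prints field number NR, that is the field whose index equals the current line number, so it yields the workgroup name only if "workgroup =" happens to sit on line 3 of client.conf; use `print $3` (or `$NF`) so the test cannot silently check a wrong krb5.conf path and pass or fail for the wrong reason. Minor: `failed=$((failed + 1))` differs from the backtick `expr` style of the neighbouring testit lines; harmless, but worth keeping consistent within the file.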