The branch, v4-19-test has been updated
       via  62c90dfa32e s3:auth: Allow 'Unix Users' and 'Unix Groups' to create 
a local token
       via  9b26a0eaae8 s3:auth: Remove trailing white spaces from auth_util.c
       via  b3ac235ba96 selftest: Show that 'allow trusted domains = no' 
firewalls Unix User|Group
      from  e4505c10a76 testprogs: Add net offlinejoin composeodj tests

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -----------------------------------------------------------------
commit 62c90dfa32e7918e898c321dd81617c2e6da58ff
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Nov 30 10:54:07 2023 +0100

    s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a local token
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 00034d022896f879bf91bb78eb9e2972162c99ce)
    
    Autobuild-User(v4-19-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-19-test): Tue Dec  5 11:04:17 UTC 2023 on atb-devel-224

commit 9b26a0eaae8544bdf74b5440bb72403286981df4
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Sep 8 12:50:32 2023 +0200

    s3:auth: Remove trailing white spaces from auth_util.c
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 8f496161463f110e494201303b96dd14ab3774cd)

commit b3ac235ba966c93744a457bd7014ec6f0503f1e5
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Sep 4 16:29:46 2023 +0200

    selftest: Show that 'allow trusted domains = no' firewalls Unix User|Group
    
    UNEXPECTED(failure): 
samba3.blackbox.smbclient_auth.plain.local_creds.smbclient 
//LOCALSHARE4/forceuser_unixonly as user(simpleserver)
    REASON: Exception: Exception: tree connect failed: 
NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit ad0c0dd071401d98f0b7f595efbdf5312a165ab4)

-----------------------------------------------------------------------

Summary of changes:
 selftest/target/Samba3.pm |  1 +
 source3/auth/auth_util.c  | 81 ++++++++++++++++++++++++++++-------------------
 2 files changed, 49 insertions(+), 33 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 39831afc599..85e69e4b72d 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1689,6 +1689,7 @@ sub setup_simpleserver
        vfs objects = xattr_tdb streams_depot
        change notify = no
        server smb encrypt = off
+        allow trusted domains = no
 
 [vfs_aio_pthread]
        path = $prefix_abs/share
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 293523f4272..2a35fea5061 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -21,6 +21,7 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
+#include "dom_sid.h"
 #include "includes.h"
 #include "auth.h"
 #include "lib/util_unixsids.h"
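Review bot: The new `#include "dom_sid.h"` is placed ahead of `#include "includes.h"`, whereas source3 files conventionally include `includes.h` first so the config/replace layer is in place before any other project header is parsed; move it below, e.g. `#include "includes.h"` / `#include "auth.h"` / `#include "dom_sid.h"`. It is also worth checking whether `dom_sid.h` is already reachable through `includes.h` or `auth.h`, since this file already declares `struct dom_sid` locals and references `global_sid_*` without it; if so the new include is redundant and can be dropped.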
@@ -144,14 +145,14 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 }
 
 /****************************************************************************
- Create an auth_usersupplied_data, making the DATA_BLOBs here. 
+ Create an auth_usersupplied_data, making the DATA_BLOBs here.
  Decrypt and encrypt the passwords.
 ****************************************************************************/
 
 bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
                                     struct auth_usersupplied_info **user_info,
-                                    const char *smb_name, 
-                                    const char *client_domain, 
+                                    const char *smb_name,
+                                    const char *client_domain,
                                     const char *workstation_name,
                                     const struct tsocket_address 
*remote_address,
                                     const struct tsocket_address 
*local_address,
@@ -167,12 +168,12 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
        DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
 
        status = make_user_info_map(mem_ctx, user_info,
-                                   smb_name, client_domain, 
+                                   smb_name, client_domain,
                                    workstation_name,
                                    remote_address,
                                    local_address,
                                    "SamLogon",
-                                   lm_pwd_len ? &lm_blob : NULL, 
+                                   lm_pwd_len ? &lm_blob : NULL,
                                    nt_pwd_len ? &nt_blob : NULL,
                                    NULL, NULL, NULL,
                                    AUTH_PASSWORD_RESPONSE);
@@ -188,20 +189,20 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
 }
 
 /****************************************************************************
- Create an auth_usersupplied_data, making the DATA_BLOBs here. 
+ Create an auth_usersupplied_data, making the DATA_BLOBs here.
  Decrypt and encrypt the passwords.
 ****************************************************************************/
 
 bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
                                         struct auth_usersupplied_info 
**user_info,
-                                        const char *smb_name, 
-                                        const char *client_domain, 
+                                        const char *smb_name,
+                                        const char *client_domain,
                                         const char *workstation_name,
                                         const struct tsocket_address 
*remote_address,
                                         const struct tsocket_address 
*local_address,
                                         uint32_t logon_parameters,
-                                        const uchar chal[8], 
-                                        const uchar lm_interactive_pwd[16], 
+                                        const uchar chal[8],
+                                        const uchar lm_interactive_pwd[16],
                                         const uchar nt_interactive_pwd[16])
 {
        struct samr_Password lm_pwd;
@@ -250,7 +251,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX 
*mem_ctx,
 
                nt_status = make_user_info_map(
                        mem_ctx,
-                       user_info, 
+                       user_info,
                        smb_name, client_domain, workstation_name,
                        remote_address,
                        local_address,
@@ -280,7 +281,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX 
*mem_ctx,
 
 bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
                              struct auth_usersupplied_info **user_info,
-                             const char *smb_name, 
+                             const char *smb_name,
                              const char *client_domain,
                              const struct tsocket_address *remote_address,
                              const struct tsocket_address *local_address,
@@ -315,10 +316,10 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
 
                /* We can't do an NT hash here, as the password needs to be
                   case insensitive */
-               local_nt_blob = data_blob_null; 
+               local_nt_blob = data_blob_null;
        } else {
-               local_lm_blob = data_blob_null; 
-               local_nt_blob = data_blob_null; 
+               local_lm_blob = data_blob_null;
+               local_nt_blob = data_blob_null;
        }
 
        plaintext_password_string = talloc_strndup(talloc_tos(),
@@ -329,7 +330,7 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
        }
 
        ret = make_user_info(mem_ctx,
-               user_info, smb_name, smb_name, client_domain, client_domain, 
+               user_info, smb_name, smb_name, client_domain, client_domain,
                get_remote_machine_name(),
                remote_address,
                local_address,
@@ -403,14 +404,14 @@ bool make_user_info_guest(TALLOC_CTX *mem_ctx,
 
        nt_status = make_user_info(mem_ctx,
                                   user_info,
-                                  "","", 
-                                  "","", 
-                                  "", 
+                                  "","",
+                                  "","",
+                                  "",
                                   remote_address,
                                   local_address,
                                   service_description,
-                                  NULL, NULL, 
-                                  NULL, NULL, 
+                                  NULL, NULL,
+                                  NULL, NULL,
                                   NULL,
                                   AUTH_PASSWORD_RESPONSE);
 
@@ -478,6 +479,7 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
        struct dom_sid tmp_sid;
        struct auth_session_info *session_info = NULL;
        struct unixid *ids;
+       bool is_allowed = false;
 
        /* Ensure we can't possible take a code path leading to a
         * null deref. */
@@ -485,7 +487,20 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
                return NT_STATUS_LOGON_FAILURE;
        }
 
-       if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+       if (is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+               is_allowed = true;
+       }
+
+       /* Check if we have extra info about the user. */
+       if (dom_sid_in_domain(&global_sid_Unix_Users,
+                             &server_info->extra.user_sid) ||
+           dom_sid_in_domain(&global_sid_Unix_Groups,
+                             &server_info->extra.pgid_sid))
+       {
+               is_allowed = true;
+       }
+
+       if (!is_allowed) {
                DBG_NOTICE("Authentication failed for user [%s] "
                           "from firewalled domain [%s]\n",
                           server_info->info3->base.account_name.string,
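Review bot: The Unix Groups test on `extra.pgid_sid` is OR'd with the Unix Users test on `extra.user_sid`, so an account whose primary group SID maps into S-1-22-2 passes the 'allow trusted domains = no' firewall even when its own SID is not a Unix Users SID; unless every caller that populates `extra.pgid_sid` also sets a Unix Users `extra.user_sid` (not visible in this hunk), that is a wider exemption than the commit title describes. Consider keying the exemption on the user SID alone, `if (dom_sid_in_domain(&global_sid_Unix_Users, &server_info->extra.user_sid)) { is_allowed = true; }`, or at least combining the two tests with `&&`. The block also deserves a why-comment such as `/* Local Unix accounts (S-1-22-x) belong to no trusted domain, so the domain firewall must not reject them. */`, since `is_allowed_domain()` rejecting them is the bug being fixed. The enclosing create_local_token() starts before and continues after this hunk, and `is_allowed` is declared in the preceding hunk.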
@@ -1258,7 +1273,7 @@ done:
        }
 
        session_info->unique_session_token = GUID_random();
-       
+
        *session_info_out = talloc_move(mem_ctx, &session_info);
        TALLOC_FREE(frame);
        return NT_STATUS_OK;
@@ -1954,9 +1969,9 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const 
char *domain,
        *pwd = passwd;
 
        /* This is pointless -- there is no support for differing
-          unix and windows names.  Make sure to always store the 
+          unix and windows names.  Make sure to always store the
           one we actually looked up and succeeded. Have I mentioned
-          why I hate the 'winbind use default domain' parameter?   
+          why I hate the 'winbind use default domain' parameter?
                                         --jerry              */
 
        *found_username = talloc_strdup( mem_ctx, real_username );
@@ -1965,8 +1980,8 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const 
char *domain,
 }
 
 /****************************************************************************
- Wrapper to allow the getpwnam() call to strip the domain name and 
- try again in case a local UNIX user is already there.  Also run through 
+ Wrapper to allow the getpwnam() call to strip the domain name and
+ try again in case a local UNIX user is already there.  Also run through
  the username if we fallback to the username only.
  ****************************************************************************/
 
@@ -1977,11 +1992,11 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const 
char *domuser,
        char *p = NULL;
        const char *username = NULL;
 
-       /* we only save a copy of the username it has been mangled 
+       /* we only save a copy of the username it has been mangled
           by winbindd use default domain */
        *p_save_username = NULL;
 
-       /* don't call map_username() here since it has to be done higher 
+       /* don't call map_username() here since it has to be done higher
           up the stack so we don't call it multiple times */
 
        username = talloc_strdup(mem_ctx, domuser);
@@ -2068,10 +2083,10 @@ username_only:
 }
 
 /***************************************************************************
- Make a server_info struct from the info3 returned by a domain logon 
+ Make a server_info struct from the info3 returned by a domain logon
 ***************************************************************************/
 
-NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, 
+NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
                                const char *sent_nt_username,
                                const char *domain,
                                struct auth_serversupplied_info **server_info,
@@ -2089,9 +2104,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
        struct dom_sid sid;
        TALLOC_CTX *tmp_ctx = talloc_stackframe();
 
-       /* 
+       /*
           Here is where we should check the list of
-          trusted domains, and verify that the SID 
+          trusted domains, and verify that the SID
           matches.
        */
 


-- 
Samba Shared Repository
