1 | From 77942b3569d379a097b2f7c58203d0379fd80ddc Mon Sep 17 00:00:00 2001 |
2 | From: Andreas Schneider <asn@samba.org> | |
3 | Date: Mon, 16 Dec 2013 12:57:20 +0100 | |
4 | Subject: [PATCH 1/6] s3-lib: Add winbind_lookup_usersids(). | |
5 | ||
6 | Pair-Programmed-With: Guenther Deschner <gd@samba.org> | |
7 | Signed-off-by: Guenther Deschner <gd@samba.org> | |
8 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
9 | Reviewed-by: Andrew Bartlett <abartlet@samba.org> | |
10 | --- | |
11 | source3/lib/winbind_util.c | 34 ++++++++++++++++++++++++++++++++++ | |
12 | source3/lib/winbind_util.h | 4 ++++ | |
13 | 2 files changed, 38 insertions(+) | |
14 | ||
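--- a/source3/lib/winbind_util.c
+++ b/source3/lib/winbind_util.c
@@ -342,6 +342,40 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
 return true;
 }
 
+bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
+const struct dom_sid *user_sid,
+uint32_t *p_num_sids,
+struct dom_sid **p_sids)
+{
+wbcErr ret;
+struct wbcDomainSid dom_sid;
+struct wbcDomainSid *sid_list = NULL;
+uint32_t num_sids;
+
+memcpy(&dom_sid, user_sid, sizeof(dom_sid));
+
+ret = wbcLookupUserSids(&dom_sid,
+false,
+&num_sids,
+&sid_list);
+if (ret != WBC_ERR_SUCCESS) {
+return false;
+}
+
+*p_sids = talloc_array(mem_ctx, struct dom_sid, num_sids);
+if (*p_sids == NULL) {
+wbcFreeMemory(sid_list);
+return false;
+}
+
+memcpy(*p_sids, sid_list, sizeof(dom_sid) * num_sids);
+
+*p_num_sids = num_sids;
+wbcFreeMemory(sid_list);
+
+return true;
+}
+
 #else /* WITH_WINBIND */
 
 struct passwd * winbind_getpwnam(const char * name)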
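Review bot: Both memcpy() calls in winbind_lookup_usersids() silently rely on `struct dom_sid` and `struct wbcDomainSid` having identical size and layout, and the second copy sizes the transfer by `sizeof(dom_sid)` (the wbc type) while writing into a `talloc_array` of `struct dom_sid`, so any mismatch between the two definitions would over- or under-fill the destination. A compile-time size check next to the first copy, asserting `sizeof(struct dom_sid) == sizeof(struct wbcDomainSid)`, with a comment such as `/* wbcLookupUserSids() speaks wbcDomainSid; the raw copies below rely on it matching dom_sid byte for byte */`, would make that assumption explicit and fail the build rather than the token. Note also that every wbcErr other than WBC_ERR_SUCCESS collapses into `return false`, so a caller cannot distinguish "winbind not running" from a failed lookup of a valid SID; since the bool return cannot carry that, consider returning the wbcErr (or adding an out-parameter) if callers make decisions on it.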
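--- a/source3/lib/winbind_util.h
+++ b/source3/lib/winbind_util.h
@@ -58,5 +58,9 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
 size_t num_members,
 uint32_t **pp_alias_rids,
 size_t *p_num_alias_rids);
+bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
+const struct dom_sid *user_sid,
+uint32_t *p_num_sids,
+struct dom_sid **p_sids);
 
 #endif /* __LIB__WINBIND_UTIL_H__ */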
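Review bot: The new declaration carries no comment on ownership or failure semantics, which matters because callers key their fallback logic on the bool. The implementation in this series allocates `*p_sids` on `mem_ctx`, leaves `*p_num_sids` untouched on failure, and on a talloc failure leaves `*p_sids` set to NULL; a short comment above the prototype stating that — e.g. `/* Returns false on any wbc error; on success *p_sids is talloc'd on mem_ctx. */` — would save readers a trip to winbind_util.c.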
74 | -- | |
75 | 1.8.5.3 | |
76 | ||
77 | ||
78 | From a776571e344110b89340f5008bed869763aa4dff Mon Sep 17 00:00:00 2001 | |
79 | From: Andreas Schneider <asn@samba.org> | |
80 | Date: Fri, 13 Dec 2013 19:08:34 +0100 | |
81 | Subject: [PATCH 2/6] s3-auth: Add passwd_to_SamInfo3(). | |
82 | ||
83 | First this function tries to contact winbind if the user is a domain | |
84 | user to get valid information about it. If winbind isn't running it will | |
85 | try to create everything from the passwd struct. This is not always | |
86 | reliable but works in most cases. It improves the current situation | |
87 | which doesn't talk to winbind at all. | |
88 | ||
89 | Pair-Programmed-With: Guenther Deschner <gd@samba.org> | |
90 | Signed-off-by: Guenther Deschner <gd@samba.org> | |
91 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
92 | Reviewed-by: Andrew Bartlett <abartlet@samba.org> | |
93 | --- | |
94 | source3/auth/proto.h | 4 ++ | |
95 | source3/auth/server_info.c | 116 +++++++++++++++++++++++++++++++++++++++++++++ | |
96 | 2 files changed, 120 insertions(+) | |
97 | ||
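--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -225,6 +225,10 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
 const char *login_server,
 struct netr_SamInfo3 **_info3,
 struct extra_auth_info *extra);
+NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
+const char *unix_username,
+const struct passwd *pwd,
+struct netr_SamInfo3 **pinfo3);
 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
 struct netr_SamInfo3 *orig);
 struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,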
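--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -24,6 +24,7 @@
 #include "../libcli/security/security.h"
 #include "rpc_client/util_netlogon.h"
 #include "nsswitch/libwbclient/wbclient.h"
+#include "lib/winbind_util.h"
 #include "passdb.h"
 
 #undef DBGC_CLASS
@@ -476,6 +477,121 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
 return NT_STATUS_OK;
 }
 
+NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
+const char *unix_username,
+const struct passwd *pwd,
+struct netr_SamInfo3 **pinfo3)
+{
+struct netr_SamInfo3 *info3;
+NTSTATUS status;
+TALLOC_CTX *tmp_ctx;
+const char *domain_name = NULL;
+const char *user_name = NULL;
+struct dom_sid domain_sid;
+struct dom_sid user_sid;
+struct dom_sid group_sid;
+enum lsa_SidType type;
+uint32_t num_sids = 0;
+struct dom_sid *user_sids = NULL;
+bool ok;
+
+tmp_ctx = talloc_stackframe();
+
+ok = lookup_name_smbconf(tmp_ctx,
+unix_username,
+LOOKUP_NAME_ALL,
+&domain_name,
+&user_name,
+&user_sid,
+&type);
+if (!ok) {
+status = NT_STATUS_NO_SUCH_USER;
+goto done;
+}
+
+if (type != SID_NAME_USER) {
+status = NT_STATUS_NO_SUCH_USER;
+goto done;
+}
+
+ok = winbind_lookup_usersids(tmp_ctx,
+&user_sid,
+&num_sids,
+&user_sids);
+/* Check if winbind is running */
+if (ok) {
+/*
+* Winbind is running and the first element of the user_sids
+* is the primary group.
+*/
+if (num_sids > 0) {
+group_sid = user_sids[0];
+}
+} else {
+/*
+* Winbind is not running, create the group_sid from the
+* group id.
+*/
+gid_to_sid(&group_sid, pwd->pw_gid);
+}
+
+/* Make sure we have a valid group sid */
+ok = !is_null_sid(&group_sid);
+if (!ok) {
+status = NT_STATUS_NO_SUCH_USER;
+goto done;
+}
+
+/* Construct a netr_SamInfo3 from the information we have */
+info3 = talloc_zero(tmp_ctx, struct netr_SamInfo3);
+if (!info3) {
+status = NT_STATUS_NO_MEMORY;
+goto done;
+}
+
+info3->base.account_name.string = talloc_strdup(info3, unix_username);
+if (info3->base.account_name.string == NULL) {
+status = NT_STATUS_NO_MEMORY;
+goto done;
+}
+
+ZERO_STRUCT(domain_sid);
+
+sid_copy(&domain_sid, &user_sid);
+sid_split_rid(&domain_sid, &info3->base.rid);
+info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
+
+ok = sid_peek_check_rid(&domain_sid, &group_sid,
+&info3->base.primary_gid);
+if (!ok) {
+DEBUG(1, ("The primary group domain sid(%s) does not "
+"match the domain sid(%s) for %s(%s)\n",
+sid_string_dbg(&group_sid),
+sid_string_dbg(&domain_sid),
+unix_username,
+sid_string_dbg(&user_sid)));
+status = NT_STATUS_INVALID_SID;
+goto done;
+}
+
+info3->base.acct_flags = ACB_NORMAL;
+
+if (num_sids) {
+status = group_sids_to_info3(info3, user_sids, num_sids);
+if (!NT_STATUS_IS_OK(status)) {
+goto done;
+}
+}
+
+*pinfo3 = talloc_steal(mem_ctx, info3);
+
+status = NT_STATUS_OK;
+done:
+talloc_free(tmp_ctx);
+
+return status;
+}
+
 #undef RET_NOMEM
 
 #define RET_NOMEM(ptr) do { \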
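Review bot: `group_sid` is declared without an initializer and is only assigned when winbind answers with `num_sids > 0` or when winbind is unavailable, so on the `ok && num_sids == 0` path `is_null_sid(&group_sid)` reads indeterminate stack bytes and the NO_SUCH_USER guard that follows can pass on garbage; add `ZERO_STRUCT(group_sid);` before the winbind_lookup_usersids() call so that path reliably fails the null-SID check. The result of `dom_sid_dup(info3, &domain_sid)` is stored into `info3->base.domain_sid` unchecked, while every other allocation in the function maps NULL to NT_STATUS_NO_MEMORY; it should get the same `if (... == NULL) { status = NT_STATUS_NO_MEMORY; goto done; }` treatment. Finally, the `/* Check if winbind is running */` branch treats any false return from winbind_lookup_usersids() as "winbind not running": a transient wbc error for a valid domain user then silently falls back to `gid_to_sid()` and to an info3 with no group SIDs at all (`num_sids` stays 0), which changes the resulting token's membership rather than failing the request — worth a comment at minimum, and ideally a distinct error path once the helper can report the reason.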
247 | -- | |
248 | 1.8.5.3 | |
249 | ||
250 | ||
251 | From de5914820e7e8665036411061911a9a5ed06a673 Mon Sep 17 00:00:00 2001 | |
252 | From: Andreas Schneider <asn@samba.org> | |
253 | Date: Fri, 13 Dec 2013 19:11:01 +0100 | |
254 | Subject: [PATCH 3/6] s3-auth: Pass talloc context to make_server_info_pw(). | |
255 | ||
256 | Pair-Programmed-With: Guenther Deschner <gd@samba.org> | |
257 | Signed-off-by: Guenther Deschner <gd@samba.org> | |
258 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
259 | Reviewed-by: Andrew Bartlett <abartlet@samba.org> | |
260 | --- | |
261 | source3/auth/auth_server.c | 5 ++++- | |
262 | source3/auth/auth_unix.c | 7 +++++-- | |
263 | source3/auth/auth_util.c | 51 ++++++++++++++++++++++++++-------------------- | |
264 | source3/auth/proto.h | 9 ++++---- | |
265 | source3/auth/user_krb5.c | 2 +- | |
266 | 5 files changed, 44 insertions(+), 30 deletions(-) | |
267 | ||
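--- a/source3/auth/auth_server.c
+++ b/source3/auth/auth_server.c
@@ -448,7 +448,10 @@ use this machine as the password server.\n"));
 if ( (pass = smb_getpwnam(talloc_tos(), user_info->mapped.account_name,
 &real_username, True )) != NULL )
 {
-nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+nt_status = make_server_info_pw(mem_ctx,
+pass->pw_name,
+pass,
+server_info);
 TALLOC_FREE(pass);
 TALLOC_FREE(real_username);
 }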
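--- a/source3/auth/auth_unix.c
+++ b/source3/auth/auth_unix.c
@@ -56,8 +56,11 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
 unbecome_root();
 
 if (NT_STATUS_IS_OK(nt_status)) {
-if (pass) {
-make_server_info_pw(server_info, pass->pw_name, pass);
+if (pass != NULL) {
+nt_status = make_server_info_pw(mem_ctx,
+pass->pw_name,
+pass,
+server_info);
 } else {
 /* we need to do somthing more useful here */
 nt_status = NT_STATUS_NO_SUCH_USER;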
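--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -555,14 +555,15 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
 to a struct samu
 ***************************************************************************/
 
-NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
-char *unix_username,
-struct passwd *pwd)
+NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
+const char *unix_username,
+const struct passwd *pwd,
+struct auth_serversupplied_info **server_info)
 {
 NTSTATUS status;
 struct samu *sampass = NULL;
 char *qualified_name = NULL;
-TALLOC_CTX *mem_ctx = NULL;
+TALLOC_CTX *tmp_ctx;
 struct dom_sid u_sid;
 enum lsa_SidType type;
 struct auth_serversupplied_info *result;
@@ -580,27 +581,27 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
 * plaintext passwords were used with no SAM backend.
 */
 
-mem_ctx = talloc_init("make_server_info_pw_tmp");
-if (!mem_ctx) {
+tmp_ctx = talloc_stackframe();
+if (tmp_ctx == NULL) {
 return NT_STATUS_NO_MEMORY;
 }
 
-qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
+qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
 unix_users_domain_name(),
 unix_username );
 if (!qualified_name) {
-TALLOC_FREE(mem_ctx);
+TALLOC_FREE(tmp_ctx);
 return NT_STATUS_NO_MEMORY;
 }
 
-if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
+if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
 NULL, NULL,
 &u_sid, &type)) {
-TALLOC_FREE(mem_ctx);
+TALLOC_FREE(tmp_ctx);
 return NT_STATUS_NO_SUCH_USER;
 }
 
-TALLOC_FREE(mem_ctx);
+TALLOC_FREE(tmp_ctx);
 
 if (type != SID_NAME_USER) {
 return NT_STATUS_NO_SUCH_USER;
@@ -623,7 +624,7 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
 /* set the user sid to be the calculated u_sid */
 pdb_set_user_sid(sampass, &u_sid, PDB_SET);
 
-result = make_server_info(NULL);
+result = make_server_info(mem_ctx);
 if (result == NULL) {
 TALLOC_FREE(sampass);
 return NT_STATUS_NO_MEMORY;
@@ -908,37 +909,43 @@ NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
 {
 struct auth_serversupplied_info *result;
 struct passwd *pwd;
+TALLOC_CTX *tmp_ctx;
 NTSTATUS status;
 
-pwd = Get_Pwnam_alloc(talloc_tos(), username);
-if (pwd == NULL) {
-return NT_STATUS_NO_SUCH_USER;
+tmp_ctx = talloc_stackframe();
+if (tmp_ctx == NULL) {
+return NT_STATUS_NO_MEMORY;
 }
 
-status = make_server_info_pw(&result, pwd->pw_name, pwd);
-
-TALLOC_FREE(pwd);
+pwd = Get_Pwnam_alloc(tmp_ctx, username);
+if (pwd == NULL) {
+status = NT_STATUS_NO_SUCH_USER;
+goto done;
+}
 
+status = make_server_info_pw(tmp_ctx, pwd->pw_name, pwd, &result);
 if (!NT_STATUS_IS_OK(status)) {
-return status;
+goto done;
 }
 
 result->nss_token = true;
 result->guest = is_guest;
 
 if (use_guest_token) {
-status = make_server_info_guest(mem_ctx, &result);
+status = make_server_info_guest(tmp_ctx, &result);
 } else {
 status = create_local_token(result);
 }
 
+*presult = talloc_steal(mem_ctx, result);
+done:
+talloc_free(tmp_ctx);
 if (!NT_STATUS_IS_OK(status)) {
 TALLOC_FREE(result);
 return status;
 }
 
-*presult = talloc_steal(mem_ctx, result);
-return NT_STATUS_OK;
+return status;
 }
 
 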
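Review bot: In the last hunk, make_serverinfo_from_username() now reaches `TALLOC_FREE(result)` with `result` uninitialized: `struct auth_serversupplied_info *result;` has no initializer, and both the `pwd == NULL` path and a failed make_server_info_pw() jump to `done:` before anything assigns it, so the free operates on an indeterminate pointer. On the later failure paths the problem flips: `*presult = talloc_steal(mem_ctx, result)` runs before the status is checked, so when make_server_info_guest() or create_local_token() fail the caller's out-pointer is left pointing at memory that `TALLOC_FREE(result)` has just released. Since `result` is allocated under `tmp_ctx` (make_server_info_pw() is called with `tmp_ctx` and, per the hunk above, allocates on the context it is given; I am assuming make_server_info_guest() behaves the same), `talloc_free(tmp_ctx)` already covers cleanup and the explicit free is not needed; initialise `result` to NULL and only steal it on success, as below. make_serverinfo_from_username() begins outside this hunk.
```c
	struct auth_serversupplied_info *result = NULL;
	/* … unchanged: tmp_ctx setup, Get_Pwnam_alloc(), make_server_info_pw(), token creation … */
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	*presult = talloc_steal(mem_ctx, result);
done:
	talloc_free(tmp_ctx);
	return status;
}
```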
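--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -144,14 +144,15 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 bool user_in_group_sid(const char *username, const struct dom_sid *group_sid);
 bool user_in_group(const char *username, const char *groupname);
 struct passwd;
-NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
-char *unix_username,
-struct passwd *pwd);
+NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
+const char *unix_username,
+const struct passwd *pwd,
+struct auth_serversupplied_info **server_info);
 NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
 const char *username,
 bool use_guest_token,
 bool is_guest,
-struct auth_serversupplied_info **presult);
+struct auth_serversupplied_info **session_info);
 struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
 const struct auth_serversupplied_info *src);
 bool init_guest_info(void);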
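Review bot: The prototype of make_serverinfo_from_username() renames its last parameter to `session_info`, while the definition in auth_util.c in this same patch still writes to `presult` and the object produced is a `struct auth_serversupplied_info`, not a session_info; the mismatch is harmless to the compiler but misleading to readers grepping for the output parameter. Keep the header in step with the definition: `struct auth_serversupplied_info **presult);`.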
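--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -238,7 +238,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 */
 DEBUG(10, ("didn't find user %s in passdb, calling "
 "make_server_info_pw\n", username));
-status = make_server_info_pw(&tmp, username, pw);
+status = make_server_info_pw(mem_ctx, username, pw, &tmp);
 }
 TALLOC_FREE(sampass);
 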
461 | -- | |
462 | 1.8.5.3 | |
463 | ||
464 | ||
465 | From 840b5b996a719922a1fdaa5ee2188a4d4c60f345 Mon Sep 17 00:00:00 2001 | |
466 | From: Andreas Schneider <asn@samba.org> | |
467 | Date: Fri, 13 Dec 2013 19:19:02 +0100 | |
468 | Subject: [PATCH 4/6] s3-auth: Use passwd_to_SamInfo3(). | |
469 | ||
470 | Correctly look up users that come from smb.conf. passwd_to_SamInfo3() | |
471 | tries to contact winbind if the user is a domain user to get | |
472 | valid information about it. If winbind isn't running it will try to | |
473 | create everything from the passwd struct. This is not always reliable | |
474 | but works in most cases. It improves the current situation which doesn't | |
475 | talk to winbind at all. | |
476 | ||
477 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598 | |
478 | ||
479 | Pair-Programmed-With: Guenther Deschner <gd@samba.org> | |
480 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
481 | Reviewed-by: Andrew Bartlett <abartlet@samba.org> | |
482 | ||
483 | Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> | |
484 | Autobuild-Date(master): Wed Feb 5 01:40:38 CET 2014 on sn-devel-104 | |
485 | --- | |
486 | source3/auth/auth_util.c | 91 +++++++++------------------------------------- | |
487 | source3/auth/server_info.c | 22 ++++++++++- | |
488 | 2 files changed, 37 insertions(+), 76 deletions(-) | |
489 | ||
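--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -561,100 +561,43 @@ NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
 struct auth_serversupplied_info **server_info)
 {
 NTSTATUS status;
-struct samu *sampass = NULL;
-char *qualified_name = NULL;
-TALLOC_CTX *tmp_ctx;
-struct dom_sid u_sid;
-enum lsa_SidType type;
+TALLOC_CTX *tmp_ctx = NULL;
 struct auth_serversupplied_info *result;
 
-/*
-* The SID returned in server_info->sam_account is based
-* on our SAM sid even though for a pure UNIX account this should
-* not be the case as it doesn't really exist in the SAM db.
-* This causes lookups on "[in]valid users" to fail as they
-* will lookup this name as a "Unix User" SID to check against
-* the user token. Fix this by adding the "Unix User"\unix_username
-* SID to the sid array. The correct fix should probably be
-* changing the server_info->sam_account user SID to be a
-* S-1-22 Unix SID, but this might break old configs where
-* plaintext passwords were used with no SAM backend.
-*/
-
 tmp_ctx = talloc_stackframe();
 if (tmp_ctx == NULL) {
 return NT_STATUS_NO_MEMORY;
 }
 
-qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
-unix_users_domain_name(),
-unix_username );
-if (!qualified_name) {
-TALLOC_FREE(tmp_ctx);
-return NT_STATUS_NO_MEMORY;
-}
-
-if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
-NULL, NULL,
-&u_sid, &type)) {
-TALLOC_FREE(tmp_ctx);
-return NT_STATUS_NO_SUCH_USER;
-}
-
-TALLOC_FREE(tmp_ctx);
-
-if (type != SID_NAME_USER) {
-return NT_STATUS_NO_SUCH_USER;
-}
-
-if ( !(sampass = samu_new( NULL )) ) {
-return NT_STATUS_NO_MEMORY;
-}
-
-status = samu_set_unix( sampass, pwd );
-if (!NT_STATUS_IS_OK(status)) {
-return status;
-}
-
-/* In pathological cases the above call can set the account
-* name to the DOMAIN\username form. Reset the account name
-* using unix_username */
-pdb_set_username(sampass, unix_username, PDB_SET);
-
-/* set the user sid to be the calculated u_sid */
-pdb_set_user_sid(sampass, &u_sid, PDB_SET);
-
-result = make_server_info(mem_ctx);
+result = make_server_info(tmp_ctx);
 if (result == NULL) {
-TALLOC_FREE(sampass);
-return NT_STATUS_NO_MEMORY;
+status = NT_STATUS_NO_MEMORY;
+goto done;
 }
 
-status = samu_to_SamInfo3(result, sampass, global_myname(),
-&result->info3, &result->extra);
-TALLOC_FREE(sampass);
+status = passwd_to_SamInfo3(result,
+unix_username,
+pwd,
+&result->info3);
 if (!NT_STATUS_IS_OK(status)) {
-DEBUG(10, ("Failed to convert samu to info3: %s\n",
-nt_errstr(status)));
-TALLOC_FREE(result);
-return status;
+goto done;
 }
 
 result->unix_name = talloc_strdup(result, unix_username);
-result->sanitized_username = sanitize_username(result, unix_username);
-
-if ((result->unix_name == NULL)
-|| (result->sanitized_username == NULL)) {
-TALLOC_FREE(result);
-return NT_STATUS_NO_MEMORY;
+if (result->unix_name == NULL) {
+status = NT_STATUS_NO_MEMORY;
+goto done;
 }
 
 result->utok.uid = pwd->pw_uid;
 result->utok.gid = pwd->pw_gid;
 
-*server_info = result;
+*server_info = talloc_steal(mem_ctx, result);
+status = NT_STATUS_OK;
+done:
+talloc_free(tmp_ctx);
 
-return NT_STATUS_OK;
+return status;
 }
 
 static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,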
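Review bot: The removed `result->sanitized_username = sanitize_username(result, unix_username);` has no replacement on the new side, so server infos built through make_server_info_pw() now leave `sanitized_username` NULL, whereas make_server_info_sam() in patch 5 of this series still populates it; unless a later stage fills the field (nothing in the hunk does), readers of it on this path will see NULL. Restoring the assignment right after `unix_name`, with the same NO_MEMORY handling, keeps the two constructors consistent: `result->sanitized_username = sanitize_username(result, unix_username);` followed by `if (result->sanitized_username == NULL) { status = NT_STATUS_NO_MEMORY; goto done; }`. The dropped DEBUG(10, ...) was also the only diagnostic for a failed info3 conversion on this path; a `DEBUG(10, ("passwd_to_SamInfo3 failed for %s: %s\n", unix_username, nt_errstr(status)));` before `goto done` preserves that. Note too that `result->extra`, previously filled by samu_to_SamInfo3(), is no longer passed anywhere; if anything downstream relies on it being set for pure-unix users, that needs a look.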
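--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -529,10 +529,28 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
 }
 } else {
 /*
-* Winbind is not running, create the group_sid from the
-* group id.
+* Winbind is not running, try to create the group_sid from the
+* passwd group id.
+*/
+
+/*
+* This can lead to a primary group of S-1-22-2-XX which
+* will be rejected by other Samba code.
 */
 gid_to_sid(&group_sid, pwd->pw_gid);
+
+ZERO_STRUCT(domain_sid);
+
+/*
+* If we are a unix group, set the group_sid to the
+* 'Domain Users' RID of 513 which will always resolve to a
+* name.
+*/
+if (sid_check_is_in_unix_groups(&group_sid)) {
+sid_compose(&group_sid,
+get_global_sam_sid(),
+DOMAIN_RID_USERS);
+}
 }
 
 /* Make sure we have a valid group sid */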
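Review bot: The added `ZERO_STRUCT(domain_sid);` inside the else branch is dead: `domain_sid` is not read anywhere in this branch, and the version of passwd_to_SamInfo3() introduced in patch 2 zeroes it again immediately before `sid_copy(&domain_sid, &user_sid)` further down (that line is outside this hunk and not touched by it, as far as I can see), so the statement only invites the question of what it protects. Drop it, or move it to where the variable is first used. The rewrite of a S-1-22-2-XX primary group to the local SAM's DOMAIN_RID_USERS also changes the user's primary group without any trace in the logs; a `DEBUG(5, ("Replacing unix primary group %s with Domain Users for %s\n", sid_string_dbg(&group_sid), unix_username));` inside the if-block would make that visible when "Domain Users" membership shows up unexpectedly in a token. The enclosing function begins and ends outside this hunk.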
647 | -- | |
648 | 1.8.5.3 | |
649 | ||
650 | ||
651 | From 7d8da06b8966cfb45ede48ce2be0754fd592ff62 Mon Sep 17 00:00:00 2001 | |
652 | From: Andreas Schneider <asn@samba.org> | |
653 | Date: Tue, 18 Feb 2014 10:02:57 +0100 | |
654 | Subject: [PATCH 5/6] s3-auth: Pass mem_ctx to make_server_info_sam(). | |
655 | ||
656 | Coverity-Id: 1168009 | |
657 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598 | |
658 | ||
659 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
660 | ||
661 | Change-Id: Ie614b0654c3a7eec1ebb10dbb9763696eec795bd | |
662 | Reviewed-by: Andrew Bartlett <abartlet@samba.org> | |
663 | ||
664 | (cherry picked from commit 3dc72266005e87a291f5bf9847257e8c54314d39) | |
665 | --- | |
666 | source3/auth/check_samsec.c | 2 +- | |
667 | source3/auth/proto.h | 5 ++-- | |
668 | source3/auth/server_info_sam.c | 63 +++++++++++++++++++++++++----------------- | |
669 | source3/auth/user_krb5.c | 12 ++++---- | |
670 | 4 files changed, 49 insertions(+), 33 deletions(-) | |
671 | ||
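--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -482,7 +482,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 }
 
 become_root();
-nt_status = make_server_info_sam(server_info, sampass);
+nt_status = make_server_info_sam(mem_ctx, sampass, server_info);
 unbecome_root();
 
 TALLOC_FREE(sampass);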
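--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -133,8 +133,9 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
 DATA_BLOB lm_resp, DATA_BLOB nt_resp);
 bool make_user_info_guest(struct auth_usersupplied_info **user_info) ;
 struct samu;
-NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
-struct samu *sampass);
+NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx,
+struct samu *sampass,
+struct auth_serversupplied_info **pserver_info);
 NTSTATUS create_local_token(struct auth_serversupplied_info *server_info);
 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 bool is_guest,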
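--- a/source3/auth/server_info_sam.c
+++ b/source3/auth/server_info_sam.c
@@ -58,45 +58,54 @@ static bool is_our_machine_account(const char *username)
 Make (and fill) a user_info struct from a struct samu
 ***************************************************************************/
 
-NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
-struct samu *sampass)
+NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx,
+struct samu *sampass,
+struct auth_serversupplied_info **pserver_info)
 {
 struct passwd *pwd;
-struct auth_serversupplied_info *result;
+struct auth_serversupplied_info *server_info;
 const char *username = pdb_get_username(sampass);
+TALLOC_CTX *tmp_ctx;
 NTSTATUS status;
 
-if ( !(result = make_server_info(NULL)) ) {
+tmp_ctx = talloc_stackframe();
+if (tmp_ctx == NULL) {
 return NT_STATUS_NO_MEMORY;
 }
 
-if ( !(pwd = Get_Pwnam_alloc(result, username)) ) {
+server_info = make_server_info(tmp_ctx);
+if (server_info == NULL) {
+status = NT_STATUS_NO_MEMORY;
+goto out;
+}
+
+pwd = Get_Pwnam_alloc(tmp_ctx, username);
+if (pwd == NULL) {
 DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
 pdb_get_username(sampass)));
-TALLOC_FREE(result);
-return NT_STATUS_NO_SUCH_USER;
+status = NT_STATUS_NO_SUCH_USER;
+goto out;
 }
 
-status = samu_to_SamInfo3(result, sampass, global_myname(),
-&result->info3, &result->extra);
+status = samu_to_SamInfo3(server_info,
+sampass,
+global_myname(),
+&server_info->info3,
+&server_info->extra);
 if (!NT_STATUS_IS_OK(status)) {
-TALLOC_FREE(result);
-return status;
+goto out;
 }
 
-result->unix_name = pwd->pw_name;
-/* Ensure that we keep pwd->pw_name, because we will free pwd below */
-talloc_steal(result, pwd->pw_name);
-result->utok.gid = pwd->pw_gid;
-result->utok.uid = pwd->pw_uid;
+server_info->unix_name = talloc_steal(server_info, pwd->pw_name);
 
-TALLOC_FREE(pwd);
+server_info->utok.gid = pwd->pw_gid;
+server_info->utok.uid = pwd->pw_uid;
 
-result->sanitized_username = sanitize_username(result,
-result->unix_name);
-if (result->sanitized_username == NULL) {
-TALLOC_FREE(result);
-return NT_STATUS_NO_MEMORY;
+server_info->sanitized_username = sanitize_username(server_info,
+server_info->unix_name);
+if (server_info->sanitized_username == NULL) {
+status = NT_STATUS_NO_MEMORY;
+goto out;
 }
 
 if (IS_DC && is_our_machine_account(username)) {
@@ -117,9 +126,13 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
 }
 
 DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
-pdb_get_username(sampass), result->unix_name));
+pdb_get_username(sampass), server_info->unix_name));
+
+*pserver_info = talloc_steal(mem_ctx, server_info);
 
-*server_info = result;
+status = NT_STATUS_OK;
+out:
+talloc_free(tmp_ctx);
 
-return NT_STATUS_OK;
+return status;
 }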
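Review bot: The comment explaining why `pw_name` is stolen was dropped along with the old code, and the steal is now even more load-bearing: `pwd` lives on `tmp_ctx`, which `talloc_free(tmp_ctx)` at `out:` releases, so without the steal `server_info->unix_name` would dangle. Restore a one-liner above it, e.g. `/* pwd is freed with tmp_ctx at out:, so take ownership of pw_name here. */`. One thing I cannot check from the hunk: the `IS_DC && is_our_machine_account(username)` block between the two hunks is unchanged and not visible here; if it contains an early `return`, it now bypasses `talloc_free(tmp_ctx)` and leaks the stackframe, so it should be routed through `goto out` like the other exits.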
799 | diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c | |
800 | index 1214b45..1441f88 100644 | |
801 | --- a/source3/auth/user_krb5.c | |
802 | +++ b/source3/auth/user_krb5.c | |
803 | @@ -219,9 +219,6 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx, | |
804 | * SID consistency with ntlmssp session setup | |
805 | */ | |
806 | struct samu *sampass; | |
807 | - /* The stupid make_server_info_XX functions here | |
808 | - don't take a talloc context. */ | |
809 | - struct auth_serversupplied_info *tmp = NULL; | |
810 | ||
811 | sampass = samu_new(talloc_tos()); | |
812 | if (sampass == NULL) { | |
813 | @@ -231,14 +228,19 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx, | |
814 | if (pdb_getsampwnam(sampass, username)) { | |
815 | DEBUG(10, ("found user %s in passdb, calling " | |
816 | "make_server_info_sam\n", username)); | |
817 | - status = make_server_info_sam(&tmp, sampass); | |
818 | + status = make_server_info_sam(mem_ctx, | |
819 | + sampass, | |
820 | + &server_info); | |
821 | } else { | |
822 | /* | |
823 | * User not in passdb, make it up artificially | |
824 | */ | |
825 | DEBUG(10, ("didn't find user %s in passdb, calling " | |
826 | "make_server_info_pw\n", username)); | |
827 | - status = make_server_info_pw(mem_ctx, username, pw, &tmp); | |
828 | + status = make_server_info_pw(mem_ctx, | |
829 | + username, | |
830 | + pw, | |
831 | + &server_info); | |
832 | } | |
833 | TALLOC_FREE(sampass); | |
834 | ||
835 | -- | |
836 | 1.8.5.3 | |
837 | ||
838 | ||
839 | From 77c2d6c08ab3f3894a225a306dbc87f5575a1902 Mon Sep 17 00:00:00 2001 | |
840 | From: Andreas Schneider <asn@samba.org> | |
841 | Date: Tue, 18 Feb 2014 10:19:57 +0100 | |
842 | Subject: [PATCH 6/6] s3-auth: Pass mem_ctx to auth_check_ntlm_password(). | |
843 | ||
844 | Coverity-Id: 1168009 | |
845 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598 | |
846 | ||
847 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
848 | ||
849 | Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a | |
850 | Reviewed-by: Andrew Bartlett <abartlet@samba.org> | |
851 | ||
852 | (cherry picked from commit 4d792db03f18aa164b565c7fdc7b446c174fba28) | |
853 | --- | |
854 | source3/auth/auth.c | 51 ++++++++++++++++++----------- | |
855 | source3/auth/auth_compat.c | 19 ++++++++--- | |
856 | source3/auth/auth_ntlmssp.c | 6 ++-- | |
857 | source3/auth/proto.h | 3 +- | |
858 | source3/auth/user_krb5.c | 7 ++-- | |
859 | source3/include/auth.h | 3 +- | |
860 | source3/rpc_server/netlogon/srv_netlog_nt.c | 6 ++-- | |
861 | source3/smbd/sesssetup.c | 16 +++++---- | |
862 | 8 files changed, 69 insertions(+), 42 deletions(-) | |
863 | ||
864 | diff --git a/source3/auth/auth.c b/source3/auth/auth.c | |
865 | index dbe337f..17431b8 100644 | |
866 | --- a/source3/auth/auth.c | |
867 | +++ b/source3/auth/auth.c | |
868 | @@ -201,19 +201,19 @@ static bool check_domain_match(const char *user, const char *domain) | |
869 | * @return An NTSTATUS with NT_STATUS_OK or an appropriate error. | |
870 | * | |
871 | **/ | |
872 | - | |
873 | -static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, | |
874 | - const struct auth_usersupplied_info *user_info, | |
875 | - struct auth_serversupplied_info **server_info) | |
876 | +static NTSTATUS check_ntlm_password(TALLOC_CTX *mem_ctx, | |
877 | + const struct auth_context *auth_context, | |
878 | + const struct auth_usersupplied_info *user_info, | |
879 | + struct auth_serversupplied_info **pserver_info) | |
880 | { | |
881 | /* if all the modules say 'not for me' this is reasonable */ | |
882 | NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER; | |
883 | const char *unix_username; | |
884 | auth_methods *auth_method; | |
885 | - TALLOC_CTX *mem_ctx; | |
886 | ||
887 | - if (!user_info || !auth_context || !server_info) | |
888 | + if (user_info == NULL || auth_context == NULL || pserver_info == NULL) { | |
889 | return NT_STATUS_LOGON_FAILURE; | |
890 | + } | |
891 | ||
892 | DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", | |
893 | user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name)); | |
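Review bot: The doxygen block ending just above the new signature keeps its `@return` entry but gains no `@param mem_ctx` for the parameter this change adds, and nothing states the ownership rule it introduces: on success `*pserver_info` is stolen onto `mem_ctx` (the `talloc_steal` in the `@@ -271,19 +281,20 @@` hunk). Suggest adding `* @param mem_ctx  talloc context that owns *pserver_info on success` and `* @param pserver_info  receives the server info on NT_STATUS_OK; set to NULL on failure`. The rest of the documentation block sits above the hunk.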
894 | @@ -247,17 +247,27 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, | |
895 | return NT_STATUS_LOGON_FAILURE; | |
896 | ||
897 | for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) { | |
898 | + struct auth_serversupplied_info *server_info; | |
899 | + TALLOC_CTX *tmp_ctx; | |
900 | NTSTATUS result; | |
901 | ||
902 | - mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name, | |
903 | - user_info->mapped.domain_name, user_info->client.account_name); | |
904 | + tmp_ctx = talloc_named(mem_ctx, | |
905 | + 0, | |
906 | + "%s authentication for user %s\\%s", | |
907 | + auth_method->name, | |
908 | + user_info->mapped.domain_name, | |
909 | + user_info->client.account_name); | |
910 | ||
911 | - result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); | |
912 | + result = auth_method->auth(auth_context, | |
913 | + auth_method->private_data, | |
914 | + tmp_ctx, | |
915 | + user_info, | |
916 | + &server_info); | |
917 | ||
918 | /* check if the module did anything */ | |
919 | if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) { | |
920 | DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name)); | |
921 | - talloc_destroy(mem_ctx); | |
922 | + TALLOC_FREE(tmp_ctx); | |
923 | continue; | |
924 | } | |
925 | ||
926 | @@ -271,19 +281,20 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, | |
927 | auth_method->name, user_info->client.account_name, nt_errstr(nt_status))); | |
928 | } | |
929 | ||
930 | - talloc_destroy(mem_ctx); | |
931 | - | |
932 | - if ( NT_STATUS_IS_OK(nt_status)) | |
933 | - { | |
934 | - break; | |
935 | + if (NT_STATUS_IS_OK(nt_status)) { | |
936 | + *pserver_info = talloc_steal(mem_ctx, server_info); | |
937 | + TALLOC_FREE(tmp_ctx); | |
938 | + break; | |
939 | } | |
940 | + | |
941 | + TALLOC_FREE(tmp_ctx); | |
942 | } | |
943 | ||
944 | /* successful authentication */ | |
945 | ||
946 | if (NT_STATUS_IS_OK(nt_status)) { | |
947 | - unix_username = (*server_info)->unix_name; | |
948 | - if (!(*server_info)->guest) { | |
949 | + unix_username = (*pserver_info)->unix_name; | |
950 | + if (!(*pserver_info)->guest) { | |
951 | /* We might not be root if we are an RPC call */ | |
952 | become_root(); | |
953 | nt_status = smb_pam_accountcheck( | |
954 | @@ -301,9 +312,9 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, | |
955 | } | |
956 | ||
957 | if (NT_STATUS_IS_OK(nt_status)) { | |
958 | - DEBUG((*server_info)->guest ? 5 : 2, | |
959 | + DEBUG((*pserver_info)->guest ? 5 : 2, | |
960 | ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n", | |
961 | - (*server_info)->guest ? "guest " : "", | |
962 | + (*pserver_info)->guest ? "guest " : "", | |
963 | user_info->client.account_name, | |
964 | user_info->mapped.account_name, | |
965 | unix_username)); | |
966 | @@ -317,7 +328,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, | |
967 | DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", | |
968 | user_info->client.account_name, user_info->mapped.account_name, | |
969 | nt_errstr(nt_status))); | |
970 | - ZERO_STRUCTP(server_info); | |
971 | + ZERO_STRUCTP(pserver_info); | |
972 | ||
973 | return nt_status; | |
974 | } | |
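Review bot: On the path where a module succeeded but `smb_pam_accountcheck()` (hunk `@@ -271,19 +281,20 @@`) appears to fail and fall through to this exit, `*pserver_info` has already been stolen onto the caller's `mem_ctx`; `ZERO_STRUCTP(pserver_info)` only NULLs the caller's pointer, so the token-bearing `auth_serversupplied_info` stays alive on `mem_ctx` until that context is released. Because `*pserver_info` may be uninitialised by the caller on the no-module-matched path, zeroing here is right, but the PAM-failure branch, where the pointer is known valid, should release it explicitly with `TALLOC_FREE(*pserver_info);` before reaching this point.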
975 | diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c | |
976 | index 0ae712a..d51c96f 100644 | |
977 | --- a/source3/auth/auth_compat.c | |
978 | +++ b/source3/auth/auth_compat.c | |
979 | @@ -35,7 +35,8 @@ check if a username/password is OK assuming the password is in plaintext | |
980 | return True if the password is correct, False otherwise | |
981 | ****************************************************************************/ | |
982 | ||
983 | -NTSTATUS check_plaintext_password(const char *smb_name, | |
984 | +NTSTATUS check_plaintext_password(TALLOC_CTX *mem_ctx, | |
985 | + const char *smb_name, | |
986 | DATA_BLOB plaintext_blob, | |
987 | struct auth_serversupplied_info **server_info) | |
988 | { | |
989 | @@ -59,8 +60,10 @@ NTSTATUS check_plaintext_password(const char *smb_name, | |
990 | return NT_STATUS_NO_MEMORY; | |
991 | } | |
992 | ||
993 | - nt_status = plaintext_auth_context->check_ntlm_password(plaintext_auth_context, | |
994 | - user_info, server_info); | |
995 | + nt_status = plaintext_auth_context->check_ntlm_password(mem_ctx, | |
996 | + plaintext_auth_context, | |
997 | + user_info, | |
998 | + server_info); | |
999 | ||
1000 | TALLOC_FREE(plaintext_auth_context); | |
1001 | free_user_info(&user_info); | |
1002 | @@ -84,7 +87,10 @@ static NTSTATUS pass_check_smb(struct auth_context *actx, | |
1003 | domain, | |
1004 | lm_pwd, | |
1005 | nt_pwd); | |
1006 | - nt_status = actx->check_ntlm_password(actx, user_info, &server_info); | |
1007 | + nt_status = actx->check_ntlm_password(talloc_tos(), | |
1008 | + actx, | |
1009 | + user_info, | |
1010 | + &server_info); | |
1011 | free_user_info(&user_info); | |
1012 | TALLOC_FREE(server_info); | |
1013 | return nt_status; | |
1014 | @@ -127,7 +133,10 @@ bool password_ok(struct auth_context *actx, bool global_encrypted, | |
1015 | } | |
1016 | } else { | |
1017 | struct auth_serversupplied_info *server_info = NULL; | |
1018 | - NTSTATUS nt_status = check_plaintext_password(smb_name, password_blob, &server_info); | |
1019 | + NTSTATUS nt_status = check_plaintext_password(talloc_tos(), | |
1020 | + smb_name, | |
1021 | + password_blob, | |
1022 | + &server_info); | |
1023 | TALLOC_FREE(server_info); | |
1024 | if (NT_STATUS_IS_OK(nt_status)) { | |
1025 | return True; | |
1026 | diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c | |
1027 | index ae29c30..097501c 100644 | |
1028 | --- a/source3/auth/auth_ntlmssp.c | |
1029 | +++ b/source3/auth/auth_ntlmssp.c | |
1030 | @@ -143,8 +143,10 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, | |
1031 | ||
1032 | user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT; | |
1033 | ||
1034 | - nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context, | |
1035 | - user_info, &auth_ntlmssp_state->server_info); | |
1036 | + nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(mem_ctx, | |
1037 | + auth_ntlmssp_state->auth_context, | |
1038 | + user_info, | |
1039 | + &auth_ntlmssp_state->server_info); | |
1040 | ||
1041 | username_was_mapped = user_info->was_mapped; | |
1042 | ||
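Review bot: The result is now parented on `mem_ctx`, presumably the caller-supplied per-call context of `auth_ntlmssp_check_password()`, yet it is stored in the long-lived `auth_ntlmssp_state->server_info`; once `mem_ctx` is released the stored pointer either dangles or is freed a second time by the state's own cleanup. The owner should be the structure that retains the pointer: `check_ntlm_password(auth_ntlmssp_state, auth_ntlmssp_state->auth_context, user_info, &auth_ntlmssp_state->server_info);`. The later `PATCHSET1: Allocate server_info on the correct memory context` patch in this series makes exactly that change, citing a talloc double free PANIC, so it could be folded into this commit. The enclosing function begins outside the hunk.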
1043 | diff --git a/source3/auth/proto.h b/source3/auth/proto.h | |
1044 | index e6830aa..fccabc4 100644 | |
1045 | --- a/source3/auth/proto.h | |
1046 | +++ b/source3/auth/proto.h | |
1047 | @@ -50,7 +50,8 @@ NTSTATUS auth_builtin_init(void); | |
1048 | ||
1049 | /* The following definitions come from auth/auth_compat.c */ | |
1050 | ||
1051 | -NTSTATUS check_plaintext_password(const char *smb_name, | |
1052 | +NTSTATUS check_plaintext_password(TALLOC_CTX *mem_ctx, | |
1053 | + const char *smb_name, | |
1054 | DATA_BLOB plaintext_password, | |
1055 | struct auth_serversupplied_info **server_info); | |
1056 | bool password_ok(struct auth_context *actx, bool global_encrypted, | |
1057 | diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c | |
1058 | index 1441f88..1e5254e 100644 | |
1059 | --- a/source3/auth/user_krb5.c | |
1060 | +++ b/source3/auth/user_krb5.c | |
1061 | @@ -230,7 +230,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx, | |
1062 | "make_server_info_sam\n", username)); | |
1063 | status = make_server_info_sam(mem_ctx, | |
1064 | sampass, | |
1065 | - &server_info); | |
1066 | + server_info); | |
1067 | } else { | |
1068 | /* | |
1069 | * User not in passdb, make it up artificially | |
1070 | @@ -240,7 +240,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx, | |
1071 | status = make_server_info_pw(mem_ctx, | |
1072 | username, | |
1073 | pw, | |
1074 | - &server_info); | |
1075 | + server_info); | |
1076 | } | |
1077 | TALLOC_FREE(sampass); | |
1078 | ||
1079 | @@ -250,9 +250,6 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx, | |
1080 | return status; | |
1081 | } | |
1082 | ||
1083 | - /* Steal tmp server info into the server_info pointer. */ | |
1084 | - *server_info = talloc_move(mem_ctx, &tmp); | |
1085 | - | |
1086 | /* make_server_info_pw does not set the domain. Without this | |
1087 | * we end up with the local netbios name in substitutions for | |
1088 | * %D. */ | |
1089 | diff --git a/source3/include/auth.h b/source3/include/auth.h | |
1090 | index c017da9..b0ac11a 100644 | |
1091 | --- a/source3/include/auth.h | |
1092 | +++ b/source3/include/auth.h | |
1093 | @@ -89,7 +89,8 @@ struct auth_context { | |
1094 | ||
1095 | NTSTATUS (*get_ntlm_challenge)(struct auth_context *auth_context, | |
1096 | uint8_t chal[8]); | |
1097 | - NTSTATUS (*check_ntlm_password)(const struct auth_context *auth_context, | |
1098 | + NTSTATUS (*check_ntlm_password)(TALLOC_CTX *mem_ctx, | |
1099 | + const struct auth_context *auth_context, | |
1100 | const struct auth_usersupplied_info *user_info, | |
1101 | struct auth_serversupplied_info **server_info); | |
1102 | NTSTATUS (*nt_status_squash)(NTSTATUS nt_status); | |
1103 | diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c | |
1104 | index 3fd93bc..1cf04df 100644 | |
1105 | --- a/source3/rpc_server/netlogon/srv_netlog_nt.c | |
1106 | +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c | |
1107 | @@ -1563,8 +1563,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, | |
1108 | } /* end switch */ | |
1109 | ||
1110 | if ( NT_STATUS_IS_OK(status) ) { | |
1111 | - status = auth_context->check_ntlm_password(auth_context, | |
1112 | - user_info, &server_info); | |
1113 | + status = auth_context->check_ntlm_password(p->mem_ctx, | |
1114 | + auth_context, | |
1115 | + user_info, | |
1116 | + &server_info); | |
1117 | } | |
1118 | ||
1119 | TALLOC_FREE(auth_context); | |
1120 | diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c | |
1121 | index 75c2a15..2a40e1b 100644 | |
1122 | --- a/source3/smbd/sesssetup.c | |
1123 | +++ b/source3/smbd/sesssetup.c | |
1124 | @@ -140,7 +140,8 @@ static void reply_sesssetup_blob(struct smb_request *req, | |
1125 | Do a 'guest' logon, getting back the | |
1126 | ****************************************************************************/ | |
1127 | ||
1128 | -static NTSTATUS check_guest_password(struct auth_serversupplied_info **server_info) | |
1129 | +static NTSTATUS check_guest_password(TALLOC_CTX *mem_ctx, | |
1130 | + struct auth_serversupplied_info **server_info) | |
1131 | { | |
1132 | struct auth_context *auth_context; | |
1133 | struct auth_usersupplied_info *user_info = NULL; | |
1134 | @@ -150,7 +151,7 @@ static NTSTATUS check_guest_password(struct auth_serversupplied_info **server_in | |
1135 | ||
1136 | DEBUG(3,("Got anonymous request\n")); | |
1137 | ||
1138 | - nt_status = make_auth_context_fixed(talloc_tos(), &auth_context, chal); | |
1139 | + nt_status = make_auth_context_fixed(mem_ctx, &auth_context, chal); | |
1140 | if (!NT_STATUS_IS_OK(nt_status)) { | |
1141 | return nt_status; | |
1142 | } | |
1143 | @@ -160,9 +161,10 @@ static NTSTATUS check_guest_password(struct auth_serversupplied_info **server_in | |
1144 | return NT_STATUS_NO_MEMORY; | |
1145 | } | |
1146 | ||
1147 | - nt_status = auth_context->check_ntlm_password(auth_context, | |
1148 | - user_info, | |
1149 | - server_info); | |
1150 | + nt_status = auth_context->check_ntlm_password(mem_ctx, | |
1151 | + auth_context, | |
1152 | + user_info, | |
1153 | + server_info); | |
1154 | TALLOC_FREE(auth_context); | |
1155 | free_user_info(&user_info); | |
1156 | return nt_status; | |
1157 | @@ -1609,7 +1611,7 @@ void reply_sesssetup_and_X(struct smb_request *req) | |
1158 | ||
1159 | if (!*user) { | |
1160 | ||
1161 | - nt_status = check_guest_password(&server_info); | |
1162 | + nt_status = check_guest_password(talloc_tos(), &server_info); | |
1163 | ||
1164 | } else if (doencrypt) { | |
1165 | struct auth_context *negprot_auth_context = NULL; | |
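Review bot: `check_guest_password(talloc_tos(), &server_info)` parents the resulting `server_info` on the current stackframe, as do the `talloc_tos()` arguments added in the two following hunks (`@@ -1627,6 +1629,7 @@` and `@@ -1651,6 +1654,7 @@`); that object has to be moved onto the session/vuid owner before `reply_sesssetup_and_X()` returns, which happens outside these hunks and is worth confirming. If the move is already there, a short comment at the first call would make the handoff visible: `/* server_info lives on talloc_tos() until it is moved into the session below */`. The enclosing function begins and ends outside the hunk.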
1166 | @@ -1627,6 +1629,7 @@ void reply_sesssetup_and_X(struct smb_request *req) | |
1167 | lm_resp, nt_resp); | |
1168 | if (NT_STATUS_IS_OK(nt_status)) { | |
1169 | nt_status = negprot_auth_context->check_ntlm_password( | |
1170 | + talloc_tos(), | |
1171 | negprot_auth_context, | |
1172 | user_info, | |
1173 | &server_info); | |
1174 | @@ -1651,6 +1654,7 @@ void reply_sesssetup_and_X(struct smb_request *req) | |
1175 | ||
1176 | if (NT_STATUS_IS_OK(nt_status)) { | |
1177 | nt_status = plaintext_auth_context->check_ntlm_password( | |
1178 | + talloc_tos(), | |
1179 | plaintext_auth_context, | |
1180 | user_info, | |
1181 | &server_info); | |
1182 | -- | |
1183 | 1.8.5.3 | |
1184 | ||
1185 | From f07614228629e650b0e0a27dd4d15b6e5eef5baa Mon Sep 17 00:00:00 2001 | |
1186 | From: Andreas Schneider <asn@samba.org> | |
1187 | Date: Wed, 28 May 2014 15:12:29 +0200 | |
1188 | Subject: [PATCH 18/20] PATCHSET1: Allocate server_info on the correct memory | |
1189 | context. | |
1190 | ||
1191 | This fixes a talloc double free PANIC when connecting to a share. | |
1192 | ||
1193 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
1194 | --- | |
1195 | source3/auth/auth_ntlmssp.c | 2 +- | |
1196 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
1197 | ||
1198 | diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c | |
1199 | index 097501c..3c7e324 100644 | |
1200 | --- a/source3/auth/auth_ntlmssp.c | |
1201 | +++ b/source3/auth/auth_ntlmssp.c | |
1202 | @@ -143,7 +143,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, | |
1203 | ||
1204 | user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT; | |
1205 | ||
1206 | - nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(mem_ctx, | |
1207 | + nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state, | |
1208 | auth_ntlmssp_state->auth_context, | |
1209 | user_info, | |
1210 | &auth_ntlmssp_state->server_info); | |
1211 | -- | |
1212 | 1.9.0 | |
1213 | ||
1214 | commit 0c6838663d42a04a80e25a8a3827710926952077 | |
1215 | Author: Andreas Schneider <asn@samba.org> | |
1216 | AuthorDate: Wed Jul 2 16:39:22 2014 +0200 | |
1217 | Commit: Andreas Schneider <asn@samba.org> | |
1218 | CommitDate: Wed Jul 2 16:47:43 2014 +0200 | |
1219 | ||
1220 | PATCHSET1 s3-auth: Do not double free the result. | |
1221 | ||
1222 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
1223 | Reviewed-by: Guenther Deschner <gd@samba.org> | |
1224 | --- | |
1225 | source3/auth/auth_util.c | 4 ---- | |
1226 | 1 file changed, 4 deletions(-) | |
1227 | ||
1228 | diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c | |
1229 | index 5ffdb25f..1f1fed9 100644 | |
1230 | --- a/source3/auth/auth_util.c | |
1231 | +++ b/source3/auth/auth_util.c | |
1232 | @@ -883,10 +883,6 @@ NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx, | |
1233 | *presult = talloc_steal(mem_ctx, result); | |
1234 | done: | |
1235 | talloc_free(tmp_ctx); | |
1236 | - if (!NT_STATUS_IS_OK(status)) { | |
1237 | - TALLOC_FREE(result); | |
1238 | - return status; | |
1239 | - } | |
1240 | ||
1241 | return status; | |
1242 | } | |
1243 | commit 879e576d439fddf33ab2353b4a54ccd162020a03 | |
1244 | Author: Andreas Schneider <asn@samba.org> | |
1245 | AuthorDate: Tue Jul 8 10:26:51 2014 +0200 | |
1246 | Commit: Andreas Schneider <asn@samba.org> | |
1247 | CommitDate: Tue Jul 8 17:08:10 2014 +0200 | |
1248 | ||
1249 | PATCHSET1 s3-auth: Fix support for 'security = share' in passwd_to_SamInfo3(). | |
1250 | ||
1251 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
1252 | --- | |
1253 | source3/auth/server_info.c | 19 ++++++++++++++++--- | |
1254 | 1 file changed, 16 insertions(+), 3 deletions(-) | |
1255 | ||
1256 | diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c | |
1257 | index 077bb6b..e627892 100644 | |
1258 | --- a/source3/auth/server_info.c | |
1259 | +++ b/source3/auth/server_info.c | |
1260 | @@ -575,9 +575,21 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, | |
1261 | ||
1262 | ZERO_STRUCT(domain_sid); | |
1263 | ||
1264 | - sid_copy(&domain_sid, &user_sid); | |
1265 | - sid_split_rid(&domain_sid, &info3->base.rid); | |
1266 | - info3->base.domain_sid = dom_sid_dup(info3, &domain_sid); | |
1267 | + /* | |
1268 | + * Check if this is a "Unix Users" domain user, | |
1269 | + * we need to handle it in a special way if that's the case. | |
1270 | + */ | |
1271 | + if (sid_check_is_in_unix_users(&user_sid)) { | |
1272 | + /* | |
1273 | + * In info3 you can only set rids for the user and the | |
1274 | + * primary group, and the domain sid must be that of | |
1275 | + * the sam domain. | |
1276 | + */ | |
1277 | + sid_copy(&domain_sid, get_global_sam_sid()); | |
1278 | + } else { | |
1279 | + sid_copy(&domain_sid, &user_sid); | |
1280 | + sid_split_rid(&domain_sid, &info3->base.rid); | |
1281 | + } | |
1282 | ||
1283 | ok = sid_peek_check_rid(&domain_sid, &group_sid, | |
1284 | &info3->base.primary_gid); | |
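Review bot: In the `sid_check_is_in_unix_users()` branch `info3->base.rid` is never assigned, while the `else` branch sets it through `sid_split_rid()`; the new comment explains why the Unix Users SID cannot be expressed as a RID of the SAM domain, but the field's resulting value then depends on how `info3` was allocated above this hunk. Extending the comment to say so, e.g. `* the domain SID of the SAM domain; base.rid is deliberately left at its initial value for Unix Users accounts.`, and confirming the allocation zero-fills it would close the gap. The following `sid_peek_check_rid(&domain_sid, &group_sid, ...)` now tests the primary group against the SAM domain SID for these accounts; if their primary group SID is not in that domain the call fails and the function exits via `done`, which may or may not be intended. `passwd_to_SamInfo3()` begins outside the hunk.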
1285 | @@ -592,6 +604,7 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, | |
1286 | goto done; | |
1287 | } | |
1288 | ||
1289 | + info3->base.domain_sid = dom_sid_dup(info3, &domain_sid); | |
1290 | info3->base.acct_flags = ACB_NORMAL; | |
1291 | ||
1292 | if (num_sids) { |
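Review bot: `info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);` is not checked for NULL even though `dom_sid_dup` allocates on `info3`, and the function already has a `done:` exit two lines above for the failing `sid_peek_check_rid` case. Add a check after the assignment that sets the function's status to `NT_STATUS_NO_MEMORY` and does `goto done;`, mirroring the existing failure path. The function continues outside the hunk.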