s3: Fall back to raw NTLMSSP for the gss-spnego protocol
This is to handle the mod_auth_ntlm_winbind protocol
sending "Negotiate" to IE, which sends raw NTLMSSP
instead of a SPNEGO wrapped NTLMSSP blob.
(cherry picked from commit 70ab7eb5303a5ff058939541dd5bc1f81113a48e)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Sat, 13 Nov 2010 17:03:25 +0000 (18:03 +0100)]
s3: Fix "force group" with ntlmssp guest session setup
This one is subtle: Set "force group = <somegroup>" together with "guest ok =
yes". Then try "smbclient //server/share -U%". Works. Then try to connect to
the same share from Windows 2003 using an anonymous connection. Breaks with
make_connection: connection to share denied due to security descriptor
although the share_info.tdb is empty. I've seen reports of this on the lists,
but I could never ever nail it until a customer gave me access to such a box.
What happens? With an empty share_info.tdb we create a security descriptor
allow everything to the world. The problem with the above parameter combination
is that S-1-1-0 (World) is lost in the token. When you look at the callers of
create_local_token, they are only called if the preceding check_ntlm_password
did not create server_info->ptok. Not so with the one in auth_ntlmssp.c. So, if
we get a NTLMSSP session setup with user="", domain="", pass="" we call
create_local_token even though check_guest_security() via
make_server_info_guest() has already correctly done so. In this case
create_local_token puts S-1-1-0 into user_sids[1], which is supposed to be the
primary group sid of the user logging in. "force group" then overwrites this ->
the world is gone -> "denied due to security descriptor".
Why don't you see it with smbclient -U% (anonymous connection)? smbclient does
not use ntlmssp for anon session setup.
Volker Lendecke [Thu, 18 Nov 2010 12:28:47 +0000 (13:28 +0100)]
s3: Make winbind recover from a signing error
When winbind sees a signing error on the smb connection to a DC (for whatever
reason, our bug, network glitch, etc) it should recover properly. The "old"
code in clientgen.c just closed the socket in this case. This is the right
thing to do, this connection is spoiled anyway. The new, async code did not do
this so far, which led to the code in winbindd_cm.c not detect that we need to
reconnect.
Fix bug #7800 (winbind does not recover from smb signing errors).
Jeremy Allison [Tue, 23 Nov 2010 22:21:25 +0000 (14:21 -0800)]
Fix bug #7812 - vfs_acl_xattr/vfs_acl_tdb: ACL inheritance cannot be disabled
We were losing the incoming security descriptor revision number and
most importantly the "type" field as sent by the client. Ensure we
correctly store these in the xattr object.
Jeremy Allison [Sat, 23 Oct 2010 00:28:58 +0000 (17:28 -0700)]
Add acl_xattr:ignore system acls boolean (normally false) to allow Samba ACL module to ignore mapping to lower POSIX layer. With this fix Samba 3.6.x now passes RAW-ACLs (with certain smb.conf parameters set).
Jeremy Allison [Fri, 15 Oct 2010 20:30:07 +0000 (13:30 -0700)]
Fix bug #7733 - Invalid client DOS attributes on create can cause incorrect unix mode_t to be generated.
It turns out a client can send an NTCreateX call for a new file, but specify
FILE_ATTRIBUTE_DIRECTORY in the attribute list. Windows silently strips this,
but we don't - causing the unix_mode() function to go through the "mode bits
for new directory" codepath, instead of the "mode bits for new file" codepath.
Jeremy Allison [Tue, 23 Nov 2010 19:16:31 +0000 (11:16 -0800)]
Fix bug #7785 - atime limit.
On a 64-bit time_t system make MAX_TIME_T the max value that
can be represented in a struct tm. This allows applications to
set times in the future beyond the 32-bit time_t limit (2037).
This is only in source3/configure.in, needs adding to the waf
configure/build system (but I'll need help with that).
Jeremy Allison [Thu, 11 Nov 2010 17:44:21 +0000 (09:44 -0800)]
Fix bug #7791 - gvfsd-smb (Gnome vfs) fails to copy files from a SMB share using SMB signing.
The underlying problem is that the old code invoked by cli_write() increments
cli->mid directly when issuing outstanding writes. This should now be done only
in libsmb/clientgen.c to make metze's new signing engine works correctly. Just
deleting this code fixes the problem.
Jeremy Allison [Wed, 20 Oct 2010 20:58:15 +0000 (13:58 -0700)]
Fix bug #7744 - "dfree cache time" doesn't work.
There is a bug in processing the dfree cache time, which is associated with the
smbd idle timer. The idle timer call conn_idle_all(), which updates the
conn->lastused timestamp. The dfree cache time code in smbd/dfree.c depends on
conn->lastused being up to date to refresh the cached dfree value.
Unfortunately the conn_idle_all() returns early if any of the connection
structs is not idle, never updating any further conn->lastused timestamps. If
(as is common due to an IPC$ connection) there are more than one used
connection struct, then the conn->lastused timestamps after the IPC$ connection
in the connection list will never be updated.
Ensure we always update conn->lastused for all connections when calling
conn_idle_all().
Jeremy Allison [Wed, 20 Oct 2010 18:22:57 +0000 (11:22 -0700)]
Fix bug #7743 - Inconsistent use of system name lookup can cause a domain joined machine to fail to find users.
Ensure all username lookups go through Get_Pwnam_alloc(), which is the
correct wrapper function. We were using it *some* of the time anyway,
so this just makes us properly consistent.
Jeremy Allison [Thu, 7 Oct 2010 21:26:13 +0000 (14:26 -0700)]
Fix bug 7716 - acl_xattr and acl_tdb modules don't store unmodified copies of security descriptors.
As pointed out by an OEM, the code within smbd/posix_acl.c, even though passed
a const pointer to a security descriptor, still modifies the ACE entries within
it (which are not const pointers).
This means ACLs stored in the extended attribute by the acl_xattr module have
already been modified by the POSIX acl layer, and are not the original intent
of storing the "unmodified" ACL from the client.
Use dup_sec_desc to make a copy of the incoming ACL on talloc_tos() - that
is what is then modified inside smbd/posix_acl.c, leaving the original ACL
to be correctly stored in the xattr.
Volker Lendecke [Sat, 2 Oct 2010 09:50:26 +0000 (11:50 +0200)]
s3: Attempt to fix bug 7665
Quite a few of our internal routines put stuff on talloc_tos() these days.
In top-level netapi routines, properly allocate a stackframe and clean it
again. Also, don't leak memory in the rpccli_ callers onto the libnetapi
context.
Jeremy Allison [Sun, 26 Sep 2010 11:59:31 +0000 (04:59 -0700)]
Fix bug 7694 - Crash bug with invalid SPNEGO token.
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
as we indirect the first returned value OIDs[0], which is returned as NULL.
s3: Fix bug 7688, rpcclient command line completion crashing
We've grown more than 100 rpcclient commands by now, so this would overwrite
the array of 100 completions. There's nicer ways to fix this problem, but 1000
rpcclient commands should be at least a bit away.
s3:smbd: Align change notify replies on 4-byte boundary
MS-CIFS section 2.2.7.4.2 states this is mandatory. WinXP clients
don't seem to care, but a Win7 client will send an immediate Close()
to the directory handle when receiving an incorrectly aligned
change notify response.
Fix bug #7662 (Change notify replies must be aligned on 4-byte boundary for
Win7.)
Volker Lendecke [Mon, 10 May 2010 10:05:01 +0000 (12:05 +0200)]
libwbclient: Fix a fd-leak at dlclose-time
__attribute__((destructor)) makes winbind_close_sock() being called at
dlclose() time.
Found while testing apache on Linux with mod_auth_pam.
Other platforms will have to find a different fix. One possibility would be to
always close the socket after each operation, but this badly sucks
performance-wise.
Jeremy Allison [Thu, 9 Sep 2010 13:54:23 +0000 (15:54 +0200)]
Fix bug #7669.
Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).
CVE-2010-3069:
===========
Description
===========
All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.
A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
(cherry picked from commit a34c3e999bb1ea61da31c5b3e845b19663039358)
The issue with using talloc_move here is that users of that function in winbind
will only be able to have two schanneled connections, as the cached schannel
credentials pointer from the netlogon pipe will be set to NULL. Do a deep copy
of the struct instead.
Björn Jacke [Thu, 12 Aug 2010 14:18:45 +0000 (16:18 +0200)]
s3: fall back to cups-config for underlinked libs
some OpenBSD systems have underlinked cups libraries. If linking against cups
alone fails, try to link against all the cups-config --libs cruft, which we
usually don't want. (bugzila #7244)
(cherry picked from commit 616e187d68e3e7b202413a96518b31d029e9563a)
Jeremy Allison [Thu, 29 Jul 2010 20:44:35 +0000 (13:44 -0700)]
Fix bug #7589 - ntlm_auth fails to use cached credentials.
In handling the WINBINDD_PAM_AUTH message winbindd canonicalizes a *copy*
of the mapped username, but fails to canonicalize the actual username
sent to the backend domain process. When "winbind default domain"
is set this can lead to credentials being cached with an index of
user: user, not DOMAIN\user. All other code paths that use
canonicalize_username() (WINBINDD_PAM_CHAUTHTOK, WINBINDD_PAM_LOGOFF)
correctly canonicalize the data sent to the backend. All calls
the can cause credentials to be looked up (PAM_CHAUTHTOK etc.)
correctly call canonicalize_username() to create the credential
lookup key.
Jeremy Allison [Tue, 27 Jul 2010 08:54:01 +0000 (01:54 -0700)]
Fix bug 7590 - offline login fails because winbind deletes cache on every startup.
Sync lib/tdb_validate.c with the change in current master.
Change tdb_validate_open() to always use O_RDWR instead of O_RDONLY,
as (from the bug report): "db_check() will always return failure for a read-only database.
Silently, without any log output, when _tdb_lockall() fails."
s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel.
This is an important fix as the following could and is happening:
* winbind authenticates a user via schannel secured netlogon samlogonex call,
current secure channel cred state is stored in winbind state, winbind
sucessfully decrypts session key from the info3
* winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the
secure channel on the dc)
* subsequent samlogonex calls use the new secure channel creds on the dc to
encrypt info3 session key, while winbind tries to use old schannel creds for
decryption
s3-librpc: Fixed GUID_from_data_blob() with length of 32.
If we hit the case that the blob length is 32. The code goes to the end
of the function and generates a GUID with garbage.
So try to convert the blob to the GUID and return.
Fix bug #7538 (Backport fixes for GUID_from_data_blob).
projects / thirdparty / samba.git / log
