From 17520c7143ad9c22c45d161823cf57edb9c01406 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 23 Mar 2015 10:00:51 +0000 Subject: [PATCH 1/2] BUG11130: s4:kdc:db-glue: allow TGS for computer@EXAMPLE.COM This is only possible if computer@EXAMPLE.COM is unique, if a user 'computer' exists it's not possible. Bug: https://bugzilla.samba.org/show_bug.cgi?id=11130 --- source4/kdc/db-glue.c | 41 ++++++++++++++++++++++++++++++++++------- 1 file changed, 34 insertions(+), 7 deletions(-) diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index edee0aa..a2c0ca2 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -1651,6 +1651,9 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context, int lret; char *short_princ; krb5_principal enterprise_prinicpal = NULL; + char *name1 = NULL; + size_t len1 = 0; + char *filter = NULL; if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_ENTERPRISE_PRINCIPAL) { char *str = NULL; 
@@ -1691,24 +1694,48 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context, return ret; } + name1 = ldb_binary_encode_string(mem_ctx, short_princ); + SAFE_FREE(short_princ); + if (name1 == NULL) { + return ENOMEM; + } + len1 = strlen(name1); + if (len1 >= 1 && name1[len1 - 1] != '$') { + filter = talloc_asprintf(mem_ctx, + "(&(objectClass=user)(|(samAccountName=%s)(samAccountName=%s$))", + name1, name1); + if (filter == NULL) { + return ENOMEM; + } + } else { + filter = talloc_asprintf(mem_ctx, + "(&(objectClass=user)(samAccountName=%s))", + name1); + if (filter == NULL) { + return ENOMEM; + } + } + lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg, *realm_dn, LDB_SCOPE_SUBTREE, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG, - "(&(objectClass=user)(samAccountName=%s))", - ldb_binary_encode_string(mem_ctx, short_princ)); + "%s", filter); if (lret == LDB_ERR_NO_SUCH_OBJECT) { - DEBUG(3, ("Failed to find an entry for %s\n", short_princ)); - free(short_princ); + DEBUG(3, ("Failed to find an entry for %s filter:%s\n", + name1, filter)); + return HDB_ERR_NOENTRY; + } + if (lret == LDB_ERR_CONSTRAINT_VIOLATION) { + DEBUG(3, ("Failed to find unique entry for %s filter:%s\n", + name1, filter)); return HDB_ERR_NOENTRY; } if (lret != LDB_SUCCESS) { DEBUG(3, ("Failed single search for %s - %s\n", - short_princ, ldb_errstring(kdc_db_ctx->samdb))); - free(short_princ); + name1, ldb_errstring(kdc_db_ctx->samdb))); return HDB_ERR_NOENTRY; } - free(short_princ); return 0; } return HDB_ERR_NOENTRY; -- 1.9.1 From 128877cd077ec6beb4838acda552929732b10c55 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 23 Mar 2015 22:10:02 +0000 Subject: [PATCH 2/2] BUG11130: samba4.rpc.lsa.secrets on %s with Kerberos - netbios name principal TODO --- source4/selftest/tests.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 17d0158..39f5204 100755 --- a/source4/selftest/tests.py 
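Review bot: The combined `(|(samAccountName=NAME)(samAccountName=NAME$))` filter regresses lookups for an existing user NAME as soon as a computer account NAME$ also exists: `dsdb_search_one` then returns LDB_ERR_CONSTRAINT_VIOLATION and the new branch maps that to HDB_ERR_NOENTRY for both accounts, whereas before this change the user resolved uniquely. The commit message only says the computer lookup is not possible in that case; it does not mention that the user lookup stops working too, and if NAME$ can be created by a less-privileged principal this presumably becomes an availability concern, so that is worth confirming. A safer shape is to run the exact-name search first and only fall back to the `%s$` variant when it returned LDB_ERR_NO_SUCH_OBJECT, which keeps the old behaviour for every existing user and still enables the computer@REALM case; the duplicated `if (filter == NULL) return ENOMEM;` then also collapses into one check. samba_kdc_lookup_server starts before this hunk and its closing brace is not visible here.
```c
	name1 = ldb_binary_encode_string(mem_ctx, short_princ);
	SAFE_FREE(short_princ);
	if (name1 == NULL) {
		return ENOMEM;
	}
	len1 = strlen(name1);

	/* Exact match first so an existing user is never shadowed by NAME$. */
	filter = talloc_asprintf(mem_ctx,
				 "(&(objectClass=user)(samAccountName=%s))",
				 name1);
	if (filter == NULL) {
		return ENOMEM;
	}
	lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg, *realm_dn,
			       LDB_SCOPE_SUBTREE, attrs,
			       DSDB_SEARCH_SHOW_EXTENDED_DN |
			       DSDB_SEARCH_NO_GLOBAL_CATALOG,
			       "%s", filter);
	if (lret == LDB_ERR_NO_SUCH_OBJECT &&
	    len1 >= 1 && name1[len1 - 1] != '$') {
		/* Only when no user matched, try the computer account NAME$. */
		filter = talloc_asprintf(mem_ctx,
					 "(&(objectClass=user)(samAccountName=%s$))",
					 name1);
		if (filter == NULL) {
			return ENOMEM;
		}
		lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg, *realm_dn,
				       LDB_SCOPE_SUBTREE, attrs,
				       DSDB_SEARCH_SHOW_EXTENDED_DN |
				       DSDB_SEARCH_NO_GLOBAL_CATALOG,
				       "%s", filter);
	}
	/* … unchanged: LDB_ERR_NO_SUCH_OBJECT / LDB_ERR_CONSTRAINT_VIOLATION / other error handling … */
```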
+++ b/source4/selftest/tests.py 
@@ -181,6 +181,10 @@ for env in ["ad_dc_ntvfs", "fl2000dc", "fl2003dc", "fl2008r2dc", "ad_dc"]: plansmbtorture4testsuite('rpc.pac', env, ["%s:$SERVER[]" % (transport, ), '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.pac on %s" % (transport,)) plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME', 'rpc.lsa.secrets'], "samba4.rpc.lsa.secrets on %s with Kerberos" % (transport,)) plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use target principal" % (transport,)) + #plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s with Kerberos - netbios name principal" % (transport,)) + plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[target_principal=dcom/$NETBIOSNAME]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s with Kerberos - netbios name principal dcom" % (transport,)) + plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[target_principal=$NETBIOSNAME\$]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s with Kerberos - netbios name principal dollar" % (transport,)) + plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[target_principal=$NETBIOSNAME]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s with Kerberos - netbios name principal" % (transport,)) plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', 
'-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login" % transport) plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:fake_gssapi_krb5=yes', '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login, use target principal" % transport) for transport in transports: -- 1.9.1
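Review bot: The first added line is a commented-out `plansmbtorture4testsuite(...)` call that the three live lines below supersede; commented-out code should be dropped, or, if it documents a still-failing variant, replaced by a one-line `# TODO(BUG11130): plain $NETBIOSNAME principal without target_principal override still fails` so the intent survives and the "TODO" in the subject line has a home. Separately, the `"...target_principal=$NETBIOSNAME\$]"` argument is a plain double-quoted Python string, so `\$` is kept as a literal backslash followed by `$`; it is presumably meant to protect the trailing `$` from selftest's variable expansion, which is worth confirming so the principal actually requested is `NETBIOSNAME$` and not `NETBIOSNAME\$`. The enclosing `for env in [...]` loop starts before this hunk.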