From d0953630c343833d51d89e2e1c1d8a26c9041018 Mon Sep 17 00:00:00 2001
From: Uri Simchoni
Date: Sat, 22 Oct 2016 13:33:42 +0300
Subject: [PATCH 1/3] selftest: test NTLM user@realm authentication

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12375

Signed-off-by: Uri Simchoni
Reviewed-by: Jeremy Allison
(cherry picked from commit 6e4c66e339d2eb11c5cb981aac2e20fcff464025)
---
 selftest/knownfail | 2 ++
 source3/selftest/tests.py | 1 +
 2 files changed, 3 insertions(+)

diff --git a/selftest/knownfail b/selftest/knownfail
index c1899da..3caf7c4 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -292,3 +292,5 @@
 #ntvfs server blocks copychunk with execute access on read handle
 ^samba4.smb2.ioctl.copy_chunk_bad_access
 ^samba4.drs.getnc_exop.python.*getnc_exop.DrsReplicaPrefixMapTestCase.test_regular_prefix_map_ex_attid.*
+#ad_member does not support for user@realm NTLM authentication
+^samba3.unix.whoami ntlm user@realm.*\(ad_member
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 3e37ad1..7cfebd6 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -340,6 +340,7 @@ for t in tests:
 plansmbtorture4testsuite(t, env, '//$SERVER/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD --option=torture:addc=$DC_SERVER')
 plansmbtorture4testsuite(t, env, '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD --option=torture:addc=$DC_SERVER', description='kerberos connection')
 plansmbtorture4testsuite(t, env, '//$SERVER/tmpguest -U% --option=torture:addc=$DC_SERVER', description='anonymous connection')
+ plansmbtorture4testsuite(t, env, '//$SERVER/tmp -k no -U$DC_USERNAME@$REALM%$DC_PASSWORD', description='ntlm user@realm')
 elif t == "raw.samba3posixtimedlock":
 plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/nt4_dc/share')
 plansmbtorture4testsuite(t, "ad_dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/ad_dc/share')
-- 
2.9.3

From c353b9db0e009c97bbd81b03d740f4aa72cbd2c3 Mon Sep 17 00:00:00 2001
From: Uri Simchoni
Date: Sat, 22 Oct 2016 22:40:26 +0300
Subject: [PATCH 2/3] winbindd: do not modify credentials in NTLM passthrough

When doing NTLM validation of credentials, do not modify the credentials - they might be used in the calculation of the response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12375

Signed-off-by: Uri Simchoni
Reviewed-by: Jeremy Allison
(cherry picked from commit 8e88b56ebc314a5e3a722d63ca23b4a49b7ac2dc)
---
 source3/winbindd/winbindd_pam_auth_crap.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
index ffbc322..e6a47c8 100644
--- a/source3/winbindd/winbindd_pam_auth_crap.c
+++ b/source3/winbindd/winbindd_pam_auth_crap.c
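Review bot: The new `-k no` line only exercises the success path for user@realm NTLM; nothing asserts that a UPN with an unknown realm, or a wrong password in UPN form, is still refused, which is exactly the path patch 3/3's bypass of the local-SAM mapping makes worth pinning. If the whoami torture test can express an expected authentication failure, a sibling such as `plansmbtorture4testsuite(t, env, '//$SERVER/tmp -k no -U$DC_USERNAME@nosuch.realm%$DC_PASSWORD', description='ntlm user@realm bad realm')` would guard that. The added line also omits the `--option=torture:addc=$DC_SERVER` its three siblings pass; if whoami only needs it for the Kerberos/anonymous variants that is fine, otherwise it should match them. The enclosing `for t in tests:` branch starts outside the hunk.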
@@ -37,6 +37,7 @@ struct tevent_req *winbindd_pam_auth_crap_send(
 struct tevent_req *req, *subreq;
 struct winbindd_pam_auth_crap_state *state;
 struct winbindd_domain *domain;
+ const char *auth_domain = NULL;
 req = tevent_req_create(mem_ctx, &state,
 struct winbindd_pam_auth_crap_state);
@@ -77,14 +78,12 @@ struct tevent_req *winbindd_pam_auth_crap_send(
 return tevent_req_post(req, ev);
 }
- if ((request->data.auth_crap.domain[0] == '\0')
- && lp_winbind_use_default_domain()) {
- fstrcpy(request->data.auth_crap.domain,
- lp_workgroup());
+ auth_domain = request->data.auth_crap.domain;
+ if (auth_domain[0] == '\0') {
+ auth_domain = lp_workgroup();
 }
- domain = find_auth_domain(
- request->flags, request->data.auth_crap.domain);
+ domain = find_auth_domain(request->flags, auth_domain);
 if (domain == NULL) {
 tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
 return tevent_req_post(req, ev);
-- 
2.9.3

From 24236e29bb71932a0448923e5e537818d01fbc68 Mon Sep 17 00:00:00 2001
From: Uri Simchoni
Date: Sat, 22 Oct 2016 22:47:08 +0300
Subject: [PATCH 3/3] smbd: in ntlm auth, do not map empty domain in case of \user@realm

When mapping user and domain during NTLM authentication, an empty domain is mapped to the local SAM db. However, an empty domain may legitimately be used if the user field has both user and domain in upn@realm format.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12375

Signed-off-by: Uri Simchoni
Reviewed-by: Jeremy Allison
(cherry picked from commit 3f82db56cbf2727abd465e28ac02ad2242b47c29)
---
 selftest/knownfail | 2 --
 source3/auth/auth_util.c | 10 +++++++---
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index 3caf7c4..c1899da 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
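Review bot: The rewritten block silently drops the `lp_winbind_use_default_domain()` condition: the removed code only substituted `lp_workgroup()` for an empty domain when that option was on, whereas the new code does so unconditionally, and the commit message ("do not modify credentials") does not mention this widening. If it is intended, say so next to the new `if`, e.g. `/* Resolve the lookup domain locally; the request's own (possibly empty) domain must stay untouched because it can feed the response calculation. */`; if not, keep the guard with `if (auth_domain[0] == '\0' && lp_winbind_use_default_domain()) {`. Leaving `request->data.auth_crap.domain` unmodified is the right fix for the stated bug, since, as the message notes, the domain may be an input to the response the server verifies. The remainder of winbindd_pam_auth_crap_send is outside this hunk.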
@@ -292,5 +292,3 @@
 #ntvfs server blocks copychunk with execute access on read handle
 ^samba4.smb2.ioctl.copy_chunk_bad_access
 ^samba4.drs.getnc_exop.python.*getnc_exop.DrsReplicaPrefixMapTestCase.test_regular_prefix_map_ex_attid.*
-#ad_member does not support for user@realm NTLM authentication
-^samba3.unix.whoami ntlm user@realm.*\(ad_member
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 663c0bc..4ae1b71 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -107,6 +107,11 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 NTSTATUS result;
 bool was_mapped;
 char *internal_username = NULL;
+ bool upn_form = false;
+
+ if (client_domain[0] == '\0' && strchr(smb_name, '@')) {
+ upn_form = true;
+ }
 was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
 if (!internal_username) {
@@ -126,10 +131,9 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 * non-domain member box will also map to WORKSTATION\user.
 * This also deals with the client passing in a "" domain
 */
- if (!is_trusted_domain(domain) &&
+ if (!upn_form && !is_trusted_domain(domain) &&
 !strequal(domain, my_sam_name()) &&
- !strequal(domain, get_global_sam_name()))
- {
+ !strequal(domain, get_global_sam_name())) {
 if (lp_map_untrusted_to_domain())
 domain = my_sam_name();
 else
-- 
2.9.3
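Review bot: `strchr(smb_name, '@')` classifies any name containing an '@' as UPN form, including `@realm`, `user@` and names with several '@'s, and it is evaluated on the raw `smb_name` before `map_username()` runs, so a username-map entry that rewrites `alice@realm` to a local account would still have `upn_form` set and skip the local-SAM fallback that the later hunk guards. A tighter test would require a non-empty user and realm part, and computing it after the mapping call on `internal_username` would keep the two decisions consistent; whether the downstream lookup copes with an empty domain plus a dangling '@' I cannot tell from this hunk. A short why-comment, `/* UPN form: empty client domain and user@realm in the user field; the realm is resolved downstream instead of mapping to the local SAM */`, would also help. make_user_info_map continues outside the hunk.

```c
	bool upn_form = false;
	const char *at = NULL;

	/* … unchanged: map_username() call and internal_username check … */

	/* UPN form: empty client domain and a user@realm name with both
	 * parts present; resolved downstream rather than mapped locally. */
	at = strchr(internal_username, '@');
	if (client_domain[0] == '\0' && at != NULL &&
	    at != internal_username && at[1] != '\0') {
		upn_form = true;
	}
```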
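Review bot: The comment block directly above the changed condition still says `This also deals with the client passing in a "" domain`, which is no longer accurate once `upn_form` short-circuits the test, and should be amended to something like `* This also deals with the client passing in a "" domain, except when the user field is a user@realm UPN (upn_form): that name is passed through untouched so the realm can be resolved downstream.` With `upn_form` set, `domain` keeps whatever an empty `client_domain` produced earlier in the function (not visible here), so correctness now rests on the later lookup rejecting an unknown realm rather than this fallback mapping it to the local SAM; a negative selftest for an unknown realm would make that explicit. The function body extends past the hunk on both sides.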