The branch, master has been updated via d515c6c s3: Fix auth_netlogond to cope with netlogon_creds_CredentialState via 47d07df s3: Fix a potential memleak in secrets_fetch_trusted_domain_password via 843825f s3: Fetch the machinepw via ldapi in pdb_ads via 8c36716 s3: In pdb_ads, cope with artificial samu structs via 08f2a85 s3: Use strlcpy in pdb_ads_connect via 8af7400 s3: Fix some nonempty blank lines from 56b1cff s4 torture: add new rpc torture tests for backup key remote protocol
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit d515c6cd5c4884d781f6a84290f16925a3e34af6 Author: Volker Lendecke <v...@samba.org> Date: Sun Feb 6 15:50:04 2011 +0100 s3: Fix auth_netlogond to cope with netlogon_creds_CredentialState Autobuild-User: Volker Lendecke <vlen...@samba.org> Autobuild-Date: Sun Feb 6 17:30:48 CET 2011 on sn-devel-104 commit 47d07df37f5b089ff16ee0e28cde23ed9470f214 Author: Volker Lendecke <v...@samba.org> Date: Sun Feb 6 15:33:26 2011 +0100 s3: Fix a potential memleak in secrets_fetch_trusted_domain_password commit 843825f56728a6cec2b0b00cc32f97b4b05b3ea8 Author: Volker Lendecke <v...@samba.org> Date: Sat Feb 5 14:42:01 2011 +0100 s3: Fetch the machinepw via ldapi in pdb_ads commit 8c367162f09c7772091a80d8426de6bead0c030d Author: Volker Lendecke <v...@samba.org> Date: Sun Feb 6 10:15:50 2011 +0100 s3: In pdb_ads, cope with artificial samu structs commit 08f2a8562f67982f69f4bbf5b1034a42529ab226 Author: Volker Lendecke <v...@samba.org> Date: Sat Feb 5 14:41:52 2011 +0100 s3: Use strlcpy in pdb_ads_connect commit 8af7400d553f9552df78ab4958da7536f15eddf2 Author: Volker Lendecke <v...@samba.org> Date: Thu Feb 3 21:47:42 2011 +0100 s3: Fix some nonempty blank lines ----------------------------------------------------------------------- Summary of changes: source3/auth/auth_netlogond.c | 240 +++++++++++++++++++++++++++--------- source3/include/secrets.h | 2 - source3/nmbd/nmbd.c | 7 +- source3/passdb/pdb_ads.c | 16 ++- source3/passdb/secrets.c | 29 +---- source3/rpc_client/cli_netlogon.c | 2 +- source3/smbd/process.c | 6 +- 7 files changed, 202 insertions(+), 100 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/auth_netlogond.c b/source3/auth/auth_netlogond.c index 1e3ccb1..854060b 100644 --- a/source3/auth/auth_netlogond.c +++ b/source3/auth/auth_netlogond.c @@ -20,16 +20,74 @@ #include "includes.h" #include "../libcli/auth/libcli_auth.h" #include "../librpc/gen_ndr/ndr_netlogon.h" +#include "librpc/gen_ndr/ndr_schannel.h" #include "rpc_client/cli_netlogon.h" #include "secrets.h" +#include "tldap.h" +#include "tldap_util.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH +static bool secrets_store_local_schannel_creds( + const struct netlogon_creds_CredentialState *creds) +{ + DATA_BLOB blob; + enum ndr_err_code ndr_err; + bool ret; + + ndr_err = ndr_push_struct_blob( + &blob, talloc_tos(), creds, + (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(10, ("ndr_push_netlogon_creds_CredentialState failed: " + "%s\n", ndr_errstr(ndr_err))); + return false; + } + ret = secrets_store(SECRETS_LOCAL_SCHANNEL_KEY, + blob.data, blob.length); + data_blob_free(&blob); + return ret; +} + +static struct netlogon_creds_CredentialState * +secrets_fetch_local_schannel_creds(TALLOC_CTX *mem_ctx) +{ + struct netlogon_creds_CredentialState *creds; + enum ndr_err_code ndr_err; + DATA_BLOB blob; + + blob.data = (uint8_t *)secrets_fetch(SECRETS_LOCAL_SCHANNEL_KEY, + &blob.length); + if (blob.data == NULL) { + DEBUG(10, ("secrets_fetch failed\n")); + return NULL; + } + + creds = talloc(mem_ctx, struct netlogon_creds_CredentialState); + if (creds == NULL) { + DEBUG(10, ("talloc failed\n")); + SAFE_FREE(blob.data); + return NULL; + } + ndr_err = ndr_pull_struct_blob( + &blob, creds, creds, + (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState); + SAFE_FREE(blob.data); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(10, ("ndr_pull_netlogon_creds_CredentialState failed: " + "%s\n", ndr_errstr(ndr_err))); + TALLOC_FREE(creds); + return NULL; + } + + return creds; +} + static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx, const struct auth_context *auth_context, const char *ncalrpc_sockname, - uint8_t schannel_key[16], + struct netlogon_creds_CredentialState *creds, const struct auth_usersupplied_info *user_info, struct netr_SamInfo3 **pinfo3, NTSTATUS *schannel_bind_result) @@ -49,17 +107,7 @@ static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx, return status; } - /* - * We have to fake a struct dcinfo, so that - * rpccli_netlogon_sam_network_logon_ex can decrypt the session keys. - */ - - p->dc = netlogon_creds_client_init_session_key(p, schannel_key); - if (p->dc == NULL) { - DEBUG(0, ("talloc failed\n")); - TALLOC_FREE(p); - return NT_STATUS_NO_MEMORY; - } + p->dc = creds; status = rpccli_schannel_bind_data(p, lp_workgroup(), DCERPC_AUTH_LEVEL_PRIVACY, @@ -107,51 +155,125 @@ static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -static char *mymachinepw(TALLOC_CTX *mem_ctx) +static NTSTATUS get_ldapi_ctx(TALLOC_CTX *mem_ctx, struct tldap_context **pld) { - fstring pwd; - const char *script; - char *to_free = NULL; - ssize_t nread; - int ret, fd; - - script = lp_parm_const_string( - GLOBAL_SECTION_SNUM, "auth_netlogond", "machinepwscript", - NULL); - - if (script == NULL) { - to_free = talloc_asprintf(talloc_tos(), "%s/%s", - get_dyn_SBINDIR(), "mymachinepw"); - script = to_free; - } - if (script == NULL) { - return NULL; + struct tldap_context *ld; + struct sockaddr_un addr; + char *sockaddr; + int fd; + NTSTATUS status; + int res; + + sockaddr = talloc_asprintf(talloc_tos(), "/%s/ldap_priv/ldapi", + lp_private_dir()); + if (sockaddr == NULL) { + DEBUG(10, ("talloc failed\n")); + return NT_STATUS_NO_MEMORY; } - ret = smbrun(script, &fd); - DEBUG(ret ? 0 : 3, ("mymachinepw: Running the command `%s' gave %d\n", - script, ret)); - TALLOC_FREE(to_free); + ZERO_STRUCT(addr); + addr.sun_family = AF_UNIX; + strncpy(addr.sun_path, sockaddr, sizeof(addr.sun_path)); + TALLOC_FREE(sockaddr); - if (ret != 0) { - return NULL; + status = open_socket_out((struct sockaddr_storage *)(void *)&addr, + 0, 0, &fd); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("Could not connect to %s: %s\n", addr.sun_path, + nt_errstr(status))); + return status; } + set_blocking(fd, false); - nread = read(fd, pwd, sizeof(pwd)-1); - close(fd); + ld = tldap_context_create(mem_ctx, fd); + if (ld == NULL) { + close(fd); + return NT_STATUS_NO_MEMORY; + } + res = tldap_fetch_rootdse(ld); + if (res != TLDAP_SUCCESS) { + DEBUG(10, ("tldap_fetch_rootdse failed: %s\n", + tldap_errstr(talloc_tos(), ld, res))); + TALLOC_FREE(ld); + return NT_STATUS_LDAP(res); + } + *pld = ld; + return NT_STATUS_OK;; +} - if (nread <= 0) { - DEBUG(3, ("mymachinepwd: Could not read password\n")); - return NULL; +static NTSTATUS mymachinepw(uint8_t pwd[16]) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct tldap_context *ld; + struct tldap_message *rootdse, **msg; + const char *attrs[1] = { "unicodePwd" }; + char *default_nc, *myname; + int rc, num_msg; + DATA_BLOB pwdblob; + NTSTATUS status; + + status = get_ldapi_ctx(talloc_tos(), &ld); + if (!NT_STATUS_IS_OK(status)) { + goto fail; + } + rootdse = tldap_rootdse(ld); + if (rootdse == NULL) { + DEBUG(10, ("Could not get rootdse\n")); + status = NT_STATUS_INTERNAL_ERROR; + goto fail; + } + default_nc = tldap_talloc_single_attribute( + rootdse, "defaultNamingContext", talloc_tos()); + if (default_nc == NULL) { + DEBUG(10, ("Could not get defaultNamingContext\n")); + status = NT_STATUS_NO_MEMORY; + goto fail; } + DEBUG(10, ("default_nc = %s\n", default_nc)); - pwd[nread] = '\0'; + myname = talloc_asprintf_strupper_m(talloc_tos(), "%s$", + global_myname()); + if (myname == NULL) { + DEBUG(10, ("talloc failed\n")); + status = NT_STATUS_NO_MEMORY; + goto fail; + } - if (pwd[nread-1] == '\n') { - pwd[nread-1] = '\0'; + rc = tldap_search_fmt( + ld, default_nc, TLDAP_SCOPE_SUB, attrs, ARRAY_SIZE(attrs), 0, + talloc_tos(), &msg, + "(&(sAMAccountName=%s)(objectClass=computer))", myname); + if (rc != TLDAP_SUCCESS) { + DEBUG(10, ("Could not retrieve our account: %s\n", + tldap_errstr(talloc_tos(), ld, rc))); + status = NT_STATUS_LDAP(rc); + goto fail; + } + num_msg = talloc_array_length(msg); + if (num_msg != 1) { + DEBUG(10, ("Got %d accounts, expected one\n", num_msg)); + status = NT_STATUS_INTERNAL_DB_CORRUPTION; + goto fail; + } + if (!tldap_get_single_valueblob(msg[0], "unicodePwd", &pwdblob)) { + char *dn = NULL; + tldap_entry_dn(msg[0], &dn); + DEBUG(10, ("No unicodePwd attribute in %s\n", + dn ? dn : "<unknown DN>")); + status = NT_STATUS_INTERNAL_DB_CORRUPTION; + goto fail; } + if (pwdblob.length != 16) { + DEBUG(10, ("Password hash hash has length %d, expected 16\n", + (int)pwdblob.length)); + status = NT_STATUS_INTERNAL_DB_CORRUPTION; + goto fail; + } + memcpy(pwd, pwdblob.data, 16); - return talloc_strdup(mem_ctx, pwd); +fail: + TALLOC_FREE(frame); + return status; } static NTSTATUS check_netlogond_security(const struct auth_context *auth_context, @@ -165,9 +287,8 @@ static NTSTATUS check_netlogond_security(const struct auth_context *auth_context struct rpc_pipe_client *p = NULL; struct pipe_auth_data *auth = NULL; uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; - char *plaintext_machinepw = NULL; uint8_t machine_password[16]; - uint8_t schannel_key[16]; + struct netlogon_creds_CredentialState *creds; NTSTATUS schannel_bind_result, status; struct named_mutex *mutex = NULL; const char *ncalrpcsock; @@ -187,12 +308,13 @@ static NTSTATUS check_netlogond_security(const struct auth_context *auth_context goto done; } - if (!secrets_fetch_local_schannel_key(schannel_key)) { + creds = secrets_fetch_local_schannel_creds(talloc_tos()); + if (creds == NULL) { goto new_key; } status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock, - schannel_key, user_info, &info3, + creds, user_info, &info3, &schannel_bind_result); DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status))); @@ -241,15 +363,14 @@ static NTSTATUS check_netlogond_security(const struct auth_context *auth_context goto done; } - plaintext_machinepw = mymachinepw(talloc_tos()); - if (plaintext_machinepw == NULL) { - status = NT_STATUS_NO_MEMORY; + status = mymachinepw(machine_password); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("mymachinepw failed: %s\n", nt_errstr(status))); goto done; } - E_md4hash(plaintext_machinepw, machine_password); - - TALLOC_FREE(plaintext_machinepw); + DEBUG(10, ("machinepw ")); + dump_data(10, machine_password, 16); status = rpccli_netlogon_setup_creds( p, global_myname(), lp_workgroup(), global_myname(), @@ -261,10 +382,7 @@ static NTSTATUS check_netlogond_security(const struct auth_context *auth_context goto done; } - memcpy(schannel_key, p->dc->session_key, 16); - secrets_store_local_schannel_key(schannel_key); - - TALLOC_FREE(p); + secrets_store_local_schannel_creds(p->dc); /* * Retry the authentication with the mutex held. This way nobody else @@ -272,9 +390,11 @@ static NTSTATUS check_netlogond_security(const struct auth_context *auth_context */ status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock, - schannel_key, user_info, &info3, + creds, user_info, &info3, &schannel_bind_result); + TALLOC_FREE(p); + DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status))); if (!NT_STATUS_IS_OK(status)) { diff --git a/source3/include/secrets.h b/source3/include/secrets.h index 095ab6e..7120655 100644 --- a/source3/include/secrets.h +++ b/source3/include/secrets.h @@ -123,7 +123,5 @@ void secrets_fetch_ipc_userpass(char **username, char **domain, char **password) bool secrets_store_generic(const char *owner, const char *key, const char *secret); char *secrets_fetch_generic(const char *owner, const char *key); bool secrets_delete_generic(const char *owner, const char *key); -bool secrets_store_local_schannel_key(uint8_t schannel_key[16]); -bool secrets_fetch_local_schannel_key(uint8_t schannel_key[16]); #endif /* _SECRETS_H */ diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c index b2230c3..2ed4212 100644 --- a/source3/nmbd/nmbd.c +++ b/source3/nmbd/nmbd.c @@ -4,20 +4,19 @@ Copyright (C) Andrew Tridgell 1994-1998 Copyright (C) Jeremy Allison 1997-2002 Copyright (C) Jelmer Vernooij 2002,2003 (Conversion to popt) - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. - */ #include "includes.h" diff --git a/source3/passdb/pdb_ads.c b/source3/passdb/pdb_ads.c index 01f730e..68ce2b4 100644 --- a/source3/passdb/pdb_ads.c +++ b/source3/passdb/pdb_ads.c @@ -974,8 +974,7 @@ static NTSTATUS pdb_ads_enum_group_memberships(struct pdb_methods *m, { struct pdb_ads_state *state = talloc_get_type_abort( m->private_data, struct pdb_ads_state); - struct pdb_ads_samu_private *priv = pdb_ads_get_samu_private( - m, user); + struct pdb_ads_samu_private *priv; const char *attrs[1] = { "objectSid" }; struct tldap_message **groups; int i, rc, count; @@ -983,6 +982,15 @@ static NTSTATUS pdb_ads_enum_group_memberships(struct pdb_methods *m, struct dom_sid *group_sids; gid_t *gids; + priv = pdb_ads_get_samu_private(m, user); + if (priv == NULL) { + DEBUG(10, ("Could not get pdb_ads_samu_private\n")); + *pp_sids = NULL; + *pp_gids = NULL; + *p_num_groups = 0; + return NT_STATUS_OK; + } + rc = pdb_ads_search_fmt( state, state->domaindn, TLDAP_SCOPE_SUB, attrs, ARRAY_SIZE(attrs), 0, talloc_tos(), &groups, @@ -2206,8 +2214,8 @@ static NTSTATUS pdb_ads_connect(struct pdb_ads_state *state, ZERO_STRUCT(state->socket_address); state->socket_address.sun_family = AF_UNIX; - strncpy(state->socket_address.sun_path, location, - sizeof(state->socket_address.sun_path) - 1); + strlcpy(state->socket_address.sun_path, location, + sizeof(state->socket_address.sun_path)); ld = pdb_ads_ld(state); if (ld == NULL) { diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c index 28a725a..45f8e15 100644 --- a/source3/passdb/secrets.c +++ b/source3/passdb/secrets.c @@ -169,31 +169,6 @@ bool secrets_delete(const char *key) return NT_STATUS_IS_OK(status); } -bool secrets_store_local_schannel_key(uint8_t schannel_key[16]) -{ - return secrets_store(SECRETS_LOCAL_SCHANNEL_KEY, schannel_key, 16); -} - -bool secrets_fetch_local_schannel_key(uint8_t schannel_key[16]) -{ - size_t size = 0; - uint8_t *key; - - key = (uint8_t *)secrets_fetch(SECRETS_LOCAL_SCHANNEL_KEY, &size); - if (key == NULL) { - return false; - } - - if (size != 16) { - SAFE_FREE(key); - return false; - } - - memcpy(schannel_key, key, 16); - SAFE_FREE(key); - return true; -} - /** * Form a key for fetching a trusted domain password * @@ -235,11 +210,13 @@ bool secrets_fetch_trusted_domain_password(const char *domain, char** pwd, /* unpack trusted domain password */ ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), &pass, (ndr_pull_flags_fn_t)ndr_pull_TRUSTED_DOM_PASS); + + SAFE_FREE(blob.data); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return false; } - SAFE_FREE(blob.data); /* the trust's password */ if (pwd) { diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index f34d794..8dc232f 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -84,7 +84,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli, } /* Calculate the session key and client credentials */ - + cli->dc = netlogon_creds_client_init(cli, mach_acct, clnt_name, diff --git a/source3/smbd/process.c b/source3/smbd/process.c index 75bd770..6c2908d 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -3,17 +3,17 @@ process incoming packets - main loop Copyright (C) Andrew Tridgell 1992-1998 Copyright (C) Volker Lendecke 2005-2007 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. -- Samba Shared Repository