The branch, master has been updated
       via  56d5cb9 s3-winbind: don't try to do clever thing if the username is not found while authenticating through winbind
       via  7350d99 s3: check that a user in a bogus domain name is mapped to the localnetbios name of a domain member
      from  959d13a s3-auth: Remove duplicate check for NT_STATUS_IS_OK(nt_status)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 56d5cb938651b9c67a8400d1adc61a23889a6a29
Author: Matthieu Patou <m...@matws.net>
Date:   Mon Jan 30 00:05:08 2012 -0800

    s3-winbind: don't try to do clever thing if the username is not found while authenticating through winbind

    This could cause us to authenticate a user with a bogus domain to winbind's domain if the password supplied for the PAM_AUTH matches.

    The problem was reported by Jeff Venable (jvena...@juniper.net).

    Patch from Andrew Bartlett (abartl...@samba.org).

    Autobuild-User: Matthieu Patou <m...@samba.org>
    Autobuild-Date: Mon Jan 30 18:58:12 CET 2012 on sn-devel-104

commit 7350d994096efa62031f4f75cf92fb4ade2b2655
Author: Matthieu Patou <m...@matws.net>
Date:   Sun Jan 29 22:12:40 2012 -0800

    s3: check that a user in a bogus domain name is mapped to the localnetbios name of a domain member

    This means that if we authenticate as BOGUS\administrator in AD domain FOREST, with Samba being a domain member with the netbiosname MEMBER, then BOGUS\administrator will be mapped to MEMBER\administrator if the password matches.

-----------------------------------------------------------------------

Summary of changes:
 source3/winbindd/winbindd_pam.c |    3 ++-
 source4/selftest/tests.py       |    1 +
 testprogs/blackbox/bogus.sh     |   20 ++++++++++++++++++++
 3 files changed, 23 insertions(+), 1 deletions(-)
 create mode 100755 testprogs/blackbox/bogus.sh


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 41f38a4..93034ad 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1079,7 +1079,8 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain, DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", state->request->data.auth.user, name_domain, name_user, name_domain)); - contact_domain = find_our_domain(); + result = NT_STATUS_NO_SUCH_USER; + goto done; } } diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 82f0ae9..ccc899b 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -367,6 +367,7 @@ for mech in [ plansmbtorturetestsuite('base.xcopy', "plugin_s4_dc", ['//$NETBIOSNAME/xcopy_share', signoptions, '-U$DC_USERNAME%$DC_PASSWORD'], "samba4.%s administrator" % name) +plantestsuite("samba4.blackbox.bogusdomain", "s3member", ["testprogs/blackbox/bogus.sh", "$NETBIOSNAME", "xcopy_share", '$DC_USERNAME', '$DC_PASSWORD'], allow_empty_output=True) for mech in [ "-k no", "-k no --option=usespnego=no", diff --git a/testprogs/blackbox/bogus.sh b/testprogs/blackbox/bogus.sh new file mode 100755 index 0000000..019957b --- /dev/null +++ b/testprogs/blackbox/bogus.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then +cat <<EOF +Usage: blackbox_newuser.sh PREFIX +EOF +exit 1; +fi + +. `dirname $0`/subunit.sh + +SERVER=$1 +SHARE=$2 +USER=$3 +PWD=$4 +smbclient="$BINDIR/smbclient" +testit_expect_failure "smbclient" $smbclient "//$SERVER/$SHARE" -W POUET -U$USER%$PWD -c "dir"&& failed=`expr $failed + 1` +./bin/net rpc user add $USER $PWD -W $SERVER -U$USER%$PWD -S $SERVER +testit "smbclient" $smbclient "//$SERVER/$SHARE" -W POUET -U$USER%$PWD -c "dir"|| failed=`expr $failed + 1` +exit $failed -- Samba Shared Repository
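Review bot: in the winbindd_pam.c hunk the status returned and the diagnostic no longer agree, and the choice deserves a comment. The DEBUG(3) line still says "failed as %s is not a trusted domain", while the caller now gets NT_STATUS_NO_SUCH_USER. The early return itself is the right fix: the removed line `contact_domain = find_our_domain();` quietly redirected a request for an untrusted domain to winbind's own domain, which is exactly how BOGUS\user ended up authenticated against the real domain when the password matched. If NO_SUCH_USER is deliberate (so a caller cannot tell an unknown domain from an unknown account), say so in a one-line comment above `result = NT_STATUS_NO_SUCH_USER;` so nobody later "corrects" it to a domain-level status. Two follow-ups the hunk cannot answer on its own: the `done:` label is not shown, so confirm the cleanup there does not depend on contact_domain having been set on this branch; and since this is only winbindd_dual_pam_auth_kerberos, the commit message should state whether any other authentication path in this file has the same find_our_domain() fallback or already rejects an untrusted name_domain.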
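Review bot: in the tests.py hunk the new plantestsuite() line mixes double and single quotes for arguments of the same kind ("$NETBIOSNAME", "xcopy_share" versus '$DC_USERNAME', '$DC_PASSWORD'); pick one style to match the surrounding plansmbtorturetestsuite() calls. The suite name samba4.blackbox.bogusdomain also says nothing about what is asserted; a name such as samba4.blackbox.bogusdomain.maps_to_member, or a short comment on the line, would record that the test checks a BOGUS\user login is mapped to the member's own account rather than to winbind's domain. Running it in the s3member environment is consistent with the commit message, which describes Samba as a domain member with its own netbios name.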
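Review bot: in the bogus.sh hunk the argument check and usage text do not match the script. It reads four positional parameters (SERVER, SHARE, USER, PWD) but only tests `if [ $# -lt 1 ]`, and the usage message is copied from another script ("Usage: blackbox_newuser.sh PREFIX"); make that `-lt 4` and print "Usage: bogus.sh SERVER SHARE USERNAME PASSWORD". Also `PWD=$4` clobbers the shell's working-directory variable, and `USER=$3` the login name; rename them to PASSWORD and USERNAME. The setup step `./bin/net rpc user add $USER $PWD -W $SERVER -U$USER%$PWD -S $SERVER` is the only command not wrapped in testit, so if it fails nothing is reported and the following expectation is meaningless; it also uses ./bin/net while smbclient is taken from "$BINDIR/smbclient", so use "$BINDIR/net" and wrap it in testit. Both testit calls are named "smbclient", which makes the subunit output ambiguous; use distinct names such as "smbclient bogus domain rejected" and "smbclient bogus domain mapped to member". Finally the account added on the member is never removed, so add a matching `net rpc user delete` before `exit $failed` to leave the environment as the test found it.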