The branch, master has been updated
       via  56d5cb9 s3-winbind: don't try to do clever thing if the username is not found while authenticating through winbind
       via  7350d99 s3: check that a user in a bogus domain name is mapped to the localnetbios name of a domain member
      from  959d13a s3-auth: Remove duplicate check for NT_STATUS_IS_OK(nt_status)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 56d5cb938651b9c67a8400d1adc61a23889a6a29
Author: Matthieu Patou <m...@matws.net>
Date:   Mon Jan 30 00:05:08 2012 -0800

    s3-winbind: don't try to do clever thing if the username is not found while authenticating through winbind
    
    This could cause us to authenticate a user with a bogus domain to
    winbind's domain if the password supplied for the PAM_AUTH matches.
    
    The problem was reported by Jeff Venable (jvena...@juniper.net).
    Patch from Andrew Bartlett (abartl...@samba.org).
    
    Autobuild-User: Matthieu Patou <m...@samba.org>
    Autobuild-Date: Mon Jan 30 18:58:12 CET 2012 on sn-devel-104

commit 7350d994096efa62031f4f75cf92fb4ade2b2655
Author: Matthieu Patou <m...@matws.net>
Date:   Sun Jan 29 22:12:40 2012 -0800

    s3: check that a user in a bogus domain name is mapped to the localnetbios name of a domain member
    
    This means that if we authenticate for BOGUS\administrator in AD domain
    FOREST with samba being a domain member with the netbiosname MEMBER then
    BOGUS\administrator will be mapped to MEMBER\administrator if the
    password matches.

-----------------------------------------------------------------------

Summary of changes:
 source3/winbindd/winbindd_pam.c |    3 ++-
 source4/selftest/tests.py       |    1 +
 testprogs/blackbox/bogus.sh     |   20 ++++++++++++++++++++
 3 files changed, 23 insertions(+), 1 deletions(-)
 create mode 100755 testprogs/blackbox/bogus.sh


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 41f38a4..93034ad 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1079,7 +1079,8 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct 
winbindd_domain *domain,
                        DEBUG(3, ("Authentication for domain for [%s] -> 
[%s]\\[%s] failed as %s is not a trusted domain\n",
                                  state->request->data.auth.user, name_domain, 
name_user, name_domain));
 
-                       contact_domain = find_our_domain();
+                       result =  NT_STATUS_NO_SUCH_USER;
+                       goto done;
                }
        }
 
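Review bot: in the untrusted-domain branch of winbindd_dual_pam_auth_kerberos, the new early exit has no comment explaining why the fallback to find_our_domain() was dropped, so a later cleanup could quietly bring it back. A one-line comment above the assignment, saying that a name in a domain we do not trust must not be retried against our own domain, would record the intent. The line `result =  NT_STATUS_NO_SUCH_USER;` also has a doubled space after `=`. This hunk changes only the Kerberos path; please confirm that no other authentication path in this file still falls back to our own domain in the same situation.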
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 82f0ae9..ccc899b 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -367,6 +367,7 @@ for mech in [
         plansmbtorturetestsuite('base.xcopy', "plugin_s4_dc",
                                ['//$NETBIOSNAME/xcopy_share', signoptions, 
'-U$DC_USERNAME%$DC_PASSWORD'], "samba4.%s administrator" % name)
 
+plantestsuite("samba4.blackbox.bogusdomain", "s3member", 
["testprogs/blackbox/bogus.sh", "$NETBIOSNAME", "xcopy_share", '$DC_USERNAME', 
'$DC_PASSWORD'], allow_empty_output=True)
 for mech in [
     "-k no",
     "-k no --option=usespnego=no",
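Review bot: the new plantestsuite call sets allow_empty_output=True with no explanation, which makes it hard to tell whether an empty run is expected or would hide a script that exits before running its checks. Please add a short comment saying why empty output is acceptable for samba4.blackbox.bogusdomain, or drop the flag if it is not needed. The call is also wedged between the indented plansmbtorturetestsuite line and the next `for mech in [` loop with no blank line after it; a blank line and a comment naming the bogus-domain mapping it covers would keep the file readable.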
diff --git a/testprogs/blackbox/bogus.sh b/testprogs/blackbox/bogus.sh
new file mode 100755
index 0000000..019957b
--- /dev/null
+++ b/testprogs/blackbox/bogus.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+cat <<EOF
+Usage: blackbox_newuser.sh PREFIX
+EOF
+exit 1;
+fi
+
+. `dirname $0`/subunit.sh
+
+SERVER=$1
+SHARE=$2
+USER=$3
+PWD=$4
+smbclient="$BINDIR/smbclient"
+testit_expect_failure "smbclient" $smbclient "//$SERVER/$SHARE" -W POUET 
-U$USER%$PWD -c "dir"&& failed=`expr $failed + 1`
+./bin/net rpc user add $USER $PWD -W $SERVER -U$USER%$PWD -S $SERVER
+testit "smbclient" $smbclient "//$SERVER/$SHARE" -W POUET -U$USER%$PWD -c 
"dir"|| failed=`expr $failed + 1`
+exit $failed
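Review bot: `PWD=$4` overwrites the shell's own working-directory variable for the rest of the script; rename it (for example PASSWORD) so the later relative `./bin/net` call does not run with a misleading PWD. The argument check tests `$# -lt 1` although four positional parameters are read, and the usage text still says `blackbox_newuser.sh PREFIX`, so a short invocation runs with empty SHARE, USER and password instead of stopping. `failed` is never initialised in this file before `expr $failed + 1` and `exit $failed`; set `failed=0` after sourcing subunit.sh unless that file is guaranteed to do it. The `net rpc user add` step uses a hard-coded `./bin/net` while smbclient comes from `$BINDIR`, and its exit status is not checked, so a failed user creation only shows up as a failure of the second smbclient test. The expansions are also unquoted throughout, which breaks on a password containing spaces or shell metacharacters.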


-- 
Samba Shared Repository
