The branch, master has been updated
       via  14b5eb9 ntlm_auth: Allow the --option parameter to work against ntlm_auth
       via  aee83c2 ntlm_auth: Allow us to use kerberos when we are an AD DC
       via  0f6ad53 docs: Explain that winbindd enforces smb signing by default.
       via  bbad2fe s3:libsmb: remove unused cli_set_username() function
       via  0e2b255 s3:libsmb: avoid calling cli_set_username() cliconnect.c
       via  98f2946 s3:libsmb: avoid calling cli_set_username() in clidfs
       via  97759ec s3:libsmb: avoid cli_set_username() in SMBC_server_internal()
       via  c8dca76 s3:lib/netapi: avoid calling cli_set_username()
       via  40bc651 s3:torture: avoid unused cli_set_username()
       via  71432b9 s3:libsmb: Remove unused domain copy stored in cli_state
       via  2b9d6d3 s3:libsmb: Remove unused password copy stored in cli_state
       via  07bd866 s3-winbindd: use cli_rpc_pipe_open_with_creds()
       via  295b323 s3-librpc: Add cli_rpc_pipe_open_with_creds()
       via  be994ca s3-winbindd: Use own machine account to connect to trusted domains as well
       via  0392ebc s3-winbindd: use a cli_credentials structure to hold the trust credentials
       via  e9472f8 libsmb: Print the principal name that we failed to kinit for.
       via  37f5d82 passdb: Use common code in cli_credentials_set_machine_account_db_ctx()
       via  e9dc642 auth/credentials: Ensure that we set the realm when reading secrets.tdb
       via  35b8ed7 credentials: Allow the secret.tdb handle to be passed in to cli_credentials_set_machine_account()
       via  89daf5d credentials: Improve error message on failure to set machine account password
       via  adb3eb7 credentials: Set secure_channel_type from secrets.tdb in cli_credentials_set_machine_account
       via  72687b1 selftest: Run samba.tests.messaging in an environment where it has servers to list
       via  022f1ca tests: Allow "max open files" to differ from the documentation
      from  470af88 ctdb-tools: Fix heap-use-after-free problem
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 14b5eb90d84f109f6a3ed8694acf13afe9b68f09
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Oct 13 13:13:15 2014 +1300

    ntlm_auth: Allow the --option parameter to work against ntlm_auth

    Change-Id: Iee386624359c2bf8437719f286e306cdfbb628c6
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Fri Oct 17 15:20:59 CEST 2014 on sn-devel-104

commit aee83c22ff65a7afd302c7a164259ad050634c39
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Oct 13 09:42:25 2014 +1300

    ntlm_auth: Allow us to use kerberos when we are an AD DC

    Change-Id: I88caff9ded915d914cb7fda8829ccbcd3ad64af1
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 0f6ad5370e0ed5201a63e047b7e3fef5b27b3149
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Oct 1 20:49:23 2014 +1300

    docs: Explain that winbindd enforces smb signing by default.

    Change-Id: I9341fa3bd7480836ac5e0c18e28458175b42d44a
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit bbad2fed7cda09f5a7d7006ada6382d29f1c1a86
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Sep 26 03:39:13 2014 +0200

    s3:libsmb: remove unused cli_set_username() function

    Change-Id: Ib432b4ff66f966de9e733e01de6de2f486c0c728
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0e2b25562241404db70d0bba018998078361976d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Sep 26 03:35:30 2014 +0200

    s3:libsmb: avoid calling cli_set_username() cliconnect.c

    Change-Id: I45e44405ea51ecb1aa38c72f4fc6243a1d3d531a
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 98f2946dd1deea558cc41df93c2109754838eae1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Sep 26 03:33:45 2014 +0200

    s3:libsmb: avoid calling cli_set_username() in clidfs

    Change-Id: I8b32be8a10d2bff33bb468cc68c98e555b220bde
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 97759ecfaea36555db78a6854355c02acd15053b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Sep 26 03:17:08 2014 +0200

    s3:libsmb: avoid cli_set_username() in SMBC_server_internal()

    Change-Id: I32e19078a4d4948e405f39dc2a479ff925ad3684
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c8dca765a0c984602389bbd707eca7c58cd41b41
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Sep 26 03:14:53 2014 +0200

    s3:lib/netapi: avoid calling cli_set_username()

    Change-Id: I3ab768d2df06749187555a16d7b930f7cc8f8b9f
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 40bc651f95061fdd27db8b0ce4da0e38c209c3db
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Sep 26 03:13:28 2014 +0200

    s3:torture: avoid unused cli_set_username()

    Change-Id: Ia774b256093aff5f2b3338e7827e2d798fb06a96
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 71432b9eda6e36222a3fcfcdc185a2459fb07541
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Sep 26 03:10:19 2014 +0200

    s3:libsmb: Remove unused domain copy stored in cli_state

    Change-Id: I7333140906bb3a487205b5760396dcc00a9f49b0
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 2b9d6d3d9b6766ba2e48523b005a7eecf3e05412
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Sep 23 14:19:35 2014 -0700

    s3:libsmb: Remove unused password copy stored in cli_state

    Change-Id: Ia6b33a25628ae08be8a8c6baeb71ce390315cb45
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 07bd866f59f8a6a29521fbf0e17963aaef8575de
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Sep 23 09:12:20 2014 -0700

    s3-winbindd: use cli_rpc_pipe_open_with_creds()

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 295b323b1c65cd8387b3977a189f81253c139b43
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Sep 23 09:12:20 2014 -0700

    s3-librpc: Add cli_rpc_pipe_open_with_creds()

    This provides a credentials-based interface.

    In the long term, we will want to change this not to reference the
    credentials, but for now this suits the caller in winbindd_cm.c

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit be994ca579c6c302d9d6487c863699b3e4457210
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Dec 11 15:10:39 2013 +1300

    s3-winbindd: Use own machine account to connect to trusted domains as well

    This relies on a two-way trust, which we may not have, but is the
    only secure way to do this.

    To do this correctly we need to split NETLOGON from normal
    authentication, as we need to use the machine account for the SMB
    level, but the inter-domain trust account for the NETLOGON level.

    Change-Id: Ib93eb6a4d704ef26df8234be7cb71c47ad519c8a
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 0392ebcd1d48e9f472f2148b85316a77d9cc953b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Aug 8 13:58:34 2013 +0200

    s3-winbindd: use a cli_credentials structure to hold the trust credentials

    Later we can pass this down directly and have a much more sane
    handling of credentials and the spnego handshake.

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

    Change-Id: If12ef0b105d8c7af60190d4eed3c8c07849da2ca
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit e9472f8e821acd988fee9a1a288986282a138fc6
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sat Oct 4 07:06:35 2014 +1300

    libsmb: Print the principal name that we failed to kinit for.

    This should aid debugging when this is called from an automated process.

    Andrew Bartlett

    Change-Id: I2c7291ab3f67f9f7462d7c52c8c9a4b042f7ec5a
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 37f5d822d636d4286bd8ee64c7e9e44ae1a297e1
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Oct 3 06:35:28 2014 +1300

    passdb: Use common code in cli_credentials_set_machine_account_db_ctx()

    This avoids some duplication in setting the machine account password
    for the domain member and DC case.

    This does not yet remove the duplication, that requires a bigger
    restructure of the various routines used here to obtain the machine
    and domain trust secrets.

    Also no longer used is the timeout/2 code to not set the previous
    password. It is now always passed to the caller.

    Andrew Bartlett

    Change-Id: Idd5bafedf4cbac30b174955d743ec4128a6902ee
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit e9dc6423d3f1ab3401314e134ecc574fc5d4c18b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Oct 6 13:51:25 2014 +1300

    auth/credentials: Ensure that we set the realm when reading secrets.tdb

    Otherwise, we try and kinit as host$@DOMAIN and that will not work.

    Andrew Bartlett

    Change-Id: Id2fde673423e74dfa1e6ac48f47f49c61ee59779
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 35b8ed7710f60abcc70e0b070afc16bf3faef263
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Oct 3 06:32:39 2014 +1300

    credentials: Allow the secret.tdb handle to be passed in to cli_credentials_set_machine_account()

    This adds a new wrapper, cli_credentials_set_machine_account_db_ctx()

    Andrew Bartlett

    Change-Id: Ia2cceefede4ba9cf7f8de41986daf9372c19d997
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 89daf5dc534ab03724a2622d3b6b4d6783756bae
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Oct 3 05:14:56 2014 +1300

    credentials: Improve error message on failure to set machine account password

    Change-Id: I4136067d6d0e5cfe92770a2e7efa39f4ebcb2aca
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit adb3eb79ea828b6e6e1858c3d1b8b5ffe868f8ed
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Oct 3 05:14:21 2014 +1300

    credentials: Set secure_channel_type from secrets.tdb in cli_credentials_set_machine_account

    This should ensure more parts of the source4 code can work with a
    password set in secrets.tdb.

    Andrew Bartlett

    Change-Id: I4a890a719246b073898333d2e04841904c6e1a5d
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 72687b19dc4554d793651db399f16fc615b7efee
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Oct 8 10:58:54 2014 +1300

    selftest: Run samba.tests.messaging in an environment where it has servers to list

    The previous code would run on empty databases.

    Andrew Bartlett

    Change-Id: I8f8e736b9ad475b5b3d10e32834450c76edc5ca2
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 022f1ca7fc2b3bea9d86c26d2ed275e828acae8b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Oct 8 10:43:41 2014 +1300

    tests: Allow "max open files" to differ from the documentation

    It is system-dependent.

    Andrew Bartlett

    Change-Id: Icf21476c00295a428ad808bc56ab8153f109627f
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials.h                 |  16 +
 auth/credentials/credentials_secrets.c         |  87 +++-
 docs-xml/smbdotconf/security/clientsigning.xml |   7 +-
 python/samba/tests/docs.py                     |   3 +-
 selftest/tests.py                              |   2 +-
 source3/include/auth_generic.h                 |   2 +
 source3/include/client.h                       |   5 -
 source3/lib/netapi/cm.c                        |   6 +-
 source3/libsmb/auth_generic.c                  |   8 +
 source3/libsmb/cliconnect.c                    |  49 +--
 source3/libsmb/clidfs.c                        |   3 -
 source3/libsmb/clientgen.c                     |  61 ---
 source3/libsmb/libsmb_server.c                 |   8 -
 source3/libsmb/passchange.c                    |  18 -
 source3/libsmb/proto.h                         |   4 -
 source3/passdb/passdb.c                        |  66 ++-
 source3/rpc_client/cli_pipe.c                  | 116 +++++
 source3/rpc_client/cli_pipe.h                  |  15 +
 source3/rpcclient/rpcclient.c                  |   2 +-
 source3/torture/torture.c                      |   6 -
 source3/utils/ntlm_auth.c                      |   3 +-
 source3/winbindd/winbindd_cm.c                 | 635 +++++++++++++++---------
 22 files changed, 692 insertions(+), 430 deletions(-)

Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index fdd35bb..2da47d2 100644 --- a/auth/credentials/credentials.h +++ b/auth/credentials/credentials.h @@ -36,6 +36,7 @@ struct ccache_container; struct gssapi_creds_container; struct smb_krb5_context; struct keytab_container; +struct db_context; /* In order of priority */ enum credentials_obtained { @@ -161,6 +162,21 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, const char *serviceprincipal); NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, struct loadparm_context *lp_ctx); +/** + * Fill in credentials for the machine trust account, from the + * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB). + * + * This version is used in parts of the code that can link in the + * CTDB dbwrap backend, by passing down the already open handle. + * + * @param cred Credentials structure to fill in + * @param db_ctx dbwrap context for secrets.tdb + * @retval NTSTATUS error detailing any failure + */ +NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct db_context *db_ctx); + bool cli_credentials_authentication_requested(struct cli_credentials *cred); void cli_credentials_guess(struct cli_credentials *cred, struct loadparm_context *lp_ctx); diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c index 625ce20..d259a4d 100644 --- a/auth/credentials/credentials_secrets.c +++ b/auth/credentials/credentials_secrets.c 
@@ -231,6 +231,43 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, struct loadparm_context *lp_ctx) { + struct db_context *db_ctx; + char *secrets_tdb_path; + + secrets_tdb_path = lpcfg_private_db_path(cred, lp_ctx, "secrets"); + if (secrets_tdb_path == NULL) { + return NT_STATUS_NO_MEMORY; + } + + db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb_path, 0, + TDB_DEFAULT, O_RDWR, 0600, + DBWRAP_LOCK_ORDER_1, + DBWRAP_FLAG_NONE); + TALLOC_FREE(secrets_tdb_path); + + /* + * We do not check for errors here, we might not have a + * secrets.tdb at all, and so we just need to check the + * secrets.ldb + */ + return cli_credentials_set_machine_account_db_ctx(cred, lp_ctx, db_ctx); +} + +/** + * Fill in credentials for the machine trust account, from the + * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB). + * + * This version is used in parts of the code that can link in the + * CTDB dbwrap backend, by passing down the already open handle. + * + * @param cred Credentials structure to fill in + * @param db_ctx dbwrap context for secrets.tdb + * @retval NTSTATUS error detailing any failure + */ +_PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred, + struct loadparm_context *lp_ctx, + struct db_context *db_ctx) +{ NTSTATUS status; char *filter; char *error_string; 
@@ -239,24 +276,14 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr time_t secrets_tdb_lct = 0; char *secrets_tdb_password = NULL; char *secrets_tdb_old_password = NULL; + uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL; char *keystr; char *keystr_upper = NULL; - char *secrets_tdb; - struct db_context *db_ctx; TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb"); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; } - secrets_tdb = lpcfg_private_db_path(cred, lp_ctx, "secrets"); - if (!secrets_tdb) { - TALLOC_FREE(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - - db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb, 0, - TDB_DEFAULT, O_RDWR, 0600, - DBWRAP_LOCK_ORDER_1, - DBWRAP_FLAG_NONE); + /* Bleh, nasty recursion issues: We are setting a machine * account here, so we don't want the 'pending' flag around * any more */ @@ -287,6 +314,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr if (NT_STATUS_IS_OK(status)) { secrets_tdb_password = (char *)dbuf.dptr; } + keystr = talloc_asprintf(tmp_ctx, "%s/%s", SECRETS_MACHINE_PASSWORD_PREV, domain); @@ -296,6 +324,16 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr if (NT_STATUS_IS_OK(status)) { secrets_tdb_old_password = (char *)dbuf.dptr; } + + keystr = talloc_asprintf(tmp_ctx, "%s/%s", + SECRETS_MACHINE_SEC_CHANNEL_TYPE, + domain); + keystr_upper = strupper_talloc(tmp_ctx, keystr); + status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper), + &dbuf); + if (NT_STATUS_IS_OK(status) && dbuf.dsize == 4) { + secrets_tdb_secure_channel_type = IVAL(dbuf.dptr,0); + } } filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, 
@@ -321,20 +359,35 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED); cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED); cli_credentials_set_domain(cred, domain, CRED_SPECIFIED); + if (strequal(domain, lpcfg_workgroup(lp_ctx))) { + cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED); + } cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct); + cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type); status = NT_STATUS_OK; } else if (!NT_STATUS_IS_OK(status)) { if (db_ctx) { - error_string = talloc_asprintf(cred, - "Failed to fetch machine account password from " - "secrets.ldb: %s and failed to fetch %s from %s", - error_string, keystr_upper, secrets_tdb); + error_string + = talloc_asprintf(cred, + "Failed to fetch machine account password for %s from both " + "secrets.ldb (%s) and from %s", + domain, error_string, + dbwrap_name(db_ctx)); } else { + char *secrets_tdb_path; + + secrets_tdb_path = lpcfg_private_db_path(tmp_ctx, + lp_ctx, + "secrets"); + if (secrets_tdb_path == NULL) { + return NT_STATUS_NO_MEMORY; + } + error_string = talloc_asprintf(cred, "Failed to fetch machine account password from " "secrets.ldb: %s and failed to open %s", - error_string, secrets_tdb); + error_string, secrets_tdb_path); } DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n", error_string, nt_errstr(status))); diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml index 34fce3e..3b5687f 100644 --- a/docs-xml/smbdotconf/security/clientsigning.xml +++ b/docs-xml/smbdotconf/security/clientsigning.xml 
@@ -9,8 +9,11 @@ and <emphasis>disabled</emphasis>. </para> - <para>When set to auto or default, SMB signing is offered, but not enforced. - When set to mandatory, SMB signing is required and if set + <para>When set to auto or default, SMB signing is offered, but not + enforced, except in winbindd, where it is enforced to Active + Directory Domain Controllers. </para> + + <para>When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either. </para> </description> diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py index 0d71e68..a6a1a15 100644 --- a/python/samba/tests/docs.py +++ b/python/samba/tests/docs.py @@ -131,7 +131,8 @@ class SmbDotConfTests(TestCase): 'ctdbd socket', 'printing', 'printcap name', 'queueresume command', 'queuepause command','lpresume command', 'lppause command', 'lprm command', 'lpq command', 'print command', 'template homedir', - 'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build']) + 'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build', + 'max open files']) def setUp(self): super(SmbDotConfTests, self).setUp() diff --git a/selftest/tests.py b/selftest/tests.py index 7191fab..e83b236 100644 --- a/selftest/tests.py +++ b/selftest/tests.py @@ -56,7 +56,7 @@ planpythontestsuite("none", "samba.tests.netcmd") planpythontestsuite("none", "samba.tests.dcerpc.rpc_talloc") planpythontestsuite("none", "samba.tests.samdb") planpythontestsuite("none", "samba.tests.hostconfig") -planpythontestsuite("none", "samba.tests.messaging") +planpythontestsuite("dc:local", "samba.tests.messaging") planpythontestsuite("none", "samba.tests.samba3sam") planpythontestsuite( "none", "wafsamba.tests.test_suite", diff --git a/source3/include/auth_generic.h b/source3/include/auth_generic.h index 96b07cd..07df62a 100644 --- a/source3/include/auth_generic.h +++ b/source3/include/auth_generic.h 
@@ -37,6 +37,8 @@ NTSTATUS auth_generic_set_domain(struct auth_generic_state *ans, const char *domain); NTSTATUS auth_generic_set_password(struct auth_generic_state *ans, const char *password); +NTSTATUS auth_generic_set_creds(struct auth_generic_state *ans, + struct cli_credentials *creds); NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_state **_ans); NTSTATUS auth_generic_client_start(struct auth_generic_state *ans, const char *oid); diff --git a/source3/include/client.h b/source3/include/client.h index 59fb104..25c44ba 100644 --- a/source3/include/client.h +++ b/source3/include/client.h @@ -52,11 +52,6 @@ struct cli_state { NTSTATUS raw_status; /* maybe via NT_STATUS_DOS() */ bool map_dos_errors; - /* The credentials used to open the cli_state connection. */ - char *domain; - char *user_name; - char *password; /* Can be null to force use of zero NTLMSSP session key. */ - /* * The following strings are the * ones returned by the server if diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c index 801e61f..0e05af8 100644 --- a/source3/lib/netapi/cm.c +++ b/source3/lib/netapi/cm.c @@ -113,11 +113,7 @@ static WERROR libnetapi_open_ipc_connection(struct libnetapi_ctx *ctx, false, false, lp_client_max_protocol(), 0, 0x20, &cli_ipc); - if (NT_STATUS_IS_OK(status)) { - cli_set_username(cli_ipc, ctx->username); - cli_set_password(cli_ipc, ctx->password); - cli_set_domain(cli_ipc, ctx->workgroup); - } else { + if (!NT_STATUS_IS_OK(status)) { cli_ipc = NULL; } TALLOC_FREE(auth_info); diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c index 1f6c681..68d1451 100644 --- a/source3/libsmb/auth_generic.c +++ b/source3/libsmb/auth_generic.c 
@@ -48,6 +48,14 @@ NTSTATUS auth_generic_set_password(struct auth_generic_state *ans, return NT_STATUS_OK; } +NTSTATUS auth_generic_set_creds(struct auth_generic_state *ans, + struct cli_credentials *creds) +{ + talloc_unlink(ans->credentials, creds); + ans->credentials = creds; + return NT_STATUS_OK; +} + NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_state **auth_generic_state) { struct auth_generic_state *ans; diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 9508651..789a85d 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -279,10 +279,6 @@ static void cli_session_setup_lanman2_done(struct tevent_req *subreq) } p += ret; - status = cli_set_username(cli, state->user); - if (tevent_req_nterror(req, status)) { - return; - } tevent_req_done(req); } @@ -486,11 +482,6 @@ static void cli_session_setup_guest_done(struct tevent_req *subreq) } p += ret; - status = cli_set_username(cli, ""); - if (!NT_STATUS_IS_OK(status)) { - tevent_req_nterror(req, status); - return; - } tevent_req_done(req); } @@ -650,11 +641,6 @@ static void cli_session_setup_plain_done(struct tevent_req *subreq) } p += ret; - status = cli_set_username(cli, state->user); - if (tevent_req_nterror(req, status)) { - return; - } - tevent_req_done(req); } @@ -963,10 +949,6 @@ static void cli_session_setup_nt1_done(struct tevent_req *subreq) } p += ret; - status = cli_set_username(cli, state->user); - if (tevent_req_nterror(req, status)) { - return; - } if (smb1cli_conn_activate_signing(cli->conn, state->session_key, state->response) && !smb1cli_conn_check_signing(cli->conn, (uint8_t *)in, 1)) { tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED); 
@@ -1811,13 +1793,6 @@ static struct tevent_req *cli_session_setup_spnego_send( DEBUG(3,("got principal=%s\n", principal ? principal : "<null>")); - status = cli_set_username(cli, user); - if (!NT_STATUS_IS_OK(status)) { - state->result = ADS_ERROR_NT(status); - tevent_req_done(req); - return tevent_req_post(req, ev); - } - #ifdef HAVE_KRB5 /* If password is set we reauthenticate to kerberos server * and do not store results */ @@ -1826,6 +1801,12 @@ static struct tevent_req *cli_session_setup_spnego_send( const char *remote_name = smbXcli_conn_remote_name(cli->conn); char *tmp; + + tmp = cli_session_setup_get_principal( + talloc_tos(), principal, remote_name, dest_realm); + TALLOC_FREE(principal); + principal = tmp; + if (pass && *pass) { int ret; @@ -1833,8 +1814,8 @@ static struct tevent_req *cli_session_setup_spnego_send( ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL); if (ret){ + DEBUG(0, ("Kinit for %s to access %s failed: %s\n", user, principal, error_message(ret))); TALLOC_FREE(principal); - DEBUG(0, ("Kinit failed: %s\n", error_message(ret))); if (cli->fallback_after_kerberos) goto ntlmssp; state->result = ADS_ERROR_KRB5(ret); @@ -1843,11 +1824,6 @@ static struct tevent_req *cli_session_setup_spnego_send( } } - tmp = cli_session_setup_get_principal( - talloc_tos(), principal, remote_name, dest_realm); - TALLOC_FREE(principal); - principal = tmp; - if (principal) { subreq = cli_session_setup_kerberos_send( state, ev, cli, principal); @@ -3388,11 +3364,6 @@ static void cli_full_connection_sess_set_up(struct tevent_req *subreq) return; } - status = cli_init_creds(state->cli, state->user, state->domain, - state->password); - if (tevent_req_nterror(req, status)) { - return; - } tevent_req_done(req); } 
@@ -3409,11 +3380,7 @@ static void cli_full_connection_done(struct tevent_req *subreq) if (tevent_req_nterror(req, status)) { return; } - status = cli_init_creds(state->cli, state->user, state->domain, - state->password); - if (tevent_req_nterror(req, status)) { - return; - } + tevent_req_done(req); } diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c index 93f04c5..e5c03a8 100644 --- a/source3/libsmb/clidfs.c +++ b/source3/libsmb/clidfs.c @@ -207,9 +207,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, return status; } d_printf("Anonymous login successful\n"); - status = cli_init_creds(c, "", lp_workgroup(), ""); - } else { - status = cli_init_creds(c, username, lp_workgroup(), password); } if (!NT_STATUS_IS_OK(status)) { diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c index 71ec1dc..3b737d4 100644 --- a/source3/libsmb/clientgen.c +++ b/source3/libsmb/clientgen.c 
@@ -66,67 +66,6 @@ bool cli_set_backup_intent(struct cli_state *cli, bool flag) } /**************************************************************************** - Initialize Domain, user or password. -****************************************************************************/ - -NTSTATUS cli_set_domain(struct cli_state *cli, const char *domain) -{ - TALLOC_FREE(cli->domain); - cli->domain = talloc_strdup(cli, domain ? domain : ""); - if (cli->domain == NULL) { - return NT_STATUS_NO_MEMORY; - } - return NT_STATUS_OK; -} - -NTSTATUS cli_set_username(struct cli_state *cli, const char *username) -{ - TALLOC_FREE(cli->user_name); - cli->user_name = talloc_strdup(cli, username ? username : ""); - if (cli->user_name == NULL) { - return NT_STATUS_NO_MEMORY; - } - return NT_STATUS_OK; -} - -NTSTATUS cli_set_password(struct cli_state *cli, const char *password) -{ - TALLOC_FREE(cli->password); - - /* Password can be NULL. */ - if (password) { - cli->password = talloc_strdup(cli, password); - if (cli->password == NULL) { - return NT_STATUS_NO_MEMORY; - } - } else { - /* Use zero NTLMSSP hashes and session key. */ - cli->password = NULL; - } - - return NT_STATUS_OK; -} - -/**************************************************************************** - Initialise credentials of a client structure. -****************************************************************************/ - -NTSTATUS cli_init_creds(struct cli_state *cli, const char *username, const char *domain, const char *password) -{ - NTSTATUS status = cli_set_username(cli, username); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - status = cli_set_domain(cli, domain); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - DEBUG(10,("cli_init_creds: user %s domain %s\n", cli->user_name, cli->domain)); - - return cli_set_password(cli, password); -} - -/**************************************************************************** Initialise a client structure. Always returns a talloc'ed struct. 
Set the signing state (used from the command line). ****************************************************************************/ diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c index d89b9ec..8f68a40 100644 --- a/source3/libsmb/libsmb_server.c +++ b/source3/libsmb/libsmb_server.c @@ -488,14 +488,6 @@ SMBC_server_internal(TALLOC_CTX *ctx, -- Samba Shared Repository