The branch, master has been updated
       via  ed42d6e s3:librpc: Handle gss_min in gse_get_client_auth_token() 
correctly
       via  4194a67 gensec:spnego: Add debug message for the failed principal
      from  70923b7 ndr: Use resizing array instead of linked lists (breaking 
ABI)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ed42d6e81f6c7cf4ed78b2bc9fcdf6c9d970ca55
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Feb 27 17:18:15 2017 +0100

    s3:librpc: Handle gss_min in gse_get_client_auth_token() correctly
    
    This will make sure we correctly fall back to NTLMSSP.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12557
    
    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    
    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Thu Mar  2 12:41:40 CET 2017 on sn-devel-144

commit 4194a67c7efcb58ef2bb7efa1d1556d5fa0ce2e0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jan 20 17:15:49 2017 +0100

    gensec:spnego: Add debug message for the failed principal
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12557
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/spnego.c        | 58 +++++++++++++++++++++++++++++++++++++++++----
 source3/librpc/crypto/gse.c | 46 ++++++++++++++++++++++++++++++-----
 2 files changed, 93 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 4787892..f063f7b 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -511,10 +511,34 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct 
gensec_security *gensec_
                                    NT_STATUS_EQUAL(nt_status, 
NT_STATUS_NO_LOGON_SERVERS) ||
                                    NT_STATUS_EQUAL(nt_status, 
NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
                                    NT_STATUS_EQUAL(nt_status, 
NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
-                                       /* Pretend we never started it (lets 
the first run find some incompatible demand) */
+                                       const char *next = NULL;
+                                       const char *principal = NULL;
+                                       int dbg_level = DBGLVL_WARNING;
+
+                                       if (all_sec[i+1].op != NULL) {
+                                               next = all_sec[i+1].op->name;
+                                               dbg_level = DBGLVL_NOTICE;
+                                       }
+
+                                       if (gensec_security->target.principal 
!= NULL) {
+                                               principal = 
gensec_security->target.principal;
+                                       } else if 
(gensec_security->target.service != NULL &&
+                                                  
gensec_security->target.hostname != NULL)
+                                       {
+                                               principal = 
talloc_asprintf(spnego_state->sub_sec_security,
+                                                                           
"%s/%s",
+                                                                           
gensec_security->target.service,
+                                                                           
gensec_security->target.hostname);
+                                       } else {
+                                               principal = 
gensec_security->target.hostname;
+                                       }
+
+                                       DEBUG(dbg_level, ("SPNEGO(%s) creating 
NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
+                                                         
spnego_state->sub_sec_security->ops->name,
+                                                         principal,
+                                                         next, 
nt_errstr(nt_status)));
 
-                                       DEBUG(3, ("SPNEGO(%s) NEG_TOKEN_INIT 
failed: %s\n",
-                                                 
spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+                                       /* Pretend we never started it (lets 
the first run find some incompatible demand) */
                                        
talloc_free(spnego_state->sub_sec_security);
                                        spnego_state->sub_sec_security = NULL;
                                        continue;
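Review bot: Both `next` and `principal` can still be NULL when they reach the `%s` conversions of the new DEBUG call: `next` stays NULL exactly in the no-further-mechanism case that the code promotes to DBGLVL_WARNING, `principal` is NULL when `target.hostname` is unset in the final else branch, and `talloc_asprintf` may return NULL on allocation failure. Passing NULL to `%s` is undefined behaviour in C; glibc happens to print "(null)" but that cannot be relied on in a portable code base. Initialise the fallbacks instead, e.g. `const char *next = "<none>";` and, after the principal selection, `if (principal == NULL) { principal = "<unknown>"; }`. The enclosing function gensec_spnego_parse_negTokenInit begins and ends outside this hunk, so whether `all_sec[i+1]` is always a valid (terminating) entry cannot be confirmed from here.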
@@ -619,8 +643,32 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct 
gensec_security *gensec
 
                        if (!NT_STATUS_EQUAL(nt_status, 
NT_STATUS_MORE_PROCESSING_REQUIRED) 
                            && !NT_STATUS_IS_OK(nt_status)) {
-                               DEBUG(1, ("SPNEGO(%s) creating NEG_TOKEN_INIT 
failed: %s\n", 
-                                         
spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+                               const char *next = NULL;
+                               const char *principal = NULL;
+                               int dbg_level = DBGLVL_WARNING;
+
+                               if (all_sec[i+1].op != NULL) {
+                                       next = all_sec[i+1].op->name;
+                                       dbg_level = DBGLVL_NOTICE;
+                               }
+
+                               if (gensec_security->target.principal != NULL) {
+                                       principal = 
gensec_security->target.principal;
+                               } else if (gensec_security->target.service != 
NULL &&
+                                          gensec_security->target.hostname != 
NULL)
+                               {
+                                       principal = 
talloc_asprintf(spnego_state->sub_sec_security,
+                                                                   "%s/%s",
+                                                                   
gensec_security->target.service,
+                                                                   
gensec_security->target.hostname);
+                               } else {
+                                       principal = 
gensec_security->target.hostname;
+                               }
+
+                               DEBUG(dbg_level, ("SPNEGO(%s) creating 
NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
+                                         
spnego_state->sub_sec_security->ops->name,
+                                         principal,
+                                         next, nt_errstr(nt_status)));
                                talloc_free(spnego_state->sub_sec_security);
                                spnego_state->sub_sec_security = NULL;
                                /* Pretend we never started it (lets the first 
run find some incompatible demand) */
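Review bot: The principal/next-mechanism lookup and DEBUG call added here is a byte-for-byte copy of the block added to gensec_spnego_parse_negTokenInit in the previous hunk, so both sites now carry the same unguarded `%s` on a possibly-NULL `next` and `principal` and any future fix has to be applied twice. Extracting it into one static helper keeps the two call sites in step and gives a single place to default the NULL cases; the type names below are taken from the hunk and should be checked against the file (the enclosing function gensec_spnego_create_negTokenInit starts before this hunk).
```c
/* Log why the current sub-mechanism could not build a NEG_TOKEN_INIT and
 * which mechanism (if any) SPNEGO will try next. */
static void gensec_spnego_debug_mech_failure(struct gensec_security *gensec_security,
					     struct spnego_state *spnego_state,
					     const char *next,
					     NTSTATUS nt_status)
{
	const char *principal = "<unknown>";
	int dbg_level = (next != NULL) ? DBGLVL_NOTICE : DBGLVL_WARNING;

	if (gensec_security->target.principal != NULL) {
		principal = gensec_security->target.principal;
	} else if (gensec_security->target.service != NULL &&
		   gensec_security->target.hostname != NULL) {
		char *p = talloc_asprintf(spnego_state->sub_sec_security, "%s/%s",
					  gensec_security->target.service,
					  gensec_security->target.hostname);
		if (p != NULL) {
			principal = p;
		}
	} else if (gensec_security->target.hostname != NULL) {
		principal = gensec_security->target.hostname;
	}

	DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
			  spnego_state->sub_sec_security->ops->name,
			  principal,
			  (next != NULL) ? next : "<none>",
			  nt_errstr(nt_status)));
}

/* … unchanged: gensec_spnego_create_negTokenInit up to the failure check … */
				gensec_spnego_debug_mech_failure(gensec_security, spnego_state,
								 all_sec[i+1].op != NULL ? all_sec[i+1].op->name : NULL,
								 nt_status);
/* … unchanged: talloc_free(spnego_state->sub_sec_security) and continue … */
```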
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 99971d3..abf20bc 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -345,14 +345,48 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX 
*mem_ctx,
                /* we will need a third leg */
                status = NT_STATUS_MORE_PROCESSING_REQUIRED;
                break;
-       default:
-               if ((gss_maj == GSS_S_FAILURE) &&
-                   (gss_min == (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED)) {
+       case GSS_S_CONTEXT_EXPIRED:
+               /* Make SPNEGO ignore us, we can't go any further here */
+               DBG_NOTICE("Context expired\n");
+               status = NT_STATUS_INVALID_PARAMETER;
+               goto done;
+       case GSS_S_FAILURE:
+               switch (gss_min) {
+               case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
+                       DBG_NOTICE("Server principal not found\n");
+                       /* Make SPNEGO ignore us, we can't go any further here 
*/
+                       status = NT_STATUS_INVALID_PARAMETER;
+                       goto done;
+               case (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED:
                        DBG_NOTICE("Ticket expired\n");
-               } else {
-                       DBG_ERR("gss_init_sec_context failed with [%s]\n",
-                               gse_errstr(talloc_tos(), gss_maj, gss_min));
+                       /* Make SPNEGO ignore us, we can't go any further here 
*/
+                       status = NT_STATUS_INVALID_PARAMETER;
+                       goto done;
+               case (OM_uint32)KRB5KRB_AP_ERR_TKT_NYV:
+                       DBG_NOTICE("Clockskew\n");
+                       /* Make SPNEGO ignore us, we can't go any further here 
*/
+                       status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
+                       goto done;
+               case (OM_uint32)KRB5_KDC_UNREACH:
+                       DBG_NOTICE("KDC unreachable\n");
+                       /* Make SPNEGO ignore us, we can't go any further here 
*/
+                       status = NT_STATUS_NO_LOGON_SERVERS;
+                       goto done;
+               case (OM_uint32)KRB5KRB_AP_ERR_MSG_TYPE:
+                       /* Garbage input, possibly from the auto-mech detection 
*/
+                       status = NT_STATUS_INVALID_PARAMETER;
+                       goto done;
+               default:
+                       DBG_ERR("gss_init_sec_context failed with [%s](%u)\n",
+                               gse_errstr(talloc_tos(), gss_maj, gss_min),
+                               gss_min);
+                       status = NT_STATUS_LOGON_FAILURE;
+                       goto done;
                }
+               break;
+       default:
+               DBG_ERR("gss_init_sec_context failed with [%s]\n",
+                       gse_errstr(talloc_tos(), gss_maj, gss_min));
                status = NT_STATUS_INTERNAL_ERROR;
                goto done;
        }
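Review bot: The new KRB5_KDC_UNREACH → NT_STATUS_NO_LOGON_SERVERS and KRB5KRB_AP_ERR_TKT_NYV → NT_STATUS_TIME_DIFFERENCE_AT_DC mappings return exactly the statuses the SPNEGO caller in the spnego.c hunks above treats as "pretend we never started it" and moves on to the next mechanism, so a client that cannot reach its KDC, or whose clock is skewed, will now quietly negotiate NTLMSSP. That is the intended fix, but it is also a Kerberos→NTLM downgrade an on-path attacker can force by dropping KDC traffic, and the only trace is a DBG_NOTICE; the comments should say so, e.g. on the KDC-unreachable case replace `/* Make SPNEGO ignore us, we can't go any further here */` with `/* Let SPNEGO fall back to the next mech (NTLMSSP): this is a Kerberos->NTLM downgrade an attacker can trigger by blocking the KDC, so any policy forbidding NTLM must be enforced by the caller */`. Separately, the `break;` after the inner switch is unreachable because every inner case ends in `goto done`, and the default branch now returns NT_STATUS_LOGON_FAILURE where the removed code returned NT_STATUS_INTERNAL_ERROR, which the commit message does not mention. The enclosing function gse_get_client_auth_token begins and ends outside this hunk.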


-- 
Samba Shared Repository
