The branch, master has been updated via ed42d6e s3:librpc: Handle gss_min in gse_get_client_auth_token() correctly via 4194a67 gensec:spnego: Add debug message for the failed principal from 70923b7 ndr: Use resizing array instead of linked lists (breaking ABI)
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit ed42d6e81f6c7cf4ed78b2bc9fcdf6c9d970ca55 Author: Andreas Schneider <a...@samba.org> Date: Mon Feb 27 17:18:15 2017 +0100 s3:librpc: Handle gss_min in gse_get_client_auth_token() correctly This will make sure we correctly fall back to NTLMSSP. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12557 Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Andreas Schneider <a...@samba.org> Signed-off-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Thu Mar 2 12:41:40 CET 2017 on sn-devel-144 commit 4194a67c7efcb58ef2bb7efa1d1556d5fa0ce2e0 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Jan 20 17:15:49 2017 +0100 gensec:spnego: Add debug message for the failed principal BUG: https://bugzilla.samba.org/show_bug.cgi?id=12557 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/gensec/spnego.c | 58 +++++++++++++++++++++++++++++++++++++++++---- source3/librpc/crypto/gse.c | 46 ++++++++++++++++++++++++++++++----- 2 files changed, 93 insertions(+), 11 deletions(-) Changeset truncated at 500 lines:
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 4787892..f063f7b 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -511,10 +511,34 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
 NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_LOGON_SERVERS) ||
 NT_STATUS_EQUAL(nt_status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
 NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
- /* Pretend we never started it (lets the first run find some incompatible demand) */
+ const char *next = NULL;
+ const char *principal = NULL;
+ int dbg_level = DBGLVL_WARNING;
+
+ if (all_sec[i+1].op != NULL) {
+ next = all_sec[i+1].op->name;
+ dbg_level = DBGLVL_NOTICE;
+ }
+
+ if (gensec_security->target.principal != NULL) {
+ principal = gensec_security->target.principal;
+ } else if (gensec_security->target.service != NULL &&
+ gensec_security->target.hostname != NULL)
+ {
+ principal = talloc_asprintf(spnego_state->sub_sec_security,
+ "%s/%s",
+ gensec_security->target.service,
+ gensec_security->target.hostname);
+ } else {
+ principal = gensec_security->target.hostname;
+ }
+
+ DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
+ spnego_state->sub_sec_security->ops->name,
+ principal,
+ next, nt_errstr(nt_status)));
 
- DEBUG(3, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
- spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+ /* Pretend we never started it (lets the first run find some incompatible demand) */
 talloc_free(spnego_state->sub_sec_security);
 spnego_state->sub_sec_security = NULL;
 continue;
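Review bot: Both `principal` and `next` can still be NULL when they reach the `%s` conversions of the new DEBUG() call (`next` whenever `all_sec[i+1].op == NULL`, `principal` when the target has neither a principal nor a hostname, or when `talloc_asprintf()` returns NULL), and passing NULL to `%s` is undefined behaviour in C that appears to rely on the libc printing "(null)". Defaulting them, e.g. `const char *next = "NONE";` and a final `if (principal == NULL) { principal = "<unknown>"; }` before the DEBUG(), keeps the message portable without changing what is logged on the normal path. The same twenty-odd lines are repeated almost verbatim in the gensec_spnego_create_negTokenInit() hunk below, so a small static helper taking gensec_security, spnego_state and all_sec[i+1].op would keep the two messages from drifting apart. gensec_spnego_parse_negTokenInit() starts and ends outside the hunk.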
@@ -619,8 +643,32 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
- DEBUG(1, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n",
- spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+ const char *next = NULL;
+ const char *principal = NULL;
+ int dbg_level = DBGLVL_WARNING;
+
+ if (all_sec[i+1].op != NULL) {
+ next = all_sec[i+1].op->name;
+ dbg_level = DBGLVL_NOTICE;
+ }
+
+ if (gensec_security->target.principal != NULL) {
+ principal = gensec_security->target.principal;
+ } else if (gensec_security->target.service != NULL &&
+ gensec_security->target.hostname != NULL)
+ {
+ principal = talloc_asprintf(spnego_state->sub_sec_security,
+ "%s/%s",
+ gensec_security->target.service,
+ gensec_security->target.hostname);
+ } else {
+ principal = gensec_security->target.hostname;
+ }
+
+ DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
+ spnego_state->sub_sec_security->ops->name,
+ principal,
+ next, nt_errstr(nt_status)));
 talloc_free(spnego_state->sub_sec_security);
 spnego_state->sub_sec_security = NULL;
 /* Pretend we never started it (lets the first run find some incompatible demand) */
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 99971d3..abf20bc 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -345,14 +345,48 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
 /* we will need a third leg */
 status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 break;
- default:
- if ((gss_maj == GSS_S_FAILURE) &&
- (gss_min == (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED)) {
+ case GSS_S_CONTEXT_EXPIRED:
+ /* Make SPNEGO ignore us, we can't go any further here */
+ DBG_NOTICE("Context expired\n");
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ case GSS_S_FAILURE:
+ switch (gss_min) {
+ case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
+ DBG_NOTICE("Server principal not found\n");
+ /* Make SPNEGO ignore us, we can't go any further here */
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ case (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED:
 DBG_NOTICE("Ticket expired\n");
- } else {
- DBG_ERR("gss_init_sec_context failed with [%s]\n",
- gse_errstr(talloc_tos(), gss_maj, gss_min));
+ /* Make SPNEGO ignore us, we can't go any further here */
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ case (OM_uint32)KRB5KRB_AP_ERR_TKT_NYV:
+ DBG_NOTICE("Clockskew\n");
+ /* Make SPNEGO ignore us, we can't go any further here */
+ status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
+ goto done;
+ case (OM_uint32)KRB5_KDC_UNREACH:
+ DBG_NOTICE("KDC unreachable\n");
+ /* Make SPNEGO ignore us, we can't go any further here */
+ status = NT_STATUS_NO_LOGON_SERVERS;
+ goto done;
+ case (OM_uint32)KRB5KRB_AP_ERR_MSG_TYPE:
+ /* Garbage input, possibly from the auto-mech detection */
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ default:
+ DBG_ERR("gss_init_sec_context failed with [%s](%u)\n",
+ gse_errstr(talloc_tos(), gss_maj, gss_min),
+ gss_min);
+ status = NT_STATUS_LOGON_FAILURE;
+ goto done;
 }
+ break;
+ default:
+ DBG_ERR("gss_init_sec_context failed with [%s]\n",
+ gse_errstr(talloc_tos(), gss_maj, gss_min));
 status = NT_STATUS_INTERNAL_ERROR;
 goto done;
 }
-- Samba Shared Repository
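Review bot: The `KRB5KRB_AP_ERR_MSG_TYPE` case is the only branch of the new inner `switch (gss_min)` that sets `status` and jumps to `done` without emitting a log line, so a fall-back to the next SPNEGO mechanism triggered by unparseable input leaves no trace for an operator, unlike every neighbouring case. Adding `DBG_NOTICE("Unexpected message type, ignoring\n");` before `status = NT_STATUS_INVALID_PARAMETER;` in that case would keep the diagnostics uniform. Separately, the inner default's `DBG_ERR(... "(%u)" ..., gss_min)` passes an `OM_uint32`; on any build where that typedef is not `unsigned int` the conversion is mismatched, so `(unsigned int)gss_min` (or `PRIu32`) would be the portable form. gse_get_client_auth_token() starts and ends outside the hunk.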