The branch, master has been updated via 825180b auth3: Simplify auth_check_ntlm_password logic with a "goto fail" via 66f94e5 auth3: Simplify auth_check_ntlm_password logic with a "goto fail" via 56b0303 auth3: Simplify auth_check_ntlm_password server_info handling via b19868c auth3: Simplify auth_check_ntlm_password talloc handling via d31bf0e auth3: Use talloc_move instead of _steal via 1bbbc152d auth3: Centralize auth_check_ntlm_password failure handling from 57286d5 s3-gse: move krb5 fallback to smb_gss_krb5_import_cred wrapper
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 825180bcd226ea9223de2c992a84895fd3e53902 Author: Volker Lendecke <v...@samba.org> Date: Sat Feb 11 11:38:56 2017 +0100 auth3: Simplify auth_check_ntlm_password logic with a "goto fail" No intended code change, just reformatting and a goto fail with inverted logic Best viewed with "git show -b" Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Thu Mar 9 02:01:35 CET 2017 on sn-devel-144 commit 66f94e557eecc4a48762543414cda690c08ff8cb Author: Volker Lendecke <v...@samba.org> Date: Sat Feb 11 11:38:56 2017 +0100 auth3: Simplify auth_check_ntlm_password logic with a "goto fail" No intended code change, just reformatting and a goto fail with inverted logic Best viewed with "git show -b" :-) Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit 56b0303a611d1fdcee4f37285164fe94866fda59 Author: Volker Lendecke <v...@samba.org> Date: Sat Feb 11 11:34:58 2017 +0100 auth3: Simplify auth_check_ntlm_password server_info handling Instead of directly assigning (*pserver_info), work on a local copy first and assign it once when successful Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit b19868ce6ab823e447a6195d29291b9205422e67 Author: Volker Lendecke <v...@samba.org> Date: Sat Feb 11 11:26:09 2017 +0100 auth3: Simplify auth_check_ntlm_password talloc handling Use talloc_stackframe and talloc_tos. Don't bother to talloc_free within the loop, we don't have many iterations. 
Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit d31bf0e29d7982c24dadea1c9fb481ef26db72dd Author: Volker Lendecke <v...@samba.org> Date: Sun Feb 19 14:23:58 2017 +0100 auth3: Use talloc_move instead of _steal That's the more "modern" way to steal Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit 1bbbc152d30b8872898f5cef8c5e820b36e0d90b Author: Volker Lendecke <v...@samba.org> Date: Sat Feb 11 11:24:22 2017 +0100 auth3: Centralize auth_check_ntlm_password failure handling Preparation for simplified talloc handling. Slight behaviour change: We now ZERO_STRUCTP(pserver_info) in all failure cases. Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> -----------------------------------------------------------------------
Summary of changes:
source3/auth/auth.c | 113 ++++++++++++++++++++++++++++------------------------
1 file changed, 60 insertions(+), 53 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 50d0188..1cbe46e 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -165,15 +165,19 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 const struct auth_usersupplied_info *user_info,
 struct auth_serversupplied_info **pserver_info)
 {
+ TALLOC_CTX *frame;
 /* if all the modules say 'not for me' this is reasonable */
 NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
 const char *unix_username;
 auth_methods *auth_method;
+ struct auth_serversupplied_info *server_info;
 if (user_info == NULL || auth_context == NULL || pserver_info == NULL) {
 return NT_STATUS_LOGON_FAILURE;
 }
+ frame = talloc_stackframe();
+
 DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
 user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
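Review bot: `server_info` is declared without an initializer at `+ struct auth_serversupplied_info *server_info;` and, in the hunks shown, is only ever written through `&server_info` by `auth_method->auth()`; should a module report success without filling its out-parameter, the later `server_info->unix_name` and `talloc_move(mem_ctx, &server_info)` would read an indeterminate pointer, which is undefined behaviour rather than a reproducible crash. Initialising it, `struct auth_serversupplied_info *server_info = NULL;`, turns that contract violation into a deterministic NULL dereference at the first use and costs nothing. The function body spans several hunks; the code that folds each module's `result` into `nt_status` lies between the hunks and is not visible here.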
@@ -182,7 +186,8 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 if (auth_context->challenge.length != 8) {
 DEBUG(0, ("check_ntlm_password: Invalid challenge stored for this auth context - cannot continue\n"));
- return NT_STATUS_LOGON_FAILURE;
+ nt_status = NT_STATUS_LOGON_FAILURE;
+ goto fail;
 }
 if (auth_context->challenge_set_by)
@@ -202,12 +207,13 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 #endif
 /* This needs to be sorted: If it doesn't match, what should we do? */
- if (!check_domain_match(user_info->client.account_name, user_info->mapped.domain_name))
- return NT_STATUS_LOGON_FAILURE;
+ if (!check_domain_match(user_info->client.account_name,
+ user_info->mapped.domain_name)) {
+ nt_status = NT_STATUS_LOGON_FAILURE;
+ goto fail;
+ }
 for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
- struct auth_serversupplied_info *server_info;
- TALLOC_CTX *tmp_ctx;
 NTSTATUS result;
 if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY
@@ -215,23 +221,15 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 continue;
 }
- tmp_ctx = talloc_named(mem_ctx,
- 0,
- "%s authentication for user %s\\%s",
- auth_method->name,
- user_info->mapped.domain_name,
- user_info->client.account_name);
-
 result = auth_method->auth(auth_context, auth_method->private_data,
- tmp_ctx,
+ talloc_tos(),
 user_info, &server_info);
 /* check if the module did anything */
 if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
 DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
- TALLOC_FREE(tmp_ctx);
 if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY) {
 /* we don't expose the NT_STATUS_NOT_IMPLEMENTED
 * internals, except when the caller is only probing
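Review bot: The two early exits rewritten in the `-182` and `-202` hunks (invalid challenge length, `check_domain_match` failing) now land on the `fail:` label, which also emits the DEBUG(2) `Authentication for user [%s] -> [%s] FAILED` line and runs `ZERO_STRUCTP(pserver_info)`, whereas the old code returned directly; the commit messages describe only the ZERO_STRUCTP part as a behaviour change. The extra log line is a useful audit signal on both paths, but it deserves a sentence in the commit message or a comment above the label, e.g. `/* every failure path lands here: log once, clear *pserver_info, drop frame */`, so nobody later mistakes it for an accidental duplicate of the DEBUG(0) message. In the `-215` hunk the per-method `talloc_named()` context gives way to `talloc_tos()`, so whatever a module allocates there now lives on `frame` until the function returns; that is what lets the single `TALLOC_FREE(frame)` suffice, and a one-line comment at the call site would help readers who notice there is no longer a per-iteration free.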
@@ -253,61 +251,68 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 }
 if (NT_STATUS_IS_OK(nt_status)) {
- *pserver_info = talloc_steal(mem_ctx, server_info);
- TALLOC_FREE(tmp_ctx);
 break;
 }
-
- TALLOC_FREE(tmp_ctx);
 }
 /* successful authentication */
- if (NT_STATUS_IS_OK(nt_status)) {
- unix_username = (*pserver_info)->unix_name;
-
- /* We skip doing this step if the caller asked us not to */
- if (!(user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ)
- && !(*pserver_info)->guest) {
- const char *rhost;
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ goto fail;
+ }
- if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
- rhost = tsocket_address_inet_addr_string(user_info->remote_host,
- talloc_tos());
- if (rhost == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- } else {
- rhost = "127.0.0.1";
- }
+ unix_username = server_info->unix_name;
- /* We might not be root if we are an RPC call */
- become_root();
- nt_status = smb_pam_accountcheck(unix_username,
- rhost);
- unbecome_root();
+ /* We skip doing this step if the caller asked us not to */
+ if (!(user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ)
+ && !(server_info->guest)) {
+ const char *rhost;
- if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] succeeded\n",
- unix_username));
- } else {
- DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] FAILED with error %s\n",
- unix_username, nt_errstr(nt_status)));
- }
+ if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
+ rhost = tsocket_address_inet_addr_string(
+ user_info->remote_host, talloc_tos());
+ if (rhost == NULL) {
+ nt_status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ } else {
+ rhost = "127.0.0.1";
 }
+ /* We might not be root if we are an RPC call */
+ become_root();
+ nt_status = smb_pam_accountcheck(unix_username, rhost);
+ unbecome_root();
+
 if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG((*pserver_info)->guest ? 5 : 2,
- ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
- (*pserver_info)->guest ? "guest " : "",
- user_info->client.account_name,
- user_info->mapped.account_name,
- unix_username));
+ DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] "
+ "succeeded\n", unix_username));
+ } else {
+ DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] "
+ "FAILED with error %s\n",
+ unix_username, nt_errstr(nt_status)));
 }
+ }
- return nt_status;
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ goto fail;
 }
+ DEBUG(server_info->guest ? 5 : 2,
+ ("check_ntlm_password: %sauthentication for user "
+ "[%s] -> [%s] -> [%s] succeeded\n",
+ server_info->guest ? "guest " : "",
+ user_info->client.account_name,
+ user_info->mapped.account_name,
+ unix_username));
+
+ *pserver_info = talloc_move(mem_ctx, &server_info);
+
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+
+fail:
+
 /* failed authentication; check for guest lapping */
 DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
@@ -315,6 +320,8 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 nt_errstr(nt_status)));
 ZERO_STRUCTP(pserver_info);
+ TALLOC_FREE(frame);
+
 return nt_status;
 }
--
Samba Shared Repository
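Review bot: The `fail:` path now fails closed — `ZERO_STRUCTP(pserver_info)` runs before `TALLOC_FREE(frame)`, and `*pserver_info` is assigned only via `talloc_move` after the PAM account check has passed — but nothing in the code records that invariant, and the old `return NT_STATUS_NO_MEMORY` on the `rhost == NULL` path is exactly the kind of exit that used to bypass it while `*pserver_info` had already been `talloc_steal`ed. A comment at the label such as `/* all failures: nothing allocated on frame (module server_info, rhost) survives and the caller sees a zeroed *pserver_info */` would tell the next maintainer why no plain `return` may be added between `talloc_stackframe()` and here. Whether every auth module really allocates its `server_info` on the `talloc_tos()` it is handed cannot be checked from this diff; if one parents it elsewhere, the frame free leaves that object to its own owner, which is worth confirming in the module implementations. The `-315` hunk only adds the matching `TALLOC_FREE(frame)` and needs no separate note.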