The branch, master has been updated
       via  825180b auth3: Simplify auth_check_ntlm_password logic with a "goto 
fail"
       via  66f94e5 auth3: Simplify auth_check_ntlm_password logic with a "goto 
fail"
       via  56b0303 auth3: Simplify auth_check_ntlm_password server_info 
handling
       via  b19868c auth3: Simplify auth_check_ntlm_password talloc handling
       via  d31bf0e auth3: Use talloc_move instead of _steal
       via  1bbbc152d auth3: Centralize auth_check_ntlm_password failure 
handling
      from  57286d5 s3-gse: move krb5 fallback to smb_gss_krb5_import_cred 
wrapper

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 825180bcd226ea9223de2c992a84895fd3e53902
Author: Volker Lendecke <v...@samba.org>
Date:   Sat Feb 11 11:38:56 2017 +0100

    auth3: Simplify auth_check_ntlm_password logic with a "goto fail"
    
    No intended code change, just reformatting and a goto fail with
    inverted logic
    
    Best viewed with "git show -b"
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    
    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Thu Mar  9 02:01:35 CET 2017 on sn-devel-144

commit 66f94e557eecc4a48762543414cda690c08ff8cb
Author: Volker Lendecke <v...@samba.org>
Date:   Sat Feb 11 11:38:56 2017 +0100

    auth3: Simplify auth_check_ntlm_password logic with a "goto fail"
    
    No intended code change, just reformatting and a goto fail with
    inverted logic
    
    Best viewed with "git show -b" :-)
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 56b0303a611d1fdcee4f37285164fe94866fda59
Author: Volker Lendecke <v...@samba.org>
Date:   Sat Feb 11 11:34:58 2017 +0100

    auth3: Simplify auth_check_ntlm_password server_info handling
    
    Instead of directly assigning (*pserver_info), work on a local copy
    first and assign it once when successful
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit b19868ce6ab823e447a6195d29291b9205422e67
Author: Volker Lendecke <v...@samba.org>
Date:   Sat Feb 11 11:26:09 2017 +0100

    auth3: Simplify auth_check_ntlm_password talloc handling
    
    Use talloc_stackframe and talloc_tos. Don't bother to talloc_free
    within the loop, we don't have many iterations.
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit d31bf0e29d7982c24dadea1c9fb481ef26db72dd
Author: Volker Lendecke <v...@samba.org>
Date:   Sun Feb 19 14:23:58 2017 +0100

    auth3: Use talloc_move instead of _steal
    
    That's the more "modern" way to steal
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 1bbbc152d30b8872898f5cef8c5e820b36e0d90b
Author: Volker Lendecke <v...@samba.org>
Date:   Sat Feb 11 11:24:22 2017 +0100

    auth3: Centralize auth_check_ntlm_password failure handling
    
    Preparation for simplified talloc handling. Slight behaviour change:
    We now ZERO_STRUCTP(pserver_info) in all failure cases.
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/auth/auth.c | 113 ++++++++++++++++++++++++++++------------------------
 1 file changed, 60 insertions(+), 53 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 50d0188..1cbe46e 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -165,15 +165,19 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
                                  const struct auth_usersupplied_info 
*user_info,
                                  struct auth_serversupplied_info 
**pserver_info)
 {
+       TALLOC_CTX *frame;
        /* if all the modules say 'not for me' this is reasonable */
        NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
        const char *unix_username;
        auth_methods *auth_method;
+       struct auth_serversupplied_info *server_info;
 
        if (user_info == NULL || auth_context == NULL || pserver_info == NULL) {
                return NT_STATUS_LOGON_FAILURE;
        }
 
+       frame = talloc_stackframe();
+
        DEBUG(3, ("check_ntlm_password:  Checking password for unmapped user 
[%s]\\[%s]@[%s] with the new password interface\n", 
                  user_info->client.domain_name, 
user_info->client.account_name, user_info->workstation_name));
 
@@ -182,7 +186,8 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 
        if (auth_context->challenge.length != 8) {
                DEBUG(0, ("check_ntlm_password:  Invalid challenge stored for 
this auth context - cannot continue\n"));
-               return NT_STATUS_LOGON_FAILURE;
+               nt_status = NT_STATUS_LOGON_FAILURE;
+               goto fail;
        }
 
        if (auth_context->challenge_set_by)
@@ -202,12 +207,13 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 #endif
 
        /* This needs to be sorted:  If it doesn't match, what should we do? */
-       if (!check_domain_match(user_info->client.account_name, 
user_info->mapped.domain_name))
-               return NT_STATUS_LOGON_FAILURE;
+       if (!check_domain_match(user_info->client.account_name,
+                               user_info->mapped.domain_name)) {
+               nt_status = NT_STATUS_LOGON_FAILURE;
+               goto fail;
+       }
 
        for (auth_method = auth_context->auth_method_list;auth_method; 
auth_method = auth_method->next) {
-               struct auth_serversupplied_info *server_info;
-               TALLOC_CTX *tmp_ctx;
                NTSTATUS result;
 
                if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY
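Review bot: With the declaration removed from the loop body here, `server_info` becomes one function-scope pointer that is never initialised or reset between modules, yet the success path in a later hunk dereferences it (`unix_username = server_info->unix_name;`). That is safe only if every module producing NT_STATUS_OK also writes `*server_info`. A module that succeeds without setting it would leave either an indeterminate pointer or, after an earlier module failed, that module's still-live allocation on the stackframe to be treated as the authenticated identity. I would declare it as `struct auth_serversupplied_info *server_info = NULL;`, assign `server_info = NULL;` at the top of each iteration, and add `if (server_info == NULL) { nt_status = NT_STATUS_INTERNAL_ERROR; goto fail; }` before the dereference, so a module bug becomes a clean logon failure. The loop body continues outside this hunk, so how `result` feeds `nt_status` is not visible here.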
@@ -215,23 +221,15 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
                        continue;
                }
 
-               tmp_ctx = talloc_named(mem_ctx,
-                                      0,
-                                      "%s authentication for user %s\\%s",
-                                      auth_method->name,
-                                      user_info->mapped.domain_name,
-                                      user_info->client.account_name);
-
                result = auth_method->auth(auth_context,
                                           auth_method->private_data,
-                                          tmp_ctx,
+                                          talloc_tos(),
                                           user_info,
                                           &server_info);
 
                /* check if the module did anything */
                if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
                        DEBUG(10,("check_ntlm_password: %s had nothing to 
say\n", auth_method->name));
-                       TALLOC_FREE(tmp_ctx);
                        if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY) {
                                /* we don't expose the NT_STATUS_NOT_IMPLEMENTED
                                 * internals, except when the caller is only 
probing
@@ -253,61 +251,68 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
                }
 
                if (NT_STATUS_IS_OK(nt_status)) {
-                       *pserver_info = talloc_steal(mem_ctx, server_info);
-                       TALLOC_FREE(tmp_ctx);
                        break;
                }
-
-               TALLOC_FREE(tmp_ctx);
        }
 
        /* successful authentication */
 
-       if (NT_STATUS_IS_OK(nt_status)) {
-               unix_username = (*pserver_info)->unix_name;
-
-               /* We skip doing this step if the caller asked us not to */
-               if (!(user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ)
-                   && !(*pserver_info)->guest) {
-                       const char *rhost;
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               goto fail;
+       }
 
-                       if (tsocket_address_is_inet(user_info->remote_host, 
"ip")) {
-                               rhost = 
tsocket_address_inet_addr_string(user_info->remote_host,
-                                                                        
talloc_tos());
-                               if (rhost == NULL) {
-                                       return NT_STATUS_NO_MEMORY;
-                               }
-                       } else {
-                               rhost = "127.0.0.1";
-                       }
+       unix_username = server_info->unix_name;
 
-                       /* We might not be root if we are an RPC call */
-                       become_root();
-                       nt_status = smb_pam_accountcheck(unix_username,
-                                                        rhost);
-                       unbecome_root();
+       /* We skip doing this step if the caller asked us not to */
+       if (!(user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ)
+           && !(server_info->guest)) {
+               const char *rhost;
 
-                       if (NT_STATUS_IS_OK(nt_status)) {
-                               DEBUG(5, ("check_ntlm_password:  PAM Account 
for user [%s] succeeded\n", 
-                                         unix_username));
-                       } else {
-                               DEBUG(3, ("check_ntlm_password:  PAM Account 
for user [%s] FAILED with error %s\n", 
-                                         unix_username, nt_errstr(nt_status)));
-                       } 
+               if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
+                       rhost = tsocket_address_inet_addr_string(
+                               user_info->remote_host, talloc_tos());
+                       if (rhost == NULL) {
+                               nt_status = NT_STATUS_NO_MEMORY;
+                               goto fail;
+                       }
+               } else {
+                       rhost = "127.0.0.1";
                }
 
+               /* We might not be root if we are an RPC call */
+               become_root();
+               nt_status = smb_pam_accountcheck(unix_username, rhost);
+               unbecome_root();
+
                if (NT_STATUS_IS_OK(nt_status)) {
-                       DEBUG((*pserver_info)->guest ? 5 : 2,
-                             ("check_ntlm_password:  %sauthentication for user 
[%s] -> [%s] -> [%s] succeeded\n",
-                              (*pserver_info)->guest ? "guest " : "",
-                              user_info->client.account_name,
-                              user_info->mapped.account_name,
-                              unix_username));
+                       DEBUG(5, ("check_ntlm_password:  PAM Account for user 
[%s] "
+                                 "succeeded\n", unix_username));
+               } else {
+                       DEBUG(3, ("check_ntlm_password:  PAM Account for user 
[%s] "
+                                 "FAILED with error %s\n",
+                                 unix_username, nt_errstr(nt_status)));
                }
+       }
 
-               return nt_status;
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               goto fail;
        }
 
+       DEBUG(server_info->guest ? 5 : 2,
+             ("check_ntlm_password:  %sauthentication for user "
+              "[%s] -> [%s] -> [%s] succeeded\n",
+              server_info->guest ? "guest " : "",
+              user_info->client.account_name,
+              user_info->mapped.account_name,
+              unix_username));
+
+       *pserver_info = talloc_move(mem_ctx, &server_info);
+
+       TALLOC_FREE(frame);
+       return NT_STATUS_OK;
+
+fail:
+
        /* failed authentication; check for guest lapping */
 
        DEBUG(2, ("check_ntlm_password:  Authentication for user [%s] -> [%s] 
FAILED with error %s\n",
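Review bot: The `talloc_move` just before `TALLOC_FREE(frame)` on the success path is what keeps the result alive, and nothing in the code says that the order matters. Since the modules are now handed `talloc_tos()`, `server_info` presumably hangs off the stackframe, so swapping those two lines would return a dangling pointer to the caller. A comment such as `/* server_info lives on the stackframe: reparent to mem_ctx before the frame is freed */` above the move would protect against that. The `/* successful authentication */` comment now sits directly above `if (!NT_STATUS_IS_OK(nt_status)) { goto fail; }` and would read correctly if moved below that check. The function's `fail:` tail continues into the next hunk.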
@@ -315,6 +320,8 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
                  nt_errstr(nt_status)));
        ZERO_STRUCTP(pserver_info);
 
+       TALLOC_FREE(frame);
+
        return nt_status;
 }
 


-- 
Samba Shared Repository
