The branch, v4-9-test has been updated via 7cd5db7a63d ctdb-tests: Make the debug hung script test cope with unreadable stacks via 041e0945cb5 s3:smb2_sesssetup: check session_info security level before it gets talloc_move'd via 77cf7167374 s4:torture/smb2/session: session reauth response must be signed via f2c456aa1b7 s4:torture/smb2/session: add force_signing to test_session_expire1i via 2b164eca304 s4:torture/smb2/session: require a signed session setup reauth response via ff0db7ec9c2 s4:torture/smb2/session: invalidate credential cache via 6c3577a5885 libcli/smb: use require_signed_response in smb2cli_conn_dispatch_incoming() via 6ca7a8a2ffb libcli/smb: defer singing check a little bit via cd8ea322a32 libcli/smb: maintain require_signed_response in smbXcli_req_state via 4f5af7ba729 libcli/smb: add smb2cli_session_require_signed_response() via 052df0f679d s3:selftest: also run smb2.session torture testsuite against ad_member via e71252ecb2b s3:selftest: split "raw.session" and "smb2.session" from 299e6edd0e6 torture: Fix the 32-bit build
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-test - Log ----------------------------------------------------------------- commit 7cd5db7a63db2746c600e740e33e426a975bd901 Author: Martin Schwenke <mar...@meltin.net> Date: Wed Nov 14 14:09:42 2018 +1100 ctdb-tests: Make the debug hung script test cope with unreadable stacks Ideally this would just involve using "test -r". However, operating system security features may mean that kernel stacks are not readable even though they appear to be. Instead, try reading that stack of a process on the test node. If that succeeds then so should reading the stack of the "stuck" sleep process in the test. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13684 Signed-off-by: Martin Schwenke <mar...@meltin.net> Reviewed-by: Tim Beale <timbe...@catalyst.net.nz> Autobuild-User(master): Tim Beale <timbe...@samba.org> Autobuild-Date(master): Thu Nov 15 08:15:32 CET 2018 on sn-devel-144 (cherry picked from commit c1dd6382e3211792e313f7d559b943f55c9cb0e1) Autobuild-User(v4-9-test): Karolin Seeger <ksee...@samba.org> Autobuild-Date(v4-9-test): Tue Nov 20 15:50:33 CET 2018 on sn-devel-144 commit 041e0945cb559c492a3f741cdaab48c85c0dde04 Author: Ralph Boehme <s...@samba.org> Date: Thu Nov 8 17:31:41 2018 +0100 s3:smb2_sesssetup: check session_info security level before it gets talloc_move'd We talloc_move() session_info to session->global->auth_session_info which sets session_info to NULL. This means security_session_user_level(NULL, NULL) will always return SECURITY_ANONYMOUS so we never sign the session setup response. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Ralph Böhme <s...@samba.org> Autobuild-Date(master): Tue Nov 13 14:22:46 CET 2018 on sn-devel-144 (cherry picked from commit bb93e691ca9b1922bf552363a1e7d70792749d67) commit 77cf7167374b65258ff9da9aaf6118ba0e63f1aa Author: Ralph Boehme <s...@samba.org> Date: Fri Nov 9 12:39:41 2018 +0100 s4:torture/smb2/session: session reauth response must be signed This test checks that a session setup reauth is signed even when neither client nor server require signing. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 181f18c4bf70754a6f3132375d06250baab2871b) commit f2c456aa1b7d0a90d73265085d53275d868b56ac Author: Ralph Boehme <s...@samba.org> Date: Fri Nov 9 12:19:16 2018 +0100 s4:torture/smb2/session: add force_signing to test_session_expire1i Existing callers pass true, so no change in behaviour. The next commit adds an additional test that passes force_signing=false. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 5fdea4095ac82536192c8d91c411b22e2683a5c1) commit 2b164eca30453381d666b9ed190880272ba7a165 Author: Ralph Boehme <s...@samba.org> Date: Fri Nov 9 15:34:24 2018 +0100 s4:torture/smb2/session: require a signed session setup reauth response All existing tests using this function require signing, so currently this passes. A subsequent commit adds a test where neither client nor server require signing and that's where this trap will explode. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit ffc424ee6bedc3c208acb4c0c83da836a12d6123) commit ff0db7ec9c2f7bae0b90b92dabbb611520f8d310 Author: Ralph Boehme <s...@samba.org> Date: Thu Nov 8 15:42:46 2018 +0100 s4:torture/smb2/session: invalidate credential cache Invalidate credential cache before connecting to the server, otherwise we will reuse the credentials from the credential cache populated by the preceeding tests. Also invalidate it at the end, otherwise subsequent tests might run into problems if the credentials expire while authenticating. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 368e1860654e737aa2fa9516cdd3668fa644009a) commit 6c3577a588599f638fdd70ddea28301a6940f220 Author: Ralph Boehme <s...@samba.org> Date: Sat Nov 10 22:00:04 2018 +0100 libcli/smb: use require_signed_response in smb2cli_conn_dispatch_incoming() This can be used by the upper layers to force checking a response is signed. It will be used to implement verification of session setup reauth responses in a torture test. That comes next. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 53fe148476a5566b7a8204d7e44b6e75ce7d45bc) commit 6ca7a8a2ffb1c87f633dc0890b285dab73337bc2 Author: Ralph Boehme <s...@samba.org> Date: Sat Nov 10 21:56:28 2018 +0100 libcli/smb: defer singing check a little bit This allows adding an additional condition to the if check where the condition state may be modified in the "if (opcode == SMB2_OP_SESSSETUP)" case directly above. No change in behaviour. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 7abf3900218e3d27c075b405735b2c38ec0fc4ca) commit cd8ea322a32bf83ef0555815d99ab8c740665540 Author: Ralph Boehme <s...@samba.org> Date: Fri Nov 9 15:26:44 2018 +0100 libcli/smb: maintain require_signed_response in smbXcli_req_state Not used for now, that comes next. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 67cfb01611869b7590ccd836dd13a80e53545714) commit 4f5af7ba7292fea93fb4607b7e6a18c8082247c2 Author: Ralph Boehme <s...@samba.org> Date: Fri Nov 9 15:17:19 2018 +0100 libcli/smb: add smb2cli_session_require_signed_response() Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit d407201d9bd4ee5ae5609dd107e3ab9ee7afbeb0) commit 052df0f679d1135f93fabcdbfdca00ae020ce6c7 Author: Ralph Boehme <s...@samba.org> Date: Fri Nov 9 12:33:29 2018 +0100 s3:selftest: also run smb2.session torture testsuite against ad_member The next commit adds a subtest to the smb2.session testsuite that requires Kerberos (ad_dc would work), but where neither SMB2 server or client must require signing (ad_dc, being an AD DC, requires signing). The ad_member environment supports Kerberos with the SMB2 server not mandating signing, that'll do. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit b86c94f0b929f2d9e521d41396c4e1611f5a4c5b) commit e71252ecb2b755dec4aa0d4d41181120026d9183 Author: Ralph Boehme <s...@samba.org> Date: Thu Nov 8 16:24:45 2018 +0100 s3:selftest: split "raw.session" and "smb2.session" The next commit is going to add a testsuite to "smb2.session". Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit d0a8899ed57c2b368c3870b3899a3422251222aa) ----------------------------------------------------------------------- Summary of changes: ctdb/tests/simple/90_debug_hung_script.sh | 17 +++++++++++--- libcli/smb/smbXcli_base.c | 37 ++++++++++++++++++++++++++----- libcli/smb/smbXcli_base.h | 2 ++ source3/selftest/tests.py | 8 ++++++- source3/smbd/smb2_sesssetup.c | 8 +++---- source4/torture/smb2/session.c | 31 +++++++++++++++++++++++++- 6 files changed, 88 insertions(+), 15 deletions(-) Changeset truncated at 500 lines: diff --git a/ctdb/tests/simple/90_debug_hung_script.sh b/ctdb/tests/simple/90_debug_hung_script.sh index 846188fc716..8b8e22b3239 100755 --- a/ctdb/tests/simple/90_debug_hung_script.sh +++ b/ctdb/tests/simple/90_debug_hung_script.sh @@ -61,9 +61,21 @@ wait_until 60 onnode $test_node test -s "$debug_output" echo "Checking output of hung script debugging..." try_command_on_node -v $test_node cat "$debug_output" +hung_script_output="$out" + +# Can we actually read kernel stacks +if try_command_on_node $test_node "cat /proc/$$/stack >/dev/null 2>&1" ; then + stackpat=' +---- Stack trace of interesting process [0-9]*\\[sleep\\] ---- +[<[0-9a-f]*>] .*sleep+.* +' +else + stackpat='' +fi while IFS="" read pattern ; do - if grep -- "^${pattern}\$" <<<"$out" >/dev/null ; then + [ -n "$pattern" ] || continue + if grep -- "^${pattern}\$" <<<"$hung_script_output" >/dev/null ; then printf 'GOOD: output contains "%s"\n' "$pattern" else printf 'BAD: output does not contain "%s"\n' "$pattern" @@ -75,8 +87,7 @@ done <<EOF pstree -p -a .*: 00\\\\.test\\\\.script,.* *\`-sleep,.* ----- Stack trace of interesting process [0-9]*\\\\[sleep\\\\] ---- -[<[0-9a-f]*>] .*sleep+.* +${stackpat} ---- ctdb scriptstatus monitor: ---- 00\\.test *TIMEDOUT.* *OUTPUT: Sleeping for [0-9]* seconds\\\\.\\\\.\\\\. diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 9edb6292777..d0cc33b8b05 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -161,6 +161,7 @@ struct smb2cli_session { uint64_t nonce_low; uint16_t channel_sequence; bool replay_active; + bool require_signed_response; }; struct smbXcli_session { @@ -289,6 +290,7 @@ struct smbXcli_req_state { uint64_t encryption_session_id; bool signing_skipped; + bool require_signed_response; bool notify_async; bool got_async; uint16_t cancel_flags; @@ -2962,6 +2964,8 @@ struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx, state->smb2.should_sign = session->smb2->should_sign; state->smb2.should_encrypt = session->smb2->should_encrypt; + state->smb2.require_signed_response = + session->smb2->require_signed_response; if (cmd == SMB2_OP_SESSSETUP && session->smb2_channel.signing_key.length == 0 && @@ -3749,12 +3753,6 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn, } last_session = session; - if (state->smb2.should_sign) { - if (!(flags & SMB2_HDR_FLAG_SIGNED)) { - return NT_STATUS_ACCESS_DENIED; - } - } - if (flags & SMB2_HDR_FLAG_SIGNED) { uint64_t uid = BVAL(inhdr, SMB2_HDR_SESSION_ID); @@ -3801,6 +3799,27 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn, */ signing_key = NULL; } + + if (!NT_STATUS_IS_OK(status)) { + /* + * Only check the signature of the last response + * of a successfull session auth. This matches + * Windows behaviour for NTLM auth and reauth. + */ + state->smb2.require_signed_response = false; + } + } + + if (state->smb2.should_sign || + state->smb2.require_signed_response) + { + if (!(flags & SMB2_HDR_FLAG_SIGNED)) { + return NT_STATUS_ACCESS_DENIED; + } + } + + if (signing_key == NULL && state->smb2.require_signed_response) { + signing_key = &session->smb2_channel.signing_key; } if (cur[0].iov_len == SMB2_TF_HDR_SIZE) { @@ -5719,6 +5738,12 @@ void smb2cli_session_stop_replay(struct smbXcli_session *session) session->smb2->replay_active = false; } +void smb2cli_session_require_signed_response(struct smbXcli_session *session, + bool require_signed_response) +{ + session->smb2->require_signed_response = require_signed_response; +} + NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session, const struct iovec *iov) { diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h index 536c7ab60f4..42c2519c7ff 100644 --- a/libcli/smb/smbXcli_base.h +++ b/libcli/smb/smbXcli_base.h @@ -492,6 +492,8 @@ uint16_t smb2cli_session_reset_channel_sequence(struct smbXcli_session *session, uint16_t smb2cli_session_current_channel_sequence(struct smbXcli_session *session); void smb2cli_session_start_replay(struct smbXcli_session *session); void smb2cli_session_stop_replay(struct smbXcli_session *session); +void smb2cli_session_require_signed_response(struct smbXcli_session *session, + bool require_signed_response); NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session, const struct iovec *iov); NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 2763b1bf146..09cd5159a0d 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -458,11 +458,17 @@ for t in tests: plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD') plansmbtorture4testsuite(t, "simpleserver", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD') plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD') - elif t == "raw.session" or t == "smb2.session": + elif t == "raw.session": plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'plain') plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmpenc -U$USERNAME%$PASSWORD', 'enc') plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k no -U$USERNAME%$PASSWORD', 'ntlm') plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k yes -U$USERNAME%$PASSWORD', 'krb5') + elif t == "smb2.session": + plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'plain') + plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmpenc -U$USERNAME%$PASSWORD', 'enc') + plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k no -U$USERNAME%$PASSWORD', 'ntlm') + plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -k yes -U$USERNAME%$PASSWORD', 'krb5') + plansmbtorture4testsuite(t, "ad_member", '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5') elif t == "rpc.lsa": plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ') plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ') diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index fe5835b83f3..5420d4f09bb 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -525,6 +525,10 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session, reload_services(smb2req->sconn, conn_snum_used, true); + if (security_session_user_level(session_info, NULL) >= SECURITY_USER) { + smb2req->do_signing = true; + } + session->status = NT_STATUS_OK; TALLOC_FREE(session->global->auth_session_info); session->global->auth_session_info = talloc_move(session->global, @@ -551,10 +555,6 @@ static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session, conn_clear_vuid_caches(xconn->client->sconn, session->compat->vuid); - if (security_session_user_level(session_info, NULL) >= SECURITY_USER) { - smb2req->do_signing = true; - } - *out_session_id = session->global->session_wire_id; return NT_STATUS_OK; diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c index 7dc9ba19ee6..57a5addcfcc 100644 --- a/source4/torture/smb2/session.c +++ b/source4/torture/smb2/session.c @@ -1047,6 +1047,7 @@ done: static bool test_session_expire1i(struct torture_context *tctx, + bool force_signing, bool force_encryption) { NTSTATUS status; @@ -1073,10 +1074,14 @@ static bool test_session_expire1i(struct torture_context *tctx, torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS, "please use -k yes"); + cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED); + lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4"); lpcfg_smbcli_options(tctx->lp_ctx, &options); - options.signing = SMB_SIGNING_REQUIRED; + if (force_signing) { + options.signing = SMB_SIGNING_REQUIRED; + } status = smb2_connect(tctx, host, @@ -1152,12 +1157,20 @@ static bool test_session_expire1i(struct torture_context *tctx, */ cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED); + if (!force_encryption) { + smb2cli_session_require_signed_response( + tree->session->smbXcli, true); + } + torture_comment(tctx, "reauth => OK\n"); status = smb2_session_setup_spnego(tree->session, credentials, 0 /* previous_session_id */); torture_assert_ntstatus_ok_goto(tctx, status, ret, done, "smb2_session_setup_spnego failed"); + + smb2cli_session_require_signed_response( + tree->session->smbXcli, false); } ZERO_STRUCT(qfinfo.access_information.out); @@ -1167,6 +1180,8 @@ static bool test_session_expire1i(struct torture_context *tctx, ret = true; done: + cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED); + if (h1 != NULL) { smb2_util_close(tree, *h1); } @@ -1176,15 +1191,24 @@ done: return ret; } +static bool test_session_expire1n(struct torture_context *tctx) +{ + return test_session_expire1i(tctx, + false, /* force_signing */ + false); /* force_encryption */ +} + static bool test_session_expire1s(struct torture_context *tctx) { return test_session_expire1i(tctx, + true, /* force_signing */ false); /* force_encryption */ } static bool test_session_expire1e(struct torture_context *tctx) { return test_session_expire1i(tctx, + true, /* force_signing */ true); /* force_encryption */ } @@ -1236,6 +1260,8 @@ static bool test_session_expire2i(struct torture_context *tctx, torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS, "please use -k yes"); + cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED); + lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4"); lpcfg_smbcli_options(tctx->lp_ctx, &options); @@ -1547,6 +1573,8 @@ static bool test_session_expire2i(struct torture_context *tctx, ret = true; done: + cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED); + if (h1 != NULL) { smb2_util_close(tree, *h1); } @@ -1721,6 +1749,7 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx) torture_suite_add_1smb2_test(suite, "reauth4", test_session_reauth4); torture_suite_add_1smb2_test(suite, "reauth5", test_session_reauth5); torture_suite_add_1smb2_test(suite, "reauth6", test_session_reauth6); + torture_suite_add_simple_test(suite, "expire1n", test_session_expire1n); torture_suite_add_simple_test(suite, "expire1s", test_session_expire1s); torture_suite_add_simple_test(suite, "expire1e", test_session_expire1e); torture_suite_add_simple_test(suite, "expire2s", test_session_expire2s); -- Samba Shared Repository