The branch, master has been updated via f231a072d5c s4-auth: Allow simple bind login of a user with an @ in the samAccountName via 8fbdff5c3d7 auth/credentials: Test connecting to LDAP with a "virtual user" style account from 7e78d275424 gensec: Fix CID 1458419 Control flow issues (NO_EFFECT)
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit f231a072d5c09a61e75091c294f722622dcd45da Author: Andrew Bartlett <abart...@samba.org> Date: Mon Feb 10 11:52:33 2020 +1300 s4-auth: Allow simple bind login of a user with an @ in the samAccountName LDAP Simple BIND authentications have already been mapped to a DOMAIN\username pair and should not be mapped twice. This appears to be a regression in 09e24ce40f89ac2f03d0c5fefa8b59f0d113fa6b included in Samba 4.7. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13598 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Isaac Boukris <ibouk...@samba.org> Autobuild-User(master): Isaac Boukris <ibouk...@samba.org> Autobuild-Date(master): Fri Feb 14 17:13:33 UTC 2020 on sn-devel-184 commit 8fbdff5c3d7bc68b4c89ac460914a5d18775244e Author: Andrew Bartlett <abart...@samba.org> Date: Mon Feb 10 11:07:27 2020 +1300 auth/credentials: Test connecting to LDAP with a "virtual user" style account This type of account is often used by e-mail hosting platforms that do not wish to create an AD domain for each DNS domain that they host mail for. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13598 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Isaac Boukris <ibouk...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/credentials/tests/bind.py | 52 +++++++++++++++++++++++++++++++++++++++++- source4/auth/ntlm/auth_sam.c | 22 +++++++++++++++++- 2 files changed, 72 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py index 79bf93355b1..8bee6f96c62 100755 --- a/auth/credentials/tests/bind.py +++ b/auth/credentials/tests/bind.py @@ -14,7 +14,7 @@ from samba.tests.subunitrun import SubunitOptions, TestProgram import samba.getopt as options -from ldb import SCOPE_BASE, SCOPE_SUBTREE +from ldb import SCOPE_BASE, SCOPE_SUBTREE, LdbError, ERR_INVALID_CREDENTIALS from samba import gensec import samba.tests @@ -48,6 +48,7 @@ creds = credopts.get_credentials(lp) creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL) creds_machine = create_credential(lp, creds) +creds_virtual = create_credential(lp, creds) creds_user1 = create_credential(lp, creds) creds_user2 = create_credential(lp, creds) creds_user3 = create_credential(lp, creds) @@ -71,13 +72,62 @@ class BindTests(samba.tests.TestCase): self.schema_dn = self.info_dc["schemaNamingContext"][0] self.domain_dn = self.info_dc["defaultNamingContext"][0] self.config_dn = self.info_dc["configurationNamingContext"][0] + self.realm = self.info_dc["ldapServiceName"][0].split(b'@')[1].decode('utf-8') self.computer_dn = "CN=centos53,CN=Computers,%s" % self.domain_dn + self.virtual_user_dn = "CN=frednurk@%s,CN=Computers,%s" % (self.realm, self.domain_dn) self.password = "P@ssw0rd" self.username = "BindTestUser" def tearDown(self): + delete_force(self.ldb, self.virtual_user_dn) super(BindTests, self).tearDown() + def test_virtual_email_account_style_bind(self): + # create a user in the style often deployed for authentication + # of virtual email account at a hosting provider + # + # The userPrincipalName must not match the samAccountName for + # this test to detect when the LDAP DN is being double-parsed + # but must be in the user@realm style to allow the account to + # be created + self.ldb.add_ldif(""" +dn: """ + self.virtual_user_dn + """ +cn: frednurk@""" + self.realm + """ +displayName: Fred Nurk +sAMAccountName: frednurk@""" + self.realm + """ +userPrincipalName: frednurk@NOT.""" + self.realm + """ +countryCode: 0 +objectClass: computer +objectClass: organizationalPerson +objectClass: person +objectClass: top +objectClass: user +""") + self.addCleanup(delete_force, self.ldb, self.virtual_user_dn) + self.ldb.modify_ldif(""" +dn: """ + self.virtual_user_dn + """ +changetype: modify +replace: unicodePwd +unicodePwd:: """ + base64.b64encode(u"\"P@ssw0rd\"".encode('utf-16-le')).decode('utf8') + """ +""") + + self.ldb.enable_account('distinguishedName=%s' % self.virtual_user_dn) + + # do a simple bind and search with the machine account + creds_virtual.set_bind_dn(self.virtual_user_dn) + creds_virtual.set_password(self.password) + print("BindTest with: " + creds_virtual.get_bind_dn()) + try: + ldb_virtual = samba.tests.connect_samdb(host, credentials=creds_virtual, + lp=lp, ldap_only=True) + except LdbError as e: + (num, msg) = e.args + if num != ERR_INVALID_CREDENTIALS: + raise + self.fail(msg) + + res = ldb_virtual.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"]) + def test_computer_account_bind(self): # create a computer acocount for the test delete_force(self.ldb, self.computer_dn) diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index fb88cb87f66..70eddc12c53 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -644,7 +644,27 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx return NT_STATUS_NO_SUCH_DOMAIN; } - p = strchr_m(account_name, '@'); + /* + * If we have not already mapped this user, then now is a good + * time to do so, before we look it up. We used to do this + * earlier, but in a multi-forest environment we want to do + * this mapping at the final domain. + * + * However, on the flip side we may have already mapped the + * user if this was an LDAP simple bind, in which case we + * really, really want to get back to exactly the same account + * we got the DN for. + */ + if (user_info->mapped_state == false) { + p = strchr_m(account_name, '@'); + } else { + /* + * This is slightly nicer than double-indenting the + * block below + */ + p = NULL; + } + if (p != NULL) { const char *nt4_domain = NULL; const char *nt4_account = NULL; -- Samba Shared Repository