The branch, v4-12-test has been updated
       via  8c846741a45 s3/auth: implement "winbind:ignore domains"
       via  7362b5b31cd winbind: check for allowed domains in winbindd_pam_auth_pac_verify()
       via  3505998d0a7 winbind: check for allowed domains in winbindd_dual_pam_chauthtok()
       via  cf410814e25 winbind: check for allowed domains in winbindd_dual_pam_chng_pswd_auth_crap()
       via  2a73dfcf27a winbind: check for allowed domains in winbindd_dual_pam_auth_crap()
       via  56d9705ca76 winbind: check for allowed domains in winbindd_dual_pam_auth()
       via  f3c47cdc1d3 winbind: move "winbind:ignore domain" logic to a separate function
       via  6b9669863b8 winbind: handle MSG_SMB_CONF_UPDATED in winbind's children
       via  32c2b3cf610 winbind: set logfile after reloading config
       via  aaa8dac1550 winbind: move config-reloading code to winbindd_dual.c
      from  e9700e67719 script/release.sh: always select the GPG key by its ID
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-12-test

- Log -----------------------------------------------------------------
commit 8c846741a4514fc01513ddd3f83afc61f186806a
Author: Ralph Boehme <s...@samba.org>
Date:   Fri Jan 15 12:56:25 2021 +0100

    s3/auth: implement "winbind:ignore domains"

    Under the following conditions a user from an ignored domain might be
    able to authenticate:

    - using Kerberos
    - successful previous authentication so the idmap and name caches are
      filled
    - winbind not running (fwiw, winbindd is mandatory on a domain member)
    - nscd running with a cached getpwnam for the ignored user (otherwise
      auth fails because getpwnam fails)
    - lookup_name() function being modified to look into the name cache
      before contacting winbindd. Currently it talks directly to winbindd
      and that will check the cache.

    Currently, authentication will only fail because creating the local
    token for the user fails because an LSA lookupname RPC call fails
    (because winbindd is not running).

    All of this makes a successful authentication unlikely, but that is
    more by accident than by design.

    To ensure that if winbindd is not running and as such winbindd itself
    can not enforce the restriction, also implement the ignored domains
    check in the auth system as a last line of defense.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
    RN: "winbind:ignore domains" doesn't prevent user login from trusted domain

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit df5fe2d835169161d3930acf1e9c750dd2bc64b6)

    Autobuild-User(v4-12-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-12-test): Thu Jan 28 10:14:02 UTC 2021 on sn-devel-184

commit 7362b5b31cd75ab1f8cdd84fb0a800376d097e2c
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 14 10:42:53 2021 +0100

    winbind: check for allowed domains in winbindd_pam_auth_pac_verify()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit da474ddd13d84f07f5da81c843e651844f33a003)

commit 3505998d0a76011f21b8238e1beb9369f709c11d
Author: Ralph Boehme <s...@samba.org>
Date:   Mon Jan 11 17:59:48 2021 +0100

    winbind: check for allowed domains in winbindd_dual_pam_chauthtok()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 88e92faace7ec17810903166fa3433aa4842a4e3)

commit cf410814e252886b8bce28289654a237616d8a52
Author: Ralph Boehme <s...@samba.org>
Date:   Mon Jan 11 17:19:05 2021 +0100

    winbind: check for allowed domains in winbindd_dual_pam_chng_pswd_auth_crap()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 4bc17600bc50fbc0e54d9d019d8db67001fc3eef)

commit 2a73dfcf27a7407f932112fd978fc84d47d29682
Author: Ralph Boehme <s...@samba.org>
Date:   Mon Jan 11 17:10:19 2021 +0100

    winbind: check for allowed domains in winbindd_dual_pam_auth_crap()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (backported from commit c17bc9c6115e4e92132f3cb912547eac78227938)
    [s...@samba.org: removed knownfail entry]

commit 56d9705ca7618856e735447c4a54b256fdbbf5b5
Author: Ralph Boehme <s...@samba.org>
Date:   Mon Jan 11 16:50:31 2021 +0100

    winbind: check for allowed domains in winbindd_dual_pam_auth()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 4cefdf03fec91cdcf700922b1a5ceca02407e259)

commit f3c47cdc1d3fe5a03879bec7f2892a393e3b0211
Author: Ralph Boehme <s...@samba.org>
Date:   Mon Jan 11 16:15:15 2021 +0100

    winbind: move "winbind:ignore domain" logic to a separate function

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 894caca79476d25a0268d89b2ad8a5758b7e31f3)

commit 6b9669863b81075b494f03bb146b7fea3df4e7de
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Jan 20 12:00:16 2021 +0100

    winbind: handle MSG_SMB_CONF_UPDATED in winbind's children

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 072ef48001710ed8326c83295f2d3cc301d27cfe)

commit 32c2b3cf6106755099b9cec3eecc611a8bf8214e
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Jan 20 12:27:23 2021 +0100

    winbind: set logfile after reloading config

    lp_load_global() will overwrite whatever we've set with lp_set_logfile().

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit 0c4497f8c66d0ea7c68d42c19e859932ebc3e2ac)

commit aaa8dac1550519161a5e8a83ef77a185e0487531
Author: Ralph Boehme <s...@samba.org>
Date:   Wed Jan 20 11:17:22 2021 +0100

    winbind: move config-reloading code to winbindd_dual.c

    In preparation for forwarding MSG_SMB_CONF_UPDATED to all children.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
Signed-off-by: Ralph Boehme <s...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 81edc65e79aba121db800ec53aadd766e61a0001) ----------------------------------------------------------------------- Summary of changes: source3/auth/auth_util.c | 8 +++++++ source3/include/proto.h | 1 + source3/lib/util_names.c | 20 ++++++++++++++++++ source3/winbindd/winbindd.c | 29 ++++++++------------------ source3/winbindd/winbindd_dual.c | 37 ++++++++++++++++++++++++++++++++ source3/winbindd/winbindd_pam.c | 44 +++++++++++++++++++++++++++++++++++++++ source3/winbindd/winbindd_proto.h | 7 +++++++ source3/winbindd/winbindd_util.c | 10 ++------- 8 files changed, 128 insertions(+), 28 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3e0fcea2410..39713df539f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -486,6 +486,14 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return NT_STATUS_LOGON_FAILURE; } + if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + server_info->info3->base.account_name.string, + server_info->info3->base.logon_domain.string); + return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + } + if (server_info->cached_session_info != NULL) { session_info = copy_session_info(mem_ctx, server_info->cached_session_info); diff --git a/source3/include/proto.h b/source3/include/proto.h index 5d5da28bbb5..921b92830c2 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -319,6 +319,7 @@ struct passwd *Get_Pwnam_alloc(TALLOC_CTX *mem_ctx, const char *user); /* The following definitions come from lib/util_names.c */ const char *get_global_sam_name(void); const char *my_sam_name(void); +bool is_allowed_domain(const char *domain_name); /* The following definitions come from lib/util.c */ 
diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c index dc5c530346c..efef88f4f7b 100644 --- a/source3/lib/util_names.c +++ b/source3/lib/util_names.c @@ -185,3 +185,23 @@ const char *my_sam_name(void) return lp_workgroup(); } + +bool is_allowed_domain(const char *domain_name) +{ + const char **ignored_domains = NULL; + const char **dom = NULL; + + ignored_domains = lp_parm_string_list(-1, + "winbind", + "ignore domains", + NULL); + + for (dom = ignored_domains; dom != NULL && *dom != NULL; dom++) { + if (gen_fnmatch(*dom, domain_name) == 0) { + DBG_NOTICE("Ignoring domain '%s'\n", domain_name); + return false; + } + } + + return true; +} diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index 57d93f5a769..44790ea3429 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -99,7 +99,7 @@ struct imessaging_context *winbind_imessaging_context(void) /* Reload configuration */ -static bool reload_services_file(const char *lfile) +bool winbindd_reload_services_file(const char *lfile) { const struct loadparm_substitution *lp_sub = loadparm_s3_global_substitution(); @@ -114,15 +114,15 @@ static bool reload_services_file(const char *lfile) TALLOC_FREE(fname); } + reopen_logs(); + ret = lp_load_global(get_dyn_CONFIGFILE()); + /* if this is a child, restore the logfile to the special name - <domain>, idmap, etc. */ if (lfile && *lfile) { lp_set_logfile(lfile); } - reopen_logs(); - ret = lp_load_global(get_dyn_CONFIGFILE()); - reopen_logs(); load_interfaces(); winbindd_setup_max_fds(); @@ -153,7 +153,7 @@ static void winbindd_status(void) /* Flush client cache */ -static void flush_caches(void) +void winbindd_flush_caches(void) { /* We need to invalidate cached user list entries on a SIGHUP otherwise cached access denied errors due to restrict anonymous 
@@ -360,7 +360,7 @@ static void winbindd_sig_hup_handler(struct tevent_context *ev, DEBUG(1,("Reloading services after SIGHUP\n")); flush_caches_noinit(); - reload_services_file(file); + winbindd_reload_services_file(file); } bool winbindd_setup_sig_hup_handler(const char *lfile) @@ -444,18 +444,6 @@ static bool winbindd_setup_sig_usr2_handler(void) return true; } -/* React on 'smbcontrol winbindd reload-config' in the same way as on SIGHUP*/ -static void msg_reload_services(struct messaging_context *msg, - void *private_data, - uint32_t msg_type, - struct server_id server_id, - DATA_BLOB *data) -{ - /* Flush various caches */ - flush_caches(); - reload_services_file((const char *) private_data); -} - /* React on 'smbcontrol winbindd shutdown' in the same way as on SIGTERM*/ static void msg_shutdown(struct messaging_context *msg, void *private_data, @@ -1417,7 +1405,8 @@ static void winbindd_register_handlers(struct messaging_context *msg_ctx, /* React on 'smbcontrol winbindd reload-config' in the same way as to SIGHUP signal */ messaging_register(msg_ctx, NULL, - MSG_SMB_CONF_UPDATED, msg_reload_services); + MSG_SMB_CONF_UPDATED, + winbindd_msg_reload_services_parent); messaging_register(msg_ctx, NULL, MSG_SHUTDOWN, msg_shutdown); @@ -1806,7 +1795,7 @@ int main(int argc, const char **argv) exit(1); } - if (!reload_services_file(NULL)) { + if (!winbindd_reload_services_file(NULL)) { DEBUG(0, ("error opening config file\n")); exit(1); } diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index 73715b4b57d..9f14dfdb4f1 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c 
@@ -927,6 +927,39 @@ void winbind_disconnect_dc_parent(struct messaging_context *msg_ctx, forall_children(winbind_msg_relay_fn, &state); } +static void winbindd_msg_reload_services_child(struct messaging_context *msg, + void *private_data, + uint32_t msg_type, + struct server_id server_id, + DATA_BLOB *data) +{ + DBG_DEBUG("Got reload-config message\n"); + winbindd_reload_services_file((const char *)private_data); +} + +/* React on 'smbcontrol winbindd reload-config' in the same way as on SIGHUP*/ +void winbindd_msg_reload_services_parent(struct messaging_context *msg, + void *private_data, + uint32_t msg_type, + struct server_id server_id, + DATA_BLOB *data) +{ + struct winbind_msg_relay_state state = { + .msg_ctx = msg, + .msg_type = msg_type, + .data = data, + }; + + DBG_DEBUG("Got reload-config message\n"); + + /* Flush various caches */ + winbindd_flush_caches(); + + winbindd_reload_services_file((const char *)private_data); + + forall_children(winbind_msg_relay_fn, &state); +} + /* Set our domains as offline and forward the offline message to our children. */ struct winbind_msg_on_offline_state { @@ -1759,6 +1792,10 @@ static bool fork_domain_child(struct winbindd_child *child) messaging_register(global_messaging_context(), NULL, MSG_WINBIND_DISCONNECT_DC, winbind_msg_disconnect_dc); + messaging_register(global_messaging_context(), + override_logfile ? NULL : child->logfilename, + MSG_SMB_CONF_UPDATED, + winbindd_msg_reload_services_child); primary_domain = find_our_domain(); diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index a3d8716f781..94416498be7 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c 
@@ -2404,6 +2404,15 @@ process_result: goto done; } + if (!is_allowed_domain(info3->base.logon_domain.string)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + info3->base.account_name.string, + info3->base.logon_domain.string); + result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + goto done; + } + result = append_auth_data(state->mem_ctx, state->response, state->request->flags, validation_level, @@ -2757,6 +2766,16 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, goto done; } + if (!is_allowed_domain(info3->base.logon_domain.string)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + info3->base.account_name.string, + info3->base.logon_domain.string); + state->response->data.auth.authoritative = true; + result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + goto done; + } + result = append_auth_data(state->mem_ctx, state->response, state->request->flags, validation_level, @@ -2825,6 +2844,14 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact goto done; } + if (!is_allowed_domain(domain)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + user, domain); + result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + goto done; + } + /* Change password */ oldpass = state->request->data.chauthtok.oldpass; @@ -3086,6 +3113,15 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai fstrcpy(domain,lp_workgroup()); } + if (!is_allowed_domain(domain)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + state->request->data.chng_pswd_auth_crap.user, + domain); + result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + goto done; + } + if(!*user) { fstrcpy(user, state->request->data.chng_pswd_auth_crap.user); } 
@@ -3288,6 +3324,14 @@ NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state, return result; } + if (!is_allowed_domain(info6->base.logon_domain.string)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + info6->base.account_name.string, + info6->base.logon_domain.string); + return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + } + result = map_info6_to_validation(state->mem_ctx, info6, &validation_level, diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 2a829b0171a..6d4ffa726f1 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -31,6 +31,8 @@ bool winbindd_setup_sig_hup_handler(const char *lfile); bool winbindd_use_idmap_cache(void); bool winbindd_use_cache(void); char *get_winbind_priv_pipe_dir(void); +void winbindd_flush_caches(void); +bool winbindd_reload_services_file(const char *lfile); /* The following definitions come from winbindd/winbindd_ads.c */ @@ -341,6 +343,11 @@ void winbind_msg_ip_dropped_parent(struct messaging_context *msg_ctx, uint32_t msg_type, struct server_id server_id, DATA_BLOB *data); +void winbindd_msg_reload_services_parent(struct messaging_context *msg, + void *private_data, + uint32_t msg_type, + struct server_id server_id, + DATA_BLOB *data); NTSTATUS winbindd_reinit_after_fork(const struct winbindd_child *myself, const char *logfilename); struct winbindd_domain *wb_child_domain(void); diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index c2f02b74211..bec706f87de 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -123,8 +123,6 @@ static NTSTATUS add_trusted_domain(const char *domain_name, struct winbindd_domain **_d) { struct winbindd_domain *domain = NULL; - const char **ignored_domains = NULL; - const char **dom = NULL; int role = lp_server_role(); struct dom_sid_buf buf; 
@@ -133,12 +131,8 @@ static NTSTATUS add_trusted_domain(const char *domain_name, return NT_STATUS_INVALID_PARAMETER; } - ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL); - for (dom=ignored_domains; dom && *dom; dom++) { - if (gen_fnmatch(*dom, domain_name) == 0) { - DEBUG(2,("Ignoring domain '%s'\n", domain_name)); - return NT_STATUS_NO_SUCH_DOMAIN; - } + if (!is_allowed_domain(domain_name)) { + return NT_STATUS_NO_SUCH_DOMAIN; } /* -- Samba Shared Repository
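Review bot: is_allowed_domain() in the source3/lib/util_names.c hunk hands domain_name straight to gen_fnmatch() with no NULL check, and the new callers in auth_util.c and winbindd_pam.c pass it info3->base.logon_domain.string (or info6->base.logon_domain.string), a field filled in from the DC's reply rather than from local config. Since this function is now the last line of defense the s3/auth commit message describes, it should fail closed on a missing name: add `if (domain_name == NULL) { return false; }` at the top, or document that every caller guarantees a non-NULL name. The `dom != NULL && *dom != NULL` loop condition already covers lp_parm_string_list() returning NULL when "winbind:ignore domains" is unset, so that side is fine.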
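Review bot: in the winbindd_pam.c hunks, winbindd_dual_pam_auth_crap() sets `state->response->data.auth.authoritative = true;` before returning NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, while the otherwise identical checks added to winbindd_dual_pam_auth() (the @@ -2404 hunk) and winbindd_pam_auth_pac_verify() do not touch the authoritative flag; please confirm the asymmetry is intended and say why in a comment next to one of them. Separately, the DBG_NOTICE text in the winbindd_dual_pam_chauthtok() and winbindd_dual_pam_chng_pswd_auth_crap() hunks reads "Authentication failed for user [%s]" although those paths are password changes; "Password change refused for user [%s] from firewalled domain [%s]" would keep log readers from mistaking them for logon attempts.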
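Review bot: the source3/auth/auth_util.c hunk in create_local_token() repeats the same seven-line block (DBG_NOTICE with "from firewalled domain" plus `return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;`) that the winbindd_pam.c hunks add four more times. A small helper beside is_allowed_domain() that takes the account name and domain, logs at one level with one wording, and returns the NTSTATUS would keep the five copies from drifting apart and make the log line a single, stable detection signature.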
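Review bot: in the source3/winbindd/winbindd.c @@ -114 hunk the comment "if this is a child, restore the logfile to the special name" now sits after `reopen_logs(); ret = lp_load_global(get_dyn_CONFIGFILE());` rather than before them, but nothing in the code says that lp_load_global() is what clobbers the logfile (the reason given only in the commit message for 32c2b3cf610); extending that comment with "lp_load_global() resets the logfile, so this must come after it" would stop a later cleanup from moving lp_set_logfile() back up and silently re-introducing the bug.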
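Review bot: in the source3/winbindd/winbindd_dual.c hunk, winbindd_msg_reload_services_parent() calls winbindd_flush_caches() before relaying the message through forall_children(), whereas winbindd_msg_reload_services_child() only calls winbindd_reload_services_file(); a one-line comment on the child handler stating that the parent has already flushed the caches (or, if a per-child flush is needed, adding it) would keep the asymmetry from being read as an omission. The registration in fork_domain_child() passing `override_logfile ? NULL : child->logfilename` as private_data matches what winbindd_reload_services_file() expects in lfile, so the child-side logfile restore lines up with the winbindd.c change.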