The branch, master has been updated
       via  687139144a2 s3:auth: allow real plaintext authentication
       via  66e9d3fe01f selftest: setup pam_matrix in the simpleserver env
       via  108724ac346 s3:auth: let smb_pam_conv() handle resp=NULL
       via  97f0408f776 third_party/pam_wrapper: add pam_matrix module
       via  9afe7b7a0f2 s3:passdb: don't clear the LM HASH without a password change
       via  8e35933ceb5 s3:selftest: add samba3.blackbox.smb1_lanman_plaintext tests
       via  f7574a59226 selftest:Samba3: allow lanman auth in setup_nt4_member
       via  1e21b99b643 selftest:Samba3: add simpleserver globals before include = global_inject.conf
       via  8937dce1334 libcli/auth: fix debug level 100 valgrind warnings in SMBOWFencrypt_ntv2()
      from  eaed0cd9403 s3:lib: Fix a typo in MACRO

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 687139144a2f6210aae570accedafca9250753e1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jul 12 17:12:46 2024 +0200

    s3:auth: allow real plaintext authentication

    In standalone setups we use the PAM stack to verify the
    plaintext authentication, so we need to pass it down...

    There are still production systems out there
    (legacy audio/video recording systems...) using this.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Wed Jul 17 11:17:54 UTC 2024 on atb-devel-224

commit 66e9d3fe01f80f19264aaf8250d92c82a707162a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jul 12 20:23:52 2024 +0200

    selftest: setup pam_matrix in the simpleserver env

    This allows testing a plaintext password authentication
    on a standalone server using the PAM stack to verify it.

    There are still production systems out in the wild using this...

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 108724ac34663a234ab0a506a1e5d5e0a106af9c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 15 18:47:24 2024 +0200

    s3:auth: let smb_pam_conv() handle resp=NULL

    pam_matrix calls smb_pam_conv() with resp=NULL in some situation,
    we should not segfault...

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 97f0408f776ecbde4bec6d3001d0bdc82f9d86eb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 15 18:43:37 2024 +0200

    third_party/pam_wrapper: add pam_matrix module

    This allows testing pam with simple passwords.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 9afe7b7a0f248d2d31dfc2a13bd61906d113c932
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jul 12 19:38:40 2024 +0200

    s3:passdb: don't clear the LM HASH without a password change

    Updating things like the bad pwd count should not clear
    the stored LM HASH with 'lanman auth = no'.

    This allows testing with 'lanman auth = no' and
    'lanman auth = yes'.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 8e35933ceb5bcede2b45d8223766bd8b2ebd7ef1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 15 18:32:42 2024 +0200

    s3:selftest: add samba3.blackbox.smb1_lanman_plaintext tests

    This demonstrates that we currently have problems with
    plaintext and lanman authentication. In both domain member
    and standalone setups.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit f7574a59226ed65c6048af64507c0be0d044eb8c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jul 15 18:31:18 2024 +0200

    selftest:Samba3: allow lanman auth in setup_nt4_member

    Note that the LM HASH is only generated for passwords
    up to 14 characters...

    We use extra_options_before_inject in order to
    allow overriding any existing parameter.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 1e21b99b643c4d2177c382a296c2edfc2b7e7f91
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jul 12 18:26:07 2024 +0200

    selftest:Samba3: add simpleserver globals before include = global_inject.conf

    This allows overriding any existing parameter.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 8937dce133485ff5e8fd0291f096adbaffba56be Author: Stefan Metzmacher <me...@samba.org> Date: Mon Jun 3 12:56:02 2024 +0200 libcli/auth: fix debug level 100 valgrind warnings in SMBOWFencrypt_ntv2() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> ----------------------------------------------------------------------- Summary of changes: libcli/auth/smbencrypt.c | 11 +- python/samba/tests/s3passdb.py | 2 +- script/autobuild.py | 4 +- script/compare_cc_results.py | 1 + selftest/knownfail | 6 +- selftest/selftest.pl | 13 + selftest/target/Samba.pm | 24 + selftest/target/Samba3.pm | 41 +- selftest/wscript | 2 + source3/auth/auth_ntlmssp.c | 2 +- source3/auth/pampass.c | 13 +- source3/passdb/pdb_get_set.c | 2 +- source3/script/tests/test_smb1_lanman_plaintext.sh | 63 ++ source3/selftest/tests.py | 8 + third_party/pam_wrapper/modules/pam_matrix.c | 842 +++++++++++++++++++++ third_party/pam_wrapper/wscript | 10 + 16 files changed, 1024 insertions(+), 20 deletions(-) create mode 100755 source3/script/tests/test_smb1_lanman_plaintext.sh create mode 100644 third_party/pam_wrapper/modules/pam_matrix.c Changeset truncated at 500 lines: diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c index 725bdcb9f50..bddc843f524 100644 --- a/libcli/auth/smbencrypt.c +++ b/libcli/auth/smbencrypt.c 
@@ -344,16 +344,17 @@ NTSTATUS SMBOWFencrypt_ntv2(const uint8_t kr[16], goto out; } + + status = NT_STATUS_OK; +out: + gnutls_hmac_deinit(hmac_hnd, resp_buf); #ifdef DEBUG_PASSWORD - DEBUG(100, ("SMBOWFencrypt_ntv2: srv_chal, smbcli_chal, resp_buf\n")); + DEBUG(100, ("SMBOWFencrypt_ntv2: srv_chal, smbcli_chal, resp_buf: %s\n", + nt_errstr(status))); dump_data(100, srv_chal->data, srv_chal->length); dump_data(100, smbcli_chal->data, smbcli_chal->length); dump_data(100, resp_buf, 16); #endif - - status = NT_STATUS_OK; -out: - gnutls_hmac_deinit(hmac_hnd, resp_buf); return status; } diff --git a/python/samba/tests/s3passdb.py b/python/samba/tests/s3passdb.py index b584e07fc98..eac3be6163e 100644 --- a/python/samba/tests/s3passdb.py +++ b/python/samba/tests/s3passdb.py @@ -90,7 +90,7 @@ class PassdbTestCase(TestCaseInTempDir): self.assertEqual([-1 for i in range(21)], user.hours) self.assertEqual(21, user.hours_len) self.assertEqual(9223372036854775807, user.kickoff_time) - self.assertEqual(None, user.lanman_passwd) + self.assertEqual(b'U)\x02\x03\x1b\xed\xe9\xef\xaa\xd3\xb45\xb5\x14\x04\xee', user.lanman_passwd) self.assertEqual(9223372036854775807, user.logoff_time) self.assertEqual(0, user.logon_count) self.assertEqual(168, user.logon_divs) diff --git a/script/autobuild.py b/script/autobuild.py index 7d9dc008bcf..5bea99f1fde 100755 --- a/script/autobuild.py +++ b/script/autobuild.py 
@@ -998,7 +998,7 @@ tasks = { ("allprivate-def-configure", "./configure.developer " + samba_configure_params + " --private-libraries=ALL"), ("allprivate-def-make", "make -j"), # note wrapper libraries need to be public - ("allprivate-def-no-public", "ls ./bin/shared | egrep -v '^private$|lib[nprsu][saeoi][smscd].*-wrapper.so$|pam_set_items.so' | wc -l | grep -q '^0'"), + ("allprivate-def-no-public", "ls ./bin/shared | egrep -v '^private$|lib[nprsu][saeoi][smscd].*-wrapper.so$|pam_set_items.so|pam_matrix.so' | wc -l | grep -q '^0'"), ("allprivate-def-only-private-ext", "ls ./bin/shared/private | egrep 'private-samba' | wc -l | grep -q '^0' && exit 1; exit 0"), ("allprivate-def-no-non-private-ext", "ls ./bin/shared/private | egrep -v 'private-samba|^libpypamtest.so$' | wc -l | grep -q '^0'"), ("allprivate-def-test", make_test(TESTS="samba3.smb2.create.*nt4_dc")), @@ -1012,7 +1012,7 @@ tasks = { ("allprivate-ext-configure", "./configure.developer " + samba_configure_params + " --private-libraries=ALL --private-library-extension=private-library --private-extension-exception=pac,ndr"), ("allprivate-ext-make", "make -j"), # note wrapper libraries need to be public - ("allprivate-ext-no-public", "ls ./bin/shared | egrep -v '^private$|lib[nprsu][saeoi][smscd].*-wrapper.so$|pam_set_items.so' | wc -l | grep -q '^0'"), + ("allprivate-ext-no-public", "ls ./bin/shared | egrep -v '^private$|lib[nprsu][saeoi][smscd].*-wrapper.so$|pam_set_items.so|pam_matrix.so' | wc -l | grep -q '^0'"), ("allprivate-ext-no-private-default-ext", "ls ./bin/shared/private | grep 'private-samba' | wc -l | grep -q '^0'"), ("allprivate-ext-has-private-ext", "ls ./bin/shared/private | grep 'private-library' | wc -l | grep -q '^0' && exit 1; exit 0"), ("allprivate-ext-libndr-no-private-ext", "ls ./bin/shared/private | grep -v 'private-library' | grep 'libndr' | wc -l | grep -q '^1'"), diff --git a/script/compare_cc_results.py b/script/compare_cc_results.py index 9bf24adffec..d97050c1870 100755 
--- a/script/compare_cc_results.py +++ b/script/compare_cc_results.py @@ -16,6 +16,7 @@ exceptions = [ 'LIBNSS_WRAPPER_SO_PATH', 'LIBPAM_WRAPPER_SO_PATH', 'PAM_SET_ITEMS_SO_PATH', + 'PAM_MATRIX_SO_PATH', 'LIBUID_WRAPPER_SO_PATH', 'LIBRESOLV_WRAPPER_SO_PATH', ] diff --git a/selftest/knownfail b/selftest/knownfail index e0db191e2f4..9507b142089 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -321,9 +321,9 @@ ^samba4.smb.signing.*disabled.*client-protection=off.*\(ad_dc\) # fl2000dc doesn't support AES ^samba4.krb5.kdc.*as-req-aes.fl2000dc -# nt4_member and ad_member don't support ntlmv1 (not even over SMB1) -^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*_member -^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*_member +# ad_member don't support ntlmv1 (not even over SMB1) +^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*ad_member +^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*ad_member #nt-vfs server blocks read with execute access ^samba4.smb2.read.access #ntvfs server blocks copychunk with execute access on read handle diff --git a/selftest/selftest.pl b/selftest/selftest.pl index 3dbaa4f0c18..26b1663b5b6 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl @@ -62,6 +62,8 @@ my $opt_libnss_wrapper_so_path = ""; my $opt_libresolv_wrapper_so_path = ""; my $opt_libsocket_wrapper_so_path = ""; my $opt_libuid_wrapper_so_path = ""; +my $opt_libpam_wrapper_so_path = ""; +my $opt_libpam_matrix_so_path = ""; my $opt_libasan_so_path = ""; my $opt_libcrypt_so_path = ""; my $opt_use_dns_faking = 0; 
@@ -255,6 +257,8 @@ my $result = GetOptions ( 'resolv_wrapper_so_path=s' => \$opt_libresolv_wrapper_so_path, 'socket_wrapper_so_path=s' => \$opt_libsocket_wrapper_so_path, 'uid_wrapper_so_path=s' => \$opt_libuid_wrapper_so_path, + 'pam_wrapper_so_path=s' => \$opt_libpam_wrapper_so_path, + 'pam_matrix_so_path=s' => \$opt_libpam_matrix_so_path, 'asan_so_path=s' => \$opt_libasan_so_path, 'crypt_so_path=s' => \$opt_libcrypt_so_path, 'use-dns-faking' => \$opt_use_dns_faking @@ -402,6 +406,14 @@ if ($opt_libuid_wrapper_so_path) { } } +if ($opt_libpam_wrapper_so_path) { + if ($ld_preload) { + $ld_preload = "$ld_preload:$opt_libpam_wrapper_so_path"; + } else { + $ld_preload = "$opt_libpam_wrapper_so_path"; + } +} + if (defined($ENV{USE_NAMESPACES})) { print "Using linux containerization for selftest testenv(s)...\n"; @@ -469,6 +481,7 @@ if (defined($ENV{SMBD_MAXTIME}) and $ENV{SMBD_MAXTIME} ne "") { $target = new Samba($bindir, $srcdir, $server_maxtime, $opt_socket_wrapper_pcap, $opt_socket_wrapper_keep_pcap, + $opt_libpam_matrix_so_path, $opt_default_ldb_backend); unless ($opt_list) { if ($opt_target eq "samba") { diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index 516684ee900..15d7692b5d6 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -16,11 +16,13 @@ use IO::Poll qw(POLLIN); sub new($$$$$) { my ($classname, $bindir, $srcdir, $server_maxtime, $opt_socket_wrapper_pcap, $opt_socket_wrapper_keep_pcap, + $opt_libpam_matrix_so_path, $default_ldb_backend) = @_; my $self = { opt_socket_wrapper_pcap => $opt_socket_wrapper_pcap, opt_socket_wrapper_keep_pcap => $opt_socket_wrapper_keep_pcap, + opt_libpam_matrix_so_path => $opt_libpam_matrix_so_path, }; $self->{samba3} = new Samba3($self, $bindir, $srcdir, $server_maxtime); $self->{samba4} = new Samba4($self, $bindir, $srcdir, $server_maxtime, $default_ldb_backend); 
@@ -178,6 +180,14 @@ sub nss_wrapper_winbind_so_path($) { return $ret; } +sub pam_matrix_so_path($) { + my ($self) = @_; + my $SambaCtx = $self; + $SambaCtx = $self->{SambaCtx} if defined($self->{SambaCtx}); + + return $SambaCtx->{opt_libpam_matrix_so_path}; +} + sub copy_file_content($$) { my ($in, $out) = @_; @@ -795,6 +805,20 @@ sub get_env_for_process if (defined($env_vars->{OPENSSL_FORCE_FIPS_MODE})) { $proc_envs->{OPENSSL_FORCE_FIPS_MODE} = $env_vars->{OPENSSL_FORCE_FIPS_MODE}; } + + if (defined($env_vars->{PAM_WRAPPER})) { + $proc_envs->{PAM_WRAPPER} = $env_vars->{PAM_WRAPPER}; + } + if (defined($env_vars->{PAM_WRAPPER_KEEP_DIR})) { + $proc_envs->{PAM_WRAPPER_KEEP_DIR} = $env_vars->{PAM_WRAPPER_KEEP_DIR}; + } + if (defined($env_vars->{PAM_WRAPPER_SERVICE_DIR})) { + $proc_envs->{PAM_WRAPPER_SERVICE_DIR} = $env_vars->{PAM_WRAPPER_SERVICE_DIR}; + } + if (defined($env_vars->{PAM_WRAPPER_DEBUGLEVEL})) { + $proc_envs->{PAM_WRAPPER_DEBUGLEVEL} = $env_vars->{PAM_WRAPPER_DEBUGLEVEL}; + } + return $proc_envs; } diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 291e3888fc6..c7cdbefc72d 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -423,6 +423,8 @@ sub setup_nt4_member my $member_options = " security = domain + lanman auth = yes + ntlm auth = yes dbwrap_tdb_mutexes:* = yes ${require_mutexes} "; @@ -430,8 +432,8 @@ sub setup_nt4_member prefix => $prefix, domain => $nt4_dc_vars->{DOMAIN}, server => "LOCALNT4MEMBER3", - password => "localnt4member3pass", - extra_options => $member_options); + password => "Lnt4member3p14", + extra_options_before_inject => $member_options); $ret or return undef; 
@@ -1716,14 +1718,16 @@ sub setup_simpleserver remove_tree($external_streams_depot); mkdir($external_streams_depot, 0777); - my $simpleserver_options = " + my $simpleserver_options_globals = " lanman auth = yes ntlm auth = yes vfs objects = xattr_tdb streams_depot change notify = no server smb encrypt = off allow trusted domains = no +"; + my $simpleserver_options = " [vfs_aio_pthread] path = $prefix_abs/share read only = no @@ -1781,10 +1785,34 @@ sub setup_simpleserver domain => "WORKGROUP", server => "LOCALSHARE4", password => "local4pass", + extra_options_before_inject => $simpleserver_options_globals, extra_options => $simpleserver_options); $vars or return undef; + my $pam_service_dir = "$prefix_abs/pam_services"; + remove_tree($pam_service_dir); + mkdir($pam_service_dir, 0777); + my $pam_service_file = "$pam_service_dir/samba"; + my $pam_matrix_passdb = "$pam_service_dir/samba_pam_matrix_passdb"; + my $pam_matrix_so_path = Samba::pam_matrix_so_path($self); + + open(FILE, "> $pam_service_file"); + print FILE "auth required ${pam_matrix_so_path} passdb=${pam_matrix_passdb} verbose\n"; + print FILE "account required ${pam_matrix_so_path} passdb=${pam_matrix_passdb} verbose\n"; + close(FILE); + + my $tmpusername = $vars->{USERNAME}; + my $tmppassword = $vars->{PASSWORD}; + open(FILE, "> $pam_matrix_passdb"); + print FILE "$tmpusername:$tmppassword:samba"; + close(FILE); + + $vars->{PAM_WRAPPER} = "1"; + $vars->{PAM_WRAPPER_KEEP_DIR} = "1"; + $vars->{PAM_WRAPPER_SERVICE_DIR} = $pam_service_dir; + $vars->{PAM_WRAPPER_DEBUGLEVEL} = "3"; + if (not $self->check_or_start( env_vars => $vars, nmbd => "yes", 
@@ -2554,7 +2582,8 @@ sub provision($$) my $realm = $args{realm}; my $server = $args{server}; my $password = $args{password}; - my $extra_options = $args{extra_options}; + my $extra_options_before_inject = $args{extra_options_before_inject} // ""; + my $extra_options = $args{extra_options} // ""; my $resolv_conf = $args{resolv_conf}; my $no_delete_prefix= $args{no_delete_prefix}; my $netbios_name = $args{netbios_name} // $server; @@ -3004,6 +3033,10 @@ sub provision($$) #it just means we ALLOW one to be configured. allow insecure wide links = yes + # Begin extra options before global inject + $extra_options_before_inject + # End extra options befoore global inject + include = $globalinjectconf # Begin extra options diff --git a/selftest/wscript b/selftest/wscript index b8faf6dbc84..2d7e192c14f 100644 --- a/selftest/wscript +++ b/selftest/wscript @@ -253,6 +253,8 @@ def cmd_testonly(opt): env.OPTIONS += " --nss_wrapper_so_path=" + CONFIG_GET(opt, 'LIBNSS_WRAPPER_SO_PATH') env.OPTIONS += " --resolv_wrapper_so_path=" + CONFIG_GET(opt, 'LIBRESOLV_WRAPPER_SO_PATH') env.OPTIONS += " --uid_wrapper_so_path=" + CONFIG_GET(opt, 'LIBUID_WRAPPER_SO_PATH') + env.OPTIONS += " --pam_wrapper_so_path=" + CONFIG_GET(opt, 'LIBPAM_WRAPPER_SO_PATH') + env.OPTIONS += " --pam_matrix_so_path=" + CONFIG_GET(opt, 'PAM_MATRIX_SO_PATH') # selftest can optionally use kernel namespaces instead of socket-wrapper if os.environ.get('USE_NAMESPACES') is None: diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 73938dc2b88..9d5d87646c9 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c 
@@ -183,7 +183,7 @@ struct tevent_req *auth3_check_password_send( user_info->service_description, user_info->password.response.lanman.data ? &user_info->password.response.lanman : NULL, user_info->password.response.nt.data ? &user_info->password.response.nt : NULL, - NULL, NULL, NULL, + NULL, NULL, user_info->password.plaintext, AUTH_PASSWORD_RESPONSE); if (tevent_req_nterror(req, nt_status)) { diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 3e764f32f7d..0be7f9f9d1f 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -131,7 +131,9 @@ static int smb_pam_conv(int num_msg, struct pam_response *reply = NULL; struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr; - *resp = NULL; + if (resp != NULL) { + *resp = NULL; + } if (num_msg <= 0) return PAM_CONV_ERR; @@ -183,8 +185,13 @@ static int smb_pam_conv(int num_msg, return PAM_CONV_ERR; } } - if (reply) - *resp = reply; + if (reply != NULL) { + if (resp != NULL) { + *resp = reply; + } else { + SAFE_FREE(reply); + } + } return PAM_SUCCESS; } diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c index 6789cc0824e..a6e45a59b13 100644 --- a/source3/passdb/pdb_get_set.c +++ b/source3/passdb/pdb_get_set.c @@ -857,7 +857,7 @@ bool pdb_set_lanman_passwd(struct samu *sampass, const uint8_t pwd[LM_HASH_LEN], /* on keep the password if we are allowing LANMAN authentication */ - if (pwd && lp_lanman_auth() ) { + if (pwd && (flag != PDB_CHANGED || lp_lanman_auth())) { sampass->lm_pw = data_blob_talloc(sampass, pwd, LM_HASH_LEN); } else { sampass->lm_pw = data_blob_null; diff --git a/source3/script/tests/test_smb1_lanman_plaintext.sh b/source3/script/tests/test_smb1_lanman_plaintext.sh new file mode 100755 index 00000000000..669a22e5f4c --- /dev/null +++ b/source3/script/tests/test_smb1_lanman_plaintext.sh 
@@ -0,0 +1,63 @@ +#!/bin/sh + +if [ $# -lt 3 ]; then + cat <<EOF +Usage: test_smb1_lanman_plaintext.sh SERVER USERNAME PASSWORD +EOF + exit 1 +fi + +# This is used by test_smbclient() +# shellcheck disable=2034 +smbclient=$1 +SERVER=$2 +USERNAME=$3 +PASSWORD=$4 +shift 4 + +incdir=$(dirname $0)/../../../testprogs/blackbox +. $incdir/subunit.sh +. $incdir/common_test_fns.inc + +failed=0 + +opt="-W ${SERVER} -U${USERNAME}%${PASSWORD}" + +# check +test_smbclient "test_default" "ls" "//$SERVER/tmp" $opt || failed=$(expr $failed + 1) + +global_inject_conf=$(dirname $SMB_CONF_PATH)/global_inject.conf +cat > $global_inject_conf << _EOF + server min protocol = LANMAN1 + client min protocol = LANMAN1 + lanman auth = no +_EOF + +opt="--option=clientminprotocol=LANMAN1 -m LANMAN1 -c ls --option=clientNTLMv2auth=no --option=clientlanmanauth=yes -W ${SERVER} -U${USERNAME}%${PASSWORD}" +test_smbclient_expect_failure "test_lm_fail" "ls" "//$SERVER/tmp" $opt || failed=$(expr $failed + 1) + +cat > $global_inject_conf << _EOF + server min protocol = LANMAN1 + client min protocol = LANMAN1 + lanman auth = yes + ntlm auth = yes +_EOF + +test_smbclient "test_lm_ok" "ls" "//$SERVER/tmp" $opt || failed=$(expr $failed + 1) + +cat > $global_inject_conf << _EOF + server min protocol = LANMAN1 + client min protocol = LANMAN1 + lanman auth = yes + ntlm auth = yes + encrypt passwords = no +_EOF + +test_smbclient_expect_failure "test_plaintext_fail_local" "ls" "//$SERVER/tmp" $opt || failed=$(expr $failed + 1) + +opt="--option=clientminprotocol=LANMAN1 -m LANMAN1 -c ls --option=clientNTLMv2auth=no --option=clientlanmanauth=yes --option=clientplaintextauth=yes -W ${SERVER} -U${USERNAME}%${PASSWORD}" +test_smbclient "test_plaintext_ok" "ls" "//$SERVER/tmp" $opt || failed=$(expr $failed + 1) + +echo '' >$global_inject_conf + +testok $0 $failed diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 790551245ac..772dfa8672f 100755 --- a/source3/selftest/tests.py 
+++ b/source3/selftest/tests.py @@ -1615,6 +1615,14 @@ plantestsuite("samba3.blackbox.smbd_no_krb5", "ad_member:local", [os.path.join(samba3srcdir, "script/tests/test_smbd_no_krb5.sh"), smbclient3, '$SERVER', "$DC_USERNAME", "$DC_PASSWORD", "$PREFIX"]) +plantestsuite("samba3.blackbox.smb1_lanman_plaintext", "simpleserver:local", + [os.path.join(samba3srcdir, "script/tests/test_smb1_lanman_plaintext.sh"), + smbclient3, '$SERVER', "$USERNAME", "$PASSWORD"]) + +plantestsuite("samba3.blackbox.smb1_lanman_plaintext", "nt4_member:local", + [os.path.join(samba3srcdir, "script/tests/test_smb1_lanman_plaintext.sh"), + smbclient3, '$SERVER', "$USERNAME", "$PASSWORD"]) + plantestsuite("samba3.blackbox.winbind_ignore_domain", "ad_member_idmap_ad:local", [os.path.join(samba3srcdir, "script/tests/test_winbind_ignore_domains.sh")]) diff --git a/third_party/pam_wrapper/modules/pam_matrix.c b/third_party/pam_wrapper/modules/pam_matrix.c new file mode 100644 index 00000000000..cc6fbf37e82 --- /dev/null +++ b/third_party/pam_wrapper/modules/pam_matrix.c 
@@ -0,0 +1,842 @@ +/* + * Copyright (c) 2015 Andreas Schneider <a...@samba.org> + * Copyright (c) 2015 Jakub Hrozek <jakub.hro...@posteo.se> + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include "config.h" + +#include <sys/param.h> +#include <sys/types.h> +#include <sys/stat.h> + +#include <pwd.h> +#include <stdlib.h> +#include <stdio.h> +#include <stdint.h> +#include <string.h> +#include <unistd.h> +#include <ctype.h> +#include <errno.h> +#include <time.h> +#include <stdint.h> + +#ifndef PATH_MAX +#define PATH_MAX 4096 +#endif + +#ifndef discard_const +#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) +#endif + +#ifndef discard_const_p +#define discard_const_p(type, ptr) ((type *)discard_const(ptr)) +#endif + +#ifdef HAVE_SECURITY_PAM_APPL_H -- Samba Shared Repository
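
Review bot: in libcli/auth/smbencrypt.c, SMBOWFencrypt_ntv2(), the DEBUG_PASSWORD block now sits after the out: label, so every earlier goto out also reaches dump_data(100, resp_buf, 16). On the success path the move is right, since resp_buf is only filled by gnutls_hmac_deinit(hmac_hnd, resp_buf), but on a failure path the buffer is printed whatever state the HMAC was left in. Consider wrapping the three dump_data() calls in NT_STATUS_IS_OK(status) and keeping only the new nt_errstr(status) line unconditional, so the debug level 100 output cannot show a partial or meaningless response.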
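
Review bot: in selftest/target/Samba3.pm, setup_nt4_member hunk, the new password "Lnt4member3p14" is exactly 14 characters, but nothing in the code says why. The commit message explains that the LM HASH is only generated for passwords up to 14 characters; a one-line comment next to password => would stop someone from lengthening it later and silently breaking the lanman tests.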
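
Review bot: in selftest/target/Samba3.pm, setup_simpleserver hunk, both open(FILE, "> $pam_service_file") and open(FILE, "> $pam_matrix_passdb") ignore the return value, and mkdir($pam_service_dir, 0777) is unchecked as well. If any of them fails, the environment still starts and the plaintext tests fail later with an authentication error that does not point at the missing PAM service file. Suggest the three-argument form with a lexical handle and an explicit failure, for example open(my $fh, '>', $pam_service_file) or die(...). Since the passdb file holds the test user's cleartext password, a tighter mode than 0777 on the directory would also be cheap to add.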
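
Review bot: in selftest/target/Samba3.pm, provision() smb.conf template hunk, the closing marker comment reads "# End extra options befoore global inject"; "befoore" should be "before" so that it matches the "# Begin extra options before global inject" line two lines above and is found by a grep for either marker.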
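
Review bot: in source3/auth/pampass.c, smb_pam_conv(), when resp is NULL the function still walks the messages, builds reply, then drops it with SAFE_FREE(reply) and returns PAM_SUCCESS. Two things to check: whether the entries of reply own heap strings at that point, in which case freeing only the array leaks them (and leaves copies of the password unreleased), and whether reporting success to a caller that cannot receive any response is really intended. If it is only there to keep pam_matrix from crashing, a short comment saying so, or an early return when resp == NULL, would make the contract explicit.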
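
Review bot: in source3/passdb/pdb_get_set.c, pdb_set_lanman_passwd(), the comment directly above the changed condition still says "on keep the password if we are allowing LANMAN authentication", which no longer describes if (pwd && (flag != PDB_CHANGED || lp_lanman_auth())). Please update it to say that the hash is kept whenever the call is not a password change, and that lp_lanman_auth() only gates the PDB_CHANGED case, since this is the rule that decides whether an LM hash stays in the passdb with 'lanman auth = no'.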
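
Review bot: in source3/script/tests/test_smb1_lanman_plaintext.sh, the argument check is [ $# -lt 3 ] and the usage text lists SERVER USERNAME PASSWORD, but the script reads four positional parameters (smbclient=$1 through PASSWORD=$4) and then runs shift 4. With exactly three arguments the check passes, PASSWORD is empty and shift 4 fails. Suggest testing for -lt 4 and adding SMBCLIENT to the usage line. The script also rewrites global_inject.conf several times and only resets it with echo '' at the very end, so an early abort leaves 'encrypt passwords = no' or the LANMAN1 settings in place for later tests in the same environment; a trap that empties the file on exit would cover that.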