Fix force user/group issues with 'allow trusted domains = yes'

resolves: RHEL-2118
2023-12-04 16:09:00 +01:00 · 2023-12-04 16:09:00 +01:00 · 33becdc606
parent b52ed4b3cb
commit 33becdc606
2 changed files with 328 additions and 0 deletions
--- a/samba-4.19-fix-force-user-trusted-domains.patch
+++ b/samba-4.19-fix-force-user-trusted-domains.patch
@ -0,0 +1,325 @@
+From 322597e5e243264d56ede73e579b4bf767bca5be Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 4 Sep 2023 16:29:46 +0200
+Subject: [PATCH 1/3] selftest: Show that 'allow trusted domains = no'
+ firewalls Unix User|Group
+
+UNEXPECTED(failure): samba3.blackbox.smbclient_auth.plain.local_creds.smbclient //LOCALSHARE4/forceuser_unixonly as user(simpleserver)
+REASON: Exception: Exception: tree connect failed: NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit ad0c0dd071401d98f0b7f595efbdf5312a165ab4)
+---
+ selftest/knownfail.d/forceuser_trusteddomains | 2 ++
+ selftest/target/Samba3.pm                     | 1 +
+ 2 files changed, 3 insertions(+)
+ create mode 100644 selftest/knownfail.d/forceuser_trusteddomains
+
+diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
+new file mode 100644
+index 00000000000..b515400cd90
+--- /dev/null
+++ b/selftest/knownfail.d/forceuser_trusteddomains
+@@ -0,0 +1,2 @@
+samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
+samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 39831afc599..85e69e4b72d 100755
+--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
+@@ -1689,6 +1689,7 @@ sub setup_simpleserver
+ 	vfs objects = xattr_tdb streams_depot
+ 	change notify = no
+ 	server smb encrypt = off
+        allow trusted domains = no
+ 
+ [vfs_aio_pthread]
+ 	path = $prefix_abs/share
+-- 
+2.43.0
+
+
+From 13775d470f26b8f85d7c7b539276237dc94d54c9 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 8 Sep 2023 12:50:32 +0200
+Subject: [PATCH 2/3] s3:auth: Remove trailing white spaces from auth_util.c
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 8f496161463f110e494201303b96dd14ab3774cd)
+---
+ source3/auth/auth_util.c | 64 ++++++++++++++++++++--------------------
+ 1 file changed, 32 insertions(+), 32 deletions(-)
+
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index 293523f4272..e5863d2272b 100644
+--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
+@@ -144,14 +144,14 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
+ }
+ 
+ /****************************************************************************
+- Create an auth_usersupplied_data, making the DATA_BLOBs here. 
+ Create an auth_usersupplied_data, making the DATA_BLOBs here.
+  Decrypt and encrypt the passwords.
+ ****************************************************************************/
+ 
+ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
+ 				     struct auth_usersupplied_info **user_info,
+-				     const char *smb_name, 
+-				     const char *client_domain, 
+				     const char *smb_name,
+				     const char *client_domain,
+ 				     const char *workstation_name,
+ 				     const struct tsocket_address *remote_address,
+ 				     const struct tsocket_address *local_address,
+@@ -167,12 +167,12 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
+ 	DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
+ 
+ 	status = make_user_info_map(mem_ctx, user_info,
+-				    smb_name, client_domain, 
+				    smb_name, client_domain,
+ 				    workstation_name,
+ 				    remote_address,
+ 				    local_address,
+ 				    "SamLogon",
+-				    lm_pwd_len ? &lm_blob : NULL, 
+				    lm_pwd_len ? &lm_blob : NULL,
+ 				    nt_pwd_len ? &nt_blob : NULL,
+ 				    NULL, NULL, NULL,
+ 				    AUTH_PASSWORD_RESPONSE);
+@@ -188,20 +188,20 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
+ }
+ 
+ /****************************************************************************
+- Create an auth_usersupplied_data, making the DATA_BLOBs here. 
+ Create an auth_usersupplied_data, making the DATA_BLOBs here.
+  Decrypt and encrypt the passwords.
+ ****************************************************************************/
+ 
+ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
+ 					 struct auth_usersupplied_info **user_info,
+-					 const char *smb_name, 
+-					 const char *client_domain, 
+					 const char *smb_name,
+					 const char *client_domain,
+ 					 const char *workstation_name,
+ 					 const struct tsocket_address *remote_address,
+ 					 const struct tsocket_address *local_address,
+ 					 uint32_t logon_parameters,
+-					 const uchar chal[8], 
+-					 const uchar lm_interactive_pwd[16], 
+					 const uchar chal[8],
+					 const uchar lm_interactive_pwd[16],
+ 					 const uchar nt_interactive_pwd[16])
+ {
+ 	struct samr_Password lm_pwd;
+@@ -250,7 +250,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
+ 
+ 		nt_status = make_user_info_map(
+ 			mem_ctx,
+-			user_info, 
+			user_info,
+ 			smb_name, client_domain, workstation_name,
+ 			remote_address,
+ 			local_address,
+@@ -280,7 +280,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
+ 
+ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
+ 			      struct auth_usersupplied_info **user_info,
+-			      const char *smb_name, 
+			      const char *smb_name,
+ 			      const char *client_domain,
+ 			      const struct tsocket_address *remote_address,
+ 			      const struct tsocket_address *local_address,
+@@ -315,10 +315,10 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
+ 
+ 		/* We can't do an NT hash here, as the password needs to be
+ 		   case insensitive */
+-		local_nt_blob = data_blob_null; 
+		local_nt_blob = data_blob_null;
+ 	} else {
+-		local_lm_blob = data_blob_null; 
+-		local_nt_blob = data_blob_null; 
+		local_lm_blob = data_blob_null;
+		local_nt_blob = data_blob_null;
+ 	}
+ 
+ 	plaintext_password_string = talloc_strndup(talloc_tos(),
+@@ -329,7 +329,7 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
+ 	}
+ 
+ 	ret = make_user_info(mem_ctx,
+-		user_info, smb_name, smb_name, client_domain, client_domain, 
+		user_info, smb_name, smb_name, client_domain, client_domain,
+ 		get_remote_machine_name(),
+ 		remote_address,
+ 		local_address,
+@@ -403,14 +403,14 @@ bool make_user_info_guest(TALLOC_CTX *mem_ctx,
+ 
+ 	nt_status = make_user_info(mem_ctx,
+ 				   user_info,
+-				   "","", 
+-				   "","", 
+-				   "", 
+				   "","",
+				   "","",
+				   "",
+ 				   remote_address,
+ 				   local_address,
+ 				   service_description,
+-				   NULL, NULL, 
+-				   NULL, NULL, 
+				   NULL, NULL,
+				   NULL, NULL,
+ 				   NULL,
+ 				   AUTH_PASSWORD_RESPONSE);
+ 
+@@ -1258,7 +1258,7 @@ done:
+ 	}
+ 
+ 	session_info->unique_session_token = GUID_random();
+-	
+
+ 	*session_info_out = talloc_move(mem_ctx, &session_info);
+ 	TALLOC_FREE(frame);
+ 	return NT_STATUS_OK;
+@@ -1954,9 +1954,9 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
+ 	*pwd = passwd;
+ 
+ 	/* This is pointless -- there is no support for differing
+-	   unix and windows names.  Make sure to always store the 
+	   unix and windows names.  Make sure to always store the
+ 	   one we actually looked up and succeeded. Have I mentioned
+-	   why I hate the 'winbind use default domain' parameter?   
+	   why I hate the 'winbind use default domain' parameter?
+ 	                                 --jerry              */
+ 
+ 	*found_username = talloc_strdup( mem_ctx, real_username );
+@@ -1965,8 +1965,8 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
+ }
+ 
+ /****************************************************************************
+- Wrapper to allow the getpwnam() call to strip the domain name and 
+- try again in case a local UNIX user is already there.  Also run through 
+ Wrapper to allow the getpwnam() call to strip the domain name and
+ try again in case a local UNIX user is already there.  Also run through
+  the username if we fallback to the username only.
+  ****************************************************************************/
+ 
+@@ -1977,11 +1977,11 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
+ 	char *p = NULL;
+ 	const char *username = NULL;
+ 
+-	/* we only save a copy of the username it has been mangled 
+	/* we only save a copy of the username it has been mangled
+ 	   by winbindd use default domain */
+ 	*p_save_username = NULL;
+ 
+-	/* don't call map_username() here since it has to be done higher 
+	/* don't call map_username() here since it has to be done higher
+ 	   up the stack so we don't call it multiple times */
+ 
+ 	username = talloc_strdup(mem_ctx, domuser);
+@@ -2068,10 +2068,10 @@ username_only:
+ }
+ 
+ /***************************************************************************
+- Make a server_info struct from the info3 returned by a domain logon 
+ Make a server_info struct from the info3 returned by a domain logon
+ ***************************************************************************/
+ 
+-NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, 
+NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+ 				const char *sent_nt_username,
+ 				const char *domain,
+ 				struct auth_serversupplied_info **server_info,
+@@ -2089,9 +2089,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+ 	struct dom_sid sid;
+ 	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ 
+-	/* 
+	/*
+ 	   Here is where we should check the list of
+-	   trusted domains, and verify that the SID 
+	   trusted domains, and verify that the SID
+ 	   matches.
+ 	*/
+ 
+-- 
+2.43.0
+
+
+From a83c51913963bbabd5c4fdd00ba2fc69df2b6ca6 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 30 Nov 2023 10:54:07 +0100
+Subject: [PATCH 3/3] s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a
+ local token
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 00034d022896f879bf91bb78eb9e2972162c99ce)
+---
+ selftest/knownfail.d/forceuser_trusteddomains |  2 --
+ source3/auth/auth_util.c                      | 17 ++++++++++++++++-
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+ delete mode 100644 selftest/knownfail.d/forceuser_trusteddomains
+
+diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
+deleted file mode 100644
+index b515400cd90..00000000000
+--- a/selftest/knownfail.d/forceuser_trusteddomains
+++ /dev/null
+@@ -1,2 +0,0 @@
+-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
+-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index e5863d2272b..2a35fea5061 100644
+--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
+@@ -21,6 +21,7 @@
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+ 
+#include "dom_sid.h"
+ #include "includes.h"
+ #include "auth.h"
+ #include "lib/util_unixsids.h"
+@@ -478,6 +479,7 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
+ 	struct dom_sid tmp_sid;
+ 	struct auth_session_info *session_info = NULL;
+ 	struct unixid *ids;
+	bool is_allowed = false;
+ 
+ 	/* Ensure we can't possible take a code path leading to a
+ 	 * null deref. */
+@@ -485,7 +487,20 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
+ 		return NT_STATUS_LOGON_FAILURE;
+ 	}
+ 
+-	if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+	if (is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+		is_allowed = true;
+	}
+
+	/* Check if we have extra info about the user. */
+	if (dom_sid_in_domain(&global_sid_Unix_Users,
+			      &server_info->extra.user_sid) ||
+	    dom_sid_in_domain(&global_sid_Unix_Groups,
+			      &server_info->extra.pgid_sid))
+	{
+		is_allowed = true;
+	}
+
+	if (!is_allowed) {
+ 		DBG_NOTICE("Authentication failed for user [%s] "
+ 			   "from firewalled domain [%s]\n",
+ 			   server_info->info3->base.account_name.string,
+-- 
+2.43.0
+
--- a/samba.spec
+++ b/samba.spec
@ -243,6 +243,8 @@ Source17:       samba-usershares-systemd-sysusers.conf
 Source201:      README.downgrade
 Source202:      samba.abignore

+Patch0:         samba-4.19-fix-force-user-trusted-domains.patch
+
 Requires(pre): /usr/sbin/groupadd

 Requires(pre): %{name}-common = %{samba_depver}
@ -4481,6 +4483,7 @@ fi
  CVE-2023-4091 CVE-2023-42669
 - resolves: RHEL-18030 - Logging Format Enhancement
 - resolves: RHEL-1960 - Fix smbget issues with DFS shares
+- resolves: RHEL-2118 - Fix force user/group issues with 'allow trusted domains = yes'

 * Thu Aug 17 2023 Andreas Schneider <asn@redhat.com> - 4.18.6-100
 - related: rhbz#2190415 - Update to version 4.18.6