Fix force user/group issues with 'allow trusted domains = yes'
resolves: RHEL-2118
parent
b52ed4b3cb
commit
33becdc606
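--- /dev/null
+++ b/samba-4.19-fix-force-user-trusted-domains.patch
@@ -0,0 +1,325 @@
+From 322597e5e243264d56ede73e579b4bf767bca5be Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 4 Sep 2023 16:29:46 +0200
+Subject: [PATCH 1/3] selftest: Show that 'allow trusted domains = no'
+firewalls Unix User|Group
+
+UNEXPECTED(failure): samba3.blackbox.smbclient_auth.plain.local_creds.smbclient //LOCALSHARE4/forceuser_unixonly as user(simpleserver)
+REASON: Exception: Exception: tree connect failed: NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit ad0c0dd071401d98f0b7f595efbdf5312a165ab4)
+---
+selftest/knownfail.d/forceuser_trusteddomains | 2 ++
+selftest/target/Samba3.pm | 1 +
+2 files changed, 3 insertions(+)
+create mode 100644 selftest/knownfail.d/forceuser_trusteddomains
+
+diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
+new file mode 100644
+index 00000000000..b515400cd90
+--- /dev/null
++++ b/selftest/knownfail.d/forceuser_trusteddomains
+@@ -0,0 +1,2 @@
++samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
++samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 39831afc599..85e69e4b72d 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1689,6 +1689,7 @@ sub setup_simpleserver
+vfs objects = xattr_tdb streams_depot
+change notify = no
+server smb encrypt = off
++ allow trusted domains = no
+
+[vfs_aio_pthread]
+path = $prefix_abs/share
+--
+2.43.0
+
+
+From 13775d470f26b8f85d7c7b539276237dc94d54c9 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 8 Sep 2023 12:50:32 +0200
+Subject: [PATCH 2/3] s3:auth: Remove trailing white spaces from auth_util.c
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 8f496161463f110e494201303b96dd14ab3774cd)
+---
+source3/auth/auth_util.c | 64 ++++++++++++++++++++--------------------
+1 file changed, 32 insertions(+), 32 deletions(-)
+
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index 293523f4272..e5863d2272b 100644
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -144,14 +144,14 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
+}
+
+/****************************************************************************
+- Create an auth_usersupplied_data, making the DATA_BLOBs here.
++ Create an auth_usersupplied_data, making the DATA_BLOBs here.
+Decrypt and encrypt the passwords.
+****************************************************************************/
+
+bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
+struct auth_usersupplied_info **user_info,
+- const char *smb_name,
+- const char *client_domain,
++ const char *smb_name,
++ const char *client_domain,
+const char *workstation_name,
+const struct tsocket_address *remote_address,
+const struct tsocket_address *local_address,
+@@ -167,12 +167,12 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
+DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
+
+status = make_user_info_map(mem_ctx, user_info,
+- smb_name, client_domain,
++ smb_name, client_domain,
+workstation_name,
+remote_address,
+local_address,
+"SamLogon",
+- lm_pwd_len ? &lm_blob : NULL,
++ lm_pwd_len ? &lm_blob : NULL,
+nt_pwd_len ? &nt_blob : NULL,
+NULL, NULL, NULL,
+AUTH_PASSWORD_RESPONSE);
+@@ -188,20 +188,20 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
+}
+
+/****************************************************************************
+- Create an auth_usersupplied_data, making the DATA_BLOBs here.
++ Create an auth_usersupplied_data, making the DATA_BLOBs here.
+Decrypt and encrypt the passwords.
+****************************************************************************/
+
+bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
+struct auth_usersupplied_info **user_info,
+- const char *smb_name,
+- const char *client_domain,
++ const char *smb_name,
++ const char *client_domain,
+const char *workstation_name,
+const struct tsocket_address *remote_address,
+const struct tsocket_address *local_address,
+uint32_t logon_parameters,
+- const uchar chal[8],
+- const uchar lm_interactive_pwd[16],
++ const uchar chal[8],
++ const uchar lm_interactive_pwd[16],
+const uchar nt_interactive_pwd[16])
+{
+struct samr_Password lm_pwd;
+@@ -250,7 +250,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
+
+nt_status = make_user_info_map(
+mem_ctx,
+- user_info,
++ user_info,
+smb_name, client_domain, workstation_name,
+remote_address,
+local_address,
+@@ -280,7 +280,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
+
+bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
+struct auth_usersupplied_info **user_info,
+- const char *smb_name,
++ const char *smb_name,
+const char *client_domain,
+const struct tsocket_address *remote_address,
+const struct tsocket_address *local_address,
+@@ -315,10 +315,10 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
+
+/* We can't do an NT hash here, as the password needs to be
+case insensitive */
+- local_nt_blob = data_blob_null;
++ local_nt_blob = data_blob_null;
+} else {
+- local_lm_blob = data_blob_null;
+- local_nt_blob = data_blob_null;
++ local_lm_blob = data_blob_null;
++ local_nt_blob = data_blob_null;
+}
+
+plaintext_password_string = talloc_strndup(talloc_tos(),
+@@ -329,7 +329,7 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
+}
+
+ret = make_user_info(mem_ctx,
+- user_info, smb_name, smb_name, client_domain, client_domain,
++ user_info, smb_name, smb_name, client_domain, client_domain,
+get_remote_machine_name(),
+remote_address,
+local_address,
+@@ -403,14 +403,14 @@ bool make_user_info_guest(TALLOC_CTX *mem_ctx,
+
+nt_status = make_user_info(mem_ctx,
+user_info,
+- "","",
+- "","",
+- "",
++ "","",
++ "","",
++ "",
+remote_address,
+local_address,
+service_description,
+- NULL, NULL,
+- NULL, NULL,
++ NULL, NULL,
++ NULL, NULL,
+NULL,
+AUTH_PASSWORD_RESPONSE);
+
+@@ -1258,7 +1258,7 @@ done:
+}
+
+session_info->unique_session_token = GUID_random();
+-
++
+*session_info_out = talloc_move(mem_ctx, &session_info);
+TALLOC_FREE(frame);
+return NT_STATUS_OK;
+@@ -1954,9 +1954,9 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
+*pwd = passwd;
+
+/* This is pointless -- there is no support for differing
+- unix and windows names. Make sure to always store the
++ unix and windows names. Make sure to always store the
+one we actually looked up and succeeded. Have I mentioned
+- why I hate the 'winbind use default domain' parameter?
++ why I hate the 'winbind use default domain' parameter?
+--jerry */
+
+*found_username = talloc_strdup( mem_ctx, real_username );
+@@ -1965,8 +1965,8 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
+}
+
+/****************************************************************************
+- Wrapper to allow the getpwnam() call to strip the domain name and
+- try again in case a local UNIX user is already there. Also run through
++ Wrapper to allow the getpwnam() call to strip the domain name and
++ try again in case a local UNIX user is already there. Also run through
+the username if we fallback to the username only.
+****************************************************************************/
+
+@@ -1977,11 +1977,11 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
+char *p = NULL;
+const char *username = NULL;
+
+- /* we only save a copy of the username it has been mangled
++ /* we only save a copy of the username it has been mangled
+by winbindd use default domain */
+*p_save_username = NULL;
+
+- /* don't call map_username() here since it has to be done higher
++ /* don't call map_username() here since it has to be done higher
+up the stack so we don't call it multiple times */
+
+username = talloc_strdup(mem_ctx, domuser);
+@@ -2068,10 +2068,10 @@ username_only:
+}
+
+/***************************************************************************
+- Make a server_info struct from the info3 returned by a domain logon
++ Make a server_info struct from the info3 returned by a domain logon
+***************************************************************************/
+
+-NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
++NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+const char *sent_nt_username,
+const char *domain,
+struct auth_serversupplied_info **server_info,
+@@ -2089,9 +2089,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+struct dom_sid sid;
+TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+- /*
++ /*
+Here is where we should check the list of
+- trusted domains, and verify that the SID
++ trusted domains, and verify that the SID
+matches.
+*/
+
+--
+2.43.0
+
+
+From a83c51913963bbabd5c4fdd00ba2fc69df2b6ca6 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 30 Nov 2023 10:54:07 +0100
+Subject: [PATCH 3/3] s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a
+local token
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 00034d022896f879bf91bb78eb9e2972162c99ce)
+---
+selftest/knownfail.d/forceuser_trusteddomains | 2 --
+source3/auth/auth_util.c | 17 ++++++++++++++++-
+2 files changed, 16 insertions(+), 3 deletions(-)
+delete mode 100644 selftest/knownfail.d/forceuser_trusteddomains
+
+diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
+deleted file mode 100644
+index b515400cd90..00000000000
+--- a/selftest/knownfail.d/forceuser_trusteddomains
++++ /dev/null
+@@ -1,2 +0,0 @@
+-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
+-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index e5863d2272b..2a35fea5061 100644
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -21,6 +21,7 @@
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
++#include "dom_sid.h"
+#include "includes.h"
+#include "auth.h"
+#include "lib/util_unixsids.h"
+@@ -478,6 +479,7 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
+struct dom_sid tmp_sid;
+struct auth_session_info *session_info = NULL;
+struct unixid *ids;
++ bool is_allowed = false;
+
+/* Ensure we can't possible take a code path leading to a
+* null deref. */
+@@ -485,7 +487,20 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
+return NT_STATUS_LOGON_FAILURE;
+}
+
+- if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) {
++ if (is_allowed_domain(server_info->info3->base.logon_domain.string)) {
++ is_allowed = true;
++ }
++
++ /* Check if we have extra info about the user. */
++ if (dom_sid_in_domain(&global_sid_Unix_Users,
++ &server_info->extra.user_sid) ||
++ dom_sid_in_domain(&global_sid_Unix_Groups,
++ &server_info->extra.pgid_sid))
++ {
++ is_allowed = true;
++ }
++
++ if (!is_allowed) {
+DBG_NOTICE("Authentication failed for user [%s] "
+"from firewalled domain [%s]\n",
+server_info->info3->base.account_name.string,
+--
+2.43.0
+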
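Review bot: The new `is_allowed` test in the create_local_token hunk of patch 3/3 exempts a token from the `allow trusted domains` firewall when either `extra.user_sid` lies under Unix Users or `extra.pgid_sid` lies under Unix Groups, so a match on the primary-group SID alone is enough even when the user SID is not a Unix Users SID; unless the forceuser_wkngroup case depends on that group-only path, tightening the second condition to the user-SID check (or requiring both) would keep the exemption as narrow as the subject line describes. Either way the comment `/* Check if we have extra info about the user. */` does not say why these SIDs are safe to admit; something like `/* S-1-22-x Unix Users/Groups SIDs are synthesised locally and never arrive from a trusted domain, so a token built from them is exempt from 'allow trusted domains'. */` would (the "synthesised locally" part is inferred from the util_unixsids.h include and should be confirmed). The DBG_NOTICE that follows only fires on rejection, so a token accepted via the Unix-SID path leaves no trace; a DBG_DEBUG on that branch naming the SID that admitted it would help when auditing firewall bypasses. create_local_token starts and ends outside the hunk, and `#include "dom_sid.h"` is placed ahead of `includes.h`, which source3 files normally include first.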
@ -243,6 +243,8 @@ Source17: samba-usershares-systemd-sysusers.conf
Source201: README.downgrade
Source201: README.downgrade
Source202: samba.abignore
Source202: samba.abignore
Patch0: samba-4.19-fix-force-user-trusted-domains.patch
Requires(pre): /usr/sbin/groupadd
Requires(pre): /usr/sbin/groupadd
Requires(pre): %{name}-common = %{samba_depver}
Requires(pre): %{name}-common = %{samba_depver}
@ -4481,6 +4483,7 @@ fi
CVE-2023-4091 CVE-2023-42669
CVE-2023-4091 CVE-2023-42669
- resolves: RHEL-18030 - Logging Format Enhancement
- resolves: RHEL-18030 - Logging Format Enhancement
- resolves: RHEL-1960 - Fix smbget issues with DFS shares
- resolves: RHEL-1960 - Fix smbget issues with DFS shares
- resolves: RHEL-2118 - Fix force user/group issues with 'allow trusted domains = yes'
* Thu Aug 17 2023 Andreas Schneider <asn@redhat.com> - 4.18.6-100
* Thu Aug 17 2023 Andreas Schneider <asn@redhat.com> - 4.18.6-100
- related: rhbz#2190415 - Update to version 4.18.6
- related: rhbz#2190415 - Update to version 4.18.6