12217d454e
Guenther
12525 lines
438 KiB
Diff
12525 lines
438 KiB
Diff
From 2d3ad48f0c7337cda08a6588b06183120fc0731a Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Mon, 13 Jul 2020 16:15:03 +0200
|
|
Subject: [PATCH 001/104] libcli:smb2: Do not leak ptext on error
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
libcli/smb/smb2_signing.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
|
|
index 230475480c2..cfb3b613f9d 100644
|
|
--- a/libcli/smb/smb2_signing.c
|
|
+++ b/libcli/smb/smb2_signing.c
|
|
@@ -515,6 +515,7 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
|
|
|
|
ctext = talloc_size(talloc_tos(), ctext_size);
|
|
if (ctext == NULL) {
|
|
+ TALLOC_FREE(ptext);
|
|
status = NT_STATUS_NO_MEMORY;
|
|
goto out;
|
|
}
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 630c6314778894a668c20fe2aa7d04627ed517a7 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Mon, 13 Jul 2020 17:23:37 +0200
|
|
Subject: [PATCH 002/104] libcli:smb2: Use talloc NULL context if we don't have
|
|
a stackframe
|
|
|
|
If we execute this code from python we don't have a talloc stackframe
|
|
around and segfault with talloc_tos().
|
|
|
|
To fix the crash we use the NULL context as we take care for freeing the
|
|
memory as soon as possible.
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
libcli/smb/smb2_signing.c | 30 ++++++++++++++++++++++++++----
|
|
1 file changed, 26 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
|
|
index cfb3b613f9d..b1e0253948f 100644
|
|
--- a/libcli/smb/smb2_signing.c
|
|
+++ b/libcli/smb/smb2_signing.c
|
|
@@ -506,14 +506,25 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
|
|
uint8_t *ctext = NULL;
|
|
size_t len = 0;
|
|
int i;
|
|
+ TALLOC_CTX *tmp_ctx = NULL;
|
|
|
|
- ptext = talloc_size(talloc_tos(), ptext_size);
|
|
+ /*
|
|
+ * If we come from python bindings, we don't have a stackframe
|
|
+ * around, so use the NULL context.
|
|
+ *
|
|
+ * This is fine as we make sure we free the memory.
|
|
+ */
|
|
+ if (talloc_stackframe_exists()) {
|
|
+ tmp_ctx = talloc_tos();
|
|
+ }
|
|
+
|
|
+ ptext = talloc_size(tmp_ctx, ptext_size);
|
|
if (ptext == NULL) {
|
|
status = NT_STATUS_NO_MEMORY;
|
|
goto out;
|
|
}
|
|
|
|
- ctext = talloc_size(talloc_tos(), ctext_size);
|
|
+ ctext = talloc_size(tmp_ctx, ctext_size);
|
|
if (ctext == NULL) {
|
|
TALLOC_FREE(ptext);
|
|
status = NT_STATUS_NO_MEMORY;
|
|
@@ -705,16 +716,27 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
|
|
uint8_t *ptext = NULL;
|
|
size_t len = 0;
|
|
int i;
|
|
+ TALLOC_CTX *tmp_ctx = NULL;
|
|
+
|
|
+ /*
|
|
+ * If we come from python bindings, we don't have a stackframe
|
|
+ * around, so use the NULL context.
|
|
+ *
|
|
+ * This is fine as we make sure we free the memory.
|
|
+ */
|
|
+ if (talloc_stackframe_exists()) {
|
|
+ tmp_ctx = talloc_tos();
|
|
+ }
|
|
|
|
/* GnuTLS doesn't have a iovec API for decryption yet */
|
|
|
|
- ptext = talloc_size(talloc_tos(), ptext_size);
|
|
+ ptext = talloc_size(tmp_ctx, ptext_size);
|
|
if (ptext == NULL) {
|
|
status = NT_STATUS_NO_MEMORY;
|
|
goto out;
|
|
}
|
|
|
|
- ctext = talloc_size(talloc_tos(), ctext_size);
|
|
+ ctext = talloc_size(tmp_ctx, ctext_size);
|
|
if (ctext == NULL) {
|
|
TALLOC_FREE(ptext);
|
|
status = NT_STATUS_NO_MEMORY;
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 63cefdebe5c0e435b6174ff6bc72b48d12cec312 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Wed, 6 Nov 2019 17:37:45 +0100
|
|
Subject: [PATCH 003/104] auth:creds: Introduce CRED_SMB_CONF
|
|
|
|
We have several places where we check '> CRED_UNINITIALISED',
|
|
so we better don't use CRED_UNINITIALISED for values from
|
|
our smb.conf.
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
---
|
|
auth/credentials/credentials.c | 6 +++---
|
|
auth/credentials/credentials.h | 1 +
|
|
auth/credentials/pycredentials.c | 1 +
|
|
python/samba/tests/credentials.py | 4 ++--
|
|
4 files changed, 7 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
|
|
index 81f9dbb9eb3..80a31b248ae 100644
|
|
--- a/auth/credentials/credentials.c
|
|
+++ b/auth/credentials/credentials.c
|
|
@@ -902,12 +902,12 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
|
|
if (lpcfg_parm_is_cmdline(lp_ctx, "workgroup")) {
|
|
cli_credentials_set_domain(cred, lpcfg_workgroup(lp_ctx), CRED_SPECIFIED);
|
|
} else {
|
|
- cli_credentials_set_domain(cred, lpcfg_workgroup(lp_ctx), CRED_UNINITIALISED);
|
|
+ cli_credentials_set_domain(cred, lpcfg_workgroup(lp_ctx), CRED_SMB_CONF);
|
|
}
|
|
if (lpcfg_parm_is_cmdline(lp_ctx, "netbios name")) {
|
|
cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_SPECIFIED);
|
|
} else {
|
|
- cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_UNINITIALISED);
|
|
+ cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_SMB_CONF);
|
|
}
|
|
if (realm != NULL && strlen(realm) == 0) {
|
|
realm = NULL;
|
|
@@ -915,7 +915,7 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
|
|
if (lpcfg_parm_is_cmdline(lp_ctx, "realm")) {
|
|
cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
|
|
} else {
|
|
- cli_credentials_set_realm(cred, realm, CRED_UNINITIALISED);
|
|
+ cli_credentials_set_realm(cred, realm, CRED_SMB_CONF);
|
|
}
|
|
|
|
sep = lpcfg_winbind_separator(lp_ctx);
|
|
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
|
|
index 9fe6a82b1ea..7154c2a008c 100644
|
|
--- a/auth/credentials/credentials.h
|
|
+++ b/auth/credentials/credentials.h
|
|
@@ -42,6 +42,7 @@ struct db_context;
|
|
/* In order of priority */
|
|
enum credentials_obtained {
|
|
CRED_UNINITIALISED = 0, /* We don't even have a guess yet */
|
|
+ CRED_SMB_CONF, /* Current value should be used, which comes from smb.conf */
|
|
CRED_CALLBACK, /* Callback should be used to obtain value */
|
|
CRED_GUESS_ENV, /* Current value should be used, which was guessed */
|
|
CRED_GUESS_FILE, /* A guess from a file (or file pointed at in env variable) */
|
|
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
|
|
index a5d0f9e051c..68edc282741 100644
|
|
--- a/auth/credentials/pycredentials.c
|
|
+++ b/auth/credentials/pycredentials.c
|
|
@@ -1275,6 +1275,7 @@ MODULE_INIT_FUNC(credentials)
|
|
return NULL;
|
|
|
|
PyModule_AddObject(m, "UNINITIALISED", PyLong_FromLong(CRED_UNINITIALISED));
|
|
+ PyModule_AddObject(m, "SMB_CONF", PyLong_FromLong(CRED_SMB_CONF));
|
|
PyModule_AddObject(m, "CALLBACK", PyLong_FromLong(CRED_CALLBACK));
|
|
PyModule_AddObject(m, "GUESS_ENV", PyLong_FromLong(CRED_GUESS_ENV));
|
|
PyModule_AddObject(m, "GUESS_FILE", PyLong_FromLong(CRED_GUESS_FILE));
|
|
diff --git a/python/samba/tests/credentials.py b/python/samba/tests/credentials.py
|
|
index d2a81506de3..6454ac9ff7c 100644
|
|
--- a/python/samba/tests/credentials.py
|
|
+++ b/python/samba/tests/credentials.py
|
|
@@ -332,7 +332,7 @@ class CredentialsTests(samba.tests.TestCaseInTempDir):
|
|
os.environ["USER"] = "env_user"
|
|
creds.guess(lp)
|
|
realm = "realm.example.com"
|
|
- creds.set_realm(realm, credentials.UNINITIALISED)
|
|
+ creds.set_realm(realm, credentials.SMB_CONF)
|
|
creds.parse_string("user")
|
|
self.assertEqual(creds.get_username(), "user")
|
|
self.assertEqual(creds.get_domain(), lp.get("workgroup").upper())
|
|
@@ -360,7 +360,7 @@ class CredentialsTests(samba.tests.TestCaseInTempDir):
|
|
os.environ["USER"] = "env_user"
|
|
creds.guess(lp)
|
|
realm = "realm.example.com"
|
|
- creds.set_realm(realm, credentials.UNINITIALISED)
|
|
+ creds.set_realm(realm, credentials.SMB_CONF)
|
|
self.assertEqual(creds.get_username(), "env_user")
|
|
self.assertEqual(creds.get_domain(), lp.get("workgroup").upper())
|
|
self.assertEqual(creds.get_realm(), realm.upper())
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 0120aad504663c5e75054c2e322f1277acae63dd Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 10 Oct 2019 14:18:23 +0200
|
|
Subject: [PATCH 004/104] param: Add 'server smb encrypt' parameter
|
|
|
|
And this also makes 'smb encrypt' a synonym of that.
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
.../smbdotconf/security/serversmbencrypt.xml | 241 ++++++++++++++++++
|
|
docs-xml/smbdotconf/security/smbencrypt.xml | 241 +-----------------
|
|
source3/param/loadparm.c | 2 +-
|
|
source3/smbd/service.c | 4 +-
|
|
source3/smbd/smb2_negprot.c | 2 +-
|
|
source3/smbd/smb2_sesssetup.c | 4 +-
|
|
source3/smbd/smb2_tcon.c | 4 +-
|
|
source3/smbd/trans2.c | 2 +-
|
|
8 files changed, 257 insertions(+), 243 deletions(-)
|
|
create mode 100644 docs-xml/smbdotconf/security/serversmbencrypt.xml
|
|
|
|
diff --git a/docs-xml/smbdotconf/security/serversmbencrypt.xml b/docs-xml/smbdotconf/security/serversmbencrypt.xml
|
|
new file mode 100644
|
|
index 00000000000..714aacbf1ca
|
|
--- /dev/null
|
|
+++ b/docs-xml/smbdotconf/security/serversmbencrypt.xml
|
|
@@ -0,0 +1,241 @@
|
|
+<samba:parameter name="server smb encrypt"
|
|
+ context="S"
|
|
+ type="enum"
|
|
+ enumlist="enum_smb_signing_vals"
|
|
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
+<description>
|
|
+ <para>
|
|
+ This parameter controls whether a remote client is allowed or required
|
|
+ to use SMB encryption. It has different effects depending on whether
|
|
+ the connection uses SMB1 or SMB2 and newer:
|
|
+ </para>
|
|
+
|
|
+ <itemizedlist>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ If the connection uses SMB1, then this option controls the use
|
|
+ of a Samba-specific extension to the SMB protocol introduced in
|
|
+ Samba 3.2 that makes use of the Unix extensions.
|
|
+ </para>
|
|
+ </listitem>
|
|
+
|
|
+ <listitem>
|
|
+ <para>
|
|
+ If the connection uses SMB2 or newer, then this option controls
|
|
+ the use of the SMB-level encryption that is supported in SMB
|
|
+ version 3.0 and above and available in Windows 8 and newer.
|
|
+ </para>
|
|
+ </listitem>
|
|
+ </itemizedlist>
|
|
+
|
|
+ <para>
|
|
+ This parameter can be set globally and on a per-share bases.
|
|
+ Possible values are
|
|
+
|
|
+ <emphasis>off</emphasis>,
|
|
+ <emphasis>if_required</emphasis>,
|
|
+ <emphasis>desired</emphasis>,
|
|
+ and
|
|
+ <emphasis>required</emphasis>.
|
|
+ A special value is <emphasis>default</emphasis> which is
|
|
+ the implicit default setting of <emphasis>if_required</emphasis>.
|
|
+ </para>
|
|
+
|
|
+ <variablelist>
|
|
+ <varlistentry>
|
|
+ <term><emphasis>Effects for SMB1</emphasis></term>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ The Samba-specific encryption of SMB1 connections is an
|
|
+ extension to the SMB protocol negotiated as part of the UNIX
|
|
+ extensions. SMB encryption uses the GSSAPI (SSPI on Windows)
|
|
+ ability to encrypt and sign every request/response in a SMB
|
|
+ protocol stream. When enabled it provides a secure method of
|
|
+ SMB/CIFS communication, similar to an ssh protected session, but
|
|
+ using SMB/CIFS authentication to negotiate encryption and
|
|
+ signing keys. Currently this is only supported smbclient of by
|
|
+ Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X
|
|
+ clients. Windows clients do not support this feature.
|
|
+ </para>
|
|
+
|
|
+ <para>This may be set on a per-share
|
|
+ basis, but clients may chose to encrypt the entire session, not
|
|
+ just traffic to a specific share. If this is set to mandatory
|
|
+ then all traffic to a share <emphasis>must</emphasis>
|
|
+ be encrypted once the connection has been made to the share.
|
|
+ The server would return "access denied" to all non-encrypted
|
|
+ requests on such a share. Selecting encrypted traffic reduces
|
|
+ throughput as smaller packet sizes must be used (no huge UNIX
|
|
+ style read/writes allowed) as well as the overhead of encrypting
|
|
+ and signing all the data.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ If SMB encryption is selected, Windows style SMB signing (see
|
|
+ the <smbconfoption name="server signing"/> option) is no longer
|
|
+ necessary, as the GSSAPI flags use select both signing and
|
|
+ sealing of the data.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ When set to auto or default, SMB encryption is offered, but not
|
|
+ enforced. When set to mandatory, SMB encryption is required and
|
|
+ if set to disabled, SMB encryption can not be negotiated.
|
|
+ </para>
|
|
+ </listitem>
|
|
+ </varlistentry>
|
|
+
|
|
+ <varlistentry>
|
|
+ <term><emphasis>Effects for SMB2 and newer</emphasis></term>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Native SMB transport encryption is available in SMB version 3.0
|
|
+ or newer. It is only offered by Samba if
|
|
+ <emphasis>server max protocol</emphasis> is set to
|
|
+ <emphasis>SMB3</emphasis> or newer.
|
|
+ Clients supporting this type of encryption include
|
|
+ Windows 8 and newer,
|
|
+ Windows server 2012 and newer,
|
|
+ and smbclient of Samba 4.1 and newer.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ The protocol implementation offers various options:
|
|
+ </para>
|
|
+
|
|
+ <itemizedlist>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ The capability to perform SMB encryption can be
|
|
+ negotiated during protocol negotiation.
|
|
+ </para>
|
|
+ </listitem>
|
|
+
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Data encryption can be enabled globally. In that case,
|
|
+ an encryption-capable connection will have all traffic
|
|
+ in all its sessions encrypted. In particular all share
|
|
+ connections will be encrypted.
|
|
+ </para>
|
|
+ </listitem>
|
|
+
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Data encryption can also be enabled per share if not
|
|
+ enabled globally. For an encryption-capable connection,
|
|
+ all connections to an encryption-enabled share will be
|
|
+ encrypted.
|
|
+ </para>
|
|
+ </listitem>
|
|
+
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Encryption can be enforced. This means that session
|
|
+ setups will be denied on non-encryption-capable
|
|
+ connections if data encryption has been enabled
|
|
+ globally. And tree connections will be denied for
|
|
+ non-encryption capable connections to shares with data
|
|
+ encryption enabled.
|
|
+ </para>
|
|
+ </listitem>
|
|
+ </itemizedlist>
|
|
+
|
|
+ <para>
|
|
+ These features can be controlled with settings of
|
|
+ <emphasis>server smb encrypt</emphasis> as follows:
|
|
+ </para>
|
|
+
|
|
+ <itemizedlist>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Leaving it as default, explicitly setting
|
|
+ <emphasis>default</emphasis>, or setting it to
|
|
+ <emphasis>if_required</emphasis> globally will enable
|
|
+ negotiation of encryption but will not turn on
|
|
+ data encryption globally or per share.
|
|
+ </para>
|
|
+ </listitem>
|
|
+
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Setting it to <emphasis>desired</emphasis> globally
|
|
+ will enable negotiation and will turn on data encryption
|
|
+ on sessions and share connections for those clients
|
|
+ that support it.
|
|
+ </para>
|
|
+ </listitem>
|
|
+
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Setting it to <emphasis>required</emphasis> globally
|
|
+ will enable negotiation and turn on data encryption
|
|
+ on sessions and share connections. Clients that do
|
|
+ not support encryption will be denied access to the
|
|
+ server.
|
|
+ </para>
|
|
+ </listitem>
|
|
+
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Setting it to <emphasis>off</emphasis> globally will
|
|
+ completely disable the encryption feature for all
|
|
+ connections. Setting <parameter>server smb encrypt =
|
|
+ required</parameter> for individual shares (while it's
|
|
+ globally off) will deny access to this shares for all
|
|
+ clients.
|
|
+ </para>
|
|
+ </listitem>
|
|
+
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Setting it to <emphasis>desired</emphasis> on a share
|
|
+ will turn on data encryption for this share for clients
|
|
+ that support encryption if negotiation has been
|
|
+ enabled globally.
|
|
+ </para>
|
|
+ </listitem>
|
|
+
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Setting it to <emphasis>required</emphasis> on a share
|
|
+ will enforce data encryption for this share if
|
|
+ negotiation has been enabled globally. I.e. clients that
|
|
+ do not support encryption will be denied access to the
|
|
+ share.
|
|
+ </para>
|
|
+ <para>
|
|
+ Note that this allows per-share enforcing to be
|
|
+ controlled in Samba differently from Windows:
|
|
+ In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
|
|
+ is a global setting, and if it is set, all shares with
|
|
+ data encryption turned on
|
|
+ are automatically enforcing encryption. In order to
|
|
+ achieve the same effect in Samba, one
|
|
+ has to globally set <emphasis>server smb encrypt</emphasis> to
|
|
+ <emphasis>if_required</emphasis>, and then set all shares
|
|
+ that should be encrypted to
|
|
+ <emphasis>required</emphasis>.
|
|
+ Additionally, it is possible in Samba to have some
|
|
+ shares with encryption <emphasis>required</emphasis>
|
|
+ and some other shares with encryption only
|
|
+ <emphasis>desired</emphasis>, which is not possible in
|
|
+ Windows.
|
|
+ </para>
|
|
+ </listitem>
|
|
+
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Setting it to <emphasis>off</emphasis> or
|
|
+ <emphasis>if_required</emphasis> for a share has
|
|
+ no effect.
|
|
+ </para>
|
|
+ </listitem>
|
|
+ </itemizedlist>
|
|
+ </listitem>
|
|
+ </varlistentry>
|
|
+ </variablelist>
|
|
+</description>
|
|
+
|
|
+<value type="default">default</value>
|
|
+</samba:parameter>
|
|
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml
|
|
index 32a22cb58f5..798e616b765 100644
|
|
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
|
|
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
|
|
@@ -1,241 +1,14 @@
|
|
<samba:parameter name="smb encrypt"
|
|
- context="S"
|
|
- type="enum"
|
|
- enumlist="enum_smb_signing_vals"
|
|
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
+ context="S"
|
|
+ type="enum"
|
|
+ enumlist="enum_smb_signing_vals"
|
|
+ function="server_smb_encrypt"
|
|
+ synonym="1"
|
|
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
<para>
|
|
- This parameter controls whether a remote client is allowed or required
|
|
- to use SMB encryption. It has different effects depending on whether
|
|
- the connection uses SMB1 or SMB2 and newer:
|
|
+ This is a synonym for <smbconfoption name="server smb encrypt"/>.
|
|
</para>
|
|
-
|
|
- <itemizedlist>
|
|
- <listitem>
|
|
- <para>
|
|
- If the connection uses SMB1, then this option controls the use
|
|
- of a Samba-specific extension to the SMB protocol introduced in
|
|
- Samba 3.2 that makes use of the Unix extensions.
|
|
- </para>
|
|
- </listitem>
|
|
-
|
|
- <listitem>
|
|
- <para>
|
|
- If the connection uses SMB2 or newer, then this option controls
|
|
- the use of the SMB-level encryption that is supported in SMB
|
|
- version 3.0 and above and available in Windows 8 and newer.
|
|
- </para>
|
|
- </listitem>
|
|
- </itemizedlist>
|
|
-
|
|
- <para>
|
|
- This parameter can be set globally and on a per-share bases.
|
|
- Possible values are
|
|
- <emphasis>off</emphasis> (or <emphasis>disabled</emphasis>),
|
|
- <emphasis>enabled</emphasis> (or <emphasis>auto</emphasis>, or
|
|
- <emphasis>if_required</emphasis>),
|
|
- <emphasis>desired</emphasis>,
|
|
- and
|
|
- <emphasis>required</emphasis>
|
|
- (or <emphasis>mandatory</emphasis>).
|
|
- A special value is <emphasis>default</emphasis> which is
|
|
- the implicit default setting of <emphasis>enabled</emphasis>.
|
|
- </para>
|
|
-
|
|
- <variablelist>
|
|
- <varlistentry>
|
|
- <term><emphasis>Effects for SMB1</emphasis></term>
|
|
- <listitem>
|
|
- <para>
|
|
- The Samba-specific encryption of SMB1 connections is an
|
|
- extension to the SMB protocol negotiated as part of the UNIX
|
|
- extensions. SMB encryption uses the GSSAPI (SSPI on Windows)
|
|
- ability to encrypt and sign every request/response in a SMB
|
|
- protocol stream. When enabled it provides a secure method of
|
|
- SMB/CIFS communication, similar to an ssh protected session, but
|
|
- using SMB/CIFS authentication to negotiate encryption and
|
|
- signing keys. Currently this is only supported smbclient of by
|
|
- Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X
|
|
- clients. Windows clients do not support this feature.
|
|
- </para>
|
|
-
|
|
- <para>This may be set on a per-share
|
|
- basis, but clients may chose to encrypt the entire session, not
|
|
- just traffic to a specific share. If this is set to mandatory
|
|
- then all traffic to a share <emphasis>must</emphasis>
|
|
- be encrypted once the connection has been made to the share.
|
|
- The server would return "access denied" to all non-encrypted
|
|
- requests on such a share. Selecting encrypted traffic reduces
|
|
- throughput as smaller packet sizes must be used (no huge UNIX
|
|
- style read/writes allowed) as well as the overhead of encrypting
|
|
- and signing all the data.
|
|
- </para>
|
|
-
|
|
- <para>
|
|
- If SMB encryption is selected, Windows style SMB signing (see
|
|
- the <smbconfoption name="server signing"/> option) is no longer
|
|
- necessary, as the GSSAPI flags use select both signing and
|
|
- sealing of the data.
|
|
- </para>
|
|
-
|
|
- <para>
|
|
- When set to auto or default, SMB encryption is offered, but not
|
|
- enforced. When set to mandatory, SMB encryption is required and
|
|
- if set to disabled, SMB encryption can not be negotiated.
|
|
- </para>
|
|
- </listitem>
|
|
- </varlistentry>
|
|
-
|
|
- <varlistentry>
|
|
- <term><emphasis>Effects for SMB2</emphasis></term>
|
|
- <listitem>
|
|
- <para>
|
|
- Native SMB transport encryption is available in SMB version 3.0
|
|
- or newer. It is only offered by Samba if
|
|
- <emphasis>server max protocol</emphasis> is set to
|
|
- <emphasis>SMB3</emphasis> or newer.
|
|
- Clients supporting this type of encryption include
|
|
- Windows 8 and newer,
|
|
- Windows server 2012 and newer,
|
|
- and smbclient of Samba 4.1 and newer.
|
|
- </para>
|
|
-
|
|
- <para>
|
|
- The protocol implementation offers various options:
|
|
- </para>
|
|
-
|
|
- <itemizedlist>
|
|
- <listitem>
|
|
- <para>
|
|
- The capability to perform SMB encryption can be
|
|
- negotiated during protocol negotiation.
|
|
- </para>
|
|
- </listitem>
|
|
-
|
|
- <listitem>
|
|
- <para>
|
|
- Data encryption can be enabled globally. In that case,
|
|
- an encryption-capable connection will have all traffic
|
|
- in all its sessions encrypted. In particular all share
|
|
- connections will be encrypted.
|
|
- </para>
|
|
- </listitem>
|
|
-
|
|
- <listitem>
|
|
- <para>
|
|
- Data encryption can also be enabled per share if not
|
|
- enabled globally. For an encryption-capable connection,
|
|
- all connections to an encryption-enabled share will be
|
|
- encrypted.
|
|
- </para>
|
|
- </listitem>
|
|
-
|
|
- <listitem>
|
|
- <para>
|
|
- Encryption can be enforced. This means that session
|
|
- setups will be denied on non-encryption-capable
|
|
- connections if data encryption has been enabled
|
|
- globally. And tree connections will be denied for
|
|
- non-encryption capable connections to shares with data
|
|
- encryption enabled.
|
|
- </para>
|
|
- </listitem>
|
|
- </itemizedlist>
|
|
-
|
|
- <para>
|
|
- These features can be controlled with settings of
|
|
- <emphasis>smb encrypt</emphasis> as follows:
|
|
- </para>
|
|
-
|
|
- <itemizedlist>
|
|
- <listitem>
|
|
- <para>
|
|
- Leaving it as default, explicitly setting
|
|
- <emphasis>default</emphasis>, or setting it to
|
|
- <emphasis>enabled</emphasis> globally will enable
|
|
- negotiation of encryption but will not turn on
|
|
- data encryption globally or per share.
|
|
- </para>
|
|
- </listitem>
|
|
-
|
|
- <listitem>
|
|
- <para>
|
|
- Setting it to <emphasis>desired</emphasis> globally
|
|
- will enable negotiation and will turn on data encryption
|
|
- on sessions and share connections for those clients
|
|
- that support it.
|
|
- </para>
|
|
- </listitem>
|
|
-
|
|
- <listitem>
|
|
- <para>
|
|
- Setting it to <emphasis>required</emphasis> globally
|
|
- will enable negotiation and turn on data encryption
|
|
- on sessions and share connections. Clients that do
|
|
- not support encryption will be denied access to the
|
|
- server.
|
|
- </para>
|
|
- </listitem>
|
|
-
|
|
- <listitem>
|
|
- <para>
|
|
- Setting it to <emphasis>off</emphasis> globally will
|
|
- completely disable the encryption feature for all
|
|
- connections. Setting <parameter>smb encrypt =
|
|
- required</parameter> for individual shares (while it's
|
|
- globally off) will deny access to this shares for all
|
|
- clients.
|
|
- </para>
|
|
- </listitem>
|
|
-
|
|
- <listitem>
|
|
- <para>
|
|
- Setting it to <emphasis>desired</emphasis> on a share
|
|
- will turn on data encryption for this share for clients
|
|
- that support encryption if negotiation has been
|
|
- enabled globally.
|
|
- </para>
|
|
- </listitem>
|
|
-
|
|
- <listitem>
|
|
- <para>
|
|
- Setting it to <emphasis>required</emphasis> on a share
|
|
- will enforce data encryption for this share if
|
|
- negotiation has been enabled globally. I.e. clients that
|
|
- do not support encryption will be denied access to the
|
|
- share.
|
|
- </para>
|
|
- <para>
|
|
- Note that this allows per-share enforcing to be
|
|
- controlled in Samba differently from Windows:
|
|
- In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
|
|
- is a global setting, and if it is set, all shares with
|
|
- data encryption turned on
|
|
- are automatically enforcing encryption. In order to
|
|
- achieve the same effect in Samba, one
|
|
- has to globally set <emphasis>smb encrypt</emphasis> to
|
|
- <emphasis>enabled</emphasis>, and then set all shares
|
|
- that should be encrypted to
|
|
- <emphasis>required</emphasis>.
|
|
- Additionally, it is possible in Samba to have some
|
|
- shares with encryption <emphasis>required</emphasis>
|
|
- and some other shares with encryption only
|
|
- <emphasis>desired</emphasis>, which is not possible in
|
|
- Windows.
|
|
- </para>
|
|
- </listitem>
|
|
-
|
|
- <listitem>
|
|
- <para>
|
|
- Setting it to <emphasis>off</emphasis> or
|
|
- <emphasis>enabled</emphasis> for a share has
|
|
- no effect.
|
|
- </para>
|
|
- </listitem>
|
|
- </itemizedlist>
|
|
- </listitem>
|
|
- </varlistentry>
|
|
- </variablelist>
|
|
</description>
|
|
|
|
<value type="default">default</value>
|
|
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
|
index a3abaa2ec67..c0070b716a5 100644
|
|
--- a/source3/param/loadparm.c
|
|
+++ b/source3/param/loadparm.c
|
|
@@ -241,7 +241,7 @@ static const struct loadparm_service _sDefault =
|
|
.aio_write_size = 1,
|
|
.map_readonly = MAP_READONLY_NO,
|
|
.directory_name_cache_size = 100,
|
|
- .smb_encrypt = SMB_SIGNING_DEFAULT,
|
|
+ .server_smb_encrypt = SMB_SIGNING_DEFAULT,
|
|
.kernel_share_modes = true,
|
|
.durable_handles = true,
|
|
.check_parent_directory_delete_on_close = false,
|
|
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
|
|
index 3802d16179b..9aa89e3eb02 100644
|
|
--- a/source3/smbd/service.c
|
|
+++ b/source3/smbd/service.c
|
|
@@ -558,9 +558,9 @@ static NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn,
|
|
/* Case options for the share. */
|
|
conn_setup_case_options(conn);
|
|
|
|
- conn->encrypt_level = lp_smb_encrypt(snum);
|
|
+ conn->encrypt_level = lp_server_smb_encrypt(snum);
|
|
if (conn->encrypt_level > SMB_SIGNING_OFF) {
|
|
- if (lp_smb_encrypt(-1) == SMB_SIGNING_OFF) {
|
|
+ if (lp_server_smb_encrypt(-1) == SMB_SIGNING_OFF) {
|
|
if (conn->encrypt_level == SMB_SIGNING_REQUIRED) {
|
|
DBG_ERR("Service [%s] requires encryption, but "
|
|
"it is disabled globally!\n",
|
|
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
|
|
index 4071f42b5e0..674942b71de 100644
|
|
--- a/source3/smbd/smb2_negprot.c
|
|
+++ b/source3/smbd/smb2_negprot.c
|
|
@@ -335,7 +335,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
|
|
}
|
|
|
|
if ((protocol >= PROTOCOL_SMB2_24) &&
|
|
- (lp_smb_encrypt(-1) != SMB_SIGNING_OFF) &&
|
|
+ (lp_server_smb_encrypt(-1) != SMB_SIGNING_OFF) &&
|
|
(in_capabilities & SMB2_CAP_ENCRYPTION)) {
|
|
capabilities |= SMB2_CAP_ENCRYPTION;
|
|
}
|
|
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
|
|
index 2b6b3a820d4..8957411e167 100644
|
|
--- a/source3/smbd/smb2_sesssetup.c
|
|
+++ b/source3/smbd/smb2_sesssetup.c
|
|
@@ -292,12 +292,12 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
|
|
x->global->signing_flags = SMBXSRV_SIGNING_REQUIRED;
|
|
}
|
|
|
|
- if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
|
|
+ if ((lp_server_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
|
|
(xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
|
|
x->global->encryption_flags = SMBXSRV_ENCRYPTION_DESIRED;
|
|
}
|
|
|
|
- if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
|
|
+ if (lp_server_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
|
|
x->global->encryption_flags = SMBXSRV_ENCRYPTION_REQUIRED |
|
|
SMBXSRV_ENCRYPTION_DESIRED;
|
|
}
|
|
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
|
|
index 76112d04889..0dd3c653b4b 100644
|
|
--- a/source3/smbd/smb2_tcon.c
|
|
+++ b/source3/smbd/smb2_tcon.c
|
|
@@ -302,13 +302,13 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
|
|
TALLOC_FREE(proxy);
|
|
}
|
|
|
|
- if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
|
|
+ if ((lp_server_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
|
|
(conn->smb2.server.cipher != 0))
|
|
{
|
|
encryption_desired = true;
|
|
}
|
|
|
|
- if (lp_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) {
|
|
+ if (lp_server_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) {
|
|
encryption_desired = true;
|
|
encryption_required = true;
|
|
}
|
|
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
|
|
index 7acde285a90..b745e0906b1 100644
|
|
--- a/source3/smbd/trans2.c
|
|
+++ b/source3/smbd/trans2.c
|
|
@@ -4484,7 +4484,7 @@ static void call_trans2setfsinfo(connection_struct *conn,
|
|
return;
|
|
}
|
|
|
|
- if (lp_smb_encrypt(SNUM(conn)) == SMB_SIGNING_OFF) {
|
|
+ if (lp_server_smb_encrypt(SNUM(conn)) == SMB_SIGNING_OFF) {
|
|
reply_nterror(
|
|
req,
|
|
NT_STATUS_NOT_SUPPORTED);
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From a351d15240e7c8638883155404fe2f3d70029e7e Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 28 May 2020 10:04:19 +0200
|
|
Subject: [PATCH 005/104] param: Create and use enum_smb_encryption_vals
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
.../smbdotconf/security/serversmbencrypt.xml | 2 +-
|
|
docs-xml/smbdotconf/security/smbencrypt.xml | 2 +-
|
|
lib/param/param_table.c | 23 +++++++++++++++++++
|
|
libcli/smb/smb_constants.h | 9 ++++++++
|
|
4 files changed, 34 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/docs-xml/smbdotconf/security/serversmbencrypt.xml b/docs-xml/smbdotconf/security/serversmbencrypt.xml
|
|
index 714aacbf1ca..5f38b46419e 100644
|
|
--- a/docs-xml/smbdotconf/security/serversmbencrypt.xml
|
|
+++ b/docs-xml/smbdotconf/security/serversmbencrypt.xml
|
|
@@ -1,7 +1,7 @@
|
|
<samba:parameter name="server smb encrypt"
|
|
context="S"
|
|
type="enum"
|
|
- enumlist="enum_smb_signing_vals"
|
|
+ enumlist="enum_smb_encryption_vals"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
<para>
|
|
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml
|
|
index 798e616b765..60271200c0a 100644
|
|
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
|
|
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
|
|
@@ -1,7 +1,7 @@
|
|
<samba:parameter name="smb encrypt"
|
|
context="S"
|
|
type="enum"
|
|
- enumlist="enum_smb_signing_vals"
|
|
+ enumlist="enum_smb_encryption_vals"
|
|
function="server_smb_encrypt"
|
|
synonym="1"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
|
|
index 47b85de1f87..e2f737279dc 100644
|
|
--- a/lib/param/param_table.c
|
|
+++ b/lib/param/param_table.c
|
|
@@ -138,6 +138,29 @@ static const struct enum_list enum_smb_signing_vals[] = {
|
|
{-1, NULL}
|
|
};
|
|
|
|
+static const struct enum_list enum_smb_encryption_vals[] = {
|
|
+ {SMB_ENCRYPTION_DEFAULT, "default"},
|
|
+ {SMB_ENCRYPTION_OFF, "No"},
|
|
+ {SMB_ENCRYPTION_OFF, "False"},
|
|
+ {SMB_ENCRYPTION_OFF, "0"},
|
|
+ {SMB_ENCRYPTION_OFF, "Off"},
|
|
+ {SMB_ENCRYPTION_OFF, "disabled"},
|
|
+ {SMB_ENCRYPTION_IF_REQUIRED, "if_required"},
|
|
+ {SMB_ENCRYPTION_IF_REQUIRED, "Yes"},
|
|
+ {SMB_ENCRYPTION_IF_REQUIRED, "True"},
|
|
+ {SMB_ENCRYPTION_IF_REQUIRED, "1"},
|
|
+ {SMB_ENCRYPTION_IF_REQUIRED, "On"},
|
|
+ {SMB_ENCRYPTION_IF_REQUIRED, "enabled"},
|
|
+ {SMB_ENCRYPTION_IF_REQUIRED, "auto"},
|
|
+ {SMB_ENCRYPTION_DESIRED, "desired"},
|
|
+ {SMB_ENCRYPTION_REQUIRED, "required"},
|
|
+ {SMB_ENCRYPTION_REQUIRED, "mandatory"},
|
|
+ {SMB_ENCRYPTION_REQUIRED, "force"},
|
|
+ {SMB_ENCRYPTION_REQUIRED, "forced"},
|
|
+ {SMB_ENCRYPTION_REQUIRED, "enforced"},
|
|
+ {-1, NULL}
|
|
+};
|
|
+
|
|
static const struct enum_list enum_mdns_name_values[] = {
|
|
{MDNS_NAME_NETBIOS, "netbios"},
|
|
{MDNS_NAME_MDNS, "mdns"},
|
|
diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
|
|
index d2345f094e1..8ee99e25566 100644
|
|
--- a/libcli/smb/smb_constants.h
|
|
+++ b/libcli/smb/smb_constants.h
|
|
@@ -106,6 +106,15 @@ enum smb_signing_setting {
|
|
SMB_SIGNING_REQUIRED = 3,
|
|
};
|
|
|
|
+/* This MUST align with 'enum smb_signing_setting' */
|
|
+enum smb_encryption_setting {
|
|
+ SMB_ENCRYPTION_DEFAULT = SMB_SIGNING_DEFAULT,
|
|
+ SMB_ENCRYPTION_OFF = SMB_SIGNING_OFF,
|
|
+ SMB_ENCRYPTION_IF_REQUIRED = SMB_SIGNING_IF_REQUIRED,
|
|
+ SMB_ENCRYPTION_DESIRED = SMB_SIGNING_DESIRED,
|
|
+ SMB_ENCRYPTION_REQUIRED = SMB_SIGNING_REQUIRED,
|
|
+};
|
|
+
|
|
/* types of buffers in core SMB protocol */
|
|
#define SMB_DATA_BLOCK 0x1
|
|
#define SMB_ASCII4 0x4
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 021975ea03413244d02d35940973f67956adec2b Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 26 May 2020 09:34:54 +0200
|
|
Subject: [PATCH 006/104] s3:smbd: Use 'enum smb_encryption_setting' values
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/param/loadparm.c | 2 +-
|
|
source3/smbd/service.c | 8 ++++----
|
|
source3/smbd/smb2_negprot.c | 2 +-
|
|
source3/smbd/smb2_sesssetup.c | 4 ++--
|
|
source3/smbd/smb2_tcon.c | 4 ++--
|
|
source3/smbd/trans2.c | 3 ++-
|
|
6 files changed, 12 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
|
index c0070b716a5..4ad541301b3 100644
|
|
--- a/source3/param/loadparm.c
|
|
+++ b/source3/param/loadparm.c
|
|
@@ -241,7 +241,7 @@ static const struct loadparm_service _sDefault =
|
|
.aio_write_size = 1,
|
|
.map_readonly = MAP_READONLY_NO,
|
|
.directory_name_cache_size = 100,
|
|
- .server_smb_encrypt = SMB_SIGNING_DEFAULT,
|
|
+ .server_smb_encrypt = SMB_ENCRYPTION_DEFAULT,
|
|
.kernel_share_modes = true,
|
|
.durable_handles = true,
|
|
.check_parent_directory_delete_on_close = false,
|
|
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
|
|
index 9aa89e3eb02..d7d17d3dee1 100644
|
|
--- a/source3/smbd/service.c
|
|
+++ b/source3/smbd/service.c
|
|
@@ -559,16 +559,16 @@ static NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn,
|
|
conn_setup_case_options(conn);
|
|
|
|
conn->encrypt_level = lp_server_smb_encrypt(snum);
|
|
- if (conn->encrypt_level > SMB_SIGNING_OFF) {
|
|
- if (lp_server_smb_encrypt(-1) == SMB_SIGNING_OFF) {
|
|
- if (conn->encrypt_level == SMB_SIGNING_REQUIRED) {
|
|
+ if (conn->encrypt_level > SMB_ENCRYPTION_OFF) {
|
|
+ if (lp_server_smb_encrypt(-1) == SMB_ENCRYPTION_OFF) {
|
|
+ if (conn->encrypt_level == SMB_ENCRYPTION_REQUIRED) {
|
|
DBG_ERR("Service [%s] requires encryption, but "
|
|
"it is disabled globally!\n",
|
|
lp_const_servicename(snum));
|
|
status = NT_STATUS_ACCESS_DENIED;
|
|
goto err_root_exit;
|
|
}
|
|
- conn->encrypt_level = SMB_SIGNING_OFF;
|
|
+ conn->encrypt_level = SMB_ENCRYPTION_OFF;
|
|
}
|
|
}
|
|
|
|
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
|
|
index 674942b71de..99303f1b07b 100644
|
|
--- a/source3/smbd/smb2_negprot.c
|
|
+++ b/source3/smbd/smb2_negprot.c
|
|
@@ -335,7 +335,7 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
|
|
}
|
|
|
|
if ((protocol >= PROTOCOL_SMB2_24) &&
|
|
- (lp_server_smb_encrypt(-1) != SMB_SIGNING_OFF) &&
|
|
+ (lp_server_smb_encrypt(-1) != SMB_ENCRYPTION_OFF) &&
|
|
(in_capabilities & SMB2_CAP_ENCRYPTION)) {
|
|
capabilities |= SMB2_CAP_ENCRYPTION;
|
|
}
|
|
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
|
|
index 8957411e167..907dd92321e 100644
|
|
--- a/source3/smbd/smb2_sesssetup.c
|
|
+++ b/source3/smbd/smb2_sesssetup.c
|
|
@@ -292,12 +292,12 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
|
|
x->global->signing_flags = SMBXSRV_SIGNING_REQUIRED;
|
|
}
|
|
|
|
- if ((lp_server_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
|
|
+ if ((lp_server_smb_encrypt(-1) >= SMB_ENCRYPTION_DESIRED) &&
|
|
(xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
|
|
x->global->encryption_flags = SMBXSRV_ENCRYPTION_DESIRED;
|
|
}
|
|
|
|
- if (lp_server_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
|
|
+ if (lp_server_smb_encrypt(-1) == SMB_ENCRYPTION_REQUIRED) {
|
|
x->global->encryption_flags = SMBXSRV_ENCRYPTION_REQUIRED |
|
|
SMBXSRV_ENCRYPTION_DESIRED;
|
|
}
|
|
diff --git a/source3/smbd/smb2_tcon.c b/source3/smbd/smb2_tcon.c
|
|
index 0dd3c653b4b..d7e0cf90f47 100644
|
|
--- a/source3/smbd/smb2_tcon.c
|
|
+++ b/source3/smbd/smb2_tcon.c
|
|
@@ -302,13 +302,13 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
|
|
TALLOC_FREE(proxy);
|
|
}
|
|
|
|
- if ((lp_server_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) &&
|
|
+ if ((lp_server_smb_encrypt(snum) >= SMB_ENCRYPTION_DESIRED) &&
|
|
(conn->smb2.server.cipher != 0))
|
|
{
|
|
encryption_desired = true;
|
|
}
|
|
|
|
- if (lp_server_smb_encrypt(snum) == SMB_SIGNING_REQUIRED) {
|
|
+ if (lp_server_smb_encrypt(snum) == SMB_ENCRYPTION_REQUIRED) {
|
|
encryption_desired = true;
|
|
encryption_required = true;
|
|
}
|
|
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
|
|
index b745e0906b1..2f2fdcb7260 100644
|
|
--- a/source3/smbd/trans2.c
|
|
+++ b/source3/smbd/trans2.c
|
|
@@ -4484,7 +4484,8 @@ static void call_trans2setfsinfo(connection_struct *conn,
|
|
return;
|
|
}
|
|
|
|
- if (lp_server_smb_encrypt(SNUM(conn)) == SMB_SIGNING_OFF) {
|
|
+ if (lp_server_smb_encrypt(SNUM(conn)) ==
|
|
+ SMB_ENCRYPTION_OFF) {
|
|
reply_nterror(
|
|
req,
|
|
NT_STATUS_NOT_SUPPORTED);
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 7153b9b229a2feea129f1bb1cd423dd4e79d5a05 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 9 Apr 2020 10:38:41 +0200
|
|
Subject: [PATCH 007/104] docs-xml: Add 'client smb encrypt'
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
.../smbdotconf/security/clientsmbencrypt.xml | 126 ++++++++++++++++++
|
|
lib/param/loadparm.c | 4 +
|
|
source3/param/loadparm.c | 2 +
|
|
3 files changed, 132 insertions(+)
|
|
create mode 100644 docs-xml/smbdotconf/security/clientsmbencrypt.xml
|
|
|
|
diff --git a/docs-xml/smbdotconf/security/clientsmbencrypt.xml b/docs-xml/smbdotconf/security/clientsmbencrypt.xml
|
|
new file mode 100644
|
|
index 00000000000..05df152e734
|
|
--- /dev/null
|
|
+++ b/docs-xml/smbdotconf/security/clientsmbencrypt.xml
|
|
@@ -0,0 +1,126 @@
|
|
+<samba:parameter name="client smb encrypt"
|
|
+ context="G"
|
|
+ type="enum"
|
|
+ enumlist="enum_smb_encryption_vals"
|
|
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
+<description>
|
|
+ <para>
|
|
+ This parameter controls whether a client should try or is required
|
|
+ to use SMB encryption. It has different effects depending on whether
|
|
+ the connection uses SMB1 or SMB3:
|
|
+ </para>
|
|
+
|
|
+ <itemizedlist>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ If the connection uses SMB1, then this option controls the use
|
|
+ of a Samba-specific extension to the SMB protocol introduced in
|
|
+ Samba 3.2 that makes use of the Unix extensions.
|
|
+ </para>
|
|
+ </listitem>
|
|
+
|
|
+ <listitem>
|
|
+ <para>
|
|
+ If the connection uses SMB2 or newer, then this option controls
|
|
+ the use of the SMB-level encryption that is supported in SMB
|
|
+ version 3.0 and above and available in Windows 8 and newer.
|
|
+ </para>
|
|
+ </listitem>
|
|
+ </itemizedlist>
|
|
+
|
|
+ <para>
|
|
+ This parameter can be set globally. Possible values are
|
|
+
|
|
+ <emphasis>off</emphasis>,
|
|
+ <emphasis>if_required</emphasis>,
|
|
+ <emphasis>desired</emphasis>,
|
|
+ and
|
|
+ <emphasis>required</emphasis>.
|
|
+ A special value is <emphasis>default</emphasis> which is
|
|
+ the implicit default setting of <emphasis>if_required</emphasis>.
|
|
+ </para>
|
|
+
|
|
+ <variablelist>
|
|
+ <varlistentry>
|
|
+ <term><emphasis>Effects for SMB1</emphasis></term>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ The Samba-specific encryption of SMB1 connections is an
|
|
+ extension to the SMB protocol negotiated as part of the UNIX
|
|
+ extensions. SMB encryption uses the GSSAPI (SSPI on Windows)
|
|
+ ability to encrypt and sign every request/response in a SMB
|
|
+ protocol stream. When enabled it provides a secure method of
|
|
+ SMB/CIFS communication, similar to an ssh protected session, but
|
|
+ using SMB/CIFS authentication to negotiate encryption and
|
|
+ signing keys. Currently this is only supported smbclient of by
|
|
+ Samba 3.2 and newer. Windows does not support this feature.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ When set to default, SMB encryption is probed, but not
|
|
+ enforced. When set to required, SMB encryption is required and
|
|
+ if set to disabled, SMB encryption can not be negotiated.
|
|
+ </para>
|
|
+ </listitem>
|
|
+ </varlistentry>
|
|
+
|
|
+ <varlistentry>
|
|
+ <term><emphasis>Effects for SMB3 and newer</emphasis></term>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Native SMB transport encryption is available in SMB version 3.0
|
|
+ or newer. It is only used by Samba if
|
|
+ <emphasis>client max protocol</emphasis> is set to
|
|
+ <emphasis>SMB3</emphasis> or newer.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ These features can be controlled with settings of
|
|
+ <emphasis>client smb encrypt</emphasis> as follows:
|
|
+ </para>
|
|
+
|
|
+ <itemizedlist>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Leaving it as default, explicitly setting
|
|
+ <emphasis>default</emphasis>, or setting it to
|
|
+ <emphasis>if_required</emphasis> globally will enable
|
|
+ negotiation of encryption but will not turn on
|
|
+ data encryption globally.
|
|
+ </para>
|
|
+ </listitem>
|
|
+
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Setting it to <emphasis>desired</emphasis> globally
|
|
+ will enable negotiation and will turn on data encryption
|
|
+ on sessions and share connections for those servers
|
|
+ that support it.
|
|
+ </para>
|
|
+ </listitem>
|
|
+
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Setting it to <emphasis>required</emphasis> globally
|
|
+ will enable negotiation and turn on data encryption
|
|
+ on sessions and share connections. Clients that do
|
|
+ not support encryption will be denied access to the
|
|
+ server.
|
|
+ </para>
|
|
+ </listitem>
|
|
+
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Setting it to <emphasis>off</emphasis> globally will
|
|
+ completely disable the encryption feature for all
|
|
+ connections.
|
|
+ </para>
|
|
+ </listitem>
|
|
+ </itemizedlist>
|
|
+ </listitem>
|
|
+ </varlistentry>
|
|
+ </variablelist>
|
|
+</description>
|
|
+
|
|
+<value type="default">default</value>
|
|
+</samba:parameter>
|
|
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
|
|
index 006caabc092..67f5709b213 100644
|
|
--- a/lib/param/loadparm.c
|
|
+++ b/lib/param/loadparm.c
|
|
@@ -3079,6 +3079,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
|
lpcfg_do_global_parameter(
|
|
lp_ctx, "ldap max search request size", "256000");
|
|
|
|
+ lpcfg_do_global_parameter(lp_ctx,
|
|
+ "client smb encrypt",
|
|
+ "default");
|
|
+
|
|
for (i = 0; parm_table[i].label; i++) {
|
|
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
|
|
lp_ctx->flags[i] |= FLAG_DEFAULT;
|
|
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
|
index 4ad541301b3..6418a42b6eb 100644
|
|
--- a/source3/param/loadparm.c
|
|
+++ b/source3/param/loadparm.c
|
|
@@ -960,6 +960,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
|
Globals.ldap_max_authenticated_request_size = 16777216;
|
|
Globals.ldap_max_search_request_size = 256000;
|
|
|
|
+ Globals.client_smb_encrypt = SMB_ENCRYPTION_DEFAULT;
|
|
+
|
|
/* Now put back the settings that were set with lp_set_cmdline() */
|
|
apply_lp_set_cmdline();
|
|
}
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From f151e19473330373801c4d85ef3d5ce0918ac17d Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 22 Jul 2020 17:48:25 +0200
|
|
Subject: [PATCH 008/104] lib:param: Add lpcfg_parse_enum_vals()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
lib/param/loadparm.c | 30 ++++++++++++++++++++++++++++++
|
|
lib/param/loadparm.h | 2 ++
|
|
2 files changed, 32 insertions(+)
|
|
|
|
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
|
|
index 67f5709b213..b1410791c60 100644
|
|
--- a/lib/param/loadparm.c
|
|
+++ b/lib/param/loadparm.c
|
|
@@ -3675,3 +3675,33 @@ char *lpcfg_substituted_string(TALLOC_CTX *mem_ctx,
|
|
raw_value,
|
|
lp_sub->private_data);
|
|
}
|
|
+
|
|
+/**
|
|
+ * @brief Parse a string value of a given parameter to its integer enum value.
|
|
+ *
|
|
+ * @param[in] param_name The parameter name (e.g. 'client smb encrypt')
|
|
+ *
|
|
+ * @param[in] param_value The parameter value (e.g. 'required').
|
|
+ *
|
|
+ * @return The integer value of the enum the param_value matches or INT32_MIN
|
|
+ * on error.
|
|
+ */
|
|
+int32_t lpcfg_parse_enum_vals(const char *param_name,
|
|
+ const char *param_value)
|
|
+{
|
|
+ struct parm_struct *parm = NULL;
|
|
+ int32_t ret = INT32_MIN;
|
|
+ bool ok;
|
|
+
|
|
+ parm = lpcfg_parm_struct(NULL, param_name);
|
|
+ if (parm == NULL) {
|
|
+ return INT32_MIN;
|
|
+ }
|
|
+
|
|
+ ok = lp_set_enum_parm(parm, param_value, &ret);
|
|
+ if (!ok) {
|
|
+ return INT32_MIN;
|
|
+ }
|
|
+
|
|
+ return ret;
|
|
+}
|
|
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
|
|
index 323fcf84523..e66ce2324b4 100644
|
|
--- a/lib/param/loadparm.h
|
|
+++ b/lib/param/loadparm.h
|
|
@@ -316,6 +316,8 @@ bool lp_do_section(const char *pszSectionName, void *userdata);
|
|
bool store_lp_set_cmdline(const char *pszParmName, const char *pszParmValue);
|
|
|
|
int num_parameters(void);
|
|
+int32_t lpcfg_parse_enum_vals(const char *param_name,
|
|
+ const char *param_value);
|
|
|
|
struct loadparm_substitution;
|
|
#ifdef LOADPARM_SUBSTITUTION_INTERNALS
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 6364c5bcde41ed5bdb478747511003796a601e74 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 9 Oct 2019 09:38:08 +0200
|
|
Subject: [PATCH 009/104] libcli:smb: Add smb_signing_setting_translate()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
libcli/smb/smb_util.h | 7 ++++
|
|
libcli/smb/test_util_translate.c | 64 ++++++++++++++++++++++++++++++++
|
|
libcli/smb/util.c | 20 ++++++++++
|
|
libcli/smb/wscript | 5 +++
|
|
selftest/tests.py | 2 +
|
|
5 files changed, 98 insertions(+)
|
|
create mode 100644 libcli/smb/test_util_translate.c
|
|
|
|
diff --git a/libcli/smb/smb_util.h b/libcli/smb/smb_util.h
|
|
index 8861741c92f..15bdbe856d1 100644
|
|
--- a/libcli/smb/smb_util.h
|
|
+++ b/libcli/smb/smb_util.h
|
|
@@ -24,6 +24,9 @@
|
|
#include "smb_constants.h"
|
|
#include <talloc.h>
|
|
|
|
+#ifndef _SMB_UTIL_H
|
|
+#define _SMB_UTIL_H
|
|
+
|
|
const char *smb_protocol_types_string(enum protocol_types protocol);
|
|
char *attrib_string(TALLOC_CTX *mem_ctx, uint32_t attrib);
|
|
uint32_t unix_perms_to_wire(mode_t perms);
|
|
@@ -46,3 +49,7 @@ NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
|
|
const uint8_t *buf, size_t buf_len,
|
|
const uint8_t *position,
|
|
size_t *_consumed);
|
|
+
|
|
+enum smb_signing_setting smb_signing_setting_translate(const char *str);
|
|
+
|
|
+#endif /* _SMB_UTIL_H */
|
|
diff --git a/libcli/smb/test_util_translate.c b/libcli/smb/test_util_translate.c
|
|
new file mode 100644
|
|
index 00000000000..4b81984affa
|
|
--- /dev/null
|
|
+++ b/libcli/smb/test_util_translate.c
|
|
@@ -0,0 +1,64 @@
|
|
+/*
|
|
+ * Unix SMB/CIFS implementation.
|
|
+ *
|
|
+ * Copyright (C) 2020 Andreas Schneider <asn@samba.org>
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or modify
|
|
+ * it under the terms of the GNU General Public License as published by
|
|
+ * the Free Software Foundation; either version 3 of the License, or
|
|
+ * (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+ */
|
|
+
|
|
+#include <stdarg.h>
|
|
+#include <stddef.h>
|
|
+#include <stdint.h>
|
|
+#include <setjmp.h>
|
|
+#include <cmocka.h>
|
|
+
|
|
+#include "lib/replace/replace.h"
|
|
+#include <talloc.h>
|
|
+
|
|
+#include "libcli/smb/util.c"
|
|
+
|
|
+static void test_smb_signing_setting_translate(void **state)
|
|
+{
|
|
+ enum smb_signing_setting signing_state;
|
|
+
|
|
+ signing_state = smb_signing_setting_translate("wurst");
|
|
+ assert_int_equal(signing_state, SMB_SIGNING_REQUIRED);
|
|
+
|
|
+ signing_state = smb_signing_setting_translate("off");
|
|
+ assert_int_equal(signing_state, SMB_SIGNING_OFF);
|
|
+
|
|
+ signing_state = smb_signing_setting_translate("if_required");
|
|
+ assert_int_equal(signing_state, SMB_SIGNING_IF_REQUIRED);
|
|
+
|
|
+ signing_state = smb_signing_setting_translate("mandatory");
|
|
+ assert_int_equal(signing_state, SMB_SIGNING_REQUIRED);
|
|
+
|
|
+}
|
|
+
|
|
+int main(int argc, char *argv[])
|
|
+{
|
|
+ int rc;
|
|
+ const struct CMUnitTest tests[] = {
|
|
+ cmocka_unit_test(test_smb_signing_setting_translate),
|
|
+ };
|
|
+
|
|
+ if (argc == 2) {
|
|
+ cmocka_set_test_filter(argv[1]);
|
|
+ }
|
|
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
|
|
+
|
|
+ rc = cmocka_run_group_tests(tests, NULL, NULL);
|
|
+
|
|
+ return rc;
|
|
+}
|
|
diff --git a/libcli/smb/util.c b/libcli/smb/util.c
|
|
index 6fdf35fbbf3..da0e4db2bf3 100644
|
|
--- a/libcli/smb/util.c
|
|
+++ b/libcli/smb/util.c
|
|
@@ -22,6 +22,7 @@
|
|
#include "includes.h"
|
|
#include "libcli/smb/smb_common.h"
|
|
#include "system/filesys.h"
|
|
+#include "lib/param/loadparm.h"
|
|
|
|
const char *smb_protocol_types_string(enum protocol_types protocol)
|
|
{
|
|
@@ -428,3 +429,22 @@ NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
|
|
return internal_bytes_pull_str(mem_ctx, _str, ucs2, true,
|
|
buf, buf_len, position, _consumed);
|
|
}
|
|
+
|
|
+/**
|
|
+ * @brief Translate SMB signing settings as string to an enum.
|
|
+ *
|
|
+ * @param[in] str The string to translate.
|
|
+ *
|
|
+ * @return A corresponding enum @smb_signing_setting tranlated from the string.
|
|
+ */
|
|
+enum smb_signing_setting smb_signing_setting_translate(const char *str)
|
|
+{
|
|
+ enum smb_signing_setting signing_state = SMB_SIGNING_REQUIRED;
|
|
+ int32_t val = lpcfg_parse_enum_vals("client signing", str);
|
|
+
|
|
+ if (val != INT32_MIN) {
|
|
+ signing_state = val;
|
|
+ }
|
|
+
|
|
+ return signing_state;
|
|
+}
|
|
diff --git a/libcli/smb/wscript b/libcli/smb/wscript
|
|
index 86e377f570b..c047fd33278 100644
|
|
--- a/libcli/smb/wscript
|
|
+++ b/libcli/smb/wscript
|
|
@@ -72,3 +72,8 @@ def build(bld):
|
|
source='test_smb1cli_session.c',
|
|
deps='cmocka cli_smb_common',
|
|
for_selftest=True)
|
|
+
|
|
+ bld.SAMBA_BINARY('test_util_translate',
|
|
+ source='test_util_translate.c',
|
|
+ deps='cmocka cli_smb_common',
|
|
+ for_selftest=True)
|
|
diff --git a/selftest/tests.py b/selftest/tests.py
|
|
index 6918e1306c3..20981754db4 100644
|
|
--- a/selftest/tests.py
|
|
+++ b/selftest/tests.py
|
|
@@ -376,6 +376,8 @@ plantestsuite("samba.unittests.lib_util_modules", "none",
|
|
|
|
plantestsuite("samba.unittests.smb1cli_session", "none",
|
|
[os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
|
|
+plantestsuite("samba.unittests.smb_util_translate", "none",
|
|
+ [os.path.join(bindir(), "default/libcli/smb/test_util_translate")])
|
|
|
|
plantestsuite("samba.unittests.talloc_keep_secret", "none",
|
|
[os.path.join(bindir(), "default/lib/util/test_talloc_keep_secret")])
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 8ceec22ead224c3581b18b0fc95cb7f7f9c061a8 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 26 May 2020 08:39:34 +0200
|
|
Subject: [PATCH 010/104] libcli:smb: Add smb_encryption_setting_translate()
|
|
|
|
Add encryption enum and function to avoid confusion when reading the
|
|
code.
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
libcli/smb/smb_util.h | 1 +
|
|
libcli/smb/test_util_translate.c | 19 +++++++++++++++++++
|
|
libcli/smb/util.c | 20 ++++++++++++++++++++
|
|
3 files changed, 40 insertions(+)
|
|
|
|
diff --git a/libcli/smb/smb_util.h b/libcli/smb/smb_util.h
|
|
index 15bdbe856d1..2a727db8b6f 100644
|
|
--- a/libcli/smb/smb_util.h
|
|
+++ b/libcli/smb/smb_util.h
|
|
@@ -51,5 +51,6 @@ NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
|
|
size_t *_consumed);
|
|
|
|
enum smb_signing_setting smb_signing_setting_translate(const char *str);
|
|
+enum smb_encryption_setting smb_encryption_setting_translate(const char *str);
|
|
|
|
#endif /* _SMB_UTIL_H */
|
|
diff --git a/libcli/smb/test_util_translate.c b/libcli/smb/test_util_translate.c
|
|
index 4b81984affa..b300af52c09 100644
|
|
--- a/libcli/smb/test_util_translate.c
|
|
+++ b/libcli/smb/test_util_translate.c
|
|
@@ -46,11 +46,30 @@ static void test_smb_signing_setting_translate(void **state)
|
|
|
|
}
|
|
|
|
+static void test_smb_encryption_setting_translate(void **state)
|
|
+{
|
|
+ enum smb_encryption_setting encryption_state;
|
|
+
|
|
+ encryption_state = smb_encryption_setting_translate("wurst");
|
|
+ assert_int_equal(encryption_state, SMB_ENCRYPTION_REQUIRED);
|
|
+
|
|
+ encryption_state = smb_encryption_setting_translate("off");
|
|
+ assert_int_equal(encryption_state, SMB_ENCRYPTION_OFF);
|
|
+
|
|
+ encryption_state = smb_encryption_setting_translate("if_required");
|
|
+ assert_int_equal(encryption_state, SMB_ENCRYPTION_IF_REQUIRED);
|
|
+
|
|
+ encryption_state = smb_encryption_setting_translate("mandatory");
|
|
+ assert_int_equal(encryption_state, SMB_ENCRYPTION_REQUIRED);
|
|
+
|
|
+}
|
|
+
|
|
int main(int argc, char *argv[])
|
|
{
|
|
int rc;
|
|
const struct CMUnitTest tests[] = {
|
|
cmocka_unit_test(test_smb_signing_setting_translate),
|
|
+ cmocka_unit_test(test_smb_encryption_setting_translate),
|
|
};
|
|
|
|
if (argc == 2) {
|
|
diff --git a/libcli/smb/util.c b/libcli/smb/util.c
|
|
index da0e4db2bf3..ac2887ee5c4 100644
|
|
--- a/libcli/smb/util.c
|
|
+++ b/libcli/smb/util.c
|
|
@@ -448,3 +448,23 @@ enum smb_signing_setting smb_signing_setting_translate(const char *str)
|
|
|
|
return signing_state;
|
|
}
|
|
+
|
|
+/**
|
|
+ * @brief Translate SMB encryption settings as string to an enum.
|
|
+ *
|
|
+ * @param[in] str The string to translate.
|
|
+ *
|
|
+ * @return A corresponding enum @smb_encryption_setting tranlated from the
|
|
+ * string.
|
|
+ */
|
|
+enum smb_encryption_setting smb_encryption_setting_translate(const char *str)
|
|
+{
|
|
+ enum smb_encryption_setting encryption_state = SMB_ENCRYPTION_REQUIRED;
|
|
+ int32_t val = lpcfg_parse_enum_vals("client smb encrypt", str);
|
|
+
|
|
+ if (val != INT32_MIN) {
|
|
+ encryption_state = val;
|
|
+ }
|
|
+
|
|
+ return encryption_state;
|
|
+}
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From dc53c158acdeffc6e53436359a56bcf7071b3d83 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 9 Oct 2019 09:47:59 +0200
|
|
Subject: [PATCH 011/104] s3:lib: Use smb_signing_setting_translate for cmdline
|
|
parsing
|
|
|
|
The function will be removed soon.
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/lib/util_cmdline.c | 17 +++--------------
|
|
source3/wscript_build | 2 +-
|
|
2 files changed, 4 insertions(+), 15 deletions(-)
|
|
|
|
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
|
|
index 90ee67c4cb7..bc1f1c3ed25 100644
|
|
--- a/source3/lib/util_cmdline.c
|
|
+++ b/source3/lib/util_cmdline.c
|
|
@@ -28,6 +28,7 @@
|
|
#include "librpc/gen_ndr/samr.h"
|
|
#include "auth/credentials/credentials.h"
|
|
#include "auth/gensec/gensec.h"
|
|
+#include "libcli/smb/smb_util.h"
|
|
|
|
/**************************************************************************n
|
|
Code to cope with username/password auth options from the commandline.
|
|
@@ -240,20 +241,8 @@ void set_cmdline_auth_info_password(struct user_auth_info *auth_info,
|
|
bool set_cmdline_auth_info_signing_state(struct user_auth_info *auth_info,
|
|
const char *arg)
|
|
{
|
|
- auth_info->signing_state = SMB_SIGNING_DEFAULT;
|
|
- if (strequal(arg, "off") || strequal(arg, "no") ||
|
|
- strequal(arg, "false")) {
|
|
- auth_info->signing_state = SMB_SIGNING_OFF;
|
|
- } else if (strequal(arg, "on") || strequal(arg, "yes") ||
|
|
- strequal(arg, "if_required") ||
|
|
- strequal(arg, "true") || strequal(arg, "auto")) {
|
|
- auth_info->signing_state = SMB_SIGNING_IF_REQUIRED;
|
|
- } else if (strequal(arg, "force") || strequal(arg, "required") ||
|
|
- strequal(arg, "forced")) {
|
|
- auth_info->signing_state = SMB_SIGNING_REQUIRED;
|
|
- } else {
|
|
- return false;
|
|
- }
|
|
+ auth_info->signing_state = smb_signing_setting_translate(arg);
|
|
+
|
|
return true;
|
|
}
|
|
|
|
diff --git a/source3/wscript_build b/source3/wscript_build
|
|
index d86a9fcadbf..c1051c62393 100644
|
|
--- a/source3/wscript_build
|
|
+++ b/source3/wscript_build
|
|
@@ -279,7 +279,7 @@ bld.SAMBA3_LIBRARY('popt_samba3_cmdline',
|
|
|
|
bld.SAMBA3_LIBRARY('util_cmdline',
|
|
source='lib/util_cmdline.c',
|
|
- deps='secrets3 samba-credentials',
|
|
+ deps='secrets3 samba-credentials cli_smb_common',
|
|
private_library=True)
|
|
|
|
bld.SAMBA3_LIBRARY('cmdline_contexts',
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From c6f52fc629ca09e450b3bd0c1bdc56fdabeae141 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 23 Jul 2020 07:47:18 +0200
|
|
Subject: [PATCH 012/104] auth:creds: Remove unused credentials autoproto
|
|
header
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
auth/credentials/credentials_krb5.c | 1 -
|
|
auth/credentials/credentials_secrets.c | 1 -
|
|
auth/credentials/wscript_build | 1 -
|
|
source4/auth/kerberos/kerberos_util.c | 1 -
|
|
source4/auth/tests/kerberos.c | 1 -
|
|
5 files changed, 5 deletions(-)
|
|
|
|
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
|
|
index 20e677e521a..259b35b73b0 100644
|
|
--- a/auth/credentials/credentials_krb5.c
|
|
+++ b/auth/credentials/credentials_krb5.c
|
|
@@ -27,7 +27,6 @@
|
|
#include "auth/kerberos/kerberos.h"
|
|
#include "auth/credentials/credentials.h"
|
|
#include "auth/credentials/credentials_internal.h"
|
|
-#include "auth/credentials/credentials_proto.h"
|
|
#include "auth/credentials/credentials_krb5.h"
|
|
#include "auth/kerberos/kerberos_credentials.h"
|
|
#include "auth/kerberos/kerberos_srv_keytab.h"
|
|
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
|
|
index 54f3ce2d078..52a89d4d5b4 100644
|
|
--- a/auth/credentials/credentials_secrets.c
|
|
+++ b/auth/credentials/credentials_secrets.c
|
|
@@ -29,7 +29,6 @@
|
|
#include "system/filesys.h"
|
|
#include "auth/credentials/credentials.h"
|
|
#include "auth/credentials/credentials_internal.h"
|
|
-#include "auth/credentials/credentials_proto.h"
|
|
#include "auth/credentials/credentials_krb5.h"
|
|
#include "auth/kerberos/kerberos_util.h"
|
|
#include "param/param.h"
|
|
diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build
|
|
index f5aba1de248..564a04fe8dd 100644
|
|
--- a/auth/credentials/wscript_build
|
|
+++ b/auth/credentials/wscript_build
|
|
@@ -2,7 +2,6 @@
|
|
|
|
bld.SAMBA_LIBRARY('samba-credentials',
|
|
source='credentials.c',
|
|
- autoproto='credentials_proto.h',
|
|
public_headers='credentials.h',
|
|
pc_files='samba-credentials.pc',
|
|
deps='LIBCRYPTO samba-errors events LIBCLI_AUTH samba-security CREDENTIALS_SECRETS CREDENTIALS_KRB5',
|
|
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
|
|
index ffef24f285c..544d9d853cc 100644
|
|
--- a/source4/auth/kerberos/kerberos_util.c
|
|
+++ b/source4/auth/kerberos/kerberos_util.c
|
|
@@ -24,7 +24,6 @@
|
|
#include "system/kerberos.h"
|
|
#include "auth/kerberos/kerberos.h"
|
|
#include "auth/credentials/credentials.h"
|
|
-#include "auth/credentials/credentials_proto.h"
|
|
#include "auth/credentials/credentials_krb5.h"
|
|
#include "auth/kerberos/kerberos_credentials.h"
|
|
#include "auth/kerberos/kerberos_util.h"
|
|
diff --git a/source4/auth/tests/kerberos.c b/source4/auth/tests/kerberos.c
|
|
index 7711eac2afa..d9be3562adb 100644
|
|
--- a/source4/auth/tests/kerberos.c
|
|
+++ b/source4/auth/tests/kerberos.c
|
|
@@ -10,7 +10,6 @@
|
|
#include "system/kerberos.h"
|
|
#include "auth/kerberos/kerberos.h"
|
|
#include "auth/credentials/credentials.h"
|
|
-#include "auth/credentials/credentials_proto.h"
|
|
#include "auth/credentials/credentials_krb5.h"
|
|
#include "auth/kerberos/kerberos_credentials.h"
|
|
#include "auth/kerberos/kerberos_util.h"
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 62bca83b540c9402d86f0668839150d2abf3adec Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 26 May 2020 09:32:44 +0200
|
|
Subject: [PATCH 013/104] auth:creds: Add
|
|
cli_credentials_(get|set)_smb_signing()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
auth/credentials/credentials.c | 45 +++++++++++++++++++++++++
|
|
auth/credentials/credentials.h | 7 ++++
|
|
auth/credentials/credentials_internal.h | 4 +++
|
|
3 files changed, 56 insertions(+)
|
|
|
|
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
|
|
index 80a31b248ae..365a6def7ea 100644
|
|
--- a/auth/credentials/credentials.c
|
|
+++ b/auth/credentials/credentials.c
|
|
@@ -44,6 +44,8 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
|
|
|
|
cred->winbind_separator = '\\';
|
|
|
|
+ cred->signing_state = SMB_SIGNING_DEFAULT;
|
|
+
|
|
return cred;
|
|
}
|
|
|
|
@@ -922,6 +924,12 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
|
|
if (sep != NULL && sep[0] != '\0') {
|
|
cred->winbind_separator = *lpcfg_winbind_separator(lp_ctx);
|
|
}
|
|
+
|
|
+ if (cred->signing_state_obtained <= CRED_SMB_CONF) {
|
|
+ /* Will be set to default for invalid smb.conf values */
|
|
+ cred->signing_state = lpcfg_client_signing(lp_ctx);
|
|
+ cred->signing_state_obtained = CRED_SMB_CONF;
|
|
+ }
|
|
}
|
|
|
|
/**
|
|
@@ -1304,6 +1312,43 @@ _PUBLIC_ bool cli_credentials_parse_password_fd(struct cli_credentials *credenti
|
|
return true;
|
|
}
|
|
|
|
+/**
|
|
+ * @brief Set the SMB signing state to request for a SMB connection.
|
|
+ *
|
|
+ * @param[in] creds The credentials structure to update.
|
|
+ *
|
|
+ * @param[in] signing_state The signing state to set.
|
|
+ *
|
|
+ * @param obtained This way the described signing state was specified.
|
|
+ *
|
|
+ * @return true if we could set the signing state, false otherwise.
|
|
+ */
|
|
+_PUBLIC_ bool cli_credentials_set_smb_signing(struct cli_credentials *creds,
|
|
+ enum smb_signing_setting signing_state,
|
|
+ enum credentials_obtained obtained)
|
|
+{
|
|
+ if (obtained >= creds->signing_state_obtained) {
|
|
+ creds->signing_state_obtained = obtained;
|
|
+ creds->signing_state = signing_state;
|
|
+ return true;
|
|
+ }
|
|
+
|
|
+ return false;
|
|
+}
|
|
+
|
|
+/**
|
|
+ * @brief Obtain the SMB signing state from a credentials structure.
|
|
+ *
|
|
+ * @param[in] creds The credential structure to obtain the SMB signing state
|
|
+ * from.
|
|
+ *
|
|
+ * @return The SMB singing state.
|
|
+ */
|
|
+_PUBLIC_ enum smb_signing_setting
|
|
+cli_credentials_get_smb_signing(struct cli_credentials *creds)
|
|
+{
|
|
+ return creds->signing_state;
|
|
+}
|
|
|
|
/**
|
|
* Encrypt a data blob using the session key and the negotiated encryption
|
|
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
|
|
index 7154c2a008c..422391ad585 100644
|
|
--- a/auth/credentials/credentials.h
|
|
+++ b/auth/credentials/credentials.h
|
|
@@ -38,6 +38,7 @@ struct gssapi_creds_container;
|
|
struct smb_krb5_context;
|
|
struct keytab_container;
|
|
struct db_context;
|
|
+enum smb_signing_setting;
|
|
|
|
/* In order of priority */
|
|
enum credentials_obtained {
|
|
@@ -290,6 +291,12 @@ void *_cli_credentials_callback_data(struct cli_credentials *cred);
|
|
#define cli_credentials_callback_data_void(_cred) \
|
|
_cli_credentials_callback_data(_cred)
|
|
|
|
+bool cli_credentials_set_smb_signing(struct cli_credentials *cred,
|
|
+ enum smb_signing_setting signing_state,
|
|
+ enum credentials_obtained obtained);
|
|
+enum smb_signing_setting
|
|
+cli_credentials_get_smb_signing(struct cli_credentials *cred);
|
|
+
|
|
/**
|
|
* Return attached NETLOGON credentials
|
|
*/
|
|
diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
|
|
index 68f1f25dce1..9cde0000b5f 100644
|
|
--- a/auth/credentials/credentials_internal.h
|
|
+++ b/auth/credentials/credentials_internal.h
|
|
@@ -24,6 +24,7 @@
|
|
|
|
#include "../lib/util/data_blob.h"
|
|
#include "librpc/gen_ndr/misc.h"
|
|
+#include "libcli/smb/smb_constants.h"
|
|
|
|
struct cli_credentials {
|
|
enum credentials_obtained workstation_obtained;
|
|
@@ -36,6 +37,7 @@ struct cli_credentials {
|
|
enum credentials_obtained principal_obtained;
|
|
enum credentials_obtained keytab_obtained;
|
|
enum credentials_obtained server_gss_creds_obtained;
|
|
+ enum credentials_obtained signing_state_obtained;
|
|
|
|
/* Threshold values (essentially a MAX() over a number of the
|
|
* above) for the ccache and GSS credentials, to ensure we
|
|
@@ -117,6 +119,8 @@ struct cli_credentials {
|
|
char winbind_separator;
|
|
|
|
bool password_will_be_nt_hash;
|
|
+
|
|
+ enum smb_signing_setting signing_state;
|
|
};
|
|
|
|
#endif /* __CREDENTIALS_INTERNAL_H__ */
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From a14f3c5f3f39173650bd56ee034bd35ea111ee07 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 3 Jun 2020 11:56:01 +0200
|
|
Subject: [PATCH 014/104] auth:creds: Add python bindings for
|
|
(get|set)_smb_signing
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
auth/credentials/pycredentials.c | 63 +++++++++++++++++++++++++++++++
|
|
python/samba/tests/credentials.py | 6 +++
|
|
2 files changed, 69 insertions(+)
|
|
|
|
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
|
|
index 68edc282741..846c418419f 100644
|
|
--- a/auth/credentials/pycredentials.c
|
|
+++ b/auth/credentials/pycredentials.c
|
|
@@ -34,6 +34,7 @@
|
|
#include "auth/credentials/credentials_internal.h"
|
|
#include "system/kerberos.h"
|
|
#include "auth/kerberos/kerberos.h"
|
|
+#include "libcli/smb/smb_constants.h"
|
|
|
|
void initcredentials(void);
|
|
|
|
@@ -929,6 +930,52 @@ static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
|
|
Py_RETURN_NONE;
|
|
}
|
|
|
|
+static PyObject *py_creds_get_smb_signing(PyObject *self, PyObject *unused)
|
|
+{
|
|
+ enum smb_signing_setting signing_state;
|
|
+ struct cli_credentials *creds = NULL;
|
|
+
|
|
+ creds = PyCredentials_AsCliCredentials(self);
|
|
+ if (creds == NULL) {
|
|
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ signing_state = cli_credentials_get_smb_signing(creds);
|
|
+ return PyLong_FromLong(signing_state);
|
|
+}
|
|
+
|
|
+static PyObject *py_creds_set_smb_signing(PyObject *self, PyObject *args)
|
|
+{
|
|
+ enum smb_signing_setting signing_state;
|
|
+ struct cli_credentials *creds = NULL;
|
|
+ enum credentials_obtained obt = CRED_SPECIFIED;
|
|
+
|
|
+ creds = PyCredentials_AsCliCredentials(self);
|
|
+ if (creds == NULL) {
|
|
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
|
|
+ return NULL;
|
|
+ }
|
|
+ if (!PyArg_ParseTuple(args, "i|i", &signing_state, &obt)) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ switch (signing_state) {
|
|
+ case SMB_SIGNING_DEFAULT:
|
|
+ case SMB_SIGNING_OFF:
|
|
+ case SMB_SIGNING_IF_REQUIRED:
|
|
+ case SMB_SIGNING_DESIRED:
|
|
+ case SMB_SIGNING_REQUIRED:
|
|
+ break;
|
|
+ default:
|
|
+ PyErr_Format(PyExc_TypeError, "Invalid signing state value");
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ cli_credentials_set_smb_signing(creds, signing_state, obt);
|
|
+ Py_RETURN_NONE;
|
|
+}
|
|
+
|
|
static PyMethodDef py_creds_methods[] = {
|
|
{
|
|
.ml_name = "get_username",
|
|
@@ -1209,6 +1256,16 @@ static PyMethodDef py_creds_methods[] = {
|
|
"Encrypt the supplied password using the session key and\n"
|
|
"the negotiated encryption algorithm in place\n"
|
|
"i.e. it overwrites the original data"},
|
|
+ {
|
|
+ .ml_name = "get_smb_signing",
|
|
+ .ml_meth = py_creds_get_smb_signing,
|
|
+ .ml_flags = METH_NOARGS,
|
|
+ },
|
|
+ {
|
|
+ .ml_name = "set_smb_signing",
|
|
+ .ml_meth = py_creds_set_smb_signing,
|
|
+ .ml_flags = METH_VARARGS,
|
|
+ },
|
|
{ .ml_name = NULL }
|
|
};
|
|
|
|
@@ -1295,6 +1352,12 @@ MODULE_INIT_FUNC(credentials)
|
|
PyModule_AddObject(m, "CLI_CRED_NTLM_AUTH", PyLong_FromLong(CLI_CRED_NTLM_AUTH));
|
|
PyModule_AddObject(m, "CLI_CRED_CLEAR_AUTH", PyLong_FromLong(CLI_CRED_CLEAR_AUTH));
|
|
|
|
+ PyModule_AddObject(m, "SMB_SIGNING_DEFAULT", PyLong_FromLong(SMB_SIGNING_DEFAULT));
|
|
+ PyModule_AddObject(m, "SMB_SIGNING_OFF", PyLong_FromLong(SMB_SIGNING_OFF));
|
|
+ PyModule_AddObject(m, "SMB_SIGNING_IF_REQUIRED", PyLong_FromLong(SMB_SIGNING_IF_REQUIRED));
|
|
+ PyModule_AddObject(m, "SMB_SIGNING_DESIRED", PyLong_FromLong(SMB_SIGNING_DESIRED));
|
|
+ PyModule_AddObject(m, "SMB_SIGNING_REQUIRED", PyLong_FromLong(SMB_SIGNING_REQUIRED));
|
|
+
|
|
Py_INCREF(&PyCredentials);
|
|
PyModule_AddObject(m, "Credentials", (PyObject *)&PyCredentials);
|
|
Py_INCREF(&PyCredentialCacheContainer);
|
|
diff --git a/python/samba/tests/credentials.py b/python/samba/tests/credentials.py
|
|
index 6454ac9ff7c..e5f8122fa21 100644
|
|
--- a/python/samba/tests/credentials.py
|
|
+++ b/python/samba/tests/credentials.py
|
|
@@ -456,3 +456,9 @@ class CredentialsTests(samba.tests.TestCaseInTempDir):
|
|
self.assertEqual(creds.get_principal(), "user@samba.org")
|
|
self.assertEqual(creds.is_anonymous(), False)
|
|
self.assertEqual(creds.authentication_requested(), True)
|
|
+
|
|
+ def test_smb_signing(self):
|
|
+ creds = credentials.Credentials()
|
|
+ self.assertEqual(creds.get_smb_signing(), credentials.SMB_SIGNING_DEFAULT)
|
|
+ creds.set_smb_signing(credentials.SMB_SIGNING_REQUIRED)
|
|
+ self.assertEqual(creds.get_smb_signing(), credentials.SMB_SIGNING_REQUIRED)
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 9fdc98da5c625acd11205b2bb28deb780ef905ec Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 28 May 2020 16:31:35 +0200
|
|
Subject: [PATCH 015/104] auth:creds: Add
|
|
cli_credentials_(get|set)_smb_ipc_signing()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
auth/credentials/credentials.c | 51 +++++++++++++++++++++++++
|
|
auth/credentials/credentials.h | 6 +++
|
|
auth/credentials/credentials_internal.h | 3 ++
|
|
3 files changed, 60 insertions(+)
|
|
|
|
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
|
|
index 365a6def7ea..dc5d51f1424 100644
|
|
--- a/auth/credentials/credentials.c
|
|
+++ b/auth/credentials/credentials.c
|
|
@@ -46,6 +46,12 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
|
|
|
|
cred->signing_state = SMB_SIGNING_DEFAULT;
|
|
|
|
+ /*
|
|
+ * The default value of lpcfg_client_ipc_signing() is REQUIRED, so use
|
|
+ * the same value here.
|
|
+ */
|
|
+ cred->ipc_signing_state = SMB_SIGNING_REQUIRED;
|
|
+
|
|
return cred;
|
|
}
|
|
|
|
@@ -930,6 +936,12 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
|
|
cred->signing_state = lpcfg_client_signing(lp_ctx);
|
|
cred->signing_state_obtained = CRED_SMB_CONF;
|
|
}
|
|
+
|
|
+ if (cred->ipc_signing_state_obtained <= CRED_SMB_CONF) {
|
|
+ /* Will be set to required for invalid smb.conf values */
|
|
+ cred->ipc_signing_state = lpcfg_client_ipc_signing(lp_ctx);
|
|
+ cred->ipc_signing_state_obtained = CRED_SMB_CONF;
|
|
+ }
|
|
}
|
|
|
|
/**
|
|
@@ -1350,6 +1362,45 @@ cli_credentials_get_smb_signing(struct cli_credentials *creds)
|
|
return creds->signing_state;
|
|
}
|
|
|
|
+/**
|
|
+ * @brief Set the SMB IPC signing state to request for a SMB connection.
|
|
+ *
|
|
+ * @param[in] creds The credentials structure to update.
|
|
+ *
|
|
+ * @param[in] signing_state The signing state to set.
|
|
+ *
|
|
+ * @param obtained This way the described signing state was specified.
|
|
+ *
|
|
+ * @return true if we could set the signing state, false otherwise.
|
|
+ */
|
|
+_PUBLIC_ bool
|
|
+cli_credentials_set_smb_ipc_signing(struct cli_credentials *creds,
|
|
+ enum smb_signing_setting ipc_signing_state,
|
|
+ enum credentials_obtained obtained)
|
|
+{
|
|
+ if (obtained >= creds->ipc_signing_state_obtained) {
|
|
+ creds->ipc_signing_state_obtained = obtained;
|
|
+ creds->ipc_signing_state = ipc_signing_state;
|
|
+ return true;
|
|
+ }
|
|
+
|
|
+ return false;
|
|
+}
|
|
+
|
|
+/**
|
|
+ * @brief Obtain the SMB IPC signing state from a credentials structure.
|
|
+ *
|
|
+ * @param[in] creds The credential structure to obtain the SMB IPC signing
|
|
+ * state from.
|
|
+ *
|
|
+ * @return The SMB singing state.
|
|
+ */
|
|
+_PUBLIC_ enum smb_signing_setting
|
|
+cli_credentials_get_smb_ipc_signing(struct cli_credentials *creds)
|
|
+{
|
|
+ return creds->ipc_signing_state;
|
|
+}
|
|
+
|
|
/**
|
|
* Encrypt a data blob using the session key and the negotiated encryption
|
|
* algorithm
|
|
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
|
|
index 422391ad585..25bec916278 100644
|
|
--- a/auth/credentials/credentials.h
|
|
+++ b/auth/credentials/credentials.h
|
|
@@ -297,6 +297,12 @@ bool cli_credentials_set_smb_signing(struct cli_credentials *cred,
|
|
enum smb_signing_setting
|
|
cli_credentials_get_smb_signing(struct cli_credentials *cred);
|
|
|
|
+bool cli_credentials_set_smb_ipc_signing(struct cli_credentials *cred,
|
|
+ enum smb_signing_setting ipc_signing_state,
|
|
+ enum credentials_obtained obtained);
|
|
+enum smb_signing_setting
|
|
+cli_credentials_get_smb_ipc_signing(struct cli_credentials *cred);
|
|
+
|
|
/**
|
|
* Return attached NETLOGON credentials
|
|
*/
|
|
diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
|
|
index 9cde0000b5f..54e8271471f 100644
|
|
--- a/auth/credentials/credentials_internal.h
|
|
+++ b/auth/credentials/credentials_internal.h
|
|
@@ -38,6 +38,7 @@ struct cli_credentials {
|
|
enum credentials_obtained keytab_obtained;
|
|
enum credentials_obtained server_gss_creds_obtained;
|
|
enum credentials_obtained signing_state_obtained;
|
|
+ enum credentials_obtained ipc_signing_state_obtained;
|
|
|
|
/* Threshold values (essentially a MAX() over a number of the
|
|
* above) for the ccache and GSS credentials, to ensure we
|
|
@@ -121,6 +122,8 @@ struct cli_credentials {
|
|
bool password_will_be_nt_hash;
|
|
|
|
enum smb_signing_setting signing_state;
|
|
+
|
|
+ enum smb_signing_setting ipc_signing_state;
|
|
};
|
|
|
|
#endif /* __CREDENTIALS_INTERNAL_H__ */
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From d8e43a7c8058a6a395493360cf2faae24f64e2e2 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 3 Jun 2020 12:32:46 +0200
|
|
Subject: [PATCH 016/104] auth:creds: Add python bindings for
|
|
(get|set)_smb_ipc_signing
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
auth/credentials/pycredentials.c | 56 +++++++++++++++++++++++++++++++
|
|
python/samba/tests/credentials.py | 6 ++++
|
|
2 files changed, 62 insertions(+)
|
|
|
|
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
|
|
index 846c418419f..1a83c506088 100644
|
|
--- a/auth/credentials/pycredentials.c
|
|
+++ b/auth/credentials/pycredentials.c
|
|
@@ -976,6 +976,52 @@ static PyObject *py_creds_set_smb_signing(PyObject *self, PyObject *args)
|
|
Py_RETURN_NONE;
|
|
}
|
|
|
|
+static PyObject *py_creds_get_smb_ipc_signing(PyObject *self, PyObject *unused)
|
|
+{
|
|
+ enum smb_signing_setting signing_state;
|
|
+ struct cli_credentials *creds = NULL;
|
|
+
|
|
+ creds = PyCredentials_AsCliCredentials(self);
|
|
+ if (creds == NULL) {
|
|
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ signing_state = cli_credentials_get_smb_ipc_signing(creds);
|
|
+ return PyLong_FromLong(signing_state);
|
|
+}
|
|
+
|
|
+static PyObject *py_creds_set_smb_ipc_signing(PyObject *self, PyObject *args)
|
|
+{
|
|
+ enum smb_signing_setting signing_state;
|
|
+ struct cli_credentials *creds = NULL;
|
|
+ enum credentials_obtained obt = CRED_SPECIFIED;
|
|
+
|
|
+ creds = PyCredentials_AsCliCredentials(self);
|
|
+ if (creds == NULL) {
|
|
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
|
|
+ return NULL;
|
|
+ }
|
|
+ if (!PyArg_ParseTuple(args, "i|i", &signing_state, &obt)) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ switch (signing_state) {
|
|
+ case SMB_SIGNING_DEFAULT:
|
|
+ case SMB_SIGNING_OFF:
|
|
+ case SMB_SIGNING_IF_REQUIRED:
|
|
+ case SMB_SIGNING_DESIRED:
|
|
+ case SMB_SIGNING_REQUIRED:
|
|
+ break;
|
|
+ default:
|
|
+ PyErr_Format(PyExc_TypeError, "Invalid signing state value");
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ cli_credentials_set_smb_ipc_signing(creds, signing_state, obt);
|
|
+ Py_RETURN_NONE;
|
|
+}
|
|
+
|
|
static PyMethodDef py_creds_methods[] = {
|
|
{
|
|
.ml_name = "get_username",
|
|
@@ -1266,6 +1312,16 @@ static PyMethodDef py_creds_methods[] = {
|
|
.ml_meth = py_creds_set_smb_signing,
|
|
.ml_flags = METH_VARARGS,
|
|
},
|
|
+ {
|
|
+ .ml_name = "get_smb_ipc_signing",
|
|
+ .ml_meth = py_creds_get_smb_ipc_signing,
|
|
+ .ml_flags = METH_NOARGS,
|
|
+ },
|
|
+ {
|
|
+ .ml_name = "set_smb_ipc_signing",
|
|
+ .ml_meth = py_creds_set_smb_ipc_signing,
|
|
+ .ml_flags = METH_VARARGS,
|
|
+ },
|
|
{ .ml_name = NULL }
|
|
};
|
|
|
|
diff --git a/python/samba/tests/credentials.py b/python/samba/tests/credentials.py
|
|
index e5f8122fa21..8edf13ce6ff 100644
|
|
--- a/python/samba/tests/credentials.py
|
|
+++ b/python/samba/tests/credentials.py
|
|
@@ -462,3 +462,9 @@ class CredentialsTests(samba.tests.TestCaseInTempDir):
|
|
self.assertEqual(creds.get_smb_signing(), credentials.SMB_SIGNING_DEFAULT)
|
|
creds.set_smb_signing(credentials.SMB_SIGNING_REQUIRED)
|
|
self.assertEqual(creds.get_smb_signing(), credentials.SMB_SIGNING_REQUIRED)
|
|
+
|
|
+ def test_smb_ipc_signing(self):
|
|
+ creds = credentials.Credentials()
|
|
+ self.assertEqual(creds.get_smb_ipc_signing(), credentials.SMB_SIGNING_REQUIRED)
|
|
+ creds.set_smb_ipc_signing(credentials.SMB_SIGNING_OFF)
|
|
+ self.assertEqual(creds.get_smb_ipc_signing(), credentials.SMB_SIGNING_OFF)
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 767d356f718965b4595b8322729556b63e66425d Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 28 May 2020 16:10:52 +0200
|
|
Subject: [PATCH 017/104] auth:creds: Add
|
|
cli_credentials_(get|set)_smb_encryption()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
auth/credentials/credentials.c | 45 +++++++++++++++++++++++++
|
|
auth/credentials/credentials.h | 7 ++++
|
|
auth/credentials/credentials_internal.h | 3 ++
|
|
3 files changed, 55 insertions(+)
|
|
|
|
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
|
|
index dc5d51f1424..9168b92d3ec 100644
|
|
--- a/auth/credentials/credentials.c
|
|
+++ b/auth/credentials/credentials.c
|
|
@@ -51,6 +51,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
|
|
* the same value here.
|
|
*/
|
|
cred->ipc_signing_state = SMB_SIGNING_REQUIRED;
|
|
+ cred->encryption_state = SMB_ENCRYPTION_DEFAULT;
|
|
|
|
return cred;
|
|
}
|
|
@@ -942,6 +943,12 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
|
|
cred->ipc_signing_state = lpcfg_client_ipc_signing(lp_ctx);
|
|
cred->ipc_signing_state_obtained = CRED_SMB_CONF;
|
|
}
|
|
+
|
|
+ if (cred->encryption_state_obtained <= CRED_SMB_CONF) {
|
|
+ /* Will be set to default for invalid smb.conf values */
|
|
+ cred->encryption_state = lpcfg_client_smb_encrypt(lp_ctx);
|
|
+ cred->encryption_state_obtained = CRED_SMB_CONF;
|
|
+ }
|
|
}
|
|
|
|
/**
|
|
@@ -1401,6 +1408,44 @@ cli_credentials_get_smb_ipc_signing(struct cli_credentials *creds)
|
|
return creds->ipc_signing_state;
|
|
}
|
|
|
|
+/**
|
|
+ * @brief Set the SMB encryption state to request for a SMB connection.
|
|
+ *
|
|
+ * @param[in] creds The credentials structure to update.
|
|
+ *
|
|
+ * @param[in] encryption_state The encryption state to set.
|
|
+ *
|
|
+ * @param obtained This way the described encryption state was specified.
|
|
+ *
|
|
+ * @return true if we could set the encryption state, false otherwise.
|
|
+ */
|
|
+_PUBLIC_ bool cli_credentials_set_smb_encryption(struct cli_credentials *creds,
|
|
+ enum smb_encryption_setting encryption_state,
|
|
+ enum credentials_obtained obtained)
|
|
+{
|
|
+ if (obtained >= creds->encryption_state_obtained) {
|
|
+ creds->encryption_state_obtained = obtained;
|
|
+ creds->encryption_state = encryption_state;
|
|
+ return true;
|
|
+ }
|
|
+
|
|
+ return false;
|
|
+}
|
|
+
|
|
+/**
|
|
+ * @brief Obtain the SMB encryption state from a credentials structure.
|
|
+ *
|
|
+ * @param[in] creds The credential structure to obtain the SMB encryption state
|
|
+ * from.
|
|
+ *
|
|
+ * @return The SMB singing state.
|
|
+ */
|
|
+_PUBLIC_ enum smb_encryption_setting
|
|
+cli_credentials_get_smb_encryption(struct cli_credentials *creds)
|
|
+{
|
|
+ return creds->encryption_state;
|
|
+}
|
|
+
|
|
/**
|
|
* Encrypt a data blob using the session key and the negotiated encryption
|
|
* algorithm
|
|
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
|
|
index 25bec916278..7d0cf53194b 100644
|
|
--- a/auth/credentials/credentials.h
|
|
+++ b/auth/credentials/credentials.h
|
|
@@ -39,6 +39,7 @@ struct smb_krb5_context;
|
|
struct keytab_container;
|
|
struct db_context;
|
|
enum smb_signing_setting;
|
|
+enum smb_encryption_setting;
|
|
|
|
/* In order of priority */
|
|
enum credentials_obtained {
|
|
@@ -303,6 +304,12 @@ bool cli_credentials_set_smb_ipc_signing(struct cli_credentials *cred,
|
|
enum smb_signing_setting
|
|
cli_credentials_get_smb_ipc_signing(struct cli_credentials *cred);
|
|
|
|
+bool cli_credentials_set_smb_encryption(struct cli_credentials *cred,
|
|
+ enum smb_encryption_setting encryption_state,
|
|
+ enum credentials_obtained obtained);
|
|
+enum smb_encryption_setting
|
|
+cli_credentials_get_smb_encryption(struct cli_credentials *cred);
|
|
+
|
|
/**
|
|
* Return attached NETLOGON credentials
|
|
*/
|
|
diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
|
|
index 54e8271471f..3b86b742448 100644
|
|
--- a/auth/credentials/credentials_internal.h
|
|
+++ b/auth/credentials/credentials_internal.h
|
|
@@ -39,6 +39,7 @@ struct cli_credentials {
|
|
enum credentials_obtained server_gss_creds_obtained;
|
|
enum credentials_obtained signing_state_obtained;
|
|
enum credentials_obtained ipc_signing_state_obtained;
|
|
+ enum credentials_obtained encryption_state_obtained;
|
|
|
|
/* Threshold values (essentially a MAX() over a number of the
|
|
* above) for the ccache and GSS credentials, to ensure we
|
|
@@ -124,6 +125,8 @@ struct cli_credentials {
|
|
enum smb_signing_setting signing_state;
|
|
|
|
enum smb_signing_setting ipc_signing_state;
|
|
+
|
|
+ enum smb_encryption_setting encryption_state;
|
|
};
|
|
|
|
#endif /* __CREDENTIALS_INTERNAL_H__ */
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 88dd0d8871ae2a54bc089f1e761ded6940b270b0 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 3 Jun 2020 12:38:30 +0200
|
|
Subject: [PATCH 018/104] auth:creds: Add python bindings for
|
|
(get|set)_smb_encryption
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
auth/credentials/pycredentials.c | 62 +++++++++++++++++++++++++++++++
|
|
python/samba/tests/credentials.py | 6 +++
|
|
2 files changed, 68 insertions(+)
|
|
|
|
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
|
|
index 1a83c506088..628aae6500b 100644
|
|
--- a/auth/credentials/pycredentials.c
|
|
+++ b/auth/credentials/pycredentials.c
|
|
@@ -1022,6 +1022,52 @@ static PyObject *py_creds_set_smb_ipc_signing(PyObject *self, PyObject *args)
|
|
Py_RETURN_NONE;
|
|
}
|
|
|
|
+static PyObject *py_creds_get_smb_encryption(PyObject *self, PyObject *unused)
|
|
+{
|
|
+ enum smb_encryption_setting encryption_state;
|
|
+ struct cli_credentials *creds = NULL;
|
|
+
|
|
+ creds = PyCredentials_AsCliCredentials(self);
|
|
+ if (creds == NULL) {
|
|
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ encryption_state = cli_credentials_get_smb_encryption(creds);
|
|
+ return PyLong_FromLong(encryption_state);
|
|
+}
|
|
+
|
|
+static PyObject *py_creds_set_smb_encryption(PyObject *self, PyObject *args)
|
|
+{
|
|
+ enum smb_encryption_setting encryption_state;
|
|
+ struct cli_credentials *creds = NULL;
|
|
+ enum credentials_obtained obt = CRED_SPECIFIED;
|
|
+
|
|
+ creds = PyCredentials_AsCliCredentials(self);
|
|
+ if (creds == NULL) {
|
|
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
|
|
+ return NULL;
|
|
+ }
|
|
+ if (!PyArg_ParseTuple(args, "i|i", &encryption_state, &obt)) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ switch (encryption_state) {
|
|
+ case SMB_ENCRYPTION_DEFAULT:
|
|
+ case SMB_ENCRYPTION_OFF:
|
|
+ case SMB_ENCRYPTION_IF_REQUIRED:
|
|
+ case SMB_ENCRYPTION_DESIRED:
|
|
+ case SMB_ENCRYPTION_REQUIRED:
|
|
+ break;
|
|
+ default:
|
|
+ PyErr_Format(PyExc_TypeError, "Invalid encryption state value");
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ cli_credentials_set_smb_encryption(creds, encryption_state, obt);
|
|
+ Py_RETURN_NONE;
|
|
+}
|
|
+
|
|
static PyMethodDef py_creds_methods[] = {
|
|
{
|
|
.ml_name = "get_username",
|
|
@@ -1322,6 +1368,16 @@ static PyMethodDef py_creds_methods[] = {
|
|
.ml_meth = py_creds_set_smb_ipc_signing,
|
|
.ml_flags = METH_VARARGS,
|
|
},
|
|
+ {
|
|
+ .ml_name = "get_smb_encryption",
|
|
+ .ml_meth = py_creds_get_smb_encryption,
|
|
+ .ml_flags = METH_NOARGS,
|
|
+ },
|
|
+ {
|
|
+ .ml_name = "set_smb_encryption",
|
|
+ .ml_meth = py_creds_set_smb_encryption,
|
|
+ .ml_flags = METH_VARARGS,
|
|
+ },
|
|
{ .ml_name = NULL }
|
|
};
|
|
|
|
@@ -1414,6 +1470,12 @@ MODULE_INIT_FUNC(credentials)
|
|
PyModule_AddObject(m, "SMB_SIGNING_DESIRED", PyLong_FromLong(SMB_SIGNING_DESIRED));
|
|
PyModule_AddObject(m, "SMB_SIGNING_REQUIRED", PyLong_FromLong(SMB_SIGNING_REQUIRED));
|
|
|
|
+ PyModule_AddObject(m, "SMB_ENCRYPTION_DEFAULT", PyLong_FromLong(SMB_ENCRYPTION_DEFAULT));
|
|
+ PyModule_AddObject(m, "SMB_ENCRYPTION_OFF", PyLong_FromLong(SMB_ENCRYPTION_OFF));
|
|
+ PyModule_AddObject(m, "SMB_ENCRYPTION_IF_REQUIRED", PyLong_FromLong(SMB_ENCRYPTION_IF_REQUIRED));
|
|
+ PyModule_AddObject(m, "SMB_ENCRYPTION_DESIRED", PyLong_FromLong(SMB_ENCRYPTION_DESIRED));
|
|
+ PyModule_AddObject(m, "SMB_ENCRYPTION_REQUIRED", PyLong_FromLong(SMB_ENCRYPTION_REQUIRED));
|
|
+
|
|
Py_INCREF(&PyCredentials);
|
|
PyModule_AddObject(m, "Credentials", (PyObject *)&PyCredentials);
|
|
Py_INCREF(&PyCredentialCacheContainer);
|
|
diff --git a/python/samba/tests/credentials.py b/python/samba/tests/credentials.py
|
|
index 8edf13ce6ff..e0a6248d37a 100644
|
|
--- a/python/samba/tests/credentials.py
|
|
+++ b/python/samba/tests/credentials.py
|
|
@@ -468,3 +468,9 @@ class CredentialsTests(samba.tests.TestCaseInTempDir):
|
|
self.assertEqual(creds.get_smb_ipc_signing(), credentials.SMB_SIGNING_REQUIRED)
|
|
creds.set_smb_ipc_signing(credentials.SMB_SIGNING_OFF)
|
|
self.assertEqual(creds.get_smb_ipc_signing(), credentials.SMB_SIGNING_OFF)
|
|
+
|
|
+ def test_smb_encryption(self):
|
|
+ creds = credentials.Credentials()
|
|
+ self.assertEqual(creds.get_smb_encryption(), credentials.SMB_ENCRYPTION_DEFAULT)
|
|
+ creds.set_smb_encryption(credentials.SMB_ENCRYPTION_REQUIRED)
|
|
+ self.assertEqual(creds.get_smb_encryption(), credentials.SMB_ENCRYPTION_REQUIRED)
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 41df2d5330c051066691576af9ccf505cb0573e3 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 4 Jun 2020 11:19:53 +0200
|
|
Subject: [PATCH 019/104] auth:creds: Add python bindings for
|
|
cli_credentials_set_conf()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
auth/credentials/pycredentials.c | 41 +++++++++++++++++++++++++++++++
|
|
python/samba/tests/credentials.py | 33 +++++++++++++++++++++++++
|
|
2 files changed, 74 insertions(+)
|
|
|
|
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
|
|
index 628aae6500b..17c90573f09 100644
|
|
--- a/auth/credentials/pycredentials.c
|
|
+++ b/auth/credentials/pycredentials.c
|
|
@@ -621,6 +621,42 @@ static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
|
|
Py_RETURN_NONE;
|
|
}
|
|
|
|
+static PyObject *py_creds_set_conf(PyObject *self, PyObject *args)
|
|
+{
|
|
+ PyObject *py_lp_ctx = Py_None;
|
|
+ struct loadparm_context *lp_ctx;
|
|
+ TALLOC_CTX *mem_ctx;
|
|
+ struct cli_credentials *creds;
|
|
+
|
|
+ creds = PyCredentials_AsCliCredentials(self);
|
|
+ if (creds == NULL) {
|
|
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx)) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ mem_ctx = talloc_new(NULL);
|
|
+ if (mem_ctx == NULL) {
|
|
+ PyErr_NoMemory();
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
|
|
+ if (lp_ctx == NULL) {
|
|
+ talloc_free(mem_ctx);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ cli_credentials_set_conf(creds, lp_ctx);
|
|
+
|
|
+ talloc_free(mem_ctx);
|
|
+
|
|
+ Py_RETURN_NONE;
|
|
+}
|
|
+
|
|
static PyObject *py_creds_guess(PyObject *self, PyObject *args)
|
|
{
|
|
PyObject *py_lp_ctx = Py_None;
|
|
@@ -1279,6 +1315,11 @@ static PyMethodDef py_creds_methods[] = {
|
|
.ml_meth = py_creds_set_krb_forwardable,
|
|
.ml_flags = METH_VARARGS,
|
|
},
|
|
+ {
|
|
+ .ml_name = "set_conf",
|
|
+ .ml_meth = py_creds_set_conf,
|
|
+ .ml_flags = METH_VARARGS,
|
|
+ },
|
|
{
|
|
.ml_name = "guess",
|
|
.ml_meth = py_creds_guess,
|
|
diff --git a/python/samba/tests/credentials.py b/python/samba/tests/credentials.py
|
|
index e0a6248d37a..6187bded0b6 100644
|
|
--- a/python/samba/tests/credentials.py
|
|
+++ b/python/samba/tests/credentials.py
|
|
@@ -463,14 +463,47 @@ class CredentialsTests(samba.tests.TestCaseInTempDir):
|
|
creds.set_smb_signing(credentials.SMB_SIGNING_REQUIRED)
|
|
self.assertEqual(creds.get_smb_signing(), credentials.SMB_SIGNING_REQUIRED)
|
|
|
|
+ def test_smb_signing_set_conf(self):
|
|
+ lp = samba.tests.env_loadparm()
|
|
+
|
|
+ creds = credentials.Credentials()
|
|
+ creds.set_conf(lp)
|
|
+ self.assertEqual(creds.get_smb_signing(), credentials.SMB_SIGNING_DEFAULT)
|
|
+ creds.set_smb_signing(credentials.SMB_SIGNING_OFF)
|
|
+ self.assertEqual(creds.get_smb_signing(), credentials.SMB_SIGNING_OFF)
|
|
+ creds.set_conf(lp)
|
|
+ self.assertEqual(creds.get_smb_signing(), credentials.SMB_SIGNING_OFF)
|
|
+
|
|
def test_smb_ipc_signing(self):
|
|
creds = credentials.Credentials()
|
|
self.assertEqual(creds.get_smb_ipc_signing(), credentials.SMB_SIGNING_REQUIRED)
|
|
creds.set_smb_ipc_signing(credentials.SMB_SIGNING_OFF)
|
|
self.assertEqual(creds.get_smb_ipc_signing(), credentials.SMB_SIGNING_OFF)
|
|
|
|
+ def test_smb_ipc_signing_set_conf(self):
|
|
+ lp = samba.tests.env_loadparm()
|
|
+
|
|
+ creds = credentials.Credentials()
|
|
+ creds.set_conf(lp)
|
|
+ self.assertEqual(creds.get_smb_ipc_signing(), credentials.SMB_SIGNING_REQUIRED)
|
|
+ creds.set_smb_ipc_signing(credentials.SMB_SIGNING_OFF)
|
|
+ self.assertEqual(creds.get_smb_ipc_signing(), credentials.SMB_SIGNING_OFF)
|
|
+ creds.set_conf(lp)
|
|
+ self.assertEqual(creds.get_smb_ipc_signing(), credentials.SMB_SIGNING_OFF)
|
|
+
|
|
def test_smb_encryption(self):
|
|
creds = credentials.Credentials()
|
|
self.assertEqual(creds.get_smb_encryption(), credentials.SMB_ENCRYPTION_DEFAULT)
|
|
creds.set_smb_encryption(credentials.SMB_ENCRYPTION_REQUIRED)
|
|
self.assertEqual(creds.get_smb_encryption(), credentials.SMB_ENCRYPTION_REQUIRED)
|
|
+
|
|
+ def test_smb_encryption_set_conf(self):
|
|
+ lp = samba.tests.env_loadparm()
|
|
+
|
|
+ creds = credentials.Credentials()
|
|
+ creds.set_conf(lp)
|
|
+ self.assertEqual(creds.get_smb_encryption(), credentials.SMB_ENCRYPTION_DEFAULT)
|
|
+ creds.set_smb_encryption(credentials.SMB_ENCRYPTION_OFF)
|
|
+ self.assertEqual(creds.get_smb_encryption(), credentials.SMB_ENCRYPTION_OFF)
|
|
+ creds.set_conf(lp)
|
|
+ self.assertEqual(creds.get_smb_encryption(), credentials.SMB_ENCRYPTION_OFF)
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From cdb470d7c408baa07eabf83ec566baecc8e5138c Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 23 Jul 2020 08:14:23 +0200
|
|
Subject: [PATCH 020/104] auth:creds: Bump library version
|
|
|
|
We added new functions so bump the version.
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
auth/credentials/wscript_build | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build
|
|
index 564a04fe8dd..1e3302e3e48 100644
|
|
--- a/auth/credentials/wscript_build
|
|
+++ b/auth/credentials/wscript_build
|
|
@@ -5,7 +5,7 @@ bld.SAMBA_LIBRARY('samba-credentials',
|
|
public_headers='credentials.h',
|
|
pc_files='samba-credentials.pc',
|
|
deps='LIBCRYPTO samba-errors events LIBCLI_AUTH samba-security CREDENTIALS_SECRETS CREDENTIALS_KRB5',
|
|
- vnum='0.0.1'
|
|
+ vnum='0.1.0'
|
|
)
|
|
|
|
bld.SAMBA_SUBSYSTEM('CREDENTIALS_KRB5',
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From a11a02e0802dbb3300d9b3232b936b74b1f89a32 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 27 May 2020 11:10:30 +0200
|
|
Subject: [PATCH 021/104] s3:lib: Use cli_credential_(get|set)_smb_signing()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/lib/util_cmdline.c | 18 ++++++++++++------
|
|
1 file changed, 12 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
|
|
index bc1f1c3ed25..6038ec11515 100644
|
|
--- a/source3/lib/util_cmdline.c
|
|
+++ b/source3/lib/util_cmdline.c
|
|
@@ -40,7 +40,6 @@ struct user_auth_info {
|
|
struct loadparm_context *lp_ctx;
|
|
bool got_username;
|
|
bool got_pass;
|
|
- int signing_state;
|
|
bool smb_encrypt;
|
|
bool use_machine_account;
|
|
bool use_pw_nt_hash;
|
|
@@ -70,7 +69,6 @@ struct user_auth_info *user_auth_info_init(TALLOC_CTX *mem_ctx)
|
|
|
|
cli_credentials_set_conf(result->creds, result->lp_ctx);
|
|
|
|
- result->signing_state = SMB_SIGNING_DEFAULT;
|
|
return result;
|
|
}
|
|
|
|
@@ -241,15 +239,23 @@ void set_cmdline_auth_info_password(struct user_auth_info *auth_info,
|
|
bool set_cmdline_auth_info_signing_state(struct user_auth_info *auth_info,
|
|
const char *arg)
|
|
{
|
|
- auth_info->signing_state = smb_signing_setting_translate(arg);
|
|
+ enum smb_signing_setting signing_state =
|
|
+ smb_signing_setting_translate(arg);
|
|
+ bool ok;
|
|
|
|
- return true;
|
|
+ ok = cli_credentials_set_smb_signing(auth_info->creds,
|
|
+ signing_state,
|
|
+ CRED_SPECIFIED);
|
|
+
|
|
+ return ok;
|
|
}
|
|
|
|
void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info,
|
|
int signing_state)
|
|
{
|
|
- auth_info->signing_state = signing_state;
|
|
+ cli_credentials_set_smb_signing(auth_info->creds,
|
|
+ signing_state,
|
|
+ CRED_SPECIFIED);
|
|
}
|
|
|
|
int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
|
|
@@ -257,7 +263,7 @@ int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
|
|
if (auth_info->smb_encrypt) {
|
|
return SMB_SIGNING_REQUIRED;
|
|
}
|
|
- return auth_info->signing_state;
|
|
+ return cli_credentials_get_smb_signing(auth_info->creds);
|
|
}
|
|
|
|
void set_cmdline_auth_info_use_ccache(struct user_auth_info *auth_info, bool b)
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 6e5fba172b910545f722d33aa3fb185f48492c18 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 10 Jun 2020 12:45:34 +0200
|
|
Subject: [PATCH 022/104] s3:lib: Set smb encryption also via cli creds API
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/lib/util_cmdline.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
|
|
index 6038ec11515..9c9e2f0ac0f 100644
|
|
--- a/source3/lib/util_cmdline.c
|
|
+++ b/source3/lib/util_cmdline.c
|
|
@@ -377,6 +377,9 @@ void set_cmdline_auth_info_use_krb5_ticket(struct user_auth_info *auth_info)
|
|
/* This should only be used by lib/popt_common.c JRA */
|
|
void set_cmdline_auth_info_smb_encrypt(struct user_auth_info *auth_info)
|
|
{
|
|
+ cli_credentials_set_smb_encryption(auth_info->creds,
|
|
+ SMB_ENCRYPTION_REQUIRED,
|
|
+ CRED_SPECIFIED);
|
|
auth_info->smb_encrypt = true;
|
|
}
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 01eb7d2f16a4f16931a0adffc395ec0b5946ef56 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 13 Aug 2020 10:40:23 +0200
|
|
Subject: [PATCH 023/104] python: Remove unused sign argument from
|
|
smb_connection()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
python/samba/netcmd/gpo.py | 9 ++++-----
|
|
1 file changed, 4 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py
|
|
index 1e2c2918ebe..ad60cda0690 100644
|
|
--- a/python/samba/netcmd/gpo.py
|
|
+++ b/python/samba/netcmd/gpo.py
|
|
@@ -382,13 +382,13 @@ def create_directory_hier(conn, remotedir):
|
|
if not conn.chkpath(path):
|
|
conn.mkdir(path)
|
|
|
|
-def smb_connection(dc_hostname, service, lp, creds, sign=False):
|
|
+def smb_connection(dc_hostname, service, lp, creds):
|
|
# SMB connect to DC
|
|
try:
|
|
# the SMB bindings rely on having a s3 loadparm
|
|
s3_lp = s3param.get_context()
|
|
s3_lp.load(lp.configfile)
|
|
- conn = libsmb.Conn(dc_hostname, service, lp=s3_lp, creds=creds, sign=sign)
|
|
+ conn = libsmb.Conn(dc_hostname, service, lp=s3_lp, creds=creds, sign=True)
|
|
except Exception:
|
|
raise CommandError("Error connecting to '%s' using SMB" % dc_hostname)
|
|
return conn
|
|
@@ -998,7 +998,7 @@ class cmd_fetch(GPOCommand):
|
|
|
|
# SMB connect to DC
|
|
conn = smb_connection(dc_hostname, service, lp=self.lp,
|
|
- creds=self.creds, sign=True)
|
|
+ creds=self.creds)
|
|
|
|
# Copy GPT
|
|
tmpdir, gpodir = self.construct_tmpdir(tmpdir, gpo)
|
|
@@ -1629,8 +1629,7 @@ class cmd_admxload(Command):
|
|
conn = smb_connection(dc_hostname,
|
|
'sysvol',
|
|
lp=self.lp,
|
|
- creds=self.creds,
|
|
- sign=True)
|
|
+ creds=self.creds)
|
|
|
|
smb_dir = '\\'.join([self.lp.get('realm').lower(),
|
|
'Policies', 'PolicyDefinitions'])
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 7ad70308d9f5b5d892e507a58eb946839be33374 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 3 Jun 2020 14:02:37 +0200
|
|
Subject: [PATCH 024/104] python: Set smb signing via the creds API
|
|
|
|
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
python/samba/gpclass.py | 7 +++++++
|
|
python/samba/netcmd/domain_backup.py | 10 +++++++++-
|
|
python/samba/netcmd/gpo.py | 6 ++++++
|
|
3 files changed, 22 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py
|
|
index cc574e12a42..1781a55a618 100644
|
|
--- a/python/samba/gpclass.py
|
|
+++ b/python/samba/gpclass.py
|
|
@@ -38,6 +38,7 @@ from tempfile import NamedTemporaryFile
|
|
from samba.dcerpc import preg
|
|
from samba.dcerpc import misc
|
|
from samba.ndr import ndr_pack, ndr_unpack
|
|
+from samba.credentials import SMB_SIGNING_REQUIRED
|
|
|
|
try:
|
|
from enum import Enum
|
|
@@ -421,7 +422,13 @@ def check_refresh_gpo_list(dc_hostname, lp, creds, gpos):
|
|
# the SMB bindings rely on having a s3 loadparm
|
|
s3_lp = s3param.get_context()
|
|
s3_lp.load(lp.configfile)
|
|
+
|
|
+ # Force signing for the connection
|
|
+ saved_signing_state = creds.get_smb_signing()
|
|
+ creds.set_smb_signing(SMB_SIGNING_REQUIRED)
|
|
conn = libsmb.Conn(dc_hostname, 'sysvol', lp=s3_lp, creds=creds, sign=True)
|
|
+ # Reset signing state
|
|
+ creds.set_smb_signing(saved_signing_state)
|
|
cache_path = lp.cache_path('gpo_cache')
|
|
for gpo in gpos:
|
|
if not gpo.file_sys_path:
|
|
diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py
|
|
index a3dc7fb454f..a9e0ba5bc67 100644
|
|
--- a/python/samba/netcmd/domain_backup.py
|
|
+++ b/python/samba/netcmd/domain_backup.py
|
|
@@ -54,6 +54,7 @@ from subprocess import CalledProcessError
|
|
from samba import sites
|
|
from samba.dsdb import _dsdb_load_udv_v2
|
|
from samba.ndr import ndr_pack
|
|
+from samba.credentials import SMB_SIGNING_REQUIRED
|
|
|
|
|
|
# work out a SID (based on a free RID) to use when the domain gets restored.
|
|
@@ -115,7 +116,14 @@ def smb_sysvol_conn(server, lp, creds):
|
|
# the SMB bindings rely on having a s3 loadparm
|
|
s3_lp = s3param.get_context()
|
|
s3_lp.load(lp.configfile)
|
|
- return libsmb.Conn(server, "sysvol", lp=s3_lp, creds=creds, sign=True)
|
|
+
|
|
+ # Force signing for the connection
|
|
+ saved_signing_state = creds.get_smb_signing()
|
|
+ creds.set_smb_signing(SMB_SIGNING_REQUIRED)
|
|
+ conn = libsmb.Conn(server, "sysvol", lp=s3_lp, creds=creds, sign=True)
|
|
+ # Reset signing state
|
|
+ creds.set_smb_signing(saved_signing_state)
|
|
+ return conn
|
|
|
|
|
|
def get_timestamp():
|
|
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py
|
|
index ad60cda0690..0f2f6520fc3 100644
|
|
--- a/python/samba/netcmd/gpo.py
|
|
+++ b/python/samba/netcmd/gpo.py
|
|
@@ -62,6 +62,7 @@ from samba.gp_parse.gp_csv import GPAuditCsvParser
|
|
from samba.gp_parse.gp_inf import GptTmplInfParser
|
|
from samba.gp_parse.gp_aas import GPAasParser
|
|
from samba import param
|
|
+from samba.credentials import SMB_SIGNING_REQUIRED
|
|
|
|
|
|
def attr_default(msg, attrname, default):
|
|
@@ -384,6 +385,9 @@ def create_directory_hier(conn, remotedir):
|
|
|
|
def smb_connection(dc_hostname, service, lp, creds):
|
|
# SMB connect to DC
|
|
+ # Force signing for the smb connection
|
|
+ saved_signing_state = creds.get_smb_signing()
|
|
+ creds.set_smb_signing(SMB_SIGNING_REQUIRED)
|
|
try:
|
|
# the SMB bindings rely on having a s3 loadparm
|
|
s3_lp = s3param.get_context()
|
|
@@ -391,6 +395,8 @@ def smb_connection(dc_hostname, service, lp, creds):
|
|
conn = libsmb.Conn(dc_hostname, service, lp=s3_lp, creds=creds, sign=True)
|
|
except Exception:
|
|
raise CommandError("Error connecting to '%s' using SMB" % dc_hostname)
|
|
+ # Reset signing state
|
|
+ creds.set_smb_signing(saved_signing_state)
|
|
return conn
|
|
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 70b7a6d80c3699727f7bf36a4a9255bb90c67cec Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 28 May 2020 17:22:12 +0200
|
|
Subject: [PATCH 025/104] s3:libsmb: Introduce CLI_FULL_CONNECTION_IPC
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
examples/winexe/winexe.c | 2 +-
|
|
source3/include/client.h | 1 +
|
|
source3/libnet/libnet_join.c | 6 +++---
|
|
source3/libsmb/cliconnect.c | 3 ++-
|
|
source3/rpc_server/spoolss/srv_spoolss_nt.c | 4 +++-
|
|
source3/rpcclient/cmd_spoolss.c | 2 +-
|
|
source3/rpcclient/rpcclient.c | 2 +-
|
|
source3/utils/mdfind.c | 2 +-
|
|
source3/utils/net_ads.c | 3 ++-
|
|
source3/utils/net_util.c | 9 +++++++--
|
|
source3/utils/netlookup.c | 4 +++-
|
|
11 files changed, 25 insertions(+), 13 deletions(-)
|
|
|
|
diff --git a/examples/winexe/winexe.c b/examples/winexe/winexe.c
|
|
index fc6b15f8e52..bb9c27e2e6d 100644
|
|
--- a/examples/winexe/winexe.c
|
|
+++ b/examples/winexe/winexe.c
|
|
@@ -1919,7 +1919,7 @@ int main(int argc, const char *argv[])
|
|
"IPC$",
|
|
"?????",
|
|
options.credentials,
|
|
- 0,
|
|
+ CLI_FULL_CONNECTION_IPC,
|
|
0);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
diff --git a/source3/include/client.h b/source3/include/client.h
|
|
index 6a3b1b02ff3..19a738900b7 100644
|
|
--- a/source3/include/client.h
|
|
+++ b/source3/include/client.h
|
|
@@ -121,5 +121,6 @@ struct file_info {
|
|
#define CLI_FULL_CONNECTION_FORCE_ASCII 0x0100
|
|
#define CLI_FULL_CONNECTION_FORCE_SMB1 0x0400
|
|
#define CLI_FULL_CONNECTION_DISABLE_SMB1 0x0800
|
|
+#define CLI_FULL_CONNECTION_IPC 0x1000
|
|
|
|
#endif /* _CLIENT_H */
|
|
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
|
|
index 34938603606..392e3eff74f 100644
|
|
--- a/source3/libnet/libnet_join.c
|
|
+++ b/source3/libnet/libnet_join.c
|
|
@@ -1068,7 +1068,7 @@ static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
|
|
bool use_ccache = false;
|
|
bool pw_nt_hash = false;
|
|
struct cli_credentials *creds = NULL;
|
|
- int flags = 0;
|
|
+ int flags = CLI_FULL_CONNECTION_IPC;
|
|
NTSTATUS status;
|
|
|
|
if (use_kerberos && pass) {
|
|
@@ -1684,7 +1684,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
|
|
struct netlogon_creds_CredentialState *creds = NULL;
|
|
uint32_t netlogon_flags = 0;
|
|
NTSTATUS status;
|
|
- int flags = 0;
|
|
+ int flags = CLI_FULL_CONNECTION_IPC;
|
|
|
|
if (!dc_name) {
|
|
TALLOC_FREE(frame);
|
|
@@ -1734,7 +1734,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
|
|
NULL, 0,
|
|
"IPC$", "IPC",
|
|
anon_creds,
|
|
- 0,
|
|
+ flags,
|
|
SMB_SIGNING_OFF);
|
|
}
|
|
|
|
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
|
|
index 1fb1f0127b9..f20146378e3 100644
|
|
--- a/source3/libsmb/cliconnect.c
|
|
+++ b/source3/libsmb/cliconnect.c
|
|
@@ -2788,7 +2788,7 @@ static struct tevent_req *cli_start_connection_send(
|
|
}
|
|
state->ev = ev;
|
|
|
|
- if (signing_state == SMB_SIGNING_IPC_DEFAULT) {
|
|
+ if (flags & CLI_FULL_CONNECTION_IPC) {
|
|
state->min_protocol = lp_client_ipc_min_protocol();
|
|
state->max_protocol = lp_client_ipc_max_protocol();
|
|
} else {
|
|
@@ -3673,6 +3673,7 @@ struct cli_state *get_ipc_connect(char *server,
|
|
uint32_t flags = CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK;
|
|
|
|
flags |= CLI_FULL_CONNECTION_FORCE_SMB1;
|
|
+ flags |= CLI_FULL_CONNECTION_IPC;
|
|
|
|
nt_status = cli_full_connection_creds(&cli, NULL, server, server_ss, 0, "IPC$", "IPC",
|
|
get_cmdline_auth_info_creds(user_info),
|
|
diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
|
|
index 10c1b1d54f2..f578f1c4131 100644
|
|
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
|
|
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
|
|
@@ -2482,7 +2482,9 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe, struct c
|
|
/* setup the connection */
|
|
ret = cli_full_connection_creds( pp_cli, lp_netbios_name(), remote_machine,
|
|
&rm_addr, 0, "IPC$", "IPC",
|
|
- anon_creds, 0, SMB_SIGNING_OFF);
|
|
+ anon_creds,
|
|
+ CLI_FULL_CONNECTION_IPC,
|
|
+ SMB_SIGNING_OFF);
|
|
TALLOC_FREE(anon_creds);
|
|
if ( !NT_STATUS_IS_OK( ret ) ) {
|
|
DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
|
|
diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
|
|
index a7e0c673a65..7198a451ab7 100644
|
|
--- a/source3/rpcclient/cmd_spoolss.c
|
|
+++ b/source3/rpcclient/cmd_spoolss.c
|
|
@@ -3537,7 +3537,7 @@ static WERROR cmd_spoolss_printercmp(struct rpc_pipe_client *cli,
|
|
"IPC$", "IPC",
|
|
get_cmdline_auth_info_creds(
|
|
popt_get_cmdline_auth_info()),
|
|
- 0, /* flags */
|
|
+ CLI_FULL_CONNECTION_IPC,
|
|
get_cmdline_auth_info_signing_state(
|
|
popt_get_cmdline_auth_info()));
|
|
|
|
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
|
|
index 67a1066fc15..c86474d08f1 100644
|
|
--- a/source3/rpcclient/rpcclient.c
|
|
+++ b/source3/rpcclient/rpcclient.c
|
|
@@ -1019,7 +1019,7 @@ out_free:
|
|
static int opt_port = 0;
|
|
int result = 0;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
- uint32_t flags = 0;
|
|
+ uint32_t flags = CLI_FULL_CONNECTION_IPC;
|
|
struct dcerpc_binding *binding = NULL;
|
|
enum dcerpc_transport_t transport;
|
|
uint32_t bflags = 0;
|
|
diff --git a/source3/utils/mdfind.c b/source3/utils/mdfind.c
|
|
index 2f952c29b4f..a3c879e75fb 100644
|
|
--- a/source3/utils/mdfind.c
|
|
+++ b/source3/utils/mdfind.c
|
|
@@ -70,7 +70,7 @@ int main(int argc, char **argv)
|
|
const char *mds_query = NULL;
|
|
struct cli_state *cli = NULL;
|
|
char *basepath = NULL;
|
|
- uint32_t flags = 0;
|
|
+ uint32_t flags = CLI_FULL_CONNECTION_IPC;
|
|
int signing_state = SMB_SIGNING_IPC_DEFAULT;
|
|
uint64_t *cnids = NULL;
|
|
size_t ncnids;
|
|
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
|
|
index e5db844c2f2..28ef6dc9974 100644
|
|
--- a/source3/utils/net_ads.c
|
|
+++ b/source3/utils/net_ads.c
|
|
@@ -2437,7 +2437,8 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
|
|
nt_status = cli_full_connection_creds(&cli, lp_netbios_name(), servername,
|
|
&server_ss, 0,
|
|
"IPC$", "IPC",
|
|
- creds, 0,
|
|
+ creds,
|
|
+ CLI_FULL_CONNECTION_IPC,
|
|
SMB_SIGNING_IPC_DEFAULT);
|
|
|
|
if (NT_STATUS_IS_ERR(nt_status)) {
|
|
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
|
|
index c566ecc9000..d01b2d8c771 100644
|
|
--- a/source3/utils/net_util.c
|
|
+++ b/source3/utils/net_util.c
|
|
@@ -110,6 +110,7 @@ NTSTATUS connect_to_service(struct net_context *c,
|
|
NTSTATUS nt_status;
|
|
enum smb_signing_setting signing_setting = SMB_SIGNING_DEFAULT;
|
|
struct cli_credentials *creds = NULL;
|
|
+ int flags = 0;
|
|
|
|
creds = net_context_creds(c, c);
|
|
if (creds == NULL) {
|
|
@@ -119,12 +120,14 @@ NTSTATUS connect_to_service(struct net_context *c,
|
|
|
|
if (strequal(service_type, "IPC")) {
|
|
signing_setting = SMB_SIGNING_IPC_DEFAULT;
|
|
+ flags |= CLI_FULL_CONNECTION_IPC;
|
|
}
|
|
|
|
nt_status = cli_full_connection_creds(cli_ctx, NULL, server_name,
|
|
server_ss, c->opt_port,
|
|
service_name, service_type,
|
|
- creds, 0,
|
|
+ creds,
|
|
+ flags,
|
|
signing_setting);
|
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
d_fprintf(stderr, _("Could not connect to server %s\n"),
|
|
@@ -195,7 +198,9 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
|
|
nt_status = cli_full_connection_creds(cli_ctx, c->opt_requester_name,
|
|
server_name, server_ss, c->opt_port,
|
|
"IPC$", "IPC",
|
|
- anon_creds, 0, SMB_SIGNING_OFF);
|
|
+ anon_creds,
|
|
+ CLI_FULL_CONNECTION_IPC,
|
|
+ SMB_SIGNING_OFF);
|
|
|
|
if (NT_STATUS_IS_OK(nt_status)) {
|
|
return nt_status;
|
|
diff --git a/source3/utils/netlookup.c b/source3/utils/netlookup.c
|
|
index 6cea2ee306c..2241beb331f 100644
|
|
--- a/source3/utils/netlookup.c
|
|
+++ b/source3/utils/netlookup.c
|
|
@@ -98,7 +98,9 @@ static struct con_struct *create_cs(struct net_context *c,
|
|
nt_status = cli_full_connection_creds(&cs->cli, lp_netbios_name(), lp_netbios_name(),
|
|
&loopback_ss, 0,
|
|
"IPC$", "IPC",
|
|
- anon_creds, 0, SMB_SIGNING_OFF);
|
|
+ anon_creds,
|
|
+ CLI_FULL_CONNECTION_IPC,
|
|
+ SMB_SIGNING_OFF);
|
|
|
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
DEBUG(2,("create_cs: Connect failed. Error was %s\n", nt_errstr(nt_status)));
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 19ac5889da3b5bec1fddba0e08daed7cbe24f604 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 28 May 2020 17:29:25 +0200
|
|
Subject: [PATCH 026/104] s3:pylibsmb: Add ipc=True support for
|
|
CLI_FULL_CONNECTION_IPC
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/libsmb/pylibsmb.c | 13 +++++++++++--
|
|
1 file changed, 11 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
|
|
index 3fcc3424a57..3579a040830 100644
|
|
--- a/source3/libsmb/pylibsmb.c
|
|
+++ b/source3/libsmb/pylibsmb.c
|
|
@@ -445,6 +445,8 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
|
|
int signing_state = SMB_SIGNING_DEFAULT;
|
|
PyObject *py_force_smb1 = Py_False;
|
|
bool force_smb1 = false;
|
|
+ PyObject *py_ipc = Py_False;
|
|
+ bool use_ipc = false;
|
|
struct tevent_req *req;
|
|
bool ret;
|
|
int flags = 0;
|
|
@@ -452,6 +454,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
|
|
static const char *kwlist[] = {
|
|
"host", "share", "lp", "creds",
|
|
"multi_threaded", "sign", "force_smb1",
|
|
+ "ipc",
|
|
NULL
|
|
};
|
|
|
|
@@ -462,12 +465,13 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
|
|
}
|
|
|
|
ret = ParseTupleAndKeywords(
|
|
- args, kwds, "ssO|O!OOO", kwlist,
|
|
+ args, kwds, "ssO|O!OOOO", kwlist,
|
|
&host, &share, &py_lp,
|
|
py_type_Credentials, &creds,
|
|
&py_multi_threaded,
|
|
&py_sign,
|
|
- &py_force_smb1);
|
|
+ &py_force_smb1,
|
|
+ &py_ipc);
|
|
|
|
Py_DECREF(py_type_Credentials);
|
|
|
|
@@ -493,6 +497,11 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
|
|
flags = CLI_FULL_CONNECTION_FORCE_SMB1;
|
|
}
|
|
|
|
+ use_ipc = PyObject_IsTrue(py_ipc);
|
|
+ if (use_ipc) {
|
|
+ flags |= CLI_FULL_CONNECTION_IPC;
|
|
+ }
|
|
+
|
|
if (multi_threaded) {
|
|
#ifdef HAVE_PTHREAD
|
|
ret = py_cli_state_setup_mt_ev(self);
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From ff93a26bdd480edb3e488b207b1fb6529cd52a38 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Fri, 24 Jul 2020 09:47:11 +0200
|
|
Subject: [PATCH 027/104] python:tests: Mark libsmb connection as an IPC
|
|
connection
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
python/samba/tests/dcerpc/raw_testcase.py | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/python/samba/tests/dcerpc/raw_testcase.py b/python/samba/tests/dcerpc/raw_testcase.py
|
|
index ba7440df13b..2c028d381db 100644
|
|
--- a/python/samba/tests/dcerpc/raw_testcase.py
|
|
+++ b/python/samba/tests/dcerpc/raw_testcase.py
|
|
@@ -43,7 +43,7 @@ class smb_pipe_socket(object):
|
|
lp3 = s3param.get_context()
|
|
lp3.load(lp.configfile)
|
|
self.smbconn = libsmb.Conn(target_hostname, 'IPC$', lp3,
|
|
- creds=creds, sign=True)
|
|
+ creds=creds, ipc=True, sign=True)
|
|
self.smbfid = self.smbconn.create(pipename,
|
|
DesiredAccess=0x12019f,
|
|
ShareAccess=0x7,
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From b904f4bf9279264438e7b50ba90930562f4146fa Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Mon, 17 Aug 2020 12:52:39 +0200
|
|
Subject: [PATCH 028/104] python:tests: Set smb ipc signing via the creds API
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
python/samba/tests/dcerpc/raw_testcase.py | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
diff --git a/python/samba/tests/dcerpc/raw_testcase.py b/python/samba/tests/dcerpc/raw_testcase.py
|
|
index 2c028d381db..d6f5de7440a 100644
|
|
--- a/python/samba/tests/dcerpc/raw_testcase.py
|
|
+++ b/python/samba/tests/dcerpc/raw_testcase.py
|
|
@@ -36,14 +36,18 @@ from samba.ntstatus import (
|
|
from samba import NTSTATUSError
|
|
from samba.samba3 import param as s3param
|
|
from samba.samba3 import libsmb_samba_internal as libsmb
|
|
+from samba.credentials import SMB_SIGNING_REQUIRED
|
|
|
|
class smb_pipe_socket(object):
|
|
|
|
def __init__(self, target_hostname, pipename, creds, impersonation_level, lp):
|
|
lp3 = s3param.get_context()
|
|
lp3.load(lp.configfile)
|
|
+ saved_signing_state = creds.get_smb_ipc_signing()
|
|
+ creds.set_smb_ipc_signing(SMB_SIGNING_REQUIRED)
|
|
self.smbconn = libsmb.Conn(target_hostname, 'IPC$', lp3,
|
|
creds=creds, ipc=True, sign=True)
|
|
+ creds.set_smb_ipc_signing(saved_signing_state)
|
|
self.smbfid = self.smbconn.create(pipename,
|
|
DesiredAccess=0x12019f,
|
|
ShareAccess=0x7,
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 19c1b06e7ca4ae26f36207b7dd070b33a853ff29 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 28 May 2020 17:59:19 +0200
|
|
Subject: [PATCH 029/104] s3:libsmb: Use 'enum smb_signing_setting' in
|
|
cliconnect.c
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/libsmb/cliconnect.c | 14 +++++++-------
|
|
source3/libsmb/proto.h | 10 +++++-----
|
|
2 files changed, 12 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
|
|
index f20146378e3..bb20aa59385 100644
|
|
--- a/source3/libsmb/cliconnect.c
|
|
+++ b/source3/libsmb/cliconnect.c
|
|
@@ -2631,7 +2631,7 @@ static NTSTATUS cli_connect_sock_recv(struct tevent_req *req,
|
|
|
|
struct cli_connect_nb_state {
|
|
const char *desthost;
|
|
- int signing_state;
|
|
+ enum smb_signing_setting signing_state;
|
|
int flags;
|
|
struct cli_state *cli;
|
|
};
|
|
@@ -2642,7 +2642,7 @@ static struct tevent_req *cli_connect_nb_send(
|
|
TALLOC_CTX *mem_ctx, struct tevent_context *ev,
|
|
const char *host, const struct sockaddr_storage *dest_ss,
|
|
uint16_t port, int name_type, const char *myname,
|
|
- int signing_state, int flags)
|
|
+ enum smb_signing_setting signing_state, int flags)
|
|
{
|
|
struct tevent_req *req, *subreq;
|
|
struct cli_connect_nb_state *state;
|
|
@@ -2727,7 +2727,7 @@ static NTSTATUS cli_connect_nb_recv(struct tevent_req *req,
|
|
|
|
NTSTATUS cli_connect_nb(const char *host, const struct sockaddr_storage *dest_ss,
|
|
uint16_t port, int name_type, const char *myname,
|
|
- int signing_state, int flags, struct cli_state **pcli)
|
|
+ enum smb_signing_setting signing_state, int flags, struct cli_state **pcli)
|
|
{
|
|
struct tevent_context *ev;
|
|
struct tevent_req *req;
|
|
@@ -2776,7 +2776,7 @@ static struct tevent_req *cli_start_connection_send(
|
|
TALLOC_CTX *mem_ctx, struct tevent_context *ev,
|
|
const char *my_name, const char *dest_host,
|
|
const struct sockaddr_storage *dest_ss, int port,
|
|
- int signing_state, int flags)
|
|
+ enum smb_signing_setting signing_state, int flags)
|
|
{
|
|
struct tevent_req *req, *subreq;
|
|
struct cli_start_connection_state *state;
|
|
@@ -2881,7 +2881,7 @@ NTSTATUS cli_start_connection(struct cli_state **output_cli,
|
|
const char *my_name,
|
|
const char *dest_host,
|
|
const struct sockaddr_storage *dest_ss, int port,
|
|
- int signing_state, int flags)
|
|
+ enum smb_signing_setting signing_state, int flags)
|
|
{
|
|
struct tevent_context *ev;
|
|
struct tevent_req *req;
|
|
@@ -3361,7 +3361,7 @@ struct tevent_req *cli_full_connection_creds_send(
|
|
const struct sockaddr_storage *dest_ss, int port,
|
|
const char *service, const char *service_type,
|
|
struct cli_credentials *creds,
|
|
- int flags, int signing_state)
|
|
+ int flags, enum smb_signing_setting signing_state)
|
|
{
|
|
struct tevent_req *req, *subreq;
|
|
struct cli_full_connection_creds_state *state;
|
|
@@ -3520,7 +3520,7 @@ NTSTATUS cli_full_connection_creds(struct cli_state **output_cli,
|
|
const char *service, const char *service_type,
|
|
struct cli_credentials *creds,
|
|
int flags,
|
|
- int signing_state)
|
|
+ enum smb_signing_setting signing_state)
|
|
{
|
|
struct tevent_context *ev;
|
|
struct tevent_req *req;
|
|
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
|
|
index d214cdabca4..995187e21b4 100644
|
|
--- a/source3/libsmb/proto.h
|
|
+++ b/source3/libsmb/proto.h
|
|
@@ -86,12 +86,12 @@ NTSTATUS cli_tree_connect(struct cli_state *cli, const char *share,
|
|
NTSTATUS cli_tdis(struct cli_state *cli);
|
|
NTSTATUS cli_connect_nb(const char *host, const struct sockaddr_storage *dest_ss,
|
|
uint16_t port, int name_type, const char *myname,
|
|
- int signing_state, int flags, struct cli_state **pcli);
|
|
+ enum smb_signing_setting signing_state, int flags, struct cli_state **pcli);
|
|
NTSTATUS cli_start_connection(struct cli_state **output_cli,
|
|
const char *my_name,
|
|
const char *dest_host,
|
|
const struct sockaddr_storage *dest_ss, int port,
|
|
- int signing_state, int flags);
|
|
+ enum smb_signing_setting signing_state, int flags);
|
|
NTSTATUS cli_smb1_setup_encryption(struct cli_state *cli,
|
|
struct cli_credentials *creds);
|
|
struct tevent_req *cli_full_connection_creds_send(
|
|
@@ -100,7 +100,7 @@ struct tevent_req *cli_full_connection_creds_send(
|
|
const struct sockaddr_storage *dest_ss, int port,
|
|
const char *service, const char *service_type,
|
|
struct cli_credentials *creds,
|
|
- int flags, int signing_state);
|
|
+ int flags, enum smb_signing_setting signing_state);
|
|
NTSTATUS cli_full_connection_creds_recv(struct tevent_req *req,
|
|
struct cli_state **output_cli);
|
|
NTSTATUS cli_full_connection_creds(struct cli_state **output_cli,
|
|
@@ -110,7 +110,7 @@ NTSTATUS cli_full_connection_creds(struct cli_state **output_cli,
|
|
const char *service, const char *service_type,
|
|
struct cli_credentials *creds,
|
|
int flags,
|
|
- int signing_state);
|
|
+ enum smb_signing_setting signing_state);
|
|
NTSTATUS cli_raw_tcon(struct cli_state *cli,
|
|
const char *service, const char *pass, const char *dev,
|
|
uint16_t *max_xmit, uint16_t *tid);
|
|
@@ -177,7 +177,7 @@ extern struct GUID cli_state_client_guid;
|
|
struct cli_state *cli_state_create(TALLOC_CTX *mem_ctx,
|
|
int fd,
|
|
const char *remote_name,
|
|
- int signing_state,
|
|
+ enum smb_signing_setting signing_state,
|
|
int flags);
|
|
void cli_nt_pipes_close(struct cli_state *cli);
|
|
void cli_shutdown(struct cli_state *cli);
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 8ecad37d1fcc8d6fe07560df1bab35f2f70595f7 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 28 May 2020 18:11:31 +0200
|
|
Subject: [PATCH 030/104] s3:client: Turn off smb signing for message op
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
python/samba/gpclass.py | 2 +-
|
|
python/samba/netcmd/domain_backup.py | 2 +-
|
|
python/samba/netcmd/gpo.py | 2 +-
|
|
python/samba/tests/dcerpc/raw_testcase.py | 2 +-
|
|
source3/client/client.c | 5 ++++-
|
|
source3/libsmb/pylibsmb.c | 20 +++++++++-----------
|
|
6 files changed, 17 insertions(+), 16 deletions(-)
|
|
|
|
diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py
|
|
index 1781a55a618..2c00f5349a0 100644
|
|
--- a/python/samba/gpclass.py
|
|
+++ b/python/samba/gpclass.py
|
|
@@ -426,7 +426,7 @@ def check_refresh_gpo_list(dc_hostname, lp, creds, gpos):
|
|
# Force signing for the connection
|
|
saved_signing_state = creds.get_smb_signing()
|
|
creds.set_smb_signing(SMB_SIGNING_REQUIRED)
|
|
- conn = libsmb.Conn(dc_hostname, 'sysvol', lp=s3_lp, creds=creds, sign=True)
|
|
+ conn = libsmb.Conn(dc_hostname, 'sysvol', lp=s3_lp, creds=creds)
|
|
# Reset signing state
|
|
creds.set_smb_signing(saved_signing_state)
|
|
cache_path = lp.cache_path('gpo_cache')
|
|
diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py
|
|
index a9e0ba5bc67..2977b071ec3 100644
|
|
--- a/python/samba/netcmd/domain_backup.py
|
|
+++ b/python/samba/netcmd/domain_backup.py
|
|
@@ -120,7 +120,7 @@ def smb_sysvol_conn(server, lp, creds):
|
|
# Force signing for the connection
|
|
saved_signing_state = creds.get_smb_signing()
|
|
creds.set_smb_signing(SMB_SIGNING_REQUIRED)
|
|
- conn = libsmb.Conn(server, "sysvol", lp=s3_lp, creds=creds, sign=True)
|
|
+ conn = libsmb.Conn(server, "sysvol", lp=s3_lp, creds=creds)
|
|
# Reset signing state
|
|
creds.set_smb_signing(saved_signing_state)
|
|
return conn
|
|
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py
|
|
index 0f2f6520fc3..bbaa0c17881 100644
|
|
--- a/python/samba/netcmd/gpo.py
|
|
+++ b/python/samba/netcmd/gpo.py
|
|
@@ -392,7 +392,7 @@ def smb_connection(dc_hostname, service, lp, creds):
|
|
# the SMB bindings rely on having a s3 loadparm
|
|
s3_lp = s3param.get_context()
|
|
s3_lp.load(lp.configfile)
|
|
- conn = libsmb.Conn(dc_hostname, service, lp=s3_lp, creds=creds, sign=True)
|
|
+ conn = libsmb.Conn(dc_hostname, service, lp=s3_lp, creds=creds)
|
|
except Exception:
|
|
raise CommandError("Error connecting to '%s' using SMB" % dc_hostname)
|
|
# Reset signing state
|
|
diff --git a/python/samba/tests/dcerpc/raw_testcase.py b/python/samba/tests/dcerpc/raw_testcase.py
|
|
index d6f5de7440a..34785e2a2a7 100644
|
|
--- a/python/samba/tests/dcerpc/raw_testcase.py
|
|
+++ b/python/samba/tests/dcerpc/raw_testcase.py
|
|
@@ -46,7 +46,7 @@ class smb_pipe_socket(object):
|
|
saved_signing_state = creds.get_smb_ipc_signing()
|
|
creds.set_smb_ipc_signing(SMB_SIGNING_REQUIRED)
|
|
self.smbconn = libsmb.Conn(target_hostname, 'IPC$', lp3,
|
|
- creds=creds, ipc=True, sign=True)
|
|
+ creds=creds, ipc=True)
|
|
creds.set_smb_ipc_signing(saved_signing_state)
|
|
self.smbfid = self.smbconn.create(pipename,
|
|
DesiredAccess=0x12019f,
|
|
diff --git a/source3/client/client.c b/source3/client/client.c
|
|
index 8c7ceb644aa..56309efcea7 100644
|
|
--- a/source3/client/client.c
|
|
+++ b/source3/client/client.c
|
|
@@ -6164,7 +6164,10 @@ static int do_message_op(struct user_auth_info *a_info)
|
|
|
|
status = cli_connect_nb(desthost, have_ip ? &dest_ss : NULL,
|
|
port ? port : NBT_SMB_PORT, name_type,
|
|
- lp_netbios_name(), SMB_SIGNING_DEFAULT, 0, &cli);
|
|
+ lp_netbios_name(),
|
|
+ SMB_SIGNING_OFF,
|
|
+ 0,
|
|
+ &cli);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("Connection to %s failed. Error %s\n", desthost, nt_errstr(status));
|
|
return 1;
|
|
diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
|
|
index 3579a040830..f8a4d56cf53 100644
|
|
--- a/source3/libsmb/pylibsmb.c
|
|
+++ b/source3/libsmb/pylibsmb.c
|
|
@@ -440,9 +440,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
|
|
PyObject *py_lp = Py_None;
|
|
PyObject *py_multi_threaded = Py_False;
|
|
bool multi_threaded = false;
|
|
- PyObject *py_sign = Py_False;
|
|
- bool sign = false;
|
|
- int signing_state = SMB_SIGNING_DEFAULT;
|
|
+ enum smb_signing_setting signing_state = SMB_SIGNING_DEFAULT;
|
|
PyObject *py_force_smb1 = Py_False;
|
|
bool force_smb1 = false;
|
|
PyObject *py_ipc = Py_False;
|
|
@@ -453,7 +451,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
|
|
|
|
static const char *kwlist[] = {
|
|
"host", "share", "lp", "creds",
|
|
- "multi_threaded", "sign", "force_smb1",
|
|
+ "multi_threaded", "force_smb1",
|
|
"ipc",
|
|
NULL
|
|
};
|
|
@@ -465,11 +463,10 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
|
|
}
|
|
|
|
ret = ParseTupleAndKeywords(
|
|
- args, kwds, "ssO|O!OOOO", kwlist,
|
|
+ args, kwds, "ssO|O!OOO", kwlist,
|
|
&host, &share, &py_lp,
|
|
py_type_Credentials, &creds,
|
|
&py_multi_threaded,
|
|
- &py_sign,
|
|
&py_force_smb1,
|
|
&py_ipc);
|
|
|
|
@@ -480,13 +477,8 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
|
|
}
|
|
|
|
multi_threaded = PyObject_IsTrue(py_multi_threaded);
|
|
- sign = PyObject_IsTrue(py_sign);
|
|
force_smb1 = PyObject_IsTrue(py_force_smb1);
|
|
|
|
- if (sign) {
|
|
- signing_state = SMB_SIGNING_REQUIRED;
|
|
- }
|
|
-
|
|
if (force_smb1) {
|
|
/*
|
|
* As most of the cli_*_send() function
|
|
@@ -532,6 +524,12 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
|
|
cli_creds = PyCredentials_AsCliCredentials(creds);
|
|
}
|
|
|
|
+ if (use_ipc) {
|
|
+ signing_state = cli_credentials_get_smb_ipc_signing(cli_creds);
|
|
+ } else {
|
|
+ signing_state = cli_credentials_get_smb_signing(cli_creds);
|
|
+ }
|
|
+
|
|
req = cli_full_connection_creds_send(
|
|
NULL, self->ev, "myname", host, NULL, 0, share, "?????",
|
|
cli_creds, flags, signing_state);
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 5325ea198e03bf4a51b101c74788df548eeedbac Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 28 May 2020 18:20:02 +0200
|
|
Subject: [PATCH 031/104] s3:libsmb: Remove signing_state from
|
|
cli_full_connection_creds_send()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/libsmb/cliconnect.c | 11 +++++++++--
|
|
source3/libsmb/proto.h | 2 +-
|
|
source3/libsmb/pylibsmb.c | 9 +--------
|
|
3 files changed, 11 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
|
|
index bb20aa59385..0ff9c283e39 100644
|
|
--- a/source3/libsmb/cliconnect.c
|
|
+++ b/source3/libsmb/cliconnect.c
|
|
@@ -3361,10 +3361,11 @@ struct tevent_req *cli_full_connection_creds_send(
|
|
const struct sockaddr_storage *dest_ss, int port,
|
|
const char *service, const char *service_type,
|
|
struct cli_credentials *creds,
|
|
- int flags, enum smb_signing_setting signing_state)
|
|
+ int flags)
|
|
{
|
|
struct tevent_req *req, *subreq;
|
|
struct cli_full_connection_creds_state *state;
|
|
+ enum smb_signing_setting signing_state;
|
|
|
|
req = tevent_req_create(mem_ctx, &state,
|
|
struct cli_full_connection_creds_state);
|
|
@@ -3379,6 +3380,12 @@ struct tevent_req *cli_full_connection_creds_send(
|
|
state->creds = creds;
|
|
state->flags = flags;
|
|
|
|
+ if (flags & CLI_FULL_CONNECTION_IPC) {
|
|
+ signing_state = cli_credentials_get_smb_ipc_signing(creds);
|
|
+ } else {
|
|
+ signing_state = cli_credentials_get_smb_signing(creds);
|
|
+ }
|
|
+
|
|
subreq = cli_start_connection_send(
|
|
state, ev, my_name, dest_host, dest_ss, port,
|
|
signing_state, flags);
|
|
@@ -3532,7 +3539,7 @@ NTSTATUS cli_full_connection_creds(struct cli_state **output_cli,
|
|
}
|
|
req = cli_full_connection_creds_send(
|
|
ev, ev, my_name, dest_host, dest_ss, port, service,
|
|
- service_type, creds, flags, signing_state);
|
|
+ service_type, creds, flags);
|
|
if (req == NULL) {
|
|
goto fail;
|
|
}
|
|
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
|
|
index 995187e21b4..bef04d32638 100644
|
|
--- a/source3/libsmb/proto.h
|
|
+++ b/source3/libsmb/proto.h
|
|
@@ -100,7 +100,7 @@ struct tevent_req *cli_full_connection_creds_send(
|
|
const struct sockaddr_storage *dest_ss, int port,
|
|
const char *service, const char *service_type,
|
|
struct cli_credentials *creds,
|
|
- int flags, enum smb_signing_setting signing_state);
|
|
+ int flags);
|
|
NTSTATUS cli_full_connection_creds_recv(struct tevent_req *req,
|
|
struct cli_state **output_cli);
|
|
NTSTATUS cli_full_connection_creds(struct cli_state **output_cli,
|
|
diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
|
|
index f8a4d56cf53..c7a2d73afcb 100644
|
|
--- a/source3/libsmb/pylibsmb.c
|
|
+++ b/source3/libsmb/pylibsmb.c
|
|
@@ -440,7 +440,6 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
|
|
PyObject *py_lp = Py_None;
|
|
PyObject *py_multi_threaded = Py_False;
|
|
bool multi_threaded = false;
|
|
- enum smb_signing_setting signing_state = SMB_SIGNING_DEFAULT;
|
|
PyObject *py_force_smb1 = Py_False;
|
|
bool force_smb1 = false;
|
|
PyObject *py_ipc = Py_False;
|
|
@@ -524,15 +523,9 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
|
|
cli_creds = PyCredentials_AsCliCredentials(creds);
|
|
}
|
|
|
|
- if (use_ipc) {
|
|
- signing_state = cli_credentials_get_smb_ipc_signing(cli_creds);
|
|
- } else {
|
|
- signing_state = cli_credentials_get_smb_signing(cli_creds);
|
|
- }
|
|
-
|
|
req = cli_full_connection_creds_send(
|
|
NULL, self->ev, "myname", host, NULL, 0, share, "?????",
|
|
- cli_creds, flags, signing_state);
|
|
+ cli_creds, flags);
|
|
if (!py_tevent_req_wait_exc(self, req)) {
|
|
return -1;
|
|
}
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 1517d0eb1036056851871e994849c647217ef36d Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 4 Jun 2020 14:59:14 +0200
|
|
Subject: [PATCH 032/104] s3:libsmb: Remove signing_state from
|
|
cli_full_connection_creds()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
examples/fuse/smb2mount.c | 3 +--
|
|
examples/winexe/winexe.c | 4 +---
|
|
source3/libnet/libnet_join.c | 9 +++------
|
|
source3/libsmb/cliconnect.c | 6 ++----
|
|
source3/libsmb/libsmb_server.c | 8 +-------
|
|
source3/libsmb/proto.h | 3 +--
|
|
source3/rpc_server/spoolss/srv_spoolss_nt.c | 3 +--
|
|
source3/rpcclient/cmd_spoolss.c | 5 +----
|
|
source3/rpcclient/rpcclient.c | 3 +--
|
|
source3/torture/locktest2.c | 11 +++++++++--
|
|
source3/torture/torture.c | 6 ++----
|
|
source3/utils/mdfind.c | 3 +--
|
|
source3/utils/net_ads.c | 3 +--
|
|
source3/utils/net_util.c | 8 ++------
|
|
source3/utils/netlookup.c | 3 +--
|
|
source3/utils/smbcacls.c | 3 +--
|
|
source3/utils/smbcquotas.c | 4 +---
|
|
17 files changed, 30 insertions(+), 55 deletions(-)
|
|
|
|
diff --git a/examples/fuse/smb2mount.c b/examples/fuse/smb2mount.c
|
|
index ea1d9a11e0b..6206c3a9701 100644
|
|
--- a/examples/fuse/smb2mount.c
|
|
+++ b/examples/fuse/smb2mount.c
|
|
@@ -37,8 +37,7 @@ static struct cli_state *connect_one(const struct user_auth_info *auth_info,
|
|
NULL, port,
|
|
share, "?????",
|
|
get_cmdline_auth_info_creds(auth_info),
|
|
- flags,
|
|
- get_cmdline_auth_info_signing_state(auth_info));
|
|
+ flags);
|
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
DBG_ERR("cli_full_connection failed! (%s)\n",
|
|
nt_errstr(nt_status));
|
|
diff --git a/examples/winexe/winexe.c b/examples/winexe/winexe.c
|
|
index bb9c27e2e6d..03e7ec85198 100644
|
|
--- a/examples/winexe/winexe.c
|
|
+++ b/examples/winexe/winexe.c
|
|
@@ -360,7 +360,6 @@ static NTSTATUS winexe_svc_upload(
|
|
"ADMIN$",
|
|
"?????",
|
|
credentials,
|
|
- 0,
|
|
0);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_WARNING("cli_full_connection_creds failed: %s\n",
|
|
@@ -1919,8 +1918,7 @@ int main(int argc, const char *argv[])
|
|
"IPC$",
|
|
"?????",
|
|
options.credentials,
|
|
- CLI_FULL_CONNECTION_IPC,
|
|
- 0);
|
|
+ CLI_FULL_CONNECTION_IPC);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_WARNING("cli_full_connection_creds failed: %s\n",
|
|
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
|
|
index 392e3eff74f..f3bf27e6c00 100644
|
|
--- a/source3/libnet/libnet_join.c
|
|
+++ b/source3/libnet/libnet_join.c
|
|
@@ -1095,8 +1095,7 @@ static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
|
|
NULL, 0,
|
|
"IPC$", "IPC",
|
|
creds,
|
|
- flags,
|
|
- SMB_SIGNING_IPC_DEFAULT);
|
|
+ flags);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
TALLOC_FREE(frame);
|
|
return status;
|
|
@@ -1716,8 +1715,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
|
|
NULL, 0,
|
|
"IPC$", "IPC",
|
|
cli_creds,
|
|
- flags,
|
|
- SMB_SIGNING_IPC_DEFAULT);
|
|
+ flags);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
struct cli_credentials *anon_creds = NULL;
|
|
@@ -1734,8 +1732,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
|
|
NULL, 0,
|
|
"IPC$", "IPC",
|
|
anon_creds,
|
|
- flags,
|
|
- SMB_SIGNING_OFF);
|
|
+ flags);
|
|
}
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
|
|
index 0ff9c283e39..b24743d789b 100644
|
|
--- a/source3/libsmb/cliconnect.c
|
|
+++ b/source3/libsmb/cliconnect.c
|
|
@@ -3526,8 +3526,7 @@ NTSTATUS cli_full_connection_creds(struct cli_state **output_cli,
|
|
const struct sockaddr_storage *dest_ss, int port,
|
|
const char *service, const char *service_type,
|
|
struct cli_credentials *creds,
|
|
- int flags,
|
|
- enum smb_signing_setting signing_state)
|
|
+ int flags)
|
|
{
|
|
struct tevent_context *ev;
|
|
struct tevent_req *req;
|
|
@@ -3684,8 +3683,7 @@ struct cli_state *get_ipc_connect(char *server,
|
|
|
|
nt_status = cli_full_connection_creds(&cli, NULL, server, server_ss, 0, "IPC$", "IPC",
|
|
get_cmdline_auth_info_creds(user_info),
|
|
- flags,
|
|
- SMB_SIGNING_DEFAULT);
|
|
+ flags);
|
|
|
|
if (NT_STATUS_IS_OK(nt_status)) {
|
|
return cli;
|
|
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
|
|
index 3d1cd602f6c..33dc8419deb 100644
|
|
--- a/source3/libsmb/libsmb_server.c
|
|
+++ b/source3/libsmb/libsmb_server.c
|
|
@@ -785,7 +785,6 @@ SMBC_attr_server(TALLOC_CTX *ctx,
|
|
pp_workgroup, pp_username, pp_password);
|
|
if (!ipc_srv) {
|
|
struct cli_credentials *creds = NULL;
|
|
- int signing_state = SMB_SIGNING_DEFAULT;
|
|
|
|
/* We didn't find a cached connection. Get the password */
|
|
if (!*pp_password || (*pp_password)[0] == '\0') {
|
|
@@ -812,16 +811,11 @@ SMBC_attr_server(TALLOC_CTX *ctx,
|
|
return NULL;
|
|
}
|
|
|
|
- if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
|
|
- signing_state = SMB_SIGNING_REQUIRED;
|
|
- }
|
|
-
|
|
nt_status = cli_full_connection_creds(&ipc_cli,
|
|
lp_netbios_name(), server,
|
|
NULL, 0, "IPC$", "?????",
|
|
creds,
|
|
- flags,
|
|
- signing_state);
|
|
+ flags);
|
|
if (! NT_STATUS_IS_OK(nt_status)) {
|
|
TALLOC_FREE(creds);
|
|
DEBUG(1,("cli_full_connection failed! (%s)\n",
|
|
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
|
|
index bef04d32638..850cf12c8a6 100644
|
|
--- a/source3/libsmb/proto.h
|
|
+++ b/source3/libsmb/proto.h
|
|
@@ -109,8 +109,7 @@ NTSTATUS cli_full_connection_creds(struct cli_state **output_cli,
|
|
const struct sockaddr_storage *dest_ss, int port,
|
|
const char *service, const char *service_type,
|
|
struct cli_credentials *creds,
|
|
- int flags,
|
|
- enum smb_signing_setting signing_state);
|
|
+ int flags);
|
|
NTSTATUS cli_raw_tcon(struct cli_state *cli,
|
|
const char *service, const char *pass, const char *dev,
|
|
uint16_t *max_xmit, uint16_t *tid);
|
|
diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
|
|
index f578f1c4131..906fab2adb5 100644
|
|
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
|
|
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
|
|
@@ -2483,8 +2483,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe, struct c
|
|
ret = cli_full_connection_creds( pp_cli, lp_netbios_name(), remote_machine,
|
|
&rm_addr, 0, "IPC$", "IPC",
|
|
anon_creds,
|
|
- CLI_FULL_CONNECTION_IPC,
|
|
- SMB_SIGNING_OFF);
|
|
+ CLI_FULL_CONNECTION_IPC);
|
|
TALLOC_FREE(anon_creds);
|
|
if ( !NT_STATUS_IS_OK( ret ) ) {
|
|
DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
|
|
diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
|
|
index 7198a451ab7..02889a0a666 100644
|
|
--- a/source3/rpcclient/cmd_spoolss.c
|
|
+++ b/source3/rpcclient/cmd_spoolss.c
|
|
@@ -3537,10 +3537,7 @@ static WERROR cmd_spoolss_printercmp(struct rpc_pipe_client *cli,
|
|
"IPC$", "IPC",
|
|
get_cmdline_auth_info_creds(
|
|
popt_get_cmdline_auth_info()),
|
|
- CLI_FULL_CONNECTION_IPC,
|
|
- get_cmdline_auth_info_signing_state(
|
|
- popt_get_cmdline_auth_info()));
|
|
-
|
|
+ CLI_FULL_CONNECTION_IPC);
|
|
if ( !NT_STATUS_IS_OK(nt_status) )
|
|
return WERR_GEN_FAILURE;
|
|
|
|
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
|
|
index c86474d08f1..2ead6cc7ba5 100644
|
|
--- a/source3/rpcclient/rpcclient.c
|
|
+++ b/source3/rpcclient/rpcclient.c
|
|
@@ -1206,8 +1206,7 @@ out_free:
|
|
"IPC$", "IPC",
|
|
get_cmdline_auth_info_creds(
|
|
popt_get_cmdline_auth_info()),
|
|
- flags,
|
|
- SMB_SIGNING_IPC_DEFAULT);
|
|
+ flags);
|
|
|
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
DEBUG(0,("Cannot connect to server. Error was %s\n", nt_errstr(nt_status)));
|
|
diff --git a/source3/torture/locktest2.c b/source3/torture/locktest2.c
|
|
index 84c335f959f..92ddb7629b9 100644
|
|
--- a/source3/torture/locktest2.c
|
|
+++ b/source3/torture/locktest2.c
|
|
@@ -217,8 +217,15 @@ static struct cli_state *connect_one(char *share)
|
|
|
|
slprintf(myname,sizeof(myname), "lock-%lu-%u", (unsigned long)getpid(), count++);
|
|
|
|
- nt_status = cli_full_connection_creds(&c, myname, server_n, NULL, 0, share, "?????",
|
|
- creds, 0, SMB_SIGNING_DEFAULT);
|
|
+ nt_status = cli_full_connection_creds(&c,
|
|
+ myname,
|
|
+ server_n,
|
|
+ NULL,
|
|
+ 0,
|
|
+ share,
|
|
+ "?????",
|
|
+ creds,
|
|
+ 0);
|
|
TALLOC_FREE(creds);
|
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
DEBUG(0, ("cli_full_connection failed with error %s\n", nt_errstr(nt_status)));
|
|
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
|
|
index 2a3133373e9..a4edeefd628 100644
|
|
--- a/source3/torture/torture.c
|
|
+++ b/source3/torture/torture.c
|
|
@@ -345,8 +345,7 @@ static bool torture_open_connection_share(struct cli_state **c,
|
|
sharename,
|
|
"?????",
|
|
torture_creds,
|
|
- flags,
|
|
- signing_state);
|
|
+ flags);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("failed to open share connection: //%s/%s port:%d - %s\n",
|
|
hostname, sharename, port_to_use, nt_errstr(status));
|
|
@@ -1523,8 +1522,7 @@ static bool run_tcon_devtype_test(int dummy)
|
|
NULL, /* service */
|
|
NULL, /* service_type */
|
|
torture_creds,
|
|
- flags,
|
|
- signing_state);
|
|
+ flags);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
printf("could not open connection\n");
|
|
diff --git a/source3/utils/mdfind.c b/source3/utils/mdfind.c
|
|
index a3c879e75fb..2ac4fde7daf 100644
|
|
--- a/source3/utils/mdfind.c
|
|
+++ b/source3/utils/mdfind.c
|
|
@@ -153,8 +153,7 @@ int main(int argc, char **argv)
|
|
"IPC$",
|
|
"IPC",
|
|
creds,
|
|
- flags,
|
|
- SMB_SIGNING_IPC_DEFAULT);
|
|
+ flags);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_ERR("Cannot connect to server: %s\n", nt_errstr(status));
|
|
goto fail;
|
|
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
|
|
index 28ef6dc9974..7f5b9c3a440 100644
|
|
--- a/source3/utils/net_ads.c
|
|
+++ b/source3/utils/net_ads.c
|
|
@@ -2438,8 +2438,7 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
|
|
&server_ss, 0,
|
|
"IPC$", "IPC",
|
|
creds,
|
|
- CLI_FULL_CONNECTION_IPC,
|
|
- SMB_SIGNING_IPC_DEFAULT);
|
|
+ CLI_FULL_CONNECTION_IPC);
|
|
|
|
if (NT_STATUS_IS_ERR(nt_status)) {
|
|
d_fprintf(stderr, _("Unable to open a connection to %s to "
|
|
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
|
|
index d01b2d8c771..b139fb2d0da 100644
|
|
--- a/source3/utils/net_util.c
|
|
+++ b/source3/utils/net_util.c
|
|
@@ -108,7 +108,6 @@ NTSTATUS connect_to_service(struct net_context *c,
|
|
const char *service_type)
|
|
{
|
|
NTSTATUS nt_status;
|
|
- enum smb_signing_setting signing_setting = SMB_SIGNING_DEFAULT;
|
|
struct cli_credentials *creds = NULL;
|
|
int flags = 0;
|
|
|
|
@@ -119,7 +118,6 @@ NTSTATUS connect_to_service(struct net_context *c,
|
|
}
|
|
|
|
if (strequal(service_type, "IPC")) {
|
|
- signing_setting = SMB_SIGNING_IPC_DEFAULT;
|
|
flags |= CLI_FULL_CONNECTION_IPC;
|
|
}
|
|
|
|
@@ -127,8 +125,7 @@ NTSTATUS connect_to_service(struct net_context *c,
|
|
server_ss, c->opt_port,
|
|
service_name, service_type,
|
|
creds,
|
|
- flags,
|
|
- signing_setting);
|
|
+ flags);
|
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
d_fprintf(stderr, _("Could not connect to server %s\n"),
|
|
server_name);
|
|
@@ -199,8 +196,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
|
|
server_name, server_ss, c->opt_port,
|
|
"IPC$", "IPC",
|
|
anon_creds,
|
|
- CLI_FULL_CONNECTION_IPC,
|
|
- SMB_SIGNING_OFF);
|
|
+ CLI_FULL_CONNECTION_IPC);
|
|
|
|
if (NT_STATUS_IS_OK(nt_status)) {
|
|
return nt_status;
|
|
diff --git a/source3/utils/netlookup.c b/source3/utils/netlookup.c
|
|
index 2241beb331f..aaf78b0977a 100644
|
|
--- a/source3/utils/netlookup.c
|
|
+++ b/source3/utils/netlookup.c
|
|
@@ -99,8 +99,7 @@ static struct con_struct *create_cs(struct net_context *c,
|
|
&loopback_ss, 0,
|
|
"IPC$", "IPC",
|
|
anon_creds,
|
|
- CLI_FULL_CONNECTION_IPC,
|
|
- SMB_SIGNING_OFF);
|
|
+ CLI_FULL_CONNECTION_IPC);
|
|
|
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
DEBUG(2,("create_cs: Connect failed. Error was %s\n", nt_errstr(nt_status)));
|
|
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
|
|
index f3209c31877..5983ebbd0a5 100644
|
|
--- a/source3/utils/smbcacls.c
|
|
+++ b/source3/utils/smbcacls.c
|
|
@@ -778,8 +778,7 @@ static struct cli_state *connect_one(const struct user_auth_info *auth_info,
|
|
NULL, 0,
|
|
share, "?????",
|
|
get_cmdline_auth_info_creds(auth_info),
|
|
- flags,
|
|
- get_cmdline_auth_info_signing_state(auth_info));
|
|
+ flags);
|
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status)));
|
|
return NULL;
|
|
diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
|
|
index 954d6eba804..fea066ce468 100644
|
|
--- a/source3/utils/smbcquotas.c
|
|
+++ b/source3/utils/smbcquotas.c
|
|
@@ -527,9 +527,7 @@ static struct cli_state *connect_one(const char *share)
|
|
share, "?????",
|
|
get_cmdline_auth_info_creds(
|
|
popt_get_cmdline_auth_info()),
|
|
- flags,
|
|
- get_cmdline_auth_info_signing_state(
|
|
- popt_get_cmdline_auth_info()));
|
|
+ flags);
|
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
DEBUG(0,("cli_full_connection failed! (%s)\n", nt_errstr(nt_status)));
|
|
return NULL;
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 07ccfed08ceadd0b7497e7259e855b1937522129 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Mon, 8 Jun 2020 08:04:24 +0200
|
|
Subject: [PATCH 033/104] s3:libsmb: Add encryption support to
|
|
cli_full_connection_creds*()
|
|
|
|
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
---
|
|
source3/libsmb/cliconnect.c | 166 ++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 166 insertions(+)
|
|
|
|
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
|
|
index b24743d789b..abfd18bfaf1 100644
|
|
--- a/source3/libsmb/cliconnect.c
|
|
+++ b/source3/libsmb/cliconnect.c
|
|
@@ -3352,6 +3352,10 @@ static int cli_full_connection_creds_state_destructor(
|
|
static void cli_full_connection_creds_conn_done(struct tevent_req *subreq);
|
|
static void cli_full_connection_creds_sess_start(struct tevent_req *req);
|
|
static void cli_full_connection_creds_sess_done(struct tevent_req *subreq);
|
|
+static void cli_full_connection_creds_enc_start(struct tevent_req *req);
|
|
+static void cli_full_connection_creds_enc_tcon(struct tevent_req *subreq);
|
|
+static void cli_full_connection_creds_enc_ver(struct tevent_req *subreq);
|
|
+static void cli_full_connection_creds_enc_done(struct tevent_req *subreq);
|
|
static void cli_full_connection_creds_tcon_start(struct tevent_req *req);
|
|
static void cli_full_connection_creds_tcon_done(struct tevent_req *subreq);
|
|
|
|
@@ -3366,6 +3370,8 @@ struct tevent_req *cli_full_connection_creds_send(
|
|
struct tevent_req *req, *subreq;
|
|
struct cli_full_connection_creds_state *state;
|
|
enum smb_signing_setting signing_state;
|
|
+ enum smb_encryption_setting encryption_state =
|
|
+ cli_credentials_get_smb_encryption(creds);
|
|
|
|
req = tevent_req_create(mem_ctx, &state,
|
|
struct cli_full_connection_creds_state);
|
|
@@ -3386,6 +3392,16 @@ struct tevent_req *cli_full_connection_creds_send(
|
|
signing_state = cli_credentials_get_smb_signing(creds);
|
|
}
|
|
|
|
+ if (encryption_state == SMB_ENCRYPTION_REQUIRED) {
|
|
+ if (flags & CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK) {
|
|
+ encryption_state = SMB_ENCRYPTION_DESIRED;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
|
|
+ signing_state = SMB_SIGNING_REQUIRED;
|
|
+ }
|
|
+
|
|
subreq = cli_start_connection_send(
|
|
state, ev, my_name, dest_host, dest_ss, port,
|
|
signing_state, flags);
|
|
@@ -3460,6 +3476,156 @@ static void cli_full_connection_creds_sess_done(struct tevent_req *subreq)
|
|
return;
|
|
}
|
|
|
|
+ cli_full_connection_creds_enc_start(req);
|
|
+}
|
|
+
|
|
+static void cli_full_connection_creds_enc_start(struct tevent_req *req)
|
|
+{
|
|
+ struct cli_full_connection_creds_state *state = tevent_req_data(
|
|
+ req, struct cli_full_connection_creds_state);
|
|
+ enum smb_encryption_setting encryption_state =
|
|
+ cli_credentials_get_smb_encryption(state->creds);
|
|
+ struct tevent_req *subreq = NULL;
|
|
+ NTSTATUS status;
|
|
+
|
|
+ if (encryption_state < SMB_ENCRYPTION_DESIRED) {
|
|
+ cli_full_connection_creds_tcon_start(req);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
|
|
+ status = smb2cli_session_encryption_on(state->cli->smb2.session);
|
|
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
|
|
+ if (encryption_state < SMB_ENCRYPTION_REQUIRED) {
|
|
+ cli_full_connection_creds_tcon_start(req);
|
|
+ return;
|
|
+ }
|
|
+ d_printf("Encryption required and "
|
|
+ "server doesn't support "
|
|
+ "SMB3 encryption - failing connect\n");
|
|
+ tevent_req_nterror(req, status);
|
|
+ return;
|
|
+ } else if (!NT_STATUS_IS_OK(status)) {
|
|
+ d_printf("Encryption required and "
|
|
+ "setup failed with error %s.\n",
|
|
+ nt_errstr(status));
|
|
+ tevent_req_nterror(req, status);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ cli_full_connection_creds_tcon_start(req);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ if (!SERVER_HAS_UNIX_CIFS(state->cli)) {
|
|
+ if (encryption_state < SMB_ENCRYPTION_REQUIRED) {
|
|
+ cli_full_connection_creds_tcon_start(req);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ status = NT_STATUS_NOT_SUPPORTED;
|
|
+ d_printf("Encryption required and "
|
|
+ "server doesn't support "
|
|
+ "SMB1 Unix Extensions - failing connect\n");
|
|
+ tevent_req_nterror(req, status);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ * We do a tcon on IPC$ just to setup the encryption,
|
|
+ * the real tcon will be encrypted then.
|
|
+ */
|
|
+ subreq = cli_tree_connect_send(state, state->ev, state->cli,
|
|
+ "IPC$", "IPC", NULL);
|
|
+ if (tevent_req_nomem(subreq, req)) {
|
|
+ return;
|
|
+ }
|
|
+ tevent_req_set_callback(subreq, cli_full_connection_creds_enc_tcon, req);
|
|
+}
|
|
+
|
|
+static void cli_full_connection_creds_enc_tcon(struct tevent_req *subreq)
|
|
+{
|
|
+ struct tevent_req *req = tevent_req_callback_data(
|
|
+ subreq, struct tevent_req);
|
|
+ struct cli_full_connection_creds_state *state = tevent_req_data(
|
|
+ req, struct cli_full_connection_creds_state);
|
|
+ NTSTATUS status;
|
|
+
|
|
+ status = cli_tree_connect_recv(subreq);
|
|
+ TALLOC_FREE(subreq);
|
|
+ if (tevent_req_nterror(req, status)) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ subreq = cli_unix_extensions_version_send(state, state->ev, state->cli);
|
|
+ if (tevent_req_nomem(subreq, req)) {
|
|
+ return;
|
|
+ }
|
|
+ tevent_req_set_callback(subreq, cli_full_connection_creds_enc_ver, req);
|
|
+}
|
|
+
|
|
+static void cli_full_connection_creds_enc_ver(struct tevent_req *subreq)
|
|
+{
|
|
+ struct tevent_req *req = tevent_req_callback_data(
|
|
+ subreq, struct tevent_req);
|
|
+ struct cli_full_connection_creds_state *state = tevent_req_data(
|
|
+ req, struct cli_full_connection_creds_state);
|
|
+ enum smb_encryption_setting encryption_state =
|
|
+ cli_credentials_get_smb_encryption(state->creds);
|
|
+ uint16_t major, minor;
|
|
+ uint32_t caplow, caphigh;
|
|
+ NTSTATUS status;
|
|
+
|
|
+ status = cli_unix_extensions_version_recv(subreq,
|
|
+ &major, &minor,
|
|
+ &caplow,
|
|
+ &caphigh);
|
|
+ TALLOC_FREE(subreq);
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ if (encryption_state < SMB_ENCRYPTION_REQUIRED) {
|
|
+ cli_full_connection_creds_tcon_start(req);
|
|
+ return;
|
|
+ }
|
|
+ DEBUG(10, ("%s: cli_unix_extensions_version "
|
|
+ "returned %s\n", __func__, nt_errstr(status)));
|
|
+ tevent_req_nterror(req, NT_STATUS_UNKNOWN_REVISION);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ if (!(caplow & CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP)) {
|
|
+ if (encryption_state < SMB_ENCRYPTION_REQUIRED) {
|
|
+ cli_full_connection_creds_tcon_start(req);
|
|
+ return;
|
|
+ }
|
|
+ DEBUG(10, ("%s: CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP "
|
|
+ "not supported\n", __func__));
|
|
+ tevent_req_nterror(req, NT_STATUS_UNSUPPORTED_COMPRESSION);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ subreq = cli_smb1_setup_encryption_send(state, state->ev,
|
|
+ state->cli,
|
|
+ state->creds);
|
|
+ if (tevent_req_nomem(subreq, req)) {
|
|
+ return;
|
|
+ }
|
|
+ tevent_req_set_callback(subreq,
|
|
+ cli_full_connection_creds_enc_done,
|
|
+ req);
|
|
+}
|
|
+
|
|
+static void cli_full_connection_creds_enc_done(struct tevent_req *subreq)
|
|
+{
|
|
+ struct tevent_req *req = tevent_req_callback_data(
|
|
+ subreq, struct tevent_req);
|
|
+ NTSTATUS status;
|
|
+
|
|
+ status = cli_smb1_setup_encryption_recv(subreq);
|
|
+ TALLOC_FREE(subreq);
|
|
+ if (tevent_req_nterror(req, status)) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
cli_full_connection_creds_tcon_start(req);
|
|
}
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From bf05adca0d32212d4eead676ef89d4a96d3949a0 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 10 Jun 2020 11:26:00 +0200
|
|
Subject: [PATCH 034/104] python: Add a test for SMB encryption
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
python/samba/tests/libsmb.py | 37 ++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 37 insertions(+)
|
|
|
|
diff --git a/python/samba/tests/libsmb.py b/python/samba/tests/libsmb.py
|
|
index e8f8e7fe94d..81d4e482644 100644
|
|
--- a/python/samba/tests/libsmb.py
|
|
+++ b/python/samba/tests/libsmb.py
|
|
@@ -21,10 +21,12 @@ from samba.samba3 import libsmb_samba_internal as libsmb
|
|
from samba.dcerpc import security
|
|
from samba.samba3 import param as s3param
|
|
from samba import credentials
|
|
+from samba.credentials import SMB_ENCRYPTION_REQUIRED
|
|
import samba.tests
|
|
import threading
|
|
import sys
|
|
import os
|
|
+import random
|
|
|
|
|
|
class LibsmbTestCase(samba.tests.TestCase):
|
|
@@ -77,6 +79,41 @@ class LibsmbTestCase(samba.tests.TestCase):
|
|
if t.exc:
|
|
raise t.exc[0](t.exc[1])
|
|
|
|
+ def test_SMB3EncryptionRequired(self):
|
|
+ test_dir = 'testing_%d' % random.randint(0, 0xFFFF)
|
|
+
|
|
+ lp = s3param.get_context()
|
|
+ lp.load(os.getenv("SMB_CONF_PATH"))
|
|
+
|
|
+ creds = credentials.Credentials()
|
|
+ creds.guess(lp)
|
|
+ creds.set_username(os.getenv("USERNAME"))
|
|
+ creds.set_password(os.getenv("PASSWORD"))
|
|
+ creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
|
|
+
|
|
+ c = libsmb.Conn(os.getenv("SERVER_IP"), "tmp",
|
|
+ lp, creds)
|
|
+
|
|
+ c.mkdir(test_dir)
|
|
+ c.rmdir(test_dir)
|
|
+
|
|
+ def test_SMB1EncryptionRequired(self):
|
|
+ test_dir = 'testing_%d' % random.randint(0, 0xFFFF)
|
|
+
|
|
+ lp = s3param.get_context()
|
|
+ lp.load(os.getenv("SMB_CONF_PATH"))
|
|
+
|
|
+ creds = credentials.Credentials()
|
|
+ creds.guess(lp)
|
|
+ creds.set_username(os.getenv("USERNAME"))
|
|
+ creds.set_password(os.getenv("PASSWORD"))
|
|
+ creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
|
|
+
|
|
+ c = libsmb.Conn(os.getenv("SERVER_IP"), "tmp",
|
|
+ lp, creds, force_smb1=True)
|
|
+
|
|
+ c.mkdir(test_dir)
|
|
+ c.rmdir(test_dir)
|
|
|
|
if __name__ == "__main__":
|
|
import unittest
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 86954cbf471bf391f50866d5d983c57cf8a4f064 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 10 Jun 2020 12:31:02 +0200
|
|
Subject: [PATCH 035/104] s3:net: Use cli_credentials_set_smb_encryption()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/utils/net_util.c | 16 ++++++----------
|
|
1 file changed, 6 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
|
|
index b139fb2d0da..5829d891075 100644
|
|
--- a/source3/utils/net_util.c
|
|
+++ b/source3/utils/net_util.c
|
|
@@ -148,16 +148,6 @@ NTSTATUS connect_to_service(struct net_context *c,
|
|
return nt_status;
|
|
}
|
|
|
|
- if (c->smb_encrypt) {
|
|
- nt_status = cli_cm_force_encryption_creds(*cli_ctx,
|
|
- creds,
|
|
- service_name);
|
|
- if (!NT_STATUS_IS_OK(nt_status)) {
|
|
- cli_shutdown(*cli_ctx);
|
|
- *cli_ctx = NULL;
|
|
- }
|
|
- }
|
|
-
|
|
return nt_status;
|
|
}
|
|
|
|
@@ -577,6 +567,12 @@ struct cli_credentials *net_context_creds(struct net_context *c,
|
|
CRED_SPECIFIED);
|
|
}
|
|
|
|
+ if (c->smb_encrypt) {
|
|
+ cli_credentials_set_smb_encryption(creds,
|
|
+ SMB_ENCRYPTION_REQUIRED,
|
|
+ CRED_SPECIFIED);
|
|
+ }
|
|
+
|
|
return creds;
|
|
}
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 1d065c5960ea2bce6bab5420476a0c21ba40d26e Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 10 Jun 2020 12:40:13 +0200
|
|
Subject: [PATCH 036/104] s3:libsmb: Use cli_credentials_set_smb_encryption()
|
|
|
|
This also adds a SMBC_ENCRYPTLEVEL_DEFAULT to 'enum
|
|
smbc_smb_encrypt_level' in order to use the smb.conf default value.
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/include/libsmbclient.h | 1 +
|
|
source3/libsmb/ABI/smbclient-0.7.0.sigs | 188 ++++++++++++++++++++++++
|
|
source3/libsmb/libsmb_context.c | 4 +-
|
|
source3/libsmb/libsmb_server.c | 72 +++------
|
|
source3/libsmb/wscript | 2 +-
|
|
5 files changed, 216 insertions(+), 51 deletions(-)
|
|
create mode 100644 source3/libsmb/ABI/smbclient-0.7.0.sigs
|
|
|
|
diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h
|
|
index c47e7c2a872..84c98089251 100644
|
|
--- a/source3/include/libsmbclient.h
|
|
+++ b/source3/include/libsmbclient.h
|
|
@@ -225,6 +225,7 @@ typedef enum smbc_share_mode
|
|
*/
|
|
typedef enum smbc_smb_encrypt_level
|
|
{
|
|
+ SMBC_ENCRYPTLEVEL_DEFAULT = -1,
|
|
SMBC_ENCRYPTLEVEL_NONE = 0,
|
|
SMBC_ENCRYPTLEVEL_REQUEST = 1,
|
|
SMBC_ENCRYPTLEVEL_REQUIRE = 2
|
|
diff --git a/source3/libsmb/ABI/smbclient-0.7.0.sigs b/source3/libsmb/ABI/smbclient-0.7.0.sigs
|
|
new file mode 100644
|
|
index 00000000000..ee758e21b50
|
|
--- /dev/null
|
|
+++ b/source3/libsmb/ABI/smbclient-0.7.0.sigs
|
|
@@ -0,0 +1,188 @@
|
|
+smbc_chmod: int (const char *, mode_t)
|
|
+smbc_close: int (int)
|
|
+smbc_closedir: int (int)
|
|
+smbc_creat: int (const char *, mode_t)
|
|
+smbc_fgetxattr: int (int, const char *, const void *, size_t)
|
|
+smbc_flistxattr: int (int, char *, size_t)
|
|
+smbc_free_context: int (SMBCCTX *, int)
|
|
+smbc_fremovexattr: int (int, const char *)
|
|
+smbc_fsetxattr: int (int, const char *, const void *, size_t, int)
|
|
+smbc_fstat: int (int, struct stat *)
|
|
+smbc_fstatvfs: int (int, struct statvfs *)
|
|
+smbc_ftruncate: int (int, off_t)
|
|
+smbc_getDebug: int (SMBCCTX *)
|
|
+smbc_getFunctionAddCachedServer: smbc_add_cached_srv_fn (SMBCCTX *)
|
|
+smbc_getFunctionAuthData: smbc_get_auth_data_fn (SMBCCTX *)
|
|
+smbc_getFunctionAuthDataWithContext: smbc_get_auth_data_with_context_fn (SMBCCTX *)
|
|
+smbc_getFunctionCheckServer: smbc_check_server_fn (SMBCCTX *)
|
|
+smbc_getFunctionChmod: smbc_chmod_fn (SMBCCTX *)
|
|
+smbc_getFunctionClose: smbc_close_fn (SMBCCTX *)
|
|
+smbc_getFunctionClosedir: smbc_closedir_fn (SMBCCTX *)
|
|
+smbc_getFunctionCreat: smbc_creat_fn (SMBCCTX *)
|
|
+smbc_getFunctionFstat: smbc_fstat_fn (SMBCCTX *)
|
|
+smbc_getFunctionFstatVFS: smbc_fstatvfs_fn (SMBCCTX *)
|
|
+smbc_getFunctionFstatdir: smbc_fstatdir_fn (SMBCCTX *)
|
|
+smbc_getFunctionFtruncate: smbc_ftruncate_fn (SMBCCTX *)
|
|
+smbc_getFunctionGetCachedServer: smbc_get_cached_srv_fn (SMBCCTX *)
|
|
+smbc_getFunctionGetdents: smbc_getdents_fn (SMBCCTX *)
|
|
+smbc_getFunctionGetxattr: smbc_getxattr_fn (SMBCCTX *)
|
|
+smbc_getFunctionListPrintJobs: smbc_list_print_jobs_fn (SMBCCTX *)
|
|
+smbc_getFunctionListxattr: smbc_listxattr_fn (SMBCCTX *)
|
|
+smbc_getFunctionLseek: smbc_lseek_fn (SMBCCTX *)
|
|
+smbc_getFunctionLseekdir: smbc_lseekdir_fn (SMBCCTX *)
|
|
+smbc_getFunctionMkdir: smbc_mkdir_fn (SMBCCTX *)
|
|
+smbc_getFunctionNotify: smbc_notify_fn (SMBCCTX *)
|
|
+smbc_getFunctionOpen: smbc_open_fn (SMBCCTX *)
|
|
+smbc_getFunctionOpenPrintJob: smbc_open_print_job_fn (SMBCCTX *)
|
|
+smbc_getFunctionOpendir: smbc_opendir_fn (SMBCCTX *)
|
|
+smbc_getFunctionPrintFile: smbc_print_file_fn (SMBCCTX *)
|
|
+smbc_getFunctionPurgeCachedServers: smbc_purge_cached_fn (SMBCCTX *)
|
|
+smbc_getFunctionRead: smbc_read_fn (SMBCCTX *)
|
|
+smbc_getFunctionReaddir: smbc_readdir_fn (SMBCCTX *)
|
|
+smbc_getFunctionReaddirPlus: smbc_readdirplus_fn (SMBCCTX *)
|
|
+smbc_getFunctionReaddirPlus2: smbc_readdirplus2_fn (SMBCCTX *)
|
|
+smbc_getFunctionRemoveCachedServer: smbc_remove_cached_srv_fn (SMBCCTX *)
|
|
+smbc_getFunctionRemoveUnusedServer: smbc_remove_unused_server_fn (SMBCCTX *)
|
|
+smbc_getFunctionRemovexattr: smbc_removexattr_fn (SMBCCTX *)
|
|
+smbc_getFunctionRename: smbc_rename_fn (SMBCCTX *)
|
|
+smbc_getFunctionRmdir: smbc_rmdir_fn (SMBCCTX *)
|
|
+smbc_getFunctionSetxattr: smbc_setxattr_fn (SMBCCTX *)
|
|
+smbc_getFunctionSplice: smbc_splice_fn (SMBCCTX *)
|
|
+smbc_getFunctionStat: smbc_stat_fn (SMBCCTX *)
|
|
+smbc_getFunctionStatVFS: smbc_statvfs_fn (SMBCCTX *)
|
|
+smbc_getFunctionTelldir: smbc_telldir_fn (SMBCCTX *)
|
|
+smbc_getFunctionUnlink: smbc_unlink_fn (SMBCCTX *)
|
|
+smbc_getFunctionUnlinkPrintJob: smbc_unlink_print_job_fn (SMBCCTX *)
|
|
+smbc_getFunctionUtimes: smbc_utimes_fn (SMBCCTX *)
|
|
+smbc_getFunctionWrite: smbc_write_fn (SMBCCTX *)
|
|
+smbc_getNetbiosName: const char *(SMBCCTX *)
|
|
+smbc_getOptionBrowseMaxLmbCount: int (SMBCCTX *)
|
|
+smbc_getOptionCaseSensitive: smbc_bool (SMBCCTX *)
|
|
+smbc_getOptionDebugToStderr: smbc_bool (SMBCCTX *)
|
|
+smbc_getOptionFallbackAfterKerberos: smbc_bool (SMBCCTX *)
|
|
+smbc_getOptionFullTimeNames: smbc_bool (SMBCCTX *)
|
|
+smbc_getOptionNoAutoAnonymousLogin: smbc_bool (SMBCCTX *)
|
|
+smbc_getOptionOneSharePerServer: smbc_bool (SMBCCTX *)
|
|
+smbc_getOptionOpenShareMode: smbc_share_mode (SMBCCTX *)
|
|
+smbc_getOptionSmbEncryptionLevel: smbc_smb_encrypt_level (SMBCCTX *)
|
|
+smbc_getOptionUrlEncodeReaddirEntries: smbc_bool (SMBCCTX *)
|
|
+smbc_getOptionUseCCache: smbc_bool (SMBCCTX *)
|
|
+smbc_getOptionUseKerberos: smbc_bool (SMBCCTX *)
|
|
+smbc_getOptionUseNTHash: smbc_bool (SMBCCTX *)
|
|
+smbc_getOptionUserData: void *(SMBCCTX *)
|
|
+smbc_getPort: uint16_t (SMBCCTX *)
|
|
+smbc_getServerCacheData: struct smbc_server_cache *(SMBCCTX *)
|
|
+smbc_getTimeout: int (SMBCCTX *)
|
|
+smbc_getUser: const char *(SMBCCTX *)
|
|
+smbc_getWorkgroup: const char *(SMBCCTX *)
|
|
+smbc_getdents: int (unsigned int, struct smbc_dirent *, int)
|
|
+smbc_getxattr: int (const char *, const char *, const void *, size_t)
|
|
+smbc_init: int (smbc_get_auth_data_fn, int)
|
|
+smbc_init_context: SMBCCTX *(SMBCCTX *)
|
|
+smbc_lgetxattr: int (const char *, const char *, const void *, size_t)
|
|
+smbc_list_print_jobs: int (const char *, smbc_list_print_job_fn)
|
|
+smbc_listxattr: int (const char *, char *, size_t)
|
|
+smbc_llistxattr: int (const char *, char *, size_t)
|
|
+smbc_lremovexattr: int (const char *, const char *)
|
|
+smbc_lseek: off_t (int, off_t, int)
|
|
+smbc_lseekdir: int (int, off_t)
|
|
+smbc_lsetxattr: int (const char *, const char *, const void *, size_t, int)
|
|
+smbc_mkdir: int (const char *, mode_t)
|
|
+smbc_new_context: SMBCCTX *(void)
|
|
+smbc_notify: int (int, smbc_bool, uint32_t, unsigned int, smbc_notify_callback_fn, void *)
|
|
+smbc_open: int (const char *, int, mode_t)
|
|
+smbc_open_print_job: int (const char *)
|
|
+smbc_opendir: int (const char *)
|
|
+smbc_option_get: void *(SMBCCTX *, char *)
|
|
+smbc_option_set: void (SMBCCTX *, char *, ...)
|
|
+smbc_print_file: int (const char *, const char *)
|
|
+smbc_read: ssize_t (int, void *, size_t)
|
|
+smbc_readdir: struct smbc_dirent *(unsigned int)
|
|
+smbc_readdirplus: const struct libsmb_file_info *(unsigned int)
|
|
+smbc_readdirplus2: const struct libsmb_file_info *(unsigned int, struct stat *)
|
|
+smbc_removexattr: int (const char *, const char *)
|
|
+smbc_rename: int (const char *, const char *)
|
|
+smbc_rmdir: int (const char *)
|
|
+smbc_setConfiguration: int (SMBCCTX *, const char *)
|
|
+smbc_setDebug: void (SMBCCTX *, int)
|
|
+smbc_setFunctionAddCachedServer: void (SMBCCTX *, smbc_add_cached_srv_fn)
|
|
+smbc_setFunctionAuthData: void (SMBCCTX *, smbc_get_auth_data_fn)
|
|
+smbc_setFunctionAuthDataWithContext: void (SMBCCTX *, smbc_get_auth_data_with_context_fn)
|
|
+smbc_setFunctionCheckServer: void (SMBCCTX *, smbc_check_server_fn)
|
|
+smbc_setFunctionChmod: void (SMBCCTX *, smbc_chmod_fn)
|
|
+smbc_setFunctionClose: void (SMBCCTX *, smbc_close_fn)
|
|
+smbc_setFunctionClosedir: void (SMBCCTX *, smbc_closedir_fn)
|
|
+smbc_setFunctionCreat: void (SMBCCTX *, smbc_creat_fn)
|
|
+smbc_setFunctionFstat: void (SMBCCTX *, smbc_fstat_fn)
|
|
+smbc_setFunctionFstatVFS: void (SMBCCTX *, smbc_fstatvfs_fn)
|
|
+smbc_setFunctionFstatdir: void (SMBCCTX *, smbc_fstatdir_fn)
|
|
+smbc_setFunctionFtruncate: void (SMBCCTX *, smbc_ftruncate_fn)
|
|
+smbc_setFunctionGetCachedServer: void (SMBCCTX *, smbc_get_cached_srv_fn)
|
|
+smbc_setFunctionGetdents: void (SMBCCTX *, smbc_getdents_fn)
|
|
+smbc_setFunctionGetxattr: void (SMBCCTX *, smbc_getxattr_fn)
|
|
+smbc_setFunctionListPrintJobs: void (SMBCCTX *, smbc_list_print_jobs_fn)
|
|
+smbc_setFunctionListxattr: void (SMBCCTX *, smbc_listxattr_fn)
|
|
+smbc_setFunctionLseek: void (SMBCCTX *, smbc_lseek_fn)
|
|
+smbc_setFunctionLseekdir: void (SMBCCTX *, smbc_lseekdir_fn)
|
|
+smbc_setFunctionMkdir: void (SMBCCTX *, smbc_mkdir_fn)
|
|
+smbc_setFunctionNotify: void (SMBCCTX *, smbc_notify_fn)
|
|
+smbc_setFunctionOpen: void (SMBCCTX *, smbc_open_fn)
|
|
+smbc_setFunctionOpenPrintJob: void (SMBCCTX *, smbc_open_print_job_fn)
|
|
+smbc_setFunctionOpendir: void (SMBCCTX *, smbc_opendir_fn)
|
|
+smbc_setFunctionPrintFile: void (SMBCCTX *, smbc_print_file_fn)
|
|
+smbc_setFunctionPurgeCachedServers: void (SMBCCTX *, smbc_purge_cached_fn)
|
|
+smbc_setFunctionRead: void (SMBCCTX *, smbc_read_fn)
|
|
+smbc_setFunctionReaddir: void (SMBCCTX *, smbc_readdir_fn)
|
|
+smbc_setFunctionReaddirPlus: void (SMBCCTX *, smbc_readdirplus_fn)
|
|
+smbc_setFunctionReaddirPlus2: void (SMBCCTX *, smbc_readdirplus2_fn)
|
|
+smbc_setFunctionRemoveCachedServer: void (SMBCCTX *, smbc_remove_cached_srv_fn)
|
|
+smbc_setFunctionRemoveUnusedServer: void (SMBCCTX *, smbc_remove_unused_server_fn)
|
|
+smbc_setFunctionRemovexattr: void (SMBCCTX *, smbc_removexattr_fn)
|
|
+smbc_setFunctionRename: void (SMBCCTX *, smbc_rename_fn)
|
|
+smbc_setFunctionRmdir: void (SMBCCTX *, smbc_rmdir_fn)
|
|
+smbc_setFunctionSetxattr: void (SMBCCTX *, smbc_setxattr_fn)
|
|
+smbc_setFunctionSplice: void (SMBCCTX *, smbc_splice_fn)
|
|
+smbc_setFunctionStat: void (SMBCCTX *, smbc_stat_fn)
|
|
+smbc_setFunctionStatVFS: void (SMBCCTX *, smbc_statvfs_fn)
|
|
+smbc_setFunctionTelldir: void (SMBCCTX *, smbc_telldir_fn)
|
|
+smbc_setFunctionUnlink: void (SMBCCTX *, smbc_unlink_fn)
|
|
+smbc_setFunctionUnlinkPrintJob: void (SMBCCTX *, smbc_unlink_print_job_fn)
|
|
+smbc_setFunctionUtimes: void (SMBCCTX *, smbc_utimes_fn)
|
|
+smbc_setFunctionWrite: void (SMBCCTX *, smbc_write_fn)
|
|
+smbc_setLogCallback: void (SMBCCTX *, void *, smbc_debug_callback_fn)
|
|
+smbc_setNetbiosName: void (SMBCCTX *, const char *)
|
|
+smbc_setOptionBrowseMaxLmbCount: void (SMBCCTX *, int)
|
|
+smbc_setOptionCaseSensitive: void (SMBCCTX *, smbc_bool)
|
|
+smbc_setOptionDebugToStderr: void (SMBCCTX *, smbc_bool)
|
|
+smbc_setOptionFallbackAfterKerberos: void (SMBCCTX *, smbc_bool)
|
|
+smbc_setOptionFullTimeNames: void (SMBCCTX *, smbc_bool)
|
|
+smbc_setOptionNoAutoAnonymousLogin: void (SMBCCTX *, smbc_bool)
|
|
+smbc_setOptionOneSharePerServer: void (SMBCCTX *, smbc_bool)
|
|
+smbc_setOptionOpenShareMode: void (SMBCCTX *, smbc_share_mode)
|
|
+smbc_setOptionProtocols: smbc_bool (SMBCCTX *, const char *, const char *)
|
|
+smbc_setOptionSmbEncryptionLevel: void (SMBCCTX *, smbc_smb_encrypt_level)
|
|
+smbc_setOptionUrlEncodeReaddirEntries: void (SMBCCTX *, smbc_bool)
|
|
+smbc_setOptionUseCCache: void (SMBCCTX *, smbc_bool)
|
|
+smbc_setOptionUseKerberos: void (SMBCCTX *, smbc_bool)
|
|
+smbc_setOptionUseNTHash: void (SMBCCTX *, smbc_bool)
|
|
+smbc_setOptionUserData: void (SMBCCTX *, void *)
|
|
+smbc_setPort: void (SMBCCTX *, uint16_t)
|
|
+smbc_setServerCacheData: void (SMBCCTX *, struct smbc_server_cache *)
|
|
+smbc_setTimeout: void (SMBCCTX *, int)
|
|
+smbc_setUser: void (SMBCCTX *, const char *)
|
|
+smbc_setWorkgroup: void (SMBCCTX *, const char *)
|
|
+smbc_set_context: SMBCCTX *(SMBCCTX *)
|
|
+smbc_set_credentials: void (const char *, const char *, const char *, smbc_bool, const char *)
|
|
+smbc_set_credentials_with_fallback: void (SMBCCTX *, const char *, const char *, const char *)
|
|
+smbc_setxattr: int (const char *, const char *, const void *, size_t, int)
|
|
+smbc_stat: int (const char *, struct stat *)
|
|
+smbc_statvfs: int (char *, struct statvfs *)
|
|
+smbc_telldir: off_t (int)
|
|
+smbc_unlink: int (const char *)
|
|
+smbc_unlink_print_job: int (const char *, int)
|
|
+smbc_urldecode: int (char *, char *, size_t)
|
|
+smbc_urlencode: int (char *, char *, int)
|
|
+smbc_utime: int (const char *, struct utimbuf *)
|
|
+smbc_utimes: int (const char *, struct timeval *)
|
|
+smbc_version: const char *(void)
|
|
+smbc_write: ssize_t (int, const void *, size_t)
|
|
diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c
|
|
index eaa0cdeca93..ea741f41c7d 100644
|
|
--- a/source3/libsmb/libsmb_context.c
|
|
+++ b/source3/libsmb/libsmb_context.c
|
|
@@ -171,7 +171,7 @@ smbc_new_context(void)
|
|
|
|
smbc_setOptionFullTimeNames(context, False);
|
|
smbc_setOptionOpenShareMode(context, SMBC_SHAREMODE_DENY_NONE);
|
|
- smbc_setOptionSmbEncryptionLevel(context, SMBC_ENCRYPTLEVEL_NONE);
|
|
+ smbc_setOptionSmbEncryptionLevel(context, SMBC_ENCRYPTLEVEL_DEFAULT);
|
|
smbc_setOptionUseCCache(context, True);
|
|
smbc_setOptionCaseSensitive(context, False);
|
|
smbc_setOptionBrowseMaxLmbCount(context, 3); /* # LMBs to query */
|
|
@@ -474,6 +474,8 @@ smbc_option_get(SMBCCTX *context,
|
|
} else if (strcmp(option_name, "smb_encrypt_level") == 0) {
|
|
switch(smbc_getOptionSmbEncryptionLevel(context))
|
|
{
|
|
+ case SMBC_ENCRYPTLEVEL_DEFAULT:
|
|
+ return discard_const_p(void, "default");
|
|
case 0:
|
|
return discard_const_p(void, "none");
|
|
case 1:
|
|
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
|
|
index 33dc8419deb..eb58d7c6ac9 100644
|
|
--- a/source3/libsmb/libsmb_server.c
|
|
+++ b/source3/libsmb/libsmb_server.c
|
|
@@ -284,6 +284,29 @@ static struct cli_credentials *SMBC_auth_credentials(TALLOC_CTX *mem_ctx,
|
|
return NULL;
|
|
}
|
|
|
|
+ switch (context->internal->smb_encryption_level) {
|
|
+ case SMBC_ENCRYPTLEVEL_DEFAULT:
|
|
+ /* Use the config option */
|
|
+ break;
|
|
+ case SMBC_ENCRYPTLEVEL_NONE:
|
|
+ cli_credentials_set_smb_encryption(creds,
|
|
+ SMB_ENCRYPTION_OFF,
|
|
+ CRED_SPECIFIED);
|
|
+ break;
|
|
+ case SMBC_ENCRYPTLEVEL_REQUEST:
|
|
+ cli_credentials_set_smb_encryption(creds,
|
|
+ SMB_ENCRYPTION_DESIRED,
|
|
+ CRED_SPECIFIED);
|
|
+ break;
|
|
+ case SMBC_ENCRYPTLEVEL_REQUIRE:
|
|
+ default:
|
|
+ cli_credentials_set_smb_encryption(creds,
|
|
+ SMB_ENCRYPTION_REQUIRED,
|
|
+ CRED_SPECIFIED);
|
|
+ break;
|
|
+ }
|
|
+
|
|
+
|
|
return creds;
|
|
}
|
|
|
|
@@ -625,30 +648,6 @@ SMBC_server_internal(TALLOC_CTX *ctx,
|
|
smbXcli_tcon_set_fs_attributes(tcon, fs_attrs);
|
|
}
|
|
|
|
- if (context->internal->smb_encryption_level) {
|
|
- /* Attempt encryption. */
|
|
- status = cli_cm_force_encryption_creds(c,
|
|
- creds,
|
|
- share);
|
|
- if (!NT_STATUS_IS_OK(status)) {
|
|
-
|
|
- /*
|
|
- * context->smb_encryption_level == 1
|
|
- * means don't fail if encryption can't be negotiated,
|
|
- * == 2 means fail if encryption can't be negotiated.
|
|
- */
|
|
-
|
|
- DEBUG(4,(" SMB encrypt failed\n"));
|
|
-
|
|
- if (context->internal->smb_encryption_level == 2) {
|
|
- cli_shutdown(c);
|
|
- errno = EPERM;
|
|
- return NULL;
|
|
- }
|
|
- }
|
|
- DEBUG(4,(" SMB encrypt ok\n"));
|
|
- }
|
|
-
|
|
/*
|
|
* Ok, we have got a nice connection
|
|
* Let's allocate a server structure.
|
|
@@ -825,31 +824,6 @@ SMBC_attr_server(TALLOC_CTX *ctx,
|
|
}
|
|
talloc_steal(ipc_cli, creds);
|
|
|
|
- if (context->internal->smb_encryption_level) {
|
|
- /* Attempt encryption. */
|
|
- nt_status = cli_cm_force_encryption_creds(ipc_cli,
|
|
- creds,
|
|
- "IPC$");
|
|
- if (!NT_STATUS_IS_OK(nt_status)) {
|
|
-
|
|
- /*
|
|
- * context->smb_encryption_level ==
|
|
- * 1 means don't fail if encryption can't be
|
|
- * negotiated, == 2 means fail if encryption
|
|
- * can't be negotiated.
|
|
- */
|
|
-
|
|
- DEBUG(4,(" SMB encrypt failed on IPC$\n"));
|
|
-
|
|
- if (context->internal->smb_encryption_level == 2) {
|
|
- cli_shutdown(ipc_cli);
|
|
- errno = EPERM;
|
|
- return NULL;
|
|
- }
|
|
- }
|
|
- DEBUG(4,(" SMB encrypt ok on IPC$\n"));
|
|
- }
|
|
-
|
|
ipc_srv = SMB_MALLOC_P(SMBCSRV);
|
|
if (!ipc_srv) {
|
|
errno = ENOMEM;
|
|
diff --git a/source3/libsmb/wscript b/source3/libsmb/wscript
|
|
index ec4a516b2ee..61503d0a98b 100644
|
|
--- a/source3/libsmb/wscript
|
|
+++ b/source3/libsmb/wscript
|
|
@@ -26,5 +26,5 @@ def build(bld):
|
|
public_headers='../include/libsmbclient.h',
|
|
abi_directory='ABI',
|
|
abi_match='smbc_*',
|
|
- vnum='0.6.0',
|
|
+ vnum='0.7.0',
|
|
pc_files='smbclient.pc')
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From a35be10e055edb18b961c30c106fbefd08cd8c42 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 10 Jun 2020 12:43:33 +0200
|
|
Subject: [PATCH 037/104] s3:client: Remove unused smb encryption code
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/client/smbspool.c | 10 ----------
|
|
1 file changed, 10 deletions(-)
|
|
|
|
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
|
|
index f56dc323b6e..16a8d44c069 100644
|
|
--- a/source3/client/smbspool.c
|
|
+++ b/source3/client/smbspool.c
|
|
@@ -584,16 +584,6 @@ smb_complete_connection(struct cli_state **output_cli,
|
|
|
|
return nt_status;
|
|
}
|
|
-#if 0
|
|
- /* Need to work out how to specify this on the URL. */
|
|
- if (smb_encrypt) {
|
|
- if (!cli_cm_force_encryption_creds(cli, creds, share)) {
|
|
- fprintf(stderr, "ERROR: encryption setup failed\n");
|
|
- cli_shutdown(cli);
|
|
- return NULL;
|
|
- }
|
|
- }
|
|
-#endif
|
|
|
|
*output_cli = cli;
|
|
return NT_STATUS_OK;
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 59362e873109a541d5381fe9a302a9464b83b549 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 10 Jun 2020 12:47:05 +0200
|
|
Subject: [PATCH 038/104] s3:utils: Remove obsolete force encryption from
|
|
smbacls
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/utils/smbcacls.c | 10 ----------
|
|
1 file changed, 10 deletions(-)
|
|
|
|
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
|
|
index 5983ebbd0a5..8fd9fcc5780 100644
|
|
--- a/source3/utils/smbcacls.c
|
|
+++ b/source3/utils/smbcacls.c
|
|
@@ -784,16 +784,6 @@ static struct cli_state *connect_one(const struct user_auth_info *auth_info,
|
|
return NULL;
|
|
}
|
|
|
|
- if (get_cmdline_auth_info_smb_encrypt(auth_info)) {
|
|
- nt_status = cli_cm_force_encryption_creds(c,
|
|
- get_cmdline_auth_info_creds(auth_info),
|
|
- share);
|
|
- if (!NT_STATUS_IS_OK(nt_status)) {
|
|
- cli_shutdown(c);
|
|
- c = NULL;
|
|
- }
|
|
- }
|
|
-
|
|
return c;
|
|
}
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From d642ed3f0e60699c5650eb80ba02f9552b8f7bd9 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 10 Jun 2020 12:48:18 +0200
|
|
Subject: [PATCH 039/104] s3:utils: Remove obsolete force encryption from
|
|
mdfind
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/utils/mdfind.c | 7 -------
|
|
1 file changed, 7 deletions(-)
|
|
|
|
diff --git a/source3/utils/mdfind.c b/source3/utils/mdfind.c
|
|
index 2ac4fde7daf..ef2657e4fa5 100644
|
|
--- a/source3/utils/mdfind.c
|
|
+++ b/source3/utils/mdfind.c
|
|
@@ -159,13 +159,6 @@ int main(int argc, char **argv)
|
|
goto fail;
|
|
}
|
|
|
|
- if (get_cmdline_auth_info_smb_encrypt(auth)) {
|
|
- status = cli_cm_force_encryption_creds(cli, creds, "IPC$");
|
|
- if (!NT_STATUS_IS_OK(status)) {
|
|
- goto fail;
|
|
- }
|
|
- }
|
|
-
|
|
status = cli_rpc_pipe_open_noauth_transport(cli,
|
|
NCACN_NP,
|
|
&ndr_table_mdssvc,
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 4588a03309c7ce7404f54e010f4a93656bf9ff47 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 10 Jun 2020 12:49:28 +0200
|
|
Subject: [PATCH 040/104] s3:utils: Remove obsolete force encryption from
|
|
smbcquotas
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/utils/smbcquotas.c | 11 -----------
|
|
1 file changed, 11 deletions(-)
|
|
|
|
diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
|
|
index fea066ce468..4ceac7b3ab0 100644
|
|
--- a/source3/utils/smbcquotas.c
|
|
+++ b/source3/utils/smbcquotas.c
|
|
@@ -533,17 +533,6 @@ static struct cli_state *connect_one(const char *share)
|
|
return NULL;
|
|
}
|
|
|
|
- if (get_cmdline_auth_info_smb_encrypt(popt_get_cmdline_auth_info())) {
|
|
- nt_status = cli_cm_force_encryption_creds(c,
|
|
- get_cmdline_auth_info_creds(
|
|
- popt_get_cmdline_auth_info()),
|
|
- share);
|
|
- if (!NT_STATUS_IS_OK(nt_status)) {
|
|
- cli_shutdown(c);
|
|
- return NULL;
|
|
- }
|
|
- }
|
|
-
|
|
return c;
|
|
}
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 23b759045448c9072f8342778ea36b721c481bfd Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 10 Jun 2020 12:51:18 +0200
|
|
Subject: [PATCH 041/104] s3:rpcclient: Remove obsolete force encryption from
|
|
rpcclient
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/rpcclient/rpcclient.c | 11 -----------
|
|
1 file changed, 11 deletions(-)
|
|
|
|
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
|
|
index 2ead6cc7ba5..575a42ebf70 100644
|
|
--- a/source3/rpcclient/rpcclient.c
|
|
+++ b/source3/rpcclient/rpcclient.c
|
|
@@ -1214,17 +1214,6 @@ out_free:
|
|
goto done;
|
|
}
|
|
|
|
- if (get_cmdline_auth_info_smb_encrypt(popt_get_cmdline_auth_info())) {
|
|
- nt_status = cli_cm_force_encryption_creds(cli,
|
|
- get_cmdline_auth_info_creds(
|
|
- popt_get_cmdline_auth_info()),
|
|
- "IPC$");
|
|
- if (!NT_STATUS_IS_OK(nt_status)) {
|
|
- result = 1;
|
|
- goto done;
|
|
- }
|
|
- }
|
|
-
|
|
#if 0 /* COMMENT OUT FOR TESTING */
|
|
memset(cmdline_auth_info.password,'X',sizeof(cmdline_auth_info.password));
|
|
#endif
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From b42861ddc3b16cdda39c86d0549ed3af8e22cf7b Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Mon, 6 Jul 2020 10:58:36 +0200
|
|
Subject: [PATCH 042/104] examples: Remove obsolete force encryption from
|
|
smb2mount
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
examples/fuse/smb2mount.c | 11 -----------
|
|
1 file changed, 11 deletions(-)
|
|
|
|
diff --git a/examples/fuse/smb2mount.c b/examples/fuse/smb2mount.c
|
|
index 6206c3a9701..c64be573462 100644
|
|
--- a/examples/fuse/smb2mount.c
|
|
+++ b/examples/fuse/smb2mount.c
|
|
@@ -44,17 +44,6 @@ static struct cli_state *connect_one(const struct user_auth_info *auth_info,
|
|
return NULL;
|
|
}
|
|
|
|
- if (get_cmdline_auth_info_smb_encrypt(auth_info)) {
|
|
- nt_status = cli_cm_force_encryption_creds(
|
|
- c,
|
|
- get_cmdline_auth_info_creds(auth_info),
|
|
- share);
|
|
- if (!NT_STATUS_IS_OK(nt_status)) {
|
|
- cli_shutdown(c);
|
|
- c = NULL;
|
|
- }
|
|
- }
|
|
-
|
|
return c;
|
|
}
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 9718e834445fa9fb77a947aee35ff49f9ce98572 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Mon, 6 Jul 2020 11:05:59 +0200
|
|
Subject: [PATCH 043/104] s3:libsmb: Make cli_cm_force_encryption_creds()
|
|
static
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/libsmb/clidfs.c | 6 +++---
|
|
source3/libsmb/proto.h | 3 ---
|
|
2 files changed, 3 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
|
index 4495a027830..aff998f6187 100644
|
|
--- a/source3/libsmb/clidfs.c
|
|
+++ b/source3/libsmb/clidfs.c
|
|
@@ -43,9 +43,9 @@
|
|
Ensure a connection is encrypted.
|
|
********************************************************************/
|
|
|
|
-NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
|
|
- struct cli_credentials *creds,
|
|
- const char *sharename)
|
|
+static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
|
|
+ struct cli_credentials *creds,
|
|
+ const char *sharename)
|
|
{
|
|
uint16_t major, minor;
|
|
uint32_t caplow, caphigh;
|
|
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
|
|
index 850cf12c8a6..eeabcaa7463 100644
|
|
--- a/source3/libsmb/proto.h
|
|
+++ b/source3/libsmb/proto.h
|
|
@@ -123,9 +123,6 @@ struct cli_state *get_ipc_connect_master_ip(TALLOC_CTX *ctx,
|
|
|
|
/* The following definitions come from libsmb/clidfs.c */
|
|
|
|
-NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
|
|
- struct cli_credentials *creds,
|
|
- const char *sharename);
|
|
NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
struct cli_state *referring_cli,
|
|
const char *server,
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 7e0b354aca307a2eaf45dcf0ca2e1203e7784fd3 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 13 Aug 2020 16:16:55 +0200
|
|
Subject: [PATCH 044/104] s4:libcli: Return NTSTATUS errors for
|
|
smb_composite_connect_send()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source4/libcli/smb_composite/connect.c | 40 +++++++++++++++++++-------
|
|
1 file changed, 29 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/source4/libcli/smb_composite/connect.c b/source4/libcli/smb_composite/connect.c
|
|
index 582d43ef173..ad50ae0ac81 100644
|
|
--- a/source4/libcli/smb_composite/connect.c
|
|
+++ b/source4/libcli/smb_composite/connect.c
|
|
@@ -420,15 +420,25 @@ struct composite_context *smb_composite_connect_send(struct smb_composite_connec
|
|
struct connect_state *state;
|
|
|
|
c = talloc_zero(mem_ctx, struct composite_context);
|
|
- if (c == NULL) goto failed;
|
|
-
|
|
- c->event_ctx = event_ctx;
|
|
- if (c->event_ctx == NULL) goto failed;
|
|
+ if (c == NULL) {
|
|
+ goto nomem;
|
|
+ }
|
|
|
|
state = talloc_zero(c, struct connect_state);
|
|
- if (state == NULL) goto failed;
|
|
+ if (state == NULL) {
|
|
+ goto nomem;
|
|
+ }
|
|
+
|
|
+ c->event_ctx = event_ctx;
|
|
+ if (c->event_ctx == NULL) {
|
|
+ composite_error(c, NT_STATUS_INVALID_PARAMETER_MIX);
|
|
+ return c;
|
|
+ }
|
|
|
|
- if (io->in.gensec_settings == NULL) goto failed;
|
|
+ if (io->in.gensec_settings == NULL) {
|
|
+ composite_error(c, NT_STATUS_INVALID_PARAMETER_MIX);
|
|
+ return c;
|
|
+ }
|
|
state->io = io;
|
|
|
|
c->state = COMPOSITE_STATE_IN_PROGRESS;
|
|
@@ -449,12 +459,14 @@ struct composite_context *smb_composite_connect_send(struct smb_composite_connec
|
|
&io->in.options,
|
|
&state->transport);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
- goto failed;
|
|
+ composite_error(c, status);
|
|
+ return c;
|
|
}
|
|
|
|
status = connect_send_session(c, io);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
- goto failed;
|
|
+ composite_error(c, status);
|
|
+ return c;
|
|
}
|
|
|
|
return c;
|
|
@@ -468,15 +480,18 @@ struct composite_context *smb_composite_connect_send(struct smb_composite_connec
|
|
io->in.socket_options,
|
|
&state->calling,
|
|
&state->called);
|
|
- if (state->creq == NULL) goto failed;
|
|
+ if (state->creq == NULL) {
|
|
+ composite_error(c, NT_STATUS_NO_MEMORY);
|
|
+ return c;
|
|
+ }
|
|
|
|
state->stage = CONNECT_SOCKET;
|
|
state->creq->async.private_data = c;
|
|
state->creq->async.fn = composite_handler;
|
|
|
|
return c;
|
|
-failed:
|
|
- talloc_free(c);
|
|
+nomem:
|
|
+ TALLOC_FREE(c);
|
|
return NULL;
|
|
}
|
|
|
|
@@ -506,5 +521,8 @@ NTSTATUS smb_composite_connect(struct smb_composite_connect *io, TALLOC_CTX *mem
|
|
struct tevent_context *ev)
|
|
{
|
|
struct composite_context *c = smb_composite_connect_send(io, mem_ctx, resolve_ctx, ev);
|
|
+ if (c == NULL) {
|
|
+ return NT_STATUS_NO_MEMORY;
|
|
+ }
|
|
return smb_composite_connect_recv(c, mem_ctx);
|
|
}
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 667f1730533b589820c2c7c492000fb86445797a Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 7 Jul 2020 12:54:26 +0200
|
|
Subject: [PATCH 045/104] s4:libcli: Return if encryption is requested for SMB1
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source4/libcli/smb_composite/sesssetup.c | 7 +++++++
|
|
1 file changed, 7 insertions(+)
|
|
|
|
diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c
|
|
index 6ee4929e8d7..51e121bdce6 100644
|
|
--- a/source4/libcli/smb_composite/sesssetup.c
|
|
+++ b/source4/libcli/smb_composite/sesssetup.c
|
|
@@ -620,10 +620,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
|
|
struct composite_context *c;
|
|
struct sesssetup_state *state;
|
|
NTSTATUS status;
|
|
+ enum smb_encryption_setting encryption_state =
|
|
+ cli_credentials_get_smb_encryption(io->in.credentials);
|
|
|
|
c = composite_create(session, session->transport->ev);
|
|
if (c == NULL) return NULL;
|
|
|
|
+ if (encryption_state > SMB_ENCRYPTION_DESIRED) {
|
|
+ composite_error(c, NT_STATUS_PROTOCOL_NOT_SUPPORTED);
|
|
+ return c;
|
|
+ }
|
|
+
|
|
state = talloc_zero(c, struct sesssetup_state);
|
|
if (composite_nomem(state, c)) return c;
|
|
c->private_data = state;
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 97ce0f36abf29c234fbc4d8846ce0b68b2e4a6ab Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 7 Jul 2020 12:29:39 +0200
|
|
Subject: [PATCH 046/104] s3:libcli: Split out smb2_connect_tcon_start()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source4/libcli/smb2/connect.c | 13 ++++++++++++-
|
|
1 file changed, 12 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/source4/libcli/smb2/connect.c b/source4/libcli/smb2/connect.c
|
|
index 6fc3993a4e8..95ff05eac8f 100644
|
|
--- a/source4/libcli/smb2/connect.c
|
|
+++ b/source4/libcli/smb2/connect.c
|
|
@@ -237,6 +237,7 @@ static void smb2_connect_session_start(struct tevent_req *req)
|
|
tevent_req_set_callback(subreq, smb2_connect_session_done, req);
|
|
}
|
|
|
|
+static void smb2_connect_tcon_start(struct tevent_req *req);
|
|
static void smb2_connect_tcon_done(struct tevent_req *subreq);
|
|
|
|
static void smb2_connect_session_done(struct tevent_req *subreq)
|
|
@@ -248,7 +249,6 @@ static void smb2_connect_session_done(struct tevent_req *subreq)
|
|
tevent_req_data(req,
|
|
struct smb2_connect_state);
|
|
NTSTATUS status;
|
|
- uint32_t timeout_msec;
|
|
|
|
status = smb2_session_setup_spnego_recv(subreq);
|
|
TALLOC_FREE(subreq);
|
|
@@ -289,6 +289,17 @@ static void smb2_connect_session_done(struct tevent_req *subreq)
|
|
return;
|
|
}
|
|
|
|
+ smb2_connect_tcon_start(req);
|
|
+}
|
|
+
|
|
+static void smb2_connect_tcon_start(struct tevent_req *req)
|
|
+{
|
|
+ struct smb2_connect_state *state =
|
|
+ tevent_req_data(req,
|
|
+ struct smb2_connect_state);
|
|
+ struct tevent_req *subreq = NULL;
|
|
+ uint32_t timeout_msec;
|
|
+
|
|
timeout_msec = state->transport->options.request_timeout * 1000;
|
|
|
|
subreq = smb2cli_tcon_send(state, state->ev,
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From bf357c3c06df5ac5aeea7851a7e285d68f3ab974 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 7 Jul 2020 12:44:26 +0200
|
|
Subject: [PATCH 047/104] s4:libcli: Add smb2_connect_enc_start()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source4/libcli/smb2/connect.c | 38 +++++++++++++++++++++++++++++++++++
|
|
1 file changed, 38 insertions(+)
|
|
|
|
diff --git a/source4/libcli/smb2/connect.c b/source4/libcli/smb2/connect.c
|
|
index 95ff05eac8f..3a3ecdf20e8 100644
|
|
--- a/source4/libcli/smb2/connect.c
|
|
+++ b/source4/libcli/smb2/connect.c
|
|
@@ -237,6 +237,7 @@ static void smb2_connect_session_start(struct tevent_req *req)
|
|
tevent_req_set_callback(subreq, smb2_connect_session_done, req);
|
|
}
|
|
|
|
+static void smb2_connect_enc_start(struct tevent_req *req);
|
|
static void smb2_connect_tcon_start(struct tevent_req *req);
|
|
static void smb2_connect_tcon_done(struct tevent_req *subreq);
|
|
|
|
@@ -289,6 +290,43 @@ static void smb2_connect_session_done(struct tevent_req *subreq)
|
|
return;
|
|
}
|
|
|
|
+ smb2_connect_enc_start(req);
|
|
+}
|
|
+
|
|
+static void smb2_connect_enc_start(struct tevent_req *req)
|
|
+{
|
|
+ struct smb2_connect_state *state =
|
|
+ tevent_req_data(req,
|
|
+ struct smb2_connect_state);
|
|
+ enum smb_encryption_setting encryption_state =
|
|
+ cli_credentials_get_smb_encryption(state->credentials);
|
|
+ NTSTATUS status;
|
|
+
|
|
+ if (encryption_state < SMB_ENCRYPTION_DESIRED) {
|
|
+ smb2_connect_tcon_start(req);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ status = smb2cli_session_encryption_on(state->session->smbXcli);
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
|
|
+ if (encryption_state < SMB_ENCRYPTION_REQUIRED) {
|
|
+ smb2_connect_tcon_start(req);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ DBG_ERR("Encryption required and server doesn't support "
|
|
+ "SMB3 encryption - failing connect\n");
|
|
+ tevent_req_nterror(req, status);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ DBG_ERR("Encryption required and setup failed with error %s.\n",
|
|
+ nt_errstr(status));
|
|
+ tevent_req_nterror(req, NT_STATUS_PROTOCOL_NOT_SUPPORTED);
|
|
+ return;
|
|
+ }
|
|
+
|
|
smb2_connect_tcon_start(req);
|
|
}
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 5a984891f73b07211d64e5a2f262915386aea7f4 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Fri, 24 Jul 2020 10:18:52 +0200
|
|
Subject: [PATCH 048/104] s4:libcli: Require signing for SMB encryption
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source4/libcli/smb2/connect.c | 9 ++++++++-
|
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/source4/libcli/smb2/connect.c b/source4/libcli/smb2/connect.c
|
|
index 3a3ecdf20e8..9540704491e 100644
|
|
--- a/source4/libcli/smb2/connect.c
|
|
+++ b/source4/libcli/smb2/connect.c
|
|
@@ -31,6 +31,7 @@
|
|
#include "param/param.h"
|
|
#include "auth/credentials/credentials.h"
|
|
#include "../libcli/smb/smbXcli_base.h"
|
|
+#include "smb2_constants.h"
|
|
|
|
struct smb2_connect_state {
|
|
struct tevent_context *ev;
|
|
@@ -76,6 +77,8 @@ struct tevent_req *smb2_connect_send(TALLOC_CTX *mem_ctx,
|
|
struct smb2_connect_state *state;
|
|
struct composite_context *creq;
|
|
static const char *default_ports[] = { "445", "139", NULL };
|
|
+ enum smb_encryption_setting encryption_state =
|
|
+ cli_credentials_get_smb_encryption(credentials);
|
|
|
|
req = tevent_req_create(mem_ctx, &state,
|
|
struct smb2_connect_state);
|
|
@@ -99,6 +102,10 @@ struct tevent_req *smb2_connect_send(TALLOC_CTX *mem_ctx,
|
|
state->ports = default_ports;
|
|
}
|
|
|
|
+ if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
|
|
+ state->options.signing = SMB_SIGNING_REQUIRED;
|
|
+ }
|
|
+
|
|
make_nbt_name_client(&state->calling,
|
|
cli_credentials_get_workstation(credentials));
|
|
|
|
@@ -116,7 +123,7 @@ struct tevent_req *smb2_connect_send(TALLOC_CTX *mem_ctx,
|
|
|
|
status = smb2_transport_raw_init(state, ev,
|
|
existing_conn,
|
|
- options,
|
|
+ &state->options,
|
|
&state->transport);
|
|
if (tevent_req_nterror(req, status)) {
|
|
return tevent_req_post(req, ev);
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From b733749b324891e6352fbb9ef51fa0452baa313e Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 7 Jul 2020 14:27:07 +0200
|
|
Subject: [PATCH 049/104] python:tests: Add test for SMB encrypted DCERPC
|
|
connection
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
|
|
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
|
|
Autobuild-Date(master): Wed Aug 19 17:46:28 UTC 2020 on sn-devel-184
|
|
---
|
|
python/samba/tests/dcerpc/binding.py | 82 ++++++++++++++++++++++++++++
|
|
selftest/tests.py | 1 +
|
|
2 files changed, 83 insertions(+)
|
|
create mode 100644 python/samba/tests/dcerpc/binding.py
|
|
|
|
diff --git a/python/samba/tests/dcerpc/binding.py b/python/samba/tests/dcerpc/binding.py
|
|
new file mode 100644
|
|
index 00000000000..8e0d6a5ef0a
|
|
--- /dev/null
|
|
+++ b/python/samba/tests/dcerpc/binding.py
|
|
@@ -0,0 +1,82 @@
|
|
+#
|
|
+# Unix SMB/CIFS implementation.
|
|
+# Copyright (c) 2020 Andreas Schneider <asn@samba.org>
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation; either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+#
|
|
+
|
|
+"""Tests for samba.dcerpc., credentials and binding strings"""
|
|
+
|
|
+import samba.tests
|
|
+from samba.tests import RpcInterfaceTestCase, TestCase
|
|
+from samba.dcerpc import lsa
|
|
+import samba.dcerpc.security as security
|
|
+from samba.credentials import Credentials, SMB_ENCRYPTION_REQUIRED
|
|
+from samba import NTSTATUSError
|
|
+
|
|
+class RpcBindingTests(RpcInterfaceTestCase):
|
|
+ def setUp(self):
|
|
+ super(RpcBindingTests, self).setUp()
|
|
+
|
|
+ def get_user_creds(self):
|
|
+ c = Credentials()
|
|
+ c.guess()
|
|
+ domain = samba.tests.env_get_var_value('DOMAIN')
|
|
+ username = samba.tests.env_get_var_value('USERNAME')
|
|
+ password = samba.tests.env_get_var_value('PASSWORD')
|
|
+ c.set_domain(domain)
|
|
+ c.set_username(username)
|
|
+ c.set_password(password)
|
|
+ return c
|
|
+
|
|
+ def test_smb3_dcerpc_encryption(self):
|
|
+ creds = self.get_user_creds()
|
|
+ creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
|
|
+
|
|
+ lp = self.get_loadparm()
|
|
+ lp.set('client ipc max protocol', 'SMB3')
|
|
+ lp.set('client ipc min protocol', 'SMB3')
|
|
+
|
|
+ binding_string = ("ncacn_np:%s" % (samba.tests.env_get_var_value('SERVER')))
|
|
+ lsa_conn = lsa.lsarpc(binding_string, lp, creds)
|
|
+
|
|
+ objectAttr = lsa.ObjectAttribute()
|
|
+ objectAttr.sec_qos = lsa.QosInfo()
|
|
+
|
|
+ pol_handle = lsa_conn.OpenPolicy2('',
|
|
+ objectAttr,
|
|
+ security.SEC_FLAG_MAXIMUM_ALLOWED)
|
|
+ self.assertIsNotNone(pol_handle)
|
|
+
|
|
+ def test_smb2_dcerpc_encryption(self):
|
|
+ creds = self.get_user_creds()
|
|
+ creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
|
|
+
|
|
+ lp = self.get_loadparm()
|
|
+ lp.set('client ipc max protocol', 'SMB2')
|
|
+ lp.set('client ipc min protocol', 'SMB2')
|
|
+
|
|
+ binding_string = ("ncacn_np:%s" % (samba.tests.env_get_var_value('SERVER')))
|
|
+ self.assertRaises(NTSTATUSError, lsa.lsarpc, binding_string, lp, creds)
|
|
+
|
|
+ def test_smb1_dcerpc_encryption(self):
|
|
+ creds = self.get_user_creds()
|
|
+ creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
|
|
+
|
|
+ lp = self.get_loadparm()
|
|
+ lp.set('client ipc max protocol', 'NT1')
|
|
+ lp.set('client ipc min protocol', 'NT1')
|
|
+
|
|
+ binding_string = ("ncacn_np:%s" % (samba.tests.env_get_var_value('SERVER')))
|
|
+ self.assertRaises(NTSTATUSError, lsa.lsarpc, binding_string, lp, creds)
|
|
diff --git a/selftest/tests.py b/selftest/tests.py
|
|
index 20981754db4..adcb5b53189 100644
|
|
--- a/selftest/tests.py
|
|
+++ b/selftest/tests.py
|
|
@@ -92,6 +92,7 @@ planpythontestsuite(
|
|
extra_path=[os.path.join(samba4srcdir, "..", "buildtools"),
|
|
os.path.join(samba4srcdir, "..", "third_party", "waf")])
|
|
planpythontestsuite("fileserver", "samba.tests.smbd_fuzztest")
|
|
+planpythontestsuite("nt4_dc_smb1", "samba.tests.dcerpc.binding")
|
|
|
|
|
|
def cmdline(script, *args):
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 141c2ebfb18be8ca2b313e900539cfa6b5927ded Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Fri, 4 Sep 2020 10:47:54 +0200
|
|
Subject: [PATCH 050/104] auth:gensec: Add gensec_security_sasl_names()
|
|
|
|
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit b34e8dc8982b625d946e2ac8794ee41311bc41c2)
|
|
---
|
|
auth/gensec/gensec.h | 2 +
|
|
auth/gensec/gensec_start.c | 87 ++++++++++++++++++++++++++++++++++++++
|
|
2 files changed, 89 insertions(+)
|
|
|
|
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
|
|
index d424067d02c..fe26fff171a 100644
|
|
--- a/auth/gensec/gensec.h
|
|
+++ b/auth/gensec/gensec.h
|
|
@@ -308,6 +308,8 @@ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx
|
|
|
|
NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
|
|
const char *sasl_name);
|
|
+const char **gensec_security_sasl_names(struct gensec_security *gensec_security,
|
|
+ TALLOC_CTX *mem_ctx);
|
|
|
|
int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value);
|
|
bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value);
|
|
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
|
|
index d2d62d6652e..4eb45643714 100644
|
|
--- a/auth/gensec/gensec_start.c
|
|
+++ b/auth/gensec/gensec_start.c
|
|
@@ -299,6 +299,93 @@ const struct gensec_security_ops *gensec_security_by_name(struct gensec_security
|
|
return NULL;
|
|
}
|
|
|
|
+static const char **gensec_security_sasl_names_from_ops(
|
|
+ struct gensec_security *gensec_security,
|
|
+ TALLOC_CTX *mem_ctx,
|
|
+ const struct gensec_security_ops * const *ops)
|
|
+{
|
|
+ const char **sasl_names = NULL;
|
|
+ size_t i, sasl_names_count = 0;
|
|
+
|
|
+ if (ops == NULL) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ sasl_names = talloc_array(mem_ctx, const char *, 1);
|
|
+ if (sasl_names == NULL) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ for (i = 0; ops[i] != NULL; i++) {
|
|
+ enum gensec_role role = GENSEC_SERVER;
|
|
+ const char **tmp = NULL;
|
|
+
|
|
+ if (ops[i]->sasl_name == NULL) {
|
|
+ continue;
|
|
+ }
|
|
+
|
|
+ if (gensec_security != NULL) {
|
|
+ if (!gensec_security_ops_enabled(ops[i],
|
|
+ gensec_security)) {
|
|
+ continue;
|
|
+ }
|
|
+
|
|
+ role = gensec_security->gensec_role;
|
|
+ }
|
|
+
|
|
+ switch (role) {
|
|
+ case GENSEC_CLIENT:
|
|
+ if (ops[i]->client_start == NULL) {
|
|
+ continue;
|
|
+ }
|
|
+ break;
|
|
+ case GENSEC_SERVER:
|
|
+ if (ops[i]->server_start == NULL) {
|
|
+ continue;
|
|
+ }
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ tmp = talloc_realloc(mem_ctx,
|
|
+ sasl_names,
|
|
+ const char *,
|
|
+ sasl_names_count + 2);
|
|
+ if (tmp == NULL) {
|
|
+ TALLOC_FREE(sasl_names);
|
|
+ return NULL;
|
|
+ }
|
|
+ sasl_names = tmp;
|
|
+
|
|
+ sasl_names[sasl_names_count] = ops[i]->sasl_name;
|
|
+ sasl_names_count++;
|
|
+ }
|
|
+ sasl_names[sasl_names_count] = NULL;
|
|
+
|
|
+ return sasl_names;
|
|
+}
|
|
+
|
|
+/**
|
|
+ * @brief Get the sasl names from the gensec security context.
|
|
+ *
|
|
+ * @param[in] gensec_security The gensec security context.
|
|
+ *
|
|
+ * @param[in] mem_ctx The memory context to allocate memory on.
|
|
+ *
|
|
+ * @return An allocated array with sasl names, NULL on error.
|
|
+ */
|
|
+_PUBLIC_
|
|
+const char **gensec_security_sasl_names(struct gensec_security *gensec_security,
|
|
+ TALLOC_CTX *mem_ctx)
|
|
+{
|
|
+ const struct gensec_security_ops **ops = NULL;
|
|
+
|
|
+ ops = gensec_security_mechs(gensec_security, mem_ctx);
|
|
+
|
|
+ return gensec_security_sasl_names_from_ops(gensec_security,
|
|
+ mem_ctx,
|
|
+ ops);
|
|
+}
|
|
+
|
|
/**
|
|
* Return a unique list of security subsystems from those specified in
|
|
* the list of SASL names.
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From b68a26966dddb4ec8a7bc7ec3441dbf03efd6af9 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Fri, 4 Sep 2020 10:48:27 +0200
|
|
Subject: [PATCH 051/104] s4:ldap_server: Use samba_server_gensec_start() in
|
|
ldapsrv_backend_Init()
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
(cherry picked from commit 5e3363e0b82193700f91a9bae5080aae0b744e5c)
|
|
---
|
|
source4/dsdb/samdb/ldb_modules/rootdse.c | 4 +-
|
|
source4/ldap_server/ldap_backend.c | 49 +++++++++++-------------
|
|
2 files changed, 25 insertions(+), 28 deletions(-)
|
|
|
|
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
|
|
index 55340fa4f1e..4be9550747c 100644
|
|
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
|
|
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
|
|
@@ -230,7 +230,7 @@ static int rootdse_add_dynamic(struct rootdse_context *ac, struct ldb_message *m
|
|
struct ldb_context *ldb;
|
|
struct rootdse_private_data *priv = talloc_get_type(ldb_module_get_private(ac->module), struct rootdse_private_data);
|
|
const char * const *attrs = ac->req->op.search.attrs;
|
|
- char **server_sasl;
|
|
+ const char **server_sasl = NULL;
|
|
const struct dsdb_schema *schema;
|
|
int *val;
|
|
struct ldb_control *edn_control;
|
|
@@ -341,7 +341,7 @@ static int rootdse_add_dynamic(struct rootdse_context *ac, struct ldb_message *m
|
|
}
|
|
|
|
server_sasl = talloc_get_type(ldb_get_opaque(ldb, "supportedSASLMechanisms"),
|
|
- char *);
|
|
+ const char *);
|
|
if (server_sasl && do_attribute(attrs, "supportedSASLMechanisms")) {
|
|
for (i = 0; server_sasl && server_sasl[i]; i++) {
|
|
char *sasl_name = talloc_strdup(msg, server_sasl[i]);
|
|
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
|
|
index 2839082daef..915d9b94f9b 100644
|
|
--- a/source4/ldap_server/ldap_backend.c
|
|
+++ b/source4/ldap_server/ldap_backend.c
|
|
@@ -33,6 +33,7 @@
|
|
#include "ldb_wrap.h"
|
|
#include "lib/tsocket/tsocket.h"
|
|
#include "libcli/ldap/ldap_proto.h"
|
|
+#include "source4/auth/auth.h"
|
|
|
|
static int map_ldb_error(TALLOC_CTX *mem_ctx, int ldb_err,
|
|
const char *add_err_string, const char **errstring)
|
|
@@ -199,37 +200,33 @@ int ldapsrv_backend_Init(struct ldapsrv_connection *conn,
|
|
}
|
|
|
|
if (conn->server_credentials) {
|
|
- char **sasl_mechs = NULL;
|
|
- const struct gensec_security_ops * const *backends = gensec_security_all();
|
|
- const struct gensec_security_ops **ops
|
|
- = gensec_use_kerberos_mechs(conn, backends, conn->server_credentials);
|
|
- unsigned int i, j = 0;
|
|
- for (i = 0; ops && ops[i]; i++) {
|
|
- if (!lpcfg_parm_bool(conn->lp_ctx, NULL, "gensec", ops[i]->name, ops[i]->enabled))
|
|
- continue;
|
|
-
|
|
- if (ops[i]->sasl_name && ops[i]->server_start) {
|
|
- char *sasl_name = talloc_strdup(conn, ops[i]->sasl_name);
|
|
-
|
|
- if (!sasl_name) {
|
|
- return LDB_ERR_OPERATIONS_ERROR;
|
|
- }
|
|
- sasl_mechs = talloc_realloc(conn, sasl_mechs, char *, j + 2);
|
|
- if (!sasl_mechs) {
|
|
- return LDB_ERR_OPERATIONS_ERROR;
|
|
- }
|
|
- sasl_mechs[j] = sasl_name;
|
|
- talloc_steal(sasl_mechs, sasl_name);
|
|
- sasl_mechs[j+1] = NULL;
|
|
- j++;
|
|
- }
|
|
+ struct gensec_security *gensec_security = NULL;
|
|
+ const char **sasl_mechs = NULL;
|
|
+ NTSTATUS status;
|
|
+
|
|
+ status = samba_server_gensec_start(conn,
|
|
+ conn->connection->event.ctx,
|
|
+ conn->connection->msg_ctx,
|
|
+ conn->lp_ctx,
|
|
+ conn->server_credentials,
|
|
+ "ldap",
|
|
+ &gensec_security);
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ DBG_ERR("samba_server_gensec_start failed: %s\n",
|
|
+ nt_errstr(status));
|
|
+ return LDB_ERR_OPERATIONS_ERROR;
|
|
}
|
|
- talloc_unlink(conn, ops);
|
|
|
|
/* ldb can have a different lifetime to conn, so we
|
|
need to ensure that sasl_mechs lives as long as the
|
|
ldb does */
|
|
- talloc_steal(conn->ldb, sasl_mechs);
|
|
+ sasl_mechs = gensec_security_sasl_names(gensec_security,
|
|
+ conn->ldb);
|
|
+ TALLOC_FREE(gensec_security);
|
|
+ if (sasl_mechs == NULL) {
|
|
+ DBG_ERR("Failed to get sasl mechs!\n");
|
|
+ return LDB_ERR_OPERATIONS_ERROR;
|
|
+ }
|
|
|
|
ldb_set_opaque(conn->ldb, "supportedSASLMechanisms", sasl_mechs);
|
|
}
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From fa5761777851f6d2ecdaa88fdea3260e42dc634c Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Fri, 4 Sep 2020 14:39:15 +0200
|
|
Subject: [PATCH 052/104] auth:gensec: Make gensec_use_kerberos_mechs() a
|
|
static function
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
(cherry picked from commit 2186d4131ad4c7961d0c830bf9d48f3d06d27924)
|
|
---
|
|
auth/gensec/gensec.h | 3 ---
|
|
auth/gensec/gensec_start.c | 7 ++++---
|
|
2 files changed, 4 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
|
|
index fe26fff171a..8bece3c3458 100644
|
|
--- a/auth/gensec/gensec.h
|
|
+++ b/auth/gensec/gensec.h
|
|
@@ -302,9 +302,6 @@ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
|
|
|
|
const struct gensec_security_ops * const *gensec_security_all(void);
|
|
bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security);
|
|
-const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
|
|
- const struct gensec_security_ops * const *old_gensec_list,
|
|
- struct cli_credentials *creds);
|
|
|
|
NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
|
|
const char *sasl_name);
|
|
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
|
|
index 4eb45643714..ebcab76999a 100644
|
|
--- a/auth/gensec/gensec_start.c
|
|
+++ b/auth/gensec/gensec_start.c
|
|
@@ -83,9 +83,10 @@ bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct g
|
|
* more compplex.
|
|
*/
|
|
|
|
-_PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
|
|
- const struct gensec_security_ops * const *old_gensec_list,
|
|
- struct cli_credentials *creds)
|
|
+static const struct gensec_security_ops **gensec_use_kerberos_mechs(
|
|
+ TALLOC_CTX *mem_ctx,
|
|
+ const struct gensec_security_ops * const *old_gensec_list,
|
|
+ struct cli_credentials *creds)
|
|
{
|
|
const struct gensec_security_ops **new_gensec_list;
|
|
int i, j, num_mechs_in;
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 3c052ba053b6fee6c97f13aca8eafe680321ded8 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Fri, 4 Sep 2020 14:41:43 +0200
|
|
Subject: [PATCH 053/104] auth:gensec: Pass use_kerberos and keep_schannel to
|
|
gensec_use_kerberos_mechs()
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
(cherry picked from commit a33a40bbc848e5691869cf264009d23a03128f31)
|
|
---
|
|
auth/gensec/gensec_start.c | 26 ++++++++++++++------------
|
|
1 file changed, 14 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
|
|
index ebcab76999a..8d1b41fec74 100644
|
|
--- a/auth/gensec/gensec_start.c
|
|
+++ b/auth/gensec/gensec_start.c
|
|
@@ -86,19 +86,11 @@ bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct g
|
|
static const struct gensec_security_ops **gensec_use_kerberos_mechs(
|
|
TALLOC_CTX *mem_ctx,
|
|
const struct gensec_security_ops * const *old_gensec_list,
|
|
- struct cli_credentials *creds)
|
|
+ enum credentials_use_kerberos use_kerberos,
|
|
+ bool keep_schannel)
|
|
{
|
|
const struct gensec_security_ops **new_gensec_list;
|
|
int i, j, num_mechs_in;
|
|
- enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
|
|
- bool keep_schannel = false;
|
|
-
|
|
- if (creds) {
|
|
- use_kerberos = cli_credentials_get_kerberos_state(creds);
|
|
- if (cli_credentials_get_netlogon_creds(creds) != NULL) {
|
|
- keep_schannel = true;
|
|
- }
|
|
- }
|
|
|
|
for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
|
|
/* noop */
|
|
@@ -163,18 +155,28 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
|
|
struct gensec_security *gensec_security,
|
|
TALLOC_CTX *mem_ctx)
|
|
{
|
|
- struct cli_credentials *creds = NULL;
|
|
const struct gensec_security_ops * const *backends = gensec_security_all();
|
|
+ enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
|
|
+ bool keep_schannel = false;
|
|
|
|
if (gensec_security != NULL) {
|
|
+ struct cli_credentials *creds = NULL;
|
|
+
|
|
creds = gensec_get_credentials(gensec_security);
|
|
+ if (creds != NULL) {
|
|
+ use_kerberos = cli_credentials_get_kerberos_state(creds);
|
|
+ if (cli_credentials_get_netlogon_creds(creds) != NULL) {
|
|
+ keep_schannel = true;
|
|
+ }
|
|
+ }
|
|
|
|
if (gensec_security->settings->backends) {
|
|
backends = gensec_security->settings->backends;
|
|
}
|
|
}
|
|
|
|
- return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
|
|
+ return gensec_use_kerberos_mechs(mem_ctx, backends,
|
|
+ use_kerberos, keep_schannel);
|
|
|
|
}
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From ec9c5e93a31763c48d5c2d0e8859d9750aa36ed1 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Fri, 4 Sep 2020 17:00:45 +0200
|
|
Subject: [PATCH 054/104] auth:gensec: If Kerberos is required, keep schannel
|
|
for machine account auth
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
(cherry picked from commit 515cffb1f20eacb041ff7b3d43f8a122a82ddfbd)
|
|
---
|
|
auth/gensec/gensec_start.c | 9 +++++++++
|
|
1 file changed, 9 insertions(+)
|
|
|
|
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
|
|
index 8d1b41fec74..3f42d611140 100644
|
|
--- a/auth/gensec/gensec_start.c
|
|
+++ b/auth/gensec/gensec_start.c
|
|
@@ -168,6 +168,15 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
|
|
if (cli_credentials_get_netlogon_creds(creds) != NULL) {
|
|
keep_schannel = true;
|
|
}
|
|
+
|
|
+ /*
|
|
+ * Even if Kerberos is set to REQUIRED, keep the
|
|
+ * schannel auth mechanism that machine accounts are
|
|
+ * able to authenticate via netlogon.
|
|
+ */
|
|
+ if (gensec_security->gensec_role == GENSEC_SERVER) {
|
|
+ keep_schannel = true;
|
|
+ }
|
|
}
|
|
|
|
if (gensec_security->settings->backends) {
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From d3f6c14e95159b4fed2034d563479607b48ee9ea Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Fri, 4 Sep 2020 12:21:21 +0200
|
|
Subject: [PATCH 055/104] auth:creds: Add cli_credentials_init_server()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit 2c00bea2aefdcc69608dffdafa7ce581d31f9354)
|
|
---
|
|
auth/credentials/credentials.c | 25 +++++++++++++++++++++++++
|
|
auth/credentials/credentials.h | 2 ++
|
|
2 files changed, 27 insertions(+)
|
|
|
|
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
|
|
index 9168b92d3ec..77c35dd104b 100644
|
|
--- a/auth/credentials/credentials.c
|
|
+++ b/auth/credentials/credentials.c
|
|
@@ -56,6 +56,31 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
|
|
return cred;
|
|
}
|
|
|
|
+_PUBLIC_
|
|
+struct cli_credentials *cli_credentials_init_server(TALLOC_CTX *mem_ctx,
|
|
+ struct loadparm_context *lp_ctx)
|
|
+{
|
|
+ struct cli_credentials *server_creds = NULL;
|
|
+ NTSTATUS status;
|
|
+
|
|
+ server_creds = cli_credentials_init(mem_ctx);
|
|
+ if (server_creds == NULL) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ cli_credentials_set_conf(server_creds, lp_ctx);
|
|
+
|
|
+ status = cli_credentials_set_machine_account(server_creds, lp_ctx);
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ DEBUG(1, ("Failed to obtain server credentials: %s\n",
|
|
+ nt_errstr(status)));
|
|
+ TALLOC_FREE(server_creds);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ return server_creds;
|
|
+}
|
|
+
|
|
_PUBLIC_ void cli_credentials_set_callback_data(struct cli_credentials *cred,
|
|
void *callback_data)
|
|
{
|
|
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
|
|
index 7d0cf53194b..438bcdce232 100644
|
|
--- a/auth/credentials/credentials.h
|
|
+++ b/auth/credentials/credentials.h
|
|
@@ -76,6 +76,8 @@ bool cli_credentials_set_workstation(struct cli_credentials *cred,
|
|
enum credentials_obtained obtained);
|
|
bool cli_credentials_is_anonymous(struct cli_credentials *cred);
|
|
struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx);
|
|
+struct cli_credentials *cli_credentials_init_server(TALLOC_CTX *mem_ctx,
|
|
+ struct loadparm_context *lp_ctx);
|
|
void cli_credentials_set_anonymous(struct cli_credentials *cred);
|
|
bool cli_credentials_wrong_password(struct cli_credentials *cred);
|
|
const char *cli_credentials_get_password(struct cli_credentials *cred);
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From b6249e4af652be9f02741ed0de59889734bff13f Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Fri, 4 Sep 2020 12:21:36 +0200
|
|
Subject: [PATCH 056/104] s4:rpc_server: Use cli_credentials_init_server()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
(cherry picked from commit 6c94ebf77fdb7383be2042f5e20ba2ef598cd4a4)
|
|
---
|
|
source4/rpc_server/dcerpc_server.c | 17 +++--------------
|
|
1 file changed, 3 insertions(+), 14 deletions(-)
|
|
|
|
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
|
|
index 084857a44bf..e64148ef788 100644
|
|
--- a/source4/rpc_server/dcerpc_server.c
|
|
+++ b/source4/rpc_server/dcerpc_server.c
|
|
@@ -673,25 +673,14 @@ NTSTATUS dcesrv_gensec_prepare(TALLOC_CTX *mem_ctx,
|
|
struct cli_credentials *server_creds = NULL;
|
|
struct imessaging_context *imsg_ctx =
|
|
dcesrv_imessaging_context(call->conn);
|
|
- NTSTATUS status;
|
|
|
|
- server_creds = cli_credentials_init(call->auth_state);
|
|
- if (!server_creds) {
|
|
+ server_creds = cli_credentials_init_server(call->auth_state,
|
|
+ call->conn->dce_ctx->lp_ctx);
|
|
+ if (server_creds == NULL) {
|
|
DEBUG(1, ("Failed to init server credentials\n"));
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
- cli_credentials_set_conf(server_creds, call->conn->dce_ctx->lp_ctx);
|
|
-
|
|
- status = cli_credentials_set_machine_account(server_creds,
|
|
- call->conn->dce_ctx->lp_ctx);
|
|
- if (!NT_STATUS_IS_OK(status)) {
|
|
- DEBUG(1, ("Failed to obtain server credentials: %s\n",
|
|
- nt_errstr(status)));
|
|
- talloc_free(server_creds);
|
|
- return status;
|
|
- }
|
|
-
|
|
return samba_server_gensec_start(mem_ctx,
|
|
call->event_ctx,
|
|
imsg_ctx,
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From b0db24f086aad67ca9e536c6c94ef413983b5586 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Mon, 7 Sep 2020 09:19:43 +0200
|
|
Subject: [PATCH 057/104] s4:smb_server: Use cli_credentials_init_server() for
|
|
negprot
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
|
|
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
|
|
Autobuild-Date(master): Mon Sep 7 13:22:26 UTC 2020 on sn-devel-184
|
|
|
|
(cherry picked from commit 0b742ec6a0558397d5cf01b99a401f8e2bc0e2e0)
|
|
---
|
|
source4/smb_server/smb/negprot.c | 28 ++++++++++++++--------------
|
|
source4/smb_server/smb2/negprot.c | 25 +++++++++++++------------
|
|
2 files changed, 27 insertions(+), 26 deletions(-)
|
|
|
|
diff --git a/source4/smb_server/smb/negprot.c b/source4/smb_server/smb/negprot.c
|
|
index a6177a72019..04b69dd9883 100644
|
|
--- a/source4/smb_server/smb/negprot.c
|
|
+++ b/source4/smb_server/smb/negprot.c
|
|
@@ -374,22 +374,22 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice)
|
|
DATA_BLOB blob = data_blob_null;
|
|
const char *oid;
|
|
NTSTATUS nt_status;
|
|
-
|
|
- server_credentials
|
|
- = cli_credentials_init(req);
|
|
- if (!server_credentials) {
|
|
- smbsrv_terminate_connection(req->smb_conn, "Failed to init server credentials\n");
|
|
- return;
|
|
- }
|
|
-
|
|
- cli_credentials_set_conf(server_credentials, req->smb_conn->lp_ctx);
|
|
- nt_status = cli_credentials_set_machine_account(server_credentials, req->smb_conn->lp_ctx);
|
|
- if (!NT_STATUS_IS_OK(nt_status)) {
|
|
- DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(nt_status)));
|
|
+
|
|
+ server_credentials =
|
|
+ cli_credentials_init_server(req, req->smb_conn->lp_ctx);
|
|
+ if (server_credentials == NULL) {
|
|
+ DBG_DEBUG("Failed to obtain server credentials, "
|
|
+ "perhaps a standalone server?\n");
|
|
/*
|
|
- * We keep the server_credentials as anonymous
|
|
- * this is required for the spoolss.notify test
|
|
+ * Create anon server credentials for for the
|
|
+ * spoolss.notify test.
|
|
*/
|
|
+ server_credentials = cli_credentials_init_anon(req);
|
|
+ if (server_credentials == NULL) {
|
|
+ smbsrv_terminate_connection(req->smb_conn,
|
|
+ "Failed to init server credentials\n");
|
|
+ return;
|
|
+ }
|
|
}
|
|
|
|
nt_status = samba_server_gensec_start(req,
|
|
diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c
|
|
index 4aaaf46793b..c433eb194bd 100644
|
|
--- a/source4/smb_server/smb2/negprot.c
|
|
+++ b/source4/smb_server/smb2/negprot.c
|
|
@@ -39,20 +39,21 @@ static NTSTATUS smb2srv_negprot_secblob(struct smb2srv_request *req, DATA_BLOB *
|
|
NTSTATUS nt_status;
|
|
struct cli_credentials *server_credentials;
|
|
|
|
- server_credentials = cli_credentials_init(req);
|
|
- if (!server_credentials) {
|
|
- smbsrv_terminate_connection(req->smb_conn, "Failed to init server credentials\n");
|
|
- return NT_STATUS_NO_MEMORY;
|
|
- }
|
|
-
|
|
- cli_credentials_set_conf(server_credentials, req->smb_conn->lp_ctx);
|
|
- nt_status = cli_credentials_set_machine_account(server_credentials, req->smb_conn->lp_ctx);
|
|
- if (!NT_STATUS_IS_OK(nt_status)) {
|
|
- DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(nt_status)));
|
|
+ server_credentials =
|
|
+ cli_credentials_init_server(req, req->smb_conn->lp_ctx);
|
|
+ if (server_credentials == NULL) {
|
|
+ DBG_DEBUG("Failed to obtain server credentials, "
|
|
+ "perhaps a standalone server?\n");
|
|
/*
|
|
- * We keep the server_credentials as anonymous
|
|
- * this is required for the spoolss.notify test
|
|
+ * Create anon server credentials for for the
|
|
+ * spoolss.notify test.
|
|
*/
|
|
+ server_credentials = cli_credentials_init_anon(req);
|
|
+ if (server_credentials == NULL) {
|
|
+ smbsrv_terminate_connection(req->smb_conn,
|
|
+ "Failed to init server credentials\n");
|
|
+ return NT_STATUS_NO_MEMORY;
|
|
+ }
|
|
}
|
|
|
|
req->smb_conn->negotiate.server_credentials = talloc_steal(req->smb_conn, server_credentials);
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 96aae2c7cf11aeaadc98e0e18f88d1c9387019a7 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 8 Sep 2020 10:15:22 +0200
|
|
Subject: [PATCH 058/104] selftest: Rename 'smb encrypt' to 'server smb
|
|
encrypt'
|
|
|
|
This makes it more clear what we want. 'smb encrypt' is a synonym for
|
|
'server smb encrypt'.
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit c75e8ff47b4d79b37240f9461ddae10a4f03c892)
|
|
---
|
|
selftest/target/Samba3.pm | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
|
index e141f102ef1..c070086ca49 100755
|
|
--- a/selftest/target/Samba3.pm
|
|
+++ b/selftest/target/Samba3.pm
|
|
@@ -1178,7 +1178,7 @@ sub setup_simpleserver
|
|
ntlm auth = yes
|
|
vfs objects = xattr_tdb streams_depot
|
|
change notify = no
|
|
- smb encrypt = off
|
|
+ server smb encrypt = off
|
|
|
|
[vfs_aio_pthread]
|
|
path = $prefix_abs/share
|
|
@@ -1245,7 +1245,7 @@ sub setup_simpleserver
|
|
[enc_desired]
|
|
path = $prefix_abs/share
|
|
vfs objects =
|
|
- smb encrypt = desired
|
|
+ server smb encrypt = desired
|
|
|
|
[hidenewfiles]
|
|
path = $prefix_abs/share
|
|
@@ -2351,7 +2351,7 @@ sub provision($$)
|
|
[tmpenc]
|
|
path = $shrdir
|
|
comment = encrypt smb username is [%U]
|
|
- smb encrypt = required
|
|
+ server smb encrypt = required
|
|
vfs objects = dirsort
|
|
[tmpguest]
|
|
path = $shrdir
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From f4d1c495b4eb8a3125812e1d1d81639afdd15c06 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 8 Sep 2020 12:30:08 +0200
|
|
Subject: [PATCH 059/104] selftest: Move enc_desired to provision to have it in
|
|
'fileserver' too
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit 1b67943f938ae774360dc3db73db940f9982243b)
|
|
---
|
|
selftest/target/Samba3.pm | 11 ++++++-----
|
|
1 file changed, 6 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
|
index c070086ca49..fa3ca8962a5 100755
|
|
--- a/selftest/target/Samba3.pm
|
|
+++ b/selftest/target/Samba3.pm
|
|
@@ -1242,11 +1242,6 @@ sub setup_simpleserver
|
|
hide files = /hidefile/
|
|
hide dot files = yes
|
|
|
|
-[enc_desired]
|
|
- path = $prefix_abs/share
|
|
- vfs objects =
|
|
- server smb encrypt = desired
|
|
-
|
|
[hidenewfiles]
|
|
path = $prefix_abs/share
|
|
hide new files timeout = 5
|
|
@@ -2833,7 +2828,13 @@ sub provision($$)
|
|
[delete_readonly]
|
|
path = $prefix_abs/share
|
|
delete readonly = yes
|
|
+
|
|
+[enc_desired]
|
|
+ path = $prefix_abs/share
|
|
+ vfs objects =
|
|
+ server smb encrypt = desired
|
|
";
|
|
+
|
|
close(CONF);
|
|
|
|
my $net = Samba::bindir_path($self, "net");
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From c69630ece0849fdca724003600f1b39d6411e194 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 8 Sep 2020 10:15:20 +0200
|
|
Subject: [PATCH 060/104] s3:tests: Add smbclient tests for 'client smb
|
|
encrypt'
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit e7577ab6cbc83b496ac091c3e425c7c7fea29cdb)
|
|
---
|
|
selftest/knownfail.d/smbclient-encryption | 2 +
|
|
selftest/target/Samba3.pm | 5 ++
|
|
.../script/tests/test_smbclient_encryption.sh | 72 +++++++++++++++++++
|
|
source3/selftest/tests.py | 6 ++
|
|
4 files changed, 85 insertions(+)
|
|
create mode 100644 selftest/knownfail.d/smbclient-encryption
|
|
create mode 100755 source3/script/tests/test_smbclient_encryption.sh
|
|
|
|
diff --git a/selftest/knownfail.d/smbclient-encryption b/selftest/knownfail.d/smbclient-encryption
|
|
new file mode 100644
|
|
index 00000000000..972096bdc8b
|
|
--- /dev/null
|
|
+++ b/selftest/knownfail.d/smbclient-encryption
|
|
@@ -0,0 +1,2 @@
|
|
+^samba3.blackbox.smbclient.encryption.smbclient.smb3.client.encrypt.required...LOCALSHARE4.enc_desired..simpleserver
|
|
+^samba3.blackbox.smbclient.encryption.smbclient.smb3.client.encrypt.required...LOCALSHARE4.tmp..simpleserver
|
|
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
|
index fa3ca8962a5..ffc19c7d5a2 100755
|
|
--- a/selftest/target/Samba3.pm
|
|
+++ b/selftest/target/Samba3.pm
|
|
@@ -2833,6 +2833,11 @@ sub provision($$)
|
|
path = $prefix_abs/share
|
|
vfs objects =
|
|
server smb encrypt = desired
|
|
+
|
|
+[enc_off]
|
|
+ path = $prefix_abs/share
|
|
+ vfs objects =
|
|
+ server smb encrypt = off
|
|
";
|
|
|
|
close(CONF);
|
|
diff --git a/source3/script/tests/test_smbclient_encryption.sh b/source3/script/tests/test_smbclient_encryption.sh
|
|
new file mode 100755
|
|
index 00000000000..9a717cdac4f
|
|
--- /dev/null
|
|
+++ b/source3/script/tests/test_smbclient_encryption.sh
|
|
@@ -0,0 +1,72 @@
|
|
+#!/bin/sh
|
|
+
|
|
+if [ $# -lt 5 ]; then
|
|
+cat <<EOF
|
|
+Usage: test_smbclient_encryption.sh USERNAME PASSWORD SERVER SMBCLIENT TARGET
|
|
+EOF
|
|
+exit 1;
|
|
+fi
|
|
+
|
|
+USERNAME="$1"
|
|
+PASSWORD="$2"
|
|
+SERVER="$3"
|
|
+SMBCLIENT="$VALGRIND $4"
|
|
+TARGET="$5"
|
|
+shift 5
|
|
+
|
|
+incdir=`dirname $0`/../../../testprogs/blackbox
|
|
+. $incdir/subunit.sh
|
|
+
|
|
+failed=0
|
|
+
|
|
+#
|
|
+# Server configuration for fileserver:
|
|
+#
|
|
+# global: 'server smb encrypt = default'
|
|
+# enc_desired: 'server smb encrypt = desired'
|
|
+# tmpenc: 'server smb encrypt = required'
|
|
+# tmp: has the global default 'server smb encrypt'
|
|
+#
|
|
+# Server configuration for simpleserver:
|
|
+#
|
|
+# global: 'server smb encrypt = off'
|
|
+# enc_desired: 'server smb encrypt = desired'
|
|
+# tmpenc: 'server smb encrypt = required'
|
|
+# tmp: has the global default 'server smb encrypt'
|
|
+#
|
|
+
|
|
+testit "smbclient.smb3.client.encrypt.desired[//$SERVER/enc_desired]" $SMBCLIENT //$SERVER/enc_desired -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=desired -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+if [ "$TARGET" = "fileserver" ]; then
|
|
+ testit "smbclient.smb3.client.encrypt.desired[//$SERVER/tmpenc]" $SMBCLIENT //$SERVER/tmpenc -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=desired -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+elif [ "$TARGET" = "simpleserver" ]; then # Encryption is globally disabled
|
|
+ testit_expect_failure "smbclient.smb3.client.encrypt.desired[//$SERVER/tmpenc]" $SMBCLIENT //$SERVER/tmpenc -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=desired -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+fi
|
|
+testit "smbclient.smb3.client.encrypt.desired[//$SERVER/tmp]" $SMBCLIENT //$SERVER/tmp -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=desired -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+
|
|
+testit "smbclient.smb3.client.encrypt.if_required[//$SERVER/enc_desired]" $SMBCLIENT //$SERVER/enc_desired -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=if_required -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+if [ "$TARGET" = "fileserver" ]; then
|
|
+ testit "smbclient.smb3.client.encrypt.if_required[//$SERVER/tmpenc]" $SMBCLIENT //$SERVER/tmpenc -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=if_required -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+elif [ "$TARGET" = "simpleserver" ]; then # Encryption is globally disabled
|
|
+ testit_expect_failure "smbclient.smb3.client.encrypt.if_required[//$SERVER/tmpenc]" $SMBCLIENT //$SERVER/tmpenc -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=if_required -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+fi
|
|
+testit "smbclient.smb3.client.encrypt.if_required[//$SERVER/tmp]" $SMBCLIENT //$SERVER/tmp -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=if_required -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+
|
|
+if [ "$TARGET" = "fileserver" ]; then
|
|
+ testit "smbclient.smb3.client.encrypt.required[//$SERVER/enc_desired]" $SMBCLIENT //$SERVER/enc_desired -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=required -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+ testit "smbclient.smb3.client.encrypt.required[//$SERVER/tmpenc]" $SMBCLIENT //$SERVER/tmpenc -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=required -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+ testit "smbclient.smb3.client.encrypt.required[//$SERVER/tmp]" $SMBCLIENT //$SERVER/tmp -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=required -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+elif [ "$TARGET" = "simpleserver" ]; then # Encryption is globally disabled
|
|
+ testit_expect_failure "smbclient.smb3.client.encrypt.required[//$SERVER/enc_desired]" $SMBCLIENT //$SERVER/enc_desired -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=required -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+ testit_expect_failure "smbclient.smb3.client.encrypt.required[//$SERVER/tmpenc]" $SMBCLIENT //$SERVER/tmpenc -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=required -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+ testit_expect_failure "smbclient.smb3.client.encrypt.required[//$SERVER/tmp]" $SMBCLIENT //$SERVER/tmp -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=required -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+fi
|
|
+
|
|
+testit "smbclient.smb3.client.encrypt.off[//$SERVER/enc_desired]" $SMBCLIENT //$SERVER/enc_desired -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=off -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+if [ "$TARGET" = "fileserver" ]; then
|
|
+ testit "smbclient.smb3.client.encrypt.off[//$SERVER/tmpenc]" $SMBCLIENT //$SERVER/tmpenc -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=off -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+elif [ "$TARGET" = "simpleserver" ]; then # Encryption is globally disabled
|
|
+ testit_expect_failure "smbclient.smb3.client.encrypt.off[//$SERVER/tmpenc]" $SMBCLIENT //$SERVER/tmpenc -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=off -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+fi
|
|
+testit "smbclient.smb3.client.encrypt.off[//$SERVER/tmp]" $SMBCLIENT //$SERVER/tmp -U$USERNAME%$PASSWORD -mSMB3 --option=clientsmbencrypt=off -c 'ls; quit' || failed=`expr $failed + 1`
|
|
+
|
|
+testok $0 $failed
|
|
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
|
|
index 27dc7587b17..46bf274227c 100755
|
|
--- a/source3/selftest/tests.py
|
|
+++ b/source3/selftest/tests.py
|
|
@@ -1040,6 +1040,12 @@ plantestsuite("samba3.blackbox.smbclient.encryption_off", "simpleserver",
|
|
"$USERNAME", "$PASSWORD", "$SERVER",
|
|
smbclient3])
|
|
|
|
+for env in ['fileserver', 'simpleserver']:
|
|
+ plantestsuite("samba3.blackbox.smbclient.encryption", env,
|
|
+ [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"),
|
|
+ "$USERNAME", "$PASSWORD", "$SERVER",
|
|
+ smbclient3, env])
|
|
+
|
|
plantestsuite("samba3.blackbox.rpcclient_netsessenum", "ad_member",
|
|
[os.path.join(samba3srcdir,
|
|
"script/tests/test_rpcclient_netsessenum.sh"),
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 5b15d0dd8783b8431e3d3913ee129b6e0f111de7 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 27 Aug 2020 15:19:27 +0200
|
|
Subject: [PATCH 061/104] s3:client: Remove global smb_encrypt
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit 1189b20cb7ea09cfed5c246cf977442a51ef72cb)
|
|
---
|
|
source3/client/client.c | 25 ++++++++++++++++---------
|
|
1 file changed, 16 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/source3/client/client.c b/source3/client/client.c
|
|
index 56309efcea7..60d4fb3c5ee 100644
|
|
--- a/source3/client/client.c
|
|
+++ b/source3/client/client.c
|
|
@@ -96,9 +96,6 @@ static unsigned int put_total_time_ms = 0;
|
|
/* totals globals */
|
|
static double dir_total;
|
|
|
|
-/* encrypted state. */
|
|
-static bool smb_encrypt;
|
|
-
|
|
/* root cli_state connection */
|
|
|
|
struct cli_state *cli;
|
|
@@ -2758,7 +2755,7 @@ static int cmd_posix_encrypt(void)
|
|
d_printf("posix_encrypt failed with error %s\n", nt_errstr(status));
|
|
} else {
|
|
d_printf("encryption on\n");
|
|
- smb_encrypt = true;
|
|
+ set_cmdline_auth_info_smb_encrypt(popt_get_cmdline_auth_info());
|
|
}
|
|
|
|
return 0;
|
|
@@ -5283,6 +5280,9 @@ int cmd_iosize(void)
|
|
TALLOC_CTX *ctx = talloc_tos();
|
|
char *buf;
|
|
int iosize;
|
|
+ bool smb_encrypt =
|
|
+ get_cmdline_auth_info_smb_encrypt(
|
|
+ popt_get_cmdline_auth_info());
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL)) {
|
|
if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
|
|
@@ -5546,6 +5546,9 @@ static int process_command_string(const char *cmd_in)
|
|
TALLOC_CTX *ctx = talloc_tos();
|
|
char *cmd = talloc_strdup(ctx, cmd_in);
|
|
int rc = 0;
|
|
+ bool smb_encrypt =
|
|
+ get_cmdline_auth_info_smb_encrypt(
|
|
+ popt_get_cmdline_auth_info());
|
|
|
|
if (!cmd) {
|
|
return 1;
|
|
@@ -5999,6 +6002,9 @@ static int process(const char *base_directory)
|
|
{
|
|
int rc = 0;
|
|
NTSTATUS status;
|
|
+ bool smb_encrypt =
|
|
+ get_cmdline_auth_info_smb_encrypt(
|
|
+ popt_get_cmdline_auth_info());
|
|
|
|
status = cli_cm_open(talloc_tos(), NULL,
|
|
desthost,
|
|
@@ -6037,6 +6043,9 @@ static int process(const char *base_directory)
|
|
static int do_host_query(const char *query_host)
|
|
{
|
|
NTSTATUS status;
|
|
+ bool smb_encrypt =
|
|
+ get_cmdline_auth_info_smb_encrypt(
|
|
+ popt_get_cmdline_auth_info());
|
|
|
|
status = cli_cm_open(talloc_tos(), NULL,
|
|
query_host,
|
|
@@ -6114,6 +6123,9 @@ static int do_tar_op(const char *base_directory)
|
|
{
|
|
struct tar *tar_ctx = tar_get_ctx();
|
|
int ret = 0;
|
|
+ bool smb_encrypt =
|
|
+ get_cmdline_auth_info_smb_encrypt(
|
|
+ popt_get_cmdline_auth_info());
|
|
|
|
/* do we already have a connection? */
|
|
if (!cli) {
|
|
@@ -6459,9 +6471,6 @@ int main(int argc,char *argv[])
|
|
case 'q':
|
|
quiet=true;
|
|
break;
|
|
- case 'e':
|
|
- smb_encrypt=true;
|
|
- break;
|
|
case 'B':
|
|
return(do_smb_browse());
|
|
|
|
@@ -6531,8 +6540,6 @@ int main(int argc,char *argv[])
|
|
|
|
/* Ensure we have a password (or equivalent). */
|
|
popt_common_credentials_post();
|
|
- smb_encrypt = get_cmdline_auth_info_smb_encrypt(
|
|
- popt_get_cmdline_auth_info());
|
|
|
|
max_protocol = lp_client_max_protocol();
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 1c461fb323ba59539c8dab2547032bdb48c60178 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 27 Aug 2020 15:24:27 +0200
|
|
Subject: [PATCH 062/104] s3:libsmb: Remove force_encrypt from cli_cm_open()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit a9fbc8dae878ddfa54153e91cc1128c307816b76)
|
|
---
|
|
source3/client/client.c | 21 ++++-----------------
|
|
source3/lib/netapi/cm.c | 1 -
|
|
source3/libsmb/clidfs.c | 4 ++--
|
|
source3/libsmb/proto.h | 1 -
|
|
4 files changed, 6 insertions(+), 21 deletions(-)
|
|
|
|
diff --git a/source3/client/client.c b/source3/client/client.c
|
|
index 60d4fb3c5ee..3a610086511 100644
|
|
--- a/source3/client/client.c
|
|
+++ b/source3/client/client.c
|
|
@@ -5546,9 +5546,6 @@ static int process_command_string(const char *cmd_in)
|
|
TALLOC_CTX *ctx = talloc_tos();
|
|
char *cmd = talloc_strdup(ctx, cmd_in);
|
|
int rc = 0;
|
|
- bool smb_encrypt =
|
|
- get_cmdline_auth_info_smb_encrypt(
|
|
- popt_get_cmdline_auth_info());
|
|
|
|
if (!cmd) {
|
|
return 1;
|
|
@@ -5561,7 +5558,6 @@ static int process_command_string(const char *cmd_in)
|
|
status = cli_cm_open(talloc_tos(), NULL,
|
|
desthost,
|
|
service, popt_get_cmdline_auth_info(),
|
|
- smb_encrypt,
|
|
max_protocol,
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type,
|
|
@@ -6002,14 +5998,11 @@ static int process(const char *base_directory)
|
|
{
|
|
int rc = 0;
|
|
NTSTATUS status;
|
|
- bool smb_encrypt =
|
|
- get_cmdline_auth_info_smb_encrypt(
|
|
- popt_get_cmdline_auth_info());
|
|
|
|
status = cli_cm_open(talloc_tos(), NULL,
|
|
desthost,
|
|
service, popt_get_cmdline_auth_info(),
|
|
- smb_encrypt, max_protocol,
|
|
+ max_protocol,
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type, &cli);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
@@ -6043,14 +6036,11 @@ static int process(const char *base_directory)
|
|
static int do_host_query(const char *query_host)
|
|
{
|
|
NTSTATUS status;
|
|
- bool smb_encrypt =
|
|
- get_cmdline_auth_info_smb_encrypt(
|
|
- popt_get_cmdline_auth_info());
|
|
|
|
status = cli_cm_open(talloc_tos(), NULL,
|
|
query_host,
|
|
"IPC$", popt_get_cmdline_auth_info(),
|
|
- smb_encrypt, max_protocol,
|
|
+ max_protocol,
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type, &cli);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
@@ -6097,7 +6087,7 @@ static int do_host_query(const char *query_host)
|
|
status = cli_cm_open(talloc_tos(), NULL,
|
|
query_host,
|
|
"IPC$", popt_get_cmdline_auth_info(),
|
|
- smb_encrypt, max_proto,
|
|
+ max_proto,
|
|
have_ip ? &dest_ss : NULL, NBT_SMB_PORT,
|
|
name_type, &cli);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
@@ -6123,9 +6113,6 @@ static int do_tar_op(const char *base_directory)
|
|
{
|
|
struct tar *tar_ctx = tar_get_ctx();
|
|
int ret = 0;
|
|
- bool smb_encrypt =
|
|
- get_cmdline_auth_info_smb_encrypt(
|
|
- popt_get_cmdline_auth_info());
|
|
|
|
/* do we already have a connection? */
|
|
if (!cli) {
|
|
@@ -6134,7 +6121,7 @@ static int do_tar_op(const char *base_directory)
|
|
status = cli_cm_open(talloc_tos(), NULL,
|
|
desthost,
|
|
service, popt_get_cmdline_auth_info(),
|
|
- smb_encrypt, max_protocol,
|
|
+ max_protocol,
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type, &cli);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
|
|
index 1b8f2a4e97a..0fd31ef3d5a 100644
|
|
--- a/source3/lib/netapi/cm.c
|
|
+++ b/source3/lib/netapi/cm.c
|
|
@@ -110,7 +110,6 @@ static WERROR libnetapi_open_ipc_connection(struct libnetapi_ctx *ctx,
|
|
status = cli_cm_open(ctx, NULL,
|
|
server_name, "IPC$",
|
|
auth_info,
|
|
- false,
|
|
lp_client_ipc_max_protocol(),
|
|
NULL, 0, 0x20, &cli_ipc);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
|
index aff998f6187..4825b8f3fae 100644
|
|
--- a/source3/libsmb/clidfs.c
|
|
+++ b/source3/libsmb/clidfs.c
|
|
@@ -383,7 +383,6 @@ NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
const char *server,
|
|
const char *share,
|
|
const struct user_auth_info *auth_info,
|
|
- bool force_encrypt,
|
|
int max_protocol,
|
|
const struct sockaddr_storage *dest_ss,
|
|
int port,
|
|
@@ -393,6 +392,8 @@ NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
/* Try to reuse an existing connection in this list. */
|
|
struct cli_state *c = cli_cm_find(referring_cli, server, share);
|
|
NTSTATUS status;
|
|
+ bool force_encrypt =
|
|
+ get_cmdline_auth_info_smb_encrypt(auth_info);
|
|
|
|
if (c) {
|
|
*pcli = c;
|
|
@@ -962,7 +963,6 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
|
|
smbXcli_conn_remote_name(rootcli->conn),
|
|
"IPC$",
|
|
dfs_auth_info,
|
|
- cli_state_is_encryption_on(rootcli),
|
|
smbXcli_conn_protocol(rootcli->conn),
|
|
NULL, /* dest_ss not needed, we reuse the transport */
|
|
0,
|
|
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
|
|
index eeabcaa7463..bb3e9e6874e 100644
|
|
--- a/source3/libsmb/proto.h
|
|
+++ b/source3/libsmb/proto.h
|
|
@@ -128,7 +128,6 @@ NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
const char *server,
|
|
const char *share,
|
|
const struct user_auth_info *auth_info,
|
|
- bool force_encrypt,
|
|
int max_protocol,
|
|
const struct sockaddr_storage *dest_ss,
|
|
int port,
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 411587b7301ec115398e430bcac16c5a22bdfe41 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 27 Aug 2020 15:26:39 +0200
|
|
Subject: [PATCH 063/104] s3:libsmb: Remove force_encrypt from cli_cm_connect()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit d27e237cf37fb254646d94827935d9c302c379ff)
|
|
---
|
|
source3/libsmb/clidfs.c | 7 ++-----
|
|
1 file changed, 2 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
|
index 4825b8f3fae..b0032005398 100644
|
|
--- a/source3/libsmb/clidfs.c
|
|
+++ b/source3/libsmb/clidfs.c
|
|
@@ -287,7 +287,6 @@ static NTSTATUS cli_cm_connect(TALLOC_CTX *ctx,
|
|
const char *server,
|
|
const char *share,
|
|
const struct user_auth_info *auth_info,
|
|
- bool force_encrypt,
|
|
int max_protocol,
|
|
const struct sockaddr_storage *dest_ss,
|
|
int port,
|
|
@@ -296,6 +295,8 @@ static NTSTATUS cli_cm_connect(TALLOC_CTX *ctx,
|
|
{
|
|
struct cli_state *cli = NULL;
|
|
NTSTATUS status;
|
|
+ bool force_encrypt =
|
|
+ get_cmdline_auth_info_smb_encrypt(auth_info);
|
|
|
|
status = do_connect(ctx, server, share,
|
|
auth_info,
|
|
@@ -392,8 +393,6 @@ NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
/* Try to reuse an existing connection in this list. */
|
|
struct cli_state *c = cli_cm_find(referring_cli, server, share);
|
|
NTSTATUS status;
|
|
- bool force_encrypt =
|
|
- get_cmdline_auth_info_smb_encrypt(auth_info);
|
|
|
|
if (c) {
|
|
*pcli = c;
|
|
@@ -414,7 +413,6 @@ NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
server,
|
|
share,
|
|
auth_info,
|
|
- force_encrypt,
|
|
max_protocol,
|
|
dest_ss,
|
|
port,
|
|
@@ -1020,7 +1018,6 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
|
|
dfs_refs[count].server,
|
|
dfs_refs[count].share,
|
|
dfs_auth_info,
|
|
- cli_state_is_encryption_on(rootcli),
|
|
smbXcli_conn_protocol(rootcli->conn),
|
|
NULL, /* dest_ss */
|
|
0, /* port */
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From af532caa1ba9727663abf17465b04768c6f7173e Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 27 Aug 2020 15:28:28 +0200
|
|
Subject: [PATCH 064/104] s3:libsmb: Remove force_encrypt from clidfs
|
|
do_connect()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit 615a9a68166bdeb0ab7dbacf395c6125ec70f288)
|
|
---
|
|
source3/libsmb/clidfs.c | 9 ++++-----
|
|
1 file changed, 4 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
|
index b0032005398..5503506de97 100644
|
|
--- a/source3/libsmb/clidfs.c
|
|
+++ b/source3/libsmb/clidfs.c
|
|
@@ -107,7 +107,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
|
const char *server,
|
|
const char *share,
|
|
const struct user_auth_info *auth_info,
|
|
- bool force_encrypt,
|
|
int max_protocol,
|
|
const struct sockaddr_storage *dest_ss,
|
|
int port,
|
|
@@ -123,6 +122,8 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
|
enum protocol_types protocol = PROTOCOL_NONE;
|
|
int signing_state = get_cmdline_auth_info_signing_state(auth_info);
|
|
struct cli_credentials *creds = NULL;
|
|
+ bool force_encrypt =
|
|
+ get_cmdline_auth_info_smb_encrypt(auth_info);
|
|
|
|
if (force_encrypt) {
|
|
signing_state = SMB_SIGNING_REQUIRED;
|
|
@@ -233,7 +234,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
|
cli_shutdown(c);
|
|
return do_connect(ctx, newserver,
|
|
newshare, auth_info,
|
|
- force_encrypt, max_protocol,
|
|
+ max_protocol,
|
|
NULL, port, name_type, pcli);
|
|
}
|
|
|
|
@@ -295,12 +296,10 @@ static NTSTATUS cli_cm_connect(TALLOC_CTX *ctx,
|
|
{
|
|
struct cli_state *cli = NULL;
|
|
NTSTATUS status;
|
|
- bool force_encrypt =
|
|
- get_cmdline_auth_info_smb_encrypt(auth_info);
|
|
|
|
status = do_connect(ctx, server, share,
|
|
auth_info,
|
|
- force_encrypt, max_protocol,
|
|
+ max_protocol,
|
|
dest_ss, port, name_type, &cli);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 918aa81d36bcd8b28fa98deadd811b8602fb3f6d Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 27 Aug 2020 15:52:11 +0200
|
|
Subject: [PATCH 065/104] s3:libsmb: Remove force_encrypt from
|
|
cli_check_msdfs_proxy()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit 4ddec1ca257fff418847c5d1e83a3fb7cb5ade1a)
|
|
---
|
|
source3/libsmb/clidfs.c | 17 ++++++++++++-----
|
|
source3/libsmb/libsmb_server.c | 4 ----
|
|
source3/libsmb/proto.h | 1 -
|
|
3 files changed, 12 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
|
index 5503506de97..736c565a7a8 100644
|
|
--- a/source3/libsmb/clidfs.c
|
|
+++ b/source3/libsmb/clidfs.c
|
|
@@ -230,7 +230,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
|
if (smbXcli_conn_dfs_supported(c->conn) &&
|
|
cli_check_msdfs_proxy(ctx, c, sharename,
|
|
&newserver, &newshare,
|
|
- force_encrypt, creds)) {
|
|
+ creds)) {
|
|
cli_shutdown(c);
|
|
return do_connect(ctx, newserver,
|
|
newshare, auth_info,
|
|
@@ -1176,7 +1176,6 @@ bool cli_check_msdfs_proxy(TALLOC_CTX *ctx,
|
|
const char *sharename,
|
|
char **pp_newserver,
|
|
char **pp_newshare,
|
|
- bool force_encrypt,
|
|
struct cli_credentials *creds)
|
|
{
|
|
struct client_dfs_referral *refs = NULL;
|
|
@@ -1188,6 +1187,8 @@ bool cli_check_msdfs_proxy(TALLOC_CTX *ctx,
|
|
char *newextrapath = NULL;
|
|
NTSTATUS status;
|
|
const char *remote_name;
|
|
+ enum smb_encryption_setting encryption_state =
|
|
+ cli_credentials_get_smb_encryption(creds);
|
|
|
|
if (!cli || !sharename) {
|
|
return false;
|
|
@@ -1223,11 +1224,17 @@ bool cli_check_msdfs_proxy(TALLOC_CTX *ctx,
|
|
return false;
|
|
}
|
|
|
|
- if (force_encrypt) {
|
|
+ if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
|
|
status = cli_cm_force_encryption_creds(cli, creds, "IPC$");
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
- cli_state_restore_tcon(cli, orig_tcon);
|
|
- return false;
|
|
+ switch (encryption_state) {
|
|
+ case SMB_ENCRYPTION_DESIRED:
|
|
+ break;
|
|
+ case SMB_ENCRYPTION_REQUIRED:
|
|
+ default:
|
|
+ cli_state_restore_tcon(cli, orig_tcon);
|
|
+ return false;
|
|
+ }
|
|
}
|
|
}
|
|
|
|
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
|
|
index eb58d7c6ac9..5a1055ba773 100644
|
|
--- a/source3/libsmb/libsmb_server.c
|
|
+++ b/source3/libsmb/libsmb_server.c
|
|
@@ -587,10 +587,6 @@ SMBC_server_internal(TALLOC_CTX *ctx,
|
|
if (smbXcli_conn_dfs_supported(c->conn) &&
|
|
cli_check_msdfs_proxy(ctx, c, share,
|
|
&newserver, &newshare,
|
|
- /* FIXME: cli_check_msdfs_proxy() does
|
|
- not support smbc_smb_encrypt_level type */
|
|
- context->internal->smb_encryption_level ?
|
|
- true : false,
|
|
creds)) {
|
|
cli_shutdown(c);
|
|
srv = SMBC_server_internal(ctx, context, connect_if_not_found,
|
|
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
|
|
index bb3e9e6874e..f2b0a8c5ff8 100644
|
|
--- a/source3/libsmb/proto.h
|
|
+++ b/source3/libsmb/proto.h
|
|
@@ -161,7 +161,6 @@ bool cli_check_msdfs_proxy(TALLOC_CTX *ctx,
|
|
const char *sharename,
|
|
char **pp_newserver,
|
|
char **pp_newshare,
|
|
- bool force_encrypt,
|
|
struct cli_credentials *creds);
|
|
|
|
/* The following definitions come from libsmb/clientgen.c */
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 00bba24fda3f117eced7f306d5d4019f14595d38 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 18 Aug 2020 17:15:09 +0200
|
|
Subject: [PATCH 066/104] s3:libsmb: Pass cli_credentials to clidfs
|
|
do_connect()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit 276563de06f2071ec2ed9a8b73f92215ab621bba)
|
|
---
|
|
selftest/knownfail.d/smbclient-encryption | 2 --
|
|
source3/libsmb/clidfs.c | 34 +++++++++++++----------
|
|
2 files changed, 20 insertions(+), 16 deletions(-)
|
|
delete mode 100644 selftest/knownfail.d/smbclient-encryption
|
|
|
|
diff --git a/selftest/knownfail.d/smbclient-encryption b/selftest/knownfail.d/smbclient-encryption
|
|
deleted file mode 100644
|
|
index 972096bdc8b..00000000000
|
|
--- a/selftest/knownfail.d/smbclient-encryption
|
|
+++ /dev/null
|
|
@@ -1,2 +0,0 @@
|
|
-^samba3.blackbox.smbclient.encryption.smbclient.smb3.client.encrypt.required...LOCALSHARE4.enc_desired..simpleserver
|
|
-^samba3.blackbox.smbclient.encryption.smbclient.smb3.client.encrypt.required...LOCALSHARE4.tmp..simpleserver
|
|
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
|
index 736c565a7a8..d536e0597af 100644
|
|
--- a/source3/libsmb/clidfs.c
|
|
+++ b/source3/libsmb/clidfs.c
|
|
@@ -106,7 +106,7 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
|
|
static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
|
const char *server,
|
|
const char *share,
|
|
- const struct user_auth_info *auth_info,
|
|
+ struct cli_credentials *creds,
|
|
int max_protocol,
|
|
const struct sockaddr_storage *dest_ss,
|
|
int port,
|
|
@@ -120,12 +120,12 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
|
NTSTATUS status;
|
|
int flags = 0;
|
|
enum protocol_types protocol = PROTOCOL_NONE;
|
|
- int signing_state = get_cmdline_auth_info_signing_state(auth_info);
|
|
- struct cli_credentials *creds = NULL;
|
|
- bool force_encrypt =
|
|
- get_cmdline_auth_info_smb_encrypt(auth_info);
|
|
+ enum smb_signing_setting signing_state =
|
|
+ cli_credentials_get_smb_signing(creds);
|
|
+ enum smb_encryption_setting encryption_state =
|
|
+ cli_credentials_get_smb_encryption(creds);
|
|
|
|
- if (force_encrypt) {
|
|
+ if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
|
|
signing_state = SMB_SIGNING_REQUIRED;
|
|
}
|
|
|
|
@@ -192,13 +192,12 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
|
smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS);
|
|
}
|
|
|
|
- creds = get_cmdline_auth_info_creds(auth_info);
|
|
-
|
|
status = cli_session_setup_creds(c, creds);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
/* If a password was not supplied then
|
|
* try again with a null username. */
|
|
- if (force_encrypt || smbXcli_conn_signing_mandatory(c->conn) ||
|
|
+ if (encryption_state == SMB_ENCRYPTION_REQUIRED ||
|
|
+ smbXcli_conn_signing_mandatory(c->conn) ||
|
|
cli_credentials_authentication_requested(creds) ||
|
|
cli_credentials_is_anonymous(creds) ||
|
|
!NT_STATUS_IS_OK(status = cli_session_setup_anon(c)))
|
|
@@ -233,7 +232,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
|
creds)) {
|
|
cli_shutdown(c);
|
|
return do_connect(ctx, newserver,
|
|
- newshare, auth_info,
|
|
+ newshare, creds,
|
|
max_protocol,
|
|
NULL, port, name_type, pcli);
|
|
}
|
|
@@ -247,13 +246,19 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
|
return status;
|
|
}
|
|
|
|
- if (force_encrypt) {
|
|
+ if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
|
|
status = cli_cm_force_encryption_creds(c,
|
|
creds,
|
|
sharename);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
- cli_shutdown(c);
|
|
- return status;
|
|
+ switch (encryption_state) {
|
|
+ case SMB_ENCRYPTION_DESIRED:
|
|
+ break;
|
|
+ case SMB_ENCRYPTION_REQUIRED:
|
|
+ default:
|
|
+ cli_shutdown(c);
|
|
+ return status;
|
|
+ }
|
|
}
|
|
}
|
|
|
|
@@ -295,10 +300,11 @@ static NTSTATUS cli_cm_connect(TALLOC_CTX *ctx,
|
|
struct cli_state **pcli)
|
|
{
|
|
struct cli_state *cli = NULL;
|
|
+ struct cli_credentials *creds = get_cmdline_auth_info_creds(auth_info);
|
|
NTSTATUS status;
|
|
|
|
status = do_connect(ctx, server, share,
|
|
- auth_info,
|
|
+ creds,
|
|
max_protocol,
|
|
dest_ss, port, name_type, &cli);
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 0dfe1d347c131b66172d324a5a16336875b24d50 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 18 Aug 2020 17:18:16 +0200
|
|
Subject: [PATCH 067/104] s3:libsmb: Pass cli_credentials to cli_cm_connect()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit c8349111243fec81a2b95484e56a6d6bebaba80e)
|
|
---
|
|
source3/libsmb/clidfs.c | 9 +++++----
|
|
1 file changed, 5 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
|
index d536e0597af..a2c6f5fe5ec 100644
|
|
--- a/source3/libsmb/clidfs.c
|
|
+++ b/source3/libsmb/clidfs.c
|
|
@@ -292,7 +292,7 @@ static NTSTATUS cli_cm_connect(TALLOC_CTX *ctx,
|
|
struct cli_state *referring_cli,
|
|
const char *server,
|
|
const char *share,
|
|
- const struct user_auth_info *auth_info,
|
|
+ struct cli_credentials *creds,
|
|
int max_protocol,
|
|
const struct sockaddr_storage *dest_ss,
|
|
int port,
|
|
@@ -300,7 +300,6 @@ static NTSTATUS cli_cm_connect(TALLOC_CTX *ctx,
|
|
struct cli_state **pcli)
|
|
{
|
|
struct cli_state *cli = NULL;
|
|
- struct cli_credentials *creds = get_cmdline_auth_info_creds(auth_info);
|
|
NTSTATUS status;
|
|
|
|
status = do_connect(ctx, server, share,
|
|
@@ -397,6 +396,7 @@ NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
{
|
|
/* Try to reuse an existing connection in this list. */
|
|
struct cli_state *c = cli_cm_find(referring_cli, server, share);
|
|
+ struct cli_credentials *creds = get_cmdline_auth_info_creds(auth_info);
|
|
NTSTATUS status;
|
|
|
|
if (c) {
|
|
@@ -417,7 +417,7 @@ NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
referring_cli,
|
|
server,
|
|
share,
|
|
- auth_info,
|
|
+ creds,
|
|
max_protocol,
|
|
dest_ss,
|
|
port,
|
|
@@ -886,6 +886,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
|
|
struct smbXcli_tcon *root_tcon = NULL;
|
|
struct smbXcli_tcon *target_tcon = NULL;
|
|
struct cli_dfs_path_split *dfs_refs = NULL;
|
|
+ struct cli_credentials *creds = get_cmdline_auth_info_creds(dfs_auth_info);
|
|
|
|
if ( !rootcli || !path || !targetcli ) {
|
|
return NT_STATUS_INVALID_PARAMETER;
|
|
@@ -1022,7 +1023,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
|
|
status = cli_cm_connect(ctx, rootcli,
|
|
dfs_refs[count].server,
|
|
dfs_refs[count].share,
|
|
- dfs_auth_info,
|
|
+ creds,
|
|
smbXcli_conn_protocol(rootcli->conn),
|
|
NULL, /* dest_ss */
|
|
0, /* port */
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From baf5499376658651aa03ba864e6541e2daf06b3a Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 18 Aug 2020 17:26:54 +0200
|
|
Subject: [PATCH 068/104] s3:libsmb: Pass cli_credentials to cli_cm_open()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit df1623abd7267916696e2e60c146ef8fa6c9dfc9)
|
|
---
|
|
source3/client/client.c | 23 ++++++++++++++++++-----
|
|
source3/lib/netapi/cm.c | 4 +++-
|
|
source3/libsmb/clidfs.c | 25 ++++++++++++-------------
|
|
source3/libsmb/proto.h | 18 +++++++++---------
|
|
4 files changed, 42 insertions(+), 28 deletions(-)
|
|
|
|
diff --git a/source3/client/client.c b/source3/client/client.c
|
|
index 3a610086511..c54b5065b44 100644
|
|
--- a/source3/client/client.c
|
|
+++ b/source3/client/client.c
|
|
@@ -5546,6 +5546,8 @@ static int process_command_string(const char *cmd_in)
|
|
TALLOC_CTX *ctx = talloc_tos();
|
|
char *cmd = talloc_strdup(ctx, cmd_in);
|
|
int rc = 0;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
|
|
if (!cmd) {
|
|
return 1;
|
|
@@ -5557,7 +5559,8 @@ static int process_command_string(const char *cmd_in)
|
|
|
|
status = cli_cm_open(talloc_tos(), NULL,
|
|
desthost,
|
|
- service, popt_get_cmdline_auth_info(),
|
|
+ service,
|
|
+ creds,
|
|
max_protocol,
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type,
|
|
@@ -5998,10 +6001,13 @@ static int process(const char *base_directory)
|
|
{
|
|
int rc = 0;
|
|
NTSTATUS status;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
|
|
status = cli_cm_open(talloc_tos(), NULL,
|
|
desthost,
|
|
- service, popt_get_cmdline_auth_info(),
|
|
+ service,
|
|
+ creds,
|
|
max_protocol,
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type, &cli);
|
|
@@ -6036,10 +6042,13 @@ static int process(const char *base_directory)
|
|
static int do_host_query(const char *query_host)
|
|
{
|
|
NTSTATUS status;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
|
|
status = cli_cm_open(talloc_tos(), NULL,
|
|
query_host,
|
|
- "IPC$", popt_get_cmdline_auth_info(),
|
|
+ "IPC$",
|
|
+ creds,
|
|
max_protocol,
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type, &cli);
|
|
@@ -6086,7 +6095,8 @@ static int do_host_query(const char *query_host)
|
|
d_printf("Reconnecting with SMB1 for workgroup listing.\n");
|
|
status = cli_cm_open(talloc_tos(), NULL,
|
|
query_host,
|
|
- "IPC$", popt_get_cmdline_auth_info(),
|
|
+ "IPC$",
|
|
+ creds,
|
|
max_proto,
|
|
have_ip ? &dest_ss : NULL, NBT_SMB_PORT,
|
|
name_type, &cli);
|
|
@@ -6113,6 +6123,8 @@ static int do_tar_op(const char *base_directory)
|
|
{
|
|
struct tar *tar_ctx = tar_get_ctx();
|
|
int ret = 0;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
|
|
/* do we already have a connection? */
|
|
if (!cli) {
|
|
@@ -6120,7 +6132,8 @@ static int do_tar_op(const char *base_directory)
|
|
|
|
status = cli_cm_open(talloc_tos(), NULL,
|
|
desthost,
|
|
- service, popt_get_cmdline_auth_info(),
|
|
+ service,
|
|
+ creds,
|
|
max_protocol,
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type, &cli);
|
|
diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
|
|
index 0fd31ef3d5a..943f7498e8c 100644
|
|
--- a/source3/lib/netapi/cm.c
|
|
+++ b/source3/lib/netapi/cm.c
|
|
@@ -71,6 +71,7 @@ static WERROR libnetapi_open_ipc_connection(struct libnetapi_ctx *ctx,
|
|
struct cli_state *cli_ipc = NULL;
|
|
struct client_ipc_connection *p;
|
|
NTSTATUS status;
|
|
+ struct cli_credentials *creds = NULL;
|
|
|
|
if (!ctx || !pp || !server_name) {
|
|
return WERR_INVALID_PARAMETER;
|
|
@@ -106,10 +107,11 @@ static WERROR libnetapi_open_ipc_connection(struct libnetapi_ctx *ctx,
|
|
if (ctx->use_ccache) {
|
|
set_cmdline_auth_info_use_ccache(auth_info, true);
|
|
}
|
|
+ creds = get_cmdline_auth_info_creds(auth_info);
|
|
|
|
status = cli_cm_open(ctx, NULL,
|
|
server_name, "IPC$",
|
|
- auth_info,
|
|
+ creds,
|
|
lp_client_ipc_max_protocol(),
|
|
NULL, 0, 0x20, &cli_ipc);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
|
index a2c6f5fe5ec..ef75fb36a45 100644
|
|
--- a/source3/libsmb/clidfs.c
|
|
+++ b/source3/libsmb/clidfs.c
|
|
@@ -384,19 +384,18 @@ static struct cli_state *cli_cm_find(struct cli_state *cli,
|
|
****************************************************************************/
|
|
|
|
NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
- struct cli_state *referring_cli,
|
|
- const char *server,
|
|
- const char *share,
|
|
- const struct user_auth_info *auth_info,
|
|
- int max_protocol,
|
|
- const struct sockaddr_storage *dest_ss,
|
|
- int port,
|
|
- int name_type,
|
|
- struct cli_state **pcli)
|
|
+ struct cli_state *referring_cli,
|
|
+ const char *server,
|
|
+ const char *share,
|
|
+ struct cli_credentials *creds,
|
|
+ int max_protocol,
|
|
+ const struct sockaddr_storage *dest_ss,
|
|
+ int port,
|
|
+ int name_type,
|
|
+ struct cli_state **pcli)
|
|
{
|
|
/* Try to reuse an existing connection in this list. */
|
|
struct cli_state *c = cli_cm_find(referring_cli, server, share);
|
|
- struct cli_credentials *creds = get_cmdline_auth_info_creds(auth_info);
|
|
NTSTATUS status;
|
|
|
|
if (c) {
|
|
@@ -404,11 +403,11 @@ NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
- if (auth_info == NULL) {
|
|
+ if (creds == NULL) {
|
|
/* Can't do a new connection
|
|
* without auth info. */
|
|
d_printf("cli_cm_open() Unable to open connection [\\%s\\%s] "
|
|
- "without auth info\n",
|
|
+ "without client credentials\n",
|
|
server, share );
|
|
return NT_STATUS_INVALID_PARAMETER;
|
|
}
|
|
@@ -966,7 +965,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
|
|
rootcli,
|
|
smbXcli_conn_remote_name(rootcli->conn),
|
|
"IPC$",
|
|
- dfs_auth_info,
|
|
+ creds,
|
|
smbXcli_conn_protocol(rootcli->conn),
|
|
NULL, /* dest_ss not needed, we reuse the transport */
|
|
0,
|
|
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
|
|
index f2b0a8c5ff8..0b8cf2a6036 100644
|
|
--- a/source3/libsmb/proto.h
|
|
+++ b/source3/libsmb/proto.h
|
|
@@ -124,15 +124,15 @@ struct cli_state *get_ipc_connect_master_ip(TALLOC_CTX *ctx,
|
|
/* The following definitions come from libsmb/clidfs.c */
|
|
|
|
NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
- struct cli_state *referring_cli,
|
|
- const char *server,
|
|
- const char *share,
|
|
- const struct user_auth_info *auth_info,
|
|
- int max_protocol,
|
|
- const struct sockaddr_storage *dest_ss,
|
|
- int port,
|
|
- int name_type,
|
|
- struct cli_state **pcli);
|
|
+ struct cli_state *referring_cli,
|
|
+ const char *server,
|
|
+ const char *share,
|
|
+ struct cli_credentials *creds,
|
|
+ int max_protocol,
|
|
+ const struct sockaddr_storage *dest_ss,
|
|
+ int port,
|
|
+ int name_type,
|
|
+ struct cli_state **pcli);
|
|
void cli_cm_display(struct cli_state *c);
|
|
struct client_dfs_referral;
|
|
NTSTATUS cli_dfs_get_referral_ex(TALLOC_CTX *ctx,
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From ee496daf60a5340ab9e4f16430e2d93fd121659b Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 18 Aug 2020 17:42:25 +0200
|
|
Subject: [PATCH 069/104] s3:libsmb: Pass cli_credentials to
|
|
cli_resolve_path(), using helper variables.
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit 5245ab3c4dacc88d5cbe3bb1e3e339e4fb77a4db)
|
|
---
|
|
source3/client/client.c | 148 +++++++++++++++++++++++++++-------
|
|
source3/libsmb/clidfs.c | 5 +-
|
|
source3/libsmb/libsmb_dir.c | 43 ++++++++--
|
|
source3/libsmb/libsmb_file.c | 13 ++-
|
|
source3/libsmb/libsmb_stat.c | 6 +-
|
|
source3/libsmb/libsmb_xattr.c | 13 ++-
|
|
source3/libsmb/proto.h | 2 +-
|
|
source3/utils/smbcacls.c | 5 +-
|
|
8 files changed, 188 insertions(+), 47 deletions(-)
|
|
|
|
diff --git a/source3/client/client.c b/source3/client/client.c
|
|
index c54b5065b44..13e48f80a01 100644
|
|
--- a/source3/client/client.c
|
|
+++ b/source3/client/client.c
|
|
@@ -298,9 +298,14 @@ static int do_dskattr(void)
|
|
struct cli_state *targetcli = NULL;
|
|
char *targetpath = NULL;
|
|
TALLOC_CTX *ctx = talloc_tos();
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(), cli,
|
|
+ status = cli_resolve_path(ctx,
|
|
+ "",
|
|
+ creds,
|
|
+ cli,
|
|
client_get_cur_dir(), &targetcli,
|
|
&targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
@@ -390,6 +395,8 @@ static int do_cd(const char *new_dir)
|
|
uint32_t attributes;
|
|
int ret = 1;
|
|
TALLOC_CTX *ctx = talloc_stackframe();
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
newdir = talloc_strdup(ctx, new_dir);
|
|
@@ -432,7 +439,8 @@ static int do_cd(const char *new_dir)
|
|
new_cd = client_clean_name(ctx, new_cd);
|
|
client_set_cur_dir(new_cd);
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, new_cd, &targetcli, &targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("cd %s: %s\n", new_cd, nt_errstr(status));
|
|
@@ -809,6 +817,8 @@ NTSTATUS do_list(const char *mask,
|
|
TALLOC_CTX *ctx = talloc_tos();
|
|
struct cli_state *targetcli = NULL;
|
|
char *targetpath = NULL;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS ret_status = NT_STATUS_OK;
|
|
NTSTATUS status = NT_STATUS_OK;
|
|
|
|
@@ -832,7 +842,7 @@ NTSTATUS do_list(const char *mask,
|
|
/* check for dfs */
|
|
|
|
status = cli_resolve_path(ctx, "",
|
|
- popt_get_cmdline_auth_info(),
|
|
+ creds,
|
|
cli, head, &targetcli, &targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("do_list: [%s] %s\n", head,
|
|
@@ -1042,6 +1052,8 @@ static int do_get(const char *rname, const char *lname_in, bool reget)
|
|
struct cli_state *targetcli = NULL;
|
|
char *targetname = NULL;
|
|
char *lname = NULL;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
lname = talloc_strdup(ctx, lname_in);
|
|
@@ -1056,7 +1068,8 @@ static int do_get(const char *rname, const char *lname_in, bool reget)
|
|
}
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, rname, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("Failed to open %s: %s\n", rname, nt_errstr(status));
|
|
@@ -1413,9 +1426,12 @@ static bool do_mkdir(const char *name)
|
|
TALLOC_CTX *ctx = talloc_tos();
|
|
struct cli_state *targetcli;
|
|
char *targetname = NULL;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, name, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("mkdir %s: %s\n", name, nt_errstr(status));
|
|
@@ -1474,6 +1490,8 @@ static int cmd_mkdir(void)
|
|
TALLOC_CTX *ctx = talloc_tos();
|
|
char *mask = NULL;
|
|
char *buf = NULL;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
mask = talloc_strdup(ctx, client_get_cur_dir());
|
|
@@ -1510,7 +1528,8 @@ static int cmd_mkdir(void)
|
|
}
|
|
|
|
status = cli_resolve_path(ctx, "",
|
|
- popt_get_cmdline_auth_info(), cli, mask,
|
|
+ creds,
|
|
+ cli, mask,
|
|
&targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return 1;
|
|
@@ -1824,9 +1843,12 @@ static int do_put(const char *rname, const char *lname, bool reput)
|
|
struct cli_state *targetcli;
|
|
char *targetname = NULL;
|
|
struct push_state state;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, rname, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("Failed to open %s: %s\n", rname, nt_errstr(status));
|
|
@@ -2601,6 +2623,8 @@ static int cmd_wdel(void)
|
|
uint32_t attribute;
|
|
struct cli_state *targetcli;
|
|
char *targetname = NULL;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL)) {
|
|
@@ -2626,7 +2650,8 @@ static int cmd_wdel(void)
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, mask, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("cmd_wdel %s: %s\n", mask, nt_errstr(status));
|
|
@@ -2652,6 +2677,8 @@ static int cmd_open(void)
|
|
char *targetname = NULL;
|
|
struct cli_state *targetcli;
|
|
uint16_t fnum = (uint16_t)-1;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL)) {
|
|
@@ -2671,7 +2698,8 @@ static int cmd_open(void)
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, mask, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("open %s: %s\n", mask, nt_errstr(status));
|
|
@@ -2773,6 +2801,8 @@ static int cmd_posix_open(void)
|
|
struct cli_state *targetcli;
|
|
mode_t mode;
|
|
uint16_t fnum;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL)) {
|
|
@@ -2797,7 +2827,8 @@ static int cmd_posix_open(void)
|
|
}
|
|
mode = (mode_t)strtol(buf, (char **)NULL, 8);
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, mask, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("posix_open %s: %s\n", mask, nt_errstr(status));
|
|
@@ -2832,6 +2863,8 @@ static int cmd_posix_mkdir(void)
|
|
char *targetname = NULL;
|
|
struct cli_state *targetcli;
|
|
mode_t mode;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL)) {
|
|
@@ -2856,7 +2889,8 @@ static int cmd_posix_mkdir(void)
|
|
}
|
|
mode = (mode_t)strtol(buf, (char **)NULL, 8);
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, mask, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("posix_mkdir %s: %s\n", mask, nt_errstr(status));
|
|
@@ -2880,6 +2914,8 @@ static int cmd_posix_unlink(void)
|
|
char *buf = NULL;
|
|
char *targetname = NULL;
|
|
struct cli_state *targetcli;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL)) {
|
|
@@ -2898,7 +2934,8 @@ static int cmd_posix_unlink(void)
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, mask, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("posix_unlink %s: %s\n", mask, nt_errstr(status));
|
|
@@ -2923,6 +2960,8 @@ static int cmd_posix_rmdir(void)
|
|
char *buf = NULL;
|
|
char *targetname = NULL;
|
|
struct cli_state *targetcli;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL)) {
|
|
@@ -2941,7 +2980,8 @@ static int cmd_posix_rmdir(void)
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, mask, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("posix_rmdir %s: %s\n", mask, nt_errstr(status));
|
|
@@ -3230,6 +3270,8 @@ static int cmd_rmdir(void)
|
|
char *buf = NULL;
|
|
char *targetname = NULL;
|
|
struct cli_state *targetcli;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL)) {
|
|
@@ -3248,7 +3290,8 @@ static int cmd_rmdir(void)
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, mask, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("rmdir %s: %s\n", mask, nt_errstr(status));
|
|
@@ -3277,6 +3320,8 @@ static int cmd_link(void)
|
|
char *buf2 = NULL;
|
|
char *targetname = NULL;
|
|
struct cli_state *targetcli;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
|
|
@@ -3307,7 +3352,8 @@ static int cmd_link(void)
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, oldname, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("link %s: %s\n", oldname, nt_errstr(status));
|
|
@@ -3340,6 +3386,8 @@ static int cmd_readlink(void)
|
|
char *targetname = NULL;
|
|
char *linkname = NULL;
|
|
struct cli_state *targetcli;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL)) {
|
|
@@ -3358,7 +3406,8 @@ static int cmd_readlink(void)
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, name, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("readlink %s: %s\n", name, nt_errstr(status));
|
|
@@ -3397,6 +3446,8 @@ static int cmd_symlink(void)
|
|
char *buf = NULL;
|
|
char *buf2 = NULL;
|
|
struct cli_state *newcli;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
|
|
@@ -3419,7 +3470,8 @@ static int cmd_symlink(void)
|
|
}
|
|
/* New name must be present in share namespace. */
|
|
status = cli_resolve_path(ctx, "",
|
|
- popt_get_cmdline_auth_info(), cli, newname,
|
|
+ creds,
|
|
+ cli, newname,
|
|
&newcli, &newname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("link %s: %s\n", newname,
|
|
@@ -3455,6 +3507,8 @@ static int cmd_chmod(void)
|
|
char *targetname = NULL;
|
|
struct cli_state *targetcli;
|
|
mode_t mode;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
|
|
@@ -3476,7 +3530,8 @@ static int cmd_chmod(void)
|
|
|
|
mode = (mode_t)strtol(buf, NULL, 8);
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, src, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("chmod %s: %s\n", src, nt_errstr(status));
|
|
@@ -3620,6 +3675,8 @@ static int cmd_getfacl(void)
|
|
size_t num_dir_acls = 0;
|
|
size_t expected_buflen;
|
|
uint16_t i;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&name,NULL)) {
|
|
@@ -3638,7 +3695,8 @@ static int cmd_getfacl(void)
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, src, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("stat %s: %s\n", src, nt_errstr(status));
|
|
@@ -3803,6 +3861,8 @@ static int cmd_geteas(void)
|
|
NTSTATUS status;
|
|
size_t i, num_eas;
|
|
struct ea_struct *eas;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&name,NULL)) {
|
|
d_printf("geteas filename\n");
|
|
@@ -3820,7 +3880,8 @@ static int cmd_geteas(void)
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, src, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("stat %s: %s\n", src, nt_errstr(status));
|
|
@@ -3859,6 +3920,8 @@ static int cmd_setea(void)
|
|
char *eavalue = NULL;
|
|
char *targetname = NULL;
|
|
struct cli_state *targetcli;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr, &name, NULL)
|
|
@@ -3881,7 +3944,8 @@ static int cmd_setea(void)
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, src, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("stat %s: %s\n", src, nt_errstr(status));
|
|
@@ -3913,6 +3977,8 @@ static int cmd_stat(void)
|
|
SMB_STRUCT_STAT sbuf;
|
|
struct tm *lt;
|
|
time_t tmp_time;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&name,NULL)) {
|
|
@@ -3931,7 +3997,8 @@ static int cmd_stat(void)
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, src, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("stat %s: %s\n", src, nt_errstr(status));
|
|
@@ -4020,6 +4087,8 @@ static int cmd_chown(void)
|
|
char *buf, *buf2, *buf3;
|
|
struct cli_state *targetcli;
|
|
char *targetname = NULL;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
|
|
@@ -4043,7 +4112,8 @@ static int cmd_chown(void)
|
|
if (src == NULL) {
|
|
return 1;
|
|
}
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, src, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("chown %s: %s\n", src, nt_errstr(status));
|
|
@@ -4077,6 +4147,8 @@ static int cmd_rename(void)
|
|
struct cli_state *targetcli;
|
|
char *targetsrc;
|
|
char *targetdest;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
bool replace = false;
|
|
|
|
@@ -4115,14 +4187,16 @@ static int cmd_rename(void)
|
|
replace = true;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, src, &targetcli, &targetsrc);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("rename %s: %s\n", src, nt_errstr(status));
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, dest, &targetcli, &targetdest);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("rename %s: %s\n", dest, nt_errstr(status));
|
|
@@ -4179,6 +4253,8 @@ static int cmd_scopy(void)
|
|
off_t written = 0;
|
|
struct scopy_timing st;
|
|
int rc = 0;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
|
|
@@ -4211,14 +4287,16 @@ static int cmd_scopy(void)
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, src, &targetcli, &targetsrc);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("scopy %s: %s\n", src, nt_errstr(status));
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, dest, &targetcli, &targetdest);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("scopy %s: %s\n", dest, nt_errstr(status));
|
|
@@ -4317,6 +4395,8 @@ static int cmd_hardlink(void)
|
|
char *buf, *buf2;
|
|
struct cli_state *targetcli;
|
|
char *targetname;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
|
|
@@ -4349,7 +4429,8 @@ static int cmd_hardlink(void)
|
|
return 1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, src, &targetcli, &targetname);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("hardlink %s: %s\n", src, nt_errstr(status));
|
|
@@ -5023,9 +5104,13 @@ static int cmd_show_connect( void )
|
|
TALLOC_CTX *ctx = talloc_tos();
|
|
struct cli_state *targetcli;
|
|
char *targetpath;
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(), cli,
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
+ cli,
|
|
client_get_cur_dir(), &targetcli,
|
|
&targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
@@ -5685,6 +5770,8 @@ static char **remote_completion(const char *text, int len)
|
|
struct cli_state *targetcli = NULL;
|
|
int i;
|
|
struct completion_remote info = { NULL, NULL, 1, 0, NULL, 0 };
|
|
+ struct cli_credentials *creds =
|
|
+ get_cmdline_auth_info_creds(popt_get_cmdline_auth_info());
|
|
NTSTATUS status;
|
|
|
|
/* can't have non-static initialisation on Sun CC, so do it
|
|
@@ -5745,7 +5832,8 @@ static char **remote_completion(const char *text, int len)
|
|
goto cleanup;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", popt_get_cmdline_auth_info(),
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, dirmask, &targetcli, &targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto cleanup;
|
|
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
|
index ef75fb36a45..e6695159a96 100644
|
|
--- a/source3/libsmb/clidfs.c
|
|
+++ b/source3/libsmb/clidfs.c
|
|
@@ -859,7 +859,7 @@ struct cli_dfs_path_split {
|
|
|
|
NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
|
|
const char *mountpt,
|
|
- const struct user_auth_info *dfs_auth_info,
|
|
+ struct cli_credentials *creds,
|
|
struct cli_state *rootcli,
|
|
const char *path,
|
|
struct cli_state **targetcli,
|
|
@@ -885,7 +885,6 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
|
|
struct smbXcli_tcon *root_tcon = NULL;
|
|
struct smbXcli_tcon *target_tcon = NULL;
|
|
struct cli_dfs_path_split *dfs_refs = NULL;
|
|
- struct cli_credentials *creds = get_cmdline_auth_info_creds(dfs_auth_info);
|
|
|
|
if ( !rootcli || !path || !targetcli ) {
|
|
return NT_STATUS_INVALID_PARAMETER;
|
|
@@ -1130,7 +1129,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
|
|
if (!strequal(*pp_targetpath, "\\") && !strequal(*pp_targetpath, "/")) {
|
|
status = cli_resolve_path(ctx,
|
|
newmount,
|
|
- dfs_auth_info,
|
|
+ creds,
|
|
*targetcli,
|
|
*pp_targetpath,
|
|
&newcli,
|
|
diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
|
|
index 12abb734c2d..0326f27125b 100644
|
|
--- a/source3/libsmb/libsmb_dir.c
|
|
+++ b/source3/libsmb/libsmb_dir.c
|
|
@@ -911,6 +911,7 @@ SMBC_opendir_ctx(SMBCCTX *context,
|
|
*/
|
|
char *targetpath;
|
|
struct cli_state *targetcli;
|
|
+ struct cli_credentials *creds = NULL;
|
|
NTSTATUS status;
|
|
|
|
/* We connect to the server and list the directory */
|
|
@@ -943,8 +944,12 @@ SMBC_opendir_ctx(SMBCCTX *context,
|
|
return NULL;
|
|
}
|
|
|
|
+ creds = get_cmdline_auth_info_creds(
|
|
+ context->internal->auth_info);
|
|
+
|
|
status = cli_resolve_path(
|
|
- frame, "", context->internal->auth_info,
|
|
+ frame, "",
|
|
+ creds,
|
|
srv->cli, path, &targetcli, &targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("Could not resolve %s\n", path);
|
|
@@ -1543,6 +1548,7 @@ SMBC_mkdir_ctx(SMBCCTX *context,
|
|
char *targetpath = NULL;
|
|
uint16_t port = 0;
|
|
struct cli_state *targetcli = NULL;
|
|
+ struct cli_credentials *creds = NULL;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
NTSTATUS status;
|
|
|
|
@@ -1595,8 +1601,11 @@ SMBC_mkdir_ctx(SMBCCTX *context,
|
|
|
|
}
|
|
|
|
+ creds = get_cmdline_auth_info_creds(context->internal->auth_info);
|
|
+
|
|
/*d_printf(">>>mkdir: resolving %s\n", path);*/
|
|
- status = cli_resolve_path(frame, "", context->internal->auth_info,
|
|
+ status = cli_resolve_path(frame, "",
|
|
+ creds,
|
|
srv->cli, path, &targetcli, &targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("Could not resolve %s\n", path);
|
|
@@ -1654,6 +1663,7 @@ SMBC_rmdir_ctx(SMBCCTX *context,
|
|
char *targetpath = NULL;
|
|
uint16_t port = 0;
|
|
struct cli_state *targetcli = NULL;
|
|
+ struct cli_credentials *creds = NULL;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
NTSTATUS status;
|
|
|
|
@@ -1706,8 +1716,11 @@ SMBC_rmdir_ctx(SMBCCTX *context,
|
|
|
|
}
|
|
|
|
+ creds = get_cmdline_auth_info_creds(context->internal->auth_info),
|
|
+
|
|
/*d_printf(">>>rmdir: resolving %s\n", path);*/
|
|
- status = cli_resolve_path(frame, "", context->internal->auth_info,
|
|
+ status = cli_resolve_path(frame, "",
|
|
+ creds,
|
|
srv->cli, path, &targetcli, &targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("Could not resolve %s\n", path);
|
|
@@ -1959,6 +1972,7 @@ SMBC_chmod_ctx(SMBCCTX *context,
|
|
char *path = NULL;
|
|
uint32_t attr;
|
|
uint16_t port = 0;
|
|
+ struct cli_credentials *creds = NULL;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
NTSTATUS status;
|
|
|
|
@@ -2010,8 +2024,11 @@ SMBC_chmod_ctx(SMBCCTX *context,
|
|
return -1; /* errno set by SMBC_server */
|
|
}
|
|
|
|
+ creds = get_cmdline_auth_info_creds(context->internal->auth_info);
|
|
+
|
|
/*d_printf(">>>unlink: resolving %s\n", path);*/
|
|
- status = cli_resolve_path(frame, "", context->internal->auth_info,
|
|
+ status = cli_resolve_path(frame, "",
|
|
+ creds,
|
|
srv->cli, path, &targetcli, &targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("Could not resolve %s\n", path);
|
|
@@ -2152,6 +2169,7 @@ SMBC_unlink_ctx(SMBCCTX *context,
|
|
uint16_t port = 0;
|
|
struct cli_state *targetcli = NULL;
|
|
SMBCSRV *srv = NULL;
|
|
+ struct cli_credentials *creds = NULL;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
NTSTATUS status;
|
|
|
|
@@ -2204,8 +2222,11 @@ SMBC_unlink_ctx(SMBCCTX *context,
|
|
|
|
}
|
|
|
|
+ creds = get_cmdline_auth_info_creds(context->internal->auth_info);
|
|
+
|
|
/*d_printf(">>>unlink: resolving %s\n", path);*/
|
|
- status = cli_resolve_path(frame, "", context->internal->auth_info,
|
|
+ status = cli_resolve_path(frame, "",
|
|
+ creds,
|
|
srv->cli, path, &targetcli, &targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("Could not resolve %s\n", path);
|
|
@@ -2282,6 +2303,8 @@ SMBC_rename_ctx(SMBCCTX *ocontext,
|
|
SMBCSRV *srv = NULL;
|
|
uint16_t port1 = 0;
|
|
uint16_t port2 = 0;
|
|
+ struct cli_credentials *ocreds = NULL;
|
|
+ struct cli_credentials *ncreds = NULL;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
NTSTATUS status;
|
|
|
|
@@ -2375,7 +2398,10 @@ SMBC_rename_ctx(SMBCCTX *ocontext,
|
|
password1);
|
|
|
|
/*d_printf(">>>rename: resolving %s\n", path1);*/
|
|
- status = cli_resolve_path(frame, "", ocontext->internal->auth_info,
|
|
+ ocreds = get_cmdline_auth_info_creds(ocontext->internal->auth_info);
|
|
+
|
|
+ status = cli_resolve_path(frame, "",
|
|
+ ocreds,
|
|
srv->cli, path1, &targetcli1, &targetpath1);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("Could not resolve %s\n", path1);
|
|
@@ -2392,7 +2418,10 @@ SMBC_rename_ctx(SMBCCTX *ocontext,
|
|
|
|
/*d_printf(">>>rename: resolved path as %s\n", targetpath1);*/
|
|
/*d_printf(">>>rename: resolving %s\n", path2);*/
|
|
- status = cli_resolve_path(frame, "", ncontext->internal->auth_info,
|
|
+ ncreds = get_cmdline_auth_info_creds(ncontext->internal->auth_info);
|
|
+
|
|
+ status = cli_resolve_path(frame, "",
|
|
+ ncreds,
|
|
srv->cli, path2, &targetcli2, &targetpath2);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("Could not resolve %s\n", path2);
|
|
diff --git a/source3/libsmb/libsmb_file.c b/source3/libsmb/libsmb_file.c
|
|
index 0791df36690..a44925e0e0e 100644
|
|
--- a/source3/libsmb/libsmb_file.c
|
|
+++ b/source3/libsmb/libsmb_file.c
|
|
@@ -103,6 +103,8 @@ SMBC_open_ctx(SMBCCTX *context,
|
|
if (strlen(path) > 0 && path[strlen(path) - 1] == '\\') {
|
|
status = NT_STATUS_OBJECT_PATH_INVALID;
|
|
} else {
|
|
+ struct cli_credentials *creds = NULL;
|
|
+
|
|
file = SMB_MALLOC_P(SMBCFILE);
|
|
if (!file) {
|
|
errno = ENOMEM;
|
|
@@ -112,9 +114,12 @@ SMBC_open_ctx(SMBCCTX *context,
|
|
|
|
ZERO_STRUCTP(file);
|
|
|
|
+ creds = get_cmdline_auth_info_creds(
|
|
+ context->internal->auth_info);
|
|
/*d_printf(">>>open: resolving %s\n", path);*/
|
|
status = cli_resolve_path(
|
|
- frame, "", context->internal->auth_info,
|
|
+ frame, "",
|
|
+ creds,
|
|
srv->cli, path, &targetcli, &targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("Could not resolve %s\n", path);
|
|
@@ -461,6 +466,7 @@ SMBC_getatr(SMBCCTX * context,
|
|
struct timespec change_time_ts = {0};
|
|
time_t write_time = 0;
|
|
SMB_INO_T ino = 0;
|
|
+ struct cli_credentials *creds = NULL;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
NTSTATUS status;
|
|
|
|
@@ -490,7 +496,10 @@ SMBC_getatr(SMBCCTX * context,
|
|
}
|
|
DEBUG(4,("SMBC_getatr: sending qpathinfo\n"));
|
|
|
|
- status = cli_resolve_path(frame, "", context->internal->auth_info,
|
|
+ creds = get_cmdline_auth_info_creds(context->internal->auth_info);
|
|
+
|
|
+ status = cli_resolve_path(frame, "",
|
|
+ creds,
|
|
srv->cli, fixedpath,
|
|
&targetcli, &targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
diff --git a/source3/libsmb/libsmb_stat.c b/source3/libsmb/libsmb_stat.c
|
|
index 790934bd565..1260928d0ff 100644
|
|
--- a/source3/libsmb/libsmb_stat.c
|
|
+++ b/source3/libsmb/libsmb_stat.c
|
|
@@ -242,6 +242,7 @@ SMBC_fstat_ctx(SMBCCTX *context,
|
|
struct cli_state *targetcli = NULL;
|
|
SMB_INO_T ino = 0;
|
|
uint16_t port = 0;
|
|
+ struct cli_credentials *creds = NULL;
|
|
TALLOC_CTX *frame = talloc_stackframe();
|
|
NTSTATUS status;
|
|
|
|
@@ -279,8 +280,11 @@ SMBC_fstat_ctx(SMBCCTX *context,
|
|
return -1;
|
|
}
|
|
|
|
+ creds = get_cmdline_auth_info_creds(context->internal->auth_info);
|
|
+
|
|
/*d_printf(">>>fstat: resolving %s\n", path);*/
|
|
- status = cli_resolve_path(frame, "", context->internal->auth_info,
|
|
+ status = cli_resolve_path(frame, "",
|
|
+ creds,
|
|
file->srv->cli, path,
|
|
&targetcli, &targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
diff --git a/source3/libsmb/libsmb_xattr.c b/source3/libsmb/libsmb_xattr.c
|
|
index d1b6548eb90..8b74d0a39e3 100644
|
|
--- a/source3/libsmb/libsmb_xattr.c
|
|
+++ b/source3/libsmb/libsmb_xattr.c
|
|
@@ -860,13 +860,18 @@ cacl_get(SMBCCTX *context,
|
|
if (ipc_cli && (all || some_nt || all_nt_acls)) {
|
|
char *targetpath = NULL;
|
|
struct cli_state *targetcli = NULL;
|
|
+ struct cli_credentials *creds = NULL;
|
|
NTSTATUS status;
|
|
|
|
/* Point to the portion after "system.nt_sec_desc." */
|
|
name += 19; /* if (all) this will be invalid but unused */
|
|
|
|
+ creds = get_cmdline_auth_info_creds(
|
|
+ context->internal->auth_info);
|
|
+
|
|
status = cli_resolve_path(
|
|
- ctx, "", context->internal->auth_info,
|
|
+ ctx, "",
|
|
+ creds,
|
|
cli, filename, &targetcli, &targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DEBUG(5, ("cacl_get Could not resolve %s\n",
|
|
@@ -1511,6 +1516,7 @@ cacl_set(SMBCCTX *context,
|
|
bool numeric = True;
|
|
char *targetpath = NULL;
|
|
struct cli_state *targetcli = NULL;
|
|
+ struct cli_credentials *creds = NULL;
|
|
NTSTATUS status;
|
|
|
|
/* the_acl will be null for REMOVE_ALL operations */
|
|
@@ -1540,7 +1546,10 @@ cacl_set(SMBCCTX *context,
|
|
return -1;
|
|
}
|
|
|
|
- status = cli_resolve_path(ctx, "", context->internal->auth_info,
|
|
+ creds = get_cmdline_auth_info_creds(context->internal->auth_info);
|
|
+
|
|
+ status = cli_resolve_path(ctx, "",
|
|
+ creds,
|
|
cli, filename, &targetcli, &targetpath);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DEBUG(5,("cacl_set: Could not resolve %s\n", filename));
|
|
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
|
|
index 0b8cf2a6036..517738dbcd7 100644
|
|
--- a/source3/libsmb/proto.h
|
|
+++ b/source3/libsmb/proto.h
|
|
@@ -150,7 +150,7 @@ NTSTATUS cli_dfs_get_referral(TALLOC_CTX *ctx,
|
|
size_t *consumed);
|
|
NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
|
|
const char *mountpt,
|
|
- const struct user_auth_info *dfs_auth_info,
|
|
+ struct cli_credentials *creds,
|
|
struct cli_state *rootcli,
|
|
const char *path,
|
|
struct cli_state **targetcli,
|
|
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
|
|
index 8fd9fcc5780..4989ec633c3 100644
|
|
--- a/source3/utils/smbcacls.c
|
|
+++ b/source3/utils/smbcacls.c
|
|
@@ -806,6 +806,7 @@ int main(int argc, char *argv[])
|
|
than going via LSA calls to resolve them */
|
|
int numeric = 0;
|
|
struct cli_state *targetcli = NULL;
|
|
+ struct cli_credentials *creds = NULL;
|
|
char *targetfile = NULL;
|
|
NTSTATUS status;
|
|
|
|
@@ -1069,9 +1070,11 @@ int main(int argc, char *argv[])
|
|
}
|
|
}
|
|
|
|
+ creds = get_cmdline_auth_info_creds(popt_get_cmdline_auth_info()),
|
|
+
|
|
status = cli_resolve_path(frame,
|
|
"",
|
|
- popt_get_cmdline_auth_info(),
|
|
+ creds,
|
|
cli,
|
|
filename,
|
|
&targetcli,
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From aa21292bdc66f8f26244da5f1422bc41afafa6f7 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 27 Aug 2020 16:40:49 +0200
|
|
Subject: [PATCH 070/104] s3:client: Remove global max_protocol
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit d07f28645f37c1f976017d5b89864791a18d1943)
|
|
---
|
|
source3/client/client.c | 13 +++++--------
|
|
1 file changed, 5 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/source3/client/client.c b/source3/client/client.c
|
|
index 13e48f80a01..902cdec8b64 100644
|
|
--- a/source3/client/client.c
|
|
+++ b/source3/client/client.c
|
|
@@ -61,7 +61,6 @@ static int io_bufsize = 0; /* we use the default size */
|
|
static int io_timeout = (CLIENT_TIMEOUT/1000); /* Per operation timeout (in seconds). */
|
|
|
|
static int name_type = 0x20;
|
|
-static int max_protocol = -1;
|
|
|
|
static int process_tok(char *tok);
|
|
static int cmd_help(void);
|
|
@@ -5646,7 +5645,7 @@ static int process_command_string(const char *cmd_in)
|
|
desthost,
|
|
service,
|
|
creds,
|
|
- max_protocol,
|
|
+ lp_client_max_protocol(),
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type,
|
|
&cli);
|
|
@@ -6096,7 +6095,7 @@ static int process(const char *base_directory)
|
|
desthost,
|
|
service,
|
|
creds,
|
|
- max_protocol,
|
|
+ lp_client_max_protocol(),
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type, &cli);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
@@ -6137,7 +6136,7 @@ static int do_host_query(const char *query_host)
|
|
query_host,
|
|
"IPC$",
|
|
creds,
|
|
- max_protocol,
|
|
+ lp_client_max_protocol(),
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type, &cli);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
@@ -6172,7 +6171,7 @@ static int do_host_query(const char *query_host)
|
|
if (port != NBT_SMB_PORT ||
|
|
smbXcli_conn_protocol(cli->conn) > PROTOCOL_NT1)
|
|
{
|
|
- int max_proto = MIN(max_protocol, PROTOCOL_NT1);
|
|
+ int max_proto = MIN(lp_client_max_protocol(), PROTOCOL_NT1);
|
|
|
|
/*
|
|
* Workgroups simply don't make sense over anything
|
|
@@ -6222,7 +6221,7 @@ static int do_tar_op(const char *base_directory)
|
|
desthost,
|
|
service,
|
|
creds,
|
|
- max_protocol,
|
|
+ lp_client_max_protocol(),
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type, &cli);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
@@ -6629,8 +6628,6 @@ int main(int argc,char *argv[])
|
|
/* Ensure we have a password (or equivalent). */
|
|
popt_common_credentials_post();
|
|
|
|
- max_protocol = lp_client_max_protocol();
|
|
-
|
|
if (tar_to_process(tar_ctx)) {
|
|
if (cmdstr)
|
|
process_command_string(cmdstr);
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 517baf60c6597388cfd1a17bf998272586d3bfc9 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 27 Aug 2020 16:43:46 +0200
|
|
Subject: [PATCH 071/104] s3:libsmb: Remove max_protocol from cli_cm_open()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit 4aac9daf095e7c2de6a27697a13385ee87a4b634)
|
|
---
|
|
source3/client/client.c | 7 -------
|
|
source3/lib/netapi/cm.c | 1 -
|
|
source3/libsmb/clidfs.c | 4 +---
|
|
source3/libsmb/proto.h | 1 -
|
|
4 files changed, 1 insertion(+), 12 deletions(-)
|
|
|
|
diff --git a/source3/client/client.c b/source3/client/client.c
|
|
index 902cdec8b64..82764c5ca16 100644
|
|
--- a/source3/client/client.c
|
|
+++ b/source3/client/client.c
|
|
@@ -5645,7 +5645,6 @@ static int process_command_string(const char *cmd_in)
|
|
desthost,
|
|
service,
|
|
creds,
|
|
- lp_client_max_protocol(),
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type,
|
|
&cli);
|
|
@@ -6095,7 +6094,6 @@ static int process(const char *base_directory)
|
|
desthost,
|
|
service,
|
|
creds,
|
|
- lp_client_max_protocol(),
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type, &cli);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
@@ -6136,7 +6134,6 @@ static int do_host_query(const char *query_host)
|
|
query_host,
|
|
"IPC$",
|
|
creds,
|
|
- lp_client_max_protocol(),
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type, &cli);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
@@ -6171,8 +6168,6 @@ static int do_host_query(const char *query_host)
|
|
if (port != NBT_SMB_PORT ||
|
|
smbXcli_conn_protocol(cli->conn) > PROTOCOL_NT1)
|
|
{
|
|
- int max_proto = MIN(lp_client_max_protocol(), PROTOCOL_NT1);
|
|
-
|
|
/*
|
|
* Workgroups simply don't make sense over anything
|
|
* else but port 139 and SMB1.
|
|
@@ -6184,7 +6179,6 @@ static int do_host_query(const char *query_host)
|
|
query_host,
|
|
"IPC$",
|
|
creds,
|
|
- max_proto,
|
|
have_ip ? &dest_ss : NULL, NBT_SMB_PORT,
|
|
name_type, &cli);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
@@ -6221,7 +6215,6 @@ static int do_tar_op(const char *base_directory)
|
|
desthost,
|
|
service,
|
|
creds,
|
|
- lp_client_max_protocol(),
|
|
have_ip ? &dest_ss : NULL, port,
|
|
name_type, &cli);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
|
|
index 943f7498e8c..3f4e188b396 100644
|
|
--- a/source3/lib/netapi/cm.c
|
|
+++ b/source3/lib/netapi/cm.c
|
|
@@ -112,7 +112,6 @@ static WERROR libnetapi_open_ipc_connection(struct libnetapi_ctx *ctx,
|
|
status = cli_cm_open(ctx, NULL,
|
|
server_name, "IPC$",
|
|
creds,
|
|
- lp_client_ipc_max_protocol(),
|
|
NULL, 0, 0x20, &cli_ipc);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
cli_ipc = NULL;
|
|
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
|
index e6695159a96..fb1a0c72e6d 100644
|
|
--- a/source3/libsmb/clidfs.c
|
|
+++ b/source3/libsmb/clidfs.c
|
|
@@ -388,7 +388,6 @@ NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
const char *server,
|
|
const char *share,
|
|
struct cli_credentials *creds,
|
|
- int max_protocol,
|
|
const struct sockaddr_storage *dest_ss,
|
|
int port,
|
|
int name_type,
|
|
@@ -417,7 +416,7 @@ NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
server,
|
|
share,
|
|
creds,
|
|
- max_protocol,
|
|
+ lp_client_max_protocol(),
|
|
dest_ss,
|
|
port,
|
|
name_type,
|
|
@@ -965,7 +964,6 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
|
|
smbXcli_conn_remote_name(rootcli->conn),
|
|
"IPC$",
|
|
creds,
|
|
- smbXcli_conn_protocol(rootcli->conn),
|
|
NULL, /* dest_ss not needed, we reuse the transport */
|
|
0,
|
|
0x20,
|
|
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
|
|
index 517738dbcd7..8aaaff2cb1e 100644
|
|
--- a/source3/libsmb/proto.h
|
|
+++ b/source3/libsmb/proto.h
|
|
@@ -128,7 +128,6 @@ NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
const char *server,
|
|
const char *share,
|
|
struct cli_credentials *creds,
|
|
- int max_protocol,
|
|
const struct sockaddr_storage *dest_ss,
|
|
int port,
|
|
int name_type,
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From b35001a76bc0ff7fc10bd319abfda481b8a81c9b Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 27 Aug 2020 16:45:12 +0200
|
|
Subject: [PATCH 072/104] s3:libcmb: Remove max_protocol from cli_cm_connect()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit 2159582610ecc932047b85a77ec321b3d3ac806f)
|
|
---
|
|
source3/libsmb/clidfs.c | 5 +----
|
|
1 file changed, 1 insertion(+), 4 deletions(-)
|
|
|
|
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
|
index fb1a0c72e6d..023dd4d2757 100644
|
|
--- a/source3/libsmb/clidfs.c
|
|
+++ b/source3/libsmb/clidfs.c
|
|
@@ -293,7 +293,6 @@ static NTSTATUS cli_cm_connect(TALLOC_CTX *ctx,
|
|
const char *server,
|
|
const char *share,
|
|
struct cli_credentials *creds,
|
|
- int max_protocol,
|
|
const struct sockaddr_storage *dest_ss,
|
|
int port,
|
|
int name_type,
|
|
@@ -304,7 +303,7 @@ static NTSTATUS cli_cm_connect(TALLOC_CTX *ctx,
|
|
|
|
status = do_connect(ctx, server, share,
|
|
creds,
|
|
- max_protocol,
|
|
+ lp_client_max_protocol(),
|
|
dest_ss, port, name_type, &cli);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
@@ -416,7 +415,6 @@ NTSTATUS cli_cm_open(TALLOC_CTX *ctx,
|
|
server,
|
|
share,
|
|
creds,
|
|
- lp_client_max_protocol(),
|
|
dest_ss,
|
|
port,
|
|
name_type,
|
|
@@ -1020,7 +1018,6 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
|
|
dfs_refs[count].server,
|
|
dfs_refs[count].share,
|
|
creds,
|
|
- smbXcli_conn_protocol(rootcli->conn),
|
|
NULL, /* dest_ss */
|
|
0, /* port */
|
|
0x20,
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 4e405a5acc748c07f74a27ed57deeffc4e2c20d7 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 27 Aug 2020 16:46:29 +0200
|
|
Subject: [PATCH 073/104] s3:libsmb: Remove max_protocol from clidfs
|
|
do_connect()
|
|
|
|
The if check for max_protocol == 0 is part of lp_client_max_protocol().
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit 50b59b4c28bc816094a4ca97f64450860e2495b2)
|
|
---
|
|
source3/libsmb/clidfs.c | 8 +-------
|
|
1 file changed, 1 insertion(+), 7 deletions(-)
|
|
|
|
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
|
index 023dd4d2757..ee5becf76a6 100644
|
|
--- a/source3/libsmb/clidfs.c
|
|
+++ b/source3/libsmb/clidfs.c
|
|
@@ -107,7 +107,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
|
const char *server,
|
|
const char *share,
|
|
struct cli_credentials *creds,
|
|
- int max_protocol,
|
|
const struct sockaddr_storage *dest_ss,
|
|
int port,
|
|
int name_type,
|
|
@@ -167,14 +166,11 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
|
return status;
|
|
}
|
|
|
|
- if (max_protocol == 0) {
|
|
- max_protocol = PROTOCOL_LATEST;
|
|
- }
|
|
DEBUG(4,(" session request ok\n"));
|
|
|
|
status = smbXcli_negprot(c->conn, c->timeout,
|
|
lp_client_min_protocol(),
|
|
- max_protocol);
|
|
+ lp_client_max_protocol());
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
d_printf("protocol negotiation failed: %s\n",
|
|
@@ -233,7 +229,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
|
cli_shutdown(c);
|
|
return do_connect(ctx, newserver,
|
|
newshare, creds,
|
|
- max_protocol,
|
|
NULL, port, name_type, pcli);
|
|
}
|
|
|
|
@@ -303,7 +298,6 @@ static NTSTATUS cli_cm_connect(TALLOC_CTX *ctx,
|
|
|
|
status = do_connect(ctx, server, share,
|
|
creds,
|
|
- lp_client_max_protocol(),
|
|
dest_ss, port, name_type, &cli);
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From c710bcf3600beb7f9a08c56108c0c93f32a9139b Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Mon, 10 Aug 2020 15:47:35 +0200
|
|
Subject: [PATCH 074/104] s3:include: Move loadparm prototypes to own header
|
|
file
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
(cherry picked from commit d4d8218b9618dd289f54b41f13d7015f1b3994fd)
|
|
---
|
|
source3/include/includes.h | 3 +
|
|
source3/include/proto.h | 167 -------------------------------
|
|
source3/param/loadparm.h | 200 +++++++++++++++++++++++++++++++++++++
|
|
3 files changed, 203 insertions(+), 167 deletions(-)
|
|
create mode 100644 source3/param/loadparm.h
|
|
|
|
diff --git a/source3/include/includes.h b/source3/include/includes.h
|
|
index 8fa65cc3122..c94f919ed59 100644
|
|
--- a/source3/include/includes.h
|
|
+++ b/source3/include/includes.h
|
|
@@ -293,6 +293,9 @@ typedef char fstring[FSTRING_LEN];
|
|
#endif
|
|
|
|
#include "lib/param/loadparm.h"
|
|
+#include "source3/param/loadparm.h"
|
|
+/* Automatically generated by generate_param.py. */
|
|
+#include "source3/param/param_proto.h"
|
|
|
|
/* String routines */
|
|
|
|
diff --git a/source3/include/proto.h b/source3/include/proto.h
|
|
index 12aa392abae..b9a6cb7f116 100644
|
|
--- a/source3/include/proto.h
|
|
+++ b/source3/include/proto.h
|
|
@@ -739,173 +739,6 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
|
|
const char *dcname,
|
|
bool force);
|
|
|
|
-/* The following definitions come from param/loadparm.c */
|
|
-
|
|
-const struct loadparm_substitution *loadparm_s3_global_substitution(void);
|
|
-
|
|
-char *lp_parm_substituted_string(TALLOC_CTX *mem_ctx,
|
|
- const struct loadparm_substitution *lp_sub,
|
|
- int snum,
|
|
- const char *type,
|
|
- const char *option,
|
|
- const char *def);
|
|
-
|
|
-#include "source3/param/param_proto.h"
|
|
-
|
|
-char *lp_servicename(TALLOC_CTX *ctx, const struct loadparm_substitution *, int);
|
|
-const char *lp_const_servicename(int);
|
|
-bool lp_autoloaded(int);
|
|
-const char *lp_dnsdomain(void);
|
|
-int lp_winbind_max_domain_connections(void);
|
|
-bool lp_idmap_range(const char *domain_name, uint32_t *low, uint32_t *high);
|
|
-bool lp_idmap_default_range(uint32_t *low, uint32_t *high);
|
|
-const char *lp_idmap_backend(const char *domain_name);
|
|
-const char *lp_idmap_default_backend (void);
|
|
-int lp_security(void);
|
|
-int lp_client_max_protocol(void);
|
|
-int lp_client_ipc_min_protocol(void);
|
|
-int lp_client_ipc_max_protocol(void);
|
|
-int lp_client_ipc_signing(void);
|
|
-int lp_smb2_max_credits(void);
|
|
-int lp_cups_encrypt(void);
|
|
-bool lp_widelinks(int );
|
|
-int lp_rpc_low_port(void);
|
|
-int lp_rpc_high_port(void);
|
|
-bool lp_lanman_auth(void);
|
|
-enum samba_weak_crypto lp_weak_crypto(void);
|
|
-
|
|
-int lp_wi_scan_global_parametrics(
|
|
- const char *regex, size_t max_matches,
|
|
- bool (*cb)(const char *string, regmatch_t matches[],
|
|
- void *private_data),
|
|
- void *private_data);
|
|
-
|
|
-const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def);
|
|
-struct loadparm_service;
|
|
-const char *lp_parm_const_string_service(struct loadparm_service *service, const char *type,
|
|
- const char *option, const char *def);
|
|
-const char **lp_parm_string_list(int snum, const char *type, const char *option, const char **def);
|
|
-int lp_parm_int(int snum, const char *type, const char *option, int def);
|
|
-unsigned long lp_parm_ulong(int snum, const char *type, const char *option, unsigned long def);
|
|
-unsigned long long lp_parm_ulonglong(int snum, const char *type,
|
|
- const char *option,
|
|
- unsigned long long def);
|
|
-bool lp_parm_bool(int snum, const char *type, const char *option, bool def);
|
|
-struct enum_list;
|
|
-int lp_parm_enum(int snum, const char *type, const char *option,
|
|
- const struct enum_list *_enum, int def);
|
|
-char *canonicalize_servicename(TALLOC_CTX *ctx, const char *src);
|
|
-bool lp_add_home(const char *pszHomename, int iDefaultService,
|
|
- const char *user, const char *pszHomedir);
|
|
-int lp_add_service(const char *pszService, int iDefaultService);
|
|
-bool lp_add_printer(const char *pszPrintername, int iDefaultService);
|
|
-bool lp_parameter_is_valid(const char *pszParmName);
|
|
-bool lp_parameter_is_global(const char *pszParmName);
|
|
-bool lp_canonicalize_parameter(const char *parm_name, const char **canon_parm,
|
|
- bool *inverse);
|
|
-bool lp_canonicalize_parameter_with_value(const char *parm_name,
|
|
- const char *val,
|
|
- const char **canon_parm,
|
|
- const char **canon_val);
|
|
-void show_parameter_list(void);
|
|
-bool lp_invert_boolean(const char *str, const char **inverse_str);
|
|
-bool lp_canonicalize_boolean(const char *str, const char**canon_str);
|
|
-bool process_registry_service(const char *service_name);
|
|
-bool process_registry_shares(void);
|
|
-bool lp_config_backend_is_registry(void);
|
|
-bool lp_config_backend_is_file(void);
|
|
-bool lp_file_list_changed(void);
|
|
-const char *lp_ldap_machine_suffix(TALLOC_CTX *ctx);
|
|
-const char *lp_ldap_user_suffix(TALLOC_CTX *ctx);
|
|
-const char *lp_ldap_group_suffix(TALLOC_CTX *ctx);
|
|
-const char *lp_ldap_idmap_suffix(TALLOC_CTX *ctx);
|
|
-struct parm_struct;
|
|
-/* Return a pointer to a service by name. */
|
|
-struct loadparm_service *lp_service(const char *pszServiceName);
|
|
-struct loadparm_service *lp_servicebynum(int snum);
|
|
-struct loadparm_service *lp_default_loadparm_service(void);
|
|
-void *lp_parm_ptr(struct loadparm_service *service, struct parm_struct *parm);
|
|
-void *lp_local_ptr_by_snum(int snum, struct parm_struct *parm);
|
|
-bool lp_do_parameter(int snum, const char *pszParmName, const char *pszParmValue);
|
|
-bool lp_set_cmdline(const char *pszParmName, const char *pszParmValue);
|
|
-bool dump_a_parameter(int snum, char *parm_name, FILE * f, bool isGlobal);
|
|
-bool lp_snum_ok(int iService);
|
|
-void lp_add_one_printer(const char *name, const char *comment,
|
|
- const char *location, void *pdata);
|
|
-bool lp_loaded(void);
|
|
-void lp_killunused(struct smbd_server_connection *sconn,
|
|
- bool (*snumused) (struct smbd_server_connection *, int));
|
|
-void lp_kill_all_services(void);
|
|
-void lp_killservice(int iServiceIn);
|
|
-const char* server_role_str(uint32_t role);
|
|
-enum usershare_err parse_usershare_file(TALLOC_CTX *ctx,
|
|
- SMB_STRUCT_STAT *psbuf,
|
|
- const char *servicename,
|
|
- int snum,
|
|
- char **lines,
|
|
- int numlines,
|
|
- char **pp_sharepath,
|
|
- char **pp_comment,
|
|
- char **pp_cp_share_name,
|
|
- struct security_descriptor **ppsd,
|
|
- bool *pallow_guest);
|
|
-int load_usershare_service(const char *servicename);
|
|
-int load_usershare_shares(struct smbd_server_connection *sconn,
|
|
- bool (*snumused) (struct smbd_server_connection *, int));
|
|
-void gfree_loadparm(void);
|
|
-bool lp_load_initial_only(const char *pszFname);
|
|
-bool lp_load_global(const char *file_name);
|
|
-bool lp_load_with_shares(const char *file_name);
|
|
-bool lp_load_client(const char *file_name);
|
|
-bool lp_load_global_no_reinit(const char *file_name);
|
|
-bool lp_load_no_reinit(const char *file_name);
|
|
-bool lp_load_client_no_reinit(const char *file_name);
|
|
-bool lp_load_with_registry_shares(const char *pszFname);
|
|
-int lp_numservices(void);
|
|
-void lp_dump(FILE *f, bool show_defaults, int maxtoprint);
|
|
-void lp_dump_one(FILE * f, bool show_defaults, int snum);
|
|
-int lp_servicenumber(const char *pszServiceName);
|
|
-const char *volume_label(TALLOC_CTX *ctx, int snum);
|
|
-bool lp_domain_master(void);
|
|
-bool lp_preferred_master(void);
|
|
-void lp_remove_service(int snum);
|
|
-void lp_copy_service(int snum, const char *new_name);
|
|
-int lp_default_server_announce(void);
|
|
-const char *lp_printername(TALLOC_CTX *ctx,
|
|
- const struct loadparm_substitution *lp_sub,
|
|
- int snum);
|
|
-void lp_set_logfile(const char *name);
|
|
-int lp_maxprintjobs(int snum);
|
|
-const char *lp_printcapname(void);
|
|
-bool lp_disable_spoolss( void );
|
|
-void lp_set_spoolss_state( uint32_t state );
|
|
-uint32_t lp_get_spoolss_state( void );
|
|
-struct smb_signing_state;
|
|
-void set_use_sendfile(int snum, bool val);
|
|
-void lp_set_mangling_method(const char *new_method);
|
|
-bool lp_posix_pathnames(void);
|
|
-void lp_set_posix_pathnames(void);
|
|
-enum brl_flavour lp_posix_cifsu_locktype(files_struct *fsp);
|
|
-void lp_set_posix_default_cifsx_readwrite_locktype(enum brl_flavour val);
|
|
-int lp_min_receive_file_size(void);
|
|
-void widelinks_warning(int snum);
|
|
-const char *lp_ncalrpc_dir(void);
|
|
-void _lp_set_server_role(int server_role);
|
|
-
|
|
-/* The following definitions come from param/loadparm_ctx.c */
|
|
-
|
|
-const struct loadparm_s3_helpers *loadparm_s3_helpers(void);
|
|
-
|
|
-/* The following definitions come from param/loadparm_server_role.c */
|
|
-
|
|
-int lp_server_role(void);
|
|
-void set_server_role(void);
|
|
-
|
|
-/* The following definitions come from param/util.c */
|
|
-
|
|
-uint32_t get_int_param( const char* param );
|
|
-char* get_string_param( const char* param );
|
|
-
|
|
/* The following definitions come from lib/server_contexts.c */
|
|
struct tevent_context *global_event_context(void);
|
|
void global_event_context_free(void);
|
|
diff --git a/source3/param/loadparm.h b/source3/param/loadparm.h
|
|
new file mode 100644
|
|
index 00000000000..7686877ccf1
|
|
--- /dev/null
|
|
+++ b/source3/param/loadparm.h
|
|
@@ -0,0 +1,200 @@
|
|
+/*
|
|
+ *
|
|
+ * Unix SMB/CIFS implementation.
|
|
+ *
|
|
+ * Type definitions for loadparm
|
|
+ *
|
|
+ * Copyright (c) 2020 Andreas Schneider <asn@samba.org>
|
|
+ * This program is free software: you can redistribute it and/or modify
|
|
+ * it under the terms of the GNU General Public License as published by
|
|
+ * the Free Software Foundation, either version 3 of the License, or
|
|
+ * (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+ */
|
|
+
|
|
+#ifndef _S3_LOADPARM_H
|
|
+#define _S3_LOADPARM_H
|
|
+
|
|
+#include <talloc.h>
|
|
+#include <regex.h>
|
|
+
|
|
+/* Forward declarations */
|
|
+typedef struct stat_ex SMB_STRUCT_STAT;
|
|
+typedef struct files_struct files_struct;
|
|
+struct smbd_server_connection;
|
|
+struct security_descriptor;
|
|
+
|
|
+/* The following definitions come from param/loadparm.c */
|
|
+
|
|
+const struct loadparm_substitution *loadparm_s3_global_substitution(void);
|
|
+
|
|
+char *lp_parm_substituted_string(TALLOC_CTX *mem_ctx,
|
|
+ const struct loadparm_substitution *lp_sub,
|
|
+ int snum,
|
|
+ const char *type,
|
|
+ const char *option,
|
|
+ const char *def);
|
|
+
|
|
+char *lp_servicename(TALLOC_CTX *ctx, const struct loadparm_substitution *, int);
|
|
+const char *lp_const_servicename(int);
|
|
+bool lp_autoloaded(int);
|
|
+const char *lp_dnsdomain(void);
|
|
+int lp_winbind_max_domain_connections(void);
|
|
+bool lp_idmap_range(const char *domain_name, uint32_t *low, uint32_t *high);
|
|
+bool lp_idmap_default_range(uint32_t *low, uint32_t *high);
|
|
+const char *lp_idmap_backend(const char *domain_name);
|
|
+const char *lp_idmap_default_backend (void);
|
|
+int lp_security(void);
|
|
+int lp_client_max_protocol(void);
|
|
+int lp_client_ipc_min_protocol(void);
|
|
+int lp_client_ipc_max_protocol(void);
|
|
+int lp_client_ipc_signing(void);
|
|
+int lp_smb2_max_credits(void);
|
|
+int lp_cups_encrypt(void);
|
|
+bool lp_widelinks(int );
|
|
+int lp_rpc_low_port(void);
|
|
+int lp_rpc_high_port(void);
|
|
+bool lp_lanman_auth(void);
|
|
+enum samba_weak_crypto lp_weak_crypto(void);
|
|
+
|
|
+int lp_wi_scan_global_parametrics(
|
|
+ const char *regex, size_t max_matches,
|
|
+ bool (*cb)(const char *string, regmatch_t matches[],
|
|
+ void *private_data),
|
|
+ void *private_data);
|
|
+
|
|
+const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def);
|
|
+struct loadparm_service;
|
|
+const char *lp_parm_const_string_service(struct loadparm_service *service, const char *type,
|
|
+ const char *option, const char *def);
|
|
+const char **lp_parm_string_list(int snum, const char *type, const char *option, const char **def);
|
|
+int lp_parm_int(int snum, const char *type, const char *option, int def);
|
|
+unsigned long lp_parm_ulong(int snum, const char *type, const char *option, unsigned long def);
|
|
+unsigned long long lp_parm_ulonglong(int snum, const char *type,
|
|
+ const char *option,
|
|
+ unsigned long long def);
|
|
+bool lp_parm_bool(int snum, const char *type, const char *option, bool def);
|
|
+struct enum_list;
|
|
+int lp_parm_enum(int snum, const char *type, const char *option,
|
|
+ const struct enum_list *_enum, int def);
|
|
+char *canonicalize_servicename(TALLOC_CTX *ctx, const char *src);
|
|
+bool lp_add_home(const char *pszHomename, int iDefaultService,
|
|
+ const char *user, const char *pszHomedir);
|
|
+int lp_add_service(const char *pszService, int iDefaultService);
|
|
+bool lp_add_printer(const char *pszPrintername, int iDefaultService);
|
|
+bool lp_parameter_is_valid(const char *pszParmName);
|
|
+bool lp_parameter_is_global(const char *pszParmName);
|
|
+bool lp_canonicalize_parameter(const char *parm_name, const char **canon_parm,
|
|
+ bool *inverse);
|
|
+bool lp_canonicalize_parameter_with_value(const char *parm_name,
|
|
+ const char *val,
|
|
+ const char **canon_parm,
|
|
+ const char **canon_val);
|
|
+void show_parameter_list(void);
|
|
+bool lp_invert_boolean(const char *str, const char **inverse_str);
|
|
+bool lp_canonicalize_boolean(const char *str, const char**canon_str);
|
|
+bool process_registry_service(const char *service_name);
|
|
+bool process_registry_shares(void);
|
|
+bool lp_config_backend_is_registry(void);
|
|
+bool lp_config_backend_is_file(void);
|
|
+bool lp_file_list_changed(void);
|
|
+const char *lp_ldap_machine_suffix(TALLOC_CTX *ctx);
|
|
+const char *lp_ldap_user_suffix(TALLOC_CTX *ctx);
|
|
+const char *lp_ldap_group_suffix(TALLOC_CTX *ctx);
|
|
+const char *lp_ldap_idmap_suffix(TALLOC_CTX *ctx);
|
|
+struct parm_struct;
|
|
+/* Return a pointer to a service by name. */
|
|
+struct loadparm_service *lp_service(const char *pszServiceName);
|
|
+struct loadparm_service *lp_servicebynum(int snum);
|
|
+struct loadparm_service *lp_default_loadparm_service(void);
|
|
+void *lp_parm_ptr(struct loadparm_service *service, struct parm_struct *parm);
|
|
+void *lp_local_ptr_by_snum(int snum, struct parm_struct *parm);
|
|
+bool lp_do_parameter(int snum, const char *pszParmName, const char *pszParmValue);
|
|
+bool lp_set_cmdline(const char *pszParmName, const char *pszParmValue);
|
|
+bool dump_a_parameter(int snum, char *parm_name, FILE * f, bool isGlobal);
|
|
+bool lp_snum_ok(int iService);
|
|
+void lp_add_one_printer(const char *name, const char *comment,
|
|
+ const char *location, void *pdata);
|
|
+bool lp_loaded(void);
|
|
+void lp_killunused(struct smbd_server_connection *sconn,
|
|
+ bool (*snumused) (struct smbd_server_connection *, int));
|
|
+void lp_kill_all_services(void);
|
|
+void lp_killservice(int iServiceIn);
|
|
+const char* server_role_str(uint32_t role);
|
|
+enum usershare_err parse_usershare_file(TALLOC_CTX *ctx,
|
|
+ SMB_STRUCT_STAT *psbuf,
|
|
+ const char *servicename,
|
|
+ int snum,
|
|
+ char **lines,
|
|
+ int numlines,
|
|
+ char **pp_sharepath,
|
|
+ char **pp_comment,
|
|
+ char **pp_cp_share_name,
|
|
+ struct security_descriptor **ppsd,
|
|
+ bool *pallow_guest);
|
|
+int load_usershare_service(const char *servicename);
|
|
+int load_usershare_shares(struct smbd_server_connection *sconn,
|
|
+ bool (*snumused) (struct smbd_server_connection *, int));
|
|
+void gfree_loadparm(void);
|
|
+bool lp_load_initial_only(const char *pszFname);
|
|
+bool lp_load_global(const char *file_name);
|
|
+bool lp_load_with_shares(const char *file_name);
|
|
+bool lp_load_client(const char *file_name);
|
|
+bool lp_load_global_no_reinit(const char *file_name);
|
|
+bool lp_load_no_reinit(const char *file_name);
|
|
+bool lp_load_client_no_reinit(const char *file_name);
|
|
+bool lp_load_with_registry_shares(const char *pszFname);
|
|
+int lp_numservices(void);
|
|
+void lp_dump(FILE *f, bool show_defaults, int maxtoprint);
|
|
+void lp_dump_one(FILE * f, bool show_defaults, int snum);
|
|
+int lp_servicenumber(const char *pszServiceName);
|
|
+const char *volume_label(TALLOC_CTX *ctx, int snum);
|
|
+bool lp_domain_master(void);
|
|
+bool lp_preferred_master(void);
|
|
+void lp_remove_service(int snum);
|
|
+void lp_copy_service(int snum, const char *new_name);
|
|
+int lp_default_server_announce(void);
|
|
+const char *lp_printername(TALLOC_CTX *ctx,
|
|
+ const struct loadparm_substitution *lp_sub,
|
|
+ int snum);
|
|
+void lp_set_logfile(const char *name);
|
|
+int lp_maxprintjobs(int snum);
|
|
+const char *lp_printcapname(void);
|
|
+bool lp_disable_spoolss( void );
|
|
+void lp_set_spoolss_state( uint32_t state );
|
|
+uint32_t lp_get_spoolss_state( void );
|
|
+struct smb_signing_state;
|
|
+void set_use_sendfile(int snum, bool val);
|
|
+void lp_set_mangling_method(const char *new_method);
|
|
+bool lp_posix_pathnames(void);
|
|
+void lp_set_posix_pathnames(void);
|
|
+enum brl_flavour lp_posix_cifsu_locktype(files_struct *fsp);
|
|
+void lp_set_posix_default_cifsx_readwrite_locktype(enum brl_flavour val);
|
|
+int lp_min_receive_file_size(void);
|
|
+void widelinks_warning(int snum);
|
|
+const char *lp_ncalrpc_dir(void);
|
|
+void _lp_set_server_role(int server_role);
|
|
+uint32_t lp_get_async_dns_timeout(void);
|
|
+
|
|
+/* The following definitions come from param/loadparm_ctx.c */
|
|
+
|
|
+const struct loadparm_s3_helpers *loadparm_s3_helpers(void);
|
|
+
|
|
+/* The following definitions come from param/loadparm_server_role.c */
|
|
+
|
|
+int lp_server_role(void);
|
|
+void set_server_role(void);
|
|
+
|
|
+/* The following definitions come from param/util.c */
|
|
+
|
|
+uint32_t get_int_param( const char* param );
|
|
+char *get_string_param( const char* param );
|
|
+
|
|
+#endif /* _S3_LOADPARM_H */
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 62a13e686241e752ba927da046dda68324f3a550 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 11 Aug 2020 10:41:07 +0200
|
|
Subject: [PATCH 075/104] s3:lib: Move interface prototypes to own header file
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
|
|
Autobuild-User(master): Jeremy Allison <jra@samba.org>
|
|
Autobuild-Date(master): Fri Oct 9 20:36:13 UTC 2020 on sn-devel-184
|
|
|
|
(cherry picked from commit 925cc9aafbe17cb2cbd89f468fac70f96ae89475)
|
|
---
|
|
source3/include/proto.h | 21 +------------------
|
|
source3/lib/interface.h | 46 +++++++++++++++++++++++++++++++++++++++++
|
|
2 files changed, 47 insertions(+), 20 deletions(-)
|
|
create mode 100644 source3/lib/interface.h
|
|
|
|
diff --git a/source3/include/proto.h b/source3/include/proto.h
|
|
index b9a6cb7f116..1bbd8e9d526 100644
|
|
--- a/source3/include/proto.h
|
|
+++ b/source3/include/proto.h
|
|
@@ -84,26 +84,7 @@ NTSTATUS vfs_at_fspcwd(TALLOC_CTX *mem_ctx,
|
|
struct connection_struct *conn,
|
|
struct files_struct **_fsp);
|
|
|
|
-/* The following definitions come from lib/interface.c */
|
|
-
|
|
-bool ismyaddr(const struct sockaddr *ip);
|
|
-bool ismyip_v4(struct in_addr ip);
|
|
-bool is_local_net(const struct sockaddr *from);
|
|
-void setup_linklocal_scope_id(struct sockaddr *pss);
|
|
-bool is_local_net_v4(struct in_addr from);
|
|
-int iface_count(void);
|
|
-int iface_count_v4_nl(void);
|
|
-const struct in_addr *first_ipv4_iface(void);
|
|
-struct interface *get_interface(int n);
|
|
-const struct sockaddr_storage *iface_n_sockaddr_storage(int n);
|
|
-const struct in_addr *iface_n_ip_v4(int n);
|
|
-const struct in_addr *iface_n_bcast_v4(int n);
|
|
-const struct sockaddr_storage *iface_n_bcast(int n);
|
|
-const struct sockaddr_storage *iface_ip(const struct sockaddr *ip);
|
|
-bool iface_local(const struct sockaddr *ip);
|
|
-void load_interfaces(void);
|
|
-void gfree_interfaces(void);
|
|
-bool interfaces_changed(void);
|
|
+#include "source3/lib/interface.h"
|
|
|
|
/* The following definitions come from lib/ldap_debug_handler.c */
|
|
|
|
diff --git a/source3/lib/interface.h b/source3/lib/interface.h
|
|
new file mode 100644
|
|
index 00000000000..f45435b4a81
|
|
--- /dev/null
|
|
+++ b/source3/lib/interface.h
|
|
@@ -0,0 +1,46 @@
|
|
+/*
|
|
+ *
|
|
+ * Unix SMB/CIFS implementation.
|
|
+ *
|
|
+ * Type definitions for interfaces
|
|
+ *
|
|
+ * Copyright (c) 2020 Andreas Schneider <asn@samba.org>
|
|
+ * This program is free software: you can redistribute it and/or modify
|
|
+ * it under the terms of the GNU General Public License as published by
|
|
+ * the Free Software Foundation, either version 3 of the License, or
|
|
+ * (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+ */
|
|
+
|
|
+#ifndef _INTERFACE_H
|
|
+#define _INTERFACE_H
|
|
+
|
|
+#include <system/network.h>
|
|
+
|
|
+bool ismyaddr(const struct sockaddr *ip);
|
|
+bool ismyip_v4(struct in_addr ip);
|
|
+bool is_local_net(const struct sockaddr *from);
|
|
+void setup_linklocal_scope_id(struct sockaddr *pss);
|
|
+bool is_local_net_v4(struct in_addr from);
|
|
+int iface_count(void);
|
|
+int iface_count_v4_nl(void);
|
|
+const struct in_addr *first_ipv4_iface(void);
|
|
+struct interface *get_interface(int n);
|
|
+const struct sockaddr_storage *iface_n_sockaddr_storage(int n);
|
|
+const struct in_addr *iface_n_ip_v4(int n);
|
|
+const struct in_addr *iface_n_bcast_v4(int n);
|
|
+const struct sockaddr_storage *iface_n_bcast(int n);
|
|
+const struct sockaddr_storage *iface_ip(const struct sockaddr *ip);
|
|
+bool iface_local(const struct sockaddr *ip);
|
|
+void load_interfaces(void);
|
|
+void gfree_interfaces(void);
|
|
+bool interfaces_changed(void);
|
|
+
|
|
+#endif /* _INTERFACE_H */
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 2b704c32b55432d08eae3cae2267a4b6319c6c6c Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Fri, 7 Feb 2020 16:48:16 +0100
|
|
Subject: [PATCH 076/104] idl: Add SID_SAMBA_SMB3
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit 56879ec5876625346df89110f62d52e3fd5b8934)
|
|
---
|
|
librpc/idl/security.idl | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
|
|
index a92e8f1518e..06bf7449a70 100644
|
|
--- a/librpc/idl/security.idl
|
|
+++ b/librpc/idl/security.idl
|
|
@@ -282,6 +282,9 @@ interface security
|
|
const string SID_SAMBA_UNIX_USER_OWNER = "S-1-22-1";
|
|
const string SID_SAMBA_UNIX_GROUP_OWNER = "S-1-22-2";
|
|
|
|
+ /* Information passing via security token */
|
|
+ const string SID_SAMBA_SMB3 = "S-1-22-1397571891";
|
|
+
|
|
/* SECURITY_NT_SERVICE */
|
|
const string NAME_NT_SERVICE = "NT SERVICE";
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From ae4b1eccc9ef043a753126f942345a57a92004ed Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Fri, 7 Feb 2020 16:48:29 +0100
|
|
Subject: [PATCH 077/104] s3:smbd: Add SMB3 connection information to session
|
|
info
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit 905c2b9722a64ee57f3fbcff51e6bb591c6e3edc)
|
|
---
|
|
source3/include/vfs.h | 1 +
|
|
source3/smbd/pipes.c | 82 +++++++++++++++++++++++++++++++++++++-
|
|
source3/smbd/smb2_server.c | 5 +++
|
|
3 files changed, 87 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/source3/include/vfs.h b/source3/include/vfs.h
|
|
index d527f850628..c0d60636c31 100644
|
|
--- a/source3/include/vfs.h
|
|
+++ b/source3/include/vfs.h
|
|
@@ -411,6 +411,7 @@ typedef struct files_struct {
|
|
bool use_ofd_locks : 1;
|
|
bool closing : 1;
|
|
bool lock_failure_seen : 1;
|
|
+ bool encryption_required : 1;
|
|
} fsp_flags;
|
|
|
|
struct tevent_timer *update_write_time_event;
|
|
diff --git a/source3/smbd/pipes.c b/source3/smbd/pipes.c
|
|
index 2dd38bb7ab3..d51a3de9497 100644
|
|
--- a/source3/smbd/pipes.c
|
|
+++ b/source3/smbd/pipes.c
|
|
@@ -30,13 +30,16 @@
|
|
#include "smbd/globals.h"
|
|
#include "libcli/security/security.h"
|
|
#include "rpc_server/srv_pipe_hnd.h"
|
|
+#include "auth/auth_util.h"
|
|
|
|
NTSTATUS open_np_file(struct smb_request *smb_req, const char *name,
|
|
struct files_struct **pfsp)
|
|
{
|
|
+ struct smbXsrv_connection *xconn = smb_req->xconn;
|
|
struct connection_struct *conn = smb_req->conn;
|
|
struct files_struct *fsp;
|
|
struct smb_filename *smb_fname = NULL;
|
|
+ struct auth_session_info *session_info = conn->session_info;
|
|
NTSTATUS status;
|
|
|
|
status = file_new(smb_req, conn, &fsp);
|
|
@@ -68,10 +71,87 @@ NTSTATUS open_np_file(struct smb_request *smb_req, const char *name,
|
|
return status;
|
|
}
|
|
|
|
+ if (smb_req->smb2req != NULL && smb_req->smb2req->was_encrypted) {
|
|
+ struct security_token *security_token = NULL;
|
|
+ uint16_t dialect = xconn->smb2.server.dialect;
|
|
+ uint16_t srv_smb_encrypt = 0x0002;
|
|
+ uint16_t cipher = xconn->smb2.server.cipher;
|
|
+ char smb3_sid_str[SID_MAX_SIZE];
|
|
+ struct dom_sid smb3_dom_sid;
|
|
+ struct dom_sid smb3_sid;
|
|
+ uint32_t i;
|
|
+ bool ok;
|
|
+ int rc;
|
|
+
|
|
+ session_info = copy_session_info(fsp, conn->session_info);
|
|
+ if (session_info == NULL) {
|
|
+ DBG_ERR("Failed to copy session info\n");
|
|
+ file_free(smb_req, fsp);
|
|
+ return NT_STATUS_NO_MEMORY;
|
|
+ }
|
|
+ security_token = session_info->security_token;
|
|
+
|
|
+ ok = dom_sid_parse(SID_SAMBA_SMB3, &smb3_dom_sid);
|
|
+ if (!ok) {
|
|
+ file_free(smb_req, fsp);
|
|
+ return NT_STATUS_BUFFER_TOO_SMALL;
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ * Security check:
|
|
+ *
|
|
+ * Make sure we don't have a SMB3 SID in the security token!
|
|
+ */
|
|
+ for (i = 0; i < security_token->num_sids; i++) {
|
|
+ int cmp;
|
|
+
|
|
+ cmp = dom_sid_compare_domain(&security_token->sids[i],
|
|
+ &smb3_dom_sid);
|
|
+ if (cmp == 0) {
|
|
+ DBG_ERR("ERROR: An SMB3 SID has already been "
|
|
+ "detected in the security token!\n");
|
|
+ file_free(smb_req, fsp);
|
|
+ return NT_STATUS_ACCESS_DENIED;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ rc = snprintf(smb3_sid_str,
|
|
+ sizeof(smb3_sid_str),
|
|
+ "%s-%u-%u-%u",
|
|
+ SID_SAMBA_SMB3,
|
|
+ dialect,
|
|
+ srv_smb_encrypt,
|
|
+ cipher);
|
|
+ if (rc < 0) {
|
|
+ DBG_ERR("Buffer too small\n");
|
|
+ file_free(smb_req, fsp);
|
|
+ return NT_STATUS_BUFFER_TOO_SMALL;
|
|
+ }
|
|
+
|
|
+ ok = dom_sid_parse(smb3_sid_str, &smb3_sid);
|
|
+ if (!ok) {
|
|
+ DBG_ERR("Failed to parse SMB3 SID\n");
|
|
+ file_free(smb_req, fsp);
|
|
+ return NT_STATUS_INVALID_PARAMETER;
|
|
+ }
|
|
+
|
|
+ status = add_sid_to_array_unique(security_token,
|
|
+ &smb3_sid,
|
|
+ &security_token->sids,
|
|
+ &security_token->num_sids);
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ DBG_ERR("Failed to add SMB3 SID to security token\n");
|
|
+ file_free(smb_req, fsp);
|
|
+ return status;
|
|
+ }
|
|
+
|
|
+ fsp->fsp_flags.encryption_required = true;
|
|
+ }
|
|
+
|
|
status = np_open(fsp, name,
|
|
conn->sconn->remote_address,
|
|
conn->sconn->local_address,
|
|
- conn->session_info,
|
|
+ session_info,
|
|
conn->sconn->ev_ctx,
|
|
conn->sconn->msg_ctx,
|
|
conn->sconn->dce_ctx,
|
|
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
|
|
index cf9de185c1f..cd24b7d2ed5 100644
|
|
--- a/source3/smbd/smb2_server.c
|
|
+++ b/source3/smbd/smb2_server.c
|
|
@@ -3232,6 +3232,11 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
|
|
return smbd_smb2_request_error(req,
|
|
NT_STATUS_FILE_CLOSED);
|
|
}
|
|
+ } else {
|
|
+ if (fsp->fsp_flags.encryption_required && !req->was_encrypted) {
|
|
+ return smbd_smb2_request_error(req,
|
|
+ NT_STATUS_ACCESS_DENIED);
|
|
+ }
|
|
}
|
|
}
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 49853bdabadcde29032b0ae09f015a0adf3cd22c Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 12 Mar 2020 14:11:56 +0100
|
|
Subject: [PATCH 078/104] librpc: Add dcerpc helper
|
|
dcerpc_is_transport_encrypted()
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit 8bbe5c8c94aaf75d715f558c363e5b2de49f7bf9)
|
|
---
|
|
librpc/rpc/dcerpc_helper.c | 137 +++++++++++++++++++++++++++++++++++++
|
|
librpc/rpc/dcerpc_helper.h | 26 +++++++
|
|
librpc/wscript_build | 9 +++
|
|
3 files changed, 172 insertions(+)
|
|
create mode 100644 librpc/rpc/dcerpc_helper.c
|
|
create mode 100644 librpc/rpc/dcerpc_helper.h
|
|
|
|
diff --git a/librpc/rpc/dcerpc_helper.c b/librpc/rpc/dcerpc_helper.c
|
|
new file mode 100644
|
|
index 00000000000..c5443764628
|
|
--- /dev/null
|
|
+++ b/librpc/rpc/dcerpc_helper.c
|
|
@@ -0,0 +1,137 @@
|
|
+/*
|
|
+ * Copyright (c) 2020 Andreas Schneider <asn@samba.org>
|
|
+ *
|
|
+ * This program is free software: you can redistribute it and/or modify
|
|
+ * it under the terms of the GNU General Public License as published by
|
|
+ * the Free Software Foundation, either version 3 of the License, or
|
|
+ * (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+ */
|
|
+
|
|
+#include "includes.h"
|
|
+#include "librpc/gen_ndr/security.h"
|
|
+#include "librpc/gen_ndr/auth.h"
|
|
+#include "lib/crypto/gnutls_helpers.h"
|
|
+#include "libcli/security/dom_sid.h"
|
|
+#include "libcli/smb/smb2_constants.h"
|
|
+
|
|
+#include "dcerpc_helper.h"
|
|
+
|
|
+static bool smb3_sid_parse(const struct dom_sid *sid,
|
|
+ uint16_t *pdialect,
|
|
+ uint16_t *pencrypt,
|
|
+ uint16_t *pcipher)
|
|
+{
|
|
+ uint16_t dialect;
|
|
+ uint16_t encrypt;
|
|
+ uint16_t cipher;
|
|
+
|
|
+ if (sid->sub_auths[0] != 1397571891) {
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ dialect = sid->sub_auths[1];
|
|
+ if (dialect > 0x03ff) {
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ encrypt = sid->sub_auths[2];
|
|
+ if (encrypt > 0x0002) {
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ cipher = sid->sub_auths[3];
|
|
+ if (cipher > SMB2_ENCRYPTION_AES128_GCM) {
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ if (pdialect != NULL) {
|
|
+ *pdialect = dialect;
|
|
+ }
|
|
+
|
|
+ if (pencrypt != NULL) {
|
|
+ *pencrypt = encrypt;
|
|
+ }
|
|
+
|
|
+ if (pcipher != NULL) {
|
|
+ *pcipher = cipher;
|
|
+ }
|
|
+
|
|
+ return true;
|
|
+}
|
|
+
|
|
+bool dcerpc_is_transport_encrypted(struct auth_session_info *session_info)
|
|
+{
|
|
+ struct security_token *token = session_info->security_token;
|
|
+ struct dom_sid smb3_dom_sid;
|
|
+ const struct dom_sid *smb3_sid = NULL;
|
|
+ uint16_t dialect = 0;
|
|
+ uint16_t encrypt = 0;
|
|
+ uint16_t cipher = 0;
|
|
+ uint32_t i;
|
|
+ bool ok;
|
|
+
|
|
+ ok = dom_sid_parse(SID_SAMBA_SMB3, &smb3_dom_sid);
|
|
+ if (!ok) {
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ for (i = 0; i < token->num_sids; i++) {
|
|
+ int cmp;
|
|
+
|
|
+ /* There is only one SMB3 SID allowed! */
|
|
+ cmp = dom_sid_compare_domain(&token->sids[i], &smb3_dom_sid);
|
|
+ if (cmp == 0) {
|
|
+ if (smb3_sid == NULL) {
|
|
+ smb3_sid = &token->sids[i];
|
|
+ } else {
|
|
+ DBG_ERR("ERROR: The SMB3 SID has been detected "
|
|
+ "multiple times\n");
|
|
+ return false;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (smb3_sid == NULL) {
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ ok = smb3_sid_parse(smb3_sid, &dialect, &encrypt, &cipher);
|
|
+ if (!ok) {
|
|
+ DBG_ERR("Failed to parse SMB3 SID!\n");
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ DBG_DEBUG("SMB SID - dialect: %#04x, encrypt: %#04x, cipher: %#04x\n",
|
|
+ dialect,
|
|
+ encrypt,
|
|
+ cipher);
|
|
+
|
|
+ if (dialect < SMB3_DIALECT_REVISION_300) {
|
|
+ DBG_DEBUG("Invalid SMB3 dialect!\n");
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ if (encrypt != DCERPC_SMB_ENCRYPTION_REQUIRED) {
|
|
+ DBG_DEBUG("Invalid SMB3 encryption!\n");
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ switch (cipher) {
|
|
+ case SMB2_ENCRYPTION_AES128_CCM:
|
|
+ case SMB2_ENCRYPTION_AES128_GCM:
|
|
+ break;
|
|
+ default:
|
|
+ DBG_DEBUG("Invalid SMB3 cipher!\n");
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ return true;
|
|
+}
|
|
diff --git a/librpc/rpc/dcerpc_helper.h b/librpc/rpc/dcerpc_helper.h
|
|
new file mode 100644
|
|
index 00000000000..c0f09ee494e
|
|
--- /dev/null
|
|
+++ b/librpc/rpc/dcerpc_helper.h
|
|
@@ -0,0 +1,26 @@
|
|
+/*
|
|
+ * Copyright (c) 2020 Andreas Schneider <asn@samba.org>
|
|
+ *
|
|
+ * This program is free software: you can redistribute it and/or modify
|
|
+ * it under the terms of the GNU General Public License as published by
|
|
+ * the Free Software Foundation, either version 3 of the License, or
|
|
+ * (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+ */
|
|
+
|
|
+#ifndef _DCERPC_HELPER_H
|
|
+#define _DCERPC_HELPER_H
|
|
+
|
|
+#define DCERPC_SMB_ENCRYPTION_OFF 0x0000
|
|
+#define DCERPC_SMB_ENCRYPTION_REQUIRED 0x0002
|
|
+
|
|
+bool dcerpc_is_transport_encrypted(struct auth_session_info *session_info);
|
|
+
|
|
+#endif /* _DCERPC_HELPER_H */
|
|
diff --git a/librpc/wscript_build b/librpc/wscript_build
|
|
index 27b180fa63d..109a1834841 100644
|
|
--- a/librpc/wscript_build
|
|
+++ b/librpc/wscript_build
|
|
@@ -669,6 +669,15 @@ bld.SAMBA_LIBRARY('dcerpc-server-core',
|
|
autoproto='rpc/dcesrv_core_proto.h',
|
|
vnum='0.0.1')
|
|
|
|
+bld.SAMBA_SUBSYSTEM('DCERPC_HELPER',
|
|
+ source='rpc/dcerpc_helper.c',
|
|
+ public_deps='''
|
|
+ samba-hostconfig
|
|
+ samba-security
|
|
+ gnutls
|
|
+ GNUTLS_HELPERS
|
|
+ ''')
|
|
+
|
|
bld.SAMBA_SUBSYSTEM('NDR_WINBIND',
|
|
source='gen_ndr/ndr_winbind.c',
|
|
public_deps='ndr NDR_LSA'
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 0490f135fdcc293561b0af98b4ce0f4d56eb14a6 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Fri, 28 Aug 2020 16:31:17 +0200
|
|
Subject: [PATCH 079/104] s3:smbd: Use defines to set 'srv_smb_encrypt'
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit 5f1a73be6311c68a21a550c0de5078baeb78f4ee)
|
|
---
|
|
source3/smbd/pipes.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/source3/smbd/pipes.c b/source3/smbd/pipes.c
|
|
index d51a3de9497..785cbb23b5f 100644
|
|
--- a/source3/smbd/pipes.c
|
|
+++ b/source3/smbd/pipes.c
|
|
@@ -31,6 +31,7 @@
|
|
#include "libcli/security/security.h"
|
|
#include "rpc_server/srv_pipe_hnd.h"
|
|
#include "auth/auth_util.h"
|
|
+#include "librpc/rpc/dcerpc_helper.h"
|
|
|
|
NTSTATUS open_np_file(struct smb_request *smb_req, const char *name,
|
|
struct files_struct **pfsp)
|
|
@@ -74,7 +75,7 @@ NTSTATUS open_np_file(struct smb_request *smb_req, const char *name,
|
|
if (smb_req->smb2req != NULL && smb_req->smb2req->was_encrypted) {
|
|
struct security_token *security_token = NULL;
|
|
uint16_t dialect = xconn->smb2.server.dialect;
|
|
- uint16_t srv_smb_encrypt = 0x0002;
|
|
+ uint16_t srv_smb_encrypt = DCERPC_SMB_ENCRYPTION_REQUIRED;
|
|
uint16_t cipher = xconn->smb2.server.cipher;
|
|
char smb3_sid_str[SID_MAX_SIZE];
|
|
struct dom_sid smb3_dom_sid;
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From bbbb58dd5f37f82b46872d4a9eb3c6f6c1939a26 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 12 Nov 2019 16:56:45 +0100
|
|
Subject: [PATCH 080/104] s3:rpc_server: Allow to use RC4 for setting passwords
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit c6a21e1897985f267bcfc681179cea95165c3c57)
|
|
---
|
|
source3/rpc_server/samr/srv_samr_chgpasswd.c | 3 +
|
|
source3/rpc_server/samr/srv_samr_nt.c | 78 +++++++++++++++++++-
|
|
source3/rpc_server/wscript_build | 2 +-
|
|
3 files changed, 81 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
|
|
index cb9837ecf01..e326745169e 100644
|
|
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
|
|
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
|
|
@@ -769,11 +769,13 @@ static NTSTATUS check_oem_password(const char *user,
|
|
.size = 16,
|
|
};
|
|
|
|
+ GNUTLS_FIPS140_SET_LAX_MODE();
|
|
rc = gnutls_cipher_init(&cipher_hnd,
|
|
GNUTLS_CIPHER_ARCFOUR_128,
|
|
&enc_key,
|
|
NULL);
|
|
if (rc < 0) {
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
|
|
}
|
|
|
|
@@ -781,6 +783,7 @@ static NTSTATUS check_oem_password(const char *user,
|
|
password_encrypted,
|
|
516);
|
|
gnutls_cipher_deinit(cipher_hnd);
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
if (rc < 0) {
|
|
return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
|
|
}
|
|
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
|
|
index 5ffc3331185..77cb18b6a88 100644
|
|
--- a/source3/rpc_server/samr/srv_samr_nt.c
|
|
+++ b/source3/rpc_server/samr/srv_samr_nt.c
|
|
@@ -46,6 +46,8 @@
|
|
#include "rpc_server/srv_access_check.h"
|
|
#include "../lib/tsocket/tsocket.h"
|
|
#include "lib/util/base64.h"
|
|
+#include "param/param.h"
|
|
+#include "librpc/rpc/dcerpc_helper.h"
|
|
|
|
#include "lib/crypto/gnutls_helpers.h"
|
|
#include <gnutls/gnutls.h>
|
|
@@ -1887,6 +1889,7 @@ NTSTATUS _samr_ChangePasswordUser2(struct pipes_struct *p,
|
|
char *user_name = NULL;
|
|
char *rhost;
|
|
const char *wks = NULL;
|
|
+ bool encrypted;
|
|
|
|
DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
|
|
|
|
@@ -1915,6 +1918,12 @@ NTSTATUS _samr_ChangePasswordUser2(struct pipes_struct *p,
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
+ encrypted = dcerpc_is_transport_encrypted(p->session_info);
|
|
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
|
|
+ !encrypted) {
|
|
+ return NT_STATUS_ACCESS_DENIED;
|
|
+ }
|
|
+
|
|
/*
|
|
* UNIX username case mangling not required, pass_oem_change
|
|
* is case insensitive.
|
|
@@ -1948,6 +1957,7 @@ NTSTATUS _samr_OemChangePasswordUser2(struct pipes_struct *p,
|
|
char *user_name = NULL;
|
|
const char *wks = NULL;
|
|
char *rhost;
|
|
+ bool encrypted;
|
|
|
|
DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
|
|
|
|
@@ -1985,6 +1995,12 @@ NTSTATUS _samr_OemChangePasswordUser2(struct pipes_struct *p,
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
+ encrypted = dcerpc_is_transport_encrypted(p->session_info);
|
|
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
|
|
+ !encrypted) {
|
|
+ return NT_STATUS_ACCESS_DENIED;
|
|
+ }
|
|
+
|
|
status = pass_oem_change(user_name,
|
|
rhost,
|
|
r->in.password->data,
|
|
@@ -5200,8 +5216,13 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
|
|
char *rhost;
|
|
DATA_BLOB session_key;
|
|
struct dom_sid_buf buf;
|
|
+ struct loadparm_context *lp_ctx = NULL;
|
|
+ bool encrypted;
|
|
|
|
- DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
|
|
+ lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers());
|
|
+ if (lp_ctx == NULL) {
|
|
+ return NT_STATUS_NO_MEMORY;
|
|
+ }
|
|
|
|
/* This is tricky. A WinXP domain join sets
|
|
(SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
|
|
@@ -5390,13 +5411,27 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
|
|
break;
|
|
|
|
case 23:
|
|
+ encrypted =
|
|
+ dcerpc_is_transport_encrypted(p->session_info);
|
|
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
|
|
+ !encrypted) {
|
|
+ status = NT_STATUS_ACCESS_DENIED;
|
|
+ break;
|
|
+ }
|
|
+
|
|
status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
|
|
if(!NT_STATUS_IS_OK(status)) {
|
|
break;
|
|
}
|
|
+ /*
|
|
+ * This can be allowed as it requires a session key
|
|
+ * which we only have if we have a SMB session.
|
|
+ */
|
|
+ GNUTLS_FIPS140_SET_LAX_MODE();
|
|
status = arc4_decrypt_data(session_key,
|
|
info->info23.password.data,
|
|
516);
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
if(!NT_STATUS_IS_OK(status)) {
|
|
break;
|
|
}
|
|
@@ -5412,14 +5447,27 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
|
|
break;
|
|
|
|
case 24:
|
|
+ encrypted =
|
|
+ dcerpc_is_transport_encrypted(p->session_info);
|
|
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
|
|
+ !encrypted) {
|
|
+ status = NT_STATUS_ACCESS_DENIED;
|
|
+ break;
|
|
+ }
|
|
|
|
status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
|
|
if(!NT_STATUS_IS_OK(status)) {
|
|
break;
|
|
}
|
|
+ /*
|
|
+ * This can be allowed as it requires a session key
|
|
+ * which we only have if we have a SMB session.
|
|
+ */
|
|
+ GNUTLS_FIPS140_SET_LAX_MODE();
|
|
status = arc4_decrypt_data(session_key,
|
|
info->info24.password.data,
|
|
516);
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
if(!NT_STATUS_IS_OK(status)) {
|
|
break;
|
|
}
|
|
@@ -5434,12 +5482,26 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
|
|
break;
|
|
|
|
case 25:
|
|
+ encrypted =
|
|
+ dcerpc_is_transport_encrypted(p->session_info);
|
|
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
|
|
+ !encrypted) {
|
|
+ status = NT_STATUS_ACCESS_DENIED;
|
|
+ break;
|
|
+ }
|
|
+
|
|
status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
|
|
if(!NT_STATUS_IS_OK(status)) {
|
|
break;
|
|
}
|
|
+ /*
|
|
+ * This can be allowed as it requires a session key
|
|
+ * which we only have if we have a SMB session.
|
|
+ */
|
|
+ GNUTLS_FIPS140_SET_LAX_MODE();
|
|
status = decode_rc4_passwd_buffer(&session_key,
|
|
&info->info25.password);
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
break;
|
|
}
|
|
@@ -5454,12 +5516,26 @@ NTSTATUS _samr_SetUserInfo(struct pipes_struct *p,
|
|
break;
|
|
|
|
case 26:
|
|
+ encrypted =
|
|
+ dcerpc_is_transport_encrypted(p->session_info);
|
|
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
|
|
+ !encrypted) {
|
|
+ status = NT_STATUS_ACCESS_DENIED;
|
|
+ break;
|
|
+ }
|
|
+
|
|
status = session_extract_session_key(p->session_info, &session_key, KEY_USE_16BYTES);
|
|
if(!NT_STATUS_IS_OK(status)) {
|
|
break;
|
|
}
|
|
+ /*
|
|
+ * This can be allowed as it requires a session key
|
|
+ * which we only have if we have a SMB session.
|
|
+ */
|
|
+ GNUTLS_FIPS140_SET_LAX_MODE();
|
|
status = decode_rc4_passwd_buffer(&session_key,
|
|
&info->info26.password);
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
break;
|
|
}
|
|
diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build
|
|
index 2af02ad6fa8..eb91ac09384 100644
|
|
--- a/source3/rpc_server/wscript_build
|
|
+++ b/source3/rpc_server/wscript_build
|
|
@@ -85,7 +85,7 @@ bld.SAMBA3_SUBSYSTEM('RPC_SAMR',
|
|
source='''samr/srv_samr_nt.c
|
|
samr/srv_samr_util.c
|
|
samr/srv_samr_chgpasswd.c''',
|
|
- deps='PLAINTEXT_AUTH SRV_ACCESS_CHECK')
|
|
+ deps='PLAINTEXT_AUTH SRV_ACCESS_CHECK DCERPC_HELPER')
|
|
|
|
bld.SAMBA3_SUBSYSTEM('RPC_SPOOLSS',
|
|
source='''spoolss/srv_spoolss_nt.c
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From c3ffe2ce09c761a69ba83ae55beb4af4e53095d7 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Fri, 15 Nov 2019 13:49:40 +0100
|
|
Subject: [PATCH 081/104] s4:rpc_server: Allow to use RC4 for setting passwords
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit a9c532c6d3e85fbe49b7040254cfc66ab54074bc)
|
|
---
|
|
source4/rpc_server/samr/samr_password.c | 30 +++++++++++++++++++++++++
|
|
source4/rpc_server/wscript_build | 2 +-
|
|
2 files changed, 31 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
|
|
index 52a644176e2..83b104fbd0e 100644
|
|
--- a/source4/rpc_server/samr/samr_password.c
|
|
+++ b/source4/rpc_server/samr/samr_password.c
|
|
@@ -31,6 +31,8 @@
|
|
#include "../lib/util/util_ldb.h"
|
|
#include "rpc_server/samr/proto.h"
|
|
#include "auth/auth_sam.h"
|
|
+#include "lib/param/loadparm.h"
|
|
+#include "librpc/rpc/dcerpc_helper.h"
|
|
|
|
#include "lib/crypto/gnutls_helpers.h"
|
|
#include <gnutls/gnutls.h>
|
|
@@ -129,6 +131,8 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
|
|
struct dom_sid *user_objectSid = NULL;
|
|
gnutls_cipher_hd_t cipher_hnd = NULL;
|
|
gnutls_datum_t lm_session_key;
|
|
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
|
|
+ bool encrypted;
|
|
int rc;
|
|
|
|
if (pwbuf == NULL) {
|
|
@@ -144,6 +148,12 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
|
|
return NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER;
|
|
}
|
|
|
|
+ encrypted = dcerpc_is_transport_encrypted(session_info);
|
|
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED &&
|
|
+ !encrypted) {
|
|
+ return NT_STATUS_ACCESS_DENIED;
|
|
+ }
|
|
+
|
|
/* Connect to a SAMDB with system privileges for fetching the old pw
|
|
* hashes. */
|
|
sam_ctx = samdb_connect(mem_ctx,
|
|
@@ -188,11 +198,13 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
|
|
.size = sizeof(lm_pwd->hash),
|
|
};
|
|
|
|
+ GNUTLS_FIPS140_SET_LAX_MODE();
|
|
rc = gnutls_cipher_init(&cipher_hnd,
|
|
GNUTLS_CIPHER_ARCFOUR_128,
|
|
&lm_session_key,
|
|
NULL);
|
|
if (rc < 0) {
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
|
|
goto failed;
|
|
}
|
|
@@ -201,6 +213,7 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
|
|
pwbuf->data,
|
|
516);
|
|
gnutls_cipher_deinit(cipher_hnd);
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
if (rc < 0) {
|
|
status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
|
|
goto failed;
|
|
@@ -607,7 +620,17 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
|
|
DATA_BLOB session_key = data_blob(NULL, 0);
|
|
gnutls_cipher_hd_t cipher_hnd = NULL;
|
|
gnutls_datum_t _session_key;
|
|
+ struct auth_session_info *session_info =
|
|
+ dcesrv_call_session_info(dce_call);
|
|
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
|
|
int rc;
|
|
+ bool encrypted;
|
|
+
|
|
+ encrypted = dcerpc_is_transport_encrypted(session_info);
|
|
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED &&
|
|
+ !encrypted) {
|
|
+ return NT_STATUS_ACCESS_DENIED;
|
|
+ }
|
|
|
|
nt_status = dcesrv_transport_session_key(dce_call, &session_key);
|
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
@@ -621,11 +644,17 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
|
|
.size = session_key.length,
|
|
};
|
|
|
|
+ /*
|
|
+ * This is safe to support as we only have a session key
|
|
+ * over a SMB connection which we force to be encrypted.
|
|
+ */
|
|
+ GNUTLS_FIPS140_SET_LAX_MODE();
|
|
rc = gnutls_cipher_init(&cipher_hnd,
|
|
GNUTLS_CIPHER_ARCFOUR_128,
|
|
&_session_key,
|
|
NULL);
|
|
if (rc < 0) {
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
|
|
goto out;
|
|
}
|
|
@@ -634,6 +663,7 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
|
|
pwbuf->data,
|
|
516);
|
|
gnutls_cipher_deinit(cipher_hnd);
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
if (rc < 0) {
|
|
nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
|
|
goto out;
|
|
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
|
|
index de55ad6239a..c9c1978f223 100644
|
|
--- a/source4/rpc_server/wscript_build
|
|
+++ b/source4/rpc_server/wscript_build
|
|
@@ -87,7 +87,7 @@ bld.SAMBA_MODULE('dcesrv_samr',
|
|
autoproto='samr/proto.h',
|
|
subsystem='dcerpc_server',
|
|
init_function='dcerpc_server_samr_init',
|
|
- deps='samdb DCERPC_COMMON ndr-standard auth4_sam GNUTLS_HELPERS'
|
|
+ deps='samdb DCERPC_COMMON ndr-standard auth4_sam GNUTLS_HELPERS DCERPC_HELPER'
|
|
)
|
|
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 6163af4d52811d487fa3568d0588e6afd7f43167 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 20 Aug 2020 12:45:49 +0200
|
|
Subject: [PATCH 082/104] lib:crypto: Add py binding for set_relax/strict fips
|
|
mode
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit 32d4c75d6cbf9153068a0487347097707afb356a)
|
|
---
|
|
lib/crypto/py_crypto.c | 16 ++++++++++++++++
|
|
1 file changed, 16 insertions(+)
|
|
|
|
diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
|
|
index 32b946eee8f..ad18d3ada0f 100644
|
|
--- a/lib/crypto/py_crypto.c
|
|
+++ b/lib/crypto/py_crypto.c
|
|
@@ -24,6 +24,7 @@
|
|
|
|
#include <gnutls/gnutls.h>
|
|
#include <gnutls/crypto.h>
|
|
+#include "lib/crypto/gnutls_helpers.h"
|
|
|
|
static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)
|
|
{
|
|
@@ -85,12 +86,27 @@ static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args)
|
|
return result;
|
|
}
|
|
|
|
+static PyObject *py_crypto_set_relax_mode(PyObject *module)
|
|
+{
|
|
+ GNUTLS_FIPS140_SET_LAX_MODE();
|
|
+
|
|
+ Py_RETURN_NONE;
|
|
+}
|
|
+
|
|
+static PyObject *py_crypto_set_strict_mode(PyObject *module)
|
|
+{
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
+
|
|
+ Py_RETURN_NONE;
|
|
+}
|
|
|
|
static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n"
|
|
"Encrypt the data with RC4 algorithm using the key";
|
|
|
|
static PyMethodDef py_crypto_methods[] = {
|
|
{ "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc },
|
|
+ { "set_relax_mode", (PyCFunction)py_crypto_set_relax_mode, METH_NOARGS, "Set fips to relax mode" },
|
|
+ { "set_strict_mode", (PyCFunction)py_crypto_set_strict_mode, METH_NOARGS, "Set fips to strict mode" },
|
|
{0},
|
|
};
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 0dbd9d87a529585cabd793ae4c2bc1d94044c619 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 28 Oct 2020 17:05:36 +0100
|
|
Subject: [PATCH 083/104] s4:param: Add 'weak crypto' getter to pyparam
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit 7d54e4b49c235dc571f47d15e6b0a6fa63340773)
|
|
---
|
|
source4/param/pyparam.c | 22 ++++++++++++++++++++++
|
|
1 file changed, 22 insertions(+)
|
|
|
|
diff --git a/source4/param/pyparam.c b/source4/param/pyparam.c
|
|
index 4023fac4dd6..e15592b5743 100644
|
|
--- a/source4/param/pyparam.c
|
|
+++ b/source4/param/pyparam.c
|
|
@@ -463,6 +463,23 @@ static PyObject *py_lp_ctx_config_file(PyObject *self, void *closure)
|
|
return PyUnicode_FromString(configfile);
|
|
}
|
|
|
|
+static PyObject *py_lp_ctx_weak_crypto(PyObject *self, void *closure)
|
|
+{
|
|
+ enum samba_weak_crypto weak_crypto =
|
|
+ lpcfg_weak_crypto(PyLoadparmContext_AsLoadparmContext(self));
|
|
+
|
|
+ switch(weak_crypto) {
|
|
+ case SAMBA_WEAK_CRYPTO_UNKNOWN:
|
|
+ Py_RETURN_NONE;
|
|
+ case SAMBA_WEAK_CRYPTO_ALLOWED:
|
|
+ return PyUnicode_FromString("allowed");
|
|
+ case SAMBA_WEAK_CRYPTO_DISALLOWED:
|
|
+ return PyUnicode_FromString("disallowed");
|
|
+ }
|
|
+
|
|
+ Py_RETURN_NONE;
|
|
+}
|
|
+
|
|
static PyGetSetDef py_lp_ctx_getset[] = {
|
|
{
|
|
.name = discard_const_p(char, "default_service"),
|
|
@@ -473,6 +490,11 @@ static PyGetSetDef py_lp_ctx_getset[] = {
|
|
.get = (getter)py_lp_ctx_config_file,
|
|
.doc = discard_const_p(char, "Name of last config file that was loaded.")
|
|
},
|
|
+ {
|
|
+ .name = discard_const_p(char, "weak_crypto"),
|
|
+ .get = (getter)py_lp_ctx_weak_crypto,
|
|
+ .doc = discard_const_p(char, "If weak crypto is allowed.")
|
|
+ },
|
|
{ .name = NULL }
|
|
};
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 29e334546e28b10ff31f0de453951648c4e51296 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 21 Oct 2020 10:09:22 +0200
|
|
Subject: [PATCH 084/104] python:tests: Add SAMR password change tests for fips
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit 9a3ba502d8193b25799ef92917efafd52de2e8c2)
|
|
---
|
|
.../tests/dcerpc/samr_change_password.py | 188 ++++++++++++++++++
|
|
selftest/tests.py | 2 +
|
|
2 files changed, 190 insertions(+)
|
|
create mode 100644 python/samba/tests/dcerpc/samr_change_password.py
|
|
|
|
diff --git a/python/samba/tests/dcerpc/samr_change_password.py b/python/samba/tests/dcerpc/samr_change_password.py
|
|
new file mode 100644
|
|
index 00000000000..109eeea98cc
|
|
--- /dev/null
|
|
+++ b/python/samba/tests/dcerpc/samr_change_password.py
|
|
@@ -0,0 +1,188 @@
|
|
+# Unix SMB/CIFS implementation.
|
|
+#
|
|
+# Copyright © 2020 Andreas Schneider <asn@samba.org>
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation; either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+#
|
|
+
|
|
+"""Tests for samba.dcerpc.samr.password"""
|
|
+
|
|
+import os
|
|
+import ctypes
|
|
+import samba.tests
|
|
+
|
|
+from samba import crypto, generate_random_password, generate_random_bytes, ntstatus
|
|
+from samba.auth import system_session
|
|
+from samba.credentials import Credentials
|
|
+from samba.credentials import SMB_ENCRYPTION_REQUIRED
|
|
+from samba.dcerpc import samr, security, lsa
|
|
+from samba.samdb import SamDB
|
|
+from samba.tests import RpcInterfaceTestCase
|
|
+
|
|
+
|
|
+class SamrPasswordTests(RpcInterfaceTestCase):
|
|
+ def setUp(self):
|
|
+ super(SamrPasswordTests, self).setUp()
|
|
+ self.open_samdb()
|
|
+
|
|
+ self.create_user_account(10000)
|
|
+
|
|
+ self.remote_server = samba.tests.env_get_var_value('SERVER')
|
|
+ self.remote_domain = samba.tests.env_get_var_value('DOMAIN')
|
|
+ self.remote_user = samba.tests.env_get_var_value('USERNAME')
|
|
+ self.remote_password = samba.tests.env_get_var_value('PASSWORD')
|
|
+ self.remote_binding_string = "ncacn_np:%s[krb5]" % (self.remote_server)
|
|
+
|
|
+ self.remote_creds = Credentials()
|
|
+ self.remote_creds.guess(self.lp)
|
|
+ self.remote_creds.set_username(self.remote_user)
|
|
+ self.remote_creds.set_password(self.remote_password)
|
|
+
|
|
+ def tearDown(self):
|
|
+ super(SamrPasswordTests, self).tearDown()
|
|
+
|
|
+ samr.Close(self.user_handle)
|
|
+ samr.Close(self.domain_handle)
|
|
+ samr.Close(self.handle)
|
|
+
|
|
+ samba.tests.delete_force(self.samdb, self.user_dn)
|
|
+
|
|
+ #
|
|
+ # Open the samba database
|
|
+ #
|
|
+ def open_samdb(self):
|
|
+ self.lp = samba.tests.env_loadparm()
|
|
+
|
|
+ self.local_creds = Credentials()
|
|
+ self.local_creds.guess(self.lp)
|
|
+ self.session = system_session()
|
|
+ self.samdb = SamDB(session_info=self.session,
|
|
+ credentials=self.local_creds,
|
|
+ lp=self.lp)
|
|
+
|
|
+ #
|
|
+ # Open a SAMR Domain handle
|
|
+ #
|
|
+ def open_domain_handle(self):
|
|
+ self.handle = self.conn.Connect2(None,
|
|
+ security.SEC_FLAG_MAXIMUM_ALLOWED)
|
|
+
|
|
+ self.domain_sid = self.conn.LookupDomain(self.handle,
|
|
+ lsa.String(self.remote_domain))
|
|
+
|
|
+ self.domain_handle = self.conn.OpenDomain(self.handle,
|
|
+ security.SEC_FLAG_MAXIMUM_ALLOWED,
|
|
+ self.domain_sid)
|
|
+
|
|
+ def open_user_handle(self):
|
|
+ name = lsa.String(self.user_name)
|
|
+
|
|
+ rids = self.conn.LookupNames(self.domain_handle, [name])
|
|
+
|
|
+ self.user_handle = self.conn.OpenUser(self.domain_handle,
|
|
+ security.SEC_FLAG_MAXIMUM_ALLOWED,
|
|
+ rids[0].ids[0])
|
|
+ #
|
|
+ # Create a test user account
|
|
+ #
|
|
+ def create_user_account(self, user_id):
|
|
+ self.user_name = ("SAMR_USER_%d" % user_id)
|
|
+ self.user_pass = generate_random_password(32, 32)
|
|
+ self.user_dn = "cn=%s,cn=users,%s" % (self.user_name, self.samdb.domain_dn())
|
|
+
|
|
+ samba.tests.delete_force(self.samdb, self.user_dn)
|
|
+
|
|
+ self.samdb.newuser(self.user_name,
|
|
+ self.user_pass,
|
|
+ description="Password for " + self.user_name + " is " + self.user_pass,
|
|
+ givenname=self.user_name,
|
|
+ surname=self.user_name)
|
|
+
|
|
+
|
|
+ def init_samr_CryptPassword(self, password, session_key):
|
|
+
|
|
+ def encode_pw_buffer(password):
|
|
+ data = bytearray([0] * 516)
|
|
+
|
|
+ p = samba.string_to_byte_array(password.encode('utf-16-le'))
|
|
+ plen = len(p)
|
|
+
|
|
+ b = generate_random_bytes(512 - plen)
|
|
+
|
|
+ i = 512 - plen
|
|
+ data[0:i] = b
|
|
+ data[i:i+plen] = p
|
|
+ data[512:516] = plen.to_bytes(4, byteorder='little')
|
|
+
|
|
+ return bytes(data)
|
|
+
|
|
+ # This is a test, so always allow to encrypt using RC4
|
|
+ try:
|
|
+ crypto.set_relax_mode()
|
|
+ encrypted_blob = samba.arcfour_encrypt(session_key, encode_pw_buffer(password))
|
|
+ finally:
|
|
+ crypto.set_strict_mode()
|
|
+
|
|
+ out_blob = samr.CryptPassword()
|
|
+ out_blob.data = list(encrypted_blob)
|
|
+
|
|
+ return out_blob
|
|
+
|
|
+
|
|
+ def test_setUserInfo2_Password(self, password='P@ssw0rd'):
|
|
+ self.conn = samr.samr(self.remote_binding_string,
|
|
+ self.get_loadparm(),
|
|
+ self.remote_creds)
|
|
+ self.open_domain_handle()
|
|
+ self.open_user_handle()
|
|
+
|
|
+ password='P@ssw0rd'
|
|
+
|
|
+ level = 24
|
|
+ info = samr.UserInfo24()
|
|
+
|
|
+ info.password_expired = 0
|
|
+ info.password = self.init_samr_CryptPassword(password, self.conn.session_key)
|
|
+
|
|
+ # If the server is in FIPS mode, it should reject the password change!
|
|
+ try:
|
|
+ self.conn.SetUserInfo2(self.user_handle, level, info)
|
|
+ except samba.NTSTATUSError as e:
|
|
+ code = ctypes.c_uint32(e.args[0]).value
|
|
+ print(code)
|
|
+ if ((code == ntstatus.NT_STATUS_ACCESS_DENIED) and
|
|
+ (self.lp.weak_crypto == 'disallowed')):
|
|
+ pass
|
|
+ else:
|
|
+ raise
|
|
+
|
|
+
|
|
+ def test_setUserInfo2_Password_Encrypted(self, password='P@ssw0rd'):
|
|
+ self.remote_creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
|
|
+
|
|
+ self.conn = samr.samr(self.remote_binding_string,
|
|
+ self.get_loadparm(),
|
|
+ self.remote_creds)
|
|
+ self.open_domain_handle()
|
|
+ self.open_user_handle()
|
|
+
|
|
+ password='P@ssw0rd'
|
|
+
|
|
+ level = 24
|
|
+ info = samr.UserInfo24()
|
|
+
|
|
+ info.password_expired = 0
|
|
+ info.password = self.init_samr_CryptPassword(password, self.conn.session_key)
|
|
+
|
|
+ self.conn.SetUserInfo2(self.user_handle, level, info)
|
|
diff --git a/selftest/tests.py b/selftest/tests.py
|
|
index adcb5b53189..86cab3f8046 100644
|
|
--- a/selftest/tests.py
|
|
+++ b/selftest/tests.py
|
|
@@ -93,6 +93,8 @@ planpythontestsuite(
|
|
os.path.join(samba4srcdir, "..", "third_party", "waf")])
|
|
planpythontestsuite("fileserver", "samba.tests.smbd_fuzztest")
|
|
planpythontestsuite("nt4_dc_smb1", "samba.tests.dcerpc.binding")
|
|
+for env in [ 'ad_dc:local', 'ad_dc_fips:local' ]:
|
|
+ planpythontestsuite(env, "samba.tests.dcerpc.samr_change_password")
|
|
|
|
|
|
def cmdline(script, *args):
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From de2b1caebf0183bd24d06969ebf7d03223f7d9fc Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 21 Oct 2020 10:09:22 +0200
|
|
Subject: [PATCH 085/104] python:tests: Add SAMR password change tests for fips
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
|
|
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
|
|
Autobuild-Date(master): Thu Oct 29 15:41:37 UTC 2020 on sn-devel-184
|
|
|
|
(cherry picked from commit ebd687335b9accfdbae7dbc65c9882ab4d5c0986)
|
|
---
|
|
selftest/target/Samba4.pm | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
|
|
index 649e923ff9a..1ebdf2a5484 100755
|
|
--- a/selftest/target/Samba4.pm
|
|
+++ b/selftest/target/Samba4.pm
|
|
@@ -1040,7 +1040,7 @@ servicePrincipalName: http/testupnspn.$ctx->{dnsname}
|
|
$samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
|
|
$samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
|
|
$samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
|
|
- . " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC Password Replication Group' '$testallowed_account'";
|
|
+ . " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC Password Replication Group' '$testallowed_account' -d10";
|
|
unless (system($samba_tool_cmd) == 0) {
|
|
warn("Unable to add '$testallowed_account' user to 'Allowed RODC Password Replication Group': \n$samba_tool_cmd\n");
|
|
return undef;
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 5f240ac738df737712cbc2cdd40c8a56ab9e165b Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 20 Aug 2020 09:40:41 +0200
|
|
Subject: [PATCH 086/104] auth:creds: Rename CRED_USE_KERBEROS values
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit 1298280a22ef7494fb85a6a5953bae15d22fa204)
|
|
---
|
|
auth/credentials/credentials.c | 8 +++++---
|
|
auth/credentials/credentials.h | 9 ++++++---
|
|
auth/credentials/credentials_krb5.c | 4 ++--
|
|
auth/credentials/credentials_ntlm.c | 2 +-
|
|
auth/credentials/credentials_secrets.c | 5 +++--
|
|
auth/credentials/pycredentials.c | 6 +++---
|
|
auth/credentials/tests/simple.c | 2 +-
|
|
auth/credentials/wscript_build | 2 +-
|
|
auth/gensec/gensec_start.c | 8 ++++----
|
|
examples/winexe/winexe.c | 4 ++--
|
|
source3/auth/auth_generic.c | 4 ++--
|
|
source3/lib/util_cmdline.c | 18 +++++++++---------
|
|
source3/libads/sasl.c | 8 ++++----
|
|
source3/libnet/libnet_join.c | 2 +-
|
|
source3/libsmb/cliconnect.c | 16 ++++++++--------
|
|
source3/passdb/passdb.c | 6 +++---
|
|
source3/passdb/pdb_samba_dsdb.c | 4 ++--
|
|
source3/rpc_client/cli_pipe.c | 2 +-
|
|
source3/rpcclient/rpcclient.c | 8 ++++----
|
|
source3/utils/net_ads.c | 2 +-
|
|
source3/utils/net_util.c | 6 +++---
|
|
source3/utils/ntlm_auth.c | 4 ++--
|
|
source3/winbindd/winbindd_cm.c | 2 +-
|
|
source4/auth/gensec/gensec_gssapi.c | 2 +-
|
|
source4/auth/session.c | 2 +-
|
|
source4/lib/cmdline/popt_credentials.c | 4 ++--
|
|
source4/torture/ldap/session_expiry.c | 2 +-
|
|
source4/torture/raw/session.c | 4 ++--
|
|
source4/torture/rpc/schannel.c | 4 ++--
|
|
source4/torture/smb2/session.c | 12 ++++++------
|
|
30 files changed, 84 insertions(+), 78 deletions(-)
|
|
|
|
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
|
|
index 77c35dd104b..1bdd6f15a09 100644
|
|
--- a/auth/credentials/credentials.c
|
|
+++ b/auth/credentials/credentials.c
|
|
@@ -44,6 +44,8 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
|
|
|
|
cred->winbind_separator = '\\';
|
|
|
|
+ cred->use_kerberos = CRED_USE_KERBEROS_DESIRED;
|
|
+
|
|
cred->signing_state = SMB_SIGNING_DEFAULT;
|
|
|
|
/*
|
|
@@ -360,7 +362,7 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
|
|
return true;
|
|
}
|
|
|
|
- if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
|
|
+ if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) {
|
|
return true;
|
|
}
|
|
|
|
@@ -1018,7 +1020,7 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
|
|
}
|
|
|
|
if (lp_ctx != NULL &&
|
|
- cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) {
|
|
+ cli_credentials_get_kerberos_state(cred) != CRED_USE_KERBEROS_DISABLED) {
|
|
cli_credentials_set_ccache(cred, lp_ctx, NULL, CRED_GUESS_FILE,
|
|
&error_string);
|
|
}
|
|
@@ -1097,7 +1099,7 @@ _PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred)
|
|
cli_credentials_set_principal(cred, NULL, CRED_SPECIFIED);
|
|
cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED);
|
|
cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED);
|
|
- cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
|
|
+ cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_DISABLED);
|
|
}
|
|
|
|
/**
|
|
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
|
|
index 438bcdce232..f468b8558dd 100644
|
|
--- a/auth/credentials/credentials.h
|
|
+++ b/auth/credentials/credentials.h
|
|
@@ -53,9 +53,12 @@ enum credentials_obtained {
|
|
};
|
|
|
|
enum credentials_use_kerberos {
|
|
- CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
|
|
- CRED_DONT_USE_KERBEROS, /* Sometimes trying kerberos just does 'bad things', so don't */
|
|
- CRED_MUST_USE_KERBEROS /* Sometimes administrators are parinoid, so always do kerberos */
|
|
+ /** Sometimes trying kerberos just does 'bad things', so don't */
|
|
+ CRED_USE_KERBEROS_DISABLED = 0,
|
|
+ /** Default, we try kerberos if available */
|
|
+ CRED_USE_KERBEROS_DESIRED,
|
|
+ /** Sometimes administrators are paranoid, so always do kerberos */
|
|
+ CRED_USE_KERBEROS_REQUIRED,
|
|
};
|
|
|
|
enum credentials_krb_forwardable {
|
|
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
|
|
index 259b35b73b0..36f6b59a72b 100644
|
|
--- a/auth/credentials/credentials_krb5.c
|
|
+++ b/auth/credentials/credentials_krb5.c
|
|
@@ -871,7 +871,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
|
|
ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
|
|
&ccache, error_string);
|
|
if (ret) {
|
|
- if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
|
|
+ if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) {
|
|
DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string));
|
|
} else {
|
|
DEBUG(4, ("Failed to get kerberos credentials: %s\n", *error_string));
|
|
@@ -1431,7 +1431,7 @@ _PUBLIC_ void cli_credentials_set_impersonate_principal(struct cli_credentials *
|
|
cred->impersonate_principal = talloc_strdup(cred, principal);
|
|
talloc_free(cred->self_service);
|
|
cred->self_service = talloc_strdup(cred, self_service);
|
|
- cli_credentials_set_kerberos_state(cred, CRED_MUST_USE_KERBEROS);
|
|
+ cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_REQUIRED);
|
|
}
|
|
|
|
/*
|
|
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
|
|
index f1b22a6c9e2..1bec60e5dce 100644
|
|
--- a/auth/credentials/credentials_ntlm.c
|
|
+++ b/auth/credentials/credentials_ntlm.c
|
|
@@ -53,7 +53,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
|
|
const struct samr_Password *nt_hash = NULL;
|
|
int rc;
|
|
|
|
- if (cred->use_kerberos == CRED_MUST_USE_KERBEROS) {
|
|
+ if (cred->use_kerberos == CRED_USE_KERBEROS_REQUIRED) {
|
|
TALLOC_FREE(frame);
|
|
return NT_STATUS_INVALID_PARAMETER_MIX;
|
|
}
|
|
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
|
|
index 52a89d4d5b4..58067a5bece 100644
|
|
--- a/auth/credentials/credentials_secrets.c
|
|
+++ b/auth/credentials/credentials_secrets.c
|
|
@@ -370,7 +370,8 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
|
|
}
|
|
|
|
if (secrets_tdb_password_more_recent) {
|
|
- enum credentials_use_kerberos use_kerberos = CRED_DONT_USE_KERBEROS;
|
|
+ enum credentials_use_kerberos use_kerberos =
|
|
+ CRED_USE_KERBEROS_DISABLED;
|
|
char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
|
|
cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
|
|
cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
|
|
@@ -386,7 +387,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
|
|
|
|
FALL_THROUGH;
|
|
case ROLE_ACTIVE_DIRECTORY_DC:
|
|
- use_kerberos = CRED_AUTO_USE_KERBEROS;
|
|
+ use_kerberos = CRED_USE_KERBEROS_DESIRED;
|
|
break;
|
|
}
|
|
}
|
|
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
|
|
index 17c90573f09..95dde276ef7 100644
|
|
--- a/auth/credentials/pycredentials.c
|
|
+++ b/auth/credentials/pycredentials.c
|
|
@@ -1492,9 +1492,9 @@ MODULE_INIT_FUNC(credentials)
|
|
PyModule_AddObject(m, "CALLBACK_RESULT", PyLong_FromLong(CRED_CALLBACK_RESULT));
|
|
PyModule_AddObject(m, "SPECIFIED", PyLong_FromLong(CRED_SPECIFIED));
|
|
|
|
- PyModule_AddObject(m, "AUTO_USE_KERBEROS", PyLong_FromLong(CRED_AUTO_USE_KERBEROS));
|
|
- PyModule_AddObject(m, "DONT_USE_KERBEROS", PyLong_FromLong(CRED_DONT_USE_KERBEROS));
|
|
- PyModule_AddObject(m, "MUST_USE_KERBEROS", PyLong_FromLong(CRED_MUST_USE_KERBEROS));
|
|
+ PyModule_AddObject(m, "AUTO_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_DESIRED));
|
|
+ PyModule_AddObject(m, "DONT_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_DISABLED));
|
|
+ PyModule_AddObject(m, "MUST_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_REQUIRED));
|
|
|
|
PyModule_AddObject(m, "AUTO_KRB_FORWARDABLE", PyLong_FromLong(CRED_AUTO_KRB_FORWARDABLE));
|
|
PyModule_AddObject(m, "NO_KRB_FORWARDABLE", PyLong_FromLong(CRED_NO_KRB_FORWARDABLE));
|
|
diff --git a/auth/credentials/tests/simple.c b/auth/credentials/tests/simple.c
|
|
index 7f122bed3bc..b39d7a2251b 100644
|
|
--- a/auth/credentials/tests/simple.c
|
|
+++ b/auth/credentials/tests/simple.c
|
|
@@ -73,7 +73,7 @@ static bool test_guess(struct torture_context *tctx)
|
|
const char *passwd_fd = getenv("PASSWD_FD");
|
|
const char *passwd_file = getenv("PASSWD_FILE");
|
|
|
|
- cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
|
|
+ cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
|
|
|
|
unsetenv("USER");
|
|
unsetenv("PASSWD_FD");
|
|
diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build
|
|
index 1e3302e3e48..ad16b7d8008 100644
|
|
--- a/auth/credentials/wscript_build
|
|
+++ b/auth/credentials/wscript_build
|
|
@@ -5,7 +5,7 @@ bld.SAMBA_LIBRARY('samba-credentials',
|
|
public_headers='credentials.h',
|
|
pc_files='samba-credentials.pc',
|
|
deps='LIBCRYPTO samba-errors events LIBCLI_AUTH samba-security CREDENTIALS_SECRETS CREDENTIALS_KRB5',
|
|
- vnum='0.1.0'
|
|
+ vnum='1.0.0'
|
|
)
|
|
|
|
bld.SAMBA_SUBSYSTEM('CREDENTIALS_KRB5',
|
|
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
|
|
index 3f42d611140..56306efed13 100644
|
|
--- a/auth/gensec/gensec_start.c
|
|
+++ b/auth/gensec/gensec_start.c
|
|
@@ -117,18 +117,18 @@ static const struct gensec_security_ops **gensec_use_kerberos_mechs(
|
|
}
|
|
|
|
switch (use_kerberos) {
|
|
- case CRED_AUTO_USE_KERBEROS:
|
|
+ case CRED_USE_KERBEROS_DESIRED:
|
|
keep = true;
|
|
break;
|
|
|
|
- case CRED_DONT_USE_KERBEROS:
|
|
+ case CRED_USE_KERBEROS_DISABLED:
|
|
if (old_gensec_list[i]->kerberos == false) {
|
|
keep = true;
|
|
}
|
|
|
|
break;
|
|
|
|
- case CRED_MUST_USE_KERBEROS:
|
|
+ case CRED_USE_KERBEROS_REQUIRED:
|
|
if (old_gensec_list[i]->kerberos == true) {
|
|
keep = true;
|
|
}
|
|
@@ -156,7 +156,7 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
|
|
TALLOC_CTX *mem_ctx)
|
|
{
|
|
const struct gensec_security_ops * const *backends = gensec_security_all();
|
|
- enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
|
|
+ enum credentials_use_kerberos use_kerberos = CRED_USE_KERBEROS_DESIRED;
|
|
bool keep_schannel = false;
|
|
|
|
if (gensec_security != NULL) {
|
|
diff --git a/examples/winexe/winexe.c b/examples/winexe/winexe.c
|
|
index 03e7ec85198..95386211c0a 100644
|
|
--- a/examples/winexe/winexe.c
|
|
+++ b/examples/winexe/winexe.c
|
|
@@ -283,8 +283,8 @@ static void parse_args(int argc, const char *argv[],
|
|
if (opt_kerberos) {
|
|
cli_credentials_set_kerberos_state(cred,
|
|
strcmp(opt_kerberos, "yes")
|
|
- ? CRED_MUST_USE_KERBEROS
|
|
- : CRED_DONT_USE_KERBEROS);
|
|
+ ? CRED_USE_KERBEROS_REQUIRED
|
|
+ : CRED_USE_KERBEROS_DISABLED);
|
|
}
|
|
|
|
if (options->runas == NULL && options->runas_file != NULL) {
|
|
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
|
|
index 0e9500ac08d..f314acd9559 100644
|
|
--- a/source3/auth/auth_generic.c
|
|
+++ b/source3/auth/auth_generic.c
|
|
@@ -356,9 +356,9 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
|
|
cli_credentials_set_conf(server_credentials, lp_ctx);
|
|
|
|
if (lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
|
|
- cli_credentials_set_kerberos_state(server_credentials, CRED_AUTO_USE_KERBEROS);
|
|
+ cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED);
|
|
} else {
|
|
- cli_credentials_set_kerberos_state(server_credentials, CRED_DONT_USE_KERBEROS);
|
|
+ cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED);
|
|
}
|
|
|
|
nt_status = gensec_server_start(tmp_ctx, gensec_settings,
|
|
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
|
|
index 9c9e2f0ac0f..d2af34ee19b 100644
|
|
--- a/source3/lib/util_cmdline.c
|
|
+++ b/source3/lib/util_cmdline.c
|
|
@@ -307,9 +307,9 @@ void set_cmdline_auth_info_use_kerberos(struct user_auth_info *auth_info,
|
|
enum credentials_use_kerberos krb5_state;
|
|
|
|
if (b) {
|
|
- krb5_state = CRED_MUST_USE_KERBEROS;
|
|
+ krb5_state = CRED_USE_KERBEROS_REQUIRED;
|
|
} else {
|
|
- krb5_state = CRED_DONT_USE_KERBEROS;
|
|
+ krb5_state = CRED_USE_KERBEROS_DISABLED;
|
|
}
|
|
|
|
cli_credentials_set_kerberos_state(auth_info->creds, krb5_state);
|
|
@@ -321,7 +321,7 @@ bool get_cmdline_auth_info_use_kerberos(const struct user_auth_info *auth_info)
|
|
|
|
krb5_state = cli_credentials_get_kerberos_state(auth_info->creds);
|
|
|
|
- if (krb5_state == CRED_MUST_USE_KERBEROS) {
|
|
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
|
|
return true;
|
|
}
|
|
|
|
@@ -336,17 +336,17 @@ void set_cmdline_auth_info_fallback_after_kerberos(struct user_auth_info *auth_i
|
|
krb5_state = cli_credentials_get_kerberos_state(auth_info->creds);
|
|
|
|
switch (krb5_state) {
|
|
- case CRED_MUST_USE_KERBEROS:
|
|
+ case CRED_USE_KERBEROS_REQUIRED:
|
|
if (b) {
|
|
- krb5_state = CRED_AUTO_USE_KERBEROS;
|
|
+ krb5_state = CRED_USE_KERBEROS_DESIRED;
|
|
}
|
|
break;
|
|
- case CRED_AUTO_USE_KERBEROS:
|
|
+ case CRED_USE_KERBEROS_DESIRED:
|
|
if (!b) {
|
|
- krb5_state = CRED_MUST_USE_KERBEROS;
|
|
+ krb5_state = CRED_USE_KERBEROS_REQUIRED;
|
|
}
|
|
break;
|
|
- case CRED_DONT_USE_KERBEROS:
|
|
+ case CRED_USE_KERBEROS_DISABLED:
|
|
/* nothing to do */
|
|
break;
|
|
}
|
|
@@ -360,7 +360,7 @@ bool get_cmdline_auth_info_fallback_after_kerberos(const struct user_auth_info *
|
|
|
|
krb5_state = cli_credentials_get_kerberos_state(auth_info->creds);
|
|
|
|
- if (krb5_state == CRED_AUTO_USE_KERBEROS) {
|
|
+ if (krb5_state == CRED_USE_KERBEROS_DESIRED) {
|
|
return true;
|
|
}
|
|
|
|
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
|
|
index 87beeafe3ed..90ffa040ec0 100644
|
|
--- a/source3/libads/sasl.c
|
|
+++ b/source3/libads/sasl.c
|
|
@@ -158,7 +158,7 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
|
|
use_spnego_principal = false;
|
|
}
|
|
|
|
- if (krb5_state == CRED_DONT_USE_KERBEROS) {
|
|
+ if (krb5_state == CRED_USE_KERBEROS_DISABLED) {
|
|
use_spnego_principal = false;
|
|
}
|
|
|
|
@@ -565,7 +565,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
|
{
|
|
|
|
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
|
|
- CRED_MUST_USE_KERBEROS,
|
|
+ CRED_USE_KERBEROS_REQUIRED,
|
|
p.service, p.hostname,
|
|
blob);
|
|
if (ADS_ERR_OK(status)) {
|
|
@@ -581,7 +581,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
|
|
|
if (ADS_ERR_OK(status)) {
|
|
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
|
|
- CRED_MUST_USE_KERBEROS,
|
|
+ CRED_USE_KERBEROS_REQUIRED,
|
|
p.service, p.hostname,
|
|
blob);
|
|
if (!ADS_ERR_OK(status)) {
|
|
@@ -616,7 +616,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
|
library for HMAC_MD4 encryption */
|
|
mech = "NTLMSSP";
|
|
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
|
|
- CRED_DONT_USE_KERBEROS,
|
|
+ CRED_USE_KERBEROS_DISABLED,
|
|
p.service, p.hostname,
|
|
data_blob_null);
|
|
done:
|
|
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
|
|
index f3bf27e6c00..bd3aeec9434 100644
|
|
--- a/source3/libnet/libnet_join.c
|
|
+++ b/source3/libnet/libnet_join.c
|
|
@@ -1707,7 +1707,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
|
|
|
|
if (use_kerberos) {
|
|
cli_credentials_set_kerberos_state(cli_creds,
|
|
- CRED_MUST_USE_KERBEROS);
|
|
+ CRED_USE_KERBEROS_REQUIRED);
|
|
}
|
|
|
|
status = cli_full_connection_creds(&cli, NULL,
|
|
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
|
|
index abfd18bfaf1..f7b4741de89 100644
|
|
--- a/source3/libsmb/cliconnect.c
|
|
+++ b/source3/libsmb/cliconnect.c
|
|
@@ -124,13 +124,13 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx,
|
|
|
|
if (use_kerberos && fallback_after_kerberos) {
|
|
cli_credentials_set_kerberos_state(creds,
|
|
- CRED_AUTO_USE_KERBEROS);
|
|
+ CRED_USE_KERBEROS_DESIRED);
|
|
} else if (use_kerberos) {
|
|
cli_credentials_set_kerberos_state(creds,
|
|
- CRED_MUST_USE_KERBEROS);
|
|
+ CRED_USE_KERBEROS_REQUIRED);
|
|
} else {
|
|
cli_credentials_set_kerberos_state(creds,
|
|
- CRED_DONT_USE_KERBEROS);
|
|
+ CRED_USE_KERBEROS_DISABLED);
|
|
}
|
|
|
|
if (use_ccache) {
|
|
@@ -255,7 +255,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
|
|
|
|
krb5_state = cli_credentials_get_kerberos_state(creds);
|
|
|
|
- if (krb5_state != CRED_DONT_USE_KERBEROS) {
|
|
+ if (krb5_state != CRED_USE_KERBEROS_DISABLED) {
|
|
try_kerberos = true;
|
|
}
|
|
|
|
@@ -275,7 +275,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
|
|
try_kerberos = false;
|
|
}
|
|
|
|
- if (krb5_state == CRED_MUST_USE_KERBEROS && !try_kerberos) {
|
|
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED && !try_kerberos) {
|
|
DEBUG(0, ("Kerberos auth with '%s' (%s\\%s) to access "
|
|
"'%s' not possible\n",
|
|
user_principal, user_domain, user_account,
|
|
@@ -286,7 +286,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
|
|
|
|
if (pass == NULL || strlen(pass) == 0) {
|
|
need_kinit = false;
|
|
- } else if (krb5_state == CRED_MUST_USE_KERBEROS) {
|
|
+ } else if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
|
|
need_kinit = try_kerberos;
|
|
} else {
|
|
need_kinit = try_kerberos;
|
|
@@ -321,14 +321,14 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
|
|
if (ret != 0) {
|
|
int dbglvl = DBGLVL_NOTICE;
|
|
|
|
- if (krb5_state == CRED_MUST_USE_KERBEROS) {
|
|
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
|
|
dbglvl = DBGLVL_ERR;
|
|
}
|
|
|
|
DEBUG(dbglvl, ("Kinit for %s to access %s failed: %s\n",
|
|
user_principal, target_hostname,
|
|
error_message(ret)));
|
|
- if (krb5_state == CRED_MUST_USE_KERBEROS) {
|
|
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
|
|
TALLOC_FREE(frame);
|
|
return krb5_to_nt_status(ret);
|
|
}
|
|
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
|
|
index 8ed1bafcea3..b12c845d9d2 100644
|
|
--- a/source3/passdb/passdb.c
|
|
+++ b/source3/passdb/passdb.c
|
|
@@ -2630,7 +2630,7 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
|
|
/*
|
|
* It's not possible to use NTLMSSP with a domain trust account.
|
|
*/
|
|
- cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
|
|
+ cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
|
|
} else {
|
|
/*
|
|
* We can't use kerberos against an NT4 domain.
|
|
@@ -2638,7 +2638,7 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
|
|
* We should have a mode that also disallows NTLMSSP here,
|
|
* as only NETLOGON SCHANNEL is possible.
|
|
*/
|
|
- cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
|
|
+ cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
|
|
}
|
|
|
|
ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
|
|
@@ -2656,7 +2656,7 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
|
|
/*
|
|
* We currently can't do kerberos just with an NTHASH.
|
|
*/
|
|
- cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
|
|
+ cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
|
|
goto done;
|
|
}
|
|
|
|
diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
|
|
index 276bda88efc..93e8f5bebe6 100644
|
|
--- a/source3/passdb/pdb_samba_dsdb.c
|
|
+++ b/source3/passdb/pdb_samba_dsdb.c
|
|
@@ -2599,13 +2599,13 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
|
|
* Force kerberos if this is an active directory domain
|
|
*/
|
|
cli_credentials_set_kerberos_state(creds,
|
|
- CRED_MUST_USE_KERBEROS);
|
|
+ CRED_USE_KERBEROS_REQUIRED);
|
|
} else {
|
|
/*
|
|
* TODO: we should allow krb5 with the raw nt hash.
|
|
*/
|
|
cli_credentials_set_kerberos_state(creds,
|
|
- CRED_DONT_USE_KERBEROS);
|
|
+ CRED_USE_KERBEROS_DISABLED);
|
|
}
|
|
|
|
*_creds = talloc_move(mem_ctx, &creds);
|
|
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
|
|
index 8227ef0b0bd..ba6c86cc227 100644
|
|
--- a/source3/rpc_client/cli_pipe.c
|
|
+++ b/source3/rpc_client/cli_pipe.c
|
|
@@ -2637,7 +2637,7 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
|
|
NAME_NT_AUTHORITY, /* domain */
|
|
"SYSTEM",
|
|
NULL, /* password */
|
|
- CRED_DONT_USE_KERBEROS,
|
|
+ CRED_USE_KERBEROS_DISABLED,
|
|
NULL, /* netlogon_creds_CredentialState */
|
|
presult);
|
|
}
|
|
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
|
|
index 575a42ebf70..a38f69f5592 100644
|
|
--- a/source3/rpcclient/rpcclient.c
|
|
+++ b/source3/rpcclient/rpcclient.c
|
|
@@ -810,19 +810,19 @@ static NTSTATUS do_cmd(struct cli_state *cli,
|
|
case DCERPC_AUTH_TYPE_SPNEGO:
|
|
switch (pipe_default_auth_spnego_type) {
|
|
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
|
|
- krb5_state = CRED_DONT_USE_KERBEROS;
|
|
+ krb5_state = CRED_USE_KERBEROS_DISABLED;
|
|
break;
|
|
case PIPE_AUTH_TYPE_SPNEGO_KRB5:
|
|
- krb5_state = CRED_MUST_USE_KERBEROS;
|
|
+ krb5_state = CRED_USE_KERBEROS_REQUIRED;
|
|
break;
|
|
case PIPE_AUTH_TYPE_SPNEGO_NONE:
|
|
- krb5_state = CRED_AUTO_USE_KERBEROS;
|
|
+ krb5_state = CRED_USE_KERBEROS_DESIRED;
|
|
break;
|
|
}
|
|
FALL_THROUGH;
|
|
case DCERPC_AUTH_TYPE_NTLMSSP:
|
|
case DCERPC_AUTH_TYPE_KRB5:
|
|
- if (krb5_state != CRED_AUTO_USE_KERBEROS) {
|
|
+ if (krb5_state != CRED_USE_KERBEROS_DESIRED) {
|
|
cli_credentials_set_kerberos_state(creds,
|
|
krb5_state);
|
|
}
|
|
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
|
|
index 7f5b9c3a440..1a0e8a5c9dd 100644
|
|
--- a/source3/utils/net_ads.c
|
|
+++ b/source3/utils/net_ads.c
|
|
@@ -2432,7 +2432,7 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
|
|
talloc_destroy(mem_ctx);
|
|
return -1;
|
|
}
|
|
- cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
|
|
+ cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
|
|
|
|
nt_status = cli_full_connection_creds(&cli, lp_netbios_name(), servername,
|
|
&server_ss, 0,
|
|
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
|
|
index 5829d891075..6c5321db0fd 100644
|
|
--- a/source3/utils/net_util.c
|
|
+++ b/source3/utils/net_util.c
|
|
@@ -493,13 +493,13 @@ struct cli_credentials *net_context_creds(struct net_context *c,
|
|
|
|
if (c->opt_kerberos && c->opt_user_specified) {
|
|
cli_credentials_set_kerberos_state(creds,
|
|
- CRED_AUTO_USE_KERBEROS);
|
|
+ CRED_USE_KERBEROS_DESIRED);
|
|
} else if (c->opt_kerberos) {
|
|
cli_credentials_set_kerberos_state(creds,
|
|
- CRED_MUST_USE_KERBEROS);
|
|
+ CRED_USE_KERBEROS_REQUIRED);
|
|
} else {
|
|
cli_credentials_set_kerberos_state(creds,
|
|
- CRED_DONT_USE_KERBEROS);
|
|
+ CRED_USE_KERBEROS_DISABLED);
|
|
}
|
|
|
|
if (c->opt_ccache) {
|
|
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
|
|
index 7f8d2688978..bfaeff5188d 100644
|
|
--- a/source3/utils/ntlm_auth.c
|
|
+++ b/source3/utils/ntlm_auth.c
|
|
@@ -1364,9 +1364,9 @@ static NTSTATUS ntlm_auth_prepare_gensec_server(TALLOC_CTX *mem_ctx,
|
|
cli_credentials_set_conf(server_credentials, lp_ctx);
|
|
|
|
if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
|
|
- cli_credentials_set_kerberos_state(server_credentials, CRED_AUTO_USE_KERBEROS);
|
|
+ cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED);
|
|
} else {
|
|
- cli_credentials_set_kerberos_state(server_credentials, CRED_DONT_USE_KERBEROS);
|
|
+ cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED);
|
|
}
|
|
|
|
nt_status = gensec_server_start(tmp_ctx, gensec_settings,
|
|
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
|
|
index 5fb22d7e9c8..466a0095ef2 100644
|
|
--- a/source3/winbindd/winbindd_cm.c
|
|
+++ b/source3/winbindd/winbindd_cm.c
|
|
@@ -706,7 +706,7 @@ static NTSTATUS cm_get_ipc_credentials(TALLOC_CTX *mem_ctx,
|
|
}
|
|
|
|
cli_credentials_set_conf(creds, lp_ctx);
|
|
- cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
|
|
+ cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
|
|
|
|
ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
|
|
if (!ok) {
|
|
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
|
|
index d66abf32a7f..b668d4ed258 100644
|
|
--- a/source4/auth/gensec/gensec_gssapi.c
|
|
+++ b/source4/auth/gensec/gensec_gssapi.c
|
|
@@ -1556,7 +1556,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
|
|
}
|
|
|
|
/* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
|
|
- cli_credentials_set_kerberos_state(session_info->credentials, CRED_MUST_USE_KERBEROS);
|
|
+ cli_credentials_set_kerberos_state(session_info->credentials, CRED_USE_KERBEROS_REQUIRED);
|
|
|
|
/* It has been taken from this place... */
|
|
gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
|
|
diff --git a/source4/auth/session.c b/source4/auth/session.c
|
|
index c5fc226a7d7..8e44dcd24f1 100644
|
|
--- a/source4/auth/session.c
|
|
+++ b/source4/auth/session.c
|
|
@@ -295,7 +295,7 @@ struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx,
|
|
/* This credential handle isn't useful for password
|
|
* authentication, so ensure nobody tries to do that */
|
|
cli_credentials_set_kerberos_state(creds,
|
|
- CRED_MUST_USE_KERBEROS);
|
|
+ CRED_USE_KERBEROS_REQUIRED);
|
|
|
|
}
|
|
#endif
|
|
diff --git a/source4/lib/cmdline/popt_credentials.c b/source4/lib/cmdline/popt_credentials.c
|
|
index 5dd61f6339c..7d8963da99e 100644
|
|
--- a/source4/lib/cmdline/popt_credentials.c
|
|
+++ b/source4/lib/cmdline/popt_credentials.c
|
|
@@ -120,8 +120,8 @@ static void popt_common_credentials_callback(poptContext con,
|
|
cli_credentials_set_kerberos_state(
|
|
popt_get_cmdline_credentials(),
|
|
use_kerberos
|
|
- ? CRED_MUST_USE_KERBEROS
|
|
- : CRED_DONT_USE_KERBEROS);
|
|
+ ? CRED_USE_KERBEROS_REQUIRED
|
|
+ : CRED_USE_KERBEROS_DISABLED);
|
|
break;
|
|
}
|
|
|
|
diff --git a/source4/torture/ldap/session_expiry.c b/source4/torture/ldap/session_expiry.c
|
|
index 35dda439b17..e5e38450745 100644
|
|
--- a/source4/torture/ldap/session_expiry.c
|
|
+++ b/source4/torture/ldap/session_expiry.c
|
|
@@ -55,7 +55,7 @@ bool torture_ldap_session_expiry(struct torture_context *torture)
|
|
torture, url!=NULL, ret, fail, "talloc_asprintf failed");
|
|
|
|
cli_credentials_set_kerberos_state(
|
|
- credentials, CRED_MUST_USE_KERBEROS);
|
|
+ credentials, CRED_USE_KERBEROS_REQUIRED);
|
|
|
|
ok = lpcfg_set_option(
|
|
torture->lp_ctx, "gensec_gssapi:requested_life_time=4");
|
|
diff --git a/source4/torture/raw/session.c b/source4/torture/raw/session.c
|
|
index 0c460ae3069..e246d25e9fb 100644
|
|
--- a/source4/torture/raw/session.c
|
|
+++ b/source4/torture/raw/session.c
|
|
@@ -245,12 +245,12 @@ static bool test_session_expire1(struct torture_context *tctx)
|
|
|
|
use_kerberos = cli_credentials_get_kerberos_state(
|
|
popt_get_cmdline_credentials());
|
|
- if (use_kerberos != CRED_MUST_USE_KERBEROS) {
|
|
+ if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
|
|
torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
|
|
torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
|
|
}
|
|
|
|
- torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
|
|
+ torture_assert_int_equal(tctx, use_kerberos, CRED_USE_KERBEROS_REQUIRED,
|
|
"please use -k yes");
|
|
|
|
lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
|
|
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
|
|
index fff0b1aacbd..a5755041040 100644
|
|
--- a/source4/torture/rpc/schannel.c
|
|
+++ b/source4/torture/rpc/schannel.c
|
|
@@ -965,8 +965,8 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
|
|
torture_assert(torture, s->join_ctx2 != NULL,
|
|
"Failed to join domain with acct_flags=ACB_WSTRUST");
|
|
|
|
- cli_credentials_set_kerberos_state(s->wks_creds1, CRED_DONT_USE_KERBEROS);
|
|
- cli_credentials_set_kerberos_state(s->wks_creds2, CRED_DONT_USE_KERBEROS);
|
|
+ cli_credentials_set_kerberos_state(s->wks_creds1, CRED_USE_KERBEROS_DISABLED);
|
|
+ cli_credentials_set_kerberos_state(s->wks_creds2, CRED_USE_KERBEROS_DISABLED);
|
|
|
|
for (i=0; i < s->nprocs; i++) {
|
|
struct cli_credentials *wks = s->wks_creds1;
|
|
diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
|
|
index 07c6faebb15..701dfc10a07 100644
|
|
--- a/source4/torture/smb2/session.c
|
|
+++ b/source4/torture/smb2/session.c
|
|
@@ -956,7 +956,7 @@ bool test_session_reauth6(struct torture_context *tctx, struct smb2_tree *tree)
|
|
|
|
krb_state = cli_credentials_get_kerberos_state(
|
|
popt_get_cmdline_credentials());
|
|
- if (krb_state == CRED_MUST_USE_KERBEROS) {
|
|
+ if (krb_state == CRED_USE_KERBEROS_REQUIRED) {
|
|
torture_skip(tctx,
|
|
"Can't test failing session setup with kerberos.");
|
|
}
|
|
@@ -1064,12 +1064,12 @@ static bool test_session_expire1i(struct torture_context *tctx,
|
|
size_t i;
|
|
|
|
use_kerberos = cli_credentials_get_kerberos_state(credentials);
|
|
- if (use_kerberos != CRED_MUST_USE_KERBEROS) {
|
|
+ if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
|
|
torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
|
|
torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
|
|
}
|
|
|
|
- torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
|
|
+ torture_assert_int_equal(tctx, use_kerberos, CRED_USE_KERBEROS_REQUIRED,
|
|
"please use -k yes");
|
|
|
|
cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
|
|
@@ -1250,12 +1250,12 @@ static bool test_session_expire2i(struct torture_context *tctx,
|
|
struct smb2_notify ntf2;
|
|
|
|
use_kerberos = cli_credentials_get_kerberos_state(credentials);
|
|
- if (use_kerberos != CRED_MUST_USE_KERBEROS) {
|
|
+ if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
|
|
torture_warning(tctx, "smb2.session.expire2 requires -k yes!");
|
|
torture_skip(tctx, "smb2.session.expire2 requires -k yes!");
|
|
}
|
|
|
|
- torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
|
|
+ torture_assert_int_equal(tctx, use_kerberos, CRED_USE_KERBEROS_REQUIRED,
|
|
"please use -k yes");
|
|
|
|
cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
|
|
@@ -1612,7 +1612,7 @@ static bool test_session_expire_disconnect(struct torture_context *tctx)
|
|
bool connected;
|
|
|
|
use_kerberos = cli_credentials_get_kerberos_state(credentials);
|
|
- if (use_kerberos != CRED_MUST_USE_KERBEROS) {
|
|
+ if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
|
|
torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
|
|
torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
|
|
}
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 03fb4e57548098264386dfd056f37ad2c86a937a Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 1 Sep 2020 12:32:28 +0200
|
|
Subject: [PATCH 087/104] auth:creds:tests: Migrate test to a cmocka unit test
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit 1a92994a9513f5e73d30604a1dc217ddeb1ac8d5)
|
|
---
|
|
auth/credentials/tests/test_creds.c | 221 ++++++++++++++++++++++++++++
|
|
auth/credentials/wscript_build | 6 +
|
|
selftest/tests.py | 2 +
|
|
source4/torture/local/local.c | 1 -
|
|
source4/torture/local/wscript_build | 2 +-
|
|
5 files changed, 230 insertions(+), 2 deletions(-)
|
|
create mode 100644 auth/credentials/tests/test_creds.c
|
|
|
|
diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c
|
|
new file mode 100644
|
|
index 00000000000..d2d3d30d73d
|
|
--- /dev/null
|
|
+++ b/auth/credentials/tests/test_creds.c
|
|
@@ -0,0 +1,221 @@
|
|
+/*
|
|
+ * Unix SMB/CIFS implementation.
|
|
+ *
|
|
+ * Copyright (C) 2018-2019 Andreas Schneider <asn@samba.org>
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or modify
|
|
+ * it under the terms of the GNU General Public License as published by
|
|
+ * the Free Software Foundation; either version 3 of the License, or
|
|
+ * (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+ */
|
|
+
|
|
+#include <stdarg.h>
|
|
+#include <stddef.h>
|
|
+#include <stdint.h>
|
|
+#include <setjmp.h>
|
|
+#include <cmocka.h>
|
|
+
|
|
+#include "lib/replace/replace.h"
|
|
+#include "auth/credentials/credentials.c"
|
|
+
|
|
+static int setup_talloc_context(void **state)
|
|
+{
|
|
+ TALLOC_CTX *frame = talloc_stackframe();
|
|
+
|
|
+ *state = frame;
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int teardown_talloc_context(void **state)
|
|
+{
|
|
+ TALLOC_CTX *frame = *state;
|
|
+ TALLOC_FREE(frame);
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static void torture_creds_init(void **state)
|
|
+{
|
|
+ TALLOC_CTX *mem_ctx = *state;
|
|
+ struct cli_credentials *creds = NULL;
|
|
+ const char *username = NULL;
|
|
+ const char *domain = NULL;
|
|
+ const char *password = NULL;
|
|
+ bool ok;
|
|
+
|
|
+ creds = cli_credentials_init(mem_ctx);
|
|
+ assert_non_null(creds);
|
|
+ assert_null(creds->username);
|
|
+ assert_int_equal(creds->username_obtained, CRED_UNINITIALISED);
|
|
+
|
|
+ domain = cli_credentials_get_domain(creds);
|
|
+ assert_null(domain);
|
|
+ ok = cli_credentials_set_domain(creds, "WURST", CRED_SPECIFIED);
|
|
+ assert_true(ok);
|
|
+ assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
|
|
+ domain = cli_credentials_get_domain(creds);
|
|
+ assert_string_equal(domain, "WURST");
|
|
+
|
|
+ username = cli_credentials_get_username(creds);
|
|
+ assert_null(username);
|
|
+ ok = cli_credentials_set_username(creds, "brot", CRED_SPECIFIED);
|
|
+ assert_true(ok);
|
|
+ assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
|
|
+ username = cli_credentials_get_username(creds);
|
|
+ assert_string_equal(username, "brot");
|
|
+
|
|
+ password = cli_credentials_get_password(creds);
|
|
+ assert_null(password);
|
|
+ ok = cli_credentials_set_password(creds, "SECRET", CRED_SPECIFIED);
|
|
+ assert_true(ok);
|
|
+ assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
|
|
+ password = cli_credentials_get_password(creds);
|
|
+ assert_string_equal(password, "SECRET");
|
|
+}
|
|
+
|
|
+static void torture_creds_init_anonymous(void **state)
|
|
+{
|
|
+ TALLOC_CTX *mem_ctx = *state;
|
|
+ struct cli_credentials *creds = NULL;
|
|
+
|
|
+ creds = cli_credentials_init_anon(mem_ctx);
|
|
+ assert_non_null(creds);
|
|
+
|
|
+ assert_string_equal(creds->domain, "");
|
|
+ assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ assert_string_equal(creds->username, "");
|
|
+ assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ assert_null(creds->password);
|
|
+ assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
|
|
+}
|
|
+
|
|
+static void torture_creds_guess(void **state)
|
|
+{
|
|
+ TALLOC_CTX *mem_ctx = *state;
|
|
+ struct cli_credentials *creds = NULL;
|
|
+ const char *env_user = getenv("USER");
|
|
+
|
|
+ creds = cli_credentials_init(mem_ctx);
|
|
+ assert_non_null(creds);
|
|
+
|
|
+ setenv("PASSWD", "SECRET", 1);
|
|
+ cli_credentials_guess(creds, NULL);
|
|
+
|
|
+ assert_string_equal(creds->username, env_user);
|
|
+ assert_int_equal(creds->username_obtained, CRED_GUESS_ENV);
|
|
+
|
|
+ assert_string_equal(creds->password, "SECRET");
|
|
+ assert_int_equal(creds->password_obtained, CRED_GUESS_ENV);
|
|
+ unsetenv("PASSWD");
|
|
+}
|
|
+
|
|
+static void torture_creds_anon_guess(void **state)
|
|
+{
|
|
+ TALLOC_CTX *mem_ctx = *state;
|
|
+ struct cli_credentials *creds = NULL;
|
|
+
|
|
+ creds = cli_credentials_init_anon(mem_ctx);
|
|
+ assert_non_null(creds);
|
|
+
|
|
+ setenv("PASSWD", "SECRET", 1);
|
|
+ cli_credentials_guess(creds, NULL);
|
|
+
|
|
+ assert_string_equal(creds->username, "");
|
|
+ assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ assert_null(creds->password);
|
|
+ assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
|
|
+ unsetenv("PASSWD");
|
|
+}
|
|
+
|
|
+static void torture_creds_parse_string(void **state)
|
|
+{
|
|
+ TALLOC_CTX *mem_ctx = *state;
|
|
+ struct cli_credentials *creds = NULL;
|
|
+
|
|
+ creds = cli_credentials_init(mem_ctx);
|
|
+ assert_non_null(creds);
|
|
+
|
|
+ /* Anonymous */
|
|
+ cli_credentials_parse_string(creds, "%", CRED_SPECIFIED);
|
|
+
|
|
+ assert_string_equal(creds->domain, "");
|
|
+ assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ assert_string_equal(creds->username, "");
|
|
+ assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ assert_null(creds->password);
|
|
+ assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ /* Username + password */
|
|
+ cli_credentials_parse_string(creds, "wurst%BROT", CRED_SPECIFIED);
|
|
+
|
|
+ assert_string_equal(creds->domain, "");
|
|
+ assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ assert_string_equal(creds->username, "wurst");
|
|
+ assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ assert_string_equal(creds->password, "BROT");
|
|
+ assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ /* Domain + username + password */
|
|
+ cli_credentials_parse_string(creds, "XXL\\wurst%BROT", CRED_SPECIFIED);
|
|
+
|
|
+ assert_string_equal(creds->domain, "XXL");
|
|
+ assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ assert_string_equal(creds->username, "wurst");
|
|
+ assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ assert_string_equal(creds->password, "BROT");
|
|
+ assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ /* Principal */
|
|
+ cli_credentials_parse_string(creds, "wurst@brot.realm", CRED_SPECIFIED);
|
|
+
|
|
+ assert_string_equal(creds->domain, "");
|
|
+ assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ assert_string_equal(creds->username, "wurst@brot.realm");
|
|
+ assert_int_equal(creds->username_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ assert_string_equal(creds->principal, "wurst@brot.realm");
|
|
+ assert_int_equal(creds->principal_obtained, CRED_SPECIFIED);
|
|
+
|
|
+ assert_string_equal(creds->password, "BROT");
|
|
+ assert_int_equal(creds->password_obtained, CRED_SPECIFIED);
|
|
+}
|
|
+
|
|
+int main(int argc, char *argv[])
|
|
+{
|
|
+ int rc;
|
|
+ const struct CMUnitTest tests[] = {
|
|
+ cmocka_unit_test(torture_creds_init),
|
|
+ cmocka_unit_test(torture_creds_init_anonymous),
|
|
+ cmocka_unit_test(torture_creds_guess),
|
|
+ cmocka_unit_test(torture_creds_anon_guess),
|
|
+ cmocka_unit_test(torture_creds_parse_string),
|
|
+ };
|
|
+
|
|
+ if (argc == 2) {
|
|
+ cmocka_set_test_filter(argv[1]);
|
|
+ }
|
|
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
|
|
+
|
|
+ rc = cmocka_run_group_tests(tests,
|
|
+ setup_talloc_context,
|
|
+ teardown_talloc_context);
|
|
+
|
|
+ return rc;
|
|
+}
|
|
diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build
|
|
index ad16b7d8008..46111164b36 100644
|
|
--- a/auth/credentials/wscript_build
|
|
+++ b/auth/credentials/wscript_build
|
|
@@ -31,3 +31,9 @@ bld.SAMBA_PYTHON('pycredentials',
|
|
public_deps='samba-credentials cmdline-credentials %s %s CREDENTIALS_KRB5 CREDENTIALS_SECRETS' % (pytalloc_util, pyparam_util),
|
|
realname='samba/credentials.so'
|
|
)
|
|
+
|
|
+bld.SAMBA_BINARY('test_creds',
|
|
+ source='tests/test_creds.c',
|
|
+ deps='cmocka samba-credentials',
|
|
+ local_include=False,
|
|
+ for_selftest=True)
|
|
diff --git a/selftest/tests.py b/selftest/tests.py
|
|
index 86cab3f8046..4a968cdbe8a 100644
|
|
--- a/selftest/tests.py
|
|
+++ b/selftest/tests.py
|
|
@@ -418,3 +418,5 @@ plantestsuite("samba.unittests.test_oLschema2ldif", "none",
|
|
if with_elasticsearch_backend:
|
|
plantestsuite("samba.unittests.mdsparser_es", "none",
|
|
[os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration])
|
|
+plantestsuite("samba.unittests.credentials", "none",
|
|
+ [os.path.join(bindir(), "default/auth/credentials/test_creds")])
|
|
diff --git a/source4/torture/local/local.c b/source4/torture/local/local.c
|
|
index a3186788524..d19b55e9502 100644
|
|
--- a/source4/torture/local/local.c
|
|
+++ b/source4/torture/local/local.c
|
|
@@ -70,7 +70,6 @@
|
|
torture_local_tevent_req,
|
|
torture_local_torture,
|
|
torture_local_dbspeed,
|
|
- torture_local_credentials,
|
|
torture_ldb,
|
|
torture_dsdb_dn,
|
|
torture_dsdb_syntax,
|
|
diff --git a/source4/torture/local/wscript_build b/source4/torture/local/wscript_build
|
|
index 38b6c8f4b6e..f0ab0357986 100644
|
|
--- a/source4/torture/local/wscript_build
|
|
+++ b/source4/torture/local/wscript_build
|
|
@@ -16,7 +16,7 @@ TORTURE_LOCAL_SOURCE = '''../../../lib/util/charset/tests/iconv.c
|
|
../../libcli/security/tests/sddl.c ../../../lib/tdr/testsuite.c
|
|
../../../lib/tevent/testsuite.c ../../param/tests/share.c
|
|
../../../lib/tevent/test_req.c
|
|
- ../../param/tests/loadparm.c ../../../auth/credentials/tests/simple.c local.c
|
|
+ ../../param/tests/loadparm.c local.c
|
|
dbspeed.c torture.c ../ldb/ldb.c ../../dsdb/common/tests/dsdb_dn.c
|
|
../../dsdb/schema/tests/schema_syntax.c
|
|
../../../lib/util/tests/anonymous_shared.c
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 82565bd73ee76d51b6569743644be1b916461acd Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 20 Aug 2020 12:09:05 +0200
|
|
Subject: [PATCH 088/104] Add smb2cli_session_get_encryption_cipher()
|
|
|
|
When 'session->smb2->should_encrypt' is true, the client MUST encrypt
|
|
all transport messages (see also MS-SMB2 3.2.4.1.8).
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit f0f8de9d4a4e05445e427f00bb10eb34e1110a97)
|
|
---
|
|
libcli/smb/smbXcli_base.c | 13 +++++++++++++
|
|
libcli/smb/smbXcli_base.h | 1 +
|
|
2 files changed, 14 insertions(+)
|
|
|
|
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
|
|
index 4909797543c..1be3a5506a0 100644
|
|
--- a/libcli/smb/smbXcli_base.c
|
|
+++ b/libcli/smb/smbXcli_base.c
|
|
@@ -6461,6 +6461,19 @@ NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session)
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
+uint16_t smb2cli_session_get_encryption_cipher(struct smbXcli_session *session)
|
|
+{
|
|
+ if (session->conn->protocol < PROTOCOL_SMB2_24) {
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ if (!session->smb2->should_encrypt) {
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ return session->conn->smb2.server.cipher;
|
|
+}
|
|
+
|
|
struct smbXcli_tcon *smbXcli_tcon_create(TALLOC_CTX *mem_ctx)
|
|
{
|
|
struct smbXcli_tcon *tcon;
|
|
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
|
|
index 2afc7165cd9..db5f5d58799 100644
|
|
--- a/libcli/smb/smbXcli_base.h
|
|
+++ b/libcli/smb/smbXcli_base.h
|
|
@@ -518,6 +518,7 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
|
|
const DATA_BLOB channel_key,
|
|
const struct iovec *recv_iov);
|
|
NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session);
|
|
+uint16_t smb2cli_session_get_encryption_cipher(struct smbXcli_session *session);
|
|
|
|
struct smbXcli_tcon *smbXcli_tcon_create(TALLOC_CTX *mem_ctx);
|
|
struct smbXcli_tcon *smbXcli_tcon_copy(TALLOC_CTX *mem_ctx,
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From f74c5cc57398ee42fecdfda17f4d442ca1abd9a5 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 20 Aug 2020 12:18:21 +0200
|
|
Subject: [PATCH 089/104] Add dcerpc_transport_encrypted()
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit 339bfcd67af2675d10287946d8f5dabba1022d57)
|
|
---
|
|
source4/librpc/rpc/dcerpc.h | 2 ++
|
|
source4/librpc/rpc/dcerpc_smb.c | 11 +++++++++++
|
|
source4/librpc/rpc/dcerpc_util.c | 13 +++++++++++++
|
|
3 files changed, 26 insertions(+)
|
|
|
|
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
|
|
index 6b0b841d64d..57124f10778 100644
|
|
--- a/source4/librpc/rpc/dcerpc.h
|
|
+++ b/source4/librpc/rpc/dcerpc.h
|
|
@@ -87,6 +87,7 @@ struct dcecli_connection {
|
|
struct dcerpc_transport {
|
|
enum dcerpc_transport_t transport;
|
|
void *private_data;
|
|
+ bool encrypted;
|
|
|
|
struct tstream_context *stream;
|
|
/** to serialize write events */
|
|
@@ -181,6 +182,7 @@ NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
|
|
const struct ndr_interface_table *table);
|
|
NTSTATUS dcerpc_fetch_session_key(struct dcerpc_pipe *p,
|
|
DATA_BLOB *session_key);
|
|
+bool dcerpc_transport_encrypted(struct dcerpc_pipe *p);
|
|
struct composite_context;
|
|
NTSTATUS dcerpc_secondary_connection_recv(struct composite_context *c,
|
|
struct dcerpc_pipe **p2);
|
|
diff --git a/source4/librpc/rpc/dcerpc_smb.c b/source4/librpc/rpc/dcerpc_smb.c
|
|
index b20b154a1cb..101ed64f0cd 100644
|
|
--- a/source4/librpc/rpc/dcerpc_smb.c
|
|
+++ b/source4/librpc/rpc/dcerpc_smb.c
|
|
@@ -145,6 +145,7 @@ static void dcerpc_pipe_open_smb_done(struct tevent_req *subreq)
|
|
struct dcerpc_pipe_open_smb_state);
|
|
struct composite_context *ctx = state->ctx;
|
|
struct dcecli_connection *c = state->c;
|
|
+ uint16_t enc_cipher;
|
|
|
|
ctx->status = tstream_smbXcli_np_open_recv(subreq,
|
|
state->smb,
|
|
@@ -173,6 +174,16 @@ static void dcerpc_pipe_open_smb_done(struct tevent_req *subreq)
|
|
/* Over-ride the default session key with the SMB session key */
|
|
c->security_state.session_key = smb_session_key;
|
|
|
|
+ enc_cipher = smb2cli_session_get_encryption_cipher(state->smb->session);
|
|
+ switch (enc_cipher) {
|
|
+ case SMB2_ENCRYPTION_AES128_CCM:
|
|
+ case SMB2_ENCRYPTION_AES128_GCM:
|
|
+ c->transport.encrypted = true;
|
|
+ break;
|
|
+ default:
|
|
+ c->transport.encrypted = false;
|
|
+ }
|
|
+
|
|
c->transport.private_data = talloc_move(c, &state->smb);
|
|
|
|
composite_done(ctx);
|
|
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
|
|
index bd79a072bc8..6ea27a8d9a3 100644
|
|
--- a/source4/librpc/rpc/dcerpc_util.c
|
|
+++ b/source4/librpc/rpc/dcerpc_util.c
|
|
@@ -743,6 +743,19 @@ _PUBLIC_ NTSTATUS dcerpc_fetch_session_key(struct dcerpc_pipe *p,
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
+_PUBLIC_ bool dcerpc_transport_encrypted(struct dcerpc_pipe *p)
|
|
+{
|
|
+ if (p == NULL) {
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ if (p->conn == NULL) {
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ return p->conn->transport.encrypted;
|
|
+}
|
|
+
|
|
/*
|
|
create a secondary context from a primary connection
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 89a12dbf4a5b819dbd136e743c59025298009049 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 20 Aug 2020 12:35:01 +0200
|
|
Subject: [PATCH 090/104] Add py binding for dcerpc_transport_encrypted
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit eba91f0dfa8e3267689b4076302e257f4cecd63b)
|
|
---
|
|
source4/librpc/rpc/pyrpc.c | 14 ++++++++++++++
|
|
1 file changed, 14 insertions(+)
|
|
|
|
diff --git a/source4/librpc/rpc/pyrpc.c b/source4/librpc/rpc/pyrpc.c
|
|
index be914ed5f14..309a6d72e26 100644
|
|
--- a/source4/librpc/rpc/pyrpc.c
|
|
+++ b/source4/librpc/rpc/pyrpc.c
|
|
@@ -293,11 +293,25 @@ static PyObject *py_iface_request(PyObject *self, PyObject *args, PyObject *kwar
|
|
return ret;
|
|
}
|
|
|
|
+static PyObject *py_iface_transport_encrypted(PyObject *self)
|
|
+{
|
|
+ dcerpc_InterfaceObject *iface = (dcerpc_InterfaceObject *)self;
|
|
+
|
|
+ if (dcerpc_transport_encrypted(iface->pipe)) {
|
|
+ Py_RETURN_TRUE;
|
|
+ }
|
|
+
|
|
+ Py_RETURN_FALSE;
|
|
+}
|
|
+
|
|
static PyMethodDef dcerpc_interface_methods[] = {
|
|
{ "request", PY_DISCARD_FUNC_SIG(PyCFunction, py_iface_request),
|
|
METH_VARARGS|METH_KEYWORDS,
|
|
"S.request(opnum, data, object=None) -> data\n"
|
|
"Make a raw request" },
|
|
+ { "transport_encrypted", PY_DISCARD_FUNC_SIG(PyCFunction, py_iface_transport_encrypted),
|
|
+ METH_NOARGS,
|
|
+ "Check if the DCE transport is encrypted" },
|
|
{ NULL, NULL, 0, NULL },
|
|
};
|
|
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From a08aab47494ab4f2972de3ebe4b022a1d23216a5 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 20 Aug 2020 12:44:08 +0200
|
|
Subject: [PATCH 091/104] selftest: add a test for py dce transport_encrypted
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit a77551bea969ce73a3dc27384d94b4126bef04f7)
|
|
---
|
|
python/samba/tests/dcerpc/binding.py | 23 ++++++++++++++++++++++-
|
|
1 file changed, 22 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/python/samba/tests/dcerpc/binding.py b/python/samba/tests/dcerpc/binding.py
|
|
index 8e0d6a5ef0a..24e4ac77d89 100644
|
|
--- a/python/samba/tests/dcerpc/binding.py
|
|
+++ b/python/samba/tests/dcerpc/binding.py
|
|
@@ -22,7 +22,7 @@ import samba.tests
|
|
from samba.tests import RpcInterfaceTestCase, TestCase
|
|
from samba.dcerpc import lsa
|
|
import samba.dcerpc.security as security
|
|
-from samba.credentials import Credentials, SMB_ENCRYPTION_REQUIRED
|
|
+from samba.credentials import Credentials, SMB_ENCRYPTION_REQUIRED, SMB_ENCRYPTION_OFF
|
|
from samba import NTSTATUSError
|
|
|
|
class RpcBindingTests(RpcInterfaceTestCase):
|
|
@@ -40,6 +40,26 @@ class RpcBindingTests(RpcInterfaceTestCase):
|
|
c.set_password(password)
|
|
return c
|
|
|
|
+ def test_smb3_dcerpc_no_encryption(self):
|
|
+ creds = self.get_user_creds()
|
|
+ creds.set_smb_encryption(SMB_ENCRYPTION_OFF)
|
|
+
|
|
+ lp = self.get_loadparm()
|
|
+ lp.set('client ipc max protocol', 'SMB3')
|
|
+ lp.set('client ipc min protocol', 'SMB3')
|
|
+
|
|
+ binding_string = ("ncacn_np:%s" % (samba.tests.env_get_var_value('SERVER')))
|
|
+ lsa_conn = lsa.lsarpc(binding_string, lp, creds)
|
|
+ self.assertFalse(lsa_conn.transport_encrypted())
|
|
+
|
|
+ objectAttr = lsa.ObjectAttribute()
|
|
+ objectAttr.sec_qos = lsa.QosInfo()
|
|
+
|
|
+ pol_handle = lsa_conn.OpenPolicy2('',
|
|
+ objectAttr,
|
|
+ security.SEC_FLAG_MAXIMUM_ALLOWED)
|
|
+ self.assertIsNotNone(pol_handle)
|
|
+
|
|
def test_smb3_dcerpc_encryption(self):
|
|
creds = self.get_user_creds()
|
|
creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
|
|
@@ -50,6 +70,7 @@ class RpcBindingTests(RpcInterfaceTestCase):
|
|
|
|
binding_string = ("ncacn_np:%s" % (samba.tests.env_get_var_value('SERVER')))
|
|
lsa_conn = lsa.lsarpc(binding_string, lp, creds)
|
|
+ self.assertTrue(lsa_conn.transport_encrypted())
|
|
|
|
objectAttr = lsa.ObjectAttribute()
|
|
objectAttr.sec_qos = lsa.QosInfo()
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 4e8f7954ceed5a14987eb56197f265618fd77acc Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 20 Aug 2020 12:47:12 +0200
|
|
Subject: [PATCH 092/104] Add CreateTrustedDomainRelax wrapper for fips mode
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit c2644032b49b4160517a7c73634cebc54a76f827)
|
|
---
|
|
python/samba/trust_utils.py | 62 +++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 62 insertions(+)
|
|
create mode 100644 python/samba/trust_utils.py
|
|
|
|
diff --git a/python/samba/trust_utils.py b/python/samba/trust_utils.py
|
|
new file mode 100644
|
|
index 00000000000..b4df0fa5bb8
|
|
--- /dev/null
|
|
+++ b/python/samba/trust_utils.py
|
|
@@ -0,0 +1,62 @@
|
|
+# trust utils
|
|
+#
|
|
+# Copyright Isaac Boukris 2020
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation; either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+
|
|
+
|
|
+from samba.dcerpc import lsa, drsblobs
|
|
+from samba.ndr import ndr_pack
|
|
+from samba import arcfour_encrypt, string_to_byte_array
|
|
+import random
|
|
+from samba import crypto
|
|
+
|
|
+def CreateTrustedDomainRelax(lsaconn, policy, trust_info, mask, in_blob, out_blob):
|
|
+
|
|
+ def generate_AuthInfoInternal(session_key, incoming=None, outgoing=None):
|
|
+ confounder = [0] * 512
|
|
+ for i in range(len(confounder)):
|
|
+ confounder[i] = random.randint(0, 255)
|
|
+
|
|
+ trustpass = drsblobs.trustDomainPasswords()
|
|
+
|
|
+ trustpass.confounder = confounder
|
|
+ trustpass.outgoing = outgoing
|
|
+ trustpass.incoming = incoming
|
|
+
|
|
+ trustpass_blob = ndr_pack(trustpass)
|
|
+
|
|
+ encrypted_trustpass = arcfour_encrypt(session_key, trustpass_blob)
|
|
+
|
|
+ auth_blob = lsa.DATA_BUF2()
|
|
+ auth_blob.size = len(encrypted_trustpass)
|
|
+ auth_blob.data = string_to_byte_array(encrypted_trustpass)
|
|
+
|
|
+ auth_info = lsa.TrustDomainInfoAuthInfoInternal()
|
|
+ auth_info.auth_blob = auth_blob
|
|
+
|
|
+ return auth_info
|
|
+
|
|
+ session_key = lsaconn.session_key
|
|
+
|
|
+ try:
|
|
+ if lsaconn.transport_encrypted():
|
|
+ crypto.set_relax_mode()
|
|
+ auth_info = generate_AuthInfoInternal(session_key,
|
|
+ incoming=in_blob,
|
|
+ outgoing=out_blob)
|
|
+ finally:
|
|
+ crypto.set_strict_mode()
|
|
+
|
|
+ return lsaconn.CreateTrustedDomainEx2(policy, trust_info, auth_info, mask)
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 2e16b3d7d5419e76d33b2c3a794a043be5c0a4a5 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 20 Aug 2020 12:49:17 +0200
|
|
Subject: [PATCH 093/104] Use the new CreateTrustedDomainRelax()
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit baf4e2930ee13b47c23c63c7e945fdc4444f0c69)
|
|
---
|
|
python/samba/netcmd/domain.py | 57 ++++++++---------------------------
|
|
1 file changed, 13 insertions(+), 44 deletions(-)
|
|
|
|
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
|
|
index 1d12c362911..93a3258d28d 100644
|
|
--- a/python/samba/netcmd/domain.py
|
|
+++ b/python/samba/netcmd/domain.py
|
|
@@ -102,6 +102,7 @@ from samba.netcmd.domain_backup import cmd_domain_backup
|
|
|
|
from samba.compat import binary_type
|
|
from samba.compat import get_string
|
|
+from samba.trust_utils import CreateTrustedDomainRelax
|
|
|
|
string_version_to_constant = {
|
|
"2008_R2": DS_DOMAIN_FUNCTION_2008_R2,
|
|
@@ -2528,54 +2529,20 @@ class cmd_domain_trust_create(DomainTrustCommand):
|
|
|
|
return blob
|
|
|
|
- def generate_AuthInfoInternal(session_key, incoming=None, outgoing=None):
|
|
- confounder = [0] * 512
|
|
- for i in range(len(confounder)):
|
|
- confounder[i] = random.randint(0, 255)
|
|
-
|
|
- trustpass = drsblobs.trustDomainPasswords()
|
|
-
|
|
- trustpass.confounder = confounder
|
|
- trustpass.outgoing = outgoing
|
|
- trustpass.incoming = incoming
|
|
-
|
|
- trustpass_blob = ndr_pack(trustpass)
|
|
-
|
|
- encrypted_trustpass = arcfour_encrypt(session_key, trustpass_blob)
|
|
-
|
|
- auth_blob = lsa.DATA_BUF2()
|
|
- auth_blob.size = len(encrypted_trustpass)
|
|
- auth_blob.data = string_to_byte_array(encrypted_trustpass)
|
|
-
|
|
- auth_info = lsa.TrustDomainInfoAuthInfoInternal()
|
|
- auth_info.auth_blob = auth_blob
|
|
-
|
|
- return auth_info
|
|
-
|
|
update_time = samba.current_unix_time()
|
|
incoming_blob = generate_AuthInOutBlob(incoming_secret, update_time)
|
|
outgoing_blob = generate_AuthInOutBlob(outgoing_secret, update_time)
|
|
|
|
- local_tdo_handle = None
|
|
- remote_tdo_handle = None
|
|
-
|
|
- local_auth_info = generate_AuthInfoInternal(local_lsa.session_key,
|
|
- incoming=incoming_blob,
|
|
- outgoing=outgoing_blob)
|
|
- if remote_trust_info:
|
|
- remote_auth_info = generate_AuthInfoInternal(remote_lsa.session_key,
|
|
- incoming=outgoing_blob,
|
|
- outgoing=incoming_blob)
|
|
-
|
|
try:
|
|
if remote_trust_info:
|
|
self.outf.write("Creating remote TDO.\n")
|
|
current_request = {"location": "remote", "name": "CreateTrustedDomainEx2"}
|
|
- remote_tdo_handle = \
|
|
- remote_lsa.CreateTrustedDomainEx2(remote_policy,
|
|
- remote_trust_info,
|
|
- remote_auth_info,
|
|
- lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS)
|
|
+ remote_tdo_handle = CreateTrustedDomainRelax(remote_lsa,
|
|
+ remote_policy,
|
|
+ remote_trust_info,
|
|
+ lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS,
|
|
+ outgoing_blob,
|
|
+ incoming_blob)
|
|
self.outf.write("Remote TDO created.\n")
|
|
if enc_types:
|
|
self.outf.write("Setting supported encryption types on remote TDO.\n")
|
|
@@ -2586,10 +2553,12 @@ class cmd_domain_trust_create(DomainTrustCommand):
|
|
|
|
self.outf.write("Creating local TDO.\n")
|
|
current_request = {"location": "local", "name": "CreateTrustedDomainEx2"}
|
|
- local_tdo_handle = local_lsa.CreateTrustedDomainEx2(local_policy,
|
|
- local_trust_info,
|
|
- local_auth_info,
|
|
- lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS)
|
|
+ local_tdo_handle = CreateTrustedDomainRelax(local_lsa,
|
|
+ local_policy,
|
|
+ local_trust_info,
|
|
+ lsa.LSA_TRUSTED_DOMAIN_ALL_ACCESS,
|
|
+ incoming_blob,
|
|
+ outgoing_blob)
|
|
self.outf.write("Local TDO created\n")
|
|
if enc_types:
|
|
self.outf.write("Setting supported encryption types on local TDO.\n")
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 2661a29e81b6b33dce6ca1e39c9e4eeaab53fef7 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Tue, 1 Sep 2020 20:14:29 +0300
|
|
Subject: [PATCH 094/104] selftest: add a test for the CreateTrustedDomainRelax
|
|
wrapper
|
|
|
|
Originally copied from 'source4/scripting/devel/createtrust'
|
|
(had to drop the TRUST_AUTH_TYPE_VERSION part though, as it
|
|
fails against samba DC).
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit cfaad16ff632df83a881fe5d8ec498bab102c9c9)
|
|
---
|
|
python/samba/tests/dcerpc/createtrustrelax.py | 131 ++++++++++++++++++
|
|
selftest/knownfail.d/createtrustrelax_server | 1 +
|
|
source4/selftest/tests.py | 4 +
|
|
3 files changed, 136 insertions(+)
|
|
create mode 100644 python/samba/tests/dcerpc/createtrustrelax.py
|
|
create mode 100644 selftest/knownfail.d/createtrustrelax_server
|
|
|
|
diff --git a/python/samba/tests/dcerpc/createtrustrelax.py b/python/samba/tests/dcerpc/createtrustrelax.py
|
|
new file mode 100644
|
|
index 00000000000..48beb0f9680
|
|
--- /dev/null
|
|
+++ b/python/samba/tests/dcerpc/createtrustrelax.py
|
|
@@ -0,0 +1,131 @@
|
|
+# Unix SMB/CIFS implementation.
|
|
+#
|
|
+# Copyright (C) Andrew Bartlett 2011
|
|
+# Copyright (C) Isaac Boukris 2020
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation; either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+#
|
|
+
|
|
+"""Tests for the CreateTrustedDomainRelax wrapper"""
|
|
+
|
|
+import os
|
|
+import samba
|
|
+from samba.tests import TestCase
|
|
+from samba.dcerpc import lsa, security, drsblobs
|
|
+from samba.credentials import Credentials, SMB_ENCRYPTION_REQUIRED, SMB_ENCRYPTION_OFF
|
|
+from samba.trust_utils import CreateTrustedDomainRelax
|
|
+
|
|
+class CreateTrustedDomainRelaxTest(TestCase):
|
|
+ def setUp(self):
|
|
+ super(CreateTrustedDomainRelaxTest, self).setUp()
|
|
+
|
|
+ def get_user_creds(self):
|
|
+ c = Credentials()
|
|
+ c.guess()
|
|
+ domain = samba.tests.env_get_var_value('DOMAIN')
|
|
+ username = samba.tests.env_get_var_value('USERNAME')
|
|
+ password = samba.tests.env_get_var_value('PASSWORD')
|
|
+ c.set_domain(domain)
|
|
+ c.set_username(username)
|
|
+ c.set_password(password)
|
|
+ return c
|
|
+
|
|
+ def _create_trust_relax(self, smbencrypt=True):
|
|
+ creds = self.get_user_creds()
|
|
+
|
|
+ if smbencrypt:
|
|
+ creds.set_smb_encryption(SMB_ENCRYPTION_REQUIRED)
|
|
+ else:
|
|
+ creds.set_smb_encryption(SMB_ENCRYPTION_OFF)
|
|
+
|
|
+ lp = self.get_loadparm()
|
|
+
|
|
+ binding_string = ("ncacn_np:%s" % (samba.tests.env_get_var_value('SERVER')))
|
|
+ lsa_conn = lsa.lsarpc(binding_string, lp, creds)
|
|
+
|
|
+ if smbencrypt:
|
|
+ self.assertTrue(lsa_conn.transport_encrypted())
|
|
+ else:
|
|
+ self.assertFalse(lsa_conn.transport_encrypted())
|
|
+
|
|
+ objectAttr = lsa.ObjectAttribute()
|
|
+ objectAttr.sec_qos = lsa.QosInfo()
|
|
+
|
|
+ pol_handle = lsa_conn.OpenPolicy2('',
|
|
+ objectAttr,
|
|
+ security.SEC_FLAG_MAXIMUM_ALLOWED)
|
|
+ self.assertIsNotNone(pol_handle)
|
|
+
|
|
+ name = lsa.String()
|
|
+ name.string = "tests.samba.example.com"
|
|
+ try:
|
|
+ info = lsa_conn.QueryTrustedDomainInfoByName(pol_handle, name,
|
|
+ lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
|
|
+
|
|
+ lsa_conn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
|
|
+ except RuntimeError:
|
|
+ pass
|
|
+
|
|
+ info = lsa.TrustDomainInfoInfoEx()
|
|
+ info.domain_name.string = name.string
|
|
+ info.netbios_name.string = "createtrustrelax"
|
|
+ info.sid = security.dom_sid("S-1-5-21-538490383-3740119673-95748416")
|
|
+ info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
|
|
+ info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
|
|
+ info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
|
|
+
|
|
+ password_blob = samba.string_to_byte_array("password".encode('utf-16-le'))
|
|
+
|
|
+ clear_value = drsblobs.AuthInfoClear()
|
|
+ clear_value.size = len(password_blob)
|
|
+ clear_value.password = password_blob
|
|
+
|
|
+ clear_authentication_information = drsblobs.AuthenticationInformation()
|
|
+ clear_authentication_information.LastUpdateTime = 0
|
|
+ clear_authentication_information.AuthType = lsa.TRUST_AUTH_TYPE_CLEAR
|
|
+ clear_authentication_information.AuthInfo = clear_value
|
|
+
|
|
+ authentication_information_array = drsblobs.AuthenticationInformationArray()
|
|
+ authentication_information_array.count = 1
|
|
+ authentication_information_array.array = [clear_authentication_information]
|
|
+
|
|
+ outgoing = drsblobs.trustAuthInOutBlob()
|
|
+ outgoing.count = 1
|
|
+ outgoing.current = authentication_information_array
|
|
+
|
|
+ trustdom_handle = None
|
|
+ try:
|
|
+ trustdom_handle = CreateTrustedDomainRelax(lsa_conn,
|
|
+ pol_handle,
|
|
+ info,
|
|
+ security.SEC_STD_DELETE,
|
|
+ outgoing,
|
|
+ outgoing)
|
|
+ except samba.NTSTATUSError as nt:
|
|
+ raise AssertionError(nt)
|
|
+ except OSError as e:
|
|
+ if smbencrypt:
|
|
+ raise AssertionError(e)
|
|
+
|
|
+ if smbencrypt:
|
|
+ self.assertIsNotNone(trustdom_handle)
|
|
+ lsa_conn.DeleteTrustedDomain(pol_handle, info.sid)
|
|
+ else:
|
|
+ self.assertIsNone(trustdom_handle)
|
|
+
|
|
+ def test_create_trust_relax_encrypt(self):
|
|
+ self._create_trust_relax(True)
|
|
+
|
|
+ def test_create_trust_relax_no_enc(self):
|
|
+ self._create_trust_relax(False)
|
|
diff --git a/selftest/knownfail.d/createtrustrelax_server b/selftest/knownfail.d/createtrustrelax_server
|
|
new file mode 100644
|
|
index 00000000000..80effda8343
|
|
--- /dev/null
|
|
+++ b/selftest/knownfail.d/createtrustrelax_server
|
|
@@ -0,0 +1 @@
|
|
+^samba.tests.dcerpc.createtrustrelax.samba.tests.dcerpc.createtrustrelax.CreateTrustedDomainRelaxTest.test_create_trust_relax_encrypt\(ad_dc_fips\)
|
|
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
|
|
index 3a903a7eee0..96f51b68cfc 100755
|
|
--- a/source4/selftest/tests.py
|
|
+++ b/source4/selftest/tests.py
|
|
@@ -704,6 +704,10 @@ def planoldpythontestsuite(env, module, name=None, extra_path=[], environ={}, ex
|
|
name = module
|
|
plantestsuite_loadlist(name, env, args)
|
|
|
|
+if have_gnutls_crypto_policies:
|
|
+ planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.createtrustrelax", environ={'GNUTLS_FORCE_FIPS_MODE':'1'})
|
|
+ planoldpythontestsuite("ad_dc_fips", "samba.tests.dcerpc.createtrustrelax", environ={'GNUTLS_FORCE_FIPS_MODE':'1'})
|
|
+
|
|
# Run complex search expressions test once for each database backend.
|
|
# Right now ad_dc has mdb and ad_dc_ntvfs has tdb
|
|
mdb_testenv = "ad_dc"
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 3d3a03764d56b58a81ef99123720bd5555eaf040 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 5 Nov 2020 15:38:19 +0200
|
|
Subject: [PATCH 095/104] Remove source4/scripting/devel/createtrust script
|
|
|
|
We now have the 'samba-tool domain trust' command.
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
|
|
Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
|
|
Autobuild-Date(master): Fri Nov 6 11:25:02 UTC 2020 on sn-devel-184
|
|
|
|
(cherry picked from commit 604153525afc892f57a1df710c41ffca275b0dd3)
|
|
---
|
|
source4/scripting/devel/createtrust | 125 ----------------------------
|
|
1 file changed, 125 deletions(-)
|
|
delete mode 100755 source4/scripting/devel/createtrust
|
|
|
|
diff --git a/source4/scripting/devel/createtrust b/source4/scripting/devel/createtrust
|
|
deleted file mode 100755
|
|
index 26b0d0dcb68..00000000000
|
|
--- a/source4/scripting/devel/createtrust
|
|
+++ /dev/null
|
|
@@ -1,125 +0,0 @@
|
|
-#!/usr/bin/env python3
|
|
-
|
|
-# create a domain trust
|
|
-
|
|
-import sys
|
|
-from optparse import OptionParser
|
|
-
|
|
-sys.path.insert(0, "bin/python")
|
|
-
|
|
-import samba
|
|
-import samba.getopt as options
|
|
-from samba.dcerpc import lsa, security, drsblobs
|
|
-from samba.ndr import ndr_pack
|
|
-from samba import arcfour_encrypt, string_to_byte_array
|
|
-import random
|
|
-
|
|
-########### main code ###########
|
|
-if __name__ == "__main__":
|
|
- parser = OptionParser("createtrust [options] server")
|
|
- sambaopts = options.SambaOptions(parser)
|
|
- credopts = options.CredentialsOptionsDouble(parser)
|
|
- parser.add_option_group(credopts)
|
|
-
|
|
- (opts, args) = parser.parse_args()
|
|
-
|
|
- lp = sambaopts.get_loadparm()
|
|
- creds = credopts.get_credentials(lp)
|
|
-
|
|
- if len(args) != 1:
|
|
- parser.error("You must supply a server")
|
|
-
|
|
- if not creds.authentication_requested():
|
|
- parser.error("You must supply credentials")
|
|
-
|
|
- server = args[0]
|
|
-
|
|
- binding_str = "ncacn_np:%s[print]" % server
|
|
-
|
|
- lsaconn = lsa.lsarpc(binding_str, lp, creds)
|
|
-
|
|
- objectAttr = lsa.ObjectAttribute()
|
|
- objectAttr.sec_qos = lsa.QosInfo()
|
|
-
|
|
- pol_handle = lsaconn.OpenPolicy2(''.decode('utf-8'),
|
|
- objectAttr, security.SEC_FLAG_MAXIMUM_ALLOWED)
|
|
-
|
|
- name = lsa.String()
|
|
- name.string = "sub2.win2k3.obed.home.abartlet.net"
|
|
- try:
|
|
- info = lsaconn.QueryTrustedDomainInfoByName(pol_handle, name, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
|
|
-
|
|
- lsaconn.DeleteTrustedDomain(pol_handle, info.info_ex.sid)
|
|
- except RuntimeError:
|
|
- pass
|
|
-
|
|
- info = lsa.TrustDomainInfoInfoEx()
|
|
- info.domain_name.string = "sub2.win2k3.obed.home.abartlet.net"
|
|
- info.netbios_name.string = "sub2"
|
|
- info.sid = security.dom_sid("S-1-5-21-538090388-3760119675-95745416")
|
|
- info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
|
|
- info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
|
|
- info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
|
|
-
|
|
- password_blob = string_to_byte_array("password".encode('utf-16-le'))
|
|
-
|
|
- clear_value = drsblobs.AuthInfoClear()
|
|
- clear_value.size = len(password_blob)
|
|
- clear_value.password = password_blob
|
|
-
|
|
- clear_authentication_information = drsblobs.AuthenticationInformation()
|
|
- clear_authentication_information.LastUpdateTime = 0
|
|
- clear_authentication_information.AuthType = lsa.TRUST_AUTH_TYPE_CLEAR
|
|
- clear_authentication_information.AuthInfo = clear_value
|
|
-
|
|
- version_value = drsblobs.AuthInfoVersion()
|
|
- version_value.version = 1
|
|
-
|
|
- version = drsblobs.AuthenticationInformation()
|
|
- version.LastUpdateTime = 0
|
|
- version.AuthType = lsa.TRUST_AUTH_TYPE_VERSION
|
|
- version.AuthInfo = version_value
|
|
-
|
|
- authentication_information_array = drsblobs.AuthenticationInformationArray()
|
|
- authentication_information_array.count = 2
|
|
- authentication_information_array.array = [clear_authentication_information, version]
|
|
-
|
|
- outgoing = drsblobs.trustAuthInOutBlob()
|
|
- outgoing.count = 1
|
|
- outgoing.current = authentication_information_array
|
|
-
|
|
- trustpass = drsblobs.trustDomainPasswords()
|
|
- confounder = [3] * 512
|
|
-
|
|
- for i in range(512):
|
|
- confounder[i] = random.randint(0, 255)
|
|
-
|
|
- trustpass.confounder = confounder
|
|
-
|
|
-# print "confounder: ", trustpass.confounder
|
|
-
|
|
- trustpass.outgoing = outgoing
|
|
- trustpass.incoming = outgoing
|
|
-
|
|
- trustpass_blob = ndr_pack(trustpass)
|
|
-
|
|
-# print "trustpass_blob: ", list(trustpass_blob)
|
|
-
|
|
- encrypted_trustpass = arcfour_encrypt(lsaconn.session_key, trustpass_blob)
|
|
-
|
|
-# print "encrypted_trustpass: ", list(encrypted_trustpass)
|
|
-
|
|
- auth_blob = lsa.DATA_BUF2()
|
|
- auth_blob.size = len(encrypted_trustpass)
|
|
- auth_blob.data = string_to_byte_array(encrypted_trustpass)
|
|
-
|
|
- auth_info = lsa.TrustDomainInfoAuthInfoInternal()
|
|
- auth_info.auth_blob = auth_blob
|
|
-
|
|
-
|
|
-# print "auth_info.auth_blob.data: ", auth_info.auth_blob.data
|
|
-
|
|
- trustdom_handle = lsaconn.CreateTrustedDomainEx2(pol_handle,
|
|
- info,
|
|
- auth_info,
|
|
- security.SEC_STD_DELETE)
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 8bdfdf2b2489393586dbc99b1d2282c61acdce09 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Fri, 6 Nov 2020 14:30:26 +0100
|
|
Subject: [PATCH 096/104] s3:rpc_server: Use gnutls_cipher_decrypt() in
|
|
get_trustdom_auth_blob()
|
|
|
|
It doesn't matter for RC4, but just to be correct.
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit 6c11e5f42ba3248c97d85c989d422b256d2465a9)
|
|
---
|
|
source3/rpc_server/lsa/srv_lsa_nt.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
|
|
index 198387424e6..e749caf2551 100644
|
|
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
|
|
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
|
|
@@ -1726,7 +1726,7 @@ static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p,
|
|
goto out;
|
|
}
|
|
|
|
- rc = gnutls_cipher_encrypt(cipher_hnd,
|
|
+ rc = gnutls_cipher_decrypt(cipher_hnd,
|
|
auth_blob->data,
|
|
auth_blob->length);
|
|
gnutls_cipher_deinit(cipher_hnd);
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 37fce305caff75a8ee1ab185f37e984809225239 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Fri, 6 Nov 2020 14:33:38 +0100
|
|
Subject: [PATCH 097/104] s4:rpc_server: Use gnutls_cipher_decrypt() in
|
|
get_trustdom_auth_blob()
|
|
|
|
It doesn't matter for RC4, but just to be correct.
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
(cherry picked from commit c93ccebdfedd60c1d19f1b1436ac30062259952a)
|
|
---
|
|
source4/rpc_server/lsa/dcesrv_lsa.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
|
|
index 8333cb149b6..4bb8aaa9592 100644
|
|
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
|
|
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
|
|
@@ -889,7 +889,7 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
|
|
goto out;
|
|
}
|
|
|
|
- rc = gnutls_cipher_encrypt(cipher_hnd,
|
|
+ rc = gnutls_cipher_decrypt(cipher_hnd,
|
|
auth_blob->data,
|
|
auth_blob->length);
|
|
gnutls_cipher_deinit(cipher_hnd);
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From caf59e243ed0f99056176ef81fe617b170ec6cfd Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 20 Aug 2020 13:40:21 +0200
|
|
Subject: [PATCH 098/104] s3:rpc_server: Allow to use RC4 for creating trusts
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit 4425f2c113a4dc33a8dc609d84a92018d61b4d2e)
|
|
---
|
|
source3/rpc_server/lsa/srv_lsa_nt.c | 13 +++++++++++++
|
|
1 file changed, 13 insertions(+)
|
|
|
|
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
|
|
index e749caf2551..d6d606ddeca 100644
|
|
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
|
|
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
|
|
@@ -51,6 +51,8 @@
|
|
#include "../libcli/lsarpc/util_lsarpc.h"
|
|
#include "lsa.h"
|
|
#include "librpc/rpc/dcesrv_core.h"
|
|
+#include "librpc/rpc/dcerpc_helper.h"
|
|
+#include "lib/param/loadparm.h"
|
|
|
|
#include "lib/crypto/gnutls_helpers.h"
|
|
#include <gnutls/gnutls.h>
|
|
@@ -1706,6 +1708,14 @@ static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p,
|
|
gnutls_datum_t my_session_key;
|
|
NTSTATUS status;
|
|
int rc;
|
|
+ bool encrypted;
|
|
+
|
|
+ encrypted =
|
|
+ dcerpc_is_transport_encrypted(p->session_info);
|
|
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
|
|
+ !encrypted) {
|
|
+ return NT_STATUS_ACCESS_DENIED;
|
|
+ }
|
|
|
|
status = session_extract_session_key(p->session_info, &lsession_key, KEY_USE_16BYTES);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
@@ -1717,11 +1727,13 @@ static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p,
|
|
.size = lsession_key.length,
|
|
};
|
|
|
|
+ GNUTLS_FIPS140_SET_LAX_MODE();
|
|
rc = gnutls_cipher_init(&cipher_hnd,
|
|
GNUTLS_CIPHER_ARCFOUR_128,
|
|
&my_session_key,
|
|
NULL);
|
|
if (rc < 0) {
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
|
|
goto out;
|
|
}
|
|
@@ -1730,6 +1742,7 @@ static NTSTATUS get_trustdom_auth_blob(struct pipes_struct *p,
|
|
auth_blob->data,
|
|
auth_blob->length);
|
|
gnutls_cipher_deinit(cipher_hnd);
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
if (rc < 0) {
|
|
status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
|
|
goto out;
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 14b972e7f4224ccf87b1d08824194a4d7d37aef0 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 20 Aug 2020 13:51:39 +0200
|
|
Subject: [PATCH 099/104] s4:rpc_server: Allow to use RC4 for creating trusts
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit c75dd1ea178325b8f65343cb5c35bb93f43a49a3)
|
|
---
|
|
source4/rpc_server/lsa/dcesrv_lsa.c | 18 ++++++++++++++++++
|
|
1 file changed, 18 insertions(+)
|
|
|
|
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
|
|
index 4bb8aaa9592..5b3ef71d458 100644
|
|
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
|
|
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
|
|
@@ -33,6 +33,8 @@
|
|
#include "libcli/lsarpc/util_lsarpc.h"
|
|
#include "lib/messaging/irpc.h"
|
|
#include "libds/common/roles.h"
|
|
+#include "lib/param/loadparm.h"
|
|
+#include "librpc/rpc/dcerpc_helper.h"
|
|
|
|
#include "lib/crypto/gnutls_helpers.h"
|
|
#include <gnutls/gnutls.h>
|
|
@@ -869,6 +871,19 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
|
|
gnutls_cipher_hd_t cipher_hnd = NULL;
|
|
gnutls_datum_t _session_key;
|
|
int rc;
|
|
+ struct auth_session_info *session_info =
|
|
+ dcesrv_call_session_info(dce_call);
|
|
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
|
|
+ bool encrypted;
|
|
+
|
|
+ encrypted =
|
|
+ dcerpc_is_transport_encrypted(session_info);
|
|
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED &&
|
|
+ !encrypted) {
|
|
+ DBG_ERR("Transport isn't encrypted and weak crypto disallowed!\n");
|
|
+ return NT_STATUS_ACCESS_DENIED;
|
|
+ }
|
|
+
|
|
|
|
nt_status = dcesrv_transport_session_key(dce_call, &session_key);
|
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
@@ -880,11 +895,13 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
|
|
.size = session_key.length,
|
|
};
|
|
|
|
+ GNUTLS_FIPS140_SET_LAX_MODE();
|
|
rc = gnutls_cipher_init(&cipher_hnd,
|
|
GNUTLS_CIPHER_ARCFOUR_128,
|
|
&_session_key,
|
|
NULL);
|
|
if (rc < 0) {
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
|
|
goto out;
|
|
}
|
|
@@ -893,6 +910,7 @@ static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
|
|
auth_blob->data,
|
|
auth_blob->length);
|
|
gnutls_cipher_deinit(cipher_hnd);
|
|
+ GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
if (rc < 0) {
|
|
nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
|
|
goto out;
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 5fdca81ab920d021e5f1c81a05cf3a91244ef405 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Fri, 6 Nov 2020 10:13:48 +0100
|
|
Subject: [PATCH 100/104] sefltest: Enable the dcerpc.createtrustrelax test
|
|
against ad_dc_fips
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
|
|
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
|
|
Autobuild-Date(master): Mon Nov 9 10:22:51 UTC 2020 on sn-devel-184
|
|
|
|
(cherry picked from commit b89134013041e772418c2c8bcfffe8a9ade6db91)
|
|
---
|
|
selftest/knownfail.d/createtrustrelax_server | 1 -
|
|
1 file changed, 1 deletion(-)
|
|
delete mode 100644 selftest/knownfail.d/createtrustrelax_server
|
|
|
|
diff --git a/selftest/knownfail.d/createtrustrelax_server b/selftest/knownfail.d/createtrustrelax_server
|
|
deleted file mode 100644
|
|
index 80effda8343..00000000000
|
|
--- a/selftest/knownfail.d/createtrustrelax_server
|
|
+++ /dev/null
|
|
@@ -1 +0,0 @@
|
|
-^samba.tests.dcerpc.createtrustrelax.samba.tests.dcerpc.createtrustrelax.CreateTrustedDomainRelaxTest.test_create_trust_relax_encrypt\(ad_dc_fips\)
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 2547b1d495afa0f7235064f4949a297e46338287 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Wed, 11 Nov 2020 13:42:06 +0100
|
|
Subject: [PATCH 101/104] s3:smbd: Fix possible null pointer dereference in
|
|
token_contains_name()
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14572
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
|
|
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
|
|
Autobuild-Date(master): Thu Nov 12 15:13:47 UTC 2020 on sn-devel-184
|
|
|
|
(cherry picked from commit 8036bf9717f83e83c3e4a9cf00fded42e9a5de15)
|
|
---
|
|
source3/smbd/share_access.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c
|
|
index 57754a0f766..694c0c290e8 100644
|
|
--- a/source3/smbd/share_access.c
|
|
+++ b/source3/smbd/share_access.c
|
|
@@ -79,7 +79,7 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
|
|
enum lsa_SidType type;
|
|
|
|
if (username != NULL) {
|
|
- size_t domain_len = strlen(domain);
|
|
+ size_t domain_len = domain != NULL ? strlen(domain) : 0;
|
|
|
|
/* Check if username starts with domain name */
|
|
if (domain_len > 0) {
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 14cba0db4c3e8a20923491f01cd6eb658c8d76ae Mon Sep 17 00:00:00 2001
|
|
From: Alexander Bokovoy <ab@samba.org>
|
|
Date: Tue, 10 Nov 2020 17:35:24 +0200
|
|
Subject: [PATCH 102/104] lookup_name: allow lookup names prefixed with DNS
|
|
forest root for FreeIPA DC
|
|
|
|
In FreeIPA deployment with active Global Catalog service, when a two-way
|
|
trust to Active Directory forest is established, Windows systems can
|
|
look up FreeIPA users and groups. When using a security tab in Windows
|
|
Explorer on AD side, a lookup over a trusted forest might come as
|
|
realm\name instead of NetBIOS domain name:
|
|
|
|
--------------------------------------------------------------------
|
|
[2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
|
|
lsa_LookupNames3: struct lsa_LookupNames3
|
|
in: struct lsa_LookupNames3
|
|
handle : *
|
|
handle: struct policy_handle
|
|
handle_type : 0x00000000 (0)
|
|
uuid : 0000000e-0000-0000-1c5e-a750e5810000
|
|
num_names : 0x00000001 (1)
|
|
names: ARRAY(1)
|
|
names: struct lsa_String
|
|
length : 0x001e (30)
|
|
size : 0x0020 (32)
|
|
string : *
|
|
string : 'ipa.test\admins'
|
|
sids : *
|
|
sids: struct lsa_TransSidArray3
|
|
count : 0x00000000 (0)
|
|
sids : NULL
|
|
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
|
|
count : *
|
|
count : 0x00000000 (0)
|
|
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
|
|
client_revision : LSA_CLIENT_REVISION_2 (2)
|
|
--------------------------------------------------------------------
|
|
|
|
If we are running as a DC and PASSDB supports returning domain info
|
|
(pdb_get_domain_info() returns a valid structure), check domain of the
|
|
name in lookup_name() against DNS forest name and allow the request to
|
|
be done against the primary domain. This corresponds to FreeIPA's use of
|
|
Samba as a DC. For normal domain members a realm-based lookup falls back
|
|
to a lookup over to its own domain controller with the help of winbindd.
|
|
|
|
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
|
|
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
|
|
Autobuild-Date(master): Wed Nov 11 10:59:01 UTC 2020 on sn-devel-184
|
|
|
|
(cherry picked from commit 31c703766fd2b89737826fb7e9a707f0622bb8cd)
|
|
---
|
|
source3/passdb/lookup_sid.c | 37 ++++++++++++++++++++++++++++---------
|
|
1 file changed, 28 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
|
|
index 82c47b3145b..864246da56e 100644
|
|
--- a/source3/passdb/lookup_sid.c
|
|
+++ b/source3/passdb/lookup_sid.c
|
|
@@ -113,17 +113,36 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
|
|
full_name, domain, name));
|
|
DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
|
|
|
|
- if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
|
|
- strequal(domain, get_global_sam_name()))
|
|
- {
|
|
+ if ((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) {
|
|
+ bool check_global_sam = false;
|
|
+
|
|
+ check_global_sam = strequal(domain, get_global_sam_name());
|
|
+
|
|
+ /* If we are running on a DC that has PASSDB module with domain
|
|
+ * information, check if DNS forest name is matching the domain
|
|
+ * name. This is the case of FreeIPA domain controller when
|
|
+ * trusted AD DC looks up users found in a Global Catalog of
|
|
+ * the forest root domain. */
|
|
+ if (!check_global_sam && (IS_DC)) {
|
|
+ struct pdb_domain_info *dom_info = NULL;
|
|
+ dom_info = pdb_get_domain_info(tmp_ctx);
|
|
+
|
|
+ if ((dom_info != NULL) && (dom_info->dns_forest != NULL)) {
|
|
+ check_global_sam = strequal(domain, dom_info->dns_forest);
|
|
+ }
|
|
|
|
- /* It's our own domain, lookup the name in passdb */
|
|
- if (lookup_global_sam_name(name, flags, &rid, &type)) {
|
|
- sid_compose(&sid, get_global_sam_sid(), rid);
|
|
- goto ok;
|
|
+ TALLOC_FREE(dom_info);
|
|
+ }
|
|
+
|
|
+ if (check_global_sam) {
|
|
+ /* It's our own domain, lookup the name in passdb */
|
|
+ if (lookup_global_sam_name(name, flags, &rid, &type)) {
|
|
+ sid_compose(&sid, get_global_sam_sid(), rid);
|
|
+ goto ok;
|
|
+ }
|
|
+ TALLOC_FREE(tmp_ctx);
|
|
+ return false;
|
|
}
|
|
- TALLOC_FREE(tmp_ctx);
|
|
- return false;
|
|
}
|
|
|
|
if ((flags & LOOKUP_NAME_BUILTIN) &&
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 35297bdac5cf9699234ec45ae97e54ceec75ebe9 Mon Sep 17 00:00:00 2001
|
|
From: Alexander Bokovoy <ab@samba.org>
|
|
Date: Wed, 11 Nov 2020 14:42:55 +0200
|
|
Subject: [PATCH 103/104] auth_sam: use pdb_get_domain_info to look up DNS
|
|
forest information
|
|
|
|
When Samba is used as a part of FreeIPA domain controller, Windows
|
|
clients for a trusted AD forest may try to authenticate (perform logon
|
|
operation) as a REALM\name user account.
|
|
|
|
Fix auth_sam plugins to accept DNS forest name if we are running on a DC
|
|
with PASSDB module providing domain information (e.g. pdb_get_domain_info()
|
|
returning non-NULL structure). Right now, only FreeIPA or Samba AD DC
|
|
PASSDB backends return this information but Samba AD DC configuration is
|
|
explicitly ignored by the two auth_sam (strict and netlogon3) modules.
|
|
|
|
Detailed logs below:
|
|
|
|
[2020/11/11 09:23:53.281296, 1, pid=42677, effective(65534, 65534), real(65534, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:482(ndr_print_function_debug)
|
|
netr_LogonSamLogonWithFlags: struct netr_LogonSamLogonWithFlags
|
|
in: struct netr_LogonSamLogonWithFlags
|
|
server_name : *
|
|
server_name : '\\master.ipa.test'
|
|
computer_name : *
|
|
computer_name : 'AD1'
|
|
credential : *
|
|
credential: struct netr_Authenticator
|
|
cred: struct netr_Credential
|
|
data : 529f4b087c5f6546
|
|
timestamp : Wed Nov 11 09:23:55 AM 2020 UTC
|
|
return_authenticator : *
|
|
return_authenticator: struct netr_Authenticator
|
|
cred: struct netr_Credential
|
|
data : 204f28f622010000
|
|
timestamp : Fri May 2 06:37:50 AM 1986 UTC
|
|
logon_level : NetlogonNetworkTransitiveInformation (6)
|
|
logon : *
|
|
logon : union netr_LogonLevel(case 6)
|
|
network : *
|
|
network: struct netr_NetworkInfo
|
|
identity_info: struct netr_IdentityInfo
|
|
domain_name: struct lsa_String
|
|
length : 0x0010 (16)
|
|
size : 0x01fe (510)
|
|
string : *
|
|
string : 'IPA.TEST'
|
|
parameter_control : 0x00002ae0 (10976)
|
|
0: MSV1_0_CLEARTEXT_PASSWORD_ALLOWED
|
|
0: MSV1_0_UPDATE_LOGON_STATISTICS
|
|
0: MSV1_0_RETURN_USER_PARAMETERS
|
|
0: MSV1_0_DONT_TRY_GUEST_ACCOUNT
|
|
1: MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
|
|
1: MSV1_0_RETURN_PASSWORD_EXPIRY
|
|
1: MSV1_0_USE_CLIENT_CHALLENGE
|
|
0: MSV1_0_TRY_GUEST_ACCOUNT_ONLY
|
|
1: MSV1_0_RETURN_PROFILE_PATH
|
|
0: MSV1_0_TRY_SPECIFIED_DOMAIN_ONLY
|
|
1: MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
|
|
0: MSV1_0_DISABLE_PERSONAL_FALLBACK
|
|
1: MSV1_0_ALLOW_FORCE_GUEST
|
|
0: MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED
|
|
0: MSV1_0_USE_DOMAIN_FOR_ROUTING_ONLY
|
|
0: MSV1_0_ALLOW_MSVCHAPV2
|
|
0: MSV1_0_S4U2SELF
|
|
0: MSV1_0_CHECK_LOGONHOURS_FOR_S4U
|
|
0: MSV1_0_SUBAUTHENTICATION_DLL_EX
|
|
logon_id : 0x0000000000884ef2 (8933106)
|
|
account_name: struct lsa_String
|
|
length : 0x000e (14)
|
|
size : 0x000e (14)
|
|
string : *
|
|
string : 'idmuser'
|
|
workstation: struct lsa_String
|
|
length : 0x0000 (0)
|
|
size : 0x0000 (0)
|
|
string : *
|
|
string : ''
|
|
challenge : 417207867bd33c74
|
|
nt: struct netr_ChallengeResponse
|
|
length : 0x00c0 (192)
|
|
size : 0x00c0 (192)
|
|
data : *
|
|
data: ARRAY(192)
|
|
[0000] A5 24 62 6E 31 DF 69 66 9E DC 54 D6 63 4C D6 2F .$bn1.if ..T.cL./
|
|
[0010] 01 01 00 00 00 00 00 00 50 37 D7 60 0C B8 D6 01 ........ P7.`....
|
|
[0020] 15 1B 38 4F 47 95 4D 62 00 00 00 00 02 00 0E 00 ..8OG.Mb ........
|
|
[0030] 57 00 49 00 4E 00 32 00 30 00 31 00 36 00 01 00 W.I.N.2. 0.1.6...
|
|
[0040] 06 00 41 00 44 00 31 00 04 00 18 00 77 00 69 00 ..A.D.1. ....w.i.
|
|
[0050] 6E 00 32 00 30 00 31 00 36 00 2E 00 74 00 65 00 n.2.0.1. 6...t.e.
|
|
[0060] 73 00 74 00 03 00 20 00 61 00 64 00 31 00 2E 00 s.t... . a.d.1...
|
|
[0070] 77 00 69 00 6E 00 32 00 30 00 31 00 36 00 2E 00 w.i.n.2. 0.1.6...
|
|
[0080] 74 00 65 00 73 00 74 00 05 00 18 00 77 00 69 00 t.e.s.t. ....w.i.
|
|
[0090] 6E 00 32 00 30 00 31 00 36 00 2E 00 74 00 65 00 n.2.0.1. 6...t.e.
|
|
[00A0] 73 00 74 00 07 00 08 00 50 37 D7 60 0C B8 D6 01 s.t..... P7.`....
|
|
[00B0] 06 00 04 00 02 00 00 00 00 00 00 00 00 00 00 00 ........ ........
|
|
lm: struct netr_ChallengeResponse
|
|
length : 0x0018 (24)
|
|
size : 0x0018 (24)
|
|
data : *
|
|
data : 000000000000000000000000000000000000000000000000
|
|
validation_level : 0x0006 (6)
|
|
flags : *
|
|
flags : 0x00000000 (0)
|
|
0: NETLOGON_SAMLOGON_FLAG_PASS_TO_FOREST_ROOT
|
|
0: NETLOGON_SAMLOGON_FLAG_PASS_CROSS_FOREST_HOP
|
|
0: NETLOGON_SAMLOGON_FLAG_RODC_TO_OTHER_DOMAIN
|
|
0: NETLOGON_SAMLOGON_FLAG_RODC_NTLM_REQUEST
|
|
|
|
In such case checks for a workgroup name will not match the DNS forest
|
|
name used in the username specification:
|
|
|
|
[2020/11/11 09:23:53.283055, 3, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:200(auth_check_ntlm_password)
|
|
check_ntlm_password: Checking password for unmapped user [IPA.TEST]\[idmuser]@[] with the new password interface
|
|
[2020/11/11 09:23:53.283073, 3, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:203(auth_check_ntlm_password)
|
|
check_ntlm_password: mapped user is: [IPA.TEST]\[idmuser]@[]
|
|
[2020/11/11 09:23:53.283082, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:213(auth_check_ntlm_password)
|
|
check_ntlm_password: auth_context challenge created by fixed
|
|
[2020/11/11 09:23:53.283091, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:216(auth_check_ntlm_password)
|
|
challenge is:
|
|
[2020/11/11 09:23:53.283099, 5, pid=42677, effective(65534, 65534), real(65534, 0)] ../../lib/util/util.c:678(dump_data)
|
|
[0000] 41 72 07 86 7B D3 3C 74 Ar..{.<t
|
|
[2020/11/11 09:23:53.283113, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth_sam.c:209(auth_sam_netlogon3_auth)
|
|
auth_sam_netlogon3_auth: Check auth for: [IPA.TEST]\[idmuser]
|
|
[2020/11/11 09:23:53.283123, 5, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth_sam.c:234(auth_sam_netlogon3_auth)
|
|
auth_sam_netlogon3_auth: IPA.TEST is not our domain name (DC for IPA)
|
|
[2020/11/11 09:23:53.283131, 10, pid=42677, effective(65534, 65534), real(65534, 0), class=auth] ../../source3/auth/auth.c:249(auth_check_ntlm_password)
|
|
auth_check_ntlm_password: sam_netlogon3 had nothing to say
|
|
|
|
and overall authentication attempt will fail: auth_winbind will complain
|
|
that this domain is not a trusted one and refuse operating on it:
|
|
|
|
[2020/11/11 09:23:53.283784, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:742(process_request_send)
|
|
process_request_send: process_request: Handling async request smbd(42677):PAM_AUTH_CRAP
|
|
[2020/11/11 09:23:53.283796, 3, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_pam_auth_crap.c:110(winbindd_pam_auth_crap_send)
|
|
[42677]: pam auth crap domain: [IPA.TEST] user: idmuser
|
|
[2020/11/11 09:23:53.283810, 3, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_pam.c:409(find_auth_domain)
|
|
Authentication for domain [IPA.TEST] refused as it is not a trusted domain
|
|
[2020/11/11 09:23:53.283825, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:810(process_request_done)
|
|
process_request_done: [smbd(42677):PAM_AUTH_CRAP]: NT_STATUS_NO_SUCH_USER
|
|
[2020/11/11 09:23:53.283844, 10, pid=42663, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:855(process_request_written)
|
|
process_request_written: [smbd(42677):PAM_AUTH_CRAP]: delivered response to client
|
|
|
|
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
(cherry picked from commit 2a8b672652dcbcf55ec59be537773d76f0f14d0a)
|
|
---
|
|
source3/auth/auth_sam.c | 45 +++++++++++++++++++++++++++++++++++++----
|
|
1 file changed, 41 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
|
|
index 3c12f959faf..e8e0d543f8c 100644
|
|
--- a/source3/auth/auth_sam.c
|
|
+++ b/source3/auth/auth_sam.c
|
|
@@ -22,6 +22,7 @@
|
|
|
|
#include "includes.h"
|
|
#include "auth.h"
|
|
+#include "passdb.h"
|
|
|
|
#undef DBGC_CLASS
|
|
#define DBGC_CLASS DBGC_AUTH
|
|
@@ -142,10 +143,28 @@ static NTSTATUS auth_samstrict_auth(const struct auth_context *auth_context,
|
|
break;
|
|
case ROLE_DOMAIN_PDC:
|
|
case ROLE_DOMAIN_BDC:
|
|
- if ( !is_local_name && !is_my_domain ) {
|
|
- DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n",
|
|
- effective_domain));
|
|
- return NT_STATUS_NOT_IMPLEMENTED;
|
|
+ if (!is_local_name && !is_my_domain) {
|
|
+ /* If we are running on a DC that has PASSDB module with domain
|
|
+ * information, check if DNS forest name is matching the domain
|
|
+ * name. This is the case of FreeIPA domain controller when
|
|
+ * trusted AD DCs attempt to authenticate FreeIPA users using
|
|
+ * the forest root domain (which is the only domain in FreeIPA).
|
|
+ */
|
|
+ struct pdb_domain_info *dom_info = NULL;
|
|
+
|
|
+ dom_info = pdb_get_domain_info(mem_ctx);
|
|
+ if ((dom_info != NULL) && (dom_info->dns_forest != NULL)) {
|
|
+ is_my_domain = strequal(user_info->mapped.domain_name,
|
|
+ dom_info->dns_forest);
|
|
+ }
|
|
+
|
|
+ TALLOC_FREE(dom_info);
|
|
+ if (!is_my_domain) {
|
|
+ DEBUG(6,("check_samstrict_security: %s is not one "
|
|
+ "of my local names or domain name (DC)\n",
|
|
+ effective_domain));
|
|
+ return NT_STATUS_NOT_IMPLEMENTED;
|
|
+ }
|
|
}
|
|
|
|
break;
|
|
@@ -230,6 +249,24 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context,
|
|
}
|
|
|
|
is_my_domain = strequal(user_info->mapped.domain_name, lp_workgroup());
|
|
+ if (!is_my_domain) {
|
|
+ /* If we are running on a DC that has PASSDB module with domain
|
|
+ * information, check if DNS forest name is matching the domain
|
|
+ * name. This is the case of FreeIPA domain controller when
|
|
+ * trusted AD DCs attempt to authenticate FreeIPA users using
|
|
+ * the forest root domain (which is the only domain in FreeIPA).
|
|
+ */
|
|
+ struct pdb_domain_info *dom_info = NULL;
|
|
+ dom_info = pdb_get_domain_info(mem_ctx);
|
|
+
|
|
+ if ((dom_info != NULL) && (dom_info->dns_forest != NULL)) {
|
|
+ is_my_domain = strequal(user_info->mapped.domain_name,
|
|
+ dom_info->dns_forest);
|
|
+ }
|
|
+
|
|
+ TALLOC_FREE(dom_info);
|
|
+ }
|
|
+
|
|
if (!is_my_domain) {
|
|
DBG_INFO("%s is not our domain name (DC for %s)\n",
|
|
effective_domain, lp_workgroup());
|
|
--
|
|
2.29.2
|
|
|
|
|
|
From 173cabf40d71470a233b7648b1bf8795f8bda091 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Fri, 27 Nov 2020 11:22:15 +0100
|
|
Subject: [PATCH 104/104] docs-xml: Add a section about weak crypto in testparm
|
|
manpage
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14583
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
|
|
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
|
|
Autobuild-Date(master): Fri Nov 27 13:48:20 UTC 2020 on sn-devel-184
|
|
|
|
(cherry picked from commit 5c27740aeff273bcd5f027d36874e56170234146)
|
|
---
|
|
docs-xml/manpages/testparm.1.xml | 9 +++++++++
|
|
1 file changed, 9 insertions(+)
|
|
|
|
diff --git a/docs-xml/manpages/testparm.1.xml b/docs-xml/manpages/testparm.1.xml
|
|
index 9099cda010f..7c7abf50e8b 100644
|
|
--- a/docs-xml/manpages/testparm.1.xml
|
|
+++ b/docs-xml/manpages/testparm.1.xml
|
|
@@ -171,6 +171,15 @@
|
|
errors and warnings if the file did not load. If the file was
|
|
loaded OK, the program then dumps all known service details
|
|
to stdout. </para>
|
|
+
|
|
+ <para>For certain use cases, SMB protocol requires use of
|
|
+ cryptographic algorithms which are known to be weak and already
|
|
+ broken. DES and ARCFOUR (RC4) ciphers and the SHA1 and MD5 hash
|
|
+ algorithms are considered weak but they are required for backward
|
|
+ compatibility. The testparm utility shows whether the Samba tools
|
|
+ will fall back to these weak crypto algorithms if it is not possible
|
|
+ to use strong cryptography by default.
|
|
+ In FIPS mode weak crypto cannot be enabled.</para>
|
|
</refsect1>
|
|
|
|
|
|
--
|
|
2.29.2
|
|
|