diff options
Diffstat (limited to 'meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch')
| -rw-r--r-- | meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch | 988 |
1 files changed, 988 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch new file mode 100644 index 0000000000..a939e70663 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch @@ -0,0 +1,988 @@ +From cbef7b5e10f4477d9f2e648ac6c654eef1165b82 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> +Date: Wed, 24 Sep 2014 22:16:20 +0200 +Subject: [PATCH 1/4] s3-net: add "net ads enctypes {list,set,delete}". +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner <gd@samba.org> +Reviewed-by: Andreas Schneider <asn@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> +--- + source3/utils/net_ads.c | 308 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 308 insertions(+) + +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 8b8e719..5f18bf4 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -2860,6 +2860,306 @@ int net_ads_kerberos(struct net_context *c, int argc, const char **argv) + return net_run_function(c, argc, argv, "net ads kerberos", func); + } + ++static int net_ads_enctype_lookup_account(struct net_context *c, ++ ADS_STRUCT *ads, ++ const char *account, ++ LDAPMessage **res, ++ const char **enctype_str) ++{ ++ const char *filter; ++ const char *attrs[] = { ++ "msDS-SupportedEncryptionTypes", ++ NULL ++ }; ++ int count; ++ int ret = -1; ++ ADS_STATUS status; ++ ++ filter = talloc_asprintf(c, "(&(objectclass=user)(sAMAccountName=%s))", ++ account); ++ if (filter == NULL) { ++ goto done; ++ } ++ ++ status = ads_search(ads, res, filter, attrs); ++ if (!ADS_ERR_OK(status)) { ++ d_printf(_("no account found with filter: %s\n"), filter); ++ goto done; ++ } ++ ++ count = ads_count_replies(ads, *res); ++ switch (count) { ++ case 1: ++ break; ++ case 0: ++ d_printf(_("no account found with filter: %s\n"), filter); ++ goto done; ++ default: ++ d_printf(_("multiple accounts found with filter: %s\n"), filter); ++ goto done; ++ } ++ ++ if (enctype_str) { ++ *enctype_str = ads_pull_string(ads, c, *res, ++ "msDS-SupportedEncryptionTypes"); ++ if (*enctype_str == NULL) { ++ d_printf(_("no msDS-SupportedEncryptionTypes attribute found\n")); ++ goto done; ++ } ++ } ++ ++ ret = 0; ++ done: ++ return ret; ++} ++ ++static void net_ads_enctype_dump_enctypes(const char *username, ++ const char *enctype_str) ++{ ++ int enctypes; ++ ++ d_printf(_("'%s' uses \"msDS-SupportedEncryptionTypes\":\n"), username); ++ ++ enctypes = atoi(enctype_str); ++ ++ printf("[%s] 0x%08x DES-CBC-CRC\n", ++ enctypes & ENC_CRC32 ? "X" : " ", ++ ENC_CRC32); ++ printf("[%s] 0x%08x DES-CBC-MD5\n", ++ enctypes & ENC_RSA_MD5 ? "X" : " ", ++ ENC_RSA_MD5); ++ printf("[%s] 0x%08x RC4-HMAC\n", ++ enctypes & ENC_RC4_HMAC_MD5 ? "X" : " ", ++ ENC_RC4_HMAC_MD5); ++ printf("[%s] 0x%08x AES128-CTS-HMAC-SHA1-96\n", ++ enctypes & ENC_HMAC_SHA1_96_AES128 ? "X" : " ", ++ ENC_HMAC_SHA1_96_AES128); ++ printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96\n", ++ enctypes & ENC_HMAC_SHA1_96_AES256 ? "X" : " ", ++ ENC_HMAC_SHA1_96_AES256); ++} ++ ++static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv) ++{ ++ int ret = -1; ++ ADS_STATUS status; ++ ADS_STRUCT *ads = NULL; ++ LDAPMessage *res = NULL; ++ const char *str = NULL; ++ ++ if (c->display_usage || (argc < 1)) { ++ d_printf( "%s\n" ++ "net ads enctypes list\n" ++ " %s\n", ++ _("Usage:"), ++ _("List supported enctypes")); ++ return 0; ++ } ++ ++ status = ads_startup(c, false, &ads); ++ if (!ADS_ERR_OK(status)) { ++ printf("startup failed\n"); ++ return ret; ++ } ++ ++ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str); ++ if (ret) { ++ goto done; ++ } ++ ++ net_ads_enctype_dump_enctypes(argv[0], str); ++ ++ ret = 0; ++ done: ++ ads_msgfree(ads, res); ++ ads_destroy(&ads); ++ ++ return ret; ++} ++ ++static int net_ads_enctypes_set(struct net_context *c, int argc, const char **argv) ++{ ++ int ret = -1; ++ ADS_STATUS status; ++ ADS_STRUCT *ads; ++ LDAPMessage *res = NULL; ++ const char *etype_list_str; ++ const char *dn; ++ ADS_MODLIST mods; ++ uint32_t etype_list; ++ const char *str; ++ ++ if (c->display_usage || argc < 1) { ++ d_printf( "%s\n" ++ "net ads enctypes set <sAMAccountName> [enctypes]\n" ++ " %s\n", ++ _("Usage:"), ++ _("Set supported enctypes")); ++ return 0; ++ } ++ ++ status = ads_startup(c, false, &ads); ++ if (!ADS_ERR_OK(status)) { ++ printf("startup failed\n"); ++ return ret; ++ } ++ ++ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL); ++ if (ret) { ++ goto done; ++ } ++ ++ dn = ads_get_dn(ads, c, res); ++ if (dn == NULL) { ++ goto done; ++ } ++ ++ etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; ++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 ++ etype_list |= ENC_HMAC_SHA1_96_AES128; ++#endif ++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 ++ etype_list |= ENC_HMAC_SHA1_96_AES256; ++#endif ++ ++ if (argv[1] != NULL) { ++ sscanf(argv[1], "%i", &etype_list); ++ } ++ ++ etype_list_str = talloc_asprintf(c, "%d", etype_list); ++ if (!etype_list_str) { ++ goto done; ++ } ++ ++ mods = ads_init_mods(c); ++ if (!mods) { ++ goto done; ++ } ++ ++ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes", ++ etype_list_str); ++ if (!ADS_ERR_OK(status)) { ++ goto done; ++ } ++ ++ status = ads_gen_mod(ads, dn, mods); ++ if (!ADS_ERR_OK(status)) { ++ d_printf(_("failed to add msDS-SupportedEncryptionTypes: %s\n"), ++ ads_errstr(status)); ++ goto done; ++ } ++ ++ ads_msgfree(ads, res); ++ ++ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str); ++ if (ret) { ++ goto done; ++ } ++ ++ net_ads_enctype_dump_enctypes(argv[0], str); ++ ++ ret = 0; ++ done: ++ ads_msgfree(ads, res); ++ ads_destroy(&ads); ++ ++ return ret; ++} ++ ++static int net_ads_enctypes_delete(struct net_context *c, int argc, const char **argv) ++{ ++ int ret = -1; ++ ADS_STATUS status; ++ ADS_STRUCT *ads; ++ LDAPMessage *res = NULL; ++ const char *dn; ++ ADS_MODLIST mods; ++ ++ if (c->display_usage || argc < 1) { ++ d_printf( "%s\n" ++ "net ads enctypes delete <sAMAccountName>\n" ++ " %s\n", ++ _("Usage:"), ++ _("Delete supported enctypes")); ++ return 0; ++ } ++ ++ status = ads_startup(c, false, &ads); ++ if (!ADS_ERR_OK(status)) { ++ printf("startup failed\n"); ++ return ret; ++ } ++ ++ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL); ++ if (ret) { ++ goto done; ++ } ++ ++ dn = ads_get_dn(ads, c, res); ++ if (dn == NULL) { ++ goto done; ++ } ++ ++ mods = ads_init_mods(c); ++ if (!mods) { ++ goto done; ++ } ++ ++ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes", NULL); ++ if (!ADS_ERR_OK(status)) { ++ goto done; ++ } ++ ++ status = ads_gen_mod(ads, dn, mods); ++ if (!ADS_ERR_OK(status)) { ++ d_printf(_("failed to remove msDS-SupportedEncryptionTypes: %s\n"), ++ ads_errstr(status)); ++ goto done; ++ } ++ ++ ret = 0; ++ ++ done: ++ ads_msgfree(ads, res); ++ ads_destroy(&ads); ++ return ret; ++} ++ ++static int net_ads_enctypes(struct net_context *c, int argc, const char **argv) ++{ ++ struct functable func[] = { ++ { ++ "list", ++ net_ads_enctypes_list, ++ NET_TRANSPORT_ADS, ++ N_("List the supported encryption types"), ++ N_("net ads enctypes list\n" ++ " List the supported encryption types") ++ }, ++ { ++ "set", ++ net_ads_enctypes_set, ++ NET_TRANSPORT_ADS, ++ N_("Set the supported encryption types"), ++ N_("net ads enctypes set\n" ++ " Set the supported encryption types") ++ }, ++ { ++ "delete", ++ net_ads_enctypes_delete, ++ NET_TRANSPORT_ADS, ++ N_("Delete the supported encryption types"), ++ N_("net ads enctypes delete\n" ++ " Delete the supported encryption types") ++ }, ++ ++ {NULL, NULL, 0, NULL, NULL} ++ }; ++ ++ return net_run_function(c, argc, argv, "net ads enctypes", func); ++} ++ ++ + int net_ads(struct net_context *c, int argc, const char **argv) + { + struct functable func[] = { +@@ -3015,6 +3315,14 @@ int net_ads(struct net_context *c, int argc, const char **argv) + N_("net ads kerberos\n" + " Manage kerberos keytab") + }, ++ { ++ "enctypes", ++ net_ads_enctypes, ++ NET_TRANSPORT_ADS, ++ N_("List/modify supported encryption types"), ++ N_("net ads enctypes\n" ++ " List/modify enctypes") ++ }, + {NULL, NULL, 0, NULL, NULL} + }; + +-- +1.9.3 + + +From a19f1e51bd7d48b238ad22ec9e27af53dfa5bf44 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> +Date: Wed, 24 Sep 2014 23:36:19 +0200 +Subject: [PATCH 2/4] s3-net: add manpage documentation for "net ads enctypes". +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner <gd@samba.org> +Reviewed-by: Andreas Schneider <asn@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> +--- + docs-xml/manpages/net.8.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 53 insertions(+) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index f39b420..9e982e3 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -1339,6 +1339,59 @@ to show in the result. + </refsect2> + + <refsect2> ++ <title>ADS ENCTYPES</title> ++ ++<para> ++ List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD. ++</para> ++ ++<para> ++ This attribute allows to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values: ++</para> ++ ++<para>0x00000001 DES-CBC-CRC</para> ++<para>0x00000002 DES-CBC-MD5</para> ++<para>0x00000004 RC4-HMAC</para> ++<para>0x00000008 AES128-CTS-HMAC-SHA1-96</para> ++<para>0x00000010 AES256-CTS-HMAC-SHA1-96</para> ++ ++</refsect2> ++ ++<refsect2> ++ <title>ADS ENCTYPES LIST <replaceable><ACCOUNTNAME></replaceable></title> ++ ++<para> ++ List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account. ++</para> ++ ++<para>Example: <userinput>net ads enctypes list Computername</userinput></para> ++ ++</refsect2> ++ ++<refsect2> ++ <title>ADS ENCTYPES SET <replaceable><ACCOUNTNAME></replaceable> <replaceable>[enctypes]</replaceable></title> ++ ++<para> ++ Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is ommitted, the value is set to 31 which enables all the currently supported encryption types. ++</para> ++ ++<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para> ++ ++</refsect2> ++ ++<refsect2> ++ <title>ADS ENCTYPES DELETE <replaceable><ACCOUNTNAME></replaceable></title> ++ ++<para> ++ Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME. ++</para> ++ ++<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para> ++ ++</refsect2> ++ ++ ++<refsect2> + <title>SAM CREATEBUILTINGROUP <NAME></title> + + <para> +-- +1.9.3 + + +From 0f42d123afde57ee74d89bdc742185cef718cf0f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> +Date: Fri, 23 Nov 2012 12:34:27 +0100 +Subject: [PATCH 3/4] s3-libnet: set list of allowed krb5 encryption types in + AD >= 2008. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner <gd@samba.org> +Reviewed-by: Andreas Schneider <asn@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> +--- + source3/libnet/libnet_join.c | 65 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 65 insertions(+) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 381a59c..e70e11a 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -605,6 +605,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, + /**************************************************************** + ****************************************************************/ + ++static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, ++ struct libnet_JoinCtx *r) ++{ ++ ADS_STATUS status; ++ ADS_MODLIST mods; ++ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; ++ const char *etype_list_str; ++ ++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 ++ etype_list |= ENC_HMAC_SHA1_96_AES128; ++#endif ++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 ++ etype_list |= ENC_HMAC_SHA1_96_AES256; ++#endif ++ ++ etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list); ++ if (!etype_list_str) { ++ return ADS_ERROR(LDAP_NO_MEMORY); ++ } ++ ++ /* Find our DN */ ++ ++ status = libnet_join_find_machine_acct(mem_ctx, r); ++ if (!ADS_ERR_OK(status)) { ++ return status; ++ } ++ ++ /* now do the mods */ ++ ++ mods = ads_init_mods(mem_ctx); ++ if (!mods) { ++ return ADS_ERROR(LDAP_NO_MEMORY); ++ } ++ ++ status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes", ++ etype_list_str); ++ if (!ADS_ERR_OK(status)) { ++ return status; ++ } ++ ++ return ads_gen_mod(r->in.ads, r->out.dn, mods); ++} ++ ++/**************************************************************** ++****************************************************************/ ++ + static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx, + struct libnet_JoinCtx *r) + { +@@ -679,6 +725,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, + struct libnet_JoinCtx *r) + { + ADS_STATUS status; ++ uint32_t func_level = 0; + + if (!r->in.ads) { + status = libnet_join_connect_ads(mem_ctx, r); +@@ -713,6 +760,24 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, + return status; + } + ++ status = ads_domain_func_level(r->in.ads, &func_level); ++ if (!ADS_ERR_OK(status)) { ++ libnet_join_set_error_string(mem_ctx, r, ++ "failed to query domain controller functional level: %s", ++ ads_errstr(status)); ++ return status; ++ } ++ ++ if (func_level >= DS_DOMAIN_FUNCTION_2008) { ++ status = libnet_join_set_etypes(mem_ctx, r); ++ if (!ADS_ERR_OK(status)) { ++ libnet_join_set_error_string(mem_ctx, r, ++ "failed to set machine kerberos encryption types: %s", ++ ads_errstr(status)); ++ return status; ++ } ++ } ++ + if (!libnet_join_derive_salting_principal(mem_ctx, r)) { + return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); + } +-- +1.9.3 + + +From adb206481ac56c8f438e70f7b9e986aeba9586b1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> +Date: Fri, 26 Sep 2014 21:06:38 +0200 +Subject: [PATCH 4/4] s4-auth/kerberos: fix salting principal, make sure + hostname is lowercase. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Found at MS interop event while working on AES kerberos key support. + +Guenther + +Signed-off-by: Günther Deschner <gd@samba.org> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> +--- + source4/auth/kerberos/srv_keytab.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c +index d81e27d..3baba14 100644 +--- a/source4/auth/kerberos/srv_keytab.c ++++ b/source4/auth/kerberos/srv_keytab.c +@@ -143,7 +143,7 @@ static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx, + return ENOMEM; + } + +- machine_username = talloc_strdup(tmp_ctx, samAccountName); ++ machine_username = strlower_talloc(tmp_ctx, samAccountName); + if (!machine_username) { + *error_string = "Cannot duplicate samAccountName"; + talloc_free(tmp_ctx); +-- +1.9.3 + +From d423e8b759af2e0a7cdce39d3f7a6c8d9c1764b4 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison <jra@samba.org> +Date: Mon, 16 Jun 2014 22:49:29 -0700 +Subject: [PATCH 1/5] s3: auth: Add some const to the struct netr_SamInfo3 * + arguments of copy_netr_SamInfo3() and make_server_info_info3() + +Both functions only read from the struct netr_SamInfo3 * argument. + +Signed-off-by: Jeremy Allison <jra@samba.org> +Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> +Reviewed-by: Simo Sorce <idra@samba.org> + +Conflicts: + source3/auth/proto.h + source3/auth/server_info.c +--- + source3/auth/auth_util.c | 2 +- + source3/auth/proto.h | 4 ++-- + source3/auth/server_info.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c +index ceaa706..afa78ec 100644 +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -1369,7 +1369,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, + const char *sent_nt_username, + const char *domain, + struct auth_serversupplied_info **server_info, +- struct netr_SamInfo3 *info3) ++ const struct netr_SamInfo3 *info3) + { + static const char zeros[16] = {0, }; + +diff --git a/source3/auth/proto.h b/source3/auth/proto.h +index 76661fc..6ec206e 100644 +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -232,7 +232,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, + const char *sent_nt_username, + const char *domain, + struct auth_serversupplied_info **server_info, +- struct netr_SamInfo3 *info3); ++ const struct netr_SamInfo3 *info3); + struct wbcAuthUserInfo; + NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, + const char *sent_nt_username, +@@ -287,7 +287,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, + const struct passwd *pwd, + struct netr_SamInfo3 **pinfo3); + struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx, +- struct netr_SamInfo3 *orig); ++ const struct netr_SamInfo3 *orig); + struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx, + const struct wbcAuthUserInfo *info); + +diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c +index d2b7d6e..066b9a8 100644 +--- a/source3/auth/server_info.c ++++ b/source3/auth/server_info.c +@@ -445,7 +445,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, + } } while(0) + + struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx, +- struct netr_SamInfo3 *orig) ++ const struct netr_SamInfo3 *orig) + { + struct netr_SamInfo3 *info3; + unsigned int i; +-- +1.9.3 + + +From cab0cda9df0bb0eda2d7957c0bb8dbcb51ba7ef7 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison <jra@samba.org> +Date: Mon, 16 Jun 2014 22:54:45 -0700 +Subject: [PATCH 2/5] s3: auth: Change make_server_info_info3() to take a const + struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO. + +make_server_info_info3() only reads from the info3 pointer. + +Signed-off-by: Jeremy Allison <jra@samba.org> +Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> +Reviewed-by: Simo Sorce <idra@samba.org> +--- + source3/auth/auth_generic.c | 2 +- + source3/auth/proto.h | 2 +- + source3/auth/user_krb5.c | 8 ++++---- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c +index a2ba4e3..2880bc9 100644 +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -112,7 +112,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + + status = make_session_info_krb5(mem_ctx, + ntuser, ntdomain, username, pw, +- logon_info, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, ++ &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, + session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", +diff --git a/source3/auth/proto.h b/source3/auth/proto.h +index 6ec206e..75d1097 100644 +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -357,7 +357,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + char *ntdomain, + char *username, + struct passwd *pw, +- struct PAC_LOGON_INFO *logon_info, ++ const struct netr_SamInfo3 *info3, + bool mapped_to_guest, bool username_was_mapped, + DATA_BLOB *session_key, + struct auth_session_info **session_info); +diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c +index 974a8aa..0a538b4 100644 +--- a/source3/auth/user_krb5.c ++++ b/source3/auth/user_krb5.c +@@ -186,7 +186,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + char *ntdomain, + char *username, + struct passwd *pw, +- struct PAC_LOGON_INFO *logon_info, ++ const struct netr_SamInfo3 *info3, + bool mapped_to_guest, bool username_was_mapped, + DATA_BLOB *session_key, + struct auth_session_info **session_info) +@@ -202,14 +202,14 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + return status; + } + +- } else if (logon_info) { ++ } else if (info3) { + /* pass the unmapped username here since map_username() + will be called again in make_server_info_info3() */ + + status = make_server_info_info3(mem_ctx, + ntuser, ntdomain, + &server_info, +- &logon_info->info3); ++ info3); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("make_server_info_info3 failed: %s!\n", + nt_errstr(status))); +@@ -299,7 +299,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + char *ntdomain, + char *username, + struct passwd *pw, +- struct PAC_LOGON_INFO *logon_info, ++ const struct netr_SamInfo3 *info3, + bool mapped_to_guest, bool username_was_mapped, + DATA_BLOB *session_key, + struct auth_session_info **session_info) +-- +1.9.3 + + +From 102335441aaa7967367abcc5690fe7229807546a Mon Sep 17 00:00:00 2001 +From: Jeremy Allison <jra@samba.org> +Date: Mon, 16 Jun 2014 23:11:58 -0700 +Subject: [PATCH 3/5] s3: auth: Add create_info3_from_pac_logon_info() to + create a new info3 and merge resource group SIDs into it. + +Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>. + +Signed-off-by: Jeremy Allison <jra@samba.org> +Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> +Reviewed-by: Simo Sorce <idra@samba.org> +--- + source3/auth/proto.h | 3 ++ + source3/auth/server_info.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 80 insertions(+) + +diff --git a/source3/auth/proto.h b/source3/auth/proto.h +index 75d1097..cc51698 100644 +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -281,6 +281,9 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in + struct netr_SamInfo3 *sam3); + NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, + struct netr_SamInfo6 *sam6); ++NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx, ++ const struct PAC_LOGON_INFO *logon_info, ++ struct netr_SamInfo3 **pp_info3); + NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, + struct samu *samu, + const char *login_server, +diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c +index 066b9a8..dc84794 100644 +--- a/source3/auth/server_info.c ++++ b/source3/auth/server_info.c +@@ -252,6 +252,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3, + return NT_STATUS_OK; + } + ++/* ++ * Merge resource SIDs, if any, into the passed in info3 structure. ++ */ ++ ++static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info, ++ struct netr_SamInfo3 *info3) ++{ ++ uint32_t i = 0; ++ ++ if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) { ++ return NT_STATUS_OK; ++ } ++ ++ /* ++ * If there are any resource groups (SID Compression) add ++ * them to the extra sids portion of the info3 in the PAC. ++ * ++ * This makes the info3 look like it would if we got the info ++ * from the DC rather than the PAC. ++ */ ++ ++ /* ++ * Construct a SID for each RID in the list and then append it ++ * to the info3. ++ */ ++ for (i = 0; i < logon_info->res_groups.count; i++) { ++ NTSTATUS status; ++ struct dom_sid new_sid; ++ uint32_t attributes = logon_info->res_groups.rids[i].attributes; ++ ++ sid_compose(&new_sid, ++ logon_info->res_group_dom_sid, ++ logon_info->res_groups.rids[i].rid); ++ ++ DEBUG(10, ("Adding SID %s to extra SIDS\n", ++ sid_string_dbg(&new_sid))); ++ ++ status = append_netr_SidAttr(info3, &info3->sids, ++ &info3->sidcount, ++ &new_sid, ++ attributes); ++ if (!NT_STATUS_IS_OK(status)) { ++ DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n", ++ sid_string_dbg(&new_sid), ++ nt_errstr(status))); ++ return status; ++ } ++ } ++ ++ return NT_STATUS_OK; ++} ++ ++/* ++ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO, ++ * then merge resource SIDs, if any, into it. If successful return ++ * the created info3 struct. ++ */ ++ ++NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx, ++ const struct PAC_LOGON_INFO *logon_info, ++ struct netr_SamInfo3 **pp_info3) ++{ ++ NTSTATUS status; ++ struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx, ++ &logon_info->info3); ++ if (info3 == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ status = merge_resource_sids(logon_info, info3); ++ if (!NT_STATUS_IS_OK(status)) { ++ TALLOC_FREE(info3); ++ return status; ++ } ++ *pp_info3 = info3; ++ return NT_STATUS_OK; ++} ++ + #define RET_NOMEM(ptr) do { \ + if (!ptr) { \ + TALLOC_FREE(info3); \ +-- +1.9.3 + + +From fda9cefd3d4a0808af67595631dd755d5b73aacf Mon Sep 17 00:00:00 2001 +From: Jeremy Allison <jra@samba.org> +Date: Mon, 16 Jun 2014 23:15:21 -0700 +Subject: [PATCH 4/5] s3: auth: Change auth3_generate_session_info_pac() to use + a copy of the info3 struct from the struct PAC_LOGON_INFO. + +Call create_info3_from_pac_logon_info() to add in any resource SIDs +from the struct PAC_LOGON_INFO to the info3. + +Signed-off-by: Jeremy Allison <jra@samba.org> +Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> +Reviewed-by: Simo Sorce <idra@samba.org> +--- + source3/auth/auth_generic.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c +index 2880bc9..f841f0c 100644 +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -44,6 +44,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + { + TALLOC_CTX *tmp_ctx; + struct PAC_LOGON_INFO *logon_info = NULL; ++ struct netr_SamInfo3 *info3_copy = NULL; + bool is_mapped; + bool is_guest; + char *ntuser; +@@ -101,7 +102,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + + /* save the PAC data if we have it */ + if (logon_info) { +- netsamlogon_cache_store(ntuser, &logon_info->info3); ++ status = create_info3_from_pac_logon_info(tmp_ctx, ++ logon_info, ++ &info3_copy); ++ if (!NT_STATUS_IS_OK(status)) { ++ goto done; ++ } ++ netsamlogon_cache_store(ntuser, info3_copy); + } + + /* setup the string used by %U */ +@@ -112,7 +119,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + + status = make_session_info_krb5(mem_ctx, + ntuser, ntdomain, username, pw, +- &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, ++ info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, + session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", +-- +1.9.3 + + +From 9ed711f88685fc2d4860c9d6b7fa651bd2a52558 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison <jra@samba.org> +Date: Mon, 16 Jun 2014 23:27:35 -0700 +Subject: [PATCH 5/5] s3: auth: Fix winbindd_pam_auth_pac_send() to create a + new info3 and merge in resource groups from a trusted PAC. + +Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>. + +Signed-off-by: Jeremy Allison <jra@samba.org> +Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> +Reviewed-by: Simo Sorce <idra@samba.org> + +Autobuild-User(master): Jeremy Allison <jra@samba.org> +Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104 +--- + source3/winbindd/winbindd_pam.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index c356686..0f1ca28 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -2421,6 +2421,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state, + struct winbindd_request *req = state->request; + DATA_BLOB pac_blob; + struct PAC_LOGON_INFO *logon_info = NULL; ++ struct netr_SamInfo3 *info3_copy = NULL; + NTSTATUS result; + + pac_blob = data_blob_const(req->extra_data.data, req->extra_len); +@@ -2434,7 +2435,13 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state, + + if (logon_info) { + /* Signature verification succeeded, trust the PAC */ +- netsamlogon_cache_store(NULL, &logon_info->info3); ++ result = create_info3_from_pac_logon_info(state->mem_ctx, ++ logon_info, ++ &info3_copy); ++ if (!NT_STATUS_IS_OK(result)) { ++ return result; ++ } ++ netsamlogon_cache_store(NULL, info3_copy); + + } else { + /* Try without signature verification */ +@@ -2446,9 +2453,22 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state, + nt_errstr(result))); + return result; + } ++ if (logon_info) { ++ /* ++ * Don't strictly need to copy here, ++ * but it makes it explicit we're ++ * returning a copy talloc'ed off ++ * the state->mem_ctx. ++ */ ++ info3_copy = copy_netr_SamInfo3(state->mem_ctx, ++ &logon_info->info3); ++ if (info3_copy == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ } + } + +- *info3 = &logon_info->info3; ++ *info3 = info3_copy; + + return NT_STATUS_OK; + } +-- +1.9.3 + |