Diffstat (limited to 'meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch')
-rw-r--r--meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch988
1 files changed, 988 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
new file mode 100644
index 000000000..a939e7066
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
@@ -0,0 +1,988 @@
1From cbef7b5e10f4477d9f2e648ac6c654eef1165b82 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3Date: Wed, 24 Sep 2014 22:16:20 +0200
4Subject: [PATCH 1/4] s3-net: add "net ads enctypes {list,set,delete}".
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Guenther
10
11Signed-off-by: Günther Deschner <gd@samba.org>
12Reviewed-by: Andreas Schneider <asn@samba.org>
13Reviewed-by: Stefan Metzmacher <metze@samba.org>
14---
15 source3/utils/net_ads.c | 308 ++++++++++++++++++++++++++++++++++++++++++++++++
16 1 file changed, 308 insertions(+)
17
18diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
19index 8b8e719..5f18bf4 100644
20--- a/source3/utils/net_ads.c
21+++ b/source3/utils/net_ads.c
22@@ -2860,6 +2860,306 @@ int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
23 return net_run_function(c, argc, argv, "net ads kerberos", func);
24 }
25
26+static int net_ads_enctype_lookup_account(struct net_context *c,
27+ ADS_STRUCT *ads,
28+ const char *account,
29+ LDAPMessage **res,
30+ const char **enctype_str)
31+{
32+ const char *filter;
33+ const char *attrs[] = {
34+ "msDS-SupportedEncryptionTypes",
35+ NULL
36+ };
37+ int count;
38+ int ret = -1;
39+ ADS_STATUS status;
40+
41+ filter = talloc_asprintf(c, "(&(objectclass=user)(sAMAccountName=%s))",
42+ account);
43+ if (filter == NULL) {
44+ goto done;
45+ }
46+
47+ status = ads_search(ads, res, filter, attrs);
48+ if (!ADS_ERR_OK(status)) {
49+ d_printf(_("no account found with filter: %s\n"), filter);
50+ goto done;
51+ }
52+
53+ count = ads_count_replies(ads, *res);
54+ switch (count) {
55+ case 1:
56+ break;
57+ case 0:
58+ d_printf(_("no account found with filter: %s\n"), filter);
59+ goto done;
60+ default:
61+ d_printf(_("multiple accounts found with filter: %s\n"), filter);
62+ goto done;
63+ }
64+
65+ if (enctype_str) {
66+ *enctype_str = ads_pull_string(ads, c, *res,
67+ "msDS-SupportedEncryptionTypes");
68+ if (*enctype_str == NULL) {
69+ d_printf(_("no msDS-SupportedEncryptionTypes attribute found\n"));
70+ goto done;
71+ }
72+ }
73+
74+ ret = 0;
75+ done:
76+ return ret;
77+}
78+
79+static void net_ads_enctype_dump_enctypes(const char *username,
80+ const char *enctype_str)
81+{
82+ int enctypes;
83+
84+ d_printf(_("'%s' uses \"msDS-SupportedEncryptionTypes\":\n"), username);
85+
86+ enctypes = atoi(enctype_str);
87+
88+ printf("[%s] 0x%08x DES-CBC-CRC\n",
89+ enctypes & ENC_CRC32 ? "X" : " ",
90+ ENC_CRC32);
91+ printf("[%s] 0x%08x DES-CBC-MD5\n",
92+ enctypes & ENC_RSA_MD5 ? "X" : " ",
93+ ENC_RSA_MD5);
94+ printf("[%s] 0x%08x RC4-HMAC\n",
95+ enctypes & ENC_RC4_HMAC_MD5 ? "X" : " ",
96+ ENC_RC4_HMAC_MD5);
97+ printf("[%s] 0x%08x AES128-CTS-HMAC-SHA1-96\n",
98+ enctypes & ENC_HMAC_SHA1_96_AES128 ? "X" : " ",
99+ ENC_HMAC_SHA1_96_AES128);
100+ printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96\n",
101+ enctypes & ENC_HMAC_SHA1_96_AES256 ? "X" : " ",
102+ ENC_HMAC_SHA1_96_AES256);
103+}
104+
105+static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
106+{
107+ int ret = -1;
108+ ADS_STATUS status;
109+ ADS_STRUCT *ads = NULL;
110+ LDAPMessage *res = NULL;
111+ const char *str = NULL;
112+
113+ if (c->display_usage || (argc < 1)) {
114+ d_printf( "%s\n"
115+ "net ads enctypes list\n"
116+ " %s\n",
117+ _("Usage:"),
118+ _("List supported enctypes"));
119+ return 0;
120+ }
121+
122+ status = ads_startup(c, false, &ads);
123+ if (!ADS_ERR_OK(status)) {
124+ printf("startup failed\n");
125+ return ret;
126+ }
127+
128+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
129+ if (ret) {
130+ goto done;
131+ }
132+
133+ net_ads_enctype_dump_enctypes(argv[0], str);
134+
135+ ret = 0;
136+ done:
137+ ads_msgfree(ads, res);
138+ ads_destroy(&ads);
139+
140+ return ret;
141+}
142+
143+static int net_ads_enctypes_set(struct net_context *c, int argc, const char **argv)
144+{
145+ int ret = -1;
146+ ADS_STATUS status;
147+ ADS_STRUCT *ads;
148+ LDAPMessage *res = NULL;
149+ const char *etype_list_str;
150+ const char *dn;
151+ ADS_MODLIST mods;
152+ uint32_t etype_list;
153+ const char *str;
154+
155+ if (c->display_usage || argc < 1) {
156+ d_printf( "%s\n"
157+ "net ads enctypes set <sAMAccountName> [enctypes]\n"
158+ " %s\n",
159+ _("Usage:"),
160+ _("Set supported enctypes"));
161+ return 0;
162+ }
163+
164+ status = ads_startup(c, false, &ads);
165+ if (!ADS_ERR_OK(status)) {
166+ printf("startup failed\n");
167+ return ret;
168+ }
169+
170+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
171+ if (ret) {
172+ goto done;
173+ }
174+
175+ dn = ads_get_dn(ads, c, res);
176+ if (dn == NULL) {
177+ goto done;
178+ }
179+
180+ etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
181+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
182+ etype_list |= ENC_HMAC_SHA1_96_AES128;
183+#endif
184+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
185+ etype_list |= ENC_HMAC_SHA1_96_AES256;
186+#endif
187+
188+ if (argv[1] != NULL) {
189+ sscanf(argv[1], "%i", &etype_list);
190+ }
191+
192+ etype_list_str = talloc_asprintf(c, "%d", etype_list);
193+ if (!etype_list_str) {
194+ goto done;
195+ }
196+
197+ mods = ads_init_mods(c);
198+ if (!mods) {
199+ goto done;
200+ }
201+
202+ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes",
203+ etype_list_str);
204+ if (!ADS_ERR_OK(status)) {
205+ goto done;
206+ }
207+
208+ status = ads_gen_mod(ads, dn, mods);
209+ if (!ADS_ERR_OK(status)) {
210+ d_printf(_("failed to add msDS-SupportedEncryptionTypes: %s\n"),
211+ ads_errstr(status));
212+ goto done;
213+ }
214+
215+ ads_msgfree(ads, res);
216+
217+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
218+ if (ret) {
219+ goto done;
220+ }
221+
222+ net_ads_enctype_dump_enctypes(argv[0], str);
223+
224+ ret = 0;
225+ done:
226+ ads_msgfree(ads, res);
227+ ads_destroy(&ads);
228+
229+ return ret;
230+}
231+
232+static int net_ads_enctypes_delete(struct net_context *c, int argc, const char **argv)
233+{
234+ int ret = -1;
235+ ADS_STATUS status;
236+ ADS_STRUCT *ads;
237+ LDAPMessage *res = NULL;
238+ const char *dn;
239+ ADS_MODLIST mods;
240+
241+ if (c->display_usage || argc < 1) {
242+ d_printf( "%s\n"
243+ "net ads enctypes delete <sAMAccountName>\n"
244+ " %s\n",
245+ _("Usage:"),
246+ _("Delete supported enctypes"));
247+ return 0;
248+ }
249+
250+ status = ads_startup(c, false, &ads);
251+ if (!ADS_ERR_OK(status)) {
252+ printf("startup failed\n");
253+ return ret;
254+ }
255+
256+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
257+ if (ret) {
258+ goto done;
259+ }
260+
261+ dn = ads_get_dn(ads, c, res);
262+ if (dn == NULL) {
263+ goto done;
264+ }
265+
266+ mods = ads_init_mods(c);
267+ if (!mods) {
268+ goto done;
269+ }
270+
271+ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes", NULL);
272+ if (!ADS_ERR_OK(status)) {
273+ goto done;
274+ }
275+
276+ status = ads_gen_mod(ads, dn, mods);
277+ if (!ADS_ERR_OK(status)) {
278+ d_printf(_("failed to remove msDS-SupportedEncryptionTypes: %s\n"),
279+ ads_errstr(status));
280+ goto done;
281+ }
282+
283+ ret = 0;
284+
285+ done:
286+ ads_msgfree(ads, res);
287+ ads_destroy(&ads);
288+ return ret;
289+}
290+
291+static int net_ads_enctypes(struct net_context *c, int argc, const char **argv)
292+{
293+ struct functable func[] = {
294+ {
295+ "list",
296+ net_ads_enctypes_list,
297+ NET_TRANSPORT_ADS,
298+ N_("List the supported encryption types"),
299+ N_("net ads enctypes list\n"
300+ " List the supported encryption types")
301+ },
302+ {
303+ "set",
304+ net_ads_enctypes_set,
305+ NET_TRANSPORT_ADS,
306+ N_("Set the supported encryption types"),
307+ N_("net ads enctypes set\n"
308+ " Set the supported encryption types")
309+ },
310+ {
311+ "delete",
312+ net_ads_enctypes_delete,
313+ NET_TRANSPORT_ADS,
314+ N_("Delete the supported encryption types"),
315+ N_("net ads enctypes delete\n"
316+ " Delete the supported encryption types")
317+ },
318+
319+ {NULL, NULL, 0, NULL, NULL}
320+ };
321+
322+ return net_run_function(c, argc, argv, "net ads enctypes", func);
323+}
324+
325+
326 int net_ads(struct net_context *c, int argc, const char **argv)
327 {
328 struct functable func[] = {
329@@ -3015,6 +3315,14 @@ int net_ads(struct net_context *c, int argc, const char **argv)
330 N_("net ads kerberos\n"
331 " Manage kerberos keytab")
332 },
333+ {
334+ "enctypes",
335+ net_ads_enctypes,
336+ NET_TRANSPORT_ADS,
337+ N_("List/modify supported encryption types"),
338+ N_("net ads enctypes\n"
339+ " List/modify enctypes")
340+ },
341 {NULL, NULL, 0, NULL, NULL}
342 };
343
344--
3451.9.3
346
347
348From a19f1e51bd7d48b238ad22ec9e27af53dfa5bf44 Mon Sep 17 00:00:00 2001
349From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
350Date: Wed, 24 Sep 2014 23:36:19 +0200
351Subject: [PATCH 2/4] s3-net: add manpage documentation for "net ads enctypes".
352MIME-Version: 1.0
353Content-Type: text/plain; charset=UTF-8
354Content-Transfer-Encoding: 8bit
355
356Guenther
357
358Signed-off-by: Günther Deschner <gd@samba.org>
359Reviewed-by: Andreas Schneider <asn@samba.org>
360Reviewed-by: Stefan Metzmacher <metze@samba.org>
361---
362 docs-xml/manpages/net.8.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++
363 1 file changed, 53 insertions(+)
364
365diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
366index f39b420..9e982e3 100644
367--- a/docs-xml/manpages/net.8.xml
368+++ b/docs-xml/manpages/net.8.xml
369@@ -1339,6 +1339,59 @@ to show in the result.
370 </refsect2>
371
372 <refsect2>
373+ <title>ADS ENCTYPES</title>
374+
375+<para>
376+ List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD.
377+</para>
378+
379+<para>
380+ This attribute allows to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values:
381+</para>
382+
383+<para>0x00000001 DES-CBC-CRC</para>
384+<para>0x00000002 DES-CBC-MD5</para>
385+<para>0x00000004 RC4-HMAC</para>
386+<para>0x00000008 AES128-CTS-HMAC-SHA1-96</para>
387+<para>0x00000010 AES256-CTS-HMAC-SHA1-96</para>
388+
389+</refsect2>
390+
391+<refsect2>
392+ <title>ADS ENCTYPES LIST <replaceable>&lt;ACCOUNTNAME&gt;</replaceable></title>
393+
394+<para>
395+ List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account.
396+</para>
397+
398+<para>Example: <userinput>net ads enctypes list Computername</userinput></para>
399+
400+</refsect2>
401+
402+<refsect2>
403+ <title>ADS ENCTYPES SET <replaceable>&lt;ACCOUNTNAME&gt;</replaceable> <replaceable>[enctypes]</replaceable></title>
404+
405+<para>
406+ Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is ommitted, the value is set to 31 which enables all the currently supported encryption types.
407+</para>
408+
409+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
410+
411+</refsect2>
412+
413+<refsect2>
414+ <title>ADS ENCTYPES DELETE <replaceable>&lt;ACCOUNTNAME&gt;</replaceable></title>
415+
416+<para>
417+ Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME.
418+</para>
419+
420+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
421+
422+</refsect2>
423+
424+
425+<refsect2>
426 <title>SAM CREATEBUILTINGROUP &lt;NAME&gt;</title>
427
428 <para>
429--
4301.9.3
431
432
433From 0f42d123afde57ee74d89bdc742185cef718cf0f Mon Sep 17 00:00:00 2001
434From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
435Date: Fri, 23 Nov 2012 12:34:27 +0100
436Subject: [PATCH 3/4] s3-libnet: set list of allowed krb5 encryption types in
437 AD >= 2008.
438MIME-Version: 1.0
439Content-Type: text/plain; charset=UTF-8
440Content-Transfer-Encoding: 8bit
441
442Guenther
443
444Signed-off-by: Günther Deschner <gd@samba.org>
445Reviewed-by: Andreas Schneider <asn@samba.org>
446Reviewed-by: Stefan Metzmacher <metze@samba.org>
447---
448 source3/libnet/libnet_join.c | 65 ++++++++++++++++++++++++++++++++++++++++++++
449 1 file changed, 65 insertions(+)
450
451diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
452index 381a59c..e70e11a 100644
453--- a/source3/libnet/libnet_join.c
454+++ b/source3/libnet/libnet_join.c
455@@ -605,6 +605,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
456 /****************************************************************
457 ****************************************************************/
458
459+static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
460+ struct libnet_JoinCtx *r)
461+{
462+ ADS_STATUS status;
463+ ADS_MODLIST mods;
464+ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
465+ const char *etype_list_str;
466+
467+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
468+ etype_list |= ENC_HMAC_SHA1_96_AES128;
469+#endif
470+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
471+ etype_list |= ENC_HMAC_SHA1_96_AES256;
472+#endif
473+
474+ etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
475+ if (!etype_list_str) {
476+ return ADS_ERROR(LDAP_NO_MEMORY);
477+ }
478+
479+ /* Find our DN */
480+
481+ status = libnet_join_find_machine_acct(mem_ctx, r);
482+ if (!ADS_ERR_OK(status)) {
483+ return status;
484+ }
485+
486+ /* now do the mods */
487+
488+ mods = ads_init_mods(mem_ctx);
489+ if (!mods) {
490+ return ADS_ERROR(LDAP_NO_MEMORY);
491+ }
492+
493+ status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
494+ etype_list_str);
495+ if (!ADS_ERR_OK(status)) {
496+ return status;
497+ }
498+
499+ return ads_gen_mod(r->in.ads, r->out.dn, mods);
500+}
501+
502+/****************************************************************
503+****************************************************************/
504+
505 static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
506 struct libnet_JoinCtx *r)
507 {
508@@ -679,6 +725,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
509 struct libnet_JoinCtx *r)
510 {
511 ADS_STATUS status;
512+ uint32_t func_level = 0;
513
514 if (!r->in.ads) {
515 status = libnet_join_connect_ads(mem_ctx, r);
516@@ -713,6 +760,24 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
517 return status;
518 }
519
520+ status = ads_domain_func_level(r->in.ads, &func_level);
521+ if (!ADS_ERR_OK(status)) {
522+ libnet_join_set_error_string(mem_ctx, r,
523+ "failed to query domain controller functional level: %s",
524+ ads_errstr(status));
525+ return status;
526+ }
527+
528+ if (func_level >= DS_DOMAIN_FUNCTION_2008) {
529+ status = libnet_join_set_etypes(mem_ctx, r);
530+ if (!ADS_ERR_OK(status)) {
531+ libnet_join_set_error_string(mem_ctx, r,
532+ "failed to set machine kerberos encryption types: %s",
533+ ads_errstr(status));
534+ return status;
535+ }
536+ }
537+
538 if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
539 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
540 }
541--
5421.9.3
543
544
545From adb206481ac56c8f438e70f7b9e986aeba9586b1 Mon Sep 17 00:00:00 2001
546From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
547Date: Fri, 26 Sep 2014 21:06:38 +0200
548Subject: [PATCH 4/4] s4-auth/kerberos: fix salting principal, make sure
549 hostname is lowercase.
550MIME-Version: 1.0
551Content-Type: text/plain; charset=UTF-8
552Content-Transfer-Encoding: 8bit
553
554Found at MS interop event while working on AES kerberos key support.
555
556Guenther
557
558Signed-off-by: Günther Deschner <gd@samba.org>
559Reviewed-by: Andrew Bartlett <abartlet@samba.org>
560---
561 source4/auth/kerberos/srv_keytab.c | 2 +-
562 1 file changed, 1 insertion(+), 1 deletion(-)
563
564diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c
565index d81e27d..3baba14 100644
566--- a/source4/auth/kerberos/srv_keytab.c
567+++ b/source4/auth/kerberos/srv_keytab.c
568@@ -143,7 +143,7 @@ static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx,
569 return ENOMEM;
570 }
571
572- machine_username = talloc_strdup(tmp_ctx, samAccountName);
573+ machine_username = strlower_talloc(tmp_ctx, samAccountName);
574 if (!machine_username) {
575 *error_string = "Cannot duplicate samAccountName";
576 talloc_free(tmp_ctx);
577--
5781.9.3
579
580From d423e8b759af2e0a7cdce39d3f7a6c8d9c1764b4 Mon Sep 17 00:00:00 2001
581From: Jeremy Allison <jra@samba.org>
582Date: Mon, 16 Jun 2014 22:49:29 -0700
583Subject: [PATCH 1/5] s3: auth: Add some const to the struct netr_SamInfo3 *
584 arguments of copy_netr_SamInfo3() and make_server_info_info3()
585
586Both functions only read from the struct netr_SamInfo3 * argument.
587
588Signed-off-by: Jeremy Allison <jra@samba.org>
589Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
590Reviewed-by: Simo Sorce <idra@samba.org>
591
592Conflicts:
593 source3/auth/proto.h
594 source3/auth/server_info.c
595---
596 source3/auth/auth_util.c | 2 +-
597 source3/auth/proto.h | 4 ++--
598 source3/auth/server_info.c | 2 +-
599 3 files changed, 4 insertions(+), 4 deletions(-)
600
601diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
602index ceaa706..afa78ec 100644
603--- a/source3/auth/auth_util.c
604+++ b/source3/auth/auth_util.c
605@@ -1369,7 +1369,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
606 const char *sent_nt_username,
607 const char *domain,
608 struct auth_serversupplied_info **server_info,
609- struct netr_SamInfo3 *info3)
610+ const struct netr_SamInfo3 *info3)
611 {
612 static const char zeros[16] = {0, };
613
614diff --git a/source3/auth/proto.h b/source3/auth/proto.h
615index 76661fc..6ec206e 100644
616--- a/source3/auth/proto.h
617+++ b/source3/auth/proto.h
618@@ -232,7 +232,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
619 const char *sent_nt_username,
620 const char *domain,
621 struct auth_serversupplied_info **server_info,
622- struct netr_SamInfo3 *info3);
623+ const struct netr_SamInfo3 *info3);
624 struct wbcAuthUserInfo;
625 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
626 const char *sent_nt_username,
627@@ -287,7 +287,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
628 const struct passwd *pwd,
629 struct netr_SamInfo3 **pinfo3);
630 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
631- struct netr_SamInfo3 *orig);
632+ const struct netr_SamInfo3 *orig);
633 struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
634 const struct wbcAuthUserInfo *info);
635
636diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
637index d2b7d6e..066b9a8 100644
638--- a/source3/auth/server_info.c
639+++ b/source3/auth/server_info.c
640@@ -445,7 +445,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
641 } } while(0)
642
643 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
644- struct netr_SamInfo3 *orig)
645+ const struct netr_SamInfo3 *orig)
646 {
647 struct netr_SamInfo3 *info3;
648 unsigned int i;
649--
6501.9.3
651
652
653From cab0cda9df0bb0eda2d7957c0bb8dbcb51ba7ef7 Mon Sep 17 00:00:00 2001
654From: Jeremy Allison <jra@samba.org>
655Date: Mon, 16 Jun 2014 22:54:45 -0700
656Subject: [PATCH 2/5] s3: auth: Change make_server_info_info3() to take a const
657 struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
658
659make_server_info_info3() only reads from the info3 pointer.
660
661Signed-off-by: Jeremy Allison <jra@samba.org>
662Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
663Reviewed-by: Simo Sorce <idra@samba.org>
664---
665 source3/auth/auth_generic.c | 2 +-
666 source3/auth/proto.h | 2 +-
667 source3/auth/user_krb5.c | 8 ++++----
668 3 files changed, 6 insertions(+), 6 deletions(-)
669
670diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
671index a2ba4e3..2880bc9 100644
672--- a/source3/auth/auth_generic.c
673+++ b/source3/auth/auth_generic.c
674@@ -112,7 +112,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
675
676 status = make_session_info_krb5(mem_ctx,
677 ntuser, ntdomain, username, pw,
678- logon_info, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
679+ &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
680 session_info);
681 if (!NT_STATUS_IS_OK(status)) {
682 DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
683diff --git a/source3/auth/proto.h b/source3/auth/proto.h
684index 6ec206e..75d1097 100644
685--- a/source3/auth/proto.h
686+++ b/source3/auth/proto.h
687@@ -357,7 +357,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
688 char *ntdomain,
689 char *username,
690 struct passwd *pw,
691- struct PAC_LOGON_INFO *logon_info,
692+ const struct netr_SamInfo3 *info3,
693 bool mapped_to_guest, bool username_was_mapped,
694 DATA_BLOB *session_key,
695 struct auth_session_info **session_info);
696diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
697index 974a8aa..0a538b4 100644
698--- a/source3/auth/user_krb5.c
699+++ b/source3/auth/user_krb5.c
700@@ -186,7 +186,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
701 char *ntdomain,
702 char *username,
703 struct passwd *pw,
704- struct PAC_LOGON_INFO *logon_info,
705+ const struct netr_SamInfo3 *info3,
706 bool mapped_to_guest, bool username_was_mapped,
707 DATA_BLOB *session_key,
708 struct auth_session_info **session_info)
709@@ -202,14 +202,14 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
710 return status;
711 }
712
713- } else if (logon_info) {
714+ } else if (info3) {
715 /* pass the unmapped username here since map_username()
716 will be called again in make_server_info_info3() */
717
718 status = make_server_info_info3(mem_ctx,
719 ntuser, ntdomain,
720 &server_info,
721- &logon_info->info3);
722+ info3);
723 if (!NT_STATUS_IS_OK(status)) {
724 DEBUG(1, ("make_server_info_info3 failed: %s!\n",
725 nt_errstr(status)));
726@@ -299,7 +299,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
727 char *ntdomain,
728 char *username,
729 struct passwd *pw,
730- struct PAC_LOGON_INFO *logon_info,
731+ const struct netr_SamInfo3 *info3,
732 bool mapped_to_guest, bool username_was_mapped,
733 DATA_BLOB *session_key,
734 struct auth_session_info **session_info)
735--
7361.9.3
737
738
739From 102335441aaa7967367abcc5690fe7229807546a Mon Sep 17 00:00:00 2001
740From: Jeremy Allison <jra@samba.org>
741Date: Mon, 16 Jun 2014 23:11:58 -0700
742Subject: [PATCH 3/5] s3: auth: Add create_info3_from_pac_logon_info() to
743 create a new info3 and merge resource group SIDs into it.
744
745Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.
746
747Signed-off-by: Jeremy Allison <jra@samba.org>
748Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
749Reviewed-by: Simo Sorce <idra@samba.org>
750---
751 source3/auth/proto.h | 3 ++
752 source3/auth/server_info.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++
753 2 files changed, 80 insertions(+)
754
755diff --git a/source3/auth/proto.h b/source3/auth/proto.h
756index 75d1097..cc51698 100644
757--- a/source3/auth/proto.h
758+++ b/source3/auth/proto.h
759@@ -281,6 +281,9 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
760 struct netr_SamInfo3 *sam3);
761 NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
762 struct netr_SamInfo6 *sam6);
763+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
764+ const struct PAC_LOGON_INFO *logon_info,
765+ struct netr_SamInfo3 **pp_info3);
766 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
767 struct samu *samu,
768 const char *login_server,
769diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
770index 066b9a8..dc84794 100644
771--- a/source3/auth/server_info.c
772+++ b/source3/auth/server_info.c
773@@ -252,6 +252,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
774 return NT_STATUS_OK;
775 }
776
777+/*
778+ * Merge resource SIDs, if any, into the passed in info3 structure.
779+ */
780+
781+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
782+ struct netr_SamInfo3 *info3)
783+{
784+ uint32_t i = 0;
785+
786+ if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
787+ return NT_STATUS_OK;
788+ }
789+
790+ /*
791+ * If there are any resource groups (SID Compression) add
792+ * them to the extra sids portion of the info3 in the PAC.
793+ *
794+ * This makes the info3 look like it would if we got the info
795+ * from the DC rather than the PAC.
796+ */
797+
798+ /*
799+ * Construct a SID for each RID in the list and then append it
800+ * to the info3.
801+ */
802+ for (i = 0; i < logon_info->res_groups.count; i++) {
803+ NTSTATUS status;
804+ struct dom_sid new_sid;
805+ uint32_t attributes = logon_info->res_groups.rids[i].attributes;
806+
807+ sid_compose(&new_sid,
808+ logon_info->res_group_dom_sid,
809+ logon_info->res_groups.rids[i].rid);
810+
811+ DEBUG(10, ("Adding SID %s to extra SIDS\n",
812+ sid_string_dbg(&new_sid)));
813+
814+ status = append_netr_SidAttr(info3, &info3->sids,
815+ &info3->sidcount,
816+ &new_sid,
817+ attributes);
818+ if (!NT_STATUS_IS_OK(status)) {
819+ DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
820+ sid_string_dbg(&new_sid),
821+ nt_errstr(status)));
822+ return status;
823+ }
824+ }
825+
826+ return NT_STATUS_OK;
827+}
828+
829+/*
830+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
831+ * then merge resource SIDs, if any, into it. If successful return
832+ * the created info3 struct.
833+ */
834+
835+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
836+ const struct PAC_LOGON_INFO *logon_info,
837+ struct netr_SamInfo3 **pp_info3)
838+{
839+ NTSTATUS status;
840+ struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
841+ &logon_info->info3);
842+ if (info3 == NULL) {
843+ return NT_STATUS_NO_MEMORY;
844+ }
845+ status = merge_resource_sids(logon_info, info3);
846+ if (!NT_STATUS_IS_OK(status)) {
847+ TALLOC_FREE(info3);
848+ return status;
849+ }
850+ *pp_info3 = info3;
851+ return NT_STATUS_OK;
852+}
853+
854 #define RET_NOMEM(ptr) do { \
855 if (!ptr) { \
856 TALLOC_FREE(info3); \
857--
8581.9.3
859
860
861From fda9cefd3d4a0808af67595631dd755d5b73aacf Mon Sep 17 00:00:00 2001
862From: Jeremy Allison <jra@samba.org>
863Date: Mon, 16 Jun 2014 23:15:21 -0700
864Subject: [PATCH 4/5] s3: auth: Change auth3_generate_session_info_pac() to use
865 a copy of the info3 struct from the struct PAC_LOGON_INFO.
866
867Call create_info3_from_pac_logon_info() to add in any resource SIDs
868from the struct PAC_LOGON_INFO to the info3.
869
870Signed-off-by: Jeremy Allison <jra@samba.org>
871Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
872Reviewed-by: Simo Sorce <idra@samba.org>
873---
874 source3/auth/auth_generic.c | 11 +++++++++--
875 1 file changed, 9 insertions(+), 2 deletions(-)
876
877diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
878index 2880bc9..f841f0c 100644
879--- a/source3/auth/auth_generic.c
880+++ b/source3/auth/auth_generic.c
881@@ -44,6 +44,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
882 {
883 TALLOC_CTX *tmp_ctx;
884 struct PAC_LOGON_INFO *logon_info = NULL;
885+ struct netr_SamInfo3 *info3_copy = NULL;
886 bool is_mapped;
887 bool is_guest;
888 char *ntuser;
889@@ -101,7 +102,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
890
891 /* save the PAC data if we have it */
892 if (logon_info) {
893- netsamlogon_cache_store(ntuser, &logon_info->info3);
894+ status = create_info3_from_pac_logon_info(tmp_ctx,
895+ logon_info,
896+ &info3_copy);
897+ if (!NT_STATUS_IS_OK(status)) {
898+ goto done;
899+ }
900+ netsamlogon_cache_store(ntuser, info3_copy);
901 }
902
903 /* setup the string used by %U */
904@@ -112,7 +119,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
905
906 status = make_session_info_krb5(mem_ctx,
907 ntuser, ntdomain, username, pw,
908- &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
909+ info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
910 session_info);
911 if (!NT_STATUS_IS_OK(status)) {
912 DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
913--
9141.9.3
915
916
917From 9ed711f88685fc2d4860c9d6b7fa651bd2a52558 Mon Sep 17 00:00:00 2001
918From: Jeremy Allison <jra@samba.org>
919Date: Mon, 16 Jun 2014 23:27:35 -0700
920Subject: [PATCH 5/5] s3: auth: Fix winbindd_pam_auth_pac_send() to create a
921 new info3 and merge in resource groups from a trusted PAC.
922
923Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>.
924
925Signed-off-by: Jeremy Allison <jra@samba.org>
926Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
927Reviewed-by: Simo Sorce <idra@samba.org>
928
929Autobuild-User(master): Jeremy Allison <jra@samba.org>
930Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104
931---
932 source3/winbindd/winbindd_pam.c | 24 ++++++++++++++++++++++--
933 1 file changed, 22 insertions(+), 2 deletions(-)
934
935diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
936index c356686..0f1ca28 100644
937--- a/source3/winbindd/winbindd_pam.c
938+++ b/source3/winbindd/winbindd_pam.c
939@@ -2421,6 +2421,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
940 struct winbindd_request *req = state->request;
941 DATA_BLOB pac_blob;
942 struct PAC_LOGON_INFO *logon_info = NULL;
943+ struct netr_SamInfo3 *info3_copy = NULL;
944 NTSTATUS result;
945
946 pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
947@@ -2434,7 +2435,13 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
948
949 if (logon_info) {
950 /* Signature verification succeeded, trust the PAC */
951- netsamlogon_cache_store(NULL, &logon_info->info3);
952+ result = create_info3_from_pac_logon_info(state->mem_ctx,
953+ logon_info,
954+ &info3_copy);
955+ if (!NT_STATUS_IS_OK(result)) {
956+ return result;
957+ }
958+ netsamlogon_cache_store(NULL, info3_copy);
959
960 } else {
961 /* Try without signature verification */
962@@ -2446,9 +2453,22 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
963 nt_errstr(result)));
964 return result;
965 }
966+ if (logon_info) {
967+ /*
968+ * Don't strictly need to copy here,
969+ * but it makes it explicit we're
970+ * returning a copy talloc'ed off
971+ * the state->mem_ctx.
972+ */
973+ info3_copy = copy_netr_SamInfo3(state->mem_ctx,
974+ &logon_info->info3);
975+ if (info3_copy == NULL) {
976+ return NT_STATUS_NO_MEMORY;
977+ }
978+ }
979 }
980
981- *info3 = &logon_info->info3;
982+ *info3 = info3_copy;
983
984 return NT_STATUS_OK;
985 }
986--
9871.9.3
988
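Review bot: In the embedded patch 1/4, `net_ads_enctypes_set` takes the operator-supplied bitmask with `sscanf(argv[1], "%i", &etype_list);` and never checks the result, so an unparseable argument (a typo, an empty string) is silently ignored and the account is written with the permissive default that includes the DES and RC4 types; `%i` also expects an `int *` while `etype_list` is `uint32_t`, and the same `uint32_t` is then formatted with `"%d"` by `talloc_asprintf` both there and in `libnet_join_set_etypes` in patch 3/4 (`"%u"` is the matching specifier). Parsing with `strtoul(..., 0)` keeps the hex/octal input `%i` allowed, lets the command reject bad input before touching the directory, and could later be extended to reject unknown bits. Separately, the manpage hunk in patch 2/4 repeats the SET example under the DELETE section, where it should read `net ads enctypes delete Computername`. The rewrite below replaces only the `argv[1]` parsing; the rest of `net_ads_enctypes_set` is unchanged.
```c
	if (argv[1] != NULL) {
		char *end = NULL;
		unsigned long v;

		errno = 0;
		v = strtoul(argv[1], &end, 0);
		if (end == argv[1] || *end != '\0' || errno == ERANGE ||
		    v > UINT32_MAX) {
			d_printf(_("invalid enctypes value: %s\n"), argv[1]);
			goto done;
		}
		etype_list = (uint32_t)v;
	}

	etype_list_str = talloc_asprintf(c, "%u", etype_list);
	/* … unchanged: mods setup, ads_gen_mod, re-read and dump … */
```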