mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth
So far this is only on the AD DC Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This commit is contained in:
parent
b6baf35ebd
commit
a2f6327f9f
@ -39,6 +39,7 @@ enum auth_password_state {
|
||||
#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
|
||||
#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privilages, rather than a DB */
|
||||
#define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */
|
||||
#define AUTH_SESSION_INFO_NTLM 0x10 /* The returned token must have authenticated-with-NTLM flag set */
|
||||
|
||||
struct auth_usersupplied_info
|
||||
{
|
||||
|
@ -62,6 +62,7 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
|
||||
}
|
||||
|
||||
session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
|
||||
session_info_flags |= AUTH_SESSION_INFO_NTLM;
|
||||
|
||||
if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) {
|
||||
nt_status = gensec_security->auth_context->generate_session_info(gensec_security->auth_context, mem_ctx,
|
||||
|
@ -403,7 +403,8 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
|
||||
server_info,
|
||||
user_info->client.account_name,
|
||||
AUTH_SESSION_INFO_UNIX_TOKEN |
|
||||
AUTH_SESSION_INFO_DEFAULT_GROUPS,
|
||||
AUTH_SESSION_INFO_DEFAULT_GROUPS |
|
||||
AUTH_SESSION_INFO_NTLM,
|
||||
session_info);
|
||||
TALLOC_FREE(server_info);
|
||||
}
|
||||
|
@ -333,6 +333,7 @@ MODULE_INIT_FUNC(auth)
|
||||
ADD_FLAG(AUTH_SESSION_INFO_DEFAULT_GROUPS);
|
||||
ADD_FLAG(AUTH_SESSION_INFO_AUTHENTICATED);
|
||||
ADD_FLAG(AUTH_SESSION_INFO_SIMPLE_PRIVILEGES);
|
||||
ADD_FLAG(AUTH_SESSION_INFO_NTLM);
|
||||
|
||||
return m;
|
||||
}
|
||||
|
@ -154,6 +154,15 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
|
||||
num_sids++;
|
||||
}
|
||||
|
||||
if (session_info_flags & AUTH_SESSION_INFO_NTLM) {
|
||||
sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 1);
|
||||
NT_STATUS_HAVE_NO_MEMORY(sids);
|
||||
|
||||
if (!dom_sid_parse(SID_NT_NTLM_AUTHENTICATION, &sids[num_sids])) {
|
||||
return NT_STATUS_INTERNAL_ERROR;
|
||||
}
|
||||
num_sids++;
|
||||
}
|
||||
|
||||
|
||||
if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX])) {
|
||||
|
@ -24,7 +24,7 @@ from samba.dsdb import GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GRO
|
||||
import samba.tests
|
||||
from samba.tests import delete_force
|
||||
from samba.dcerpc import samr, security
|
||||
from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
|
||||
from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, AUTH_SESSION_INFO_NTLM
|
||||
|
||||
|
||||
parser = optparse.OptionParser("token_group.py [options] <host>")
|
||||
@ -71,6 +71,9 @@ class StaticTokenTest(samba.tests.TestCase):
|
||||
session_info_flags = ( AUTH_SESSION_INFO_DEFAULT_GROUPS |
|
||||
AUTH_SESSION_INFO_AUTHENTICATED |
|
||||
AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
|
||||
if creds.get_kerberos_state() == DONT_USE_KERBEROS:
|
||||
session_info_flags |= AUTH_SESSION_INFO_NTLM
|
||||
|
||||
session = samba.auth.user_session(self.ldb, lp_ctx=lp, dn=self.user_sid_dn,
|
||||
session_info_flags=session_info_flags)
|
||||
|
||||
@ -118,6 +121,9 @@ class StaticTokenTest(samba.tests.TestCase):
|
||||
self.fail(msg="calculated groups don't match against user DN tokenGroups")
|
||||
|
||||
def test_pac_groups(self):
|
||||
if creds.get_kerberos_state() == DONT_USE_KERBEROS:
|
||||
self.skipTest("Kerberos disabled, skipping PAC test")
|
||||
|
||||
settings = {}
|
||||
settings["lp_ctx"] = lp
|
||||
settings["target_hostname"] = lp.get("netbios name")
|
||||
@ -276,6 +282,10 @@ class DynamicTokenTest(samba.tests.TestCase):
|
||||
session_info_flags = ( AUTH_SESSION_INFO_DEFAULT_GROUPS |
|
||||
AUTH_SESSION_INFO_AUTHENTICATED |
|
||||
AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
|
||||
|
||||
if creds.get_kerberos_state() == DONT_USE_KERBEROS:
|
||||
session_info_flags |= AUTH_SESSION_INFO_NTLM
|
||||
|
||||
session = samba.auth.user_session(self.ldb, lp_ctx=lp, dn=self.user_sid_dn,
|
||||
session_info_flags=session_info_flags)
|
||||
|
||||
@ -336,6 +346,10 @@ class DynamicTokenTest(samba.tests.TestCase):
|
||||
|
||||
sidset1 = set(dn_tokengroups)
|
||||
sidset2 = set(self.user_sids)
|
||||
|
||||
# The SIDs on the DN do not include the NTLM authentication SID
|
||||
sidset2.discard(samba.dcerpc.security.SID_NT_NTLM_AUTHENTICATION)
|
||||
|
||||
if len(sidset1.difference(sidset2)):
|
||||
print("token sids don't match")
|
||||
print("difference : %s" % sidset1.difference(sidset2))
|
||||
|
@ -591,7 +591,8 @@ planoldpythontestsuite("ad_dc_ntvfs", "samba.tests.dcerpc.dnsserver", extra_args
|
||||
planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.dnsserver", extra_args=['-U"$USERNAME%$PASSWORD"'])
|
||||
planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.raw_protocol", extra_args=['-U"$USERNAME%$PASSWORD"'])
|
||||
plantestsuite_loadlist("samba4.ldap.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/ldap.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
|
||||
plantestsuite_loadlist("samba4.tokengroups.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(samba4srcdir, "dsdb/tests/python/token_group.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
|
||||
plantestsuite_loadlist("samba4.tokengroups.krb5.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(samba4srcdir, "dsdb/tests/python/token_group.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '-k', 'yes', '$LOADLIST', '$LISTOPT'])
|
||||
plantestsuite_loadlist("samba4.tokengroups.ntlm.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(samba4srcdir, "dsdb/tests/python/token_group.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '-k', 'no', '$LOADLIST', '$LISTOPT'])
|
||||
plantestsuite("samba4.sam.python(fl2008r2dc)", "fl2008r2dc", [python, os.path.join(samba4srcdir, "dsdb/tests/python/sam.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])
|
||||
plantestsuite("samba4.sam.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/sam.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])
|
||||
plantestsuite("samba4.user_account_control.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/user_account_control.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])
|
||||
|
Loading…
Reference in New Issue
Block a user