sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code

auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth

Browse Source 
So far this is only on the AD DC

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This commit is contained in:
Andrew Bartlett 2017-03-06 12:11:18 +13:00
parent b6baf35ebd
commit a2f6327f9f
7 changed files with 31 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
auth/common_auth.h
View File

@ -39,6 +39,7 @@ enum auth_password_state {
#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */ #define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privilages, rather than a DB */ #define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privilages, rather than a DB */
#define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */ #define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */
#define AUTH_SESSION_INFO_NTLM 0x10 /* The returned token must have authenticated-with-NTLM flag set */
struct auth_usersupplied_info struct auth_usersupplied_info
{ {

1
auth/ntlmssp/gensec_ntlmssp_server.c
View File

@ -62,6 +62,7 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
} }
session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
session_info_flags |= AUTH_SESSION_INFO_NTLM;
if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) { if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) {
nt_status = gensec_security->auth_context->generate_session_info(gensec_security->auth_context, mem_ctx, nt_status = gensec_security->auth_context->generate_session_info(gensec_security->auth_context, mem_ctx,

3
source3/auth/auth_generic.c
View File

@ -403,7 +403,8 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
server_info, server_info,
user_info->client.account_name, user_info->client.account_name,
AUTH_SESSION_INFO_UNIX_TOKEN | AUTH_SESSION_INFO_UNIX_TOKEN |
AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_DEFAULT_GROUPS |
AUTH_SESSION_INFO_NTLM,
session_info); session_info);
TALLOC_FREE(server_info); TALLOC_FREE(server_info);
} }

1
source4/auth/pyauth.c
View File

@ -333,6 +333,7 @@ MODULE_INIT_FUNC(auth)
ADD_FLAG(AUTH_SESSION_INFO_DEFAULT_GROUPS); ADD_FLAG(AUTH_SESSION_INFO_DEFAULT_GROUPS);
ADD_FLAG(AUTH_SESSION_INFO_AUTHENTICATED); ADD_FLAG(AUTH_SESSION_INFO_AUTHENTICATED);
ADD_FLAG(AUTH_SESSION_INFO_SIMPLE_PRIVILEGES); ADD_FLAG(AUTH_SESSION_INFO_SIMPLE_PRIVILEGES);
ADD_FLAG(AUTH_SESSION_INFO_NTLM);
return m; return m;
} }

9
source4/auth/session.c
View File

@ -154,6 +154,15 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
num_sids++; num_sids++;
} }
if (session_info_flags & AUTH_SESSION_INFO_NTLM) {
sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 1);
NT_STATUS_HAVE_NO_MEMORY(sids);
if (!dom_sid_parse(SID_NT_NTLM_AUTHENTICATION, &sids[num_sids])) {
return NT_STATUS_INTERNAL_ERROR;
}
num_sids++;
}
if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX])) { if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX])) {

16
source4/dsdb/tests/python/token_group.py
View File

@ -24,7 +24,7 @@ from samba.dsdb import GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GRO
import samba.tests import samba.tests
from samba.tests import delete_force from samba.tests import delete_force
from samba.dcerpc import samr, security from samba.dcerpc import samr, security
from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, AUTH_SESSION_INFO_NTLM
parser = optparse.OptionParser("token_group.py [options] <host>") parser = optparse.OptionParser("token_group.py [options] <host>")
@ -71,6 +71,9 @@ class StaticTokenTest(samba.tests.TestCase):
session_info_flags = ( AUTH_SESSION_INFO_DEFAULT_GROUPS | session_info_flags = ( AUTH_SESSION_INFO_DEFAULT_GROUPS |
AUTH_SESSION_INFO_AUTHENTICATED | AUTH_SESSION_INFO_AUTHENTICATED |
AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
if creds.get_kerberos_state() == DONT_USE_KERBEROS:
session_info_flags |= AUTH_SESSION_INFO_NTLM
session = samba.auth.user_session(self.ldb, lp_ctx=lp, dn=self.user_sid_dn, session = samba.auth.user_session(self.ldb, lp_ctx=lp, dn=self.user_sid_dn,
session_info_flags=session_info_flags) session_info_flags=session_info_flags)
@ -118,6 +121,9 @@ class StaticTokenTest(samba.tests.TestCase):
self.fail(msg="calculated groups don't match against user DN tokenGroups") self.fail(msg="calculated groups don't match against user DN tokenGroups")
def test_pac_groups(self): def test_pac_groups(self):
if creds.get_kerberos_state() == DONT_USE_KERBEROS:
self.skipTest("Kerberos disabled, skipping PAC test")
settings = {} settings = {}
settings["lp_ctx"] = lp settings["lp_ctx"] = lp
settings["target_hostname"] = lp.get("netbios name") settings["target_hostname"] = lp.get("netbios name")
@ -276,6 +282,10 @@ class DynamicTokenTest(samba.tests.TestCase):
session_info_flags = ( AUTH_SESSION_INFO_DEFAULT_GROUPS | session_info_flags = ( AUTH_SESSION_INFO_DEFAULT_GROUPS |
AUTH_SESSION_INFO_AUTHENTICATED | AUTH_SESSION_INFO_AUTHENTICATED |
AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
if creds.get_kerberos_state() == DONT_USE_KERBEROS:
session_info_flags |= AUTH_SESSION_INFO_NTLM
session = samba.auth.user_session(self.ldb, lp_ctx=lp, dn=self.user_sid_dn, session = samba.auth.user_session(self.ldb, lp_ctx=lp, dn=self.user_sid_dn,
session_info_flags=session_info_flags) session_info_flags=session_info_flags)
@ -336,6 +346,10 @@ class DynamicTokenTest(samba.tests.TestCase):
sidset1 = set(dn_tokengroups) sidset1 = set(dn_tokengroups)
sidset2 = set(self.user_sids) sidset2 = set(self.user_sids)
# The SIDs on the DN do not include the NTLM authentication SID
sidset2.discard(samba.dcerpc.security.SID_NT_NTLM_AUTHENTICATION)
if len(sidset1.difference(sidset2)): if len(sidset1.difference(sidset2)):
print("token sids don't match") print("token sids don't match")
print("difference : %s" % sidset1.difference(sidset2)) print("difference : %s" % sidset1.difference(sidset2))

3
source4/selftest/tests.py
View File

@ -591,7 +591,8 @@ planoldpythontestsuite("ad_dc_ntvfs", "samba.tests.dcerpc.dnsserver", extra_args
planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.dnsserver", extra_args=['-U"$USERNAME%$PASSWORD"']) planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.dnsserver", extra_args=['-U"$USERNAME%$PASSWORD"'])
planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.raw_protocol", extra_args=['-U"$USERNAME%$PASSWORD"']) planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.raw_protocol", extra_args=['-U"$USERNAME%$PASSWORD"'])
plantestsuite_loadlist("samba4.ldap.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/ldap.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT']) plantestsuite_loadlist("samba4.ldap.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/ldap.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
plantestsuite_loadlist("samba4.tokengroups.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(samba4srcdir, "dsdb/tests/python/token_group.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT']) plantestsuite_loadlist("samba4.tokengroups.krb5.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(samba4srcdir, "dsdb/tests/python/token_group.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '-k', 'yes', '$LOADLIST', '$LISTOPT'])
plantestsuite_loadlist("samba4.tokengroups.ntlm.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(samba4srcdir, "dsdb/tests/python/token_group.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '-k', 'no', '$LOADLIST', '$LISTOPT'])
plantestsuite("samba4.sam.python(fl2008r2dc)", "fl2008r2dc", [python, os.path.join(samba4srcdir, "dsdb/tests/python/sam.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN']) plantestsuite("samba4.sam.python(fl2008r2dc)", "fl2008r2dc", [python, os.path.join(samba4srcdir, "dsdb/tests/python/sam.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])
plantestsuite("samba4.sam.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/sam.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN']) plantestsuite("samba4.sam.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/sam.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])
plantestsuite("samba4.user_account_control.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/user_account_control.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN']) plantestsuite("samba4.user_account_control.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/user_account_control.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])