1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

571 Commits

Author SHA1 Message Date
Joe Guo
211c9a5f85 PEP8: fix E302: expected 2 blank lines, found 1
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-08-24 07:49:29 +02:00
Joe Guo
5d532543ab PEP8: fix E128: continuation line under-indented for visual indent
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-08-24 07:49:27 +02:00
Joe Guo
bbb9f57603 PEP8: fix E127: continuation line over-indented for visual indent
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-08-24 07:49:26 +02:00
Gary Lockyer
79f494e51e json: Modify API to use return codes
Modify the auditing JSON API to return a response code, as the consensus
was that the existing error handling was aesthetically displeasing.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-07-25 06:29:50 +02:00
Andrew Bartlett
5bb60e2dd7 build: Move --without-json-audit and json lib detection to lib/audit_logging
This is the common location of the audit logging code now

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-06-25 23:01:20 +02:00
Andrew Bartlett
1bb2a1c6b3 auth: For NTLM and KDC authentication, log the authentication duration
This is not a general purpose profiling solution, but these JSON logs are already being
generated and stored, so this is worth adding.

Some administrators are very keen to know how long authentication
takes, particularly due to long replication transactions in other
processes.

This complements a similar patch set to log the transaction duration.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-06-25 08:32:14 +02:00
Gary Lockyer
77e66b86db lib audit_logging: re-factor and add functions.
Re-factor the common calls to json_dumps DEBUGC and audit_message_send
into a separate function.
Add functions to retrieve json object and json array elements

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-06-01 08:28:26 +02:00
Gary Lockyer
2d47f9e160 auth_log: Rename the json variables
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-16 04:07:16 +02:00
Gary Lockyer
c15fc1442b auth_log: tidy up code formatting
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-16 04:07:16 +02:00
Gary Lockyer
75097275a7 auth_log: Use common code from audit_logging
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-16 04:07:16 +02:00
Stefan Metzmacher
c7a3ce95ac auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server
This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!"
error messages, which were generated if the client only sends
NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP
connection.

This fixes a regession in the combination of commits
77adac8c3c and
3a0b835408.

We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end
of the authentication (as a server, while we already
do so at the beginning as a client).

As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE
(as an internal flag) in order to let us work as a
Windows using NTLMSSP for LDAP. Even if only signing is
negotiated during the authentication the following PDUs
will still be encrypted if NTLMSSP is used. This is exactly the
same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL.
I guess it's a bug in Windows, but we have to reimplement that
bug. Note this only applies to NTLMSSP and only to LDAP!
Signing only works fine for LDAP with Kerberos
or DCERPC and NTLMSSP.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144
2018-05-16 03:26:03 +02:00
Stefan Metzmacher
7f2bebf09c auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option
This will be used to similate a Windows client only
using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL
on an LDAP connection, which is indicated internally by
GENSEC_FEATURE_LDAP_STYLE.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-16 00:13:19 +02:00
Andrew Bartlett
6fda57d309 build: Make --with-json-audit the default
Thanks to Rowland for a clear description of the behaviour for the smb.conf manpage.

This means that those not wanting to link to libarchive will just need to
build --without-json-audit.

In general, we prefer that optional libraries be required by default
so that they are not accidentially missed, particularly in packages.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-15 03:36:08 +02:00
Noel Power
26c4084ad2 auth/credentials/test: py2/py3 compat always decode result of b64encode
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun May 13 00:24:35 CEST 2018 on sn-devel-144
2018-05-13 00:24:35 +02:00
Joe Guo
656ec98e5b pycredentials: add py_creds_get_secure_channel_type
We have only set, need get.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-05-12 02:09:28 +02:00
Gary Lockyer
52a3318be8 auth log: Log the unique session GUID
Log the unique_session_token GUID on successful Authorizations.
This patch adds the "sessionID" attribute to the Authorization object
and increments the version to 1.1

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:22 +02:00
Douglas Bagnall
f94c9a1357 auth/ntlmssp_client: correct spelling of response
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-05 04:32:42 +02:00
Douglas Bagnall
a66f941619 auth/pycredentials: correct spelling of reponse
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-05 04:32:42 +02:00
Volker Lendecke
1aeac2f85d dbwrap: Remove calls to loadparm
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:19 +02:00
Volker Lendecke
7f09fd2b4c credentials: Call dbwrap_local_open with the correct tdb_flags
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:18 +02:00
Volker Lendecke
7e183a22a7 credentials: Call dbwrap_local_open with the correct hash size
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:18 +02:00
Björn Baumbach
57d9969f5c build: fix build without JSON audit support
Autobuild-User(master): Björn Baumbach <bbaumbach@samba.org>
Autobuild-Date(master): Fri Apr 20 21:12:33 CEST 2018 on sn-devel-144
2018-04-20 21:12:33 +02:00
Björn Baumbach
cc1eed99bd build: add option to choose to build with or without JSON audit support
Add a new configure option:

  --with-json-audit
            Build with JSON auth audit support (default=auto). This requires
	    the jansson devel package.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master):  <bbaumbach@samba.org>
Autobuild-Date(master): Wed Apr 18 15:25:42 CEST 2018 on sn-devel-144
2018-04-18 15:25:42 +02:00
Noel Power
4a58393b2b wscript_build: make sure we link extra-python versions of libraries
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-04-13 07:27:11 +02:00
Arvid Requate
490756a840 Check "auth event notification" param in log_json
When Samba is compiled with JSON support it logs an error message
at log level 3 by default for every authentication event:

get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND

This patch adjusts the log_json function to consider the smb.conf
parameter "auth event notification" before calling auth_message_send.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13381

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr 12 08:12:39 CEST 2018 on sn-devel-144
2018-04-12 08:12:39 +02:00
Volker Lendecke
dff196a157 credentials: Fix CID 1414796 Explicit null dereferenced
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 11 21:58:00 CEST 2018 on sn-devel-144
2018-04-11 21:58:00 +02:00
Volker Lendecke
7a9df79660 credentials: Fix line length
... just because I'll modify that line in the next commit

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 19:07:24 +02:00
Volker Lendecke
56a8739e22 credentials: Revert "credentials: Fix CID 1414796 Explicit null dereferenced"
This reverts commit 90c02ec64d.

We have code to take care of password==NULL, this CID must be fixed in a
different way

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 19:07:24 +02:00
Volker Lendecke
cc746385bf credentials: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-05 01:10:09 +02:00
Volker Lendecke
90c02ec64d credentials: Fix CID 1414796 Explicit null dereferenced
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-05 01:10:09 +02:00
Noel Power
7b897d6d1c auth/credentials/test: convert print func to be py2/py3 compatible
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-03-23 07:28:24 +01:00
Matt Selsky
7ab4ceffb4 auth/kerberos: Fix typo in error message regarding fetching PAC using Heimdal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13311

Signed-off-by: Matt Selsky <matthew.selsky@twosigma.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-19 07:33:44 +01:00
Stefan Metzmacher
6ff8911958 auth: add auth_user_info_copy() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:17 +01:00
Andreas Schneider
654a66b72d auth:credentials: Avoid an 'else' branch
This moves the 'return' statement to the end of the 'case' and makes clear
we leave here.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 14:49:45 +01:00
Andreas Schneider
9a971bcd07 auth:credentials: Add FALL_THROUGH statements in credentials.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 14:49:45 +01:00
Andreas Schneider
2a646a7485 auth:gensec: Add FALL_THROUGH statements in spnego.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
d123638a82 auth:credentials: Add FALL_THROUGH statements in credentials_secrets.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Garming Sam
2e49a97777 tests/bind.py: Add a bind test with NTLMSSP with no domain
Confirmed to pass against Windows 2012 R2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-22 23:15:17 +01:00
Andrew Bartlett
8e54bc463a selftest: Require jansson support for selftest of the AD DC
This avoids this code becoming untested if a package is not installed or
the configure test is accidentially broken.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-02-15 00:18:29 +01:00
kkplein
d39664fc66 define DBGC_AUTH class
Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-08 03:34:17 +01:00
Andreas Schneider
11239f0759 credentials: Simplify cli_credentials_get_server_gss_creds()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan  3 14:37:12 CET 2018 on sn-devel-144
2018-01-03 14:37:12 +01:00
Stefan Metzmacher
7074a1b7e0 CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-09-20 13:04:10 +02:00
Volker Lendecke
adf46ff0ea cli_credentials: Apply some const
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Sep 16 12:28:17 CEST 2017 on sn-devel-144
2017-09-16 12:28:17 +02:00
Volker Lendecke
1e4c32e3ff cli_credentials: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep  7 05:56:14 CEST 2017 on sn-devel-144
2017-09-07 05:56:14 +02:00
Volker Lendecke
f8b491fac4 cli_credentials: Fix a return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep  5 23:06:42 CEST 2017 on sn-devel-144
2017-09-05 23:06:41 +02:00
Stefan Metzmacher
e8264d9678 auth/common: add support for auth4_ctx->check_ntlm_password_send/recv()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
7d43aecb50 auth/ntlmssp: merge ntlmssp_server_check_password() into ntlmssp_server_auth_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
260e535252 auth/ntlmssp: introduce ntlmssp_server_auth_send/recv
We still use the sync ntlmssp_server_check_password().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
da3baf64d5 auth/ntlmssp: prepare update_send/recv for real async processing
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Andrew Bartlett
dc940ad0e0 pycredentials: Add set_named_ccache()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-07-28 00:25:14 +02:00