IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Otherwise useful information gets lost while converting
from NTSTATUS to krb5_error and back to NTSTATUS again.
E.g. NT_STATUS_ACCOUNT_DISABLED would be audited as
NT_STATUS_ACCOUNT_LOCKED_OUT.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5294dc8009)
Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Thu Mar 17 10:12:38 UTC 2022 on sn-devel-184
Cases to handle KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY and
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED were removed in:
commit 791be84c3e
Author: Stefan Metzmacher <metze@samba.org>
Date: Wed Mar 2 10:10:08 2022 +1300
s4:kdc: hdb_samba4_audit() is only called once per request
Normally these auth event types are overwritten with the
KDC_AUTH_EVENT_CLIENT_AUTHORIZED event type, but if a client passes the
pre-authentication check, and happens to fail the client access check
(e.g. because the account is disabled), we get error messages of the
form:
hdb_samba4_audit: Unhandled hdb_auth_status=9 => INTERNAL_ERROR
To avoid such errors, use the error code provided in the request
structure to obtain a relevant status code in cases not handled
explicitly.
For unexpected values we return KRB5KRB_ERR_GENERIC
in order to hopefully prevent success. And within make test
we panic in order let a ci run fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b01388da8a)
We create an KDC ip string entry directly at the beginning, use it if we
don't have any additional DCs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 16 14:26:36 UTC 2022 on sn-devel-184
(cherry picked from commit 68d181ee67)
In SMBC_server_internal(), when authentication fails, the errno value is
currently hard-coded to EPERM, while it should be EACCES instead. Use the
NT_STATUS map to set the appropriate value.
This bug was found because it breaks listing printers protected by
authentication in GNOME Control Panel.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14983
Signed-off-by: Elia Geretto <elia.f.geretto@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 16 19:44:18 UTC 2022 on sn-devel-184
(cherry picked from commit 70b9977a46)
authenticate_ldap_simple_bind*() needs to pass the
result of the cracknames operation into the auth stack
as user_info->client.{account,domain}_name, because
user_info->client.{account,domain}_name is also used
when forwarding the request via netrLogonSamLogon*
to a remote server, for exactly that the values are
also used in order to map a AUTH_PASSWORD_PLAIN into
AUTH_PASSWORD_RESPONSE, where the NTLMv2 response
contains the account and domain names passed in the
netr_IdentityInfo value.
Otherwise it would not be possible to forward the
LDAP simple bind authentication request to a remote
DC.
Currently this only applies to an RODC that forwards
the request to an RWDC.
But note that LDAP simple binds (as on Windows) only
work for users in the DCs forest, as the DsCrackNames
need to work and it can't work for users of remote
forests. I tested that in a DC of a forest root domain,
if rejected the LDAP simple bind against a different forest,
but allowed it for a users of a child domain in the
same forest. The NTLMSSP bind worked in both cases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 10 04:10:54 UTC 2022 on sn-devel-184
(cherry picked from commit 40f2070d3b)
Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Wed Mar 16 14:40:08 UTC 2022 on sn-devel-184
The optional user_info->orig_client.{account,domain}_name are
the once really used by the client and should be used in
audit logging. But we still fallback to
user_info->client.{account,domain}_name.
This will be important for the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 24b580cae2)
This makes it much clearer what it is used for and
it is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in
authsam_check_password_internals().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 427125d182)
mapped_state is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in authsam_check_password_internals()
This doesn't apply here. We should also handle wbinfo -a
authentication UPN names, e.g. administrator@DOMAIN,
even if the account belongs to the local sam.
With this change the behavior is consistent also locally on DCs and
also an RODC can handle these requests locally for cached accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15003
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8dfdbe095a)
When winbindd forwards wbinfo -a via netrLogonSamLogon* to a remote
DC work fine for upn names, e.g. administrator@DOMAIN.
But it currently fails locally on a DC against the local sam.
For the RODC only work because it forwards the request to
an RWDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15003
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e1d2c59d36)
mapped_state is only evaluated in authsam_check_password_internals()
of auth_sam.c in source4, so setting it in the auth3 code
doesn't make any difference. I've proved that with
an SMB_ASSERT() and a full pipeline not triggering it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c56cb12f34)
mapped_state is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in authsam_check_password_internals().
But that code will be changed in the next commits, so we can simplify
the logic and only check for user_info->mapped.account_name being NULL.
As it's the important factor that user_info->mapped.account_name is
non-NULL down in the auth stack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c7b8c71b2b)
mapped_state is completely irrelevant for audit logging and
will also be removed in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 52787b9c1e)
mapped_state is completely irrelevant for audit logging and
will also be removed in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ca6948642b)
mapped_state is completely irrelevant for audit logging and
will also be removed in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 99efe5f4e9)
We already use talloc_zero() and mapped_state will be removed in the
next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 859c781735)
We already use talloc_zero() and mapped_state will be removed in the
next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9a4ac8ab2e)
user_info->mapped_state has nothing to do with enum auth_password_state,
user_info->password_state is the one that holds the auth_password_state value.
Luckily user_info->password_state was never referenced in the
encrypt_user_info() callers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a6fb598d9d)
I've seen that in LogonSamLogonEx request triggered
by a simple bind with a user of a trusted domain
within the same forest. Note simple binds don't
work with users for another forest/external domain,
as the DsCrackNames call on the bind_dn fails.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14641
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 31db704882)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 62fb6c1dc8)
Using != AUTH_PASSWORD_RESPONSE is not the correct indication
due to the local mappings from AUTH_PASSWORD_PLAIN via
AUTH_PASSWORD_HASH to AUTH_PASSWORD_RESPONSE.
It means an LDAP simble bind will now honour
'old password allowed period'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2ad4468622)
This is not really relevant for now, as USER_INFO_INTERACTIVE_LOGON is
not evaluated in the source3/auth stack. But better add it to
be consistent.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 012bd9f5b7)
This makes it possible to catch failures with knownfail entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 751ce671a4)
This will make further changes easier.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5a3214c990)
The call to sdb_free_entry() was forgotten.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15000
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 11 11:05:55 UTC 2022 on sn-devel-184
(cherry picked from commit b7bc1f6ddd)
Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Mar 14 15:24:28 UTC 2022 on sn-devel-184
This fixes the regressions against KDCs without FAST support.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 11 18:06:47 UTC 2022 on sn-devel-184
(cherry picked from commit 9b48e7f7ed)
