@ -0,0 +1,199 @@ |
From 8e9016a11c7ebd08e92277962e495945a3ad588f Mon Sep 17 00:00:00 2001 |
||||||
|
From: Jeremy Allison <jra@samba.org> |
||||||
|
Date: Fri, 15 Jun 2018 15:07:17 -0700 |
||||||
|
Subject: [PATCH 1/2] libsmb: Ensure smbc_urlencode() can't overwrite passed in |
||||||
|
buffer. |
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453 |
||||||
|
|
||||||
|
CVE-2018-10858: Insufficient input validation on client directory |
||||||
|
listing in libsmbclient. |
||||||
|
|
||||||
|
Signed-off-by: Jeremy Allison <jra@samba.org> |
||||||
|
Reviewed-by: Ralph Boehme <slow@samba.org> |
||||||
|
--- |
||||||
|
source3/libsmb/libsmb_path.c | 9 +++++++-- |
||||||
|
1 file changed, 7 insertions(+), 2 deletions(-) |
||||||
|
|
||||||
|
diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c |
||||||
|
index 01b0a61e483..ed70ab37550 100644 |
||||||
|
--- a/source3/libsmb/libsmb_path.c |
||||||
|
+++ b/source3/libsmb/libsmb_path.c |
||||||
|
@@ -173,8 +173,13 @@ smbc_urlencode(char *dest, |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
- *dest++ = '\0'; |
||||||
|
- max_dest_len--; |
||||||
|
+ if (max_dest_len == 0) { |
||||||
|
+ /* Ensure we return -1 if no null termination. */ |
||||||
|
+ return -1; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ *dest++ = '\0'; |
||||||
|
+ max_dest_len--; |
||||||
|
|
||||||
|
return max_dest_len; |
||||||
|
} |
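Review bot: The new `return -1` changes smbc_urlencode's contract — callers previously always received a non-negative remaining length — but nothing in the hunk records that, and the function's header comment sits outside it. I would add a doc comment on the function, `/* Returns the space left in dest after the NUL terminator, or -1 if dest was too small to hold it; on -1 dest is NOT NUL-terminated. */`, so every caller that stores the result into a length (as smbc_readdir_internal does) knows to test for the negative case. Note the check as written catches only exactly zero; whether the loop above (outside the hunk) can drive max_dest_len below zero is not visible here, and the follow-up patch in this series changes the test to `<= 0` for that reason. smbc_urlencode's body starts before this hunk.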
||||||
|
-- |
||||||
|
2.11.0 |
||||||
|
|
||||||
|
|
||||||
|
From 0a259d3c56b7e436c0b589b175619565e0515fa0 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Jeremy Allison <jra@samba.org> |
||||||
|
Date: Fri, 15 Jun 2018 15:08:17 -0700 |
||||||
|
Subject: [PATCH 2/2] libsmb: Harden smbc_readdir_internal() against returns |
||||||
|
from malicious servers. |
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453 |
||||||
|
|
||||||
|
CVE-2018-10858: Insufficient input validation on client directory |
||||||
|
listing in libsmbclient. |
||||||
|
|
||||||
|
Signed-off-by: Jeremy Allison <jra@samba.org> |
||||||
|
Reviewed-by: Ralph Boehme <slow@samba.org> |
||||||
|
--- |
||||||
|
source3/libsmb/libsmb_dir.c | 57 ++++++++++++++++++++++++++++++++++++++------ |
||||||
|
source3/libsmb/libsmb_path.c | 2 +- |
||||||
|
2 files changed, 51 insertions(+), 8 deletions(-) |
||||||
|
|
||||||
|
diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c |
||||||
|
index 72441c46736..54c2bcb3c73 100644 |
||||||
|
--- a/source3/libsmb/libsmb_dir.c |
||||||
|
+++ b/source3/libsmb/libsmb_dir.c |
||||||
|
@@ -943,27 +943,47 @@ SMBC_closedir_ctx(SMBCCTX *context, |
||||||
|
|
||||||
|
} |
||||||
|
|
||||||
|
-static void |
||||||
|
+static int |
||||||
|
smbc_readdir_internal(SMBCCTX * context, |
||||||
|
struct smbc_dirent *dest, |
||||||
|
struct smbc_dirent *src, |
||||||
|
int max_namebuf_len) |
||||||
|
{ |
||||||
|
if (smbc_getOptionUrlEncodeReaddirEntries(context)) { |
||||||
|
+ int remaining_len; |
||||||
|
|
||||||
|
/* url-encode the name. get back remaining buffer space */ |
||||||
|
- max_namebuf_len = |
||||||
|
+ remaining_len = |
||||||
|
smbc_urlencode(dest->name, src->name, max_namebuf_len); |
||||||
|
|
||||||
|
+ /* -1 means no null termination. */ |
||||||
|
+ if (remaining_len < 0) { |
||||||
|
+ return -1; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
/* We now know the name length */ |
||||||
|
dest->namelen = strlen(dest->name); |
||||||
|
|
||||||
|
+ if (dest->namelen + 1 < 1) { |
||||||
|
+ /* Integer wrap. */ |
||||||
|
+ return -1; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ if (dest->namelen + 1 >= max_namebuf_len) { |
||||||
|
+ /* Out of space for comment. */ |
||||||
|
+ return -1; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
/* Save the pointer to the beginning of the comment */ |
||||||
|
dest->comment = dest->name + dest->namelen + 1; |
||||||
|
|
||||||
|
+ if (remaining_len < 1) { |
||||||
|
+ /* No room for comment null termination. */ |
||||||
|
+ return -1; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
/* Copy the comment */ |
||||||
|
- strncpy(dest->comment, src->comment, max_namebuf_len - 1); |
||||||
|
- dest->comment[max_namebuf_len - 1] = '\0'; |
||||||
|
+ strlcpy(dest->comment, src->comment, remaining_len); |
||||||
|
|
||||||
|
/* Save other fields */ |
||||||
|
dest->smbc_type = src->smbc_type; |
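Review bot: The `dest->namelen + 1 < 1` test under `/* Integer wrap. */` is only a valid wrap check if `namelen` is an unsigned type; the struct is not visible in this hunk, and if the field were signed the addition would be undefined on overflow and the compiler may delete the test, so I would pin the assumption with a comment, `/* namelen is unsigned: +1 wraps to 0 rather than overflowing. */`, or a `_Static_assert` on the field's type. The following `dest->namelen + 1 >= max_namebuf_len` compares that field against the `int` parameter; both callers pass a `sizeof`, so it is positive today, but an explicit `if (max_namebuf_len <= 0) return -1;` at the top of the function would make the signed/unsigned mix safe by construction. The comment copy is now bounded by `remaining_len`, which is the point of the fix, but `src->comment` is still dereferenced unconditionally — if an entry without a comment can carry NULL there (I cannot tell from this hunk), that is a crash rather than an overflow. smbc_readdir_internal continues in the next hunk.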
||||||
|
@@ -973,10 +993,21 @@ smbc_readdir_internal(SMBCCTX * context, |
||||||
|
} else { |
||||||
|
|
||||||
|
/* No encoding. Just copy the entry as is. */ |
||||||
|
+ if (src->dirlen > max_namebuf_len) { |
||||||
|
+ return -1; |
||||||
|
+ } |
||||||
|
memcpy(dest, src, src->dirlen); |
||||||
|
+ if (src->namelen + 1 < 1) { |
||||||
|
+ /* Integer wrap */ |
||||||
|
+ return -1; |
||||||
|
+ } |
||||||
|
+ if (src->namelen + 1 >= max_namebuf_len) { |
||||||
|
+ /* Comment off the end. */ |
||||||
|
+ return -1; |
||||||
|
+ } |
||||||
|
dest->comment = (char *)(&dest->name + src->namelen + 1); |
||||||
|
} |
||||||
|
- |
||||||
|
+ return 0; |
||||||
|
} |
||||||
|
|
||||||
|
/* |
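Review bot: In the unencoded branch the `src->namelen + 1 >= max_namebuf_len` check bounds the comment pointer against the destination buffer but not against the `src->dirlen` bytes that `memcpy` actually copied, so an entry whose namelen reaches past its own dirlen yields a `dest->comment` pointing at bytes memcpy never wrote — stale data from a previous entry rather than an overflow. If dirlen covers header, name and comment, as the memcpy implies, a check tying the two together closes that: `if (src->dirlen < offsetof(struct smbc_dirent, name) || src->namelen + 1 > src->dirlen - offsetof(struct smbc_dirent, name)) return -1;` (hedged: how dirlen is built is outside this hunk). Separately, `(char *)(&dest->name + src->namelen + 1)` only does byte-sized arithmetic because `name` is a one-element array; `dest->name + src->namelen + 1` says the same thing without relying on that.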
||||||
|
@@ -988,6 +1019,7 @@ SMBC_readdir_ctx(SMBCCTX *context, |
||||||
|
SMBCFILE *dir) |
||||||
|
{ |
||||||
|
int maxlen; |
||||||
|
+ int ret; |
||||||
|
struct smbc_dirent *dirp, *dirent; |
||||||
|
TALLOC_CTX *frame = talloc_stackframe(); |
||||||
|
|
||||||
|
@@ -1037,7 +1069,12 @@ SMBC_readdir_ctx(SMBCCTX *context, |
||||||
|
dirp = &context->internal->dirent; |
||||||
|
maxlen = sizeof(context->internal->_dirent_name); |
||||||
|
|
||||||
|
- smbc_readdir_internal(context, dirp, dirent, maxlen); |
||||||
|
+ ret = smbc_readdir_internal(context, dirp, dirent, maxlen); |
||||||
|
+ if (ret == -1) { |
||||||
|
+ errno = EINVAL; |
||||||
|
+ TALLOC_FREE(frame); |
||||||
|
+ return NULL; |
||||||
|
+ } |
||||||
|
|
||||||
|
dir->dir_next = dir->dir_next->next; |
||||||
|
|
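Review bot: The new `ret == -1` path returns before `dir->dir_next = dir->dir_next->next;`, so a malformed entry is never skipped and every later SMBC_readdir_ctx call on this handle fails the same way — the application has no way to advance past it. That may be the intended "stop listing" behaviour for a hostile server, but it deserves a comment, e.g. `/* Do not advance dir_next: a bad entry ends the listing for this handle. */`. If EINVAL is also what this function reports for a bad handle (those checks are outside the hunk), callers cannot distinguish the two cases; a distinct errno or a log line at the failure site would help when debugging against a misbehaving server.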
||||||
|
@@ -1095,6 +1132,7 @@ SMBC_getdents_ctx(SMBCCTX *context, |
||||||
|
*/ |
||||||
|
|
||||||
|
while ((dirlist = dir->dir_next)) { |
||||||
|
+ int ret; |
||||||
|
struct smbc_dirent *dirent; |
||||||
|
struct smbc_dirent *currentEntry = (struct smbc_dirent *)ndir; |
||||||
|
|
||||||
|
@@ -1109,8 +1147,13 @@ SMBC_getdents_ctx(SMBCCTX *context, |
||||||
|
/* Do urlencoding of next entry, if so selected */ |
||||||
|
dirent = &context->internal->dirent; |
||||||
|
maxlen = sizeof(context->internal->_dirent_name); |
||||||
|
- smbc_readdir_internal(context, dirent, |
||||||
|
+ ret = smbc_readdir_internal(context, dirent, |
||||||
|
dirlist->dirent, maxlen); |
||||||
|
+ if (ret == -1) { |
||||||
|
+ errno = EINVAL; |
||||||
|
+ TALLOC_FREE(frame); |
||||||
|
+ return -1; |
||||||
|
+ } |
||||||
|
|
||||||
|
reqd = dirent->dirlen; |
||||||
|
|
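Review bot: Returning -1 here discards the entries already packed into the caller's buffer by earlier iterations of this loop and, as in the readdir path, leaves `dir->dir_next` on the bad entry so the next call fails again immediately. If that is deliberate, a comment at the `return -1;` saying so would settle it; the alternative that mirrors getdents(2) is to return the byte count accumulated so far when it is non-zero and fail only when the very first entry is bad — hedged, since the accumulator variable is outside the hunk. SMBC_getdents_ctx's loop body continues past the end of this hunk.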
||||||
|
diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c |
||||||
|
index ed70ab37550..5b53b386a67 100644 |
||||||
|
--- a/source3/libsmb/libsmb_path.c |
||||||
|
+++ b/source3/libsmb/libsmb_path.c |
||||||
|
@@ -173,7 +173,7 @@ smbc_urlencode(char *dest, |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
- if (max_dest_len == 0) { |
||||||
|
+ if (max_dest_len <= 0) { |
||||||
|
/* Ensure we return -1 if no null termination. */ |
||||||
|
return -1; |
||||||
|
} |
||||||
|
-- |
||||||
|
2.11.0 |
||||||
|
|
@ -0,0 +1,753 @@ |
From 34a9663509fe12778cca621e765b027e26ed1e34 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> |
||||||
|
Date: Thu, 22 Feb 2018 11:54:45 +1300 |
||||||
|
Subject: [PATCH 1/6] selftest/tests.py: remove always-needed, never-set |
||||||
|
with_cmocka flag |
||||||
|
|
||||||
|
We have cmocka in third_party, so we are never without it. |
||||||
|
|
||||||
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> |
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org> |
||||||
|
|
||||||
|
(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6 |
||||||
|
by Andrew Bartlett) |
||||||
|
--- |
||||||
|
selftest/tests.py | 18 ++++++++---------- |
||||||
|
1 file changed, 8 insertions(+), 10 deletions(-) |
||||||
|
|
||||||
|
diff --git a/selftest/tests.py b/selftest/tests.py |
||||||
|
index 126e1184230..3f5097b680c 100644 |
||||||
|
--- a/selftest/tests.py |
||||||
|
+++ b/selftest/tests.py |
||||||
|
@@ -38,7 +38,6 @@ finally: |
||||||
|
f.close() |
||||||
|
|
||||||
|
have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash) |
||||||
|
-with_cmocka = ("HAVE_CMOCKA" in config_hash) |
||||||
|
with_pam = ("WITH_PAM" in config_hash) |
||||||
|
pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"] |
||||||
|
|
||||||
|
@@ -168,13 +167,12 @@ if with_pam: |
||||||
|
valgrindify(python), pam_wrapper_so_path, |
||||||
|
"$DOMAIN", "alice", "Secret007"]) |
||||||
|
|
||||||
|
-if with_cmocka: |
||||||
|
- plantestsuite("samba.unittests.krb5samba", "none", |
||||||
|
- [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")]) |
||||||
|
- plantestsuite("samba.unittests.sambafs_srv_pipe", "none", |
||||||
|
- [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")]) |
||||||
|
- plantestsuite("samba.unittests.lib_util_modules", "none", |
||||||
|
- [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")]) |
||||||
|
+plantestsuite("samba.unittests.krb5samba", "none", |
||||||
|
+ [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")]) |
||||||
|
+plantestsuite("samba.unittests.sambafs_srv_pipe", "none", |
||||||
|
+ [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")]) |
||||||
|
+plantestsuite("samba.unittests.lib_util_modules", "none", |
||||||
|
+ [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")]) |
||||||
|
|
||||||
|
- plantestsuite("samba.unittests.smb1cli_session", "none", |
||||||
|
- [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")]) |
||||||
|
+plantestsuite("samba.unittests.smb1cli_session", "none", |
||||||
|
+ [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")]) |
||||||
|
-- |
||||||
|
2.14.4 |
||||||
|
|
||||||
|
|
||||||
|
From e99322edcf4c39614d596fd1be636fd8dd610abc Mon Sep 17 00:00:00 2001 |
||||||
|
From: Andrew Bartlett <abartlet@samba.org> |
||||||
|
Date: Fri, 27 Jul 2018 08:44:24 +1200 |
||||||
|
Subject: [PATCH 2/6] CVE-2018-1139 libcli/auth: Add initial tests for |
||||||
|
ntlm_password_check() |
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 |
||||||
|
|
||||||
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org> |
||||||
|
--- |
||||||
|
libcli/auth/tests/ntlm_check.c | 413 +++++++++++++++++++++++++++++++++++++++++ |
||||||
|
libcli/auth/wscript_build | 13 ++ |
||||||
|
selftest/knownfail.d/ntlm | 2 + |
||||||
|
selftest/tests.py | 2 + |
||||||
|
4 files changed, 430 insertions(+) |
||||||
|
create mode 100644 libcli/auth/tests/ntlm_check.c |
||||||
|
create mode 100644 selftest/knownfail.d/ntlm |
||||||
|
|
||||||
|
diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c |
||||||
|
new file mode 100644 |
||||||
|
index 00000000000..e87a0a276d4 |
||||||
|
--- /dev/null |
||||||
|
+++ b/libcli/auth/tests/ntlm_check.c |
||||||
|
@@ -0,0 +1,413 @@ |
||||||
|
+/* |
||||||
|
+ * Unit tests for the ntlm_check password hash check library. |
||||||
|
+ * |
||||||
|
+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018 |
||||||
|
+ * |
||||||
|
+ * This program is free software; you can redistribute it and/or modify |
||||||
|
+ * it under the terms of the GNU General Public License as published by |
||||||
|
+ * the Free Software Foundation; either version 3 of the License, or |
||||||
|
+ * (at your option) any later version. |
||||||
|
+ * |
||||||
|
+ * This program is distributed in the hope that it will be useful, |
||||||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||||||
|
+ * GNU General Public License for more details. |
||||||
|
+ * |
||||||
|
+ * You should have received a copy of the GNU General Public License |
||||||
|
+ * along with this program. If not, see <http://www.gnu.org/licenses/>. |
||||||
|
+ * |
||||||
|
+ */ |
||||||
|
+ |
||||||
|
+/* |
||||||
|
+ * from cmocka.c: |
||||||
|
+ * These headers or their equivalents should be included prior to |
||||||
|
+ * including |
||||||
|
+ * this header file. |
||||||
|
+ * |
||||||
|
+ * #include <stdarg.h> |
||||||
|
+ * #include <stddef.h> |
||||||
|
+ * #include <setjmp.h> |
||||||
|
+ * |
||||||
|
+ * This allows test applications to use custom definitions of C standard |
||||||
|
+ * library functions and types. |
||||||
|
+ * |
||||||
|
+ */ |
||||||
|
+ |
||||||
|
+/* |
||||||
|
+ * Note that the messaging routines (audit_message_send and get_event_server) |
||||||
|
+ * are not tested by these unit tests. Currently they are for integration |
||||||
|
+ * test support, and as such are exercised by the integration tests. |
||||||
|
+ */ |
||||||
|
+#include <stdarg.h> |
||||||
|
+#include <stddef.h> |
||||||
|
+#include <setjmp.h> |
||||||
|
+#include <cmocka.h> |
||||||
|
+ |
||||||
|
+#include "includes.h" |
||||||
|
+#include "../lib/crypto/crypto.h" |
||||||
|
+#include "librpc/gen_ndr/netlogon.h" |
||||||
|
+#include "libcli/auth/libcli_auth.h" |
||||||
|
+#include "auth/credentials/credentials.h" |
||||||
|
+ |
||||||
|
+struct ntlm_state { |
||||||
|
+ const char *username; |
||||||
|
+ const char *domain; |
||||||
|
+ DATA_BLOB challenge; |
||||||
|
+ DATA_BLOB ntlm; |
||||||
|
+ DATA_BLOB lm; |
||||||
|
+ DATA_BLOB ntlm_key; |
||||||
|
+ DATA_BLOB lm_key; |
||||||
|
+ const struct samr_Password *nt_hash; |
||||||
|
+}; |
||||||
|
+ |
||||||
|
+static int test_ntlm_setup_with_options(void **state, |
||||||
|
+ int flags, bool upn) |
||||||
|
+{ |
||||||
|
+ NTSTATUS status; |
||||||
|
+ DATA_BLOB challenge = { |
||||||
|
+ .data = discard_const_p(uint8_t, "I am a teapot"), |
||||||
|
+ .length = 8 |
||||||
|
+ }; |
||||||
|
+ struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state); |
||||||
|
+ DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state, |
||||||
|
+ NULL, |
||||||
|
+ "serverdom"); |
||||||
|
+ struct cli_credentials *creds = cli_credentials_init(ntlm_state); |
||||||
|
+ cli_credentials_set_username(creds, |
||||||
|
+ "testuser", |
||||||
|
+ CRED_SPECIFIED); |
||||||
|
+ cli_credentials_set_domain(creds, |
||||||
|
+ "testdom", |
||||||
|
+ CRED_SPECIFIED); |
||||||
|
+ cli_credentials_set_workstation(creds, |
||||||
|
+ "testwksta", |
||||||
|
+ CRED_SPECIFIED); |
||||||
|
+ cli_credentials_set_password(creds, |
||||||
|
+ "testpass", |
||||||
|
+ CRED_SPECIFIED); |
||||||
|
+ |
||||||
|
+ if (upn) { |
||||||
|
+ cli_credentials_set_principal(creds, |
||||||
|
+ "testuser@samba.org", |
||||||
|
+ CRED_SPECIFIED); |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ cli_credentials_get_ntlm_username_domain(creds, |
||||||
|
+ ntlm_state, |
||||||
|
+ &ntlm_state->username, |
||||||
|
+ &ntlm_state->domain); |
||||||
|
+ |
||||||
|
+ status = cli_credentials_get_ntlm_response(creds, |
||||||
|
+ ntlm_state, |
||||||
|
+ &flags, |
||||||
|
+ challenge, |
||||||
|
+ NULL, |
||||||
|
+ target_info, |
||||||
|
+ &ntlm_state->lm, |
||||||
|
+ &ntlm_state->ntlm, |
||||||
|
+ &ntlm_state->lm_key, |
||||||
|
+ &ntlm_state->ntlm_key); |
||||||
|
+ ntlm_state->challenge = challenge; |
||||||
|
+ |
||||||
|
+ ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds, |
||||||
|
+ ntlm_state); |
||||||
|
+ |
||||||
|
+ if (!NT_STATUS_IS_OK(status)) { |
||||||
|
+ return -1; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ *state = ntlm_state; |
||||||
|
+ return 0; |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static int test_ntlm_setup(void **state) { |
||||||
|
+ return test_ntlm_setup_with_options(state, 0, false); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static int test_ntlm_and_lm_setup(void **state) { |
||||||
|
+ return test_ntlm_setup_with_options(state, |
||||||
|
+ CLI_CRED_LANMAN_AUTH, |
||||||
|
+ false); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static int test_ntlm2_setup(void **state) { |
||||||
|
+ return test_ntlm_setup_with_options(state, |
||||||
|
+ CLI_CRED_NTLM2, |
||||||
|
+ false); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static int test_ntlmv2_setup(void **state) { |
||||||
|
+ return test_ntlm_setup_with_options(state, |
||||||
|
+ CLI_CRED_NTLMv2_AUTH, |
||||||
|
+ false); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static int test_ntlm_teardown(void **state) |
||||||
|
+{ |
||||||
|
+ struct ntlm_state *ntlm_state |
||||||
|
+ = talloc_get_type_abort(*state, |
||||||
|
+ struct ntlm_state); |
||||||
|
+ TALLOC_FREE(ntlm_state); |
||||||
|
+ *state = NULL; |
||||||
|
+ return 0; |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static void test_ntlm_allowed(void **state) |
||||||
|
+{ |
||||||
|
+ DATA_BLOB user_sess_key, lm_sess_key; |
||||||
|
+ struct ntlm_state *ntlm_state |
||||||
|
+ = talloc_get_type_abort(*state, |
||||||
|
+ struct ntlm_state); |
||||||
|
+ NTSTATUS status; |
||||||
|
+ status = ntlm_password_check(ntlm_state, |
||||||
|
+ false, |
||||||
|
+ NTLM_AUTH_ON, |
||||||
|
+ 0, |
||||||
|
+ &ntlm_state->challenge, |
||||||
|
+ &ntlm_state->lm, |
||||||
|
+ &ntlm_state->ntlm, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->domain, |
||||||
|
+ NULL, |
||||||
|
+ ntlm_state->nt_hash, |
||||||
|
+ &user_sess_key, |
||||||
|
+ &lm_sess_key); |
||||||
|
+ |
||||||
|
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK)); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static void test_ntlm_allowed_lm_supplied(void **state) |
||||||
|
+{ |
||||||
|
+ return test_ntlm_allowed(state); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static void test_ntlm_disabled(void **state) |
||||||
|
+{ |
||||||
|
+ DATA_BLOB user_sess_key, lm_sess_key; |
||||||
|
+ struct ntlm_state *ntlm_state |
||||||
|
+ = talloc_get_type_abort(*state, |
||||||
|
+ struct ntlm_state); |
||||||
|
+ NTSTATUS status; |
||||||
|
+ status = ntlm_password_check(ntlm_state, |
||||||
|
+ false, |
||||||
|
+ NTLM_AUTH_DISABLED, |
||||||
|
+ 0, |
||||||
|
+ &ntlm_state->challenge, |
||||||
|
+ &ntlm_state->lm, |
||||||
|
+ &ntlm_state->ntlm, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->domain, |
||||||
|
+ NULL, |
||||||
|
+ ntlm_state->nt_hash, |
||||||
|
+ &user_sess_key, |
||||||
|
+ &lm_sess_key); |
||||||
|
+ |
||||||
|
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED)); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static void test_ntlm2(void **state) |
||||||
|
+{ |
||||||
|
+ DATA_BLOB user_sess_key, lm_sess_key; |
||||||
|
+ struct ntlm_state *ntlm_state |
||||||
|
+ = talloc_get_type_abort(*state, |
||||||
|
+ struct ntlm_state); |
||||||
|
+ NTSTATUS status; |
||||||
|
+ status = ntlm_password_check(ntlm_state, |
||||||
|
+ false, |
||||||
|
+ NTLM_AUTH_ON, |
||||||
|
+ 0, |
||||||
|
+ &ntlm_state->challenge, |
||||||
|
+ &ntlm_state->lm, |
||||||
|
+ &ntlm_state->ntlm, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->domain, |
||||||
|
+ NULL, |
||||||
|
+ ntlm_state->nt_hash, |
||||||
|
+ &user_sess_key, |
||||||
|
+ &lm_sess_key); |
||||||
|
+ |
||||||
|
+ /* |
||||||
|
+ * NTLM2 session security (where the real challenge is the |
||||||
|
+ * MD5(challenge, client-challenge) (in the first 8 bytes of |
||||||
|
+ * the lm) isn't decoded by ntlm_password_check(), it must |
||||||
|
+ * first be converted back into normal NTLM by the NTLMSSP |
||||||
|
+ * layer |
||||||
|
+ */ |
||||||
|
+ assert_int_equal(NT_STATUS_V(status), |
||||||
|
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static void test_ntlm_mschapv2_only_allowed(void **state) |
||||||
|
+{ |
||||||
|
+ DATA_BLOB user_sess_key, lm_sess_key; |
||||||
|
+ struct ntlm_state *ntlm_state |
||||||
|
+ = talloc_get_type_abort(*state, |
||||||
|
+ struct ntlm_state); |
||||||
|
+ NTSTATUS status; |
||||||
|
+ status = ntlm_password_check(ntlm_state, |
||||||
|
+ false, |
||||||
|
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY, |
||||||
|
+ MSV1_0_ALLOW_MSVCHAPV2, |
||||||
|
+ &ntlm_state->challenge, |
||||||
|
+ &ntlm_state->lm, |
||||||
|
+ &ntlm_state->ntlm, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->domain, |
||||||
|
+ NULL, |
||||||
|
+ ntlm_state->nt_hash, |
||||||
|
+ &user_sess_key, |
||||||
|
+ &lm_sess_key); |
||||||
|
+ |
||||||
|
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK)); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static void test_ntlm_mschapv2_only_denied(void **state) |
||||||
|
+{ |
||||||
|
+ DATA_BLOB user_sess_key, lm_sess_key; |
||||||
|
+ struct ntlm_state *ntlm_state |
||||||
|
+ = talloc_get_type_abort(*state, |
||||||
|
+ struct ntlm_state); |
||||||
|
+ NTSTATUS status; |
||||||
|
+ status = ntlm_password_check(ntlm_state, |
||||||
|
+ false, |
||||||
|
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY, |
||||||
|
+ 0, |
||||||
|
+ &ntlm_state->challenge, |
||||||
|
+ &ntlm_state->lm, |
||||||
|
+ &ntlm_state->ntlm, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->domain, |
||||||
|
+ NULL, |
||||||
|
+ ntlm_state->nt_hash, |
||||||
|
+ &user_sess_key, |
||||||
|
+ &lm_sess_key); |
||||||
|
+ |
||||||
|
+ assert_int_equal(NT_STATUS_V(status), |
||||||
|
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static void test_ntlmv2_only_ntlmv2(void **state) |
||||||
|
+{ |
||||||
|
+ DATA_BLOB user_sess_key, lm_sess_key; |
||||||
|
+ struct ntlm_state *ntlm_state |
||||||
|
+ = talloc_get_type_abort(*state, |
||||||
|
+ struct ntlm_state); |
||||||
|
+ NTSTATUS status; |
||||||
|
+ status = ntlm_password_check(ntlm_state, |
||||||
|
+ false, |
||||||
|
+ NTLM_AUTH_NTLMV2_ONLY, |
||||||
|
+ 0, |
||||||
|
+ &ntlm_state->challenge, |
||||||
|
+ &ntlm_state->lm, |
||||||
|
+ &ntlm_state->ntlm, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->domain, |
||||||
|
+ NULL, |
||||||
|
+ ntlm_state->nt_hash, |
||||||
|
+ &user_sess_key, |
||||||
|
+ &lm_sess_key); |
||||||
|
+ |
||||||
|
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK)); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static void test_ntlmv2_only_ntlm(void **state) |
||||||
|
+{ |
||||||
|
+ DATA_BLOB user_sess_key, lm_sess_key; |
||||||
|
+ struct ntlm_state *ntlm_state |
||||||
|
+ = talloc_get_type_abort(*state, |
||||||
|
+ struct ntlm_state); |
||||||
|
+ NTSTATUS status; |
||||||
|
+ status = ntlm_password_check(ntlm_state, |
||||||
|
+ false, |
||||||
|
+ NTLM_AUTH_NTLMV2_ONLY, |
||||||
|
+ 0, |
||||||
|
+ &ntlm_state->challenge, |
||||||
|
+ &ntlm_state->lm, |
||||||
|
+ &ntlm_state->ntlm, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->domain, |
||||||
|
+ NULL, |
||||||
|
+ ntlm_state->nt_hash, |
||||||
|
+ &user_sess_key, |
||||||
|
+ &lm_sess_key); |
||||||
|
+ |
||||||
|
+ assert_int_equal(NT_STATUS_V(status), |
||||||
|
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static void test_ntlmv2_only_ntlm_and_lanman(void **state) |
||||||
|
+{ |
||||||
|
+ return test_ntlmv2_only_ntlm(state); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static void test_ntlmv2_only_ntlm_once(void **state) |
||||||
|
+{ |
||||||
|
+ DATA_BLOB user_sess_key, lm_sess_key; |
||||||
|
+ struct ntlm_state *ntlm_state |
||||||
|
+ = talloc_get_type_abort(*state, |
||||||
|
+ struct ntlm_state); |
||||||
|
+ NTSTATUS status; |
||||||
|
+ status = ntlm_password_check(ntlm_state, |
||||||
|
+ false, |
||||||
|
+ NTLM_AUTH_NTLMV2_ONLY, |
||||||
|
+ 0, |
||||||
|
+ &ntlm_state->challenge, |
||||||
|
+ &data_blob_null, |
||||||
|
+ &ntlm_state->ntlm, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->username, |
||||||
|
+ ntlm_state->domain, |
||||||
|
+ NULL, |
||||||
|
+ ntlm_state->nt_hash, |
||||||
|
+ &user_sess_key, |
||||||
|
+ &lm_sess_key); |
||||||
|
+ |
||||||
|
+ assert_int_equal(NT_STATUS_V(status), |
||||||
|
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+int main(int argc, const char **argv) |
||||||
|
+{ |
||||||
|
+ const struct CMUnitTest tests[] = { |
||||||
|
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed, |
||||||
|
+ test_ntlm_setup, |
||||||
|
+ test_ntlm_teardown), |
||||||
|
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed_lm_supplied, |
||||||
|
+ test_ntlm_and_lm_setup, |
||||||
|
+ test_ntlm_teardown), |
||||||
|
+ cmocka_unit_test_setup_teardown(test_ntlm_disabled, |
||||||
|
+ test_ntlm_setup, |
||||||
|
+ test_ntlm_teardown), |
||||||
|
+ cmocka_unit_test_setup_teardown(test_ntlm2, |
||||||
|
+ test_ntlm2_setup, |
||||||
|
+ test_ntlm_teardown), |
||||||
|
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_allowed, |
||||||
|
+ test_ntlm_setup, |
||||||
|
+ test_ntlm_teardown), |
||||||
|
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_denied, |
||||||
|
+ test_ntlm_setup, |
||||||
|
+ test_ntlm_teardown), |
||||||
|
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm, |
||||||
|
+ test_ntlm_setup, |
||||||
|
+ test_ntlm_teardown), |
||||||
|
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_and_lanman, |
||||||
|
+ test_ntlm_and_lm_setup, |
||||||
|
+ test_ntlm_teardown), |
||||||
|
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_once, |
||||||
|
+ test_ntlm_setup, |
||||||
|
+ test_ntlm_teardown), |
||||||
|
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlmv2, |
||||||
|
+ test_ntlmv2_setup, |
||||||
|
+ test_ntlm_teardown) |
||||||
|
+ }; |
||||||
|
+ |
||||||
|
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT); |
||||||
|
+ return cmocka_run_group_tests(tests, NULL, NULL); |
||||||
|
+} |
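Review bot: test_ntlm_setup_with_options leaks `ntlm_state` on its failure path: it is allocated with `talloc(NULL, ...)`, and the `if (!NT_STATUS_IS_OK(status)) return -1;` returns without freeing it and without setting `*state`, so the teardown never sees it — change it to `if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(ntlm_state); return -1; }`, and check the talloc result before the cli_credentials_* calls, which would otherwise dereference NULL. The return values of the cli_credentials_set_* calls and of cli_credentials_get_ntlm_username_domain are ignored; for a test that is tolerable, but a failed set_password would turn every case into a confusing WRONG_PASSWORD rather than a setup error. Minor: `return test_ntlm_allowed(state);` in a void function is a constraint violation in C99 that compilers only tolerate as an extension; a plain call statement is the clean form.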
||||||
|
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build |
||||||
|
index 475b7d69406..d319d9b879e 100644 |
||||||
|
--- a/libcli/auth/wscript_build |
||||||
|
+++ b/libcli/auth/wscript_build |
||||||
|
@@ -41,3 +41,16 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS', |
||||||
|
bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE', |
||||||
|
source='spnego_parse.c', |
||||||
|
deps='asn1util') |
||||||
|
+ |
||||||
|
+bld.SAMBA_BINARY( |
||||||
|
+ 'test_ntlm_check', |
||||||
|
+ source='tests/ntlm_check.c', |
||||||
|
+ deps=''' |
||||||
|
+ NTLM_CHECK |
||||||
|
+ CREDENTIALS_NTLM |
||||||
|
+ samba-credentials |
||||||
|
+ cmocka |
||||||
|
+ talloc |
||||||
|
+ ''', |
||||||
|
+ install=False |
||||||
|
+ ) |
||||||
|
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm |
||||||
|
new file mode 100644 |
||||||
|
index 00000000000..c6e6a3739ba |
||||||
|
--- /dev/null |
||||||
|
+++ b/selftest/knownfail.d/ntlm |
||||||
|
@@ -0,0 +1,2 @@ |
||||||
|
+^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied |
||||||
|
+^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\( |
||||||
|
diff --git a/selftest/tests.py b/selftest/tests.py |
||||||
|
index 3f5097b680c..dc6486c13f8 100644 |
||||||
|
--- a/selftest/tests.py |
||||||
|
+++ b/selftest/tests.py |
||||||
|
@@ -176,3 +176,5 @@ plantestsuite("samba.unittests.lib_util_modules", "none", |
||||||
|
|
||||||
|
plantestsuite("samba.unittests.smb1cli_session", "none", |
||||||
|
[os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")]) |
||||||
|
+plantestsuite("samba.unittests.ntlm_check", "none", |
||||||
|
+ [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")]) |
||||||
|
-- |
||||||
|
2.14.4 |
||||||
|
|
||||||
|
|
||||||
|
From 7a23af4b344ab3c9e9ba65bba5655f51a485c3b7 Mon Sep 17 00:00:00 2001 |
||||||
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
||||||
|
Date: Wed, 14 Mar 2018 15:36:05 +0100 |
||||||
|
Subject: [PATCH 3/6] CVE-2018-1139 libcli/auth: fix debug messages in |
||||||
|
hash_password_check() |
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 |
||||||
|
|
||||||
|
CVE-2018-1139: Weak authentication protocol allowed. |
||||||
|
|
||||||
|
Guenther |
||||||
|
|
||||||
|
Signed-off-by: Guenther Deschner <gd@samba.org> |
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org> |
||||||
|
--- |
||||||
|
libcli/auth/ntlm_check.c | 8 ++++---- |
||||||
|
1 file changed, 4 insertions(+), 4 deletions(-) |
||||||
|
|
||||||
|
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c |
||||||
|
index 3b02adc1d48..1c6499bd210 100644 |
||||||
|
--- a/libcli/auth/ntlm_check.c |
||||||
|
+++ b/libcli/auth/ntlm_check.c |
||||||
|
@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, |
||||||
|
const struct samr_Password *stored_nt) |
||||||
|
{ |
||||||
|
if (stored_nt == NULL) { |
||||||
|
- DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", |
||||||
|
+ DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n", |
||||||
|
username)); |
||||||
|
} |
||||||
|
|
||||||
|
@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, |
||||||
|
if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) { |
||||||
|
return NT_STATUS_OK; |
||||||
|
} else { |
||||||
|
- DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n", |
||||||
|
+ DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n", |
||||||
|
username)); |
||||||
|
return NT_STATUS_WRONG_PASSWORD; |
||||||
|
} |
||||||
|
|
||||||
|
} else if (client_lanman && stored_lanman) { |
||||||
|
if (!lanman_auth) { |
||||||
|
- DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n", |
||||||
|
+ DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n", |
||||||
|
username)); |
||||||
|
return NT_STATUS_WRONG_PASSWORD; |
||||||
|
} |
||||||
|
@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, |
||||||
|
if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) { |
||||||
|
return NT_STATUS_OK; |
||||||
|
} else { |
||||||
|
- DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n", |
||||||
|
+ DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n", |
||||||
|
username)); |
||||||
|
return NT_STATUS_WRONG_PASSWORD; |
||||||
|
} |
||||||
|
-- |
||||||
|
2.14.4 |
||||||
|
|
||||||
|
|
||||||
|
From fdb383c02e26305f4f312beae70bc5b8d4997a52 Mon Sep 17 00:00:00 2001 |
||||||
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
||||||
|
Date: Wed, 14 Mar 2018 15:35:01 +0100 |
||||||
|
Subject: [PATCH 4/6] CVE-2018-1139 s3-utils: use enum ntlm_auth_level in |
||||||
|
ntlm_password_check(). |
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 |
||||||
|
|
||||||
|
CVE-2018-1139: Weak authentication protocol allowed. |
||||||
|
|
||||||
|
Guenther |
||||||
|
|
||||||
|
Signed-off-by: Guenther Deschner <gd@samba.org> |
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org> |
||||||
|
--- |
||||||
|
source3/utils/ntlm_auth.c | 6 ++++-- |
||||||
|
1 file changed, 4 insertions(+), 2 deletions(-) |
||||||
|
|
||||||
|
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c |
||||||
|
index 3f544902a24..8f77680416f 100644 |
||||||
|
--- a/source3/utils/ntlm_auth.c |
||||||
|
+++ b/source3/utils/ntlm_auth.c |
||||||
|
@@ -1010,7 +1010,7 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context, |
||||||
|
*pauthoritative = 1; |
||||||
|
|
||||||
|
nt_status = ntlm_password_check(mem_ctx, |
||||||
|
- true, true, 0, |
||||||
|
+ true, NTLM_AUTH_ON, 0, |
||||||
|
&auth4_context->challenge.data, |
||||||
|
&user_info->password.response.lanman, |
||||||
|
&user_info->password.response.nt, |
||||||
|
@@ -1719,7 +1719,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod |
||||||
|
|
||||||
|
nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash); |
||||||
|
nt_status = ntlm_password_check(mem_ctx, |
||||||
|
- true, true, 0, |
||||||
|
+ true, |
||||||
|
+ NTLM_AUTH_ON, |
||||||
|
+ 0, |
||||||
|
&challenge, |
||||||
|
&lm_response, |
||||||
|
&nt_response, |
||||||
|
-- |
||||||
|
2.14.4 |
||||||
|
|
||||||
|
|
||||||
|
From 69662890219c8ff58619b47b24d2a7a4bdb08de8 Mon Sep 17 00:00:00 2001 |
||||||
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
||||||
|
Date: Fri, 16 Mar 2018 17:25:12 +0100 |
||||||
|
Subject: [PATCH 5/6] CVE-2018-1139 selftest: verify whether ntlmv1 can be used |
||||||
|
via SMB1 when it is disabled. |
||||||
|
|
||||||
|
Right now, this test will succeed. |
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 |
||||||
|
|
||||||
|
CVE-2018-1139: Weak authentication protocol allowed. |
||||||
|
|
||||||
|
Guenther |
||||||
|
|
||||||
|
Signed-off-by: Guenther Deschner <gd@samba.org> |
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org> |
||||||
|
--- |
||||||
|
source3/selftest/tests.py | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py |
||||||
|
index 9092c1776c8..034c014e5b8 100755 |
||||||
|
--- a/source3/selftest/tests.py |
||||||
|
+++ b/source3/selftest/tests.py |
||||||
|
@@ -187,7 +187,7 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb |
||||||
|
plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration]) |
||||||
|
plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration]) |
||||||
|
|
||||||
|
-for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]: |
||||||
|
+for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", ""]: |
||||||
|
for env in ["nt4_member", "ad_member"]: |
||||||
|
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options]) |
||||||
|
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options]) |
||||||
|
-- |
||||||
|
2.14.4 |
||||||
|
|
||||||
|
|
||||||
|
From 9511ba41455865104c3c06f834dd44787a3044bd Mon Sep 17 00:00:00 2001 |
||||||
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
||||||
|
Date: Tue, 13 Mar 2018 16:56:20 +0100 |
||||||
|
Subject: [PATCH 6/6] CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 |
||||||
|
when it is disabled via "ntlm auth". |
||||||
|
|
||||||
|
This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0. |
||||||
|
|
||||||
|
Found by Vivek Das <vdas@redhat.com> (Red Hat QE). |
||||||
|
|
||||||
|
In order to demonstrate simply run: |
||||||
|
|
||||||
|
smbclient //server/share -U user%password -mNT1 -c quit \ |
||||||
|
--option="client ntlmv2 auth"=no \ |
||||||
|
--option="client use spnego"=no |
||||||
|
|
||||||
|
against a server that uses "ntlm auth = ntlmv2-only" (our default |
||||||
|
setting). |
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 |
||||||
|
|
||||||
|
CVE-2018-1139: Weak authentication protocol allowed. |
||||||
|
|
||||||
|
Guenther |
||||||
|
|
||||||
|
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> |
||||||
|
Signed-off-by: Guenther Deschner <gd@samba.org> |
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org> |
||||||
|
--- |
||||||
|
libcli/auth/ntlm_check.c | 2 +- |
||||||
|
selftest/knownfail | 3 ++- |
||||||
|
selftest/knownfail.d/ntlm | 2 -- |
||||||
|
3 files changed, 3 insertions(+), 4 deletions(-) |
||||||
|
delete mode 100644 selftest/knownfail.d/ntlm |
||||||
|
|
||||||
|
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c |
||||||
|
index 1c6499bd210..b68e9c87888 100644 |
||||||
|
--- a/libcli/auth/ntlm_check.c |
||||||
|
+++ b/libcli/auth/ntlm_check.c |
||||||
|
@@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, |
||||||
|
- I think this is related to Win9X pass-though authentication |
||||||
|
*/ |
||||||
|
DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n")); |
||||||
|
- if (ntlm_auth) { |
||||||
|
+ if (ntlm_auth == NTLM_AUTH_ON) { |
||||||
|
if (smb_pwd_check_ntlmv1(mem_ctx, |
||||||
|
lm_response, |
||||||
|
stored_nt->hash, challenge, |
||||||
|
diff --git a/selftest/knownfail b/selftest/knownfail |
||||||
|
index ba16fd72290..84776d4f35d 100644 |
||||||
|
--- a/selftest/knownfail |
||||||
|
+++ b/selftest/knownfail |
||||||
|
@@ -303,8 +303,9 @@ |
||||||
|
^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\) |
||||||
|
# fl2000dc doesn't support AES |
||||||
|
^samba4.krb5.kdc.*as-req-aes.*fl2000dc |
||||||
|
-# nt4_member and ad_member don't support ntlmv1 |
||||||
|
+# nt4_member and ad_member don't support ntlmv1 (not even over SMB1) |
||||||
|
^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user |
||||||
|
+^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user |
||||||
|
#nt-vfs server blocks read with execute access |
||||||
|
^samba4.smb2.read.access |
||||||
|
#ntvfs server blocks copychunk with execute access on read handle |
||||||
|
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm |
||||||
|
deleted file mode 100644 |
||||||
|
index c6e6a3739ba..00000000000 |
||||||
|
--- a/selftest/knownfail.d/ntlm |
||||||
|
+++ /dev/null |
||||||
|
@@ -1,2 +0,0 @@ |
||||||
|
-^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied |
||||||
|
-^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\( |
||||||
|
-- |
||||||
|
2.14.4 |
||||||
|
|
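--- /dev/null
+++ b/[path not shown on page: MIT Kerberos 5 Support README]
@@ -0,0 +1,20 @@
+MIT Kerberos 5 Support
+=======================
+
+Fedora is using MIT Kerberos implementation as its Kerberos infrastructure of
+choice. The Samba build in Fedora is using MIT Kerberos implementation in order
+to allow system-wide interoperability between both desktop and server
+applications running on the same machine.
+
+At the moment the Samba Active Directory Domain Controller implementation is
+not available with MIT Kereberos. FreeIPA and Samba Team members are currently
+working on Samba MIT Kerberos support as this is a requirement for a GNU/Linux
+distribution integration of Samba AD DC features.
+
+We have just finished migrating the file server and all client utilities to MIT
+Kerberos. The result of this work is available in samba-* packages in Fedora.
+We'll provide Samba AD DC functionality as soon as its support of MIT Kerberos
+KDC will be ready.
+
+In case of further questions do not hesitate to send your inquiries to
+samba-owner@fedoraproject.org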
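--- /dev/null
+++ b/[path not shown on page: Downgrading Samba README]
@@ -0,0 +1,29 @@
+Downgrading Samba
+=================
+
+Short version: data-preserving downgrades between Samba versions are not supported
+
+Long version:
+With Samba development there are cases when on-disk database format evolves.
+In general, Samba Team attempts to maintain forward compatibility and
+automatically upgrade databases during runtime when requires.
+However, when downgrade is required Samba will not perform downgrade to
+existing databases. It may be impossible if new features that caused database
+upgrade are in use. Thus, one needs to consider a downgrade procedure before
+actually downgrading Samba setup.
+
+Please always perform back up prior both upgrading and downgrading across major
+version changes. Restoring database files is easiest and simplest way to get to
+previously working setup.
+
+Easiest way to downgrade is to remove all created databases and start from scratch.
+This means losing all authentication and domain relationship data, as well as
+user databases (in case of tdb storage), printers, registry settings, and winbindd
+caches.
+
+Remove databases in following locations:
+/var/lib/samba/*.tdb
+/var/lib/samba/private/*.tdb
+
+In particular, registry settings are known to prevent running downgraded versions
+(Samba 4 to Samba 3) as registry format has changed between Samba 3 and Samba 4.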
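--- /dev/null
+++ b/[path not shown on page: pam_winbind.conf]
@@ -0,0 +1,38 @@
+#
+# pam_winbind configuration file
+#
+# /etc/security/pam_winbind.conf
+#
+
+[global]
+
+# turn on debugging
+;debug = no
+
+# turn on extended PAM state debugging
+;debug_state = no
+
+# request a cached login if possible
+# (needs "winbind offline logon = yes" in smb.conf)
+;cached_login = no
+
+# authenticate using kerberos
+;krb5_auth = no
+
+# when using kerberos, request a "FILE" krb5 credential cache type
+# (leave empty to just do krb5 authentication but not have a ticket
+# afterwards)
+;krb5_ccache_type =
+
+# make successful authentication dependend on membership of one SID
+# (can also take a name)
+;require_membership_of =
+
+# password expiry warning period in days
+;warn_pwd_expire = 14
+
+# omit pam conversations
+;silent = no
+
+# create homedirectory on the fly
+;mkhomedir = no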
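--- /dev/null
+++ b/[path not shown on page: krb5_plugin patch series, bug 13489]
@@ -0,0 +1,270 @@
+From 341da4f38809d0efaa282d5281ee69c62a826f9a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 27 Jun 2018 14:06:39 +0200
+Subject: [PATCH 1/4] krb5_plugin: Install plugins to krb5 modules dir
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+nsswitch/wscript_build | 12 +++++++-----
+1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
+index 15e93db2f05..576855bb56c 100644
+--- a/nsswitch/wscript_build
++++ b/nsswitch/wscript_build
+@@ -105,16 +105,18 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
+)
+
+if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
+- bld.SAMBA_LIBRARY('winbind_krb5_locator',
+- source='winbind_krb5_locator.c',
+- deps='wbclient krb5 com_err',
+- realname='winbind_krb5_locator.so')
++ bld.SAMBA_LIBRARY('winbind_krb5_locator',
++ source='winbind_krb5_locator.c',
++ deps='wbclient krb5 com_err',
++ realname='winbind_krb5_locator.so',
++ install_path='${MODULESDIR}/krb5')
+
+if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
+bld.SAMBA_LIBRARY('winbind_krb5_localauth',
+source='krb5_plugin/winbind_krb5_localauth.c',
+deps='wbclient krb5 com_err',
+- realname='winbind-krb5-localauth.so')
++ realname='winbind_krb5_localauth.so',
++ install_path='${MODULESDIR}/krb5')
+
+bld.SAMBA_SUBSYSTEM('WB_REQTRANS',
+source='wb_reqtrans.c',
+--
+2.17.1
+
+
+From a1e9527b207b4bb045012cf78649362b42351313 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 27 Jun 2018 14:08:56 +0200
+Subject: [PATCH 2/4] krb5_plugin: Move krb5 locator plugin to krb5_plugin
+subdir
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c | 0
+nsswitch/wscript_build | 2 +-
+2 files changed, 1 insertion(+), 1 deletion(-)
+rename nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c (100%)
+
+diff --git a/nsswitch/winbind_krb5_locator.c b/nsswitch/krb5_plugin/winbind_krb5_locator.c
+similarity index 100%
+rename from nsswitch/winbind_krb5_locator.c
+rename to nsswitch/krb5_plugin/winbind_krb5_locator.c
+diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
+index 576855bb56c..dd1952b799b 100644
+--- a/nsswitch/wscript_build
++++ b/nsswitch/wscript_build
+@@ -106,7 +106,7 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
+
+if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
+bld.SAMBA_LIBRARY('winbind_krb5_locator',
+- source='winbind_krb5_locator.c',
++ source='krb5_plugin/winbind_krb5_locator.c',
+deps='wbclient krb5 com_err',
+realname='winbind_krb5_locator.so',
+install_path='${MODULESDIR}/krb5')
+--
+2.17.1
+
+
+From b0fa360161aba9aa092bf4ecf0533a49d621a068 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 27 Jun 2018 15:14:15 +0200
+Subject: [PATCH 3/4] docs: Move winbind_krb5_locator manpage to volume 8
+
+The vfs and idmap manpages are in volume 8 too.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+...inbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} | 6 +++---
+docs-xml/wscript_build | 2 +-
+2 files changed, 4 insertions(+), 4 deletions(-)
+rename docs-xml/manpages/{winbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} (96%)
+
+diff --git a/docs-xml/manpages/winbind_krb5_locator.7.xml b/docs-xml/manpages/winbind_krb5_locator.8.xml
+similarity index 96%
+rename from docs-xml/manpages/winbind_krb5_locator.7.xml
+rename to docs-xml/manpages/winbind_krb5_locator.8.xml
+index 17e401a9da0..0af0c2cc95f 100644
+--- a/docs-xml/manpages/winbind_krb5_locator.7.xml
++++ b/docs-xml/manpages/winbind_krb5_locator.8.xml
+@@ -1,12 +1,12 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+-<refentry id="winbind_krb5_locator.7">
++<refentry id="winbind_krb5_locator.8">
+
+<refmeta>
+<refentrytitle>winbind_krb5_locator</refentrytitle>
+- <manvolnum>7</manvolnum>
++ <manvolnum>8</manvolnum>
+<refmiscinfo class="source">Samba</refmiscinfo>
+- <refmiscinfo class="manual">7</refmiscinfo>
++ <refmiscinfo class="manual">8</refmiscinfo>
+<refmiscinfo class="version">&doc.version;</refmiscinfo>
+</refmeta>
+
+diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
+index 954c62a29bc..2d686eb38b0 100644
+--- a/docs-xml/wscript_build
++++ b/docs-xml/wscript_build
+@@ -103,7 +103,7 @@ pam_winbind_manpages = '''
+manpages/pam_winbind.conf.5
+'''
+
+-krb5_locator_manpages = 'manpages/winbind_krb5_locator.7'
++krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
+
+def smbdotconf_generate_parameter_list(task):
+parameter_all = task.outputs[0].bldpath(task.env)
+--
+2.17.1
+
+
+From d16a8b65af5de19c1ccbb95e3542d01f77696be3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 27 Jun 2018 15:06:07 +0200
+Subject: [PATCH 4/4] docs: Add manpage for winbind_krb5_localauth.8
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+.../manpages/winbind_krb5_localauth.8.xml | 86 +++++++++++++++++++
+docs-xml/wscript_build | 4 +
+2 files changed, 90 insertions(+)
+create mode 100644 docs-xml/manpages/winbind_krb5_localauth.8.xml
+
+diff --git a/docs-xml/manpages/winbind_krb5_localauth.8.xml b/docs-xml/manpages/winbind_krb5_localauth.8.xml
+new file mode 100644
+index 00000000000..a382e71ead3
+--- /dev/null
++++ b/docs-xml/manpages/winbind_krb5_localauth.8.xml
+@@ -0,0 +1,86 @@
++<?xml version="1.0" encoding="iso-8859-1"?>
++<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
++<refentry id="winbind_krb5_localauth.8">
++
++<refmeta>
++ <refentrytitle>winbind_krb5_localauth</refentrytitle>
++ <manvolnum>8</manvolnum>
++ <refmiscinfo class="source">Samba</refmiscinfo>
++ <refmiscinfo class="manual">8</refmiscinfo>
++ <refmiscinfo class="version">&doc.version;</refmiscinfo>
++</refmeta>
++
++
++<refnamediv>
++ <refname>winbind_krb5_localauth</refname>
++ <refpurpose>A plugin for MIT Kerberos for mapping user accounts.</refpurpose>
++</refnamediv>
++
++
++<refsect1>
++ <title>DESCRIPTION</title>
++
++ <para>
++ This plugin is part of the
++ <citerefentry><refentrytitle>samba</refentrytitle>
++ <manvolnum>7</manvolnum></citerefentry> suite.
++ </para>
++
++ <para>
++ <command>winbind_krb5_localauth</command> is a plugin that
++ permits the MIT Kerberos libraries that Kerberos principals can
++ be validated against local user accounts.
++ </para>
++</refsect1>
++<refsect1>
++ <title>PREREQUISITES</title>
++ <para>
++ MIT Kerberos (at least version 1.12) is required.
++ </para>
++
++ <para>
++ The plugin queries the <citerefentry><refentrytitle>winbindd</refentrytitle>
++ <manvolnum>8</manvolnum></citerefentry> daemon which needs to be configured
++ and started separately.
++ </para>
++
++ <para>
++ The following sections needs to be added to the
++ <filename>krb5.conf</filename> file.
++
++ <programlisting>
++[plugins]
++ localauth = {
++ module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
++ enable_only = winbind
++ }
++ </programlisting>
++ </para>
++</refsect1>
++
++<refsect1>
++ <title>VERSION</title>
++
++ <para>
++ This man page is part of version &doc.version; of the Samba
++ suite.
++ </para>
++</refsect1>
++
++<refsect1>
++ <title>AUTHOR</title>
++
++ <para>
++ The original Samba software and related utilities were created
++ by Andrew Tridgell. Samba is now developed by the Samba Team as
++ an Open Source project similar to the way the Linux kernel is
++ developed.
++ </para>
++
++ <para>
++ The winbind_krb5_localauth manpage was written by Andreas
++ Schneider.
++ </para>
++</refsect1>
++
++</refentry>
+diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
+index 2d686eb38b0..ec5d28fc62a 100644
+--- a/docs-xml/wscript_build
++++ b/docs-xml/wscript_build
+@@ -104,6 +104,7 @@ pam_winbind_manpages = '''
+'''
+
+krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
++krb5_localauth_manpages = 'manpages/winbind_krb5_localauth.8'
+
+def smbdotconf_generate_parameter_list(task):
+parameter_all = task.outputs[0].bldpath(task.env)
+@@ -162,5 +163,8 @@ if ('XSLTPROC_MANPAGES' in bld.env and bld.env['XSLTPROC_MANPAGES']):
+if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
+bld.SAMBAMANPAGES(krb5_locator_manpages)
+
++ if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
++ bld.SAMBAMANPAGES(krb5_localauth_manpages)
++
+if bld.SAMBA3_IS_ENABLED_MODULE('vfs_zfsacl'):
+bld.SAMBAMANPAGES('manpages/vfs_zfsacl.8')
+--
+2.17.1
+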
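Review bot: The new manpage's krb5.conf example hard-codes `module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so` while the build script in the same series installs the plugin under `install_path='${MODULESDIR}/krb5'`, so the documented path is only correct on builds whose modules directory is /usr/lib64/samba; a sentence in the PREREQUISITES paragraph saying that the module path follows the build's Samba modules directory would keep the manpage and the install rule in step. The DESCRIPTION sentence `permits the MIT Kerberos libraries that Kerberos principals can be validated against local user accounts` does not parse; suggested wording: `allows the MIT Kerberos libraries to validate Kerberos principals against local user accounts`. `The following sections needs to be added` should read `The following section needs to be added`, since a single [plugins] stanza follows.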
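--- /dev/null
+++ b/[path not shown on page: nsswitch/winbind patch series, bug 13503]
@@ -0,0 +1,216 @@
+From 091731ca7cc89c10f698a8d52e0ade1a07bde0d3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 2 Jul 2018 16:18:52 +0200
+Subject: [PATCH 1/2] nsswitch: Add tests to lookup user via getpwnam
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 8e96e9ea46351de34ad5cac9a9a9ece4226b462c)
+---
+nsswitch/tests/test_wbinfo_user_info.sh | 71 ++++++++++++++++++++++++++++-----
+selftest/knownfail.d/upn_handling | 2 +
+source3/selftest/tests.py | 4 +-
+3 files changed, 66 insertions(+), 11 deletions(-)
+
+diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh
+index 2803ac1408b..da30f97be74 100755
+--- a/nsswitch/tests/test_wbinfo_user_info.sh
++++ b/nsswitch/tests/test_wbinfo_user_info.sh
+@@ -2,19 +2,20 @@
+# Blackbox test for wbinfo lookup for account name and upn
+# Copyright (c) 2018 Andreas Schneider <asn@samba.org>
+
+-if [ $# -lt 5 ]; then
++if [ $# -lt 6 ]; then
+cat <<EOF
+-Usage: $(basename $0) DOMAIN REALM USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
++Usage: $(basename $0) DOMAIN REALM OWN_DOMAIN USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
+EOF
+exit 1;
+fi
+
+DOMAIN=$1
+REALM=$2
+-USERNAME1=$3
+-UPN_NAME1=$4
+-USERNAME2=$5
+-UPN_NAME2=$6
++OWN_DOMAIN=$3
++USERNAME1=$4
++UPN_NAME1=$5
++USERNAME2=$6
++UPN_NAME2=$7
+shift 6
+
+failed=0
+@@ -31,9 +32,9 @@ test_user_info()
+{
+local cmd out ret user domain upn userinfo
+
+- domain="$1"
+- user="$2"
+- upn="$3"
++ local domain="$1"
++ local user="$2"
++ local upn="$3"
+
+if [ $# -lt 3 ]; then
+userinfo="$domain/$user"
+@@ -62,6 +63,39 @@ test_user_info()
+return 0
+}
+
++test_getpwnam()
++{
++ local cmd out ret
++
++ local lookup_username=$1
++ local expected_return=$2
++ local expected_output=$3
++
++ cmd='getent passwd $lookup_username'
++ eval echo "$cmd"
++ out=$(eval $cmd)
++ ret=$?
++
++ if [ $ret -ne $expected_return ]; then
++ echo "return code: $ret, expected return code is: $expected_return"
++ echo "$out"
++ return 1
++ fi
++
++ if [ -n "$expected_output" ]; then
++ echo "$out" | grep "$expected_output"
++ ret=$?
++
++ if [ $ret -ne 0 ]; then
++ echo "Unable to find $expected_output in:"
++ echo "$out"
++ return 1
++ fi
++ fi
++
++ return 0
++}
++
+testit "name_to_sid.domain.$USERNAME1" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME1 || failed=$(expr $failed + 1)
+testit "name_to_sid.upn.$UPN_NAME1" $wbinfo_tool --name-to-sid $UPN1 || failed=$(expr $failed + 1)
+
+@@ -80,4 +114,23 @@ UPN3="$UPN_NAME3@${REALM}.upn"
+testit "name_to_sid.upn.$UPN_NAME3" $wbinfo_tool --name-to-sid $UPN3 || failed=$(expr $failed + 1)
+testit "user_info.upn.$UPN_NAME3" test_user_info $DOMAIN $USERNAME3 $UPN3 || failed=$(expr $failed + 1)
+
++testit "getpwnam.domain.$DOMAIN.$USERNAME1" test_getpwnam "$DOMAIN/$USERNAME1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
++
++testit "getpwnam.upn.$UPN_NAME1" test_getpwnam "$UPN1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
++
++# We should not be able to lookup the user just by the name
++test_ret=0
++test_output="$DOMAIN/$USERNAME1"
++
++if [ "$ENVNAME" = "ad_member" ]; then
++ test_ret=2
++ test_output=""
++fi
++if [ "$ENVNAME" = "fl2008r2dc" ]; then
++ test_ret=0
++ test_output="$OWN_DOMAIN/$USERNAME1"
++fi
++
++testit "getpwnam.local.$USERNAME1" test_getpwnam "$USERNAME1" $test_ret $test_output || failed=$(expr $failed + 1)
++
+exit $failed
+diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
+index bcbedb4f903..7dc9b71dc5e 100644
+--- a/selftest/knownfail.d/upn_handling
++++ b/selftest/knownfail.d/upn_handling
+@@ -1,8 +1,10 @@
+^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
+^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
++^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
+^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
+^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
++^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index f43d2b14d3a..a9cb2dad792 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -216,13 +216,13 @@ env = "ad_member:local"
+plantestsuite("samba3.wbinfo_user_info", env,
+[ os.path.join(srcdir(),
+"nsswitch/tests/test_wbinfo_user_info.sh"),
+- '$DOMAIN', '$REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
++ '$DOMAIN', '$REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
+
+env = "fl2008r2dc:local"
+plantestsuite("samba3.wbinfo_user_info", env,
+[ os.path.join(srcdir(),
+"nsswitch/tests/test_wbinfo_user_info.sh"),
+- '$TRUST_DOMAIN', '$TRUST_REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
++ '$TRUST_DOMAIN', '$TRUST_REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
+
+env = "ad_member"
+t = "WBCLIENT-MULTI-PING"
+--
+2.13.6
+
+
+From 495f43f5fa972076de996f9c639657672e378c7d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 2 Jul 2018 16:38:01 +0200
+Subject: [PATCH 2/2] s3:winbind: Do not lookup local system accounts in AD
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+
+Autobuild-User(master): Ralph Böhme <slow@samba.org>
+Autobuild-Date(master): Wed Jul 4 23:55:56 CEST 2018 on sn-devel-144
+
+(cherry picked from commit 9f28d30633af721efec02d8816a9fa48f795a01c)
+---
+selftest/knownfail.d/upn_handling | 2 --
+source3/winbindd/winbindd_util.c | 2 ++
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
+index 7dc9b71dc5e..bcbedb4f903 100644
+--- a/selftest/knownfail.d/upn_handling
++++ b/selftest/knownfail.d/upn_handling
+@@ -1,10 +1,8 @@
+^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
+^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
+-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
+^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
+^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
+-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index aa633419c9a..7a5fb73cdef 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -1605,6 +1605,8 @@ bool parse_domain_user(const char *domuser,
+} else if (assume_domain(lp_workgroup())) {
+fstrcpy(domain, lp_workgroup());
+fstrcpy(namespace, domain);
++ } else {
++ fstrcpy(namespace, lp_netbios_name());
+}
+}
+
+--
+2.13.6
+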
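Review bot: The positional-argument bookkeeping in test_wbinfo_user_info.sh is now inconsistent: the script assigns seven parameters (`+OWN_DOMAIN=$3` through `+UPN_NAME2=$7`) but the context line `shift 6` still discards only six, so anything later in the script that reads the remaining `$@` (not visible in this hunk) would see the UPN_NAME2 value as its first leftover argument; `shift 7` matches the new layout. The usage guard `+if [ $# -lt 6 ]; then` accepts six arguments although the usage text now lists seven, which lets UPN_NAME2 silently end up empty; `-lt 7` is the value the usage text implies. In the new `test_getpwnam`, `cmd='getent passwd $lookup_username'` is single-quoted and then passed to `eval`, so the lookup name is re-parsed by the shell; `out=$(getent passwd "$lookup_username")` does the same job without the second parse and without losing the quoting. The script body continues outside the hunks shown.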
@ -0,0 +1,64 @@ |
|||||||
|
From a922e4e22c470fbfc7ef1b1ac1645a81f59d1846 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Justin Stephenson <jstephen@redhat.com> |
||||||
|
Date: Mon, 25 Jun 2018 09:58:56 -0400 |
||||||
|
Subject: [PATCH 1/2] s3:client: Add --quiet option to smbclient |
||||||
|
MIME-Version: 1.0 |
||||||
|
Content-Type: text/plain; charset=UTF-8 |
||||||
|
Content-Transfer-Encoding: 8bit |
||||||
|
|
||||||
|
Add quiet command-line argument to allow suppressing the help log |
||||||
|
message printed automatically after establishing a smbclient connection |
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13485 |
||||||
|
|
||||||
|
Signed-off-by: Justin Stephenson <jstephen@redhat.com> |
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org> |
||||||
|
Reviewed-by: Björn Baumbach <bb@sernet.de> |
||||||
|
(cherry picked from commit 89a8b3ecd47b6d9a33e66f22d2786f0ae3b4cb72) |
||||||
|
--- |
||||||
|
source3/client/client.c | 9 ++++++++- |
||||||
|
1 file changed, 8 insertions(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/source3/client/client.c b/source3/client/client.c |
||||||
|
index 2c1c76036f7..c836e5a0477 100644 |
||||||
|
--- a/source3/client/client.c |
||||||
|
+++ b/source3/client/client.c |
||||||
|
@@ -52,6 +52,7 @@ static int port = 0; |
||||||
|
static char *service; |
||||||
|
static char *desthost; |
||||||
|
static bool grepable = false; |
||||||
|
+static bool quiet = false; |
||||||
|
static char *cmdstr = NULL; |
||||||
|
const char *cmd_ptr = NULL; |
||||||
|
|
||||||
|
@@ -6059,7 +6060,9 @@ static int process_stdin(void) |
||||||
|
{ |
||||||
|
int rc = 0; |
||||||
|
|
||||||
|
- d_printf("Try \"help\" to get a list of possible commands.\n"); |
||||||
|
+ if (!quiet) { |
||||||
|
+ d_printf("Try \"help\" to get a list of possible commands.\n"); |
||||||
|
+ } |
||||||
|
|
||||||
|
while (!finished) { |
||||||
|
TALLOC_CTX *frame = talloc_stackframe(); |
||||||
|
@@ -6329,6 +6332,7 @@ int main(int argc,char *argv[]) |
||||||
|
{ "timeout", 't', POPT_ARG_INT, &io_timeout, 'b', "Changes the per-operation timeout", "SECONDS" }, |
||||||
|
{ "port", 'p', POPT_ARG_INT, &port, 'p', "Port to connect to", "PORT" }, |
||||||
|
{ "grepable", 'g', POPT_ARG_NONE, NULL, 'g', "Produce grepable output" }, |
||||||
|
+ { "quiet", 'q', POPT_ARG_NONE, NULL, 'q', "Suppress help message" }, |
||||||
|
{ "browse", 'B', POPT_ARG_NONE, NULL, 'B', "Browse SMB servers using DNS" }, |
||||||
|
POPT_COMMON_SAMBA |
||||||
|
POPT_COMMON_CONNECTION |
||||||
|
@@ -6451,6 +6455,9 @@ int main(int argc,char *argv[]) |
||||||
|
case 'g': |
||||||
|
grepable=true; |
||||||
|
break; |
||||||
|
+ case 'q': |
||||||
|
+ quiet=true; |
||||||
|
+ break; |
||||||
|
case 'e': |
||||||
|
smb_encrypt=true; |
||||||
|
break; |
||||||
|
-- |
||||||
|
2.17.1 |
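Review bot: The help string `"Suppress help message"` on the new `{ "quiet", 'q', POPT_ARG_NONE, NULL, 'q', ... }` entry reads as if the flag disabled `--help`, while the only use of `quiet` in the patch is the guard around the `Try "help"` line in process_stdin(); `"Suppress the help hint printed when an interactive session starts"` says what it does. The short letter 'q' is not defined in the option rows visible here, but `POPT_COMMON_SAMBA` and `POPT_COMMON_CONNECTION` are expanded immediately below and are not shown, so a collision check against those tables belongs in the backport notes. The patch does not touch the manual page; if the companion 2/2 patch does not either, `-q`/`--quiet` should be added to smbclient.1. Both process_stdin() and main() extend beyond the hunks shown.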
@ -0,0 +1,7 @@ |
|||||||
|
/var/log/samba/* { |
||||||
|
notifempty |
||||||
|
olddir /var/log/samba/old |
||||||
|
missingok |
||||||
|
sharedscripts |
||||||
|
copytruncate |
||||||
|
} |
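Review bot: The glob `/var/log/samba/*` also matches the `old` directory named by the `olddir /var/log/samba/old` line beneath it, so logrotate is asked to rotate its own archive directory; I expect it to skip a non-regular file, possibly with a logged error, but `/var/log/samba/log.*` expresses the intent (the shipped smb.conf in this commit writes `/var/log/samba/log.%m`) without relying on that. `missingok` covers absent log files, not an absent `olddir`, so as far as I recall the package must create `/var/log/samba/old` for rotation to succeed at all.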
@ -0,0 +1,6 @@ |
|||||||
|
#%PAM-1.0 |
||||||
|
auth required pam_nologin.so |
||||||
|
auth include password-auth |
||||||
|
account include password-auth |
||||||
|
session include password-auth |
||||||
|
password include password-auth |
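Review bot: Nothing in this stack records when smbd consults it, which matters because the `auth` line is, as far as I recall, only reached for plaintext-password logons (NTLM hashes cannot be run through PAM), while `account`/`session` take effect under `obey pam restrictions = yes` and `password` under `pam password change = yes`; a header comment after `#%PAM-1.0` would stop the next admin from assuming `pam_nologin.so` alone blocks SMB logons system-wide. Something like `# Consulted by smbd only with obey pam restrictions / pam password change set; the auth phase applies to plaintext passwords only` is enough. The `required` (rather than `requisite`) control on `pam_nologin.so` means the included modules still run after a nologin failure, which is the usual choice and fine here.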
@ -0,0 +1,313 @@ |
|||||||
|
# This is the main Samba configuration file. For detailed information about the |
||||||
|
# options listed here, refer to the smb.conf(5) manual page. Samba has a huge |
||||||
|
# number of configurable options, most of which are not shown in this example. |
||||||
|
# |
||||||
|
# The Samba Wiki contains a lot of step-by-step guides installing, configuring, |
||||||
|
# and using Samba: |
||||||
|
# https://wiki.samba.org/index.php/User_Documentation |
||||||
|
# |
||||||
|
# In this file, lines starting with a semicolon (;) or a hash (#) are |
||||||
|
# comments and are ignored. This file uses hashes to denote commentary and |
||||||
|
# semicolons for parts of the file you may wish to configure. |
||||||
|
# |
||||||
|
# NOTE: Run the "testparm" command after modifying this file to check for basic |
||||||
|
# syntax errors. |
||||||
|
# |
||||||
|
#--------------- |
||||||
|
# Security-Enhanced Linux (SELinux) Notes: |
||||||
|
# |
||||||
|
# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the |
||||||
|
# useradd and groupadd family of binaries. Run the following command as the |
||||||
|
# root user to turn this Boolean on: |
||||||
|
# setsebool -P samba_domain_controller on |
||||||
|
# |
||||||
|
# Turn the samba_enable_home_dirs Boolean on if you want to share home |
||||||
|
# directories via Samba. Run the following command as the root user to turn this |
||||||
|
# Boolean on: |
||||||
|
# setsebool -P samba_enable_home_dirs on |
||||||
|
# |
||||||
|
# If you create a new directory, such as a new top-level directory, label it |
||||||
|
# with samba_share_t so that SELinux allows Samba to read and write to it. Do |
||||||
|
# not label system directories, such as /etc/ and /home/, with samba_share_t, as |
||||||
|
# such directories should already have an SELinux label. |
||||||
|
# |
||||||
|
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux |
||||||
|
# label for a given directory. |
||||||
|
# |
||||||
|
# Set SELinux labels only on files and directories you have created. Use the |
||||||
|
# chcon command to temporarily change a label: |
||||||
|
# chcon -t samba_share_t /path/to/directory |
||||||
|
# |
||||||
|
# Changes made via chcon are lost when the file system is relabeled or commands |
||||||
|
# such as restorecon are run. |
||||||
|
# |
||||||
|
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system |
||||||
|
# directories. To share such directories and only allow read-only permissions: |
||||||
|
# setsebool -P samba_export_all_ro on |
||||||
|
# To share such directories and allow read and write permissions: |
||||||
|
# setsebool -P samba_export_all_rw on |
||||||
|
# |
||||||
|
# To run scripts (preexec/root prexec/print command/...), copy them to the |
||||||
|
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them. |
||||||
|
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain |
||||||
|
# their existing SELinux labels, which may be labels that SELinux does not allow |
||||||
|
# smbd to run. Copying the scripts will result in the correct SELinux labels. |
||||||
|
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to |
||||||
|
# apply the correct SELinux labels to these files. |
||||||
|
# |
||||||
|
#-------------- |
||||||
|
# |
||||||
|
#======================= Global Settings ===================================== |
||||||
|
|
||||||
|
[global] |
||||||
|
|
||||||
|
# ----------------------- Network-Related Options ------------------------- |
||||||
|
# |
||||||
|
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP. |
||||||
|
# |
||||||
|
# server string = the equivalent of the Windows NT Description field. |
||||||
|
# |
||||||
|
# netbios name = used to specify a server name that is not tied to the hostname, |
||||||
|
# maximum is 15 characters. |
||||||
|
# |
||||||
|
# interfaces = used to configure Samba to listen on multiple network interfaces. |
||||||
|
# If you have multiple interfaces, you can use the "interfaces =" option to |
||||||
|
# configure which of those interfaces Samba listens on. Never omit the localhost |
||||||
|
# interface (lo). |
||||||
|
# |
||||||
|
# hosts allow = the hosts allowed to connect. This option can also be used on a |
||||||
|
# per-share basis. |
||||||
|
# |
||||||
|
# hosts deny = the hosts not allowed to connect. This option can also be used on |
||||||
|
# a per-share basis. |
||||||
|
# |
||||||
|
workgroup = MYGROUP |
||||||
|
server string = Samba Server Version %v |
||||||
|
|
||||||
|
; netbios name = MYSERVER |
||||||
|
|
||||||
|
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 |
||||||
|
; hosts allow = 127. 192.168.12. 192.168.13. |
||||||
|
|
||||||
|
# --------------------------- Logging Options ----------------------------- |
||||||
|
# |
||||||
|
# log file = specify where log files are written to and how they are split. |
||||||
|
# |
||||||
|
# max log size = specify the maximum size log files are allowed to reach. Log |
||||||
|
# files are rotated when they reach the size specified with "max log size". |
||||||
|
# |
||||||
|
|
||||||
|
# log files split per-machine: |
||||||
|
log file = /var/log/samba/log.%m |
||||||
|
# maximum size of 50KB per log file, then rotate: |
||||||
|
max log size = 50 |
||||||
|
|
||||||
|
# ----------------------- Standalone Server Options ------------------------ |
||||||
|
# |
||||||
|
# security = the mode Samba runs in. This can be set to user, share |
||||||
|
# (deprecated), or server (deprecated). |
||||||
|
# |
||||||
|
# passdb backend = the backend used to store user information in. New |
||||||
|
# installations should use either tdbsam or ldapsam. No additional configuration |
||||||
|
# is required for tdbsam. The "smbpasswd" utility is available for backwards |
||||||
|
# compatibility. |
||||||
|
# |
||||||
|
|
||||||
|
security = user |
||||||
|
passdb backend = tdbsam |
||||||
|
|
||||||
|
|
||||||
|
# ----------------------- Domain Members Options ------------------------ |
||||||
|
# |
||||||
|
# security = must be set to domain or ads. |
||||||
|
# |
||||||
|
# passdb backend = the backend used to store user information in. New |
||||||
|
# installations should use either tdbsam or ldapsam. No additional configuration |
||||||
|
# is required for tdbsam. The "smbpasswd" utility is available for backwards |
||||||
|
# compatibility. |
||||||
|
# |
||||||
|
# realm = only use the realm option when the "security = ads" option is set. |
||||||
|
# The realm option specifies the Active Directory realm the host is a part of. |
||||||
|
# |
||||||
|
# password server = only use this option when the "security = server" |
||||||
|
# option is set, or if you cannot use DNS to locate a Domain Controller. The |
||||||
|
# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]: |
||||||
|
# |
||||||
|
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name] |
||||||
|
# |
||||||
|
# Use "password server = *" to automatically locate Domain Controllers. |
||||||
|
|
||||||
|
; security = domain |
||||||
|
; passdb backend = tdbsam |
||||||
|
; realm = MY_REALM |
||||||
|
|
||||||
|
; password server = <NT-Server-Name> |
||||||
|
|
||||||
|
# ----------------------- Domain Controller Options ------------------------ |
||||||
|
# |
||||||
|
# security = must be set to user for domain controllers. |
||||||
|
# |
||||||
|
# passdb backend = the backend used to store user information in. New |
||||||
|
# installations should use either tdbsam or ldapsam. No additional configuration |
||||||
|
# is required for tdbsam. The "smbpasswd" utility is available for backwards |
||||||
|
# compatibility. |
||||||
|
# |
||||||
|
# domain master = specifies Samba to be the Domain Master Browser, allowing |
||||||
|
# Samba to collate browse lists between subnets. Do not use the "domain master" |
||||||
|
# option if you already have a Windows NT domain controller performing this task. |
||||||
|
# |
||||||
|
# domain logons = allows Samba to provide a network logon service for Windows |
||||||
|
# workstations. |
||||||
|
# |
||||||
|
# logon script = specifies a script to run at login time on the client. These |
||||||
|
# scripts must be provided in a share named NETLOGON. |
||||||
|
# |
||||||
|
# logon path = specifies (with a UNC path) where user profiles are stored. |
||||||
|
# |
||||||
|
# |
||||||
|
; security = user |
||||||
|
; passdb backend = tdbsam |
||||||
|
|
||||||
|
; domain master = yes |
||||||
|
; domain logons = yes |
||||||
|
|
||||||
|
# the following login script name is determined by the machine name |
||||||
|
# (%m): |
||||||
|
; logon script = %m.bat |
||||||
|
# the following login script name is determined by the UNIX user used: |
||||||
|
; logon script = %u.bat |
||||||
|
; logon path = \\%L\Profiles\%u |
||||||
|
# use an empty path to disable profile support: |
||||||
|
; logon path = |
||||||
|
|
||||||
|
# various scripts can be used on a domain controller or a stand-alone |
||||||
|
# machine to add or delete corresponding UNIX accounts: |
||||||
|
|
||||||
|
; add user script = /usr/sbin/useradd "%u" -n -g users |
||||||
|
; add group script = /usr/sbin/groupadd "%g" |
||||||
|
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u" |
||||||
|
; delete user script = /usr/sbin/userdel "%u" |
||||||
|
; delete user from group script = /usr/sbin/userdel "%u" "%g" |
||||||
|
; delete group script = /usr/sbin/groupdel "%g" |
||||||
|
|
||||||
|
|
||||||
|
# ----------------------- Browser Control Options ---------------------------- |
||||||
|
# |
||||||
|
# local master = when set to no, Samba does not become the master browser on |
||||||
|
# your network. When set to yes, normal election rules apply. |
||||||
|
# |
||||||
|
# os level = determines the precedence the server has in master browser |
||||||
|
# elections. The default value should be reasonable. |
||||||
|
# |
||||||
|
# preferred master = when set to yes, Samba forces a local browser election at |
||||||
|
# start up (and gives itself a slightly higher chance of winning the election). |
||||||
|
# |
||||||
|
; local master = no |
||||||
|
; os level = 33 |
||||||
|
; preferred master = yes |
||||||
|
|
||||||
|
#----------------------------- Name Resolution ------------------------------- |
||||||
|
# |
||||||
|
# This section details the support for the Windows Internet Name Service (WINS). |
||||||
|
# |
||||||
|
# Note: Samba can be either a WINS server or a WINS client, but not both. |
||||||
|
# |
||||||
|
# wins support = when set to yes, the NMBD component of Samba enables its WINS |
||||||
|
# server. |
||||||
|
# |
||||||
|
# wins server = tells the NMBD component of Samba to be a WINS client. |
||||||
|
# |
||||||
|
# wins proxy = when set to yes, Samba answers name resolution queries on behalf |
||||||
|
# of a non WINS capable client. For this to work, there must be at least one |
||||||
|
# WINS server on the network. The default is no. |
||||||
|
# |
||||||
|
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS |
||||||
|
# nslookups. |
||||||
|
|
||||||
|
; wins support = yes |
||||||
|
; wins server = w.x.y.z |
||||||
|
; wins proxy = yes |
||||||
|
|
||||||
|
; dns proxy = yes |
||||||
|
|
||||||
|
# --------------------------- Printing Options ----------------------------- |
||||||
|
# |
||||||
|
# The options in this section allow you to configure a non-default printing |
||||||
|
# system. |
||||||
|
# |
||||||
|
# load printers = when set you yes, the list of printers is automatically |
||||||
|
# loaded, rather than setting them up individually. |
||||||
|
# |
||||||
|
# cups options = allows you to pass options to the CUPS library. Setting this |
||||||
|
# option to raw, for example, allows you to use drivers on your Windows clients. |
||||||
|
# |
||||||
|
# printcap name = used to specify an alternative printcap file. |
||||||
|
# |
||||||
|
|
||||||
|
load printers = yes |
||||||
|
cups options = raw |
||||||
|
|
||||||
|
; printcap name = /etc/printcap |
||||||
|
# obtain a list of printers automatically on UNIX System V systems: |
||||||
|
; printcap name = lpstat |
||||||
|
; printing = cups |
||||||
|
|
||||||
|
# --------------------------- File System Options --------------------------- |
||||||
|
# |
||||||
|
# The options in this section can be un-commented if the file system supports |
||||||
|
# extended attributes, and those attributes are enabled (usually via the |
||||||
|
# "user_xattr" mount option). These options allow the administrator to specify |
||||||
|
# that DOS attributes are stored in extended attributes and also make sure that |
||||||
|
# Samba does not change the permission bits. |
||||||
|
# |
||||||
|
# Note: These options can be used on a per-share basis. Setting them globally |
||||||
|
# (in the [global] section) makes them the default for all shares. |
||||||
|
|
||||||
|
; map archive = no |
||||||
|
; map hidden = no |
||||||
|
; map read only = no |
||||||
|
; map system = no |
||||||
|
; store dos attributes = yes |
||||||
|
|
||||||
|
|
||||||
|
#============================ Share Definitions ============================== |
||||||
|
|
||||||
|
[homes] |
||||||
|
comment = Home Directories |
||||||
|
browseable = no |
||||||
|
writable = yes |
||||||
|
; valid users = %S |
||||||
|
; valid users = MYDOMAIN\%S |
||||||
|
|
||||||
|
[printers] |
||||||
|
comment = All Printers |
||||||
|
path = /var/spool/samba |
||||||
|
browseable = no |
||||||
|
guest ok = no |
||||||
|
writable = no |
||||||
|
printable = yes |
||||||
|
|
||||||
|
# Un-comment the following and create the netlogon directory for Domain Logons: |
||||||
|
; [netlogon] |
||||||
|
; comment = Network Logon Service |
||||||
|
; path = /var/lib/samba/netlogon |
||||||
|
; guest ok = yes |
||||||
|
; writable = no |
||||||
|
; share modes = no |
||||||
|
|
||||||
|
# Un-comment the following to provide a specific roaming profile share. |
||||||
|
# The default is to use the user's home directory: |
||||||
|
; [Profiles] |
||||||
|
; path = /var/lib/samba/profiles |
||||||
|
; browseable = no |
||||||
|
; guest ok = yes |
||||||
|
|
||||||
|
# A publicly accessible directory that is read only, except for users in the |
||||||
|
# "staff" group (which have write permissions): |
||||||
|
; [public] |
||||||
|
; comment = Public Stuff |
||||||
|
; path = /home/samba |
||||||
|
; public = yes |
||||||
|
; writable = no |
||||||
|
; printable = no |
||||||
|
; write list = +staff |
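Review bot: In `[homes]` (`writable = yes`, `browseable = no`) both `valid users` lines are commented out, so any authenticated user who names another user's home share reaches it, limited only by the Unix mode of that home directory; the smb.conf shipped in this same commit enables `valid users = %S, %D%w%S`, and the example should match rather than teach the weaker form — uncomment `valid users = %S` (or the `MYDOMAIN\%S` variant for domain members). A smaller point: `server string = Samba Server Version %v` advertises the exact Samba version to unauthenticated clients; a fixed `server string = Samba Server` gives scanners one less data point. Both are example-file defaults, so the change is to the text admins copy rather than to running behaviour.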
@ -0,0 +1,37 @@ |
|||||||
|
# See smb.conf.example for a more detailed config file or |
||||||
|
# read the smb.conf manpage. |
||||||
|
# Run 'testparm' to verify the config is correct after |
||||||
|
# you modified it. |
||||||
|
|
||||||
|
[global] |
||||||
|
workgroup = SAMBA |
||||||
|
security = user |
||||||
|
|
||||||
|
passdb backend = tdbsam |
||||||
|
|
||||||
|
printing = cups |
||||||
|
printcap name = cups |
||||||
|
load printers = yes |
||||||
|
cups options = raw |
||||||
|
|
||||||
|
[homes] |
||||||
|
comment = Home Directories |
||||||
|
valid users = %S, %D%w%S |
||||||
|
browseable = No |
||||||
|
read only = No |
||||||
|
inherit acls = Yes |
||||||
|
|
||||||
|
[printers] |
||||||
|
comment = All Printers |
||||||
|
path = /var/tmp |
||||||
|
printable = Yes |
||||||
|
create mask = 0600 |
||||||
|
browseable = No |
||||||
|
|
||||||
|
[print$] |
||||||
|
comment = Printer Drivers |
||||||
|
path = /var/lib/samba/drivers |
||||||
|
write list = @printadmin root |
||||||
|
force group = @printadmin |
||||||
|
create mask = 0664 |
||||||
|
directory mask = 0775 |
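Review bot: The `[print$]` share gives `@printadmin root` write access to driver files that Windows clients install through Point and Print, i.e. code that runs inside the client's spooler service, so membership in `printadmin` is effectively privileged on every client, and nothing in the file says so; a comment above the share such as `; Members of printadmin can upload printer drivers that clients install as SYSTEM - treat the group as privileged` is worth adding. Related, `[printers]` spools into `/var/tmp`, a world-writable directory; `create mask = 0600` protects the spool files themselves but not the directory, and the example file in this commit uses `/var/spool/samba`, which is the safer choice if the packaging creates it. Whether SMB1 is accepted depends on the `server min protocol` default of the packaged Samba version, which is not visible here; consider setting it explicitly if that default still allows NT1.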