From 5971fd6b9c7520456c30d8989c346d97b28c801d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 28 Jul 2008 08:02:18 +1000 Subject: Fix warnings in new prefixMap code (This used to be commit b8770a4fd8408473593fa4c6600bce056183958d) --- source4/dsdb/schema/schema_init.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/source4/dsdb/schema/schema_init.c b/source4/dsdb/schema/schema_init.c index 9b8959466d..85fdbe9e87 100644 --- a/source4/dsdb/schema/schema_init.c +++ b/source4/dsdb/schema/schema_init.c @@ -566,9 +566,10 @@ WERROR dsdb_read_prefixes_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, return WERR_NOMEM; } for (i=0; i < blob->ctr.dsdb.num_mappings; i++) { + char *oid; (*prefixes)[i].id = blob->ctr.dsdb.mappings[i].id_prefix<<16; - (*prefixes)[i].oid = talloc_strdup(mem_ctx, blob->ctr.dsdb.mappings[i].oid.oid); - (*prefixes)[i].oid = talloc_asprintf_append((*prefixes)[i].oid, "."); + oid = talloc_strdup(mem_ctx, blob->ctr.dsdb.mappings[i].oid.oid); + (*prefixes)[i].oid = talloc_asprintf_append(oid, "."); (*prefixes)[i].oid_len = strlen(blob->ctr.dsdb.mappings[i].oid.oid); } -- cgit From cff30c6da666abcb4ad8c587defa63883ce86c23 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 28 Jul 2008 08:04:15 +1000 Subject: Remove unused function and make sensitive directories private. (This used to be commit e23333d16397606d38e90684d2d916b5b967cde4) --- source4/scripting/python/samba/provision.py | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 0119f40c7f..068fe5ad9b 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -133,26 +133,6 @@ findnss_uid = lambda names: findnss(pwd.getpwnam, names)[2] findnss_gid = lambda names: findnss(grp.getgrnam, names)[2] -def open_ldb(session_info, credentials, lp, dbname): - """Open a LDB, thrashing it if it is corrupt. - - :param session_info: auth session information - :param credentials: credentials - :param lp: Loadparm context - :param dbname: Path of the database to open. - :return: a Ldb object - """ - assert session_info is not None - try: - return Ldb(dbname, session_info=session_info, credentials=credentials, - lp=lp) - except LdbError, e: - print e - os.unlink(dbname) - return Ldb(dbname, session_info=session_info, credentials=credentials, - lp=lp) - - def read_and_sub_file(file, subst_vars): """Read a file and sub in variables found in it @@ -1195,7 +1175,7 @@ def provision_backend(setup_dir=None, message=None, paths = provision_paths_from_lp(lp, names.dnsdomain) if not os.path.isdir(paths.ldapdir): - os.makedirs(paths.ldapdir) + os.makedirs(paths.ldapdir, 0700) schemadb_path = os.path.join(paths.ldapdir, "schema-tmp.ldb") try: os.unlink(schemadb_path) @@ -1290,7 +1270,7 @@ def provision_backend(setup_dir=None, message=None, setup_db_config(setup_path, os.path.join(paths.ldapdir, "db", "schema")) if not os.path.exists(os.path.join(paths.ldapdir, "db", "samba", "cn=samba")): - os.makedirs(os.path.join(paths.ldapdir, "db", "samba", "cn=samba")) + os.makedirs(os.path.join(paths.ldapdir, "db", "samba", "cn=samba"), 0700) setup_file(setup_path("cn=samba.ldif"), os.path.join(paths.ldapdir, "db", "samba", "cn=samba.ldif"), -- cgit From da9ab5756e1256a9c6e1188f7510ca5d84cbe4f9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 28 Jul 2008 08:04:43 +1000 Subject: Remove unused variable (This used to be commit 31a303c099e26423160010c48b305434d4cbea25) --- source4/dsdb/samdb/ldb_modules/schema_fsmo.c | 1 - 1 file changed, 1 deletion(-) diff --git a/source4/dsdb/samdb/ldb_modules/schema_fsmo.c b/source4/dsdb/samdb/ldb_modules/schema_fsmo.c index 2acc5c0af4..87ada855d3 100644 --- a/source4/dsdb/samdb/ldb_modules/schema_fsmo.c +++ b/source4/dsdb/samdb/ldb_modules/schema_fsmo.c @@ -150,7 +150,6 @@ static int schema_fsmo_add(struct ldb_module *module, struct ldb_request *req) static int schema_fsmo_extended(struct ldb_module *module, struct ldb_request *req) { - WERROR status; struct ldb_dn *schema_dn; struct dsdb_schema *schema; char *error_string = NULL; -- cgit From 0299edbc02f4185020bae8e66c02d1081d07279f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 28 Jul 2008 09:29:42 +0200 Subject: auth/credentials: explain why we need to the enctypes for the gssapi layer metze (This used to be commit 88970c4d4192635544cf63e79e929e9bb05ecb5f) --- source4/auth/credentials/credentials_krb5.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c index c4c58398c3..1a2d5faddd 100644 --- a/source4/auth/credentials/credentials_krb5.c +++ b/source4/auth/credentials/credentials_krb5.c @@ -392,7 +392,17 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, return ret; } - /* transfer the enctypes from the smb_krb5_context to the gssapi layer */ + /* + * transfer the enctypes from the smb_krb5_context to the gssapi layer + * + * We use 'our' smb_krb5_context to do the AS-REQ and it is possible + * to configure the enctypes via the krb5.conf. + * + * And the gss_init_sec_context() creates it's own krb5_context and + * the TGS-REQ had all enctypes in it and only the ones configured + * and used for the AS-REQ, so it wasn't possible to disable the usage + * of AES keys. + */ min_stat = krb5_get_default_in_tkt_etypes(ccache->smb_krb5_context->krb5_context, &etypes); if (min_stat == 0) { -- cgit From 45d60f5bd9be53ae4d4399664500709f1b2801a5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 28 Jul 2008 20:18:17 +1000 Subject: Always print the slapd startup command (This used to be commit b1d05e7d14c65133e8ab0ff9d41a26fa7e3d41d3) --- source4/scripting/python/samba/provision.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 068fe5ad9b..8437909da1 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -1290,7 +1290,8 @@ def provision_backend(setup_dir=None, message=None, server_port_string = " -h ldap://0.0.0.0:%d" % ldap_backend_port else: server_port_string = "" - slapdcommand="Start slapd with: slapd -f " + paths.ldapdir + "/slapd.conf -h " + ldapi_uri + server_port_string + + slapdcommand="Start slapd with: slapd -f " + paths.ldapdir + "/slapd.conf -h " + ldapi_uri + server_port_string schema_command = "bin/ad2oLschema --option=convert:target=" + ldap_backend_type + " -I " + setup_path(mapping) + " -H tdb://" + schemadb_path + " -O " + os.path.join(paths.ldapdir, backend_schema) -- cgit From 08795db6d6af69442dfbfa7d39532e898d4c0ea6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 28 Jul 2008 20:26:14 +1000 Subject: Make it even clearer what to do next in the LDAP backend setup (This used to be commit bace931ad674b5071d53bf9c99c383f1d8957e1b) --- source4/scripting/python/samba/provision.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 8437909da1..13329e8b10 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -1232,6 +1232,8 @@ def provision_backend(setup_dir=None, message=None, slapdcommand="Initailise Fedora DS with: setup-ds.pl --file=%s" % paths.fedoradsinf + ldapuser = "--simple-bind-dn=" + names.ldapmanagerdn + elif ldap_backend_type == "openldap": attrs = ["linkID", "lDAPDisplayName"] res = schemadb.search(expression="(&(&(linkID=*)(!(linkID:1.2.840.113556.1.4.803:=1)))(objectclass=attributeSchema))", base=names.schemadn, scope=SCOPE_SUBTREE, attrs=attrs) @@ -1293,6 +1295,8 @@ def provision_backend(setup_dir=None, message=None, slapdcommand="Start slapd with: slapd -f " + paths.ldapdir + "/slapd.conf -h " + ldapi_uri + server_port_string + ldapuser = "--username=samba-admin" + schema_command = "bin/ad2oLschema --option=convert:target=" + ldap_backend_type + " -I " + setup_path(mapping) + " -H tdb://" + schemadb_path + " -O " + os.path.join(paths.ldapdir, backend_schema) @@ -1311,7 +1315,7 @@ def provision_backend(setup_dir=None, message=None, message("LDAP admin password: %s" % adminpass) message(slapdcommand) - + message("Run provision with: --ldap-backend=ldapi --ldap-backend-type=" + ldap_backend_type + " --password=" + adminpass + " " + ldapuser) def create_phpldapadmin_config(path, setup_path, ldapi_uri): """Create a PHP LDAP admin configuration file. -- cgit From e80115deb9f57d827f915b57b52961f1e2df682e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 28 Jul 2008 20:51:02 +1000 Subject: We don't use EXTENSIBLEOBJECT any more. (This used to be commit 4b137085c8b89773d4639372bbffd516a41dfc8f) --- source4/scripting/python/samba/provision.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 13329e8b10..441d662b23 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -779,7 +779,6 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, setup_add_ldif(samdb, setup_path("provision_configuration_basedn.ldif"), { "CONFIGDN": names.configdn, "ACI": aci, - "EXTENSIBLEOBJECT": "# no objectClass: extensibleObject for local ldb", }) message("Modifying configuration container") setup_modify_ldif(samdb, setup_path("provision_configuration_basedn_modify.ldif"), { @@ -791,7 +790,6 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, setup_add_ldif(samdb, setup_path("provision_schema_basedn.ldif"), { "SCHEMADN": names.schemadn, "ACI": aci, - "EXTENSIBLEOBJECT": "# no objectClass: extensibleObject for local ldb" }) message("Modifying schema container") @@ -1189,7 +1187,6 @@ def provision_backend(setup_dir=None, message=None, setup_add_ldif(schemadb, setup_path("provision_schema_basedn.ldif"), {"SCHEMADN": names.schemadn, "ACI": "#", - "EXTENSIBLEOBJECT": "# no objectClass: extensibleObject for local ldb" }) setup_modify_ldif(schemadb, setup_path("provision_schema_basedn_modify.ldif"), \ -- cgit From 4355b31730f900fcae1ccb58df4feb387489e1e9 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 9 Jun 2008 21:41:06 +0200 Subject: libcli/smb2: sign SMB2 Logoff requests metze (This used to be commit 35ee165b146b9157b0cff49e1139a0cb37d98926) --- source4/libcli/smb2/logoff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source4/libcli/smb2/logoff.c b/source4/libcli/smb2/logoff.c index b38a08ca43..e3f83f27d8 100644 --- a/source4/libcli/smb2/logoff.c +++ b/source4/libcli/smb2/logoff.c @@ -33,6 +33,8 @@ struct smb2_request *smb2_logoff_send(struct smb2_session *session) req = smb2_request_init(session->transport, SMB2_OP_LOGOFF, 0x04, false, 0); if (req == NULL) return NULL; + req->session = session; + SBVAL(req->out.hdr, SMB2_HDR_SESSION_ID, session->uid); SSVAL(req->out.body, 0x02, 0); -- cgit From 1a4f4d2cf052edde8ef6893081ed3c5a756e51d2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 9 Jun 2008 21:41:55 +0200 Subject: SMB2-CONNECT: remove reference to req->session before calling smb2_logoff_recv() on the invalid session metze (This used to be commit 93203e8e318dd10b9e7096e586187eb271d42134) --- source4/torture/smb2/connect.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/source4/torture/smb2/connect.c b/source4/torture/smb2/connect.c index 826bb2d719..e77e32ff7a 100644 --- a/source4/torture/smb2/connect.c +++ b/source4/torture/smb2/connect.c @@ -193,6 +193,7 @@ bool torture_smb2_connect(struct torture_context *torture) { TALLOC_CTX *mem_ctx = talloc_new(NULL); struct smb2_tree *tree; + struct smb2_request *req; struct smb2_handle h1, h2; NTSTATUS status; @@ -242,7 +243,15 @@ bool torture_smb2_connect(struct torture_context *torture) return false; } - status = smb2_logoff(tree->session); + req = smb2_logoff_send(tree->session); + if (!req) { + printf("smb2_logoff_send() failed\n"); + return false; + } + + req->session = NULL; + + status = smb2_logoff_recv(req); if (!NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) { printf("Logoff should have disabled session - %s\n", nt_errstr(status)); return false; -- cgit From 35bd7a6378cc25ed6b24d153c3cf1557d6126788 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 9 Jun 2008 21:57:41 +0200 Subject: libcli/smb2: fix per session signing state metze (This used to be commit 8bc12dc77a59e792830d96e84a4e8d1b2c651505) --- source4/libcli/smb2/connect.c | 8 ++++---- source4/libcli/smb2/session.c | 6 +++--- source4/libcli/smb2/smb2.h | 9 +++------ source4/libcli/smb2/transport.c | 6 ++---- 4 files changed, 12 insertions(+), 17 deletions(-) diff --git a/source4/libcli/smb2/connect.c b/source4/libcli/smb2/connect.c index cdb5e3b5d4..c89c109b72 100644 --- a/source4/libcli/smb2/connect.c +++ b/source4/libcli/smb2/connect.c @@ -112,19 +112,19 @@ static void continue_negprot(struct smb2_request *req) composite_error(c, NT_STATUS_ACCESS_DENIED); return; } - transport->signing.doing_signing = false; + transport->signing_required = false; break; case SMB_SIGNING_SUPPORTED: case SMB_SIGNING_AUTO: if (transport->negotiate.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) { - transport->signing.doing_signing = true; + transport->signing_required = true; } else { - transport->signing.doing_signing = false; + transport->signing_required = false; } break; case SMB_SIGNING_REQUIRED: if (transport->negotiate.security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED) { - transport->signing.doing_signing = true; + transport->signing_required = true; } else { composite_error(c, NT_STATUS_ACCESS_DENIED); return; diff --git a/source4/libcli/smb2/session.c b/source4/libcli/smb2/session.c index 91616319d5..6c573bf6d5 100644 --- a/source4/libcli/smb2/session.c +++ b/source4/libcli/smb2/session.c @@ -187,14 +187,14 @@ static void session_request_handler(struct smb2_request *req) return; } - if (session->transport->signing.doing_signing) { + if (session->transport->signing_required) { if (session->session_key.length != 16) { DEBUG(2,("Wrong session key length %u for SMB2 signing\n", (unsigned)session->session_key.length)); composite_error(c, NT_STATUS_ACCESS_DENIED); return; } - session->transport->signing.signing_started = true; + session->signing_active = true; } composite_done(c); @@ -218,7 +218,7 @@ struct composite_context *smb2_session_setup_spnego_send(struct smb2_session *se ZERO_STRUCT(state->io); state->io.in.vc_number = 0; - if (session->transport->signing.doing_signing) { + if (session->transport->signing_required) { state->io.in.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED; } diff --git a/source4/libcli/smb2/smb2.h b/source4/libcli/smb2/smb2.h index 2b468d3dc9..5d6341a15b 100644 --- a/source4/libcli/smb2/smb2.h +++ b/source4/libcli/smb2/smb2.h @@ -27,11 +27,6 @@ struct smb2_handle; -struct smb2_signing_context { - bool doing_signing; - bool signing_started; -}; - /* information returned from the negotiate process */ @@ -78,7 +73,8 @@ struct smb2_transport { } oplock; struct smbcli_options options; - struct smb2_signing_context signing; + + bool signing_required; }; @@ -98,6 +94,7 @@ struct smb2_session { struct gensec_security *gensec; uint64_t uid; DATA_BLOB session_key; + bool signing_active; }; diff --git a/source4/libcli/smb2/transport.c b/source4/libcli/smb2/transport.c index 6e0d523e21..d9691bec7c 100644 --- a/source4/libcli/smb2/transport.c +++ b/source4/libcli/smb2/transport.c @@ -235,7 +235,7 @@ static NTSTATUS smb2_transport_finish_recv(void *private, DATA_BLOB blob) req->in.body_size = req->in.size - (SMB2_HDR_BODY+NBT_HDR_SIZE); req->status = NT_STATUS(IVAL(hdr, SMB2_HDR_STATUS)); - if (req->session && transport->signing.doing_signing) { + if (req->session && req->session->signing_active) { status = smb2_check_signature(&req->in, req->session->session_key); if (!NT_STATUS_IS_OK(status)) { @@ -352,9 +352,7 @@ void smb2_transport_send(struct smb2_request *req) } /* possibly sign the message */ - if (req->transport->signing.doing_signing && - req->transport->signing.signing_started && - req->session) { + if (req->session && req->session->signing_active) { status = smb2_sign_message(&req->out, req->session->session_key); if (!NT_STATUS_IS_OK(status)) { req->state = SMB2_REQUEST_ERROR; -- cgit From 8623e2cc4ca3b7fefcdc943c1da8a89b805f5d29 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 9 Jun 2008 21:45:19 +0200 Subject: smb2srv: correctly hold the signing state per session metze (This used to be commit 5b3ba3f3556e8031133128853cd2324ee3852aa1) --- source4/smb_server/smb2/negprot.c | 2 +- source4/smb_server/smb2/receive.c | 21 +++++++++++---------- source4/smb_server/smb2/sesssetup.c | 14 +++++++++++++- source4/smb_server/smb_server.h | 7 ++++++- 4 files changed, 31 insertions(+), 13 deletions(-) diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c index 3e6e2e1a43..d64b36d659 100644 --- a/source4/smb_server/smb2/negprot.c +++ b/source4/smb_server/smb2/negprot.c @@ -122,7 +122,7 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2 case SMB_SIGNING_REQUIRED: io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED; /* force signing on immediately */ - req->smb_conn->doing_signing = true; + req->smb_conn->smb2_signing_required = true; break; } io->out.dialect_revision = SMB2_DIALECT_REVISION; diff --git a/source4/smb_server/smb2/receive.c b/source4/smb_server/smb2/receive.c index 2f4e9df2b6..cfd6c1d01a 100644 --- a/source4/smb_server/smb2/receive.c +++ b/source4/smb_server/smb2/receive.c @@ -235,11 +235,8 @@ void smb2srv_send_reply(struct smb2srv_request *req) _smb2_setlen(req->out.buffer, req->out.size - NBT_HDR_SIZE); } - /* if the request was signed or doing_signing is true, then we - must sign the reply */ - if (req->session && - (req->smb_conn->doing_signing || - (IVAL(req->in.hdr, SMB2_HDR_FLAGS) & SMB2_HDR_FLAG_SIGNED))) { + /* if signing is active on the session then sign the packet */ + if (req->session && req->session->smb2_signing.active) { status = smb2_sign_message(&req->out, req->session->session_info->session_key); if (!NT_STATUS_IS_OK(status)) { @@ -310,18 +307,22 @@ static NTSTATUS smb2srv_reply(struct smb2srv_request *req) should give a signed reply to any signed request */ if (flags & SMB2_HDR_FLAG_SIGNED) { NTSTATUS status; - if (req->session == NULL) { - /* we can't check signing with no session */ - smb2srv_send_error(req, NT_STATUS_ACCESS_DENIED); - return NT_STATUS_OK; + + if (!req->session) goto nosession; + + if (!req->session->smb2_signing.active) { + /* TODO: workout the correct error code */ + smb2srv_send_error(req, NT_STATUS_FOOBAR); + return NT_STATUS_OK; } + status = smb2_check_signature(&req->in, req->session->session_info->session_key); if (!NT_STATUS_IS_OK(status)) { smb2srv_send_error(req, status); return NT_STATUS_OK; } - } else if (req->smb_conn->doing_signing && req->session != NULL) { + } else if (req->session && req->session->smb2_signing.active) { /* we require signing and this request was not signed */ smb2srv_send_error(req, NT_STATUS_ACCESS_DENIED); return NT_STATUS_OK; diff --git a/source4/smb_server/smb2/sesssetup.c b/source4/smb_server/smb2/sesssetup.c index 9fb3220005..6e3e963794 100644 --- a/source4/smb_server/smb2/sesssetup.c +++ b/source4/smb_server/smb2/sesssetup.c @@ -90,6 +90,10 @@ static void smb2srv_sesssetup_callback(struct gensec_update_request *greq, void } req->session = smb_sess; + if (smb_sess->smb2_signing.required) { + /* activate smb2 signing on the session */ + smb_sess->smb2_signing.active = true; + } done: io->smb2.out.uid = smb_sess->vuid; failed: @@ -182,7 +186,15 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses This is deliberate as windows does not set it even when it does set SMB2_NEGOTIATE_SIGNING_REQUIRED */ if (io->smb2.in.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) { - req->smb_conn->doing_signing = true; + smb_sess->smb2_signing.required = true; + } else if (req->smb_conn->smb2_signing_required) { + /* + * if required signing was negotiates in SMB2 Negotiate + * then the client made an error not using it here + */ + DEBUG(1, ("SMB2 signing required on the connection but not used on session\n")); + req->status = NT_STATUS_FOOBAR; + goto failed; } return; diff --git a/source4/smb_server/smb_server.h b/source4/smb_server/smb_server.h index dd4ec3281b..4676fc3e9c 100644 --- a/source4/smb_server/smb_server.h +++ b/source4/smb_server/smb_server.h @@ -100,6 +100,11 @@ struct smbsrv_session { struct auth_session_info *session_info; + struct { + bool required; + bool active; + } smb2_signing; + /* some statistics for the management tools */ struct { /* the time when the session setup started */ @@ -380,7 +385,7 @@ struct smbsrv_connection { struct loadparm_context *lp_ctx; - bool doing_signing; + bool smb2_signing_required; }; struct model_ops; -- cgit From 0251096a89d9740f6bf2dfcf41594957424f887d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 9 Jun 2008 21:57:05 +0200 Subject: smb2srv: sign SMB2 Logoff replies metze (This used to be commit 2844e361730a6bc640ea89d0e10059deca1ca867) --- source4/smb_server/smb2/sesssetup.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/source4/smb_server/smb2/sesssetup.c b/source4/smb_server/smb2/sesssetup.c index 6e3e963794..9f8765d6e9 100644 --- a/source4/smb_server/smb2/sesssetup.c +++ b/source4/smb_server/smb2/sesssetup.c @@ -224,11 +224,25 @@ void smb2srv_sesssetup_recv(struct smb2srv_request *req) smb2srv_sesssetup_backend(req, io); } -static NTSTATUS smb2srv_logoff_backend(struct smb2srv_request *req) +static int smb2srv_cleanup_session_destructor(struct smbsrv_session **session) { /* TODO: call ntvfs backends to close file of this session */ - talloc_free(req->session); - req->session = NULL; + DEBUG(0,("free session[%p]\n", *session)); + talloc_free(*session); + return 0; +} + +static NTSTATUS smb2srv_logoff_backend(struct smb2srv_request *req) +{ + struct smbsrv_session **session_ptr; + + /* we need to destroy the session after sending the reply */ + session_ptr = talloc(req, struct smbsrv_session *); + NT_STATUS_HAVE_NO_MEMORY(session_ptr); + + *session_ptr = req->session; + talloc_set_destructor(session_ptr, smb2srv_cleanup_session_destructor); + return NT_STATUS_OK; } -- cgit From 2d2911c7885dc832700185e62160bc18f8abfa04 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 28 Jul 2008 15:49:46 +0200 Subject: libcli/smb2: the session key for SMB2 signing is truncated to 16 bytes To make that work (as a client) with aes128 and aes256 krb5 keys we need to use gsskrb5_get_subkey(). metze (This used to be commit 0c6d988f2083067e1ac7b07a492f88cefd3ba906) --- source4/libcli/smb2/session.c | 4 ++-- source4/libcli/smb2/signing.c | 9 ++++----- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/source4/libcli/smb2/session.c b/source4/libcli/smb2/session.c index 6c573bf6d5..31b3e942e9 100644 --- a/source4/libcli/smb2/session.c +++ b/source4/libcli/smb2/session.c @@ -188,8 +188,8 @@ static void session_request_handler(struct smb2_request *req) } if (session->transport->signing_required) { - if (session->session_key.length != 16) { - DEBUG(2,("Wrong session key length %u for SMB2 signing\n", + if (session->session_key.length == 0) { + DEBUG(0,("Wrong session key length %u for SMB2 signing\n", (unsigned)session->session_key.length)); composite_error(c, NT_STATUS_ACCESS_DENIED); return; diff --git a/source4/libcli/smb2/signing.c b/source4/libcli/smb2/signing.c index fb2c22db4e..0d655d1a86 100644 --- a/source4/libcli/smb2/signing.c +++ b/source4/libcli/smb2/signing.c @@ -46,7 +46,7 @@ NTSTATUS smb2_sign_message(struct smb2_request_buffer *buf, DATA_BLOB session_ke return NT_STATUS_OK; } - if (session_key.length != 16) { + if (session_key.length == 0) { DEBUG(2,("Wrong session key length %u for SMB2 signing\n", (unsigned)session_key.length)); return NT_STATUS_ACCESS_DENIED; @@ -57,10 +57,9 @@ NTSTATUS smb2_sign_message(struct smb2_request_buffer *buf, DATA_BLOB session_ke SIVAL(buf->hdr, SMB2_HDR_FLAGS, IVAL(buf->hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED); ZERO_STRUCT(m); - hmac_sha256_init(session_key.data, 16, &m); + hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m); hmac_sha256_update(buf->buffer+NBT_HDR_SIZE, buf->size-NBT_HDR_SIZE, &m); hmac_sha256_final(res, &m); - DEBUG(5,("signed SMB2 message of size %u\n", (unsigned)buf->size - NBT_HDR_SIZE)); memcpy(buf->hdr + SMB2_HDR_SIGNATURE, res, 16); @@ -95,7 +94,7 @@ NTSTATUS smb2_check_signature(struct smb2_request_buffer *buf, DATA_BLOB session return NT_STATUS_OK; } - if (session_key.length != 16) { + if (session_key.length == 0) { DEBUG(2,("Wrong session key length %u for SMB2 signing\n", (unsigned)session_key.length)); return NT_STATUS_ACCESS_DENIED; @@ -106,7 +105,7 @@ NTSTATUS smb2_check_signature(struct smb2_request_buffer *buf, DATA_BLOB session memset(buf->hdr + SMB2_HDR_SIGNATURE, 0, 16); ZERO_STRUCT(m); - hmac_sha256_init(session_key.data, 16, &m); + hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m); hmac_sha256_update(buf->hdr, buf->size-NBT_HDR_SIZE, &m); hmac_sha256_final(res, &m); -- cgit From c4c79aa1b61b48eca47dffecb4ad847fae3bffed Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 28 Jul 2008 16:11:30 +0200 Subject: gensec_gssapi: use gsskrb5_get_subkey() to make smb2 signing with aes keys work SMB signing with aes doesn't work, but still works with arcfour-hmac-md5, des-cbc-md5 and des-cbc-crc. metze (This used to be commit 73964f069056f46f2f27fc690e42e5c91ae1fe19) --- source4/auth/gensec/gensec_gssapi.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 205d8a0f9b..c20cf4f5bd 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1152,9 +1152,9 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit return NT_STATUS_OK; } - maj_stat = gsskrb5_get_initiator_subkey(&min_stat, - gensec_gssapi_state->gssapi_context, - &subkey); + maj_stat = gsskrb5_get_subkey(&min_stat, + gensec_gssapi_state->gssapi_context, + &subkey); if (maj_stat != 0) { DEBUG(1, ("NO session key for this mech\n")); return NT_STATUS_NO_USER_SESSION_KEY; -- cgit From 14900695da4e32e64ddb6262b1764983254fcc1d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 28 Jul 2008 16:40:21 +0200 Subject: rpc_server: remove unused variable metze (This used to be commit c2186d5d60aa2b57ecafaa57f9fd41f2a6717046) --- source4/rpc_server/dcerpc_server.c | 1 - 1 file changed, 1 deletion(-) diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index cb07f6e8ce..95589498e2 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c @@ -947,7 +947,6 @@ _PUBLIC_ NTSTATUS dcesrv_reply(struct dcesrv_call_state *call) uint32_t length; struct data_blob_list_item *rep; struct ncacn_packet pkt; - const uint32_t overhead = (DCERPC_MAX_SIGN_SIZE+DCERPC_RESPONSE_LENGTH); rep = talloc(call, struct data_blob_list_item); NT_STATUS_HAVE_NO_MEMORY(rep); -- cgit From e45c3e127d389a2cb63879ca12bbbfed048f4eb1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 28 Jul 2008 17:59:17 +0200 Subject: Revert "gensec_gssapi: use gsskrb5_get_subkey() to make smb2 signing with aes keys work" This reverts commit 73964f069056f46f2f27fc690e42e5c91ae1fe19. This breaks more than it gains:-( It seems to break the ncacn_np session key metze (This used to be commit 9678085f75b6cb0ed068e22f3d9f94247b200ce2) --- source4/auth/gensec/gensec_gssapi.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index c20cf4f5bd..205d8a0f9b 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1152,9 +1152,9 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit return NT_STATUS_OK; } - maj_stat = gsskrb5_get_subkey(&min_stat, - gensec_gssapi_state->gssapi_context, - &subkey); + maj_stat = gsskrb5_get_initiator_subkey(&min_stat, + gensec_gssapi_state->gssapi_context, + &subkey); if (maj_stat != 0) { DEBUG(1, ("NO session key for this mech\n")); return NT_STATUS_NO_USER_SESSION_KEY; -- cgit