Jeremy Allison [Sun, 26 Sep 2010 11:59:31 +0000 (04:59 -0700)]
Fix bug 7694 - Crash bug with invalid SPNEGO token.
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
as we indirect the first returned value OIDs[0], which is returned as NULL.
s3: Fix bug 7688, rpcclient command line completion crashing
We've grown more than 100 rpcclient commands by now, so this would overwrite
the array of 100 completions. There's nicer ways to fix this problem, but 1000
rpcclient commands should be at least a bit away.
s3:smbd: Align change notify replies on 4-byte boundary
MS-CIFS section 2.2.7.4.2 states this is mandatory. WinXP clients
don't seem to care, but a Win7 client will send an immediate Close()
to the directory handle when receiving an incorrectly aligned
change notify response.
Fix bug #7662 (Change notify replies must be aligned on 4-byte boundary for
Win7.)
Volker Lendecke [Mon, 10 May 2010 10:05:01 +0000 (12:05 +0200)]
libwbclient: Fix a fd-leak at dlclose-time
__attribute__((destructor)) makes winbind_close_sock() being called at
dlclose() time.
Found while testing apache on Linux with mod_auth_pam.
Other platforms will have to find a different fix. One possibility would be to
always close the socket after each operation, but this badly sucks
performance-wise.
Jeremy Allison [Thu, 9 Sep 2010 13:54:23 +0000 (15:54 +0200)]
Fix bug #7669.
Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).
CVE-2010-3069:
===========
Description
===========
All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.
A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
(cherry picked from commit a34c3e999bb1ea61da31c5b3e845b19663039358)
The issue with using talloc_move here is that users of that function in winbind
will only be able to have two schanneled connections, as the cached schannel
credentials pointer from the netlogon pipe will be set to NULL. Do a deep copy
of the struct instead.
Björn Jacke [Thu, 12 Aug 2010 14:18:45 +0000 (16:18 +0200)]
s3: fall back to cups-config for underlinked libs
some OpenBSD systems have underlinked cups libraries. If linking against cups
alone fails, try to link against all the cups-config --libs cruft, which we
usually don't want. (bugzila #7244)
(cherry picked from commit 616e187d68e3e7b202413a96518b31d029e9563a)
Jeremy Allison [Thu, 29 Jul 2010 20:44:35 +0000 (13:44 -0700)]
Fix bug #7589 - ntlm_auth fails to use cached credentials.
In handling the WINBINDD_PAM_AUTH message winbindd canonicalizes a *copy*
of the mapped username, but fails to canonicalize the actual username
sent to the backend domain process. When "winbind default domain"
is set this can lead to credentials being cached with an index of
user: user, not DOMAIN\user. All other code paths that use
canonicalize_username() (WINBINDD_PAM_CHAUTHTOK, WINBINDD_PAM_LOGOFF)
correctly canonicalize the data sent to the backend. All calls
the can cause credentials to be looked up (PAM_CHAUTHTOK etc.)
correctly call canonicalize_username() to create the credential
lookup key.
Jeremy Allison [Tue, 27 Jul 2010 08:54:01 +0000 (01:54 -0700)]
Fix bug 7590 - offline login fails because winbind deletes cache on every startup.
Sync lib/tdb_validate.c with the change in current master.
Change tdb_validate_open() to always use O_RDWR instead of O_RDONLY,
as (from the bug report): "db_check() will always return failure for a read-only database.
Silently, without any log output, when _tdb_lockall() fails."
s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel.
This is an important fix as the following could and is happening:
* winbind authenticates a user via schannel secured netlogon samlogonex call,
current secure channel cred state is stored in winbind state, winbind
sucessfully decrypts session key from the info3
* winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the
secure channel on the dc)
* subsequent samlogonex calls use the new secure channel creds on the dc to
encrypt info3 session key, while winbind tries to use old schannel creds for
decryption
s3-librpc: Fixed GUID_from_data_blob() with length of 32.
If we hit the case that the blob length is 32. The code goes to the end
of the function and generates a GUID with garbage.
So try to convert the blob to the GUID and return.
Fix bug #7538 (Backport fixes for GUID_from_data_blob).
Björn Jacke [Fri, 28 May 2010 23:40:21 +0000 (01:40 +0200)]
s3: fix check for pie compiler flags
some compilers (HP and Sun e.g.) output warning messages on stderr for unknown
options and we ended up partly using some unwanted random compile flags we
did't intend to use.
Björn Jacke [Mon, 24 May 2010 21:34:00 +0000 (23:34 +0200)]
s3:configure: turn "error warnings" into errors
By default "Missing argument(s)" is just an "error warning" for xlc :-)
The change to turn "error warnings" into errors should fix bug #7427.
(cherry picked from commit ff0872d59d78ad42212c88313ef924ea4eb7a8a1)
Fix bug #7427 (Using IBM xl_C compiler produces wrong results in configure).
Matthieu Patou [Fri, 21 May 2010 07:57:29 +0000 (11:57 +0400)]
s3: Allow previous password to be stored and use it to check tickets
This patch is to fix bug 7099. It stores the current password in the
previous password key when the password is changed. It also check the
user ticket against previous password.
Signed-off-by: Günther Deschner <gd@samba.org>
Fix bug #7099 (Every Thursday at 11:08-11:15am Windows Client
Connections break with Kerberos errors).
Jeremy Allison [Thu, 20 May 2010 21:30:44 +0000 (14:30 -0700)]
Fix what looks like a cut-and-paste error in our read_negTokenInit() function.
We should never be calling asn1_push_XXX functions inside an asn1
reading function. Change asn1_push_tag() -> asn1_start_tag() and
asn1_pop_tag() -> asn1_end_tag(). This allows us to connect to a
NetApp filer at the Microsoft plugfest.
Jeremy Allison [Thu, 20 May 2010 18:36:47 +0000 (11:36 -0700)]
Fix bug #7410 - samba sends "raw" inode number as uniqueid with unix extensions.
Move to a consistent get_FileIndex() function for all inode returns,
that checks if st_dev on the file is identical to the top directory
dev_t of the exported share, and if so uses the raw 64-bit inode
number. If it isn't (we've traversed a mount point) - return what
we used to do for Windows which is the concatination of the bottom
32-bits of the inode with the 32-bit device number. We can get more
creative with this over time (hashing?) if we want as now all inode returns go
through this single function.
Günther Deschner [Fri, 14 May 2010 22:34:35 +0000 (00:34 +0200)]
s3-kerberos: temporary fix for ipv6 in print_kdc_line().
Currently no krb5 lib supports "kdc = ipv6 address" at all, so for now just fill
in just the kdc_name if we have it and let the krb5 lib figure out the
appropriate ipv6 address
Karolin Seeger [Wed, 12 May 2010 09:24:57 +0000 (11:24 +0200)]
s3-docs: Move -D option to the right paragraph in man winbindd.
Fix bug #7260 (Command line option documentation in wrong place in winbindd man
page.). Thanks to Ged Haywood <samba@jubileegroup.co.uk> for reporting!