[PATCH] Fix bug #13126 - NTLM authentications using default domain/workgroup stopped working

Samba - samba-technical mailing list
After commit 8e88b56e the winbind parent process does not set anymore
auth_crap.domain to the winbind default domain when the domain was not
specified in the request, causing the request to fail with
NT_STATUS_CANT_ACCESS_DOMAIN_INFO.

This commit restores the behavior in the winbind child. If 'winbind use
default domain = yes' and no domain is specified in the request, it will
use the default domain. It also allows the domain to be specified in
auth_crap.user as 'DOMAIN\user'.

To test this I have added a new environment where 'winbind use default
domain' is set to true.

Comments and reviews appreciated!

Attachment: 0002-s3-winbind-Use-default-domain-for-pam_auth_crap-when.patch (4K)
Attachment: 0001-selftest-Add-tests-for-NTLM-authentication-using-win.patch (14K)

Re: [PATCH] Fix bug #13126 - NTLM authentications using default domain/workgroup stopped working

These patches are for master. Previous ones are for v4-6-stable.

Sorry for the noise.

On Tue, 2017-11-21 at 12:36 +0100, Samuel Cabrero via samba-technical
wrote:

> After commit 8e88b56e the winbind parent process does not set anymore
> auth_crap.domain to the winbind default domain when the domain was
> not
> specified in the request, causing the request to fail with
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
>
> This commit restores the behavior in the winbind child. If 'winbind
> use
> default domain = yes' and no domain is specified in the request, it will
> use the default domain. It also allows the domain to be specified in
> auth_crap.user as 'DOMAIN\user'.
>
> To test this I have added a new environment where 'winbind use
> default
> domain' is set to true.
>
> Comments and reviews appreciated!

Attachment: 0002-s3-winbind-Use-default-domain-for-pam_auth_crap-when.patch (4K)
Attachment: 0001-selftest-Add-tests-for-NTLM-authentication-using-win.patch (14K)

Re: [PATCH] Fix bug #13126 - NTLM authentications using default domain/workgroup stopped working

Hi Samuel,

On Tue, Nov 21, 2017 at 01:27:43PM +0100, Samuel Cabrero via samba-technical wrote:
> These patches are for master. Previous ones are for v4-6-stable.

can't you just reuse the s4member_dflt_domain test environment?

-slow

--
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/


Re: [PATCH v2] Fix bug #13126 - NTLM authentications using default domain/workgroup stopped working

Hi Ralph,

indeed it is what I was looking for and I did not see it.

I have updated the first patch removing the new environment and using
s4member_dflt_domain.

Thanks.

On Tue, 2017-11-21 at 13:48 +0100, Ralph Böhme via samba-technical
wrote:

> Hi Samuel,
>
> On Tue, Nov 21, 2017 at 01:27:43PM +0100, Samuel Cabrero via samba-
> technical wrote:
> > These patches are for master. Previous ones are for v4-6-stable.
>
> can't you just reuse the s4member_dflt_domain
> test environment?
>
> -slow
>

Attachment: 0001-selftest-Add-tests-for-NTLM-authentication-using-win.patch (11K)
Attachment: 0002-s3-winbind-Use-default-domain-for-pam_auth_crap-when.patch (4K)

Re: [PATCH] Fix bug #13126 - NTLM authentications using default domain/workgroup stopped working

On 11/21/2017 01:36 PM, Samuel Cabrero via samba-technical wrote:

> After commit 8e88b56e the winbind parent process does not set anymore
> auth_crap.domain to the winbind default domain when the domain was not
> specified in the request, causing the request to fail with
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
>
> This commit restores the behavior in the winbind child. If 'winbind use
> default domain = yes' and no domain is specified in the request, it will
> use the default domain. It also allows the domain to be specified in
> auth_crap.user as 'DOMAIN\user'.
>
> To test this I have added a new environment where 'winbind use default
> domain' is set to true.
>
> Comments and reviews appreciated!
>

I'm "guilty" for commit 8e88b56e so I have some comments.

This patch set won't survive autobuild - "samba3.unix.whoami ntlm
user@realm(ad_member)" fails. The reason is that it breaks
authenticating to SMB server using \upn@realm. (empty domain and user
component is upn@realm).

The point of commit 8e88b56e was that in NTLMv2, the domain is part of
the cryptographic material, and you are not allowed to change it
whimsically. An empty domain given to winbindd means that on the wire
the domain was empty, and if you change that, the v2-hash you get can't
possibly match the provided hash.

With NTLM(v1) the domain can be changed, and I suppose I was unaware of
the possible breakage with ntlm_auth (IIRC, smbd has not regressed due
to this change, at least not if "map untrusted to domain" is kept at its
default of "no").

I think also that the expected behavior should be documented in the bug
report / commit message - If I understand correctly, the expected
behavior is that \user mapped to DOMAIN\user - well that's inconsistent
with smbd, where \user is mapped to WORKSTATION\user, unless "map
untrusted to domain" is true.

Finally, another possible option for fixing this is in ntlm_auth. That
keeps Winbindd simple. Just a thought.

Thanks,
Uri.
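
Why a verifier cannot substitute a domain into an NTLMv2 exchange, shown as an added illustration that is not code from the patches or from Samba: per MS-NLMP the NTLMv2 key is HMAC-MD5 over UTF-16LE(UPPERCASE(user) + domain) keyed with the NT hash, so a response computed with an empty on-wire domain verifies only against an empty domain, whereas an NTLMv1 response depends on the NT hash and challenge alone. The NT hash, server challenge and client blob below are constructed sample values, and the user name "user" and domain "SAMBADOMAIN" are assumptions.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): a 16-byte NT hash,
# an 8-byte server challenge and a minimal NTLMv2 client blob.
NT_HASH = bytes(range(16))
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_BLOB = bytes.fromhex("01010000" + "00" * 4) + b"constructed-timestamp-nonce-targetinfo"


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    UTF-16LE(UPPERCASE(user) + domain). The domain is bound into the key;
    note that only the user name is uppercased, not the domain."""
    material = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, material, hashlib.md5).digest()


def ntlmv2_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """Client side: NtProofStr || blob, the NTLMv2 response field."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob


def verify_ntlmv2(nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Verifier side: recompute NtProofStr with the domain it believes the
    client used and compare in constant time."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain),
                        server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def domain_rewrite_outcome(on_wire_domain: str, rewritten_domain: str):
    """Client signed with on_wire_domain; return (verifies as sent,
    verifies after the verifier rewrites the domain)."""
    resp = ntlmv2_response(NT_HASH, "user", on_wire_domain, SERVER_CHALLENGE, CLIENT_BLOB)
    return (verify_ntlmv2(NT_HASH, "user", on_wire_domain, SERVER_CHALLENGE, resp),
            verify_ntlmv2(NT_HASH, "user", rewritten_domain, SERVER_CHALLENGE, resp))


if __name__ == "__main__":
    # Empty on-wire domain (the \upn@realm case) rewritten to a default domain.
    print(domain_rewrite_outcome("", "SAMBADOMAIN"))  # (True, False)
```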


Re: [PATCH] Fix bug #13126 - NTLM authentications using default domain/workgroup stopped working

Uri, thanks for your comments. I should have run all tests before.

Following your suggestion, this patch fixes it in ntlm_auth. If an
empty domain is given (eg: --domain="" or --username="\user") but
"winbind use default domain = yes", then the winbind domain is used.

I have also added tests reusing the s4member_dflt_domain environment.

Regards.

On Tue, 2017-11-21 at 20:10 +0200, Uri Simchoni via samba-technical
wrote:

> On 11/21/2017 01:36 PM, Samuel Cabrero via samba-technical wrote:
> > After commit 8e88b56e the winbind parent process does not set anymore
> > auth_crap.domain to the winbind default domain when the domain was
> > not
> > specified in the request, causing the request to fail with
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
> >
> > This commit restores the behavior in the winbind child. If 'winbind
> > use
> > default domain = yes' and no domain is specified in the request,
> > it will
> > use the default domain. It also allows the domain to be specified
> > in
> > auth_crap.user as 'DOMAIN\user'.
> >
> > To test this I have added a new environment where 'winbind use
> > default
> > domain' is set to true.
> >
> > Comments and reviews appreciated!
> >
>
> I'm "guilty" for commit 8e88b56e so I have some comments.
>
> This patch set won't survive autobuild - "samba3.unix.whoami ntlm
> user@realm(ad_member)" fails. The reason is that it breaks
> authenticating to SMB server using \upn@realm. (empty domain and user
> component is upn@realm).
>
> The point of commit 8e88b56e was that in NTLMv2, the domain is part
> of
> the cryptographic material, and you are not allowed to change it
> whimsically. An empty domain given to winbindd means that on the wire
> the domain was empty, and if you change that, the v2-hash you get
> can't
> possibly match the provided hash.
>
> With NTLM(v1) the domain can be changed, and I suppose I was unaware
> of
> the possible breakage with ntlm_auth (IIRC, smbd has not regressed
> due
> to this change, at least not if "map untrusted to domain" is kept at
> its
> default of "no").
>
> I think also that the expected behavior should be documented in the
> bug
> report / commit message - If I understand correctly, the expected
> behavior is that \user mapped to DOMAIN\user - well that's
> inconsistent
> with smbd, where \user is mapped to WORKSTATION\user, unless "map
> untrusted to domain" is true.
>
> Finally, another possible option for fixing this is in ntlm_auth.
> That
> keeps Winbindd simple. Just a thought.
>
> Thanks,
> Uri.
>

Attachment: 0001-ntlm_auth-Honour-winbind-use-default-domain-when-emp.patch (1K)
Attachment: 0002-selftest-Add-tests-for-ntlm_auth-with-empty-domain.patch (15K)