summaryrefslogtreecommitdiffstats
path: root/source3/utils
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-20 04:07:27 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-20 04:07:27 +0000
commit19d0fde1ace012e366182b511c528f7ab6a0ed37 (patch)
tree4b7f31bfcae1f06f2a77dd154508460119172422 /source3/utils
parentAdding debian version 2:4.20.1+dfsg-5. (diff)
downloadsamba-19d0fde1ace012e366182b511c528f7ab6a0ed37.tar.xz
samba-19d0fde1ace012e366182b511c528f7ab6a0ed37.zip
Merging upstream version 2:4.20.2+dfsg.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source3/utils')
-rw-r--r--source3/utils/conn_tdb.c12
-rw-r--r--source3/utils/conn_tdb.h1
-rw-r--r--source3/utils/net_ads.c6
-rw-r--r--source3/utils/net_registry.c2
-rw-r--r--source3/utils/sharesec.c8
-rw-r--r--source3/utils/smbcacls.c15
-rw-r--r--source3/utils/status.c82
-rw-r--r--source3/utils/status.h1
-rw-r--r--source3/utils/status_json.c2
9 files changed, 108 insertions, 21 deletions
diff --git a/source3/utils/conn_tdb.c b/source3/utils/conn_tdb.c
index 3724bd4..3f4ef00 100644
--- a/source3/utils/conn_tdb.c
+++ b/source3/utils/conn_tdb.c
@@ -27,6 +27,7 @@
#include "conn_tdb.h"
#include "util_tdb.h"
#include "lib/util/string_wrappers.h"
+#include "../libcli/security/session.h"
struct connections_forall_state {
struct db_context *session_by_pid;
@@ -44,7 +45,7 @@ struct connections_forall_session {
uint16_t cipher;
uint16_t dialect;
uint16_t signing;
- uint8_t signing_flags;
+ bool authenticated;
};
static int collect_sessions_fn(struct smbXsrv_session_global0 *global,
@@ -56,6 +57,7 @@ static int collect_sessions_fn(struct smbXsrv_session_global0 *global,
uint32_t id = global->session_global_id;
struct connections_forall_session sess;
+ enum security_user_level ul;
if (global->auth_session_info == NULL) {
sess.uid = -1;
@@ -69,7 +71,12 @@ static int collect_sessions_fn(struct smbXsrv_session_global0 *global,
sess.cipher = global->channels[0].encryption_cipher;
sess.signing = global->channels[0].signing_algo;
sess.dialect = global->connection_dialect;
- sess.signing_flags = global->signing_flags;
+ ul = security_session_user_level(global->auth_session_info, NULL);
+ if (ul >= SECURITY_USER) {
+ sess.authenticated = true;
+ } else {
+ sess.authenticated = false;
+ }
status = dbwrap_store(state->session_by_pid,
make_tdb_data((void*)&id, sizeof(id)),
@@ -134,6 +141,7 @@ static int traverse_tcon_fn(struct smbXsrv_tcon_global0 *global,
data.dialect = sess.dialect;
data.signing = sess.signing;
data.signing_flags = global->signing_flags;
+ data.authenticated = sess.authenticated;
state->count++;
diff --git a/source3/utils/conn_tdb.h b/source3/utils/conn_tdb.h
index 2a6e04e..23a5e21 100644
--- a/source3/utils/conn_tdb.h
+++ b/source3/utils/conn_tdb.h
@@ -36,6 +36,7 @@ struct connections_data {
uint16_t dialect;
uint8_t signing_flags;
uint16_t signing;
+ bool authenticated;
};
/* The following definitions come from lib/conn_tdb.c */
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index d95a209..43fa026 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -521,6 +521,11 @@ static int net_ads_info_json(ADS_STRUCT *ads)
goto failure;
}
+ ret = json_add_string (&jsobj, "Workgroup", ads->config.workgroup);
+ if (ret != 0) {
+ goto failure;
+ }
+
ret = json_add_string (&jsobj, "Realm", ads->config.realm);
if (ret != 0) {
goto failure;
@@ -627,6 +632,7 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
d_printf(_("LDAP server: %s\n"), addr);
d_printf(_("LDAP server name: %s\n"), ads->config.ldap_server_name);
+ d_printf(_("Workgroup: %s\n"), ads->config.workgroup);
d_printf(_("Realm: %s\n"), ads->config.realm);
d_printf(_("Bind Path: %s\n"), ads->config.bind_path);
d_printf(_("LDAP port: %d\n"), ads->ldap.port);
diff --git a/source3/utils/net_registry.c b/source3/utils/net_registry.c
index 5d1314e..b47a8ff 100644
--- a/source3/utils/net_registry.c
+++ b/source3/utils/net_registry.c
@@ -1146,7 +1146,7 @@ static int registry_value_cmp(
if (v1->type == v2->type) {
return data_blob_cmp(&v1->data, &v2->data);
}
- return v1->type - v2->type;
+ return NUMERIC_CMP(v1->type, v2->type);
}
static WERROR precheck_create_val(struct precheck_ctx *ctx,
diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c
index a6481e2..4175729 100644
--- a/source3/utils/sharesec.c
+++ b/source3/utils/sharesec.c
@@ -120,19 +120,19 @@ static int ace_compare(struct security_ace *ace1, struct security_ace *ace2)
return 0;
if (ace1->type != ace2->type)
- return ace2->type - ace1->type;
+ return NUMERIC_CMP(ace2->type, ace1->type);
if (dom_sid_compare(&ace1->trustee, &ace2->trustee))
return dom_sid_compare(&ace1->trustee, &ace2->trustee);
if (ace1->flags != ace2->flags)
- return ace1->flags - ace2->flags;
+ return NUMERIC_CMP(ace1->flags, ace2->flags);
if (ace1->access_mask != ace2->access_mask)
- return ace1->access_mask - ace2->access_mask;
+ return NUMERIC_CMP(ace1->access_mask, ace2->access_mask);
if (ace1->size != ace2->size)
- return ace1->size - ace2->size;
+ return NUMERIC_CMP(ace1->size, ace2->size);
return memcmp(ace1, ace2, sizeof(struct security_ace));
}
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
index e0591ac..5df7158 100644
--- a/source3/utils/smbcacls.c
+++ b/source3/utils/smbcacls.c
@@ -510,22 +510,23 @@ static int ace_compare(struct security_ace *ace1, struct security_ace *ace2)
return -1;
if ((ace1->flags & SEC_ACE_FLAG_INHERITED_ACE) &&
(ace2->flags & SEC_ACE_FLAG_INHERITED_ACE))
- return ace1 - ace2;
-
- if (ace1->type != ace2->type)
- return ace2->type - ace1->type;
+ return NUMERIC_CMP(ace2->type, ace1->type);
+ if (ace1->type != ace2->type) {
+ /* note the reverse order */
+ return NUMERIC_CMP(ace2->type, ace1->type);
+ }
if (dom_sid_compare(&ace1->trustee, &ace2->trustee))
return dom_sid_compare(&ace1->trustee, &ace2->trustee);
if (ace1->flags != ace2->flags)
- return ace1->flags - ace2->flags;
+ return NUMERIC_CMP(ace1->flags, ace2->flags);
if (ace1->access_mask != ace2->access_mask)
- return ace1->access_mask - ace2->access_mask;
+ return NUMERIC_CMP(ace1->access_mask, ace2->access_mask);
if (ace1->size != ace2->size)
- return ace1->size - ace2->size;
+ return NUMERIC_CMP(ace1->size, ace2->size);
return memcmp(ace1, ace2, sizeof(struct security_ace));
}
diff --git a/source3/utils/status.c b/source3/utils/status.c
index 4102b41..02a5f6d 100644
--- a/source3/utils/status.c
+++ b/source3/utils/status.c
@@ -483,9 +483,33 @@ static int traverse_connections_stdout(struct traverse_state *state,
char *server_id,
const char *machine,
const char *timestr,
- const char *encryption,
- const char *signing)
+ const char *encryption_cipher,
+ enum crypto_degree encryption_degree,
+ const char *signing_cipher,
+ enum crypto_degree signing_degree)
{
+ fstring encryption;
+ fstring signing;
+
+ if (encryption_degree == CRYPTO_DEGREE_FULL) {
+ fstr_sprintf(encryption, "%s", encryption_cipher);
+ } else if (encryption_degree == CRYPTO_DEGREE_ANONYMOUS) {
+ fstr_sprintf(encryption, "anonymous(%s)", encryption_cipher);
+ } else if (encryption_degree == CRYPTO_DEGREE_PARTIAL) {
+ fstr_sprintf(encryption, "partial(%s)", encryption_cipher);
+ } else {
+ fstr_sprintf(encryption, "-");
+ }
+ if (signing_degree == CRYPTO_DEGREE_FULL) {
+ fstr_sprintf(signing, "%s", signing_cipher);
+ } else if (signing_degree == CRYPTO_DEGREE_ANONYMOUS) {
+ fstr_sprintf(signing, "anonymous(%s)", signing_cipher);
+ } else if (signing_degree == CRYPTO_DEGREE_PARTIAL) {
+ fstr_sprintf(signing, "partial(%s)", signing_cipher);
+ } else {
+ fstr_sprintf(signing, "-");
+ }
+
d_printf("%-12s %-7s %-13s %-32s %-12s %-12s\n",
servicename, server_id, machine, timestr, encryption, signing);
@@ -538,7 +562,9 @@ static int traverse_connections(const struct connections_data *crec,
return -1;
}
- if (smbXsrv_is_encrypted(crec->encryption_flags)) {
+ if (smbXsrv_is_encrypted(crec->encryption_flags) ||
+ smbXsrv_is_partially_encrypted(crec->encryption_flags))
+ {
switch (crec->cipher) {
case SMB_ENCRYPTION_GSSAPI:
encryption = "GSSAPI";
@@ -549,14 +575,31 @@ static int traverse_connections(const struct connections_data *crec,
case SMB2_ENCRYPTION_AES128_GCM:
encryption = "AES-128-GCM";
break;
+ case SMB2_ENCRYPTION_AES256_CCM:
+ encryption = "AES-256-CCM";
+ break;
+ case SMB2_ENCRYPTION_AES256_GCM:
+ encryption = "AES-256-GCM";
+ break;
default:
encryption = "???";
break;
}
- encryption_degree = CRYPTO_DEGREE_FULL;
+ if (smbXsrv_is_encrypted(crec->encryption_flags)) {
+ encryption_degree = CRYPTO_DEGREE_FULL;
+ } else if (smbXsrv_is_partially_encrypted(crec->encryption_flags)) {
+ encryption_degree = CRYPTO_DEGREE_PARTIAL;
+ }
+ if (encryption_degree != CRYPTO_DEGREE_NONE &&
+ !crec->authenticated)
+ {
+ encryption_degree = CRYPTO_DEGREE_ANONYMOUS;
+ }
}
- if (smbXsrv_is_signed(crec->signing_flags)) {
+ if (smbXsrv_is_signed(crec->signing_flags) ||
+ smbXsrv_is_partially_signed(crec->signing_flags))
+ {
switch (crec->signing) {
case SMB2_SIGNING_MD5_SMB1:
signing = "HMAC-MD5";
@@ -574,7 +617,16 @@ static int traverse_connections(const struct connections_data *crec,
signing = "???";
break;
}
- signing_degree = CRYPTO_DEGREE_FULL;
+ if (smbXsrv_is_signed(crec->signing_flags)) {
+ signing_degree = CRYPTO_DEGREE_FULL;
+ } else if (smbXsrv_is_partially_signed(crec->signing_flags)) {
+ signing_degree = CRYPTO_DEGREE_PARTIAL;
+ }
+ if (signing_degree != CRYPTO_DEGREE_NONE &&
+ !crec->authenticated)
+ {
+ signing_degree = CRYPTO_DEGREE_ANONYMOUS;
+ }
}
if (!state->json_output) {
@@ -584,7 +636,9 @@ static int traverse_connections(const struct connections_data *crec,
crec->machine,
timestr,
encryption,
- signing);
+ encryption_degree,
+ signing,
+ signing_degree);
} else {
result = traverse_connections_json(state,
crec,
@@ -615,6 +669,8 @@ static int traverse_sessionid_stdout(struct traverse_state *state,
if (encryption_degree == CRYPTO_DEGREE_FULL) {
fstr_sprintf(encryption, "%s", encryption_cipher);
+ } else if (encryption_degree == CRYPTO_DEGREE_ANONYMOUS) {
+ fstr_sprintf(encryption, "anonymous(%s)", encryption_cipher);
} else if (encryption_degree == CRYPTO_DEGREE_PARTIAL) {
fstr_sprintf(encryption, "partial(%s)", encryption_cipher);
} else {
@@ -622,6 +678,8 @@ static int traverse_sessionid_stdout(struct traverse_state *state,
}
if (signing_degree == CRYPTO_DEGREE_FULL) {
fstr_sprintf(signing, "%s", signing_cipher);
+ } else if (signing_degree == CRYPTO_DEGREE_ANONYMOUS) {
+ fstr_sprintf(signing, "anonymous(%s)", signing_cipher);
} else if (signing_degree == CRYPTO_DEGREE_PARTIAL) {
fstr_sprintf(signing, "partial(%s)", signing_cipher);
} else {
@@ -756,6 +814,11 @@ static int traverse_sessionid(const char *key, struct sessionid *session,
} else if (smbXsrv_is_partially_encrypted(session->encryption_flags)) {
encryption_degree = CRYPTO_DEGREE_PARTIAL;
}
+ if (encryption_degree != CRYPTO_DEGREE_NONE &&
+ !session->authenticated)
+ {
+ encryption_degree = CRYPTO_DEGREE_ANONYMOUS;
+ }
}
if (smbXsrv_is_signed(session->signing_flags) ||
@@ -783,6 +846,11 @@ static int traverse_sessionid(const char *key, struct sessionid *session,
} else if (smbXsrv_is_partially_signed(session->signing_flags)) {
signing_degree = CRYPTO_DEGREE_PARTIAL;
}
+ if (signing_degree != CRYPTO_DEGREE_NONE &&
+ !session->authenticated)
+ {
+ signing_degree = CRYPTO_DEGREE_ANONYMOUS;
+ }
}
diff --git a/source3/utils/status.h b/source3/utils/status.h
index c08aba4..6674f0d 100644
--- a/source3/utils/status.h
+++ b/source3/utils/status.h
@@ -38,6 +38,7 @@ struct traverse_state {
enum crypto_degree {
CRYPTO_DEGREE_NONE,
CRYPTO_DEGREE_PARTIAL,
+ CRYPTO_DEGREE_ANONYMOUS,
CRYPTO_DEGREE_FULL
};
diff --git a/source3/utils/status_json.c b/source3/utils/status_json.c
index ee24a3b..f558c91 100644
--- a/source3/utils/status_json.c
+++ b/source3/utils/status_json.c
@@ -258,6 +258,8 @@ static int add_crypto_to_json(struct json_object *parent_json,
if (degree == CRYPTO_DEGREE_NONE) {
degree_str = "none";
+ } else if (degree == CRYPTO_DEGREE_ANONYMOUS) {
+ degree_str = "anonymous";
} else if (degree == CRYPTO_DEGREE_PARTIAL) {
degree_str = "partial";
} else {