[SCM] Samba Shared Repository - branch v3-2-stable updated - release-3-2-2-19-ga90648e
Karolin Seeger
kseeger at samba.org
Fri Aug 22 21:56:05 GMT 2008
The branch, v3-2-stable has been updated
via a90648e905aebc98c78897adf76729bea269cedf (commit)
via 9bbd6ee5db03747499bd263bb1365c8cd352076d (commit)
via b3a8b823361d6144f14c2d800e956f26ff9ad6d6 (commit)
via 6d42b1e372b67eba83dbd5200bfb131b74cac180 (commit)
via 94dd61a4e8e070e175339defce4da08eaf87429d (commit)
via 7a53e1e83a070394f77da4a0f7b2ed480165c376 (commit)
via 3c205320cd1eb19ed275572f975487e92c611f13 (commit)
from ef801d12a309c4c9f6429739b835fb32f5c309b8 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-stable
- Log -----------------------------------------------------------------
commit a90648e905aebc98c78897adf76729bea269cedf
Author: Jeremy Allison <jra at samba.org>
Date: Fri Aug 22 13:50:53 2008 -0700
Don't re-initialize a token when we already have one. This fixes the build farm failures when winbindd connects as guest.
This one took a *lot* of tracking down :-).
Jeremy.
(cherry picked from commit f845c95dcfa0b1630a0057c62941bb8a72ebdd83)
commit 9bbd6ee5db03747499bd263bb1365c8cd352076d
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date: Fri Aug 22 10:17:04 2008 -0500
winbindd: Fix crash in cm_connect_sam()
Fix segv when talking to parent DC (joined to child domain).
The root cause was
(a) storing the parent domain in the cli_state struct caused
the NTLMSSP pipe bind to fail which made us fallover to
the schannel code path
(b) the dcinfo pointer in cm_get_schannel_dcinfo() was returning
NULL even though the function indicated success.
(cherry picked from commit 5ce4a2ae6697970ea37d0078a506615b4b7a9a9c)
(cherry picked from commit 72d138adc200ab36e324721900af1a06d0879318)
commit b3a8b823361d6144f14c2d800e956f26ff9ad6d6
Author: Jeff Layton <jlayton at redhat.com>
Date: Thu Aug 21 21:41:19 2008 -0400
cifs.upcall: fix build warning
Signed-off-by: Jeff Layton <jlayton at redhat.com>
(cherry picked from commit dffb2d8eea03bb75224c3d8b4d0ab210993c645a)
commit 6d42b1e372b67eba83dbd5200bfb131b74cac180
Author: Günther Deschner <gd at samba.org>
Date: Thu Aug 21 15:05:35 2008 +0200
Fix Bug #5710 and make machine account password changing work again.
When we negotiated NETLOGON_NEG_PASSWORD_SET2 we need to use
NetrServerPasswordSet2 to change the machine password.
Tested with NT4, W2k, W2k3 and W2k8.
Guenther
(cherry picked from commit 8ae7040a5e64f1a1d2088aeca1dab90470455d8a)
commit 94dd61a4e8e070e175339defce4da08eaf87429d
Author: Günther Deschner <gd at samba.org>
Date: Thu Aug 21 15:02:03 2008 +0200
re-run make idl.
Guenther
(cherry picked from commit f24cef9fa7be45212744d39b7c66804e64147afd)
(cherry picked from commit 059979f8e7d7d0459f83184ad5b06a8e6281f558)
commit 7a53e1e83a070394f77da4a0f7b2ed480165c376
Author: Günther Deschner <gd at samba.org>
Date: Thu Aug 21 15:01:36 2008 +0200
IDL: fix IDL for netr_ServerPasswordSet2().
Guenther
(cherry picked from commit 7b312a0abc6de5a51555ccfbde7f8f78fc11d043)
(cherry picked from commit d9fa27a079dde0ebd9c2d6dc1c1bff3ae570f9e8)
commit 3c205320cd1eb19ed275572f975487e92c611f13
Author: Jeremy Allison <jra at samba.org>
Date: Thu Aug 21 10:25:51 2008 -0700
Fix bug 5698 - mixup of TALLOC/malloc. Spotted by Douglas Wegscheid <Douglas_E_Wegscheid at whirlpool.com>.
Jeremy.
(cherry picked from commit 02e260ab5254c9691846f7009f685e1b11032f80)
-----------------------------------------------------------------------
Summary of changes:
source/client/cifs.upcall.c | 3 +-
source/lib/util_str.c | 5 +-
source/librpc/gen_ndr/cli_netlogon.c | 6 +-
source/librpc/gen_ndr/cli_netlogon.h | 6 +-
source/librpc/gen_ndr/ndr_netlogon.c | 38 ++++++++++++++---
source/librpc/gen_ndr/netlogon.h | 4 +-
source/librpc/idl/netlogon.idl | 6 +-
source/libsmb/trusts_util.c | 75 +++++++++++++++++++++++----------
source/smbd/sesssetup.c | 23 ++++++-----
source/winbindd/winbindd_cm.c | 12 +++++-
10 files changed, 123 insertions(+), 55 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/client/cifs.upcall.c b/source/client/cifs.upcall.c
index fd3ed17..cf5f1c3 100644
--- a/source/client/cifs.upcall.c
+++ b/source/client/cifs.upcall.c
@@ -222,7 +222,8 @@ int main(const int argc, char *const argv[])
uid_t uid;
int kernel_upcall_version;
int c, use_cifs_service_prefix = 0;
- char *buf, *oid, *hostname = NULL;
+ char *buf, *hostname = NULL;
+ const char *oid;
openlog(prog, 0, LOG_DAEMON);
diff --git a/source/lib/util_str.c b/source/lib/util_str.c
index c36d512..a2458c8 100644
--- a/source/lib/util_str.c
+++ b/source/lib/util_str.c
@@ -2006,6 +2006,7 @@ bool str_list_sub_basic( char **list, const char *smb_name,
bool str_list_substitute(char **list, const char *pattern, const char *insert)
{
+ TALLOC_CTX *ctx = list;
char *p, *s, *t;
ssize_t ls, lp, li, ld, i, d;
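Review bot: `TALLOC_CTX *ctx = list;` makes the list array itself the talloc parent of every replacement string, which is only valid if every caller passes an array that was allocated with talloc, and nothing at the declaration says so. Please add a comment there stating that the list must be a talloc'ed array, so a caller that still builds its list with malloc does not reintroduce the allocator mix-up this change is fixing.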
@@ -2028,7 +2029,7 @@ bool str_list_substitute(char **list, const char *pattern, const char *insert)
t = *list;
d = p -t;
if (ld) {
- t = (char *) SMB_MALLOC(ls +ld +1);
+ t = TALLOC_ARRAY(ctx, char, ls +ld +1);
if (!t) {
DEBUG(0,("str_list_substitute: "
"Unable to allocate memory"));
@@ -2036,7 +2037,7 @@ bool str_list_substitute(char **list, const char *pattern, const char *insert)
}
memcpy(t, *list, d);
memcpy(t +d +li, p +lp, ls -d -lp +1);
- SAFE_FREE(*list);
+ TALLOC_FREE(*list);
*list = t;
ls += ld;
s = t +d +li;
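Review bot: `TALLOC_FREE(*list)` assumes the string being replaced was itself talloc'ed, not just the array that holds it. The replacement `t` is now guaranteed to be, but the original elements come from the caller, so the function comment should state that both the array and its strings must be talloc memory.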
diff --git a/source/librpc/gen_ndr/cli_netlogon.c b/source/librpc/gen_ndr/cli_netlogon.c
index 61f4103..f5b4715 100644
--- a/source/librpc/gen_ndr/cli_netlogon.c
+++ b/source/librpc/gen_ndr/cli_netlogon.c
@@ -1534,9 +1534,9 @@ NTSTATUS rpccli_netr_ServerPasswordSet2(struct rpc_pipe_client *cli,
const char *account_name /* [in] [charset(UTF16)] */,
enum netr_SchannelType secure_channel_type /* [in] */,
const char *computer_name /* [in] [charset(UTF16)] */,
- struct netr_Authenticator credential /* [in] */,
- struct netr_CryptPassword new_password /* [in] */,
- struct netr_Authenticator *return_authenticator /* [out] [ref] */)
+ struct netr_Authenticator *credential /* [in] [ref] */,
+ struct netr_Authenticator *return_authenticator /* [out] [ref] */,
+ struct netr_CryptPassword *new_password /* [in] [ref] */)
{
struct netr_ServerPasswordSet2 r;
NTSTATUS status;
diff --git a/source/librpc/gen_ndr/cli_netlogon.h b/source/librpc/gen_ndr/cli_netlogon.h
index 2968732..2033315 100644
--- a/source/librpc/gen_ndr/cli_netlogon.h
+++ b/source/librpc/gen_ndr/cli_netlogon.h
@@ -239,9 +239,9 @@ NTSTATUS rpccli_netr_ServerPasswordSet2(struct rpc_pipe_client *cli,
const char *account_name /* [in] [charset(UTF16)] */,
enum netr_SchannelType secure_channel_type /* [in] */,
const char *computer_name /* [in] [charset(UTF16)] */,
- struct netr_Authenticator credential /* [in] */,
- struct netr_CryptPassword new_password /* [in] */,
- struct netr_Authenticator *return_authenticator /* [out] [ref] */);
+ struct netr_Authenticator *credential /* [in] [ref] */,
+ struct netr_Authenticator *return_authenticator /* [out] [ref] */,
+ struct netr_CryptPassword *new_password /* [in] [ref] */);
NTSTATUS rpccli_netr_ServerPasswordGet(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
const char *server_name /* [in] [unique,charset(UTF16)] */,
diff --git a/source/librpc/gen_ndr/ndr_netlogon.c b/source/librpc/gen_ndr/ndr_netlogon.c
index ce61f8d..eff816c 100644
--- a/source/librpc/gen_ndr/ndr_netlogon.c
+++ b/source/librpc/gen_ndr/ndr_netlogon.c
@@ -12310,8 +12310,14 @@ static enum ndr_err_code ndr_push_netr_ServerPasswordSet2(struct ndr_push *ndr,
NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0));
NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_charset_length(r->in.computer_name, CH_UTF16)));
NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->in.computer_name, ndr_charset_length(r->in.computer_name, CH_UTF16), sizeof(uint16_t), CH_UTF16));
- NDR_CHECK(ndr_push_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential));
- NDR_CHECK(ndr_push_netr_CryptPassword(ndr, NDR_SCALARS, &r->in.new_password));
+ if (r->in.credential == NULL) {
+ return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer");
+ }
+ NDR_CHECK(ndr_push_netr_Authenticator(ndr, NDR_SCALARS, r->in.credential));
+ if (r->in.new_password == NULL) {
+ return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer");
+ }
+ NDR_CHECK(ndr_push_netr_CryptPassword(ndr, NDR_SCALARS, r->in.new_password));
}
if (flags & NDR_OUT) {
if (r->out.return_authenticator == NULL) {
@@ -12327,7 +12333,9 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordSet2(struct ndr_pull *ndr,
{
uint32_t _ptr_server_name;
TALLOC_CTX *_mem_save_server_name_0;
+ TALLOC_CTX *_mem_save_credential_0;
TALLOC_CTX *_mem_save_return_authenticator_0;
+ TALLOC_CTX *_mem_save_new_password_0;
if (flags & NDR_IN) {
ZERO_STRUCT(r->out);
@@ -12364,8 +12372,20 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordSet2(struct ndr_pull *ndr,
}
NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t)));
NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16));
- NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential));
- NDR_CHECK(ndr_pull_netr_CryptPassword(ndr, NDR_SCALARS, &r->in.new_password));
+ if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
+ NDR_PULL_ALLOC(ndr, r->in.credential);
+ }
+ _mem_save_credential_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->in.credential, LIBNDR_FLAG_REF_ALLOC);
+ NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, r->in.credential));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_credential_0, LIBNDR_FLAG_REF_ALLOC);
+ if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
+ NDR_PULL_ALLOC(ndr, r->in.new_password);
+ }
+ _mem_save_new_password_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->in.new_password, LIBNDR_FLAG_REF_ALLOC);
+ NDR_CHECK(ndr_pull_netr_CryptPassword(ndr, NDR_SCALARS, r->in.new_password));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_new_password_0, LIBNDR_FLAG_REF_ALLOC);
NDR_PULL_ALLOC(ndr, r->out.return_authenticator);
ZERO_STRUCTP(r->out.return_authenticator);
}
@@ -12401,8 +12421,14 @@ _PUBLIC_ void ndr_print_netr_ServerPasswordSet2(struct ndr_print *ndr, const cha
ndr_print_string(ndr, "account_name", r->in.account_name);
ndr_print_netr_SchannelType(ndr, "secure_channel_type", r->in.secure_channel_type);
ndr_print_string(ndr, "computer_name", r->in.computer_name);
- ndr_print_netr_Authenticator(ndr, "credential", &r->in.credential);
- ndr_print_netr_CryptPassword(ndr, "new_password", &r->in.new_password);
+ ndr_print_ptr(ndr, "credential", r->in.credential);
+ ndr->depth++;
+ ndr_print_netr_Authenticator(ndr, "credential", r->in.credential);
+ ndr->depth--;
+ ndr_print_ptr(ndr, "new_password", r->in.new_password);
+ ndr->depth++;
+ ndr_print_netr_CryptPassword(ndr, "new_password", r->in.new_password);
+ ndr->depth--;
ndr->depth--;
}
if (flags & NDR_OUT) {
diff --git a/source/librpc/gen_ndr/netlogon.h b/source/librpc/gen_ndr/netlogon.h
index 9e86051..1cea1f0 100644
--- a/source/librpc/gen_ndr/netlogon.h
+++ b/source/librpc/gen_ndr/netlogon.h
@@ -1355,8 +1355,8 @@ struct netr_ServerPasswordSet2 {
const char *account_name;/* [charset(UTF16)] */
enum netr_SchannelType secure_channel_type;
const char *computer_name;/* [charset(UTF16)] */
- struct netr_Authenticator credential;
- struct netr_CryptPassword new_password;
+ struct netr_Authenticator *credential;/* [ref] */
+ struct netr_CryptPassword *new_password;/* [ref] */
} in;
struct {
diff --git a/source/librpc/idl/netlogon.idl b/source/librpc/idl/netlogon.idl
index 98cf1e7..74535fc 100644
--- a/source/librpc/idl/netlogon.idl
+++ b/source/librpc/idl/netlogon.idl
@@ -1182,9 +1182,9 @@ interface netlogon
[in] [string,charset(UTF16)] uint16 account_name[],
[in] netr_SchannelType secure_channel_type,
[in] [string,charset(UTF16)] uint16 computer_name[],
- [in] netr_Authenticator credential,
- [in] netr_CryptPassword new_password,
- [out,ref] netr_Authenticator *return_authenticator
+ [in,ref] netr_Authenticator *credential,
+ [out,ref] netr_Authenticator *return_authenticator,
+ [in,ref] netr_CryptPassword *new_password
);
/****************/
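Review bot: the commit message says only "fix IDL" and the hunk carries no comment, so the reason for two separate changes is not recorded: `credential` and `new_password` become `[in,ref]` pointers, and `return_authenticator` moves ahead of `new_password`. Please state in the message or in a comment above the call what the previous definition got wrong. Note also that `credential` and `return_authenticator` are now adjacent parameters of the same pointer type in the generated client prototype, so a caller that swaps them will still compile.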
diff --git a/source/libsmb/trusts_util.c b/source/libsmb/trusts_util.c
index c3f5f25..0535d1b 100644
--- a/source/libsmb/trusts_util.c
+++ b/source/libsmb/trusts_util.c
@@ -31,34 +31,60 @@
static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
const unsigned char orig_trust_passwd_hash[16],
+ const char *new_trust_pwd_cleartext,
const unsigned char new_trust_passwd_hash[16],
uint32 sec_channel_type)
{
NTSTATUS result;
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
- /* Check if the netlogon pipe is open using schannel. If so we
- already have valid creds. If not we must set them up. */
-
- if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-
- result = rpccli_netlogon_setup_creds(cli,
- cli->cli->desthost, /* server name */
- lp_workgroup(), /* domain */
- global_myname(), /* client name */
- global_myname(), /* machine account name */
- orig_trust_passwd_hash,
- sec_channel_type,
- &neg_flags);
-
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
- nt_errstr(result)));
- return result;
- }
+ result = rpccli_netlogon_setup_creds(cli,
+ cli->cli->desthost, /* server name */
+ lp_workgroup(), /* domain */
+ global_myname(), /* client name */
+ global_myname(), /* machine account name */
+ orig_trust_passwd_hash,
+ sec_channel_type,
+ &neg_flags);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
+ nt_errstr(result)));
+ return result;
}
- {
+ if (neg_flags & NETLOGON_NEG_PASSWORD_SET2) {
+
+ struct netr_Authenticator clnt_creds, srv_cred;
+ struct netr_CryptPassword new_password;
+ struct samr_CryptPassword password_buf;
+
+ netlogon_creds_client_step(cli->dc, &clnt_creds);
+
+ encode_pw_buffer(password_buf.data, new_trust_pwd_cleartext, STR_UNICODE);
+
+ SamOEMhash(password_buf.data, cli->dc->sess_key, 516);
+ memcpy(new_password.data, password_buf.data, 512);
+ new_password.length = IVAL(password_buf.data, 512);
+
+ result = rpccli_netr_ServerPasswordSet2(cli, mem_ctx,
+ cli->dc->remote_machine,
+ cli->dc->mach_acct,
+ sec_channel_type,
+ global_myname(),
+ &clnt_creds,
+ &srv_cred,
+ &new_password);
+
+ /* Always check returned credentials. */
+ if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
+ DEBUG(0,("rpccli_netr_ServerPasswordSet2: "
+ "credentials chain check failed\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ } else {
+
struct netr_Authenticator clnt_creds, srv_cred;
struct samr_Password new_password;
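Review bot: in the new `NETLOGON_NEG_PASSWORD_SET2` branch, `result` from rpccli_netr_ServerPasswordSet2() is never tested before `netlogon_creds_client_check(cli->dc, &srv_cred.cred)` runs, and `srv_cred` is declared without being initialised. If the RPC fails, the check is made against whatever srv_cred contains and the function returns NT_STATUS_ACCESS_DENIED with "credentials chain check failed", which hides the real status. Suggest ZERO_STRUCT(srv_cred) before the call and an early return when !NT_STATUS_IS_OK(result). Two smaller points: the hunk drops the old `auth_type != PIPE_AUTH_TYPE_SCHANNEL` test, so rpccli_netlogon_setup_creds() now runs even on a pipe that the removed comment described as already having valid creds, and that deserves a comment saying why; and the literals 516 and 512 would read better as named sizes.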
@@ -118,8 +144,11 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
E_md4hash(new_trust_passwd, new_trust_passwd_hash);
- nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash,
- new_trust_passwd_hash, sec_channel_type);
+ nt_status = just_change_the_password(cli, mem_ctx,
+ orig_trust_passwd_hash,
+ new_trust_passwd,
+ new_trust_passwd_hash,
+ sec_channel_type);
if (NT_STATUS_IS_OK(nt_status)) {
DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
diff --git a/source/smbd/sesssetup.c b/source/smbd/sesssetup.c
index 33a54dd..98594b0 100644
--- a/source/smbd/sesssetup.c
+++ b/source/smbd/sesssetup.c
@@ -1735,16 +1735,19 @@ void reply_sesssetup_and_X(struct smb_request *req)
return;
}
- nt_status = create_local_token(server_info);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(10, ("create_local_token failed: %s\n",
- nt_errstr(nt_status)));
- data_blob_free(&nt_resp);
- data_blob_free(&lm_resp);
- data_blob_clear_free(&plaintext_password);
- reply_nterror(req, nt_status_squash(nt_status));
- END_PROFILE(SMBsesssetupX);
- return;
+ if (!server_info->ptok) {
+ nt_status = create_local_token(server_info);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(10, ("create_local_token failed: %s\n",
+ nt_errstr(nt_status)));
+ data_blob_free(&nt_resp);
+ data_blob_free(&lm_resp);
+ data_blob_clear_free(&plaintext_password);
+ reply_nterror(req, nt_status_squash(nt_status));
+ END_PROFILE(SMBsesssetupX);
+ return;
+ }
}
if (server_info->user_session_key.data) {
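Review bot: the new `if (!server_info->ptok)` guard has no comment saying which path reaches this point with a token already set. The commit message names the guest case; please put that in a comment above the guard so a later cleanup does not restore the unconditional create_local_token() call.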
diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index c9769bf..cd05c36 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -846,7 +846,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
result = ads_ntstatus(ads_status);
if (NT_STATUS_IS_OK(result)) {
/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- cli_init_creds(*cli, machine_account, domain->name, machine_password);
+ cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
goto session_setup_done;
}
}
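Review bot: the domain argument to cli_init_creds() changes from `domain->name` to `lp_workgroup()` here and in the next hunk, but the comment above the call still only says that creds are stored for NTLMSSP pipe access. Add a line explaining that the machine account credentials must carry our own workgroup and not the name of the domain being connected to, since the commit message identifies storing the parent domain as the cause of the NTLMSSP bind failure.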
@@ -871,7 +871,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
result = ads_ntstatus(ads_status);
if (NT_STATUS_IS_OK(result)) {
/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- cli_init_creds(*cli, machine_account, domain->name, machine_password);
+ cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
goto session_setup_done;
}
}
@@ -908,6 +908,9 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
anon_fallback:
/* Fall back to anonymous connection, this might fail later */
+ DEBUG(10,("cm_prepare_connection: falling back to anonymous "
+ "connection for DC %s\n",
+ controller ));
if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0,
NULL, 0, ""))) {
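Review bot: the anonymous fallback is logged at DEBUG level 10, so at normal log levels nothing records that an authenticated session setup was abandoned in favour of an anonymous one. Since the existing comment already says this "might fail later", a lower level would make the downgrade visible when diagnosing failures against the DC named in `controller`.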
@@ -1900,6 +1903,10 @@ static bool cm_get_schannel_dcinfo(struct winbindd_domain *domain,
/* Return a pointer to the struct dcinfo from the
netlogon pipe. */
+ if (!domain->conn.netlogon_pipe->dc) {
+ return false;
+ }
+
*ppdc = domain->conn.netlogon_pipe->dc;
return True;
}
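Review bot: the new early exit uses `return false;` while the success path two lines below uses `return True;`; pick one spelling within the function. The NULL `dc` case is also silent, and a DEBUG line naming the domain would help, given that the commit message identifies this NULL return as part of the crash. The guard dereferences `domain->conn.netlogon_pipe` without testing it; if the earlier part of the function, which is not shown here, does not guarantee it is non-NULL, test that as well.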
@@ -1926,6 +1933,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
goto done;
}
+
/*
* No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO authenticated
* sign and sealed pipe using the machine account password by
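Review bot: this hunk only adds a blank line before the comment block in cm_connect_sam(). Drop it from the change so the crash fix stays minimal and is easier to cherry-pick.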
--
Samba Shared Repository