[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-308-gcfceb06

Volker Lendecke vlendec at samba.org
Wed Mar 19 16:02:01 GMT 2008


The branch, v3-2-test has been updated
       via  cfceb063f559f8549b8f24ce347be213c89303b0 (commit)
       via  32fc759d942abb36d7dd351eff82925b6788dd28 (commit)
      from  5ec2dbd144a3bbfdb14deafd158bad48b2d41ca4 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -----------------------------------------------------------------
commit cfceb063f559f8549b8f24ce347be213c89303b0
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Mar 19 16:09:37 2008 +0100

    Merge dd9e0bea31751 from 3-0-ctdb -- use NetSamLogonEx when possible
    
    NetSamLogonEx has the advantage that it does not use the credential chain

commit 32fc759d942abb36d7dd351eff82925b6788dd28
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Mar 19 16:08:24 2008 +0100

    Fix some "nested extern" warnings

-----------------------------------------------------------------------

Summary of changes:
 source/winbindd/winbindd.h     |    8 +++
 source/winbindd/winbindd_cm.c  |   10 ++++
 source/winbindd/winbindd_ndr.c |   16 +++---
 source/winbindd/winbindd_pam.c |   95 ++++++++++++++++++++++++++++++----------
 4 files changed, 98 insertions(+), 31 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/winbindd/winbindd.h b/source/winbindd/winbindd.h
index b812d69..0840e58 100644
--- a/source/winbindd/winbindd.h
+++ b/source/winbindd/winbindd.h
@@ -176,6 +176,14 @@ struct winbindd_domain {
 	time_t startup_time;		       /* When we set "startup" true. */
 	bool startup;                          /* are we in the first 30 seconds after startup_time ? */
 
+	bool can_do_samlogon_ex; /* Due to the lack of finer control what type
+				  * of DC we have, let us try to do a
+				  * credential-chain less samlogon_ex call
+				  * with AD and schannel. If this fails with
+				  * DCERPC_FAULT_OP_RNG_ERROR, then set this
+				  * to False. This variable is around so that
+				  * we don't have to try _ex every time. */
+
 	/* Lookup methods for this domain (LDAP or RPC) */
 	struct winbindd_methods *methods;
 
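Review bot: The comment on the new `can_do_samlogon_ex` field says when it is cleared but not where it gets its initial value, so a reader of this header cannot tell whether the flag is valid before the first NETLOGON connection is made. I would append a sentence to it: `Set by cm_connect_netlogon() on each (re)connect (False without schannel, otherwise domain->active_directory) and cleared by the samlogon callers on DCERPC_FAULT_OP_RNG_ERROR.` The enclosing struct winbindd_domain continues outside the hunk.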
diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index 072b4ee..c715ac0 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -2403,6 +2403,11 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
  no_schannel:
 	if ((lp_client_schannel() == False) ||
 			((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+		/*
+		 * NetSamLogonEx only works for schannel
+		 */
+		domain->can_do_samlogon_ex = False;
+
 		/* We're done - just keep the existing connection to NETLOGON
 		 * open */
 		conn->netlogon_pipe = netlogon_pipe;
@@ -2434,6 +2439,11 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 		return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
 	}
 
+	/*
+	 * Try NetSamLogonEx for AD domains
+	 */
+	domain->can_do_samlogon_ex = domain->active_directory;
+
 	*cli = conn->netlogon_pipe;
 	return NT_STATUS_OK;
 }
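Review bot: `domain->can_do_samlogon_ex = domain->active_directory;` at the end of the schannel path overwrites a False that the samlogon callers learned from a DCERPC_FAULT_OP_RNG_ERROR, so every reconnect that re-establishes schannel pays one more failing NetSamLogonEx round trip before falling back. That is probably intended, since a reconnect can land on a different DC, but the comment above the assignment does not say so; I would change it to `/* Try NetSamLogonEx for AD domains; a DC that faults with OP_RNG_ERROR clears this again, and a reconnect deliberately resets it */`. Whether an early return for an already-open connection skips this assignment cannot be seen here, as cm_connect_netlogon starts before the hunk.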
diff --git a/source/winbindd/winbindd_ndr.c b/source/winbindd/winbindd_ndr.c
index 842c915..9d1502a 100644
--- a/source/winbindd/winbindd_ndr.c
+++ b/source/winbindd/winbindd_ndr.c
@@ -70,18 +70,18 @@ void ndr_print_winbindd_cm_conn(struct ndr_print *ndr,
 /****************************************************************
 ****************************************************************/
 
+#ifdef HAVE_ADS
+extern struct winbindd_methods ads_methods;
+#endif
+extern struct winbindd_methods msrpc_methods;
+extern struct winbindd_methods passdb_methods;
+extern struct winbindd_methods reconnect_methods;
+extern struct winbindd_methods cache_methods;
+
 void ndr_print_winbindd_methods(struct ndr_print *ndr,
 				const char *name,
 				const struct winbindd_methods *r)
 {
-#ifdef HAVE_ADS
-	extern struct winbindd_methods ads_methods;
-#endif
-	extern struct winbindd_methods msrpc_methods;
-	extern struct winbindd_methods passdb_methods;
-	extern struct winbindd_methods reconnect_methods;
-	extern struct winbindd_methods cache_methods;
-
 	ndr_print_struct(ndr, name, "winbindd_methods");
 	ndr->depth++;
 
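Review bot: The five `extern struct winbindd_methods` declarations moved to file scope duplicate whatever declaration exists in the translation units that define those objects, and nothing checks that the two agree. Declaring them once in a shared header and including it here would let the compiler check each definition against the declaration, which a per-file extern cannot do; the warning fix itself is fine. ndr_print_winbindd_methods continues past the hunk.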
diff --git a/source/winbindd/winbindd_pam.c b/source/winbindd/winbindd_pam.c
index ef5a312..c56eb1b 100644
--- a/source/winbindd/winbindd_pam.c
+++ b/source/winbindd/winbindd_pam.c
@@ -1283,6 +1283,17 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
 	/* check authentication loop */
 
 	do {
+		NTSTATUS (*logon_fn)(struct rpc_pipe_client *cli,
+				     TALLOC_CTX *mem_ctx,
+				     uint32 logon_parameters,
+				     const char *server,
+				     const char *username,
+				     const char *domain,
+				     const char *workstation,
+				     const uint8 chal[8],
+				     DATA_BLOB lm_response,
+				     DATA_BLOB nt_response,
+				     struct netr_SamInfo3 **info3);
 
 		ZERO_STRUCTP(my_info3);
 		retry = False;
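Review bot: The eleven-line function-pointer declaration for `logon_fn` is repeated verbatim in the winbindd_dual_pam_auth_crap hunk later in this file, so a change to the rpccli_netlogon_sam_network_logon signature must now be kept in step in three places. A file-scope typedef with the same parameter list, used as `samlogon_fn_t logon_fn;` in both loops, would let the compiler report a mismatch once and shorten both loop bodies. The do loop body continues outside the hunk.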
@@ -1294,19 +1305,32 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
 			goto done;
 		}
 
-		result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
-							   state->mem_ctx,
-							   0,
-							   contact_domain->dcname, /* server name */
-							   name_user,              /* user name */
-							   name_domain,            /* target domain */
-							   global_myname(),        /* workstation */
-							   chal,
-							   lm_resp,
-							   nt_resp,
-							   &my_info3);
+		logon_fn = contact_domain->can_do_samlogon_ex
+			? rpccli_netlogon_sam_network_logon_ex
+			: rpccli_netlogon_sam_network_logon;
+
+		result = logon_fn(netlogon_pipe,
+				  state->mem_ctx,
+				  0,
+				  contact_domain->dcname, /* server name */
+				  name_user,              /* user name */
+				  name_domain,            /* target domain */
+				  global_myname(),        /* workstation */
+				  chal,
+				  lm_resp,
+				  nt_resp,
+				  &my_info3);
 		attempts += 1;
 
+		if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
+		    && contact_domain->can_do_samlogon_ex) {
+			DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
+				  "retrying with NetSamLogon\n"));
+			contact_domain->can_do_samlogon_ex = False;
+			retry = True;
+			continue;
+		}
+
 		/* We have to try a second time as cm_connect_netlogon
 		   might not yet have noticed that the DC has killed
 		   our connection. */
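Review bot: `attempts += 1;` runs before the new DCERPC_FAULT_OP_RNG_ERROR check, so the single NetSamLogonEx probe that faults is counted against the attempt limit, whereas the corresponding block in winbindd_dual_pam_auth_crap increments `attempts` only after the check. If the loop condition (outside the hunk) caps attempts at two, an AD DC without NetSamLogonEx gets the credential-chain fallback and then no further retry should the DC have already dropped the connection, which the comment below the new block describes as a real case. Moving `attempts += 1;` to just below the `continue;` block would make both functions behave the same. winbindd_dual_pam_auth_samlogon continues outside the hunk.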
@@ -1804,6 +1828,18 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 	}
 
 	do {
+		NTSTATUS (*logon_fn)(struct rpc_pipe_client *cli,
+				     TALLOC_CTX *mem_ctx,
+				     uint32 logon_parameters,
+				     const char *server,
+				     const char *username,
+				     const char *domain,
+				     const char *workstation,
+				     const uint8 chal[8],
+				     DATA_BLOB lm_response,
+				     DATA_BLOB nt_response,
+				     struct netr_SamInfo3 **info3);
+
 		retry = False;
 
 		netlogon_pipe = NULL;
@@ -1815,18 +1851,31 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 			goto done;
 		}
 
-		result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
-							   state->mem_ctx,
-							   state->request.data.auth_crap.logon_parameters,
-							   contact_domain->dcname,
-							   name_user,
-							   name_domain, 
-									/* Bug #3248 - found by Stefan Burkei. */
-							   workstation, /* We carefully set this above so use it... */
-							   state->request.data.auth_crap.chal,
-							   lm_resp,
-							   nt_resp,
-							   &info3);
+		logon_fn = contact_domain->can_do_samlogon_ex
+			? rpccli_netlogon_sam_network_logon_ex
+			: rpccli_netlogon_sam_network_logon;
+
+		result = logon_fn(netlogon_pipe,
+				  state->mem_ctx,
+				  state->request.data.auth_crap.logon_parameters,
+				  contact_domain->dcname,
+				  name_user,
+				  name_domain, 
+				  /* Bug #3248 - found by Stefan Burkei. */
+				  workstation, /* We carefully set this above so use it... */
+				  state->request.data.auth_crap.chal,
+				  lm_resp,
+				  nt_resp,
+				  &info3);
+
+		if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
+		    && contact_domain->can_do_samlogon_ex) {
+			DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
+				  "retrying with NetSamLogon\n"));
+			contact_domain->can_do_samlogon_ex = False;
+			retry = True;
+			continue;
+		}
 
 		attempts += 1;
 
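Review bot: The rewritten argument line `name_domain, ` keeps a trailing space after the comma while the other arguments in the same call do not. Dropping it, `name_domain,`, keeps the re-indented call consistent and avoids a whitespace-only change later. The enclosing do loop continues outside the hunk.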

