[SCM] Samba Shared Repository - branch v3-2-stable updated -
release-3-2-0pre2-121-ge4fda2d4
Karolin Seeger
kseeger at samba.org
Wed Mar 19 17:01:07 GMT 2008
The branch, v3-2-stable has been updated
via e4fda2d44f7237f88a5fdb172d6aa008ff48b211 (commit)
via a19b800b736d8123214182aeee06c72b0fe7ce70 (commit)
via c5c907e8cf4c8f5d8f3256feea1ed7f46e131bac (commit)
via 9aeda996e8c73d900446709a9a5680ef587b8620 (commit)
from 8187ec8271d6e8864a5e8e734bb7e47316606e85 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-stable
- Log -----------------------------------------------------------------
commit e4fda2d44f7237f88a5fdb172d6aa008ff48b211
Author: Volker Lendecke <vl at samba.org>
Date: Wed Mar 19 17:04:50 2008 +0100
Fix a warning
(cherry picked from commit c40648ea4d7897c401a5a94703e586acfdaec13b)
commit a19b800b736d8123214182aeee06c72b0fe7ce70
Author: Volker Lendecke <vl at samba.org>
Date: Wed Mar 19 16:09:37 2008 +0100
Merge dd9e0bea31751 from 3-0-ctdb -- use NetSamLogonEx when possible
NetSamLogonEx has the advantage that it does not use the credential chain
(cherry picked from commit cfceb063f559f8549b8f24ce347be213c89303b0)
commit c5c907e8cf4c8f5d8f3256feea1ed7f46e131bac
Author: Volker Lendecke <vl at samba.org>
Date: Wed Mar 19 16:08:24 2008 +0100
Fix some "nexted extern" warnins
(cherry picked from commit 32fc759d942abb36d7dd351eff82925b6788dd28)
commit 9aeda996e8c73d900446709a9a5680ef587b8620
Author: Derrell Lipman <derrell.lipman at unwireduniverse.com>
Date: Mon Mar 17 11:34:25 2008 -0400
Fix use of AuthDataWithContext capability
During my initial plans for, and the subsequent discussion of a more
significant change to the API for libsmbclient, I had removed the
AuthDataWithContext usage, in favor of a more generalized planned interface.
When the API returned to its original state, I neglected to reinsert this
code.
Use of an authentication function with the context can be tested using
examples/libsmbclient/testbrowse -C
Derrell
(cherry picked from commit 38eab68dfb2d8abe8ad00f5a86fc54c778d0d303)
-----------------------------------------------------------------------
Summary of changes:
source/libsmb/libsmb_context.c | 3 +-
source/libsmb/libsmb_server.c | 22 +++++++--
source/rpc_parse/parse_buffer.c | 2 +-
source/winbindd/winbindd.h | 8 +++
source/winbindd/winbindd_cm.c | 10 ++++
source/winbindd/winbindd_ndr.c | 16 +++---
source/winbindd/winbindd_pam.c | 95 +++++++++++++++++++++++++++++---------
7 files changed, 119 insertions(+), 37 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/libsmb/libsmb_context.c b/source/libsmb/libsmb_context.c
index c04f751..5869b8b 100644
--- a/source/libsmb/libsmb_context.c
+++ b/source/libsmb/libsmb_context.c
@@ -422,7 +422,8 @@ smbc_init_context(SMBCCTX *context)
return NULL;
}
- if (!smbc_getFunctionAuthData(context) ||
+ if ((!smbc_getFunctionAuthData(context) &&
+ !smbc_getFunctionAuthDataWithContext(context)) ||
smbc_getDebug(context) < 0 ||
smbc_getDebug(context) > 100) {
diff --git a/source/libsmb/libsmb_server.c b/source/libsmb/libsmb_server.c
index 37612c6..7af5ca3 100644
--- a/source/libsmb/libsmb_server.c
+++ b/source/libsmb/libsmb_server.c
@@ -101,15 +101,29 @@ SMBC_call_auth_fn(TALLOC_CTX *ctx,
fstring workgroup;
fstring username;
fstring password;
+ smbc_get_auth_data_with_context_fn auth_with_context_fn;
strlcpy(workgroup, *pp_workgroup, sizeof(workgroup));
strlcpy(username, *pp_username, sizeof(username));
strlcpy(password, *pp_password, sizeof(password));
- smbc_getFunctionAuthData(context)(server, share,
- workgroup, sizeof(workgroup),
- username, sizeof(username),
- password, sizeof(password));
+ /* See if there's an authentication with context function provided */
+ auth_with_context_fn = smbc_getFunctionAuthDataWithContext(context);
+ if (auth_with_context_fn)
+ {
+ (* auth_with_context_fn)(context,
+ server, share,
+ workgroup, sizeof(workgroup),
+ username, sizeof(username),
+ password, sizeof(password));
+ }
+ else
+ {
+ smbc_getFunctionAuthData(context)(server, share,
+ workgroup, sizeof(workgroup),
+ username, sizeof(username),
+ password, sizeof(password));
+ }
TALLOC_FREE(*pp_workgroup);
TALLOC_FREE(*pp_username);
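Review bot: The `else` branch calls the result of `smbc_getFunctionAuthData(context)` without testing it, while the companion change to smbc_init_context now accepts a context in which only the with-context callback is set. If either callback can be cleared after initialisation (the setters are not visible here), this branch would call through a NULL pointer in the middle of credential handling. Fetching the plain callback into a local first and guarding the call, e.g. `else if (auth_fn != NULL)`, would leave the copied workgroup, username and password unchanged instead of crashing. SMBC_call_auth_fn begins and ends outside this hunk.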
diff --git a/source/rpc_parse/parse_buffer.c b/source/rpc_parse/parse_buffer.c
index 9a68e54..bb39a58 100644
--- a/source/rpc_parse/parse_buffer.c
+++ b/source/rpc_parse/parse_buffer.c
@@ -37,7 +37,7 @@ void rpcbuf_init(RPC_BUFFER *buffer, uint32 size, TALLOC_CTX *ctx)
if (prs_init(&buffer->prs, size, ctx, MARSHALL))
buffer->struct_start = prs_offset(&buffer->prs);
else
- buffer->struct_start = NULL;
+ buffer->struct_start = 0;
}
/*******************************************************************
diff --git a/source/winbindd/winbindd.h b/source/winbindd/winbindd.h
index b812d69..0840e58 100644
--- a/source/winbindd/winbindd.h
+++ b/source/winbindd/winbindd.h
@@ -176,6 +176,14 @@ struct winbindd_domain {
time_t startup_time; /* When we set "startup" true. */
bool startup; /* are we in the first 30 seconds after startup_time ? */
+ bool can_do_samlogon_ex; /* Due to the lack of finer control what type
+ * of DC we have, let us try to do a
+ * credential-chain less samlogon_ex call
+ * with AD and schannel. If this fails with
+ * DCERPC_FAULT_OP_RNG_ERROR, then set this
+ * to False. This variable is around so that
+ * we don't have to try _ex every time. */
+
/* Lookup methods for this domain (LDAP or RPC) */
struct winbindd_methods *methods;
diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
index 072b4ee..c715ac0 100644
--- a/source/winbindd/winbindd_cm.c
+++ b/source/winbindd/winbindd_cm.c
@@ -2403,6 +2403,11 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
no_schannel:
if ((lp_client_schannel() == False) ||
((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+ /*
+ * NetSamLogonEx only works for schannel
+ */
+ domain->can_do_samlogon_ex = False;
+
/* We're done - just keep the existing connection to NETLOGON
* open */
conn->netlogon_pipe = netlogon_pipe;
@@ -2434,6 +2439,11 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
}
+ /*
+ * Try NetSamLogonEx for AD domains
+ */
+ domain->can_do_samlogon_ex = domain->active_directory;
+
*cli = conn->netlogon_pipe;
return NT_STATUS_OK;
}
diff --git a/source/winbindd/winbindd_ndr.c b/source/winbindd/winbindd_ndr.c
index 842c915..9d1502a 100644
--- a/source/winbindd/winbindd_ndr.c
+++ b/source/winbindd/winbindd_ndr.c
@@ -70,18 +70,18 @@ void ndr_print_winbindd_cm_conn(struct ndr_print *ndr,
/****************************************************************
****************************************************************/
+#ifdef HAVE_ADS
+extern struct winbindd_methods ads_methods;
+#endif
+extern struct winbindd_methods msrpc_methods;
+extern struct winbindd_methods passdb_methods;
+extern struct winbindd_methods reconnect_methods;
+extern struct winbindd_methods cache_methods;
+
void ndr_print_winbindd_methods(struct ndr_print *ndr,
const char *name,
const struct winbindd_methods *r)
{
-#ifdef HAVE_ADS
- extern struct winbindd_methods ads_methods;
-#endif
- extern struct winbindd_methods msrpc_methods;
- extern struct winbindd_methods passdb_methods;
- extern struct winbindd_methods reconnect_methods;
- extern struct winbindd_methods cache_methods;
-
ndr_print_struct(ndr, name, "winbindd_methods");
ndr->depth++;
diff --git a/source/winbindd/winbindd_pam.c b/source/winbindd/winbindd_pam.c
index ef5a312..c56eb1b 100644
--- a/source/winbindd/winbindd_pam.c
+++ b/source/winbindd/winbindd_pam.c
@@ -1283,6 +1283,17 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
/* check authentication loop */
do {
+ NTSTATUS (*logon_fn)(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ uint32 logon_parameters,
+ const char *server,
+ const char *username,
+ const char *domain,
+ const char *workstation,
+ const uint8 chal[8],
+ DATA_BLOB lm_response,
+ DATA_BLOB nt_response,
+ struct netr_SamInfo3 **info3);
ZERO_STRUCTP(my_info3);
retry = False;
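Review bot: The eleven-line function-pointer declaration for `logon_fn` is written out in full inside this loop and again in the winbindd_dual_pam_auth_crap hunk, so the two copies can drift apart if the signature of rpccli_netlogon_sam_network_logon ever changes. A single file-scope typedef, for example `typedef NTSTATUS (*netlogon_logon_fn_t)(...);` carrying the same parameter list, with `netlogon_logon_fn_t logon_fn;` in each loop, would keep both call sites tied to one declaration. The name is only a suggestion; the loop body continues outside this hunk.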
@@ -1294,19 +1305,32 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
goto done;
}
- result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
- state->mem_ctx,
- 0,
- contact_domain->dcname, /* server name */
- name_user, /* user name */
- name_domain, /* target domain */
- global_myname(), /* workstation */
- chal,
- lm_resp,
- nt_resp,
- &my_info3);
+ logon_fn = contact_domain->can_do_samlogon_ex
+ ? rpccli_netlogon_sam_network_logon_ex
+ : rpccli_netlogon_sam_network_logon;
+
+ result = logon_fn(netlogon_pipe,
+ state->mem_ctx,
+ 0,
+ contact_domain->dcname, /* server name */
+ name_user, /* user name */
+ name_domain, /* target domain */
+ global_myname(), /* workstation */
+ chal,
+ lm_resp,
+ nt_resp,
+ &my_info3);
attempts += 1;
+ if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
+ && contact_domain->can_do_samlogon_ex) {
+ DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
+ "retrying with NetSamLogon\n"));
+ contact_domain->can_do_samlogon_ex = False;
+ retry = True;
+ continue;
+ }
+
/* We have to try a second time as cm_connect_netlogon
might not yet have noticed that the DC has killed
our connection. */
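Review bot: `attempts += 1;` runs before the new NetSamLogonEx fallback check here, so the fallback retry is charged against the attempt counter, whereas in the winbindd_dual_pam_auth_crap hunk the same check sits before `attempts += 1;` and is not. If the loop condition (outside this hunk) caps the number of attempts, a fallback in this function may leave no retry for the stale-connection case described in the comment that follows. Moving `attempts += 1;` below the fallback block would make the two authentication paths behave the same way.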
@@ -1804,6 +1828,18 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
}
do {
+ NTSTATUS (*logon_fn)(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ uint32 logon_parameters,
+ const char *server,
+ const char *username,
+ const char *domain,
+ const char *workstation,
+ const uint8 chal[8],
+ DATA_BLOB lm_response,
+ DATA_BLOB nt_response,
+ struct netr_SamInfo3 **info3);
+
retry = False;
netlogon_pipe = NULL;
@@ -1815,18 +1851,31 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
goto done;
}
- result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
- state->mem_ctx,
- state->request.data.auth_crap.logon_parameters,
- contact_domain->dcname,
- name_user,
- name_domain,
- /* Bug #3248 - found by Stefan Burkei. */
- workstation, /* We carefully set this above so use it... */
- state->request.data.auth_crap.chal,
- lm_resp,
- nt_resp,
- &info3);
+ logon_fn = contact_domain->can_do_samlogon_ex
+ ? rpccli_netlogon_sam_network_logon_ex
+ : rpccli_netlogon_sam_network_logon;
+
+ result = logon_fn(netlogon_pipe,
+ state->mem_ctx,
+ state->request.data.auth_crap.logon_parameters,
+ contact_domain->dcname,
+ name_user,
+ name_domain,
+ /* Bug #3248 - found by Stefan Burkei. */
+ workstation, /* We carefully set this above so use it... */
+ state->request.data.auth_crap.chal,
+ lm_resp,
+ nt_resp,
+ &info3);
+
+ if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
+ && contact_domain->can_do_samlogon_ex) {
+ DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
+ "retrying with NetSamLogon\n"));
+ contact_domain->can_do_samlogon_ex = False;
+ retry = True;
+ continue;
+ }
attempts += 1;
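Review bot: The fallback message `"Got a DC that can not do NetSamLogonEx, retrying with NetSamLogon\n"` does not say which domain controller returned DCERPC_FAULT_OP_RNG_ERROR, and the same text is used in the winbindd_dual_pam_auth_samlogon hunk. Since this branch clears `can_do_samlogon_ex` and moves authentication back to the credential-chain call on the strength of a single fault code, an operator reading the log should be able to tell which server caused it. Something like `DEBUG(3, ("DC %s can not do NetSamLogonEx, retrying with NetSamLogon\n", contact_domain->dcname));` would do, as `contact_domain->dcname` is already passed to the logon call above.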
--
Samba Shared Repository