[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Thu Dec 22 11:22:02 MST 2011


The branch, master has been updated
       via  6765e7c s3-netlogon: use dsgetdcname() instead of get_dc_name()
       via  1c8f326 s3-netlogon: Add support to authenticate trusted domains.
       via  2f5e9aa s4-torture: Test rpc schannel netr_LogonGetCapability.
       via  00d0b4d s3-rpc_server: Pass in our flags to netlogon_creds_server_init().
       via  9c00d04 s3-netlogon: Add support for LogonGetCapabilities.
       via  a7541fc s4-librpc: Fix netlogon schannel client connect.
      from  32317b0 s3:torture/test_smb2: also try PROTOCOL_SMB2_24

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 6765e7c2a6618be8fa2ddcb93800ef32c3f54830
Author: Sumit Bose <sbose at redhat.com>
Date:   Thu Nov 24 12:22:57 2011 -0500

    s3-netlogon: use dsgetdcname() instead of get_dc_name()
    
    Sometimes the domain parameter might not contain the NetBIOS name of the remote
    domain but the DNS name.
    
    Autobuild-User: Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date: Thu Dec 22 19:21:21 CET 2011 on sn-devel-104

commit 1c8f326dc6367969852d0ac30887428345be9d7d
Author: Sumit Bose <sbose at redhat.com>
Date:   Tue Nov 22 08:02:20 2011 -0500

    s3-netlogon: Add support to authenticate trusted domains.

commit 2f5e9aae860b55203c3efd2e558cd27e00f734ed
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Sep 19 21:14:17 2009 +0200

    s4-torture: Test rpc schannel netr_LogonGetCapability.
    
    metze

commit 00d0b4d6d0e60f9bdb80404dbaab9e49af77236b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Sep 29 09:16:13 2009 +0200

    s3-rpc_server: Pass in our flags to netlogon_creds_server_init().
    
    metze

commit 9c00d04ac1b8c54b88167f6cc32ac70ea0b2817c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Sep 19 21:07:20 2009 +0200

    s3-netlogon: Add support for LogonGetCapabilities.
    
    This is also needed to support AES.
    
    metze

commit a7541fc27ec9fd880ce8f13e9c04bec105c5435e
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Dec 22 16:32:31 2011 +0100

    s4-librpc: Fix netlogon schannel client connect.
    
    As a client we request as many flags as possible. The server checks
    which flags it supports and returns the same negotiation flags or less.
    So we need to store the negotiate flags from the server. We need them
    later if we have to call netr_LogonGetCapabilities.

-----------------------------------------------------------------------

Summary of changes:
 source3/rpc_server/netlogon/srv_netlog_nt.c |   46 +++++++++++++++++++++--
 source4/librpc/rpc/dcerpc_schannel.c        |    2 +
 source4/torture/rpc/netlogon.c              |   54 +++++++++++++++++++++++++++
 source4/torture/rpc/schannel.c              |    8 ++++
 4 files changed, 106 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 05651aa..fdbe937 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -185,6 +185,8 @@ WERROR _netr_LogonControl2Ex(struct pipes_struct *p,
 	struct netr_NETLOGON_INFO_4 *info4;
 	const char *fn;
 	uint32_t acct_ctrl;
+	NTSTATUS status;
+	struct netr_DsRGetDCNameInfo *dc_info;
 
 	switch (p->opnum) {
 	case NDR_NETR_LOGONCONTROL:
@@ -303,12 +305,15 @@ WERROR _netr_LogonControl2Ex(struct pipes_struct *p,
 			break;
 		}
 
-		if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
+		status = dsgetdcname(p->mem_ctx, p->msg_ctx, domain, NULL, NULL,
+				     DS_FORCE_REDISCOVERY | DS_RETURN_FLAT_NAME,
+				     &dc_info);
+		if (!NT_STATUS_IS_OK(status)) {
 			tc_status = WERR_NO_LOGON_SERVERS;
 			break;
 		}
 
-		dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
+		dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_info->dc_unc);
 		if (!dc_name) {
 			return WERR_NOMEM;
 		}
@@ -907,6 +912,19 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
 		srv_flgs |= NETLOGON_NEG_SCHANNEL;
 	}
 
+	/*
+	 * Support authenticaten of trusted domains.
+	 *
+	 * These flags are the minimum required set which works with win2k3
+	 * and win2k8.
+	 */
+	if (pdb_capabilities() & PDB_CAP_TRUSTED_DOMAINS_EX) {
+		srv_flgs |= NETLOGON_NEG_TRANSITIVE_TRUSTS |
+			    NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
+			    NETLOGON_NEG_CROSS_FOREST_TRUSTS |
+			    NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
+	}
+
 	switch (p->opnum) {
 		case NDR_NETR_SERVERAUTHENTICATE:
 			fn = "_netr_ServerAuthenticate";
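Review bot: The comment opening the new block misspells "authenticaten"; it should read `Support authentication of trusted domains.`. Beyond that, the four NETLOGON_NEG_*_TRUSTS flags are ORed into srv_flgs based solely on pdb_capabilities(), without reference to `*r->in.negotiate_flags`, so a client that never asked for them is told they were negotiated; unless srv_flgs is masked against the client's request elsewhere (that code is outside the hunk), `srv_flgs |= *r->in.negotiate_flags & (NETLOGON_NEG_TRANSITIVE_TRUSTS | NETLOGON_NEG_DNS_DOMAIN_TRUSTS | NETLOGON_NEG_CROSS_FOREST_TRUSTS | NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION);` keeps the result a true intersection. This matters more with the next hunk, which now hands srv_flgs rather than the client's flags to netlogon_creds_server_check(), making srv_flgs the recorded negotiation result that _netr_LogonGetCapabilities later reports. _netr_ServerAuthenticate3 starts and ends outside the hunk.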
@@ -966,7 +984,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
 					   &mach_pwd,
 					   r->in.credentials,
 					   r->out.return_credentials,
-					   *r->in.negotiate_flags);
+					   srv_flgs);
 	if (!creds) {
 		DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
 			"request from client %s machine account %s\n",
@@ -2032,7 +2050,27 @@ WERROR _netr_DsRGetDCName(struct pipes_struct *p,
 NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
 				    struct netr_LogonGetCapabilities *r)
 {
-	return NT_STATUS_NOT_IMPLEMENTED;
+	struct netlogon_creds_CredentialState *creds;
+	NTSTATUS status;
+
+	become_root();
+	status = netr_creds_server_step_check(p, p->mem_ctx,
+					      r->in.computer_name,
+					      r->in.credential,
+					      r->out.return_authenticator,
+					      &creds);
+	unbecome_root();
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	if (r->in.query_level != 1) {
+		return NT_STATUS_NOT_SUPPORTED;
+	}
+
+	r->out.capabilities->server_capabilities = creds->negotiate_flags;
+
+	return NT_STATUS_OK;
 }
 
 /****************************************************************
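Review bot: _netr_LogonGetCapabilities runs netr_creds_server_step_check() before validating query_level, so a request with an unsupported level still advances the server-side credential chain and returns NT_STATUS_NOT_SUPPORTED together with a freshly computed return_authenticator. That ordering is defensible (nothing about supported levels leaks to an unauthenticated caller) but is not obvious and deserves a line above the `if (r->in.query_level != 1)` check, e.g. `/* Step check first: only an authenticated caller learns which query levels we support. */`. The handler also lacks the banner comment the neighbouring handlers in this file carry (see the `/****` line closing the hunk); a one-liner such as `/* Report the negotiate flags recorded at ServerAuthenticate time as the caller's server_capabilities (query_level 1 only). */` would document what is actually returned.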
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index 9501e3e..335c34c 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -245,6 +245,8 @@ static void continue_srv_auth2(struct tevent_req *subreq)
 		return;
 	}
 
+	s->creds->negotiate_flags = s->remote_negotiate_flags;
+
 	/* verify credentials */
 	if (!netlogon_creds_client_check(s->creds, s->a.out.return_credentials)) {
 		composite_error(c, NT_STATUS_UNSUCCESSFUL);
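Review bot: The new assignment adopts `s->remote_negotiate_flags` as the client's negotiate_flags without checking that the server's reply is a subset of what the client requested; nothing in this hunk rejects a reply that sets flags the client never asked for, or one that drops a flag the client depends on such as NETLOGON_NEG_SCHANNEL. If that validation does not happen where remote_negotiate_flags is filled in (outside the hunk), a guard before the assignment along the lines of `if (s->remote_negotiate_flags & ~<flags the client requested>) { composite_error(c, NT_STATUS_INVALID_PARAMETER); return; }` (placeholder for the locally requested flag set) closes the downgrade path. continue_srv_auth2 starts and ends outside the hunk.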
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 0fe594c..d60b2e3 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -885,6 +885,60 @@ bool test_netlogon_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
 }
 
 /*
+  try a netlogon GetCapabilities
+*/
+bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *tctx,
+				struct cli_credentials *credentials,
+				struct netlogon_creds_CredentialState *creds)
+{
+	NTSTATUS status;
+	struct netr_LogonGetCapabilities r;
+	union netr_Capabilities capabilities;
+	struct netr_Authenticator auth, return_auth;
+	struct netlogon_creds_CredentialState tmp_creds;
+	struct dcerpc_binding_handle *b = p->binding_handle;
+
+	r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
+	r.in.computer_name = cli_credentials_get_workstation(credentials);
+	r.in.credential = &auth;
+	r.in.return_authenticator = &return_auth;
+	r.in.query_level = 1;
+	r.out.capabilities = &capabilities;
+	r.out.return_authenticator = &return_auth;
+
+	torture_comment(tctx, "Testing LogonGetCapabilities\n");
+
+	ZERO_STRUCT(return_auth);
+
+	/*
+	 * we need to operate on a temporary copy of creds
+	 * because dcerpc_netr_LogonGetCapabilities was
+	 * dcerpc_netr_DummyFunction and returns NT_STATUS_NOT_IMPLEMENTED
+	 * without looking a the authenticator.
+	 */
+	tmp_creds = *creds;
+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
+	torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities failed");
+	if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
+		return true;
+	}
+
+	*creds = tmp_creds;
+
+	torture_assert(tctx, netlogon_creds_client_check(creds,
+							 &r.out.return_authenticator->cred),
+		       "Credential chaining failed");
+
+	torture_assert_int_equal(tctx, creds->negotiate_flags,
+				 capabilities.server_capabilities,
+				 "negotiate flags");
+
+	return true;
+}
+
+/*
   try a netlogon SamLogon
 */
 static bool test_SamLogon(struct torture_context *tctx, 
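Review bot: The early `return true` on NT_STATUS_NOT_IMPLEMENTED lets test_netlogon_capabilities pass silently against a server that still has the stub, so a regression back to it would go unnoticed; at least announce it, e.g. `torture_comment(tctx, "LogonGetCapabilities not implemented, skipping\n");` before the return, or use torture_skip if that fits the test's intent. The `talloc_asprintf` result assigned to r.in.server_name is not checked, unlike the rest of the setup. The comment above `tmp_creds = *creds;` has a typo ("looking a the authenticator") and explains the copy in terms of the old stub; rewording it as `the server may answer NT_STATUS_NOT_IMPLEMENTED without consuming the authenticator, so only commit the advanced creds once we know the call was processed` tells a future reader why the copy is still needed.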
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index dff9fe7..30b8a1d 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -312,6 +312,10 @@ static bool test_schannel(struct torture_context *tctx,
 	status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, tctx, &creds);
 	torture_assert_ntstatus_ok(tctx, status, "schannel creds");
 
+	/* checks the capabilities */
+	torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds),
+		       "Failed to process schannel secured capability ops (on fresh connection)");
+
 	/* do a couple of logins */
 	torture_assert(tctx, test_netlogon_ops(p_netlogon, tctx, credentials, creds),
 		"Failed to process schannel secured NETLOGON ops");
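Review bot: The failure message at the first new call site, "(on fresh connection)", is copied from the second site; this call runs on the initial p_netlogon pipe, which the sibling `test_netlogon_ops` assertion directly below describes without that suffix, so `"Failed to process schannel secured capability ops"` would be the accurate text here. Both new comments read `/* checks the capabilities */` while the surrounding comments use the imperative (`do a couple of logins`, `Try the ...`); `/* check the capabilities */` matches the file. The same comment wording applies to the second hunk of this file. test_schannel starts and ends outside the hunk.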
@@ -391,6 +395,10 @@ static bool test_schannel(struct torture_context *tctx,
 
 	torture_assert_ntstatus_ok(tctx, status, "auth failed");
 
+	/* checks the capabilities */
+	torture_assert(tctx, test_netlogon_capabilities(p_netlogon2, tctx, credentials, creds),
+		       "Failed to process schannel secured capability ops (on fresh connection)");
+
 	/* Try the schannel-only SamLogonEx operation */
 	torture_assert(tctx, test_netlogon_ex_ops(p_netlogon2, tctx, credentials, creds),
 		       "Failed to process schannel secured NETLOGON EX ops (on fresh connection)");



