[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Sat Jun 16 02:14:03 MDT 2012


The branch, master has been updated
       via  4edd8b8 s3-auth: Remove auth_netlogond
       via  9c715da s3-passdb: Remove pdb_ads
       via  d949736 s4-classicupgrade: Also ask testparm for 'smb passwd file'
       via  a0a2f79 WHATSNEW: Bump the version and announce the s3fs default
       via  d9f7195 s4-classicupgrade: Use "samba classic" description for samba3 NT4-like domains in samba3upgrade
       via  39766b7 s4-lib/param: FLAG DAY for the default FILE SERVER
       via  b58dc18 s4-s3upgrade: Assert that administrator has a SID of -500, and only skip root if it is -500
       via  61f7f01 s4-s3upgrade: Add my wins.dat and fix the parsing error
       via  d0b60f0 s4-s3upgrade: improve idmap import to use posixAccount and posixGroup entries
       via  3c65bac s4-idmap: Add mapping using uidNumber and gidNumber like idmap_ad
      from  bbb7cbf Same fix as bug 8989 - Samba 3.5.x (and probably all other versions of Samba) does not send correct responses to NT Transact Secondary when no data and no params

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4edd8b891a90a89a84fbfa3636cc568d247b04b2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Jun 3 10:56:46 2012 +1000

    s3-auth: Remove auth_netlogond
    
    auth_netlogond was an important module in the development of the
    combined Samba 4.0, and was the first module to link smbd with the AD
    authentication store, showing that it was possible for NTLM
    authentication to be offloaded to the AD server components.
    
    We now have auth_samba4, which provides the full GENSEC stack to smbd,
    which also matches exactly the group membership and privileges
    assignment and which is supported and tested as part of the official
    Samba 4.0 release configuration.
    
    Andrew Bartlett
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Sat Jun 16 10:13:20 CEST 2012 on sn-devel-104

commit 9c715da1cbc256b9ae9298618c92807592607c9b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Jun 3 10:54:06 2012 +1000

    s3-passdb: Remove pdb_ads
    
    pdb_ads was an important module in the development of the combined Samba 4.0, and
    was the first module to show that standard samba3 tools such as smbpasswd can be
    made to operate on the sam.ldb.
    
    We now have pdb_samba4, which operates directly on the sam.ldb, rather than via
    ldapi://, which uses transactions and which is supported and tested as part
    of the official Samba 4.0 release configuration.
    
    This module is not as complete (for example, it does not honour the idmap
    configuration) and requires that the samba binary be running to operate.
    
    Andrew Bartlett

commit d949736f8dc02eec180723a55f4604b7b3aa83d8
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Jun 16 15:34:50 2012 +1000

    s4-classicupgrade: Also ask testparm for 'smb passwd file'

commit a0a2f7999e20ab64dcbfca8299dbf0adfba0dea3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Jun 16 13:12:50 2012 +1000

    WHATSNEW: Bump the version and announce the s3fs default

commit d9f7195a1f5a12d5dc8865aa5553b61a4f770e3d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Jun 16 13:06:44 2012 +1000

    s4-classicupgrade: Use "samba classic" description for samba3 NT4-like domains in samba3upgrade

commit 39766b75a40fbab73fc23dd947de44f8349ed466
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Jun 16 12:54:12 2012 +1000

    s4-lib/param: FLAG DAY for the default FILE SERVER
    
    This commit changes the default file server to be s3fs.  Existing
    installs wishing to keep the ntvfs file server need to set this in
    their smb.conf:
    
    server services = +smb -s3fs
    dcerpc endpoint services = +winreg +srvsvc
    
    Andrew Bartlett
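
The recipe in the commit above relies on Samba's "+item"/"-item" list syntax being applied on top of the new built-in defaults, and on the second parameter being spelled the way lib/param/loadparm.c registers it (`dcerpc endpoint servers`). The following is an added example, not Samba code: it takes the two default lists from the loadparm.c hunk in this push, applies an smb.conf override to them, and flags the two ways an ntvfs "keep" configuration goes wrong (a misspelled parameter name, and `smb` enabled without `winreg`/`srvsvc`). The `+`/`-` semantics implemented here are this example's reading of loadparm and the sample configurations are constructed.

```python
import re

# Built-in defaults after this commit, copied from the lib/param/loadparm.c
# hunk in this push.
DEFAULTS = {
    "server services": (
        "s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate"
    ).split(),
    "dcerpc endpoint servers": (
        "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup "
        "unixinfo browser eventlog6 backupkey dnsserver"
    ).split(),
}


def canonical(name):
    """Normalise a parameter name as Samba does: case-insensitive, whitespace collapsed."""
    return " ".join(name.lower().split())


def parse_globals(text):
    """Return the [global] parameters of an smb.conf-style text as a dict."""
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[canonical(name)] = value.strip()
    return params


def apply_list_value(default, value):
    """Apply a list-parameter value to its default.

    Assumed semantics (this example's reading of Samba's loadparm): "+x" appends
    x if absent, "-x" removes it, and a value whose first token carries no
    prefix replaces the whole default; mixing the two forms is rejected.
    """
    tokens = value.split()
    if not tokens:
        return []
    if tokens[0][0] not in "+-":
        if any(t[0] in "+-" for t in tokens[1:]):
            raise ValueError(f"unsupported list syntax: {value!r}")
        return tokens
    result = list(default)
    for tok in tokens:
        if tok.startswith("+") and len(tok) > 1:
            if tok[1:] not in result:
                result.append(tok[1:])
        elif tok.startswith("-") and len(tok) > 1:
            result = [x for x in result if x != tok[1:]]
        else:
            raise ValueError(f"unsupported list syntax: {value!r}")
    return result


def effective_services(params):
    """Effective lists after applying the parsed [global] overrides to DEFAULTS."""
    return {
        name: apply_list_value(default, params[name]) if name in params else list(default)
        for name, default in DEFAULTS.items()
    }


def check_ntvfs_keep(text):
    """Findings for an install that intends to keep the ntvfs file server."""
    params = parse_globals(text)
    findings = []
    for name in params:
        if name.startswith("dcerpc endpoint") and name not in DEFAULTS:
            findings.append(f"unknown parameter '{name}'; the parameter is 'dcerpc endpoint servers'")
    eff = effective_services(params)
    services = eff["server services"]
    if "smb" in services and "s3fs" in services:
        # the commit's recipe is '+smb -s3fs': running both file servers is
        # not what the recipe intends (assumption of this example)
        findings.append("both 'smb' (ntvfs) and 's3fs' enabled; use '+smb -s3fs'")
    if "smb" in services:
        for ep in ("winreg", "srvsvc"):
            if ep not in eff["dcerpc endpoint servers"]:
                findings.append(f"ntvfs enabled but '{ep}' is missing from 'dcerpc endpoint servers'")
    return findings


# Constructed sample configurations (not from any real install).
KEEP_NTVFS_OK = """
[global]
    server services = +smb -s3fs
    dcerpc endpoint servers = +winreg +srvsvc
"""

# Same intent, with the parameter name spelled 'services': nothing is added.
KEEP_NTVFS_TYPO = """
[global]
    server services = +smb -s3fs
    dcerpc endpoint services = +winreg +srvsvc
"""

if __name__ == "__main__":
    for label, cfg in (("ok", KEEP_NTVFS_OK), ("typo", KEEP_NTVFS_TYPO)):
        print(label, effective_services(parse_globals(cfg)), check_ntvfs_keep(cfg))
```

The second sample shows why the spelling matters: a parameter Samba does not know contributes nothing to the effective list, so the ntvfs server comes up without the winreg and srvsvc endpoints it needs.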

commit b58dc1826e69c61a30d38b05e7f451404670baef
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Jun 16 14:19:42 2012 +1000

    s4-s3upgrade: Assert that administrator has a SID of -500, and only skip root if it is -500
    
    Many upgraded installations have root as -1000, and so that account needs to be kept.
    
    Andrew Bartlett

commit 61f7f0155465b14612f7ac29a12c442ff25031b4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Jun 16 13:58:06 2012 +1000

    s4-s3upgrade: Add my wins.dat and fix the parsing error
    
    The issue was that the numbers at the end of the lines are space
    padded.
    
    Andrew Bartlett

commit d0b60f02dd3c324d4c990dae7334b228dddba075
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Jun 10 20:42:25 2012 +1000

    s4-s3upgrade: improve idmap import to use posixAccount and posixGroup entries

commit 3c65bac0b6fc104f4bdf86beed775d13da00aaab
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Jun 10 15:52:14 2012 +1000

    s4-idmap: Add mapping using uidNumber and gidNumber like idmap_ad
    
    This is a solution for users who are upgrading from Samba 3.x in
    particular, or have clients that will be using idmap_ad.  This avoids
    needing to have duplicate values in idmap.ldb and in the directory.
    
    No check for conflicts is made with the idmap.ldb - the AD store always wins.
    
    Andrew Bartlett
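
The precedence the commit above describes (posix attributes in the AD store win, idmap.ldb is only the fallback, and no conflict check is made) is easy to get wrong in an upgrade, and an attribute anyone with write access to uidNumber/gidNumber can set now decides Unix ownership. The following is an added example, not Samba's idmap code: it resolves SIDs with that precedence over constructed sample data and adds the two checks the commit says it does not make, disagreement between the two stores and a Unix ID shared by more than one SID. The domain SID, RIDs and attribute values are made up.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    sid: str
    kind: str      # "uid" or "gid"
    xid: int
    source: str    # "ad" (uidNumber/gidNumber in the directory) or "idmap.ldb"


# Constructed sample data; the domain SID is made up for this example.
DOMAIN = "S-1-5-21-1111-2222-3333"


def sid(rid):
    return f"{DOMAIN}-{rid}"


# Directory objects keyed by objectSid. Only posixAccount/posixGroup entries
# carry uidNumber/gidNumber, which is what the commit reads.
AD_STORE = {
    sid(500):  {"objectClass": ["user", "posixAccount"], "uidNumber": 10500},
    sid(513):  {"objectClass": ["group", "posixGroup"], "gidNumber": 10513},
    sid(1105): {"objectClass": ["user", "posixAccount"], "uidNumber": 3001},
    sid(1106): {"objectClass": ["user"]},                                      # no posix attributes
    sid(1107): {"objectClass": ["user", "posixAccount"], "uidNumber": 3003},
    sid(1108): {"objectClass": ["user", "posixAccount"], "uidNumber": 3001},   # same uid as 1105
}

# Legacy idmap.ldb contents, sid -> (kind, xid): 513 agrees with AD,
# 1106 exists only here, 1107 disagrees with AD.
IDMAP_LDB = {
    sid(513):  ("gid", 10513),
    sid(1106): ("uid", 3002),
    sid(1107): ("uid", 3999),
}


def ad_mapping(s):
    """Mapping from the directory's posix attributes, or None."""
    entry = AD_STORE.get(s)
    if entry is None:
        return None
    classes = entry["objectClass"]
    if "posixAccount" in classes and "uidNumber" in entry:
        return Mapping(s, "uid", int(entry["uidNumber"]), "ad")
    if "posixGroup" in classes and "gidNumber" in entry:
        return Mapping(s, "gid", int(entry["gidNumber"]), "ad")
    return None


def resolve(s):
    """Resolve a SID: the AD store wins, idmap.ldb is only the fallback."""
    m = ad_mapping(s)
    if m is not None:
        return m
    if s in IDMAP_LDB:
        kind, xid = IDMAP_LDB[s]
        return Mapping(s, kind, xid, "idmap.ldb")
    return None


def audit():
    """The checks the commit does not make: SIDs whose AD and idmap.ldb
    mappings disagree, and Unix IDs owned by more than one SID."""
    conflicts = {}
    owners = defaultdict(set)
    for s in sorted(set(AD_STORE) | set(IDMAP_LDB)):
        m = resolve(s)
        if m is None:
            continue
        owners[(m.kind, m.xid)].add(s)
        if m.source == "ad" and s in IDMAP_LDB and IDMAP_LDB[s] != (m.kind, m.xid):
            conflicts[s] = (m.xid, IDMAP_LDB[s][1])
    collisions = {k: v for k, v in owners.items() if len(v) > 1}
    return {"conflicts": conflicts, "collisions": collisions}


if __name__ == "__main__":
    for s in sorted(set(AD_STORE) | set(IDMAP_LDB)):
        print(s, resolve(s))
    print(audit())
```

Run before switching a classic-upgraded domain over: a conflict means files owned under the old idmap.ldb number become orphaned or, worse, land on whoever the AD attribute now points at, and a collision means two accounts are indistinguishable at the filesystem ACL layer.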

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |   51 +-
 lib/param/loadparm.c                               |    4 +-
 selftest/target/Samba4.pm                          |    3 +-
 source3/Makefile.in                                |    9 -
 source3/auth/auth_netlogond.c                      |  448 ----
 source3/auth/proto.h                               |    2 -
 source3/auth/wscript_build                         |    9 -
 source3/configure.in                               |    4 -
 source3/passdb/pdb_ads.c                           | 2693 --------------------
 source3/passdb/wscript_build                       |    9 -
 source3/wscript                                    |    2 +-
 source4/scripting/python/samba/netcmd/domain.py    |   19 +-
 .../scripting/python/samba/provision/__init__.py   |    8 +-
 source4/scripting/python/samba/samba3/__init__.py  |    3 +-
 source4/scripting/python/samba/upgrade.py          |   45 +-
 source4/setup/tests/blackbox_s3upgrade.sh          |    9 +-
 source4/winbind/idmap.c                            |  124 +-
 source4/winbind/idmap.h                            |    1 +
 testdata/samba3/wins.dat2                          |   23 +
 19 files changed, 243 insertions(+), 3223 deletions(-)
 delete mode 100644 source3/auth/auth_netlogond.c
 delete mode 100644 source3/passdb/pdb_ads.c
 create mode 100644 testdata/samba3/wins.dat2


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index cb35f08..b6c9523 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,4 @@
-What's new in Samba 4 beta1
+What's new in Samba 4 beta2
 =============================
 
 Samba 4.0 will be the next version of the Samba suite and incorporates
@@ -11,7 +11,7 @@ and above.
 WARNINGS
 ========
 
-Samba4 beta1 is not a final Samba release, however we are now making
+Samba4 beta2 is not a final Samba release, however we are now making
 good progress towards a Samba 4.0 release, of which this is a preview.
 Be aware the this release contains the best of all of Samba's
 technology parts, both a file server (that you can reasonably expect
@@ -28,13 +28,26 @@ different stability characteristics compared with our previous default
 file server.  We are making this release so that we can find and fix
 any of these issues that arise in the real world.  New AD DC
 installations can provision or join with --use-ntvfs to obtain the
-previous default file server.  Existing installations will be
-unaffected at this stage.
+previous default file server.  See below how to continue using ntvfs
+in an existing installation.
 
 If you are upgrading, or looking to develop, test or deploy Samba 4.0
 beta releases, you should backup all configuration and data.
 
 
+UPGRADING
+=========
+
+Users upgrading from Samba 3.x domain controllers and wanting to use
+Samba 4.0 as an AD DC should use the 'samba-tool domain
+classicupgrade' command.  See the wiki for more details:
+https://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO 
+
+Users upgrading from Samba 4.0 alpha and beta releases since alpha15 
+should run 'samba-tool dbcheck --cross-ncs --fix'.  Users upgrading
+from earlier alpha releases should contact the team for advice. 
+
+
 NEW FEATURES
 ============
 
@@ -81,41 +94,33 @@ Python programs to interface to Samba's internals, and many tools and
 internal workings of the DC code is now implemented in python.
 
 
-CHANGES SINCE alpha21
+CHANGES SINCE beta1
 =====================
 
-For a list of changes since alpha21, please see the git log.
+For a list of changes since beta1, please see the git log.
 
 $ git clone git://git.samba.org/samba.git
 $ cd samba.git
-$ git log samba-4.0.0alpha21..samba-4.0.0beta1
+$ git log samba-4.0.0beta1..samba-4.0.0beta2
 
 Some major user-visible changes include:
 
-The internal DNS server has had some stability improvements, and
-now handles forwarded DNS replies in an async manner.
-
-The build of libtdb.so and libtalloc.so has been removed from the
-autoconf build.  Use the build in lib/talloc and lib/tdb to build
-this software for use across the system.
-
-The smbclient and nmblookup binaries have been renamed in the top
-level build, so smbclient/nmblookup are now the implementations from
-the Samba 3.x heritage.
+The default file server for EXISTING USERS has changed to s3fs.  To
+continue to use ntvfs, you must set in your smb.conf:
 
-Improved handling of the cleanup of smbd child processes (removing a
-number of scary warnings from our log output).
+    server services = +smb -s3fs
+    dcerpc endpoint services = +winreg +srvsvc
 
-Much improved support for FreeBSD, including extended attribute
-support on the filesystem for the AD DC.
+samba-tool dbcheck will now upgrade older databases that are missing
+GUIDs in the schema partition.  
 
 
 KNOWN ISSUES
 ============
 
-- We are making this beta release to gain real-world use of the 's3fs'
+- This release makes the s3fs file server the default, as this is the
   file server combination we will use for the Samba 4.0 release.
-  Users should expect some rough edges: in particular, there are
+  Users should still expect some rough edges: in particular, there are
   warnings about invalid parameters from the two respective parameter
   parsing engines.
 
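
Review bot: the parameter name in the added ntvfs recipe is wrong: `dcerpc endpoint services = +winreg +srvsvc` should read `dcerpc endpoint servers = +winreg +srvsvc`, which is the name used in lib/param/loadparm.c and in selftest/target/Samba4.pm in this same push. As written, an admin following WHATSNEW gets a parameter Samba does not recognise and an ntvfs server with no winreg or srvsvc endpoints. There is also trailing whitespace after `GUIDs in the schema partition.`.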
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 5749c34..41c8cc6 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3312,8 +3312,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
 	lpcfg_do_global_parameter(lp_ctx, "max connections", "-1");
 
-	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup unixinfo browser eventlog6 backupkey dnsserver");
-	lpcfg_do_global_parameter(lp_ctx, "server services", "smb rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate");
+	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate");
 	lpcfg_do_global_parameter(lp_ctx, "ntptr providor", "simple_ldb");
 	/* the winbind method for domain controllers is for both RODC
 	   auth forwarding and for trusted domains */
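
Review bot: dropping `srvsvc` and `winreg` from the default `dcerpc endpoint servers` list means an existing install that overrides `server services` to `+smb -s3fs` but forgets `+winreg +srvsvc` silently loses both endpoints; consider re-adding them when `smb` is present in `server services`, or at least logging a loadparm warning when `smb` is enabled without them, since nothing else in this patch catches that combination.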
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 954cf9c..2c26ffc 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -580,7 +580,8 @@ sub provision_raw_step1($$)
 	panic action = $RealBin/gdb_backtrace \%d
 	wins support = yes
 	server role = $ctx->{server_role}
-	server services = +echo +dns
+	server services = +echo +dns +smb -s3fs
+        dcerpc endpoint servers = +winreg +srvsvc
 	notify:inotify = false
 	ldb:nosync = true
 #We don't want to pass our self-tests if the PAC code is wrong
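
Review bot: the added `dcerpc endpoint servers = +winreg +srvsvc` line is indented with spaces while the surrounding template lines use tabs; match the tabs. More importantly, pinning the selftest provision to `+smb -s3fs` means this environment now runs the file server that is no longer the default, so the new s3fs default set in loadparm.c gets no coverage here; a comment explaining why, and a pointer to the environment that does exercise s3fs, belongs next to these lines.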
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 43dfb94..e7a0a7d 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -906,7 +906,6 @@ AUTH_UNIX_OBJ = auth/auth_unix.o
 AUTH_WINBIND_OBJ = auth/auth_winbind.o
 AUTH_WBC_OBJ = auth/auth_wbc.o
 AUTH_SCRIPT_OBJ = auth/auth_script.o
-AUTH_NETLOGOND_OBJ = auth/auth_netlogond.o
 
 AUTH_OBJ = auth/auth.o @AUTH_STATIC@ auth/auth_util.o auth/token_util.o \
 	   auth/server_info.o \
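
Review bot: removing `AUTH_NETLOGOND_OBJ` is only safe if `configure.in` no longer lists `netlogond` among the auth modules that expand `@AUTH_STATIC@`; the summary shows 4 lines removed from `source3/configure.in`, but that part of the changeset lies beyond the 500-line truncation and cannot be checked from this mail.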
@@ -2656,10 +2655,6 @@ bin/script. at SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_SCRIPT_OBJ)
 	@echo "Building plugin $@"
 	@$(SHLD_MODULE) $(AUTH_SCRIPT_OBJ)
 
-bin/netlogond. at SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_NETLOGOND_OBJ)
-	@echo "Building plugin $@"
-	@$(SHLD_MODULE) $(AUTH_NETLOGOND_OBJ)
-
 bin/winbind. at SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_WINBIND_OBJ)
 	@echo "Building plugin $@"
 	@$(SHLD_MODULE) $(AUTH_WINBIND_OBJ)
@@ -2682,10 +2677,6 @@ bin/ldapsam. at SHLIBEXT@: $(BINARY_PREREQS) passdb/pdb_ldap.o passdb/pdb_nds.o \
 	@$(SHLD_MODULE) passdb/pdb_ldap.o passdb/pdb_nds.o passdb/pdb_ipa.o \
 			passdb/pdb_ldap_util.o $(LDAP_LIBS)
 
-bin/ads. at SHLIBEXT@: $(BINARY_PREREQS) passdb/pdb_ads.o
-	@echo "Building plugin $@"
-	@$(SHLD_MODULE) passdb/pdb_ads.o
-
 bin/tdbsam. at SHLIBEXT@: $(BINARY_PREREQS) passdb/pdb_tdb.o
 	@echo "Building plugin $@"
 	@$(SHLD_MODULE) passdb/pdb_tdb.o
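
Review bot: the deleted `bin/ads.@SHLIBEXT@` target implies the backend was selected by the module name `ads`; if so, an existing `passdb backend` line naming it will no longer load, and the commit message's pointer to pdb_samba4 should be repeated in WHATSNEW so admins of upgraded installs are not surprised.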
diff --git a/source3/auth/auth_netlogond.c b/source3/auth/auth_netlogond.c
deleted file mode 100644
index 7fb0374..0000000
--- a/source3/auth/auth_netlogond.c
+++ /dev/null
@@ -1,448 +0,0 @@
-/*
-   Unix SMB/CIFS implementation.
-   Authenticate against a netlogon pipe listening on a unix domain socket
-   Copyright (C) Volker Lendecke 2008
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "auth.h"
-#include "../libcli/auth/libcli_auth.h"
-#include "../librpc/gen_ndr/ndr_netlogon.h"
-#include "librpc/gen_ndr/ndr_schannel.h"
-#include "rpc_client/cli_pipe.h"
-#include "rpc_client/cli_netlogon.h"
-#include "secrets.h"
-#include "tldap.h"
-#include "tldap_util.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_AUTH
-
-static bool secrets_store_local_schannel_creds(
-	const struct netlogon_creds_CredentialState *creds)
-{
-	DATA_BLOB blob;
-	enum ndr_err_code ndr_err;
-	bool ret;
-
-	ndr_err = ndr_push_struct_blob(
-		&blob, talloc_tos(), creds,
-		(ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		DEBUG(10, ("ndr_push_netlogon_creds_CredentialState failed: "
-			   "%s\n", ndr_errstr(ndr_err)));
-		return false;
-	}
-	ret = secrets_store(SECRETS_LOCAL_SCHANNEL_KEY,
-			    blob.data, blob.length);
-	data_blob_free(&blob);
-	return ret;
-}
-
-static struct netlogon_creds_CredentialState *
-secrets_fetch_local_schannel_creds(TALLOC_CTX *mem_ctx)
-{
-	struct netlogon_creds_CredentialState *creds;
-	enum ndr_err_code ndr_err;
-	DATA_BLOB blob;
-
-	blob.data = (uint8_t *)secrets_fetch(SECRETS_LOCAL_SCHANNEL_KEY,
-					     &blob.length);
-	if (blob.data == NULL) {
-		DEBUG(10, ("secrets_fetch failed\n"));
-		return NULL;
-	}
-
-	creds = talloc(mem_ctx, struct netlogon_creds_CredentialState);
-	if (creds == NULL) {
-		DEBUG(10, ("talloc failed\n"));
-		SAFE_FREE(blob.data);
-		return NULL;
-	}
-	ndr_err = ndr_pull_struct_blob(
-		&blob, creds, creds,
-		(ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
-	SAFE_FREE(blob.data);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		DEBUG(10, ("ndr_pull_netlogon_creds_CredentialState failed: "
-			   "%s\n", ndr_errstr(ndr_err)));
-		TALLOC_FREE(creds);
-		return NULL;
-	}
-
-	return creds;
-}
-
-static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx,
-				   const struct auth_context *auth_context,
-				   const char *ncalrpc_sockname,
-				   struct netlogon_creds_CredentialState *creds,
-				   const struct auth_usersupplied_info *user_info,
-				   struct netr_SamInfo3 **pinfo3,
-				   NTSTATUS *schannel_bind_result)
-{
-	struct rpc_pipe_client *p = NULL;
-	struct pipe_auth_data *auth = NULL;
-	struct netr_SamInfo3 *info3 = NULL;
-	NTSTATUS status;
-
-	*schannel_bind_result = NT_STATUS_OK;
-
-	status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpc_sockname,
-				       &ndr_table_netlogon.syntax_id, &p);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
-			   nt_errstr(status)));
-		return status;
-	}
-
-	p->dc = creds;
-
-	status = rpccli_schannel_bind_data(p, lp_workgroup(),
-					   DCERPC_AUTH_LEVEL_PRIVACY,
-					   p->dc, &auth);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(10, ("rpccli_schannel_bind_data failed: %s\n",
-			   nt_errstr(status)));
-		TALLOC_FREE(p);
-		return status;
-	}
-
-	status = rpc_pipe_bind(p, auth);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
-		TALLOC_FREE(p);
-		*schannel_bind_result = status;
-		return status;
-	}
-
-	status = rpccli_netlogon_sam_network_logon_ex(
-		p, p,
-		user_info->logon_parameters,           /* flags such as 'allow
-					                * workstation logon' */
-		lp_netbios_name(),                       /* server name */
-		user_info->client.account_name,        /* user name logging on. */
-		user_info->client.domain_name,         /* domain name */
-		user_info->workstation_name,           /* workstation name */
-		(uchar *)auth_context->challenge.data, /* 8 byte challenge. */
-		3,				       /* validation level */
-		user_info->password.response.lanman,   /* lanman 24 byte response */
-		user_info->password.response.nt,       /* nt 24 byte response */
-		&info3);                               /* info3 out */
-
-	DEBUG(10, ("rpccli_netlogon_sam_network_logon_ex returned %s\n",
-		   nt_errstr(status)));
-
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(p);
-		return status;
-	}
-
-	*pinfo3 = talloc_move(mem_ctx, &info3);
-
-	TALLOC_FREE(p);
-	return NT_STATUS_OK;
-}
-
-static NTSTATUS get_ldapi_ctx(TALLOC_CTX *mem_ctx, struct tldap_context **pld)
-{
-	struct tldap_context *ld;
-	struct sockaddr_un addr;
-	char *sockaddr;
-	int fd;
-	NTSTATUS status;
-	int res;
-
-	sockaddr = talloc_asprintf(talloc_tos(), "/%s/ldap_priv/ldapi",
-				   lp_private_dir());
-	if (sockaddr == NULL) {
-		DEBUG(10, ("talloc failed\n"));
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	ZERO_STRUCT(addr);
-	addr.sun_family = AF_UNIX;
-	strncpy(addr.sun_path, sockaddr, sizeof(addr.sun_path));
-	TALLOC_FREE(sockaddr);
-
-	status = open_socket_out((struct sockaddr_storage *)(void *)&addr,
-				 0, 0, &fd);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(10, ("Could not connect to %s: %s\n", addr.sun_path,
-			   nt_errstr(status)));
-		return status;
-	}
-	set_blocking(fd, false);
-
-	ld = tldap_context_create(mem_ctx, fd);
-	if (ld == NULL) {
-		close(fd);
-		return NT_STATUS_NO_MEMORY;
-	}
-	res = tldap_fetch_rootdse(ld);
-	if (res != TLDAP_SUCCESS) {
-		DEBUG(10, ("tldap_fetch_rootdse failed: %s\n",
-			   tldap_errstr(talloc_tos(), ld, res)));
-		TALLOC_FREE(ld);
-		return NT_STATUS_LDAP(res);
-	}
-	*pld = ld;
-	return NT_STATUS_OK;;
-}
-
-static NTSTATUS mymachinepw(uint8_t pwd[16])
-{
-	TALLOC_CTX *frame = talloc_stackframe();
-	struct tldap_context *ld = NULL;
-	struct tldap_message *rootdse, **msg;
-	const char *attrs[1] = { "unicodePwd" };
-	char *default_nc, *myname;
-	int rc, num_msg;
-	DATA_BLOB pwdblob;
-	NTSTATUS status;
-
-	status = get_ldapi_ctx(talloc_tos(), &ld);
-	if (!NT_STATUS_IS_OK(status)) {
-		goto fail;
-	}
-	rootdse = tldap_rootdse(ld);
-	if (rootdse == NULL) {
-		DEBUG(10, ("Could not get rootdse\n"));
-		status = NT_STATUS_INTERNAL_ERROR;
-		goto fail;
-	}
-	default_nc = tldap_talloc_single_attribute(
-		rootdse, "defaultNamingContext", talloc_tos());
-	if (default_nc == NULL) {
-		DEBUG(10, ("Could not get defaultNamingContext\n"));
-		status = NT_STATUS_NO_MEMORY;
-		goto fail;
-	}
-	DEBUG(10, ("default_nc = %s\n", default_nc));
-
-	myname = talloc_asprintf_strupper_m(talloc_tos(), "%s$",
-					    lp_netbios_name());
-	if (myname == NULL) {
-		DEBUG(10, ("talloc failed\n"));
-		status = NT_STATUS_NO_MEMORY;
-		goto fail;
-	}
-
-	rc = tldap_search_fmt(
-		ld, default_nc, TLDAP_SCOPE_SUB, attrs, ARRAY_SIZE(attrs), 0,
-		talloc_tos(), &msg,
-		"(&(sAMAccountName=%s)(objectClass=computer))", myname);
-	if (rc != TLDAP_SUCCESS) {
-		DEBUG(10, ("Could not retrieve our account: %s\n",
-			   tldap_errstr(talloc_tos(), ld, rc)));
-		status = NT_STATUS_LDAP(rc);
-		goto fail;
-	}
-	num_msg = talloc_array_length(msg);
-	if (num_msg != 1) {
-		DEBUG(10, ("Got %d accounts, expected one\n", num_msg));
-		status = NT_STATUS_INTERNAL_DB_CORRUPTION;
-		goto fail;
-	}
-	if (!tldap_get_single_valueblob(msg[0], "unicodePwd", &pwdblob)) {
-		char *dn = NULL;
-		tldap_entry_dn(msg[0], &dn);
-		DEBUG(10, ("No unicodePwd attribute in %s\n",
-			   dn ? dn : "<unknown DN>"));
-		status = NT_STATUS_INTERNAL_DB_CORRUPTION;
-		goto fail;
-	}
-	if (pwdblob.length != 16) {
-		DEBUG(10, ("Password hash hash has length %d, expected 16\n",
-			   (int)pwdblob.length));
-		status = NT_STATUS_INTERNAL_DB_CORRUPTION;
-		goto fail;
-	}
-	memcpy(pwd, pwdblob.data, 16);
-
-fail:
-	TALLOC_FREE(frame);
-	return status;
-}
-
-static NTSTATUS check_netlogond_security(const struct auth_context *auth_context,
-					 void *my_private_data,
-					 TALLOC_CTX *mem_ctx,
-					 const struct auth_usersupplied_info *user_info,
-					 struct auth_serversupplied_info **server_info)
-{
-	TALLOC_CTX *frame = talloc_stackframe();
-	struct netr_SamInfo3 *info3 = NULL;
-	struct rpc_pipe_client *p = NULL;
-	struct pipe_auth_data *auth = NULL;
-	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-	uint8_t machine_password[16];
-	struct netlogon_creds_CredentialState *creds;
-	NTSTATUS schannel_bind_result, status;
-	struct named_mutex *mutex = NULL;
-	const char *ncalrpcsock;
-
-	DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
-
-	ncalrpcsock = lp_parm_const_string(
-		GLOBAL_SECTION_SNUM, "auth_netlogond", "socket", NULL);
-
-	if (ncalrpcsock == NULL) {
-		ncalrpcsock = talloc_asprintf(talloc_tos(), "%s/%s",
-					      get_dyn_NCALRPCDIR(), "DEFAULT");
-	}
-
-	if (ncalrpcsock == NULL) {
-		status = NT_STATUS_NO_MEMORY;
-		goto done;
-	}
-
-	creds = secrets_fetch_local_schannel_creds(talloc_tos());
-	if (creds == NULL) {
-		goto new_key;
-	}
-
-	status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
-				    creds, user_info, &info3,
-				    &schannel_bind_result);
-
-	DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
-
-	if (NT_STATUS_IS_OK(status)) {
-		goto okay;
-	}
-
-	if (NT_STATUS_IS_OK(schannel_bind_result)) {
-		/*
-		 * This is a real failure from the DC
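
Review bot: the removed module reads the `auth_netlogond:socket` parameter (visible in `check_netlogond_security`) and persists schannel credentials under `SECRETS_LOCAL_SCHANNEL_KEY` in secrets.tdb; neither WHATSNEW nor the commit message tells admins that `auth methods` entries naming this module stop working, and nothing in the patch removes the stored credential blob, which is left behind in secrets.tdb. Add a WHATSNEW line for the removal and consider a one-off cleanup of that key. The hunk is cut off at the 500-line limit, so the tail of the file is not reviewable here.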


-- 
Samba Shared Repository

