[SCM] Samba Shared Repository - branch master updated
simo
idra at samba.org
Sat Jun 16 08:23:21 MDT 2012
On Sat, 2012-06-16 at 10:14 +0200, Andrew Bartlett wrote:
> The branch, master has been updated
> via 4edd8b8 s3-auth: Remove auth_netlogond
> via 9c715da s3-passdb: Remove pdb_ads
Andrew,
I would like you to revert these two commits ASAP.
Simo.
> via d949736 s4-classicupgrade: Also ask testparm for 'smb passwd file'
> via a0a2f79 WHATSNEW: Bump the version and announce the s3fs default
> via d9f7195 s4-classicupgrade: Use "samba classic" description for samba3 NT4-like domains in samba3upgrade
> via 39766b7 s4-lib/param: FLAG DAY for the default FILE SERVER
> via b58dc18 s4-s3upgrade: Assert that administrator has a SID of -500, and only skip root if it is -500
> via 61f7f01 s4-s3upgrade: Add my wins.dat and fix the parsing error
> via d0b60f0 s4-s3upgrade: improve idmap import to use posixAccount and posixGroup entries
> via 3c65bac s4-idmap: Add mapping using uidNumber and gidNumber like idmap_ad
> from bbb7cbf Same fix as bug 8989 - Samba 3.5.x (and probably all other versions of Samba) does not send correct responses to NT Transact Secondary when no data and no params
>
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>
>
> - Log -----------------------------------------------------------------
> commit 4edd8b891a90a89a84fbfa3636cc568d247b04b2
> Author: Andrew Bartlett <abartlet at samba.org>
> Date: Sun Jun 3 10:56:46 2012 +1000
>
> s3-auth: Remove auth_netlogond
>
> auth_netlogond was an important module in the development of the
> combined Samba 4.0, and was the first module to link smbd with the AD
> authentication store, showing that it was possible for NTLM
> authentication to be offloaded to the AD server components.
>
> We now have auth_samba4, which provides the full GENSEC stack to smbd,
> which also matches exactly the group membership and privileges
> assignment and which is supported and tested as part of the official
> Samba 4.0 release configuration.
>
> Andrew Bartlett
>
> Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
> Autobuild-Date(master): Sat Jun 16 10:13:20 CEST 2012 on sn-devel-104
>
> commit 9c715da1cbc256b9ae9298618c92807592607c9b
> Author: Andrew Bartlett <abartlet at samba.org>
> Date: Sun Jun 3 10:54:06 2012 +1000
>
> s3-passdb: Remove pdb_ads
>
> pdb_ads was an important module in the development of the combined Samba 4.0, and
> was the first module to show that standard samba3 tools such as smbpasswd can be
> made to operate on the sam.ldb.
>
> We now have pdb_samba4, which operates directly on the sam.ldb, rather than via
> ldapi://, which uses transactions and which is supported and tested as part
> of the official Samba 4.0 release configuration.
>
> This module is not as complete (for example, it does not honour the idmap
> configuration) and requires that the samba binary be running to operate.
>
> Andrew Bartlett
>
> commit d949736f8dc02eec180723a55f4604b7b3aa83d8
> Author: Andrew Bartlett <abartlet at samba.org>
> Date: Sat Jun 16 15:34:50 2012 +1000
>
> s4-classicupgrade: Also ask testparm for 'smb passwd file'
>
> commit a0a2f7999e20ab64dcbfca8299dbf0adfba0dea3
> Author: Andrew Bartlett <abartlet at samba.org>
> Date: Sat Jun 16 13:12:50 2012 +1000
>
> WHATSNEW: Bump the version and announce the s3fs default
>
> commit d9f7195a1f5a12d5dc8865aa5553b61a4f770e3d
> Author: Andrew Bartlett <abartlet at samba.org>
> Date: Sat Jun 16 13:06:44 2012 +1000
>
> s4-classicupgrade: Use "samba classic" description for samba3 NT4-like domains in samba3upgrade
>
> commit 39766b75a40fbab73fc23dd947de44f8349ed466
> Author: Andrew Bartlett <abartlet at samba.org>
> Date: Sat Jun 16 12:54:12 2012 +1000
>
> s4-lib/param: FLAG DAY for the default FILE SERVER
>
> This commit changes the default file server to be s3fs. Existing
> installs wishing to keep the ntvfs file server need to set this in
> their smb.conf:
>
> server services = +smb -s3fs
> dcerpc endpoint services = +winreg +srvsvc
>
> Andrew Bartlett
>
> commit b58dc1826e69c61a30d38b05e7f451404670baef
> Author: Andrew Bartlett <abartlet at samba.org>
> Date: Sat Jun 16 14:19:42 2012 +1000
>
> s4-s3upgrade: Assert that administrator has a SID of -500, and only skip root if it is -500
>
> Many upgraded installations have root as -1000, and so that account needs to be kept.
>
> Andrew Bartlett
>
> commit 61f7f0155465b14612f7ac29a12c442ff25031b4
> Author: Andrew Bartlett <abartlet at samba.org>
> Date: Sat Jun 16 13:58:06 2012 +1000
>
> s4-s3upgrade: Add my wins.dat and fix the parsing error
>
> The issue was that the numbers at the end of the lines are space
> padded.
>
> Andrew Bartlett
>
> commit d0b60f02dd3c324d4c990dae7334b228dddba075
> Author: Andrew Bartlett <abartlet at samba.org>
> Date: Sun Jun 10 20:42:25 2012 +1000
>
> s4-s3upgrade: improve idmap import to use posixAccount and posixGroup entries
>
> commit 3c65bac0b6fc104f4bdf86beed775d13da00aaab
> Author: Andrew Bartlett <abartlet at samba.org>
> Date: Sun Jun 10 15:52:14 2012 +1000
>
> s4-idmap: Add mapping using uidNumber and gidNumber like idmap_ad
>
> This is a solution for users who are upgrading from Samba 3.x in
> particular, or have clients that will be using idmap_ad. This avoids
> needing to have duplicate values in idmap.ldb and in the directory.
>
> No check for conflicts is made with the idmap.ldb - the AD store always wins.
>
> Andrew Bartlett
>
> -----------------------------------------------------------------------
>
> Summary of changes:
> WHATSNEW.txt | 51 +-
> lib/param/loadparm.c | 4 +-
> selftest/target/Samba4.pm | 3 +-
> source3/Makefile.in | 9 -
> source3/auth/auth_netlogond.c | 448 ----
> source3/auth/proto.h | 2 -
> source3/auth/wscript_build | 9 -
> source3/configure.in | 4 -
> source3/passdb/pdb_ads.c | 2693 --------------------
> source3/passdb/wscript_build | 9 -
> source3/wscript | 2 +-
> source4/scripting/python/samba/netcmd/domain.py | 19 +-
> .../scripting/python/samba/provision/__init__.py | 8 +-
> source4/scripting/python/samba/samba3/__init__.py | 3 +-
> source4/scripting/python/samba/upgrade.py | 45 +-
> source4/setup/tests/blackbox_s3upgrade.sh | 9 +-
> source4/winbind/idmap.c | 124 +-
> source4/winbind/idmap.h | 1 +
> testdata/samba3/wins.dat2 | 23 +
> 19 files changed, 243 insertions(+), 3223 deletions(-)
> delete mode 100644 source3/auth/auth_netlogond.c
> delete mode 100644 source3/passdb/pdb_ads.c
> create mode 100644 testdata/samba3/wins.dat2
>
>
> Changeset truncated at 500 lines:
>
> diff --git a/WHATSNEW.txt b/WHATSNEW.txt
> index cb35f08..b6c9523 100644
> --- a/WHATSNEW.txt
> +++ b/WHATSNEW.txt
> @@ -1,4 +1,4 @@
> -What's new in Samba 4 beta1
> +What's new in Samba 4 beta2
> =============================
>
> Samba 4.0 will be the next version of the Samba suite and incorporates
> @@ -11,7 +11,7 @@ and above.
> WARNINGS
> ========
>
> -Samba4 beta1 is not a final Samba release, however we are now making
> +Samba4 beta2 is not a final Samba release, however we are now making
> good progress towards a Samba 4.0 release, of which this is a preview.
> Be aware the this release contains the best of all of Samba's
> technology parts, both a file server (that you can reasonably expect
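Review bot: the unchanged context line "Be aware the this release contains the best of all of Samba's" carries a pre-existing typo ("the this"); since this hunk already rewrites the paragraph to bump beta1 to beta2, fix it to "Be aware that this release contains" in the same change rather than shipping the typo in another release note.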
> @@ -28,13 +28,26 @@ different stability characteristics compared with our previous default
> file server. We are making this release so that we can find and fix
> any of these issues that arise in the real world. New AD DC
> installations can provision or join with --use-ntvfs to obtain the
> -previous default file server. Existing installations will be
> -unaffected at this stage.
> +previous default file server. See below how to continue using ntvfs
> +in an existing installation.
>
> If you are upgrading, or looking to develop, test or deploy Samba 4.0
> beta releases, you should backup all configuration and data.
>
>
> +UPGRADING
> +=========
> +
> +Users upgrading from Samba 3.x domain controllers and wanting to use
> +Samba 4.0 as an AD DC should use the 'samba-tool domain
> +classicupgrade' command. See the wiki for more details:
> +https://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO
> +
> +Users upgrading from Samba 4.0 alpha and beta releases since alpha15
> +should run 'samba-tool dbcheck --cross-ncs --fix'. Users upgrading
> +from earlier alpha releases should contact the team for advice.
> +
> +
> NEW FEATURES
> ============
>
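Review bot: "+previous default file server. See below how to continue using ntvfs" should read "See below for how to continue using ntvfs"; it is the sentence ntvfs users will follow, so it should be unambiguous. In the new UPGRADING section, "Users upgrading from earlier alpha releases should contact the team for advice" gives no contact point, while the classicupgrade paragraph above it does give a wiki URL; add the mailing list or wiki page the team wants those users to use.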
> @@ -81,41 +94,33 @@ Python programs to interface to Samba's internals, and many tools and
> internal workings of the DC code is now implemented in python.
>
>
> -CHANGES SINCE alpha21
> +CHANGES SINCE beta1
> =====================
>
> -For a list of changes since alpha21, please see the git log.
> +For a list of changes since beta1, please see the git log.
>
> $ git clone git://git.samba.org/samba.git
> $ cd samba.git
> -$ git log samba-4.0.0alpha21..samba-4.0.0beta1
> +$ git log samba-4.0.0beta1..samba-4.0.0beta2
>
> Some major user-visible changes include:
>
> -The internal DNS server has had some stability improvements, and
> -now handles forwarded DNS replies in an async manner.
> -
> -The build of libtdb.so and libtalloc.so has been removed from the
> -autoconf build. Use the build in lib/talloc and lib/tdb to build
> -this software for use across the system.
> -
> -The smbclient and nmblookup binaries have been renamed in the top
> -level build, so smbclient/nmblookup are now the implementations from
> -the Samba 3.x heritage.
> +The default file server for EXISTING USERS has changed to s3fs. To
> +continue to use ntvfs, you must set in your smb.conf:
>
> -Improved handling of the cleanup of smbd child processes (removing a
> -number of scary warnings from our log output).
> + server services = +smb -s3fs
> + dcerpc endpoint services = +winreg +srvsvc
>
> -Much improved support for FreeBSD, including extended attribute
> -support on the filesystem for the AD DC.
> +samba-tool dbcheck will now upgrade older databases that are missing
> +GUIDs in the schema partition.
>
>
> KNOWN ISSUES
> ============
>
> -- We are making this beta release to gain real-world use of the 's3fs'
> +- This release makes the s3fs file server the default, as this is the
> file server combination we will use for the Samba 4.0 release.
> - Users should expect some rough edges: in particular, there are
> + Users should still expect some rough edges: in particular, there are
> warnings about invalid parameters from the two respective parameter
> parsing engines.
>
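Review bot: the smb.conf snippet at "+ dcerpc endpoint services = +winreg +srvsvc" names a parameter that does not exist as written: lib/param/loadparm.c and selftest/target/Samba4.pm in this same changeset both use 'dcerpc endpoint servers'. An admin following WHATSNEW to keep ntvfs would hit exactly the "warnings about invalid parameters" this section mentions and, worse, would not get winreg and srvsvc back, because the loadparm.c hunk removes both from the default endpoint list. Change it to 'dcerpc endpoint servers = +winreg +srvsvc' (the commit message of 39766b7 repeats the same mistake). Since the changeset also deletes auth_netlogond and pdb_ads and nothing in WHATSNEW says so, add a line here warning configurations that still load those modules.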
> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
> index 5749c34..41c8cc6 100644
> --- a/lib/param/loadparm.c
> +++ b/lib/param/loadparm.c
> @@ -3312,8 +3312,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
> lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
> lpcfg_do_global_parameter(lp_ctx, "max connections", "-1");
>
> - lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup unixinfo browser eventlog6 backupkey dnsserver");
> - lpcfg_do_global_parameter(lp_ctx, "server services", "smb rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate");
> + lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
> + lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate");
> lpcfg_do_global_parameter(lp_ctx, "ntptr providor", "simple_ldb");
> /* the winbind method for domain controllers is for both RODC
> auth forwarding and for trusted domains */
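Review bot: the two replacement string literals drop 'srvsvc' and 'winreg' from "dcerpc endpoint servers" and swap 'smb' for 's3fs' in "server services" with nothing in the code explaining that the two lists are coupled. Add a comment above these lpcfg_do_global_parameter() calls stating that winreg and srvsvc are served by the s3fs file server and must be re-added together with 'smb' when ntvfs is selected, as the WHATSNEW text and the selftest target do; otherwise the next person editing these defaults has no way to know that changing one list without the other leaves the DC without those RPC services.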
> diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
> index 954cf9c..2c26ffc 100644
> --- a/selftest/target/Samba4.pm
> +++ b/selftest/target/Samba4.pm
> @@ -580,7 +580,8 @@ sub provision_raw_step1($$)
> panic action = $RealBin/gdb_backtrace \%d
> wins support = yes
> server role = $ctx->{server_role}
> - server services = +echo +dns
> + server services = +echo +dns +smb -s3fs
> + dcerpc endpoint servers = +winreg +srvsvc
> notify:inotify = false
> ldb:nosync = true
> #We don't want to pass our self-tests if the PAC code is wrong
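Review bot: the added lines "+ server services = +echo +dns +smb -s3fs" and "+ dcerpc endpoint servers = +winreg +srvsvc" make every environment provisioned through provision_raw_step1 opt out of the new s3fs default. The commit message for 39766b7 justifies the flag day by s3fs being "supported and tested as part of the official Samba 4.0 release configuration", yet as far as this hunk shows the selftest now exercises only the ntvfs configuration that is no longer the default. Either keep at least one test environment on the default so the shipped configuration is what gets tested, or add a comment here recording why the selftest pins ntvfs and what has to happen before it can be switched.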
> diff --git a/source3/Makefile.in b/source3/Makefile.in
> index 43dfb94..e7a0a7d 100644
> --- a/source3/Makefile.in
> +++ b/source3/Makefile.in
> @@ -906,7 +906,6 @@ AUTH_UNIX_OBJ = auth/auth_unix.o
> AUTH_WINBIND_OBJ = auth/auth_winbind.o
> AUTH_WBC_OBJ = auth/auth_wbc.o
> AUTH_SCRIPT_OBJ = auth/auth_script.o
> -AUTH_NETLOGOND_OBJ = auth/auth_netlogond.o
>
> AUTH_OBJ = auth/auth.o @AUTH_STATIC@ auth/auth_util.o auth/token_util.o \
> auth/server_info.o \
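Review bot: removing the "-AUTH_NETLOGOND_OBJ = auth/auth_netlogond.o" definition is only half of the autoconf side. The context line "AUTH_OBJ = auth/auth.o @AUTH_STATIC@ ..." shows that the static module list comes from configure; the summary lists source3/configure.in with 4 deletions, which is presumably that entry, but the truncated changeset does not show it. Confirm that no default module list still names auth_netlogond (and likewise pdb_ads for the passdb hunk below), or a static build will try to link an object that no longer has a rule.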
> @@ -2656,10 +2655,6 @@ bin/script. at SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_SCRIPT_OBJ)
> @echo "Building plugin $@"
> @$(SHLD_MODULE) $(AUTH_SCRIPT_OBJ)
>
> -bin/netlogond. at SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_NETLOGOND_OBJ)
> - @echo "Building plugin $@"
> - @$(SHLD_MODULE) $(AUTH_NETLOGOND_OBJ)
> -
> bin/winbind. at SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_WINBIND_OBJ)
> @echo "Building plugin $@"
> @$(SHLD_MODULE) $(AUTH_WINBIND_OBJ)
> @@ -2682,10 +2677,6 @@ bin/ldapsam. at SHLIBEXT@: $(BINARY_PREREQS) passdb/pdb_ldap.o passdb/pdb_nds.o \
> @$(SHLD_MODULE) passdb/pdb_ldap.o passdb/pdb_nds.o passdb/pdb_ipa.o \
> passdb/pdb_ldap_util.o $(LDAP_LIBS)
>
> -bin/ads. at SHLIBEXT@: $(BINARY_PREREQS) passdb/pdb_ads.o
> - @echo "Building plugin $@"
> - @$(SHLD_MODULE) passdb/pdb_ads.o
> -
> bin/tdbsam. at SHLIBEXT@: $(BINARY_PREREQS) passdb/pdb_tdb.o
> @echo "Building plugin $@"
> @$(SHLD_MODULE) passdb/pdb_tdb.o
> diff --git a/source3/auth/auth_netlogond.c b/source3/auth/auth_netlogond.c
> deleted file mode 100644
> index 7fb0374..0000000
> --- a/source3/auth/auth_netlogond.c
> +++ /dev/null
> @@ -1,448 +0,0 @@
> -/*
> - Unix SMB/CIFS implementation.
> - Authenticate against a netlogon pipe listening on a unix domain socket
> - Copyright (C) Volker Lendecke 2008
> -
> - This program is free software; you can redistribute it and/or modify
> - it under the terms of the GNU General Public License as published by
> - the Free Software Foundation; either version 3 of the License, or
> - (at your option) any later version.
> -
> - This program is distributed in the hope that it will be useful,
> - but WITHOUT ANY WARRANTY; without even the implied warranty of
> - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> - GNU General Public License for more details.
> -
> - You should have received a copy of the GNU General Public License
> - along with this program. If not, see <http://www.gnu.org/licenses/>.
> -*/
> -
> -#include "includes.h"
> -#include "auth.h"
> -#include "../libcli/auth/libcli_auth.h"
> -#include "../librpc/gen_ndr/ndr_netlogon.h"
> -#include "librpc/gen_ndr/ndr_schannel.h"
> -#include "rpc_client/cli_pipe.h"
> -#include "rpc_client/cli_netlogon.h"
> -#include "secrets.h"
> -#include "tldap.h"
> -#include "tldap_util.h"
> -
> -#undef DBGC_CLASS
> -#define DBGC_CLASS DBGC_AUTH
> -
> -static bool secrets_store_local_schannel_creds(
> - const struct netlogon_creds_CredentialState *creds)
> -{
> - DATA_BLOB blob;
> - enum ndr_err_code ndr_err;
> - bool ret;
> -
> - ndr_err = ndr_push_struct_blob(
> - &blob, talloc_tos(), creds,
> - (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
> - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> - DEBUG(10, ("ndr_push_netlogon_creds_CredentialState failed: "
> - "%s\n", ndr_errstr(ndr_err)));
> - return false;
> - }
> - ret = secrets_store(SECRETS_LOCAL_SCHANNEL_KEY,
> - blob.data, blob.length);
> - data_blob_free(&blob);
> - return ret;
> -}
> -
> -static struct netlogon_creds_CredentialState *
> -secrets_fetch_local_schannel_creds(TALLOC_CTX *mem_ctx)
> -{
> - struct netlogon_creds_CredentialState *creds;
> - enum ndr_err_code ndr_err;
> - DATA_BLOB blob;
> -
> - blob.data = (uint8_t *)secrets_fetch(SECRETS_LOCAL_SCHANNEL_KEY,
> - &blob.length);
> - if (blob.data == NULL) {
> - DEBUG(10, ("secrets_fetch failed\n"));
> - return NULL;
> - }
> -
> - creds = talloc(mem_ctx, struct netlogon_creds_CredentialState);
> - if (creds == NULL) {
> - DEBUG(10, ("talloc failed\n"));
> - SAFE_FREE(blob.data);
> - return NULL;
> - }
> - ndr_err = ndr_pull_struct_blob(
> - &blob, creds, creds,
> - (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
> - SAFE_FREE(blob.data);
> - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> - DEBUG(10, ("ndr_pull_netlogon_creds_CredentialState failed: "
> - "%s\n", ndr_errstr(ndr_err)));
> - TALLOC_FREE(creds);
> - return NULL;
> - }
> -
> - return creds;
> -}
> -
> -static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx,
> - const struct auth_context *auth_context,
> - const char *ncalrpc_sockname,
> - struct netlogon_creds_CredentialState *creds,
> - const struct auth_usersupplied_info *user_info,
> - struct netr_SamInfo3 **pinfo3,
> - NTSTATUS *schannel_bind_result)
> -{
> - struct rpc_pipe_client *p = NULL;
> - struct pipe_auth_data *auth = NULL;
> - struct netr_SamInfo3 *info3 = NULL;
> - NTSTATUS status;
> -
> - *schannel_bind_result = NT_STATUS_OK;
> -
> - status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpc_sockname,
> - &ndr_table_netlogon.syntax_id, &p);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
> - nt_errstr(status)));
> - return status;
> - }
> -
> - p->dc = creds;
> -
> - status = rpccli_schannel_bind_data(p, lp_workgroup(),
> - DCERPC_AUTH_LEVEL_PRIVACY,
> - p->dc, &auth);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(10, ("rpccli_schannel_bind_data failed: %s\n",
> - nt_errstr(status)));
> - TALLOC_FREE(p);
> - return status;
> - }
> -
> - status = rpc_pipe_bind(p, auth);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
> - TALLOC_FREE(p);
> - *schannel_bind_result = status;
> - return status;
> - }
> -
> - status = rpccli_netlogon_sam_network_logon_ex(
> - p, p,
> - user_info->logon_parameters, /* flags such as 'allow
> - * workstation logon' */
> - lp_netbios_name(), /* server name */
> - user_info->client.account_name, /* user name logging on. */
> - user_info->client.domain_name, /* domain name */
> - user_info->workstation_name, /* workstation name */
> - (uchar *)auth_context->challenge.data, /* 8 byte challenge. */
> - 3, /* validation level */
> - user_info->password.response.lanman, /* lanman 24 byte response */
> - user_info->password.response.nt, /* nt 24 byte response */
> - &info3); /* info3 out */
> -
> - DEBUG(10, ("rpccli_netlogon_sam_network_logon_ex returned %s\n",
> - nt_errstr(status)));
> -
> - if (!NT_STATUS_IS_OK(status)) {
> - TALLOC_FREE(p);
> - return status;
> - }
> -
> - *pinfo3 = talloc_move(mem_ctx, &info3);
> -
> - TALLOC_FREE(p);
> - return NT_STATUS_OK;
> -}
> -
> -static NTSTATUS get_ldapi_ctx(TALLOC_CTX *mem_ctx, struct tldap_context **pld)
> -{
> - struct tldap_context *ld;
> - struct sockaddr_un addr;
> - char *sockaddr;
> - int fd;
> - NTSTATUS status;
> - int res;
> -
> - sockaddr = talloc_asprintf(talloc_tos(), "/%s/ldap_priv/ldapi",
> - lp_private_dir());
> - if (sockaddr == NULL) {
> - DEBUG(10, ("talloc failed\n"));
> - return NT_STATUS_NO_MEMORY;
> - }
> -
> - ZERO_STRUCT(addr);
> - addr.sun_family = AF_UNIX;
> - strncpy(addr.sun_path, sockaddr, sizeof(addr.sun_path));
> - TALLOC_FREE(sockaddr);
> -
> - status = open_socket_out((struct sockaddr_storage *)(void *)&addr,
> - 0, 0, &fd);
> - if (!NT_STATUS_IS_OK(status)) {
> - DEBUG(10, ("Could not connect to %s: %s\n", addr.sun_path,
> - nt_errstr(status)));
> - return status;
> - }
> - set_blocking(fd, false);
> -
> - ld = tldap_context_create(mem_ctx, fd);
> - if (ld == NULL) {
> - close(fd);
> - return NT_STATUS_NO_MEMORY;
> - }
> - res = tldap_fetch_rootdse(ld);
> - if (res != TLDAP_SUCCESS) {
> - DEBUG(10, ("tldap_fetch_rootdse failed: %s\n",
> - tldap_errstr(talloc_tos(), ld, res)));
> - TALLOC_FREE(ld);
> - return NT_STATUS_LDAP(res);
> - }
> - *pld = ld;
> - return NT_STATUS_OK;;
> -}
> -
> -static NTSTATUS mymachinepw(uint8_t pwd[16])
> -{
> - TALLOC_CTX *frame = talloc_stackframe();
> - struct tldap_context *ld = NULL;
> - struct tldap_message *rootdse, **msg;
> - const char *attrs[1] = { "unicodePwd" };
> - char *default_nc, *myname;
> - int rc, num_msg;
> - DATA_BLOB pwdblob;
> - NTSTATUS status;
> -
> - status = get_ldapi_ctx(talloc_tos(), &ld);
> - if (!NT_STATUS_IS_OK(status)) {
> - goto fail;
> - }
> - rootdse = tldap_rootdse(ld);
> - if (rootdse == NULL) {
> - DEBUG(10, ("Could not get rootdse\n"));
> - status = NT_STATUS_INTERNAL_ERROR;
> - goto fail;
> - }
> - default_nc = tldap_talloc_single_attribute(
> - rootdse, "defaultNamingContext", talloc_tos());
> - if (default_nc == NULL) {
> - DEBUG(10, ("Could not get defaultNamingContext\n"));
> - status = NT_STATUS_NO_MEMORY;
> - goto fail;
> - }
> - DEBUG(10, ("default_nc = %s\n", default_nc));
> -
> - myname = talloc_asprintf_strupper_m(talloc_tos(), "%s$",
> - lp_netbios_name());
> - if (myname == NULL) {
> - DEBUG(10, ("talloc failed\n"));
> - status = NT_STATUS_NO_MEMORY;
> - goto fail;
> - }
> -
> - rc = tldap_search_fmt(
> - ld, default_nc, TLDAP_SCOPE_SUB, attrs, ARRAY_SIZE(attrs), 0,
> - talloc_tos(), &msg,
> - "(&(sAMAccountName=%s)(objectClass=computer))", myname);
> - if (rc != TLDAP_SUCCESS) {
> - DEBUG(10, ("Could not retrieve our account: %s\n",
> - tldap_errstr(talloc_tos(), ld, rc)));
> - status = NT_STATUS_LDAP(rc);
> - goto fail;
> - }
> - num_msg = talloc_array_length(msg);
> - if (num_msg != 1) {
> - DEBUG(10, ("Got %d accounts, expected one\n", num_msg));
> - status = NT_STATUS_INTERNAL_DB_CORRUPTION;
> - goto fail;
> - }
> - if (!tldap_get_single_valueblob(msg[0], "unicodePwd", &pwdblob)) {
> - char *dn = NULL;
> - tldap_entry_dn(msg[0], &dn);
> - DEBUG(10, ("No unicodePwd attribute in %s\n",
> - dn ? dn : "<unknown DN>"));
> - status = NT_STATUS_INTERNAL_DB_CORRUPTION;
> - goto fail;
> - }
> - if (pwdblob.length != 16) {
> - DEBUG(10, ("Password hash hash has length %d, expected 16\n",
> - (int)pwdblob.length));
> - status = NT_STATUS_INTERNAL_DB_CORRUPTION;
> - goto fail;
> - }
> - memcpy(pwd, pwdblob.data, 16);
> -
> -fail:
> - TALLOC_FREE(frame);
> - return status;
> -}
> -
> -static NTSTATUS check_netlogond_security(const struct auth_context *auth_context,
> - void *my_private_data,
> - TALLOC_CTX *mem_ctx,
> - const struct auth_usersupplied_info *user_info,
> - struct auth_serversupplied_info **server_info)
> -{
> - TALLOC_CTX *frame = talloc_stackframe();
> - struct netr_SamInfo3 *info3 = NULL;
> - struct rpc_pipe_client *p = NULL;
> - struct pipe_auth_data *auth = NULL;
> - uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> - uint8_t machine_password[16];
> - struct netlogon_creds_CredentialState *creds;
> - NTSTATUS schannel_bind_result, status;
> - struct named_mutex *mutex = NULL;
> - const char *ncalrpcsock;
> -
> - DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
> -
> - ncalrpcsock = lp_parm_const_string(
> - GLOBAL_SECTION_SNUM, "auth_netlogond", "socket", NULL);
> -
> - if (ncalrpcsock == NULL) {
> - ncalrpcsock = talloc_asprintf(talloc_tos(), "%s/%s",
> - get_dyn_NCALRPCDIR(), "DEFAULT");
> - }
> -
> - if (ncalrpcsock == NULL) {
> - status = NT_STATUS_NO_MEMORY;
> - goto done;
> - }
> -
> - creds = secrets_fetch_local_schannel_creds(talloc_tos());
> - if (creds == NULL) {
> - goto new_key;
> - }
> -
> - status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
> - creds, user_info, &info3,
> - &schannel_bind_result);
> -
> - DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
> -
> - if (NT_STATUS_IS_OK(status)) {
> - goto okay;
> - }
> -
> - if (NT_STATUS_IS_OK(schannel_bind_result)) {
> - /*
> - * This is a real failure from the DC
>
>
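Review bot: the deleted module persisted schannel credentials under SECRETS_LOCAL_SCHANNEL_KEY via secrets_store() (see the removed secrets_store_local_schannel_creds()) and read the machine account's unicodePwd over the private ldapi socket in mymachinepw(). Deleting the code does not delete the data: installations that ran auth_netlogond keep a stale serialized netlogon_creds_CredentialState in their secrets store that nothing now reads or refreshes. Add a sentence to the commit message or WHATSNEW, or a cleanup in the secrets code, so administrators know that entry is dead. Note also that the 500-line truncation cuts off the rest of check_netlogond_security() and the whole pdb_ads.c deletion, so those cannot be reviewed from this mail.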
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>