[SCM] Samba Shared Repository - branch master updated
Günther Deschner
gd at samba.org
Tue Jul 15 10:26:04 MDT 2014
The branch, master has been updated
via 776c7ed samlogon_cache: avoid overwriting info3->base.full_name.string.
via e0128fd samlogon_cache: use a talloc_stackframe inside netsamlogon_cache_store.
via 2a790a5 s3-winbindd: prefer "displayName" over "name" in ads user queries for the fullname.
via 403693f s3-winbind: Don't set the gecos field to NULL.
via 1839417 s3-winbindd: use wcache_query_user_fullname after inspecting samlogon cache.
via cf0ae51 s3-winbindd: add wcache_query_user_fullname().
via c735823 s3-winbindd: call interactive samlogon via rpccli_netlogon_password_logon.
via b722167 s3-rpc_client: return info3 in rpccli_netlogon_password_logon().
from 4b68871 ntlm_auth: added require-membership tests
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 776c7ed0f505be4f17d884c9ee3c40ae6c722b2a
Author: Andreas Schneider <asn at samba.org>
Date: Thu Jul 3 16:17:46 2014 +0200
samlogon_cache: avoid overwriting info3->base.full_name.string.
This field servers as a source for the gecos field. We should not overwrite it
when a info3 struct from a samlogon network level gets saved in which case this
field is always NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Tue Jul 15 18:25:28 CEST 2014 on sn-devel-104
commit e0128fd07e31b3e93c38d35731d9fc15048089d7
Author: Günther Deschner <gd at samba.org>
Date: Wed Jul 9 13:36:06 2014 +0200
samlogon_cache: use a talloc_stackframe inside netsamlogon_cache_store.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 2a790a5aff7beceb6af875fa6bc3b3f656765f4a
Author: Günther Deschner <gd at samba.org>
Date: Mon Jul 14 18:22:26 2014 +0200
s3-winbindd: prefer "displayName" over "name" in ads user queries for the fullname.
This makes use more consistent with security=domain as well where the gecos
field is also filled using the displayName field.
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 403693f228ec327ba935843cfd17aa7e4f62da63
Author: Andreas Schneider <asn at samba.org>
Date: Thu Jul 3 16:19:42 2014 +0200
s3-winbind: Don't set the gecos field to NULL.
The value is loaded from the cache anyway. So it will be set to NULL if
it is not available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 1839417bcc21391de9eceb406719c7281763f2a1
Author: Günther Deschner <gd at samba.org>
Date: Mon Jul 7 17:16:32 2014 +0200
s3-winbindd: use wcache_query_user_fullname after inspecting samlogon cache.
The reason for this followup query is that very often the samlogon cache only
contains a info3 netlogon user structure that has been retrieved during a
netlogon samlogon authentication using "network" logon level. With that logon
level only a few info3 fields are filled in; the user's fullname is never filled
in that case. This is problematic when the cache is used to fill in the user's
gecos field (for NSS queries). When we have retrieved the user's fullname during
other queries, reuse it from the other caches.
Thanks to Matt Rogers <mrogers at redhat.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
Guenther
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit cf0ae511ebe2a9dc3bd11d5adf60459e545157f7
Author: Günther Deschner <gd at samba.org>
Date: Mon Jul 7 17:14:37 2014 +0200
s3-winbindd: add wcache_query_user_fullname().
This helper function is used to query the full name of a cached user object (for
further gecos processing).
Thanks to Matt Rogers <mrogers at redhat.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
Guenther
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c735823f68ab3e0553e982ac3e5e90a7cc43db16
Author: Günther Deschner <gd at samba.org>
Date: Tue Jul 15 08:29:55 2014 +0200
s3-winbindd: call interactive samlogon via rpccli_netlogon_password_logon.
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b722167b2c7435dbd14684261002522808eb7aaf
Author: Günther Deschner <gd at samba.org>
Date: Tue Jul 15 08:28:42 2014 +0200
s3-rpc_client: return info3 in rpccli_netlogon_password_logon().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/libsmb/samlogon_cache.c | 23 +++++--
source3/rpc_client/cli_netlogon.c | 103 +++++++++++++++++++---------------
source3/rpc_client/cli_netlogon.h | 4 +-
source3/rpcclient/cmd_netlogon.c | 5 +-
source3/winbindd/nss_info_template.c | 1 -
source3/winbindd/winbindd_ads.c | 24 ++++++--
source3/winbindd/winbindd_cache.c | 34 +++++++++++
source3/winbindd/winbindd_msrpc.c | 8 +++
source3/winbindd/winbindd_pam.c | 86 ++++++++++++++++++++++++----
source3/winbindd/winbindd_proto.h | 4 +
10 files changed, 218 insertions(+), 74 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
index b04cf0a..0a157d4 100644
--- a/source3/libsmb/samlogon_cache.c
+++ b/source3/libsmb/samlogon_cache.c
@@ -125,7 +125,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
bool result = false;
struct dom_sid user_sid;
time_t t = time(NULL);
- TALLOC_CTX *mem_ctx;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
DATA_BLOB blob;
enum ndr_err_code ndr_err;
struct netsamlogoncache_entry r;
@@ -149,9 +149,18 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
/* Prepare data */
- if (!(mem_ctx = talloc( NULL, int))) {
- DEBUG(0,("netsamlogon_cache_store: talloc() failed!\n"));
- return false;
+ if (info3->base.full_name.string == NULL) {
+ struct netr_SamInfo3 *cached_info3;
+ const char *full_name = NULL;
+
+ cached_info3 = netsamlogon_cache_get(tmp_ctx, &user_sid);
+ if (cached_info3 != NULL) {
+ full_name = cached_info3->base.full_name.string;
+ }
+
+ if (full_name != NULL) {
+ info3->base.full_name.string = talloc_strdup(info3, full_name);
+ }
}
/* only Samba fills in the username, not sure why NT doesn't */
@@ -168,11 +177,11 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
}
- ndr_err = ndr_push_struct_blob(&blob, mem_ctx, &r,
+ ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, &r,
(ndr_push_flags_fn_t)ndr_push_netsamlogoncache_entry);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DEBUG(0,("netsamlogon_cache_store: failed to push entry to cache\n"));
- TALLOC_FREE(mem_ctx);
+ TALLOC_FREE(tmp_ctx);
return false;
}
@@ -183,7 +192,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
result = true;
}
- TALLOC_FREE(mem_ctx);
+ TALLOC_FREE(tmp_ctx);
return result;
}
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 746c7b6..7063351 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -193,16 +193,65 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
return NT_STATUS_OK;
}
+static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
+ uint16_t validation_level,
+ union netr_Validation *validation,
+ struct netr_SamInfo3 **info3_p)
+{
+ struct netr_SamInfo3 *info3;
+ NTSTATUS status;
+
+ if (validation == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (validation_level) {
+ case 3:
+ if (validation->sam3 == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ info3 = talloc_move(mem_ctx, &validation->sam3);
+ break;
+ case 6:
+ if (validation->sam6 == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
+ if (info3 == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(info3);
+ return status;
+ }
+
+ info3->sidcount = validation->sam6->sidcount;
+ info3->sids = talloc_move(info3, &validation->sam6->sids);
+ break;
+ default:
+ return NT_STATUS_BAD_VALIDATION_CLASS;
+ }
+
+ *info3_p = info3;
+
+ return NT_STATUS_OK;
+}
+
/* Logon domain user */
NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
struct dcerpc_binding_handle *binding_handle,
+ TALLOC_CTX *mem_ctx,
uint32_t logon_parameters,
const char *domain,
const char *username,
const char *password,
const char *workstation,
- enum netr_LogonInfoClass logon_type)
+ enum netr_LogonInfoClass logon_type,
+ struct netr_SamInfo3 **info3)
{
TALLOC_CTX *frame = talloc_stackframe();
NTSTATUS status;
@@ -320,57 +369,19 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
&validation,
&authoritative,
&flags);
- TALLOC_FREE(frame);
if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
return status;
}
- return NT_STATUS_OK;
-}
-
-static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
- uint16_t validation_level,
- union netr_Validation *validation,
- struct netr_SamInfo3 **info3_p)
-{
- struct netr_SamInfo3 *info3;
- NTSTATUS status;
-
- if (validation == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- switch (validation_level) {
- case 3:
- if (validation->sam3 == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- info3 = talloc_move(mem_ctx, &validation->sam3);
- break;
- case 6:
- if (validation->sam6 == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
- if (info3 == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(info3);
- return status;
- }
-
- info3->sidcount = validation->sam6->sidcount;
- info3->sids = talloc_move(info3, &validation->sam6->sids);
- break;
- default:
- return NT_STATUS_BAD_VALIDATION_CLASS;
+ status = map_validation_to_info3(mem_ctx,
+ validation_level, validation,
+ info3);
+ TALLOC_FREE(frame);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
- *info3_p = info3;
return NT_STATUS_OK;
}
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index 61fed4a..fee0801 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -45,12 +45,14 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
const struct samr_Password *previous_nt_hash);
NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
struct dcerpc_binding_handle *binding_handle,
+ TALLOC_CTX *mem_ctx,
uint32_t logon_parameters,
const char *domain,
const char *username,
const char *password,
const char *workstation,
- enum netr_LogonInfoClass logon_type);
+ enum netr_LogonInfoClass logon_type,
+ struct netr_SamInfo3 **info3);
NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
struct dcerpc_binding_handle *binding_handle,
TALLOC_CTX *mem_ctx,
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index b637b3e..2d1c351 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -778,6 +778,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
const char *username, *password;
uint32 logon_param = 0;
const char *workstation = NULL;
+ struct netr_SamInfo3 *info3 = NULL;
/* Check arguments */
@@ -803,12 +804,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
cli->binding_handle,
+ mem_ctx,
logon_param,
lp_workgroup(),
username,
password,
workstation,
- logon_type);
+ logon_type,
+ &info3);
if (!NT_STATUS_IS_OK(result))
goto done;
diff --git a/source3/winbindd/nss_info_template.c b/source3/winbindd/nss_info_template.c
index 5fdfd9b..de93803 100644
--- a/source3/winbindd/nss_info_template.c
+++ b/source3/winbindd/nss_info_template.c
@@ -48,7 +48,6 @@ static NTSTATUS nss_template_get_info( struct nss_domain_entry *e,
username */
*homedir = talloc_strdup( ctx, lp_template_homedir() );
*shell = talloc_strdup( ctx, lp_template_shell() );
- *gecos = NULL;
if ( !*homedir || !*shell ) {
return NT_STATUS_NO_MEMORY;
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 4f149a7..a869ff5 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -329,7 +329,10 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
}
info->acct_name = ads_pull_username(ads, mem_ctx, msg);
- info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
+ info->full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
+ if (info->full_name == NULL) {
+ info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
+ }
info->homedir = NULL;
info->shell = NULL;
info->primary_gid = (gid_t)-1;
@@ -594,7 +597,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
struct netr_SamInfo3 *user = NULL;
gid_t gid = -1;
int ret;
- char *ads_name;
+ char *full_name;
DEBUG(3,("ads: query_user\n"));
@@ -621,6 +624,14 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
TALLOC_FREE(user);
+ if (info->full_name == NULL) {
+ /* this might fail so we dont check the return code */
+ wcache_query_user_fullname(domain,
+ mem_ctx,
+ sid,
+ &info->full_name);
+ }
+
return NT_STATUS_OK;
}
@@ -698,7 +709,10 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
* nss_get_info_cached call. nss_get_info_cached might destroy
* the ads struct, potentially invalidating the ldap message.
*/
- ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
+ full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
+ if (full_name == NULL) {
+ full_name = ads_pull_string(ads, mem_ctx, msg, "name");
+ }
ads_msgfree(ads, msg);
msg = NULL;
@@ -714,9 +728,9 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
}
if (info->full_name == NULL) {
- info->full_name = ads_name;
+ info->full_name = full_name;
} else {
- TALLOC_FREE(ads_name);
+ TALLOC_FREE(full_name);
}
status = NT_STATUS_OK;
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index bfd78da..9ec46cf 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -2314,6 +2314,40 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
return status;
}
+
+/**
+* @brief Query a fullname from the username cache (for further gecos processing)
+*
+* @param domain A pointer to the winbindd_domain struct.
+* @param mem_ctx The talloc context.
+* @param user_sid The user sid.
+* @param full_name A pointer to the full_name string.
+*
+* @return NTSTATUS code
+*/
+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ const char **full_name)
+{
+ NTSTATUS status;
+ struct wbint_userinfo info;
+
+ status = wcache_query_user(domain, mem_ctx, user_sid, &info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (info.full_name != NULL) {
+ *full_name = talloc_strdup(mem_ctx, info.full_name);
+ if (*full_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
/* Lookup user information from a rid */
static NTSTATUS query_user(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index 9aef7cc..99021ae 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -439,6 +439,14 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
user_info->full_name = talloc_strdup(user_info,
user->base.full_name.string);
+ if (user_info->full_name == NULL) {
+ /* this might fail so we dont check the return code */
+ wcache_query_user_fullname(domain,
+ mem_ctx,
+ user_sid,
+ &user_info->full_name);
+ }
+
status = NT_STATUS_OK;
goto done;
}
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 8387bdc..435df38 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1292,11 +1292,13 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
uint32_t logon_parameters,
const char *server,
const char *username,
+ const char *password,
const char *domainname,
const char *workstation,
const uint8_t chal[8],
DATA_BLOB lm_response,
DATA_BLOB nt_response,
+ bool interactive,
struct netr_SamInfo3 **info3)
{
int attempts = 0;
@@ -1356,19 +1358,32 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
}
netr_attempts = 0;
- result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
- netlogon_pipe->binding_handle,
- mem_ctx,
- logon_parameters,
- username,
- domainname,
- workstation,
- chal,
- lm_response,
- nt_response,
- &authoritative,
- &flags,
- info3);
+ if (interactive && username != NULL && password != NULL) {
+ result = rpccli_netlogon_password_logon(domain->conn.netlogon_creds,
+ netlogon_pipe->binding_handle,
+ mem_ctx,
+ logon_parameters,
+ domainname,
+ username,
+ password,
+ workstation,
+ NetlogonInteractiveInformation,
+ info3);
+ } else {
+ result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
+ netlogon_pipe->binding_handle,
+ mem_ctx,
+ logon_parameters,
+ username,
+ domainname,
+ workstation,
+ chal,
+ lm_response,
+ nt_response,
+ &authoritative,
+ &flags,
+ info3);
+ }
/*
* we increment this after the "feature negotiation"
@@ -1517,11 +1532,13 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
0,
domain->dcname,
name_user,
+ pass,
name_domain,
lp_netbios_name(),
chal,
lm_resp,
nt_resp,
+ true, /* interactive */
&my_info3);
if (!NT_STATUS_IS_OK(result)) {
goto done;
@@ -1787,6 +1804,26 @@ process_result:
sid_compose(&user_sid, info3->base.domain_sid,
info3->base.rid);
+ if (info3->base.full_name.string == NULL) {
+ struct netr_SamInfo3 *cached_info3;
+
+ cached_info3 = netsamlogon_cache_get(state->mem_ctx,
+ &user_sid);
+ if (cached_info3 != NULL &&
+ cached_info3->base.full_name.string != NULL) {
+ info3->base.full_name.string =
+ talloc_strdup(info3,
+ cached_info3->base.full_name.string);
+ } else {
+
+ /* this might fail so we dont check the return code */
+ wcache_query_user_fullname(domain,
+ info3,
+ &user_sid,
+ &info3->base.full_name.string);
+ }
+ }
+
wcache_invalidate_samlogon(find_domain_from_name(name_domain),
&user_sid);
netsamlogon_cache_store(name_user, info3);
@@ -1908,12 +1945,14 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
logon_parameters,
domain->dcname,
name_user,
+ NULL, /* password */
name_domain,
/* Bug #3248 - found by Stefan Burkei. */
workstation, /* We carefully set this above so use it... */
chal,
lm_response,
nt_response,
+ false, /* interactive */
info3);
--
Samba Shared Repository
More information about the samba-cvs
mailing list