[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Jun 11 04:44:04 MDT 2014


The branch, master has been updated
       via  ba4467c s3-winbindd: Implement SamLogon IRPC call
       via  eabe7d7 s3-winbind: Transparently forward IRPC messages to the winbind_dual child
       via  faa4452 s3-winbind rename winbindd_update_rodc_dns to be for more generic irpc
       via  f4ab082 librpc/idl: Merge wbint.idl with winbind.idl so we can forward IRPC requests to internal winbind calls
       via  223fbda s3-winbindd: Listen on IRPC and do forwarded DNS updates on an RODC
       via  cb79cc3 s3-winbindd: Register winbindd with irpc
       via  597d2a7 auth: Provide a way to use the auth stack for winbindd authentication
       via  2e961bf winbindd: Call set_dc_type_and_flags on the internal domain
       via  791c382 dsdb: Do not refresh the schema using the wrong event context
       via  8327321 dsdb: Do not store a struct ldb_dn in struct schema_data
       via  cda32d4 passdb: Do not routinely clear the global memory returned by get_global_sam_sid()
      from  6da8126 ctdb-eventscripts: New configuration variable CTDB_GANESHA_REC_SUBDIR

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ba4467ca65d5f85a2732da27d88760b684c6e30d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu May 8 16:49:13 2014 +1200

    s3-winbindd: Implement SamLogon IRPC call
    
    We do this by lifting parts of the winbindd_dual_pam_auth_crap() code
    into a new helper function winbind_dual_SamLogon().  This allows us to
    implement the semantics we need for IRPC, without the artifacts of the
    winbindd pipe protocol.
    
    Change-Id: Idb169217e6d68d387c99765d0af7ed394cb5b93a
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Jun 11 12:43:58 CEST 2014 on sn-devel-104

commit eabe7d732e6d9b64004bbb477384a1eae999815f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu May 8 15:33:11 2014 +1200

    s3-winbind: Transparently forward IRPC messages to the winbind_dual child
    
    Change-Id: I8b336e2365e10ef9ea04d0957eb0829d3766b11e
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit faa4452df7f2add0b4b583a25365b43da8ec1305
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu May 8 14:46:06 2014 +1200

    s3-winbind rename winbindd_update_rodc_dns to be for more generic irpc
    
    Change-Id: I385ef8bd766848becc42e58694207dc94cd07a89
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit f4ab082d2b984b7deb3afbc7a26e238aa5b3b8c3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu May 8 12:17:32 2014 +1200

    librpc/idl: Merge wbint.idl with winbind.idl so we can forward IRPC requests to internal winbind calls
    
    Change-Id: Iba3913d5a1c7f851b93f37e9beb6dbb20fbf7e55
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 223fbdaf3872fe71a75fec62813b91612af73a2b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue May 6 17:00:09 2014 +1200

    s3-winbindd: Listen on IRPC and do forwarded DNS updates on an RODC
    
    Change-Id: Ib87933c318f510d95f7008e122216d73803ede68
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit cb79cc342e30bb2bbac33868836ea13d2d594c30
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue May 6 13:39:12 2014 +1200

    s3-winbindd: Register winbindd with irpc
    
    Change-Id: Ie3c7109fef6982d95e8cad06870334565352e329
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 597d2a7a29f768f51cbcbc13de56a4dc349e20e4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Mar 27 12:58:05 2014 +1300

    auth: Provide a way to use the auth stack for winbindd authentication
    
    This adds in flags that allow winbindd to request authentication
    without directly calling into the auth_sam module.
    
    That in turn will allow winbindd to call auth_samba4 and so permit
    winbindd operation in the AD DC.
    
    Andrew Bartlett
    
    Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 2e961bf598e58178ce0d4ed5e35553acd882e436
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri May 16 18:10:23 2014 +1200

    winbindd: Call set_dc_type_and_flags on the internal domain
    
    This allows the AD DC to be picked up correctly and gives the correct DNS name.
    
    To ensure no confusion, we also always init it with the full DNS name.
    
    It also means that, aside from the BUILTIN domain, the initialized
    flag is set only in one place, which will help when we add more details
    to the domain structure in the future.
    
    This in turn allows kerberos authentication against winbindd on the AD DC.
    
    Andrew Bartlett
    
    Change-Id: Idc829cfe5f2e867c87107b49275b17f294821dcd
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 791c38282d681c60eaedb47803b9043991f5950d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed May 14 20:12:03 2014 +1200

    dsdb: Do not refresh the schema using the wrong event context
    
    What we now do is have the refresh function and module be on a
    separate object to the schema, only referring to the data and
    not executing on the original ldb and event loop.
    
    That is, we never use another ldb context when calling the
    refresh function, by binding the refresh handler to the
    ldb and not the schema.
    
    Andrew Bartlett
    
    Change-Id: I5c323dda743cf5858badd01147fda6227599bc16
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 8327321225251e312ccbd06bbefa5ebf98099f34
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri May 23 16:06:17 2014 +1200

    dsdb: Do not store a struct ldb_dn in struct schema_data
    
    The issue is that the DN contains a pointer to the ldb it belongs to,
    and if this is not kept around long enough, we might reference memory
    after it is de-allocated.
    
    Andrew Bartlett
    
    Change-Id: I040a6c37a3164b3309f370e32e598dd56b1a1bbb
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit cda32d4e47aa3efb040eb60f1a0332ea8dd58417
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue May 13 17:47:03 2014 +1200

    passdb: Do not routinely clear the global memory returned by get_global_sam_sid()
    
    This avoids use-after-free errors and tdb database churn.
    
    Andrew Bartlett
    
    Change-Id: If7ab2e24556d9dffc7ad22c0489d665dd75a0cab
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/common_auth.h                                 |    6 +-
 libcli/auth/netlogon_creds_cli.c                   |  265 ++++++++++++++++++++
 libcli/auth/netlogon_creds_cli.h                   |   14 +
 .../librpc/idl/wbint.idl => librpc/idl/winbind.idl |   27 ++-
 librpc/idl/wscript_build                           |    5 +
 librpc/wscript_build                               |   15 ++
 source3/auth/auth.c                                |   10 +-
 source3/auth/auth_sam.c                            |    2 +-
 source3/auth/auth_samba4.c                         |   26 ++-
 source3/include/auth.h                             |    5 +-
 source3/librpc/idl/wscript_build                   |    5 -
 source3/librpc/wscript_build                       |   14 -
 source3/passdb/machine_account_secrets.c           |   10 +-
 source3/passdb/pdb_samba_dsdb.c                    |   46 +++-
 source3/winbindd/wb_dsgetdcname.c                  |    2 +-
 source3/winbindd/wb_fill_pwent.c                   |    2 +-
 source3/winbindd/wb_getgrsid.c                     |    2 +-
 source3/winbindd/wb_getpwsid.c                     |    2 +-
 source3/winbindd/wb_gettoken.c                     |    2 +-
 source3/winbindd/wb_gid2sid.c                      |    2 +-
 source3/winbindd/wb_group_members.c                |    2 +-
 source3/winbindd/wb_lookupname.c                   |    2 +-
 source3/winbindd/wb_lookupsid.c                    |    2 +-
 source3/winbindd/wb_lookupsids.c                   |    2 +-
 source3/winbindd/wb_lookupuseraliases.c            |    2 +-
 source3/winbindd/wb_lookupusergroups.c             |    2 +-
 source3/winbindd/wb_next_grent.c                   |    2 +-
 source3/winbindd/wb_next_pwent.c                   |    2 +-
 source3/winbindd/wb_query_user_list.c              |    2 +-
 source3/winbindd/wb_queryuser.c                    |    2 +-
 source3/winbindd/wb_seqnum.c                       |    2 +-
 source3/winbindd/wb_seqnums.c                      |    2 +-
 source3/winbindd/wb_sids2xids.c                    |    2 +-
 source3/winbindd/wb_uid2sid.c                      |    2 +-
 source3/winbindd/winbindd.c                        |   39 +++
 source3/winbindd/winbindd.h                        |    2 +-
 source3/winbindd/winbindd_allocate_gid.c           |    2 +-
 source3/winbindd/winbindd_allocate_uid.c           |    2 +-
 source3/winbindd/winbindd_cache.c                  |    8 +-
 source3/winbindd/winbindd_change_machine_acct.c    |    2 +-
 source3/winbindd/winbindd_check_machine_acct.c     |    2 +-
 source3/winbindd/winbindd_cm.c                     |   82 +++++-
 source3/winbindd/winbindd_dsgetdcname.c            |    2 +-
 source3/winbindd/winbindd_dual_ndr.c               |    6 +-
 source3/winbindd/winbindd_dual_srv.c               |   74 ++++++-
 source3/winbindd/winbindd_getdcname.c              |    2 +-
 source3/winbindd/winbindd_irpc.c                   |  166 ++++++++++++
 source3/winbindd/winbindd_list_groups.c            |    2 +-
 source3/winbindd/winbindd_list_users.c             |    2 +-
 source3/winbindd/winbindd_lookuprids.c             |    2 +-
 source3/winbindd/winbindd_pam.c                    |  174 +++++++++----
 source3/winbindd/winbindd_ping_dc.c                |    2 +-
 source3/winbindd/winbindd_proto.h                  |   19 ++
 source3/winbindd/winbindd_samr.c                   |   91 +-------
 source3/winbindd/winbindd_util.c                   |   16 +-
 source3/winbindd/winbindd_wins_byip.c              |    2 +-
 source3/winbindd/winbindd_wins_byname.c            |    2 +-
 source3/wscript_build                              |    6 +-
 source4/auth/auth.h                                |    1 +
 source4/auth/ntlm/auth.c                           |    5 +
 source4/auth/ntlm/auth_sam.c                       |    6 +-
 source4/dsdb/repl/drepl_out_helpers.c              |   35 ++--
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c    |   11 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            |    3 +-
 source4/dsdb/samdb/ldb_modules/schema_data.c       |   16 +-
 source4/dsdb/samdb/ldb_modules/schema_load.c       |  196 +++++++++------
 source4/dsdb/samdb/samdb.c                         |    7 -
 source4/dsdb/schema/schema.h                       |    9 +-
 source4/dsdb/schema/schema_init.c                  |   10 -
 source4/dsdb/schema/schema_set.c                   |   98 +++++---
 source4/libnet/libnet_vampire.c                    |    5 -
 source4/librpc/idl/wscript_build                   |    2 +-
 source4/librpc/wscript_build                       |   15 +-
 73 files changed, 1190 insertions(+), 426 deletions(-)
 rename source3/librpc/idl/wbint.idl => librpc/idl/winbind.idl (82%)
 create mode 100644 source3/winbindd/winbindd_irpc.c


Changeset truncated at 500 lines:

diff --git a/auth/common_auth.h b/auth/common_auth.h
index a40f7c2..d9bde01 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -25,7 +25,9 @@
 #define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */
 #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
 #define USER_INFO_DONT_CHECK_UNIX_ACCOUNT   0x04 /* don't check unix account status */
-#define USER_INFO_INTERACTIVE_LOGON         0x08 /* don't check unix account status */
+#define USER_INFO_INTERACTIVE_LOGON         0x08 /* Interactive logon */
+#define USER_INFO_LOCAL_SAM_ONLY            0x10 /* Only authenticate against the local SAM */
+#define USER_INFO_INFO3_AND_NO_AUTHZ        0x20 /* Only fill in server_info->info3 and do not do any authorization steps */
 
 enum auth_password_state {
 	AUTH_PASSWORD_PLAIN = 1,
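Review bot: the two new flags change what the returned server_info may be trusted for, and the one-line comments do not say so. A server_info produced with USER_INFO_INFO3_AND_NO_AUTHZ set carries only info3 and has had the authorization step skipped, so it must never be used to build a session or token; extend the comment to something like `/* Only fill in server_info->info3, skip authorization; the result is for forwarding the NETLOGON validation only, never for access control */`. USER_INFO_LOCAL_SAM_ONLY deserves a pointer to AUTH_METHOD_LOCAL_SAM so a reader sees how the two bits pair up. The fix to the USER_INFO_INTERACTIVE_LOGON comment (previously a copy of the DONT_CHECK_UNIX_ACCOUNT text) is correct.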
@@ -77,6 +79,8 @@ struct loadparm_context;
 struct ldb_context;
 struct smb_krb5_context;
 
+#define AUTH_METHOD_LOCAL_SAM 0x01
+
 struct auth4_context {
 	struct {
 		/* Who set this up in the first place? */
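Review bot: AUTH_METHOD_LOCAL_SAM lands between the forward declarations and struct auth4_context without a comment, and nothing in this shared header says it is a bit for the source3 `auth_methods.flags` field added in source3/include/auth.h. Add a one-line comment naming the field it belongs to and that it marks methods that consult only the local SAM, and consider grouping it with the USER_INFO_* defines above since the two are checked together in auth_check_ntlm_password().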
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 472a452..05a30da 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -2568,3 +2568,268 @@ NTSTATUS netlogon_creds_cli_LogonSamLogon(
 	TALLOC_FREE(frame);
 	return status;
 }
+
+struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state {
+	struct tevent_context *ev;
+	struct netlogon_creds_cli_context *context;
+	struct dcerpc_binding_handle *binding_handle;
+
+	char *srv_name_slash;
+	enum dcerpc_AuthType auth_type;
+	enum dcerpc_AuthLevel auth_level;
+
+	const char *site_name;
+	uint32_t dns_ttl;
+	struct NL_DNS_NAME_INFO_ARRAY *dns_names;
+
+	struct netlogon_creds_CredentialState *creds;
+	struct netlogon_creds_CredentialState tmp_creds;
+	struct netr_Authenticator req_auth;
+	struct netr_Authenticator rep_auth;
+};
+
+static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(struct tevent_req *req,
+						     NTSTATUS status);
+static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_locked(struct tevent_req *subreq);
+
+struct tevent_req *netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_send(TALLOC_CTX *mem_ctx,
+									     struct tevent_context *ev,
+									     struct netlogon_creds_cli_context *context,
+									     struct dcerpc_binding_handle *b,
+									     const char *site_name,
+									     uint32_t dns_ttl,
+									     struct NL_DNS_NAME_INFO_ARRAY *dns_names)
+{
+	struct tevent_req *req;
+	struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state *state;
+	struct tevent_req *subreq;
+	bool ok;
+
+	req = tevent_req_create(mem_ctx, &state,
+				struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state);
+	if (req == NULL) {
+		return NULL;
+	}
+
+	state->ev = ev;
+	state->context = context;
+	state->binding_handle = b;
+
+	state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
+						context->server.computer);
+	if (tevent_req_nomem(state->srv_name_slash, req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	state->site_name = site_name;
+	state->dns_ttl = dns_ttl;
+	state->dns_names = dns_names;
+
+	dcerpc_binding_handle_auth_info(state->binding_handle,
+					&state->auth_type,
+					&state->auth_level);
+
+	subreq = netlogon_creds_cli_lock_send(state, state->ev,
+					      state->context);
+	if (tevent_req_nomem(subreq, req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	tevent_req_set_callback(subreq,
+				netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_locked,
+				req);
+
+	return req;
+}
+
+static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(struct tevent_req *req,
+							 NTSTATUS status)
+{
+	struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state);
+
+	if (state->creds == NULL) {
+		return;
+	}
+
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
+		TALLOC_FREE(state->creds);
+		return;
+	}
+
+	netlogon_creds_cli_delete(state->context, &state->creds);
+}
+
+static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_done(struct tevent_req *subreq);
+
+static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_locked(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state);
+	NTSTATUS status;
+
+	status = netlogon_creds_cli_lock_recv(subreq, state,
+					      &state->creds);
+	TALLOC_FREE(subreq);
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+
+	if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+		switch (state->auth_level) {
+		case DCERPC_AUTH_LEVEL_INTEGRITY:
+		case DCERPC_AUTH_LEVEL_PRIVACY:
+			break;
+		default:
+			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+			return;
+		}
+	} else {
+		uint32_t tmp = state->creds->negotiate_flags;
+
+		if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
+			/*
+			 * if DCERPC_AUTH_TYPE_SCHANNEL is supported
+			 * it should be used, which means
+			 * we had a chance to verify no downgrade
+			 * happened.
+			 *
+			 * This relies on netlogon_creds_cli_check*
+			 * being called before, as first request after
+			 * the DCERPC bind.
+			 */
+			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+			return;
+		}
+	}
+
+	/*
+	 * we defer all callbacks in order to cleanup
+	 * the database record.
+	 */
+	tevent_req_defer_callback(req, state->ev);
+
+	state->tmp_creds = *state->creds;
+	netlogon_creds_client_authenticator(&state->tmp_creds,
+					    &state->req_auth);
+	ZERO_STRUCT(state->rep_auth);
+
+	subreq = dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords_send(state, state->ev,
+								    state->binding_handle,
+								    state->srv_name_slash,
+								    state->tmp_creds.computer_name,
+								    &state->req_auth,
+								    &state->rep_auth,
+								    state->site_name,
+								    state->dns_ttl,
+								    state->dns_names);
+	if (tevent_req_nomem(subreq, req)) {
+		status = NT_STATUS_NO_MEMORY;
+		netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status);
+		return;
+	}
+
+	tevent_req_set_callback(subreq,
+				netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_done,
+				req);
+}
+
+static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_done(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state);
+	NTSTATUS status;
+	NTSTATUS result;
+	bool ok;
+
+	status = dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords_recv(subreq, state,
+								    &result);
+	TALLOC_FREE(subreq);
+	if (tevent_req_nterror(req, status)) {
+		netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status);
+		return;
+	}
+
+	ok = netlogon_creds_client_check(&state->tmp_creds,
+					 &state->rep_auth.cred);
+	if (!ok) {
+		status = NT_STATUS_ACCESS_DENIED;
+		tevent_req_nterror(req, status);
+		netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status);
+		return;
+	}
+
+	if (tevent_req_nterror(req, result)) {
+		netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, result);
+		return;
+	}
+
+	*state->creds = state->tmp_creds;
+	status = netlogon_creds_cli_store(state->context,
+					  &state->creds);
+	if (tevent_req_nterror(req, status)) {
+		netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status);
+		return;
+	}
+
+	tevent_req_done(req);
+}
+
+NTSTATUS netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_recv(struct tevent_req *req)
+{
+	NTSTATUS status;
+
+	if (tevent_req_is_nterror(req, &status)) {
+		netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status);
+		tevent_req_received(req);
+		return status;
+	}
+
+	tevent_req_received(req);
+	return NT_STATUS_OK;
+}
+
+NTSTATUS netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords(
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b,
+				const char *site_name,
+				uint32_t dns_ttl,
+				struct NL_DNS_NAME_INFO_ARRAY *dns_names)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct tevent_context *ev;
+	struct tevent_req *req;
+	NTSTATUS status = NT_STATUS_NO_MEMORY;
+
+	ev = samba_tevent_context_init(frame);
+	if (ev == NULL) {
+		goto fail;
+	}
+	req = netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_send(frame, ev, context, b,
+									site_name,
+									dns_ttl,
+									dns_names);
+	if (req == NULL) {
+		goto fail;
+	}
+	if (!tevent_req_poll_ntstatus(req, ev, &status)) {
+		goto fail;
+	}
+	status = netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_recv(req);
+ fail:
+	TALLOC_FREE(frame);
+	return status;
+}
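Review bot: `bool ok;` in netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_send() is declared but never used (it is only needed in the _done callback), so it will trip -Wunused-variable; drop it. The ordering in _done is the right one: netlogon_creds_client_check() on `rep_auth.cred` runs before `result` is examined, so a server that returns an error without a valid return authenticator is still mapped to NT_STATUS_ACCESS_DENIED and the credential record is deleted by the cleanup path. The non-schannel branch in _locked only rejects when NETLOGON_NEG_AUTHENTICATED_RPC was negotiated, and as the in-code comment says this is only safe if netlogon_creds_cli_check* ran as the first request after the bind; that precondition belongs in a comment on the public prototypes in netlogon_creds_cli.h as well. Note also that `dns_names` is passed through unchanged and the call is `[in,out,ref]` in the IDL, so the per-record status the server reports is written straight into the caller's array; worth a line in the header comment.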
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
index 90d0182..a910259 100644
--- a/libcli/auth/netlogon_creds_cli.h
+++ b/libcli/auth/netlogon_creds_cli.h
@@ -132,5 +132,19 @@ NTSTATUS netlogon_creds_cli_LogonSamLogon(
 				union netr_Validation **validation,
 				uint8_t *authoritative,
 				uint32_t *flags);
+struct tevent_req *netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_send(TALLOC_CTX *mem_ctx,
+									     struct tevent_context *ev,
+									     struct netlogon_creds_cli_context *context,
+									     struct dcerpc_binding_handle *b,
+									     const char *site_name,
+									     uint32_t dns_ttl,
+									     struct NL_DNS_NAME_INFO_ARRAY *dns_names);
+NTSTATUS netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_recv(struct tevent_req *req);
+NTSTATUS netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords(
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b,
+				const char *site_name,
+				uint32_t dns_ttl,
+				struct NL_DNS_NAME_INFO_ARRAY *dns_names);
 
 #endif /* NETLOGON_CREDS_CLI_H */
diff --git a/source3/librpc/idl/wbint.idl b/librpc/idl/winbind.idl
similarity index 82%
rename from source3/librpc/idl/wbint.idl
rename to librpc/idl/winbind.idl
index f05107a..39e89c3 100644
--- a/source3/librpc/idl/wbint.idl
+++ b/librpc/idl/winbind.idl
@@ -9,8 +9,10 @@ import "lsa.idl", "netlogon.idl", "misc.idl", "security.idl", "idmap.idl";
     helpstring("winbind parent-child protocol"),
     no_srv_register
 ]
-interface wbint
+interface winbind
 {
+  /* Private methods */
+
     void wbint_Ping(
 	[in] uint32 in_data,
 	[out] uint32 *out_data
@@ -167,4 +169,27 @@ interface wbint
     NTSTATUS wbint_PingDc(
 	[out,string,charset(UTF8)] char **dcname
 	);
+
+  /* Public methods available via IRPC */
+
+    typedef [switch_type(uint16)] union netr_LogonLevel netr_LogonLevel;
+    typedef [switch_type(uint16)] union netr_Validation netr_Validation;
+
+    /*
+     * do a netr_LogonSamLogon() against the right DC
+     */
+    NTSTATUS winbind_SamLogon(
+	[in]  uint16 logon_level,
+	[in]  [switch_is(logon_level)] netr_LogonLevel logon,
+	[in]  uint16 validation_level,
+	[out] [switch_is(validation_level)] netr_Validation validation,
+	[out] uint8 authoritative
+	);
+
+    NTSTATUS winbind_DsrUpdateReadOnlyServerDnsRecords(
+	[in,unique] [string,charset(UTF16)] uint16 *site_name,
+	[in] uint32 dns_ttl,
+	[in,out,ref] NL_DNS_NAME_INFO_ARRAY *dns_names
+	);
+
 }
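Review bot: the "Private methods" / "Public methods available via IRPC" split is only a comment; both sets of calls now live in one interface with one opcode space, so nothing in the IDL itself prevents an IRPC dispatcher for this interface from also serving the wbint_* calls that only the parent-child pipe is meant to reach. Please confirm that the IRPC registration (winbindd_irpc.c in the file summary) registers handlers only for winbind_SamLogon and winbind_DsrUpdateReadOnlyServerDnsRecords, and say so in the comment. Two smaller points: the `typedef [switch_type(uint16)] union netr_LogonLevel/netr_Validation` re-declarations need a comment explaining why the imported unions are re-typedef'd here (pidl needs the switch_type in this interface for the `switch_is` below), and winbind_SamLogon returns `authoritative` but no `flags` output, which is fine for the dual_pam_auth_crap lifting described in the commit message but should be noted so callers do not expect netr_LogonSamLogonEx semantics.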
diff --git a/librpc/idl/wscript_build b/librpc/idl/wscript_build
index f181786..d1484af 100644
--- a/librpc/idl/wscript_build
+++ b/librpc/idl/wscript_build
@@ -35,3 +35,8 @@ bld.SAMBA_PIDL_LIST('PIDL',
 		    'dnsp.idl nfs4acl.idl',
                     options='--header --ndr-parser --client --python',
                     output_dir='../gen_ndr')
+
+bld.SAMBA_PIDL_LIST('PIDL',
+                    'winbind.idl',
+                    options='--header --ndr-parser --samba3-ndr-server --client --python',
+                    output_dir='../gen_ndr')
diff --git a/librpc/wscript_build b/librpc/wscript_build
index 1c2062f..393f579 100644
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
@@ -663,3 +663,18 @@ bld.SAMBA_LIBRARY('dcerpc-binding',
     pc_files=[],
     public_headers='rpc/rpc_common.h',
     vnum='0.0.1')
+
+bld.SAMBA_SUBSYSTEM('NDR_WINBIND',
+	source='gen_ndr/ndr_winbind.c',
+	public_deps='ndr'
+	)
+
+bld.SAMBA_SUBSYSTEM('RPC_NDR_WINBIND',
+	source='gen_ndr/ndr_winbind_c.c',
+	public_deps='dcerpc NDR_WINBIND'
+	)
+
+bld.SAMBA3_SUBSYSTEM('SRV_NDR_WINBIND',
+	source='gen_ndr/srv_winbind.c',
+	public_deps='NDR_WINBIND'
+	)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 7718142..6d1192e 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -210,6 +210,11 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 		TALLOC_CTX *tmp_ctx;
 		NTSTATUS result;
 
+		if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY
+		    && !(auth_method->flags & AUTH_METHOD_LOCAL_SAM)) {
+			continue;
+		}
+
 		tmp_ctx = talloc_named(mem_ctx,
 				       0,
 				       "%s authentication for user %s\\%s",
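Review bot: `user_info->flags & USER_INFO_LOCAL_SAM_ONLY && !(auth_method->flags & AUTH_METHOD_LOCAL_SAM)` is correct because `&` binds tighter than `&&`, but parenthesise the first test to match the second and avoid a reader having to recall precedence. More importantly, when the caller sets USER_INFO_LOCAL_SAM_ONLY and no configured method carries AUTH_METHOD_LOCAL_SAM, every iteration hits `continue` and the loop falls out with whatever `nt_status` held before it, which is outside this hunk; confirm that initial value is a failure code (not NT_STATUS_OK) and consider logging at DEBUG level that a LOCAL_SAM_ONLY request found no eligible method.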
@@ -253,7 +258,10 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 
 	if (NT_STATUS_IS_OK(nt_status)) {
 		unix_username = (*pserver_info)->unix_name;
-		if (!(*pserver_info)->guest) {
+
+		/* We skip doing this step if the caller asked us not to */
+		if (!(user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ)
+		    && !(*pserver_info)->guest) {
 			const char *rhost;
 
 			if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
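Review bot: with USER_INFO_INFO3_AND_NO_AUTHZ set the guarded block is skipped, but `unix_username = (*pserver_info)->unix_name;` just above it still runs, and for the server_info built in the new check_samba4_security() path only `info3` is ever assigned, so `unix_username` is NULL there. Anything later in this function that logs or compares `unix_username` needs to tolerate NULL; a short comment at the assignment saying the NO_AUTHZ path returns a server_info with no unix mapping would make that explicit. The short-circuit order is right: `(*pserver_info)->guest` is only read when the flag is clear.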
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index a34f9a5..c4100d5 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -121,7 +121,7 @@ static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *par
 	}
 	result->auth = auth_samstrict_auth;
 	result->name = "sam";
-
+	result->flags = AUTH_METHOD_LOCAL_SAM;
         *auth_method = result;
 	return NT_STATUS_OK;
 }
diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c
index d9d7151..284a91f 100644
--- a/source3/auth/auth_samba4.c
+++ b/source3/auth/auth_samba4.c
@@ -145,14 +145,23 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context,
 		goto done;
 	}
 
-	nt_status = make_server_info_info3(mem_ctx, user_info->client.account_name,
-					   user_info->mapped.domain_name, server_info,
-					info3);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(10, ("make_server_info_info3 failed: %s\n",
-			   nt_errstr(nt_status)));
-		TALLOC_FREE(frame);
-		return nt_status;
+	if (user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ) {
+		*server_info = make_server_info(mem_ctx);
+		if (*server_info == NULL) {
+			nt_status = NT_STATUS_NO_MEMORY;
+			goto done;
+		}
+		(*server_info)->info3 = talloc_steal(*server_info, info3);
+
+	} else {
+		nt_status = make_server_info_info3(mem_ctx, user_info->client.account_name,
+						   user_info->mapped.domain_name, server_info,
+						   info3);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			DEBUG(10, ("make_server_info_info3 failed: %s\n",
+				   nt_errstr(nt_status)));
+			goto done;
+		}
 	}
 
 	nt_status = NT_STATUS_OK;
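Review bot: the replaced failure path did `TALLOC_FREE(frame); return nt_status;` while the new one jumps to `done`; confirm the `done:` label (outside this hunk) frees `frame`, otherwise the make_server_info_info3() failure path now leaks the stackframe. In the NO_AUTHZ branch, `talloc_steal(*server_info, info3)` assumes `info3` is owned by `frame` or another context the caller does not keep; if it was allocated on `mem_ctx`, the steal is harmless but also unnecessary, so a comment stating its parent would help. Finally, the server_info returned from that branch has only `info3` populated (no unix_name, no session info), which is exactly what the auth.c caller relies on when it skips the authorization step; document at the top of the branch that this server_info is for extracting the NETLOGON validation only.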
@@ -356,6 +365,7 @@ static NTSTATUS auth_init_samba4(struct auth_context *auth_context,
 	result->auth = check_samba4_security;
 	result->prepare_gensec = prepare_gensec;
 	result->make_auth4_context = make_auth4_context_s4;
+	result->flags = AUTH_METHOD_LOCAL_SAM;
 
 	if (param && *param) {
 		auth_context->forced_samba4_methods = talloc_strdup(result, param);
diff --git a/source3/include/auth.h b/source3/include/auth.h
index acae5a8..d35936b 100644
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -107,6 +107,8 @@ typedef struct auth_methods
 	/* Used to keep tabs on things like the cli for SMB server authentication */
 	void *private_data;
 
+	uint32_t flags;
+
 } auth_methods;
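Review bot: the new `flags` field has no comment; say that it carries AUTH_METHOD_* bits (currently only AUTH_METHOD_LOCAL_SAM from auth/common_auth.h) and that auth_check_ntlm_password() consults it when a caller sets USER_INFO_LOCAL_SAM_ONLY. In this patch only the "sam" and "samba4" methods set it, so any other auth module that should be eligible for LOCAL_SAM_ONLY requests has to opt in explicitly; a note here will stop that from being overlooked when a new method is added.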


-- 
Samba Shared Repository

