[SCM] Samba Shared Repository - branch v4-6-test updated

Karolin Seeger kseeger at samba.org
Mon Aug 28 12:43:03 UTC 2017


The branch, v4-6-test has been updated
       via  76da233 vfs_default: Fix passing of errno from async calls
       via  8506375 s3:utils: Remove pointless if-clause for remote_machine
       via  eabb9ca s3:utils: Make sure we authenticate against our SAM name in smbpasswd
       via  ae27c7d s3:utils: Pass domain to password_change() in smbpasswd
       via  0434034 s3:utils: Make strings const passed to password_change() in smbpasswd
       via  2523f77 s3:libsmb: Move prototype of remote_password_change()
       via  90b5cbb s3:libsmb: Pass domain to remote_password_change()
       via  0485080 s3:gse_krb5: make use of precalculated krb5 keys in fill_mem_keytab_from_secrets()
       via  b6449bc s3:secrets: allow secrets_fetch_or_upgrade_domain_info() on an AD DC
       via  c13ab92 blackbox: Add test for 'net ads changetrustpw'
       via  85175f8 s3:libads: Fix changing passwords with Kerberos
       via  27f76f4 s3:libsmb: Print the kinit failed message with DBGLVL_NOTICE
       via  2e4ac5e s3:utils: Do not report an invalid range for AD DC role
      from  ba9c6fb vfs_fruit: factor out common code from ad_get() and ad_fget()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test


- Log -----------------------------------------------------------------
commit 76da233af1693d38482527bf054ec364f8ed21e5
Author: Christof Schmitt <cs at samba.org>
Date:   Wed Aug 23 14:37:28 2017 -0700

    vfs_default: Fix passing of errno from async calls
    
    Current code assigns errno from async pthreadpool calls to the
    vfs_default internal vfswrap_*_state.  The callers of the vfs_*_recv
    functions expect the value from errno in vfs_aio_state.error.
    
    Correctly assign errno to vfs_aio_state.error and remove the unused
    internal err variable.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12983
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit a6f391b8dd1fbfd1a370667dec1374284984c341)
    
    Autobuild-User(v4-6-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-6-test): Mon Aug 28 14:42:02 CEST 2017 on sn-devel-144

commit 85063757ad2f437af1b70df6b194993e045b84c8
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Aug 22 15:46:07 2017 +0200

    s3:utils: Remove pointless if-clause for remote_machine
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
    
    Review with: git show -U20
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 4a4bfcb539b4489f397b2bc9369215b7e03e620e)

commit eabb9cafa209bbf1b220e030803c954dc3d6a1ac
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Aug 18 16:17:08 2017 +0200

    s3:utils: Make sure we authenticate against our SAM name in smbpasswd
    
    If a local user wants to change his password using smbpasswd and the
    machine is a domain member, we need to make sure we authenticate against
    our SAM and not ask winbind.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit dc129a968afdac8be70f9756bd18a7bf1f4c3b02)

commit ae27c7d28c79916edb60ee55c19b6ad6b209503b
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Aug 18 16:14:57 2017 +0200

    s3:utils: Pass domain to password_change() in smbpasswd
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit b483340639157fe95777672f5723455c48c3c616)

commit 04340343dbae780e979e73fdf32139299f03c5d1
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Aug 18 16:13:15 2017 +0200

    s3:utils: Make strings const passed to password_change() in smbpasswd
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 41a31a71abe144362fc7483fabba39aafa866373)

commit 2523f779213b8fa358c1d933d71417a90016e4e3
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Aug 18 16:10:06 2017 +0200

    s3:libsmb: Move prototype of remote_password_change()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit c773844e7529b83b2633671c7bcf1e7b84ad7950)

commit 90b5cbb7528f28391678db4b629d893051f1bf25
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Aug 18 16:08:46 2017 +0200

    s3:libsmb: Pass domain to remote_password_change()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 7a554ee7dcefdff599ebc6fbf4e128b33ffccf29)

commit 048508034b57c3b36ac73cdf0bd54675d8e320a9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 17 17:45:21 2017 +0200

    s3:gse_krb5: make use of precalculated krb5 keys in fill_mem_keytab_from_secrets()
    
    This avoids a lot of cpu cycles, which were wasted for each single smb
    connection, even if the client didn't use kerberos.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12973
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Aug 18 10:04:57 CEST 2017 on sn-devel-144
    
    (cherry picked from commit cd813f7fd9ee8e9d82a6bf6c98621c437f6974b2)

commit b6449bca2d3e44930f7a76b477ef707386f0560b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 17 21:42:34 2017 +0200

    s3:secrets: allow secrets_fetch_or_upgrade_domain_info() on an AD DC
    
    The reason for the check is for write access as secrets.ldb is the
    master database.
    
    But secrets_fetch_or_upgrade_domain_info() just syncs the values
    we got from if they got overwritten by secrets_store_machine_pw_sync().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12973
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 37e49a2af5bb1c40c17eab18ff9412f2ce79ef71)

commit c13ab92bd8a37e68ce4a4f51d5a0d3a115ec23a4
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Aug 9 12:14:34 2017 +0200

    blackbox: Add test for 'net ads changetrustpw'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Fri Aug 11 22:09:27 CEST 2017 on sn-devel-144
    
    (cherry picked from commit e2c0fd36ba54d984b554248aecffd3e4e7f43e1f)

commit 85175f8de36a226dfaf277043018d0a3c8e0dc03
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Aug 9 18:14:23 2017 +0200

    s3:libads: Fix changing passwords with Kerberos
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Richard Sharpe <realrichardsharpe at gmail.com>
    (cherry picked from commit b81ca4f9dcbb378a95fb3ac31bfd9a1cbe505d7d)

commit 27f76f406b6c57a7b19812fbf5c24115cc063af2
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 24 12:51:35 2017 +0200

    s3:libsmb: Print the kinit failed message with DBGLVL_NOTICE
    
    The default debug level of smbclient is set to 'log level = 1'. So we
    need to use at least NOTICE to not get the message when we do not force
    kerberos.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    (cherry picked from commit 6d7681c73dc68930dc39f05d58c2679b7c84ad97)

commit 2e4ac5e6b8f150647e095222f9eae87e87a44d52
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Aug 18 10:35:55 2017 +0200

    s3:utils: Do not report an invalid range for AD DC role
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12629
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    (cherry picked from commit 95e30b081f273f2d156792577179c5220c0a10cc)

-----------------------------------------------------------------------

Summary of changes:
 source3/include/proto.h                  |   6 --
 source3/libads/krb5_setpw.c              |   2 +-
 source3/librpc/crypto/gse_krb5.c         | 180 +++++++++++++++----------------
 source3/libsmb/cliconnect.c              |   2 +-
 source3/libsmb/passchange.c              |   5 +-
 source3/libsmb/proto.h                   |  10 ++
 source3/modules/vfs_default.c            |  15 +--
 source3/passdb/machine_account_secrets.c |  15 +--
 source3/utils/smbpasswd.c                |  57 +++++++---
 source3/utils/testparm.c                 |  16 +--
 testprogs/blackbox/test_net_ads.sh       |   4 +
 11 files changed, 171 insertions(+), 141 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/proto.h b/source3/include/proto.h
index baa5799..67e1a9d 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -832,12 +832,6 @@ bool get_dc_name(const char *domain,
 		fstring srv_name,
 		struct sockaddr_storage *ss_out);
 
-/* The following definitions come from libsmb/passchange.c  */
-
-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, 
-				const char *old_passwd, const char *new_passwd,
-				char **err_str);
-
 /* The following definitions come from libsmb/smberr.c  */
 
 const char *smb_dos_err_name(uint8_t e_class, uint16_t num);
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index 630c2e4..bc96ac6 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -251,7 +251,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
 	ret = krb5_set_password(context,
 				&creds,
 				discard_const_p(char, newpw),
-				princ,
+				NULL,
 				&result_code,
 				&result_code_string,
 				&result_string);
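Review bot: the fourth argument of the krb5_set_password() call in ads_krb5_chg_password() goes from princ to NULL with no comment, and the commit message ("Fix changing passwords with Kerberos") gives no reason either. Please add a short comment at the NULL saying why no target principal is passed, and check whether princ is still used elsewhere in the function; if it is now only built and freed, it can be dropped.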
diff --git a/source3/librpc/crypto/gse_krb5.c b/source3/librpc/crypto/gse_krb5.c
index 2c9fc03..cc8cb90 100644
--- a/source3/librpc/crypto/gse_krb5.c
+++ b/source3/librpc/crypto/gse_krb5.c
@@ -20,6 +20,7 @@
 #include "includes.h"
 #include "smb_krb5.h"
 #include "secrets.h"
+#include "librpc/gen_ndr/secrets.h"
 #include "gse_krb5.h"
 #include "lib/param/loadparm.h"
 #include "libads/kerberos_proto.h"
@@ -85,45 +86,15 @@ out:
 	return ret;
 }
 
-static krb5_error_code get_host_principal(krb5_context krbctx,
-					  krb5_principal *host_princ)
-{
-	krb5_error_code ret;
-	char *host_princ_s = NULL;
-	int err;
-
-	err = asprintf(&host_princ_s, "%s$@%s", lp_netbios_name(), lp_realm());
-	if (err == -1) {
-		return -1;
-	}
-
-	if (!strlower_m(host_princ_s)) {
-		SAFE_FREE(host_princ_s);
-		return -1;
-	}
-	ret = smb_krb5_parse_name(krbctx, host_princ_s, host_princ);
-	if (ret) {
-		DEBUG(1, (__location__ ": smb_krb5_parse_name(%s) "
-			  "failed (%s)\n",
-			  host_princ_s, error_message(ret)));
-	}
-
-	SAFE_FREE(host_princ_s);
-	return ret;
-}
-
 static krb5_error_code fill_keytab_from_password(krb5_context krbctx,
 						 krb5_keytab keytab,
 						 krb5_principal princ,
 						 krb5_kvno vno,
-						 krb5_data *password)
+						 struct secrets_domain_info1_password *pw)
 {
 	krb5_error_code ret;
 	krb5_enctype *enctypes;
-	krb5_keytab_entry kt_entry;
-	unsigned int i;
-	krb5_principal salt_princ = NULL;
-	char *salt_princ_s = NULL;
+	uint16_t i;
 
 	ret = smb_krb5_get_allowed_etypes(krbctx, &enctypes);
 	if (ret) {
@@ -132,61 +103,47 @@ static krb5_error_code fill_keytab_from_password(krb5_context krbctx,
 		return ret;
 	}
 
-	salt_princ_s = kerberos_secrets_fetch_salt_princ();
-	if (salt_princ_s == NULL) {
-		ret = ENOMEM;
-		goto out;
-	}
-	ret = krb5_parse_name(krbctx, salt_princ_s, &salt_princ);
-	SAFE_FREE(salt_princ_s);
-	if (ret != 0) {
-		goto out;
-	}
-
-	for (i = 0; enctypes[i]; i++) {
+	for (i = 0; i < pw->num_keys; i++) {
+		krb5_keytab_entry kt_entry;
 		krb5_keyblock *key = NULL;
-		int rc;
+		unsigned int ei;
+		bool found_etype = false;
 
-		if (!(key = SMB_MALLOC_P(krb5_keyblock))) {
-			ret = ENOMEM;
-			goto out;
+		for (ei=0; enctypes[ei] != 0; ei++) {
+			if ((uint32_t)enctypes[ei] != pw->keys[i].keytype) {
+				continue;
+			}
+
+			found_etype = true;
+			break;
 		}
 
-		rc = create_kerberos_key_from_string(krbctx,
-						     princ,
-						     salt_princ,
-						     password,
-						     key,
-						     enctypes[i],
-						     false);
-		if (rc != 0) {
-			DEBUG(10, ("Failed to create key for enctype %d "
-				   "(error: %s)\n",
-				   enctypes[i], error_message(ret)));
-			SAFE_FREE(key);
+		if (!found_etype) {
 			continue;
 		}
 
+		ZERO_STRUCT(kt_entry);
 		kt_entry.principal = princ;
 		kt_entry.vno = vno;
-		*(KRB5_KT_KEY(&kt_entry)) = *key;
+
+		key = KRB5_KT_KEY(&kt_entry);
+		KRB5_KEY_TYPE(key) = pw->keys[i].keytype;
+		KRB5_KEY_DATA(key) = pw->keys[i].value.data;
+		KRB5_KEY_LENGTH(key) = pw->keys[i].value.length;
 
 		ret = krb5_kt_add_entry(krbctx, keytab, &kt_entry);
 		if (ret) {
 			DEBUG(1, (__location__ ": Failed to add entry to "
 				  "keytab for enctype %d (error: %s)\n",
-				   enctypes[i], error_message(ret)));
-			krb5_free_keyblock(krbctx, key);
+				  (unsigned)pw->keys[i].keytype,
+				  error_message(ret)));
 			goto out;
 		}
-
-		krb5_free_keyblock(krbctx, key);
 	}
 
 	ret = 0;
 
 out:
-	krb5_free_principal(krbctx, salt_princ);
 	SAFE_FREE(enctypes);
 	return ret;
 }
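Review bot: in the new loop the keytab entry only borrows the key bytes: KRB5_KEY_DATA(key) = pw->keys[i].value.data points into pw and the krb5_free_keyblock() calls are gone, so this is correct only if krb5_kt_add_entry() copies the key before pw is released. A one-line comment that ownership stays with pw would keep someone from re-adding a free on kt_entry later. Separately, the DEBUG message still uses %d for (unsigned)pw->keys[i].keytype; use %u or drop the cast to unsigned.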
@@ -197,27 +154,43 @@ out:
 static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
 						    krb5_keytab *keytab)
 {
+	TALLOC_CTX *frame = talloc_stackframe();
 	krb5_error_code ret;
-	char *pwd = NULL;
-	size_t pwd_len;
+	const char *domain = lp_workgroup();
+	struct secrets_domain_info1 *info = NULL;
+	const char *realm = NULL;
+	const DATA_BLOB *ct = NULL;
 	krb5_kt_cursor kt_cursor;
 	krb5_keytab_entry kt_entry;
-	krb5_data password;
 	krb5_principal princ = NULL;
 	krb5_kvno kvno = 0; /* FIXME: fetch current vno from KDC ? */
-	char *pwd_old = NULL;
+	NTSTATUS status;
 
 	if (!secrets_init()) {
 		DEBUG(1, (__location__ ": secrets_init failed\n"));
+		TALLOC_FREE(frame);
 		return KRB5_CONFIG_CANTOPEN;
 	}
 
-	pwd = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
-	if (!pwd) {
-		DEBUG(2, (__location__ ": failed to fetch machine password\n"));
+	status = secrets_fetch_or_upgrade_domain_info(domain,
+						      frame,
+						      &info);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_WARNING("secrets_fetch_or_upgrade_domain_info(%s) - %s\n",
+			    domain, nt_errstr(status));
+		TALLOC_FREE(frame);
 		return KRB5_LIBOS_CANTREADPWD;
 	}
-	pwd_len = strlen(pwd);
+	ct = &info->password->cleartext_blob;
+
+	if (info->domain_info.dns_domain.string != NULL) {
+		realm = strupper_talloc(frame,
+				info->domain_info.dns_domain.string);
+		if (realm == NULL) {
+			TALLOC_FREE(frame);
+			return ENOMEM;
+		}
+	}
 
 	ZERO_STRUCT(kt_entry);
 	ZERO_STRUCT(kt_cursor);
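Review bot: ct = &info->password->cleartext_blob dereferences info->password without a NULL check, while the later hunk tests info->old_password, info->older_password and info->next_change before using them. If secrets_fetch_or_upgrade_domain_info() guarantees a non-NULL password on NT_STATUS_OK, say so in a comment; otherwise free the frame and return KRB5_LIBOS_CANTREADPWD here. Also note that realm stays NULL when info->domain_info.dns_domain.string is NULL and is then handed to smb_krb5_make_principal() further down; that case deserves either an explicit error or a comment that a NULL realm is acceptable.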
@@ -249,9 +222,9 @@ static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
 			/* found private entry,
 			 * check if keytab is up to date */
 
-			if ((pwd_len == KRB5_KEY_LENGTH(KRB5_KT_KEY(&kt_entry))) &&
+			if ((ct->length == KRB5_KEY_LENGTH(KRB5_KT_KEY(&kt_entry))) &&
 			    (memcmp(KRB5_KEY_DATA(KRB5_KT_KEY(&kt_entry)),
-						pwd, pwd_len) == 0)) {
+						ct->data, ct->length) == 0)) {
 				/* keytab is already up to date, return */
 				smb_krb5_kt_free_entry(krbctx, &kt_entry);
 				goto out;
@@ -277,32 +250,51 @@ static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
 
 	/* keytab is not up to date, fill it up */
 
-	ret = get_host_principal(krbctx, &princ);
+	ret = smb_krb5_make_principal(krbctx, &princ, realm,
+				      info->account_name, NULL);
 	if (ret) {
 		DEBUG(1, (__location__ ": Failed to get host principal!\n"));
 		goto out;
 	}
 
-	password.data = pwd;
-	password.length = pwd_len;
 	ret = fill_keytab_from_password(krbctx, *keytab,
-					princ, kvno, &password);
+					princ, kvno,
+					info->password);
 	if (ret) {
-		DEBUG(1, (__location__ ": Failed to fill memory keytab!\n"));
+		DBG_WARNING("fill_keytab_from_password() failed for "
+			    "info->password.\n.");
 		goto out;
 	}
 
-	pwd_old = secrets_fetch_prev_machine_password(lp_workgroup());
-	if (!pwd_old) {
-		DEBUG(10, (__location__ ": no prev machine password\n"));
-	} else {
-		password.data = pwd_old;
-		password.length = strlen(pwd_old);
+	if (info->old_password != NULL) {
+		ret = fill_keytab_from_password(krbctx, *keytab,
+						princ, kvno - 1,
+						info->old_password);
+		if (ret) {
+			DBG_WARNING("fill_keytab_from_password() failed for "
+				    "info->old_password.\n.");
+			goto out;
+		}
+	}
+
+	if (info->older_password != NULL) {
 		ret = fill_keytab_from_password(krbctx, *keytab,
-						princ, kvno -1, &password);
+						princ, kvno - 2,
+						info->older_password);
 		if (ret) {
-			DEBUG(1, (__location__
-				  ": Failed to fill memory keytab!\n"));
+			DBG_WARNING("fill_keytab_from_password() failed for "
+				    "info->older_password.\n.");
+			goto out;
+		}
+	}
+
+	if (info->next_change != NULL) {
+		ret = fill_keytab_from_password(krbctx, *keytab,
+						princ, kvno - 3,
+						info->next_change->password);
+		if (ret) {
+			DBG_WARNING("fill_keytab_from_password() failed for "
+				    "info->next_change->password.\n.");
 			goto out;
 		}
 	}
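Review bot: info->next_change->password is added with kvno - 3, below old_password (kvno - 1) and older_password (kvno - 2), although a pending change is the newest key, and kvno itself is declared as 0 with a FIXME in the earlier hunk, so all of these offsets are placeholder values. Please add a comment explaining the numbering and that the values are only used to keep the entries distinct. The four new DBG_WARNING strings also end in ".\n." which puts a stray dot at the start of the next log line; they should end in ".\n". It would help to include error_message(ret) in those messages, as the krb5_kt_add_entry() failure path does.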
@@ -314,8 +306,8 @@ static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
 	kt_entry.vno = 0;
 
 	KRB5_KEY_TYPE(KRB5_KT_KEY(&kt_entry)) = CLEARTEXT_PRIV_ENCTYPE;
-	KRB5_KEY_LENGTH(KRB5_KT_KEY(&kt_entry)) = pwd_len;
-	KRB5_KEY_DATA(KRB5_KT_KEY(&kt_entry)) = (uint8_t *)pwd;
+	KRB5_KEY_LENGTH(KRB5_KT_KEY(&kt_entry)) = ct->length;
+	KRB5_KEY_DATA(KRB5_KT_KEY(&kt_entry)) = ct->data;
 
 	ret = krb5_kt_add_entry(krbctx, *keytab, &kt_entry);
 	if (ret) {
@@ -328,9 +320,6 @@ static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
 	ret = 0;
 
 out:
-	SAFE_FREE(pwd);
-	SAFE_FREE(pwd_old);
-
 	if (!all_zero((uint8_t *)&kt_cursor, sizeof(kt_cursor)) && *keytab) {
 		krb5_kt_end_seq_get(krbctx, *keytab, &kt_cursor);
 	}
@@ -339,6 +328,7 @@ out:
 		krb5_free_principal(krbctx, princ);
 	}
 
+	TALLOC_FREE(frame);
 	return ret;
 }
 
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 6803d02..75bcae4 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -349,7 +349,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
 				0 /* no time correction for now */,
 				NULL);
 	if (ret != 0) {
-		int dbglvl = DBGLVL_WARNING;
+		int dbglvl = DBGLVL_NOTICE;
 
 		if (krb5_state == CRED_MUST_USE_KERBEROS) {
 			dbglvl = DBGLVL_ERR;
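Review bot: the reason for picking DBGLVL_NOTICE at "int dbglvl = DBGLVL_NOTICE;" is only in the commit message (smbclient defaults to log level 1, and the message should stay quiet when Kerberos is not forced). A one-line comment above the assignment would keep the next cleanup from raising it back to DBGLVL_WARNING.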
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index c89b7ca..48ffba8 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -30,7 +30,8 @@
  Change a password on a remote machine using IPC calls.
 *************************************************************/
 
-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, 
+NTSTATUS remote_password_change(const char *remote_machine,
+				const char *domain, const char *user_name,
 				const char *old_passwd, const char *new_passwd,
 				char **err_str)
 {
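Review bot: the new domain parameter of remote_password_change() is not documented; the header comment above the function still only says "Change a password on a remote machine using IPC calls." Please state there whether domain may be NULL (the next hunk replaces a literal NULL in cli_session_creds_init() with it, so NULL presumably keeps the old behaviour) and which name callers are expected to pass for a local SAM account.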
@@ -55,7 +56,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
 
 	creds = cli_session_creds_init(cli,
 				       user_name,
-				       NULL, /* domain */
+				       domain,
 				       NULL, /* realm */
 				       old_passwd,
 				       false, /* use_kerberos */
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
index a583a8e..44f4d04 100644
--- a/source3/libsmb/proto.h
+++ b/source3/libsmb/proto.h
@@ -31,6 +31,9 @@
 
 struct smb_trans_enc_state;
 struct cli_credentials;
+struct cli_state;
+struct file_info;
+struct print_job_info;
 
 /* The following definitions come from libsmb/cliconnect.c  */
 
@@ -964,4 +967,11 @@ NTSTATUS cli_readlink(struct cli_state *cli, const char *fname,
 		       TALLOC_CTX *mem_ctx, char **psubstitute_name,
 		      char **pprint_name, uint32_t *pflags);
 
+/* The following definitions come from libsmb/passchange.c  */
+
+NTSTATUS remote_password_change(const char *remote_machine,
+				const char *domain, const char *user_name,
+				const char *old_passwd, const char *new_passwd,
+				char **err_str);
+
 #endif /* _LIBSMB_PROTO_H_ */
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 53a116c..ce1b6e2 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -722,7 +722,6 @@ static int vfswrap_init_pool(struct smbd_server_connection *conn)
 
 struct vfswrap_pread_state {
 	ssize_t ret;
-	int err;
 	int fd;
 	void *buf;
 	size_t count;
@@ -796,7 +795,9 @@ static void vfs_pread_do(void *private_data)
 				   state->offset);
 	} while ((state->ret == -1) && (errno == EINTR));
 
-	state->err = errno;
+	if (state->ret == -1) {
+		state->vfs_aio_state.error = errno;
+	}
 
 	PROFILE_TIMESTAMP(&end_time);
 
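Review bot: in vfs_pread_do() state->vfs_aio_state.error is now written only when state->ret == -1, so on success the field keeps whatever it held before, and nothing in the visible lines sets it to 0. If the state is zero-initialised when the request is created, a short comment saying so is enough; otherwise add an else branch that stores 0. The same applies to the identical changes in vfs_pwrite_do() and vfs_fsync_do() below.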
@@ -845,7 +846,6 @@ static ssize_t vfswrap_pread_recv(struct tevent_req *req,
 
 struct vfswrap_pwrite_state {
 	ssize_t ret;
-	int err;
 	int fd;
 	const void *buf;
 	size_t count;
@@ -919,7 +919,9 @@ static void vfs_pwrite_do(void *private_data)
 				   state->offset);
 	} while ((state->ret == -1) && (errno == EINTR));
 
-	state->err = errno;
+	if (state->ret == -1) {
+		state->vfs_aio_state.error = errno;
+	}
 
 	PROFILE_TIMESTAMP(&end_time);
 
@@ -968,7 +970,6 @@ static ssize_t vfswrap_pwrite_recv(struct tevent_req *req,
 
 struct vfswrap_fsync_state {
 	ssize_t ret;
-	int err;
 	int fd;
 
 	struct vfs_aio_state vfs_aio_state;
@@ -1029,7 +1030,9 @@ static void vfs_fsync_do(void *private_data)
 		state->ret = fsync(state->fd);
 	} while ((state->ret == -1) && (errno == EINTR));
 
-	state->err = errno;
+	if (state->ret == -1) {
+		state->vfs_aio_state.error = errno;
+	}
 
 	PROFILE_TIMESTAMP(&end_time);
 
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index 3d1cb5b..5a0f7a8 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -832,7 +832,8 @@ static NTSTATUS secrets_store_domain_info1_by_key(const char *key,
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS secrets_store_domain_info(const struct secrets_domain_info1 *info)
+static NTSTATUS secrets_store_domain_info(const struct secrets_domain_info1 *info,
+					  bool upgrade)
 {
 	TALLOC_CTX *frame = talloc_stackframe();
 	const char *domain = info->domain_info.name.string;
@@ -853,7 +854,7 @@ static NTSTATUS secrets_store_domain_info(const struct secrets_domain_info1 *inf
 	switch (info->secure_channel_type) {
 	case SEC_CHAN_WKSTA:
 	case SEC_CHAN_BDC:
-		if (role >= ROLE_ACTIVE_DIRECTORY_DC) {
+		if (!upgrade && role >= ROLE_ACTIVE_DIRECTORY_DC) {
 			DBG_ERR("AD_DC not supported for %s\n",
 				domain);
 			TALLOC_FREE(frame);
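Review bot: the new bool upgrade parameter of secrets_store_domain_info() switches off the "AD_DC not supported" check at "if (!upgrade && role >= ROLE_ACTIVE_DIRECTORY_DC)" for SEC_CHAN_WKSTA and SEC_CHAN_BDC, but the function carries no comment on what upgrade means or why skipping the check is safe. Please move the reasoning from the commit message (the check guards writes because secrets.ldb is the master database on an AD DC, while the upgrade path only syncs values back) into a comment at this condition, so later callers do not pass true just to silence the error.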
@@ -1490,7 +1491,7 @@ NTSTATUS secrets_fetch_or_upgrade_domain_info(const char *domain,
 
 	secrets_debug_domain_info(DBGLVL_INFO, info, "upgrade");
 
-	status = secrets_store_domain_info(info);
+	status = secrets_store_domain_info(info, true /* upgrade */);
 	if (!NT_STATUS_IS_OK(status)) {
 		DBG_ERR("secrets_store_domain_info() failed "
 			"for %s - %s\n", domain, nt_errstr(status));
@@ -1647,7 +1648,7 @@ NTSTATUS secrets_store_JoinCtx(const struct libnet_JoinCtx *r)
 
 	secrets_debug_domain_info(DBGLVL_INFO, info, "join");
 
-	status = secrets_store_domain_info(info);
+	status = secrets_store_domain_info(info, false /* upgrade */);
 	if (!NT_STATUS_IS_OK(status)) {
 		DBG_ERR("secrets_store_domain_info() failed "
 			"for %s - %s\n", domain, nt_errstr(status));
@@ -1739,7 +1740,7 @@ NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname,
 
 	secrets_debug_domain_info(DBGLVL_INFO, info, "prepare_change");
 
-	status = secrets_store_domain_info(info);


-- 
Samba Shared Repository


