[SCM] Samba Shared Repository - branch v4-5-test updated

Stefan Metzmacher metze at samba.org
Wed Mar 1 12:16:02 UTC 2017


The branch, v4-5-test has been updated
       via  c479054 dbchecker: Stop ignoring linked cases where both objects are alive
       via  9f5b85e tests/dbcheck: Add a test for two live objects, with a dangling forward link
       via  b13e9a9 tests/dbcheck: Add a test for two live objects, with a dangling backlink
       via  4f3f492 s3:idmap_ad: make use of pdb_get_trust_credentials() to get the machine account creds
       via  de16359 s3:winbindd: allow a fallback to NTLMSSP for LDAP connections
       via  3c1073e s3:libads: add more debugging to ads_sasl_spnego_bind()
       via  f6eb2a7 s3:winbindd: rely on the kerberos_state from pdb_get_trust_credentials()
       via  2b55ed3 s3:winbindd: add more debugging to cm_prepare_connection()
       via  3b423b0 s3:passdb: use cli_credentials_set_kerberos_state() for trusts in pdb_get_trust_credentials()
       via  18c1e21 s3:winbindd: fix the valid usage of anonymous smb authentication
       via  b241315 auth/credentials: try to use kerberos with the machine account unless we're in an AD domain
       via  41a4da3 s3:winbindd: try a NETLOGON connection with noauth over NCACN_NP against trusted domains.
       via  abb51ac Revert "s3-winbind: Fix schannel connections against trusted domain DCs"
       via  2158bad s3:winbindd: make sure cm_prepare_connection() only returns OK with a valid tree connect
      from  81613c1 vfs_streams_xattr: use fsp, not base_fsp

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test


- Log -----------------------------------------------------------------
commit c479054b341b1b1abbc076d63a49bd4463a9ec4c
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Feb 22 15:42:46 2017 +1300

    dbchecker: Stop ignoring linked cases where both objects are alive
    
    Previously, this did nothing and the code was both untested and unused.
    
    Removes the knownfail entry for dbcheck.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12600
    (cherry picked from commit 0a7c6b56563faeafd61a620cb330349671bc9f3b)
    
    Autobuild-User(v4-5-test): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(v4-5-test): Wed Mar  1 13:15:34 CET 2017 on sn-devel-144

commit 9f5b85e0ddfe9d1c571f9a60e2b57a965e63a64e
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Feb 22 17:43:21 2017 +1300

    tests/dbcheck: Add a test for two live objects, with a dangling forward link
    
    Handling backlinks appears to be rather non-deterministic, so the
    forward link hangs off of the RODC replication group (which has no other
    valid forward links). In other situations, it either won't delete the
    memberOf, or the expected output order will vary.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12600
    (cherry picked from commit 6f2deb01fa1c6e81f101df49990dadcbc9c31226)

commit b13e9a9f72f68e42a0bff329a797c0b3e8eb2f2e
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Feb 22 15:43:34 2017 +1300

    tests/dbcheck: Add a test for two live objects, with a dangling backlink
    
    Adds dbcheck 4.5.0pre1 to the knownfail, to be removed later.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12600
    (cherry picked from commit 86f10eaecd4ed9fd9db83d711cbf1f823528d6e5)

commit 4f3f4926ba127d48e4da25f8904be1895af8bc2e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 22 21:29:50 2017 +0100

    s3:idmap_ad: make use of pdb_get_trust_credentials() to get the machine account creds
    
    This is mostly a cosmetic change currently.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Fri Feb 24 22:34:48 CET 2017 on sn-devel-144
    
    (cherry picked from commit 3d7fed0f2883d529bb635fc6df86f39d5a434d25)

commit de16359f453040abf431f53485a674283bcfb013
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 22 21:18:32 2017 +0100

    s3:winbindd: allow a fallback to NTLMSSP for LDAP connections
    
    This matches the behaviour of pdb_get_trust_credentials() for
    our machine account and allows us to fallback to NTLMSSP
    when contacting trusted domains.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 4e9a0894cd977585ccc94e7c1811de1b0293382d)

commit 3c1073ea4f777579bdba6632a5a098786ed5b2e0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 11:54:21 2017 +0100

    s3:libads: add more debugging to ads_sasl_spnego_bind()
    
    Any fallbacks to other authentication methods should be logged.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    (similar to commit ea0bc12ba52166032d5112ee22ab53d831c13e86)

commit f6eb2a74addb69da8e0bd8ab31c09fbc3545d330
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 22 20:07:25 2017 +0100

    s3:winbindd: rely on the kerberos_state from pdb_get_trust_credentials()
    
    The implementation of pdb_get_trust_credentials() should have all
    the details to set the kerberos_state to a useful value.
    
    This should enable the fallback to NTLMSSP again, when using our
    machine account against trusted domains.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 51caeb7c538b7546e5feccf27a735bb803c78a0b)

commit 2b55ed38d387a0933af002987c473a4f8d3b6c73
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 23 11:54:21 2017 +0100

    s3:winbindd: add more debugging to cm_prepare_connection()
    
    Any fallbacks to other authentication methods should be logged.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    (similar to commit ba9d139ec3d71af184a24daf24356304c2e49144)

commit 3b423b0a91434bdc8e08100e6ecf0391c8a962cd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 22 20:07:25 2017 +0100

    s3:passdb: use cli_credentials_set_kerberos_state() for trusts in pdb_get_trust_credentials()
    
    Trust accounts can only use kerberos when contacting other AD domains,
    using NTLMSSP will fail.
    
    At the same time it doesn't make sense to try kerberos for NT4 domains,
    still NTLMSSP will fail, but the caller has to deal with that
    case and just fallback to an anonymous SMB connection.
    
    In all cases we should be able to use NETLOGON SCHANNEL
    over any anonymous smb or tcp transport.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit d961ae9d14b46708d2693ca91ace04f9f1a53ca2)

commit 18c1e21e77a5a2f09d9855f19aa6a610b4e2617e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 22 19:18:04 2017 +0100

    s3:winbindd: fix the valid usage of anonymous smb authentication
    
    If we are in a situation where we don't have credentials to contact the
    remote domain or against an NT4 with the following settings:
    
      workgroup = NT4DOM
      security = domain
      require strong key = no
      client use spnego = no
      client ipc signing = auto
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    (similar to commit c97a29bdfdc0020ec0113073580da56f2d35edc1)

commit b241315c653acd8de2a7879dab30f3a670d65f9e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 24 16:02:50 2017 +0100

    auth/credentials: try to use kerberos with the machine account unless we're in an AD domain
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit b845f16d3ca02dd27cc40bbf722426d6f81bb4b7)

commit 41a4da3f84350ca701c59805b778a717e0200e93
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 24 10:37:32 2017 +0000

    s3:winbindd: try a NETLOGON connection with noauth over NCACN_NP against trusted domains.
    
    We're using only NCACN_NP here as we rely on the smb signing restrictions
    of cm_prepare_connection().
    
    This should fix SMB authentication with a user of a domain
    behind a transitive trust.
    
    With this change winbindd is able to call
    dcerpc_netr_DsrEnumerateDomainTrusts against the
    dc of a trusted domain again. This only works
    for two-way trusts.
    
    The main problem is the usage of is_trusted_domain()
    which doesn't know about the domain, if winbindd can't
    enumerate the domains in the other forest.
    
    is_trusted_domain() is used in make_user_info_map(),
    which is called in auth3_check_password() before
    auth_check_ntlm_password().
    
    That means we're mapping the user of such a domain
    to our own local sam, before calling our auth modules.
    
    A much better fix, which removes the usage of is_trusted_domain()
    is planned for master, but this should do the job for current releases.
    
    We should avoid talking to DCs of other domains and always
    go via our primary domain. As we should cope with one-way trusts
    also, we need to avoid relying on a complete list of
    domains in future.
    
    For now "wbinfo -m" lists domains behind a two-way transitive
    trust again, but that is likely to change in future again!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit fffefe72fcc62d9688b45f53a5327667dc0b2fe6)

commit abb51ac9d503761f4744b3339f56ca724a4bccfb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 24 13:19:59 2017 +0100

    Revert "s3-winbind: Fix schannel connections against trusted domain DCs"
    
    This reverts commit d2379caa77fe02264323d69fee1bcad33f1bfeee.
    
    This change doesn't solve the real problem, it just
    causes useless network traffic and the following error:
    
    rpccli_setup_netlogon_creds failed for W2012R2-L6, unable to setup NETLOGON
    credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
    
    While the old logic caused NT_STATUS_CANT_ACCESS_DOMAIN_INFO (without
    network traffic) instead of the NT_STATUS_NO_TRUST_SAM_ACCOUNT.
    
    A better fix will follow.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 0bf1a7492bee2f7678cb37ef9515b8aefd26233b)

commit 2158bade24473c2f06ac7526b51c9dd976c356a9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 31 15:19:00 2017 +0100

    s3:winbindd: make sure cm_prepare_connection() only returns OK with a valid tree connect
    
    If cm_get_ipc_credentials() returned anonymous creds and signing is required
    we were returning the result of cm_get_ipc_credentials() instead of
    the original error.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12588
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (similar to commit cebcc2adc7e568d492466bb69f21ba2a9630a0d2)

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_secrets.c             |  17 ++-
 python/samba/dbchecker.py                          |  23 +++--
 source3/libads/sasl.c                              |  25 ++++-
 source3/passdb/passdb.c                            |  17 +++
 source3/winbindd/idmap_ad.c                        |  36 +++----
 source3/winbindd/winbindd_ads.c                    |   2 +
 source3/winbindd/winbindd_cm.c                     | 115 +++++++++++++--------
 .../add-dangling-backlink-user.ldif                |   3 +
 .../release-4-5-0-pre1/add-dangling-backlink.ldif  |   4 +
 .../add-dangling-forwardlink-user.ldif             |   3 +
 .../add-initially-normal-link.ldif                 |   4 +
 .../release-4-5-0-pre1/delete-only-backlink.ldif   |   4 +
 .../expected-dbcheck-link-output.txt               |  10 +-
 testprogs/blackbox/dbcheck-links.sh                |  37 +++++++
 14 files changed, 218 insertions(+), 82 deletions(-)
 create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/add-dangling-backlink-user.ldif
 create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/add-dangling-backlink.ldif
 create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/add-dangling-forwardlink-user.ldif
 create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/add-initially-normal-link.ldif
 create mode 100644 source4/selftest/provisions/release-4-5-0-pre1/delete-only-backlink.ldif


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index d5a37cf..ed148fd 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -39,7 +39,7 @@
 #include "dbwrap/dbwrap.h"
 #include "dbwrap/dbwrap_open.h"
 #include "lib/util/util_tdb.h"
-
+#include "libds/common/roles.h"
 
 /**
  * Fill in credentials for the machine trust account, from the secrets database.
@@ -276,6 +276,8 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 	char *secrets_tdb_password = NULL;
 	char *secrets_tdb_old_password = NULL;
 	uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL;
+	int server_role = lpcfg_server_role(lp_ctx);
+	int security = lpcfg_security(lp_ctx);
 	char *keystr;
 	char *keystr_upper = NULL;
 	TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
@@ -354,13 +356,26 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 	}
 
 	if (secrets_tdb_password_more_recent) {
+		enum credentials_use_kerberos use_kerberos = CRED_DONT_USE_KERBEROS;
 		char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
 		cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
 		cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
 		cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
 		if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
 			cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
+
+			switch (server_role) {
+			case ROLE_DOMAIN_MEMBER:
+				if (security != SEC_ADS) {
+					break;
+				}
+				/* fall through */
+			case ROLE_ACTIVE_DIRECTORY_DC:
+				use_kerberos = CRED_AUTO_USE_KERBEROS;
+				break;
+			}
 		}
+		cli_credentials_set_kerberos_state(cred, use_kerberos);
 		cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
 		cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
 		cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
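Review bot: the switch sets CRED_AUTO_USE_KERBEROS only for ROLE_DOMAIN_MEMBER with security = ads and for ROLE_ACTIVE_DIRECTORY_DC, so Kerberos is tried only when we are in an AD domain, which is the opposite of what the commit subject ("unless we're in an AD domain") says; the subject should read "only if we're in an AD domain". Also, cli_credentials_set_kerberos_state(cred, use_kerberos) runs unconditionally after the if block, so whenever the secrets domain does not match the workgroup any kerberos state a caller set before calling cli_credentials_set_machine_account_db_ctx() is overwritten with CRED_DONT_USE_KERBEROS; if that is intended, add a comment saying so, otherwise move the call inside the strequal() branch.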
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 22819de..032c0e7 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -645,10 +645,9 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
             self.report("Not fixing missing backlink %s" % backlink_name)
             return
         m = ldb.Message()
-        m.dn = obj.dn
-        m['old_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_DELETE, attrname)
-        m['new_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_ADD, attrname)
-        if self.do_modify(m, ["show_recycled:1"],
+        m.dn = target_dn
+        m['new_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_ADD, backlink_name)
+        if self.do_modify(m, ["show_recycled:1", "relax:0"],
                           "Failed to fix missing backlink %s" % backlink_name):
             self.report("Fixed missing backlink %s" % (backlink_name))
 
@@ -974,12 +973,16 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
                         if v_guid == obj_guid:
                             match_count += 1
                 if match_count != 1:
-                    if target_is_deleted:
-                        error_count += 1
-                        if linkID & 1:
-                            self.err_missing_backlink(obj, attrname, val, reverse_link_name, dsdb_dn.dn)
-                        else:
-                            self.err_orphaned_backlink(obj, attrname, val, reverse_link_name, dsdb_dn.dn)
+                    error_count += 1
+                    if linkID & 1:
+                        # Backlink exists, but forward link does not
+                        # Delete the hanging backlink
+                        self.err_orphaned_backlink(obj, attrname, val, reverse_link_name, dsdb_dn.dn)
+                    else:
+                        # Forward link exists, but backlink does not
+                        # Add the missing backlink (if the target object is not Deleted Objects?)
+                        if not target_is_deleted:
+                            self.err_missing_backlink(obj, attrname, obj.dn.extended_str(), reverse_link_name, dsdb_dn.dn)
                     continue
 
 
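Review bot: error_count is now incremented unconditionally at the top of the block, but in the forward-link branch nothing is fixed or reported when target_is_deleted is true, so dbcheck counts an error it neither describes nor repairs; either self.report() that case or only count it when a fix is attempted. The trailing question mark in the comment "(if the target object is not Deleted Objects?)" should also be resolved: the code below is `if not target_is_deleted:`, so state that plainly instead of leaving the doubt in the comment.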
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 39c60c3..c2564cb 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -703,6 +703,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 #ifdef HAVE_KRB5
 	bool got_kerberos_mechanism = False;
 #endif
+	const char *mech = NULL;
 
 	rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred);
 
@@ -749,6 +750,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
 	    got_kerberos_mechanism) 
 	{
+		mech = "KRB5";
+
 		if (ads->auth.password == NULL ||
 		    ads->auth.password[0] == '\0')
 		{
@@ -775,7 +778,11 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 							blob);
 			if (!ADS_ERR_OK(status)) {
 				DEBUG(0,("kinit succeeded but "
-					"ads_sasl_spnego_gensec_bind(KRB5) failed: %s\n",
+					"ads_sasl_spnego_gensec_bind(KRB5) failed: "
+					"for %s/%s user[%s] realm[%s]: %s\n",
+					p.service, p.hostname,
+					ads->auth.user_name,
+					ads->auth.realm,
 					ads_errstr(status)));
 			}
 		}
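Review bot: the new format string produces "... failed: for ldap/host user[...] realm[...]: ..." because the existing "failed: " fragment is kept ahead of the inserted "for %s/%s"; drop the first colon. This message also stays at DEBUG(0) while the other fallback messages added in this commit are DEBUG(1); pick one level for all of them.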
@@ -785,17 +792,33 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 		    !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
 			goto done;
 		}
+
+		DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed for %s/%s "
+			 "with user[%s] realm[%s]: %s, fallback to NTLMSSP\n",
+			 p.service, p.hostname,
+			 ads->auth.user_name,
+			 ads->auth.realm,
+			 ads_errstr(status)));
 	}
 #endif
 
 	/* lets do NTLMSSP ... this has the big advantage that we don't need
 	   to sync clocks, and we don't rely on special versions of the krb5 
 	   library for HMAC_MD4 encryption */
+	mech = "NTLMSSP";
 	status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
 					     CRED_DONT_USE_KERBEROS,
 					     p.service, p.hostname,
 					     data_blob_null);
 done:
+	if (!ADS_ERR_OK(status)) {
+		DEBUG(1,("ads_sasl_spnego_gensec_bind(%s) failed for %s/%s "
+			 "with user[%s] realm=[%s]: %s\n", mech,
+			  p.service, p.hostname,
+			  ads->auth.user_name,
+			  ads->auth.realm,
+			  ads_errstr(status)));
+	}
 	ads_free_service_principal(&p);
 	TALLOC_FREE(frame);
 	if (blob.data != NULL) {
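Review bot: mech is initialised to NULL and only assigned in the KRB5 branch and immediately before the NTLMSSP bind, so any path that reaches done: before either (for example a failure of the initial ldap_sasl_bind_s() call, if it jumps to done) passes NULL to a %s conversion, which is undefined behaviour in printf; initialise mech to a literal such as "none" instead. Minor: the message at done: prints realm=[%s] while the two messages above print realm[%s]; make the formats consistent so log grep patterns match.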
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index f48c317..e7a9b43 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -2621,6 +2621,19 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
 			status = NT_STATUS_NO_MEMORY;
 			goto fail;
 		}
+
+		/*
+		 * It's not possible to use NTLMSSP with a domain trust account.
+		 */
+		cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
+	} else {
+		/*
+		 * We can't use kerberos against an NT4 domain.
+		 *
+		 * We should have a mode that also disallows NTLMSSP here,
+		 * as only NETLOGON SCHANNEL is possible.
+		 */
+		cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
 	}
 
 	ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
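Review bot: the "We should have a mode that also disallows NTLMSSP here" comment is a TODO without a bug reference; either point it at the bug tracking the SCHANNEL-only mode or drop it and say outright what the commit message says, namely that NTLMSSP against an NT4 domain fails and the caller falls back to an anonymous SMB connection.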
@@ -2635,6 +2648,10 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
 			status = NT_STATUS_NO_MEMORY;
 			goto fail;
 		}
+		/*
+		 * We currently can't do kerberos just with an NTHASH.
+		 */
+		cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
 		goto done;
 	}
 
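Review bot: this override silently downgrades a trust account that only has an NT hash from CRED_MUST_USE_KERBEROS (set in the previous hunk with the comment that NTLMSSP is not possible for a domain trust account) to CRED_DONT_USE_KERBEROS, leaving credentials that, per those comments, cannot authenticate either way; at least log at DBG_WARNING that Kerberos is unavailable for this trust because only an NT hash is stored, or return an error so the caller can fall back explicitly instead of failing later with a generic logon failure.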
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index c385cf0..94de255 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -22,7 +22,7 @@
 #include "idmap.h"
 #include "tldap_gensec_bind.h"
 #include "tldap_util.h"
-#include "secrets.h"
+#include "passdb.h"
 #include "lib/param/param.h"
 #include "utils/net.h"
 #include "auth/gensec/gensec.h"
@@ -243,7 +243,6 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 				       const char *domname,
 				       struct tldap_context **pld)
 {
-	struct db_context *db_ctx;
 	struct netr_DsRGetDCNameInfo *dcinfo;
 	struct sockaddr_storage dcaddr;
 	struct cli_credentials *creds;
@@ -294,11 +293,19 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	creds = cli_credentials_init(dcinfo);
-	if (creds == NULL) {
-		DBG_DEBUG("cli_credentials_init failed\n");
+	/*
+	 * Here we use or own machine account as
+	 * we run as domain member.
+	 */
+	status = pdb_get_trust_credentials(lp_workgroup(),
+					   lp_realm(),
+					   dcinfo,
+					   &creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_DEBUG("pdb_get_trust_credentials() failed - %s\n",
+			  nt_errstr(status));
 		TALLOC_FREE(dcinfo);
-		return NT_STATUS_NO_MEMORY;
+		return status;
 	}
 
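Review bot: typo in the new comment, "or own machine account" should read "our own machine account". The failure of pdb_get_trust_credentials() is logged at DBG_DEBUG only, yet it turns every idmap_ad lookup into an error; log it at DBG_WARNING (keeping the nt_errstr as here) so an admin can see why mapping stopped working without raising the log level.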
 	lp_ctx = loadparm_init_s3(dcinfo, loadparm_s3_helpers());
@@ -308,23 +315,6 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	cli_credentials_set_conf(creds, lp_ctx);
-
-	db_ctx = secrets_db_ctx();
-	if (db_ctx == NULL) {
-		DBG_DEBUG("Failed to open secrets.tdb.\n");
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-
-	status = cli_credentials_set_machine_account_db_ctx(creds, lp_ctx,
-							    db_ctx);
-	if (!NT_STATUS_IS_OK(status)) {
-		DBG_DEBUG("cli_credentials_set_machine_account "
-			  "failed: %s\n", nt_errstr(status));
-		TALLOC_FREE(dcinfo);
-		return status;
-	}
-
 	rc = tldap_gensec_bind(ld, creds, "ldap", dcinfo->dc_unc, NULL, lp_ctx,
 			       GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
 	if (!TLDAP_RC_IS_SUCCESS(rc)) {
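Review bot: cli_credentials_set_conf(creds, lp_ctx) is removed together with the secrets.tdb lookup, so the creds returned by pdb_get_trust_credentials() are no longer bound to lp_ctx in this function; confirm that pdb_get_trust_credentials() applies the loadparm settings itself (realm, workstation, signing and sealing defaults), otherwise tldap_gensec_bind() will run with different defaults than before this change.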
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index dc92a4a..febde5e 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -119,6 +119,8 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
 	ads->auth.renewable = renewable;
 	ads->auth.password = password;
 
+	ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+
 	ads->auth.realm = SMB_STRDUP(auth_realm);
 	if (!strupper_m(ads->auth.realm)) {
 		ads_destroy(&ads);
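Review bot: ADS_AUTH_ALLOW_NTLMSSP is set unconditionally, so any Kerberos failure against the DC (clock skew, unreachable KDC, missing SPN) now silently downgrades every winbindd LDAP connection to NTLMSSP. That matches the fallback pdb_get_trust_credentials() allows for our own machine account, but the same series sets CRED_MUST_USE_KERBEROS for domain trust accounts because NTLMSSP fails for them, so gate the flag on the kerberos_state of the credentials in use rather than always allowing the fallback, and make sure the downgrade is logged at a level an admin will see (the DEBUG(1) added in ads_sasl_spnego_bind() covers this).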
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index e18f638..d1dce73 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -903,7 +903,6 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 	struct cli_credentials *creds;
 	NTSTATUS status;
 	bool force_machine_account = false;
-	bool ok;
 
 	/* If we are a DC and this is not our own domain */
 
@@ -937,24 +936,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 		goto ipc_fallback;
 	}
 
-	if (domain->primary && lp_security() == SEC_ADS) {
-		cli_credentials_set_kerberos_state(creds,
-						   CRED_AUTO_USE_KERBEROS);
-	} else if (domain->active_directory) {
-		cli_credentials_set_kerberos_state(creds,
-						   CRED_MUST_USE_KERBEROS);
-	} else {
-		cli_credentials_set_kerberos_state(creds,
-						   CRED_DONT_USE_KERBEROS);
-	}
-
-	/*
-	 * When we contact our own domain and get a list of the trusted domain
-	 * we have the information if we are able to contact the DC with
-	 * with our machine account password.
-	 */
-	ok = winbindd_can_contact_domain(domain);
-	if (!ok) {
+	if (creds_domain != domain) {
 		/*
 		 * We can only use schannel against a direct trust
 		 */
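Review bot: the condition `creds_domain != domain` replaces winbindd_can_contact_domain() without a comment explaining it, while the removed comment did explain the old check; add one saying that creds_domain is the domain whose trust account was used and that schannel is only possible when that account belongs to the target domain (a direct trust). Dropping the kerberos_state assignments here is right as long as every caller obtains creds via pdb_get_trust_credentials(), which now sets it; the ipc_fallback path in cm_prepare_connection() uses cm_get_ipc_credentials() instead, so check that those credentials also carry a sensible kerberos_state.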
@@ -1002,6 +984,8 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 	struct named_mutex *mutex;
 
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+	NTSTATUS tmp_status;
+	NTSTATUS tcon_status = NT_STATUS_NETWORK_NAME_DELETED;
 
 	enum smb_signing_setting smb_sign_client_connections = lp_client_ipc_signing();
 
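Review bot: tcon_status starts as NT_STATUS_NETWORK_NAME_DELETED with no comment; say that it is the status reported when the function reaches done: with result OK but without a successful tree connect, and why that code was chosen over a generic NT_STATUS_UNSUCCESSFUL, since it ends up in winbind_add_failed_connection_entry() and in the DEBUG(1) message at done:.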
@@ -1103,6 +1087,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 		}
 	}
 
+	if (cli_credentials_is_anonymous(creds)) {
+		goto anon_fallback;
+	}
+
 	krb5_state = cli_credentials_get_kerberos_state(creds);
 
 	machine_krb5_principal = cli_credentials_get_principal(creds,
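Review bot: anonymous credentials now jump to anon_fallback, which later in this patch does TALLOC_FREE(creds); that is only safe if creds here is owned by this function (allocated on talloc_tos() by get_trust_credentials()) and not a pointer cached in the domain structure, so please confirm the ownership, otherwise this introduces a use-after-free on the next connection attempt.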
@@ -1138,8 +1126,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 			goto session_setup_done;
 		}
 
-		DEBUG(4,("failed kerberos session setup with %s\n",
-			 nt_errstr(result)));
+		DEBUG(1, ("Failed to use kerberos connecting to %s from %s "
+			  "with kerberos principal [%s]\n",
+			  controller, lp_netbios_name(),
+			  machine_krb5_principal));
 	}
 
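Review bot: the new DEBUG(1) message drops nt_errstr(result), which the old DEBUG(4) message printed, so the reason for the Kerberos failure is lost at exactly the level an admin is most likely to run; append ": %s" with nt_errstr(result) to the format.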
 	if (krb5_state != CRED_MUST_USE_KERBEROS) {
@@ -1157,10 +1147,15 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 					   machine_password,
 					   strlen(machine_password)+1,
 					   machine_domain);
-	}
 
-	if (NT_STATUS_IS_OK(result)) {
-		goto session_setup_done;
+		if (NT_STATUS_IS_OK(result)) {
+			goto session_setup_done;
+		}
+
+		DEBUG(1, ("Failed to use NTLMSSP connecting to %s from %s "
+			  "with username [%s]\\[%s]\n",
+			  controller, lp_netbios_name(),
+			  machine_domain, machine_account));
 	}
 
 	/*
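Review bot: as with the Kerberos message above, the NTLMSSP failure message omits nt_errstr(result); include it so the log explains why the fallback happened. Moving the NT_STATUS_IS_OK(result) check inside the block is correct: when krb5_state is CRED_MUST_USE_KERBEROS, result still holds the Kerberos failure and falls through to the classification below.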
@@ -1174,10 +1169,6 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 	    || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
 	    || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
 	{
-		if (cli_credentials_is_anonymous(creds)) {
-			goto done;
-		}
-
 		if (!cm_is_ipc_credentials(creds)) {
 			goto ipc_fallback;
 		}
@@ -1189,19 +1180,22 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 		goto anon_fallback;
 	}
 
-	DEBUG(4, ("authenticated session setup failed with %s\n",
-		nt_errstr(result)));
+	DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n",
+		  controller,
+		  cli_credentials_get_unparsed_name(creds, talloc_tos()),
+		  nt_errstr(result)));
 
 	goto done;
 
  ipc_fallback:
-	result = cm_get_ipc_credentials(talloc_tos(), &creds);
-	if (!NT_STATUS_IS_OK(result)) {
+	TALLOC_FREE(creds);
+	tmp_status = cm_get_ipc_credentials(talloc_tos(), &creds);
+	if (!NT_STATUS_IS_OK(tmp_status)) {
+		result = tmp_status;
 		goto done;
 	}
 
 	if (cli_credentials_is_anonymous(creds)) {
-		TALLOC_FREE(creds);
 		goto anon_fallback;
 	}
 
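Review bot: result is deliberately left untouched when cm_get_ipc_credentials() succeeds, so that the original session-setup error rather than the credential lookup's status is what reaches done: (the bug 12588 fix); add a one-line comment saying so, otherwise the next reader will "simplify" this back to `result = cm_get_ipc_credentials(...)`. The TALLOC_FREE(creds) before the lookup is only correct if creds is owned by this frame, so note that ownership in the same comment.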
@@ -1228,6 +1222,11 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 		goto session_setup_done;
 	}
 
+	DEBUG(1, ("Failed to use NTLMSSP connecting to %s from %s "
+		  "with username "
+		  "[%s]\\[%s]\n",  controller, lp_netbios_name(),
+		  machine_domain, machine_account));
+
 	/*
 	 * If we are not going to validiate the conneciton
 	 * with SMB signing, then allow us to fall back to
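Review bot: like the other new failure messages in cm_prepare_connection(), this one omits nt_errstr(result); without it a DEBUG(1) log shows that the IPC NTLMSSP session setup failed but not why. machine_domain and machine_account must also have been reloaded from the IPC credentials for this message to be accurate; if they still hold the trust account's values the log names the wrong account.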
@@ -1242,19 +1241,22 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 		goto anon_fallback;
 	}
 
-	DEBUG(4, ("authenticated session setup failed with %s\n",
-		nt_errstr(result)));
+	DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n",
+		  controller,
+		  cli_credentials_get_unparsed_name(creds, talloc_tos()),
+		  nt_errstr(result)));
 
 	goto done;
 
  anon_fallback:
+	TALLOC_FREE(creds);
 
 	if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) {
 		goto done;
 	}
 
 	/* Fall back to anonymous connection, this might fail later */
-	DEBUG(10,("cm_prepare_connection: falling back to anonymous "
+	DEBUG(5,("cm_prepare_connection: falling back to anonymous "
 		"connection for DC %s\n",
 		controller ));
 
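Review bot: when smb_sign_client_connections == SMB_SIGNING_REQUIRED the anonymous fallback is refused with a bare goto done and nothing is logged, so the only trace is the generic "Failed to prepare SMB connection" message at done:; add a DEBUG(1) here saying that the anonymous fallback to the DC was skipped because client ipc signing is required, since that is precisely the configuration interaction an admin needs to see. Raising the fallback message from level 10 to 5 is fine.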
@@ -1266,6 +1268,9 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 		goto session_setup_done;
 	}
 
+	DEBUG(1, ("anonymous session setup to %s failed with %s\n",
+		  controller, nt_errstr(result)));
+
 	/* We can't session setup */
 	goto done;
 
@@ -1283,11 +1288,11 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 	}
 
 	result = cli_tree_connect(*cli, "IPC$", "IPC", "", 0);
-
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
 		goto done;
 	}
+	tcon_status = result;
 
 	/* cache the server name for later connections */
 
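Review bot: result is NT_STATUS_OK at the point of `tcon_status = result;` (the failure case has already jumped to done), so write `tcon_status = NT_STATUS_OK;` and the line documents itself; copying result hides that this is the only place where tcon_status becomes OK.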
@@ -1306,7 +1311,13 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
  done:
 	TALLOC_FREE(mutex);
 
+	if (NT_STATUS_IS_OK(result)) {
+		result = tcon_status;
+	}
+
 	if (!NT_STATUS_IS_OK(result)) {
+		DEBUG(1, ("Failed to prepare SMB connection to %s: %s\n",
+			  controller, nt_errstr(result)));
 		winbind_add_failed_connection_entry(domain, controller, result);
 		if ((*cli) != NULL) {
 			cli_shutdown(*cli);
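Review bot: after `result = tcon_status;` any path that reaches done: with result OK but without the tree connect records NT_STATUS_NETWORK_NAME_DELETED in the failed-connection cache and in the new DEBUG(1) message, which is a misleading description of what went wrong; if such paths exist, log where they come from, and if they do not, a comment should say this is a safety net rather than an expected case.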
@@ -3293,9 +3304,28 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
 	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
 	if (sec_chan_type == SEC_CHAN_NULL) {
-		DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n",
-			    domain->name);
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		if (transport == NCACN_IP_TCP) {
+			DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+				   " deny NCACN_IP_TCP and let the caller fallback to NCACN_NP.\n",
+				   domain->name);
+			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		}
+
+		DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+			   "fallback to noauth on NCACN_NP.\n",
+			   domain->name);
+
+		result = cli_rpc_pipe_open_noauth_transport(conn->cli,
+							    transport,
+							    &ndr_table_netlogon,

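Review bot: the noauth NETLOGON pipe over NCACN_NP is opened on conn->cli without checking whether that SMB connection is actually signed; the commit message says this relies on the signing restrictions of cm_prepare_connection(), but that function still falls back to an anonymous session whenever client ipc signing is not "required" (the anon_fallback path above), in which case an unauthenticated NETLOGON pipe with no integrity protection to a trusted-domain DC is possible and the DsrEnumerateDomainTrusts reply could be altered on the wire; check the signing state of conn->cli here and refuse the noauth fallback on an unsigned session. The changeset is truncated at 500 lines, so the remainder of this hunk could not be reviewed.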

-- 
Samba Shared Repository
