[SCM] Samba Shared Repository - branch master updated

Volker Lendecke vlendec at samba.org
Tue Mar 7 12:17:02 UTC 2017


The branch, master has been updated
       via  b796622 winbind: Correctly pass !authoritative from wb_irpc_SamLogon
       via  a6f4e60 libwbclient: Add "authoritative" to wbcAuthErrorInfo
       via  0ff97d9 winbind: Set "authoritative" in response to auth_crap
       via  f16e302 winbind: Add "authoritative" to winbindd_response
       via  3a6a7b5 winbind: Pass up args from winbind_dual_SamLogon
       via  5b87e91 winbind: Pass up args from winbind_samlogon_retry_loop
       via  00c25a5 cli_netlogon: Add return parms to rpccli_netlogon_password_logon
       via  c0875cd cli_netlogon: Remove a fallback for flags=NULL
       via  72b9b62 cli_netlogon: Remove a fallback for authoritative=NULL
      from  57b3b12 winbind: Fix a debug message

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b7966221c799006af735c9f962ab68291beb53fd
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Mar 4 18:40:09 2017 +0100

    winbind: Correctly pass !authoritative from wb_irpc_SamLogon
    
    Returning an error at this level gives a RPC level error without the chance to
    provide !authoritative flag to the caller. At the RPC level we're fine, but not
    finding the domain to authenticate means that we don't know the domain and thus
    have to return !authoritative.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Tue Mar  7 13:16:00 CET 2017 on sn-devel-144

commit a6f4e603063b540f37a1b8774dd9253dd595a913
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Jan 29 16:51:53 2017 +0000

    libwbclient: Add "authoritative" to wbcAuthErrorInfo
    
    smbd needs to react to "authoritative"
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 0ff97d969f7c10202ef67972293c78930da53088
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Feb 11 10:04:29 2017 +0100

    winbind: Set "authoritative" in response to auth_crap
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit f16e302376529f73c30b2c4d11526843266e3eea
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Jan 29 16:46:12 2017 +0000

    winbind: Add "authoritative" to winbindd_response
    
    This is a relevant piece of info in the samlogon response,
    smbd and netlogond need to be able to react to it.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 3a6a7b53af48853508c31394ca8b1d22b2df1811
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Jan 28 20:20:59 2017 +0000

    winbind: Pass up args from winbind_dual_SamLogon
    
    We'll need to pass "authoritative" back to the winbind client
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5b87e915dc73839892af72456c6a0070fade3695
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Jan 28 20:20:59 2017 +0000

    winbind: Pass up args from winbind_samlogon_retry_loop
    
    In particular "authoritative" is useful at the top level
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 00c25a5080be89ad41195969dd7fc9521a26ad7d
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Jan 28 11:36:11 2017 +0000

    cli_netlogon: Add return parms to rpccli_netlogon_password_logon
    
    Just for symmetry with rpccli_netlogon_network_logon()
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c0875cd88365e61a827ee32b59ab95e73a524307
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Jan 28 11:31:09 2017 +0000

    cli_netlogon: Remove a fallback for flags=NULL
    
    The two callers of rpccli_netlogon_network_logon have flags set !=NULL
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 72b9b629565ae7a39d3a4315b32ee9210be0e69d
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Jan 28 11:27:21 2017 +0000

    cli_netlogon: Remove a fallback for authoritative=NULL
    
    The two callers of rpccli_netlogon_network_logon have authoritative
    set !=NULL
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .../ABI/{wbclient-0.13.sigs => wbclient-0.14.sigs} |  0
 nsswitch/libwbclient/wbc_pam.c                     |  1 +
 nsswitch/libwbclient/wbclient.h                    |  4 +++-
 nsswitch/libwbclient/wscript                       |  2 +-
 nsswitch/winbind_struct_protocol.h                 |  6 ++++--
 source3/rpc_client/cli_netlogon.c                  | 17 ++++-----------
 source3/rpc_client/cli_netlogon.h                  |  2 ++
 source3/rpcclient/cmd_netlogon.c                   |  4 ++++
 source3/winbindd/winbindd_dual_srv.c               |  6 +++++-
 source3/winbindd/winbindd_irpc.c                   |  4 +++-
 source3/winbindd/winbindd_pam.c                    | 25 ++++++++++++++++++----
 source3/winbindd/winbindd_proto.h                  |  2 ++
 12 files changed, 50 insertions(+), 23 deletions(-)
 copy nsswitch/libwbclient/ABI/{wbclient-0.13.sigs => wbclient-0.14.sigs} (100%)


Changeset truncated at 500 lines:

diff --git a/nsswitch/libwbclient/ABI/wbclient-0.13.sigs b/nsswitch/libwbclient/ABI/wbclient-0.14.sigs
similarity index 100%
copy from nsswitch/libwbclient/ABI/wbclient-0.13.sigs
copy to nsswitch/libwbclient/ABI/wbclient-0.14.sigs
diff --git a/nsswitch/libwbclient/wbc_pam.c b/nsswitch/libwbclient/wbc_pam.c
index 0d1b90c..cb2d5a0 100644
--- a/nsswitch/libwbclient/wbc_pam.c
+++ b/nsswitch/libwbclient/wbc_pam.c
@@ -259,6 +259,7 @@ static wbcErr wbc_create_error_info(const struct winbindd_response *resp,
 
 	e->nt_status = resp->data.auth.nt_status;
 	e->pam_error = resp->data.auth.pam_error;
+	e->authoritative = resp->data.auth.authoritative;
 	e->nt_string = strdup(resp->data.auth.nt_status_string);
 	BAIL_ON_PTR_ERROR(e->nt_string, wbc_status);
 
diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
index 8c1803b..77915b9 100644
--- a/nsswitch/libwbclient/wbclient.h
+++ b/nsswitch/libwbclient/wbclient.h
@@ -74,9 +74,10 @@ const char *wbcErrorString(wbcErr error);
  *  0.11: Extended wbcAuthenticateUserEx to provide PAC parsing
  *  0.12: Added wbcCtxCreate and friends
  *  0.13: Added wbcCtxUnixIdsToSids and wbcUnixIdsToSids
+ *  0.14: Added "authoritative" to wbcAuthErrorInfo
  **/
 #define WBCLIENT_MAJOR_VERSION 0
-#define WBCLIENT_MINOR_VERSION 13
+#define WBCLIENT_MINOR_VERSION 14
 #define WBCLIENT_VENDOR_VERSION "Samba libwbclient"
 struct wbcLibraryDetails {
 	uint16_t major_version;
@@ -419,6 +420,7 @@ struct wbcAuthErrorInfo {
 	char *nt_string;
 	int32_t pam_error;
 	char *display_string;
+	uint8_t authoritative;
 };
 
 /**
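Review bot: the new `authoritative` member at the end of struct wbcAuthErrorInfo has no comment saying what its values mean. This is a public header and the commit message says smbd is expected to react to the field, so document that 0 means the answer was not authoritative and non-zero means it was, and say what a caller should assume when the library did not fill it in.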
diff --git a/nsswitch/libwbclient/wscript b/nsswitch/libwbclient/wscript
index 5c5002a..c5390b9 100644
--- a/nsswitch/libwbclient/wscript
+++ b/nsswitch/libwbclient/wscript
@@ -3,7 +3,7 @@
 import Options, Logs
 
 # Remember to also update wbclient.h
-VERSION="0.13"
+VERSION="0.14"
 
 # It may be useful at some point to allow Samba to build against a
 # system libwbclient, such as the one provided by Likewise.  To to
diff --git a/nsswitch/winbind_struct_protocol.h b/nsswitch/winbind_struct_protocol.h
index 84829d2..a2e7d4c 100644
--- a/nsswitch/winbind_struct_protocol.h
+++ b/nsswitch/winbind_struct_protocol.h
@@ -58,8 +58,9 @@ typedef char fstring[FSTRING_LEN];
  *     removed WINBINDD_SID_TO_GID
  *     removed WINBINDD_GID_TO_SID
  *     removed WINBINDD_UID_TO_SID
+ * 29: added "authoritative" to response.data.auth
  */
-#define WINBIND_INTERFACE_VERSION 28
+#define WINBIND_INTERFACE_VERSION 29
 
 /* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
    On a 64bit Linux box, we have to support a constant structure size
@@ -432,7 +433,8 @@ struct winbindd_response {
 			char first_8_lm_hash[8];
 			fstring krb5ccname;
 			uint32_t reject_reason;
-			uint32_t padding;
+			uint8_t authoritative;
+			uint8_t padding[3];
 			struct policy_settings {
 				uint32_t min_length_password;
 				uint32_t password_history;
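Review bot: `uint8_t authoritative` takes over the first byte of the old `uint32_t padding`, so a response that never assigns it carries whatever that padding byte held (0 if the response is zeroed), and 0 is the value this series uses for "not authoritative". Add a comment on the field giving the encoding, and confirm that every path filling data.auth sets it explicitly instead of inheriting the padding value.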
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 166f318..634c78b 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -310,6 +310,8 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
 					const char *password,
 					const char *workstation,
 					enum netr_LogonInfoClass logon_type,
+					uint8_t *authoritative,
+					uint32_t *flags,
 					struct netr_SamInfo3 **info3)
 {
 	TALLOC_CTX *frame = talloc_stackframe();
@@ -317,8 +319,6 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
 	union netr_LogonLevel *logon;
 	uint16_t validation_level = 0;
 	union netr_Validation *validation = NULL;
-	uint8_t authoritative = 0;
-	uint32_t flags = 0;
 	char *workstation_slash = NULL;
 
 	logon = talloc_zero(frame, union netr_LogonLevel);
@@ -426,8 +426,8 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
 						  frame,
 						  &validation_level,
 						  &validation,
-						  &authoritative,
-						  &flags);
+						  authoritative,
+						  flags);
 	if (!NT_STATUS_IS_OK(status)) {
 		TALLOC_FREE(frame);
 		return status;
@@ -472,20 +472,11 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
 	struct netr_NetworkInfo *network_info;
 	uint16_t validation_level = 0;
 	union netr_Validation *validation = NULL;
-	uint8_t _authoritative = 0;
-	uint32_t _flags = 0;
 	struct netr_ChallengeResponse lm;
 	struct netr_ChallengeResponse nt;
 
 	*info3 = NULL;
 
-	if (authoritative == NULL) {
-		authoritative = &_authoritative;
-	}
-	if (flags == NULL) {
-		flags = &_flags;
-	}
-
 	ZERO_STRUCT(lm);
 	ZERO_STRUCT(nt);
 
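Review bot: with the `authoritative == NULL` and `flags == NULL` fallbacks removed, rpccli_netlogon_network_logon passes the caller's pointers on unchecked, and rpccli_netlogon_password_logon above does the same with its new parameters. State the non-NULL requirement in cli_netlogon.h, or enforce it with an explicit check at the top of both functions, so a future caller passing NULL fails in a defined way instead of crashing inside an authentication path.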
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index d63805b..bef0def 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -65,6 +65,8 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
 					const char *password,
 					const char *workstation,
 					enum netr_LogonInfoClass logon_type,
+					uint8_t *authoritative,
+					uint32_t *flags,
 					struct netr_SamInfo3 **info3);
 NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
 				       struct dcerpc_binding_handle *binding_handle,
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index f657172..29d3096 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -779,6 +779,8 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
 	uint32_t logon_param = 0;
 	const char *workstation = NULL;
 	struct netr_SamInfo3 *info3 = NULL;
+	uint8_t authoritative = 0;
+	uint32_t flags = 0;
 
 	/* Check arguments */
 
@@ -816,6 +818,8 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
 						password,
 						workstation,
 						logon_type,
+						&authoritative,
+						&flags,
 						&info3);
 	if (!NT_STATUS_IS_OK(result))
 		goto done;
diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index 7b97f33..763ebb8 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -860,6 +860,8 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
 	struct winbindd_domain *domain;
 	NTSTATUS status;
 	DATA_BLOB lm_response, nt_response;
+	uint32_t flags;
+
 	domain = wb_child_domain();
 	if (domain == NULL) {
 		return NT_STATUS_REQUEST_NOT_ACCEPTED;
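Review bot: `uint32_t flags;` is declared without an initializer, unlike the `uint32_t flags = 0;` used for the same purpose in cmd_netlogon.c and winbindd_dual_pam_auth_samlogon in this series. The early `return NT_STATUS_REQUEST_NOT_ACCEPTED;` in the context below it also returns before r->out.authoritative is written; please confirm the caller never reads it on that path, or set it before returning.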
@@ -883,7 +885,9 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
 				       r->in.logon.network->identity_info.domain_name.string,
 				       r->in.logon.network->identity_info.workstation.string,
 				       r->in.logon.network->challenge,
-				       lm_response, nt_response, &r->out.validation.sam3);
+				       lm_response, nt_response,
+				       &r->out.authoritative, &flags,
+				       &r->out.validation.sam3);
 	return status;
 }
 
diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c
index 9a9f753..c87707a 100644
--- a/source3/winbindd/winbindd_irpc.c
+++ b/source3/winbindd/winbindd_irpc.c
@@ -141,7 +141,9 @@ static NTSTATUS wb_irpc_SamLogon(struct irpc_message *msg,
 
 	domain = find_auth_domain(0, target_domain_name);
 	if (domain == NULL) {
-		return NT_STATUS_NO_SUCH_USER;
+		req->out.result = NT_STATUS_NO_SUCH_USER;
+		req->out.authoritative = 0;
+		return NT_STATUS_OK;
 	}
 
 	DEBUG(5, ("wb_irpc_SamLogon called\n"));
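Review bot: returning NT_STATUS_OK while placing NT_STATUS_NO_SUCH_USER in req->out.result is not obvious when the `domain == NULL` branch is read on its own. A short comment there, saying that the error is moved into the reply so that `authoritative = 0` reaches the caller (as the commit message explains), would keep someone from changing it back to a plain error return.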
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 74afdcc..5d1da16 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1320,6 +1320,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 					    DATA_BLOB lm_response,
 					    DATA_BLOB nt_response,
 					    bool interactive,
+					    uint8_t *authoritative,
+					    uint32_t *flags,
 					    struct netr_SamInfo3 **info3)
 {
 	int attempts = 0;
@@ -1329,8 +1331,6 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 
 	do {
 		struct rpc_pipe_client *netlogon_pipe;
-		uint8_t authoritative = 0;
-		uint32_t flags = 0;
 
 		ZERO_STRUCTP(info3);
 		retry = false;
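Review bot: removing the per-iteration `uint8_t authoritative = 0;` and `uint32_t flags = 0;` from the top of the do-loop means the outputs are no longer reset between attempts. A retry now starts with whatever the previous attempt stored, and any path out of the loop that does not reach one of the logon calls leaves the caller's initial value in place. Consider resetting `*authoritative` and `*flags` next to `ZERO_STRUCTP(info3);`, or document which value callers must pre-set.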
@@ -1392,6 +1392,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 								password,
 								workstation,
 								NetlogonInteractiveInformation,
+								authoritative,
+								flags,
 								info3);
 		} else {
 			result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
@@ -1404,8 +1406,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 							chal,
 							lm_response,
 							nt_response,
-							&authoritative,
-							&flags,
+							authoritative,
+							flags,
 							info3);
 		}
 
@@ -1491,6 +1493,8 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
 	fstring name_domain, name_user;
 	NTSTATUS result;
 	struct netr_SamInfo3 *my_info3 = NULL;
+	uint8_t authoritative = 0;
+	uint32_t flags = 0;
 
 	*info3 = NULL;
 
@@ -1565,6 +1569,8 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
 					     lm_resp,
 					     nt_resp,
 					     true, /* interactive */
+					     &authoritative,
+					     &flags,
 					     &my_info3);
 	if (!NT_STATUS_IS_OK(result)) {
 		goto done;
@@ -1944,6 +1950,8 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 			       const uint8_t chal[8],
 			       DATA_BLOB lm_response,
 			       DATA_BLOB nt_response,
+			       uint8_t *authoritative,
+			       uint32_t *flags,
 			       struct netr_SamInfo3 **info3)
 {
 	NTSTATUS result;
@@ -1964,6 +1972,8 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 		 * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED 
 		 */
 		if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+			*authoritative = 1;
+			*flags = 0;
 			goto process_result;
 		}
 	}
@@ -1980,6 +1990,8 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 					     lm_response,
 					     nt_response,
 					     false, /* interactive */
+					     authoritative,
+					     flags,
 					     info3);
 	if (!NT_STATUS_IS_OK(result)) {
 		goto done;
@@ -2043,6 +2055,8 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 	const char *name_user = NULL;
 	const char *name_domain = NULL;
 	const char *workstation;
+	uint8_t authoritative;
+	uint32_t flags;
 
 	DATA_BLOB lm_resp, nt_resp;
 
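Review bot: `uint8_t authoritative;` and `uint32_t flags;` are declared without initializers here, while winbindd_dual_pam_auth_samlogon in the same file uses `= 0` for both. The next hunk reads `authoritative` on the failure path, so give it a defined starting value, chosen deliberately, since it decides what the client is told if winbind_dual_SamLogon fails before writing it.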
@@ -2095,8 +2109,11 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 				       state->request->data.auth_crap.chal,
 				       lm_resp,
 				       nt_resp,
+				       &authoritative,
+				       &flags,
 				       &info3);
 	if (!NT_STATUS_IS_OK(result)) {
+		state->response->data.auth.authoritative = authoritative;
 		goto done;
 	}
 
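Review bot: `state->response->data.auth.authoritative` is assigned only inside the `!NT_STATUS_IS_OK(result)` branch, so on success the field keeps whatever the response struct already held. Assigning it once, before the status check, would give clients the same field semantics for both outcomes.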
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 46fb600..09be4b2 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -452,6 +452,8 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 			       const uint8_t chal[8],
 			       DATA_BLOB lm_response,
 			       DATA_BLOB nt_response,
+			       uint8_t *authoritative,
+			       uint32_t *flags,
 			       struct netr_SamInfo3 **info3);
 
 /* The following definitions come from winbindd/winbindd_util.c  */


-- 
Samba Shared Repository


