[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue May 30 10:17:03 UTC 2017


The branch, master has been updated
       via  41981db s4:lib/com: remove unused pycom binding
       via  50c7112 s4:librpc: restore inhibit_timeout_processing = true during gensec_update_send/recv()
       via  27aacf9 Revert "s4:librpc: simplify dcerpc_connect_timeout_handler() logic"
       via  0382a40 s4:auth: use talloc_reparent() in samba_server_gensec_krb5_start()
       via  80f92e8 tests/rodc: Check that new passwords trigger wiping on RODC
       via  4b52f10 getncchanges: Do not filter EXOPs using highwatermark
       via  b22387c rpc_server: Move SID helpers into common
       via  d3e8bcb netlogon: Add necessary security checks for SendToSam
       via  452170d tests/rodc: Check SID restriction for SendToSam
       via  7dfe7df tests/rodc: Add password lockout tests with RODC-auth, RWDC-check
       via  e418db6 selftest: Ensure rodc environment uses localdc as winbind partner
       via  fd29e28 netlogon: Implement SendToSam along with its winbind forwarding
       via  8ae9681 netlogon_creds_cli: Do not corrupt authenticator state on application level errors
       via  29cccff kdc: Send bad password via NETLOGON in RODC
       via  ef0218a hdb: Dupe a copy of repl secrets into the KDC
       via  c98514a auth_sam: Make auth_sam_trigger_repl_secret more generic
       via  f40fdae rodc: Set non-authoritative for RODC bad passwords
       via  44b0ebe tests/rodc: Test for NTLM wrong password forwarding
       via  b50a147 auth_winbind: Allow badPwdCount to be set to 0 with this auth method
       via  2368f57 winbindd: Do not run SAM auth stack in winbind SamLogon
       via  a6a19e4 auth4: Add authoritative flag to check_password
       via  deec2af libads: Decide to have no fallback option
       via  52a37c6 winbindd_cm: Pass cm_open_connection the need_rw_dc flag
       via  ac84789 winbindd_cm: Call dcip_check_name even when fetching from cache
       via  9d8a373 winbindd_cm: Rename dcip_to_name to the more accurate dcip_check_name
       via  2ff09f6 winbindd_cm: Add new parameter to getdc and find_new_dc calls
       via  bbf2414 winbindd_cm: Add new parameter for dcip_to_name
       via  eaf2c3e libads: Check cldap flags in libads/ldap
       via  3dcee68 tests/password_lockout: Remove unused users from base
       via  df2b71d samba-tool/spn: Add a missing newline to error message
      from  8d818e1 ctdb-tools: Always exit with positive return value

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 41981db0d32b24fede0e52555bd0193ae330cc4b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 26 15:25:43 2017 +0200

    s4:lib/com: remove unused pycom binding
    
    This is completely untested and from reading the code it doesn't really
    do anything besides always returning None from the get_class_object() method.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue May 30 12:16:57 CEST 2017 on sn-devel-144

commit 50c7112b002bc33f46e827bac47857215e135015
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 29 09:37:09 2017 +0200

    s4:librpc: restore inhibit_timeout_processing = true during gensec_update_send/recv()
    
    As not all gensec backends are fully async yet, we need the
    inhibit_timeout_processing workaround in order to protect
    against nested event loops.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 27aacf9288aafefb2610adca262086b69be7c827
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 29 09:32:12 2017 +0200

    Revert "s4:librpc: simplify dcerpc_connect_timeout_handler() logic"
    
    This reverts commit 2c3e99d1697b83f7dd498596a274fe2e8e96116d.
    
    As the source4 backends for kerberos still use nested event loops,
    we need to restore this for now.
    
    We should reapply this once all backends are fully async.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0382a4068bd15d1c6eb3167e0f7080b1bd072623
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 24 06:11:17 2017 +0200

    s4:auth: use talloc_reparent() in samba_server_gensec_krb5_start()
    
    This matches logic of samba_server_gensec_start() and avoids warnings like this:
    
    WARNING: talloc_steal with references at ../source4/auth/samba_server_gensec.c:150
            reference at ../auth/gensec/gensec_start.c:586
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 80f92e8338fc6a278e09a3f23beb0330ca80a323
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon May 22 15:08:27 2017 +1200

    tests/rodc: Check that new passwords trigger wiping on RODC
    
    This appears to have been working correctly, but we just haven't had a test for it.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4b52f102be0ec245d852a4cf999aa1f23d9d1db7
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon May 22 13:59:22 2017 +1200

    getncchanges: Do not filter EXOPs using highwatermark
    
    Prior to this patch, any REPL_SECRETS could be filtered accidentally.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b22387cf858426ac078139a2b1b134aded92ee49
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Apr 21 11:29:48 2017 +1200

    rpc_server: Move SID helpers into common
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d3e8bcbc9b634c89a98fb63a3b9449d3a628ba39
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Apr 19 12:50:55 2017 +1200

    netlogon: Add necessary security checks for SendToSam
    
    We eliminate a small race between GUID -> DN and ensure RODC can only
    reset bad password count on accounts it is allowed to cache locally.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 452170db2cdc9c7cd474d82e46698ec05fc1c651
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Apr 26 16:32:51 2017 +1200

    tests/rodc: Check SID restriction for SendToSam
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7dfe7df6d0bb211d9a2711d532643ad0b3f7b429
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Apr 21 15:21:58 2017 +1200

    tests/rodc: Add password lockout tests with RODC-auth, RWDC-check
    
    This occurs when the password is preloaded, and the bad logins and
    successes must be forwarded to the RWDC.
    
    The password server MUST be localdc.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e418db6ea1ccd1501269b9e22031d848399ce785
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Apr 26 16:11:28 2017 +1200

    selftest: Ensure rodc environment uses localdc as winbind partner
    
    This is required for password lockout testing.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit fd29e28d5231a4e576979c0b116564b751be8831
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Tue Apr 11 15:51:50 2017 +1200

    netlogon: Implement SendToSam along with its winbind forwarding
    
    This allows you to forward bad password count resets to 0. Currently,
    there is a missing access check for the RODC to ensure it only applies
    to cached users (msDS-Allowed-Password-Replication-Group).
    
    (further patches still need to address forcing a RWDC contact)
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8ae968193b7084af8bb0ccf7d624ff10e39d5715
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Apr 20 16:55:58 2017 +1200

    netlogon_creds_cli: Do not corrupt authenticator state on application level errors
    
    If the NETLOGON response was an error e.g. NT_STATUS_NOT_IMPLEMENTED, any subsequent
    calls failed with NT_STATUS_ACCESS_DENIED. This is likely to be the cause of RODC DNS
    updates falling off and never continuing.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 29cccff500a74bb474c097eef89db016ce57569d
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Tue Apr 4 11:57:01 2017 +1200

    kdc: Send bad password via NETLOGON in RODC
    
    This means that a RWDC will be collecting the badPwdCount to ensure
    domain wide lockout.
    
    TODO The parameters should be better constructed.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ef0218a512cc5b7d828f31602c79cc23db676856
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Apr 3 16:11:35 2017 +1200

    hdb: Dupe a copy of repl secrets into the KDC
    
    When you have an RODC, this will force the fetch of secrets if not found here
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c98514adf2a28c781f0f89778a932325c14dae2d
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Apr 3 15:49:45 2017 +1200

    auth_sam: Make auth_sam_trigger_repl_secret more generic
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f40fdaea7f64bcf7461a53f61fd6ffe8def0c8e9
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Apr 3 15:22:08 2017 +1200

    rodc: Set non-authoritative for RODC bad passwords
    
    This requires as a pre-requisite that the auth stack is not run twice.
    We remove the knownfail introduced in the earlier patch.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 44b0ebefb2546a81152b9f2a6d463d3949519c40
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Apr 26 13:41:03 2017 +1200

    tests/rodc: Test for NTLM wrong password forwarding
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b50a147a7e40e17d0e280b4c705ac25cea78c869
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Apr 3 15:26:12 2017 +1200

    auth_winbind: Allow badPwdCount to be set to 0 with this auth method
    
    We rely on the other SAM modules to increment the badPwdCount locally,
    but we must reset to 0 if the remote sends a success (to override our
    failure).
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2368f57b4d7bc26ba08273020d7281fab6f817c8
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Apr 12 14:12:32 2017 +1200

    winbindd: Do not run SAM auth stack in winbind SamLogon
    
    pdbtest.s4winbind no longer is applicable without a live NETLOGON
    connection.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a6a19e4308d4e81418eb5810cf492407dc91344b
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Apr 3 15:21:29 2017 +1200

    auth4: Add authoritative flag to check_password
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit deec2af7d2d0beb612bc9f35cca66cc825b9816d
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Tue Apr 4 12:42:17 2017 +1200

    libads: Decide to have no fallback option
    
    Before this change, it would always possibly choose another server at
    random despite later using the original principal when it got back to
    the connection initialization in the winbind connection manager.
    This caused bizarre authentication failures.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 52a37c697af2d24d129d8a41e9ae9cd8e7ca7fba
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Tue Mar 21 12:24:30 2017 +1300

    winbindd_cm: Pass cm_open_connection the need_rw_dc flag
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ac847898c8dbaeb16ca1f0fec24533441fc1a03c
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Tue Mar 21 11:56:39 2017 +1300

    winbindd_cm: Call dcip_check_name even when fetching from cache
    
    This is so that we can ensure that the DC is RWDC if required.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9d8a373523bde3899045cf7ff2e202e3f4f81612
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Tue Mar 21 11:15:13 2017 +1300

    winbindd_cm: Rename dcip_to_name to the more accurate dcip_check_name
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2ff09f6df096263851b51efe9123bdc37380eccf
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Mar 20 17:04:12 2017 +1300

    winbindd_cm: Add new parameter to getdc and find_new_dc calls
    
    This is to enforce the requirements on the remote DC.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bbf24149278f033a536c17f79aef445a24b4f2bc
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Mar 20 15:56:37 2017 +1300

    winbindd_cm: Add new parameter for dcip_to_name
    
    This is used to check the appropriateness of the DC given.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit eaf2c3e21dffde4dad89ce2e6c6a5061cc9f435f
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Mar 20 15:37:12 2017 +1300

    libads: Check cldap flags in libads/ldap
    
    Pass down request flags and check they are respected with the response
    flags. Otherwise, error out and pretend the connection never happened.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3dcee68fa998b9cf10ac34d6b3720d79475ac8c9
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Apr 26 10:39:09 2017 +1200

    tests/password_lockout: Remove unused users from base
    
    They take extra time to set up...
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit df2b71d1dbf14f79ee9a81585d710f3db832d83d
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Apr 10 14:40:20 2017 +1200

    samba-tool/spn: Add a missing newline to error message
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/auth/netlogon_creds_cli.c                   | 292 ++++++++++-
 libcli/auth/netlogon_creds_cli.h                   |  11 +
 librpc/idl/netlogon.idl                            |  39 +-
 librpc/idl/winbind.idl                             |   5 +
 python/samba/netcmd/spn.py                         |   4 +-
 selftest/knownfail                                 |   4 +
 selftest/target/Samba4.pm                          |   1 +
 source3/include/ads.h                              |   1 +
 source3/libads/cldap.c                             |  38 ++
 source3/libads/cldap.h                             |   3 +
 source3/libads/ldap.c                              |  17 +-
 source3/libsmb/dsgetdcname.c                       |  37 --
 source3/rpc_server/netlogon/srv_netlog_nt.c        |   6 +-
 source3/winbindd/winbindd_cm.c                     |  99 ++--
 source3/winbindd/winbindd_dual_srv.c               |  29 +-
 source3/winbindd/winbindd_irpc.c                   |  23 +
 source3/winbindd/winbindd_pam.c                    |   4 +-
 source3/winbindd/winbindd_proto.h                  |   1 +
 source4/auth/auth.h                                |   4 +-
 source4/auth/ntlm/auth.c                           |  11 +-
 source4/auth/ntlm/auth_anonymous.c                 |   3 +-
 source4/auth/ntlm/auth_developer.c                 |   3 +-
 source4/auth/ntlm/auth_sam.c                       | 123 +++--
 source4/auth/ntlm/auth_unix.c                      |   3 +-
 source4/auth/ntlm/auth_winbind.c                   |  47 +-
 source4/auth/sam.c                                 |  56 +-
 source4/auth/samba_server_gensec.c                 |   2 +-
 source4/dsdb/tests/python/password_lockout.py      |  14 +
 source4/dsdb/tests/python/password_lockout_base.py |  82 ++-
 source4/dsdb/tests/python/rodc_rwdc.py             | 576 ++++++++++++++++++++-
 source4/kdc/db-glue.c                              |  52 +-
 source4/kdc/hdb-samba4.c                           | 109 +++-
 source4/kdc/wscript_build                          |   4 +-
 source4/lib/com/pycom.c                            |  83 ---
 source4/lib/com/wscript_build                      |   7 -
 source4/librpc/rpc/dcerpc.h                        |   8 +
 source4/librpc/rpc/dcerpc_auth.c                   |  10 +
 source4/librpc/rpc/dcerpc_connect.c                |  10 +-
 source4/rpc_server/common/sid_helper.c             | 134 +++++
 source4/rpc_server/drsuapi/getncchanges.c          | 152 +-----
 source4/rpc_server/netlogon/dcerpc_netlogon.c      | 195 ++++++-
 source4/rpc_server/wscript_build                   |   9 +-
 42 files changed, 1873 insertions(+), 438 deletions(-)
 delete mode 100644 source4/lib/com/pycom.c
 create mode 100644 source4/rpc_server/common/sid_helper.c


Changeset truncated at 500 lines:

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index d55142e..fcab814 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -31,6 +31,7 @@
 #include "../libcli/auth/schannel.h"
 #include "../librpc/gen_ndr/ndr_schannel.h"
 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"
 #include "../librpc/gen_ndr/server_id.h"
 #include "netlogon_creds_cli.h"
 #include "source3/include/messages.h"
@@ -2800,19 +2801,20 @@ static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_done(struct tev
 		return;
 	}
 
-	if (tevent_req_nterror(req, result)) {
-		netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, result);
-		return;
-	}
-
 	*state->creds = state->tmp_creds;
 	status = netlogon_creds_cli_store(state->context,
 					  &state->creds);
+
 	if (tevent_req_nterror(req, status)) {
 		netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status);
 		return;
 	}
 
+	if (tevent_req_nterror(req, result)) {
+		netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, result);
+		return;
+	}
+
 	tevent_req_done(req);
 }
 
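Review bot: moving the `result` check below `netlogon_creds_cli_store()` is the actual fix here (the new authenticator state is now persisted even when the server returns an application-level error such as NT_STATUS_NOT_IMPLEMENTED), but unlike the SendToSam version later in this patch the moved block carries no comment saying why it must sit after the store; add the same `Creds must be stored before we send back application errors` comment above it so a later "simplification" does not move it back up.
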
@@ -3052,11 +3054,6 @@ static void netlogon_creds_cli_ServerGetTrustInfo_done(struct tevent_req *subreq
 		return;
 	}
 
-	if (tevent_req_nterror(req, result)) {
-		netlogon_creds_cli_ServerGetTrustInfo_cleanup(req, result);
-		return;
-	}
-
 	cmp = memcmp(state->new_owf_password.hash,
 		     zero.hash, sizeof(zero.hash));
 	if (cmp != 0) {
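Review bot: with the early `result` check removed here, the function now proceeds to `memcmp(state->new_owf_password.hash, zero.hash, ...)` and whatever follows before `result` is looked at again; confirm that the reply's output fields are well defined (zeroed) when the server returned an error, otherwise this path now acts on the contents of a failed call. A one-line comment at the removal point noting that the check was deliberately moved after the credential store would also help the next reader.
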
@@ -3078,6 +3075,11 @@ static void netlogon_creds_cli_ServerGetTrustInfo_done(struct tevent_req *subreq
 		return;
 	}
 
+	if (tevent_req_nterror(req, result)) {
+		netlogon_creds_cli_ServerGetTrustInfo_cleanup(req, result);
+		return;
+	}
+
 	tevent_req_done(req);
 }
 
@@ -3347,19 +3349,20 @@ static void netlogon_creds_cli_GetForestTrustInformation_done(struct tevent_req
 		return;
 	}
 
-	if (tevent_req_nterror(req, result)) {
-		netlogon_creds_cli_GetForestTrustInformation_cleanup(req, result);
-		return;
-	}
-
 	*state->creds = state->tmp_creds;
 	status = netlogon_creds_cli_store(state->context,
 					  &state->creds);
+
 	if (tevent_req_nterror(req, status)) {
 		netlogon_creds_cli_GetForestTrustInformation_cleanup(req, status);
 		return;
 	}
 
+	if (tevent_req_nterror(req, result)) {
+		netlogon_creds_cli_GetForestTrustInformation_cleanup(req, result);
+		return;
+	}
+
 	tevent_req_done(req);
 }
 
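Review bot: this is the third hand-copied instance of the "store creds, then surface `result`" tail in this file (DsrUpdateReadOnlyServerDnsRecords_done, ServerGetTrustInfo_done and here), with a fourth in the new SendToSam_done below; the bug being fixed arose precisely because that ordering is repeated by hand in every `_done` callback. Consider a small shared helper taking `req`, `state->context`, `&state->creds`, `&state->tmp_creds`, the per-call cleanup function and `result`, so the ordering is enforced in one place.
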
@@ -3413,3 +3416,262 @@ NTSTATUS netlogon_creds_cli_GetForestTrustInformation(
 	TALLOC_FREE(frame);
 	return status;
 }
+
+struct netlogon_creds_cli_SendToSam_state {
+	struct tevent_context *ev;
+	struct netlogon_creds_cli_context *context;
+	struct dcerpc_binding_handle *binding_handle;
+
+	char *srv_name_slash;
+	enum dcerpc_AuthType auth_type;
+	enum dcerpc_AuthLevel auth_level;
+
+	DATA_BLOB opaque;
+
+	struct netlogon_creds_CredentialState *creds;
+	struct netlogon_creds_CredentialState tmp_creds;
+	struct netr_Authenticator req_auth;
+	struct netr_Authenticator rep_auth;
+};
+
+static void netlogon_creds_cli_SendToSam_cleanup(struct tevent_req *req,
+								 NTSTATUS status);
+static void netlogon_creds_cli_SendToSam_locked(struct tevent_req *subreq);
+
+struct tevent_req *netlogon_creds_cli_SendToSam_send(TALLOC_CTX *mem_ctx,
+						     struct tevent_context *ev,
+						     struct netlogon_creds_cli_context *context,
+						     struct dcerpc_binding_handle *b,
+						     struct netr_SendToSamBase *message)
+{
+	struct tevent_req *req;
+	struct netlogon_creds_cli_SendToSam_state *state;
+	struct tevent_req *subreq;
+	enum ndr_err_code ndr_err;
+
+	req = tevent_req_create(mem_ctx, &state,
+				struct netlogon_creds_cli_SendToSam_state);
+	if (req == NULL) {
+		return NULL;
+	}
+
+	state->ev = ev;
+	state->context = context;
+	state->binding_handle = b;
+
+	state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
+						context->server.computer);
+	if (tevent_req_nomem(state->srv_name_slash, req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	ndr_err = ndr_push_struct_blob(&state->opaque, mem_ctx, message,
+				       (ndr_push_flags_fn_t)ndr_push_netr_SendToSamBase);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
+		tevent_req_nterror(req, status);
+		return tevent_req_post(req, ev);
+	}
+
+	dcerpc_binding_handle_auth_info(state->binding_handle,
+					&state->auth_type,
+					&state->auth_level);
+
+	subreq = netlogon_creds_cli_lock_send(state, state->ev,
+					      state->context);
+	if (tevent_req_nomem(subreq, req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	tevent_req_set_callback(subreq,
+				netlogon_creds_cli_SendToSam_locked,
+				req);
+
+	return req;
+}
+
+static void netlogon_creds_cli_SendToSam_cleanup(struct tevent_req *req,
+							 NTSTATUS status)
+{
+	struct netlogon_creds_cli_SendToSam_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_SendToSam_state);
+
+	if (state->creds == NULL) {
+		return;
+	}
+
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
+		TALLOC_FREE(state->creds);
+		return;
+	}
+
+	netlogon_creds_cli_delete(state->context, &state->creds);
+}
+
+static void netlogon_creds_cli_SendToSam_done(struct tevent_req *subreq);
+
+static void netlogon_creds_cli_SendToSam_locked(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct netlogon_creds_cli_SendToSam_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_SendToSam_state);
+	NTSTATUS status;
+
+	status = netlogon_creds_cli_lock_recv(subreq, state,
+					      &state->creds);
+	TALLOC_FREE(subreq);
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+
+	if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+		switch (state->auth_level) {
+		case DCERPC_AUTH_LEVEL_INTEGRITY:
+		case DCERPC_AUTH_LEVEL_PRIVACY:
+			break;
+		default:
+			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+			return;
+		}
+	} else {
+		uint32_t tmp = state->creds->negotiate_flags;
+
+		if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
+			/*
+			 * if DCERPC_AUTH_TYPE_SCHANNEL is supported
+			 * it should be used, which means
+			 * we had a chance to verify no downgrade
+			 * happened.
+			 *
+			 * This relies on netlogon_creds_cli_check*
+			 * being called before, as first request after
+			 * the DCERPC bind.
+			 */
+			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+			return;
+		}
+	}
+
+	/*
+	 * we defer all callbacks in order to cleanup
+	 * the database record.
+	 */
+	tevent_req_defer_callback(req, state->ev);
+
+	state->tmp_creds = *state->creds;
+	netlogon_creds_client_authenticator(&state->tmp_creds,
+					    &state->req_auth);
+	ZERO_STRUCT(state->rep_auth);
+
+	if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		netlogon_creds_aes_encrypt(&state->tmp_creds,
+					   state->opaque.data,
+					   state->opaque.length);
+	} else {
+		netlogon_creds_arcfour_crypt(&state->tmp_creds,
+					     state->opaque.data,
+					     state->opaque.length);
+	}
+
+	subreq = dcerpc_netr_NetrLogonSendToSam_send(state, state->ev,
+						     state->binding_handle,
+						     state->srv_name_slash,
+						     state->tmp_creds.computer_name,
+						     &state->req_auth,
+						     &state->rep_auth,
+						     state->opaque.data,
+						     state->opaque.length);
+	if (tevent_req_nomem(subreq, req)) {
+		status = NT_STATUS_NO_MEMORY;
+		netlogon_creds_cli_SendToSam_cleanup(req, status);
+		return;
+	}
+
+	tevent_req_set_callback(subreq,
+				netlogon_creds_cli_SendToSam_done,
+				req);
+}
+
+static void netlogon_creds_cli_SendToSam_done(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct netlogon_creds_cli_SendToSam_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_SendToSam_state);
+	NTSTATUS status;
+	NTSTATUS result;
+	bool ok;
+
+	status = dcerpc_netr_NetrLogonSendToSam_recv(subreq, state, &result);
+	TALLOC_FREE(subreq);
+	if (tevent_req_nterror(req, status)) {
+		netlogon_creds_cli_SendToSam_cleanup(req, status);
+		return;
+	}
+
+	ok = netlogon_creds_client_check(&state->tmp_creds,
+					 &state->rep_auth.cred);
+	if (!ok) {
+		status = NT_STATUS_ACCESS_DENIED;
+		tevent_req_nterror(req, status);
+		netlogon_creds_cli_SendToSam_cleanup(req, status);
+		return;
+	}
+
+	*state->creds = state->tmp_creds;
+	status = netlogon_creds_cli_store(state->context,
+					  &state->creds);
+
+	if (tevent_req_nterror(req, status)) {
+		netlogon_creds_cli_SendToSam_cleanup(req, status);
+		return;
+	}
+
+	/*
+	 * Creds must be stored before we send back application errors
+	 * e.g. NT_STATUS_NOT_IMPLEMENTED
+	 */
+	if (tevent_req_nterror(req, result)) {
+		netlogon_creds_cli_SendToSam_cleanup(req, result);
+		return;
+	}
+
+	tevent_req_done(req);
+}
+
+NTSTATUS netlogon_creds_cli_SendToSam(struct netlogon_creds_cli_context *context,
+				      struct dcerpc_binding_handle *b,
+				      struct netr_SendToSamBase *message)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct tevent_context *ev;
+	struct tevent_req *req;
+	NTSTATUS status = NT_STATUS_OK;
+
+	ev = samba_tevent_context_init(frame);
+	if (ev == NULL) {
+		goto fail;
+	}
+	req = netlogon_creds_cli_SendToSam_send(frame, ev, context, b, message);
+	if (req == NULL) {
+		goto fail;
+	}
+	if (!tevent_req_poll_ntstatus(req, ev, &status)) {
+		goto fail;
+	}
+
+	/* Ignore the result */
+ fail:
+	TALLOC_FREE(frame);
+	return status;
+}
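Review bot: `netlogon_creds_cli_SendToSam()` returns NT_STATUS_OK when `samba_tevent_context_init()` or `netlogon_creds_cli_SendToSam_send()` fails, because `status` is initialised to NT_STATUS_OK and neither `goto fail` path sets it; initialise it to NT_STATUS_NO_MEMORY (or set it before each `goto`) so an allocation failure is not reported to the caller as success, and drop the `/* Ignore the result */` comment, which is misleading given that `status` is exactly what is returned. Separately, `ndr_push_struct_blob(&state->opaque, mem_ctx, message, ...)` allocates the marshalled message on the caller's `mem_ctx` rather than on `state`, so the buffer (which is later encrypted in place) does not share the request's lifetime; pass `state` as the talloc parent.
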
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
index 949e03b..7c737dd 100644
--- a/libcli/auth/netlogon_creds_cli.h
+++ b/libcli/auth/netlogon_creds_cli.h
@@ -181,4 +181,15 @@ NTSTATUS netlogon_creds_cli_GetForestTrustInformation(
 			TALLOC_CTX *mem_ctx,
 			struct lsa_ForestTrustInformation **forest_trust_info);
 
+struct tevent_req *netlogon_creds_cli_SendToSam_send(TALLOC_CTX *mem_ctx,
+						     struct tevent_context *ev,
+						     struct netlogon_creds_cli_context *context,
+						     struct dcerpc_binding_handle *b,
+						     struct netr_SendToSamBase *message);
+
+NTSTATUS netlogon_creds_cli_SendToSam(
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b,
+				struct netr_SendToSamBase *message);
+
 #endif /* NETLOGON_CREDS_CLI_H */
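Review bot: the header adds `netlogon_creds_cli_SendToSam_send()` without a matching `_recv()`, breaking the `_send`/`_recv` pairing this library uses elsewhere (compare `netlogon_creds_cli_lock_send()`/`netlogon_creds_cli_lock_recv()` as used in the .c hunk above); async callers have no public way to collect the result except calling `tevent_req_is_nterror()` themselves. Add a `_recv` that returns the NTSTATUS and have the sync wrapper use it instead of `tevent_req_poll_ntstatus()` alone.
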
diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
index e4b499f..4d1a0ef 100644
--- a/librpc/idl/netlogon.idl
+++ b/librpc/idl/netlogon.idl
@@ -1466,9 +1466,46 @@ interface netlogon
 		[out,ref] samr_Password *password
 		);
 
+	typedef [public] enum {
+		SendToSamUpdatePassword = 0,
+		SendToSamResetBadPasswordCount = 1,
+		SendToSamUpdatePasswordForward = 2,
+		SendToSamUpdateLastLogonTimestamp = 3,
+		SendToSamResetSmartCardPassword = 4
+	} netr_SendToSamType;
+
+	typedef struct {
+		GUID guid;
+	} netr_SendToSamResetBadPasswordCount;
+
+	typedef [nodiscriminant, public,switch_type(netr_SendToSamType)] union {
+		/* TODO Implement other SendToSam message types
+		 * [case(SendToSamUpdatePassword)] netr_SendToSamUpdatePassword ...; */
+		[case(SendToSamResetBadPasswordCount)] netr_SendToSamResetBadPasswordCount reset_bad_password;
+		/*
+		 * [case(SendToSamUpdatePasswordForward)] netrSendToSamUpdatePasswordForward ...;
+		 * [case(SendToSamUpdateLastLogonTimestamp)] netrSendToSamUpdateLastLogonTimestamp ...;
+		 * [case(SendToSamResetSmartCardPassword)]   netrSendToSamResetSmartCardPassword ...;
+		 */
+		[default];
+	} netr_SendToSamMessage;
+
+	typedef [public] struct {
+		netr_SendToSamType message_type;
+		uint32 message_size;
+		[switch_is(message_type), subcontext(0), subcontext_size(message_size)] netr_SendToSamMessage message;
+	} netr_SendToSamBase;
+
 	/****************/
 	/* Function 0x20 */
-	[todo] WERROR netr_NETRLOGONSENDTOSAM();
+	NTSTATUS netr_NetrLogonSendToSam(
+		[in,unique] [string,charset(UTF16)] uint16 *server_name,
+		[in]  [string,charset(UTF16)] uint16 *computer_name,
+		[in,ref] netr_Authenticator *credential,
+		[out,ref] netr_Authenticator *return_authenticator,
+		[in,ref]  [size_is(buffer_len)] uint8 *opaque_buffer,
+		[in] uint32 buffer_len
+		);
 
 	/****************/
 	/* Function 0x21 */
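Review bot: `netr_SendToSamMessage` is `[nodiscriminant]` with an empty `[default]` arm, so a `netr_SendToSamBase` carrying any `message_type` other than `SendToSamResetBadPasswordCount` still pulls successfully with an empty `message`; the server-side consumer must reject unexpected `message_type` values explicitly rather than relying on the NDR pull to fail. A comment pointing at the MS-NRPC definitions these enum values and the `netr_NetrLogonSendToSam` signature are taken from would also be useful, since this replaces a `[todo]` stub.
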
diff --git a/librpc/idl/winbind.idl b/librpc/idl/winbind.idl
index 05db6b9..737d66a 100644
--- a/librpc/idl/winbind.idl
+++ b/librpc/idl/winbind.idl
@@ -211,4 +211,9 @@ interface winbind
 		[in] uint32 flags,
 		[out,ref] lsa_ForestTrustInformation **forest_trust_info
 		);
+
+	NTSTATUS winbind_SendToSam(
+		[in] netr_SendToSamBase message
+		);
+
 }
diff --git a/python/samba/netcmd/spn.py b/python/samba/netcmd/spn.py
index 03d072e..001728c 100644
--- a/python/samba/netcmd/spn.py
+++ b/python/samba/netcmd/spn.py
@@ -67,8 +67,8 @@ class cmd_spn_list(Command):
                 for e in spns:
                     self.outf.write("\t %s\n" % e)
             else:
-                self.outf.write("User %s has no servicePrincipalName" %
-                    res[0].dn)
+                self.outf.write("User %s has no servicePrincipalName\n" %
+                                res[0].dn)
         else:
             raise CommandError("User %s not found" % user)
 
diff --git a/selftest/knownfail b/selftest/knownfail
index 3cc945b..c6047c8 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -244,6 +244,10 @@
 ^samba4.winbind.struct.lookup_name_sid\(ad_member:local\)
 ^samba4.winbind.struct.getdcname\(nt4_member:local\) # Works in other modes, just not against the classic/NT4 DC
 #
+# This test is no longer valid given s4winbind needs a live NETLOGON server
+#
+^samba.blackbox.pdbtest.s4winbind\(ad_dc_ntvfs\).pdbtest
+#
 # Differences in our KDC compared to windows
 #
 ^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index b9367ea..e4d5efd 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1622,6 +1622,7 @@ sub provision_rodc($$$)
 	$ctx->{smb_conf_extra_options} = "
 	max xmit = 32K
 	server max protocol = SMB2
+	password server = $dcvars->{DC_SERVER}
 
 [sysvol]
 	path = $ctx->{statedir}/sysvol
diff --git a/source3/include/ads.h b/source3/include/ads.h
index 2b25c1c..ebc5728 100644
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -64,6 +64,7 @@ typedef struct ads_struct {
 		char *workgroup;
 		char *ldap_server;
 		bool gc;     /* Is this a global catalog server? */
+		bool no_fallback; /* Bail if the ldap_server is not available */
 	} server;
 
 	/* info needed to authenticate */
diff --git a/source3/libads/cldap.c b/source3/libads/cldap.c
index 586a04a..f4022a1 100644
--- a/source3/libads/cldap.c
+++ b/source3/libads/cldap.c
@@ -22,6 +22,7 @@
 
 #include "includes.h"
 #include "../libcli/cldap/cldap.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"


-- 
Samba Shared Repository


