[SCM] Samba Shared Repository - branch master updated

Volker Lendecke vlendec at samba.org
Mon Sep 25 11:43:03 UTC 2017


The branch, master has been updated
       via  82c17bc rpcclient: Fix "capabilities" command
       via  32e823e netlogon_creds_cli: Pass "capabilities" up from creds_cli_check
       via  d7e31d9 winbindd: Use rpccli_connect_netlogon
       via  71c54af cli_netlogon: rpccli_connect_netlogon
       via  f7807c1 cli_netlogon: Return flags from rpccli_setup_netlogon_creds_locked
       via  de2279d rpcclient3: Factor out cli_rpc_pipe_open_bind_schannel()
       via  9f4fc9f cli_netlogon: Factor out rpccli_setup_netlogon_creds_locked
       via  4d19f8b netlogon_creds_cli: Protect netlogon_creds_cli_auth by _lck
       via  f6e3945 netlogon_creds_cli: Protect netlogon_creds_cli_check by _lck
       via  d61545a netlogon_creds_cli: Add netlogon_creds_cli_delete_lck
       via  3e72a12 netlogon_creds_cli: Add netlogon_creds_cli_lck
       via  4b97de8 rpc_client3: Avoid "cli_credentials" in cli_rpc_pipe_open_schannel_with_creds
       via  6f879b7 netlogon_creds_cli: Create cli_credentials from netlogon creds ctx
       via  dac48cf netlogon_creds_cli: Factor out netlogon_creds_cli_delete_internal
       via  c0e2863 netlogon_creds_cli: Factor out netlogon_creds_cli_store_internal
       via  62e6555 netlogon_creds_cli: Print netlogon_creds_CredentialState
       via  0463527 netlogon_creds_cli: Simplify netlogon_creds_cli_get
       via  71fb0a8 netlogon_creds_cli: Rename netlogon_creds_cli_lock_fetch->get_internal
       via  c377c91 netlogon_creds_cli: Transfer a comment
       via  b750a6d netlogon_creds_cli: Remove tevent_req handling from netlogon_creds_cli_lock_fetch
       via  b92b10d netlogon_creds_cli: Remove unused code
       via  fa53617 netlogon_creds_cli: Simplify netlogon_creds_cli_delete
       via  154b28b netlogon_creds_cli: Simplify netlogon_creds_cli_store
       via  c234599 cli_netlogon: Remove an unnecessary if-condition
       via  a969fc9 cli_netlogon: Rename "netlogon_creds" to "creds_ctx"
       via  8636496 netlogon_creds_cli: Simplify netlogon_creds_cli_context_global
       via  954167a netlogon_creds_cli: Fix talloc_stackframe leaks
      from  7ddf479 scripting: Add script (backportable) to undo a GUID index

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 82c17bc9faaca395e1cc91a672348f08362984a0
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Sep 19 17:30:02 2017 -0700

    rpcclient: Fix "capabilities" command
    
    This used to not properly store the chained credentials back into the
    netlogon_creds_cli tdb. This by the way is the bug that all the
    routines for the NT4 style sam replication had that just disappeared.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Mon Sep 25 13:42:19 CEST 2017 on sn-devel-144

commit 32e823e08df305919ba0a001a389eb88b7d1be68
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Sep 19 16:45:27 2017 -0700

    netlogon_creds_cli: Pass "capabilities" up from creds_cli_check
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d7e31d9f4d9ce7395e458ac341dd83ac06255a20
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Sep 18 16:19:12 2017 -0700

    winbindd: Use rpccli_connect_netlogon
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 71c54af089d13ba2b80383e8d57859b62cc131a7
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Sep 18 13:26:03 2017 -0700

    cli_netlogon: rpccli_connect_netlogon
    
    This is the one-stop shop to a working, schannel'ed connection to the
    netlogon RPC interface. Jeremy tells me it needs more comments :-)
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f7807c1bd20c160da4da09d57f983d6d06a0e66f
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Sep 18 13:17:01 2017 -0700

    cli_netlogon: Return flags from rpccli_setup_netlogon_creds_locked
    
    This will be used in a later commit in the rpcclient "capabilities"
    command. Avoids another netlogon_creds_cli_get in the next commit.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit de2279df55dea426f73c485917676976f7a6e28c
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Sep 17 14:28:44 2017 -0700

    rpcclient3: Factor out cli_rpc_pipe_open_bind_schannel()
    
    This will be used for the "fast path" to netlogon when we already have
    credentials.
    
    This slightly widens the area of code covered by the netlogon_creds
    lock: cli_rpc_pipe_open is now also covered by the lock.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9f4fc9f8a6e6a953c004eb649e2190b4a4670eaf
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Sep 17 07:31:28 2017 -0700

    cli_netlogon: Factor out rpccli_setup_netlogon_creds_locked
    
    This does the reqchallenge/serverauth while assuming we have the
    netlogon_creds_cli_lck already held. The _locked flavor will be called
    from a routine that covers more under one single lock.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4d19f8b4b957814b11d096acc75e670878bc8240
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Sep 13 11:51:47 2017 -0700

    netlogon_creds_cli: Protect netlogon_creds_cli_auth by _lck
    
    This widens the lock range to cover the check for established
    credentials. Before this patch it could happen that more than one
    winbind finds no credentials and does the auth3. This can pile up.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f6e39450f539e2014854debb485023e46a8f16d2
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Sep 13 09:40:57 2017 -0700

    netlogon_creds_cli: Protect netlogon_creds_cli_check by _lck
    
    netlogon_creds_cli_lck provides the locking around the operation
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d61545a5b3531ecf22fa310a66ba85ae8165cadf
Author: Volker Lendecke <vl at samba.org>
Date:   Fri Sep 15 19:39:01 2017 -0700

    netlogon_creds_cli: Add netlogon_creds_cli_delete_lck
    
    Like netlogon_creds_cli_delete, protected by netlogon_creds_cli_lck
    instead of netlogon_creds_cli_lock.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3e72a12dafde9f437e3b57836b7fc0960a65a049
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Sep 11 16:48:27 2017 -0700

    netlogon_creds_cli: Add netlogon_creds_cli_lck
    
    This adds an external locking scheme to protect our
    netlogon_creds_CredentialState. This is needed because the routines
    exposed by netlogon_creds_cli.h need a more flexible locking to
    set up our credentials in a properly protected way.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4b97de8adb2977aaec21940241dbc4d615307f4f
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Sep 7 12:43:00 2017 +0200

    rpc_client3: Avoid "cli_credentials" in cli_rpc_pipe_open_schannel_with_creds
    
    This provides cleaner data dependencies. A netlogon_creds_ctx contains
    everything required to open an schannel, there is no good reason to
    require cli_credentials here.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6f879b780a5ff37e80d1bf7c06e377909bcfc950
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Sep 7 12:36:14 2017 +0200

    netlogon_creds_cli: Create cli_credentials from netlogon creds ctx
    
    A netlogon_creds_cli_context holds all information required to do an
    schannel bind. Used in the next commit.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit dac48cf2b9d857b3da9454d612103d44cfe49c5a
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Sep 13 09:33:56 2017 -0700

    netlogon_creds_cli: Factor out netlogon_creds_cli_delete_internal
    
    In a future commit we'll need a version that does not check for
    context->db.locked_state
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c0e28638fa839958d3e621be53243c2c513f94b4
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Sep 13 09:32:36 2017 -0700

    netlogon_creds_cli: Factor out netlogon_creds_cli_store_internal
    
    In a future commit we'll need a version that does not check for
    context->db.locked_state
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 62e655568ed13f587e98cb08563f515f2a9be570
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Sep 10 19:11:21 2017 +0200

    netlogon_creds_cli: Print netlogon_creds_CredentialState
    
    Add some debugging for the tdb records
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0463527e4ed367b54c4822f6b179ae7a3dd78cd7
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Sep 13 11:40:24 2017 -0700

    netlogon_creds_cli: Simplify netlogon_creds_cli_get
    
    netlogon_creds_cli_get_internal almost does everything needed, only
    the invalidating for credential chain use is missing.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 71fb0a89b48e8bd44b7c792d01380ff6711cd8d0
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Sep 13 11:38:11 2017 -0700

    netlogon_creds_cli: Rename netlogon_creds_cli_lock_fetch->get_internal
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c377c915d6283439021dcf805769eb1485966010
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Sep 13 11:37:00 2017 -0700

    netlogon_creds_cli: Transfer a comment
    
    This part of netlogon_creds_cli_get will go
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b750a6dbb549112d2660f49882a7d2ef8f1320ca
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Sep 13 08:51:25 2017 -0700

    netlogon_creds_cli: Remove tevent_req handling from netlogon_creds_cli_lock_fetch
    
    Disentangle concerns, make netlogon_creds_cli_lock_fetch usable for
    other callers
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b92b10d7c3468c09f15090a747b2ac432682d746
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Sep 5 13:37:56 2017 +0200

    netlogon_creds_cli: Remove unused code
    
    According to metze this was meant for test code that never materialized
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit fa53617542361191c2da7dd9a761cd17af03a312
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Sep 10 14:55:13 2017 +0200

    netlogon_creds_cli: Simplify netlogon_creds_cli_delete
    
    Don't implicitly TALLOC_FREE(creds) in the pure delete routine
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 154b28b686f04a933181e510c43444afc67993b8
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Sep 10 14:55:13 2017 +0200

    netlogon_creds_cli: Simplify netlogon_creds_cli_store
    
    Don't implicitly TALLOC_FREE(creds) in the pure store routine. This
    mixes up responsibilities, and there aren't enough callers to justify
    centralizing the TALLOC_FREE.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c234599a5404947c676bfdb6b8bd3929960b1cd9
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Sep 5 16:26:11 2017 +0200

    cli_netlogon: Remove an unnecessary if-condition
    
    We don't need to check this here. rpccli_create_netlogon_creds_ctx via
    netlogon_creds_cli_context_global returns NT_STATUS_INVALID_PARAMETER for an
    unknown schannel type. Slightly different error code, but we could change the
    one in netlogon_creds_cli_context_global if necessary.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a969fc99a83d84d1c8e54eb476738d3096155152
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Sep 5 16:17:58 2017 +0200

    cli_netlogon: Rename "netlogon_creds" to "creds_ctx"
    
    Trying to understand this code, it's important for me to name variables
    indicating their use: a netlogon_creds_cli_context is a context with access to
    credentials, it's not the credentials themselves.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 863649653118adf4d46c76dd039dbec1a3682c7a
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Sep 5 15:35:17 2017 +0200

    netlogon_creds_cli: Simplify netlogon_creds_cli_context_global
    
    netlogon_creds_cli_open_global_db() already contains the NULL check. Use that.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 954167a0014b8e3e989d57757d5e97be0e225e27
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Sep 13 04:10:59 2017 -0700

    netlogon_creds_cli: Fix talloc_stackframe leaks
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/auth/netlogon_creds_cli.c       | 663 ++++++++++++++++++---------------
 libcli/auth/netlogon_creds_cli.h       |  46 ++-
 source3/libnet/libnet_join.c           |   1 -
 source3/libsmb/trusts_util.c           |  46 ++-
 source3/rpc_client/cli_netlogon.c      | 307 ++++++++++++---
 source3/rpc_client/cli_netlogon.h      |  18 +-
 source3/rpc_client/cli_pipe.c          | 105 ++++--
 source3/rpc_client/cli_pipe.h          |   7 +-
 source3/rpc_client/cli_pipe_schannel.c |   1 -
 source3/rpcclient/cmd_netlogon.c       |  56 +--
 source3/winbindd/winbindd_cm.c         | 113 +-----
 11 files changed, 818 insertions(+), 545 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index dc05316..cb3d6a9 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -38,6 +38,7 @@
 #include "source3/include/g_lock.h"
 #include "libds/common/roles.h"
 #include "lib/crypto/crypto.h"
+#include "auth/credentials/credentials.h"
 
 struct netlogon_creds_cli_locked_state;
 
@@ -67,6 +68,7 @@ struct netlogon_creds_cli_context {
 		struct db_context *ctx;
 		struct g_lock_ctx *g_ctx;
 		struct netlogon_creds_cli_locked_state *locked_state;
+		enum netlogon_creds_cli_lck_type lock;
 	} db;
 };
 
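Review bot: the new `enum netlogon_creds_cli_lck_type lock` member of the `db` struct has no comment saying what values it takes or who sets and clears it; `netlogon_creds_cli_delete_lck()` further down compares it against NETLOGON_CREDS_CLI_LCK_EXCLUSIVE, so correctness depends on a freshly created context holding the "not locked" value, which in turn depends on the allocator zeroing the struct and on the enum's zero value meaning "none". Suggest a one-line comment such as `/* lock type currently held via netlogon_creds_cli_lck, 0 = none */` and an explicit "none" enumerator in netlogon_creds_cli.h.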
@@ -272,11 +274,13 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 	*_context = NULL;
 
 	if (msg_ctx == NULL) {
+		TALLOC_FREE(frame);
 		return NT_STATUS_INVALID_PARAMETER_MIX;
 	}
 
 	client_computer = lpcfg_netbios_name(lp_ctx);
 	if (strlen(client_computer) > 15) {
+		TALLOC_FREE(frame);
 		return NT_STATUS_INVALID_PARAMETER_MIX;
 	}
 
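Review bot: the two added TALLOC_FREE(frame) calls correctly plug the stackframe leak on these early returns, but the function frees `frame` separately at every exit, which is exactly how these two were missed. A single cleanup label (`fail:` / `done:`) that frees `frame` before returning would keep the next early return from reintroducing the leak. Style point only; the fix itself is right.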
@@ -432,13 +436,6 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	if (netlogon_creds_cli_global_db != NULL) {
-		context->db.ctx = netlogon_creds_cli_global_db;
-		*_context = context;
-		TALLOC_FREE(frame);
-		return NT_STATUS_OK;
-	}
-
 	status = netlogon_creds_cli_open_global_db(lp_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		TALLOC_FREE(context);
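Review bot: with the fast path removed, netlogon_creds_cli_open_global_db() now runs on every context creation, so it has to be cheap and idempotent when netlogon_creds_cli_global_db is already set; the commit message says the NULL check lives there, but that function is not in this mail. Also worth checking in the error path shown here: `TALLOC_FREE(context)` is followed by a return, and the hunk does not show whether `frame` is freed on that path, which matters given the stackframe fix in the same series.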
@@ -452,44 +449,35 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 	return NT_STATUS_OK;
 }
 
-NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
-				const char *client_account,
-				enum netr_SchannelType type,
-				uint32_t proposed_flags,
-				uint32_t required_flags,
-				enum dcerpc_AuthLevel auth_level,
-				const char *server_computer,
-				const char *server_netbios_domain,
-				TALLOC_CTX *mem_ctx,
-				struct netlogon_creds_cli_context **_context)
+NTSTATUS netlogon_creds_bind_cli_credentials(
+	struct netlogon_creds_cli_context *context, TALLOC_CTX *mem_ctx,
+	struct cli_credentials **pcli_creds)
 {
+	struct cli_credentials *cli_creds;
+	struct netlogon_creds_CredentialState *ncreds;
 	NTSTATUS status;
-	struct netlogon_creds_cli_context *context = NULL;
 
-	*_context = NULL;
+	cli_creds = cli_credentials_init(mem_ctx);
+	if (cli_creds == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	cli_credentials_set_secure_channel_type(cli_creds,
+						context->client.type);
+	cli_credentials_set_username(cli_creds, context->client.account,
+				     CRED_SPECIFIED);
+	cli_credentials_set_domain(cli_creds, context->server.netbios_domain,
+				   CRED_SPECIFIED);
+	cli_credentials_set_realm(cli_creds, context->server.dns_domain,
+				  CRED_SPECIFIED);
 
-	status = netlogon_creds_cli_context_common(client_computer,
-						   client_account,
-						   type,
-						   auth_level,
-						   proposed_flags,
-						   required_flags,
-						   server_computer,
-						   server_netbios_domain,
-						   "",
-						   mem_ctx,
-						   &context);
+	status = netlogon_creds_cli_get(context, cli_creds, &ncreds);
 	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(cli_creds);
 		return status;
 	}
+	cli_credentials_set_netlogon_creds(cli_creds, ncreds);
 
-	context->db.ctx = db_open_rbt(context);
-	if (context->db.ctx == NULL) {
-		talloc_free(context);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	*_context = context;
+	*pcli_creds = cli_creds;
 	return NT_STATUS_OK;
 }
 
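Review bot: in netlogon_creds_bind_cli_credentials() the return values of cli_credentials_set_username(), cli_credentials_set_domain() and cli_credentials_set_realm() are discarded; these return bool, and a failed set (allocation failure) leaves `cli_creds` partially populated while the function still reports NT_STATUS_OK. Suggest checking each, e.g. `ok = cli_credentials_set_username(...); if (!ok) { TALLOC_FREE(cli_creds); return NT_STATUS_NO_MEMORY; }`. The function is also a new public entry point without a header comment; it should state that `ncreds` is allocated on `cli_creds` (via netlogon_creds_cli_get), so freeing the returned cli_credentials frees the credential state with it, which is what the error path here relies on.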
@@ -541,6 +529,10 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
 		return;
 	}
 
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_DEBUG(netlogon_creds_CredentialState, state->creds);
+	}
+
 	tmp_flags = state->creds->negotiate_flags;
 	tmp_flags &= state->required_flags;
 	if (tmp_flags != state->required_flags) {
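Review bot: the NDR_PRINT_DEBUG at DEBUGLEVEL >= 10 dumps the complete netlogon_creds_CredentialState, which includes the schannel session_key and the credential-chain seed, so a level-10 log now contains the secret material for this machine account's secure channel. That is consistent with how much level 10 already exposes elsewhere in Samba, but it deserves a comment at the print site, and it makes the permissions on the debug log security-relevant on any host run at that level. A variant that masks session_key would keep the record debugging useful without writing the key out.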
@@ -552,27 +544,20 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
 	state->status = NT_STATUS_OK;
 }
 
+static NTSTATUS netlogon_creds_cli_get_internal(
+	struct netlogon_creds_cli_context *context,
+	TALLOC_CTX *mem_ctx, struct netlogon_creds_CredentialState **pcreds);
+
 NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
 				TALLOC_CTX *mem_ctx,
 				struct netlogon_creds_CredentialState **_creds)
 {
 	NTSTATUS status;
-	struct netlogon_creds_cli_fetch_state fstate = {
-		.mem_ctx = mem_ctx,
-		.status = NT_STATUS_INTERNAL_ERROR,
-		.required_flags = context->client.required_flags,
-	};
+	struct netlogon_creds_CredentialState *creds;
 
 	*_creds = NULL;
 
-	status = dbwrap_parse_record(context->db.ctx,
-				     context->db.key_data,
-				     netlogon_creds_cli_fetch_parser,
-				     &fstate);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-	status = fstate.status;
+	status = netlogon_creds_cli_get_internal(context, mem_ctx, &creds);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -580,61 +565,12 @@ NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
 	/*
 	 * mark it as invalid for step operations.
 	 */
-	fstate.creds->sequence = 0;
-	fstate.creds->seed = (struct netr_Credential) {{0}};
-	fstate.creds->client = (struct netr_Credential) {{0}};
-	fstate.creds->server = (struct netr_Credential) {{0}};
-
-	if (context->server.cached_flags == fstate.creds->negotiate_flags) {
-		*_creds = fstate.creds;
-		return NT_STATUS_OK;
-	}
-
-	/*
-	 * It is really important to try SamLogonEx here,
-	 * because multiple processes can talk to the same
-	 * domain controller, without using the credential
-	 * chain.
-	 *
-	 * With a normal SamLogon call, we must keep the
-	 * credentials chain updated and intact between all
-	 * users of the machine account (which would imply
-	 * cross-node communication for every NTLM logon).
-	 *
-	 * The credentials chain is not per NETLOGON pipe
-	 * connection, but globally on the server/client pair
-	 * by computer name.
-	 *
-	 * It's also important to use NetlogonValidationSamInfo4 (6),
-	 * because it relies on the rpc transport encryption
-	 * and avoids using the global netlogon schannel
-	 * session key to en/decrypt secret information
-	 * like the user_session_key for network logons.
-	 *
-	 * [MS-APDS] 3.1.5.2 NTLM Network Logon
-	 * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
-	 * NETLOGON_NEG_AUTHENTICATED_RPC set together
-	 * are the indication that the server supports
-	 * NetlogonValidationSamInfo4 (6). And it must only
-	 * be used if "SealSecureChannel" is used.
-	 *
-	 * The "SealSecureChannel" AUTH_TYPE_SCHANNEL/AUTH_LEVEL_PRIVACY
-	 * check is done in netlogon_creds_cli_LogonSamLogon*().
-	 */
-	context->server.cached_flags = fstate.creds->negotiate_flags;
-	context->server.try_validation6 = true;
-	context->server.try_logon_ex = true;
-	context->server.try_logon_with = true;
+	creds->sequence = 0;
+	creds->seed = (struct netr_Credential) {{0}};
+	creds->client = (struct netr_Credential) {{0}};
+	creds->server = (struct netr_Credential) {{0}};
 
-	if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
-		context->server.try_validation6 = false;
-		context->server.try_logon_ex = false;
-	}
-	if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
-		context->server.try_validation6 = false;
-	}
-
-	*_creds = fstate.creds;
+	*_creds = creds;
 	return NT_STATUS_OK;
 }
 
@@ -676,37 +612,22 @@ bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
 	return (cmp == 0);
 }
 
-NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
-				  struct netlogon_creds_CredentialState **_creds)
+static NTSTATUS netlogon_creds_cli_store_internal(
+	struct netlogon_creds_cli_context *context,
+	struct netlogon_creds_CredentialState *creds)
 {
-	struct netlogon_creds_CredentialState *creds = *_creds;
 	NTSTATUS status;
 	enum ndr_err_code ndr_err;
 	DATA_BLOB blob;
 	TDB_DATA data;
 
-	*_creds = NULL;
-
-	if (context->db.locked_state == NULL) {
-		/*
-		 * this was not the result of netlogon_creds_cli_lock*()
-		 */
-		TALLOC_FREE(creds);
-		return NT_STATUS_INVALID_PAGE_PROTECTION;
-	}
-
-	if (context->db.locked_state->creds != creds) {
-		/*
-		 * this was not the result of netlogon_creds_cli_lock*()
-		 */
-		TALLOC_FREE(creds);
-		return NT_STATUS_INVALID_PAGE_PROTECTION;
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds);
 	}
 
 	ndr_err = ndr_push_struct_blob(&blob, creds, creds,
 		(ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		TALLOC_FREE(creds);
 		status = ndr_map_error2ntstatus(ndr_err);
 		return status;
 	}
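Review bot: the second NDR_PRINT_DEBUG, here in netlogon_creds_cli_store_internal(), has the same session-key-in-the-log consideration as the one in netlogon_creds_cli_fetch_parser(); a single shared print helper (level 10 only, key masked) would keep both sites consistent. Otherwise the split is clean: the locked_state checks stay in the public wrapper, and the ndr_push error path no longer frees a `creds` it does not own.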
@@ -717,7 +638,7 @@ NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
 	status = dbwrap_store(context->db.ctx,
 			      context->db.key_data,
 			      data, TDB_REPLACE);
-	TALLOC_FREE(creds);
+	TALLOC_FREE(data.dptr);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
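Review bot: TALLOC_FREE(data.dptr) in place of TALLOC_FREE(creds) is the right change: the blob was pushed with `creds` as its talloc parent, and since this routine no longer frees `creds`, the pushed buffer would otherwise live as long as the credential state does. A short comment saying the buffer hangs off `creds` would explain why an explicit free is needed at all.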
@@ -725,19 +646,15 @@ NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
 	return NT_STATUS_OK;
 }
 
-NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
-				   struct netlogon_creds_CredentialState **_creds)
+NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
+				  struct netlogon_creds_CredentialState *creds)
 {
-	struct netlogon_creds_CredentialState *creds = *_creds;
 	NTSTATUS status;
 
-	*_creds = NULL;
-
 	if (context->db.locked_state == NULL) {
 		/*
 		 * this was not the result of netlogon_creds_cli_lock*()
 		 */
-		TALLOC_FREE(creds);
 		return NT_STATUS_INVALID_PAGE_PROTECTION;
 	}
 
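Review bot: netlogon_creds_cli_store() changes its signature from `**_creds` to `*creds` and no longer frees the credential state, so every caller must now TALLOC_FREE it itself or the state (session key included) stays allocated on the caller's context; the summary lists cli_netlogon.c, trusts_util.c, cmd_netlogon.c and winbindd_cm.c as touched, but those files are beyond the 500-line truncation, so the callers cannot be checked from this mail. The header comment on netlogon_creds_cli_store() should state the new ownership rule explicitly.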
@@ -745,18 +662,55 @@ NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
 		/*
 		 * this was not the result of netlogon_creds_cli_lock*()
 		 */
-		TALLOC_FREE(creds);
 		return NT_STATUS_INVALID_PAGE_PROTECTION;
 	}
 
-	status = dbwrap_delete(context->db.ctx,
-			       context->db.key_data);
-	TALLOC_FREE(creds);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
+	status = netlogon_creds_cli_store_internal(context, creds);
+	return status;
+}
+
+static NTSTATUS netlogon_creds_cli_delete_internal(
+	struct netlogon_creds_cli_context *context)
+{
+	NTSTATUS status;
+	status = dbwrap_delete(context->db.ctx, context->db.key_data);
+	return status;
+}
+
+NTSTATUS netlogon_creds_cli_delete_lck(
+	struct netlogon_creds_cli_context *context)
+{
+	NTSTATUS status;
+
+	if (context->db.lock != NETLOGON_CREDS_CLI_LCK_EXCLUSIVE) {
+		return NT_STATUS_NOT_LOCKED;
 	}
 
-	return NT_STATUS_OK;
+	status = netlogon_creds_cli_delete_internal(context);
+	return status;
+}
+
+NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
+				   struct netlogon_creds_CredentialState *creds)
+{
+	NTSTATUS status;
+
+	if (context->db.locked_state == NULL) {
+		/*
+		 * this was not the result of netlogon_creds_cli_lock*()
+		 */
+		return NT_STATUS_INVALID_PAGE_PROTECTION;
+	}
+
+	if (context->db.locked_state->creds != creds) {
+		/*
+		 * this was not the result of netlogon_creds_cli_lock*()
+		 */
+		return NT_STATUS_INVALID_PAGE_PROTECTION;
+	}
+
+	status = netlogon_creds_cli_delete_internal(context);
+	return status;
 }
 
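Review bot: netlogon_creds_cli_store() and netlogon_creds_cli_delete() now carry identical copies of the two locked_state checks; a small static helper returning the status would remove the duplication. Related: the new netlogon_creds_cli_delete_lck() reports the unlocked case as NT_STATUS_NOT_LOCKED, which describes the condition much better than the NT_STATUS_INVALID_PAGE_PROTECTION the older pair keeps using; worth aligning the three. netlogon_creds_cli_delete_internal() is a one-line wrapper around dbwrap_delete(), fine as the hook for the "no locked_state check" variant the commit message announces, but its `status` local could simply be a direct `return dbwrap_delete(...)`.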
 struct netlogon_creds_cli_lock_state {
@@ -765,7 +719,6 @@ struct netlogon_creds_cli_lock_state {
 };
 
 static void netlogon_creds_cli_lock_done(struct tevent_req *subreq);
-static void netlogon_creds_cli_lock_fetch(struct tevent_req *req);
 
 struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
 				struct tevent_context *ev,
@@ -799,8 +752,11 @@ struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
 	state->locked_state = locked_state;
 
 	if (context->db.g_ctx == NULL) {
-		netlogon_creds_cli_lock_fetch(req);
-		if (!tevent_req_is_in_progress(req)) {
+		NTSTATUS status;
+
+		status = netlogon_creds_cli_get_internal(
+			context, state, &state->creds);
+		if (tevent_req_nterror(req, status)) {
 			return tevent_req_post(req, ev);
 		}
 
@@ -836,40 +792,73 @@ static void netlogon_creds_cli_lock_done(struct tevent_req *subreq)
 	}
 	state->locked_state->is_glocked = true;
 
-	netlogon_creds_cli_lock_fetch(req);
+	status = netlogon_creds_cli_get_internal(state->locked_state->context,
+					       state, &state->creds);
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+	tevent_req_done(req);
 }
 
-static void netlogon_creds_cli_lock_fetch(struct tevent_req *req)
+static NTSTATUS netlogon_creds_cli_get_internal(
+	struct netlogon_creds_cli_context *context,
+	TALLOC_CTX *mem_ctx, struct netlogon_creds_CredentialState **pcreds)
 {
-	struct netlogon_creds_cli_lock_state *state =
-		tevent_req_data(req,
-		struct netlogon_creds_cli_lock_state);
-	struct netlogon_creds_cli_context *context = state->locked_state->context;
 	struct netlogon_creds_cli_fetch_state fstate = {
 		.status = NT_STATUS_INTERNAL_ERROR,
 		.required_flags = context->client.required_flags,
 	};
 	NTSTATUS status;
 
-	fstate.mem_ctx = state;
+	fstate.mem_ctx = mem_ctx;
 	status = dbwrap_parse_record(context->db.ctx,
 				     context->db.key_data,
 				     netlogon_creds_cli_fetch_parser,
 				     &fstate);
-	if (tevent_req_nterror(req, status)) {
-		return;
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
 	}
-	status = fstate.status;
-	if (tevent_req_nterror(req, status)) {
-		return;
+	if (!NT_STATUS_IS_OK(fstate.status)) {
+		return fstate.status;
 	}
 
 	if (context->server.cached_flags == fstate.creds->negotiate_flags) {
-		state->creds = fstate.creds;
-		tevent_req_done(req);
-		return;
+		*pcreds = fstate.creds;
+		return NT_STATUS_OK;
 	}
 
+	/*
+	 * It is really important to try SamLogonEx here,
+	 * because multiple processes can talk to the same
+	 * domain controller, without using the credential
+	 * chain.
+	 *
+	 * With a normal SamLogon call, we must keep the
+	 * credentials chain updated and intact between all
+	 * users of the machine account (which would imply
+	 * cross-node communication for every NTLM logon).
+	 *
+	 * The credentials chain is not per NETLOGON pipe
+	 * connection, but globally on the server/client pair
+	 * by computer name.
+	 *
+	 * It's also important to use NetlogonValidationSamInfo4 (6),
+	 * because it relies on the rpc transport encryption
+	 * and avoids using the global netlogon schannel
+	 * session key to en/decrypt secret information
+	 * like the user_session_key for network logons.
+	 *
+	 * [MS-APDS] 3.1.5.2 NTLM Network Logon
+	 * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
+	 * NETLOGON_NEG_AUTHENTICATED_RPC set together
+	 * are the indication that the server supports
+	 * NetlogonValidationSamInfo4 (6). And it must only
+	 * be used if "SealSecureChannel" is used.
+	 *
+	 * The "SealSecureChannel" AUTH_TYPE_SCHANNEL/AUTH_LEVEL_PRIVACY
+	 * check is done in netlogon_creds_cli_LogonSamLogon*().
+	 */
+
 	context->server.cached_flags = fstate.creds->negotiate_flags;
 	context->server.try_validation6 = true;
 	context->server.try_logon_ex = true;
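Review bot: netlogon_creds_cli_get_internal() is named as a getter but mutates context->server (cached_flags, try_validation6, try_logon_ex, try_logon_with) whenever the stored negotiate_flags differ from the cached ones, and after this change it runs both from the g_lock'ed path in netlogon_creds_cli_lock_done() and, when context->db.g_ctx is NULL, with no lock held at all. A short comment above the function stating that side effect would help the next reader; the transplanted comment block explains why SamLogonEx matters but not that this is the place where the per-server cache gets refreshed.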
@@ -883,9 +872,8 @@ static void netlogon_creds_cli_lock_fetch(struct tevent_req *req)
 		context->server.try_validation6 = false;
 	}
 
-	state->creds = fstate.creds;
-	tevent_req_done(req);
-	return;
+	*pcreds = fstate.creds;
+	return NT_STATUS_OK;
 }
 
 NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
@@ -935,6 +923,148 @@ NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
 	return status;
 }
 
+struct netlogon_creds_cli_lck {
+	struct netlogon_creds_cli_context *context;
+};
+
+struct netlogon_creds_cli_lck_state {
+	struct netlogon_creds_cli_lck *lck;
+	enum netlogon_creds_cli_lck_type type;
+};
+
+static void netlogon_creds_cli_lck_locked(struct tevent_req *subreq);
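Review bot: the mail cuts the changeset off at 500 lines right after the netlogon_creds_cli_lck / netlogon_creds_cli_lck_state declarations, so the acquire and release paths of the new external lock (where context->db.lock is set to NETLOGON_CREDS_CLI_LCK_EXCLUSIVE and, more importantly, reset when the lck goes away) cannot be reviewed here. Those are the parts the NT_STATUS_NOT_LOCKED check in netlogon_creds_cli_delete_lck() depends on, so they need a look in the full diff.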


-- 
Samba Shared Repository