[SCM] Samba Shared Repository - branch master updated

Ralph Böhme slow at samba.org
Sat Feb 10 12:09:02 UTC 2018


The branch, master has been updated
       via  597e755 winbindd: WBFLAG_PAM_AUTH_PAC should call add_trusted_domain_from_auth() is the result is trusted
       via  8422c00 winbindd: rename winbindd_pam_auth_pac_send and let it return validation
       via  5444cc4 winbindd: complete WBFLAG_PAM_AUTH_PAC handling in winbindd_pam_auth_crap_send()
       via  5ce3cb2 winbindd: let winbindd_pam_auth_pac_send() compute info6 from PAC
       via  42e4453 winbindd: call add_trusted_domain_from_auth() in winbindd_pam_auth_crap_done()
       via  021d75f winbindd: get netr_SamInfo6 out of winbindd_dual_pam_auth_kerberos()
       via  2b01818 s3/rpc_client: add map_info6_to_validation()
       via  d4ba23f s3/auth: add create_info6_from_pac()
       via  e1ba819 s4/auth_winbind: ask for validation level 6
       via  1a98573 winbindd: allow validation level 6 in winbind_SamLogon
       via  60aa5e7 s3/rpc_client: add copy_netr_SamInfo6() and map_validation_to_info6()
       via  b60c634 winbindd: introduce a cm_connect_netlogon_secure() which gives a valid netlogon_creds_ctx
       via  d76bcdb winbindd: handle interactive logons in _winbind_SamLogon()
       via  8c6c47a winbindd: pass 'bool interactive' to winbind_dual_SamLogon()
       via  2268f1c winbindd: add a comment to a parameter in _winbind_SamLogon()
       via  d1c3676 winbindd: separate plaintext given and interactive in winbind_samlogon_retry_loop()
       via  be26a47 s3/rpc_client: add rpccli_netlogon_interactive_logon()
       via  2ee2551 winbindd: add_trusted_domain_from_auth() should not use dns_name = ""
       via  8b0e1a7 wbinfo: avoid segfault in wbinfo_auth_crap() if winbindd is not available
       via  b112cbc winbindd: fix debug message in find_default_route_domain() on a DC
       via  6151909 s4/rpc_server: trigger trusts reload in winbindd after successfull trust info acquisition
       via  9f96ede winbindd: rename MSG_WINBIND_NEW_TRUSTED_DOMAIN to MSG_WINBIND_RELOAD_TRUSTED_DOMAINS
       via  ffa9eb7 s4/rpc_server: remove unused data argument from MSG_WINBIND_NEW_TRUSTED_DOMAIN
       via  d8e4e7c winbindd: use add_trusted_domains_dc in wb_imsg_new_trusted_domain
       via  4274ef6 winbindd: move loading of trusted domains on a DC to a seperate function
       via  728fb7c winbindd: don't force using LSA_LOOKUP_NAMES_ALL for non workstation trusts.
       via  7fc1974 s3:rpc_client: pass down lsa_LookupNamesLevel to dcerpc_lsa_lookup_sids_generic()
       via  8b7bf6d winbindd: prepare find_lookup_domain_from_{name,sid}() transitive trusts on a DC
       via  af9a37a winbindd: prepare find_auth_domain() transitive trusts on a DC
       via  c5bd18c winbindd: remove const from set_routing_domain()
       via  70bb9c2 winbindd: use Netlogon{Interactive,Network}TransitiveInformation on transitive trusts
       via  7329706 s3:rpc_client: allow passing NetlogonNetwork[Transitive]Information to rpccli_netlogon_network_logon()
       via  fe47041 s3:rpc_client: allow Netlogon{Network,Interactive}TransitiveInformation in rpccli_netlogon_password_logon()
       via  9a613f4 winbindd: add routing_domain as parameter to add_trusted_domain
       via  9fef5d1 winbindd: add missing can_do_ncacn_ip_tcp initialisation
       via  1918a87 winbindd: remove useless calls to get_trust_credentials() before cli_rpc_pipe_open_schannel_with_creds()
       via  53484d0 winbindd: fix LSA connections via DCERPC_AUTH_SCHANNEL
      from  cefb41b sambatool drs showrepl: prefer self over ctx in python classes

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 597e755328940fc964b861333b557b0650666b24
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 23:13:12 2018 +0100

    winbindd: WBFLAG_PAM_AUTH_PAC should call add_trusted_domain_from_auth() is the result is trusted
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Sat Feb 10 13:08:50 CET 2018 on sn-devel-144

commit 8422c001bec169a73657b1d638ec8ec4c35c243a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 9 08:38:18 2018 +0100

    winbindd: rename winbindd_pam_auth_pac_send and let it return validation
    
    Just a preparational step. The next commit will update the caller to
    make use of the validation info.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 5444cc4e7ed8ea0c063110f3b78f360d91b0b0a5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 23:10:42 2018 +0100

    winbindd: complete WBFLAG_PAM_AUTH_PAC handling in winbindd_pam_auth_crap_send()
    
    winbindd_pam_auth_crap_recv() should not have any real logic.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 5ce3cb2fb468d8798980b49d84568782becf25ea
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 23:02:26 2018 +0100

    winbindd: let winbindd_pam_auth_pac_send() compute info6 from PAC
    
    This way we don't lose the DNS info and UPN. A subsequent commit will
    let winbindd_pam_auth_pac_send() return the full validation info.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 42e445396881c5b6651a0dde0abde3d6bb0740bf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 22:00:35 2018 +0100

    winbindd: call add_trusted_domain_from_auth() in winbindd_pam_auth_crap_done()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 021d75fb223630d06a256a605659abda9ece853f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 21:34:46 2018 +0100

    winbindd: get netr_SamInfo6 out of winbindd_dual_pam_auth_kerberos()
    
    This way we don't lose dns_domain_name and user principal.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 2b0181877806f171eee053c246dcb2eda2300261
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 21:32:53 2018 +0100

    s3/rpc_client: add map_info6_to_validation()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit d4ba23fd353ad387a374a5d7f6f6d085a0699d2c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 21:32:25 2018 +0100

    s3/auth: add create_info6_from_pac()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit e1ba81996033e7c2cfeba13124ee7f404ded2031
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 17:58:07 2018 +0100

    s4/auth_winbind: ask for validation level 6
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 1a9857369d2fae08fefef613cf6cbd3354092a4a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 17:57:37 2018 +0100

    winbindd: allow validation level 6 in winbind_SamLogon
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 60aa5e7657608c1a5519c03e690cce58efd67abd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 17:53:49 2018 +0100

    s3/rpc_client: add copy_netr_SamInfo6() and map_validation_to_info6()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit b60c634123ee00021efc5b5aaa03e1663474d3da
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 2 15:24:00 2018 +0100

    winbindd: introduce a cm_connect_netlogon_secure() which gives a valid netlogon_creds_ctx
    
    A lot of callers require a valid schannel connection.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13259
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit d76bcdb0854cff9b08010d47469fd48324d902bc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 17:39:15 2018 +0100

    winbindd: handle interactive logons in _winbind_SamLogon()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 8c6c47aec0e91ab3944bea5f6eda8072f5db959d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 17:37:54 2018 +0100

    winbindd: pass 'bool interactive' to winbind_dual_SamLogon()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 2268f1c0dd1e8543c126553f80d94e80a1e32487
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 8 17:23:49 2018 +0100

    winbindd: add a comment to a parameter in _winbind_SamLogon()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit d1c3676197032487505e9069c0655427b5fd385c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 16:36:45 2018 +0100

    winbindd: separate plaintext given and interactive in winbind_samlogon_retry_loop()
    
    We need to handle 4 cases:
    
    plaintext_given=true  interactive=true
    plaintext_given=false interactive=true
    plaintext_given=true  interactive=false
    plaintext_given=false interactive=false
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit be26a472ae082d612f9aec28c932d25e2317f9ba
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 9 16:15:18 2018 +0100

    s3/rpc_client: add rpccli_netlogon_interactive_logon()
    
    This will be used in a subsequent commit.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 2ee2551409e0bd0cd5bf130cc1e3736e58b8c14d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 23 23:19:32 2018 +0100

    winbindd: add_trusted_domain_from_auth() should not use dns_name = ""
    
    Check whether the DNS domain name in the info6 struct is actually more
    than just an empty string. If it is we want to call add_trusted_domain()
    with NULL as DNS domain name argument.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13257
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 8b0e1a77ae5f7ef6d8db9a05718afa8d472a971b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sun Feb 4 22:48:01 2018 +0100

    wbinfo: avoid segfault in wbinfo_auth_crap() if winbindd is not available
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13256
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit b112cbc2462edf810473026c133b0802d1e18468
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 31 08:22:07 2018 +0100

    winbindd: fix debug message in find_default_route_domain() on a DC
    
    As we don't support multiple domains in a forest yet,
    we don't need to print a warning at log level 0.
    
    This also adds a missing \n.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13255
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 6151909c823016417f863c22e77c8a136f3fbb95
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Jan 18 16:35:52 2018 +0100

    s4/rpc_server: trigger trusts reload in winbindd after successfull trust info acquisition
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 9f96ede6f500cc1a7c76e67ee785b44a99244d0d
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Jan 18 16:35:13 2018 +0100

    winbindd: rename MSG_WINBIND_NEW_TRUSTED_DOMAIN to MSG_WINBIND_RELOAD_TRUSTED_DOMAINS
    
    This reflects the new implementation in winbindd.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ffa9eb7d6453eb6c6f3a50ad72288d3891361752
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Jan 18 11:32:30 2018 +0100

    s4/rpc_server: remove unused data argument from MSG_WINBIND_NEW_TRUSTED_DOMAIN
    
    winbindd doesn't use that data anymore.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d8e4e7cae57eb192c6fcab6b9aef95fb10eeb5a8
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Jan 18 11:30:53 2018 +0100

    winbindd: use add_trusted_domains_dc in wb_imsg_new_trusted_domain
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 4274ef681bf3b974ce99b8f21fda3a86a5b305bc
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Jan 18 11:28:20 2018 +0100

    winbindd: move loading of trusted domains on a DC to a seperate function
    
    This allows using the split out function in a subsequent commit in the
    MSG_WINBIND_NEW_TRUSTED_DOMAIN message handler.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 728fb7c593230abeb681854d924e4619d6f4cf37
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jan 15 13:02:04 2018 +0100

    winbindd: don't force using LSA_LOOKUP_NAMES_ALL for non workstation trusts.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 7fc19747ef346df9cc72bb516b45a8309f462dd8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jan 15 12:57:11 2018 +0100

    s3:rpc_client: pass down lsa_LookupNamesLevel to dcerpc_lsa_lookup_sids_generic()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 8b7bf6d4d81cde099d78cd9cc03aa085cec672d4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jan 15 12:06:50 2018 +0100

    winbindd: prepare find_lookup_domain_from_{name,sid}() transitive trusts on a DC
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit af9a37aa1925a18709365ceb93460d8ae0f66f51
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jan 15 12:06:50 2018 +0100

    winbindd: prepare find_auth_domain() transitive trusts on a DC
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit c5bd18c0021b428c669dbbc35f65a3d436b4add5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jan 15 12:03:11 2018 +0100

    winbindd: remove const from set_routing_domain()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 70bb9c27cf8c464d5af79acbe11a0d2d0e20f5a8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jan 15 12:02:05 2018 +0100

    winbindd: use Netlogon{Interactive,Network}TransitiveInformation on transitive trusts
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 7329706a037fef75e8ced63bfb7ab93b64482eda
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jan 15 12:00:19 2018 +0100

    s3:rpc_client: allow passing NetlogonNetwork[Transitive]Information to rpccli_netlogon_network_logon()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit fe47041b4bf8d2ef6f6f9ba15a80038f1c60da3f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jan 15 11:58:31 2018 +0100

    s3:rpc_client: allow Netlogon{Network,Interactive}TransitiveInformation in rpccli_netlogon_password_logon()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 9a613f4bccf171c40ede3e6ead9236463fcc5883
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Jan 18 08:38:59 2018 +0100

    winbindd: add routing_domain as parameter to add_trusted_domain
    
    This also fixes the following CIDs:
    
    CID 1427622:  Null pointer dereferences  (REVERSE_INULL)
    CID 1427619:  Null pointer dereferences  (REVERSE_INULL)
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13233
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 9fef5d1891e6c1aebea29fbfbb90e77631b7836c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jan 15 14:30:48 2018 +0100

    winbindd: add missing can_do_ncacn_ip_tcp initialisation
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13232
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 1918a870c38c29bd3a05cd3f660ffe6623121bf3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jan 15 14:30:12 2018 +0100

    winbindd: remove useless calls to get_trust_credentials() before cli_rpc_pipe_open_schannel_with_creds()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13231
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 53484d0d98475f55ae3bd02e1a86b9c45b20e33d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jan 15 14:24:47 2018 +0100

    winbindd: fix LSA connections via DCERPC_AUTH_SCHANNEL
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13231
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 librpc/idl/messaging.idl                  |   2 +-
 nsswitch/wbinfo.c                         |  13 +-
 source3/auth/proto.h                      |   4 +
 source3/auth/server_info.c                |  56 +++
 source3/rpc_client/cli_lsarpc.c           |  10 +-
 source3/rpc_client/cli_lsarpc.h           |   1 +
 source3/rpc_client/cli_netlogon.c         | 131 ++++++-
 source3/rpc_client/cli_netlogon.h         |  16 +
 source3/rpc_client/util_netlogon.c        | 171 +++++++++
 source3/rpc_client/util_netlogon.h        |  11 +
 source3/winbindd/winbindd.h               |   3 +-
 source3/winbindd/winbindd_cm.c            |  59 ++--
 source3/winbindd/winbindd_dual.c          |   7 +-
 source3/winbindd/winbindd_dual_srv.c      | 182 +++++++---
 source3/winbindd/winbindd_msrpc.c         |  63 +++-
 source3/winbindd/winbindd_pam.c           | 248 ++++++++-----
 source3/winbindd/winbindd_pam_auth_crap.c | 106 +++---
 source3/winbindd/winbindd_proto.h         |  12 +-
 source3/winbindd/winbindd_util.c          | 556 ++++++++++++++----------------
 source4/auth/ntlm/auth_winbind.c          |   2 +-
 source4/rpc_server/lsa/dcesrv_lsa.c       |  28 +-
 21 files changed, 1163 insertions(+), 518 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/messaging.idl b/librpc/idl/messaging.idl
index 37f8fcc..b35f1e1 100644
--- a/librpc/idl/messaging.idl
+++ b/librpc/idl/messaging.idl
@@ -123,7 +123,7 @@ interface messaging
 		MSG_WINBIND_IP_DROPPED		= 0x040A,
 		MSG_WINBIND_DOMAIN_ONLINE	= 0x040B,
 		MSG_WINBIND_DOMAIN_OFFLINE	= 0x040C,
-		MSG_WINBIND_NEW_TRUSTED_DOMAIN	= 0x040D,
+		MSG_WINBIND_RELOAD_TRUSTED_DOMAINS = 0x040D,
 
 		/* event messages */
 		MSG_DUMP_EVENT_LIST		= 0x0500,
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 54d5758..82863c2 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -1798,13 +1798,22 @@ static bool wbinfo_auth_crap(char *username, bool use_ntlmv2, bool use_lanman)
 	if (use_ntlmv2) {
 		DATA_BLOB server_chal;
 		DATA_BLOB names_blob;
+		const char *netbios_name = NULL;
+		const char *domain = NULL;
+
+		netbios_name = get_winbind_netbios_name(),
+		domain = get_winbind_domain();
+		if (domain == NULL) {
+			d_fprintf(stderr, "Failed to get domain from winbindd\n");
+			return false;
+		}
 
 		server_chal = data_blob(params.password.response.challenge, 8);
 
 		/* Pretend this is a login to 'us', for blob purposes */
 		names_blob = NTLMv2_generate_names_blob(NULL,
-						get_winbind_netbios_name(),
-						get_winbind_domain());
+							netbios_name,
+							domain);
 
 		if (pass != NULL &&
 		    !SMBNTLMv2encrypt(NULL, name_user, name_domain, pass,
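
Review bot: the statement `netbios_name = get_winbind_netbios_name(),` in wbinfo_auth_crap() ends in a comma instead of a semicolon, so it and the following `domain = get_winbind_domain();` form a single comma expression; the result is the same, but it reads as a typo and should be terminated with `;`. Only `domain` is checked for NULL before both values go to NTLMv2_generate_names_blob(); if get_winbind_netbios_name() can fail in the same situation, `netbios_name` needs the same check and error message.
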
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index e774670..ca851c2 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -312,6 +312,10 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
 NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
                                         const struct PAC_LOGON_INFO *logon_info,
                                         struct netr_SamInfo3 **pp_info3);
+NTSTATUS create_info6_from_pac(TALLOC_CTX *mem_ctx,
+			       const struct PAC_LOGON_INFO *logon_info,
+			       const struct PAC_UPN_DNS_INFO *upn_dns_info,
+			       struct netr_SamInfo6 **pp_info6);
 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
 			  struct samu *samu,
 			  const char *login_server,
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 7898175..339cce6 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -363,6 +363,62 @@ NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
 }
 
 /*
+ * Create a copy of an info6 struct from the PAC_UPN_DNS_INFO and PAC_LOGON_INFO
+ * then merge resource SIDs, if any, into it. If successful return the created
+ * info6 struct.
+ */
+NTSTATUS create_info6_from_pac(TALLOC_CTX *mem_ctx,
+			       const struct PAC_LOGON_INFO *logon_info,
+			       const struct PAC_UPN_DNS_INFO *upn_dns_info,
+			       struct netr_SamInfo6 **pp_info6)
+{
+	NTSTATUS status;
+	struct netr_SamInfo6 *info6 = NULL;
+	struct netr_SamInfo3 *info3 = NULL;
+
+	info6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
+	if (info6 == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = copy_netr_SamInfo3(info6,
+				    &logon_info->info3,
+				    &info3);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(info6);
+		return status;
+	}
+
+	status = merge_resource_sids(logon_info, info3);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(info6);
+		return status;
+	}
+
+	info6->base = info3->base;
+	info6->sids = info3->sids;
+	info6->sidcount = info3->sidcount;
+
+	if (upn_dns_info != NULL) {
+		info6->dns_domainname.string = talloc_strdup(info6,
+				upn_dns_info->dns_domain_name);
+		if (info6->dns_domainname.string == NULL) {
+			TALLOC_FREE(info6);
+			return NT_STATUS_NO_MEMORY;
+		}
+		info6->principal_name.string = talloc_strdup(info6,
+				upn_dns_info->upn_name);
+		if (info6->principal_name.string == NULL) {
+			TALLOC_FREE(info6);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	*pp_info6 = info6;
+	return NT_STATUS_OK;
+}
+
+/*
  * Check if this is a "Unix Users" domain user, or a
  * "Unix Groups" domain group, we need to handle it
  * in a special way if that's the case.
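
Review bot: in the `upn_dns_info != NULL` branch of create_info6_from_pac(), a NULL return from talloc_strdup() is always mapped to NT_STATUS_NO_MEMORY, but talloc_strdup() also returns NULL when the source string is NULL, so a UPN_DNS_INFO without `dns_domain_name` or `upn_name` would fail with a misleading out-of-memory status. Test the source pointers first and leave the corresponding info6 string NULL when the field is absent. `*pp_info6` is also not written on any error return; setting it to NULL at function entry would make a caller that ignores the status fail predictably.
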
diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c
index 41c1ef4..65c6ca0 100644
--- a/source3/rpc_client/cli_lsarpc.c
+++ b/source3/rpc_client/cli_lsarpc.c
@@ -172,6 +172,7 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h,
 					       struct policy_handle *pol,
 					       int num_sids,
 					       const struct dom_sid *sids,
+					       enum lsa_LookupNamesLevel level,
 					       char **domains,
 					       char **names,
 					       enum lsa_SidType *types,
@@ -183,7 +184,6 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h,
 	struct lsa_SidArray sid_array;
 	struct lsa_RefDomainList *ref_domains = NULL;
 	struct lsa_TransNameArray lsa_names;
-	enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
 	uint32_t count = 0;
 	int i;
 
@@ -348,6 +348,7 @@ NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h,
 					struct policy_handle *pol,
 					int num_sids,
 					const struct dom_sid *sids,
+					enum lsa_LookupNamesLevel level,
 					char ***pdomains,
 					char ***pnames,
 					enum lsa_SidType **ptypes,
@@ -414,6 +415,7 @@ NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h,
 							pol,
 							hunk_num_sids,
 							hunk_sids,
+							level,
 							hunk_domains,
 							hunk_names,
 							hunk_types,
@@ -489,11 +491,13 @@ NTSTATUS dcerpc_lsa_lookup_sids(struct dcerpc_binding_handle *h,
 				enum lsa_SidType **ptypes,
 				NTSTATUS *result)
 {
+	enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
 	return dcerpc_lsa_lookup_sids_generic(h,
 					      mem_ctx,
 					      pol,
 					      num_sids,
 					      sids,
+					      level,
 					      pdomains,
 					      pnames,
 					      ptypes,
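
Review bot: in dcerpc_lsa_lookup_sids() the new declaration `enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;` runs directly into the `return` with no separating blank line, unlike the same addition in rpccli_lsa_lookup_sids(). Add the blank line, or pass LSA_LOOKUP_NAMES_ALL straight to dcerpc_lsa_lookup_sids_generic() since the local is used only once; the dcerpc_lsa_lookup_sids3() hunk has the same pattern.
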
@@ -512,12 +516,14 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
 {
 	NTSTATUS status;
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+	enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
 
 	status = dcerpc_lsa_lookup_sids_generic(cli->binding_handle,
 						mem_ctx,
 						pol,
 						num_sids,
 						sids,
+						level,
 						pdomains,
 						pnames,
 						ptypes,
@@ -540,11 +546,13 @@ NTSTATUS dcerpc_lsa_lookup_sids3(struct dcerpc_binding_handle *h,
 				 enum lsa_SidType **ptypes,
 				 NTSTATUS *result)
 {
+	enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
 	return dcerpc_lsa_lookup_sids_generic(h,
 					      mem_ctx,
 					      pol,
 					      num_sids,
 					      sids,
+					      level,
 					      pdomains,
 					      pnames,
 					      ptypes,
diff --git a/source3/rpc_client/cli_lsarpc.h b/source3/rpc_client/cli_lsarpc.h
index 4f9464d..f716b04 100644
--- a/source3/rpc_client/cli_lsarpc.h
+++ b/source3/rpc_client/cli_lsarpc.h
@@ -130,6 +130,7 @@ NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h,
 					struct policy_handle *pol,
 					int num_sids,
 					const struct dom_sid *sids,
+					enum lsa_LookupNamesLevel level,
 					char ***pdomains,
 					char ***pnames,
 					enum lsa_SidType **ptypes,
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 800b995..2aa0f5e 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -490,7 +490,8 @@ NTSTATUS rpccli_netlogon_password_logon(
 	/* Initialise input parameters */
 
 	switch (logon_type) {
-	case NetlogonInteractiveInformation: {
+	case NetlogonInteractiveInformation:
+	case NetlogonInteractiveTransitiveInformation: {
 
 		struct netr_PasswordInfo *password_info;
 
@@ -519,7 +520,8 @@ NTSTATUS rpccli_netlogon_password_logon(
 
 		break;
 	}
-	case NetlogonNetworkInformation: {
+	case NetlogonNetworkInformation:
+	case NetlogonNetworkTransitiveInformation: {
 		struct netr_NetworkInfo *network_info;
 		uint8_t chal[8];
 		unsigned char local_lm_response[24];
@@ -608,6 +610,7 @@ NTSTATUS rpccli_netlogon_network_logon(
 	const uint8_t chal[8],
 	DATA_BLOB lm_response,
 	DATA_BLOB nt_response,
+	enum netr_LogonInfoClass logon_type,
 	uint8_t *authoritative,
 	uint32_t *flags,
 	uint16_t *_validation_level,
@@ -627,6 +630,16 @@ NTSTATUS rpccli_netlogon_network_logon(
 	ZERO_STRUCT(lm);
 	ZERO_STRUCT(nt);
 
+	switch (logon_type) {
+	case NetlogonNetworkInformation:
+	case NetlogonNetworkTransitiveInformation:
+		break;
+	default:
+		DEBUG(0, ("switch value %d not supported\n",
+			logon_type));
+		return NT_STATUS_INVALID_INFO_CLASS;
+	}
+
 	logon = talloc_zero(mem_ctx, union netr_LogonLevel);
 	if (!logon) {
 		return NT_STATUS_NO_MEMORY;
@@ -672,7 +685,117 @@ NTSTATUS rpccli_netlogon_network_logon(
 
 	status = netlogon_creds_cli_LogonSamLogon(creds_ctx,
 						  binding_handle,
-						  NetlogonNetworkInformation,
+						  logon_type,
+						  logon,
+						  mem_ctx,
+						  &validation_level,
+						  &validation,
+						  authoritative,
+						  flags);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	*_validation_level = validation_level;
+	*_validation = validation;
+
+	return NT_STATUS_OK;
+}
+
+NTSTATUS rpccli_netlogon_interactive_logon(
+	struct netlogon_creds_cli_context *creds_ctx,
+	struct dcerpc_binding_handle *binding_handle,
+	TALLOC_CTX *mem_ctx,
+	uint32_t logon_parameters,
+	const char *username,
+	const char *domain,
+	const char *workstation,
+	DATA_BLOB lm_hash,
+	DATA_BLOB nt_hash,
+	enum netr_LogonInfoClass logon_type,
+	uint8_t *authoritative,
+	uint32_t *flags,
+	uint16_t *_validation_level,
+	union netr_Validation **_validation)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	NTSTATUS status;
+	const char *workstation_name_slash;
+	union netr_LogonLevel *logon = NULL;
+	struct netr_PasswordInfo *password_info = NULL;
+	uint16_t validation_level = 0;
+	union netr_Validation *validation = NULL;
+	struct netr_ChallengeResponse lm;
+	struct netr_ChallengeResponse nt;
+
+	*_validation = NULL;
+
+	ZERO_STRUCT(lm);
+	ZERO_STRUCT(nt);
+
+	switch (logon_type) {
+	case NetlogonInteractiveInformation:
+	case NetlogonInteractiveTransitiveInformation:
+		break;
+	default:
+		DEBUG(0, ("switch value %d not supported\n",
+			logon_type));
+		TALLOC_FREE(frame);
+		return NT_STATUS_INVALID_INFO_CLASS;
+	}
+
+	logon = talloc_zero(mem_ctx, union netr_LogonLevel);
+	if (logon == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	password_info = talloc_zero(logon, struct netr_PasswordInfo);
+	if (password_info == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (workstation[0] != '\\' && workstation[1] != '\\') {
+		workstation_name_slash = talloc_asprintf(frame, "\\\\%s", workstation);
+	} else {
+		workstation_name_slash = workstation;
+	}
+
+	if (workstation_name_slash == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	/* Initialise input parameters */
+
+	password_info->identity_info.domain_name.string		= domain;
+	password_info->identity_info.parameter_control		= logon_parameters;
+	password_info->identity_info.logon_id_low		= 0xdead;
+	password_info->identity_info.logon_id_high		= 0xbeef;
+	password_info->identity_info.account_name.string	= username;
+	password_info->identity_info.workstation.string		= workstation_name_slash;
+
+	if (nt_hash.length != sizeof(password_info->ntpassword.hash)) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	memcpy(password_info->ntpassword.hash, nt_hash.data, nt_hash.length);
+	if (lm_hash.length != 0) {
+		if (lm_hash.length != sizeof(password_info->lmpassword.hash)) {
+			TALLOC_FREE(frame);
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+		memcpy(password_info->lmpassword.hash, lm_hash.data, lm_hash.length);
+	}
+
+	logon->password = password_info;
+
+	/* Marshall data and send request */
+
+	status = netlogon_creds_cli_LogonSamLogon(creds_ctx,
+						  binding_handle,
+						  logon_type,
 						  logon,
 						  mem_ctx,
 						  &validation_level,
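Review bot: In rpccli_netlogon_interactive_logon(), logon is allocated on the caller's mem_ctx (talloc_zero(mem_ctx, union netr_LogonLevel)) and password_info is its child, so the copied NT and LM hashes outlive the call; on the NT_STATUS_NO_MEMORY and NT_STATUS_INVALID_PARAMETER returns visible here only frame is freed. Allocating logon on frame would tie the hash copies to this call and remove the leak on those error paths. Separately, the test workstation[0] != '\\' && workstation[1] != '\\' dereferences workstation without a NULL check and reads workstation[1] even when the string is empty; a length-aware prefix test such as strncmp(workstation, "\\\\", 2) != 0 would avoid that and would stop a name with only one leading backslash from being passed through unprefixed.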
@@ -680,11 +803,13 @@ NTSTATUS rpccli_netlogon_network_logon(
 						  authoritative,
 						  flags);
 	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
 		return status;
 	}
 
 	*_validation_level = validation_level;
 	*_validation = validation;
 
+	TALLOC_FREE(frame);
 	return NT_STATUS_OK;
 }
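Review bot: Freeing frame by hand before each return, as at the !NT_STATUS_IS_OK(status) branch and before return NT_STATUS_OK here, is fragile, because any early return added later can miss it. A single out: label that frees frame, in the way copy_netr_SamInfo6() in this same commit handles info6, would keep the cleanup in one place. The failure branch also returns without writing *_validation_level, so a comment should state that this output is only valid when NT_STATUS_OK is returned.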
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index d31bdee..d0232b5 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -84,6 +84,22 @@ NTSTATUS rpccli_netlogon_network_logon(
 	const uint8_t chal[8],
 	DATA_BLOB lm_response,
 	DATA_BLOB nt_response,
+	enum netr_LogonInfoClass logon_type,
+	uint8_t *authoritative,
+	uint32_t *flags,
+	uint16_t *_validation_level,
+	union netr_Validation **_validation);
+NTSTATUS rpccli_netlogon_interactive_logon(
+	struct netlogon_creds_cli_context *creds_ctx,
+	struct dcerpc_binding_handle *binding_handle,
+	TALLOC_CTX *mem_ctx,
+	uint32_t logon_parameters,
+	const char *username,
+	const char *domain,
+	const char *workstation,
+	DATA_BLOB lm_hash,
+	DATA_BLOB nt_hash,
+	enum netr_LogonInfoClass logon_type,
 	uint8_t *authoritative,
 	uint32_t *flags,
 	uint16_t *_validation_level,
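Review bot: The new rpccli_netlogon_interactive_logon() prototype carries no comment on the contract for nt_hash and lm_hash. The implementation in cli_netlogon.c returns NT_STATUS_INVALID_PARAMETER unless nt_hash.length equals sizeof(password_info->ntpassword.hash), accepts lm_hash only when it is empty or exactly sizeof(password_info->lmpassword.hash), and rejects any logon_type other than NetlogonInteractiveInformation or NetlogonInteractiveTransitiveInformation. A short doc comment above the declaration stating these requirements, and that workstation must be a non-NULL string, would save callers from discovering them through error codes.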
diff --git a/source3/rpc_client/util_netlogon.c b/source3/rpc_client/util_netlogon.c
index 15c769f..2d73bc9 100644
--- a/source3/rpc_client/util_netlogon.c
+++ b/source3/rpc_client/util_netlogon.c
@@ -190,6 +190,152 @@ NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
+NTSTATUS copy_netr_SamInfo6(TALLOC_CTX *mem_ctx,
+			    const struct netr_SamInfo6 *in,
+			    struct netr_SamInfo6 **pout)
+{
+	struct netr_SamInfo6 *info6 = NULL;
+	unsigned int i;
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+	info6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
+	if (info6 == NULL) {
+		status = NT_STATUS_NO_MEMORY;
+		goto out;
+	}
+
+	status = copy_netr_SamBaseInfo(info6, &in->base, &info6->base);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto out;
+	}
+
+	if (in->sidcount) {
+		info6->sidcount = in->sidcount;
+		info6->sids = talloc_array(info6, struct netr_SidAttr,
+					   in->sidcount);
+		if (info6->sids == NULL) {
+			status = NT_STATUS_NO_MEMORY;
+			goto out;
+		}
+
+		for (i = 0; i < in->sidcount; i++) {
+			info6->sids[i].sid = dom_sid_dup(info6->sids,
+							 in->sids[i].sid);
+			if (info6->sids[i].sid == NULL) {
+				status = NT_STATUS_NO_MEMORY;
+				goto out;
+			}
+			info6->sids[i].attributes = in->sids[i].attributes;
+		}
+	}
+
+	if (in->dns_domainname.string != NULL) {
+		info6->dns_domainname.string = talloc_strdup(info6,
+						in->dns_domainname.string);
+		if (info6->dns_domainname.string == NULL) {
+			status = NT_STATUS_NO_MEMORY;
+			goto out;
+		}
+	}
+
+	if (in->principal_name.string != NULL) {
+		info6->principal_name.string = talloc_strdup(info6,
+						in->principal_name.string);
+		if (info6->principal_name.string == NULL) {
+			status = NT_STATUS_NO_MEMORY;
+			goto out;
+		}
+	}
+
+	*pout = info6;
+	info6 = NULL;
+
+	status = NT_STATUS_OK;
+out:
+	TALLOC_FREE(info6);
+	return status;
+}
+
+NTSTATUS map_validation_to_info6(TALLOC_CTX *mem_ctx,
+				 uint16_t validation_level,
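Review bot: In copy_netr_SamInfo6(), the loop reads in->sids[i].sid whenever in->sidcount is non-zero without first checking that in->sids is non-NULL, so an inconsistent input structure leads to a NULL dereference. Rejecting in->sidcount != 0 && in->sids == NULL with NT_STATUS_INVALID_PARAMETER before the talloc_array() call would make the copy safe on its own. It would also help to set *pout = NULL at entry, since the out: path leaves *pout untouched on failure and a caller that ignores the status would otherwise use an uninitialised pointer.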


-- 
Samba Shared Repository


