[SCM] Samba Shared Repository - branch master updated
Ralph Böhme
slow at samba.org
Sat Feb 10 12:09:02 UTC 2018
The branch, master has been updated
via 597e755 winbindd: WBFLAG_PAM_AUTH_PAC should call add_trusted_domain_from_auth() if the result is trusted
via 8422c00 winbindd: rename winbindd_pam_auth_pac_send and let it return validation
via 5444cc4 winbindd: complete WBFLAG_PAM_AUTH_PAC handling in winbindd_pam_auth_crap_send()
via 5ce3cb2 winbindd: let winbindd_pam_auth_pac_send() compute info6 from PAC
via 42e4453 winbindd: call add_trusted_domain_from_auth() in winbindd_pam_auth_crap_done()
via 021d75f winbindd: get netr_SamInfo6 out of winbindd_dual_pam_auth_kerberos()
via 2b01818 s3/rpc_client: add map_info6_to_validation()
via d4ba23f s3/auth: add create_info6_from_pac()
via e1ba819 s4/auth_winbind: ask for validation level 6
via 1a98573 winbindd: allow validation level 6 in winbind_SamLogon
via 60aa5e7 s3/rpc_client: add copy_netr_SamInfo6() and map_validation_to_info6()
via b60c634 winbindd: introduce a cm_connect_netlogon_secure() which gives a valid netlogon_creds_ctx
via d76bcdb winbindd: handle interactive logons in _winbind_SamLogon()
via 8c6c47a winbindd: pass 'bool interactive' to winbind_dual_SamLogon()
via 2268f1c winbindd: add a comment to a parameter in _winbind_SamLogon()
via d1c3676 winbindd: separate plaintext given and interactive in winbind_samlogon_retry_loop()
via be26a47 s3/rpc_client: add rpccli_netlogon_interactive_logon()
via 2ee2551 winbindd: add_trusted_domain_from_auth() should not use dns_name = ""
via 8b0e1a7 wbinfo: avoid segfault in wbinfo_auth_crap() if winbindd is not available
via b112cbc winbindd: fix debug message in find_default_route_domain() on a DC
via 6151909 s4/rpc_server: trigger trusts reload in winbindd after successful trust info acquisition
via 9f96ede winbindd: rename MSG_WINBIND_NEW_TRUSTED_DOMAIN to MSG_WINBIND_RELOAD_TRUSTED_DOMAINS
via ffa9eb7 s4/rpc_server: remove unused data argument from MSG_WINBIND_NEW_TRUSTED_DOMAIN
via d8e4e7c winbindd: use add_trusted_domains_dc in wb_imsg_new_trusted_domain
via 4274ef6 winbindd: move loading of trusted domains on a DC to a separate function
via 728fb7c winbindd: don't force using LSA_LOOKUP_NAMES_ALL for non workstation trusts.
via 7fc1974 s3:rpc_client: pass down lsa_LookupNamesLevel to dcerpc_lsa_lookup_sids_generic()
via 8b7bf6d winbindd: prepare find_lookup_domain_from_{name,sid}() transitive trusts on a DC
via af9a37a winbindd: prepare find_auth_domain() transitive trusts on a DC
via c5bd18c winbindd: remove const from set_routing_domain()
via 70bb9c2 winbindd: use Netlogon{Interactive,Network}TransitiveInformation on transitive trusts
via 7329706 s3:rpc_client: allow passing NetlogonNetwork[Transitive]Information to rpccli_netlogon_network_logon()
via fe47041 s3:rpc_client: allow Netlogon{Network,Interactive}TransitiveInformation in rpccli_netlogon_password_logon()
via 9a613f4 winbindd: add routing_domain as parameter to add_trusted_domain
via 9fef5d1 winbindd: add missing can_do_ncacn_ip_tcp initialisation
via 1918a87 winbindd: remove useless calls to get_trust_credentials() before cli_rpc_pipe_open_schannel_with_creds()
via 53484d0 winbindd: fix LSA connections via DCERPC_AUTH_SCHANNEL
from cefb41b sambatool drs showrepl: prefer self over ctx in python classes
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 597e755328940fc964b861333b557b0650666b24
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 23:13:12 2018 +0100
winbindd: WBFLAG_PAM_AUTH_PAC should call add_trusted_domain_from_auth() if the result is trusted
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Sat Feb 10 13:08:50 CET 2018 on sn-devel-144
commit 8422c001bec169a73657b1d638ec8ec4c35c243a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 9 08:38:18 2018 +0100
winbindd: rename winbindd_pam_auth_pac_send and let it return validation
Just a preparational step. The next commit will update the caller to
make use of the validation info.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 5444cc4e7ed8ea0c063110f3b78f360d91b0b0a5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 23:10:42 2018 +0100
winbindd: complete WBFLAG_PAM_AUTH_PAC handling in winbindd_pam_auth_crap_send()
winbindd_pam_auth_crap_recv() should not have any real logic.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 5ce3cb2fb468d8798980b49d84568782becf25ea
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 23:02:26 2018 +0100
winbindd: let winbindd_pam_auth_pac_send() compute info6 from PAC
This way we don't lose the DNS info and UPN. A subsequent commit will
let winbindd_pam_auth_pac_send() return the full validation info.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 42e445396881c5b6651a0dde0abde3d6bb0740bf
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 22:00:35 2018 +0100
winbindd: call add_trusted_domain_from_auth() in winbindd_pam_auth_crap_done()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 021d75fb223630d06a256a605659abda9ece853f
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 21:34:46 2018 +0100
winbindd: get netr_SamInfo6 out of winbindd_dual_pam_auth_kerberos()
This way we don't lose dns_domain_name and user principal.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 2b0181877806f171eee053c246dcb2eda2300261
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 21:32:53 2018 +0100
s3/rpc_client: add map_info6_to_validation()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit d4ba23fd353ad387a374a5d7f6f6d085a0699d2c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 21:32:25 2018 +0100
s3/auth: add create_info6_from_pac()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit e1ba81996033e7c2cfeba13124ee7f404ded2031
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 17:58:07 2018 +0100
s4/auth_winbind: ask for validation level 6
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1a9857369d2fae08fefef613cf6cbd3354092a4a
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 17:57:37 2018 +0100
winbindd: allow validation level 6 in winbind_SamLogon
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 60aa5e7657608c1a5519c03e690cce58efd67abd
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 17:53:49 2018 +0100
s3/rpc_client: add copy_netr_SamInfo6() and map_validation_to_info6()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b60c634123ee00021efc5b5aaa03e1663474d3da
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 2 15:24:00 2018 +0100
winbindd: introduce a cm_connect_netlogon_secure() which gives a valid netlogon_creds_ctx
A lot of callers require a valid schannel connection.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13259
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit d76bcdb0854cff9b08010d47469fd48324d902bc
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 17:39:15 2018 +0100
winbindd: handle interactive logons in _winbind_SamLogon()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 8c6c47aec0e91ab3944bea5f6eda8072f5db959d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 17:37:54 2018 +0100
winbindd: pass 'bool interactive' to winbind_dual_SamLogon()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 2268f1c0dd1e8543c126553f80d94e80a1e32487
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 8 17:23:49 2018 +0100
winbindd: add a comment to a parameter in _winbind_SamLogon()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit d1c3676197032487505e9069c0655427b5fd385c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 16:36:45 2018 +0100
winbindd: separate plaintext given and interactive in winbind_samlogon_retry_loop()
We need to handle 4 cases:
plaintext_given=true interactive=true
plaintext_given=false interactive=true
plaintext_given=true interactive=false
plaintext_given=false interactive=false
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit be26a472ae082d612f9aec28c932d25e2317f9ba
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 9 16:15:18 2018 +0100
s3/rpc_client: add rpccli_netlogon_interactive_logon()
This will be used in a subsequent commit.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 2ee2551409e0bd0cd5bf130cc1e3736e58b8c14d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 23 23:19:32 2018 +0100
winbindd: add_trusted_domain_from_auth() should not use dns_name = ""
Check whether the DNS domain name in the info6 struct is actually more
than just an empty string. If it is we want to call add_trusted_domain()
with NULL as DNS domain name argument.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13257
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 8b0e1a77ae5f7ef6d8db9a05718afa8d472a971b
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Feb 4 22:48:01 2018 +0100
wbinfo: avoid segfault in wbinfo_auth_crap() if winbindd is not available
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13256
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b112cbc2462edf810473026c133b0802d1e18468
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 31 08:22:07 2018 +0100
winbindd: fix debug message in find_default_route_domain() on a DC
As we don't support multiple domains in a forest yet,
we don't need to print a warning at log level 0.
This also adds a missing \n.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13255
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 6151909c823016417f863c22e77c8a136f3fbb95
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jan 18 16:35:52 2018 +0100
s4/rpc_server: trigger trusts reload in winbindd after successful trust info acquisition
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9f96ede6f500cc1a7c76e67ee785b44a99244d0d
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jan 18 16:35:13 2018 +0100
winbindd: rename MSG_WINBIND_NEW_TRUSTED_DOMAIN to MSG_WINBIND_RELOAD_TRUSTED_DOMAINS
This reflects the new implementation in winbindd.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ffa9eb7d6453eb6c6f3a50ad72288d3891361752
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jan 18 11:32:30 2018 +0100
s4/rpc_server: remove unused data argument from MSG_WINBIND_NEW_TRUSTED_DOMAIN
winbindd doesn't use that data anymore.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d8e4e7cae57eb192c6fcab6b9aef95fb10eeb5a8
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jan 18 11:30:53 2018 +0100
winbindd: use add_trusted_domains_dc in wb_imsg_new_trusted_domain
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 4274ef681bf3b974ce99b8f21fda3a86a5b305bc
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jan 18 11:28:20 2018 +0100
winbindd: move loading of trusted domains on a DC to a separate function
This allows using the split out function in a subsequent commit in the
MSG_WINBIND_NEW_TRUSTED_DOMAIN message handler.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 728fb7c593230abeb681854d924e4619d6f4cf37
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 15 13:02:04 2018 +0100
winbindd: don't force using LSA_LOOKUP_NAMES_ALL for non workstation trusts.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 7fc19747ef346df9cc72bb516b45a8309f462dd8
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 15 12:57:11 2018 +0100
s3:rpc_client: pass down lsa_LookupNamesLevel to dcerpc_lsa_lookup_sids_generic()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 8b7bf6d4d81cde099d78cd9cc03aa085cec672d4
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 15 12:06:50 2018 +0100
winbindd: prepare find_lookup_domain_from_{name,sid}() transitive trusts on a DC
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit af9a37aa1925a18709365ceb93460d8ae0f66f51
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 15 12:06:50 2018 +0100
winbindd: prepare find_auth_domain() transitive trusts on a DC
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c5bd18c0021b428c669dbbc35f65a3d436b4add5
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 15 12:03:11 2018 +0100
winbindd: remove const from set_routing_domain()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 70bb9c27cf8c464d5af79acbe11a0d2d0e20f5a8
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 15 12:02:05 2018 +0100
winbindd: use Netlogon{Interactive,Network}TransitiveInformation on transitive trusts
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 7329706a037fef75e8ced63bfb7ab93b64482eda
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 15 12:00:19 2018 +0100
s3:rpc_client: allow passing NetlogonNetwork[Transitive]Information to rpccli_netlogon_network_logon()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit fe47041b4bf8d2ef6f6f9ba15a80038f1c60da3f
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 15 11:58:31 2018 +0100
s3:rpc_client: allow Netlogon{Network,Interactive}TransitiveInformation in rpccli_netlogon_password_logon()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 9a613f4bccf171c40ede3e6ead9236463fcc5883
Author: Ralph Boehme <slow at samba.org>
Date: Thu Jan 18 08:38:59 2018 +0100
winbindd: add routing_domain as parameter to add_trusted_domain
This also fixes the following CIDs:
CID 1427622: Null pointer dereferences (REVERSE_INULL)
CID 1427619: Null pointer dereferences (REVERSE_INULL)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13233
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9fef5d1891e6c1aebea29fbfbb90e77631b7836c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 15 14:30:48 2018 +0100
winbindd: add missing can_do_ncacn_ip_tcp initialisation
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13232
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 1918a870c38c29bd3a05cd3f660ffe6623121bf3
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 15 14:30:12 2018 +0100
winbindd: remove useless calls to get_trust_credentials() before cli_rpc_pipe_open_schannel_with_creds()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13231
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 53484d0d98475f55ae3bd02e1a86b9c45b20e33d
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jan 15 14:24:47 2018 +0100
winbindd: fix LSA connections via DCERPC_AUTH_SCHANNEL
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13231
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
-----------------------------------------------------------------------
Summary of changes:
librpc/idl/messaging.idl | 2 +-
nsswitch/wbinfo.c | 13 +-
source3/auth/proto.h | 4 +
source3/auth/server_info.c | 56 +++
source3/rpc_client/cli_lsarpc.c | 10 +-
source3/rpc_client/cli_lsarpc.h | 1 +
source3/rpc_client/cli_netlogon.c | 131 ++++++-
source3/rpc_client/cli_netlogon.h | 16 +
source3/rpc_client/util_netlogon.c | 171 +++++++++
source3/rpc_client/util_netlogon.h | 11 +
source3/winbindd/winbindd.h | 3 +-
source3/winbindd/winbindd_cm.c | 59 ++--
source3/winbindd/winbindd_dual.c | 7 +-
source3/winbindd/winbindd_dual_srv.c | 182 +++++++---
source3/winbindd/winbindd_msrpc.c | 63 +++-
source3/winbindd/winbindd_pam.c | 248 ++++++++-----
source3/winbindd/winbindd_pam_auth_crap.c | 106 +++---
source3/winbindd/winbindd_proto.h | 12 +-
source3/winbindd/winbindd_util.c | 556 ++++++++++++++----------------
source4/auth/ntlm/auth_winbind.c | 2 +-
source4/rpc_server/lsa/dcesrv_lsa.c | 28 +-
21 files changed, 1163 insertions(+), 518 deletions(-)
Changeset truncated at 500 lines:
diff --git a/librpc/idl/messaging.idl b/librpc/idl/messaging.idl
index 37f8fcc..b35f1e1 100644
--- a/librpc/idl/messaging.idl
+++ b/librpc/idl/messaging.idl
@@ -123,7 +123,7 @@ interface messaging
MSG_WINBIND_IP_DROPPED = 0x040A,
MSG_WINBIND_DOMAIN_ONLINE = 0x040B,
MSG_WINBIND_DOMAIN_OFFLINE = 0x040C,
- MSG_WINBIND_NEW_TRUSTED_DOMAIN = 0x040D,
+ MSG_WINBIND_RELOAD_TRUSTED_DOMAINS = 0x040D,
/* event messages */
MSG_DUMP_EVENT_LIST = 0x0500,
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 54d5758..82863c2 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -1798,13 +1798,22 @@ static bool wbinfo_auth_crap(char *username, bool use_ntlmv2, bool use_lanman)
if (use_ntlmv2) {
DATA_BLOB server_chal;
DATA_BLOB names_blob;
+ const char *netbios_name = NULL;
+ const char *domain = NULL;
+
+ netbios_name = get_winbind_netbios_name(),
+ domain = get_winbind_domain();
+ if (domain == NULL) {
+ d_fprintf(stderr, "Failed to get domain from winbindd\n");
+ return false;
+ }
server_chal = data_blob(params.password.response.challenge, 8);
/* Pretend this is a login to 'us', for blob purposes */
names_blob = NTLMv2_generate_names_blob(NULL,
- get_winbind_netbios_name(),
- get_winbind_domain());
+ netbios_name,
+ domain);
if (pass != NULL &&
!SMBNTLMv2encrypt(NULL, name_user, name_domain, pass,
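Review bot: in the block added at the top of the `use_ntlmv2` branch, `netbios_name = get_winbind_netbios_name(),` ends in a comma rather than a semicolon, so the two assignments compile as one comma expression; it behaves as intended but reads as a typo and should end in `;`. Only `domain` is checked for NULL before both values are handed to NTLMv2_generate_names_blob(); if get_winbind_netbios_name() can also return NULL when winbindd is unavailable, it deserves the same check and error message.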
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index e774670..ca851c2 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -312,6 +312,10 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
const struct PAC_LOGON_INFO *logon_info,
struct netr_SamInfo3 **pp_info3);
+NTSTATUS create_info6_from_pac(TALLOC_CTX *mem_ctx,
+ const struct PAC_LOGON_INFO *logon_info,
+ const struct PAC_UPN_DNS_INFO *upn_dns_info,
+ struct netr_SamInfo6 **pp_info6);
NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
struct samu *samu,
const char *login_server,
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 7898175..339cce6 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -363,6 +363,62 @@ NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
}
/*
+ * Create a copy of an info6 struct from the PAC_UPN_DNS_INFO and PAC_LOGON_INFO
+ * then merge resource SIDs, if any, into it. If successful return the created
+ * info6 struct.
+ */
+NTSTATUS create_info6_from_pac(TALLOC_CTX *mem_ctx,
+ const struct PAC_LOGON_INFO *logon_info,
+ const struct PAC_UPN_DNS_INFO *upn_dns_info,
+ struct netr_SamInfo6 **pp_info6)
+{
+ NTSTATUS status;
+ struct netr_SamInfo6 *info6 = NULL;
+ struct netr_SamInfo3 *info3 = NULL;
+
+ info6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
+ if (info6 == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = copy_netr_SamInfo3(info6,
+ &logon_info->info3,
+ &info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(info6);
+ return status;
+ }
+
+ status = merge_resource_sids(logon_info, info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(info6);
+ return status;
+ }
+
+ info6->base = info3->base;
+ info6->sids = info3->sids;
+ info6->sidcount = info3->sidcount;
+
+ if (upn_dns_info != NULL) {
+ info6->dns_domainname.string = talloc_strdup(info6,
+ upn_dns_info->dns_domain_name);
+ if (info6->dns_domainname.string == NULL) {
+ TALLOC_FREE(info6);
+ return NT_STATUS_NO_MEMORY;
+ }
+ info6->principal_name.string = talloc_strdup(info6,
+ upn_dns_info->upn_name);
+ if (info6->principal_name.string == NULL) {
+ TALLOC_FREE(info6);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ *pp_info6 = info6;
+ return NT_STATUS_OK;
+}
+
+/*
* Check if this is a "Unix Users" domain user, or a
* "Unix Groups" domain group, we need to handle it
* in a special way if that's the case.
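Review bot: inside the `if (upn_dns_info != NULL)` block of create_info6_from_pac(), `upn_dns_info->dns_domain_name` and `upn_dns_info->upn_name` are passed to talloc_strdup() without a NULL check. talloc_strdup() returns NULL for a NULL input, so a PAC whose UPN_DNS_INFO lacks one of the strings would be rejected with NT_STATUS_NO_MEMORY, which misreports the cause. Suggest copying each string only when it is non-NULL, as copy_netr_SamInfo6() in this same push does for its input. A short comment that `info6->base = info3->base` is a shallow copy whose pointers stay valid because info3 is allocated on info6 would also help the next reader.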
diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c
index 41c1ef4..65c6ca0 100644
--- a/source3/rpc_client/cli_lsarpc.c
+++ b/source3/rpc_client/cli_lsarpc.c
@@ -172,6 +172,7 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h,
struct policy_handle *pol,
int num_sids,
const struct dom_sid *sids,
+ enum lsa_LookupNamesLevel level,
char **domains,
char **names,
enum lsa_SidType *types,
@@ -183,7 +184,6 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h,
struct lsa_SidArray sid_array;
struct lsa_RefDomainList *ref_domains = NULL;
struct lsa_TransNameArray lsa_names;
- enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
uint32_t count = 0;
int i;
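Review bot: with the hard-coded `LSA_LOOKUP_NAMES_ALL` removed from dcerpc_lsa_lookup_sids_noalloc(), the lookup level sent on the wire is whatever the caller supplies, and nothing in these hunks documents which levels are expected. A comment on the new `level` parameter, stating which values callers may pass and when something other than LSA_LOOKUP_NAMES_ALL is appropriate, would make the later winbindd change easier to audit.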
@@ -348,6 +348,7 @@ NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h,
struct policy_handle *pol,
int num_sids,
const struct dom_sid *sids,
+ enum lsa_LookupNamesLevel level,
char ***pdomains,
char ***pnames,
enum lsa_SidType **ptypes,
@@ -414,6 +415,7 @@ NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h,
pol,
hunk_num_sids,
hunk_sids,
+ level,
hunk_domains,
hunk_names,
hunk_types,
@@ -489,11 +491,13 @@ NTSTATUS dcerpc_lsa_lookup_sids(struct dcerpc_binding_handle *h,
enum lsa_SidType **ptypes,
NTSTATUS *result)
{
+ enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
return dcerpc_lsa_lookup_sids_generic(h,
mem_ctx,
pol,
num_sids,
sids,
+ level,
pdomains,
pnames,
ptypes,
@@ -512,12 +516,14 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
{
NTSTATUS status;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
status = dcerpc_lsa_lookup_sids_generic(cli->binding_handle,
mem_ctx,
pol,
num_sids,
sids,
+ level,
pdomains,
pnames,
ptypes,
@@ -540,11 +546,13 @@ NTSTATUS dcerpc_lsa_lookup_sids3(struct dcerpc_binding_handle *h,
enum lsa_SidType **ptypes,
NTSTATUS *result)
{
+ enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL;
return dcerpc_lsa_lookup_sids_generic(h,
mem_ctx,
pol,
num_sids,
sids,
+ level,
pdomains,
pnames,
ptypes,
diff --git a/source3/rpc_client/cli_lsarpc.h b/source3/rpc_client/cli_lsarpc.h
index 4f9464d..f716b04 100644
--- a/source3/rpc_client/cli_lsarpc.h
+++ b/source3/rpc_client/cli_lsarpc.h
@@ -130,6 +130,7 @@ NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h,
struct policy_handle *pol,
int num_sids,
const struct dom_sid *sids,
+ enum lsa_LookupNamesLevel level,
char ***pdomains,
char ***pnames,
enum lsa_SidType **ptypes,
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 800b995..2aa0f5e 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -490,7 +490,8 @@ NTSTATUS rpccli_netlogon_password_logon(
/* Initialise input parameters */
switch (logon_type) {
- case NetlogonInteractiveInformation: {
+ case NetlogonInteractiveInformation:
+ case NetlogonInteractiveTransitiveInformation: {
struct netr_PasswordInfo *password_info;
@@ -519,7 +520,8 @@ NTSTATUS rpccli_netlogon_password_logon(
break;
}
- case NetlogonNetworkInformation: {
+ case NetlogonNetworkInformation:
+ case NetlogonNetworkTransitiveInformation: {
struct netr_NetworkInfo *network_info;
uint8_t chal[8];
unsigned char local_lm_response[24];
@@ -608,6 +610,7 @@ NTSTATUS rpccli_netlogon_network_logon(
const uint8_t chal[8],
DATA_BLOB lm_response,
DATA_BLOB nt_response,
+ enum netr_LogonInfoClass logon_type,
uint8_t *authoritative,
uint32_t *flags,
uint16_t *_validation_level,
@@ -627,6 +630,16 @@ NTSTATUS rpccli_netlogon_network_logon(
ZERO_STRUCT(lm);
ZERO_STRUCT(nt);
+ switch (logon_type) {
+ case NetlogonNetworkInformation:
+ case NetlogonNetworkTransitiveInformation:
+ break;
+ default:
+ DEBUG(0, ("switch value %d not supported\n",
+ logon_type));
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
logon = talloc_zero(mem_ctx, union netr_LogonLevel);
if (!logon) {
return NT_STATUS_NO_MEMORY;
@@ -672,7 +685,117 @@ NTSTATUS rpccli_netlogon_network_logon(
status = netlogon_creds_cli_LogonSamLogon(creds_ctx,
binding_handle,
- NetlogonNetworkInformation,
+ logon_type,
+ logon,
+ mem_ctx,
+ &validation_level,
+ &validation,
+ authoritative,
+ flags);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ *_validation_level = validation_level;
+ *_validation = validation;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS rpccli_netlogon_interactive_logon(
+ struct netlogon_creds_cli_context *creds_ctx,
+ struct dcerpc_binding_handle *binding_handle,
+ TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
+ const char *username,
+ const char *domain,
+ const char *workstation,
+ DATA_BLOB lm_hash,
+ DATA_BLOB nt_hash,
+ enum netr_LogonInfoClass logon_type,
+ uint8_t *authoritative,
+ uint32_t *flags,
+ uint16_t *_validation_level,
+ union netr_Validation **_validation)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status;
+ const char *workstation_name_slash;
+ union netr_LogonLevel *logon = NULL;
+ struct netr_PasswordInfo *password_info = NULL;
+ uint16_t validation_level = 0;
+ union netr_Validation *validation = NULL;
+ struct netr_ChallengeResponse lm;
+ struct netr_ChallengeResponse nt;
+
+ *_validation = NULL;
+
+ ZERO_STRUCT(lm);
+ ZERO_STRUCT(nt);
+
+ switch (logon_type) {
+ case NetlogonInteractiveInformation:
+ case NetlogonInteractiveTransitiveInformation:
+ break;
+ default:
+ DEBUG(0, ("switch value %d not supported\n",
+ logon_type));
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ logon = talloc_zero(mem_ctx, union netr_LogonLevel);
+ if (logon == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ password_info = talloc_zero(logon, struct netr_PasswordInfo);
+ if (password_info == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (workstation[0] != '\\' && workstation[1] != '\\') {
+ workstation_name_slash = talloc_asprintf(frame, "\\\\%s", workstation);
+ } else {
+ workstation_name_slash = workstation;
+ }
+
+ if (workstation_name_slash == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Initialise input parameters */
+
+ password_info->identity_info.domain_name.string = domain;
+ password_info->identity_info.parameter_control = logon_parameters;
+ password_info->identity_info.logon_id_low = 0xdead;
+ password_info->identity_info.logon_id_high = 0xbeef;
+ password_info->identity_info.account_name.string = username;
+ password_info->identity_info.workstation.string = workstation_name_slash;
+
+ if (nt_hash.length != sizeof(password_info->ntpassword.hash)) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ memcpy(password_info->ntpassword.hash, nt_hash.data, nt_hash.length);
+ if (lm_hash.length != 0) {
+ if (lm_hash.length != sizeof(password_info->lmpassword.hash)) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ memcpy(password_info->lmpassword.hash, lm_hash.data, lm_hash.length);
+ }
+
+ logon->password = password_info;
+
+ /* Marshall data and send request */
+
+ status = netlogon_creds_cli_LogonSamLogon(creds_ctx,
+ binding_handle,
+ logon_type,
logon,
mem_ctx,
&validation_level,
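Review bot: in rpccli_netlogon_interactive_logon(), the check `if (workstation[0] != '\\' && workstation[1] != '\\')` reads `workstation[1]` even when `workstation` is an empty string, and `workstation` is never checked for NULL. The `&&` also means a name with a single leading backslash is passed through without the double-backslash prefix; testing for the prefix explicitly after a NULL check (prefix unless both of the first two characters are backslashes) avoids both problems. Separately, `logon` and `password_info` are allocated on the caller's `mem_ctx` while the visible return paths free only `frame`, so the copied NT/LM hashes stay on the caller's context after the call; allocating them on `frame`, or freeing `logon` before returning, would limit how long the hashes remain in memory.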
@@ -680,11 +803,13 @@ NTSTATUS rpccli_netlogon_network_logon(
authoritative,
flags);
if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
return status;
}
*_validation_level = validation_level;
*_validation = validation;
+ TALLOC_FREE(frame);
return NT_STATUS_OK;
}
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index d31bdee..d0232b5 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -84,6 +84,22 @@ NTSTATUS rpccli_netlogon_network_logon(
const uint8_t chal[8],
DATA_BLOB lm_response,
DATA_BLOB nt_response,
+ enum netr_LogonInfoClass logon_type,
+ uint8_t *authoritative,
+ uint32_t *flags,
+ uint16_t *_validation_level,
+ union netr_Validation **_validation);
+NTSTATUS rpccli_netlogon_interactive_logon(
+ struct netlogon_creds_cli_context *creds_ctx,
+ struct dcerpc_binding_handle *binding_handle,
+ TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
+ const char *username,
+ const char *domain,
+ const char *workstation,
+ DATA_BLOB lm_hash,
+ DATA_BLOB nt_hash,
+ enum netr_LogonInfoClass logon_type,
uint8_t *authoritative,
uint32_t *flags,
uint16_t *_validation_level,
diff --git a/source3/rpc_client/util_netlogon.c b/source3/rpc_client/util_netlogon.c
index 15c769f..2d73bc9 100644
--- a/source3/rpc_client/util_netlogon.c
+++ b/source3/rpc_client/util_netlogon.c
@@ -190,6 +190,152 @@ NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+NTSTATUS copy_netr_SamInfo6(TALLOC_CTX *mem_ctx,
+ const struct netr_SamInfo6 *in,
+ struct netr_SamInfo6 **pout)
+{
+ struct netr_SamInfo6 *info6 = NULL;
+ unsigned int i;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+ info6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
+ if (info6 == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ status = copy_netr_SamBaseInfo(info6, &in->base, &info6->base);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ if (in->sidcount) {
+ info6->sidcount = in->sidcount;
+ info6->sids = talloc_array(info6, struct netr_SidAttr,
+ in->sidcount);
+ if (info6->sids == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ for (i = 0; i < in->sidcount; i++) {
+ info6->sids[i].sid = dom_sid_dup(info6->sids,
+ in->sids[i].sid);
+ if (info6->sids[i].sid == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+ info6->sids[i].attributes = in->sids[i].attributes;
+ }
+ }
+
+ if (in->dns_domainname.string != NULL) {
+ info6->dns_domainname.string = talloc_strdup(info6,
+ in->dns_domainname.string);
+ if (info6->dns_domainname.string == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+ }
+
+ if (in->principal_name.string != NULL) {
+ info6->principal_name.string = talloc_strdup(info6,
+ in->principal_name.string);
+ if (info6->principal_name.string == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+ }
+
+ *pout = info6;
+ info6 = NULL;
+
+ status = NT_STATUS_OK;
+out:
+ TALLOC_FREE(info6);
+ return status;
+}
+
+NTSTATUS map_validation_to_info6(TALLOC_CTX *mem_ctx,
+ uint16_t validation_level,
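Review bot: copy_netr_SamInfo6() trusts `in->sidcount` without checking `in->sids`: when `sidcount` is non-zero and `sids` is NULL, the loop dereferences `in->sids[i]`. A guard such as `if (in->sidcount != 0 && in->sids == NULL)` returning NT_STATUS_INVALID_PARAMETER would close that. `*pout` is also left untouched on every failure path, so setting it to NULL on entry would give callers a defined value.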
--
Samba Shared Repository