[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Thu Dec 2 14:50:02 UTC 2021
The branch, master has been updated
via d1ea9c5aaba libcli:auth: Allow to connect to netlogon server offering only AES
via 6bf3a39b118 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()
via 62aa7696674 s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel()
via c7ead129285 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()
via be1520d2058 s3:libsmb: Remove trailing white spaces from passchange.c
via bb3e0ce8fc9 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport()
via 34c57ebee04 s3:libnet: Remove tailing whitespaces in libnet_join.c
via 33eb7a1bc9c s3:rpcclient: Remove trailing white spaces in rpcclient.c
via 016429acaf7 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open()
via b3bf5bbaf81 s3:rpc_client: Remove trailing white spaces from cli_pipe.c
via 492fd5b00fe testprogs: Add rpcclient schannel tests
from f4d0bb164f0 smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit d1ea9c5aaba42447f25a15935a9bf5bbd20f7d93
Author: Andreas Schneider <asn at samba.org>
Date: Thu Nov 18 13:46:26 2021 +0100
libcli:auth: Allow to connect to netlogon server offering only AES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Dec 2 14:49:35 UTC 2021 on sn-devel-184
commit 6bf3a39b11832ad2feb655e29da84f8b5aac298e
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 18 11:52:18 2021 +0100
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 62aa769667464451cda672fc073e52a8e52ae4c1
Author: Andreas Schneider <asn at samba.org>
Date: Thu Nov 18 11:47:26 2021 +0100
s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c7ead1292852da371ff53fcdbd7ebd4bc1c08fbd
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 18 11:43:08 2021 +0100
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit be1520d2058a9430cf370f6fefd07bbddf3fbfe0
Author: Andreas Schneider <asn at samba.org>
Date: Wed Nov 24 13:21:28 2021 +0100
s3:libsmb: Remove trailing white spaces from passchange.c
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit bb3e0ce8fc932f5146044c548730f454a0119800
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 18 11:31:00 2021 +0100
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 34c57ebee04bb770174fab31edd9bfe2f88a84eb
Author: Andreas Schneider <asn at samba.org>
Date: Thu Nov 18 11:38:42 2021 +0100
s3:libnet: Remove tailing whitespaces in libnet_join.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 33eb7a1bc9c21463dc699d6daaa6a1e19f668268
Author: Andreas Schneider <asn at samba.org>
Date: Thu Nov 18 11:32:42 2021 +0100
s3:rpcclient: Remove trailing white spaces in rpcclient.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 016429acaf76bde53bd4ab81b48be23c2bcc28e3
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 18 11:18:59 2021 +0100
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit b3bf5bbaf81de369c8f9415d903816a2d7424ffc
Author: Andreas Schneider <asn at samba.org>
Date: Thu Nov 18 11:14:16 2021 +0100
s3:rpc_client: Remove trailing white spaces from cli_pipe.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 492fd5b00fe9d62f53b96e3a7588a7f2848a571d
Author: Andreas Schneider <asn at samba.org>
Date: Wed Nov 17 11:46:04 2021 +0100
testprogs: Add rpcclient schannel tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
examples/winexe/winexe.c | 14 +++-
libcli/auth/netlogon_creds_cli.c | 48 +++++++++++---
source3/libnet/libnet_join.c | 43 ++++++++----
source3/libsmb/passchange.c | 16 +++--
source3/rpc_client/cli_netlogon.c | 51 ++++++++++++---
source3/rpc_client/cli_pipe.c | 54 ++++++++++++---
source3/rpc_client/cli_pipe.h | 9 +++
source3/rpc_client/cli_pipe_schannel.c | 7 +-
source3/rpcclient/rpcclient.c | 53 +++++++++++++--
source3/utils/net_rpc.c | 8 +++
source3/winbindd/winbindd_cm.c | 45 +++++++++++--
source4/selftest/tests.py | 27 ++++++++
testprogs/blackbox/test_rpcclient_schannel.sh | 94 +++++++++++++++++++++++++++
13 files changed, 403 insertions(+), 66 deletions(-)
create mode 100755 testprogs/blackbox/test_rpcclient_schannel.sh
Changeset truncated at 500 lines:
diff --git a/examples/winexe/winexe.c b/examples/winexe/winexe.c
index 59fb9dbdebb..8a17107617c 100644
--- a/examples/winexe/winexe.c
+++ b/examples/winexe/winexe.c
@@ -401,11 +401,16 @@ static NTSTATUS winexe_svc_install(
bool need_conf = false;
NTSTATUS status;
WERROR werr;
+ const char *remote_name = smbXcli_conn_remote_name(cli->conn);
+ const struct sockaddr_storage *remote_sockaddr =
+ smbXcli_conn_remote_sockaddr(cli->conn);
status = cli_rpc_pipe_open_noauth_transport(
cli,
NCACN_NP,
&ndr_table_svcctl,
+ remote_name,
+ remote_sockaddr,
&rpccli);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("cli_rpc_pipe_open_noauth_transport failed: %s\n",
@@ -416,7 +421,7 @@ static NTSTATUS winexe_svc_install(
status = dcerpc_svcctl_OpenSCManagerW(
rpccli->binding_handle,
frame,
- smbXcli_conn_remote_name(cli->conn),
+ remote_name,
NULL,
SEC_FLAG_MAXIMUM_ALLOWED,
&scmanager_handle,
@@ -717,11 +722,16 @@ static NTSTATUS winexe_svc_uninstall(
struct SERVICE_STATUS service_status;
NTSTATUS status;
WERROR werr;
+ const char *remote_name = smbXcli_conn_remote_name(cli->conn);
+ const struct sockaddr_storage *remote_sockaddr =
+ smbXcli_conn_remote_sockaddr(cli->conn);
status = cli_rpc_pipe_open_noauth_transport(
cli,
NCACN_NP,
&ndr_table_svcctl,
+ remote_name,
+ remote_sockaddr,
&rpccli);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("cli_rpc_pipe_open_noauth_transport failed: %s\n",
@@ -732,7 +742,7 @@ static NTSTATUS winexe_svc_uninstall(
status = dcerpc_svcctl_OpenSCManagerW(
rpccli->binding_handle,
frame,
- smbXcli_conn_remote_name(cli->conn),
+ remote_name,
NULL,
SEC_FLAG_MAXIMUM_ALLOWED,
&scmanager_handle,
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index beab2fae53a..e92a042c012 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -516,9 +516,33 @@ enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
return context->client.auth_level;
}
+static bool netlogon_creds_cli_downgraded(uint32_t negotiated_flags,
+ uint32_t proposed_flags,
+ uint32_t required_flags)
+{
+ uint32_t req_flags = required_flags;
+ uint32_t tmp_flags;
+
+ req_flags = required_flags;
+ if ((negotiated_flags & NETLOGON_NEG_SUPPORTS_AES) &&
+ (proposed_flags & NETLOGON_NEG_SUPPORTS_AES))
+ {
+ req_flags &= ~NETLOGON_NEG_ARCFOUR|NETLOGON_NEG_STRONG_KEYS;
+ }
+
+ tmp_flags = negotiated_flags;
+ tmp_flags &= req_flags;
+ if (tmp_flags != req_flags) {
+ return true;
+ }
+
+ return false;
+}
+
struct netlogon_creds_cli_fetch_state {
TALLOC_CTX *mem_ctx;
struct netlogon_creds_CredentialState *creds;
+ uint32_t proposed_flags;
uint32_t required_flags;
NTSTATUS status;
};
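Review bot: In netlogon_creds_cli_downgraded(), the mask in `req_flags &= ~NETLOGON_NEG_ARCFOUR|NETLOGON_NEG_STRONG_KEYS;` does not do what the line suggests. Unary `~` binds tighter than `|`, so the expression is `(~NETLOGON_NEG_ARCFOUR) | NETLOGON_NEG_STRONG_KEYS`. That clears only the ARCFOUR bit and leaves NETLOGON_NEG_STRONG_KEYS in req_flags. If the intent is to drop both requirements once AES was both proposed and negotiated, write `req_flags &= ~(NETLOGON_NEG_ARCFOUR|NETLOGON_NEG_STRONG_KEYS);`. As written, a server that negotiates AES without STRONG_KEYS still makes this function return true whenever required_flags contains STRONG_KEYS. Separately, req_flags is initialised from required_flags in its declaration and assigned the same value again in the next statement, so one of the two can go. A one-line comment on why AES supersedes these flags would help, since this helper now decides downgrade detection.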
@@ -530,7 +554,7 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
(struct netlogon_creds_cli_fetch_state *)private_data;
enum ndr_err_code ndr_err;
DATA_BLOB blob;
- uint32_t tmp_flags;
+ bool downgraded;
state->creds = talloc_zero(state->mem_ctx,
struct netlogon_creds_CredentialState);
@@ -554,9 +578,11 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
NDR_PRINT_DEBUG(netlogon_creds_CredentialState, state->creds);
}
- tmp_flags = state->creds->negotiate_flags;
- tmp_flags &= state->required_flags;
- if (tmp_flags != state->required_flags) {
+ downgraded = netlogon_creds_cli_downgraded(
+ state->creds->negotiate_flags,
+ state->proposed_flags,
+ state->required_flags);
+ if (downgraded) {
TALLOC_FREE(state->creds);
state->status = NT_STATUS_DOWNGRADE_DETECTED;
return;
@@ -827,6 +853,7 @@ static NTSTATUS netlogon_creds_cli_get_internal(
{
struct netlogon_creds_cli_fetch_state fstate = {
.status = NT_STATUS_INTERNAL_ERROR,
+ .proposed_flags = context->client.proposed_flags,
.required_flags = context->client.required_flags,
};
NTSTATUS status;
@@ -1309,7 +1336,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
enum ndr_err_code ndr_err;
DATA_BLOB blob;
TDB_DATA data;
- uint32_t tmp_flags;
+ bool downgraded;
if (state->try_auth3) {
status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state,
@@ -1356,9 +1383,11 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
return;
}
- tmp_flags = state->creds->negotiate_flags;
- tmp_flags &= state->context->client.required_flags;
- if (tmp_flags != state->context->client.required_flags) {
+ downgraded = netlogon_creds_cli_downgraded(
+ state->creds->negotiate_flags,
+ state->context->client.proposed_flags,
+ state->context->client.required_flags);
+ if (downgraded) {
if (NT_STATUS_IS_OK(result)) {
tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED);
return;
@@ -1368,8 +1397,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
}
if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
-
- tmp_flags = state->context->client.proposed_flags;
+ uint32_t tmp_flags = state->context->client.proposed_flags;
if ((state->current_flags == tmp_flags) &&
(state->creds->negotiate_flags != tmp_flags))
{
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 263420a2159..02705f1c70c 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1297,11 +1297,18 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
TALLOC_FREE(creds);
if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
- status = cli_rpc_pipe_open_schannel_with_creds(cli,
- &ndr_table_netlogon,
- NCACN_NP,
- netlogon_creds,
- &passwordset_pipe);
+ const char *remote_name = smbXcli_conn_remote_name(cli->conn);
+ const struct sockaddr_storage *remote_sockaddr =
+ smbXcli_conn_remote_sockaddr(cli->conn);
+
+ status = cli_rpc_pipe_open_schannel_with_creds(
+ cli,
+ &ndr_table_netlogon,
+ NCACN_NP,
+ netlogon_creds,
+ remote_name,
+ remote_sockaddr,
+ &passwordset_pipe);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(frame);
return status;
@@ -1700,6 +1707,8 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
uint32_t netlogon_flags = 0;
NTSTATUS status;
int flags = CLI_FULL_CONNECTION_IPC;
+ const char *remote_name = NULL;
+ const struct sockaddr_storage *remote_sockaddr = NULL;
if (!dc_name) {
TALLOC_FREE(frame);
@@ -1800,9 +1809,15 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
return NT_STATUS_OK;
}
+ remote_name = smbXcli_conn_remote_name(cli->conn);
+ remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn);
+
status = cli_rpc_pipe_open_schannel_with_creds(
cli, &ndr_table_netlogon, NCACN_NP,
- netlogon_creds, &netlogon_pipe);
+ netlogon_creds,
+ remote_name,
+ remote_sockaddr,
+ &netlogon_pipe);
TALLOC_FREE(netlogon_pipe);
@@ -1810,7 +1825,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
DEBUG(0,("libnet_join_ok: failed to open schannel session "
"on netlogon pipe to server %s for domain %s. "
"Error was %s\n",
- smbXcli_conn_remote_name(cli->conn),
+ remote_name,
netbios_domain_name, nt_errstr(status)));
cli_shutdown(cli);
TALLOC_FREE(frame);
@@ -3045,7 +3060,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid);
}
- if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) &&
+ if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) &&
!r->in.delete_machine_account) {
libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
return WERR_OK;
@@ -3077,8 +3092,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
}
#ifdef HAVE_ADS
- /* for net ads leave, try to delete the account. If it works,
- no sense in disabling. If it fails, we can still try to
+ /* for net ads leave, try to delete the account. If it works,
+ no sense in disabling. If it fails, we can still try to
disable it. jmcd */
if (r->in.delete_machine_account) {
@@ -3086,10 +3101,10 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
ads_status = libnet_unjoin_connect_ads(mem_ctx, r);
if (ADS_ERR_OK(ads_status)) {
/* dirty hack */
- r->out.dns_domain_name =
+ r->out.dns_domain_name =
talloc_strdup(mem_ctx,
r->in.ads->server.realm);
- ads_status =
+ ads_status =
libnet_unjoin_remove_machine_acct(mem_ctx, r);
}
if (!ADS_ERR_OK(ads_status)) {
@@ -3105,7 +3120,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
}
#endif /* HAVE_ADS */
- /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means
+ /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means
"disable". */
if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
status = libnet_join_unjoindomain_rpc(mem_ctx, r);
@@ -3124,7 +3139,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
r->out.disabled_machine_account = true;
}
- /* If disable succeeded or was not requested at all, we
+ /* If disable succeeded or was not requested at all, we
should be getting rid of our end of things */
libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index f60e3079975..2137c183f0e 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -1,4 +1,4 @@
-/*
+/*
Unix SMB/CIFS implementation.
SMB client password change routine
Copyright (C) Andrew Tridgell 1994-1998
@@ -79,7 +79,7 @@ NTSTATUS remote_password_change(const char *remote_machine,
if (!NT_STATUS_IS_OK(result)) {
if (asprintf(err_str, "machine %s rejected the negotiate "
- "protocol. Error was : %s.\n",
+ "protocol. Error was : %s.\n",
remote_machine, nt_errstr(result)) == -1) {
*err_str = NULL;
}
@@ -87,7 +87,7 @@ NTSTATUS remote_password_change(const char *remote_machine,
return result;
}
- /* Given things like SMB signing, restrict anonymous and the like,
+ /* Given things like SMB signing, restrict anonymous and the like,
try an authenticated connection first */
result = cli_session_setup_creds(cli, creds);
@@ -120,7 +120,7 @@ NTSTATUS remote_password_change(const char *remote_machine,
if (!NT_STATUS_IS_OK(result)) {
if (asprintf(err_str, "machine %s rejected the session "
- "setup. Error was : %s.\n",
+ "setup. Error was : %s.\n",
remote_machine, nt_errstr(result)) == -1) {
*err_str = NULL;
}
@@ -143,12 +143,16 @@ NTSTATUS remote_password_change(const char *remote_machine,
/* Try not to give the password away too easily */
if (!pass_must_change) {
+ const struct sockaddr_storage *remote_sockaddr =
+ smbXcli_conn_remote_sockaddr(cli->conn);
+
result = cli_rpc_pipe_open_with_creds(cli,
&ndr_table_samr,
NCACN_NP,
DCERPC_AUTH_TYPE_NTLMSSP,
DCERPC_AUTH_LEVEL_PRIVACY,
remote_machine,
+ remote_sockaddr,
creds,
&pipe_hnd);
} else {
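Review bot: In the cli_rpc_pipe_open_with_creds() call, the remote name is still the caller-supplied remote_machine while the new remote_sockaddr argument is taken from smbXcli_conn_remote_sockaddr(cli->conn), so name and address come from two different sources. The other call sites in this changeset derive both from cli->conn. Either use smbXcli_conn_remote_name(cli->conn) here as well, or add a comment stating that remote_machine is the name intended for this DCERPC_AUTH_TYPE_NTLMSSP pipe and that it is expected to match the connection.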
@@ -196,7 +200,7 @@ NTSTATUS remote_password_change(const char *remote_machine,
cli_shutdown(cli);
return NT_STATUS_OK;
- } else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
+ } else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
|| NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
/* it failed, but for reasons such as wrong password, too short etc ... */
@@ -227,7 +231,7 @@ NTSTATUS remote_password_change(const char *remote_machine,
cli_shutdown(cli);
return NT_STATUS_OK;
} else {
- if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
+ if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
|| NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
/* it failed, but again it was due to things like new password too short */
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 175f83d6750..049186e5a51 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -168,6 +168,8 @@ NTSTATUS rpccli_setup_netlogon_creds_locked(
const struct samr_Password *nt_hashes[2] = { NULL, NULL };
uint8_t idx_nt_hashes = 0;
NTSTATUS status;
+ const char *remote_name = NULL;
+ const struct sockaddr_storage *remote_sockaddr = NULL;
status = netlogon_creds_cli_get(creds_ctx, frame, &creds);
if (NT_STATUS_IS_OK(status)) {
@@ -177,10 +179,16 @@ NTSTATUS rpccli_setup_netlogon_creds_locked(
action = "overwrite";
}
+ if (cli != NULL) {
+ remote_name = smbXcli_conn_remote_name(cli->conn);
+ } else {
+ remote_name = "<UNKNOWN>";
+ }
+
DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
__FUNCTION__, action,
creds->account_name, creds->computer_name,
- smbXcli_conn_remote_name(cli->conn)));
+ remote_name));
if (!force_reauth) {
goto done;
}
@@ -200,14 +208,19 @@ NTSTATUS rpccli_setup_netlogon_creds_locked(
num_nt_hashes = 2;
}
+ remote_name = smbXcli_conn_remote_name(cli->conn);
+ remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn);
+
status = cli_rpc_pipe_open_noauth_transport(cli,
transport,
&ndr_table_netlogon,
+ remote_name,
+ remote_sockaddr,
&netlogon_pipe);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
__FUNCTION__,
- smbXcli_conn_remote_name(cli->conn),
+ remote_name,
nt_errstr(status)));
TALLOC_FREE(frame);
return status;
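Review bot: `remote_name = smbXcli_conn_remote_name(cli->conn);` dereferences cli unconditionally, while the debug path earlier in rpccli_setup_netlogon_creds_locked() was just changed to handle `cli == NULL` by falling back to "<UNKNOWN>". That earlier path only jumps to done when force_reauth is not set, so a NULL cli with force_reauth set falls through to this line. Either return an error before this point when cli is NULL, or drop the NULL guard above if cli can never be NULL here, so that the two hunks agree.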
@@ -233,7 +246,7 @@ NTSTATUS rpccli_setup_netlogon_creds_locked(
DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
__FUNCTION__,
creds->account_name, creds->computer_name,
- smbXcli_conn_remote_name(cli->conn)));
+ remote_name));
done:
if (negotiate_flags != NULL) {
@@ -293,6 +306,8 @@ NTSTATUS rpccli_connect_netlogon(
struct rpc_pipe_client *rpccli;
NTSTATUS status;
bool retry = false;
+ const char *remote_name = NULL;
+ const struct sockaddr_storage *remote_sockaddr = NULL;
sec_chan_type = cli_credentials_get_secure_channel_type(trust_creds);
if (sec_chan_type == SEC_CHAN_NULL) {
@@ -353,15 +368,22 @@ again:
}
}
+ remote_name = smbXcli_conn_remote_name(cli->conn);
+ remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn);
+
do_serverauth = force_reauth || !found_existing_creds;
if (!do_serverauth) {
/*
* Do the quick schannel bind without a reauth
*/
- status = cli_rpc_pipe_open_bind_schannel(
- cli, &ndr_table_netlogon, transport, creds_ctx,
- &rpccli);
+ status = cli_rpc_pipe_open_bind_schannel(cli,
+ &ndr_table_netlogon,
+ transport,
+ creds_ctx,
+ remote_name,
+ remote_sockaddr,
+ &rpccli);
if (!retry && NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
DBG_DEBUG("Retrying with serverauthenticate\n");
TALLOC_FREE(lck);
@@ -411,8 +433,12 @@ again:
goto fail;
}
- status = cli_rpc_pipe_open_noauth_transport(
- cli, transport, &ndr_table_netlogon, &rpccli);
+ status = cli_rpc_pipe_open_noauth_transport(cli,
+ transport,
+ &ndr_table_netlogon,
+ remote_name,
+ remote_sockaddr,
+ &rpccli);
if (!NT_STATUS_IS_OK(status)) {
DBG_DEBUG("cli_rpc_pipe_open_noauth_transport "
"failed: %s\n", nt_errstr(status));
@@ -421,8 +447,13 @@ again:
goto done;
}
- status = cli_rpc_pipe_open_bind_schannel(
- cli, &ndr_table_netlogon, transport, creds_ctx, &rpccli);
+ status = cli_rpc_pipe_open_bind_schannel(cli,
+ &ndr_table_netlogon,
+ transport,
+ creds_ctx,
+ remote_name,
+ remote_sockaddr,
+ &rpccli);
if (!NT_STATUS_IS_OK(status)) {
DBG_DEBUG("cli_rpc_pipe_open_bind_schannel "
"failed: %s\n", nt_errstr(status));
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 2ceef482c64..8dca089bbf5 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3058,7 +3058,7 @@ static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_r
* assignments of cli, which invalidates the data in the returned
* rpc_pipe_client if this function is called before the structure assignment
* of cli.
- *
+ *
****************************************************************************/
static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
@@ -3136,13 +3136,15 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
enum dcerpc_transport_t transport,
const struct ndr_interface_table *table,
+ const char *remote_name,
+ const struct sockaddr_storage *remote_sockaddr,
struct rpc_pipe_client **presult)
{
switch (transport) {
case NCACN_IP_TCP:
return rpc_pipe_open_tcp(NULL,
- smbXcli_conn_remote_name(cli->conn),
- smbXcli_conn_remote_sockaddr(cli->conn),
+ remote_name,