[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Mon Feb 26 08:07:02 UTC 2024
The branch, master has been updated
via e4c3c61302b python:gp: Implement client site lookup in site_dn_for_machine()
via e7584258697 librpc:idl: Make netlogon_samlogon_response public
from bdd739c1adb s3: winbindd: assign rangenum member after NULL check
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e4c3c61302b12419f041867b58350f11dc800318
Author: Andreas Schneider <asn at samba.org>
Date: Wed Feb 21 09:10:47 2024 +0100
python:gp: Implement client site lookup in site_dn_for_machine()
This is [MS-GPOL] 3.2.5.1.4 Site Search.
The netr_DsRGetSiteName() call needs to run over local RPC; however, we do not
have the call implemented in our rpc_server. What netr_DsRGetSiteName()
actually does is an LDAP query to get the site name, so we can just do the
same.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15588
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Feb 26 08:06:08 UTC 2024 on atb-devel-224
commit e758425869729a43136ae51e6baecb2061d1525b
Author: Andreas Schneider <asn at samba.org>
Date: Wed Feb 21 08:56:06 2024 +0100
librpc:idl: Make netlogon_samlogon_response public
This is required so that we can use it with ndrdump or in Python to decode
a NETLOGON_SAM_LOGON_RESPONSE_EX LDAP response.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15588
Signed-off-by: Andreas Schneider <asn at samba.org>
Pair-Programmed-With: Guenther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
librpc/idl/nbt.idl | 2 +-
librpc/ndr/ndr_nbt.c | 2 +-
librpc/ndr/ndr_nbt.h | 2 +-
python/samba/gp/gpclass.py | 68 ++++++++++++++++++++++++++++++----------------
4 files changed, 48 insertions(+), 26 deletions(-)
Changeset truncated at 500 lines:
diff --git a/librpc/idl/nbt.idl b/librpc/idl/nbt.idl
index 11814e7970e..46be2eae7e2 100644
--- a/librpc/idl/nbt.idl
+++ b/librpc/idl/nbt.idl
@@ -490,7 +490,7 @@ interface nbt
[case(NETLOGON_NT_VERSION_5EX)] NETLOGON_SAM_LOGON_RESPONSE_EX nt5_ex;
} netlogon_samlogon_response_union;
- typedef [nopush,nopull] struct {
+ typedef [nopush,nopull,noprint,public] struct {
uint32 ntver;
[switch_is(ntver)] netlogon_samlogon_response_union data;
} netlogon_samlogon_response;
diff --git a/librpc/ndr/ndr_nbt.c b/librpc/ndr/ndr_nbt.c
index eb186810785..6f54198ffbc 100644
--- a/librpc/ndr/ndr_nbt.c
+++ b/librpc/ndr/ndr_nbt.c
@@ -392,7 +392,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netlogon_samlogon_response(struct ndr_pull *
return NDR_ERR_SUCCESS;
}
-_PUBLIC_ void ndr_print_netlogon_samlogon_response(struct ndr_print *ndr, const char *name, struct netlogon_samlogon_response *r)
+_PUBLIC_ void ndr_print_netlogon_samlogon_response(struct ndr_print *ndr, const char *name, const struct netlogon_samlogon_response *r)
{
ndr_print_struct(ndr, name, "netlogon_samlogon_response");
if (r == NULL) { ndr_print_null(ndr); return; }
diff --git a/librpc/ndr/ndr_nbt.h b/librpc/ndr/ndr_nbt.h
index c38422fff6b..00ee8a17364 100644
--- a/librpc/ndr/ndr_nbt.h
+++ b/librpc/ndr/ndr_nbt.h
@@ -37,6 +37,6 @@ enum ndr_err_code ndr_pull_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags(struct ndr_
uint32_t nt_version_flags);
enum ndr_err_code ndr_push_netlogon_samlogon_response(struct ndr_push *ndr, ndr_flags_type ndr_flags, const struct netlogon_samlogon_response *r);
enum ndr_err_code ndr_pull_netlogon_samlogon_response(struct ndr_pull *ndr, ndr_flags_type ndr_flags, struct netlogon_samlogon_response *r);
-void ndr_print_netlogon_samlogon_response(struct ndr_print *ndr, const char *name, struct netlogon_samlogon_response *r);
+void ndr_print_netlogon_samlogon_response(struct ndr_print *ndr, const char *name, const struct netlogon_samlogon_response *r);
#endif /* _LIBRPC_NDR_NDR_NBT_H */
diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py
index 26c2386847e..08be472e707 100644
--- a/python/samba/gp/gpclass.py
+++ b/python/samba/gp/gpclass.py
@@ -49,7 +49,7 @@ from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT, GP
from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
from samba.dcerpc import security
import samba.security
-from samba.dcerpc import netlogon
+from samba.dcerpc import nbt
from datetime import datetime
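Review bot: Swapping the `netlogon` import for `nbt` leaves `WERRORError` possibly unreferenced now that the `except WERRORError:` fallback in site_dn_for_machine is removed, and the new body of that function calls `ndr_unpack` without this commit adding an import for it; both presumably resolve from imports above line 49 that are outside the hunk, so a quick unused/undefined-name lint pass on the file is worth doing. The unchanged context line `nbt.NBT_SERVER_DS` in get_dc_hostname already used `nbt` before this change, so either the module was imported elsewhere already (making the added line a duplicate) or that reference was previously unresolved — worth confirming which.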
@@ -611,12 +611,6 @@ def get_dc_hostname(creds, lp):
nbt.NBT_SERVER_DS))
return cldap_ret.pdc_dns_name
-def get_dc_netbios_hostname(creds, lp):
- net = Net(creds=creds, lp=lp)
- cldap_ret = net.finddc(domain=lp.get('realm'), flags=(nbt.NBT_SERVER_LDAP |
- nbt.NBT_SERVER_DS))
- return cldap_ret.pdc_name
-
""" Fetch a list of GUIDs for applicable GPOs """
@@ -787,24 +781,52 @@ def merge_with_system_token(token_1):
# There are no claims in the system token, so it is safe not to merge the claims
return token_1
+
def site_dn_for_machine(samdb, dc_hostname, lp, creds, hostname):
# [MS-GPOL] 3.2.5.1.4 Site Search
- config_context = samdb.get_config_basedn()
- try:
- c = netlogon.netlogon("ncacn_np:%s[seal]" % dc_hostname, lp, creds)
- site_name = c.netr_DsRGetSiteName(hostname)
- return 'CN={},CN=Sites,{}'.format(site_name, config_context)
- except WERRORError:
- # Fallback to the old method found in ads_site_dn_for_machine
- nb_hostname = get_dc_netbios_hostname(creds, lp)
- res = samdb.search(config_context, ldb.SCOPE_SUBTREE,
- "(cn=%s)" % nb_hostname, ['dn'])
- if res.count != 1:
- raise ldb.LdbError(ldb.ERR_NO_SUCH_OBJECT,
- 'site_dn_for_machine: no result')
- dn = res.msgs[0]['dn']
- site_dn = dn.parent().parent()
- return site_dn
+
+ # The netr_DsRGetSiteName() needs to run over local rpc, however we do not
+ # have the call implemented in our rpc_server.
+ # What netr_DsRGetSiteName() actually does is an ldap query to get
+ # the sitename, we can do the same.
+
+ # NtVer=(NETLOGON_NT_VERSION_IP|NETLOGON_NT_VERSION_WITH_CLOSEST_SITE|
+ # NETLOGON_NT_VERSION_5EX) [0x20000014]
+ expr = "(&(DnsDomain=%s.)(User=%s)(NtVer=\\14\\00\\00\\20))" % (
+ samdb.domain_dns_name(),
+ hostname)
+ res = samdb.search(
+ base='',
+ scope=ldb.SCOPE_BASE,
+ expression=expr,
+ attrs=["Netlogon"])
+ if res.count != 1:
+ raise RuntimeError('site_dn_for_machine: No result')
+
+ samlogon_response = ndr_unpack(nbt.netlogon_samlogon_response,
+ bytes(res.msgs[0]['Netlogon'][0]))
+ if samlogon_response.ntver not in [nbt.NETLOGON_NT_VERSION_5EX,
+ (nbt.NETLOGON_NT_VERSION_1
+ | nbt.NETLOGON_NT_VERSION_5EX)]:
+ raise RuntimeError('site_dn_for_machine: Invalid NtVer in '
+ + 'netlogon_samlogon_response')
+
+ # We want NETLOGON_NT_VERSION_5EX out of the union!
+ samlogon_response.ntver = nbt.NETLOGON_NT_VERSION_5EX
+ samlogon_response_ex = samlogon_response.data
+
+ client_site = "Default-First-Site-Name"
+ if (samlogon_response_ex.client_site
+ and len(samlogon_response_ex.client_site) > 1):
+ client_site = samlogon_response_ex.client_site
+
+ site_dn = samdb.get_config_basedn()
+ site_dn.add_child("CN=Sites")
+ site_dn.add_child("CN=%s" % (client_site))
+
+ return site_dn
+
+
def get_gpo_list(dc_hostname, creds, lp, username):
"""Get the full list of GROUP_POLICY_OBJECTs for a given username.
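Review bot: `hostname` and `samdb.domain_dns_name()` are interpolated into the LDAP filter on the `expr =` line without escaping; the value is the local machine name, so the risk is low, but `ldb.binary_encode(hostname)` keeps a name containing `(`, `)`, `*` or `\` from yielding a malformed filter or an unintended match. The `len(samlogon_response_ex.client_site) > 1` test silently replaces a one-character site name with `Default-First-Site-Name`; unless that is deliberate, `if samlogon_response_ex.client_site:` is what the surrounding comment and the C counterpart appear to intend. `res.msgs[0]['Netlogon'][0]` raises a bare KeyError when the rootDSE entry matched but carries no Netlogon attribute — folding `or 'Netlogon' not in res.msgs[0]` into the existing `res.count != 1` test would route that case through the same `RuntimeError`. The rewritten function also raises `RuntimeError` where the removed fallback raised `ldb.LdbError`, so callers that catch only `ldb.LdbError` will now see the site lookup propagate; a short docstring on site_dn_for_machine stating that it resolves the site via the rootDSE Netlogon attribute, defaults to Default-First-Site-Name, and raises RuntimeError on a missing or malformed response would make that contract visible.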