winbindd of a Samba PDC is broken in current SAMBA_3_0
Andrew Bartlett
abartlet at samba.org
Wed Aug 20 04:06:05 GMT 2003
On Tue, Aug 19, 2003 at 10:31:14PM -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We know about it and are working on it. Beware if you cvs update.
Proposed fix attached - this broke all NT4-like DCs (including Samba).
Andrew Bartlett
-------------- next part --------------
Index: nsswitch/winbindd_cm.c
===================================================================
RCS file: /home/cvs/samba/source/nsswitch/winbindd_cm.c,v
retrieving revision 1.31.2.40
diff -u -r1.31.2.40 winbindd_cm.c
--- nsswitch/winbindd_cm.c 19 Aug 2003 22:47:10 -0000 1.31.2.40
+++ nsswitch/winbindd_cm.c 20 Aug 2003 04:01:26 -0000
@@ -121,6 +121,7 @@
struct in_addr dc_ip;
int i;
BOOL retry = True;
+ BOOL got_login = False;
ZERO_STRUCT(dc_ip);
@@ -163,64 +164,81 @@
CLI_FULL_CONNECTION_USE_KERBEROS,
&retry);
- if (NT_STATUS_IS_OK(result)) {
- if ((lp_security() == SEC_ADS)
- && (new_conn->cli->protocol >= PROTOCOL_NT1 && new_conn->cli->capabilities & CAP_EXTENDED_SECURITY)) {
- new_conn->cli->use_kerberos = True;
- DEBUG(5, ("connecting to %s from %s with kerberos principal [%s]\n",
- new_conn->controller, global_myname(), machine_krb5_principal));
-
- if (!cli_session_setup_spnego(new_conn->cli, machine_krb5_principal,
- machine_password,
- domain)) {
- result = cli_nt_error(new_conn->cli);
- DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
- if (NT_STATUS_IS_OK(result))
- result = NT_STATUS_UNSUCCESSFUL;
- }
+ if (!NT_STATUS_IS_OK(result))
+ break;
+
+ retry = False;
+ got_login = False;
+
+ if ((lp_security() == SEC_ADS)
+ && (new_conn->cli->protocol >= PROTOCOL_NT1 && new_conn->cli->capabilities & CAP_EXTENDED_SECURITY)) {
+ new_conn->cli->use_kerberos = True;
+ DEBUG(5, ("connecting to %s from %s with kerberos principal [%s]\n",
+ new_conn->controller, global_myname(), machine_krb5_principal));
+
+ if (!cli_session_setup_spnego(new_conn->cli, machine_krb5_principal,
+ machine_password,
+ domain)) {
+ result = cli_nt_error(new_conn->cli);
+ DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
+ if (NT_STATUS_IS_OK(result))
+ result = NT_STATUS_UNSUCCESSFUL;
+ } else {
+ got_login = True;
+ result = NT_STATUS_OK;
}
- new_conn->cli->use_kerberos = False;
- if (!NT_STATUS_IS_OK(result)
- && new_conn->cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
- DEBUG(5, ("connecting to %s from %s with username [%s]\\[%s]\n",
- new_conn->controller, global_myname(), ipc_domain, ipc_username));
-
- if (!cli_session_setup(new_conn->cli, ipc_username,
- ipc_password, strlen(ipc_password)+1,
- ipc_password, strlen(ipc_password)+1,
- domain)) {
- result = cli_nt_error(new_conn->cli);
- DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
- if (NT_STATUS_IS_OK(result))
- result = NT_STATUS_UNSUCCESSFUL;
- }
+ }
+
+ new_conn->cli->use_kerberos = False;
+ if ((!got_login)
+ && new_conn->cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
+ DEBUG(5, ("connecting to %s from %s with username [%s]\\[%s]\n",
+ new_conn->controller, global_myname(), ipc_domain, ipc_username));
+
+ if (!cli_session_setup(new_conn->cli, ipc_username,
+ ipc_password, strlen(ipc_password)+1,
+ ipc_password, strlen(ipc_password)+1,
+ domain)) {
+ result = cli_nt_error(new_conn->cli);
+ DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
+ if (NT_STATUS_IS_OK(result))
+ result = NT_STATUS_UNSUCCESSFUL;
+ } else {
+ got_login = True;
+ result = NT_STATUS_OK;
}
- if (!NT_STATUS_IS_OK(result)) {
- if (!cli_session_setup(new_conn->cli, "", NULL, 0,
- NULL, 0,
- "")) {
- result = cli_nt_error(new_conn->cli);
- DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
- if (NT_STATUS_IS_OK(result))
- result = NT_STATUS_UNSUCCESSFUL;
- }
-
+ }
+
+ /* guest fallback */
+ if (!got_login) {
+ if (!cli_session_setup(new_conn->cli, "", NULL, 0,
+ NULL, 0,
+ "")) {
+ result = cli_nt_error(new_conn->cli);
+ DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
+ if (NT_STATUS_IS_OK(result))
+ result = NT_STATUS_UNSUCCESSFUL;
+ } else {
+ got_login = True;
+ result = NT_STATUS_OK;
}
- if (NT_STATUS_IS_OK(result) && !cli_send_tconX(new_conn->cli, "IPC$", "IPC",
- "", 0)) {
+
+ }
+ if (got_login) {
+ if (!cli_send_tconX(new_conn->cli, "IPC$", "IPC",
+ "", 0)) {
result = cli_nt_error(new_conn->cli);
DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result)));
cli_shutdown(new_conn->cli);
if (NT_STATUS_IS_OK(result)) {
result = NT_STATUS_UNSUCCESSFUL;
}
+ } else {
+ /* sucess - we got the IPC$ open */
+ struct ntuser_creds creds;
+ init_creds(&creds, ipc_username, ipc_domain, ipc_password);
+ cli_init_creds(new_conn->cli, &creds);
}
- }
-
- if (NT_STATUS_IS_OK(result)) {
- struct ntuser_creds creds;
- init_creds(&creds, ipc_username, ipc_domain, ipc_password);
- cli_init_creds(new_conn->cli, &creds);
}
if (got_mutex)
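Review bot: The NTLM branch (`cli_session_setup` with `ipc_username`) and the new `/* guest fallback */` branch both still log "failed kerberos session setup with %s", copied from the Kerberos branch, so the log cannot show which authentication step failed. A successful fallback to an anonymous session is also not logged, so a downgrade from Kerberos or the configured IPC user to a null session leaves no trace for whoever reads the winbindd log. I would change the two messages to `DEBUG(4,("failed session setup as [%s]\\[%s] with %s\n", ipc_domain, ipc_username, nt_errstr(result)));` and `DEBUG(4,("failed anonymous session setup with %s\n", nt_errstr(result)));`, and add `DEBUG(3,("connected to %s anonymously after authenticated session setup failed\n", new_conn->controller));` in the guest `else` branch. Separately, the success path calls `init_creds(&creds, ipc_username, ipc_domain, ipc_password)` whichever of the three logins succeeded, so the stored credentials may not describe an anonymous or machine-account session; this looks inherited from the old code and is worth confirming. The enclosing function starts and ends outside this hunk.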