[PATCH] Re: netlogon_creds_cli_validate() in master4-schannel
Garming Sam
garming at catalyst.net.nz
Sun Dec 1 21:57:28 MST 2013
On 02/12/13 13:38, Garming Sam wrote:
> On 02/12/13 12:04, Garming Sam wrote:
>> On 02/12/13 09:59, Andrew Bartlett wrote:
>>> On Fri, 2013-11-29 at 18:45 +0100, Stefan (metze) Metzmacher wrote:
>>>> Am 29.11.2013 06:19, schrieb Garming Sam:
>>>>> On 29/11/13 15:19, Andrew Bartlett wrote:
>>>>>> On Fri, 2013-11-29 at 14:50 +1300, Garming Sam wrote:
>>>>>>>> Segmentation fault (core dumped)
>>>>>>>>
>>>>>>> The seg fault was because it couldn't fetch the secret. This patch
>>>>>>> prints an error in this case and fixes the seg fault by
>>>>>>> reinitializing
>>>>>>> the pointer.
>>>>>> Thanks Garming!
>>>>>>
>>>>>> Reviewed-by: Andrew Bartlett <abartlet at samba.org>
>>>>>>
>>>>>> Metze: can you review that and add it to you tree?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Andrew Bartlett
>>>>> Andrew and I just wrote a test to cover the calls that were changed.
>>>> Thanks! I've integrated the patches into my tree, Partly before my
>>>> changes.
>>> Thanks. Can you add my review tags to the patches I reviewed last
>>> week,
>>> so I don't have to re-tag them?
>>>
>>> I'll also work with Garming to do some manual testing and perhaps add a
>>> few more automated tests.
>>>
>>> Andrew Bartlett
>>>
>>
>> Hi there,
>>
>> We were aiming to write a test to demonstrate the difference between
>> master and some of your patches.
>>
>> On git master:
>> Calling wbinfo -t, net rpc testjoin, wbinfo -t on a machine joined to
>> a Windows domain gave an auth error - could not check secret. But
>> attempting to do the same when joined to a Samba domain inside a test
>> environment didn't appear to produce any errors.
>>
>> On your branch:
>> Calling wbinfo -t, net rpc testjoin, wbinfo -t on a machine joined to
>> a Windows domain appeared to work normally. In the Samba test
>> environment, no errors appeared either.
>>
>> The patch has clearly made a difference to joining a Windows domain,
>> which is great. It would be good to have something like that for
>> Samba to test though, any ideas?
>>
>>
>>
>> Garming Sam
>>
>
> Just added a test to demonstrate the current behaviour.
>
>
> Garming Sam
Decided to try running net rpc join to a DC running the last version of
Samba 3.5, 3.5.22. With Samba 4.1 and master, I got the following
message indicating a successful join.
4.1 and similarly master:
netr_LogonGetCapabilities: struct netr_LogonGetCapabilities
out: struct netr_LogonGetCapabilities
return_authenticator : *
return_authenticator: struct netr_Authenticator
cred: struct netr_Credential
data : 0000000000000000
timestamp : (time_t)0
capabilities : *
capabilities : union netr_Capabilities(case 1)
server_capabilities : 0x00000000 (0)
0: NETLOGON_NEG_ACCOUNT_LOCKOUT
0: NETLOGON_NEG_PERSISTENT_SAMREPL
0: NETLOGON_NEG_ARCFOUR
0: NETLOGON_NEG_PROMOTION_COUNT
0: NETLOGON_NEG_CHANGELOG_BDC
0: NETLOGON_NEG_FULL_SYNC_REPL
0: NETLOGON_NEG_MULTIPLE_SIDS
0: NETLOGON_NEG_REDO
0: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
0: NETLOGON_NEG_GENERIC_PASSTHROUGH
0: NETLOGON_NEG_CONCURRENT_RPC
0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
0: NETLOGON_NEG_STRONG_KEYS
0: NETLOGON_NEG_TRANSITIVE_TRUSTS
0: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
0: NETLOGON_NEG_PASSWORD_SET2
0: NETLOGON_NEG_GETDOMAININFO
0: NETLOGON_NEG_CROSS_FOREST_TRUSTS
0: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
0: NETLOGON_NEG_RODC_PASSTHROUGH
0: NETLOGON_NEG_SUPPORTS_AES_SHA2
0: NETLOGON_NEG_SUPPORTS_AES
0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
0: NETLOGON_NEG_AUTHENTICATED_RPC
result : NT_STATUS_NOT_IMPLEMENTED
We are checking against an old Samba version - NT_STATUS_NOT_IMPLEMENTED
cli_rpc_pipe_open_schannel_with_key: opened pipe \netlogon to machine
192.168.122.249 for domain S3 and bound using schannel.
Joined domain S3.
return code = 0
However, on the new branch, the join appears to fail.
Failure message on your branch:
garming at garming-pc:~/samba$ sudo bin/net rpc join -S 192.168.122.249 -Uroot%password12# -d1
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : '192.168.122.249'
machine_name : 'GARMING-PC'
domain_name : *
domain_name : 'S3'
account_ou : NULL
admin_account : ''
admin_domain : NULL
machine_password : NULL
join_flags : 0x000000c1 (193)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
1: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
1: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
0: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
../source3/rpc_client/cli_pipe.c:471: RPC fault code
DCERPC_NCA_S_OP_RNG_ERROR received from host 192.168.122.249!
No realm has been specified! Do you really want to join an Active
Directory server?
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'S3'
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : *
domain_sid :
S-1-5-21-1592316062-3819178106-2819773400
modified_config : 0x00 (0)
error_string : 'failed to join domain 'S3' over
rpc: Access denied'
domain_is_ad : 0x00 (0)
result : WERR_ACCESS_DENIED
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : '192.168.122.249'
machine_name : 'GARMING-PC'
domain_name : *
domain_name : 'S3'
account_ou : NULL
admin_account : 'root'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
secure_channel_type : SEC_CHAN_WKSTA (2)
../source3/rpc_client/cli_pipe.c:471: RPC fault code
DCERPC_NCA_S_OP_RNG_ERROR received from host 192.168.122.249!
No realm has been specified! Do you really want to join an Active
Directory server?
netlogon_creds_cli_check failed with NT_STATUS_NOT_IMPLEMENTED
libnet_join_ok: failed to open schannel session on netlogon pipe to
server 192.168.122.249 for domain S3. Error was NT_STATUS_NOT_IMPLEMENTED
libnet_Unjoin:
libnet_UnjoinCtx: struct libnet_UnjoinCtx
in: struct libnet_UnjoinCtx
dc_name : '192.168.122.249'
machine_name : 'GARMING-PC'
domain_name : 'S3'
account_ou : NULL
admin_account : 'root'
admin_domain : NULL
machine_password : NULL
unjoin_flags : 0x00000005 (5)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
0: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
delete_machine_account : 0x00 (0)
modify_config : 0x00 (0)
domain_sid : NULL
domain_sid : (NULL SID)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x00 (0)
libnet_Unjoin:
libnet_UnjoinCtx: struct libnet_UnjoinCtx
out: struct libnet_UnjoinCtx
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
modified_config : 0x00 (0)
error_string : NULL
disabled_machine_account : 0x01 (1)
deleted_machine_account : 0x00 (0)
result : WERR_OK
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'S3'
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : *
domain_sid :
S-1-5-21-1592316062-3819178106-2819773400
modified_config : 0x00 (0)
error_string : 'failed to verify domain
membership after joining: Not implemented'
domain_is_ad : 0x00 (0)
result : WERR_SETUP_NOT_JOINED
Failed to join domain: failed to verify domain membership after joining:
Not implemented
return code = -1
I ran a git bisect and found the culprit.
+ sudo bin/net rpc join -S 192.168.122.249 -Uroot%password12#
No realm has been specified! Do you really want to join an Active
Directory server?
netlogon_creds_cli_ServerPasswordSet failed: NT_STATUS_INVALID_PARAMETER_MIX
No realm has been specified! Do you really want to join an Active
Directory server?
netlogon_creds_cli_check failed with NT_STATUS_NOT_IMPLEMENTED
libnet_join_ok: failed to open schannel session on netlogon pipe to
server 192.168.122.249 for domain S3. Error was NT_STATUS_NOT_IMPLEMENTED
Failed to join domain: failed to verify domain membership after joining:
Not implemented
+ exit 1
7b77662322f741b8fe1d9e408073def55de6ff83 is the first bad commit
commit 7b77662322f741b8fe1d9e408073def55de6ff83
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jul 27 11:30:13 2013 +0200
s3:rpc_client: make use of the new netlogon_creds_cli_context
This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
and lets the secure channel session state be stored in node local
database.
This is the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599
Signed-off-by: Stefan Metzmacher <metze at samba.org>
:040000 040000 0c7c4c5bd36a69aa6acf9afbbdc5e9c7c181b58b
b6081aa2e5cf4e49d6eadc82e404e7c8bd53a1d8 M source3
bisect run success
From the commit message, it doesn't seem that this was expected. If it
is though, we should probably note it down somewhere. In any case, I
just wanted to let you know.
Cheers,
Garming Sam
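The failing step in the logs above is netlogon_creds_cli_check: after the schannel session is set up, the client calls netr_LogonGetCapabilities, and the Samba 3.5.22 DC answers the unknown opnum with a DCERPC_NCA_S_OP_RNG_ERROR fault, which the client maps to NT_STATUS_NOT_IMPLEMENTED. The model below is an added example written for this page, not Samba's netlogon_creds_cli_check() code and not code from anyone in the thread. The NETLOGON_NEG_* bits and NTSTATUS values are the public MS-NRPC and ntstatus.h constants; the DomainController class, the join_check() driver, the attacker knobs and the decision rule in check_capabilities() (tolerate NOT_IMPLEMENTED only when AES was not negotiated, otherwise treat it as a downgrade) are assumptions made for the example. It ignores session-key derivation and authenticators so the capability comparison can be shown in isolation.

```python
"""
Model of the post-schannel capability check a domain member runs after
netr_Authenticate3: call netr_LogonGetCapabilities, then compare the reply with
the flags the client believes it negotiated.  Added example, not Samba's code.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Negotiate-flag bits used here (MS-NRPC netr_Authenticate3 negotiate_flags).
NETLOGON_NEG_ARCFOUR = 0x00000004
NETLOGON_NEG_STRONG_KEYS = 0x00004000
NETLOGON_NEG_SUPPORTS_AES = 0x01000000
NETLOGON_NEG_AUTHENTICATED_RPC = 0x40000000

NT_STATUS_OK = 0x00000000
NT_STATUS_NOT_IMPLEMENTED = 0xC0000002


class Verdict(Enum):
    OK = "capabilities match negotiated flags"
    OLD_SERVER = "server predates LogonGetCapabilities; tolerated"
    DOWNGRADE = "downgrade detected"
    ERROR = "other RPC error"


class OpRngError(Exception):
    """Models the DCERPC_NCA_S_OP_RNG_ERROR fault: opnum unknown to the server."""


@dataclass
class DomainController:
    """Constructed DC model (assumption for this example).  knows_get_capabilities
    is False for a server such as the Samba 3.5.22 DC in the thread."""
    supported_flags: int
    knows_get_capabilities: bool

    def authenticate3(self, client_flags: int) -> int:
        # The server keeps only the bits both sides support.
        return client_flags & self.supported_flags

    def logon_get_capabilities(self, negotiated: int) -> int:
        if not self.knows_get_capabilities:
            raise OpRngError()  # the fault seen in the net rpc join -d1 output
        return negotiated       # a current server echoes the flags it negotiated


def call_get_capabilities(dc: DomainController, negotiated: int) -> Tuple[int, Optional[int]]:
    """Client-side RPC wrapper: maps the opnum-range fault to NT_STATUS_NOT_IMPLEMENTED,
    the same mapping visible in the thread's log lines."""
    try:
        return NT_STATUS_OK, dc.logon_get_capabilities(negotiated)
    except OpRngError:
        return NT_STATUS_NOT_IMPLEMENTED, None


def check_capabilities(negotiated: int, status: int, server_caps: Optional[int]) -> Verdict:
    """Decision rule (this example's own, not Samba's).  A server that negotiated AES
    must implement LogonGetCapabilities, so NOT_IMPLEMENTED with AES negotiated is
    treated as a downgrade; without AES it is just an old server.  A successful
    reply must echo the negotiated flags exactly."""
    if status == NT_STATUS_NOT_IMPLEMENTED:
        if negotiated & NETLOGON_NEG_SUPPORTS_AES:
            return Verdict.DOWNGRADE
        return Verdict.OLD_SERVER
    if status != NT_STATUS_OK:
        return Verdict.ERROR
    if server_caps != negotiated:
        return Verdict.DOWNGRADE
    return Verdict.OK


CLIENT_FLAGS = (NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_STRONG_KEYS
                | NETLOGON_NEG_SUPPORTS_AES | NETLOGON_NEG_AUTHENTICATED_RPC)


def join_check(dc: DomainController, strip_from_negotiation: int = 0,
               fault_get_capabilities: bool = False) -> Verdict:
    """Run the exchange end to end.  The two optional arguments model an attacker on
    the wire: clearing bits from the Authenticate3 reply the client sees, and turning
    the LogonGetCapabilities reply into an opnum fault."""
    server_view = dc.authenticate3(CLIENT_FLAGS)
    client_view = server_view & ~strip_from_negotiation
    if fault_get_capabilities:
        status, caps = NT_STATUS_NOT_IMPLEMENTED, None
    else:
        status, caps = call_get_capabilities(dc, server_view)
    return check_capabilities(client_view, status, caps)


# Constructed scenarios.
OLD_DC = DomainController(NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_STRONG_KEYS,
                          knows_get_capabilities=False)
MODERN_DC = DomainController(CLIENT_FLAGS, knows_get_capabilities=True)

if __name__ == "__main__":
    cases = [
        ("Samba 3.5-style DC", join_check(OLD_DC)),
        ("modern DC", join_check(MODERN_DC)),
        ("modern DC, AES stripped in transit",
         join_check(MODERN_DC, strip_from_negotiation=NETLOGON_NEG_SUPPORTS_AES)),
        ("modern DC, GetCapabilities faulted", join_check(MODERN_DC, fault_get_capabilities=True)),
        ("old DC, GetCapabilities faulted", join_check(OLD_DC, fault_get_capabilities=True)),
    ]
    for name, verdict in cases:
        print(f"{name:38s} -> {verdict.value}")
```

The point of tying the NOT_IMPLEMENTED exception to the negotiated flags is the last two scenarios: an old DC that never offered AES can be accepted without the capability check, but a DC that did negotiate AES and then "cannot" answer LogonGetCapabilities should fail the join rather than be treated as old, otherwise the compatibility path becomes the downgrade path.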