[PATCHES] handle random UTF16MUNGED passwords and use SEC_CHAN_DNS_DOMAIN

Stefan (metze) Metzmacher metze at samba.org
Thu Dec 18 12:52:37 MST 2014


Hi,

Here are patches for https://bugzilla.samba.org/show_bug.cgi?id=11016
and more.

Please review and push.

Thanks!
metze
-------------- next part --------------
From 739c6b2635ce2ac972b29364a915ddf397d394a4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 17 Dec 2014 18:42:55 +0000
Subject: [PATCH 01/11] auth/gensec: make sure we keep a
 DCERPC_AUTH_TYPE_SCHANNEL backend if required

Even with CRED_MUST_USE_KERBEROS we should keep the DCERPC_AUTH_TYPE_SCHANNEL
backend around; this can only be specified explicitly by the caller,
and cli_credentials_get_netlogon_creds() != NULL is the strong indication
that the caller is using DCERPC_AUTH_TYPE_SCHANNEL *now*.

With trusts against AD domains we can reliably use kerberos and netlogon
secure channel for authentication.
---
 auth/gensec/gensec_start.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 9910f1a..955cc36 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -75,9 +75,13 @@ _PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX
 	const struct gensec_security_ops **new_gensec_list;
 	int i, j, num_mechs_in;
 	enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
+	bool keep_schannel = false;
 
 	if (creds) {
 		use_kerberos = cli_credentials_get_kerberos_state(creds);
+		if (cli_credentials_get_netlogon_creds(creds) != NULL) {
+			keep_schannel = true;
+		}
 	}
 
 	for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
@@ -103,6 +107,10 @@ _PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX
 			}
 		}
 
+		if (old_gensec_list[i]->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+			keep = keep_schannel;
+		}
+
 		switch (use_kerberos) {
 		case CRED_AUTO_USE_KERBEROS:
 			keep = true;
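Review bot: The override `keep = keep_schannel;` placed before `switch (use_kerberos)` only does what the commit message describes if every arm of the switch raises `keep` and never lowers it; only the CRED_AUTO_USE_KERBEROS arm is visible here, and the rest lies outside the hunk, so that ordering dependency should be written down. Suggest `/* Decided before the kerberos policy below, which only ever sets keep = true */` above the assignment, so a future arm that assigns `keep = false` does not silently drop the schannel backend. Note also that with keep_schannel false the backend is still retained under CRED_AUTO_USE_KERBEROS, so the new flag effectively gates only the forced-kerberos case. gensec_use_kerberos_mechs() starts and ends outside the hunk.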
-- 
1.9.1


From ba226835b3d722b92478f5b309f72dcb6aec4d42 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 16 Dec 2014 21:49:05 +0000
Subject: [PATCH 02/11] auth/gensec: add support for SEC_CHAN_DNS_DOMAIN to
 schannel_update()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/gensec/schannel.c | 27 ++++++++++-----------------
 1 file changed, 10 insertions(+), 17 deletions(-)

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index ee23e77..9b28c45 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -459,7 +459,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 		struct schannel_state);
 	NTSTATUS status;
 	enum ndr_err_code ndr_err;
-	struct NL_AUTH_MESSAGE bind_schannel;
+	struct NL_AUTH_MESSAGE bind_schannel = {};
 	struct NL_AUTH_MESSAGE bind_schannel_ack;
 	struct netlogon_creds_CredentialState *creds;
 	const char *workstation;
@@ -486,26 +486,19 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 		}
 
 		bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
-#if 0
-		/* to support this we'd need to have access to the full domain name */
-		/* 0x17, 23 */
-		bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
-				      NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
-				      NL_FLAG_UTF8_DNS_DOMAIN_NAME |
-				      NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
-		bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
-		bind_schannel.oem_netbios_computer.a = creds->computer_name;
-		bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
-		/* w2k3 refuses us if we use the full DNS workstation?
-		 why? perhaps because we don't fill in the dNSHostName
-		 attribute in the machine account? */
-		bind_schannel.utf8_netbios_computer = creds->computer_name;
-#else
+
 		bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
 				      NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
 		bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
 		bind_schannel.oem_netbios_computer.a = creds->computer_name;
-#endif
+
+		if (creds->secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
+			bind_schannel.Flags |= NL_FLAG_UTF8_DNS_DOMAIN_NAME;
+			bind_schannel.utf8_dns_domain.u = cli_credentials_get_realm(gensec_security->credentials);
+
+			bind_schannel.Flags |= NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
+			bind_schannel.utf8_netbios_computer.u = creds->computer_name;
+		}
 
 		ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
 					       (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
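Review bot: In the new SEC_CHAN_DNS_DOMAIN branch `bind_schannel.utf8_dns_domain.u` is assigned straight from cli_credentials_get_realm() without a NULL check; if that getter can return NULL for credentials built without a realm (not visible here), NL_FLAG_UTF8_DNS_DOMAIN_NAME would be advertised with an absent string and the NDR push would most likely fail with an unhelpful error. Suggest fetching the realm into a local first and returning NT_STATUS_INVALID_PARAMETER when it is NULL, e.g. `const char *realm = cli_credentials_get_realm(gensec_security->credentials); if (realm == NULL) { return NT_STATUS_INVALID_PARAMETER; }` inside the branch. The removed comment about w2k3 refusing the full DNS workstation name is worth carrying over in one line, since the new code still sends creds->computer_name in utf8_netbios_computer. schannel_update() starts and ends outside the hunk.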
-- 
1.9.1


From 10e546ee8ff1429d712049cf9f85ba593910148e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 16 Dec 2014 13:58:11 +0000
Subject: [PATCH 03/11] auth/credentials: add
 cli_credentials_set_utf16_password()

We need a way to initialize the cli_credentials from the raw utf16 blob,
which might not be completely valid utf16, which means the conversion
from CH_UTF16MUNGED to CH_UTF8 might lose information.

This would result in an invalid nt_hash, when we convert back
from CH_UTF8 to CH_UTF16LE.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/credentials/credentials.c      | 13 +++++----
 auth/credentials/credentials.h      |  3 ++
 auth/credentials/credentials_ntlm.c | 55 ++++++++++++++++++++++++++++++++++++-
 3 files changed, 65 insertions(+), 6 deletions(-)

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 78b5955..a9e4fc8 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -496,24 +496,27 @@ _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred,
 _PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
 							   TALLOC_CTX *mem_ctx)
 {
-	const char *password = cli_credentials_get_password(cred);
+	const char *password = NULL;
 
-	if (password) {
+	if (cred->nt_hash != NULL) {
 		struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
 		if (!nt_hash) {
 			return NULL;
 		}
 
-		E_md4hash(password, nt_hash->hash);    
+		*nt_hash = *cred->nt_hash;
 
 		return nt_hash;
-	} else if (cred->nt_hash != NULL) {
+	}
+
+	password = cli_credentials_get_password(cred);
+	if (password) {
 		struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
 		if (!nt_hash) {
 			return NULL;
 		}
 
-		*nt_hash = *cred->nt_hash;
+		E_md4hash(password, nt_hash->hash);
 
 		return nt_hash;
 	}
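Review bot: Reordering cli_credentials_get_nt_hash() so that a stored nt_hash now takes precedence over the password changes which value wins when both are set, so every setter that installs a new password must also reset cred->nt_hash, otherwise a later cli_credentials_set_password() with an equal or higher obtained level would keep returning the stale hash. cli_credentials_set_password() is not part of this patch; please confirm it clears cred->nt_hash, or add that reset. A one-line comment above the first branch would document the new precedence: `/* A stored nt_hash wins over the password: it may come from a raw UTF16 blob with no lossless UTF8 form */`. The end of the function (the final return) is outside the hunk.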
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 2da47d2..814f016 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -191,6 +191,9 @@ enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_creden
 time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred);
 void cli_credentials_set_kvno(struct cli_credentials *cred,
 			      int kvno);
+bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
+					const DATA_BLOB *password_utf16,
+					enum credentials_obtained obtained);
 bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
 				 const struct samr_Password *nt_hash, 
 				 enum credentials_obtained obtained);
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index 8c6be39..5e9aeed 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -214,7 +214,60 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
 	}
 	return NT_STATUS_OK;
 }
-	
+
+/*
+ * Set a utf16 password on the credentials context, including an indication
+ * of 'how' the password was obtained
+ *
+ * This is required because the nt_hash is calculated over the raw utf16 blob,
+ * which might not be completely valid utf16, which means the conversion
+ * from CH_UTF16MUNGED to CH_UTF8 might loose information.
+ */
+_PUBLIC_ bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
+						 const DATA_BLOB *password_utf16,
+						 enum credentials_obtained obtained)
+{
+	if (password_utf16 == NULL) {
+		return cli_credentials_set_password(cred, NULL, obtained);
+	}
+
+	if (obtained >= cred->password_obtained) {
+		struct samr_Password *nt_hash = NULL;
+		char *password_talloc = NULL;
+		size_t password_len = 0;
+		bool ok;
+
+		nt_hash = talloc(cred, struct samr_Password);
+		if (nt_hash == NULL) {
+			return false;
+		}
+
+		ok = convert_string_talloc(cred,
+					   CH_UTF16MUNGED, CH_UTF8,
+					   password_utf16->data,
+					   password_utf16->length,
+					   (void *)&password_talloc,
+					   &password_len);
+		if (!ok) {
+			TALLOC_FREE(nt_hash);
+			return false;
+		}
+
+		ok = cli_credentials_set_password(cred, password_talloc, obtained);
+		TALLOC_FREE(password_talloc);
+		if (!ok) {
+			TALLOC_FREE(nt_hash);
+			return false;
+		}
+
+		mdfour(nt_hash->hash, password_utf16->data, password_utf16->length);
+		cred->nt_hash = nt_hash;
+		return true;
+	}
+
+	return false;
+}
+
 _PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
 				 const struct samr_Password *nt_hash, 
 				 enum credentials_obtained obtained)
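Review bot: `password_talloc` holds the plaintext password in UTF-8 and is released with TALLOC_FREE(password_talloc) without being scrubbed, so the secret can linger in freed heap memory; wipe it before the free using whatever secret-clearing helper the tree provides (a plain memset may be optimised away), and treat the `nt_hash` buffer the same way on the two error paths. The new function comment says "might loose information"; it should read "lose". cli_credentials_set_nt_hash() at the bottom of the hunk continues outside it.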
-- 
1.9.1


From 1e303ae9936ec6763712fcb37152c8e51b164a9b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 17 Dec 2014 08:40:49 +0000
Subject: [PATCH 04/11] s3:cli_netlogon: add
 rpccli_{create,setup}_netlogon_creds_with_creds() helper functions

This simplifies the callers, which can then just pass in a cli_credentials structure.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/rpc_client/cli_netlogon.c | 54 +++++++++++++++++++++++++++++++++++++++
 source3/rpc_client/cli_netlogon.h | 11 ++++++++
 2 files changed, 65 insertions(+)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index a5ea02c..b08c10f 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -124,6 +124,32 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
 	return NT_STATUS_OK;
 }
 
+NTSTATUS rpccli_create_netlogon_creds_with_creds(struct cli_credentials *creds,
+						 const char *server_computer,
+						 struct messaging_context *msg_ctx,
+						 TALLOC_CTX *mem_ctx,
+						 struct netlogon_creds_cli_context **netlogon_creds)
+{
+	enum netr_SchannelType sec_chan_type;
+	const char *server_netbios_domain;
+	const char *client_account;
+
+	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
+	if (sec_chan_type == SEC_CHAN_NULL) {
+		return NT_STATUS_INVALID_PARAMETER_MIX;
+	}
+
+	client_account = cli_credentials_get_username(creds);
+	server_netbios_domain = cli_credentials_get_domain(creds);
+
+	return rpccli_create_netlogon_creds(server_computer,
+					    server_netbios_domain,
+					    client_account,
+					    sec_chan_type,
+					    msg_ctx, mem_ctx,
+					    netlogon_creds);
+}
+
 NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
 				     enum dcerpc_transport_t transport,
 				     struct netlogon_creds_cli_context *netlogon_creds,
@@ -195,6 +221,34 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
 	return NT_STATUS_OK;
 }
 
+NTSTATUS rpccli_setup_netlogon_creds_with_creds(struct cli_state *cli,
+						enum dcerpc_transport_t transport,
+						struct netlogon_creds_cli_context *netlogon_creds,
+						bool force_reauth,
+						struct cli_credentials *creds)
+{
+	struct samr_Password *current_nt_hash = NULL;
+	struct samr_Password *previous_nt_hash = NULL;
+	NTSTATUS status;
+
+	current_nt_hash = cli_credentials_get_nt_hash(creds, talloc_tos());
+	if (current_nt_hash == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = rpccli_setup_netlogon_creds(cli, transport,
+					     netlogon_creds,
+					     force_reauth,
+					     *current_nt_hash,
+					     previous_nt_hash);
+	TALLOC_FREE(current_nt_hash);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	return NT_STATUS_OK;
+}
+
 static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
 					uint16_t validation_level,
 					union netr_Validation *validation,
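Review bot: rpccli_setup_netlogon_creds_with_creds() always passes `previous_nt_hash` as NULL, so the previous-password fallback that rpccli_setup_netlogon_creds() supports is lost for callers going through this helper, even though cli_credentials carries an old password (cli_credentials_set_old_password() is visible in the credentials.c hunk of patch 03); either derive it from the old password or document the limitation: `/* No previous password hash: callers needing the old-hash fallback must use rpccli_setup_netlogon_creds() directly */`. The tail `if (!NT_STATUS_IS_OK(status)) { return status; } return NT_STATUS_OK;` collapses to `return status;`. The hash copy on talloc_tos() is freed without being wiped, as in the other new helpers.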
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index cc4033e..b04f3a2 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -25,6 +25,7 @@
 
 struct cli_state;
 struct messaging_context;
+struct cli_credentials;
 struct netlogon_creds_cli_context;
 struct dcerpc_binding_handle;
 #include "librpc/rpc/rpc_common.h"
@@ -39,12 +40,22 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
 				      struct messaging_context *msg_ctx,
 				      TALLOC_CTX *mem_ctx,
 				      struct netlogon_creds_cli_context **netlogon_creds);
+NTSTATUS rpccli_create_netlogon_creds_with_creds(struct cli_credentials *creds,
+						 const char *server_computer,
+						 struct messaging_context *msg_ctx,
+						 TALLOC_CTX *mem_ctx,
+						 struct netlogon_creds_cli_context **netlogon_creds);
 NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
 				     enum dcerpc_transport_t transport,
 				     struct netlogon_creds_cli_context *netlogon_creds,
 				     bool force_reauth,
 				     struct samr_Password current_nt_hash,
 				     const struct samr_Password *previous_nt_hash);
+NTSTATUS rpccli_setup_netlogon_creds_with_creds(struct cli_state *cli,
+						enum dcerpc_transport_t transport,
+						struct netlogon_creds_cli_context *netlogon_creds,
+						bool force_reauth,
+						struct cli_credentials *creds);
 NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
 					struct dcerpc_binding_handle *binding_handle,
 					TALLOC_CTX *mem_ctx,
-- 
1.9.1


From c8db3c0073bcb9627e0e00c54f6128f0155d3368 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 17 Dec 2014 09:19:49 +0000
Subject: [PATCH 05/11] s3:rpc_client: add
 cli_rpc_pipe_open_schannel_with_creds() helper function

This will simplify the callers and add potential support for SEC_CHAN_DNS_DOMAIN
as cli_credentials_get_realm() will return the correct value compared to
cli_credentials_get_domain().

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/rpc_client/cli_pipe.c | 86 +++++++++++++++++++++++++++++++++++++++++++
 source3/rpc_client/cli_pipe.h |  7 ++++
 2 files changed, 93 insertions(+)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index fcb8b61..db28306 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3210,6 +3210,92 @@ done:
 	return NT_STATUS_OK;
 }
 
+NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
+					       const struct ndr_interface_table *table,
+					       enum dcerpc_transport_t transport,
+					       struct cli_credentials *cli_creds,
+					       struct netlogon_creds_cli_context *netlogon_creds,
+					       struct rpc_pipe_client **_rpccli)
+{
+	struct rpc_pipe_client *rpccli;
+	struct pipe_auth_data *rpcauth;
+	const char *target_service = table->authservices->names[0];
+	struct netlogon_creds_CredentialState *ncreds = NULL;
+	enum dcerpc_AuthLevel auth_level;
+	NTSTATUS status;
+	int rpc_pipe_bind_dbglvl = 0;
+
+	status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	status = netlogon_creds_cli_lock(netlogon_creds, rpccli, &ncreds);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("netlogon_creds_cli_get returned %s\n",
+			  nt_errstr(status)));
+		TALLOC_FREE(rpccli);
+		return status;
+	}
+
+	auth_level = netlogon_creds_cli_auth_level(netlogon_creds);
+
+	cli_credentials_set_netlogon_creds(cli_creds, ncreds);
+
+	status = rpccli_generic_bind_data_from_creds(rpccli,
+						     DCERPC_AUTH_TYPE_SCHANNEL,
+						     auth_level,
+						     rpccli->desthost,
+						     target_service,
+						     cli_creds,
+						     &rpcauth);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("rpccli_generic_bind_data_from_creds returned %s\n",
+			  nt_errstr(status)));
+		TALLOC_FREE(rpccli);
+		return status;
+	}
+
+	status = rpc_pipe_bind(rpccli, rpcauth);
+	cli_credentials_set_netlogon_creds(cli_creds, NULL);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
+		rpc_pipe_bind_dbglvl = 1;
+		netlogon_creds_cli_delete(netlogon_creds, &ncreds);
+	}
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(rpc_pipe_bind_dbglvl,
+		      ("%s: rpc_pipe_bind failed with error %s\n",
+		       __func__, nt_errstr(status)));
+		TALLOC_FREE(rpccli);
+		return status;
+	}
+
+	TALLOC_FREE(ncreds);
+
+	if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
+		goto done;
+	}
+
+	status = netlogon_creds_cli_check(netlogon_creds,
+					  rpccli->binding_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("netlogon_creds_cli_check failed with %s\n",
+			  nt_errstr(status)));
+		TALLOC_FREE(rpccli);
+		return status;
+	}
+
+
+done:
+	DEBUG(10,("%s: opened pipe %s to machine %s "
+		  "for domain %s and bound using schannel.\n",
+		  __func__, table->name,
+		  rpccli->desthost, cli_credentials_get_domain(cli_creds)));
+
+	*_rpccli = rpccli;
+	return NT_STATUS_OK;
+}
+
 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
 			     struct rpc_pipe_client *cli,
 			     DATA_BLOB *session_key)
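Review bot: When rpccli_generic_bind_data_from_creds() fails, the function returns with `cli_creds` still holding the pointer installed by cli_credentials_set_netlogon_creds(cli_creds, ncreds), because the reset to NULL only runs after rpc_pipe_bind(); add `cli_credentials_set_netlogon_creds(cli_creds, NULL);` to that error path before `TALLOC_FREE(rpccli);` so the caller's credentials do not keep referencing creds state that is freed, or kept locked, along with rpccli. The DEBUG after the netlogon_creds_cli_lock() failure says `netlogon_creds_cli_get returned`, which will mislead log triage; name `netlogon_creds_cli_lock` there. The stray blank line before `done:` is a nit.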
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index 0c1e692..16946c5 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -106,6 +106,13 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 					     struct netlogon_creds_cli_context *netlogon_creds,
 					     struct rpc_pipe_client **presult);
 
+NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
+					       const struct ndr_interface_table *table,
+					       enum dcerpc_transport_t transport,
+					       struct cli_credentials *cli_creds,
+					       struct netlogon_creds_cli_context *netlogon_creds,
+					       struct rpc_pipe_client **_rpccli);
+
 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
 				    struct messaging_context *msg_ctx,
 				    const struct ndr_interface_table *table,
-- 
1.9.1


From 222c0288f9efbac0cf9e71ef4be29e59beb57c32 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 16 Dec 2014 23:17:52 +0000
Subject: [PATCH 06/11] s3:winbindd: make sure we try to use NCACN_IP_TCP in
 cm_connect_netlogon

We need to call init_dc_connection_rpc() before we can decide if we want to try
NCACN_IP_TCP.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_cm.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 4b01348..cb5bc11 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3264,6 +3264,11 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 {
 	NTSTATUS status;
 
+	status = init_dc_connection_rpc(domain, true);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
 	if (domain->active_directory && domain->can_do_ncacn_ip_tcp) {
 		status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
 		if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
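Review bot: The new init_dc_connection_rpc() call carries no comment saying why it must precede the `domain->active_directory && domain->can_do_ncacn_ip_tcp` test; the commit message says the decision depends on it, so a one-line comment would keep the call from being moved later: `/* Must run first: presumably fills in the domain flags tested below (can_do_ncacn_ip_tcp) */`. This also means cm_connect_netlogon_transport() calls init_dc_connection_rpc() a second time for the same domain (visible in the next patch); presumably cheap once connected, but worth confirming. cm_connect_netlogon() continues outside the hunk.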
-- 
1.9.1


From f3d3fd7022e59ea0e87a064ef5084d0ba27b1b09 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 16 Dec 2014 23:17:52 +0000
Subject: [PATCH 07/11] s3:winbindd: we only need a an netlogon connection to a
 rwdc if we're a rodc ourself

If we're a member or RWDC there's no need to require talking to a rwdc;
an rodc will forward the request if required.

TODO: even on a rodc we want to answer locally if the user credentials are
available..., this would be needed for a local wbinfo -a.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_cm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index cb5bc11..d396018 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3127,7 +3127,7 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
 	*cli = NULL;
 
-	result = init_dc_connection_rpc(domain, true);
+	result = init_dc_connection_rpc(domain, domain->rodc);
 	if (!NT_STATUS_IS_OK(result)) {
 		return result;
 	}
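Review bot: `init_dc_connection_rpc(domain, domain->rodc)` reads as "need a writable DC if the remote domain's DC is an RODC", whereas the commit message says the requirement is that we ourselves are an RODC; if `domain->rodc` really records the local role, a comment at this call (and at the identical one in the second hunk of this patch) would stop the next reader from inverting it: `/* domain->rodc: we are an RODC, so we must reach a writable DC */`. Please confirm which side of the trust the field describes. Both enclosing functions start outside their hunks.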
@@ -3264,7 +3264,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 {
 	NTSTATUS status;
 
-	status = init_dc_connection_rpc(domain, true);
+	status = init_dc_connection_rpc(domain, domain->rodc);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
-- 
1.9.1


From a493c1907f8366787dac5370c9edca26ed1e19ba Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 17 Dec 2014 08:48:38 +0000
Subject: [PATCH 08/11] s3:winbindd: make use of
 rpccli_{create,setup}_netlogon_creds_with_creds()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_cm.c | 32 +++++++++-----------------------
 1 file changed, 9 insertions(+), 23 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index d396018..1a3fe69 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3118,10 +3118,6 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 	struct winbindd_cm_conn *conn;
 	NTSTATUS result;
 	enum netr_SchannelType sec_chan_type;
-	const char *account_name;
-	const char *domain_name;
-	const struct samr_Password *current_nt_hash = NULL;
-	const struct samr_Password *previous_nt_hash = NULL;
 	struct netlogon_creds_CredentialState *netlogon_creds = NULL;
 	struct cli_credentials *creds = NULL;
 
@@ -3162,20 +3158,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 		goto no_schannel;
 	}
 
-	account_name = cli_credentials_get_username(creds);
-	domain_name = cli_credentials_get_domain(creds);
-	current_nt_hash = cli_credentials_get_nt_hash(creds, talloc_tos());
-	if (current_nt_hash == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	result = rpccli_create_netlogon_creds(domain->dcname,
-					      domain_name,
-					      account_name,
-					      sec_chan_type,
-					      msg_ctx,
-					      domain,
-					      &conn->netlogon_creds);
+	result = rpccli_create_netlogon_creds_with_creds(creds,
+							 domain->dcname,
+							 msg_ctx,
+							 domain,
+							 &conn->netlogon_creds);
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(1, ("rpccli_create_netlogon_creds failed for %s, "
 			  "unable to create NETLOGON credentials: %s\n",
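Review bot: The error message right after the new call still reads `rpccli_create_netlogon_creds failed for %s`, but the call is now rpccli_create_netlogon_creds_with_creds(); the same mismatch appears in the next hunk, where `rpccli_setup_netlogon_creds failed` follows rpccli_setup_netlogon_creds_with_creds(). Update both strings so log lines point at the code that actually ran. cm_connect_netlogon_transport() starts and ends outside the hunk.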
@@ -3183,11 +3170,10 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 		return result;
 	}
 
-	result = rpccli_setup_netlogon_creds(conn->cli, transport,
-					     conn->netlogon_creds,
-					     conn->netlogon_force_reauth,
-					     *current_nt_hash,
-					     previous_nt_hash);
+	result = rpccli_setup_netlogon_creds_with_creds(conn->cli, transport,
+						conn->netlogon_creds,
+						conn->netlogon_force_reauth,
+						creds);
 	conn->netlogon_force_reauth = false;
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(1, ("rpccli_setup_netlogon_creds failed for %s, "
-- 
1.9.1


From 84fac2e49f8af44430f3f03dcff160319ab14800 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 17 Dec 2014 13:05:45 +0000
Subject: [PATCH 09/11] s3:winbindd: make use of
 cli_rpc_pipe_open_schannel_with_creds()

This way we pass down enough information for SEC_CHAN_DNS_DOMAIN to work.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_cm.c | 57 +++++++++++++++++++++++++++++-------------
 1 file changed, 40 insertions(+), 17 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 1a3fe69..0a63369 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2701,7 +2701,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 
 	result = get_trust_credentials(domain, talloc_tos(), false, &creds);
 	if (!NT_STATUS_IS_OK(result)) {
-		DEBUG(10, ("cm_connect_sam: No no user available for "
+		DEBUG(10, ("cm_connect_sam: No user available for "
 			   "domain %s, trying schannel\n", domain->name));
 		goto schannel;
 	}
@@ -2767,9 +2767,17 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 			nt_errstr(status) ));
 		goto anonymous;
 	}
-	status = cli_rpc_pipe_open_schannel_with_key
+	TALLOC_FREE(creds);
+	result = get_trust_credentials(domain, talloc_tos(), true, &creds);
+	if (!NT_STATUS_IS_OK(result)) {
+		DEBUG(10, ("cm_connect_sam: No user available for "
+			   "domain %s (error %s), trying anon\n", domain->name,
+			   nt_errstr(result)));
+		goto anonymous;
+	}
+	status = cli_rpc_pipe_open_schannel_with_creds
 		(conn->cli, &ndr_table_samr, NCACN_NP,
-		 domain->name, p_creds, &conn->samr_pipe);
+		 creds, p_creds, &conn->samr_pipe);
 
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
@@ -2879,7 +2887,8 @@ static NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
 				   struct rpc_pipe_client **cli)
 {
 	struct winbindd_cm_conn *conn;
-	struct netlogon_creds_cli_context *creds;
+	struct netlogon_creds_cli_context *p_creds = NULL;
+	struct cli_credentials *creds = NULL;
 	NTSTATUS status;
 
 	DEBUG(10,("cm_connect_lsa_tcp\n"));
@@ -2900,17 +2909,22 @@ static NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
 
 	TALLOC_FREE(conn->lsa_pipe_tcp);
 
-	status = cm_get_schannel_creds(domain, &creds);
+	status = cm_get_schannel_creds(domain, &p_creds);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto done;
 	}
 
-	status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
-						     &ndr_table_lsarpc,
-						     NCACN_IP_TCP,
-						     domain->name,
-						     creds,
-						     &conn->lsa_pipe_tcp);
+	status = get_trust_credentials(domain, talloc_tos(), true, &creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+
+	status = cli_rpc_pipe_open_schannel_with_creds(conn->cli,
+						       &ndr_table_lsarpc,
+						       NCACN_IP_TCP,
+						       creds,
+						       p_creds,
+						       &conn->lsa_pipe_tcp);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
 			nt_errstr(status)));
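Review bot: The failure message below the new call still says `cli_rpc_pipe_open_schannel_with_key failed`, but the call is now cli_rpc_pipe_open_schannel_with_creds(); change the string so the log names the function that ran. Also, `creds` from get_trust_credentials(domain, talloc_tos(), true, &creds) is not freed on any path in this hunk, which is fine only if cm_connect_lsa_tcp() runs under its own stackframe, which is not visible here. The function starts and ends outside the hunk.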
@@ -2950,7 +2964,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 
 	result = get_trust_credentials(domain, talloc_tos(), false, &creds);
 	if (!NT_STATUS_IS_OK(result)) {
-		DEBUG(10, ("cm_connect_sam: No no user available for "
+		DEBUG(10, ("cm_connect_lsa: No user available for "
 			   "domain %s, trying schannel\n", domain->name));
 		goto schannel;
 	}
@@ -3009,9 +3023,18 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 			nt_errstr(result) ));
 		goto anonymous;
 	}
-	result = cli_rpc_pipe_open_schannel_with_key
+
+	TALLOC_FREE(creds);
+	result = get_trust_credentials(domain, talloc_tos(), true, &creds);
+	if (!NT_STATUS_IS_OK(result)) {
+		DEBUG(10, ("cm_connect_lsa: No user available for "
+			   "domain %s (error %s), trying anon\n", domain->name,
+			   nt_errstr(result)));
+		goto anonymous;
+	}
+	result = cli_rpc_pipe_open_schannel_with_creds
 		(conn->cli, &ndr_table_lsarpc, NCACN_NP,
-		 domain->name, p_creds, &conn->lsa_pipe);
+		 creds, p_creds, &conn->lsa_pipe);
 
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
@@ -3141,7 +3164,7 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
 	result = get_trust_credentials(domain, talloc_tos(), true, &creds);
 	if (!NT_STATUS_IS_OK(result)) {
-		DEBUG(10, ("cm_connect_sam: No no user available for "
+		DEBUG(10, ("cm_connect_sam: No user available for "
 			   "domain %s when trying schannel\n", domain->name));
 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
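Review bot: The message fixed here still carries the wrong prefix: this hunk is in cm_connect_netlogon_transport() (see the hunk header), yet the string says `cm_connect_sam: No user available for`; since the line is being touched anyway, make it `"cm_connect_netlogon_transport: No user available for "` so log output points at the right function. The analogous correction was made for cm_connect_lsa earlier in this patch.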
@@ -3224,9 +3247,9 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 	   part of the new pipe auth struct.
 	*/
 
-	result = cli_rpc_pipe_open_schannel_with_key(
+	result = cli_rpc_pipe_open_schannel_with_creds(
 		conn->cli, &ndr_table_netlogon, transport,
-		domain->name,
+		creds,
 		conn->netlogon_creds,
 		&conn->netlogon_pipe);
 	if (!NT_STATUS_IS_OK(result)) {
-- 
1.9.1


From 87a125ea98e85c376e3611a23bd224a873f7601f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 16 Dec 2014 15:06:56 +0000
Subject: [PATCH 10/11] s3:pdb_samba_dsdb: add
 pdb_samba_dsdb_get_trusteddom_creds

We have the password as raw UTF16 blob, which might not be
valid utf16, so we need to use cli_credentials_set_utf16_password().

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/passdb/pdb_samba_dsdb.c | 234 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 233 insertions(+), 1 deletion(-)

diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
index 5fa2c2f..9f9a5a9 100644
--- a/source3/passdb/pdb_samba_dsdb.c
+++ b/source3/passdb/pdb_samba_dsdb.c
@@ -38,6 +38,7 @@
 #include "source4/dsdb/common/util.h"
 #include "source3/include/secrets.h"
 #include "source4/auth/auth_sam.h"
+#include "auth/credentials/credentials.h"
 
 struct pdb_samba_dsdb_state {
 	struct tevent_context *ev;
@@ -2131,6 +2132,7 @@ static bool pdb_samba_dsdb_get_trusteddom_pw(struct pdb_methods *m,
 	TALLOC_CTX *tmp_ctx = talloc_stackframe();
 	const char * const attrs[] = {
 		"securityIdentifier",
+		"flatName",
 		"trustPartner",
 		"trustAuthOutgoing",
 		"whenCreated",
@@ -2152,6 +2154,7 @@ static bool pdb_samba_dsdb_get_trusteddom_pw(struct pdb_methods *m,
 	size_t password_len;
 	enum ndr_err_code ndr_err;
 	NTSTATUS status;
+	const char *netbios_domain = NULL;
 
 	status = sam_get_results_trust(state->ldb, tmp_ctx, domain,
 				       NULL, attrs, &msg);
@@ -2166,6 +2169,14 @@ static bool pdb_samba_dsdb_get_trusteddom_pw(struct pdb_methods *m,
 		return false;
 	}
 
+	netbios_domain = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
+	if (netbios_domain == NULL) {
+		DEBUG(2, ("Trusted domain %s has to flatName defined.\n",
+			  domain));
+		TALLOC_FREE(tmp_ctx);
+		return false;
+	}
+
 	trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
 	if (!(trust_direction_flags & LSA_TRUST_DIRECTION_OUTBOUND)) {
 		DEBUG(2, ("Trusted domain %s is is not an outbound trust.\n",
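Review bot: The new log string `Trusted domain %s has to flatName defined.` looks like a typo for "has no flatName defined"; the same string is repeated in the new pdb_samba_dsdb_get_trusteddom_creds() later in this patch, so fix both: `DEBUG(2, ("Trusted domain %s has no flatName defined.\n", domain));`. Returning false here also turns a missing flatName into "not a trusted domain" for callers of pdb_samba_dsdb_get_trusteddom_pw(), so a comment stating why flatName is now mandatory (presumably the NetBIOS name is consumed by code outside this hunk) would help. pdb_samba_dsdb_get_trusteddom_pw() starts and ends outside the hunk.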
@@ -2230,7 +2241,7 @@ static bool pdb_samba_dsdb_get_trusteddom_pw(struct pdb_methods *m,
 	 * utf8.
 	 */
 	if (!convert_string_talloc(tmp_ctx,
-				   CH_UTF16, CH_UTF8,
+				   CH_UTF16MUNGED, CH_UTF8,
 				   password_utf16.data, password_utf16.length,
 				   (void *)&password_talloc,
 				   &password_len)) {
@@ -2249,6 +2260,226 @@ static bool pdb_samba_dsdb_get_trusteddom_pw(struct pdb_methods *m,
 	return true;
 }
 
+static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
+						    const char *domain,
+						    TALLOC_CTX *mem_ctx,
+						    struct cli_credentials **_creds)
+{
+	struct pdb_samba_dsdb_state *state = talloc_get_type_abort(
+		m->private_data, struct pdb_samba_dsdb_state);
+	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+	const char * const attrs[] = {
+		"securityIdentifier",
+		"flatName",
+		"trustPartner",
+		"trustAuthOutgoing",
+		"whenCreated",
+		"msDS-SupportedEncryptionTypes",
+		"trustAttributes",
+		"trustDirection",
+		"trustType",
+		NULL
+	};
+	struct ldb_message *msg;
+	const struct ldb_val *password_val;
+	int trust_direction_flags;
+	int trust_type;
+	int i;
+	DATA_BLOB password_utf16 = {};
+	DATA_BLOB password_nt = {};
+	struct trustAuthInOutBlob password_blob;
+	struct AuthenticationInformationArray *auth_array = NULL;
+	enum ndr_err_code ndr_err;
+	NTSTATUS status;
+	time_t last_set_time = 0;
+	struct loadparm_context *lp_ctx = NULL;
+	struct cli_credentials *creds = NULL;
+	bool ok;
+	const char *my_netbios_name = NULL;
+	const char *my_netbios_domain = NULL;
+	const char *netbios_domain = NULL;
+	char *account_name = NULL;
+	const char *dns_domain = NULL;
+
+	status = sam_get_results_trust(state->ldb, tmp_ctx, domain,
+				       NULL, attrs, &msg);
+	if (!NT_STATUS_IS_OK(status)) {
+		/*
+		 * This can be called to work out of a domain is
+		 * trusted, rather than just to get the password
+		 */
+		DEBUG(2, ("Failed to get trusted domain password for %s.  "
+			  "It may not be a trusted domain.\n", domain));
+		TALLOC_FREE(tmp_ctx);
+		return status;
+	}
+
+	netbios_domain = ldb_msg_find_attr_as_string(msg, "flatName", NULL);
+	if (netbios_domain == NULL) {
+		DEBUG(2, ("Trusted domain %s has to flatName defined.\n",
+			  domain));
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+
+	dns_domain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
+
+	trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
+	if (!(trust_direction_flags & LSA_TRUST_DIRECTION_OUTBOUND)) {
+		DEBUG(2, ("Trusted domain %s is is not an outbound trust.\n",
+			  domain));
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+
+	trust_type = ldb_msg_find_attr_as_int(msg, "trustType", 0);
+	if (trust_type == LSA_TRUST_TYPE_MIT) {
+		DEBUG(1, ("Trusted domain %s is is not an AD trust "
+			  "(trustType == LSA_TRUST_TYPE_MIT).\n",
+			  domain));
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+
+	password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
+	if (password_val == NULL) {
+		DEBUG(2, ("Failed to get trusted domain password for %s, "
+			  "attribute trustAuthOutgoing not returned.\n", domain));
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+
+	ndr_err = ndr_pull_struct_blob(password_val, tmp_ctx, &password_blob,
+				(ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		DEBUG(0, ("Failed to get trusted domain password for %s, "
+			  "attribute trustAuthOutgoing coult not be parsed %s.\n",
+			  domain,
+			  ndr_map_error2string(ndr_err)));
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+
+	auth_array = &password_blob.current;
+
+	for (i=0; i < auth_array->count; i++) {
+		if (auth_array->array[i].AuthType == TRUST_AUTH_TYPE_CLEAR) {
+			last_set_time = nt_time_to_unix(auth_array->array[i].LastUpdateTime);
+
+			password_utf16 = data_blob_const(auth_array->array[i].AuthInfo.clear.password,
+							 auth_array->array[i].AuthInfo.clear.size);
+			password_nt = data_blob_null;
+			break;
+		}
+
+		if (auth_array->array[i].AuthType == TRUST_AUTH_TYPE_NT4OWF) {
+			last_set_time = nt_time_to_unix(auth_array->array[i].LastUpdateTime);
+
+			password_nt = data_blob_const(auth_array->array[i].AuthInfo.clear.password,
+						      auth_array->array[i].AuthInfo.clear.size);
+		}
+	}
+
+	if (password_utf16.length == 0 && password_nt.length == 0) {
+		DEBUG(0, ("Trusted domain %s does not have a "
+			  "clear-text nor nt password stored\n",
+			  domain));
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+
+	lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_helpers());
+	if (lp_ctx == NULL) {
+		DEBUG(1, ("loadparm_init_s3 failed\n"));
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;;
+	}
+
+	my_netbios_name = lpcfg_netbios_name(lp_ctx);
+	my_netbios_domain = lpcfg_workgroup(lp_ctx);
+
+	creds = cli_credentials_init(tmp_ctx);
+	if (creds == NULL) {
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	ok = cli_credentials_set_workstation(creds, my_netbios_name, CRED_SPECIFIED);
+	if (!ok) {
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
+	if (!ok) {
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+	ok = cli_credentials_set_realm(creds, dns_domain, CRED_SPECIFIED);
+	if (!ok) {
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	cli_credentials_set_secure_channel_type(creds, SEC_CHAN_DOMAIN);
+
+	account_name = talloc_asprintf(tmp_ctx, "%s$", my_netbios_domain);
+	if (account_name == NULL) {
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
+	if (!ok) {
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (password_nt.length == 16) {
+		struct samr_Password nt_hash;
+
+		memcpy(nt_hash.hash, password_nt.data, 16);
+
+		ok = cli_credentials_set_nt_hash(creds, &nt_hash,
+						 CRED_SPECIFIED);
+		ZERO_STRUCT(nt_hash);
+		if (!ok) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	if (password_utf16.length > 0) {
+		ok = cli_credentials_set_utf16_password(creds,
+							&password_utf16,
+							CRED_SPECIFIED);
+		if (!ok) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	cli_credentials_set_password_last_changed_time(creds, last_set_time);
+
+	if (password_utf16.length > 0 && dns_domain != NULL) {
+		/*
+		 * Force kerberos if this is an active directory domain
+		 */
+		cli_credentials_set_kerberos_state(creds,
+						   CRED_MUST_USE_KERBEROS);
+	} else  {
+		/*
+		 * TODO: we should allow krb5 with the raw nt hash.
+		 */
+		cli_credentials_set_kerberos_state(creds,
+						   CRED_DONT_USE_KERBEROS);
+	}
+
+	*_creds = talloc_move(mem_ctx, &creds);
+	TALLOC_FREE(tmp_ctx);
+	return NT_STATUS_OK;
+}
+
 static bool pdb_samba_dsdb_set_trusteddom_pw(struct pdb_methods *m,
 				      const char* domain, const char* pwd,
 				      const struct dom_sid *sid)
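Review bot: In the NT4OWF branch of the auth_array loop (the second `if` inside the `for`), the hash is read through `AuthInfo.clear.password` / `AuthInfo.clear.size`, the union member of the CLEAR case; unless the union layout is meant to alias here, this should read the NT4OWF member, presumably `password_nt = data_blob_const(auth_array->array[i].AuthInfo.nt4owf.password.hash, 16);`. The later `if (password_nt.length == 16)` silently skips a blob of any other length, so a record whose only entry is a malformed NT4OWF value passes the `length == 0` check and yields credentials with no secret set; adding `if (password_nt.length != 0 && password_nt.length != 16) { TALLOC_FREE(tmp_ctx); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; }` after the loop makes that an explicit failure. The pulled trustAuthOutgoing blob in tmp_ctx holds the clear-text trust password and is released by TALLOC_FREE without being scrubbed, while nt_hash is cleared with ZERO_STRUCT; consider clearing the password bytes the same way before the free. Smaller points in the same hunk: `return NT_STATUS_NO_MEMORY;;` after the loadparm_init_s3 check has a stray semicolon, and the messages `has to flatName defined`, `is is not` and `coult not be parsed` carry typos (the first two are copied from pdb_samba_dsdb_get_trusteddom_pw). The secure-channel and account-name setup in this hunk is rewritten by patch 11 below, so the fixes above apply on top of that.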
@@ -2329,6 +2560,7 @@ static void pdb_samba_dsdb_init_methods(struct pdb_methods *m)
 	m->capabilities = pdb_samba_dsdb_capabilities;
 	m->new_rid = pdb_samba_dsdb_new_rid;
 	m->get_trusteddom_pw = pdb_samba_dsdb_get_trusteddom_pw;
+	m->get_trusteddom_creds = pdb_samba_dsdb_get_trusteddom_creds;
 	m->set_trusteddom_pw = pdb_samba_dsdb_set_trusteddom_pw;
 	m->del_trusteddom_pw = pdb_samba_dsdb_del_trusteddom_pw;
 	m->enum_trusteddoms = pdb_samba_dsdb_enum_trusteddoms;
-- 
1.9.1


From f2c0a7497ac66f243d3e8ba9e704193381a82eeb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 16 Dec 2014 15:57:49 +0000
Subject: [PATCH 11/11] s3:pdb_samba_dsdb: use SEC_CHAN_DNS_DOMAIN in
 pdb_samba_dsdb_get_trusteddom_creds()

If both ends have a dns domain, we can use SEC_CHAN_DNS_DOMAIN in order to match
a Windows DC.

For kerberos we still need to use MY_NETBIOS_DOMAIN$@REMOTE_REALM.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/passdb/pdb_samba_dsdb.c | 39 +++++++++++++++++++++++++++++++++------
 1 file changed, 33 insertions(+), 6 deletions(-)

diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
index 9f9a5a9..bd3926a 100644
--- a/source3/passdb/pdb_samba_dsdb.c
+++ b/source3/passdb/pdb_samba_dsdb.c
@@ -2297,8 +2297,10 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
 	bool ok;
 	const char *my_netbios_name = NULL;
 	const char *my_netbios_domain = NULL;
+	const char *my_dns_domain = NULL;
 	const char *netbios_domain = NULL;
 	char *account_name = NULL;
+	char *principal_name = NULL;
 	const char *dns_domain = NULL;
 
 	status = sam_get_results_trust(state->ldb, tmp_ctx, domain,
@@ -2397,6 +2399,7 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
 
 	my_netbios_name = lpcfg_netbios_name(lp_ctx);
 	my_netbios_domain = lpcfg_workgroup(lp_ctx);
+	my_dns_domain = lpcfg_dnsdomain(lp_ctx);
 
 	creds = cli_credentials_init(tmp_ctx);
 	if (creds == NULL) {
@@ -2421,12 +2424,27 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	cli_credentials_set_secure_channel_type(creds, SEC_CHAN_DOMAIN);
-
-	account_name = talloc_asprintf(tmp_ctx, "%s$", my_netbios_domain);
-	if (account_name == NULL) {
-		TALLOC_FREE(tmp_ctx);
-		return NT_STATUS_NO_MEMORY;
+	if (my_dns_domain != NULL && dns_domain != NULL) {
+		cli_credentials_set_secure_channel_type(creds, SEC_CHAN_DNS_DOMAIN);
+		account_name = talloc_asprintf(tmp_ctx, "%s.", my_dns_domain);
+		if (account_name == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+		principal_name = talloc_asprintf(tmp_ctx, "%s$@%s", my_netbios_domain,
+						 cli_credentials_get_realm(creds));
+		if (principal_name == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+	} else {
+		cli_credentials_set_secure_channel_type(creds, SEC_CHAN_DOMAIN);
+		account_name = talloc_asprintf(tmp_ctx, "%s$", my_netbios_domain);
+		if (account_name == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+		principal_name = NULL;
 	}
 
 	ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
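Review bot: The new branch selects SEC_CHAN_DNS_DOMAIN on `my_dns_domain != NULL`, but whether lpcfg_dnsdomain() returns NULL rather than an empty string when no realm is configured is not visible here; if it can be `""`, the account name becomes `"."` and a DC without a realm would still take the DNS channel. A guard such as `if (my_dns_domain != NULL && my_dns_domain[0] != '\0' && dns_domain != NULL && dns_domain[0] != '\0') {` covers both sides (dns_domain comes from the optional trustPartner attribute read earlier in the function, outside this hunk). `principal_name = NULL;` in the else branch repeats the declaration's initializer and can be dropped. The function continues outside the hunk on both sides.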
@@ -2435,6 +2453,15 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	if (principal_name != NULL) {
+		ok = cli_credentials_set_principal(creds, principal_name,
+						   CRED_SPECIFIED);
+		if (!ok) {
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
 	if (password_nt.length == 16) {
 		struct samr_Password nt_hash;
 
-- 
1.9.1

