[Patches] winbindd improvements with anonymous and ntlmssp falbacks (bugs #11830 #12587 #12598)

Stefan Metzmacher metze at samba.org
Fri Feb 24 16:51:31 UTC 2017


Am 22.02.2017 um 23:27 schrieb Andrew Bartlett:
> On Wed, 2017-02-22 at 23:07 +0100, Stefan Metzmacher wrote:
>> Hi,
>>
>> here're some patches to fix bugs
>> https://bugzilla.samba.org/show_bug.cgi?id=12587
>> https://bugzilla.samba.org/show_bug.cgi?id=12598
>>
>> I'm currently running private autobuilds with them.
>> I also plan to do some more tests with real setups
>> tomorrow.
>>
>> So please have a look but not yet push.
> 
> This looks reasonable to me.
> 
> Is there any way we can test this automatically to ensure this is less
> fragile?

All tests seem to be ok with the following patchset,
it already has enough reviews and I'll push it shortly.

I'll think about possible ways to test this next way.

I also includes fixes for https://bugzilla.samba.org/show_bug.cgi?id=11830

metze
-------------- next part --------------
From dfe9b6ace8cd15cbb95c5927e880e48327baab49 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 24 Feb 2017 13:19:59 +0100
Subject: [PATCH 01/10] Revert "s3-winbind: Fix schannel connections against
 trusted domain DCs"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit d2379caa77fe02264323d69fee1bcad33f1bfeee.

This change doesn't solve the real problem, it just
causes useless network traffic and the following error:

rpccli_setup_netlogon_creds failed for W2012R2-L6, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT

While the old logic caused NT_STATUS_CANT_ACCESS_DOMAIN_INFO (without
network traffic) instead of the NT_STATUS_NO_TRUST_SAM_ACCOUNT.

A better fix will follow.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
---
 source3/winbindd/winbindd_cm.c | 16 +---------------
 1 file changed, 1 insertion(+), 15 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 41a0076..fc403e2 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -903,7 +903,6 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 	struct cli_credentials *creds;
 	NTSTATUS status;
 	bool force_machine_account = false;
-	bool ok;
 
 	/* If we are a DC and this is not our own domain */
 
@@ -948,13 +947,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 						   CRED_DONT_USE_KERBEROS);
 	}
 
-	/*
-	 * When we contact our own domain and get a list of the trusted domain
-	 * we have the information if we are able to contact the DC with
-	 * with our machine account password.
-	 */
-	ok = winbindd_can_contact_domain(domain);
-	if (!ok) {
+	if (creds_domain != domain) {
 		/*
 		 * We can only use schannel against a direct trust
 		 */
@@ -3246,8 +3239,6 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
 	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
 	if (sec_chan_type == SEC_CHAN_NULL) {
-		DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n",
-			    domain->name);
 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
 
@@ -3287,11 +3278,6 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 	conn->netlogon_flags = netlogon_creds->negotiate_flags;
 	TALLOC_FREE(netlogon_creds);
 
-	/*
-	 * FIXME: Document in which case we are not able to contact
-	 * a DC without schannel. Which information do we try to get
-	 * from this DC?
-	 */
 	if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
 		if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
 			result = NT_STATUS_DOWNGRADE_DETECTED;
-- 
1.9.1


From b3608c05009fcf33037f1964c6ed0542286442f4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 24 Feb 2017 10:37:32 +0000
Subject: [PATCH 02/10] s3:winbindd: try a NETLOGON connection with noauth over
 NCACN_NP against trusted domains.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We're using only NCACN_NP here as we rely on the smb signing restrictions
of cm_prepare_connection().

This should fix SMB authentication with a user of a domain
behind a transitive trust.

With this change winbindd is able to call
dcerpc_netr_DsrEnumerateDomainTrusts against the
dc of a trusted domain again. This only works
for two-way trusts.

The main problem is the usage of is_trusted_domain()
which doesn't know about the domain, if winbindd can't
enumerate the domains in the other forest.

is_trusted_domain() is used in make_user_info_map(),
which is called in auth3_check_password() before
auth_check_ntlm_password().

That means we're mapping the user of such a domain
to our own local sam, before calling our auth modules.

A much better fix, which removes the usage of is_trusted_domain()
in planed for master, but this should do the job for current releases.

We should avoid talking to DCs of other domains and always
go via our primary domain. As we should code with one-way trusts
also, we need to avoid relying on a complete list of
domains in future.

For now "wbinfo -m" lists domains behind a two-way transitive
trust again, but that is likely to change in future again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
---
 source3/winbindd/winbindd_cm.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index fc403e2..7516419 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3239,7 +3239,28 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
 	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
 	if (sec_chan_type == SEC_CHAN_NULL) {
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		if (transport == NCACN_IP_TCP) {
+			DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+				   " deny NCACN_IP_TCP and let the caller fallback to NCACN_NP.\n",
+				   domain->name);
+			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		}
+
+		DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+			   "fallback to noauth on NCACN_NP.\n",
+			   domain->name);
+
+		result = cli_rpc_pipe_open_noauth_transport(conn->cli,
+							    transport,
+							    &ndr_table_netlogon,
+							    &conn->netlogon_pipe);
+		if (!NT_STATUS_IS_OK(result)) {
+			invalidate_cm_connection(domain);
+			return result;
+		}
+
+		*cli = conn->netlogon_pipe;
+		return NT_STATUS_OK;
 	}
 
 	result = rpccli_create_netlogon_creds_with_creds(creds,
-- 
1.9.1


From 5431edacbc99eb92342e9f82a78094307bd21db9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 24 Feb 2017 16:02:50 +0100
Subject: [PATCH 03/10] auth/credentials: try to use kerberos with the machine
 account unless we're in an AD domain

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
---
 auth/credentials/credentials_secrets.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index d5a37cf..ed148fd 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -39,7 +39,7 @@
 #include "dbwrap/dbwrap.h"
 #include "dbwrap/dbwrap_open.h"
 #include "lib/util/util_tdb.h"
-
+#include "libds/common/roles.h"
 
 /**
  * Fill in credentials for the machine trust account, from the secrets database.
@@ -276,6 +276,8 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 	char *secrets_tdb_password = NULL;
 	char *secrets_tdb_old_password = NULL;
 	uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL;
+	int server_role = lpcfg_server_role(lp_ctx);
+	int security = lpcfg_security(lp_ctx);
 	char *keystr;
 	char *keystr_upper = NULL;
 	TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
@@ -354,13 +356,26 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 	}
 
 	if (secrets_tdb_password_more_recent) {
+		enum credentials_use_kerberos use_kerberos = CRED_DONT_USE_KERBEROS;
 		char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
 		cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
 		cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
 		cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
 		if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
 			cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
+
+			switch (server_role) {
+			case ROLE_DOMAIN_MEMBER:
+				if (security != SEC_ADS) {
+					break;
+				}
+				/* fall through */
+			case ROLE_ACTIVE_DIRECTORY_DC:
+				use_kerberos = CRED_AUTO_USE_KERBEROS;
+				break;
+			}
 		}
+		cli_credentials_set_kerberos_state(cred, use_kerberos);
 		cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
 		cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
 		cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
-- 
1.9.1


From 25d62ad2de4e0cfe8f10c5433eacafdd5043142e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Feb 2017 19:18:04 +0100
Subject: [PATCH 04/10] s3:winbindd: fix the valid usage anonymous smb
 authentication

If we are in a situation where we don't have credentials to contact the
remote domain or against an NT4 with the following settings:

  workgroup = NT4DOM
  security = domain
  require strong key = no
  client use spnego = no
  client ipc signing = auto

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
---
 source3/winbindd/winbindd_cm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 7516419..3a9ad10 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1107,6 +1107,10 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 		  machine_domain, machine_account,
 		  machine_principal, machine_realm));
 
+	if (cli_credentials_is_anonymous(creds)) {
+		goto anon_fallback;
+	}
+
 	winbindd_set_locator_kdc_envs(domain);
 
 	result = cli_session_setup_creds(*cli, creds);
@@ -1125,10 +1129,6 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 	    || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)
 	    || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE))
 	{
-		if (cli_credentials_is_anonymous(creds)) {
-			goto done;
-		}
-
 		if (!cm_is_ipc_credentials(creds)) {
 			goto ipc_fallback;
 		}
-- 
1.9.1


From 098273333488ab1df332ce076f2e3154ab503496 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Feb 2017 20:07:25 +0100
Subject: [PATCH 05/10] s3:passdb: use cli_credentials_set_kerberos_state() for
 trusts in pdb_get_trust_credentials()

Trust accounts can only use kerberos when contacting other AD domains,
using NTLMSSP will fail.

At the same time it doesn't make sense to try kerberos for NT4 domains,
still NTLMSSP will fail, but the callers has to deal with that
case and just fallback to an anonymous SMB connection.

In all cases we should be able to use NETLOGON SCHANNEL
over any anonymous smb or tcp transport.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
---
 source3/passdb/passdb.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 36aedad..64e05b3 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -2621,6 +2621,19 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
 			status = NT_STATUS_NO_MEMORY;
 			goto fail;
 		}
+
+		/*
+		 * It's not possible to use NTLMSSP with a domain trust account.
+		 */
+		cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
+	} else {
+		/*
+		 * We can't use kerberos against an NT4 domain.
+		 *
+		 * We should have a mode that also disallows NTLMSSP here,
+		 * as only NETLOGON SCHANNEL is possible.
+		 */
+		cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
 	}
 
 	ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
@@ -2635,6 +2648,10 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
 			status = NT_STATUS_NO_MEMORY;
 			goto fail;
 		}
+		/*
+		 * We currently can't do kerberos just with an NTHASH.
+		 */
+		cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
 		goto done;
 	}
 
-- 
1.9.1


From f9d6e7d87228e9d53c4ce3ddfebb728190bae1a6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 23 Feb 2017 11:54:21 +0100
Subject: [PATCH 06/10] s3:winbindd: add more debugging to
 cm_prepare_connection()

Any fallbacks to other authentication methods should be logged.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
---
 source3/winbindd/winbindd_cm.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 3a9ad10..9cef0d4 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1118,6 +1118,11 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 		goto session_setup_done;
 	}
 
+	DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n",
+		  controller,
+		  cli_credentials_get_unparsed_name(creds, talloc_tos()),
+		  nt_errstr(result)));
+
 	/*
 	 * If we are not going to validiate the conneciton
 	 * with SMB signing, then allow us to fall back to
@@ -1140,9 +1145,6 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 		goto anon_fallback;
 	}
 
-	DEBUG(4, ("authenticated session setup failed with %s\n",
-		nt_errstr(result)));
-
 	goto done;
 
  ipc_fallback:
@@ -1169,6 +1171,11 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 		goto session_setup_done;
 	}
 
+	DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n",
+		  controller,
+		  cli_credentials_get_unparsed_name(creds, talloc_tos()),
+		  nt_errstr(result)));
+
 	/*
 	 * If we are not going to validiate the conneciton
 	 * with SMB signing, then allow us to fall back to
@@ -1183,9 +1190,6 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 		goto anon_fallback;
 	}
 
-	DEBUG(4, ("authenticated session setup failed with %s\n",
-		nt_errstr(result)));
-
 	goto done;
 
  anon_fallback:
@@ -1196,7 +1200,7 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 	}
 
 	/* Fall back to anonymous connection, this might fail later */
-	DEBUG(10,("cm_prepare_connection: falling back to anonymous "
+	DEBUG(5,("cm_prepare_connection: falling back to anonymous "
 		"connection for DC %s\n",
 		controller ));
 
@@ -1206,6 +1210,9 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 		goto session_setup_done;
 	}
 
+	DEBUG(1, ("anonymous session setup to %s failed with %s\n",
+		  controller, nt_errstr(result)));
+
 	/* We can't session setup */
 	goto done;
 
@@ -1253,6 +1260,8 @@ static NTSTATUS cm_prepare_connection(struct winbindd_domain *domain,
 	}
 
 	if (!NT_STATUS_IS_OK(result)) {
+		DEBUG(1, ("Failed to prepare SMB connection to %s: %s\n",
+			  controller, nt_errstr(result)));
 		winbind_add_failed_connection_entry(domain, controller, result);
 		if ((*cli) != NULL) {
 			cli_shutdown(*cli);
-- 
1.9.1


From d7c04bc3a7f5969cce3cc94acd9487419f075e56 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Feb 2017 20:07:25 +0100
Subject: [PATCH 07/10] s3:winbindd: rely on the kerberos_state from
 pdb_get_trust_credentials()

The implementation of pdb_get_trust_credentials() should have all
the details to set the kerberos_state to a useful value.

This should enable the fallback to NTLMSSP again, when using our
machine account against trusted domains.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
---
 source3/winbindd/winbindd_cm.c | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 9cef0d4..c9890ac 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -936,17 +936,6 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
 		goto ipc_fallback;
 	}
 
-	if (domain->primary && lp_security() == SEC_ADS) {
-		cli_credentials_set_kerberos_state(creds,
-						   CRED_AUTO_USE_KERBEROS);
-	} else if (domain->active_directory) {
-		cli_credentials_set_kerberos_state(creds,
-						   CRED_MUST_USE_KERBEROS);
-	} else {
-		cli_credentials_set_kerberos_state(creds,
-						   CRED_DONT_USE_KERBEROS);
-	}
-
 	if (creds_domain != domain) {
 		/*
 		 * We can only use schannel against a direct trust
-- 
1.9.1


From 99f2086ac890e67206b837b5e683ad58c81456fe Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 23 Feb 2017 11:54:21 +0100
Subject: [PATCH 08/10] s3:libads: add more debugging to ads_sasl_spnego_bind()

Any fallbacks to other authentication methods should be logged.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
---
 source3/libads/sasl.c | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 39c60c3..8570788 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -703,6 +703,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 #ifdef HAVE_KRB5
 	bool got_kerberos_mechanism = False;
 #endif
+	const char *mech = NULL;
 
 	rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred);
 
@@ -749,6 +750,8 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
 	    got_kerberos_mechanism) 
 	{
+		mech = "KRB5";
+
 		if (ads->auth.password == NULL ||
 		    ads->auth.password[0] == '\0')
 		{
@@ -775,7 +778,11 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 							blob);
 			if (!ADS_ERR_OK(status)) {
 				DEBUG(0,("kinit succeeded but "
-					"ads_sasl_spnego_gensec_bind(KRB5) failed: %s\n",
+					"ads_sasl_spnego_gensec_bind(KRB5) failed "
+					"for %s/%s with user[%s] realm[%s]: %s\n",
+					p.service, p.hostname,
+					ads->auth.user_name,
+					ads->auth.realm,
 					ads_errstr(status)));
 			}
 		}
@@ -785,17 +792,34 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 		    !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
 			goto done;
 		}
+
+		DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
+			 "for %s/%s with user[%s] realm[%s]: %s, "
+			 "fallback to NTLMSSP\n",
+			 p.service, p.hostname,
+			 ads->auth.user_name,
+			 ads->auth.realm,
+			 ads_errstr(status)));
 	}
 #endif
 
 	/* lets do NTLMSSP ... this has the big advantage that we don't need
 	   to sync clocks, and we don't rely on special versions of the krb5 
 	   library for HMAC_MD4 encryption */
+	mech = "NTLMSSP";
 	status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
 					     CRED_DONT_USE_KERBEROS,
 					     p.service, p.hostname,
 					     data_blob_null);
 done:
+	if (!ADS_ERR_OK(status)) {
+		DEBUG(1,("ads_sasl_spnego_gensec_bind(%s) failed "
+			 "for %s/%s with user[%s] realm=[%s]: %s\n", mech,
+			  p.service, p.hostname,
+			  ads->auth.user_name,
+			  ads->auth.realm,
+			  ads_errstr(status)));
+	}
 	ads_free_service_principal(&p);
 	TALLOC_FREE(frame);
 	if (blob.data != NULL) {
-- 
1.9.1


From 25f4e603b63de5c9746bff8b1023e8672a98824b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Feb 2017 21:18:32 +0100
Subject: [PATCH 09/10] s3:winbindd: allow a fallback to NTLMSSP for LDAP
 connections

This matches the behaviour of pdb_get_trust_credentials() for
our machine account and allows us to fallback to NTLMSSP
when contacting trusted domains.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
---
 source3/winbindd/winbindd_ads.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 077c6ec..05ef2ec 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -120,6 +120,8 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
 	ads->auth.renewable = renewable;
 	ads->auth.password = password;
 
+	ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+
 	ads->auth.realm = SMB_STRDUP(auth_realm);
 	if (!strupper_m(ads->auth.realm)) {
 		ads_destroy(&ads);
-- 
1.9.1


From 93082d36c7072a4dc9d4cf87c5b66294f6482343 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 22 Feb 2017 21:29:50 +0100
Subject: [PATCH 10/10] s3:idmap_ad: make use of pdb_get_trust_credentials() to
 get the machine account creds

This is mostly a cosmetic change currently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
---
 source3/winbindd/idmap_ad.c | 36 +++++++++++++-----------------------
 1 file changed, 13 insertions(+), 23 deletions(-)

diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index f406392..5039e9b 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -22,7 +22,7 @@
 #include "idmap.h"
 #include "tldap_gensec_bind.h"
 #include "tldap_util.h"
-#include "secrets.h"
+#include "passdb.h"
 #include "lib/param/param.h"
 #include "utils/net.h"
 #include "auth/gensec/gensec.h"
@@ -249,7 +249,6 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 				       const char *domname,
 				       struct tldap_context **pld)
 {
-	struct db_context *db_ctx;
 	struct netr_DsRGetDCNameInfo *dcinfo;
 	struct sockaddr_storage dcaddr;
 	struct cli_credentials *creds;
@@ -300,11 +299,19 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	creds = cli_credentials_init(dcinfo);
-	if (creds == NULL) {
-		DBG_DEBUG("cli_credentials_init failed\n");
+	/*
+	 * Here we use or own machine account as
+	 * we run as domain member.
+	 */
+	status = pdb_get_trust_credentials(lp_workgroup(),
+					   lp_realm(),
+					   dcinfo,
+					   &creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		DBG_DEBUG("pdb_get_trust_credentials() failed - %s\n",
+			  nt_errstr(status));
 		TALLOC_FREE(dcinfo);
-		return NT_STATUS_NO_MEMORY;
+		return status;
 	}
 
 	lp_ctx = loadparm_init_s3(dcinfo, loadparm_s3_helpers());
@@ -314,23 +321,6 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	cli_credentials_set_conf(creds, lp_ctx);
-
-	db_ctx = secrets_db_ctx();
-	if (db_ctx == NULL) {
-		DBG_DEBUG("Failed to open secrets.tdb.\n");
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-
-	status = cli_credentials_set_machine_account_db_ctx(creds, lp_ctx,
-							    db_ctx);
-	if (!NT_STATUS_IS_OK(status)) {
-		DBG_DEBUG("cli_credentials_set_machine_account "
-			  "failed: %s\n", nt_errstr(status));
-		TALLOC_FREE(dcinfo);
-		return status;
-	}
-
 	rc = tldap_gensec_bind(ld, creds, "ldap", dcinfo->dc_unc, NULL, lp_ctx,
 			       GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
 	if (!TLDAP_RC_IS_SUCCESS(rc)) {
-- 
1.9.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170224/54a075f1/signature.sig>


More information about the samba-technical mailing list