[PATCH] Ask local netlogon pipe on an AD DC

Volker Lendecke vl at samba.org
Wed Mar 1 13:03:14 UTC 2017


Hi!

Review appreciated!

Thanks, Volker
-------------- next part --------------
>From 87b26f8cc70abe472d92df59c408c095d13a6f6c Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 1 Mar 2017 13:53:39 +0100
Subject: [PATCH 1/3] rpc_client3: Fix some crashes for NULL cli_state in
 cli_pipe

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/rpc_client/cli_netlogon.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 634c78b..9f1d952 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -174,7 +174,7 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
 		DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
 			 __FUNCTION__, action,
 			 creds->account_name, creds->computer_name,
-			 smbXcli_conn_remote_name(cli->conn)));
+			 cli ? smbXcli_conn_remote_name(cli->conn) : "local"));
 		if (!force_reauth) {
 			TALLOC_FREE(frame);
 			return NT_STATUS_OK;
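Review bot: The expression `cli ? smbXcli_conn_remote_name(cli->conn) : "local"` is now repeated in all three DEBUG calls of rpccli_setup_netlogon_creds (this hunk and the ones at -189 and -215). Computing it once near the top of the function, `const char *remote_name = cli ? smbXcli_conn_remote_name(cli->conn) : "local";`, would keep the three messages in sync and leave a single place for the NULL check. Most of the function body lies outside these hunks, so whether `cli` is dereferenced elsewhere on the NULL path cannot be checked from here and should be confirmed. A short comment such as `/* cli == NULL: no SMB connection, caller talks to a local endpoint */` would also tell log readers where the literal "local" comes from.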
@@ -189,7 +189,7 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
 			 __FUNCTION__,
-			 smbXcli_conn_remote_name(cli->conn),
+			 cli ? smbXcli_conn_remote_name(cli->conn) : "local",
 			 nt_errstr(status)));
 		TALLOC_FREE(frame);
 		return status;
@@ -215,7 +215,7 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
 	DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
 		 __FUNCTION__,
 		 creds->account_name, creds->computer_name,
-		 smbXcli_conn_remote_name(cli->conn)));
+		 cli ? smbXcli_conn_remote_name(cli->conn) : "local"));
 
 	TALLOC_FREE(frame);
 	return NT_STATUS_OK;
-- 
2.1.4


>From 4d13fb566434f2f59a7643c509f38e635b169b76 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 1 Mar 2017 13:54:53 +0100
Subject: [PATCH 2/3] rpc_client3: Allow to connect to local unix socket

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/rpc_client/cli_pipe.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 14f7fbc..176345e 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3057,6 +3057,26 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
 					 table, presult);
 	case NCACN_NP:
 		return rpc_pipe_open_np(cli, table, presult);
+	case NCACN_UNIX_STREAM: {
+		char *socket_path;
+		NTSTATUS status;
+
+		socket_path = talloc_asprintf(talloc_tos(), "%s/DEFAULT",
+					      lp_ncalrpc_dir());
+		if (socket_path == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		status = rpc_pipe_open_ncalrpc(
+			NULL, socket_path, table, presult);
+
+		DBG_DEBUG("rpc_pipe_open_ncalrpc(%s) returned %s\n",
+			  socket_path, nt_errstr(status));
+
+		TALLOC_FREE(socket_path);
+
+		return status;
+	}
 	default:
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
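Review bot: The new `NCACN_UNIX_STREAM` case never uses `cli` and passes `NULL` as the first argument of `rpc_pipe_open_ncalrpc()`, and neither choice is explained at the call site. Nothing in the hunk checks who is listening on `<lp_ncalrpc_dir()>/DEFAULT`, so the trust placed in this endpoint presumably rests on the ownership and mode of that directory. That assumption deserves to be written down, for example `/* cli is unused and may be NULL here; the peer is the local ncalrpc socket, trusted only via the permissions on lp_ncalrpc_dir() */`. If the `NULL` is a talloc parent, as it appears to be, a second comment should say who owns and frees `*presult`. cli_rpc_pipe_open starts and ends outside the hunk.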
-- 
2.1.4


>From 63d187821210bb6533db8f43e76a7b6fec27ab7a Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Wed, 1 Mar 2017 13:56:19 +0100
Subject: [PATCH 3/3] winbind3: On a AD DC, ask the local netlogon pipe for
 local auth

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/winbindd/winbindd_cm.c  | 10 ++++++++++
 source3/winbindd/winbindd_pam.c |  5 +++++
 2 files changed, 15 insertions(+)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 3df4af3..64fda34 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3357,6 +3357,16 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 		return status;
 	}
 
+	if (domain->primary && !domain->rodc &&
+	    (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC)) {
+		if (domain->dcname == NULL) {
+			domain->dcname = talloc_strdup(
+				domain, lp_netbios_name());
+		}
+		return cm_connect_netlogon_transport(
+			domain, NCACN_UNIX_STREAM, cli);
+	}
+
 	if (domain->active_directory && domain->can_do_ncacn_ip_tcp) {
 		status = cm_connect_netlogon_transport(domain, NCACN_IP_TCP, cli);
 		if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
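Review bot: The result of `talloc_strdup(domain, lp_netbios_name())` is not checked, so on allocation failure `domain->dcname` stays NULL and the code still goes on to `cm_connect_netlogon_transport()`. Adding `if (domain->dcname == NULL) { return NT_STATUS_NO_MEMORY; }` directly after the assignment would make this path fail cleanly, in the same way the `socket_path` allocation is handled in patch 2/3. A one-line comment above the new `if` would also help, stating that a writable AD DC answers netlogon for its own primary domain over the local socket and that the IP_TCP and NP attempts below are skipped on purpose. cm_connect_netlogon continues outside the hunk.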
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 3d62522..b6a8262 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1238,6 +1238,11 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
 	int rc;
 	TALLOC_CTX *frame = talloc_stackframe();
 
+	if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
 	rc = tsocket_address_inet_from_strings(frame,
 					       "ip",
 					       "127.0.0.1",
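Review bot: The early return of `NT_STATUS_NOT_IMPLEMENTED` on an AD DC changes an authentication path without a comment saying why, and the caller's handling of that status is not visible in this hunk. It should be confirmed that the caller treats the status as "fall through to the netlogon path" and that no branch maps it to a successful or skipped check. A comment at the new block would record the intent, for example `/* On an AD DC, local logons are validated via the netlogon pipe (see cm_connect_netlogon), not passdb */`. The role test could also sit before any work that needs `frame`, but since `frame` is initialised in its declaration the current `TALLOC_FREE(frame)` is correct as written. winbindd_dual_auth_passdb starts and ends outside the hunk.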
-- 
2.1.4


