[PATCH] pass "authoritative" in samlogon through winbind

Volker Lendecke vl at samba.org
Tue Mar 7 05:38:17 UTC 2017


Hi!

This patchset survived autobuild and is independently correct I
believe.

Review appreciated!

Thanks, Volker
-------------- next part --------------
>From 571baf0ebd86b9bffa9e46e4e06b3ec03b640e45 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 28 Jan 2017 11:27:21 +0000
Subject: [PATCH 1/9] cli_netlogon: Remove a fallback for authoritative=NULL

The two callers of rpccli_netlogon_network_logon have authoritative
set !=NULL

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/rpc_client/cli_netlogon.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 166f318..0dab9f7 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -472,16 +472,12 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
 	struct netr_NetworkInfo *network_info;
 	uint16_t validation_level = 0;
 	union netr_Validation *validation = NULL;
-	uint8_t _authoritative = 0;
 	uint32_t _flags = 0;
 	struct netr_ChallengeResponse lm;
 	struct netr_ChallengeResponse nt;
 
 	*info3 = NULL;
 
-	if (authoritative == NULL) {
-		authoritative = &_authoritative;
-	}
 	if (flags == NULL) {
 		flags = &_flags;
 	}
-- 
2.1.4


>From 19f51cca529f9ec677b735069db843f7e0f169bd Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 28 Jan 2017 11:31:09 +0000
Subject: [PATCH 2/9] cli_netlogon: Remove a fallback for flags=NULL

The two callers of rpccli_netlogon_network_logon have flags set !=NULL

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/rpc_client/cli_netlogon.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 0dab9f7..d166629 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -472,16 +472,11 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
 	struct netr_NetworkInfo *network_info;
 	uint16_t validation_level = 0;
 	union netr_Validation *validation = NULL;
-	uint32_t _flags = 0;
 	struct netr_ChallengeResponse lm;
 	struct netr_ChallengeResponse nt;
 
 	*info3 = NULL;
 
-	if (flags == NULL) {
-		flags = &_flags;
-	}
-
 	ZERO_STRUCT(lm);
 	ZERO_STRUCT(nt);
 
-- 
2.1.4


>From d566638cd1ae51cbe3b00f67e7d8aece023aa0ba Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 28 Jan 2017 11:36:11 +0000
Subject: [PATCH 3/9] cli_netlogon: Add return parms to
 rpccli_netlogon_password_logon

Just for symmetry with rpccli_netlogon_network_logon()

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/rpc_client/cli_netlogon.c | 8 ++++----
 source3/rpc_client/cli_netlogon.h | 2 ++
 source3/rpcclient/cmd_netlogon.c  | 4 ++++
 source3/winbindd/winbindd_pam.c   | 2 ++
 4 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index d166629..634c78b 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -310,6 +310,8 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
 					const char *password,
 					const char *workstation,
 					enum netr_LogonInfoClass logon_type,
+					uint8_t *authoritative,
+					uint32_t *flags,
 					struct netr_SamInfo3 **info3)
 {
 	TALLOC_CTX *frame = talloc_stackframe();
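Review bot: The new out-parameters `authoritative` and `flags` carry no statement that they must be non-NULL, and the later hunk at `@@ -426` forwards them unchecked where the old code passed the addresses of locals. Patches 1/9 and 2/9 remove the NULL fallbacks from rpccli_netlogon_network_logon on the same reasoning, so both functions now depend on every caller passing valid pointers; a NULL from a future caller would presumably fault inside the callee. I would record the contract above the prototype in cli_netlogon.h, e.g. `/* authoritative and flags are mandatory out-parameters; callers must not pass NULL */`. The function body continues outside this hunk.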
@@ -317,8 +319,6 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
 	union netr_LogonLevel *logon;
 	uint16_t validation_level = 0;
 	union netr_Validation *validation = NULL;
-	uint8_t authoritative = 0;
-	uint32_t flags = 0;
 	char *workstation_slash = NULL;
 
 	logon = talloc_zero(frame, union netr_LogonLevel);
@@ -426,8 +426,8 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
 						  frame,
 						  &validation_level,
 						  &validation,
-						  &authoritative,
-						  &flags);
+						  authoritative,
+						  flags);
 	if (!NT_STATUS_IS_OK(status)) {
 		TALLOC_FREE(frame);
 		return status;
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index d63805b..bef0def 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -65,6 +65,8 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
 					const char *password,
 					const char *workstation,
 					enum netr_LogonInfoClass logon_type,
+					uint8_t *authoritative,
+					uint32_t *flags,
 					struct netr_SamInfo3 **info3);
 NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
 				       struct dcerpc_binding_handle *binding_handle,
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index f657172..29d3096 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -779,6 +779,8 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
 	uint32_t logon_param = 0;
 	const char *workstation = NULL;
 	struct netr_SamInfo3 *info3 = NULL;
+	uint8_t authoritative = 0;
+	uint32_t flags = 0;
 
 	/* Check arguments */
 
@@ -816,6 +818,8 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
 						password,
 						workstation,
 						logon_type,
+						&authoritative,
+						&flags,
 						&info3);
 	if (!NT_STATUS_IS_OK(result))
 		goto done;
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 74afdcc..3954de2 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1392,6 +1392,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 								password,
 								workstation,
 								NetlogonInteractiveInformation,
+								&authoritative,
+								&flags,
 								info3);
 		} else {
 			result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
-- 
2.1.4


>From 9ae1af3d19eead2b16b8b5d42122c2e8261847cf Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 28 Jan 2017 20:20:59 +0000
Subject: [PATCH 4/9] winbind: Pass up args from winbind_samlogon_retry_loop

In particular "authoritative" is useful at the top level

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/winbindd/winbindd_pam.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 3954de2..aad1ee3 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1320,6 +1320,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 					    DATA_BLOB lm_response,
 					    DATA_BLOB nt_response,
 					    bool interactive,
+					    uint8_t *authoritative,
+					    uint32_t *flags,
 					    struct netr_SamInfo3 **info3)
 {
 	int attempts = 0;
@@ -1329,8 +1331,6 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 
 	do {
 		struct rpc_pipe_client *netlogon_pipe;
-		uint8_t authoritative = 0;
-		uint32_t flags = 0;
 
 		ZERO_STRUCTP(info3);
 		retry = false;
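Review bot: Dropping the loop-local `authoritative` and `flags` also drops their re-initialisation at the start of every attempt, so a retry now starts with whatever an earlier failed attempt left in the caller's variables. Any iteration that bails out before the logon RPC (those paths lie outside this hunk) then hands a stale value, or the caller's initial value, back up, and later patches in the series forward `authoritative` to the winbind client. Resetting the outputs next to `ZERO_STRUCTP(info3);`, e.g. `*authoritative = 0; *flags = 0;` (or whichever default the callers are meant to see), would make the function define them on every path. The loop body continues outside the hunk.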
@@ -1392,8 +1392,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 								password,
 								workstation,
 								NetlogonInteractiveInformation,
-								&authoritative,
-								&flags,
+								authoritative,
+								flags,
 								info3);
 		} else {
 			result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
@@ -1406,8 +1406,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 							chal,
 							lm_response,
 							nt_response,
-							&authoritative,
-							&flags,
+							authoritative,
+							flags,
 							info3);
 		}
 
@@ -1493,6 +1493,8 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
 	fstring name_domain, name_user;
 	NTSTATUS result;
 	struct netr_SamInfo3 *my_info3 = NULL;
+	uint8_t authoritative = 0;
+	uint32_t flags = 0;
 
 	*info3 = NULL;
 
@@ -1567,6 +1569,8 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
 					     lm_resp,
 					     nt_resp,
 					     true, /* interactive */
+					     &authoritative,
+					     &flags,
 					     &my_info3);
 	if (!NT_STATUS_IS_OK(result)) {
 		goto done;
@@ -1948,6 +1952,8 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 			       DATA_BLOB nt_response,
 			       struct netr_SamInfo3 **info3)
 {
+	uint8_t authoritative = 0;
+	uint32_t flags = 0;
 	NTSTATUS result;
 
 	if (strequal(name_domain, get_global_sam_name())) {
@@ -1982,6 +1988,8 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 					     lm_response,
 					     nt_response,
 					     false, /* interactive */
+					     &authoritative,
+					     &flags,
 					     info3);
 	if (!NT_STATUS_IS_OK(result)) {
 		goto done;
-- 
2.1.4


>From d7fbbac51ffa5ead588be5bab60c109c5125b668 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 28 Jan 2017 20:20:59 +0000
Subject: [PATCH 5/9] winbind: Pass up args from winbind_dual_SamLogon

We'll need to pass "authoritative" back to the winbind client

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/winbindd/winbindd_dual_srv.c |  6 +++++-
 source3/winbindd/winbindd_pam.c      | 14 ++++++++++----
 source3/winbindd/winbindd_proto.h    |  2 ++
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index 7b97f33..763ebb8 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -860,6 +860,8 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
 	struct winbindd_domain *domain;
 	NTSTATUS status;
 	DATA_BLOB lm_response, nt_response;
+	uint32_t flags;
+
 	domain = wb_child_domain();
 	if (domain == NULL) {
 		return NT_STATUS_REQUEST_NOT_ACCEPTED;
@@ -883,7 +885,9 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
 				       r->in.logon.network->identity_info.domain_name.string,
 				       r->in.logon.network->identity_info.workstation.string,
 				       r->in.logon.network->challenge,
-				       lm_response, nt_response, &r->out.validation.sam3);
+				       lm_response, nt_response,
+				       &r->out.authoritative, &flags,
+				       &r->out.validation.sam3);
 	return status;
 }
 
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index aad1ee3..a8bc34e 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1950,10 +1950,10 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 			       const uint8_t chal[8],
 			       DATA_BLOB lm_response,
 			       DATA_BLOB nt_response,
+			       uint8_t *authoritative,
+			       uint32_t *flags,
 			       struct netr_SamInfo3 **info3)
 {
-	uint8_t authoritative = 0;
-	uint32_t flags = 0;
 	NTSTATUS result;
 
 	if (strequal(name_domain, get_global_sam_name())) {
@@ -1972,6 +1972,8 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 		 * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED 
 		 */
 		if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+			*authoritative = 1;
+			*flags = 0;
 			goto process_result;
 		}
 	}
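Review bot: The hard-coded `*authoritative = 1; *flags = 0;` on the local-SAM branch encodes a policy decision that the code does not explain. Presumably a result from our own SAM is final and the caller should not try another backend, but a reader has to infer that from the rest of the series. A short comment above the two assignments, e.g. `/* answered from the local SAM: treat the result as authoritative */`, would make the intent reviewable. The enclosing function starts and ends outside this hunk.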
@@ -1988,8 +1990,8 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 					     lm_response,
 					     nt_response,
 					     false, /* interactive */
-					     &authoritative,
-					     &flags,
+					     authoritative,
+					     flags,
 					     info3);
 	if (!NT_STATUS_IS_OK(result)) {
 		goto done;
@@ -2053,6 +2055,8 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 	const char *name_user = NULL;
 	const char *name_domain = NULL;
 	const char *workstation;
+	uint8_t authoritative;
+	uint32_t flags;
 
 	DATA_BLOB lm_resp, nt_resp;
 
@@ -2105,6 +2109,8 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 				       state->request->data.auth_crap.chal,
 				       lm_resp,
 				       nt_resp,
+				       &authoritative,
+				       &flags,
 				       &info3);
 	if (!NT_STATUS_IS_OK(result)) {
 		goto done;
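Review bot: `authoritative` and `flags` are passed by address here but are declared in the previous hunk without initialisers (`uint8_t authoritative;`, `uint32_t flags;`), unlike the `= 0` used for the same locals in winbindd_dual_pam_auth_samlogon and cmd_netlogon_sam_logon elsewhere in this series. Patch 7/9 then copies `authoritative` into `state->response->data.auth.authoritative` on the failure branch, so if winbind_dual_SamLogon fails on a path that never writes through the pointer (its early exits are outside these hunks), an indeterminate stack byte is sent to the winbind client and may steer its fallback decision. Initialising at the declaration, `uint8_t authoritative = 0;` and `uint32_t flags = 0;` (or whichever fail-safe default is intended), removes the dependency on every callee path. `uint32_t flags;` in _winbind_SamLogon in this patch has the same shape, though it is never read there.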
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 46fb600..09be4b2 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -452,6 +452,8 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 			       const uint8_t chal[8],
 			       DATA_BLOB lm_response,
 			       DATA_BLOB nt_response,
+			       uint8_t *authoritative,
+			       uint32_t *flags,
 			       struct netr_SamInfo3 **info3);
 
 /* The following definitions come from winbindd/winbindd_util.c  */
-- 
2.1.4


>From 8d0a0546a51f584c3b5dc8b4814484338557010b Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 29 Jan 2017 16:46:12 +0000
Subject: [PATCH 6/9] winbind: Add "authoritative" to winbindd_response

This is a relevant piece of info in the samlogon response,
smbd and netlogond need to be able to react to it.

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 nsswitch/winbind_struct_protocol.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/nsswitch/winbind_struct_protocol.h b/nsswitch/winbind_struct_protocol.h
index 84829d2..ccc9ef2 100644
--- a/nsswitch/winbind_struct_protocol.h
+++ b/nsswitch/winbind_struct_protocol.h
@@ -58,8 +58,9 @@ typedef char fstring[FSTRING_LEN];
  *     removed WINBINDD_SID_TO_GID
  *     removed WINBINDD_GID_TO_SID
  *     removed WINBINDD_UID_TO_SID
+ * 29: added "authoritative" to response.data.auth
  */
-#define WINBIND_INTERFACE_VERSION 28
+#define WINBIND_INTERFACE_VERSION 29
 
 /* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
    On a 64bit Linux box, we have to support a constant structure size
@@ -432,6 +433,7 @@ struct winbindd_response {
 			char first_8_lm_hash[8];
 			fstring krb5ccname;
 			uint32_t reject_reason;
+			uint8_t authoritative;
 			uint32_t padding;
 			struct policy_settings {
 				uint32_t min_length_password;
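Review bot: Placing a `uint8_t` between `reject_reason` and the `uint32_t padding` member leaves three bytes of compiler-inserted padding inside a structure that is exchanged between winbindd and its clients. If the response is not fully zeroed before it is filled in (not visible in this hunk), those bytes carry whatever was in memory, and the hole is easy to overlook the next time the layout changes. Making it explicit, e.g. `uint8_t authoritative; uint8_t padding_authoritative[3];`, keeps the layout self-describing without changing the size. The struct definition continues outside the hunk.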
-- 
2.1.4


>From 42d8c7c5abfdc17d15d0993b6e9f38fad3fd1ba3 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 11 Feb 2017 10:04:29 +0100
Subject: [PATCH 7/9] winbind: Set "authoritative" in response to auth_crap

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/winbindd/winbindd_pam.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index a8bc34e..5d1da16 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2113,6 +2113,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 				       &flags,
 				       &info3);
 	if (!NT_STATUS_IS_OK(result)) {
+		state->response->data.auth.authoritative = authoritative;
 		goto done;
 	}
 
-- 
2.1.4


>From 4dbb310329a3047601e8c09992dfd3befe8e5281 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sun, 29 Jan 2017 16:51:53 +0000
Subject: [PATCH 8/9] libwbclient: Add "authoritative" to wbcAuthErrorInfo

smbd needs to react to "authoritative"

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 nsswitch/libwbclient/ABI/wbclient-0.14.sigs | 132 ++++++++++++++++++++++++++++
 nsswitch/libwbclient/wbc_pam.c              |   1 +
 nsswitch/libwbclient/wbclient.h             |   4 +-
 nsswitch/libwbclient/wscript                |   2 +-
 4 files changed, 137 insertions(+), 2 deletions(-)
 create mode 100644 nsswitch/libwbclient/ABI/wbclient-0.14.sigs

diff --git a/nsswitch/libwbclient/ABI/wbclient-0.14.sigs b/nsswitch/libwbclient/ABI/wbclient-0.14.sigs
new file mode 100644
index 0000000..b07a6a8
--- /dev/null
+++ b/nsswitch/libwbclient/ABI/wbclient-0.14.sigs
@@ -0,0 +1,132 @@
+wbcAddNamedBlob: wbcErr (size_t *, struct wbcNamedBlob **, const char *, uint32_t, uint8_t *, size_t)
+wbcAllocateGid: wbcErr (gid_t *)
+wbcAllocateMemory: void *(size_t, size_t, void (*)(void *))
+wbcAllocateStringArray: const char **(int)
+wbcAllocateUid: wbcErr (uid_t *)
+wbcAuthenticateUser: wbcErr (const char *, const char *)
+wbcAuthenticateUserEx: wbcErr (const struct wbcAuthUserParams *, struct wbcAuthUserInfo **, struct wbcAuthErrorInfo **)
+wbcChangeTrustCredentials: wbcErr (const char *, struct wbcAuthErrorInfo **)
+wbcChangeUserPassword: wbcErr (const char *, const char *, const char *)
+wbcChangeUserPasswordEx: wbcErr (const struct wbcChangePasswordParams *, struct wbcAuthErrorInfo **, enum wbcPasswordChangeRejectReason *, struct wbcUserPasswordPolicyInfo **)
+wbcCheckTrustCredentials: wbcErr (const char *, struct wbcAuthErrorInfo **)
+wbcCredentialCache: wbcErr (struct wbcCredentialCacheParams *, struct wbcCredentialCacheInfo **, struct wbcAuthErrorInfo **)
+wbcCredentialSave: wbcErr (const char *, const char *)
+wbcCtxAllocateGid: wbcErr (struct wbcContext *, gid_t *)
+wbcCtxAllocateUid: wbcErr (struct wbcContext *, uid_t *)
+wbcCtxAuthenticateUser: wbcErr (struct wbcContext *, const char *, const char *)
+wbcCtxAuthenticateUserEx: wbcErr (struct wbcContext *, const struct wbcAuthUserParams *, struct wbcAuthUserInfo **, struct wbcAuthErrorInfo **)
+wbcCtxChangeTrustCredentials: wbcErr (struct wbcContext *, const char *, struct wbcAuthErrorInfo **)
+wbcCtxChangeUserPassword: wbcErr (struct wbcContext *, const char *, const char *, const char *)
+wbcCtxChangeUserPasswordEx: wbcErr (struct wbcContext *, const struct wbcChangePasswordParams *, struct wbcAuthErrorInfo **, enum wbcPasswordChangeRejectReason *, struct wbcUserPasswordPolicyInfo **)
+wbcCtxCheckTrustCredentials: wbcErr (struct wbcContext *, const char *, struct wbcAuthErrorInfo **)
+wbcCtxCreate: struct wbcContext *(void)
+wbcCtxCredentialCache: wbcErr (struct wbcContext *, struct wbcCredentialCacheParams *, struct wbcCredentialCacheInfo **, struct wbcAuthErrorInfo **)
+wbcCtxCredentialSave: wbcErr (struct wbcContext *, const char *, const char *)
+wbcCtxDcInfo: wbcErr (struct wbcContext *, const char *, size_t *, const char ***, const char ***)
+wbcCtxDomainInfo: wbcErr (struct wbcContext *, const char *, struct wbcDomainInfo **)
+wbcCtxEndgrent: wbcErr (struct wbcContext *)
+wbcCtxEndpwent: wbcErr (struct wbcContext *)
+wbcCtxFree: void (struct wbcContext *)
+wbcCtxGetDisplayName: wbcErr (struct wbcContext *, const struct wbcDomainSid *, char **, char **, enum wbcSidType *)
+wbcCtxGetGroups: wbcErr (struct wbcContext *, const char *, uint32_t *, gid_t **)
+wbcCtxGetSidAliases: wbcErr (struct wbcContext *, const struct wbcDomainSid *, struct wbcDomainSid *, uint32_t, uint32_t **, uint32_t *)
+wbcCtxGetgrent: wbcErr (struct wbcContext *, struct group **)
+wbcCtxGetgrgid: wbcErr (struct wbcContext *, gid_t, struct group **)
+wbcCtxGetgrlist: wbcErr (struct wbcContext *, struct group **)
+wbcCtxGetgrnam: wbcErr (struct wbcContext *, const char *, struct group **)
+wbcCtxGetpwent: wbcErr (struct wbcContext *, struct passwd **)
+wbcCtxGetpwnam: wbcErr (struct wbcContext *, const char *, struct passwd **)
+wbcCtxGetpwsid: wbcErr (struct wbcContext *, struct wbcDomainSid *, struct passwd **)
+wbcCtxGetpwuid: wbcErr (struct wbcContext *, uid_t, struct passwd **)
+wbcCtxGidToSid: wbcErr (struct wbcContext *, gid_t, struct wbcDomainSid *)
+wbcCtxInterfaceDetails: wbcErr (struct wbcContext *, struct wbcInterfaceDetails **)
+wbcCtxListGroups: wbcErr (struct wbcContext *, const char *, uint32_t *, const char ***)
+wbcCtxListTrusts: wbcErr (struct wbcContext *, struct wbcDomainInfo **, size_t *)
+wbcCtxListUsers: wbcErr (struct wbcContext *, const char *, uint32_t *, const char ***)
+wbcCtxLogoffUser: wbcErr (struct wbcContext *, const char *, uid_t, const char *)
+wbcCtxLogoffUserEx: wbcErr (struct wbcContext *, const struct wbcLogoffUserParams *, struct wbcAuthErrorInfo **)
+wbcCtxLogonUser: wbcErr (struct wbcContext *, const struct wbcLogonUserParams *, struct wbcLogonUserInfo **, struct wbcAuthErrorInfo **, struct wbcUserPasswordPolicyInfo **)
+wbcCtxLookupDomainController: wbcErr (struct wbcContext *, const char *, uint32_t, struct wbcDomainControllerInfo **)
+wbcCtxLookupDomainControllerEx: wbcErr (struct wbcContext *, const char *, struct wbcGuid *, const char *, uint32_t, struct wbcDomainControllerInfoEx **)
+wbcCtxLookupName: wbcErr (struct wbcContext *, const char *, const char *, struct wbcDomainSid *, enum wbcSidType *)
+wbcCtxLookupRids: wbcErr (struct wbcContext *, struct wbcDomainSid *, int, uint32_t *, const char **, const char ***, enum wbcSidType **)
+wbcCtxLookupSid: wbcErr (struct wbcContext *, const struct wbcDomainSid *, char **, char **, enum wbcSidType *)
+wbcCtxLookupSids: wbcErr (struct wbcContext *, const struct wbcDomainSid *, int, struct wbcDomainInfo **, int *, struct wbcTranslatedName **)
+wbcCtxLookupUserSids: wbcErr (struct wbcContext *, const struct wbcDomainSid *, bool, uint32_t *, struct wbcDomainSid **)
+wbcCtxPing: wbcErr (struct wbcContext *)
+wbcCtxPingDc: wbcErr (struct wbcContext *, const char *, struct wbcAuthErrorInfo **)
+wbcCtxPingDc2: wbcErr (struct wbcContext *, const char *, struct wbcAuthErrorInfo **, char **)
+wbcCtxResolveWinsByIP: wbcErr (struct wbcContext *, const char *, char **)
+wbcCtxResolveWinsByName: wbcErr (struct wbcContext *, const char *, char **)
+wbcCtxSetgrent: wbcErr (struct wbcContext *)
+wbcCtxSetpwent: wbcErr (struct wbcContext *)
+wbcCtxSidToGid: wbcErr (struct wbcContext *, const struct wbcDomainSid *, gid_t *)
+wbcCtxSidToUid: wbcErr (struct wbcContext *, const struct wbcDomainSid *, uid_t *)
+wbcCtxSidsToUnixIds: wbcErr (struct wbcContext *, const struct wbcDomainSid *, uint32_t, struct wbcUnixId *)
+wbcCtxUidToSid: wbcErr (struct wbcContext *, uid_t, struct wbcDomainSid *)
+wbcCtxUnixIdsToSids: wbcErr (struct wbcContext *, const struct wbcUnixId *, uint32_t, struct wbcDomainSid *)
+wbcDcInfo: wbcErr (const char *, size_t *, const char ***, const char ***)
+wbcDomainInfo: wbcErr (const char *, struct wbcDomainInfo **)
+wbcEndgrent: wbcErr (void)
+wbcEndpwent: wbcErr (void)
+wbcErrorString: const char *(wbcErr)
+wbcFreeMemory: void (void *)
+wbcGetDisplayName: wbcErr (const struct wbcDomainSid *, char **, char **, enum wbcSidType *)
+wbcGetGlobalCtx: struct wbcContext *(void)
+wbcGetGroups: wbcErr (const char *, uint32_t *, gid_t **)
+wbcGetSidAliases: wbcErr (const struct wbcDomainSid *, struct wbcDomainSid *, uint32_t, uint32_t **, uint32_t *)
+wbcGetgrent: wbcErr (struct group **)
+wbcGetgrgid: wbcErr (gid_t, struct group **)
+wbcGetgrlist: wbcErr (struct group **)
+wbcGetgrnam: wbcErr (const char *, struct group **)
+wbcGetpwent: wbcErr (struct passwd **)
+wbcGetpwnam: wbcErr (const char *, struct passwd **)
+wbcGetpwsid: wbcErr (struct wbcDomainSid *, struct passwd **)
+wbcGetpwuid: wbcErr (uid_t, struct passwd **)
+wbcGidToSid: wbcErr (gid_t, struct wbcDomainSid *)
+wbcGuidToString: wbcErr (const struct wbcGuid *, char **)
+wbcInterfaceDetails: wbcErr (struct wbcInterfaceDetails **)
+wbcLibraryDetails: wbcErr (struct wbcLibraryDetails **)
+wbcListGroups: wbcErr (const char *, uint32_t *, const char ***)
+wbcListTrusts: wbcErr (struct wbcDomainInfo **, size_t *)
+wbcListUsers: wbcErr (const char *, uint32_t *, const char ***)
+wbcLogoffUser: wbcErr (const char *, uid_t, const char *)
+wbcLogoffUserEx: wbcErr (const struct wbcLogoffUserParams *, struct wbcAuthErrorInfo **)
+wbcLogonUser: wbcErr (const struct wbcLogonUserParams *, struct wbcLogonUserInfo **, struct wbcAuthErrorInfo **, struct wbcUserPasswordPolicyInfo **)
+wbcLookupDomainController: wbcErr (const char *, uint32_t, struct wbcDomainControllerInfo **)
+wbcLookupDomainControllerEx: wbcErr (const char *, struct wbcGuid *, const char *, uint32_t, struct wbcDomainControllerInfoEx **)
+wbcLookupName: wbcErr (const char *, const char *, struct wbcDomainSid *, enum wbcSidType *)
+wbcLookupRids: wbcErr (struct wbcDomainSid *, int, uint32_t *, const char **, const char ***, enum wbcSidType **)
+wbcLookupSid: wbcErr (const struct wbcDomainSid *, char **, char **, enum wbcSidType *)
+wbcLookupSids: wbcErr (const struct wbcDomainSid *, int, struct wbcDomainInfo **, int *, struct wbcTranslatedName **)
+wbcLookupUserSids: wbcErr (const struct wbcDomainSid *, bool, uint32_t *, struct wbcDomainSid **)
+wbcPing: wbcErr (void)
+wbcPingDc: wbcErr (const char *, struct wbcAuthErrorInfo **)
+wbcPingDc2: wbcErr (const char *, struct wbcAuthErrorInfo **, char **)
+wbcQueryGidToSid: wbcErr (gid_t, struct wbcDomainSid *)
+wbcQuerySidToGid: wbcErr (const struct wbcDomainSid *, gid_t *)
+wbcQuerySidToUid: wbcErr (const struct wbcDomainSid *, uid_t *)
+wbcQueryUidToSid: wbcErr (uid_t, struct wbcDomainSid *)
+wbcRemoveGidMapping: wbcErr (gid_t, const struct wbcDomainSid *)
+wbcRemoveUidMapping: wbcErr (uid_t, const struct wbcDomainSid *)
+wbcRequestResponse: wbcErr (struct wbcContext *, int, struct winbindd_request *, struct winbindd_response *)
+wbcRequestResponsePriv: wbcErr (struct wbcContext *, int, struct winbindd_request *, struct winbindd_response *)
+wbcResolveWinsByIP: wbcErr (const char *, char **)
+wbcResolveWinsByName: wbcErr (const char *, char **)
+wbcSetGidHwm: wbcErr (gid_t)
+wbcSetGidMapping: wbcErr (gid_t, const struct wbcDomainSid *)
+wbcSetUidHwm: wbcErr (uid_t)
+wbcSetUidMapping: wbcErr (uid_t, const struct wbcDomainSid *)
+wbcSetgrent: wbcErr (void)
+wbcSetpwent: wbcErr (void)
+wbcSidToGid: wbcErr (const struct wbcDomainSid *, gid_t *)
+wbcSidToString: wbcErr (const struct wbcDomainSid *, char **)
+wbcSidToStringBuf: int (const struct wbcDomainSid *, char *, int)
+wbcSidToUid: wbcErr (const struct wbcDomainSid *, uid_t *)
+wbcSidTypeString: const char *(enum wbcSidType)
+wbcSidsToUnixIds: wbcErr (const struct wbcDomainSid *, uint32_t, struct wbcUnixId *)
+wbcStrDup: char *(const char *)
+wbcStringToGuid: wbcErr (const char *, struct wbcGuid *)
+wbcStringToSid: wbcErr (const char *, struct wbcDomainSid *)
+wbcUidToSid: wbcErr (uid_t, struct wbcDomainSid *)
+wbcUnixIdsToSids: wbcErr (const struct wbcUnixId *, uint32_t, struct wbcDomainSid *)
diff --git a/nsswitch/libwbclient/wbc_pam.c b/nsswitch/libwbclient/wbc_pam.c
index 0d1b90c..cb2d5a0 100644
--- a/nsswitch/libwbclient/wbc_pam.c
+++ b/nsswitch/libwbclient/wbc_pam.c
@@ -259,6 +259,7 @@ static wbcErr wbc_create_error_info(const struct winbindd_response *resp,
 
 	e->nt_status = resp->data.auth.nt_status;
 	e->pam_error = resp->data.auth.pam_error;
+	e->authoritative = resp->data.auth.authoritative;
 	e->nt_string = strdup(resp->data.auth.nt_status_string);
 	BAIL_ON_PTR_ERROR(e->nt_string, wbc_status);
 
diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
index 8c1803b..77915b9 100644
--- a/nsswitch/libwbclient/wbclient.h
+++ b/nsswitch/libwbclient/wbclient.h
@@ -74,9 +74,10 @@ const char *wbcErrorString(wbcErr error);
  *  0.11: Extended wbcAuthenticateUserEx to provide PAC parsing
  *  0.12: Added wbcCtxCreate and friends
  *  0.13: Added wbcCtxUnixIdsToSids and wbcUnixIdsToSids
+ *  0.14: Added "authoritative" to wbcAuthErrorInfo
  **/
 #define WBCLIENT_MAJOR_VERSION 0
-#define WBCLIENT_MINOR_VERSION 13
+#define WBCLIENT_MINOR_VERSION 14
 #define WBCLIENT_VENDOR_VERSION "Samba libwbclient"
 struct wbcLibraryDetails {
 	uint16_t major_version;
@@ -419,6 +420,7 @@ struct wbcAuthErrorInfo {
 	char *nt_string;
 	int32_t pam_error;
 	char *display_string;
+	uint8_t authoritative;
 };
 
 /**
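Review bot: The new `authoritative` member is added to the public struct without any description of what 0 and non-zero mean, although the commit message says smbd is expected to react to it. Because a zero-filled wbcAuthErrorInfo reads as "not authoritative", the meaning of the default matters to every consumer that uses the field to decide whether another authentication backend may be tried. I would add a member comment along the lines of `/* 0: the server that answered was not authoritative for the account; non-zero: the failure is final */`, adjusted to the exact semantics intended. The struct begins outside this hunk.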
diff --git a/nsswitch/libwbclient/wscript b/nsswitch/libwbclient/wscript
index 5c5002a..c5390b9 100644
--- a/nsswitch/libwbclient/wscript
+++ b/nsswitch/libwbclient/wscript
@@ -3,7 +3,7 @@
 import Options, Logs
 
 # Remember to also update wbclient.h
-VERSION="0.13"
+VERSION="0.14"
 
 # It may be useful at some point to allow Samba to build against a
 # system libwbclient, such as the one provided by Likewise.  To to
-- 
2.1.4


>From 5d6d74c5e74bcb3529f49ee7e25a1c164a7ccdc8 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Sat, 4 Mar 2017 18:40:09 +0100
Subject: [PATCH 9/9] winbind: Correcly pass !authoritative from
 wb_irpc_SamLogon

Returning an error at this level gives an RPC-level error without the chance to
provide the !authoritative flag to the caller. At the RPC level we're fine, but
not finding the domain to authenticate against means that we don't know the
domain and thus have to return !authoritative.

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source3/winbindd/winbindd_irpc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c
index 9a9f753..c87707a 100644
--- a/source3/winbindd/winbindd_irpc.c
+++ b/source3/winbindd/winbindd_irpc.c
@@ -141,7 +141,9 @@ static NTSTATUS wb_irpc_SamLogon(struct irpc_message *msg,
 
 	domain = find_auth_domain(0, target_domain_name);
 	if (domain == NULL) {
-		return NT_STATUS_NO_SUCH_USER;
+		req->out.result = NT_STATUS_NO_SUCH_USER;
+		req->out.authoritative = 0;
+		return NT_STATUS_OK;
 	}
 
 	DEBUG(5, ("wb_irpc_SamLogon called\n"));
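Review bot: The early return now reports success at the RPC level while leaving every `req->out` member other than `result` and `authoritative` as it was. Whether the irpc layer zero-fills `req->out` before the handler runs is not visible here, so it is worth confirming that the validation output cannot be marshalled uninitialised on this path. A comment such as `/* unknown domain: answer at the logon level so the caller sees authoritative=0 */` would record why this is deliberately not an RPC error. The function continues outside the hunk, and any other early `return NT_STATUS_*` in it would need the same treatment.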
-- 
2.1.4


