1 | commit 8a7159aa1b000593ffe89ca8d7477e6373764aaf |
2 | Author: Günther Deschner <gd@samba.org> | |
3 | AuthorDate: Tue Jul 15 14:16:56 2014 +0200 | |
4 | Commit: Andreas Schneider <asn@samba.org> | |
5 | CommitDate: Tue Jul 15 15:25:27 2014 +0200 | |
6 | ||
7 | PATCHSET14 s3-rpc_client: return info3 in rpccli_netlogon_password_logon(). | |
8 | ||
9 | Guenther | |
10 | ||
11 | Signed-off-by: Günther Deschner <gd@samba.org> | |
12 | Pair-Programmed-With: Andreas Schneider <asn@samba.org> | |
13 | Reviewed-by: Andreas Schneider <asn@samba.org> | |
14 | --- | |
15 | source3/rpc_client/cli_netlogon.c | 100 +++++++++++++++++++++----------------- | |
16 | source3/rpc_client/cli_netlogon.h | 3 +- | |
17 | source3/rpcclient/cmd_netlogon.c | 3 +- | |
18 | 3 files changed, 60 insertions(+), 46 deletions(-) | |
19 | ||
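--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -153,6 +153,53 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
 return NT_STATUS_OK;
 }
 
+static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
+uint16_t validation_level,
+union netr_Validation *validation,
+struct netr_SamInfo3 **info3_p)
+{
+struct netr_SamInfo3 *info3;
+NTSTATUS status;
+
+if (validation == NULL) {
+return NT_STATUS_INVALID_PARAMETER;
+}
+
+switch (validation_level) {
+case 3:
+if (validation->sam3 == NULL) {
+return NT_STATUS_INVALID_PARAMETER;
+}
+
+info3 = talloc_move(mem_ctx, &validation->sam3);
+break;
+case 6:
+if (validation->sam6 == NULL) {
+return NT_STATUS_INVALID_PARAMETER;
+}
+
+info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
+if (info3 == NULL) {
+return NT_STATUS_NO_MEMORY;
+}
+status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
+if (!NT_STATUS_IS_OK(status)) {
+TALLOC_FREE(info3);
+return status;
+}
+
+info3->sidcount = validation->sam6->sidcount;
+info3->sids = talloc_move(info3, &validation->sam6->sids);
+break;
+default:
+return NT_STATUS_BAD_VALIDATION_CLASS;
+}
+
+*info3_p = info3;
+
+return NT_STATUS_OK;
+}
+
 /* Logon domain user */
 
 NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
@@ -163,7 +210,8 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
 const char *password,
 const char *workstation,
 uint16_t validation_level,
-int logon_type)
+int logon_type,
+struct netr_SamInfo3 **info3)
 {
 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 NTSTATUS status;
@@ -298,54 +346,18 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
 return NT_STATUS_ACCESS_DENIED;
 }
 
-return result;
-}
-
-static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
-uint16_t validation_level,
-union netr_Validation *validation,
-struct netr_SamInfo3 **info3_p)
-{
-struct netr_SamInfo3 *info3;
-NTSTATUS status;
-
-if (validation == NULL) {
-return NT_STATUS_INVALID_PARAMETER;
+if (!NT_STATUS_IS_OK(result)) {
+return result;
 }
 
-switch (validation_level) {
-case 3:
-if (validation->sam3 == NULL) {
-return NT_STATUS_INVALID_PARAMETER;
-}
-
-info3 = talloc_move(mem_ctx, &validation->sam3);
-break;
-case 6:
-if (validation->sam6 == NULL) {
-return NT_STATUS_INVALID_PARAMETER;
-}
-
-info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
-if (info3 == NULL) {
-return NT_STATUS_NO_MEMORY;
-}
-status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
-if (!NT_STATUS_IS_OK(status)) {
-TALLOC_FREE(info3);
-return status;
-}
+netlogon_creds_decrypt_samlogon(cli->dc, validation_level, &validation);
 
-info3->sidcount = validation->sam6->sidcount;
-info3->sids = talloc_move(info3, &validation->sam6->sids);
-break;
-default:
-return NT_STATUS_BAD_VALIDATION_CLASS;
+result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
+if (!NT_STATUS_IS_OK(result)) {
+return result;
 }
 
-*info3_p = info3;
-
-return NT_STATUS_OK;
+return result;
 }
 
 /**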
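Review bot: `map_validation_to_info3` stores through `info3_p` unconditionally (`*info3_p = info3;`), and the new tail of `rpccli_netlogon_sam_logon` passes its `info3` argument straight in, so a caller that passes NULL because it only wants the status code faults on a successful logon; the body of `rpccli_netlogon_sam_logon` starts outside the hunks, so I cannot see whether it guards that earlier. Reject it up front with `if (info3 == NULL) { return NT_STATUS_INVALID_PARAMETER; }`, or treat NULL as "discard the validation data". The closing `if (!NT_STATUS_IS_OK(result)) { return result; } return result;` is two copies of the same statement and collapses to `return result;`. A one-line comment at the `map_validation_to_info3` call, `/* the decrypted validation data is reparented to mem_ctx and handed back via *info3 */`, would make the ownership hand-off visible to callers.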
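--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -41,7 +41,8 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
 const char *password,
 const char *workstation,
 uint16_t validation_level,
-int logon_type);
+int logon_type,
+struct netr_SamInfo3 **info3);
 NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
 TALLOC_CTX *mem_ctx,
 uint32 logon_parameters,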
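--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -724,6 +724,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
 uint16_t validation_level = 3;
 uint32 logon_param = 0;
 const char *workstation = NULL;
+struct netr_SamInfo3 *info3 = NULL;
 
 /* Check arguments */
 
@@ -750,7 +751,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
 
 /* Perform the sam logon */
 
-result = rpccli_netlogon_sam_logon(cli, mem_ctx, logon_param, lp_workgroup(), username, password, workstation, validation_level, logon_type);
+result = rpccli_netlogon_sam_logon(cli, mem_ctx, logon_param, lp_workgroup(), username, password, workstation, validation_level, logon_type, &info3);
 
 if (!NT_STATUS_IS_OK(result))
 goto done;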
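Review bot: The new `info3` local is filled by `rpccli_netlogon_sam_logon` but nothing in either hunk reads it, and `cmd_netlogon_sam_logon` continues outside the hunk. If the intent is to show the validation data to the rpcclient user, print it after the status check, e.g. `NDR_PRINT_DEBUG(netr_SamInfo3, info3);`; otherwise the variable is write-only and deserves a comment such as `/* info3 is required by the API; rpcclient only reports the status */`.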
185 | commit 53c404ade6d660c449a9dddb56aa80dc6d5ea920 | |
186 | Author: Günther Deschner <gd@samba.org> | |
187 | AuthorDate: Tue Jul 15 14:25:19 2014 +0200 | |
188 | Commit: Andreas Schneider <asn@samba.org> | |
189 | CommitDate: Tue Jul 15 15:25:29 2014 +0200 | |
190 | ||
191 | PATCHSET14 s3-winbindd: call interactive samlogon via rpccli_netlogon_password_logon. | |
192 | ||
193 | Guenther | |
194 | ||
195 | Signed-off-by: Guenther Deschner <gd@samba.org> | |
196 | Pair-Programmed-With: Andreas Schneider <asn@samba.org> | |
197 | Reviewed-by: Andreas Schneider <asn@samba.org> | |
198 | --- | |
199 | source3/winbindd/winbindd_pam.c | 20 +++++++++++++++++++- | |
200 | 1 file changed, 19 insertions(+), 1 deletion(-) | |
201 | ||
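--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1152,11 +1152,13 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 uint32_t logon_parameters,
 const char *server,
 const char *username,
+const char *password,
 const char *domainname,
 const char *workstation,
 const uint8_t chal[8],
 DATA_BLOB lm_response,
 DATA_BLOB nt_response,
+bool interactive,
 struct netr_SamInfo3 **info3)
 {
 int attempts = 0;
@@ -1269,7 +1271,19 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 domain->can_do_validation6 = false;
 }
 
-if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
+if (interactive && username != NULL && password != NULL) {
+result = rpccli_netlogon_sam_logon(
+netlogon_pipe,
+mem_ctx,
+logon_parameters,
+domainname,
+username,
+password,
+workstation,
+3, /* FIXME */
+NetlogonInteractiveInformation,
+info3);
+} else if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
 result = rpccli_netlogon_sam_network_logon_ex(
 netlogon_pipe,
 mem_ctx,
@@ -1453,11 +1467,13 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
 0,
 domain->dcname,
 name_user,
+pass,
 name_domain,
 global_myname(),
 chal,
 lm_resp,
 nt_resp,
+true,
 &my_info3);
 if (!NT_STATUS_IS_OK(result)) {
 goto done;
@@ -1874,12 +1890,14 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 state->request->data.auth_crap.logon_parameters,
 domain->dcname,
 name_user,
+NULL, /* password */
 name_domain,
 /* Bug #3248 - found by Stefan Burkei. */
 workstation, /* We carefully set this above so use it... */
 state->request->data.auth_crap.chal,
 lm_resp,
 nt_resp,
+false, /* interactive */
 &info3);
 if (!NT_STATUS_IS_OK(result)) {
 goto done;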
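Review bot: The interactive branch in the second hunk pins the validation level to `3, /* FIXME */` although the lines immediately above it maintain `domain->can_do_validation6`, so the level-6 capability tracking never applies to interactive logons; since `map_validation_to_info3` already handles both levels, `domain->can_do_validation6 ? 6 : 3,` resolves the FIXME without new code. With `interactive` true the `chal`/`lm_response`/`nt_response` arguments go unused, yet `winbindd_dual_pam_auth_samlogon` (third hunk) still passes `chal`, `lm_resp` and `nt_resp` it presumably computed earlier — a comment at that call, `/* chal/lm_resp/nt_resp are ignored on the interactive path */`, would stop the next reader from hunting for where they are consumed. The cleartext `password` now travels through the retry loop; the loop body is outside the hunk, so please check that none of its DEBUG statements print the argument list.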
270 | commit f73d1b92b78c4c3f23f411807273e3d09d39c10a | |
271 | Author: Günther Deschner <gd@samba.org> | |
272 | AuthorDate: Mon Jul 7 17:14:37 2014 +0200 | |
273 | Commit: Andreas Schneider <asn@samba.org> | |
274 | CommitDate: Tue Jul 15 15:25:30 2014 +0200 | |
275 | ||
276 | PATCHSET14 s3-winbindd: add wcache_query_user_fullname(). | |
277 | ||
278 | This helper function is used to query the full name of a cached user object (for | |
279 | further gecos processing). | |
280 | ||
281 | Thanks to Matt Rogers <mrogers@redhat.com>. | |
282 | ||
283 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440 | |
284 | ||
285 | Guenther | |
286 | ||
287 | Pair-Programmed-With: Andreas Schneider <asn@samba.org> | |
288 | Signed-off-by: Günther Deschner <gd@samba.org> | |
289 | Reviewed-by: Andreas Schneider <asn@samba.org> | |
290 | --- | |
291 | source3/winbindd/winbindd_cache.c | 34 ++++++++++++++++++++++++++++++++++ | |
292 | source3/winbindd/winbindd_proto.h | 4 ++++ | |
293 | 2 files changed, 38 insertions(+) | |
294 | ||
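--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -2282,6 +2282,40 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
 return status;
 }
 
+
+/**
+* @brief Query a fullname from the username cache (for further gecos processing)
+*
+* @param domain A pointer to the winbindd_domain struct.
+* @param mem_ctx The talloc context.
+* @param user_sid The user sid.
+* @param full_name A pointer to the full_name string.
+*
+* @return NTSTATUS code
+*/
+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
+TALLOC_CTX *mem_ctx,
+const struct dom_sid *user_sid,
+const char **full_name)
+{
+NTSTATUS status;
+struct wbint_userinfo info;
+
+status = wcache_query_user(domain, mem_ctx, user_sid, &info);
+if (!NT_STATUS_IS_OK(status)) {
+return status;
+}
+
+if (info.full_name != NULL) {
+*full_name = talloc_strdup(mem_ctx, info.full_name);
+if (*full_name == NULL) {
+return NT_STATUS_NO_MEMORY;
+}
+}
+
+return NT_STATUS_OK;
+}
+
 /* Lookup user information from a rid */
 static NTSTATUS query_user(struct winbindd_domain *domain,
 TALLOC_CTX *mem_ctx,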
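Review bot: `wcache_query_user_fullname` returns NT_STATUS_OK without touching `*full_name` when the cached record has no full name, so a caller that does not pre-initialise its pointer gets an indeterminate value together with a success status; the out-parameter should be set on every path. The whole `struct wbint_userinfo` that `wcache_query_user` fills — judging by its `mem_ctx` argument, with strings allocated on the caller's context — stays alive on `mem_ctx` although only one string is wanted; in the winbindd_pam.c callers of this series `mem_ctx` is the `info3` itself, so every unrelated field ends up attached to the object that is then stored in the samlogon cache. Query into a short-lived frame and copy only the field you keep, and the Doxygen block should state the contract: `full_name` is set to NULL when the cache has no name, and the returned string is owned by `mem_ctx`.
```c
/* … unchanged: wcache_query_user_fullname() Doxygen block and signature … */
{
	NTSTATUS status;
	struct wbint_userinfo info;
	TALLOC_CTX *tmp_ctx = talloc_stackframe();

	/* always defined for the caller, even on a miss */
	*full_name = NULL;

	status = wcache_query_user(domain, tmp_ctx, user_sid, &info);
	if (!NT_STATUS_IS_OK(status)) {
		TALLOC_FREE(tmp_ctx);
		return status;
	}

	if (info.full_name != NULL) {
		/* the rest of info dies with tmp_ctx; only this string is kept */
		*full_name = talloc_strdup(mem_ctx, info.full_name);
		if (*full_name == NULL) {
			TALLOC_FREE(tmp_ctx);
			return NT_STATUS_NO_MEMORY;
		}
	}

	TALLOC_FREE(tmp_ctx);
	return NT_STATUS_OK;
}
```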
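--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -103,6 +103,10 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
 TALLOC_CTX *mem_ctx,
 const struct dom_sid *user_sid,
 struct wbint_userinfo *info);
+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
+TALLOC_CTX *mem_ctx,
+const struct dom_sid *user_sid,
+const char **full_name);
 NTSTATUS wcache_lookup_useraliases(struct winbindd_domain *domain,
 TALLOC_CTX *mem_ctx,
 uint32 num_sids, const struct dom_sid *sids,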
355 | commit d4d04c269ade1e96f84b71e60a1c6c322eec5514 | |
356 | Author: Günther Deschner <gd@samba.org> | |
357 | AuthorDate: Mon Jul 7 17:16:32 2014 +0200 | |
358 | Commit: Andreas Schneider <asn@samba.org> | |
359 | CommitDate: Tue Jul 15 15:25:31 2014 +0200 | |
360 | ||
361 | PATCHSET14 s3-winbindd: use wcache_query_user_fullname after inspecting samlogon cache. | |
362 | ||
363 | The reason for this followup query is that very often the samlogon cache only | |
364 | contains an info3 netlogon user structure that has been retrieved during a | |
365 | netlogon samlogon authentication using "network" logon level. With that logon | |
366 | level only a few info3 fields are filled in; the user's fullname is never filled | |
367 | in that case. This is problematic when the cache is used to fill in the user's | |
368 | gecos field (for NSS queries). When we have retrieved the user's fullname during | |
369 | other queries, reuse it from the other caches. | |
370 | ||
371 | Thanks to Matt Rogers <mrogers@redhat.com>. | |
372 | ||
373 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440 | |
374 | ||
375 | Guenther | |
376 | ||
377 | Pair-Programmed-With: Andreas Schneider <asn@samba.org> | |
378 | Signed-off-by: Guenther Deschner <gd@samba.org> | |
379 | Reviewed-by: Andreas Schneider <asn@samba.org> | |
380 | --- | |
381 | source3/winbindd/winbindd_ads.c | 8 ++++++++ | |
382 | source3/winbindd/winbindd_msrpc.c | 8 ++++++++ | |
383 | source3/winbindd/winbindd_pam.c | 41 +++++++++++++++++++++++++++++++++++++++ | |
384 | 3 files changed, 57 insertions(+) | |
385 | ||
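--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -515,6 +515,14 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
 
 TALLOC_FREE(user);
 
+if (info->full_name == NULL) {
+/* this might fail so we dont check the return code */
+wcache_query_user_fullname(domain,
+mem_ctx,
+sid,
+&info->full_name);
+}
+
 return NT_STATUS_OK;
 }
 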
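Review bot: The fallback full name is allocated on `mem_ctx`, but the rest of `info` is filled in outside the hunk, so I cannot confirm that the two share an owner; if `info`'s other strings are parented on `info` itself, this one can be freed out from under it once `mem_ctx` goes away first — pass whichever context owns the other strings, and `query_user`'s body starts outside the hunk. The comment `/* this might fail so we dont check the return code */` says that the result is ignored but not why that is safe; `/* best effort: the user cache may have no entry for this SID, in which case full_name simply stays NULL */` documents the contract the caller relies on (and fixes `dont`).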
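--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -439,6 +439,14 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
 user_info->full_name = talloc_strdup(user_info,
 user->base.full_name.string);
 
+if (user_info->full_name == NULL) {
+/* this might fail so we dont check the return code */
+wcache_query_user_fullname(domain,
+mem_ctx,
+user_sid,
+&user_info->full_name);
+}
+
 status = NT_STATUS_OK;
 goto done;
 }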
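Review bot: `user_info->full_name == NULL` is also what a failed `talloc_strdup` on the line above leaves behind when the DC did return a name, so the new block turns an out-of-memory condition into a silent cache lookup instead of surfacing `NT_STATUS_NO_MEMORY`; testing the source rather than the copy, `if (user->base.full_name.string == NULL) {`, keeps the fallback to the "DC sent no name" case. The primary copy is parented on `user_info` while the fallback is parented on `mem_ctx`, so the struct ends up with mixed ownership; passing `user_info` as the context argument of `wcache_query_user_fullname` keeps every string of `user_info` under the same owner. `msrpc_query_user` begins and ends outside the hunk.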
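--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1739,6 +1739,26 @@ process_result:
 sid_compose(&user_sid, info3->base.domain_sid,
 info3->base.rid);
 
+if (info3->base.full_name.string == NULL) {
+struct netr_SamInfo3 *cached_info3;
+
+cached_info3 = netsamlogon_cache_get(state->mem_ctx,
+&user_sid);
+if (cached_info3 != NULL &&
+cached_info3->base.full_name.string != NULL) {
+info3->base.full_name.string =
+talloc_strdup(info3,
+cached_info3->base.full_name.string);
+} else {
+
+/* this might fail so we dont check the return code */
+wcache_query_user_fullname(domain,
+info3,
+&user_sid,
+&info3->base.full_name.string);
+}
+}
+
 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
 &user_sid);
 netsamlogon_cache_store(name_user, info3);
@@ -1910,6 +1930,27 @@ process_result:
 
 sid_compose(&user_sid, info3->base.domain_sid,
 info3->base.rid);
+
+if (info3->base.full_name.string == NULL) {
+struct netr_SamInfo3 *cached_info3;
+
+cached_info3 = netsamlogon_cache_get(state->mem_ctx,
+&user_sid);
+if (cached_info3 != NULL &&
+cached_info3->base.full_name.string != NULL) {
+info3->base.full_name.string =
+talloc_strdup(info3,
+cached_info3->base.full_name.string);
+} else {
+
+/* this might fail so we dont check the return code */
+wcache_query_user_fullname(domain,
+info3,
+&user_sid,
+&info3->base.full_name.string);
+}
+}
+
 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
 &user_sid);
 netsamlogon_cache_store(name_user, info3);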
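Review bot: The twenty-line lookup block is pasted verbatim into both `process_result:` paths (first and second hunk), which is exactly the kind of duplication that later drifts; a small static helper called as `winbindd_fill_info3_full_name(domain, state->mem_ctx, info3, &user_sid);` at both sites keeps the two auth paths behaving identically. The cached copy returned by `netsamlogon_cache_get` is a full decoded info3 on `state->mem_ctx` that lives until the request is torn down although only one string is taken from it, and the `talloc_strdup` result is not checked — on allocation failure the field silently stays NULL, which should be stated rather than implied. Both enclosing functions start and end outside the hunks.
```c
/*
 * Fill in info3->base.full_name when the DC did not supply it (network-level
 * logons leave it NULL): first from the samlogon cache, then from the user
 * cache. Best effort: on a miss or allocation failure the field stays NULL.
 */
static void winbindd_fill_info3_full_name(struct winbindd_domain *domain,
					  TALLOC_CTX *mem_ctx,
					  struct netr_SamInfo3 *info3,
					  const struct dom_sid *user_sid)
{
	struct netr_SamInfo3 *cached_info3;

	if (info3->base.full_name.string != NULL) {
		return;
	}

	cached_info3 = netsamlogon_cache_get(mem_ctx, user_sid);
	if (cached_info3 != NULL &&
	    cached_info3->base.full_name.string != NULL) {
		info3->base.full_name.string =
			talloc_strdup(info3,
				      cached_info3->base.full_name.string);
		return;
	}

	/* this might fail so we don't check the return code */
	wcache_query_user_fullname(domain, info3, user_sid,
				   &info3->base.full_name.string);
}
```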
483 | commit 7a38729ac2b93d0bd8c2450821cfcedff6fa3f53 | |
484 | Author: Günther Deschner <gd@samba.org> | |
485 | AuthorDate: Wed Jul 9 13:36:06 2014 +0200 | |
486 | Commit: Andreas Schneider <asn@samba.org> | |
487 | CommitDate: Tue Jul 15 15:25:32 2014 +0200 | |
488 | ||
489 | PATCHSET14 samlogon_cache: use a talloc_stackframe inside netsamlogon_cache_store. | |
490 | ||
491 | Guenther | |
492 | ||
493 | Signed-off-by: Günther Deschner <gd@samba.org> | |
494 | Reviewed-by: Andreas Schneider <asn@samba.org> | |
495 | --- | |
496 | source3/libsmb/samlogon_cache.c | 13 ++++--------- | |
497 | 1 file changed, 4 insertions(+), 9 deletions(-) | |
498 | ||
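--- a/source3/libsmb/samlogon_cache.c
+++ b/source3/libsmb/samlogon_cache.c
@@ -132,7 +132,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
 bool result = false;
 struct dom_sid user_sid;
 time_t t = time(NULL);
-TALLOC_CTX *mem_ctx;
+TALLOC_CTX *tmp_ctx = talloc_stackframe();
 DATA_BLOB blob;
 enum ndr_err_code ndr_err;
 struct netsamlogoncache_entry r;
@@ -156,11 +156,6 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
 
 /* Prepare data */
 
-if (!(mem_ctx = TALLOC_P( NULL, int))) {
-DEBUG(0,("netsamlogon_cache_store: talloc() failed!\n"));
-return false;
-}
-
 /* only Samba fills in the username, not sure why NT doesn't */
 /* so we fill it in since winbindd_getpwnam() makes use of it */
 
@@ -175,11 +170,11 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
 NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
 }
 
-ndr_err = ndr_push_struct_blob(&blob, mem_ctx, &r,
+ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, &r,
 (ndr_push_flags_fn_t)ndr_push_netsamlogoncache_entry);
 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 DEBUG(0,("netsamlogon_cache_store: failed to push entry to cache\n"));
-TALLOC_FREE(mem_ctx);
+TALLOC_FREE(tmp_ctx);
 return false;
 }
 
@@ -190,7 +185,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
 result = true;
 }
 
-TALLOC_FREE(mem_ctx);
+TALLOC_FREE(tmp_ctx);
 
 return result;
 }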
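Review bot: Moving the allocation from the `/* Prepare data */` section (old line 159) up into the declarations (line 135) means the frame now exists about twenty lines earlier, and any `return false;` between those two points — none of that stretch is inside the hunks — no longer frees it; the old `mem_ctx` was only allocated after those early exits. Please check that stretch and add `TALLOC_FREE(tmp_ctx);` before each early return, or move `talloc_stackframe()` back down to where `mem_ctx` used to be allocated. A short comment at the declaration, `/* freed on every exit path below */`, makes the invariant explicit for the next change.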
547 | commit f89b793bd672a66f5e75ade33467f6621545f0d4 | |
548 | Author: Andreas Schneider <asn@samba.org> | |
549 | AuthorDate: Thu Jul 3 16:17:46 2014 +0200 | |
550 | Commit: Andreas Schneider <asn@samba.org> | |
551 | CommitDate: Tue Jul 15 15:25:32 2014 +0200 | |
552 | ||
553 | PATCHSET14 samlogon_cache: avoid overwriting info3->base.full_name.string. | |
554 | ||
555 | This field serves as a source for the gecos field. We should not overwrite it | |
556 | when an info3 struct from a samlogon network level gets saved, in which case this | |
557 | field is always NULL. | |
558 | ||
559 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440 | |
560 | ||
561 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
562 | Reviewed-by: Guenther Deschner <gd@samba.org> | |
563 | --- | |
564 | source3/libsmb/samlogon_cache.c | 14 ++++++++++++++ | |
565 | 1 file changed, 14 insertions(+) | |
566 | ||
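--- a/source3/libsmb/samlogon_cache.c
+++ b/source3/libsmb/samlogon_cache.c
@@ -156,6 +156,20 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
 
 /* Prepare data */
 
+if (info3->base.full_name.string == NULL) {
+struct netr_SamInfo3 *cached_info3;
+const char *full_name = NULL;
+
+cached_info3 = netsamlogon_cache_get(tmp_ctx, &user_sid);
+if (cached_info3 != NULL) {
+full_name = cached_info3->base.full_name.string;
+}
+
+if (full_name != NULL) {
+info3->base.full_name.string = talloc_strdup(info3, full_name);
+}
+}
+
 /* only Samba fills in the username, not sure why NT doesn't */
 /* so we fill it in since winbindd_getpwnam() makes use of it */
 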
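Review bot: This block makes the cache self-perpetuating: once a full name has been stored, every later network-level logon copies it forward, so a display name changed on the DC is never refreshed until some other path supplies a non-NULL `full_name.string` — that is the intended behaviour per the commit message, but it should be stated at the block, e.g. `/* keep the last known full name: network-level logons never carry one, so an entry would otherwise lose it on every refresh */`. The `talloc_strdup` result is not checked; leaving the field NULL on allocation failure is acceptable here, but a `/* best effort, stays NULL on OOM */` note would say so. The block reads `user_sid`, which the earlier hunk only declares; the composition from `info3` is outside the hunk, so please confirm it happens before `/* Prepare data */`.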
592 | commit 8fcaeecf174a1c9088c84f271e2859f75e9a5101 | |
593 | Author: Andreas Schneider <asn@samba.org> | |
594 | AuthorDate: Thu Jul 3 16:19:42 2014 +0200 | |
595 | Commit: Andreas Schneider <asn@samba.org> | |
596 | CommitDate: Tue Jul 15 15:25:33 2014 +0200 | |
597 | ||
598 | PATCHSET14 s3-winbind: Don't set the gecos field to NULL. | |
599 | ||
600 | The value is loaded from the cache anyway. So it will be set to NULL if | |
601 | it is not available. | |
602 | ||
603 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440 | |
604 | ||
605 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
606 | Reviewed-by: Guenther Deschner <gd@samba.org> | |
607 | --- | |
608 | source3/winbindd/nss_info_template.c | 1 - | |
609 | 1 file changed, 1 deletion(-) | |
610 | ||
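--- a/source3/winbindd/nss_info_template.c
+++ b/source3/winbindd/nss_info_template.c
@@ -48,7 +48,6 @@ static NTSTATUS nss_template_get_info( struct nss_domain_entry *e,
 username */
 *homedir = talloc_strdup( ctx, lp_template_homedir() );
 *shell = talloc_strdup( ctx, lp_template_shell() );
-*gecos = NULL;
 
 if ( !*homedir || !*shell ) {
 return NT_STATUS_NO_MEMORY;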
623 | commit d32503872aec4fca41056b2d9d9bbb6b15ce9701 | |
624 | Author: Günther Deschner <gd@samba.org> | |
625 | AuthorDate: Tue Jul 15 16:21:08 2014 +0200 | |
626 | Commit: Andreas Schneider <asn@samba.org> | |
627 | CommitDate: Tue Jul 15 16:24:59 2014 +0200 | |
628 | ||
629 | PATCHSET14 s3-rpc_client: add rpccli_netlogon_sam_logon_ex(). | |
630 | ||
631 | This function deals with interactive samlogon and does a dcerpc_netr_SamLogonEx | |
632 | call (w/o credential chaining). | |
633 | ||
634 | Guenther | |
635 | ||
636 | Signed-off-by: Günther Deschner <gd@samba.org> | |
637 | --- | |
638 | source3/rpc_client/cli_netlogon.c | 152 ++++++++++++++++++++++++++++++++++++++ | |
639 | source3/rpc_client/cli_netlogon.h | 10 +++ | |
640 | 2 files changed, 162 insertions(+) | |
641 | ||
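--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -360,6 +360,158 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
 return result;
 }
 
+/* Logon domain user */
+
+NTSTATUS rpccli_netlogon_sam_logon_ex(struct rpc_pipe_client *cli,
+TALLOC_CTX *mem_ctx,
+uint32 logon_parameters,
+const char *domain,
+const char *username,
+const char *password,
+const char *workstation,
+uint16_t validation_level,
+int logon_type,
+struct netr_SamInfo3 **info3)
+{
+NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+NTSTATUS status;
+struct netr_Authenticator ret_creds;
+union netr_LogonLevel *logon;
+union netr_Validation validation;
+uint8_t authoritative;
+fstring clnt_name_slash;
+struct dcerpc_binding_handle *b = cli->binding_handle;
+uint32_t flags = 0;
+
+ZERO_STRUCT(ret_creds);
+
+logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonLevel);
+if (!logon) {
+return NT_STATUS_NO_MEMORY;
+}
+
+if (workstation) {
+fstr_sprintf( clnt_name_slash, "\\\\%s", workstation );
+} else {
+fstr_sprintf( clnt_name_slash, "\\\\%s", global_myname() );
+}
+
+/* Initialise input parameters */
+
+switch (logon_type) {
+case NetlogonInteractiveInformation: {
+
+struct netr_PasswordInfo *password_info;
+
+struct samr_Password lmpassword;
+struct samr_Password ntpassword;
+
+password_info = TALLOC_ZERO_P(mem_ctx, struct netr_PasswordInfo);
+if (!password_info) {
+return NT_STATUS_NO_MEMORY;
+}
+
+nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
+
+if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+netlogon_creds_arcfour_crypt(cli->dc, lmpassword.hash, 16);
+netlogon_creds_arcfour_crypt(cli->dc, ntpassword.hash, 16);
+} else {
+netlogon_creds_des_encrypt(cli->dc, &lmpassword);
+netlogon_creds_des_encrypt(cli->dc, &ntpassword);
+}
+
+password_info->identity_info.domain_name.string = domain;
+password_info->identity_info.parameter_control = logon_parameters;
+password_info->identity_info.logon_id_low = 0xdead;
+password_info->identity_info.logon_id_high = 0xbeef;
+password_info->identity_info.account_name.string = username;
+password_info->identity_info.workstation.string = clnt_name_slash;
+
+password_info->lmpassword = lmpassword;
+password_info->ntpassword = ntpassword;
+
+logon->password = password_info;
+
+break;
+}
+case NetlogonNetworkInformation: {
+struct netr_NetworkInfo *network_info;
+uint8 chal[8];
+unsigned char local_lm_response[24];
+unsigned char local_nt_response[24];
+struct netr_ChallengeResponse lm;
+struct netr_ChallengeResponse nt;
+
+ZERO_STRUCT(lm);
+ZERO_STRUCT(nt);
+
+network_info = TALLOC_ZERO_P(mem_ctx, struct netr_NetworkInfo);
+if (!network_info) {
+return NT_STATUS_NO_MEMORY;
+}
+
+generate_random_buffer(chal, 8);
+
+SMBencrypt(password, chal, local_lm_response);
+SMBNTencrypt(password, chal, local_nt_response);
+
+lm.length = 24;
+lm.data = local_lm_response;
+
+nt.length = 24;
+nt.data = local_nt_response;
+
+network_info->identity_info.domain_name.string = domain;
+network_info->identity_info.parameter_control = logon_parameters;
+network_info->identity_info.logon_id_low = 0xdead;
+network_info->identity_info.logon_id_high = 0xbeef;
+network_info->identity_info.account_name.string = username;
+network_info->identity_info.workstation.string = clnt_name_slash;
+
+memcpy(network_info->challenge, chal, 8);
+network_info->nt = nt;
+network_info->lm = lm;
+
+logon->network = network_info;
+
+break;
+}
+default:
+DEBUG(0, ("switch value %d not supported\n",
+logon_type));
+return NT_STATUS_INVALID_INFO_CLASS;
+}
+
+status = dcerpc_netr_LogonSamLogonEx(b, mem_ctx,
+cli->srv_name_slash,
+global_myname(),
+logon_type,
+logon,
+validation_level,
+&validation,
+&authoritative,
+&flags,
+&result);
+if (!NT_STATUS_IS_OK(status)) {
+return status;
+}
+
+if (!NT_STATUS_IS_OK(result)) {
+return result;
+}
+
+netlogon_creds_decrypt_samlogon(cli->dc, validation_level, &validation);
+
+result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
+if (!NT_STATUS_IS_OK(result)) {
+return result;
+}
+
+return result;
+}
+
+
 /**
 * Logon domain user with an 'network' SAM logon
 *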
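Review bot: `rpccli_netlogon_sam_logon_ex` sends the session-key-encrypted password hashes through NetrLogonSamLogonEx, which carries no authenticator and is therefore only permitted by MS-NRPC over a secure channel with RPC privacy, yet nothing in the function checks the pipe's auth level before the call; a DC will reject an unsealed call, so fail early and clearly with something like `if (cli->auth == NULL || cli->auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { return NT_STATUS_ACCESS_DENIED; }` (adapt the field access to how this file reaches the pipe's auth data), and say in the header comment that the function requires a sealed schannel binding. In the interactive case `lmpassword`/`ntpassword` still hold the password-derived OWF hashes on the stack after they are copied into `password_info`; mirroring the file's `ZERO_STRUCT(ret_creds)` idiom with `ZERO_STRUCT(lmpassword); ZERO_STRUCT(ntpassword);` after the two assignments shortens how long that material survives (the same applies to `local_lm_response`/`local_nt_response` after the RPC returns). The header comment `/* Logon domain user */` duplicates the one on `rpccli_netlogon_sam_logon`; it should state what distinguishes this entry point, e.g. `/* Logon domain user via NetrLogonSamLogonEx (no credential chaining; requires a sealed schannel pipe) */`. The closing `if (!NT_STATUS_IS_OK(result)) { return result; } return result;` collapses to `return result;`.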
805 | diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h | |
806 | index 9c6cbc8..3763843 100644 | |
807 | --- a/source3/rpc_client/cli_netlogon.h | |
808 | +++ b/source3/rpc_client/cli_netlogon.h | |
809 | @@ -43,6 +43,16 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, | |
810 | uint16_t validation_level, | |
811 | int logon_type, | |
812 | struct netr_SamInfo3 **info3); | |
813 | +NTSTATUS rpccli_netlogon_sam_logon_ex(struct rpc_pipe_client *cli, | |
814 | + TALLOC_CTX *mem_ctx, | |
815 | + uint32 logon_parameters, | |
816 | + const char *domain, | |
817 | + const char *username, | |
818 | + const char *password, | |
819 | + const char *workstation, | |
820 | + uint16_t validation_level, | |
821 | + int logon_type, | |
822 | + struct netr_SamInfo3 **info3); | |
823 | NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, | |
824 | TALLOC_CTX *mem_ctx, | |
825 | uint32 logon_parameters, | |
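Review bot: The new rpccli_netlogon_sam_logon_ex prototype is added with no comment on its contract, and this header is where callers will look for it. I would put a short comment above it saying that the logon goes through LogonSamLogonEx, so the pipe's netlogon credential state in `cli->dc` must already be established (the implementation decrypts the validation data with it), that on success `*info3` appears to be allocated on `mem_ctx`, and that `validation_level` is limited to the levels the implementation's map_validation_to_info3 accepts. Minor style point: `uint32 logon_parameters` sits directly above `uint16_t validation_level`; the neighbouring prototypes use the same legacy `uint32` spelling, so either keep it for consistency or move all of them to `uint32_t` in one change rather than mixing the two in one signature.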
826 | commit f39f18e062207427ea436c85a7c721629a38bc0d | |
827 | Author: Günther Deschner <gd@samba.org> | |
828 | AuthorDate: Tue Jul 15 16:22:15 2014 +0200 | |
829 | Commit: Andreas Schneider <asn@samba.org> | |
830 | CommitDate: Tue Jul 15 16:25:04 2014 +0200 | |
831 | ||
832 | PATCHSET14 s3-winbindd: prefer to do a rpccli_netlogon_sam_logon_ex if we can. | |
833 | ||
834 | Guenther | |
835 | ||
836 | Signed-off-by: Günther Deschner <gd@samba.org> | |
837 | --- | |
838 | source3/winbindd/winbindd_pam.c | 36 +++++++++++++++++++++++++----------- | |
839 | 1 file changed, 25 insertions(+), 11 deletions(-) | |
840 | ||
841 | diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c | |
842 | index 86b352e..e838ac6 100644 | |
843 | --- a/source3/winbindd/winbindd_pam.c | |
844 | +++ b/source3/winbindd/winbindd_pam.c | |
845 | @@ -1272,17 +1272,31 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain, | |
846 | } | |
847 | ||
848 | if (interactive && username != NULL && password != NULL) { | |
849 | - result = rpccli_netlogon_sam_logon( | |
850 | - netlogon_pipe, | |
851 | - mem_ctx, | |
852 | - logon_parameters, | |
853 | - domainname, | |
854 | - username, | |
855 | - password, | |
856 | - workstation, | |
857 | - 3, /* FIXME */ | |
858 | - NetlogonInteractiveInformation, | |
859 | - info3); | |
860 | + if (domain->can_do_samlogon_ex && domain->can_do_validation6) { | |
861 | + result = rpccli_netlogon_sam_logon_ex( | |
862 | + netlogon_pipe, | |
863 | + mem_ctx, | |
864 | + logon_parameters, | |
865 | + domainname, | |
866 | + username, | |
867 | + password, | |
868 | + workstation, | |
869 | + 6, | |
870 | + NetlogonInteractiveInformation, | |
871 | + info3); | |
872 | + } else { | |
873 | + result = rpccli_netlogon_sam_logon( | |
874 | + netlogon_pipe, | |
875 | + mem_ctx, | |
876 | + logon_parameters, | |
877 | + domainname, | |
878 | + username, | |
879 | + password, | |
880 | + workstation, | |
881 | + domain->can_do_validation6 ? 6 : 3, | |
882 | + NetlogonInteractiveInformation, | |
883 | + info3); | |
884 | + } | |
885 | } else if (domain->can_do_samlogon_ex && domain->can_do_validation6) { | |
886 | result = rpccli_netlogon_sam_network_logon_ex( | |
887 | netlogon_pipe, | |
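Review bot: The new interactive branch commits to LogonSamLogonEx with validation level 6 whenever `can_do_samlogon_ex && can_do_validation6`, but nothing in this hunk degrades that choice if the DC rejects it; the loop's later error handling that presumably clears those flags sits outside the hunk, and I cannot see whether it covers the interactive path or only the network one. If it does not, an interactive logon against such a DC would fail on every retry instead of falling back to the older rpccli_netlogon_sam_logon call with level 3, so please confirm that path or extend it. Separately, the two branches repeat the same ten-argument call and differ only in callee and level; a one-line comment on the condition, e.g. `/* Prefer SamLogonEx with validation level 6; otherwise use the older call with level 6 or 3 as the DC allows. */`, would save the reader diffing them by eye. winbind_samlogon_retry_loop starts and ends outside this hunk.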
888 | From fa58aff691268b021ba4dde1eb580d0387b917e1 Mon Sep 17 00:00:00 2001 | |
889 | From: Andreas Schneider <asn@samba.org> | |
890 | Date: Wed, 20 Aug 2014 15:51:21 +0200 | |
891 | Subject: [PATCH] PATCHSET14: Reset netlogon pipe for interactive samlogon_ex. | |
892 | ||
893 | --- | |
894 | source3/winbindd/winbindd_pam.c | 12 ++++++++++++ | |
895 | 1 file changed, 12 insertions(+) | |
896 | ||
897 | diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c | |
898 | index e838ac6..5316232 100644 | |
899 | --- a/source3/winbindd/winbindd_pam.c | |
900 | +++ b/source3/winbindd/winbindd_pam.c | |
901 | @@ -1297,6 +1297,18 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain, | |
902 | NetlogonInteractiveInformation, | |
903 | info3); | |
904 | } | |
905 | + | |
906 | + if (NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) { | |
907 | + /* | |
908 | + * HACK: This is a 3.6 hack that we get a new | |
909 | + * session_key to do a successfuly interactive | |
910 | + * logon | |
911 | + */ | |
912 | + TALLOC_FREE(domain->conn.netlogon_pipe); | |
913 | + attempts += 1; | |
914 | + retry = true; | |
915 | + continue; | |
916 | + } | |
917 | } else if (domain->can_do_samlogon_ex && domain->can_do_validation6) { | |
918 | result = rpccli_netlogon_sam_network_logon_ex( | |
919 | netlogon_pipe, | |
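Review bot: The added WRONG_PASSWORD block retries the interactive logon unconditionally, so a genuinely wrong password now produces a second logon attempt on the DC after tearing down the netlogon pipe; that presumably counts twice against the account's bad-password/lockout policy and adds a reconnect per failed login, and because the block sits after the if/else it applies to the legacy rpccli_netlogon_sam_logon branch as well, not only the `_ex` path the subject names. Limit it to one reset per call and, if the session-key problem is specific to SamLogonEx, to that branch: declare `bool reset_pipe_once = false;` before the loop (outside this hunk) and change the condition to `if (NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD) && !reset_pipe_once) {` with `reset_pipe_once = true;` as its first statement. The comment also has a typo (`successfuly`) and should say what is being worked around rather than "3.6 hack", e.g. `/* Work around a stale netlogon session key: drop the pipe so the next attempt negotiates a fresh one, then retry once. */`. The bound on `attempts` and the `retry` handling are outside the hunk, so I cannot confirm how many extra attempts this permits.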
920 | -- | |
921 | 1.9.3 | |
922 |