1 commit 8a7159aa1b000593ffe89ca8d7477e6373764aaf
2 Author: Günther Deschner <gd@samba.org>
3 AuthorDate: Tue Jul 15 14:16:56 2014 +0200
4 Commit: Andreas Schneider <asn@samba.org>
5 CommitDate: Tue Jul 15 15:25:27 2014 +0200
7 PATCHSET14 s3-rpc_client: return info3 in rpccli_netlogon_password_logon().
11 Signed-off-by: Günther Deschner <gd@samba.org>
12 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
13 Reviewed-by: Andreas Schneider <asn@samba.org>
15 source3/rpc_client/cli_netlogon.c | 100 +++++++++++++++++++++-----------------
16 source3/rpc_client/cli_netlogon.h | 3 +-
17 source3/rpcclient/cmd_netlogon.c | 3 +-
18 3 files changed, 60 insertions(+), 46 deletions(-)
20 diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
21 index c69a933..9454226 100644
22 --- a/source3/rpc_client/cli_netlogon.c
23 +++ b/source3/rpc_client/cli_netlogon.c
24 @@ -153,6 +153,53 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
28 +static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
29 + uint16_t validation_level,
30 + union netr_Validation *validation,
31 + struct netr_SamInfo3 **info3_p)
33 + struct netr_SamInfo3 *info3;
36 + if (validation == NULL) {
37 + return NT_STATUS_INVALID_PARAMETER;
40 + switch (validation_level) {
42 + if (validation->sam3 == NULL) {
43 + return NT_STATUS_INVALID_PARAMETER;
46 + info3 = talloc_move(mem_ctx, &validation->sam3);
49 + if (validation->sam6 == NULL) {
50 + return NT_STATUS_INVALID_PARAMETER;
53 + info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
54 + if (info3 == NULL) {
55 + return NT_STATUS_NO_MEMORY;
57 + status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
58 + if (!NT_STATUS_IS_OK(status)) {
63 + info3->sidcount = validation->sam6->sidcount;
64 + info3->sids = talloc_move(info3, &validation->sam6->sids);
67 + return NT_STATUS_BAD_VALIDATION_CLASS;
72 + return NT_STATUS_OK;
75 /* Logon domain user */
77 NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
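Review bot: map_validation_to_info3() is missing a header comment saying that it takes ownership away from the caller's union. `talloc_move(mem_ctx, &validation->sam3)` and `talloc_move(info3, &validation->sam6->sids)` leave the source pointers NULL, so those fields of `validation` cannot be read after the call. The level 6 branch copies only `base`, `sidcount` and `sids` into the new netr_SamInfo3, and every error return visible here leaves `*info3_p` unwritten. I would add `/* Steals sam3 (level 3) or sam6->sids (level 6) from *validation; *info3_p is set only on NT_STATUS_OK. */` above the function. Several lines of the function are not shown on this page, so the cleanup after a failed copy_netr_SamBaseInfo() could not be checked.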
78 @@ -163,7 +210,8 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
80 const char *workstation,
81 uint16_t validation_level,
84 + struct netr_SamInfo3 **info3)
86 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
88 @@ -298,54 +346,18 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
89 return NT_STATUS_ACCESS_DENIED;
95 -static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
96 - uint16_t validation_level,
97 - union netr_Validation *validation,
98 - struct netr_SamInfo3 **info3_p)
100 - struct netr_SamInfo3 *info3;
103 - if (validation == NULL) {
104 - return NT_STATUS_INVALID_PARAMETER;
105 + if (!NT_STATUS_IS_OK(result)) {
109 - switch (validation_level) {
111 - if (validation->sam3 == NULL) {
112 - return NT_STATUS_INVALID_PARAMETER;
115 - info3 = talloc_move(mem_ctx, &validation->sam3);
118 - if (validation->sam6 == NULL) {
119 - return NT_STATUS_INVALID_PARAMETER;
122 - info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
123 - if (info3 == NULL) {
124 - return NT_STATUS_NO_MEMORY;
126 - status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
127 - if (!NT_STATUS_IS_OK(status)) {
128 - TALLOC_FREE(info3);
131 + netlogon_creds_decrypt_samlogon(cli->dc, validation_level, &validation);
133 - info3->sidcount = validation->sam6->sidcount;
134 - info3->sids = talloc_move(info3, &validation->sam6->sids);
137 - return NT_STATUS_BAD_VALIDATION_CLASS;
138 + result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
139 + if (!NT_STATUS_IS_OK(result)) {
145 - return NT_STATUS_OK;
150 diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
151 index ad59d5b..9c6cbc8 100644
152 --- a/source3/rpc_client/cli_netlogon.h
153 +++ b/source3/rpc_client/cli_netlogon.h
154 @@ -41,7 +41,8 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
155 const char *password,
156 const char *workstation,
157 uint16_t validation_level,
160 + struct netr_SamInfo3 **info3);
161 NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
163 uint32 logon_parameters,
164 diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
165 index 63057ac..e285145 100644
166 --- a/source3/rpcclient/cmd_netlogon.c
167 +++ b/source3/rpcclient/cmd_netlogon.c
168 @@ -724,6 +724,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
169 uint16_t validation_level = 3;
170 uint32 logon_param = 0;
171 const char *workstation = NULL;
172 + struct netr_SamInfo3 *info3 = NULL;
174 /* Check arguments */
176 @@ -750,7 +751,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
178 /* Perform the sam logon */
180 - result = rpccli_netlogon_sam_logon(cli, mem_ctx, logon_param, lp_workgroup(), username, password, workstation, validation_level, logon_type);
181 + result = rpccli_netlogon_sam_logon(cli, mem_ctx, logon_param, lp_workgroup(), username, password, workstation, validation_level, logon_type, &info3);
183 if (!NT_STATUS_IS_OK(result))
185 commit 53c404ade6d660c449a9dddb56aa80dc6d5ea920
186 Author: Günther Deschner <gd@samba.org>
187 AuthorDate: Tue Jul 15 14:25:19 2014 +0200
188 Commit: Andreas Schneider <asn@samba.org>
189 CommitDate: Tue Jul 15 15:25:29 2014 +0200
191 PATCHSET14 s3-winbindd: call interactive samlogon via rpccli_netlogon_password_logon.
195 Signed-off-by: Guenther Deschner <gd@samba.org>
196 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
197 Reviewed-by: Andreas Schneider <asn@samba.org>
199 source3/winbindd/winbindd_pam.c | 20 +++++++++++++++++++-
200 1 file changed, 19 insertions(+), 1 deletion(-)
202 diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
203 index 125e393..2b31d54 100644
204 --- a/source3/winbindd/winbindd_pam.c
205 +++ b/source3/winbindd/winbindd_pam.c
206 @@ -1152,11 +1152,13 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
207 uint32_t logon_parameters,
209 const char *username,
210 + const char *password,
211 const char *domainname,
212 const char *workstation,
213 const uint8_t chal[8],
214 DATA_BLOB lm_response,
215 DATA_BLOB nt_response,
217 struct netr_SamInfo3 **info3)
220 @@ -1269,7 +1271,19 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
221 domain->can_do_validation6 = false;
224 - if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
225 + if (interactive && username != NULL && password != NULL) {
226 + result = rpccli_netlogon_sam_logon(
235 + NetlogonInteractiveInformation,
237 + } else if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
238 result = rpccli_netlogon_sam_network_logon_ex(
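Review bot: An interactive request with a NULL `username` or `password` falls through silently to the network-logon branches, because the new condition is `interactive && username != NULL && password != NULL`. It is then authenticated from `lm_response`/`nt_response` instead, and nothing in the visible lines records that the logon type was downgraded. If that fallback is intended, say so in the code, for example `/* interactive without a cleartext password: fall back to challenge/response */`, and consider a DEBUG line so it is visible when troubleshooting. The body of winbind_samlogon_retry_loop() starts and ends outside this hunk, so the way callers populate the responses could not be checked here.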
241 @@ -1453,11 +1467,13 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
253 if (!NT_STATUS_IS_OK(result)) {
255 @@ -1874,12 +1890,14 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
256 state->request->data.auth_crap.logon_parameters,
259 + NULL, /* password */
261 /* Bug #3248 - found by Stefan Burkei. */
262 workstation, /* We carefully set this above so use it... */
263 state->request->data.auth_crap.chal,
266 + false, /* interactive */
268 if (!NT_STATUS_IS_OK(result)) {
270 commit f73d1b92b78c4c3f23f411807273e3d09d39c10a
271 Author: Günther Deschner <gd@samba.org>
272 AuthorDate: Mon Jul 7 17:14:37 2014 +0200
273 Commit: Andreas Schneider <asn@samba.org>
274 CommitDate: Tue Jul 15 15:25:30 2014 +0200
276 PATCHSET14 s3-winbindd: add wcache_query_user_fullname().
278 This helper function is used to query the full name of a cached user object (for
279 further gecos processing).
281 Thanks to Matt Rogers <mrogers@redhat.com>.
283 BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
287 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
288 Signed-off-by: Günther Deschner <gd@samba.org>
289 Reviewed-by: Andreas Schneider <asn@samba.org>
291 source3/winbindd/winbindd_cache.c | 34 ++++++++++++++++++++++++++++++++++
292 source3/winbindd/winbindd_proto.h | 4 ++++
293 2 files changed, 38 insertions(+)
295 diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
296 index 0a65953..82c8087 100644
297 --- a/source3/winbindd/winbindd_cache.c
298 +++ b/source3/winbindd/winbindd_cache.c
299 @@ -2282,6 +2282,40 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
305 +* @brief Query a fullname from the username cache (for further gecos processing)
307 +* @param domain A pointer to the winbindd_domain struct.
308 +* @param mem_ctx The talloc context.
309 +* @param user_sid The user sid.
310 +* @param full_name A pointer to the full_name string.
312 +* @return NTSTATUS code
314 +NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
315 + TALLOC_CTX *mem_ctx,
316 + const struct dom_sid *user_sid,
317 + const char **full_name)
320 + struct wbint_userinfo info;
322 + status = wcache_query_user(domain, mem_ctx, user_sid, &info);
323 + if (!NT_STATUS_IS_OK(status)) {
327 + if (info.full_name != NULL) {
328 + *full_name = talloc_strdup(mem_ctx, info.full_name);
329 + if (*full_name == NULL) {
330 + return NT_STATUS_NO_MEMORY;
334 + return NT_STATUS_OK;
337 /* Lookup user information from a rid */
338 static NTSTATUS query_user(struct winbindd_domain *domain,
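Review bot: wcache_query_user_fullname() returns NT_STATUS_OK without writing `*full_name` when the cached entry has no full name, and the doc comment does not say so. A caller that passes an uninitialised pointer and checks only the status would read garbage. The `@param full_name` line should state the contract, for example `@param full_name Set to a copy on mem_ctx when a cached name exists; left unchanged otherwise.` Separately, `wcache_query_user(domain, mem_ctx, user_sid, &info)` fills the whole `info` struct in order to copy one string. Whatever else it allocates presumably stays on `mem_ctx` until the caller frees that context; confirm against wcache_query_user().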
340 diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
341 index 82176b2..585853e 100644
342 --- a/source3/winbindd/winbindd_proto.h
343 +++ b/source3/winbindd/winbindd_proto.h
344 @@ -103,6 +103,10 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
346 const struct dom_sid *user_sid,
347 struct wbint_userinfo *info);
348 +NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
349 + TALLOC_CTX *mem_ctx,
350 + const struct dom_sid *user_sid,
351 + const char **full_name);
352 NTSTATUS wcache_lookup_useraliases(struct winbindd_domain *domain,
354 uint32 num_sids, const struct dom_sid *sids,
355 commit d4d04c269ade1e96f84b71e60a1c6c322eec5514
356 Author: Günther Deschner <gd@samba.org>
357 AuthorDate: Mon Jul 7 17:16:32 2014 +0200
358 Commit: Andreas Schneider <asn@samba.org>
359 CommitDate: Tue Jul 15 15:25:31 2014 +0200
361 PATCHSET14 s3-winbindd: use wcache_query_user_fullname after inspecting samlogon cache.
363 The reason for this followup query is that very often the samlogon cache only
364 contains an info3 netlogon user structure that has been retrieved during a
365 netlogon samlogon authentication using "network" logon level. With that logon
366 level only a few info3 fields are filled in; the user's fullname is never filled
367 in that case. This is problematic when the cache is used to fill in the user's
368 gecos field (for NSS queries). When we have retrieved the user's fullname during
369 other queries, reuse it from the other caches.
371 Thanks to Matt Rogers <mrogers@redhat.com>.
373 BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
377 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
378 Signed-off-by: Guenther Deschner <gd@samba.org>
379 Reviewed-by: Andreas Schneider <asn@samba.org>
381 source3/winbindd/winbindd_ads.c | 8 ++++++++
382 source3/winbindd/winbindd_msrpc.c | 8 ++++++++
383 source3/winbindd/winbindd_pam.c | 41 +++++++++++++++++++++++++++++++++++++++
384 3 files changed, 57 insertions(+)
386 diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
387 index 3099ff0..7d960fc 100644
388 --- a/source3/winbindd/winbindd_ads.c
389 +++ b/source3/winbindd/winbindd_ads.c
390 @@ -515,6 +515,14 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
394 + if (info->full_name == NULL) {
395 + /* this might fail so we dont check the return code */
396 + wcache_query_user_fullname(domain,
405 diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
406 index b426884..eae822c 100644
407 --- a/source3/winbindd/winbindd_msrpc.c
408 +++ b/source3/winbindd/winbindd_msrpc.c
409 @@ -439,6 +439,14 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
410 user_info->full_name = talloc_strdup(user_info,
411 user->base.full_name.string);
413 + if (user_info->full_name == NULL) {
414 + /* this might fail so we dont check the return code */
415 + wcache_query_user_fullname(domain,
418 + &user_info->full_name);
421 status = NT_STATUS_OK;
424 diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
425 index 2b31d54..86b352e 100644
426 --- a/source3/winbindd/winbindd_pam.c
427 +++ b/source3/winbindd/winbindd_pam.c
428 @@ -1739,6 +1739,26 @@ process_result:
429 sid_compose(&user_sid, info3->base.domain_sid,
432 + if (info3->base.full_name.string == NULL) {
433 + struct netr_SamInfo3 *cached_info3;
435 + cached_info3 = netsamlogon_cache_get(state->mem_ctx,
437 + if (cached_info3 != NULL &&
438 + cached_info3->base.full_name.string != NULL) {
439 + info3->base.full_name.string =
440 + talloc_strdup(info3,
441 + cached_info3->base.full_name.string);
444 + /* this might fail so we dont check the return code */
445 + wcache_query_user_fullname(domain,
448 + &info3->base.full_name.string);
452 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
454 netsamlogon_cache_store(name_user, info3);
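Review bot: The full-name fallback block added here is repeated verbatim in the second `process_result` hunk (`@@ -1910,6 +1930,27 @@`); a static helper would keep the two from drifting apart. In both copies the `talloc_strdup(info3, ...)` result is not checked, and `cached_info3` is allocated on `state->mem_ctx` with no free in the visible lines, so it lives as long as that context. Some lines of the block are missing from this page, so the exact branch structure is inferred. The sketch below also tries the user cache when the copy fails and releases the cached struct once the name has been copied.

```c
/* Fill info3->base.full_name from the samlogon cache, then from the user cache. */
static void fill_in_full_name(struct winbindd_domain *domain,
			      TALLOC_CTX *mem_ctx,
			      const struct dom_sid *user_sid,
			      struct netr_SamInfo3 *info3)
{
	struct netr_SamInfo3 *cached_info3;

	if (info3->base.full_name.string != NULL) {
		return;
	}

	cached_info3 = netsamlogon_cache_get(mem_ctx, user_sid);
	if (cached_info3 != NULL &&
	    cached_info3->base.full_name.string != NULL) {
		info3->base.full_name.string =
			talloc_strdup(info3,
				      cached_info3->base.full_name.string);
	}
	TALLOC_FREE(cached_info3);

	if (info3->base.full_name.string == NULL) {
		/* best effort: the field stays NULL if the user cache has no name */
		wcache_query_user_fullname(domain, mem_ctx, user_sid,
					   &info3->base.full_name.string);
	}
}
```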
455 @@ -1910,6 +1930,27 @@ process_result:
457 sid_compose(&user_sid, info3->base.domain_sid,
460 + if (info3->base.full_name.string == NULL) {
461 + struct netr_SamInfo3 *cached_info3;
463 + cached_info3 = netsamlogon_cache_get(state->mem_ctx,
465 + if (cached_info3 != NULL &&
466 + cached_info3->base.full_name.string != NULL) {
467 + info3->base.full_name.string =
468 + talloc_strdup(info3,
469 + cached_info3->base.full_name.string);
472 + /* this might fail so we dont check the return code */
473 + wcache_query_user_fullname(domain,
476 + &info3->base.full_name.string);
480 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
482 netsamlogon_cache_store(name_user, info3);
483 commit 7a38729ac2b93d0bd8c2450821cfcedff6fa3f53
484 Author: Günther Deschner <gd@samba.org>
485 AuthorDate: Wed Jul 9 13:36:06 2014 +0200
486 Commit: Andreas Schneider <asn@samba.org>
487 CommitDate: Tue Jul 15 15:25:32 2014 +0200
489 PATCHSET14 samlogon_cache: use a talloc_stackframe inside netsamlogon_cache_store.
493 Signed-off-by: Günther Deschner <gd@samba.org>
494 Reviewed-by: Andreas Schneider <asn@samba.org>
496 source3/libsmb/samlogon_cache.c | 13 ++++---------
497 1 file changed, 4 insertions(+), 9 deletions(-)
499 diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
500 index 590c950..4281965 100644
501 --- a/source3/libsmb/samlogon_cache.c
502 +++ b/source3/libsmb/samlogon_cache.c
503 @@ -132,7 +132,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
505 struct dom_sid user_sid;
506 time_t t = time(NULL);
507 - TALLOC_CTX *mem_ctx;
508 + TALLOC_CTX *tmp_ctx = talloc_stackframe();
510 enum ndr_err_code ndr_err;
511 struct netsamlogoncache_entry r;
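Review bot: `tmp_ctx = talloc_stackframe()` is now created at the declaration, so any return between there and the old allocation site leaks the frame. The old `TALLOC_P` call sat further down (removed in the `@@ -156,11 +156,6 @@` hunk), and only the two later exits in the `-175` and `-190` hunks gained `TALLOC_FREE(tmp_ctx)`. The early argument and cache-init checks are not visible in this hunk, so please confirm each of them frees the frame. Alternatively, keep the declaration as `TALLOC_CTX *tmp_ctx = NULL;` and call `tmp_ctx = talloc_stackframe();` after those checks. netsamlogon_cache_store() starts and ends outside the hunk.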
512 @@ -156,11 +156,6 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
516 - if (!(mem_ctx = TALLOC_P( NULL, int))) {
517 - DEBUG(0,("netsamlogon_cache_store: talloc() failed!\n"));
521 /* only Samba fills in the username, not sure why NT doesn't */
522 /* so we fill it in since winbindd_getpwnam() makes use of it */
524 @@ -175,11 +170,11 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
525 NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
528 - ndr_err = ndr_push_struct_blob(&blob, mem_ctx, &r,
529 + ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, &r,
530 (ndr_push_flags_fn_t)ndr_push_netsamlogoncache_entry);
531 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
532 DEBUG(0,("netsamlogon_cache_store: failed to push entry to cache\n"));
533 - TALLOC_FREE(mem_ctx);
534 + TALLOC_FREE(tmp_ctx);
538 @@ -190,7 +185,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
542 - TALLOC_FREE(mem_ctx);
543 + TALLOC_FREE(tmp_ctx);
547 commit f89b793bd672a66f5e75ade33467f6621545f0d4
548 Author: Andreas Schneider <asn@samba.org>
549 AuthorDate: Thu Jul 3 16:17:46 2014 +0200
550 Commit: Andreas Schneider <asn@samba.org>
551 CommitDate: Tue Jul 15 15:25:32 2014 +0200
553 PATCHSET14 samlogon_cache: avoid overwriting info3->base.full_name.string.
555 This field serves as a source for the gecos field. We should not overwrite it
556 when an info3 struct from a samlogon network level gets saved, in which case this
557 field is always NULL.
559 BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
561 Signed-off-by: Andreas Schneider <asn@samba.org>
562 Reviewed-by: Guenther Deschner <gd@samba.org>
564 source3/libsmb/samlogon_cache.c | 14 ++++++++++++++
565 1 file changed, 14 insertions(+)
567 diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
568 index 4281965..8a3dbd2 100644
569 --- a/source3/libsmb/samlogon_cache.c
570 +++ b/source3/libsmb/samlogon_cache.c
571 @@ -156,6 +156,20 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
575 + if (info3->base.full_name.string == NULL) {
576 + struct netr_SamInfo3 *cached_info3;
577 + const char *full_name = NULL;
579 + cached_info3 = netsamlogon_cache_get(tmp_ctx, &user_sid);
580 + if (cached_info3 != NULL) {
581 + full_name = cached_info3->base.full_name.string;
584 + if (full_name != NULL) {
585 + info3->base.full_name.string = talloc_strdup(info3, full_name);
589 /* only Samba fills in the username, not sure why NT doesn't */
590 /* so we fill it in since winbindd_getpwnam() makes use of it */
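Review bot: The result of `talloc_strdup(info3, full_name)` is not checked in the visible lines. On allocation failure the entry is stored with a NULL full name and overwrites the cached one, which is the case this commit sets out to avoid. A guard such as `if (info3->base.full_name.string == NULL) { TALLOC_FREE(tmp_ctx); return false; }` right after the copy would keep the old cache entry intact. The store function now also modifies the caller's `info3` as a side effect, which deserves a sentence in the function's comment. The enclosing function starts and ends outside the hunk.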
592 commit 8fcaeecf174a1c9088c84f271e2859f75e9a5101
593 Author: Andreas Schneider <asn@samba.org>
594 AuthorDate: Thu Jul 3 16:19:42 2014 +0200
595 Commit: Andreas Schneider <asn@samba.org>
596 CommitDate: Tue Jul 15 15:25:33 2014 +0200
598 PATCHSET14 s3-winbind: Don't set the gecos field to NULL.
600 The value is loaded from the cache anyway. So it will be set to NULL if
603 BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
605 Signed-off-by: Andreas Schneider <asn@samba.org>
606 Reviewed-by: Guenther Deschner <gd@samba.org>
608 source3/winbindd/nss_info_template.c | 1 -
609 1 file changed, 1 deletion(-)
611 diff --git a/source3/winbindd/nss_info_template.c b/source3/winbindd/nss_info_template.c
612 index 5fdfd9b..de93803 100644
613 --- a/source3/winbindd/nss_info_template.c
614 +++ b/source3/winbindd/nss_info_template.c
615 @@ -48,7 +48,6 @@ static NTSTATUS nss_template_get_info( struct nss_domain_entry *e,
617 *homedir = talloc_strdup( ctx, lp_template_homedir() );
618 *shell = talloc_strdup( ctx, lp_template_shell() );
621 if ( !*homedir || !*shell ) {
622 return NT_STATUS_NO_MEMORY;
623 commit d32503872aec4fca41056b2d9d9bbb6b15ce9701
624 Author: Günther Deschner <gd@samba.org>
625 AuthorDate: Tue Jul 15 16:21:08 2014 +0200
626 Commit: Andreas Schneider <asn@samba.org>
627 CommitDate: Tue Jul 15 16:24:59 2014 +0200
629 PATCHSET14 s3-rpc_client: add rpccli_netlogon_sam_logon_ex().
631 This function deals with interactive samlogon and does a dcerpc_netr_SamLogonEx
632 call (w/o credential chaining).
636 Signed-off-by: Günther Deschner <gd@samba.org>
638 source3/rpc_client/cli_netlogon.c | 152 ++++++++++++++++++++++++++++++++++++++
639 source3/rpc_client/cli_netlogon.h | 10 +++
640 2 files changed, 162 insertions(+)
642 diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
643 index 9454226..0290944 100644
644 --- a/source3/rpc_client/cli_netlogon.c
645 +++ b/source3/rpc_client/cli_netlogon.c
646 @@ -360,6 +360,158 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
650 +/* Logon domain user */
652 +NTSTATUS rpccli_netlogon_sam_logon_ex(struct rpc_pipe_client *cli,
653 + TALLOC_CTX *mem_ctx,
654 + uint32 logon_parameters,
655 + const char *domain,
656 + const char *username,
657 + const char *password,
658 + const char *workstation,
659 + uint16_t validation_level,
661 + struct netr_SamInfo3 **info3)
663 + NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
665 + struct netr_Authenticator ret_creds;
666 + union netr_LogonLevel *logon;
667 + union netr_Validation validation;
668 + uint8_t authoritative;
669 + fstring clnt_name_slash;
670 + struct dcerpc_binding_handle *b = cli->binding_handle;
671 + uint32_t flags = 0;
673 + ZERO_STRUCT(ret_creds);
675 + logon = TALLOC_ZERO_P(mem_ctx, union netr_LogonLevel);
677 + return NT_STATUS_NO_MEMORY;
681 + fstr_sprintf( clnt_name_slash, "\\\\%s", workstation );
683 + fstr_sprintf( clnt_name_slash, "\\\\%s", global_myname() );
686 + /* Initialise input parameters */
688 + switch (logon_type) {
689 + case NetlogonInteractiveInformation: {
691 + struct netr_PasswordInfo *password_info;
693 + struct samr_Password lmpassword;
694 + struct samr_Password ntpassword;
696 + password_info = TALLOC_ZERO_P(mem_ctx, struct netr_PasswordInfo);
697 + if (!password_info) {
698 + return NT_STATUS_NO_MEMORY;
701 + nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
703 + if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
704 + netlogon_creds_arcfour_crypt(cli->dc, lmpassword.hash, 16);
705 + netlogon_creds_arcfour_crypt(cli->dc, ntpassword.hash, 16);
707 + netlogon_creds_des_encrypt(cli->dc, &lmpassword);
708 + netlogon_creds_des_encrypt(cli->dc, &ntpassword);
711 + password_info->identity_info.domain_name.string = domain;
712 + password_info->identity_info.parameter_control = logon_parameters;
713 + password_info->identity_info.logon_id_low = 0xdead;
714 + password_info->identity_info.logon_id_high = 0xbeef;
715 + password_info->identity_info.account_name.string = username;
716 + password_info->identity_info.workstation.string = clnt_name_slash;
718 + password_info->lmpassword = lmpassword;
719 + password_info->ntpassword = ntpassword;
721 + logon->password = password_info;
725 + case NetlogonNetworkInformation: {
726 + struct netr_NetworkInfo *network_info;
728 + unsigned char local_lm_response[24];
729 + unsigned char local_nt_response[24];
730 + struct netr_ChallengeResponse lm;
731 + struct netr_ChallengeResponse nt;
736 + network_info = TALLOC_ZERO_P(mem_ctx, struct netr_NetworkInfo);
737 + if (!network_info) {
738 + return NT_STATUS_NO_MEMORY;
741 + generate_random_buffer(chal, 8);
743 + SMBencrypt(password, chal, local_lm_response);
744 + SMBNTencrypt(password, chal, local_nt_response);
747 + lm.data = local_lm_response;
750 + nt.data = local_nt_response;
752 + network_info->identity_info.domain_name.string = domain;
753 + network_info->identity_info.parameter_control = logon_parameters;
754 + network_info->identity_info.logon_id_low = 0xdead;
755 + network_info->identity_info.logon_id_high = 0xbeef;
756 + network_info->identity_info.account_name.string = username;
757 + network_info->identity_info.workstation.string = clnt_name_slash;
759 + memcpy(network_info->challenge, chal, 8);
760 + network_info->nt = nt;
761 + network_info->lm = lm;
763 + logon->network = network_info;
768 + DEBUG(0, ("switch value %d not supported\n",
770 + return NT_STATUS_INVALID_INFO_CLASS;
773 + status = dcerpc_netr_LogonSamLogonEx(b, mem_ctx,
774 + cli->srv_name_slash,
783 + if (!NT_STATUS_IS_OK(status)) {
787 + if (!NT_STATUS_IS_OK(result)) {
791 + netlogon_creds_decrypt_samlogon(cli->dc, validation_level, &validation);
793 + result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
794 + if (!NT_STATUS_IS_OK(result)) {
803 * Logon domain user with an 'network' SAM logon
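Review bot: Nothing in the visible lines clears the password-derived material that rpccli_netlogon_sam_logon_ex() builds. `nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash)` fills two stack locals, their session-key-wrapped copies in `password_info` stay on the caller's `mem_ctx`, and `local_lm_response`/`local_nt_response` are handled the same way in the network case. I would build `logon` and its children on a temporary talloc frame that is freed before every return, and add `ZERO_STRUCT(lmpassword); ZERO_STRUCT(ntpassword);` once they have been copied into `password_info`. The commit message says the call runs without credential chaining, so the function should also document its transport precondition, for example `/* cli must be a schannel-protected netlogon pipe; SamLogonEx carries no authenticator */`. Parts of the function, including the full dcerpc_netr_LogonSamLogonEx() argument list, are not shown on this page.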
805 diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
806 index 9c6cbc8..3763843 100644
807 --- a/source3/rpc_client/cli_netlogon.h
808 +++ b/source3/rpc_client/cli_netlogon.h
809 @@ -43,6 +43,16 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
810 uint16_t validation_level,
812 struct netr_SamInfo3 **info3);
813 +NTSTATUS rpccli_netlogon_sam_logon_ex(struct rpc_pipe_client *cli,
814 + TALLOC_CTX *mem_ctx,
815 + uint32 logon_parameters,
816 + const char *domain,
817 + const char *username,
818 + const char *password,
819 + const char *workstation,
820 + uint16_t validation_level,
822 + struct netr_SamInfo3 **info3);
823 NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
825 uint32 logon_parameters,
826 commit f39f18e062207427ea436c85a7c721629a38bc0d
827 Author: Günther Deschner <gd@samba.org>
828 AuthorDate: Tue Jul 15 16:22:15 2014 +0200
829 Commit: Andreas Schneider <asn@samba.org>
830 CommitDate: Tue Jul 15 16:25:04 2014 +0200
832 PATCHSET14 s3-winbindd: prefer to do a rpccli_netlogon_sam_logon_ex if we can.
836 Signed-off-by: Günther Deschner <gd@samba.org>
838 source3/winbindd/winbindd_pam.c | 36 +++++++++++++++++++++++++-----------
839 1 file changed, 25 insertions(+), 11 deletions(-)
841 diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
842 index 86b352e..e838ac6 100644
843 --- a/source3/winbindd/winbindd_pam.c
844 +++ b/source3/winbindd/winbindd_pam.c
845 @@ -1272,17 +1272,31 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
848 if (interactive && username != NULL && password != NULL) {
849 - result = rpccli_netlogon_sam_logon(
858 - NetlogonInteractiveInformation,
860 + if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
861 + result = rpccli_netlogon_sam_logon_ex(
870 + NetlogonInteractiveInformation,
873 + result = rpccli_netlogon_sam_logon(
881 + domain->can_do_validation6 ? 6 : 3,
882 + NetlogonInteractiveInformation,
885 } else if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
886 result = rpccli_netlogon_sam_network_logon_ex(
888 From fa58aff691268b021ba4dde1eb580d0387b917e1 Mon Sep 17 00:00:00 2001
889 From: Andreas Schneider <asn@samba.org>
890 Date: Wed, 20 Aug 2014 15:51:21 +0200
891 Subject: [PATCH] PATCHSET14: Reset netlogon pipe for interactive samlogon_ex.
894 source3/winbindd/winbindd_pam.c | 12 ++++++++++++
895 1 file changed, 12 insertions(+)
897 diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
898 index e838ac6..5316232 100644
899 --- a/source3/winbindd/winbindd_pam.c
900 +++ b/source3/winbindd/winbindd_pam.c
901 @@ -1297,6 +1297,18 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
902 NetlogonInteractiveInformation,
906 + if (NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
908 + * HACK: This is a 3.6 hack that we get a new
909 + * session_key to do a successfuly interactive
912 + TALLOC_FREE(domain->conn.netlogon_pipe);
917 } else if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
918 result = rpccli_netlogon_sam_network_logon_ex(
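Review bot: NT_STATUS_WRONG_PASSWORD is also the normal result when a user mistypes a password, so the new `if (NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD))` branch tears down `domain->conn.netlogon_pipe` on every failed interactive logon. If the lines not shown here retry the logon afterwards, each bad password is presented to the DC twice, which counts double against account-lockout thresholds. It also lets any client with a wrong password force a secure-channel re-establishment. I would limit the reset to one attempt per call and record it, for example with `DEBUG(3, ("resetting netlogon pipe after WRONG_PASSWORD on interactive samlogon_ex\n"));`. The comment should also state the lockout side effect. The rest of the branch and the retry loop are outside the visible hunk.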