From: Garming Sam <garming@catalyst.net.nz>
Date: Wed, 12 Apr 2017 02:12:32 +0000 (+1200)
Subject: winbindd: Do not run SAM auth stack in winbind SamLogon
X-Git-Tag: ldb-1.1.30~45
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2368f57b4d7bc26ba08273020d7281fab6f817c8;p=thirdparty%2Fsamba.git

winbindd: Do not run SAM auth stack in winbind SamLogon

pdbtest.s4winbind no longer is applicable without a live NETLOGON
connection.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/selftest/knownfail b/selftest/knownfail
index 3cc945b4a31..c6047c85445 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -244,6 +244,10 @@
 ^samba4.winbind.struct.lookup_name_sid\(ad_member:local\)
 ^samba4.winbind.struct.getdcname\(nt4_member:local\) # Works in other modes, just not against the classic/NT4 DC
 #
+# This test is no longer valid given s4winbind needs a live NETLOGON server
+#
+^samba.blackbox.pdbtest.s4winbind\(ad_dc_ntvfs\).pdbtest
+#
 # Differences in our KDC compared to windows
 #
 ^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally
diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index 02b1adb2117..8007c7d38d1 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -890,7 +890,9 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
 				       r->in.logon.network->identity_info.workstation.string,
 				       r->in.logon.network->challenge,
 				       lm_response, nt_response,
-				       &r->out.authoritative, &flags,
+				       &r->out.authoritative,
+				       true,
+				       &flags,
 				       &r->out.validation.sam3);
 	return status;
 }
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index c792cfe704f..4d3a7eeb1ba 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2003,6 +2003,7 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 			       DATA_BLOB lm_response,
 			       DATA_BLOB nt_response,
 			       uint8_t *authoritative,
+			       bool skip_sam,
 			       uint32_t *flags,
 			       struct netr_SamInfo3 **info3)
 {
@@ -2017,7 +2018,7 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 	 * name_domain can also be lp_realm()
 	 * we need to check against domain->name.
 	 */
-	if (strequal(domain->name, get_global_sam_name())) {
+	if (!skip_sam && strequal(domain->name, get_global_sam_name())) {
 		DATA_BLOB chal_blob = data_blob_const(
 			chal, 8);
 
@@ -2172,6 +2173,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 				       lm_resp,
 				       nt_resp,
 				       &authoritative,
+				       false,
 				       &flags,
 				       &info3);
 	if (!NT_STATUS_IS_OK(result)) {
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 57b363a7bd8..6d6fafcb72f 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -454,6 +454,7 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 			       DATA_BLOB lm_response,
 			       DATA_BLOB nt_response,
 			       uint8_t *authoritative,
+			       bool skip_sam,
 			       uint32_t *flags,
 			       struct netr_SamInfo3 **info3);