summaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-connectivity/samba
diff options
context:
space:
mode:
authorMartin Jansa <Martin.Jansa@gmail.com>2015-11-15 16:18:39 +0100
committerMartin Jansa <Martin.Jansa@gmail.com>2015-11-16 21:50:10 +0100
commit0e525daafe2958504674a9910bbed7c1b4d3fd38 (patch)
treeab265ec69054c64bc7c16a7b7bb55610531d5039 /meta-oe/recipes-connectivity/samba
parentdf552bed28c6ed983a94ebad4185bc9b2d04486f (diff)
downloadmeta-openembedded-0e525daafe2958504674a9910bbed7c1b4d3fd38.tar.gz
samba, ctdb, libldb, libtdb, libtevent, talloc: move to meta-networking
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-oe/recipes-connectivity/samba')
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/00-fix-typos-in-man-pages.patch108
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch1448
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch266
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch962
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch211
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch29894
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch97
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch42
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch44
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch35
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch180
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch329
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch159
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch988
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch51
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch154
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch52
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch22
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch22
-rw-r--r--meta-oe/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch42
-rwxr-xr-xmeta-oe/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch57
-rw-r--r--meta-oe/recipes-connectivity/samba/samba_4.1.12.bb182
22 files changed, 0 insertions, 35345 deletions
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/00-fix-typos-in-man-pages.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/00-fix-typos-in-man-pages.patch
deleted file mode 100644
index c94bc3185..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/00-fix-typos-in-man-pages.patch
+++ /dev/null
@@ -1,108 +0,0 @@
1From 1573638212a9733a44939a4d38a226f38dca36f1 Mon Sep 17 00:00:00 2001
2From: Michele Baldessari <michele@acksyn.org>
3Date: Tue, 9 Jul 2013 23:23:33 +0200
4Subject: [PATCH] Fix typos in man-pages
5
6Fix some typos in the man-pages.
7
8Signed-off-by: Michele Baldessari <michele@acksyn.org>
9Reviewed-by: Simo Sorce <idra@samba.org>
10
11Autobuild-User(master): Simo Sorce <idra@samba.org>
12Autobuild-Date(master): Wed Jul 10 16:45:07 CEST 2013 on sn-devel-104
13---
14 docs-xml/manpages/dbwrap_tool.1.xml | 2 +-
15 docs-xml/manpages/idmap_autorid.8.xml | 2 +-
16 docs-xml/manpages/net.8.xml | 2 +-
17 docs-xml/manpages/pdbedit.8.xml | 2 +-
18 docs-xml/manpages/samba.7.xml | 2 +-
19 docs-xml/manpages/smbclient.1.xml | 2 +-
20 docs-xml/manpages/smbpasswd.5.xml | 2 +-
21 docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml | 2 +-
22 8 files changed, 8 insertions(+), 8 deletions(-)
23
24Index: samba-4.1.11/docs-xml/manpages/smbstatus.1.xml
25===================================================================
26--- samba-4.1.11.orig/docs-xml/manpages/smbstatus.1.xml
27+++ samba-4.1.11/docs-xml/manpages/smbstatus.1.xml
28@@ -137,6 +137,13 @@
29 </listitem>
30 </varlistentry>
31
32+ <varlistentry>
33+ <term>-n|--numeric</term>
34+ <listitem><para>causes smbstatus to display numeric UIDs and GIDs instead of
35+ resolving them to names.</para>
36+ </listitem>
37+ </varlistentry>
38+
39 </variablelist>
40 </refsect1>
41
42Index: samba-4.1.11/docs-xml/manpages/sharesec.1.xml
43===================================================================
44--- samba-4.1.11.orig/docs-xml/manpages/sharesec.1.xml
45+++ samba-4.1.11/docs-xml/manpages/sharesec.1.xml
46@@ -129,6 +129,13 @@
47 </para></listitem>
48 </varlistentry>
49
50+ <varlistentry>
51+ <term>-S|--setsddl=STRING</term>
52+ <listitem><para>
53+ Set security descriptor by providing ACL in SDDL format.
54+ </para></listitem>
55+ </varlistentry>
56+
57 &stdarg.help;
58 &stdarg.server.debug;
59 &popt.common.samba;
60Index: samba-4.1.11/docs-xml/build/DTD/samba.entities
61===================================================================
62--- samba-4.1.11.orig/docs-xml/build/DTD/samba.entities
63+++ samba-4.1.11/docs-xml/build/DTD/samba.entities
64@@ -270,6 +270,44 @@ file.
65 &popt.common.samba;
66 '>
67
68+<!ENTITY stdarg.signing '
69+<varlistentry>
70+<term>-S|--signing on|off|required</term>
71+<listitem><para>Set the client signing state.
72+</para></listitem>
73+</varlistentry>
74+'>
75+
76+<!ENTITY stdarg.machinepass '
77+<varlistentry>
78+<term>-P|--machine-pass</term>
79+<listitem><para>Use stored machine account password.
80+</para></listitem>
81+</varlistentry>
82+'>
83+
84+<!ENTITY stdarg.encrypt '
85+<varlistentry>
86+<term>-e|--encrypt</term>
87+<listitem><para>
88+This command line parameter requires the remote
89+server support the UNIX extensions or that the SMB3 protocol has been selected.
90+Requests that the connection be encrypted. Negotiates SMB encryption using either
91+SMB3 or POSIX extensions via GSSAPI. Uses the given credentials for
92+the encryption negotiation (either kerberos or NTLMv1/v2 if given
93+domain/username/password triple. Fails the connection if encryption
94+cannot be negotiated.
95+</para></listitem>
96+</varlistentry>
97+'>
98+
99+<!ENTITY stdarg.pwnthash '
100+<varlistentry>
101+<term>--pw-nt-hash</term>
102+<listitem><para>The supplied password is the NT hash.
103+</para></listitem>
104+</varlistentry>
105+'>
106
107 <!ENTITY stdarg.resolve.order '
108 <varlistentry>
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
deleted file mode 100644
index 6c08cccc6..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/01-fix-force-user-sec-ads.patch
+++ /dev/null
@@ -1,1448 +0,0 @@
1From 80f3551d4f594438dcc93dd82a7953c4a913badd Mon Sep 17 00:00:00 2001
2From: Andreas Schneider <asn@samba.org>
3Date: Mon, 16 Dec 2013 12:57:20 +0100
4Subject: [PATCH 1/7] s3-lib: Add winbind_lookup_usersids().
5
6Pair-Programmed-With: Guenther Deschner <gd@samba.org>
7Signed-off-by: Guenther Deschner <gd@samba.org>
8Signed-off-by: Andreas Schneider <asn@samba.org>
9Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10
11(cherry picked from commit 241e98d8ee099f9cc5feb835085b4abd2b1ee663)
12---
13 source3/lib/winbind_util.c | 34 +++++
14 source3/lib/winbind_util.h | 4 +
15 source3/passdb/ABI/pdb-0.1.0.sigs | 311 ++++++++++++++++++++++++++++++++++++++
16 source3/wscript_build | 2 +-
17 4 files changed, 350 insertions(+), 1 deletion(-)
18 create mode 100644 source3/passdb/ABI/pdb-0.1.0.sigs
19
20diff --git a/source3/lib/winbind_util.c b/source3/lib/winbind_util.c
21index b458ebe..f62682b 100644
22--- a/source3/lib/winbind_util.c
23+++ b/source3/lib/winbind_util.c
24@@ -342,6 +342,40 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
25 return true;
26 }
27
28+bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
29+ const struct dom_sid *user_sid,
30+ uint32_t *p_num_sids,
31+ struct dom_sid **p_sids)
32+{
33+ wbcErr ret;
34+ struct wbcDomainSid dom_sid;
35+ struct wbcDomainSid *sid_list = NULL;
36+ uint32_t num_sids;
37+
38+ memcpy(&dom_sid, user_sid, sizeof(dom_sid));
39+
40+ ret = wbcLookupUserSids(&dom_sid,
41+ false,
42+ &num_sids,
43+ &sid_list);
44+ if (ret != WBC_ERR_SUCCESS) {
45+ return false;
46+ }
47+
48+ *p_sids = talloc_array(mem_ctx, struct dom_sid, num_sids);
49+ if (*p_sids == NULL) {
50+ wbcFreeMemory(sid_list);
51+ return false;
52+ }
53+
54+ memcpy(*p_sids, sid_list, sizeof(dom_sid) * num_sids);
55+
56+ *p_num_sids = num_sids;
57+ wbcFreeMemory(sid_list);
58+
59+ return true;
60+}
61+
62 #else /* WITH_WINBIND */
63
64 struct passwd * winbind_getpwnam(const char * name)
65diff --git a/source3/lib/winbind_util.h b/source3/lib/winbind_util.h
66index 541bb95..abbc5a9 100644
67--- a/source3/lib/winbind_util.h
68+++ b/source3/lib/winbind_util.h
69@@ -58,5 +58,9 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx,
70 size_t num_members,
71 uint32_t **pp_alias_rids,
72 size_t *p_num_alias_rids);
73+bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx,
74+ const struct dom_sid *user_sid,
75+ uint32_t *p_num_sids,
76+ struct dom_sid **p_sids);
77
78 #endif /* __LIB__WINBIND_UTIL_H__ */
79diff --git a/source3/passdb/ABI/pdb-0.1.0.sigs b/source3/passdb/ABI/pdb-0.1.0.sigs
80new file mode 100644
81index 0000000..f4de9c4
82--- /dev/null
83+++ b/source3/passdb/ABI/pdb-0.1.0.sigs
84@@ -0,0 +1,311 @@
85+PDB_secrets_clear_domain_protection: bool (const char *)
86+PDB_secrets_fetch_domain_guid: bool (const char *, struct GUID *)
87+PDB_secrets_fetch_domain_sid: bool (const char *, struct dom_sid *)
88+PDB_secrets_mark_domain_protected: bool (const char *)
89+PDB_secrets_store_domain_guid: bool (const char *, struct GUID *)
90+PDB_secrets_store_domain_sid: bool (const char *, const struct dom_sid *)
91+account_policy_get: bool (enum pdb_policy_type, uint32_t *)
92+account_policy_get_default: bool (enum pdb_policy_type, uint32_t *)
93+account_policy_get_desc: const char *(enum pdb_policy_type)
94+account_policy_name_to_typenum: enum pdb_policy_type (const char *)
95+account_policy_names_list: void (TALLOC_CTX *, const char ***, int *)
96+account_policy_set: bool (enum pdb_policy_type, uint32_t)
97+add_initial_entry: NTSTATUS (gid_t, const char *, enum lsa_SidType, const char *, const char *)
98+algorithmic_pdb_gid_to_group_rid: uint32_t (gid_t)
99+algorithmic_pdb_rid_is_user: bool (uint32_t)
100+algorithmic_pdb_uid_to_user_rid: uint32_t (uid_t)
101+algorithmic_pdb_user_rid_to_uid: uid_t (uint32_t)
102+algorithmic_rid_base: int (void)
103+builtin_domain_name: const char *(void)
104+cache_account_policy_get: bool (enum pdb_policy_type, uint32_t *)
105+cache_account_policy_set: bool (enum pdb_policy_type, uint32_t)
106+create_builtin_administrators: NTSTATUS (const struct dom_sid *)
107+create_builtin_users: NTSTATUS (const struct dom_sid *)
108+decode_account_policy_name: const char *(enum pdb_policy_type)
109+get_account_pol_db: struct db_context *(void)
110+get_account_policy_attr: const char *(enum pdb_policy_type)
111+get_domain_group_from_sid: bool (struct dom_sid, GROUP_MAP *)
112+get_primary_group_sid: NTSTATUS (TALLOC_CTX *, const char *, struct passwd **, struct dom_sid **)
113+get_privileges_for_sid_as_set: NTSTATUS (TALLOC_CTX *, PRIVILEGE_SET **, struct dom_sid *)
114+get_privileges_for_sids: bool (uint64_t *, struct dom_sid *, int)
115+get_trust_pw_clear: bool (const char *, char **, const char **, enum netr_SchannelType *)
116+get_trust_pw_hash: bool (const char *, uint8_t *, const char **, enum netr_SchannelType *)
117+gid_to_sid: void (struct dom_sid *, gid_t)
118+gid_to_unix_groups_sid: void (gid_t, struct dom_sid *)
119+grab_named_mutex: struct named_mutex *(TALLOC_CTX *, const char *, int)
120+grant_all_privileges: bool (const struct dom_sid *)
121+grant_privilege_by_name: bool (const struct dom_sid *, const char *)
122+grant_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *)
123+groupdb_tdb_init: const struct mapping_backend *(void)
124+init_account_policy: bool (void)
125+init_buffer_from_samu: uint32_t (uint8_t **, struct samu *, bool)
126+init_samu_from_buffer: bool (struct samu *, uint32_t, uint8_t *, uint32_t)
127+initialize_password_db: bool (bool, struct tevent_context *)
128+is_dc_trusted_domain_situation: bool (const char *)
129+is_privileged_sid: bool (const struct dom_sid *)
130+local_password_change: NTSTATUS (const char *, int, const char *, char **, char **)
131+login_cache_delentry: bool (const struct samu *)
132+login_cache_init: bool (void)
133+login_cache_read: bool (struct samu *, struct login_cache *)
134+login_cache_shutdown: bool (void)
135+login_cache_write: bool (const struct samu *, const struct login_cache *)
136+lookup_builtin_name: bool (const char *, uint32_t *)
137+lookup_builtin_rid: bool (TALLOC_CTX *, uint32_t, const char **)
138+lookup_global_sam_name: bool (const char *, int, uint32_t *, enum lsa_SidType *)
139+lookup_name: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *)
140+lookup_name_smbconf: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *)
141+lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *)
142+lookup_sids: NTSTATUS (TALLOC_CTX *, int, const struct dom_sid **, int, struct lsa_dom_info **, struct lsa_name_info **)
143+lookup_unix_group_name: bool (const char *, struct dom_sid *)
144+lookup_unix_user_name: bool (const char *, struct dom_sid *)
145+lookup_wellknown_name: bool (TALLOC_CTX *, const char *, struct dom_sid *, const char **)
146+lookup_wellknown_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **)
147+make_pdb_method: NTSTATUS (struct pdb_methods **)
148+make_pdb_method_name: NTSTATUS (struct pdb_methods **, const char *)
149+max_algorithmic_gid: gid_t (void)
150+max_algorithmic_uid: uid_t (void)
151+my_sam_name: const char *(void)
152+pdb_add_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *)
153+pdb_add_group_mapping_entry: NTSTATUS (GROUP_MAP *)
154+pdb_add_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t)
155+pdb_add_sam_account: NTSTATUS (struct samu *)
156+pdb_build_fields_present: uint32_t (struct samu *)
157+pdb_capabilities: uint32_t (void)
158+pdb_copy_sam_account: bool (struct samu *, struct samu *)
159+pdb_create_alias: NTSTATUS (const char *, uint32_t *)
160+pdb_create_builtin: NTSTATUS (uint32_t)
161+pdb_create_builtin_alias: NTSTATUS (uint32_t, gid_t)
162+pdb_create_dom_group: NTSTATUS (TALLOC_CTX *, const char *, uint32_t *)
163+pdb_create_user: NTSTATUS (TALLOC_CTX *, const char *, uint32_t, uint32_t *)
164+pdb_decode_acct_ctrl: uint32_t (const char *)
165+pdb_default_add_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *)
166+pdb_default_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
167+pdb_default_alias_memberships: NTSTATUS (struct pdb_methods *, TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
168+pdb_default_create_alias: NTSTATUS (struct pdb_methods *, const char *, uint32_t *)
169+pdb_default_del_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *)
170+pdb_default_delete_alias: NTSTATUS (struct pdb_methods *, const struct dom_sid *)
171+pdb_default_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid)
172+pdb_default_enum_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *)
173+pdb_default_enum_group_mapping: NTSTATUS (struct pdb_methods *, const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool)
174+pdb_default_get_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *)
175+pdb_default_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t)
176+pdb_default_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *)
177+pdb_default_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid)
178+pdb_default_set_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *)
179+pdb_default_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
180+pdb_del_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *)
181+pdb_del_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t)
182+pdb_del_trusted_domain: NTSTATUS (const char *)
183+pdb_del_trusteddom_pw: bool (const char *)
184+pdb_delete_alias: NTSTATUS (const struct dom_sid *)
185+pdb_delete_dom_group: NTSTATUS (TALLOC_CTX *, uint32_t)
186+pdb_delete_group_mapping_entry: NTSTATUS (struct dom_sid)
187+pdb_delete_sam_account: NTSTATUS (struct samu *)
188+pdb_delete_secret: NTSTATUS (const char *)
189+pdb_delete_user: NTSTATUS (TALLOC_CTX *, struct samu *)
190+pdb_element_is_changed: bool (const struct samu *, enum pdb_elements)
191+pdb_element_is_set_or_changed: bool (const struct samu *, enum pdb_elements)
192+pdb_encode_acct_ctrl: char *(uint32_t, size_t)
193+pdb_enum_alias_memberships: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
194+pdb_enum_aliasmem: NTSTATUS (const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *)
195+pdb_enum_group_mapping: bool (const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool)
196+pdb_enum_group_members: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, uint32_t **, size_t *)
197+pdb_enum_group_memberships: NTSTATUS (TALLOC_CTX *, struct samu *, struct dom_sid **, gid_t **, uint32_t *)
198+pdb_enum_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct pdb_trusted_domain ***)
199+pdb_enum_trusteddoms: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***)
200+pdb_enum_upn_suffixes: NTSTATUS (TALLOC_CTX *, uint32_t *, char ***)
201+pdb_find_backend_entry: struct pdb_init_function_entry *(const char *)
202+pdb_get_account_policy: bool (enum pdb_policy_type, uint32_t *)
203+pdb_get_acct_ctrl: uint32_t (const struct samu *)
204+pdb_get_acct_desc: const char *(const struct samu *)
205+pdb_get_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *)
206+pdb_get_backend_private_data: void *(const struct samu *, const struct pdb_methods *)
207+pdb_get_backends: const struct pdb_init_function_entry *(void)
208+pdb_get_bad_password_count: uint16_t (const struct samu *)
209+pdb_get_bad_password_time: time_t (const struct samu *)
210+pdb_get_code_page: uint16_t (const struct samu *)
211+pdb_get_comment: const char *(const struct samu *)
212+pdb_get_country_code: uint16_t (const struct samu *)
213+pdb_get_dir_drive: const char *(const struct samu *)
214+pdb_get_domain: const char *(const struct samu *)
215+pdb_get_domain_info: struct pdb_domain_info *(TALLOC_CTX *)
216+pdb_get_fullname: const char *(const struct samu *)
217+pdb_get_group_rid: uint32_t (struct samu *)
218+pdb_get_group_sid: const struct dom_sid *(struct samu *)
219+pdb_get_homedir: const char *(const struct samu *)
220+pdb_get_hours: const uint8_t *(const struct samu *)
221+pdb_get_hours_len: uint32_t (const struct samu *)
222+pdb_get_init_flags: enum pdb_value_state (const struct samu *, enum pdb_elements)
223+pdb_get_kickoff_time: time_t (const struct samu *)
224+pdb_get_lanman_passwd: const uint8_t *(const struct samu *)
225+pdb_get_logoff_time: time_t (const struct samu *)
226+pdb_get_logon_count: uint16_t (const struct samu *)
227+pdb_get_logon_divs: uint16_t (const struct samu *)
228+pdb_get_logon_script: const char *(const struct samu *)
229+pdb_get_logon_time: time_t (const struct samu *)
230+pdb_get_munged_dial: const char *(const struct samu *)
231+pdb_get_nt_passwd: const uint8_t *(const struct samu *)
232+pdb_get_nt_username: const char *(const struct samu *)
233+pdb_get_pass_can_change: bool (const struct samu *)
234+pdb_get_pass_can_change_time: time_t (const struct samu *)
235+pdb_get_pass_can_change_time_noncalc: time_t (const struct samu *)
236+pdb_get_pass_last_set_time: time_t (const struct samu *)
237+pdb_get_pass_must_change_time: time_t (const struct samu *)
238+pdb_get_plaintext_passwd: const char *(const struct samu *)
239+pdb_get_profile_path: const char *(const struct samu *)
240+pdb_get_pw_history: const uint8_t *(const struct samu *, uint32_t *)
241+pdb_get_secret: NTSTATUS (TALLOC_CTX *, const char *, DATA_BLOB *, NTTIME *, DATA_BLOB *, NTTIME *, struct security_descriptor **)
242+pdb_get_seq_num: bool (time_t *)
243+pdb_get_tevent_context: struct tevent_context *(void)
244+pdb_get_trusted_domain: NTSTATUS (TALLOC_CTX *, const char *, struct pdb_trusted_domain **)
245+pdb_get_trusted_domain_by_sid: NTSTATUS (TALLOC_CTX *, struct dom_sid *, struct pdb_trusted_domain **)
246+pdb_get_trusteddom_pw: bool (const char *, char **, struct dom_sid *, time_t *)
247+pdb_get_unknown_6: uint32_t (const struct samu *)
248+pdb_get_user_rid: uint32_t (const struct samu *)
249+pdb_get_user_sid: const struct dom_sid *(const struct samu *)
250+pdb_get_username: const char *(const struct samu *)
251+pdb_get_workstations: const char *(const struct samu *)
252+pdb_getgrgid: bool (GROUP_MAP *, gid_t)
253+pdb_getgrnam: bool (GROUP_MAP *, const char *)
254+pdb_getgrsid: bool (GROUP_MAP *, struct dom_sid)
255+pdb_gethexhours: bool (const char *, unsigned char *)
256+pdb_gethexpwd: bool (const char *, unsigned char *)
257+pdb_getsampwnam: bool (struct samu *, const char *)
258+pdb_getsampwsid: bool (struct samu *, const struct dom_sid *)
259+pdb_gid_to_sid: bool (gid_t, struct dom_sid *)
260+pdb_group_rid_to_gid: gid_t (uint32_t)
261+pdb_increment_bad_password_count: bool (struct samu *)
262+pdb_is_password_change_time_max: bool (time_t)
263+pdb_is_responsible_for_builtin: bool (void)
264+pdb_is_responsible_for_our_sam: bool (void)
265+pdb_is_responsible_for_unix_groups: bool (void)
266+pdb_is_responsible_for_unix_users: bool (void)
267+pdb_is_responsible_for_wellknown: bool (void)
268+pdb_lookup_rids: NTSTATUS (const struct dom_sid *, int, uint32_t *, const char **, enum lsa_SidType *)
269+pdb_new_rid: bool (uint32_t *)
270+pdb_nop_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
271+pdb_nop_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid)
272+pdb_nop_enum_group_mapping: NTSTATUS (struct pdb_methods *, enum lsa_SidType, GROUP_MAP **, size_t *, bool)
273+pdb_nop_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t)
274+pdb_nop_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *)
275+pdb_nop_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid)
276+pdb_nop_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
277+pdb_rename_sam_account: NTSTATUS (struct samu *, const char *)
278+pdb_search_aliases: struct pdb_search *(TALLOC_CTX *, const struct dom_sid *)
279+pdb_search_entries: uint32_t (struct pdb_search *, uint32_t, uint32_t, struct samr_displayentry **)
280+pdb_search_groups: struct pdb_search *(TALLOC_CTX *)
281+pdb_search_init: struct pdb_search *(TALLOC_CTX *, enum pdb_search_type)
282+pdb_search_users: struct pdb_search *(TALLOC_CTX *, uint32_t)
283+pdb_set_account_policy: bool (enum pdb_policy_type, uint32_t)
284+pdb_set_acct_ctrl: bool (struct samu *, uint32_t, enum pdb_value_state)
285+pdb_set_acct_desc: bool (struct samu *, const char *, enum pdb_value_state)
286+pdb_set_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *)
287+pdb_set_backend_private_data: bool (struct samu *, void *, void (*)(void **), const struct pdb_methods *, enum pdb_value_state)
288+pdb_set_bad_password_count: bool (struct samu *, uint16_t, enum pdb_value_state)
289+pdb_set_bad_password_time: bool (struct samu *, time_t, enum pdb_value_state)
290+pdb_set_code_page: bool (struct samu *, uint16_t, enum pdb_value_state)
291+pdb_set_comment: bool (struct samu *, const char *, enum pdb_value_state)
292+pdb_set_country_code: bool (struct samu *, uint16_t, enum pdb_value_state)
293+pdb_set_dir_drive: bool (struct samu *, const char *, enum pdb_value_state)
294+pdb_set_domain: bool (struct samu *, const char *, enum pdb_value_state)
295+pdb_set_fullname: bool (struct samu *, const char *, enum pdb_value_state)
296+pdb_set_group_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state)
297+pdb_set_group_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state)
298+pdb_set_homedir: bool (struct samu *, const char *, enum pdb_value_state)
299+pdb_set_hours: bool (struct samu *, const uint8_t *, int, enum pdb_value_state)
300+pdb_set_hours_len: bool (struct samu *, uint32_t, enum pdb_value_state)
301+pdb_set_init_flags: bool (struct samu *, enum pdb_elements, enum pdb_value_state)
302+pdb_set_kickoff_time: bool (struct samu *, time_t, enum pdb_value_state)
303+pdb_set_lanman_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state)
304+pdb_set_logoff_time: bool (struct samu *, time_t, enum pdb_value_state)
305+pdb_set_logon_count: bool (struct samu *, uint16_t, enum pdb_value_state)
306+pdb_set_logon_divs: bool (struct samu *, uint16_t, enum pdb_value_state)
307+pdb_set_logon_script: bool (struct samu *, const char *, enum pdb_value_state)
308+pdb_set_logon_time: bool (struct samu *, time_t, enum pdb_value_state)
309+pdb_set_munged_dial: bool (struct samu *, const char *, enum pdb_value_state)
310+pdb_set_nt_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state)
311+pdb_set_nt_username: bool (struct samu *, const char *, enum pdb_value_state)
312+pdb_set_pass_can_change: bool (struct samu *, bool)
313+pdb_set_pass_can_change_time: bool (struct samu *, time_t, enum pdb_value_state)
314+pdb_set_pass_last_set_time: bool (struct samu *, time_t, enum pdb_value_state)
315+pdb_set_plaintext_passwd: bool (struct samu *, const char *)
316+pdb_set_plaintext_pw_only: bool (struct samu *, const char *, enum pdb_value_state)
317+pdb_set_profile_path: bool (struct samu *, const char *, enum pdb_value_state)
318+pdb_set_pw_history: bool (struct samu *, const uint8_t *, uint32_t, enum pdb_value_state)
319+pdb_set_secret: NTSTATUS (const char *, DATA_BLOB *, DATA_BLOB *, struct security_descriptor *)
320+pdb_set_trusted_domain: NTSTATUS (const char *, const struct pdb_trusted_domain *)
321+pdb_set_trusteddom_pw: bool (const char *, const char *, const struct dom_sid *)
322+pdb_set_unix_primary_group: NTSTATUS (TALLOC_CTX *, struct samu *)
323+pdb_set_unknown_6: bool (struct samu *, uint32_t, enum pdb_value_state)
324+pdb_set_upn_suffixes: NTSTATUS (uint32_t, const char **)
325+pdb_set_user_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state)
326+pdb_set_user_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state)
327+pdb_set_user_sid_from_string: bool (struct samu *, const char *, enum pdb_value_state)
328+pdb_set_username: bool (struct samu *, const char *, enum pdb_value_state)
329+pdb_set_workstations: bool (struct samu *, const char *, enum pdb_value_state)
330+pdb_sethexhours: void (char *, const unsigned char *)
331+pdb_sethexpwd: void (char *, const unsigned char *, uint32_t)
332+pdb_sid_to_id: bool (const struct dom_sid *, struct unixid *)
333+pdb_sid_to_id_unix_users_and_groups: bool (const struct dom_sid *, struct unixid *)
334+pdb_uid_to_sid: bool (uid_t, struct dom_sid *)
335+pdb_update_autolock_flag: bool (struct samu *, bool *)
336+pdb_update_bad_password_count: bool (struct samu *, bool *)
337+pdb_update_group_mapping_entry: NTSTATUS (GROUP_MAP *)
338+pdb_update_login_attempts: NTSTATUS (struct samu *, bool)
339+pdb_update_sam_account: NTSTATUS (struct samu *)
340+privilege_create_account: NTSTATUS (const struct dom_sid *)
341+privilege_delete_account: NTSTATUS (const struct dom_sid *)
342+privilege_enum_sids: NTSTATUS (enum sec_privilege, TALLOC_CTX *, struct dom_sid **, int *)
343+privilege_enumerate_accounts: NTSTATUS (struct dom_sid **, int *)
344+revoke_all_privileges: bool (const struct dom_sid *)
345+revoke_privilege_by_name: bool (const struct dom_sid *, const char *)
346+revoke_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *)
347+samu_alloc_rid_unix: NTSTATUS (struct pdb_methods *, struct samu *, const struct passwd *)
348+samu_new: struct samu *(TALLOC_CTX *)
349+samu_set_unix: NTSTATUS (struct samu *, const struct passwd *)
350+secrets_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***)
351+sid_check_is_builtin: bool (const struct dom_sid *)
352+sid_check_is_for_passdb: bool (const struct dom_sid *)
353+sid_check_is_in_builtin: bool (const struct dom_sid *)
354+sid_check_is_in_unix_groups: bool (const struct dom_sid *)
355+sid_check_is_in_unix_users: bool (const struct dom_sid *)
356+sid_check_is_in_wellknown_domain: bool (const struct dom_sid *)
357+sid_check_is_unix_groups: bool (const struct dom_sid *)
358+sid_check_is_unix_users: bool (const struct dom_sid *)
359+sid_check_is_wellknown_builtin: bool (const struct dom_sid *)
360+sid_check_is_wellknown_domain: bool (const struct dom_sid *, const char **)
361+sid_check_object_is_for_passdb: bool (const struct dom_sid *)
362+sid_to_gid: bool (const struct dom_sid *, gid_t *)
363+sid_to_uid: bool (const struct dom_sid *, uid_t *)
364+sids_to_unixids: bool (const struct dom_sid *, uint32_t, struct unixid *)
365+smb_add_user_group: int (const char *, const char *)
366+smb_create_group: int (const char *, gid_t *)
367+smb_delete_group: int (const char *)
368+smb_delete_user_group: int (const char *, const char *)
369+smb_nscd_flush_group_cache: void (void)
370+smb_nscd_flush_user_cache: void (void)
371+smb_register_passdb: NTSTATUS (int, const char *, pdb_init_function)
372+smb_set_primary_group: int (const char *, const char *)
373+uid_to_sid: void (struct dom_sid *, uid_t)
374+uid_to_unix_users_sid: void (uid_t, struct dom_sid *)
375+unix_groups_domain_name: const char *(void)
376+unix_users_domain_name: const char *(void)
377+unixid_from_both: void (struct unixid *, uint32_t)
378+unixid_from_gid: void (struct unixid *, uint32_t)
379+unixid_from_uid: void (struct unixid *, uint32_t)
380+wb_is_trusted_domain: wbcErr (const char *)
381+winbind_allocate_gid: bool (gid_t *)
382+winbind_allocate_uid: bool (uid_t *)
383+winbind_get_groups: bool (TALLOC_CTX *, const char *, uint32_t *, gid_t **)
384+winbind_get_sid_aliases: bool (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *)
385+winbind_getpwnam: struct passwd *(const char *)
386+winbind_getpwsid: struct passwd *(const struct dom_sid *)
387+winbind_gid_to_sid: bool (struct dom_sid *, gid_t)
388+winbind_lookup_name: bool (const char *, const char *, struct dom_sid *, enum lsa_SidType *)
389+winbind_lookup_rids: bool (TALLOC_CTX *, const struct dom_sid *, int, uint32_t *, const char **, const char ***, enum lsa_SidType **)
390+winbind_lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *)
391+winbind_lookup_usersids: bool (TALLOC_CTX *, const struct dom_sid *, uint32_t *, struct dom_sid **)
392+winbind_ping: bool (void)
393+winbind_sid_to_gid: bool (gid_t *, const struct dom_sid *)
394+winbind_sid_to_uid: bool (uid_t *, const struct dom_sid *)
395+winbind_uid_to_sid: bool (struct dom_sid *, uid_t)
396diff --git a/source3/wscript_build b/source3/wscript_build
397index e0432bf..6d6b6aa 100755
398--- a/source3/wscript_build
399+++ b/source3/wscript_build
400@@ -736,7 +736,7 @@ bld.SAMBA3_LIBRARY('pdb',
401 passdb/lookup_sid.h''',
402 abi_match=private_pdb_match,
403 abi_directory='passdb/ABI',
404- vnum='0',
405+ vnum='0.1.0',
406 vars=locals())
407
408 bld.SAMBA3_LIBRARY('smbldaphelper',
409--
4101.8.5.2
411
412
413From 91debcafd196a9e821efddce0a9d75c48f8e168d Mon Sep 17 00:00:00 2001
414From: Andreas Schneider <asn@samba.org>
415Date: Fri, 13 Dec 2013 19:08:34 +0100
416Subject: [PATCH 2/7] s3-auth: Add passwd_to_SamInfo3().
417
418First this function tries to contacts winbind if the user is a domain
419user to get valid information about it. If winbind isn't running it will
420try to create everything from the passwd struct. This is not always
421reliable but works in most cases. It improves the current situation
422which doesn't talk to winbind at all.
423
424Pair-Programmed-With: Guenther Deschner <gd@samba.org>
425Signed-off-by: Guenther Deschner <gd@samba.org>
426Signed-off-by: Andreas Schneider <asn@samba.org>
427Reviewed-by: Andrew Bartlett <abartlet@samba.org>
428(cherry picked from commit 1bb11c7744df6928cb8a096373ab920366b38770)
429---
430 source3/auth/proto.h | 4 ++
431 source3/auth/server_info.c | 116 +++++++++++++++++++++++++++++++++++++++++++++
432 2 files changed, 120 insertions(+)
433
434diff --git a/source3/auth/proto.h b/source3/auth/proto.h
435index 76661fc..8385e66 100644
436--- a/source3/auth/proto.h
437+++ b/source3/auth/proto.h
438@@ -286,6 +286,10 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
439 const char *login_server,
440 struct netr_SamInfo3 **_info3,
441 struct extra_auth_info *extra);
442+NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
443+ const char *unix_username,
444+ const struct passwd *pwd,
445+ struct netr_SamInfo3 **pinfo3);
446 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
447 struct netr_SamInfo3 *orig);
448 struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
449diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
450index d2b7d6e..46d8178 100644
451--- a/source3/auth/server_info.c
452+++ b/source3/auth/server_info.c
453@@ -24,6 +24,7 @@
454 #include "../libcli/security/security.h"
455 #include "rpc_client/util_netlogon.h"
456 #include "nsswitch/libwbclient/wbclient.h"
457+#include "lib/winbind_util.h"
458 #include "passdb.h"
459
460 #undef DBGC_CLASS
461@@ -436,6 +437,121 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
462 return NT_STATUS_OK;
463 }
464
465+NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
466+ const char *unix_username,
467+ const struct passwd *pwd,
468+ struct netr_SamInfo3 **pinfo3)
469+{
470+ struct netr_SamInfo3 *info3;
471+ NTSTATUS status;
472+ TALLOC_CTX *tmp_ctx;
473+ const char *domain_name = NULL;
474+ const char *user_name = NULL;
475+ struct dom_sid domain_sid;
476+ struct dom_sid user_sid;
477+ struct dom_sid group_sid;
478+ enum lsa_SidType type;
479+ uint32_t num_sids = 0;
480+ struct dom_sid *user_sids = NULL;
481+ bool ok;
482+
483+ tmp_ctx = talloc_stackframe();
484+
485+ ok = lookup_name_smbconf(tmp_ctx,
486+ unix_username,
487+ LOOKUP_NAME_ALL,
488+ &domain_name,
489+ &user_name,
490+ &user_sid,
491+ &type);
492+ if (!ok) {
493+ status = NT_STATUS_NO_SUCH_USER;
494+ goto done;
495+ }
496+
497+ if (type != SID_NAME_USER) {
498+ status = NT_STATUS_NO_SUCH_USER;
499+ goto done;
500+ }
501+
502+ ok = winbind_lookup_usersids(tmp_ctx,
503+ &user_sid,
504+ &num_sids,
505+ &user_sids);
506+ /* Check if winbind is running */
507+ if (ok) {
508+ /*
509+ * Winbind is running and the first element of the user_sids
510+ * is the primary group.
511+ */
512+ if (num_sids > 0) {
513+ group_sid = user_sids[0];
514+ }
515+ } else {
516+ /*
517+ * Winbind is not running, create the group_sid from the
518+ * group id.
519+ */
520+ gid_to_sid(&group_sid, pwd->pw_gid);
521+ }
522+
523+ /* Make sure we have a valid group sid */
524+ ok = !is_null_sid(&group_sid);
525+ if (!ok) {
526+ status = NT_STATUS_NO_SUCH_USER;
527+ goto done;
528+ }
529+
530+ /* Construct a netr_SamInfo3 from the information we have */
531+ info3 = talloc_zero(tmp_ctx, struct netr_SamInfo3);
532+ if (!info3) {
533+ status = NT_STATUS_NO_MEMORY;
534+ goto done;
535+ }
536+
537+ info3->base.account_name.string = talloc_strdup(info3, unix_username);
538+ if (info3->base.account_name.string == NULL) {
539+ status = NT_STATUS_NO_MEMORY;
540+ goto done;
541+ }
542+
543+ ZERO_STRUCT(domain_sid);
544+
545+ sid_copy(&domain_sid, &user_sid);
546+ sid_split_rid(&domain_sid, &info3->base.rid);
547+ info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
548+
549+ ok = sid_peek_check_rid(&domain_sid, &group_sid,
550+ &info3->base.primary_gid);
551+ if (!ok) {
552+ DEBUG(1, ("The primary group domain sid(%s) does not "
553+ "match the domain sid(%s) for %s(%s)\n",
554+ sid_string_dbg(&group_sid),
555+ sid_string_dbg(&domain_sid),
556+ unix_username,
557+ sid_string_dbg(&user_sid)));
558+ status = NT_STATUS_INVALID_SID;
559+ goto done;
560+ }
561+
562+ info3->base.acct_flags = ACB_NORMAL;
563+
564+ if (num_sids) {
565+ status = group_sids_to_info3(info3, user_sids, num_sids);
566+ if (!NT_STATUS_IS_OK(status)) {
567+ goto done;
568+ }
569+ }
570+
571+ *pinfo3 = talloc_steal(mem_ctx, info3);
572+
573+ status = NT_STATUS_OK;
574+done:
575+ talloc_free(tmp_ctx);
576+
577+ return status;
578+}
579+
580 #undef RET_NOMEM
581
582 #define RET_NOMEM(ptr) do { \
583--
5841.8.5.2
585
586
587From c7b7670dc5cd8dbf727258666b6417d67afafb33 Mon Sep 17 00:00:00 2001
588From: Andreas Schneider <asn@samba.org>
589Date: Fri, 13 Dec 2013 19:11:01 +0100
590Subject: [PATCH 3/7] s3-auth: Pass talloc context to make_server_info_pw().
591
592Pair-Programmed-With: Guenther Deschner <gd@samba.org>
593Signed-off-by: Guenther Deschner <gd@samba.org>
594Signed-off-by: Andreas Schneider <asn@samba.org>
595Reviewed-by: Andrew Bartlett <abartlet@samba.org>
596(cherry picked from commit 1b59c9743cf3fbd66b0b8b52162b2cc8d922e5cf)
597---
598 source3/auth/auth_unix.c | 7 +++++--
599 source3/auth/auth_util.c | 52 +++++++++++++++++++++++++++++-------------------
600 source3/auth/proto.h | 7 ++++---
601 source3/auth/user_krb5.c | 5 +----
602 4 files changed, 42 insertions(+), 29 deletions(-)
603
604diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
605index c8b5435..7b483a2 100644
606--- a/source3/auth/auth_unix.c
607+++ b/source3/auth/auth_unix.c
608@@ -67,8 +67,11 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
609 unbecome_root();
610
611 if (NT_STATUS_IS_OK(nt_status)) {
612- if (pass) {
613- make_server_info_pw(server_info, pass->pw_name, pass);
614+ if (pass != NULL) {
615+ nt_status = make_server_info_pw(mem_ctx,
616+ pass->pw_name,
617+ pass,
618+ server_info);
619 } else {
620 /* we need to do somthing more useful here */
621 nt_status = NT_STATUS_NO_SUCH_USER;
622diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
623index ceaa706..b225b0d 100644
624--- a/source3/auth/auth_util.c
625+++ b/source3/auth/auth_util.c
626@@ -639,14 +639,15 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
627 to a struct samu
628 ***************************************************************************/
629
630-NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
631- char *unix_username,
632- struct passwd *pwd)
633+NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
634+ const char *unix_username,
635+ const struct passwd *pwd,
636+ struct auth_serversupplied_info **server_info)
637 {
638 NTSTATUS status;
639 struct samu *sampass = NULL;
640 char *qualified_name = NULL;
641- TALLOC_CTX *mem_ctx = NULL;
642+ TALLOC_CTX *tmp_ctx;
643 struct dom_sid u_sid;
644 enum lsa_SidType type;
645 struct auth_serversupplied_info *result;
646@@ -664,27 +665,27 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
647 * plaintext passwords were used with no SAM backend.
648 */
649
650- mem_ctx = talloc_init("make_server_info_pw_tmp");
651- if (!mem_ctx) {
652+ tmp_ctx = talloc_stackframe();
653+ if (tmp_ctx == NULL) {
654 return NT_STATUS_NO_MEMORY;
655 }
656
657- qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
658+ qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
659 unix_users_domain_name(),
660 unix_username );
661 if (!qualified_name) {
662- TALLOC_FREE(mem_ctx);
663+ TALLOC_FREE(tmp_ctx);
664 return NT_STATUS_NO_MEMORY;
665 }
666
667- if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
668+ if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
669 NULL, NULL,
670 &u_sid, &type)) {
671- TALLOC_FREE(mem_ctx);
672+ TALLOC_FREE(tmp_ctx);
673 return NT_STATUS_NO_SUCH_USER;
674 }
675
676- TALLOC_FREE(mem_ctx);
677+ TALLOC_FREE(tmp_ctx);
678
679 if (type != SID_NAME_USER) {
680 return NT_STATUS_NO_SUCH_USER;
681@@ -707,7 +708,7 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
682 /* set the user sid to be the calculated u_sid */
683 pdb_set_user_sid(sampass, &u_sid, PDB_SET);
684
685- result = make_server_info(NULL);
686+ result = make_server_info(mem_ctx);
687 if (result == NULL) {
688 TALLOC_FREE(sampass);
689 return NT_STATUS_NO_MEMORY;
690@@ -992,25 +993,36 @@ NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
691 struct passwd *pwd;
692 NTSTATUS status;
693 struct auth_serversupplied_info *result;
694+ TALLOC_CTX *tmp_ctx;
695
696- pwd = Get_Pwnam_alloc(talloc_tos(), username);
697- if (pwd == NULL) {
698- return NT_STATUS_NO_SUCH_USER;
699+ tmp_ctx = talloc_stackframe();
700+ if (tmp_ctx == NULL) {
701+ return NT_STATUS_NO_MEMORY;
702 }
703
704- status = make_server_info_pw(&result, pwd->pw_name, pwd);
705+ pwd = Get_Pwnam_alloc(tmp_ctx, username);
706+ if (pwd == NULL) {
707+ status = NT_STATUS_NO_SUCH_USER;
708+ goto done;
709+ }
710
711+ status = make_server_info_pw(tmp_ctx, pwd->pw_name, pwd, &result);
712 if (!NT_STATUS_IS_OK(status)) {
713- return status;
714+ goto done;
715 }
716
717 result->nss_token = true;
718 result->guest = is_guest;
719
720 /* Now turn the server_info into a session_info with the full token etc */
721- status = create_local_token(mem_ctx, result, NULL, pwd->pw_name, session_info);
722- TALLOC_FREE(result);
723- TALLOC_FREE(pwd);
724+ status = create_local_token(mem_ctx,
725+ result,
726+ NULL,
727+ pwd->pw_name,
728+ session_info);
729+
730+done:
731+ talloc_free(tmp_ctx);
732
733 return status;
734 }
735diff --git a/source3/auth/proto.h b/source3/auth/proto.h
736index 8385e66..7abca07 100644
737--- a/source3/auth/proto.h
738+++ b/source3/auth/proto.h
739@@ -206,9 +206,10 @@ bool user_in_group_sid(const char *username, const struct dom_sid *group_sid);
740 bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid);
741 bool user_in_group(const char *username, const char *groupname);
742 struct passwd;
743-NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
744- char *unix_username,
745- struct passwd *pwd);
746+NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
747+ const char *unix_username,
748+ const struct passwd *pwd,
749+ struct auth_serversupplied_info **server_info);
750 NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
751 const char *username,
752 bool is_guest,
753diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
754index 974a8aa..7d44285 100644
755--- a/source3/auth/user_krb5.c
756+++ b/source3/auth/user_krb5.c
757@@ -242,7 +242,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
758 */
759 DEBUG(10, ("didn't find user %s in passdb, calling "
760 "make_server_info_pw\n", username));
761- status = make_server_info_pw(&tmp, username, pw);
762+ status = make_server_info_pw(mem_ctx, username, pw, &tmp);
763 }
764
765 TALLOC_FREE(sampass);
766@@ -253,9 +253,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
767 return status;
768 }
769
770- /* Steal tmp server info into the server_info pointer. */
771- server_info = talloc_move(mem_ctx, &tmp);
772-
773 /* make_server_info_pw does not set the domain. Without this
774 * we end up with the local netbios name in substitutions for
775 * %D. */
776--
7771.8.5.2
778
779
780From 4fbd13598e8bdc6acf41329f71de806de4265f36 Mon Sep 17 00:00:00 2001
781From: Andreas Schneider <asn@samba.org>
782Date: Fri, 13 Dec 2013 19:19:02 +0100
783Subject: [PATCH 4/7] s3-auth: Add passwd_to_SamInfo3().
784
785Correctly lookup users which come from smb.conf. passwd_to_SamInfo3()
786tries to contact winbind if the user is a domain user to get
787valid information about it. If winbind isn't running it will try to
788create everything from the passwd struct. This is not always reliable
789but works in most cases. It improves the current situation which doesn't
790talk to winbind at all.
791
792BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
793
794Pair-Programmed-With: Guenther Deschner <gd@samba.org>
795Signed-off-by: Andreas Schneider <asn@samba.org>
796Reviewed-by: Andrew Bartlett <abartlet@samba.org>
797
798Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
799Autobuild-Date(master): Wed Feb 5 01:40:38 CET 2014 on sn-devel-104
800
801(cherry picked from commit 40e6456b5896e934fcd581c2cac2389984256e09)
802---
803 source3/auth/auth_util.c | 87 +++++++++-------------------------------------
804 source3/auth/server_info.c | 22 ++++++++++--
805 2 files changed, 36 insertions(+), 73 deletions(-)
806
807diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
808index b225b0d..24190af 100644
809--- a/source3/auth/auth_util.c
810+++ b/source3/auth/auth_util.c
811@@ -645,98 +645,43 @@ NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx,
812 struct auth_serversupplied_info **server_info)
813 {
814 NTSTATUS status;
815- struct samu *sampass = NULL;
816- char *qualified_name = NULL;
817- TALLOC_CTX *tmp_ctx;
818- struct dom_sid u_sid;
819- enum lsa_SidType type;
820+ TALLOC_CTX *tmp_ctx = NULL;
821 struct auth_serversupplied_info *result;
822
823- /*
824- * The SID returned in server_info->sam_account is based
825- * on our SAM sid even though for a pure UNIX account this should
826- * not be the case as it doesn't really exist in the SAM db.
827- * This causes lookups on "[in]valid users" to fail as they
828- * will lookup this name as a "Unix User" SID to check against
829- * the user token. Fix this by adding the "Unix User"\unix_username
830- * SID to the sid array. The correct fix should probably be
831- * changing the server_info->sam_account user SID to be a
832- * S-1-22 Unix SID, but this might break old configs where
833- * plaintext passwords were used with no SAM backend.
834- */
835-
836 tmp_ctx = talloc_stackframe();
837 if (tmp_ctx == NULL) {
838 return NT_STATUS_NO_MEMORY;
839 }
840
841- qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s",
842- unix_users_domain_name(),
843- unix_username );
844- if (!qualified_name) {
845- TALLOC_FREE(tmp_ctx);
846- return NT_STATUS_NO_MEMORY;
847- }
848-
849- if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL,
850- NULL, NULL,
851- &u_sid, &type)) {
852- TALLOC_FREE(tmp_ctx);
853- return NT_STATUS_NO_SUCH_USER;
854- }
855-
856- TALLOC_FREE(tmp_ctx);
857-
858- if (type != SID_NAME_USER) {
859- return NT_STATUS_NO_SUCH_USER;
860- }
861-
862- if ( !(sampass = samu_new( NULL )) ) {
863- return NT_STATUS_NO_MEMORY;
864- }
865-
866- status = samu_set_unix( sampass, pwd );
867- if (!NT_STATUS_IS_OK(status)) {
868- return status;
869- }
870-
871- /* In pathological cases the above call can set the account
872- * name to the DOMAIN\username form. Reset the account name
873- * using unix_username */
874- pdb_set_username(sampass, unix_username, PDB_SET);
875-
876- /* set the user sid to be the calculated u_sid */
877- pdb_set_user_sid(sampass, &u_sid, PDB_SET);
878-
879- result = make_server_info(mem_ctx);
880+ result = make_server_info(tmp_ctx);
881 if (result == NULL) {
882- TALLOC_FREE(sampass);
883- return NT_STATUS_NO_MEMORY;
884+ status = NT_STATUS_NO_MEMORY;
885+ goto done;
886 }
887
888- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
889- &result->info3, &result->extra);
890- TALLOC_FREE(sampass);
891+ status = passwd_to_SamInfo3(result,
892+ unix_username,
893+ pwd,
894+ &result->info3);
895 if (!NT_STATUS_IS_OK(status)) {
896- DEBUG(10, ("Failed to convert samu to info3: %s\n",
897- nt_errstr(status)));
898- TALLOC_FREE(result);
899- return status;
900+ goto done;
901 }
902
903 result->unix_name = talloc_strdup(result, unix_username);
904-
905 if (result->unix_name == NULL) {
906- TALLOC_FREE(result);
907- return NT_STATUS_NO_MEMORY;
908+ status = NT_STATUS_NO_MEMORY;
909+ goto done;
910 }
911
912 result->utok.uid = pwd->pw_uid;
913 result->utok.gid = pwd->pw_gid;
914
915- *server_info = result;
916+ *server_info = talloc_steal(mem_ctx, result);
917+ status = NT_STATUS_OK;
918+done:
919+ talloc_free(tmp_ctx);
920
921- return NT_STATUS_OK;
922+ return status;
923 }
924
925 static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
926diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
927index 46d8178..43711d5 100644
928--- a/source3/auth/server_info.c
929+++ b/source3/auth/server_info.c
930@@ -489,10 +489,28 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
931 }
932 } else {
933 /*
934- * Winbind is not running, create the group_sid from the
935- * group id.
936+ * Winbind is not running, try to create the group_sid from the
937+ * passwd group id.
938+ */
939+
940+ /*
941+ * This can lead to a primary group of S-1-22-2-XX which
942+ * will be rejected by other Samba code.
943 */
944 gid_to_sid(&group_sid, pwd->pw_gid);
945+
946+ ZERO_STRUCT(domain_sid);
947+
948+ /*
949+ * If we are a unix group, set the group_sid to the
950+ * 'Domain Users' RID of 513 which will always resolve to a
951+ * name.
952+ */
953+ if (sid_check_is_in_unix_groups(&group_sid)) {
954+ sid_compose(&group_sid,
955+ get_global_sam_sid(),
956+ DOMAIN_RID_USERS);
957+ }
958 }
959
960 /* Make sure we have a valid group sid */
961--
9621.8.5.2
963
964
965From 76bb5e0888f4131ab773d90160051a51c401c90d Mon Sep 17 00:00:00 2001
966From: Andreas Schneider <asn@samba.org>
967Date: Tue, 18 Feb 2014 10:02:57 +0100
968Subject: [PATCH 5/7] s3-auth: Pass mem_ctx to make_server_info_sam().
969
970Coverity-Id: 1168009
971BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
972
973Signed-off-by: Andreas Schneider <asn@samba.org>
974
975Change-Id: Ie614b0654c3a7eec1ebb10dbb9763696eec795bd
976Reviewed-by: Andrew Bartlett <abartlet@samba.org>
977(cherry picked from commit 3dc72266005e87a291f5bf9847257e8c54314d39)
978---
979 source3/auth/check_samsec.c | 2 +-
980 source3/auth/proto.h | 5 ++--
981 source3/auth/server_info_sam.c | 56 +++++++++++++++++++++++++++---------------
982 source3/auth/user_krb5.c | 12 +++++----
983 4 files changed, 47 insertions(+), 28 deletions(-)
984
985diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
986index 7ed8cc2..b6cac60 100644
987--- a/source3/auth/check_samsec.c
988+++ b/source3/auth/check_samsec.c
989@@ -482,7 +482,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
990 }
991
992 become_root();
993- nt_status = make_server_info_sam(server_info, sampass);
994+ nt_status = make_server_info_sam(mem_ctx, sampass, server_info);
995 unbecome_root();
996
997 TALLOC_FREE(sampass);
998diff --git a/source3/auth/proto.h b/source3/auth/proto.h
999index 7abca07..eac3e54 100644
1000--- a/source3/auth/proto.h
1001+++ b/source3/auth/proto.h
1002@@ -190,8 +190,9 @@ bool make_user_info_guest(const struct tsocket_address *remote_address,
1003 struct auth_usersupplied_info **user_info);
1004
1005 struct samu;
1006-NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
1007- struct samu *sampass);
1008+NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx,
1009+ struct samu *sampass,
1010+ struct auth_serversupplied_info **pserver_info);
1011 NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
1012 const struct auth_serversupplied_info *server_info,
1013 DATA_BLOB *session_key,
1014diff --git a/source3/auth/server_info_sam.c b/source3/auth/server_info_sam.c
1015index 5d657f9..47087b1 100644
1016--- a/source3/auth/server_info_sam.c
1017+++ b/source3/auth/server_info_sam.c
1018@@ -58,39 +58,51 @@ static bool is_our_machine_account(const char *username)
1019 Make (and fill) a user_info struct from a struct samu
1020 ***************************************************************************/
1021
1022-NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
1023- struct samu *sampass)
1024+NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx,
1025+ struct samu *sampass,
1026+ struct auth_serversupplied_info **pserver_info)
1027 {
1028 struct passwd *pwd;
1029- struct auth_serversupplied_info *result;
1030+ struct auth_serversupplied_info *server_info;
1031 const char *username = pdb_get_username(sampass);
1032+ TALLOC_CTX *tmp_ctx;
1033 NTSTATUS status;
1034
1035- if ( !(result = make_server_info(NULL)) ) {
1036+ tmp_ctx = talloc_stackframe();
1037+ if (tmp_ctx == NULL) {
1038 return NT_STATUS_NO_MEMORY;
1039 }
1040
1041- if ( !(pwd = Get_Pwnam_alloc(result, username)) ) {
1042+ server_info = make_server_info(tmp_ctx);
1043+ if (server_info == NULL) {
1044+ return NT_STATUS_NO_MEMORY;
1045+ }
1046+
1047+ pwd = Get_Pwnam_alloc(tmp_ctx, username);
1048+ if (pwd == NULL) {
1049 DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
1050 pdb_get_username(sampass)));
1051- TALLOC_FREE(result);
1052- return NT_STATUS_NO_SUCH_USER;
1053+ status = NT_STATUS_NO_SUCH_USER;
1054+ goto out;
1055 }
1056
1057- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
1058- &result->info3, &result->extra);
1059+ status = samu_to_SamInfo3(server_info,
1060+ sampass,
1061+ lp_netbios_name(),
1062+ &server_info->info3,
1063+ &server_info->extra);
1064 if (!NT_STATUS_IS_OK(status)) {
1065- TALLOC_FREE(result);
1066- return status;
1067+ goto out;
1068 }
1069
1070- result->unix_name = pwd->pw_name;
1071- /* Ensure that we keep pwd->pw_name, because we will free pwd below */
1072- talloc_steal(result, pwd->pw_name);
1073- result->utok.gid = pwd->pw_gid;
1074- result->utok.uid = pwd->pw_uid;
1075+ server_info->unix_name = talloc_strdup(server_info, pwd->pw_name);
1076+ if (server_info->unix_name == NULL) {
1077+ status = NT_STATUS_NO_MEMORY;
1078+ goto out;
1079+ }
1080
1081- TALLOC_FREE(pwd);
1082+ server_info->utok.gid = pwd->pw_gid;
1083+ server_info->utok.uid = pwd->pw_uid;
1084
1085 if (IS_DC && is_our_machine_account(username)) {
1086 /*
1087@@ -110,9 +122,13 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
1088 }
1089
1090 DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
1091- pdb_get_username(sampass), result->unix_name));
1092+ pdb_get_username(sampass), server_info->unix_name));
1093+
1094+ *pserver_info = talloc_steal(mem_ctx, server_info);
1095
1096- *server_info = result;
1097+ status = NT_STATUS_OK;
1098+out:
1099+ talloc_free(tmp_ctx);
1100
1101- return NT_STATUS_OK;
1102+ return status;
1103 }
1104diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
1105index 7d44285..e40c8ac 100644
1106--- a/source3/auth/user_krb5.c
1107+++ b/source3/auth/user_krb5.c
1108@@ -223,9 +223,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
1109 * SID consistency with ntlmssp session setup
1110 */
1111 struct samu *sampass;
1112- /* The stupid make_server_info_XX functions here
1113- don't take a talloc context. */
1114- struct auth_serversupplied_info *tmp = NULL;
1115
1116 sampass = samu_new(talloc_tos());
1117 if (sampass == NULL) {
1118@@ -235,14 +232,19 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
1119 if (pdb_getsampwnam(sampass, username)) {
1120 DEBUG(10, ("found user %s in passdb, calling "
1121 "make_server_info_sam\n", username));
1122- status = make_server_info_sam(&tmp, sampass);
1123+ status = make_server_info_sam(mem_ctx,
1124+ sampass,
1125+ &server_info);
1126 } else {
1127 /*
1128 * User not in passdb, make it up artificially
1129 */
1130 DEBUG(10, ("didn't find user %s in passdb, calling "
1131 "make_server_info_pw\n", username));
1132- status = make_server_info_pw(mem_ctx, username, pw, &tmp);
1133+ status = make_server_info_pw(mem_ctx,
1134+ username,
1135+ pw,
1136+ &server_info);
1137 }
1138
1139 TALLOC_FREE(sampass);
1140--
11411.8.5.2
1142
1143
1144From f9c0adb6237c6e60c33ee6af21f55c0cdefa132c Mon Sep 17 00:00:00 2001
1145From: Andreas Schneider <asn@samba.org>
1146Date: Tue, 18 Feb 2014 10:19:57 +0100
1147Subject: [PATCH 6/7] s3-auth: Pass mem_ctx to auth_check_ntlm_password().
1148
1149Coverity-Id: 1168009
1150BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
1151
1152Signed-off-by: Andreas Schneider <asn@samba.org>
1153
1154Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a
1155Reviewed-by: Andrew Bartlett <abartlet@samba.org>
1156(cherry picked from commit 4d792db03f18aa164b565c7fdc7b446c174fba28)
1157---
1158 source3/auth/auth.c | 50 ++++++++++++++++++-----------
1159 source3/auth/auth_ntlmssp.c | 6 ++--
1160 source3/auth/proto.h | 8 +++--
1161 source3/rpc_server/netlogon/srv_netlog_nt.c | 6 ++--
1162 source3/torture/pdbtest.c | 5 ++-
1163 5 files changed, 48 insertions(+), 27 deletions(-)
1164
1165diff --git a/source3/auth/auth.c b/source3/auth/auth.c
1166index c3797cf..dc9af02 100644
1167--- a/source3/auth/auth.c
1168+++ b/source3/auth/auth.c
1169@@ -160,18 +160,19 @@ static bool check_domain_match(const char *user, const char *domain)
1170 *
1171 **/
1172
1173-NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
1174- const struct auth_usersupplied_info *user_info,
1175- struct auth_serversupplied_info **server_info)
1176+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
1177+ const struct auth_context *auth_context,
1178+ const struct auth_usersupplied_info *user_info,
1179+ struct auth_serversupplied_info **pserver_info)
1180 {
1181 /* if all the modules say 'not for me' this is reasonable */
1182 NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
1183 const char *unix_username;
1184 auth_methods *auth_method;
1185- TALLOC_CTX *mem_ctx;
1186
1187- if (!user_info || !auth_context || !server_info)
1188+ if (user_info == NULL || auth_context == NULL || pserver_info == NULL) {
1189 return NT_STATUS_LOGON_FAILURE;
1190+ }
1191
1192 DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
1193 user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
1194@@ -205,17 +206,27 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
1195 return NT_STATUS_LOGON_FAILURE;
1196
1197 for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
1198+ struct auth_serversupplied_info *server_info;
1199+ TALLOC_CTX *tmp_ctx;
1200 NTSTATUS result;
1201
1202- mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
1203- user_info->mapped.domain_name, user_info->client.account_name);
1204+ tmp_ctx = talloc_named(mem_ctx,
1205+ 0,
1206+ "%s authentication for user %s\\%s",
1207+ auth_method->name,
1208+ user_info->mapped.domain_name,
1209+ user_info->client.account_name);
1210
1211- result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
1212+ result = auth_method->auth(auth_context,
1213+ auth_method->private_data,
1214+ tmp_ctx,
1215+ user_info,
1216+ &server_info);
1217
1218 /* check if the module did anything */
1219 if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
1220 DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
1221- talloc_destroy(mem_ctx);
1222+ TALLOC_FREE(tmp_ctx);
1223 continue;
1224 }
1225
1226@@ -229,19 +240,20 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
1227 auth_method->name, user_info->client.account_name, nt_errstr(nt_status)));
1228 }
1229
1230- talloc_destroy(mem_ctx);
1231-
1232- if ( NT_STATUS_IS_OK(nt_status))
1233- {
1234- break;
1235+ if (NT_STATUS_IS_OK(nt_status)) {
1236+ *pserver_info = talloc_steal(mem_ctx, server_info);
1237+ TALLOC_FREE(tmp_ctx);
1238+ break;
1239 }
1240+
1241+ TALLOC_FREE(tmp_ctx);
1242 }
1243
1244 /* successful authentication */
1245
1246 if (NT_STATUS_IS_OK(nt_status)) {
1247- unix_username = (*server_info)->unix_name;
1248- if (!(*server_info)->guest) {
1249+ unix_username = (*pserver_info)->unix_name;
1250+ if (!(*pserver_info)->guest) {
1251 const char *rhost;
1252
1253 if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
1254@@ -270,9 +282,9 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
1255 }
1256
1257 if (NT_STATUS_IS_OK(nt_status)) {
1258- DEBUG((*server_info)->guest ? 5 : 2,
1259+ DEBUG((*pserver_info)->guest ? 5 : 2,
1260 ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
1261- (*server_info)->guest ? "guest " : "",
1262+ (*pserver_info)->guest ? "guest " : "",
1263 user_info->client.account_name,
1264 user_info->mapped.account_name,
1265 unix_username));
1266@@ -286,7 +298,7 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
1267 DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
1268 user_info->client.account_name, user_info->mapped.account_name,
1269 nt_errstr(nt_status)));
1270- ZERO_STRUCTP(server_info);
1271+ ZERO_STRUCTP(pserver_info);
1272
1273 return nt_status;
1274 }
1275diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
1276index f99bd44..cb7726c 100644
1277--- a/source3/auth/auth_ntlmssp.c
1278+++ b/source3/auth/auth_ntlmssp.c
1279@@ -134,8 +134,10 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
1280
1281 mapped_user_info->flags = user_info->flags;
1282
1283- nt_status = auth_check_ntlm_password(auth_context,
1284- mapped_user_info, &server_info);
1285+ nt_status = auth_check_ntlm_password(mem_ctx,
1286+ auth_context,
1287+ mapped_user_info,
1288+ &server_info);
1289
1290 if (!NT_STATUS_IS_OK(nt_status)) {
1291 DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
1292diff --git a/source3/auth/proto.h b/source3/auth/proto.h
1293index eac3e54..15b1ba0 100644
1294--- a/source3/auth/proto.h
1295+++ b/source3/auth/proto.h
1296@@ -65,6 +65,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
1297 * struct. When the return is other than NT_STATUS_OK the contents
1298 * of that structure is undefined.
1299 *
1300+ * @param mem_ctx The memory context to use to allocate server_info
1301+ *
1302 * @param user_info Contains the user supplied components, including the passwords.
1303 * Must be created with make_user_info() or one of its wrappers.
1304 *
1305@@ -79,9 +81,9 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
1306 * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
1307 *
1308 **/
1309-
1310-NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
1311- const struct auth_usersupplied_info *user_info,
1312+NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
1313+ const struct auth_context *auth_context,
1314+ const struct auth_usersupplied_info *user_info,
1315 struct auth_serversupplied_info **server_info);
1316
1317 /* The following definitions come from auth/auth_builtin.c */
1318diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
1319index e5ca474..0c8c9a5 100644
1320--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
1321+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
1322@@ -1650,8 +1650,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
1323 } /* end switch */
1324
1325 if ( NT_STATUS_IS_OK(status) ) {
1326- status = auth_check_ntlm_password(auth_context,
1327- user_info, &server_info);
1328+ status = auth_check_ntlm_password(p->mem_ctx,
1329+ auth_context,
1330+ user_info,
1331+ &server_info);
1332 }
1333
1334 TALLOC_FREE(auth_context);
1335diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
1336index 17da455..14d58b9 100644
1337--- a/source3/torture/pdbtest.c
1338+++ b/source3/torture/pdbtest.c
1339@@ -304,7 +304,10 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
1340 return False;
1341 }
1342
1343- status = auth_check_ntlm_password(auth_context, user_info, &server_info);
1344+ status = auth_check_ntlm_password(mem_ctx,
1345+ auth_context,
1346+ user_info,
1347+ &server_info);
1348
1349 if (!NT_STATUS_IS_OK(status)) {
1350 DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status)));
1351--
13521.8.5.2
1353
1354
1355From a48bcd84c59b5b2cb8c3e0f5d68b35065bed81d7 Mon Sep 17 00:00:00 2001
1356From: Andreas Schneider <asn@samba.org>
1357Date: Tue, 18 Feb 2014 13:52:49 +0100
1358Subject: [PATCH 7/7] s3-auth: Pass mem_ctx to do_map_to_guest_server_info().
1359
1360Change-Id: If53117023e3ab37c810193edd00a81d247fdde7a
1361Reviewed-by: Andrew Bartlett <abartlet@samba.org>
1362
1363Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
1364Autobuild-Date(master): Wed Feb 19 01:28:14 CET 2014 on sn-devel-104
1365
1366(cherry picked from commit 79e2725f339e7c5336b4053348c4266268de6ca3)
1367---
1368 source3/auth/auth_ntlmssp.c | 7 ++++---
1369 source3/auth/auth_util.c | 12 +++++++-----
1370 source3/auth/proto.h | 8 +++++---
1371 3 files changed, 16 insertions(+), 11 deletions(-)
1372
1373diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
1374index cb7726c..d4fe901 100644
1375--- a/source3/auth/auth_ntlmssp.c
1376+++ b/source3/auth/auth_ntlmssp.c
1377@@ -151,10 +151,11 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
1378 free_user_info(&mapped_user_info);
1379
1380 if (!NT_STATUS_IS_OK(nt_status)) {
1381- nt_status = do_map_to_guest_server_info(nt_status,
1382- &server_info,
1383+ nt_status = do_map_to_guest_server_info(mem_ctx,
1384+ nt_status,
1385 user_info->client.account_name,
1386- user_info->client.domain_name);
1387+ user_info->client.domain_name,
1388+ &server_info);
1389 *server_returned_info = talloc_steal(mem_ctx, server_info);
1390 return nt_status;
1391 }
1392diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
1393index 24190af..8cf5cb7 100644
1394--- a/source3/auth/auth_util.c
1395+++ b/source3/auth/auth_util.c
1396@@ -1536,9 +1536,11 @@ bool is_trusted_domain(const char* dom_name)
1397 on a logon error possibly map the error to success if "map to guest"
1398 is set approriately
1399 */
1400-NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
1401- struct auth_serversupplied_info **server_info,
1402- const char *user, const char *domain)
1403+NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx,
1404+ NTSTATUS status,
1405+ const char *user,
1406+ const char *domain,
1407+ struct auth_serversupplied_info **server_info)
1408 {
1409 user = user ? user : "";
1410 domain = domain ? domain : "";
1411@@ -1548,13 +1550,13 @@ NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
1412 (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
1413 DEBUG(3,("No such user %s [%s] - using guest account\n",
1414 user, domain));
1415- return make_server_info_guest(NULL, server_info);
1416+ return make_server_info_guest(mem_ctx, server_info);
1417 }
1418 } else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
1419 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
1420 DEBUG(3,("Registered username %s for guest access\n",
1421 user));
1422- return make_server_info_guest(NULL, server_info);
1423+ return make_server_info_guest(mem_ctx, server_info);
1424 }
1425 }
1426
1427diff --git a/source3/auth/proto.h b/source3/auth/proto.h
1428index 15b1ba0..7b8959f 100644
1429--- a/source3/auth/proto.h
1430+++ b/source3/auth/proto.h
1431@@ -264,9 +264,11 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info,
1432 enum auth_password_state password_state);
1433 void free_user_info(struct auth_usersupplied_info **user_info);
1434
1435-NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
1436- struct auth_serversupplied_info **server_info,
1437- const char *user, const char *domain);
1438+NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx,
1439+ NTSTATUS status,
1440+ const char *user,
1441+ const char *domain,
1442+ struct auth_serversupplied_info **server_info);
1443
1444 /* The following definitions come from auth/auth_winbind.c */
1445
1446--
14471.8.5.2
1448
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
deleted file mode 100644
index daa283e67..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/02-fix-ipv6-join.patch
+++ /dev/null
@@ -1,266 +0,0 @@
1From 168627e1877317db86471a4b0360dccd9f469aaa Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3Date: Mon, 13 Jan 2014 15:59:26 +0100
4Subject: [PATCH 1/2] s3-kerberos: remove print_kdc_line() completely.
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Just calling print_canonical_sockaddr() is sufficient, as it already deals with
10ipv6 as well. The port handling, which was only done for IPv6 (not IPv4), is
11removed as well. It was pointless because it always derived the port number from
12the provided address which was either a SMB (usually port 445) or LDAP
13connection. No KDC will ever run on port 389 or 445 on a Windows/Samba DC.
14Finally, the kerberos libraries that we support and build with, can deal with
15ipv6 addresses in krb5.conf, so we no longer put the (unnecessary) burden of
16resolving the DC name on the kerberos library anymore.
17
18Guenther
19
20Signed-off-by: Günther Deschner <gd@samba.org>
21Reviewed-by: Andreas Schneider <asn@samba.org>
22---
23 source3/libads/kerberos.c | 73 ++++-------------------------------------------
24 1 file changed, 5 insertions(+), 68 deletions(-)
25
26diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
27index b026e09..ea14350 100644
28--- a/source3/libads/kerberos.c
29+++ b/source3/libads/kerberos.c
30@@ -592,70 +592,6 @@ int kerberos_kinit_password(const char *principal,
31 /************************************************************************
32 ************************************************************************/
33
34-static char *print_kdc_line(char *mem_ctx,
35- const char *prev_line,
36- const struct sockaddr_storage *pss,
37- const char *kdc_name)
38-{
39- char addr[INET6_ADDRSTRLEN];
40- uint16_t port = get_sockaddr_port(pss);
41-
42- if (pss->ss_family == AF_INET) {
43- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
44- prev_line,
45- print_canonical_sockaddr(mem_ctx, pss));
46- }
47-
48- /*
49- * IPv6 starts here
50- */
51-
52- DEBUG(10, ("print_kdc_line: IPv6 case for kdc_name: %s, port: %d\n",
53- kdc_name, port));
54-
55- if (port != 0 && port != DEFAULT_KRB5_PORT) {
56- /* Currently for IPv6 we can't specify a non-default
57- krb5 port with an address, as this requires a ':'.
58- Resolve to a name. */
59- char hostname[MAX_DNS_NAME_LENGTH];
60- int ret = sys_getnameinfo((const struct sockaddr *)pss,
61- sizeof(*pss),
62- hostname, sizeof(hostname),
63- NULL, 0,
64- NI_NAMEREQD);
65- if (ret) {
66- DEBUG(0,("print_kdc_line: can't resolve name "
67- "for kdc with non-default port %s. "
68- "Error %s\n.",
69- print_canonical_sockaddr(mem_ctx, pss),
70- gai_strerror(ret)));
71- return NULL;
72- }
73- /* Success, use host:port */
74- return talloc_asprintf(mem_ctx,
75- "%s\tkdc = %s:%u\n",
76- prev_line,
77- hostname,
78- (unsigned int)port);
79- }
80-
81- /* no krb5 lib currently supports "kdc = ipv6 address"
82- * at all, so just fill in just the kdc_name if we have
83- * it and let the krb5 lib figure out the appropriate
84- * ipv6 address - gd */
85-
86- if (kdc_name) {
87- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
88- prev_line, kdc_name);
89- }
90-
91- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
92- prev_line,
93- print_sockaddr(addr,
94- sizeof(addr),
95- pss));
96-}
97-
98 /************************************************************************
99 Create a string list of available kdc's, possibly searching by sitename.
100 Does DNS queries.
101@@ -698,7 +634,8 @@ static char *get_kdc_ip_string(char *mem_ctx,
102 char *result = NULL;
103 struct netlogon_samlogon_response **responses = NULL;
104 NTSTATUS status;
105- char *kdc_str = print_kdc_line(mem_ctx, "", pss, kdc_name);
106+ char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
107+ print_canonical_sockaddr(mem_ctx, pss));
108
109 if (kdc_str == NULL) {
110 TALLOC_FREE(frame);
111@@ -788,9 +725,9 @@ static char *get_kdc_ip_string(char *mem_ctx,
112 }
113
114 /* Append to the string - inefficient but not done often. */
115- new_kdc_str = print_kdc_line(mem_ctx, kdc_str,
116- &dc_addrs[i],
117- kdc_name);
118+ new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
119+ kdc_str,
120+ print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));
121 if (new_kdc_str == NULL) {
122 goto fail;
123 }
124--
1251.8.5.3
126
127
128From 3edb3d4084548960f03356cf4c44a6892e6efb84 Mon Sep 17 00:00:00 2001
129From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
130Date: Fri, 7 Mar 2014 14:47:31 +0100
131Subject: [PATCH 2/2] s3-kerberos: remove unused kdc_name from
132 create_local_private_krb5_conf_for_domain().
133MIME-Version: 1.0
134Content-Type: text/plain; charset=UTF-8
135Content-Transfer-Encoding: 8bit
136
137Guenther
138
139Signed-off-by: Günther Deschner <gd@samba.org>
140Reviewed-by: Andreas Schneider <asn@samba.org>
141---
142 source3/libads/kerberos.c | 10 ++++------
143 source3/libads/kerberos_proto.h | 3 +--
144 source3/libnet/libnet_join.c | 3 +--
145 source3/libsmb/namequery_dc.c | 6 ++----
146 source3/winbindd/winbindd_cm.c | 6 ++----
147 5 files changed, 10 insertions(+), 18 deletions(-)
148
149diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
150index ea14350..649e568 100644
151--- a/source3/libads/kerberos.c
152+++ b/source3/libads/kerberos.c
153@@ -618,8 +618,7 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,
154 static char *get_kdc_ip_string(char *mem_ctx,
155 const char *realm,
156 const char *sitename,
157- const struct sockaddr_storage *pss,
158- const char *kdc_name)
159+ const struct sockaddr_storage *pss)
160 {
161 TALLOC_CTX *frame = talloc_stackframe();
162 int i;
163@@ -756,8 +755,7 @@ fail:
164 bool create_local_private_krb5_conf_for_domain(const char *realm,
165 const char *domain,
166 const char *sitename,
167- const struct sockaddr_storage *pss,
168- const char *kdc_name)
169+ const struct sockaddr_storage *pss)
170 {
171 char *dname;
172 char *tmpname = NULL;
173@@ -782,7 +780,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
174 return false;
175 }
176
177- if (domain == NULL || pss == NULL || kdc_name == NULL) {
178+ if (domain == NULL || pss == NULL) {
179 return false;
180 }
181
182@@ -815,7 +813,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
183 goto done;
184 }
185
186- kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss, kdc_name);
187+ kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
188 if (!kdc_ip_string) {
189 goto done;
190 }
191diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
192index f7470d2..2559634 100644
193--- a/source3/libads/kerberos_proto.h
194+++ b/source3/libads/kerberos_proto.h
195@@ -62,8 +62,7 @@ int kerberos_kinit_password(const char *principal,
196 bool create_local_private_krb5_conf_for_domain(const char *realm,
197 const char *domain,
198 const char *sitename,
199- const struct sockaddr_storage *pss,
200- const char *kdc_name);
201+ const struct sockaddr_storage *pss);
202
203 /* The following definitions come from libads/authdata.c */
204
205diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
206index a87eb38..68884cd 100644
207--- a/source3/libnet/libnet_join.c
208+++ b/source3/libnet/libnet_join.c
209@@ -2152,8 +2152,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
210
211 create_local_private_krb5_conf_for_domain(
212 r->out.dns_domain_name, r->out.netbios_domain_name,
213- NULL, smbXcli_conn_remote_sockaddr(cli->conn),
214- smbXcli_conn_remote_name(cli->conn));
215+ NULL, smbXcli_conn_remote_sockaddr(cli->conn));
216
217 if (r->out.domain_is_ad && r->in.account_ou &&
218 !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
219diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
220index 3cfae79..eb34741 100644
221--- a/source3/libsmb/namequery_dc.c
222+++ b/source3/libsmb/namequery_dc.c
223@@ -112,14 +112,12 @@ static bool ads_dc_name(const char *domain,
224 create_local_private_krb5_conf_for_domain(realm,
225 domain,
226 sitename,
227- &ads->ldap.ss,
228- ads->config.ldap_server_name);
229+ &ads->ldap.ss);
230 } else {
231 create_local_private_krb5_conf_for_domain(realm,
232 domain,
233 NULL,
234- &ads->ldap.ss,
235- ads->config.ldap_server_name);
236+ &ads->ldap.ss);
237 }
238 }
239 #endif
240diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
241index 669a43e..be13a57 100644
242--- a/source3/winbindd/winbindd_cm.c
243+++ b/source3/winbindd/winbindd_cm.c
244@@ -1233,8 +1233,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
245 create_local_private_krb5_conf_for_domain(domain->alt_name,
246 domain->name,
247 sitename,
248- pss,
249- *name);
250+ pss);
251
252 SAFE_FREE(sitename);
253 } else {
254@@ -1242,8 +1241,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
255 create_local_private_krb5_conf_for_domain(domain->alt_name,
256 domain->name,
257 NULL,
258- pss,
259- *name);
260+ pss);
261 }
262 winbindd_set_locator_kdc_envs(domain);
263
264--
2651.8.5.3
266
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
deleted file mode 100644
index 26a4caf01..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch
+++ /dev/null
@@ -1,962 +0,0 @@
1From 932490ae08578c37523e00e537017603ee00ce7c Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3Date: Fri, 17 Jan 2014 14:29:03 +0100
4Subject: [PATCH 1/8] s3-libads: pass down local_service to
5 kerberos_return_pac().
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Guenther
11
12Signed-off-by: Günther Deschner <gd@samba.org>
13Reviewed-by: Andreas Schneider <asn@samba.org>
14---
15 source3/libads/authdata.c | 6 +-----
16 source3/libads/kerberos_proto.h | 1 +
17 source3/utils/net_ads.c | 8 ++++++++
18 source3/winbindd/winbindd_pam.c | 9 +++++++++
19 4 files changed, 19 insertions(+), 5 deletions(-)
20
21diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
22index 801e551..dd80dc2 100644
23--- a/source3/libads/authdata.c
24+++ b/source3/libads/authdata.c
25@@ -101,13 +101,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
26 bool add_netbios_addr,
27 time_t renewable_time,
28 const char *impersonate_princ_s,
29+ const char *local_service,
30 struct PAC_LOGON_INFO **_logon_info)
31 {
32 krb5_error_code ret;
33 NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
34 DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
35 const char *auth_princ = NULL;
36- const char *local_service = NULL;
37 const char *cc = "MEMORY:kerberos_return_pac";
38 struct auth_session_info *session_info;
39 struct gensec_security *gensec_server_context;
40@@ -141,10 +141,6 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
41 }
42 NT_STATUS_HAVE_NO_MEMORY(auth_princ);
43
44- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
45- lp_netbios_name(), lp_realm());
46- NT_STATUS_HAVE_NO_MEMORY(local_service);
47-
48 ret = kerberos_kinit_password_ext(auth_princ,
49 pass,
50 time_offset,
51diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
52index 2559634..1151d66 100644
53--- a/source3/libads/kerberos_proto.h
54+++ b/source3/libads/kerberos_proto.h
55@@ -77,6 +77,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
56 bool add_netbios_addr,
57 time_t renewable_time,
58 const char *impersonate_princ_s,
59+ const char *local_service,
60 struct PAC_LOGON_INFO **logon_info);
61
62 /* The following definitions come from libads/krb5_setpw.c */
63diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
64index 89eebf3..5a073b1 100644
65--- a/source3/utils/net_ads.c
66+++ b/source3/utils/net_ads.c
67@@ -2604,6 +2604,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
68 NTSTATUS status;
69 int ret = -1;
70 const char *impersonate_princ_s = NULL;
71+ const char *local_service = NULL;
72
73 if (c->display_usage) {
74 d_printf( "%s\n"
75@@ -2623,6 +2624,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
76 impersonate_princ_s = argv[0];
77 }
78
79+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
80+ lp_netbios_name(), lp_realm());
81+ if (local_service == NULL) {
82+ goto out;
83+ }
84+
85 c->opt_password = net_prompt_pass(c, c->opt_user_name);
86
87 status = kerberos_return_pac(mem_ctx,
88@@ -2636,6 +2643,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
89 true,
90 2592000, /* one month */
91 impersonate_princ_s,
92+ local_service,
93 &info);
94 if (!NT_STATUS_IS_OK(status)) {
95 d_printf(_("failed to query kerberos PAC: %s\n"),
96diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
97index 3f3ec70..61e2cef 100644
98--- a/source3/winbindd/winbindd_pam.c
99+++ b/source3/winbindd/winbindd_pam.c
100@@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
101 time_t time_offset = 0;
102 const char *user_ccache_file;
103 struct PAC_LOGON_INFO *logon_info = NULL;
104+ const char *local_service;
105
106 *info3 = NULL;
107
108@@ -632,6 +633,13 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
109 return NT_STATUS_NO_MEMORY;
110 }
111
112+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
113+ lp_netbios_name(), lp_realm());
114+ if (local_service == NULL) {
115+ return NT_STATUS_NO_MEMORY;
116+ }
117+
118+
119 /* if this is a user ccache, we need to act as the user to let the krb5
120 * library handle the chown, etc. */
121
122@@ -653,6 +661,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
123 true,
124 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
125 NULL,
126+ local_service,
127 &logon_info);
128 if (user_ccache_file != NULL) {
129 gain_root_privilege();
130--
1311.8.5.3
132
133
134From baed403983a5bb2e728249443fdfc9167a87f526 Mon Sep 17 00:00:00 2001
135From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
136Date: Mon, 3 Mar 2014 12:14:51 +0100
137Subject: [PATCH 2/8] auth/kerberos: fix a typo.
138MIME-Version: 1.0
139Content-Type: text/plain; charset=UTF-8
140Content-Transfer-Encoding: 8bit
141
142Guenther
143
144Signed-off-by: Günther Deschner <gd@samba.org>
145Reviewed-by: Andreas Schneider <asn@samba.org>
146---
147 auth/kerberos/kerberos_pac.c | 2 +-
148 1 file changed, 1 insertion(+), 1 deletion(-)
149
150diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
151index 81f7f21..8f55c8f 100644
152--- a/auth/kerberos/kerberos_pac.c
153+++ b/auth/kerberos/kerberos_pac.c
154@@ -79,7 +79,7 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
155 }
156
157 /**
158-* @brief Decode a blob containing a NDR envoded PAC structure
159+* @brief Decode a blob containing a NDR encoded PAC structure
160 *
161 * @param mem_ctx - The memory context
162 * @param pac_data_blob - The data blob containing the NDR encoded data
163--
1641.8.5.3
165
166
167From 9725a86e60bb6ef6e912621e81acc955ae2f70a8 Mon Sep 17 00:00:00 2001
168From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
169Date: Mon, 10 Mar 2014 15:11:18 +0100
170Subject: [PATCH 3/8] s3-net: change the way impersonation principals are used
171 in "net ads kerberos pac".
172MIME-Version: 1.0
173Content-Type: text/plain; charset=UTF-8
174Content-Transfer-Encoding: 8bit
175
176Guenther
177
178Signed-off-by: Günther Deschner <gd@samba.org>
179Reviewed-by: Andreas Schneider <asn@samba.org>
180---
181 source3/utils/net_ads.c | 14 ++++++++++----
182 1 file changed, 10 insertions(+), 4 deletions(-)
183
184diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
185index 5a073b1..ac6346f 100644
186--- a/source3/utils/net_ads.c
187+++ b/source3/utils/net_ads.c
188@@ -2605,6 +2605,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
189 int ret = -1;
190 const char *impersonate_princ_s = NULL;
191 const char *local_service = NULL;
192+ int i;
193
194 if (c->display_usage) {
195 d_printf( "%s\n"
196@@ -2615,15 +2616,20 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
197 return 0;
198 }
199
200+ for (i=0; i<argc; i++) {
201+ if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
202+ impersonate_princ_s = get_string_param(argv[i]);
203+ if (impersonate_princ_s == NULL) {
204+ return -1;
205+ }
206+ }
207+ }
208+
209 mem_ctx = talloc_init("net_ads_kerberos_pac");
210 if (!mem_ctx) {
211 goto out;
212 }
213
214- if (argc > 0) {
215- impersonate_princ_s = argv[0];
216- }
217-
218 local_service = talloc_asprintf(mem_ctx, "%s$@%s",
219 lp_netbios_name(), lp_realm());
220 if (local_service == NULL) {
221--
2221.8.5.3
223
224
225From 35a1ed22f65473fabb2f4846f6d2b50da1847f6a Mon Sep 17 00:00:00 2001
226From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
227Date: Tue, 11 Mar 2014 16:34:36 +0100
228Subject: [PATCH 4/8] s3-net: allow to provide custom local_service in "net ads
229 kerberos pac".
230MIME-Version: 1.0
231Content-Type: text/plain; charset=UTF-8
232Content-Transfer-Encoding: 8bit
233
234Guenther
235
236Signed-off-by: Günther Deschner <gd@samba.org>
237Reviewed-by: Andreas Schneider <asn@samba.org>
238---
239 source3/utils/net_ads.c | 14 +++++++++++---
240 1 file changed, 11 insertions(+), 3 deletions(-)
241
242diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
243index ac6346f..c53c8c6 100644
244--- a/source3/utils/net_ads.c
245+++ b/source3/utils/net_ads.c
246@@ -2623,6 +2623,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
247 return -1;
248 }
249 }
250+ if (strnequal(argv[i], "local_service", strlen("local_service"))) {
251+ local_service = get_string_param(argv[i]);
252+ if (local_service == NULL) {
253+ return -1;
254+ }
255+ }
256 }
257
258 mem_ctx = talloc_init("net_ads_kerberos_pac");
259@@ -2630,10 +2636,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
260 goto out;
261 }
262
263- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
264- lp_netbios_name(), lp_realm());
265 if (local_service == NULL) {
266- goto out;
267+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
268+ lp_netbios_name(), lp_realm());
269+ if (local_service == NULL) {
270+ goto out;
271+ }
272 }
273
274 c->opt_password = net_prompt_pass(c, c->opt_user_name);
275--
2761.8.5.3
277
278
279From 1270e35ba70a4e4881512d375c767023512f67bd Mon Sep 17 00:00:00 2001
280From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
281Date: Fri, 21 Feb 2014 18:56:04 +0100
282Subject: [PATCH 5/8] s3-kerberos: return a full PAC in kerberos_return_pac().
283MIME-Version: 1.0
284Content-Type: text/plain; charset=UTF-8
285Content-Transfer-Encoding: 8bit
286
287Guenther
288
289Signed-off-by: Günther Deschner <gd@samba.org>
290Reviewed-by: Andreas Schneider <asn@samba.org>
291---
292 source3/libads/authdata.c | 28 +++++++++++++++++-----------
293 source3/libads/kerberos_proto.h | 4 ++--
294 source3/utils/net_ads.c | 17 ++++++++++++++++-
295 source3/winbindd/winbindd_pam.c | 22 +++++++++++++++++++++-
296 4 files changed, 56 insertions(+), 15 deletions(-)
297
298diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
299index dd80dc2..53e40ef 100644
300--- a/source3/libads/authdata.c
301+++ b/source3/libads/authdata.c
302@@ -52,7 +52,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
303 struct auth_session_info **session_info)
304 {
305 TALLOC_CTX *tmp_ctx;
306- struct PAC_LOGON_INFO *logon_info = NULL;
307+ struct PAC_DATA *pac_data = NULL;
308 NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
309
310 tmp_ctx = talloc_new(mem_ctx);
311@@ -61,16 +61,22 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
312 }
313
314 if (pac_blob) {
315- status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
316- NULL, NULL, 0, &logon_info);
317+ status = kerberos_decode_pac(tmp_ctx,
318+ *pac_blob,
319+ NULL,
320+ NULL,
321+ NULL,
322+ NULL,
323+ 0,
324+ &pac_data);
325 if (!NT_STATUS_IS_OK(status)) {
326 goto done;
327 }
328 }
329
330- talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");
331+ talloc_set_name_const(pac_data, "struct PAC_DATA");
332
333- auth_ctx->private_data = talloc_steal(auth_ctx, logon_info);
334+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
335 *session_info = talloc_zero(mem_ctx, struct auth_session_info);
336 if (!*session_info) {
337 status = NT_STATUS_NO_MEMORY;
338@@ -102,7 +108,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
339 time_t renewable_time,
340 const char *impersonate_princ_s,
341 const char *local_service,
342- struct PAC_LOGON_INFO **_logon_info)
343+ struct PAC_DATA **_pac_data)
344 {
345 krb5_error_code ret;
346 NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
347@@ -116,7 +122,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
348 size_t idx = 0;
349 struct auth4_context *auth_context;
350 struct loadparm_context *lp_ctx;
351- struct PAC_LOGON_INFO *logon_info = NULL;
352+ struct PAC_DATA *pac_data = NULL;
353
354 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
355 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
356@@ -272,15 +278,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
357 goto out;
358 }
359
360- logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
361- struct PAC_LOGON_INFO);
362- if (logon_info == NULL) {
363+ pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
364+ struct PAC_DATA);
365+ if (pac_data == NULL) {
366 DEBUG(1,("no PAC\n"));
367 status = NT_STATUS_INVALID_PARAMETER;
368 goto out;
369 }
370
371- *_logon_info = talloc_move(mem_ctx, &logon_info);
372+ *_pac_data = talloc_move(mem_ctx, &pac_data);
373
374 out:
375 talloc_free(tmp_ctx);
376diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
377index 1151d66..b2f7486 100644
378--- a/source3/libads/kerberos_proto.h
379+++ b/source3/libads/kerberos_proto.h
380@@ -32,7 +32,7 @@
381
382 #include "system/kerberos.h"
383
384-struct PAC_LOGON_INFO;
385+struct PAC_DATA;
386
387 #include "libads/ads_status.h"
388
389@@ -78,7 +78,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
390 time_t renewable_time,
391 const char *impersonate_princ_s,
392 const char *local_service,
393- struct PAC_LOGON_INFO **logon_info);
394+ struct PAC_DATA **pac_data);
395
396 /* The following definitions come from libads/krb5_setpw.c */
397
398diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
399index c53c8c6..19da6da 100644
400--- a/source3/utils/net_ads.c
401+++ b/source3/utils/net_ads.c
402@@ -2600,6 +2600,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
403 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
404 {
405 struct PAC_LOGON_INFO *info = NULL;
406+ struct PAC_DATA *pac_data = NULL;
407 TALLOC_CTX *mem_ctx = NULL;
408 NTSTATUS status;
409 int ret = -1;
410@@ -2658,13 +2659,27 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
411 2592000, /* one month */
412 impersonate_princ_s,
413 local_service,
414- &info);
415+ &pac_data);
416 if (!NT_STATUS_IS_OK(status)) {
417 d_printf(_("failed to query kerberos PAC: %s\n"),
418 nt_errstr(status));
419 goto out;
420 }
421
422+ for (i=0; i < pac_data->num_buffers; i++) {
423+
424+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
425+ continue;
426+ }
427+
428+ info = pac_data->buffers[i].info->logon_info.info;
429+ if (!info) {
430+ goto out;
431+ }
432+
433+ break;
434+ }
435+
436 if (info) {
437 const char *s;
438 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
439diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
440index 61e2cef..a8daae51 100644
441--- a/source3/winbindd/winbindd_pam.c
442+++ b/source3/winbindd/winbindd_pam.c
443@@ -576,7 +576,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
444 time_t time_offset = 0;
445 const char *user_ccache_file;
446 struct PAC_LOGON_INFO *logon_info = NULL;
447+ struct PAC_DATA *pac_data = NULL;
448 const char *local_service;
449+ int i;
450
451 *info3 = NULL;
452
453@@ -662,7 +664,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
454 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
455 NULL,
456 local_service,
457- &logon_info);
458+ &pac_data);
459 if (user_ccache_file != NULL) {
460 gain_root_privilege();
461 }
462@@ -673,6 +675,24 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
463 goto failed;
464 }
465
466+ if (pac_data == NULL) {
467+ goto failed;
468+ }
469+
470+ for (i=0; i < pac_data->num_buffers; i++) {
471+
472+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
473+ continue;
474+ }
475+
476+ logon_info = pac_data->buffers[i].info->logon_info.info;
477+ if (!logon_info) {
478+ return NT_STATUS_INVALID_PARAMETER;
479+ }
480+
481+ break;
482+ }
483+
484 *info3 = &logon_info->info3;
485
486 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
487--
4881.8.5.3
489
490
491From a8c2807a26d2f1ff094ed7ea5724c0394f79b888 Mon Sep 17 00:00:00 2001
492From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
493Date: Tue, 11 Mar 2014 18:07:11 +0100
494Subject: [PATCH 6/8] s3-kerberos: let kerberos_return_pac() return a PAC
495 container.
496MIME-Version: 1.0
497Content-Type: text/plain; charset=UTF-8
498Content-Transfer-Encoding: 8bit
499
500Guenther
501
502Signed-off-by: Günther Deschner <gd@samba.org>
503Reviewed-by: Andreas Schneider <asn@samba.org>
504---
505 source3/libads/authdata.c | 29 +++++++++++++++++++++--------
506 source3/libads/kerberos_proto.h | 7 ++++++-
507 source3/utils/net_ads.c | 5 ++++-
508 source3/winbindd/winbindd_pam.c | 8 +++++++-
509 4 files changed, 38 insertions(+), 11 deletions(-)
510
511diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
512index 53e40ef..276408d 100644
513--- a/source3/libads/authdata.c
514+++ b/source3/libads/authdata.c
515@@ -53,6 +53,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
516 {
517 TALLOC_CTX *tmp_ctx;
518 struct PAC_DATA *pac_data = NULL;
519+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
520 NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
521
522 tmp_ctx = talloc_new(mem_ctx);
523@@ -74,9 +75,21 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
524 }
525 }
526
527- talloc_set_name_const(pac_data, "struct PAC_DATA");
528+ pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR);
529+ if (pac_data_ctr == NULL) {
530+ status = NT_STATUS_NO_MEMORY;
531+ goto done;
532+ }
533+
534+ talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR");
535+
536+ pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data);
537+ pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
538+ pac_blob->data,
539+ pac_blob->length);
540+
541+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr);
542
543- auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
544 *session_info = talloc_zero(mem_ctx, struct auth_session_info);
545 if (!*session_info) {
546 status = NT_STATUS_NO_MEMORY;
547@@ -108,7 +121,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
548 time_t renewable_time,
549 const char *impersonate_princ_s,
550 const char *local_service,
551- struct PAC_DATA **_pac_data)
552+ struct PAC_DATA_CTR **_pac_data_ctr)
553 {
554 krb5_error_code ret;
555 NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
556@@ -122,7 +135,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
557 size_t idx = 0;
558 struct auth4_context *auth_context;
559 struct loadparm_context *lp_ctx;
560- struct PAC_DATA *pac_data = NULL;
561+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
562
563 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
564 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
565@@ -278,15 +291,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
566 goto out;
567 }
568
569- pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
570- struct PAC_DATA);
571- if (pac_data == NULL) {
572+ pac_data_ctr = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
573+ struct PAC_DATA_CTR);
574+ if (pac_data_ctr == NULL) {
575 DEBUG(1,("no PAC\n"));
576 status = NT_STATUS_INVALID_PARAMETER;
577 goto out;
578 }
579
580- *_pac_data = talloc_move(mem_ctx, &pac_data);
581+ *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
582
583 out:
584 talloc_free(tmp_ctx);
585diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
586index b2f7486..3d0ad4b 100644
587--- a/source3/libads/kerberos_proto.h
588+++ b/source3/libads/kerberos_proto.h
589@@ -34,6 +34,11 @@
590
591 struct PAC_DATA;
592
593+struct PAC_DATA_CTR {
594+ DATA_BLOB pac_blob;
595+ struct PAC_DATA *pac_data;
596+};
597+
598 #include "libads/ads_status.h"
599
600 /* The following definitions come from libads/kerberos.c */
601@@ -78,7 +83,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
602 time_t renewable_time,
603 const char *impersonate_princ_s,
604 const char *local_service,
605- struct PAC_DATA **pac_data);
606+ struct PAC_DATA_CTR **pac_data_ctr);
607
608 /* The following definitions come from libads/krb5_setpw.c */
609
610diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
611index 19da6da..19c28b1 100644
612--- a/source3/utils/net_ads.c
613+++ b/source3/utils/net_ads.c
614@@ -2601,6 +2601,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
615 {
616 struct PAC_LOGON_INFO *info = NULL;
617 struct PAC_DATA *pac_data = NULL;
618+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
619 TALLOC_CTX *mem_ctx = NULL;
620 NTSTATUS status;
621 int ret = -1;
622@@ -2659,13 +2660,15 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
623 2592000, /* one month */
624 impersonate_princ_s,
625 local_service,
626- &pac_data);
627+ &pac_data_ctr);
628 if (!NT_STATUS_IS_OK(status)) {
629 d_printf(_("failed to query kerberos PAC: %s\n"),
630 nt_errstr(status));
631 goto out;
632 }
633
634+ pac_data = pac_data_ctr->pac_data;
635+
636 for (i=0; i < pac_data->num_buffers; i++) {
637
638 if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
639diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
640index a8daae51..b41291e 100644
641--- a/source3/winbindd/winbindd_pam.c
642+++ b/source3/winbindd/winbindd_pam.c
643@@ -577,6 +577,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
644 const char *user_ccache_file;
645 struct PAC_LOGON_INFO *logon_info = NULL;
646 struct PAC_DATA *pac_data = NULL;
647+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
648 const char *local_service;
649 int i;
650
651@@ -664,7 +665,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
652 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
653 NULL,
654 local_service,
655- &pac_data);
656+ &pac_data_ctr);
657 if (user_ccache_file != NULL) {
658 gain_root_privilege();
659 }
660@@ -675,6 +676,11 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
661 goto failed;
662 }
663
664+ if (pac_data_ctr == NULL) {
665+ goto failed;
666+ }
667+
668+ pac_data = pac_data_ctr->pac_data;
669 if (pac_data == NULL) {
670 goto failed;
671 }
672--
6731.8.5.3
674
675
676From 9e01f3cbc4752539128e5452f567ff2e73c3ec9d Mon Sep 17 00:00:00 2001
677From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
678Date: Tue, 11 Mar 2014 18:14:39 +0100
679Subject: [PATCH 7/8] s3-net: modify the current "net ads kerberos pac"
680 command.
681MIME-Version: 1.0
682Content-Type: text/plain; charset=UTF-8
683Content-Transfer-Encoding: 8bit
684
685Rename it to "net ads kerberos pac dump" and add a "type=num" option to allow
686dumping of individial pac buffer types. Ommitting type= or using type=0 will
687dump the whole PAC structure on stdout.
688
689Guenther
690
691Signed-off-by: Günther Deschner <gd@samba.org>
692Reviewed-by: Andreas Schneider <asn@samba.org>
693---
694 source3/utils/net_ads.c | 115 ++++++++++++++++++++++++++++++++----------------
695 1 file changed, 77 insertions(+), 38 deletions(-)
696
697diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
698index 19c28b1..f54cf23 100644
699--- a/source3/utils/net_ads.c
700+++ b/source3/utils/net_ads.c
701@@ -2597,27 +2597,15 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
702 return ret;
703 }
704
705-static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
706+static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const char **argv,
707+ struct PAC_DATA_CTR **pac_data_ctr)
708 {
709- struct PAC_LOGON_INFO *info = NULL;
710- struct PAC_DATA *pac_data = NULL;
711- struct PAC_DATA_CTR *pac_data_ctr = NULL;
712- TALLOC_CTX *mem_ctx = NULL;
713 NTSTATUS status;
714 int ret = -1;
715 const char *impersonate_princ_s = NULL;
716 const char *local_service = NULL;
717 int i;
718
719- if (c->display_usage) {
720- d_printf( "%s\n"
721- "net ads kerberos pac [impersonation_principal]\n"
722- " %s\n",
723- _("Usage:"),
724- _("Dump the Kerberos PAC"));
725- return 0;
726- }
727-
728 for (i=0; i<argc; i++) {
729 if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
730 impersonate_princ_s = get_string_param(argv[i]);
731@@ -2633,13 +2621,8 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
732 }
733 }
734
735- mem_ctx = talloc_init("net_ads_kerberos_pac");
736- if (!mem_ctx) {
737- goto out;
738- }
739-
740 if (local_service == NULL) {
741- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
742+ local_service = talloc_asprintf(c, "%s$@%s",
743 lp_netbios_name(), lp_realm());
744 if (local_service == NULL) {
745 goto out;
746@@ -2648,7 +2631,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
747
748 c->opt_password = net_prompt_pass(c, c->opt_user_name);
749
750- status = kerberos_return_pac(mem_ctx,
751+ status = kerberos_return_pac(c,
752 c->opt_user_name,
753 c->opt_password,
754 0,
755@@ -2660,39 +2643,95 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
756 2592000, /* one month */
757 impersonate_princ_s,
758 local_service,
759- &pac_data_ctr);
760+ pac_data_ctr);
761 if (!NT_STATUS_IS_OK(status)) {
762 d_printf(_("failed to query kerberos PAC: %s\n"),
763 nt_errstr(status));
764 goto out;
765 }
766
767- pac_data = pac_data_ctr->pac_data;
768+ ret = 0;
769+ out:
770+ return ret;
771+}
772
773- for (i=0; i < pac_data->num_buffers; i++) {
774+static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char **argv)
775+{
776+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
777+ int i;
778+ int ret = -1;
779+ enum PAC_TYPE type = 0;
780
781- if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
782- continue;
783+ if (c->display_usage) {
784+ d_printf( "%s\n"
785+ "net ads kerberos pac dump [impersonate=string] [local_service=string] [pac_buffer_type=int]\n"
786+ " %s\n",
787+ _("Usage:"),
788+ _("Dump the Kerberos PAC"));
789+ return -1;
790+ }
791+
792+ for (i=0; i<argc; i++) {
793+ if (strnequal(argv[i], "pac_buffer_type", strlen("pac_buffer_type"))) {
794+ type = get_int_param(argv[i]);
795 }
796+ }
797
798- info = pac_data->buffers[i].info->logon_info.info;
799- if (!info) {
800- goto out;
801+ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
802+ if (ret) {
803+ return ret;
804+ }
805+
806+ if (type == 0) {
807+
808+ char *s = NULL;
809+
810+ s = NDR_PRINT_STRUCT_STRING(c, PAC_DATA,
811+ pac_data_ctr->pac_data);
812+ if (s != NULL) {
813+ d_printf(_("The Pac: %s\n"), s);
814+ talloc_free(s);
815 }
816
817- break;
818+ return 0;
819 }
820
821- if (info) {
822- const char *s;
823- s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
824- d_printf(_("The Pac: %s\n"), s);
825+ for (i=0; i < pac_data_ctr->pac_data->num_buffers; i++) {
826+
827+ char *s = NULL;
828+
829+ if (pac_data_ctr->pac_data->buffers[i].type != type) {
830+ continue;
831+ }
832+
833+ s = NDR_PRINT_UNION_STRING(c, PAC_INFO, type,
834+ pac_data_ctr->pac_data->buffers[i].info);
835+ if (s != NULL) {
836+ d_printf(_("The Pac: %s\n"), s);
837+ talloc_free(s);
838+ }
839+ break;
840 }
841
842- ret = 0;
843- out:
844- TALLOC_FREE(mem_ctx);
845- return ret;
846+ return 0;
847+}
848+
849+static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
850+{
851+ struct functable func[] = {
852+ {
853+ "dump",
854+ net_ads_kerberos_pac_dump,
855+ NET_TRANSPORT_ADS,
856+ N_("Dump Kerberos PAC"),
857+ N_("net ads kerberos pac dump\n"
858+ " Dump a Kerberos PAC to stdout")
859+ },
860+
861+ {NULL, NULL, 0, NULL, NULL}
862+ };
863+
864+ return net_run_function(c, argc, argv, "net ads kerberos pac", func);
865 }
866
867 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
868--
8691.8.5.3
870
871
872From 91ceace4ee8fd141cac5dbe5282bed141c38bee7 Mon Sep 17 00:00:00 2001
873From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
874Date: Tue, 11 Mar 2014 18:16:40 +0100
875Subject: [PATCH 8/8] s3-net: add a new "net ads kerberos pac save" tool.
876MIME-Version: 1.0
877Content-Type: text/plain; charset=UTF-8
878Content-Transfer-Encoding: 8bit
879
880Use "filename=string" to define a file where to save the unencrypted PAC to.
881
882Guenther
883
884Signed-off-by: Günther Deschner <gd@samba.org>
885Reviewed-by: Andreas Schneider <asn@samba.org>
886---
887 source3/utils/net_ads.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
888 1 file changed, 52 insertions(+)
889
890diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
891index f54cf23..8b8e719 100644
892--- a/source3/utils/net_ads.c
893+++ b/source3/utils/net_ads.c
894@@ -2716,6 +2716,50 @@ static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char
895 return 0;
896 }
897
898+static int net_ads_kerberos_pac_save(struct net_context *c, int argc, const char **argv)
899+{
900+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
901+ char *filename = NULL;
902+ int ret = -1;
903+ int i;
904+
905+ if (c->display_usage) {
906+ d_printf( "%s\n"
907+ "net ads kerberos pac save [impersonate=string] [local_service=string] [filename=string]\n"
908+ " %s\n",
909+ _("Usage:"),
910+ _("Save the Kerberos PAC"));
911+ return -1;
912+ }
913+
914+ for (i=0; i<argc; i++) {
915+ if (strnequal(argv[i], "filename", strlen("filename"))) {
916+ filename = get_string_param(argv[i]);
917+ if (filename == NULL) {
918+ return -1;
919+ }
920+ }
921+ }
922+
923+ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
924+ if (ret) {
925+ return ret;
926+ }
927+
928+ if (filename == NULL) {
929+ d_printf(_("please define \"filename=<filename>\" to save the PAC\n"));
930+ return -1;
931+ }
932+
933+ /* save the raw format */
934+ if (!file_save(filename, pac_data_ctr->pac_blob.data, pac_data_ctr->pac_blob.length)) {
935+ d_printf(_("failed to save PAC in %s\n"), filename);
936+ return -1;
937+ }
938+
939+ return 0;
940+}
941+
942 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
943 {
944 struct functable func[] = {
945@@ -2727,6 +2771,14 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
946 N_("net ads kerberos pac dump\n"
947 " Dump a Kerberos PAC to stdout")
948 },
949+ {
950+ "save",
951+ net_ads_kerberos_pac_save,
952+ NET_TRANSPORT_ADS,
953+ N_("Save Kerberos PAC"),
954+ N_("net ads kerberos pac save\n"
955+ " Save a Kerberos PAC in a file")
956+ },
957
958 {NULL, NULL, 0, NULL, NULL}
959 };
960--
9611.8.5.3
962
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
deleted file mode 100644
index a2058f115..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/04-ipv6-workaround.patch
+++ /dev/null
@@ -1,211 +0,0 @@
1From 942dedb71437cd89932a7f39ca73d65c09aa59be Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3Date: Wed, 2 Apr 2014 19:37:34 +0200
4Subject: [PATCH] s3-kerberos: make ipv6 support for generated krb5 config
5 files more robust.
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Older MIT Kerberos libraries will add any secondary ipv6 address as
11ipv4 address, defining the (default) krb5 port 88 circumvents that.
12
13Guenther
14
15Signed-off-by: Günther Deschner <gd@samba.org>
16---
17 source3/libads/kerberos.c | 29 +++++++++++++++++++++++++++--
18 1 file changed, 27 insertions(+), 2 deletions(-)
19
20diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
21index 649e568..f3c23ea 100644
22--- a/source3/libads/kerberos.c
23+++ b/source3/libads/kerberos.c
24@@ -615,6 +615,31 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,
25 *num_addrs += 1;
26 }
27
28+/* print_canonical_sockaddr prints an ipv6 addr in the form of
29+* [ipv6.addr]. This string, when put in a generated krb5.conf file is not
30+* always properly dealt with by some older krb5 libraries. Adding the hard-coded
31+* portnumber workarounds the issue. - gd */
32+
33+static char *print_canonical_sockaddr_with_port(TALLOC_CTX *mem_ctx,
34+ const struct sockaddr_storage *pss)
35+{
36+ char *str = NULL;
37+
38+ str = print_canonical_sockaddr(mem_ctx, pss);
39+ if (str == NULL) {
40+ return NULL;
41+ }
42+
43+ if (pss->ss_family != AF_INET6) {
44+ return str;
45+ }
46+
47+#if defined(HAVE_IPV6)
48+ str = talloc_asprintf_append(str, ":88");
49+#endif
50+ return str;
51+}
52+
53 static char *get_kdc_ip_string(char *mem_ctx,
54 const char *realm,
55 const char *sitename,
56@@ -634,7 +659,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
57 struct netlogon_samlogon_response **responses = NULL;
58 NTSTATUS status;
59 char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
60- print_canonical_sockaddr(mem_ctx, pss));
61+ print_canonical_sockaddr_with_port(mem_ctx, pss));
62
63 if (kdc_str == NULL) {
64 TALLOC_FREE(frame);
65@@ -726,7 +751,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
66 /* Append to the string - inefficient but not done often. */
67 new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
68 kdc_str,
69- print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));
70+ print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));
71 if (new_kdc_str == NULL) {
72 goto fail;
73 }
74--
751.9.0
76
77From 60db71015f84dd242be889576d85ccd5c6a1f73b Mon Sep 17 00:00:00 2001
78From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
79Date: Wed, 16 Apr 2014 16:07:14 +0200
80Subject: [PATCH] s3-libads: allow ads_try_connect() to re-use a resolved ip
81 address.
82MIME-Version: 1.0
83Content-Type: text/plain; charset=UTF-8
84Content-Transfer-Encoding: 8bit
85
86Pass down a struct sockaddr_storage to ads_try_connect.
87
88Guenther
89
90Signed-off-by: Günther Deschner <gd@samba.org>
91Reviewed-by: Andreas Schneider <asn@samba.org>
92
93Autobuild-User(master): Günther Deschner <gd@samba.org>
94Autobuild-Date(master): Thu Apr 17 19:56:16 CEST 2014 on sn-devel-104
95---
96 source3/libads/ldap.c | 44 ++++++++++++++++++++++++++------------------
97 1 file changed, 26 insertions(+), 18 deletions(-)
98
99diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
100index d9bb8e2..8fed8fd 100644
101--- a/source3/libads/ldap.c
102+++ b/source3/libads/ldap.c
103@@ -228,33 +228,27 @@ bool ads_closest_dc(ADS_STRUCT *ads)
104 try a connection to a given ldap server, returning True and setting the servers IP
105 in the ads struct if successful
106 */
107-static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
108+static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
109+ struct sockaddr_storage *ss)
110 {
111 struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;
112 TALLOC_CTX *frame = talloc_stackframe();
113 bool ret = false;
114- struct sockaddr_storage ss;
115 char addr[INET6_ADDRSTRLEN];
116
117- if (!server || !*server) {
118+ if (ss == NULL) {
119 TALLOC_FREE(frame);
120 return False;
121 }
122
123- if (!resolve_name(server, &ss, 0x20, true)) {
124- DEBUG(5,("ads_try_connect: unable to resolve name %s\n",
125- server ));
126- TALLOC_FREE(frame);
127- return false;
128- }
129- print_sockaddr(addr, sizeof(addr), &ss);
130+ print_sockaddr(addr, sizeof(addr), ss);
131
132 DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
133 addr, ads->server.realm));
134
135 ZERO_STRUCT( cldap_reply );
136
137- if ( !ads_cldap_netlogon_5(frame, &ss, ads->server.realm, &cldap_reply ) ) {
138+ if ( !ads_cldap_netlogon_5(frame, ss, ads->server.realm, &cldap_reply ) ) {
139 DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", addr));
140 ret = false;
141 goto out;
142@@ -298,7 +292,7 @@ static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
143 ads->server.workgroup = SMB_STRDUP(cldap_reply.domain_name);
144
145 ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
146- ads->ldap.ss = ss;
147+ ads->ldap.ss = *ss;
148
149 /* Store our site name. */
150 sitename_store( cldap_reply.domain_name, cldap_reply.client_site);
151@@ -330,6 +324,7 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
152 bool use_own_domain = False;
153 char *sitename;
154 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
155+ bool ok = false;
156
157 /* if the realm and workgroup are both empty, assume they are ours */
158
159@@ -384,12 +379,14 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
160 DEBUG(6,("ads_find_dc: (ldap) looking for %s '%s'\n",
161 (got_realm ? "realm" : "domain"), realm));
162
163- if (get_dc_name(domain, realm, srv_name, &ip_out)) {
164+ ok = get_dc_name(domain, realm, srv_name, &ip_out);
165+ if (ok) {
166 /*
167 * we call ads_try_connect() to fill in the
168 * ads->config details
169 */
170- if (ads_try_connect(ads, srv_name, false)) {
171+ ok = ads_try_connect(ads, false, &ip_out);
172+ if (ok) {
173 return NT_STATUS_OK;
174 }
175 }
176@@ -445,7 +442,8 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
177 }
178 }
179
180- if ( ads_try_connect(ads, server, false) ) {
181+ ok = ads_try_connect(ads, false, &ip_list[i].ss);
182+ if (ok) {
183 SAFE_FREE(ip_list);
184 SAFE_FREE(sitename);
185 return NT_STATUS_OK;
186@@ -630,9 +628,19 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
187 TALLOC_FREE(s);
188 }
189
190- if (ads->server.ldap_server)
191- {
192- if (ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
193+ if (ads->server.ldap_server) {
194+ bool ok = false;
195+ struct sockaddr_storage ss;
196+
197+ ok = resolve_name(ads->server.ldap_server, &ss, 0x20, true);
198+ if (!ok) {
199+ DEBUG(5,("ads_connect: unable to resolve name %s\n",
200+ ads->server.ldap_server));
201+ status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
202+ goto out;
203+ }
204+ ok = ads_try_connect(ads, ads->server.gc, &ss);
205+ if (ok) {
206 goto got_connection;
207 }
208
209--
2101.9.0
211
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
deleted file mode 100644
index c1dfc06e9..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch
+++ /dev/null
@@ -1,29894 +0,0 @@
1From 538f62edb2cc4c17204620d8a9b3075c7453422b Mon Sep 17 00:00:00 2001
2From: Andreas Schneider <asn@samba.org>
3Date: Thu, 4 Sep 2014 12:55:53 +0200
4Subject: [PATCH 002/249] selftest: Fix selftest where pid is used
5 uninitialized.
6
7On my system this gets evaluated to 0 so in the end we detect samba to
8be running cause $childpid is set to 0.
9
10BUG: https://bugzilla.samba.org/show_bug.cgi?id=10793
11
12Signed-off-by: Andreas Schneider <asn@samba.org>
13Reviewed-by: Stefan Metzmacher <metze@samba.org>
14
15Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
16Autobuild-Date(master): Thu Sep 4 17:09:17 CEST 2014 on sn-devel-104
17
18(cherry picked from commit 6d2f56dbaf84203b351f33179cc3feaf557e0683)
19Signed-off-by: Andreas Schneider <asn@samba.org>
20
21Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
22Autobuild-Date(v4-1-test): Mon Sep 8 23:19:29 CEST 2014 on sn-devel-104
23---
24 selftest/target/Samba.pm | 7 ++++++-
25 1 file changed, 6 insertions(+), 1 deletion(-)
26
27diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
28index ab3851f..b0817fd 100644
29--- a/selftest/target/Samba.pm
30+++ b/selftest/target/Samba.pm
31@@ -188,7 +188,12 @@ sub get_interface($)
32 sub cleanup_child($$)
33 {
34 my ($pid, $name) = @_;
35- my $childpid = waitpid($pid, WNOHANG);
36+ my $childpid = -1;
37+
38+ if (defined($pid)) {
39+ $childpid = waitpid($pid, WNOHANG);
40+ }
41+
42 if ($childpid == 0) {
43 } elsif ($childpid < 0) {
44 printf STDERR "%s child process %d isn't here any more\n",
45--
461.9.3
47
48
49From a14c0878c232dcf674008444f80dc0e5d8aada09 Mon Sep 17 00:00:00 2001
50From: Stefan Metzmacher <metze@samba.org>
51Date: Wed, 31 Jul 2013 12:33:25 +0200
52Subject: [PATCH 003/249] auth/credentials: remove pointless talloc_reference()
53 from cli_credentials_get_unparsed_name()
54
55Signed-off-by: Stefan Metzmacher <metze@samba.org>
56
57Reviewed-by: Andrew Bartlett <abartlet@samba.org>
58(cherry picked from commit 953502925863377b5e566edff4ac68c63e8d151f)
59---
60 auth/credentials/credentials.c | 2 +-
61 1 file changed, 1 insertion(+), 1 deletion(-)
62
63diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
64index e636123..e597809 100644
65--- a/auth/credentials/credentials.c
66+++ b/auth/credentials/credentials.c
67@@ -669,7 +669,7 @@ _PUBLIC_ const char *cli_credentials_get_unparsed_name(struct cli_credentials *c
68 const char *name;
69
70 if (bind_dn) {
71- name = talloc_reference(mem_ctx, bind_dn);
72+ name = talloc_strdup(mem_ctx, bind_dn);
73 } else {
74 cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain);
75 if (domain && domain[0]) {
76--
771.9.3
78
79
80From a9bbf2e55d56b9d2cec944ee32a127fc72e6ce6a Mon Sep 17 00:00:00 2001
81From: Stefan Metzmacher <metze@samba.org>
82Date: Wed, 31 Jul 2013 12:33:25 +0200
83Subject: [PATCH 004/249] auth/credentials: remove pointless talloc_reference()
84 from cli_credentials_get_principal_and_obtained()
85
86Signed-off-by: Stefan Metzmacher <metze@samba.org>
87
88Reviewed-by: Andrew Bartlett <abartlet@samba.org>
89(cherry picked from commit b8f09226458dc13cf901f481ede89d8a6bb94ba7)
90---
91 auth/credentials/credentials.c | 2 +-
92 1 file changed, 1 insertion(+), 1 deletion(-)
93
94diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
95index e597809..7a4b081 100644
96--- a/auth/credentials/credentials.c
97+++ b/auth/credentials/credentials.c
98@@ -267,7 +267,7 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
99 }
100 }
101 *obtained = cred->principal_obtained;
102- return talloc_reference(mem_ctx, cred->principal);
103+ return talloc_strdup(mem_ctx, cred->principal);
104 }
105
106 /**
107--
1081.9.3
109
110
111From 5df785eba8389be9129984c6c5a1e59487685938 Mon Sep 17 00:00:00 2001
112From: Stefan Metzmacher <metze@samba.org>
113Date: Wed, 31 Jul 2013 12:52:17 +0200
114Subject: [PATCH 005/249] auth/credentials: add
115 cli_credentials_[set_]callback_data*
116
117Signed-off-by: Stefan Metzmacher <metze@samba.org>
118
119Reviewed-by: Andrew Bartlett <abartlet@samba.org>
120(cherry picked from commit 6ff6778bdc60f1cd4d52cba83bd47d3398fe5a20)
121---
122 auth/credentials/credentials.c | 11 +++++++++++
123 auth/credentials/credentials.h | 8 ++++++++
124 2 files changed, 19 insertions(+)
125
126diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
127index 7a4b081..e6a4710 100644
128--- a/auth/credentials/credentials.c
129+++ b/auth/credentials/credentials.c
130@@ -114,6 +114,17 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
131 return cred;
132 }
133
134+_PUBLIC_ void cli_credentials_set_callback_data(struct cli_credentials *cred,
135+ void *callback_data)
136+{
137+ cred->priv_data = callback_data;
138+}
139+
140+_PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
141+{
142+ return cred->priv_data;
143+}
144+
145 /**
146 * Create a new anonymous credential
147 * @param mem_ctx TALLOC_CTX parent for credentials structure
148diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
149index dbc014f..0f498ad 100644
150--- a/auth/credentials/credentials.h
151+++ b/auth/credentials/credentials.h
152@@ -332,6 +332,14 @@ bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
153 bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
154 const char *(*workstation_cb) (struct cli_credentials *));
155
156+void cli_credentials_set_callback_data(struct cli_credentials *cred,
157+ void *callback_data);
158+void *_cli_credentials_callback_data(struct cli_credentials *cred);
159+#define cli_credentials_callback_data(_cred, _type) \
160+ talloc_get_type_abort(_cli_credentials_callback_data(_cred), _type)
161+#define cli_credentials_callback_data_void(_cred) \
162+ _cli_credentials_callback_data(_cred)
163+
164 /**
165 * Return attached NETLOGON credentials
166 */
167--
1681.9.3
169
170
171From 8fd0244ac8fe4998a0931bc9d51b9dfbb182a2e1 Mon Sep 17 00:00:00 2001
172From: Stefan Metzmacher <metze@samba.org>
173Date: Wed, 31 Jul 2013 13:21:14 +0200
174Subject: [PATCH 006/249] auth/credentials: add cli_credentials_shallow_copy()
175
176This is useful for testing.
177
178Signed-off-by: Stefan Metzmacher <metze@samba.org>
179
180Reviewed-by: Andrew Bartlett <abartlet@samba.org>
181(cherry picked from commit b3cd44d50cff99fa77611679d68d2d57434fefa4)
182---
183 auth/credentials/credentials.c | 15 +++++++++++++++
184 auth/credentials/credentials.h | 3 +++
185 2 files changed, 18 insertions(+)
186
187diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
188index e6a4710..c1c6993 100644
189--- a/auth/credentials/credentials.c
190+++ b/auth/credentials/credentials.c
191@@ -125,6 +125,21 @@ _PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
192 return cred->priv_data;
193 }
194
195+_PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
196+ struct cli_credentials *src)
197+{
198+ struct cli_credentials *dst;
199+
200+ dst = talloc(mem_ctx, struct cli_credentials);
201+ if (dst == NULL) {
202+ return NULL;
203+ }
204+
205+ *dst = *src;
206+
207+ return dst;
208+}
209+
210 /**
211 * Create a new anonymous credential
212 * @param mem_ctx TALLOC_CTX parent for credentials structure
213diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
214index 0f498ad..1377bfa 100644
215--- a/auth/credentials/credentials.h
216+++ b/auth/credentials/credentials.h
217@@ -340,6 +340,9 @@ void *_cli_credentials_callback_data(struct cli_credentials *cred);
218 #define cli_credentials_callback_data_void(_cred) \
219 _cli_credentials_callback_data(_cred)
220
221+struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
222+ struct cli_credentials *src);
223+
224 /**
225 * Return attached NETLOGON credentials
226 */
227--
2281.9.3
229
230
231From 52e4028da5db90ce3ee410997ea3464374fec46b Mon Sep 17 00:00:00 2001
232From: Stefan Metzmacher <metze@samba.org>
233Date: Wed, 31 Jul 2013 13:20:13 +0200
234Subject: [PATCH 007/249] s3:ntlm_auth: remove pointless credentials->priv_data
235 = NULL;
236
237Signed-off-by: Stefan Metzmacher <metze@samba.org>
238
239Reviewed-by: Andrew Bartlett <abartlet@samba.org>
240(cherry picked from commit cfeeb3ce3de5d1df07299fb83327ae258da0bf8d)
241---
242 source3/utils/ntlm_auth.c | 1 -
243 1 file changed, 1 deletion(-)
244
245diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
246index b3bbaa4..a5e0cd2 100644
247--- a/source3/utils/ntlm_auth.c
248+++ b/source3/utils/ntlm_auth.c
249@@ -228,7 +228,6 @@ static const char *get_password(struct cli_credentials *credentials)
250
251 /* Ask for a password */
252 x_fprintf(x_stdout, "PW\n");
253- credentials->priv_data = NULL;
254
255 manage_squid_request(NUM_HELPER_MODES /* bogus */, NULL, NULL, manage_gensec_get_pw_request, (void **)&password);
256 talloc_steal(credentials, password);
257--
2581.9.3
259
260
261From bdfb13b91ce8961caeb98b01a75893895e8d484a Mon Sep 17 00:00:00 2001
262From: Stefan Metzmacher <metze@samba.org>
263Date: Wed, 31 Jul 2013 13:22:10 +0200
264Subject: [PATCH 008/249] s4:torture/shell: simplify
265 cli_credentials_set_password() call
266
267All we want is to avoid a possible callback...
268
269Signed-off-by: Stefan Metzmacher <metze@samba.org>
270
271Reviewed-by: Andrew Bartlett <abartlet@samba.org>
272(cherry picked from commit 36b3c9506c1ac5549a38140e7ffd57644290069f)
273---
274 source4/torture/shell.c | 5 +----
275 1 file changed, 1 insertion(+), 4 deletions(-)
276
277diff --git a/source4/torture/shell.c b/source4/torture/shell.c
278index d6cc94c..aa85da3 100644
279--- a/source4/torture/shell.c
280+++ b/source4/torture/shell.c
281@@ -110,10 +110,7 @@ void torture_shell(struct torture_context *tctx)
282 * stops the credentials system prompting when we use the "auth"
283 * command to display the current auth parameters.
284 */
285- if (cmdline_credentials->password_obtained != CRED_SPECIFIED) {
286- cli_credentials_set_password(cmdline_credentials, "",
287- CRED_SPECIFIED);
288- }
289+ cli_credentials_set_password(cmdline_credentials, "", CRED_GUESS_ENV);
290
291 while (1) {
292 cline = smb_readline("torture> ", NULL, NULL);
293--
2941.9.3
295
296
297From 91c0d6a26823f3057357c6b31bf1f686e5ed0f5e Mon Sep 17 00:00:00 2001
298From: Stefan Metzmacher <metze@samba.org>
299Date: Wed, 31 Jul 2013 13:23:08 +0200
300Subject: [PATCH 009/249] s4:torture/gentest: make use of
301 cli_credentials_get_username()
302
303Signed-off-by: Stefan Metzmacher <metze@samba.org>
304
305Reviewed-by: Andrew Bartlett <abartlet@samba.org>
306(cherry picked from commit d36fcaa5f3c4d1ad54d767f4a7c5fa6c8d69c00e)
307---
308 source4/torture/gentest.c | 3 ++-
309 1 file changed, 2 insertions(+), 1 deletion(-)
310
311diff --git a/source4/torture/gentest.c b/source4/torture/gentest.c
312index 91b60e2..586a25b 100644
313--- a/source4/torture/gentest.c
314+++ b/source4/torture/gentest.c
315@@ -221,7 +221,8 @@ static bool connect_servers(struct tevent_context *ev,
316
317 printf("Connecting to \\\\%s\\%s as %s - instance %d\n",
318 servers[i].server_name, servers[i].share_name,
319- servers[i].credentials->username, j);
320+ cli_credentials_get_username(servers[i].credentials),
321+ j);
322
323 cli_credentials_set_workstation(servers[i].credentials,
324 "gentest", CRED_SPECIFIED);
325--
3261.9.3
327
328
329From 9687534ac54b732f73c3f4758055a278eaa0cbb2 Mon Sep 17 00:00:00 2001
330From: Stefan Metzmacher <metze@samba.org>
331Date: Wed, 31 Jul 2013 13:23:41 +0200
332Subject: [PATCH 010/249] s4:torture/rpc: make use of
333 cli_credentials_set_netlogon_creds()
334
335Signed-off-by: Stefan Metzmacher <metze@samba.org>
336
337Reviewed-by: Andrew Bartlett <abartlet@samba.org>
338(cherry picked from commit d47bf469b8a9064f4f7033918b1fe519adfa0c26)
339---
340 source4/torture/rpc/schannel.c | 36 ++++++++++++++++--------------------
341 1 file changed, 16 insertions(+), 20 deletions(-)
342
343diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
344index e0862d2..8203749 100644
345--- a/source4/torture/rpc/schannel.c
346+++ b/source4/torture/rpc/schannel.c
347@@ -604,9 +604,9 @@ bool torture_rpc_schannel2(struct torture_context *torture)
348 torture_assert(torture, join_ctx != NULL,
349 "Failed to join domain with acct_flags=ACB_WSTRUST");
350
351- credentials2 = (struct cli_credentials *)talloc_memdup(torture, credentials1, sizeof(*credentials1));
352- credentials1->netlogon_creds = NULL;
353- credentials2->netlogon_creds = NULL;
354+ credentials2 = cli_credentials_shallow_copy(torture, credentials1);
355+ cli_credentials_set_netlogon_creds(credentials1, NULL);
356+ cli_credentials_set_netlogon_creds(credentials2, NULL);
357
358 status = dcerpc_parse_binding(torture, binding, &b);
359 torture_assert_ntstatus_ok(torture, status, "Bad binding string");
360@@ -624,8 +624,8 @@ bool torture_rpc_schannel2(struct torture_context *torture)
361 credentials2, torture->ev, torture->lp_ctx);
362 torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
363
364- credentials1->netlogon_creds = NULL;
365- credentials2->netlogon_creds = NULL;
366+ cli_credentials_set_netlogon_creds(credentials1, NULL);
367+ cli_credentials_set_netlogon_creds(credentials2, NULL);
368
369 torture_comment(torture, "Testing logon on pipe1\n");
370 if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
371@@ -827,16 +827,12 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
372 s->nprocs = torture_setting_int(torture, "nprocs", 4);
373 s->conns = talloc_zero_array(s, struct torture_schannel_bench_conn, s->nprocs);
374
375- s->user1_creds = (struct cli_credentials *)talloc_memdup(s,
376- cmdline_credentials,
377- sizeof(*s->user1_creds));
378+ s->user1_creds = cli_credentials_shallow_copy(s, cmdline_credentials);
379 tmp = torture_setting_string(s->tctx, "extra_user1", NULL);
380 if (tmp) {
381 cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
382 }
383- s->user2_creds = (struct cli_credentials *)talloc_memdup(s,
384- cmdline_credentials,
385- sizeof(*s->user1_creds));
386+ s->user2_creds = cli_credentials_shallow_copy(s, cmdline_credentials);
387 tmp = torture_setting_string(s->tctx, "extra_user2", NULL);
388 if (tmp) {
389 cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
390@@ -855,15 +851,16 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
391 cli_credentials_set_kerberos_state(s->wks_creds2, CRED_DONT_USE_KERBEROS);
392
393 for (i=0; i < s->nprocs; i++) {
394- s->conns[i].s = s;
395- s->conns[i].index = i;
396- s->conns[i].wks_creds = (struct cli_credentials *)talloc_memdup(
397- s->conns, s->wks_creds1,sizeof(*s->wks_creds1));
398+ struct cli_credentials *wks = s->wks_creds1;
399+
400 if ((i % 2) && (torture_setting_bool(torture, "multijoin", false))) {
401- memcpy(s->conns[i].wks_creds, s->wks_creds2,
402- talloc_get_size(s->conns[i].wks_creds));
403+ wks = s->wks_creds2;
404 }
405- s->conns[i].wks_creds->netlogon_creds = NULL;
406+
407+ s->conns[i].s = s;
408+ s->conns[i].index = i;
409+ s->conns[i].wks_creds = cli_credentials_shallow_copy(s->conns, wks);
410+ cli_credentials_set_netlogon_creds(s->conns[i].wks_creds, NULL);
411 }
412
413 status = dcerpc_parse_binding(s, binding, &s->b);
414@@ -962,8 +959,7 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
415
416 /* Just as a test, connect with the new creds */
417
418- talloc_free(s->wks_creds1->netlogon_creds);
419- s->wks_creds1->netlogon_creds = NULL;
420+ cli_credentials_set_netlogon_creds(s->wks_creds1, NULL);
421
422 status = dcerpc_pipe_connect_b(s, &net_pipe, s->b,
423 &ndr_table_netlogon,
424--
4251.9.3
426
427
428From de6c67e98d94d003f36fef5472b8133c578b3c01 Mon Sep 17 00:00:00 2001
429From: Stefan Metzmacher <metze@samba.org>
430Date: Wed, 31 Jul 2013 13:24:21 +0200
431Subject: [PATCH 011/249] s4:ntlm_auth: make use of
432 cli_credentials_[set_]callback_data*
433
434Signed-off-by: Stefan Metzmacher <metze@samba.org>
435
436Reviewed-by: Andrew Bartlett <abartlet@samba.org>
437(cherry picked from commit bbd63dd8a17468d3e332969a30c06e2b2f1540fc)
438---
439 source4/utils/ntlm_auth.c | 10 ++++++----
440 1 file changed, 6 insertions(+), 4 deletions(-)
441
442diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
443index c363c9d..136e238 100644
444--- a/source4/utils/ntlm_auth.c
445+++ b/source4/utils/ntlm_auth.c
446@@ -299,10 +299,11 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod
447 static const char *get_password(struct cli_credentials *credentials)
448 {
449 char *password = NULL;
450-
451+ void *cb = cli_credentials_callback_data_void(credentials);
452+
453 /* Ask for a password */
454- mux_printf((unsigned int)(uintptr_t)credentials->priv_data, "PW\n");
455- credentials->priv_data = NULL;
456+ mux_printf((unsigned int)(uintptr_t)cb, "PW\n");
457+ cli_credentials_set_callback_data(credentials, NULL);
458
459 manage_squid_request(cmdline_lp_ctx, NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password);
460 return password;
461@@ -505,8 +506,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
462 if (state->set_password) {
463 cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED);
464 } else {
465+ void *cb = (void*)(uintptr_t)mux_id;
466+ cli_credentials_set_callback_data(creds, cb);
467 cli_credentials_set_password_callback(creds, get_password);
468- creds->priv_data = (void*)(uintptr_t)mux_id;
469 }
470 if (opt_workstation) {
471 cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED);
472--
4731.9.3
474
475
476From 80c611a2b424e4e4a7e6de7ed6b9368bff0d9afb Mon Sep 17 00:00:00 2001
477From: Stefan Metzmacher <metze@samba.org>
478Date: Wed, 31 Jul 2013 12:41:40 +0200
479Subject: [PATCH 012/249] auth/credentials: keep cli_credentials private
480
481Signed-off-by: Stefan Metzmacher <metze@samba.org>
482
483Reviewed-by: Andrew Bartlett <abartlet@samba.org>
484(cherry picked from commit 9325bd9cb6bb942ea989f4e32799c76ea8af3d3e)
485---
486 auth/credentials/credentials.c | 1 +
487 auth/credentials/credentials.h | 101 +++-------------------------
488 auth/credentials/credentials_internal.h | 114 ++++++++++++++++++++++++++++++++
489 auth/credentials/credentials_krb5.c | 1 +
490 auth/credentials/credentials_ntlm.c | 1 +
491 auth/credentials/credentials_secrets.c | 1 +
492 6 files changed, 126 insertions(+), 93 deletions(-)
493 create mode 100644 auth/credentials/credentials_internal.h
494
495diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
496index c1c6993..f334465 100644
497--- a/auth/credentials/credentials.c
498+++ b/auth/credentials/credentials.c
499@@ -24,6 +24,7 @@
500 #include "includes.h"
501 #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
502 #include "auth/credentials/credentials.h"
503+#include "auth/credentials/credentials_internal.h"
504 #include "libcli/auth/libcli_auth.h"
505 #include "tevent.h"
506 #include "param/param.h"
507diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
508index 1377bfa..cb09dc3 100644
509--- a/auth/credentials/credentials.h
510+++ b/auth/credentials/credentials.h
511@@ -25,9 +25,17 @@
512 #include "../lib/util/data_blob.h"
513 #include "librpc/gen_ndr/misc.h"
514
515+struct cli_credentials;
516 struct ccache_container;
517 struct tevent_context;
518 struct netlogon_creds_CredentialState;
519+struct ldb_context;
520+struct ldb_message;
521+struct loadparm_context;
522+struct ccache_container;
523+struct gssapi_creds_container;
524+struct smb_krb5_context;
525+struct keytab_container;
526
527 /* In order of priority */
528 enum credentials_obtained {
529@@ -57,99 +65,6 @@ enum credentials_krb_forwardable {
530 #define CLI_CRED_NTLM_AUTH 0x08
531 #define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
532
533-struct cli_credentials {
534- enum credentials_obtained workstation_obtained;
535- enum credentials_obtained username_obtained;
536- enum credentials_obtained password_obtained;
537- enum credentials_obtained domain_obtained;
538- enum credentials_obtained realm_obtained;
539- enum credentials_obtained ccache_obtained;
540- enum credentials_obtained client_gss_creds_obtained;
541- enum credentials_obtained principal_obtained;
542- enum credentials_obtained keytab_obtained;
543- enum credentials_obtained server_gss_creds_obtained;
544-
545- /* Threshold values (essentially a MAX() over a number of the
546- * above) for the ccache and GSS credentials, to ensure we
547- * regenerate/pick correctly */
548-
549- enum credentials_obtained ccache_threshold;
550- enum credentials_obtained client_gss_creds_threshold;
551-
552- const char *workstation;
553- const char *username;
554- const char *password;
555- const char *old_password;
556- const char *domain;
557- const char *realm;
558- const char *principal;
559- char *salt_principal;
560- char *impersonate_principal;
561- char *self_service;
562- char *target_service;
563-
564- const char *bind_dn;
565-
566- /* Allows authentication from a keytab or similar */
567- struct samr_Password *nt_hash;
568-
569- /* Allows NTLM pass-though authentication */
570- DATA_BLOB lm_response;
571- DATA_BLOB nt_response;
572-
573- struct ccache_container *ccache;
574- struct gssapi_creds_container *client_gss_creds;
575- struct keytab_container *keytab;
576- struct gssapi_creds_container *server_gss_creds;
577-
578- const char *(*workstation_cb) (struct cli_credentials *);
579- const char *(*password_cb) (struct cli_credentials *);
580- const char *(*username_cb) (struct cli_credentials *);
581- const char *(*domain_cb) (struct cli_credentials *);
582- const char *(*realm_cb) (struct cli_credentials *);
583- const char *(*principal_cb) (struct cli_credentials *);
584-
585- /* Private handle for the callback routines to use */
586- void *priv_data;
587-
588- struct netlogon_creds_CredentialState *netlogon_creds;
589- enum netr_SchannelType secure_channel_type;
590- int kvno;
591- time_t password_last_changed_time;
592-
593- struct smb_krb5_context *smb_krb5_context;
594-
595- /* We are flagged to get machine account details from the
596- * secrets.ldb when we are asked for a username or password */
597- bool machine_account_pending;
598- struct loadparm_context *machine_account_pending_lp_ctx;
599-
600- /* Is this a machine account? */
601- bool machine_account;
602-
603- /* Should we be trying to use kerberos? */
604- enum credentials_use_kerberos use_kerberos;
605-
606- /* Should we get a forwardable ticket? */
607- enum credentials_krb_forwardable krb_forwardable;
608-
609- /* gensec features which should be used for connections */
610- uint32_t gensec_features;
611-
612- /* Number of retries left before bailing out */
613- int tries;
614-
615- /* Whether any callback is currently running */
616- bool callback_running;
617-};
618-
619-struct ldb_context;
620-struct ldb_message;
621-struct loadparm_context;
622-struct ccache_container;
623-
624-struct gssapi_creds_container;
625-
626 const char *cli_credentials_get_workstation(struct cli_credentials *cred);
627 bool cli_credentials_set_workstation(struct cli_credentials *cred,
628 const char *val,
629diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
630new file mode 100644
631index 0000000..5a3655b
632--- /dev/null
633+++ b/auth/credentials/credentials_internal.h
634@@ -0,0 +1,114 @@
635+/*
636+ samba -- Unix SMB/CIFS implementation.
637+
638+ Client credentials structure
639+
640+ Copyright (C) Jelmer Vernooij 2004-2006
641+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
642+
643+ This program is free software; you can redistribute it and/or modify
644+ it under the terms of the GNU General Public License as published by
645+ the Free Software Foundation; either version 3 of the License, or
646+ (at your option) any later version.
647+
648+ This program is distributed in the hope that it will be useful,
649+ but WITHOUT ANY WARRANTY; without even the implied warranty of
650+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
651+ GNU General Public License for more details.
652+
653+ You should have received a copy of the GNU General Public License
654+ along with this program. If not, see <http://www.gnu.org/licenses/>.
655+*/
656+#ifndef __CREDENTIALS_INTERNAL_H__
657+#define __CREDENTIALS_INTERNAL_H__
658+
659+#include "../lib/util/data_blob.h"
660+#include "librpc/gen_ndr/misc.h"
661+
662+struct cli_credentials {
663+ enum credentials_obtained workstation_obtained;
664+ enum credentials_obtained username_obtained;
665+ enum credentials_obtained password_obtained;
666+ enum credentials_obtained domain_obtained;
667+ enum credentials_obtained realm_obtained;
668+ enum credentials_obtained ccache_obtained;
669+ enum credentials_obtained client_gss_creds_obtained;
670+ enum credentials_obtained principal_obtained;
671+ enum credentials_obtained keytab_obtained;
672+ enum credentials_obtained server_gss_creds_obtained;
673+
674+ /* Threshold values (essentially a MAX() over a number of the
675+ * above) for the ccache and GSS credentials, to ensure we
676+ * regenerate/pick correctly */
677+
678+ enum credentials_obtained ccache_threshold;
679+ enum credentials_obtained client_gss_creds_threshold;
680+
681+ const char *workstation;
682+ const char *username;
683+ const char *password;
684+ const char *old_password;
685+ const char *domain;
686+ const char *realm;
687+ const char *principal;
688+ char *salt_principal;
689+ char *impersonate_principal;
690+ char *self_service;
691+ char *target_service;
692+
693+ const char *bind_dn;
694+
695+ /* Allows authentication from a keytab or similar */
696+ struct samr_Password *nt_hash;
697+
698+ /* Allows NTLM pass-though authentication */
699+ DATA_BLOB lm_response;
700+ DATA_BLOB nt_response;
701+
702+ struct ccache_container *ccache;
703+ struct gssapi_creds_container *client_gss_creds;
704+ struct keytab_container *keytab;
705+ struct gssapi_creds_container *server_gss_creds;
706+
707+ const char *(*workstation_cb) (struct cli_credentials *);
708+ const char *(*password_cb) (struct cli_credentials *);
709+ const char *(*username_cb) (struct cli_credentials *);
710+ const char *(*domain_cb) (struct cli_credentials *);
711+ const char *(*realm_cb) (struct cli_credentials *);
712+ const char *(*principal_cb) (struct cli_credentials *);
713+
714+ /* Private handle for the callback routines to use */
715+ void *priv_data;
716+
717+ struct netlogon_creds_CredentialState *netlogon_creds;
718+ enum netr_SchannelType secure_channel_type;
719+ int kvno;
720+ time_t password_last_changed_time;
721+
722+ struct smb_krb5_context *smb_krb5_context;
723+
724+ /* We are flagged to get machine account details from the
725+ * secrets.ldb when we are asked for a username or password */
726+ bool machine_account_pending;
727+ struct loadparm_context *machine_account_pending_lp_ctx;
728+
729+ /* Is this a machine account? */
730+ bool machine_account;
731+
732+ /* Should we be trying to use kerberos? */
733+ enum credentials_use_kerberos use_kerberos;
734+
735+ /* Should we get a forwardable ticket? */
736+ enum credentials_krb_forwardable krb_forwardable;
737+
738+ /* gensec features which should be used for connections */
739+ uint32_t gensec_features;
740+
741+ /* Number of retries left before bailing out */
742+ int tries;
743+
744+ /* Whether any callback is currently running */
745+ bool callback_running;
746+};
747+
748+#endif /* __CREDENTIALS_INTERNAL_H__ */
749diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
750index ec6a695..489a959 100644
751--- a/auth/credentials/credentials_krb5.c
752+++ b/auth/credentials/credentials_krb5.c
753@@ -26,6 +26,7 @@
754 #include "system/gssapi.h"
755 #include "auth/kerberos/kerberos.h"
756 #include "auth/credentials/credentials.h"
757+#include "auth/credentials/credentials_internal.h"
758 #include "auth/credentials/credentials_proto.h"
759 #include "auth/credentials/credentials_krb5.h"
760 #include "auth/kerberos/kerberos_credentials.h"
761diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
762index 8f143bf..8c6be39 100644
763--- a/auth/credentials/credentials_ntlm.c
764+++ b/auth/credentials/credentials_ntlm.c
765@@ -26,6 +26,7 @@
766 #include "../lib/crypto/crypto.h"
767 #include "libcli/auth/libcli_auth.h"
768 #include "auth/credentials/credentials.h"
769+#include "auth/credentials/credentials_internal.h"
770
771 _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
772 int *flags,
773diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
774index 27ee607..678d167 100644
775--- a/auth/credentials/credentials_secrets.c
776+++ b/auth/credentials/credentials_secrets.c
777@@ -28,6 +28,7 @@
778 #include "param/secrets.h"
779 #include "system/filesys.h"
780 #include "auth/credentials/credentials.h"
781+#include "auth/credentials/credentials_internal.h"
782 #include "auth/credentials/credentials_proto.h"
783 #include "auth/credentials/credentials_krb5.h"
784 #include "auth/kerberos/kerberos_util.h"
785--
7861.9.3
787
788
789From 96ea01159cfee1e384dbd5966c7eb512d495e322 Mon Sep 17 00:00:00 2001
790From: Stefan Metzmacher <metze@samba.org>
791Date: Wed, 31 Jul 2013 13:39:17 +0200
792Subject: [PATCH 013/249] auth/credentials: get the old password from
793 secrets.tdb
794
795Signed-off-by: Stefan Metzmacher <metze@samba.org>
796
797Reviewed-by: Andrew Bartlett <abartlet@samba.org>
798(cherry picked from commit 26a7420c1c4307023b22676cd85d95010ecbf603)
799---
800 auth/credentials/credentials_secrets.c | 11 +++++++++++
801 1 file changed, 11 insertions(+)
802
803diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
804index 678d167..6c1cded 100644
805--- a/auth/credentials/credentials_secrets.c
806+++ b/auth/credentials/credentials_secrets.c
807@@ -238,6 +238,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
808 bool secrets_tdb_password_more_recent;
809 time_t secrets_tdb_lct = 0;
810 char *secrets_tdb_password = NULL;
811+ char *secrets_tdb_old_password = NULL;
812 char *keystr;
813 char *keystr_upper = NULL;
814 char *secrets_tdb;
815@@ -285,6 +286,15 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
816 if (NT_STATUS_IS_OK(status)) {
817 secrets_tdb_password = (char *)dbuf.dptr;
818 }
819+ keystr = talloc_asprintf(tmp_ctx, "%s/%s",
820+ SECRETS_MACHINE_PASSWORD_PREV,
821+ domain);
822+ keystr_upper = strupper_talloc(tmp_ctx, keystr);
823+ status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
824+ &dbuf);
825+ if (NT_STATUS_IS_OK(status)) {
826+ secrets_tdb_old_password = (char *)dbuf.dptr;
827+ }
828 }
829
830 filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
831@@ -308,6 +318,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
832 if (secrets_tdb_password_more_recent) {
833 char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
834 cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
835+ cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
836 cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
837 cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
838 } else if (!NT_STATUS_IS_OK(status)) {
839--
8401.9.3
841
842
843From 74f5c14921f53b95b64dbcbf0352a89d50b20af1 Mon Sep 17 00:00:00 2001
844From: Stefan Metzmacher <metze@samba.org>
845Date: Wed, 31 Jul 2013 14:25:54 +0200
846Subject: [PATCH 014/249] auth/credentials: simplify password_tries state
847
848Signed-off-by: Stefan Metzmacher <metze@samba.org>
849
850Reviewed-by: Andrew Bartlett <abartlet@samba.org>
851(cherry picked from commit 8ea36a8e58d499aa7bf342b365ca00cb39f295b6)
852---
853 auth/credentials/credentials.c | 19 ++++++++++++++-----
854 auth/credentials/credentials_internal.h | 2 +-
855 2 files changed, 15 insertions(+), 6 deletions(-)
856
857diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
858index f334465..4ac5356 100644
859--- a/auth/credentials/credentials.c
860+++ b/auth/credentials/credentials.c
861@@ -104,7 +104,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
862
863 cred->machine_account = false;
864
865- cred->tries = 3;
866+ cred->password_tries = 0;
867
868 cred->callback_running = false;
869
870@@ -397,6 +397,7 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
871 enum credentials_obtained obtained)
872 {
873 if (obtained >= cred->password_obtained) {
874+ cred->password_tries = 0;
875 cred->password = talloc_strdup(cred, val);
876 if (cred->password) {
877 /* Don't print the actual password in talloc memory dumps */
878@@ -418,6 +419,7 @@ _PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials *cred
879 const char *(*password_cb) (struct cli_credentials *))
880 {
881 if (cred->password_obtained < CRED_CALLBACK) {
882+ cred->password_tries = 3;
883 cred->password_cb = password_cb;
884 cred->password_obtained = CRED_CALLBACK;
885 cli_credentials_invalidate_ccache(cred, cred->password_obtained);
886@@ -897,12 +899,19 @@ _PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred)
887 if (cred->password_obtained != CRED_CALLBACK_RESULT) {
888 return false;
889 }
890-
891- cred->password_obtained = CRED_CALLBACK;
892
893- cred->tries--;
894+ if (cred->password_tries == 0) {
895+ return false;
896+ }
897+
898+ cred->password_tries--;
899
900- return (cred->tries > 0);
901+ if (cred->password_tries == 0) {
902+ return false;
903+ }
904+
905+ cred->password_obtained = CRED_CALLBACK;
906+ return true;
907 }
908
909 _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
910diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
911index 5a3655b..f2f79b9 100644
912--- a/auth/credentials/credentials_internal.h
913+++ b/auth/credentials/credentials_internal.h
914@@ -105,7 +105,7 @@ struct cli_credentials {
915 uint32_t gensec_features;
916
917 /* Number of retries left before bailing out */
918- int tries;
919+ uint32_t password_tries;
920
921 /* Whether any callback is currently running */
922 bool callback_running;
923--
9241.9.3
925
926
927From 8d2c51caeecebc0b7d16fb7cf7b7fe2f2b5d8edd Mon Sep 17 00:00:00 2001
928From: Stefan Metzmacher <metze@samba.org>
929Date: Wed, 31 Jul 2013 14:32:36 +0200
930Subject: [PATCH 015/249] auth/credentials: use CRED_CALLBACK_RESULT after a
931 callback
932
933We only do this if it's still CRED_CALLBACK after the callback,
934this allowes the callback to overwrite it.
935
936Signed-off-by: Stefan Metzmacher <metze@samba.org>
937
938Reviewed-by: Andrew Bartlett <abartlet@samba.org>
939
940Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
941Autobuild-Date(master): Mon Aug 5 09:36:05 CEST 2013 on sn-devel-104
942(cherry picked from commit b699d404bb5d4385a757b5aa5d0e792cf9d5de59)
943---
944 auth/credentials/credentials.c | 34 +++++++++++++++++++++++-----------
945 1 file changed, 23 insertions(+), 11 deletions(-)
946
947diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
948index 4ac5356..be497bc 100644
949--- a/auth/credentials/credentials.c
950+++ b/auth/credentials/credentials.c
951@@ -206,8 +206,10 @@ _PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred)
952 cred->callback_running = true;
953 cred->username = cred->username_cb(cred);
954 cred->callback_running = false;
955- cred->username_obtained = CRED_SPECIFIED;
956- cli_credentials_invalidate_ccache(cred, cred->username_obtained);
957+ if (cred->username_obtained == CRED_CALLBACK) {
958+ cred->username_obtained = CRED_CALLBACK_RESULT;
959+ cli_credentials_invalidate_ccache(cred, cred->username_obtained);
960+ }
961 }
962
963 return cred->username;
964@@ -275,8 +277,10 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
965 cred->callback_running = true;
966 cred->principal = cred->principal_cb(cred);
967 cred->callback_running = false;
968- cred->principal_obtained = CRED_SPECIFIED;
969- cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
970+ if (cred->principal_obtained == CRED_CALLBACK) {
971+ cred->principal_obtained = CRED_CALLBACK_RESULT;
972+ cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
973+ }
974 }
975
976 if (cred->principal_obtained < cred->username_obtained
977@@ -382,8 +386,10 @@ _PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred)
978 cred->callback_running = true;
979 cred->password = cred->password_cb(cred);
980 cred->callback_running = false;
981- cred->password_obtained = CRED_CALLBACK_RESULT;
982- cli_credentials_invalidate_ccache(cred, cred->password_obtained);
983+ if (cred->password_obtained == CRED_CALLBACK) {
984+ cred->password_obtained = CRED_CALLBACK_RESULT;
985+ cli_credentials_invalidate_ccache(cred, cred->password_obtained);
986+ }
987 }
988
989 return cred->password;
990@@ -502,8 +508,10 @@ _PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred)
991 cred->callback_running = true;
992 cred->domain = cred->domain_cb(cred);
993 cred->callback_running = false;
994- cred->domain_obtained = CRED_SPECIFIED;
995- cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
996+ if (cred->domain_obtained == CRED_CALLBACK) {
997+ cred->domain_obtained = CRED_CALLBACK_RESULT;
998+ cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
999+ }
1000 }
1001
1002 return cred->domain;
1003@@ -561,8 +569,10 @@ _PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred)
1004 cred->callback_running = true;
1005 cred->realm = cred->realm_cb(cred);
1006 cred->callback_running = false;
1007- cred->realm_obtained = CRED_SPECIFIED;
1008- cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
1009+ if (cred->realm_obtained == CRED_CALLBACK) {
1010+ cred->realm_obtained = CRED_CALLBACK_RESULT;
1011+ cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
1012+ }
1013 }
1014
1015 return cred->realm;
1016@@ -612,7 +622,9 @@ _PUBLIC_ const char *cli_credentials_get_workstation(struct cli_credentials *cre
1017 cred->callback_running = true;
1018 cred->workstation = cred->workstation_cb(cred);
1019 cred->callback_running = false;
1020- cred->workstation_obtained = CRED_SPECIFIED;
1021+ if (cred->workstation_obtained == CRED_CALLBACK) {
1022+ cred->workstation_obtained = CRED_CALLBACK_RESULT;
1023+ }
1024 }
1025
1026 return cred->workstation;
1027--
10281.9.3
1029
1030
1031From a498324b38326a874616b0bab1e5a9cd29b664ce Mon Sep 17 00:00:00 2001
1032From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
1033Date: Fri, 17 May 2013 16:02:59 +0200
1034Subject: [PATCH 016/249] s3-net: pass down ndr_interface_table to
1035 connect_dst_pipe().
1036MIME-Version: 1.0
1037Content-Type: text/plain; charset=UTF-8
1038Content-Transfer-Encoding: 8bit
1039
1040Guenther
1041
1042Signed-off-by: Günther Deschner <gd@samba.org>
1043Reviewed-by: Stefan Metzmacher <metze@samba.org>
1044Reviewed-by: Andreas Schneider <asn@samba.org>
1045(cherry picked from commit 93e92faca9c99cd91878c2f48fb244233b16aa0f)
1046---
1047 source3/utils/net_proto.h | 2 +-
1048 source3/utils/net_rpc.c | 4 ++--
1049 source3/utils/net_rpc_printer.c | 10 +++++-----
1050 source3/utils/net_util.c | 4 ++--
1051 4 files changed, 10 insertions(+), 10 deletions(-)
1052
1053diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
1054index 3f99e14..03fb312 100644
1055--- a/source3/utils/net_proto.h
1056+++ b/source3/utils/net_proto.h
1057@@ -416,7 +416,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
1058 const char *server_name);
1059 NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
1060 struct rpc_pipe_client **pp_pipe_hnd,
1061- const struct ndr_syntax_id *interface);
1062+ const struct ndr_interface_table *table);
1063 int net_use_krb_machine_account(struct net_context *c);
1064 int net_use_machine_account(struct net_context *c);
1065 bool net_find_server(struct net_context *c,
1066diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
1067index c5c4d6c..4503f59 100644
1068--- a/source3/utils/net_rpc.c
1069+++ b/source3/utils/net_rpc.c
1070@@ -3654,7 +3654,7 @@ static NTSTATUS rpc_share_migrate_shares_internals(struct net_context *c,
1071
1072 /* connect destination PI_SRVSVC */
1073 nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
1074- &ndr_table_srvsvc.syntax_id);
1075+ &ndr_table_srvsvc);
1076 if (!NT_STATUS_IS_OK(nt_status))
1077 return nt_status;
1078
1079@@ -4140,7 +4140,7 @@ static NTSTATUS rpc_share_migrate_security_internals(struct net_context *c,
1080
1081 /* connect destination PI_SRVSVC */
1082 nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
1083- &ndr_table_srvsvc.syntax_id);
1084+ &ndr_table_srvsvc);
1085 if (!NT_STATUS_IS_OK(nt_status))
1086 return nt_status;
1087
1088diff --git a/source3/utils/net_rpc_printer.c b/source3/utils/net_rpc_printer.c
1089index ba34de1..1e42e6f 100644
1090--- a/source3/utils/net_rpc_printer.c
1091+++ b/source3/utils/net_rpc_printer.c
1092@@ -1578,7 +1578,7 @@ NTSTATUS rpc_printer_migrate_security_internals(struct net_context *c,
1093
1094 /* connect destination PI_SPOOLSS */
1095 nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
1096- &ndr_table_spoolss.syntax_id);
1097+ &ndr_table_spoolss);
1098 if (!NT_STATUS_IS_OK(nt_status)) {
1099 return nt_status;
1100 }
1101@@ -1730,7 +1730,7 @@ NTSTATUS rpc_printer_migrate_forms_internals(struct net_context *c,
1102
1103 /* connect destination PI_SPOOLSS */
1104 nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
1105- &ndr_table_spoolss.syntax_id);
1106+ &ndr_table_spoolss);
1107 if (!NT_STATUS_IS_OK(nt_status)) {
1108 return nt_status;
1109 }
1110@@ -1907,7 +1907,7 @@ NTSTATUS rpc_printer_migrate_drivers_internals(struct net_context *c,
1111 DEBUG(3,("copying printer-drivers\n"));
1112
1113 nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
1114- &ndr_table_spoolss.syntax_id);
1115+ &ndr_table_spoolss);
1116 if (!NT_STATUS_IS_OK(nt_status)) {
1117 return nt_status;
1118 }
1119@@ -2126,7 +2126,7 @@ NTSTATUS rpc_printer_migrate_printers_internals(struct net_context *c,
1120
1121 /* connect destination PI_SPOOLSS */
1122 nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
1123- &ndr_table_spoolss.syntax_id);
1124+ &ndr_table_spoolss);
1125 if (!NT_STATUS_IS_OK(nt_status)) {
1126 return nt_status;
1127 }
1128@@ -2301,7 +2301,7 @@ NTSTATUS rpc_printer_migrate_settings_internals(struct net_context *c,
1129
1130 /* connect destination PI_SPOOLSS */
1131 nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
1132- &ndr_table_spoolss.syntax_id);
1133+ &ndr_table_spoolss);
1134 if (!NT_STATUS_IS_OK(nt_status)) {
1135 return nt_status;
1136 }
1137diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
1138index 9c4a77e..a4282ec 100644
1139--- a/source3/utils/net_util.c
1140+++ b/source3/utils/net_util.c
1141@@ -231,7 +231,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
1142 **/
1143 NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
1144 struct rpc_pipe_client **pp_pipe_hnd,
1145- const struct ndr_syntax_id *interface)
1146+ const struct ndr_interface_table *table)
1147 {
1148 NTSTATUS nt_status;
1149 char *server_name = SMB_STRDUP("127.0.0.1");
1150@@ -256,7 +256,7 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
1151 return nt_status;
1152 }
1153
1154- nt_status = cli_rpc_pipe_open_noauth(cli_tmp, interface,
1155+ nt_status = cli_rpc_pipe_open_noauth(cli_tmp, &table->syntax_id,
1156 &pipe_hnd);
1157 if (!NT_STATUS_IS_OK(nt_status)) {
1158 DEBUG(0, ("couldn't not initialize pipe\n"));
1159--
11601.9.3
1161
1162
1163From d5273069a42d7234daaf3dd043d0a6e455348385 Mon Sep 17 00:00:00 2001
1164From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
1165Date: Fri, 17 May 2013 16:24:42 +0200
1166Subject: [PATCH 017/249] s3-rpc_cli: remove prototype of nonexisting
1167 cli_rpc_pipe_open_krb5().
1168MIME-Version: 1.0
1169Content-Type: text/plain; charset=UTF-8
1170Content-Transfer-Encoding: 8bit
1171
1172Guenther
1173
1174Signed-off-by: Günther Deschner <gd@samba.org>
1175Reviewed-by: Stefan Metzmacher <metze@samba.org>
1176Reviewed-by: Andreas Schneider <asn@samba.org>
1177(cherry picked from commit a1368ca6ef8ab4f158c8b303ad058835f1bbf441)
1178---
1179 source3/rpc_client/cli_pipe.h | 9 ---------
1180 1 file changed, 9 deletions(-)
1181
1182diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
1183index bf785fb..34ae542 100644
1184--- a/source3/rpc_client/cli_pipe.h
1185+++ b/source3/rpc_client/cli_pipe.h
1186@@ -131,15 +131,6 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
1187 const char *domain,
1188 struct rpc_pipe_client **presult);
1189
1190-NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
1191- const struct ndr_syntax_id *interface,
1192- enum dcerpc_transport_t transport,
1193- enum dcerpc_AuthLevel auth_level,
1194- const char *service_princ,
1195- const char *username,
1196- const char *password,
1197- struct rpc_pipe_client **presult);
1198-
1199 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
1200 struct rpc_pipe_client *cli,
1201 DATA_BLOB *session_key);
1202--
12031.9.3
1204
1205
1206From 1a6c1ddb44aac3f201bbe2cabab10e409ffd042b Mon Sep 17 00:00:00 2001
1207From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
1208Date: Fri, 17 May 2013 16:08:16 +0200
1209Subject: [PATCH 018/249] s3-libnetapi: pass down ndr_interface_table to
1210 libnetapi_get_binding_handle().
1211MIME-Version: 1.0
1212Content-Type: text/plain; charset=UTF-8
1213Content-Transfer-Encoding: 8bit
1214
1215Guenther
1216
1217Signed-off-by: Günther Deschner <gd@samba.org>
1218Reviewed-by: Stefan Metzmacher <metze@samba.org>
1219Reviewed-by: Andreas Schneider <asn@samba.org>
1220(cherry picked from commit fa37bbd9d06865d265bf554a3c49920f956f2185)
1221---
1222 source3/lib/netapi/cm.c | 4 ++--
1223 source3/lib/netapi/file.c | 6 +++---
1224 source3/lib/netapi/getdc.c | 6 +++---
1225 source3/lib/netapi/netapi_private.h | 3 ++-
1226 source3/lib/netapi/netlogon.c | 4 ++--
1227 source3/lib/netapi/serverinfo.c | 6 +++---
1228 source3/lib/netapi/share.c | 10 +++++-----
1229 source3/lib/netapi/shutdown.c | 4 ++--
1230 8 files changed, 22 insertions(+), 21 deletions(-)
1231
1232diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
1233index da3d2e1..c3ae19f 100644
1234--- a/source3/lib/netapi/cm.c
1235+++ b/source3/lib/netapi/cm.c
1236@@ -269,7 +269,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
1237
1238 WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
1239 const char *server_name,
1240- const struct ndr_syntax_id *interface,
1241+ const struct ndr_interface_table *table,
1242 struct dcerpc_binding_handle **binding_handle)
1243 {
1244 struct rpc_pipe_client *pipe_cli;
1245@@ -277,7 +277,7 @@ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
1246
1247 *binding_handle = NULL;
1248
1249- result = libnetapi_open_pipe(ctx, server_name, interface, &pipe_cli);
1250+ result = libnetapi_open_pipe(ctx, server_name, &table->syntax_id, &pipe_cli);
1251 if (!W_ERROR_IS_OK(result)) {
1252 return result;
1253 }
1254diff --git a/source3/lib/netapi/file.c b/source3/lib/netapi/file.c
1255index 1e406d2..551f9ff 100644
1256--- a/source3/lib/netapi/file.c
1257+++ b/source3/lib/netapi/file.c
1258@@ -36,7 +36,7 @@ WERROR NetFileClose_r(struct libnetapi_ctx *ctx,
1259 struct dcerpc_binding_handle *b;
1260
1261 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1262- &ndr_table_srvsvc.syntax_id,
1263+ &ndr_table_srvsvc,
1264 &b);
1265 if (!W_ERROR_IS_OK(werr)) {
1266 goto done;
1267@@ -130,7 +130,7 @@ WERROR NetFileGetInfo_r(struct libnetapi_ctx *ctx,
1268 }
1269
1270 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1271- &ndr_table_srvsvc.syntax_id,
1272+ &ndr_table_srvsvc,
1273 &b);
1274 if (!W_ERROR_IS_OK(werr)) {
1275 goto done;
1276@@ -201,7 +201,7 @@ WERROR NetFileEnum_r(struct libnetapi_ctx *ctx,
1277 }
1278
1279 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1280- &ndr_table_srvsvc.syntax_id,
1281+ &ndr_table_srvsvc,
1282 &b);
1283 if (!W_ERROR_IS_OK(werr)) {
1284 goto done;
1285diff --git a/source3/lib/netapi/getdc.c b/source3/lib/netapi/getdc.c
1286index 3b26d46..ae976f1 100644
1287--- a/source3/lib/netapi/getdc.c
1288+++ b/source3/lib/netapi/getdc.c
1289@@ -47,7 +47,7 @@ WERROR NetGetDCName_r(struct libnetapi_ctx *ctx,
1290 void *buffer;
1291
1292 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1293- &ndr_table_netlogon.syntax_id,
1294+ &ndr_table_netlogon,
1295 &b);
1296 if (!W_ERROR_IS_OK(werr)) {
1297 goto done;
1298@@ -101,7 +101,7 @@ WERROR NetGetAnyDCName_r(struct libnetapi_ctx *ctx,
1299 void *buffer;
1300
1301 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1302- &ndr_table_netlogon.syntax_id,
1303+ &ndr_table_netlogon,
1304 &b);
1305 if (!W_ERROR_IS_OK(werr)) {
1306 goto done;
1307@@ -173,7 +173,7 @@ WERROR DsGetDcName_r(struct libnetapi_ctx *ctx,
1308 struct dcerpc_binding_handle *b;
1309
1310 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1311- &ndr_table_netlogon.syntax_id,
1312+ &ndr_table_netlogon,
1313 &b);
1314 if (!W_ERROR_IS_OK(werr)) {
1315 goto done;
1316diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
1317index 349287b..62aa7ef 100644
1318--- a/source3/lib/netapi/netapi_private.h
1319+++ b/source3/lib/netapi/netapi_private.h
1320@@ -30,6 +30,7 @@
1321 return fn ## _r(ctx, r);
1322
1323 struct dcerpc_binding_handle;
1324+struct ndr_interface_table;
1325
1326 struct libnetapi_private_ctx {
1327 struct {
1328@@ -64,7 +65,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
1329 struct rpc_pipe_client **presult);
1330 WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
1331 const char *server_name,
1332- const struct ndr_syntax_id *interface,
1333+ const struct ndr_interface_table *table,
1334 struct dcerpc_binding_handle **binding_handle);
1335 WERROR libnetapi_samr_open_domain(struct libnetapi_ctx *mem_ctx,
1336 struct rpc_pipe_client *pipe_cli,
1337diff --git a/source3/lib/netapi/netlogon.c b/source3/lib/netapi/netlogon.c
1338index a046fb7..136cb48 100644
1339--- a/source3/lib/netapi/netlogon.c
1340+++ b/source3/lib/netapi/netlogon.c
1341@@ -133,7 +133,7 @@ WERROR I_NetLogonControl_r(struct libnetapi_ctx *ctx,
1342 struct dcerpc_binding_handle *b;
1343
1344 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1345- &ndr_table_netlogon.syntax_id,
1346+ &ndr_table_netlogon,
1347 &b);
1348 if (!W_ERROR_IS_OK(werr)) {
1349 goto done;
1350@@ -190,7 +190,7 @@ WERROR I_NetLogonControl2_r(struct libnetapi_ctx *ctx,
1351 }
1352
1353 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1354- &ndr_table_netlogon.syntax_id,
1355+ &ndr_table_netlogon,
1356 &b);
1357 if (!W_ERROR_IS_OK(werr)) {
1358 goto done;
1359diff --git a/source3/lib/netapi/serverinfo.c b/source3/lib/netapi/serverinfo.c
1360index 046b693..b2a84d1 100644
1361--- a/source3/lib/netapi/serverinfo.c
1362+++ b/source3/lib/netapi/serverinfo.c
1363@@ -503,7 +503,7 @@ WERROR NetServerGetInfo_r(struct libnetapi_ctx *ctx,
1364 }
1365
1366 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1367- &ndr_table_srvsvc.syntax_id,
1368+ &ndr_table_srvsvc,
1369 &b);
1370 if (!W_ERROR_IS_OK(werr)) {
1371 goto done;
1372@@ -616,7 +616,7 @@ WERROR NetServerSetInfo_r(struct libnetapi_ctx *ctx,
1373 struct dcerpc_binding_handle *b;
1374
1375 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1376- &ndr_table_srvsvc.syntax_id,
1377+ &ndr_table_srvsvc,
1378 &b);
1379 if (!W_ERROR_IS_OK(werr)) {
1380 goto done;
1381@@ -658,7 +658,7 @@ WERROR NetRemoteTOD_r(struct libnetapi_ctx *ctx,
1382 struct dcerpc_binding_handle *b;
1383
1384 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1385- &ndr_table_srvsvc.syntax_id,
1386+ &ndr_table_srvsvc,
1387 &b);
1388 if (!W_ERROR_IS_OK(werr)) {
1389 goto done;
1390diff --git a/source3/lib/netapi/share.c b/source3/lib/netapi/share.c
1391index d12fa1c..090e1a9 100644
1392--- a/source3/lib/netapi/share.c
1393+++ b/source3/lib/netapi/share.c
1394@@ -200,7 +200,7 @@ WERROR NetShareAdd_r(struct libnetapi_ctx *ctx,
1395 }
1396
1397 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1398- &ndr_table_srvsvc.syntax_id,
1399+ &ndr_table_srvsvc,
1400 &b);
1401 if (!W_ERROR_IS_OK(werr)) {
1402 goto done;
1403@@ -258,7 +258,7 @@ WERROR NetShareDel_r(struct libnetapi_ctx *ctx,
1404 }
1405
1406 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1407- &ndr_table_srvsvc.syntax_id,
1408+ &ndr_table_srvsvc,
1409 &b);
1410 if (!W_ERROR_IS_OK(werr)) {
1411 goto done;
1412@@ -321,7 +321,7 @@ WERROR NetShareEnum_r(struct libnetapi_ctx *ctx,
1413 ZERO_STRUCT(info_ctr);
1414
1415 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1416- &ndr_table_srvsvc.syntax_id,
1417+ &ndr_table_srvsvc,
1418 &b);
1419 if (!W_ERROR_IS_OK(werr)) {
1420 goto done;
1421@@ -428,7 +428,7 @@ WERROR NetShareGetInfo_r(struct libnetapi_ctx *ctx,
1422 }
1423
1424 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1425- &ndr_table_srvsvc.syntax_id,
1426+ &ndr_table_srvsvc,
1427 &b);
1428 if (!W_ERROR_IS_OK(werr)) {
1429 goto done;
1430@@ -502,7 +502,7 @@ WERROR NetShareSetInfo_r(struct libnetapi_ctx *ctx,
1431 }
1432
1433 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1434- &ndr_table_srvsvc.syntax_id,
1435+ &ndr_table_srvsvc,
1436 &b);
1437 if (!W_ERROR_IS_OK(werr)) {
1438 goto done;
1439diff --git a/source3/lib/netapi/shutdown.c b/source3/lib/netapi/shutdown.c
1440index 78bc2fc..9e1e8e1 100644
1441--- a/source3/lib/netapi/shutdown.c
1442+++ b/source3/lib/netapi/shutdown.c
1443@@ -38,7 +38,7 @@ WERROR NetShutdownInit_r(struct libnetapi_ctx *ctx,
1444 struct dcerpc_binding_handle *b;
1445
1446 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1447- &ndr_table_initshutdown.syntax_id,
1448+ &ndr_table_initshutdown,
1449 &b);
1450 if (!W_ERROR_IS_OK(werr)) {
1451 goto done;
1452@@ -82,7 +82,7 @@ WERROR NetShutdownAbort_r(struct libnetapi_ctx *ctx,
1453 struct dcerpc_binding_handle *b;
1454
1455 werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
1456- &ndr_table_initshutdown.syntax_id,
1457+ &ndr_table_initshutdown,
1458 &b);
1459 if (!W_ERROR_IS_OK(werr)) {
1460 goto done;
1461--
14621.9.3
1463
1464
1465From e25e7bfe15bdb89a9680708c27b50e14a8a86ca3 Mon Sep 17 00:00:00 2001
1466From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
1467Date: Fri, 17 May 2013 16:10:13 +0200
1468Subject: [PATCH 019/249] s3-libnetapi: pass down ndr_interface_table to
1469 libnetapi_open_pipe().
1470MIME-Version: 1.0
1471Content-Type: text/plain; charset=UTF-8
1472Content-Transfer-Encoding: 8bit
1473
1474Guenther
1475
1476Signed-off-by: Günther Deschner <gd@samba.org>
1477Reviewed-by: Stefan Metzmacher <metze@samba.org>
1478Reviewed-by: Andreas Schneider <asn@samba.org>
1479(cherry picked from commit 77f7f2a976e5b95f3bd9f542b92926adee4f5fa6)
1480---
1481 source3/lib/netapi/cm.c | 8 ++++----
1482 source3/lib/netapi/group.c | 18 +++++++++---------
1483 source3/lib/netapi/joindomain.c | 10 +++++-----
1484 source3/lib/netapi/localgroup.c | 14 +++++++-------
1485 source3/lib/netapi/netapi_private.h | 2 +-
1486 source3/lib/netapi/user.c | 22 +++++++++++-----------
1487 6 files changed, 37 insertions(+), 37 deletions(-)
1488
1489diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
1490index c3ae19f..dd1f1e3 100644
1491--- a/source3/lib/netapi/cm.c
1492+++ b/source3/lib/netapi/cm.c
1493@@ -234,7 +234,7 @@ static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
1494
1495 WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
1496 const char *server_name,
1497- const struct ndr_syntax_id *interface,
1498+ const struct ndr_interface_table *table,
1499 struct rpc_pipe_client **presult)
1500 {
1501 struct rpc_pipe_client *result = NULL;
1502@@ -251,10 +251,10 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
1503 return werr;
1504 }
1505
1506- status = pipe_cm_open(ctx, ipc, interface, &result);
1507+ status = pipe_cm_open(ctx, ipc, &table->syntax_id, &result);
1508 if (!NT_STATUS_IS_OK(status)) {
1509 libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
1510- get_pipe_name_from_syntax(talloc_tos(), interface),
1511+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
1512 get_friendly_nt_error_msg(status));
1513 return WERR_DEST_NOT_FOUND;
1514 }
1515@@ -277,7 +277,7 @@ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
1516
1517 *binding_handle = NULL;
1518
1519- result = libnetapi_open_pipe(ctx, server_name, &table->syntax_id, &pipe_cli);
1520+ result = libnetapi_open_pipe(ctx, server_name, table, &pipe_cli);
1521 if (!W_ERROR_IS_OK(result)) {
1522 return result;
1523 }
1524diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c
1525index b806fc4..6d9b248 100644
1526--- a/source3/lib/netapi/group.c
1527+++ b/source3/lib/netapi/group.c
1528@@ -76,7 +76,7 @@ WERROR NetGroupAdd_r(struct libnetapi_ctx *ctx,
1529 }
1530
1531 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1532- &ndr_table_samr.syntax_id,
1533+ &ndr_table_samr,
1534 &pipe_cli);
1535 if (!W_ERROR_IS_OK(werr)) {
1536 goto done;
1537@@ -272,7 +272,7 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
1538 }
1539
1540 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1541- &ndr_table_samr.syntax_id,
1542+ &ndr_table_samr,
1543 &pipe_cli);
1544 if (!W_ERROR_IS_OK(werr)) {
1545 goto done;
1546@@ -492,7 +492,7 @@ WERROR NetGroupSetInfo_r(struct libnetapi_ctx *ctx,
1547 }
1548
1549 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1550- &ndr_table_samr.syntax_id,
1551+ &ndr_table_samr,
1552 &pipe_cli);
1553 if (!W_ERROR_IS_OK(werr)) {
1554 goto done;
1555@@ -770,7 +770,7 @@ WERROR NetGroupGetInfo_r(struct libnetapi_ctx *ctx,
1556 }
1557
1558 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1559- &ndr_table_samr.syntax_id,
1560+ &ndr_table_samr,
1561 &pipe_cli);
1562 if (!W_ERROR_IS_OK(werr)) {
1563 goto done;
1564@@ -918,7 +918,7 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
1565 }
1566
1567 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1568- &ndr_table_samr.syntax_id,
1569+ &ndr_table_samr,
1570 &pipe_cli);
1571 if (!W_ERROR_IS_OK(werr)) {
1572 goto done;
1573@@ -1078,7 +1078,7 @@ WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
1574 }
1575
1576 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1577- &ndr_table_samr.syntax_id,
1578+ &ndr_table_samr,
1579 &pipe_cli);
1580 if (!W_ERROR_IS_OK(werr)) {
1581 goto done;
1582@@ -1397,7 +1397,7 @@ WERROR NetGroupEnum_r(struct libnetapi_ctx *ctx,
1583 }
1584
1585 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1586- &ndr_table_samr.syntax_id,
1587+ &ndr_table_samr,
1588 &pipe_cli);
1589 if (!W_ERROR_IS_OK(werr)) {
1590 goto done;
1591@@ -1544,7 +1544,7 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
1592
1593
1594 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1595- &ndr_table_samr.syntax_id,
1596+ &ndr_table_samr,
1597 &pipe_cli);
1598 if (!W_ERROR_IS_OK(werr)) {
1599 goto done;
1600@@ -1736,7 +1736,7 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
1601 }
1602
1603 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1604- &ndr_table_samr.syntax_id,
1605+ &ndr_table_samr,
1606 &pipe_cli);
1607 if (!W_ERROR_IS_OK(werr)) {
1608 goto done;
1609diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
1610index b6fb57a..d8e624f 100644
1611--- a/source3/lib/netapi/joindomain.c
1612+++ b/source3/lib/netapi/joindomain.c
1613@@ -116,7 +116,7 @@ WERROR NetJoinDomain_r(struct libnetapi_ctx *ctx,
1614 DATA_BLOB session_key;
1615
1616 werr = libnetapi_open_pipe(ctx, r->in.server,
1617- &ndr_table_wkssvc.syntax_id,
1618+ &ndr_table_wkssvc,
1619 &pipe_cli);
1620 if (!W_ERROR_IS_OK(werr)) {
1621 goto done;
1622@@ -257,7 +257,7 @@ WERROR NetUnjoinDomain_r(struct libnetapi_ctx *ctx,
1623 DATA_BLOB session_key;
1624
1625 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1626- &ndr_table_wkssvc.syntax_id,
1627+ &ndr_table_wkssvc,
1628 &pipe_cli);
1629 if (!W_ERROR_IS_OK(werr)) {
1630 goto done;
1631@@ -313,7 +313,7 @@ WERROR NetGetJoinInformation_r(struct libnetapi_ctx *ctx,
1632 struct dcerpc_binding_handle *b;
1633
1634 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1635- &ndr_table_wkssvc.syntax_id,
1636+ &ndr_table_wkssvc,
1637 &pipe_cli);
1638 if (!W_ERROR_IS_OK(werr)) {
1639 goto done;
1640@@ -455,7 +455,7 @@ WERROR NetGetJoinableOUs_r(struct libnetapi_ctx *ctx,
1641 DATA_BLOB session_key;
1642
1643 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1644- &ndr_table_wkssvc.syntax_id,
1645+ &ndr_table_wkssvc,
1646 &pipe_cli);
1647 if (!W_ERROR_IS_OK(werr)) {
1648 goto done;
1649@@ -508,7 +508,7 @@ WERROR NetRenameMachineInDomain_r(struct libnetapi_ctx *ctx,
1650 DATA_BLOB session_key;
1651
1652 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1653- &ndr_table_wkssvc.syntax_id,
1654+ &ndr_table_wkssvc,
1655 &pipe_cli);
1656 if (!W_ERROR_IS_OK(werr)) {
1657 goto done;
1658diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c
1659index 17cab68..241970d 100644
1660--- a/source3/lib/netapi/localgroup.c
1661+++ b/source3/lib/netapi/localgroup.c
1662@@ -185,7 +185,7 @@ WERROR NetLocalGroupAdd_r(struct libnetapi_ctx *ctx,
1663 }
1664
1665 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1666- &ndr_table_samr.syntax_id,
1667+ &ndr_table_samr,
1668 &pipe_cli);
1669 if (!W_ERROR_IS_OK(werr)) {
1670 goto done;
1671@@ -319,7 +319,7 @@ WERROR NetLocalGroupDel_r(struct libnetapi_ctx *ctx,
1672 ZERO_STRUCT(alias_handle);
1673
1674 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1675- &ndr_table_samr.syntax_id,
1676+ &ndr_table_samr,
1677 &pipe_cli);
1678 if (!W_ERROR_IS_OK(werr)) {
1679 goto done;
1680@@ -499,7 +499,7 @@ WERROR NetLocalGroupGetInfo_r(struct libnetapi_ctx *ctx,
1681 ZERO_STRUCT(alias_handle);
1682
1683 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1684- &ndr_table_samr.syntax_id,
1685+ &ndr_table_samr,
1686 &pipe_cli);
1687 if (!W_ERROR_IS_OK(werr)) {
1688 goto done;
1689@@ -678,7 +678,7 @@ WERROR NetLocalGroupSetInfo_r(struct libnetapi_ctx *ctx,
1690 ZERO_STRUCT(alias_handle);
1691
1692 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1693- &ndr_table_samr.syntax_id,
1694+ &ndr_table_samr,
1695 &pipe_cli);
1696 if (!W_ERROR_IS_OK(werr)) {
1697 goto done;
1698@@ -828,7 +828,7 @@ WERROR NetLocalGroupEnum_r(struct libnetapi_ctx *ctx,
1699 ZERO_STRUCT(alias_handle);
1700
1701 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1702- &ndr_table_samr.syntax_id,
1703+ &ndr_table_samr,
1704 &pipe_cli);
1705 if (!W_ERROR_IS_OK(werr)) {
1706 goto done;
1707@@ -1141,7 +1141,7 @@ static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
1708
1709 if (r->in.level == 3) {
1710 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1711- &ndr_table_lsarpc.syntax_id,
1712+ &ndr_table_lsarpc,
1713 &lsa_pipe);
1714 if (!W_ERROR_IS_OK(werr)) {
1715 goto done;
1716@@ -1160,7 +1160,7 @@ static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
1717 }
1718
1719 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1720- &ndr_table_samr.syntax_id,
1721+ &ndr_table_samr,
1722 &pipe_cli);
1723 if (!W_ERROR_IS_OK(werr)) {
1724 goto done;
1725diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
1726index 62aa7ef..897cf3d 100644
1727--- a/source3/lib/netapi/netapi_private.h
1728+++ b/source3/lib/netapi/netapi_private.h
1729@@ -61,7 +61,7 @@ NET_API_STATUS libnetapi_get_debuglevel(struct libnetapi_ctx *ctx, char **debugl
1730 WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx);
1731 WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
1732 const char *server_name,
1733- const struct ndr_syntax_id *interface,
1734+ const struct ndr_interface_table *table,
1735 struct rpc_pipe_client **presult);
1736 WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
1737 const char *server_name,
1738diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
1739index a971e2d..4a39f69 100644
1740--- a/source3/lib/netapi/user.c
1741+++ b/source3/lib/netapi/user.c
1742@@ -400,7 +400,7 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
1743 }
1744
1745 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1746- &ndr_table_samr.syntax_id,
1747+ &ndr_table_samr,
1748 &pipe_cli);
1749 if (!W_ERROR_IS_OK(werr)) {
1750 goto done;
1751@@ -552,7 +552,7 @@ WERROR NetUserDel_r(struct libnetapi_ctx *ctx,
1752 ZERO_STRUCT(user_handle);
1753
1754 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1755- &ndr_table_samr.syntax_id,
1756+ &ndr_table_samr,
1757 &pipe_cli);
1758
1759 if (!W_ERROR_IS_OK(werr)) {
1760@@ -1322,7 +1322,7 @@ WERROR NetUserEnum_r(struct libnetapi_ctx *ctx,
1761 }
1762
1763 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1764- &ndr_table_samr.syntax_id,
1765+ &ndr_table_samr,
1766 &pipe_cli);
1767 if (!W_ERROR_IS_OK(werr)) {
1768 goto done;
1769@@ -1630,7 +1630,7 @@ WERROR NetQueryDisplayInformation_r(struct libnetapi_ctx *ctx,
1770 }
1771
1772 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1773- &ndr_table_samr.syntax_id,
1774+ &ndr_table_samr,
1775 &pipe_cli);
1776 if (!W_ERROR_IS_OK(werr)) {
1777 goto done;
1778@@ -1764,7 +1764,7 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
1779 }
1780
1781 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1782- &ndr_table_samr.syntax_id,
1783+ &ndr_table_samr,
1784 &pipe_cli);
1785 if (!W_ERROR_IS_OK(werr)) {
1786 goto done;
1787@@ -1936,7 +1936,7 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
1788 }
1789
1790 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1791- &ndr_table_samr.syntax_id,
1792+ &ndr_table_samr,
1793 &pipe_cli);
1794 if (!W_ERROR_IS_OK(werr)) {
1795 goto done;
1796@@ -2395,7 +2395,7 @@ WERROR NetUserModalsGet_r(struct libnetapi_ctx *ctx,
1797 }
1798
1799 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1800- &ndr_table_samr.syntax_id,
1801+ &ndr_table_samr,
1802 &pipe_cli);
1803 if (!W_ERROR_IS_OK(werr)) {
1804 goto done;
1805@@ -2880,7 +2880,7 @@ WERROR NetUserModalsSet_r(struct libnetapi_ctx *ctx,
1806 }
1807
1808 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1809- &ndr_table_samr.syntax_id,
1810+ &ndr_table_samr,
1811 &pipe_cli);
1812 if (!W_ERROR_IS_OK(werr)) {
1813 goto done;
1814@@ -3015,7 +3015,7 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
1815 }
1816
1817 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1818- &ndr_table_samr.syntax_id,
1819+ &ndr_table_samr,
1820 &pipe_cli);
1821 if (!W_ERROR_IS_OK(werr)) {
1822 goto done;
1823@@ -3206,7 +3206,7 @@ WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx,
1824 }
1825
1826 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1827- &ndr_table_samr.syntax_id,
1828+ &ndr_table_samr,
1829 &pipe_cli);
1830 if (!W_ERROR_IS_OK(werr)) {
1831 goto done;
1832@@ -3547,7 +3547,7 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
1833 }
1834
1835 werr = libnetapi_open_pipe(ctx, r->in.server_name,
1836- &ndr_table_samr.syntax_id,
1837+ &ndr_table_samr,
1838 &pipe_cli);
1839 if (!W_ERROR_IS_OK(werr)) {
1840 goto done;
1841--
18421.9.3
1843
1844
1845From 4157ba43258373cd995b2ee74dcd4d65782dc2ea Mon Sep 17 00:00:00 2001
1846From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
1847Date: Fri, 17 May 2013 16:13:26 +0200
1848Subject: [PATCH 020/249] s3-libnetapi: pass down ndr_interface_table to
1849 pipe_cm() and friends.
1850MIME-Version: 1.0
1851Content-Type: text/plain; charset=UTF-8
1852Content-Transfer-Encoding: 8bit
1853
1854Guenther
1855
1856Signed-off-by: Günther Deschner <gd@samba.org>
1857Reviewed-by: Stefan Metzmacher <metze@samba.org>
1858Reviewed-by: Andreas Schneider <asn@samba.org>
1859(cherry picked from commit 0ce2178f2ffeaee324c7e8fef7c87727def7bd77)
1860---
1861 source3/lib/netapi/cm.c | 16 ++++++++--------
1862 1 file changed, 8 insertions(+), 8 deletions(-)
1863
1864diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
1865index dd1f1e3..8551521 100644
1866--- a/source3/lib/netapi/cm.c
1867+++ b/source3/lib/netapi/cm.c
1868@@ -161,7 +161,7 @@ WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx)
1869 ********************************************************************/
1870
1871 static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
1872- const struct ndr_syntax_id *interface,
1873+ const struct ndr_interface_table *table,
1874 struct rpc_pipe_client **presult)
1875 {
1876 struct client_pipe_connection *p;
1877@@ -177,7 +177,7 @@ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
1878
1879 if (strequal(ipc_remote_name, p->pipe->desthost)
1880 && ndr_syntax_id_equal(&p->pipe->abstract_syntax,
1881- interface)) {
1882+ &table->syntax_id)) {
1883 *presult = p->pipe;
1884 return NT_STATUS_OK;
1885 }
1886@@ -191,7 +191,7 @@ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
1887
1888 static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
1889 struct client_ipc_connection *ipc,
1890- const struct ndr_syntax_id *interface,
1891+ const struct ndr_interface_table *table,
1892 struct rpc_pipe_client **presult)
1893 {
1894 struct client_pipe_connection *p;
1895@@ -202,7 +202,7 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
1896 return NT_STATUS_NO_MEMORY;
1897 }
1898
1899- status = cli_rpc_pipe_open_noauth(ipc->cli, interface, &p->pipe);
1900+ status = cli_rpc_pipe_open_noauth(ipc->cli, &table->syntax_id, &p->pipe);
1901 if (!NT_STATUS_IS_OK(status)) {
1902 TALLOC_FREE(p);
1903 return status;
1904@@ -219,14 +219,14 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
1905
1906 static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
1907 struct client_ipc_connection *ipc,
1908- const struct ndr_syntax_id *interface,
1909+ const struct ndr_interface_table *table,
1910 struct rpc_pipe_client **presult)
1911 {
1912- if (NT_STATUS_IS_OK(pipe_cm_find(ipc, interface, presult))) {
1913+ if (NT_STATUS_IS_OK(pipe_cm_find(ipc, table, presult))) {
1914 return NT_STATUS_OK;
1915 }
1916
1917- return pipe_cm_connect(ctx, ipc, interface, presult);
1918+ return pipe_cm_connect(ctx, ipc, table, presult);
1919 }
1920
1921 /********************************************************************
1922@@ -251,7 +251,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
1923 return werr;
1924 }
1925
1926- status = pipe_cm_open(ctx, ipc, &table->syntax_id, &result);
1927+ status = pipe_cm_open(ctx, ipc, table, &result);
1928 if (!NT_STATUS_IS_OK(status)) {
1929 libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
1930 get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
1931--
19321.9.3
1933
1934
1935From ec8ba2a371ce4c4cc14d04e852034dcd92862542 Mon Sep 17 00:00:00 2001
1936From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
1937Date: Fri, 17 May 2013 16:16:59 +0200
1938Subject: [PATCH 021/249] s3-rpc_cli: pass down ndr_interface_table to
1939 rpc_pipe_open_ncalrpc().
1940MIME-Version: 1.0
1941Content-Type: text/plain; charset=UTF-8
1942Content-Transfer-Encoding: 8bit
1943
1944Guenther
1945
1946Signed-off-by: Günther Deschner <gd@samba.org>
1947Reviewed-by: Stefan Metzmacher <metze@samba.org>
1948Reviewed-by: Andreas Schneider <asn@samba.org>
1949(cherry picked from commit 9b4fb5b074b035eaef98c4a463c9d68006ed52da)
1950---
1951 source3/librpc/rpc/dcerpc_ep.c | 2 +-
1952 source3/rpc_client/cli_pipe.c | 4 ++--
1953 source3/rpc_client/cli_pipe.h | 2 +-
1954 3 files changed, 4 insertions(+), 4 deletions(-)
1955
1956diff --git a/source3/librpc/rpc/dcerpc_ep.c b/source3/librpc/rpc/dcerpc_ep.c
1957index bb080c5..410caa7 100644
1958--- a/source3/librpc/rpc/dcerpc_ep.c
1959+++ b/source3/librpc/rpc/dcerpc_ep.c
1960@@ -365,7 +365,7 @@ static NTSTATUS ep_register(TALLOC_CTX *mem_ctx,
1961
1962 status = rpc_pipe_open_ncalrpc(tmp_ctx,
1963 ncalrpc_sock,
1964- &ndr_table_epmapper.syntax_id,
1965+ &ndr_table_epmapper,
1966 &cli);
1967 if (!NT_STATUS_IS_OK(status)) {
1968 goto done;
1969diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
1970index 385ae25..427b628 100644
1971--- a/source3/rpc_client/cli_pipe.c
1972+++ b/source3/rpc_client/cli_pipe.c
1973@@ -2682,7 +2682,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
1974 Create a rpc pipe client struct, connecting to a unix domain socket
1975 ********************************************************************/
1976 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
1977- const struct ndr_syntax_id *abstract_syntax,
1978+ const struct ndr_interface_table *table,
1979 struct rpc_pipe_client **presult)
1980 {
1981 struct rpc_pipe_client *result;
1982@@ -2696,7 +2696,7 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
1983 return NT_STATUS_NO_MEMORY;
1984 }
1985
1986- result->abstract_syntax = *abstract_syntax;
1987+ result->abstract_syntax = table->syntax_id;
1988 result->transfer_syntax = ndr_transfer_syntax_ndr;
1989
1990 result->desthost = get_myname(result);
1991diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
1992index 34ae542..3415db0 100644
1993--- a/source3/rpc_client/cli_pipe.h
1994+++ b/source3/rpc_client/cli_pipe.h
1995@@ -71,7 +71,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
1996 struct rpc_pipe_client **presult);
1997
1998 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
1999- const struct ndr_syntax_id *abstract_syntax,
2000+ const struct ndr_interface_table *table,
2001 struct rpc_pipe_client **presult);
2002
2003 struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c);
2004--
20051.9.3
2006
2007
2008From 816b7983c2342ea500e7467f2ab6c04dff89308f Mon Sep 17 00:00:00 2001
2009From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
2010Date: Fri, 17 May 2013 16:44:05 +0200
2011Subject: [PATCH 022/249] s3-rpc_cli: pass down ndr_interface_table to
2012 rpc_pipe_open_interface().
2013MIME-Version: 1.0
2014Content-Type: text/plain; charset=UTF-8
2015Content-Transfer-Encoding: 8bit
2016
2017Guenther
2018
2019Signed-off-by: Günther Deschner <gd@samba.org>
2020Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021Reviewed-by: Andreas Schneider <asn@samba.org>
2022(cherry picked from commit 6886cff0a7e97864e9094af936cbef08a3c8f6f4)
2023---
2024 source3/printing/nt_printing_migrate_internal.c | 2 +-
2025 source3/printing/printspoolss.c | 4 +--
2026 source3/rpc_server/rpc_ncacn_np.c | 8 +++---
2027 source3/rpc_server/rpc_ncacn_np.h | 2 +-
2028 source3/smbd/lanman.c | 34 ++++++++++++-------------
2029 source3/smbd/reply.c | 2 +-
2030 6 files changed, 26 insertions(+), 26 deletions(-)
2031
2032diff --git a/source3/printing/nt_printing_migrate_internal.c b/source3/printing/nt_printing_migrate_internal.c
2033index 200db07f..6bc7ea2 100644
2034--- a/source3/printing/nt_printing_migrate_internal.c
2035+++ b/source3/printing/nt_printing_migrate_internal.c
2036@@ -211,7 +211,7 @@ bool nt_printing_tdb_migrate(struct messaging_context *msg_ctx)
2037 }
2038
2039 status = rpc_pipe_open_interface(tmp_ctx,
2040- &ndr_table_winreg.syntax_id,
2041+ &ndr_table_winreg,
2042 session_info,
2043 NULL,
2044 msg_ctx,
2045diff --git a/source3/printing/printspoolss.c b/source3/printing/printspoolss.c
2046index fc1e9c1..0507e83 100644
2047--- a/source3/printing/printspoolss.c
2048+++ b/source3/printing/printspoolss.c
2049@@ -154,7 +154,7 @@ NTSTATUS print_spool_open(files_struct *fsp,
2050 * a job id */
2051
2052 status = rpc_pipe_open_interface(fsp->conn,
2053- &ndr_table_spoolss.syntax_id,
2054+ &ndr_table_spoolss,
2055 fsp->conn->session_info,
2056 fsp->conn->sconn->remote_address,
2057 fsp->conn->sconn->msg_ctx,
2058@@ -343,7 +343,7 @@ void print_spool_terminate(struct connection_struct *conn,
2059 rap_jobid_delete(print_file->svcname, print_file->jobid);
2060
2061 status = rpc_pipe_open_interface(conn,
2062- &ndr_table_spoolss.syntax_id,
2063+ &ndr_table_spoolss,
2064 conn->session_info,
2065 conn->sconn->remote_address,
2066 conn->sconn->msg_ctx,
2067diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
2068index b4602a9..7389b3e 100644
2069--- a/source3/rpc_server/rpc_ncacn_np.c
2070+++ b/source3/rpc_server/rpc_ncacn_np.c
2071@@ -758,7 +758,7 @@ done:
2072 */
2073
2074 NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
2075- const struct ndr_syntax_id *syntax,
2076+ const struct ndr_interface_table *table,
2077 const struct auth_session_info *session_info,
2078 const struct tsocket_address *remote_address,
2079 struct messaging_context *msg_ctx,
2080@@ -783,7 +783,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
2081 return NT_STATUS_NO_MEMORY;
2082 }
2083
2084- pipe_name = get_pipe_name_from_syntax(tmp_ctx, syntax);
2085+ pipe_name = get_pipe_name_from_syntax(tmp_ctx, &table->syntax_id);
2086 if (pipe_name == NULL) {
2087 status = NT_STATUS_INVALID_PARAMETER;
2088 goto done;
2089@@ -800,7 +800,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
2090 switch (pipe_mode) {
2091 case RPC_SERVICE_MODE_EMBEDDED:
2092 status = rpc_pipe_open_internal(tmp_ctx,
2093- syntax, session_info,
2094+ &table->syntax_id, session_info,
2095 remote_address, msg_ctx,
2096 &cli);
2097 if (!NT_STATUS_IS_OK(status)) {
2098@@ -813,7 +813,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
2099 * to spoolssd. */
2100
2101 status = rpc_pipe_open_external(tmp_ctx,
2102- pipe_name, syntax,
2103+ pipe_name, &table->syntax_id,
2104 session_info,
2105 &cli);
2106 if (!NT_STATUS_IS_OK(status)) {
2107diff --git a/source3/rpc_server/rpc_ncacn_np.h b/source3/rpc_server/rpc_ncacn_np.h
2108index 586d61b..67cd8a1 100644
2109--- a/source3/rpc_server/rpc_ncacn_np.h
2110+++ b/source3/rpc_server/rpc_ncacn_np.h
2111@@ -50,7 +50,7 @@ NTSTATUS rpcint_binding_handle(TALLOC_CTX *mem_ctx,
2112 struct messaging_context *msg_ctx,
2113 struct dcerpc_binding_handle **binding_handle);
2114 NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
2115- const struct ndr_syntax_id *syntax,
2116+ const struct ndr_interface_table *table,
2117 const struct auth_session_info *session_info,
2118 const struct tsocket_address *remote_address,
2119 struct messaging_context *msg_ctx,
2120diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
2121index d0dae36..3c488ec 100644
2122--- a/source3/smbd/lanman.c
2123+++ b/source3/smbd/lanman.c
2124@@ -832,7 +832,7 @@ static bool api_DosPrintQGetInfo(struct smbd_server_connection *sconn,
2125 }
2126
2127 status = rpc_pipe_open_interface(conn,
2128- &ndr_table_spoolss.syntax_id,
2129+ &ndr_table_spoolss,
2130 conn->session_info,
2131 conn->sconn->remote_address,
2132 conn->sconn->msg_ctx,
2133@@ -1029,7 +1029,7 @@ static bool api_DosPrintQEnum(struct smbd_server_connection *sconn,
2134 }
2135
2136 status = rpc_pipe_open_interface(conn,
2137- &ndr_table_spoolss.syntax_id,
2138+ &ndr_table_spoolss,
2139 conn->session_info,
2140 conn->sconn->remote_address,
2141 conn->sconn->msg_ctx,
2142@@ -2256,7 +2256,7 @@ static bool api_RNetShareAdd(struct smbd_server_connection *sconn,
2143 return false;
2144 }
2145
2146- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
2147+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
2148 conn->session_info,
2149 conn->sconn->remote_address,
2150 conn->sconn->msg_ctx,
2151@@ -2368,7 +2368,7 @@ static bool api_RNetGroupEnum(struct smbd_server_connection *sconn,
2152 }
2153
2154 status = rpc_pipe_open_interface(
2155- talloc_tos(), &ndr_table_samr.syntax_id,
2156+ talloc_tos(), &ndr_table_samr,
2157 conn->session_info, conn->sconn->remote_address,
2158 conn->sconn->msg_ctx, &samr_pipe);
2159 if (!NT_STATUS_IS_OK(status)) {
2160@@ -2574,7 +2574,7 @@ static bool api_NetUserGetGroups(struct smbd_server_connection *sconn,
2161 endp = *rdata + *rdata_len;
2162
2163 status = rpc_pipe_open_interface(
2164- talloc_tos(), &ndr_table_samr.syntax_id,
2165+ talloc_tos(), &ndr_table_samr,
2166 conn->session_info, conn->sconn->remote_address,
2167 conn->sconn->msg_ctx, &samr_pipe);
2168 if (!NT_STATUS_IS_OK(status)) {
2169@@ -2774,7 +2774,7 @@ static bool api_RNetUserEnum(struct smbd_server_connection *sconn,
2170 endp = *rdata + *rdata_len;
2171
2172 status = rpc_pipe_open_interface(
2173- talloc_tos(), &ndr_table_samr.syntax_id,
2174+ talloc_tos(), &ndr_table_samr,
2175 conn->session_info, conn->sconn->remote_address,
2176 conn->sconn->msg_ctx, &samr_pipe);
2177 if (!NT_STATUS_IS_OK(status)) {
2178@@ -3037,7 +3037,7 @@ static bool api_SamOEMChangePassword(struct smbd_server_connection *sconn,
2179 memcpy(password.data, data, 516);
2180 memcpy(hash.hash, data+516, 16);
2181
2182- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
2183+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
2184 conn->session_info,
2185 conn->sconn->remote_address,
2186 conn->sconn->msg_ctx,
2187@@ -3134,7 +3134,7 @@ static bool api_RDosPrintJobDel(struct smbd_server_connection *sconn,
2188 ZERO_STRUCT(handle);
2189
2190 status = rpc_pipe_open_interface(conn,
2191- &ndr_table_spoolss.syntax_id,
2192+ &ndr_table_spoolss,
2193 conn->session_info,
2194 conn->sconn->remote_address,
2195 conn->sconn->msg_ctx,
2196@@ -3262,7 +3262,7 @@ static bool api_WPrintQueueCtrl(struct smbd_server_connection *sconn,
2197 ZERO_STRUCT(handle);
2198
2199 status = rpc_pipe_open_interface(conn,
2200- &ndr_table_spoolss.syntax_id,
2201+ &ndr_table_spoolss,
2202 conn->session_info,
2203 conn->sconn->remote_address,
2204 conn->sconn->msg_ctx,
2205@@ -3444,7 +3444,7 @@ static bool api_PrintJobInfo(struct smbd_server_connection *sconn,
2206 ZERO_STRUCT(handle);
2207
2208 status = rpc_pipe_open_interface(conn,
2209- &ndr_table_spoolss.syntax_id,
2210+ &ndr_table_spoolss,
2211 conn->session_info,
2212 conn->sconn->remote_address,
2213 conn->sconn->msg_ctx,
2214@@ -3621,7 +3621,7 @@ static bool api_RNetServerGetInfo(struct smbd_server_connection *sconn,
2215 p = *rdata;
2216 p2 = p + struct_len;
2217
2218- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
2219+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
2220 conn->session_info,
2221 conn->sconn->remote_address,
2222 conn->sconn->msg_ctx,
2223@@ -4052,7 +4052,7 @@ static bool api_RNetUserGetInfo(struct smbd_server_connection *sconn,
2224 ZERO_STRUCT(domain_handle);
2225 ZERO_STRUCT(user_handle);
2226
2227- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
2228+ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
2229 conn->session_info,
2230 conn->sconn->remote_address,
2231 conn->sconn->msg_ctx,
2232@@ -4581,7 +4581,7 @@ static bool api_WPrintJobGetInfo(struct smbd_server_connection *sconn,
2233 ZERO_STRUCT(handle);
2234
2235 status = rpc_pipe_open_interface(conn,
2236- &ndr_table_spoolss.syntax_id,
2237+ &ndr_table_spoolss,
2238 conn->session_info,
2239 conn->sconn->remote_address,
2240 conn->sconn->msg_ctx,
2241@@ -4723,7 +4723,7 @@ static bool api_WPrintJobEnumerate(struct smbd_server_connection *sconn,
2242 ZERO_STRUCT(handle);
2243
2244 status = rpc_pipe_open_interface(conn,
2245- &ndr_table_spoolss.syntax_id,
2246+ &ndr_table_spoolss,
2247 conn->session_info,
2248 conn->sconn->remote_address,
2249 conn->sconn->msg_ctx,
2250@@ -4923,7 +4923,7 @@ static bool api_WPrintDestGetInfo(struct smbd_server_connection *sconn,
2251 ZERO_STRUCT(handle);
2252
2253 status = rpc_pipe_open_interface(conn,
2254- &ndr_table_spoolss.syntax_id,
2255+ &ndr_table_spoolss,
2256 conn->session_info,
2257 conn->sconn->remote_address,
2258 conn->sconn->msg_ctx,
2259@@ -5055,7 +5055,7 @@ static bool api_WPrintDestEnum(struct smbd_server_connection *sconn,
2260 queuecnt = 0;
2261
2262 status = rpc_pipe_open_interface(conn,
2263- &ndr_table_spoolss.syntax_id,
2264+ &ndr_table_spoolss,
2265 conn->session_info,
2266 conn->sconn->remote_address,
2267 conn->sconn->msg_ctx,
2268@@ -5366,7 +5366,7 @@ static bool api_RNetSessionEnum(struct smbd_server_connection *sconn,
2269 }
2270
2271 status = rpc_pipe_open_interface(conn,
2272- &ndr_table_srvsvc.syntax_id,
2273+ &ndr_table_srvsvc,
2274 conn->session_info,
2275 conn->sconn->remote_address,
2276 conn->sconn->msg_ctx,
2277diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
2278index 3f5b950..eace557 100644
2279--- a/source3/smbd/reply.c
2280+++ b/source3/smbd/reply.c
2281@@ -5637,7 +5637,7 @@ void reply_printqueue(struct smb_request *req)
2282 ZERO_STRUCT(handle);
2283
2284 status = rpc_pipe_open_interface(conn,
2285- &ndr_table_spoolss.syntax_id,
2286+ &ndr_table_spoolss,
2287 conn->session_info,
2288 conn->sconn->remote_address,
2289 conn->sconn->msg_ctx,
2290--
22911.9.3
2292
2293
2294From 3dc2d438f0b440f34b7cdd9eeac429a15f679460 Mon Sep 17 00:00:00 2001
2295From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
2296Date: Fri, 24 May 2013 13:03:23 +0200
2297Subject: [PATCH 023/249] s3-rpc_cli: pass down ndr_interface_table to
2298 cli_rpc_pipe_open_schannel().
2299MIME-Version: 1.0
2300Content-Type: text/plain; charset=UTF-8
2301Content-Transfer-Encoding: 8bit
2302
2303Guenther
2304
2305Signed-off-by: Günther Deschner <gd@samba.org>
2306Reviewed-by: Stefan Metzmacher <metze@samba.org>
2307Reviewed-by: Andreas Schneider <asn@samba.org>
2308(cherry picked from commit f6d61b571d79ebf1df58513ec728057d00b95f3e)
2309---
2310 source3/auth/auth_domain.c | 2 +-
2311 source3/rpc_client/cli_pipe.h | 2 +-
2312 source3/rpc_client/cli_pipe_schannel.c | 4 ++--
2313 source3/rpcclient/rpcclient.c | 2 +-
2314 source3/utils/net_rpc.c | 2 +-
2315 5 files changed, 6 insertions(+), 6 deletions(-)
2316
2317diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
2318index 286c75c..a375f11 100644
2319--- a/source3/auth/auth_domain.c
2320+++ b/source3/auth/auth_domain.c
2321@@ -115,7 +115,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
2322 if (lp_client_schannel()) {
2323 /* We also setup the creds chain in the open_schannel call. */
2324 result = cli_rpc_pipe_open_schannel(
2325- *cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
2326+ *cli, &ndr_table_netlogon, NCACN_NP,
2327 DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
2328 } else {
2329 result = cli_rpc_pipe_open_noauth(
2330diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
2331index 3415db0..d17322a 100644
2332--- a/source3/rpc_client/cli_pipe.h
2333+++ b/source3/rpc_client/cli_pipe.h
2334@@ -125,7 +125,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
2335 struct rpc_pipe_client **presult);
2336
2337 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
2338- const struct ndr_syntax_id *interface,
2339+ const struct ndr_interface_table *table,
2340 enum dcerpc_transport_t transport,
2341 enum dcerpc_AuthLevel auth_level,
2342 const char *domain,
2343diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
2344index c275720..8bc01a5 100644
2345--- a/source3/rpc_client/cli_pipe_schannel.c
2346+++ b/source3/rpc_client/cli_pipe_schannel.c
2347@@ -169,7 +169,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
2348 ****************************************************************************/
2349
2350 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
2351- const struct ndr_syntax_id *interface,
2352+ const struct ndr_interface_table *table,
2353 enum dcerpc_transport_t transport,
2354 enum dcerpc_AuthLevel auth_level,
2355 const char *domain,
2356@@ -190,7 +190,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
2357 }
2358
2359 status = cli_rpc_pipe_open_schannel_with_key(
2360- cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
2361+ cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
2362 &result);
2363
2364 /* Now we've bound using the session key we can close the netlog pipe. */
2365diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
2366index d204d7f..6b6478e 100644
2367--- a/source3/rpcclient/rpcclient.c
2368+++ b/source3/rpcclient/rpcclient.c
2369@@ -734,7 +734,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
2370 break;
2371 case DCERPC_AUTH_TYPE_SCHANNEL:
2372 ntresult = cli_rpc_pipe_open_schannel(
2373- cli, &cmd_entry->table->syntax_id,
2374+ cli, cmd_entry->table,
2375 default_transport,
2376 pipe_default_auth_level,
2377 get_cmdline_auth_info_domain(auth_info),
2378diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
2379index 4503f59..dab9fcd 100644
2380--- a/source3/utils/net_rpc.c
2381+++ b/source3/utils/net_rpc.c
2382@@ -191,7 +191,7 @@ int run_rpc_command(struct net_context *c,
2383 &ndr_table_netlogon.syntax_id))) {
2384 /* Always try and create an schannel netlogon pipe. */
2385 nt_status = cli_rpc_pipe_open_schannel(
2386- cli, &table->syntax_id, NCACN_NP,
2387+ cli, table, NCACN_NP,
2388 DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
2389 &pipe_hnd);
2390 if (!NT_STATUS_IS_OK(nt_status)) {
2391--
23921.9.3
2393
2394
2395From 428596faf89f424c83edb86d45c5a1322e3fb6b5 Mon Sep 17 00:00:00 2001
2396From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
2397Date: Fri, 24 May 2013 13:08:33 +0200
2398Subject: [PATCH 024/249] s3-rpc_cli: pass down ndr_interface_table to
2399 cli_rpc_pipe_open_ntlmssp_auth_schannel().
2400MIME-Version: 1.0
2401Content-Type: text/plain; charset=UTF-8
2402Content-Transfer-Encoding: 8bit
2403
2404Guenther
2405
2406Signed-off-by: Günther Deschner <gd@samba.org>
2407Reviewed-by: Stefan Metzmacher <metze@samba.org>
2408Reviewed-by: Andreas Schneider <asn@samba.org>
2409(cherry picked from commit 7f169474fc86479abe09a5716b8029c6febcfaa9)
2410---
2411 source3/rpc_client/cli_pipe.h | 2 +-
2412 source3/rpc_client/cli_pipe_schannel.c | 4 ++--
2413 2 files changed, 3 insertions(+), 3 deletions(-)
2414
2415diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
2416index d17322a..7026692 100644
2417--- a/source3/rpc_client/cli_pipe.h
2418+++ b/source3/rpc_client/cli_pipe.h
2419@@ -116,7 +116,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
2420 struct rpc_pipe_client **presult);
2421
2422 NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
2423- const struct ndr_syntax_id *interface,
2424+ const struct ndr_interface_table *table,
2425 enum dcerpc_transport_t transport,
2426 enum dcerpc_AuthLevel auth_level,
2427 const char *domain,
2428diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
2429index 8bc01a5..261a768 100644
2430--- a/source3/rpc_client/cli_pipe_schannel.c
2431+++ b/source3/rpc_client/cli_pipe_schannel.c
2432@@ -128,7 +128,7 @@ static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
2433 ****************************************************************************/
2434
2435 NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
2436- const struct ndr_syntax_id *interface,
2437+ const struct ndr_interface_table *table,
2438 enum dcerpc_transport_t transport,
2439 enum dcerpc_AuthLevel auth_level,
2440 const char *domain,
2441@@ -151,7 +151,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
2442 }
2443
2444 status = cli_rpc_pipe_open_schannel_with_key(
2445- cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
2446+ cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
2447 &result);
2448
2449 /* Now we've bound using the session key we can close the netlog pipe. */
2450--
24511.9.3
2452
2453
2454From cda31f4e490942ffc89513f000fa147f535a2713 Mon Sep 17 00:00:00 2001
2455From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
2456Date: Fri, 24 May 2013 13:17:24 +0200
2457Subject: [PATCH 025/249] s3-rpc_cli: pass down ndr_interface_table to
2458 cli_rpc_pipe_open_schannel_with_key().
2459MIME-Version: 1.0
2460Content-Type: text/plain; charset=UTF-8
2461Content-Transfer-Encoding: 8bit
2462
2463Guenther
2464
2465Signed-off-by: Günther Deschner <gd@samba.org>
2466Reviewed-by: Stefan Metzmacher <metze@samba.org>
2467Reviewed-by: Andreas Schneider <asn@samba.org>
2468(cherry picked from commit 3dc3a6c8483a8de22b483ecf164c81232d4a8d65)
2469---
2470 source3/libnet/libnet_join.c | 2 +-
2471 source3/rpc_client/cli_pipe.c | 6 +++---
2472 source3/rpc_client/cli_pipe.h | 2 +-
2473 source3/rpc_client/cli_pipe_schannel.c | 4 ++--
2474 source3/utils/net_rpc_join.c | 4 ++--
2475 source3/winbindd/winbindd_cm.c | 8 ++++----
2476 6 files changed, 13 insertions(+), 13 deletions(-)
2477
2478diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
2479index 1418385..9f47f3b 100644
2480--- a/source3/libnet/libnet_join.c
2481+++ b/source3/libnet/libnet_join.c
2482@@ -1287,7 +1287,7 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
2483 }
2484
2485 status = cli_rpc_pipe_open_schannel_with_key(
2486- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
2487+ cli, &ndr_table_netlogon, NCACN_NP,
2488 DCERPC_AUTH_LEVEL_PRIVACY,
2489 netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
2490
2491diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
2492index 427b628..34cef32 100644
2493--- a/source3/rpc_client/cli_pipe.c
2494+++ b/source3/rpc_client/cli_pipe.c
2495@@ -3022,7 +3022,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
2496 ****************************************************************************/
2497
2498 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
2499- const struct ndr_syntax_id *interface,
2500+ const struct ndr_interface_table *table,
2501 enum dcerpc_transport_t transport,
2502 enum dcerpc_AuthLevel auth_level,
2503 const char *domain,
2504@@ -3033,7 +3033,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
2505 struct pipe_auth_data *auth;
2506 NTSTATUS status;
2507
2508- status = cli_rpc_pipe_open(cli, transport, interface, &result);
2509+ status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
2510 if (!NT_STATUS_IS_OK(status)) {
2511 return status;
2512 }
2513@@ -3070,7 +3070,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
2514
2515 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
2516 "for domain %s and bound using schannel.\n",
2517- get_pipe_name_from_syntax(talloc_tos(), interface),
2518+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
2519 result->desthost, domain));
2520
2521 *presult = result;
2522diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
2523index 7026692..65bfbc8 100644
2524--- a/source3/rpc_client/cli_pipe.h
2525+++ b/source3/rpc_client/cli_pipe.h
2526@@ -108,7 +108,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
2527 struct rpc_pipe_client **presult);
2528
2529 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
2530- const struct ndr_syntax_id *interface,
2531+ const struct ndr_interface_table *table,
2532 enum dcerpc_transport_t transport,
2533 enum dcerpc_AuthLevel auth_level,
2534 const char *domain,
2535diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
2536index 261a768..784e63f 100644
2537--- a/source3/rpc_client/cli_pipe_schannel.c
2538+++ b/source3/rpc_client/cli_pipe_schannel.c
2539@@ -151,7 +151,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
2540 }
2541
2542 status = cli_rpc_pipe_open_schannel_with_key(
2543- cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
2544+ cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
2545 &result);
2546
2547 /* Now we've bound using the session key we can close the netlog pipe. */
2548@@ -190,7 +190,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
2549 }
2550
2551 status = cli_rpc_pipe_open_schannel_with_key(
2552- cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
2553+ cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
2554 &result);
2555
2556 /* Now we've bound using the session key we can close the netlog pipe. */
2557diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
2558index 56799cd..4b43769 100644
2559--- a/source3/utils/net_rpc_join.c
2560+++ b/source3/utils/net_rpc_join.c
2561@@ -137,7 +137,7 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
2562 }
2563
2564 ntret = cli_rpc_pipe_open_schannel_with_key(
2565- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
2566+ cli, &ndr_table_netlogon, NCACN_NP,
2567 DCERPC_AUTH_LEVEL_PRIVACY,
2568 domain, &netlogon_pipe->dc, &pipe_hnd);
2569
2570@@ -497,7 +497,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
2571 struct rpc_pipe_client *netlogon_schannel_pipe;
2572
2573 status = cli_rpc_pipe_open_schannel_with_key(
2574- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
2575+ cli, &ndr_table_netlogon, NCACN_NP,
2576 DCERPC_AUTH_LEVEL_PRIVACY, domain, &pipe_hnd->dc,
2577 &netlogon_schannel_pipe);
2578
2579diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
2580index 61917db..f17fc68 100644
2581--- a/source3/winbindd/winbindd_cm.c
2582+++ b/source3/winbindd/winbindd_cm.c
2583@@ -2415,7 +2415,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2584 goto anonymous;
2585 }
2586 status = cli_rpc_pipe_open_schannel_with_key
2587- (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP,
2588+ (conn->cli, &ndr_table_samr, NCACN_NP,
2589 DCERPC_AUTH_LEVEL_PRIVACY,
2590 domain->name, &p_creds, &conn->samr_pipe);
2591
2592@@ -2547,7 +2547,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
2593 }
2594
2595 status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
2596- &ndr_table_lsarpc.syntax_id,
2597+ &ndr_table_lsarpc,
2598 NCACN_IP_TCP,
2599 DCERPC_AUTH_LEVEL_PRIVACY,
2600 domain->name,
2601@@ -2646,7 +2646,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
2602 goto anonymous;
2603 }
2604 result = cli_rpc_pipe_open_schannel_with_key
2605- (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
2606+ (conn->cli, &ndr_table_lsarpc, NCACN_NP,
2607 DCERPC_AUTH_LEVEL_PRIVACY,
2608 domain->name, &p_creds, &conn->lsa_pipe);
2609
2610@@ -2831,7 +2831,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
2611 */
2612
2613 result = cli_rpc_pipe_open_schannel_with_key(
2614- conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
2615+ conn->cli, &ndr_table_netlogon, NCACN_NP,
2616 DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
2617 &conn->netlogon_pipe);
2618
2619--
26201.9.3
2621
2622
2623From 9b569e91cd22806eedae76d3fb60cdbd7548e4c2 Mon Sep 17 00:00:00 2001
2624From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
2625Date: Fri, 24 May 2013 13:29:28 +0200
2626Subject: [PATCH 026/249] s3-rpc_cli: pass down ndr_interface_table to
2627 cli_rpc_pipe_open_noauth().
2628MIME-Version: 1.0
2629Content-Type: text/plain; charset=UTF-8
2630Content-Transfer-Encoding: 8bit
2631
2632Guenther
2633
2634Signed-off-by: Günther Deschner <gd@samba.org>
2635Reviewed-by: Stefan Metzmacher <metze@samba.org>
2636Reviewed-by: Andreas Schneider <asn@samba.org>
2637(cherry picked from commit 9813fe2b04a5b4abaa95ea1d893b3803edbede4d)
2638---
2639 source3/auth/auth_domain.c | 2 +-
2640 source3/client/client.c | 2 +-
2641 source3/lib/netapi/cm.c | 2 +-
2642 source3/libnet/libnet_join.c | 8 ++++----
2643 source3/libsmb/libsmb_dir.c | 2 +-
2644 source3/libsmb/libsmb_server.c | 2 +-
2645 source3/libsmb/passchange.c | 4 ++--
2646 source3/libsmb/trustdom_cache.c | 2 +-
2647 source3/libsmb/trusts_util.c | 2 +-
2648 source3/rpc_client/cli_pipe.c | 4 ++--
2649 source3/rpc_client/cli_pipe.h | 2 +-
2650 source3/rpc_client/cli_pipe_schannel.c | 2 +-
2651 source3/rpc_server/spoolss/srv_spoolss_nt.c | 2 +-
2652 source3/rpcclient/cmd_spoolss.c | 2 +-
2653 source3/rpcclient/cmd_test.c | 4 ++--
2654 source3/rpcclient/rpcclient.c | 2 +-
2655 source3/torture/test_async_echo.c | 2 +-
2656 source3/utils/net_ads.c | 2 +-
2657 source3/utils/net_rpc.c | 20 ++++++++++----------
2658 source3/utils/net_rpc_join.c | 6 +++---
2659 source3/utils/net_rpc_shell.c | 2 +-
2660 source3/utils/net_rpc_trust.c | 2 +-
2661 source3/utils/net_util.c | 8 ++++----
2662 source3/utils/netlookup.c | 2 +-
2663 source3/utils/smbcacls.c | 7 +++----
2664 source3/utils/smbcquotas.c | 2 +-
2665 source3/utils/smbtree.c | 2 +-
2666 source3/winbindd/winbindd_cm.c | 10 +++++-----
2667 28 files changed, 54 insertions(+), 55 deletions(-)
2668
2669diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
2670index a375f11..54ee5a1 100644
2671--- a/source3/auth/auth_domain.c
2672+++ b/source3/auth/auth_domain.c
2673@@ -119,7 +119,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
2674 DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
2675 } else {
2676 result = cli_rpc_pipe_open_noauth(
2677- *cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
2678+ *cli, &ndr_table_netlogon, &netlogon_pipe);
2679 }
2680
2681 if (!NT_STATUS_IS_OK(result)) {
2682diff --git a/source3/client/client.c b/source3/client/client.c
2683index ab46cb8..dafc5f0 100644
2684--- a/source3/client/client.c
2685+++ b/source3/client/client.c
2686@@ -4227,7 +4227,7 @@ static bool browse_host_rpc(bool sort)
2687 int i;
2688 struct dcerpc_binding_handle *b;
2689
2690- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
2691+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
2692 &pipe_hnd);
2693
2694 if (!NT_STATUS_IS_OK(status)) {
2695diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
2696index 8551521..1cfdccf 100644
2697--- a/source3/lib/netapi/cm.c
2698+++ b/source3/lib/netapi/cm.c
2699@@ -202,7 +202,7 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
2700 return NT_STATUS_NO_MEMORY;
2701 }
2702
2703- status = cli_rpc_pipe_open_noauth(ipc->cli, &table->syntax_id, &p->pipe);
2704+ status = cli_rpc_pipe_open_noauth(ipc->cli, table, &p->pipe);
2705 if (!NT_STATUS_IS_OK(status)) {
2706 TALLOC_FREE(p);
2707 return status;
2708diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
2709index 9f47f3b..324c8f3 100644
2710--- a/source3/libnet/libnet_join.c
2711+++ b/source3/libnet/libnet_join.c
2712@@ -749,7 +749,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
2713 goto done;
2714 }
2715
2716- status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id,
2717+ status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc,
2718 &pipe_hnd);
2719 if (!NT_STATUS_IS_OK(status)) {
2720 DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
2721@@ -819,7 +819,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
2722 fstring trust_passwd;
2723 NTSTATUS status;
2724
2725- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
2726+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
2727 &pipe_hnd);
2728 if (!NT_STATUS_IS_OK(status)) {
2729 return status;
2730@@ -908,7 +908,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
2731
2732 /* Open the domain */
2733
2734- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
2735+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
2736 &pipe_hnd);
2737 if (!NT_STATUS_IS_OK(status)) {
2738 DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
2739@@ -1377,7 +1377,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
2740
2741 /* Open the domain */
2742
2743- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
2744+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
2745 &pipe_hnd);
2746 if (!NT_STATUS_IS_OK(status)) {
2747 DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
2748diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
2749index 87e10d8..3a07f11 100644
2750--- a/source3/libsmb/libsmb_dir.c
2751+++ b/source3/libsmb/libsmb_dir.c
2752@@ -277,7 +277,7 @@ net_share_enum_rpc(struct cli_state *cli,
2753 struct dcerpc_binding_handle *b;
2754
2755 /* Open the server service pipe */
2756- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
2757+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
2758 &pipe_hnd);
2759 if (!NT_STATUS_IS_OK(nt_status)) {
2760 DEBUG(1, ("net_share_enum_rpc pipe open fail!\n"));
2761diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
2762index d4254da..dff0062 100644
2763--- a/source3/libsmb/libsmb_server.c
2764+++ b/source3/libsmb/libsmb_server.c
2765@@ -802,7 +802,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
2766 ipc_srv->cli = ipc_cli;
2767
2768 nt_status = cli_rpc_pipe_open_noauth(
2769- ipc_srv->cli, &ndr_table_lsarpc.syntax_id, &pipe_hnd);
2770+ ipc_srv->cli, &ndr_table_lsarpc, &pipe_hnd);
2771 if (!NT_STATUS_IS_OK(nt_status)) {
2772 DEBUG(1, ("cli_nt_session_open fail!\n"));
2773 errno = ENOTSUP;
2774diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
2775index 3933833..9736ada 100644
2776--- a/source3/libsmb/passchange.c
2777+++ b/source3/libsmb/passchange.c
2778@@ -169,7 +169,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
2779 * way.
2780 */
2781 result = cli_rpc_pipe_open_noauth(
2782- cli, &ndr_table_samr.syntax_id, &pipe_hnd);
2783+ cli, &ndr_table_samr, &pipe_hnd);
2784 }
2785
2786 if (!NT_STATUS_IS_OK(result)) {
2787@@ -230,7 +230,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
2788 result = NT_STATUS_UNSUCCESSFUL;
2789
2790 /* OK, this is ugly, but... try an anonymous pipe. */
2791- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
2792+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
2793 &pipe_hnd);
2794
2795 if ( NT_STATUS_IS_OK(result) &&
2796diff --git a/source3/libsmb/trustdom_cache.c b/source3/libsmb/trustdom_cache.c
2797index 8789d30..dadc751 100644
2798--- a/source3/libsmb/trustdom_cache.c
2799+++ b/source3/libsmb/trustdom_cache.c
2800@@ -289,7 +289,7 @@ static bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
2801
2802 /* open the LSARPC_PIPE */
2803
2804- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
2805+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
2806 &lsa_pipe);
2807 if (!NT_STATUS_IS_OK(status)) {
2808 goto done;
2809diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
2810index 0d039bc..6156ba0 100644
2811--- a/source3/libsmb/trusts_util.c
2812+++ b/source3/libsmb/trusts_util.c
2813@@ -182,7 +182,7 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
2814 /* Shouldn't we open this with schannel ? JRA. */
2815
2816 nt_status = cli_rpc_pipe_open_noauth(
2817- cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
2818+ cli, &ndr_table_netlogon, &netlogon_pipe);
2819 if (!NT_STATUS_IS_OK(nt_status)) {
2820 DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
2821 dc_name, nt_errstr(nt_status)));
2822diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
2823index 34cef32..1137abd 100644
2824--- a/source3/rpc_client/cli_pipe.c
2825+++ b/source3/rpc_client/cli_pipe.c
2826@@ -2948,11 +2948,11 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
2827 ****************************************************************************/
2828
2829 NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
2830- const struct ndr_syntax_id *interface,
2831+ const struct ndr_interface_table *table,
2832 struct rpc_pipe_client **presult)
2833 {
2834 return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
2835- interface, presult);
2836+ &table->syntax_id, presult);
2837 }
2838
2839 /****************************************************************************
2840diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
2841index 65bfbc8..9aae61a 100644
2842--- a/source3/rpc_client/cli_pipe.h
2843+++ b/source3/rpc_client/cli_pipe.h
2844@@ -77,7 +77,7 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
2845 struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c);
2846
2847 NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
2848- const struct ndr_syntax_id *interface,
2849+ const struct ndr_interface_table *table,
2850 struct rpc_pipe_client **presult);
2851
2852 NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
2853diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
2854index 784e63f..bc672ef 100644
2855--- a/source3/rpc_client/cli_pipe_schannel.c
2856+++ b/source3/rpc_client/cli_pipe_schannel.c
2857@@ -217,7 +217,7 @@ NTSTATUS get_schannel_session_key(struct cli_state *cli,
2858 struct rpc_pipe_client *netlogon_pipe = NULL;
2859 NTSTATUS status;
2860
2861- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
2862+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
2863 &netlogon_pipe);
2864 if (!NT_STATUS_IS_OK(status)) {
2865 return status;
2866diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
2867index 335647b..c12cd05 100644
2868--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
2869+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
2870@@ -2504,7 +2504,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe,
2871 * Now start the NT Domain stuff :-).
2872 */
2873
2874- ret = cli_rpc_pipe_open_noauth(the_cli, &ndr_table_spoolss.syntax_id, pp_pipe);
2875+ ret = cli_rpc_pipe_open_noauth(the_cli, &ndr_table_spoolss, pp_pipe);
2876 if (!NT_STATUS_IS_OK(ret)) {
2877 DEBUG(2,("spoolss_connect_to_client: unable to open the spoolss pipe on machine %s. Error was : %s.\n",
2878 remote_machine, nt_errstr(ret)));
2879diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
2880index 5c499d4..fb011f8 100644
2881--- a/source3/rpcclient/cmd_spoolss.c
2882+++ b/source3/rpcclient/cmd_spoolss.c
2883@@ -3453,7 +3453,7 @@ static WERROR cmd_spoolss_printercmp(struct rpc_pipe_client *cli,
2884 if ( !NT_STATUS_IS_OK(nt_status) )
2885 return WERR_GENERAL_FAILURE;
2886
2887- nt_status = cli_rpc_pipe_open_noauth(cli_server2, &ndr_table_spoolss.syntax_id,
2888+ nt_status = cli_rpc_pipe_open_noauth(cli_server2, &ndr_table_spoolss,
2889 &cli2);
2890 if (!NT_STATUS_IS_OK(nt_status)) {
2891 printf("failed to open spoolss pipe on server %s (%s)\n",
2892diff --git a/source3/rpcclient/cmd_test.c b/source3/rpcclient/cmd_test.c
2893index 591ae8c..367dc71 100644
2894--- a/source3/rpcclient/cmd_test.c
2895+++ b/source3/rpcclient/cmd_test.c
2896@@ -36,14 +36,14 @@ static NTSTATUS cmd_testme(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
2897 d_printf("testme\n");
2898
2899 status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
2900- &ndr_table_lsarpc.syntax_id,
2901+ &ndr_table_lsarpc,
2902 &lsa_pipe);
2903 if (!NT_STATUS_IS_OK(status)) {
2904 goto done;
2905 }
2906
2907 status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
2908- &ndr_table_samr.syntax_id,
2909+ &ndr_table_samr,
2910 &samr_pipe);
2911 if (!NT_STATUS_IS_OK(status)) {
2912 goto done;
2913diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
2914index 6b6478e..e3b35bb 100644
2915--- a/source3/rpcclient/rpcclient.c
2916+++ b/source3/rpcclient/rpcclient.c
2917@@ -167,7 +167,7 @@ static void fetch_machine_sid(struct cli_state *cli)
2918 goto error;
2919 }
2920
2921- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
2922+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
2923 &lsapipe);
2924 if (!NT_STATUS_IS_OK(result)) {
2925 fprintf(stderr, "could not initialise lsa pipe. Error was %s\n", nt_errstr(result) );
2926diff --git a/source3/torture/test_async_echo.c b/source3/torture/test_async_echo.c
2927index 6df95dd..f21daa4 100644
2928--- a/source3/torture/test_async_echo.c
2929+++ b/source3/torture/test_async_echo.c
2930@@ -82,7 +82,7 @@ bool run_async_echo(int dummy)
2931 printf("torture_open_connection failed\n");
2932 goto fail;
2933 }
2934- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_rpcecho.syntax_id,
2935+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_rpcecho,
2936 &p);
2937 if (!NT_STATUS_IS_OK(status)) {
2938 printf("Could not open echo pipe: %s\n", nt_errstr(status));
2939diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
2940index 5699943..89eebf3 100644
2941--- a/source3/utils/net_ads.c
2942+++ b/source3/utils/net_ads.c
2943@@ -1957,7 +1957,7 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
2944 SAFE_FREE(srv_cn_escaped);
2945 SAFE_FREE(printername_escaped);
2946
2947- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
2948+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss, &pipe_hnd);
2949 if (!NT_STATUS_IS_OK(nt_status)) {
2950 d_fprintf(stderr, _("Unable to open a connection to the spoolss pipe on %s\n"),
2951 servername);
2952diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
2953index dab9fcd..69ff14d 100644
2954--- a/source3/utils/net_rpc.c
2955+++ b/source3/utils/net_rpc.c
2956@@ -82,7 +82,7 @@ NTSTATUS net_get_remote_domain_sid(struct cli_state *cli, TALLOC_CTX *mem_ctx,
2957 union lsa_PolicyInformation *info = NULL;
2958 struct dcerpc_binding_handle *b;
2959
2960- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
2961+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
2962 &lsa_pipe);
2963 if (!NT_STATUS_IS_OK(status)) {
2964 d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
2965@@ -212,7 +212,7 @@ int run_rpc_command(struct net_context *c,
2966 c->opt_password, &pipe_hnd);
2967 } else {
2968 nt_status = cli_rpc_pipe_open_noauth(
2969- cli, &table->syntax_id,
2970+ cli, table,
2971 &pipe_hnd);
2972 }
2973 if (!NT_STATUS_IS_OK(nt_status)) {
2974@@ -348,7 +348,7 @@ static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
2975 NTSTATUS result;
2976 enum netr_SchannelType sec_channel_type;
2977
2978- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
2979+ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
2980 &pipe_hnd);
2981 if (!NT_STATUS_IS_OK(result)) {
2982 DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
2983@@ -1966,7 +1966,7 @@ static NTSTATUS get_sid_from_name(struct cli_state *cli,
2984 NTSTATUS status, result;
2985 struct dcerpc_binding_handle *b;
2986
2987- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
2988+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
2989 &pipe_hnd);
2990 if (!NT_STATUS_IS_OK(status)) {
2991 goto done;
2992@@ -2980,7 +2980,7 @@ static NTSTATUS rpc_list_alias_members(struct net_context *c,
2993 }
2994
2995 result = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(pipe_hnd),
2996- &ndr_table_lsarpc.syntax_id,
2997+ &ndr_table_lsarpc,
2998 &lsa_pipe);
2999 if (!NT_STATUS_IS_OK(result)) {
3000 d_fprintf(stderr, _("Couldn't open LSA pipe. Error was %s\n"),
3001@@ -6232,7 +6232,7 @@ static NTSTATUS rpc_trustdom_get_pdc(struct net_context *c,
3002
3003 /* Try netr_GetDcName */
3004
3005- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
3006+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
3007 &netr);
3008 if (!NT_STATUS_IS_OK(status)) {
3009 return status;
3010@@ -6379,7 +6379,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc,
3011 * Call LsaOpenPolicy and LsaQueryInfo
3012 */
3013
3014- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
3015+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
3016 &pipe_hnd);
3017 if (!NT_STATUS_IS_OK(nt_status)) {
3018 DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) ));
3019@@ -6656,7 +6656,7 @@ static int rpc_trustdom_vampire(struct net_context *c, int argc,
3020 return -1;
3021 };
3022
3023- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
3024+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
3025 &pipe_hnd);
3026 if (!NT_STATUS_IS_OK(nt_status)) {
3027 DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
3028@@ -6834,7 +6834,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
3029 return -1;
3030 };
3031
3032- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
3033+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
3034 &pipe_hnd);
3035 if (!NT_STATUS_IS_OK(nt_status)) {
3036 DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
3037@@ -6950,7 +6950,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
3038 /*
3039 * Open \PIPE\samr and get needed policy handles
3040 */
3041- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
3042+ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
3043 &pipe_hnd);
3044 if (!NT_STATUS_IS_OK(nt_status)) {
3045 DEBUG(0, ("Could not initialise samr pipe. Error was %s\n", nt_errstr(nt_status)));
3046diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
3047index 4b43769..aabbe54 100644
3048--- a/source3/utils/net_rpc_join.c
3049+++ b/source3/utils/net_rpc_join.c
3050@@ -245,7 +245,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
3051
3052 /* Fetch domain sid */
3053
3054- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
3055+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
3056 &pipe_hnd);
3057 if (!NT_STATUS_IS_OK(status)) {
3058 DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
3059@@ -280,7 +280,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
3060 }
3061
3062 /* Create domain user */
3063- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
3064+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
3065 &pipe_hnd);
3066 if (!NT_STATUS_IS_OK(status)) {
3067 DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
3068@@ -456,7 +456,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
3069
3070 /* Now check the whole process from top-to-bottom */
3071
3072- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
3073+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
3074 &pipe_hnd);
3075 if (!NT_STATUS_IS_OK(status)) {
3076 DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n",
3077diff --git a/source3/utils/net_rpc_shell.c b/source3/utils/net_rpc_shell.c
3078index 6086066..120cfa6 100644
3079--- a/source3/utils/net_rpc_shell.c
3080+++ b/source3/utils/net_rpc_shell.c
3081@@ -85,7 +85,7 @@ static NTSTATUS net_sh_run(struct net_context *c,
3082 return NT_STATUS_NO_MEMORY;
3083 }
3084
3085- status = cli_rpc_pipe_open_noauth(ctx->cli, &cmd->table->syntax_id,
3086+ status = cli_rpc_pipe_open_noauth(ctx->cli, cmd->table,
3087 &pipe_hnd);
3088 if (!NT_STATUS_IS_OK(status)) {
3089 d_fprintf(stderr, _("Could not open pipe: %s\n"),
3090diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c
3091index 9060700..5e58103 100644
3092--- a/source3/utils/net_rpc_trust.c
3093+++ b/source3/utils/net_rpc_trust.c
3094@@ -210,7 +210,7 @@ static NTSTATUS connect_and_get_info(TALLOC_CTX *mem_ctx,
3095 return status;
3096 }
3097
3098- status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id, pipe_hnd);
3099+ status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc, pipe_hnd);
3100 if (!NT_STATUS_IS_OK(status)) {
3101 DEBUG(0, ("Failed to initialise lsa pipe with error [%s]\n",
3102 nt_errstr(status)));
3103diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
3104index a4282ec..13a0ef1 100644
3105--- a/source3/utils/net_util.c
3106+++ b/source3/utils/net_util.c
3107@@ -45,7 +45,7 @@ NTSTATUS net_rpc_lookup_name(struct net_context *c,
3108
3109 ZERO_STRUCT(pol);
3110
3111- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
3112+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
3113 &lsa_pipe);
3114 if (!NT_STATUS_IS_OK(status)) {
3115 d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
3116@@ -256,7 +256,7 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
3117 return nt_status;
3118 }
3119
3120- nt_status = cli_rpc_pipe_open_noauth(cli_tmp, &table->syntax_id,
3121+ nt_status = cli_rpc_pipe_open_noauth(cli_tmp, table,
3122 &pipe_hnd);
3123 if (!NT_STATUS_IS_OK(nt_status)) {
3124 DEBUG(0, ("couldn't not initialize pipe\n"));
3125@@ -571,7 +571,7 @@ static NTSTATUS net_scan_dc_noad(struct net_context *c,
3126 ZERO_STRUCTP(dc_info);
3127 ZERO_STRUCT(pol);
3128
3129- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
3130+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
3131 &pipe_hnd);
3132 if (!NT_STATUS_IS_OK(status)) {
3133 return status;
3134@@ -634,7 +634,7 @@ NTSTATUS net_scan_dc(struct net_context *c,
3135
3136 ZERO_STRUCTP(dc_info);
3137
3138- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup.syntax_id,
3139+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup,
3140 &dssetup_pipe);
3141 if (!NT_STATUS_IS_OK(status)) {
3142 DEBUG(10,("net_scan_dc: failed to open dssetup pipe with %s, "
3143diff --git a/source3/utils/netlookup.c b/source3/utils/netlookup.c
3144index b66c34e..56d3bfe 100644
3145--- a/source3/utils/netlookup.c
3146+++ b/source3/utils/netlookup.c
3147@@ -122,7 +122,7 @@ static struct con_struct *create_cs(struct net_context *c,
3148 }
3149
3150 nt_status = cli_rpc_pipe_open_noauth(cs->cli,
3151- &ndr_table_lsarpc.syntax_id,
3152+ &ndr_table_lsarpc,
3153 &cs->lsapipe);
3154
3155 if (!NT_STATUS_IS_OK(nt_status)) {
3156diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
3157index 23a1192..f092839 100644
3158--- a/source3/utils/smbcacls.c
3159+++ b/source3/utils/smbcacls.c
3160@@ -96,7 +96,7 @@ static NTSTATUS cli_lsa_lookup_sid(struct cli_state *cli,
3161 goto tcon_fail;
3162 }
3163
3164- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
3165+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
3166 &p);
3167 if (!NT_STATUS_IS_OK(status)) {
3168 goto fail;
3169@@ -146,7 +146,7 @@ static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli,
3170 goto tcon_fail;
3171 }
3172
3173- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
3174+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
3175 &p);
3176 if (!NT_STATUS_IS_OK(status)) {
3177 goto fail;
3178@@ -187,14 +187,13 @@ static NTSTATUS cli_lsa_lookup_domain_sid(struct cli_state *cli,
3179 struct policy_handle handle;
3180 NTSTATUS status, result;
3181 TALLOC_CTX *frame = talloc_stackframe();
3182- const struct ndr_syntax_id *lsarpc_syntax = &ndr_table_lsarpc.syntax_id;
3183
3184 status = cli_tree_connect(cli, "IPC$", "?????", "", 0);
3185 if (!NT_STATUS_IS_OK(status)) {
3186 goto done;
3187 }
3188
3189- status = cli_rpc_pipe_open_noauth(cli, lsarpc_syntax, &rpc_pipe);
3190+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc, &rpc_pipe);
3191 if (!NT_STATUS_IS_OK(status)) {
3192 goto tdis;
3193 }
3194diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
3195index bf1f95c..2791b93 100644
3196--- a/source3/utils/smbcquotas.c
3197+++ b/source3/utils/smbcquotas.c
3198@@ -58,7 +58,7 @@ static bool cli_open_policy_hnd(void)
3199 NTSTATUS ret;
3200 cli_ipc = connect_one("IPC$");
3201 ret = cli_rpc_pipe_open_noauth(cli_ipc,
3202- &ndr_table_lsarpc.syntax_id,
3203+ &ndr_table_lsarpc,
3204 &global_pipe_hnd);
3205 if (!NT_STATUS_IS_OK(ret)) {
3206 return False;
3207diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c
3208index 40b1f09..5c07b12 100644
3209--- a/source3/utils/smbtree.c
3210+++ b/source3/utils/smbtree.c
3211@@ -177,7 +177,7 @@ static bool get_rpc_shares(struct cli_state *cli,
3212 return False;
3213 }
3214
3215- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
3216+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
3217 &pipe_hnd);
3218
3219 if (!NT_STATUS_IS_OK(status)) {
3220diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
3221index f17fc68..facef64 100644
3222--- a/source3/winbindd/winbindd_cm.c
3223+++ b/source3/winbindd/winbindd_cm.c
3224@@ -2078,7 +2078,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
3225 DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
3226
3227 status = cli_rpc_pipe_open_noauth(domain->conn.cli,
3228- &ndr_table_dssetup.syntax_id,
3229+ &ndr_table_dssetup,
3230 &cli);
3231
3232 if (!NT_STATUS_IS_OK(status)) {
3233@@ -2129,7 +2129,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
3234
3235 no_dssetup:
3236 status = cli_rpc_pipe_open_noauth(domain->conn.cli,
3237- &ndr_table_lsarpc.syntax_id, &cli);
3238+ &ndr_table_lsarpc, &cli);
3239
3240 if (!NT_STATUS_IS_OK(status)) {
3241 DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
3242@@ -2447,7 +2447,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
3243 anonymous:
3244
3245 /* Finally fall back to anonymous. */
3246- status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
3247+ status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
3248 &conn->samr_pipe);
3249
3250 if (!NT_STATUS_IS_OK(status)) {
3251@@ -2674,7 +2674,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
3252 anonymous:
3253
3254 result = cli_rpc_pipe_open_noauth(conn->cli,
3255- &ndr_table_lsarpc.syntax_id,
3256+ &ndr_table_lsarpc,
3257 &conn->lsa_pipe);
3258 if (!NT_STATUS_IS_OK(result)) {
3259 result = NT_STATUS_PIPE_NOT_AVAILABLE;
3260@@ -2765,7 +2765,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
3261 TALLOC_FREE(conn->netlogon_pipe);
3262
3263 result = cli_rpc_pipe_open_noauth(conn->cli,
3264- &ndr_table_netlogon.syntax_id,
3265+ &ndr_table_netlogon,
3266 &netlogon_pipe);
3267 if (!NT_STATUS_IS_OK(result)) {
3268 return result;
3269--
32701.9.3
3271
3272
3273From fce35e003f655b3564ee4df5ebfe7f3e6ff6d188 Mon Sep 17 00:00:00 2001
3274From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3275Date: Fri, 24 May 2013 13:33:03 +0200
3276Subject: [PATCH 027/249] s3-rpc_cli: pass down ndr_interface_table to
3277 cli_rpc_pipe_open_noauth_transport().
3278MIME-Version: 1.0
3279Content-Type: text/plain; charset=UTF-8
3280Content-Transfer-Encoding: 8bit
3281
3282Guenther
3283
3284Signed-off-by: Günther Deschner <gd@samba.org>
3285Reviewed-by: Stefan Metzmacher <metze@samba.org>
3286Reviewed-by: Andreas Schneider <asn@samba.org>
3287(cherry picked from commit 9aa99c3cfb0ff7a290dd4df472a4ff30d0efcb76)
3288---
3289 source3/rpc_client/cli_pipe.c | 13 +++++++------
3290 source3/rpc_client/cli_pipe.h | 2 +-
3291 source3/rpcclient/rpcclient.c | 2 +-
3292 3 files changed, 9 insertions(+), 8 deletions(-)
3293
3294diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
3295index 1137abd..4523ab7 100644
3296--- a/source3/rpc_client/cli_pipe.c
3297+++ b/source3/rpc_client/cli_pipe.c
3298@@ -2865,14 +2865,14 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
3299
3300 NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
3301 enum dcerpc_transport_t transport,
3302- const struct ndr_syntax_id *interface,
3303+ const struct ndr_interface_table *table,
3304 struct rpc_pipe_client **presult)
3305 {
3306 struct rpc_pipe_client *result;
3307 struct pipe_auth_data *auth;
3308 NTSTATUS status;
3309
3310- status = cli_rpc_pipe_open(cli, transport, interface, &result);
3311+ status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
3312 if (!NT_STATUS_IS_OK(status)) {
3313 return status;
3314 }
3315@@ -2921,7 +2921,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
3316 status = rpc_pipe_bind(result, auth);
3317 if (!NT_STATUS_IS_OK(status)) {
3318 int lvl = 0;
3319- if (ndr_syntax_id_equal(interface,
3320+ if (ndr_syntax_id_equal(&table->syntax_id,
3321 &ndr_table_dssetup.syntax_id)) {
3322 /* non AD domains just don't have this pipe, avoid
3323 * level 0 statement in that case - gd */
3324@@ -2929,7 +2929,8 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
3325 }
3326 DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
3327 "%s failed with error %s\n",
3328- get_pipe_name_from_syntax(talloc_tos(), interface),
3329+ get_pipe_name_from_syntax(talloc_tos(),
3330+ &table->syntax_id),
3331 nt_errstr(status) ));
3332 TALLOC_FREE(result);
3333 return status;
3334@@ -2937,7 +2938,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
3335
3336 DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
3337 "%s and bound anonymously.\n",
3338- get_pipe_name_from_syntax(talloc_tos(), interface),
3339+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
3340 result->desthost));
3341
3342 *presult = result;
3343@@ -2952,7 +2953,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
3344 struct rpc_pipe_client **presult)
3345 {
3346 return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
3347- &table->syntax_id, presult);
3348+ table, presult);
3349 }
3350
3351 /****************************************************************************
3352diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
3353index 9aae61a..f37f8a9 100644
3354--- a/source3/rpc_client/cli_pipe.h
3355+++ b/source3/rpc_client/cli_pipe.h
3356@@ -82,7 +82,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
3357
3358 NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
3359 enum dcerpc_transport_t transport,
3360- const struct ndr_syntax_id *interface,
3361+ const struct ndr_interface_table *table,
3362 struct rpc_pipe_client **presult);
3363
3364 NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
3365diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
3366index e3b35bb..c23ff2d 100644
3367--- a/source3/rpcclient/rpcclient.c
3368+++ b/source3/rpcclient/rpcclient.c
3369@@ -690,7 +690,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
3370 case DCERPC_AUTH_TYPE_NONE:
3371 ntresult = cli_rpc_pipe_open_noauth_transport(
3372 cli, default_transport,
3373- &cmd_entry->table->syntax_id,
3374+ cmd_entry->table,
3375 &cmd_entry->rpc_pipe);
3376 break;
3377 case DCERPC_AUTH_TYPE_SPNEGO:
3378--
33791.9.3
3380
3381
3382From 0d85042853b635486912688102253b2f358b5056 Mon Sep 17 00:00:00 2001
3383From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3384Date: Fri, 24 May 2013 13:38:01 +0200
3385Subject: [PATCH 028/249] s3-rpc_cli: pass down ndr_interface_table to
3386 cli_rpc_pipe_open().
3387MIME-Version: 1.0
3388Content-Type: text/plain; charset=UTF-8
3389Content-Transfer-Encoding: 8bit
3390
3391Guenther
3392
3393Signed-off-by: Günther Deschner <gd@samba.org>
3394Reviewed-by: Stefan Metzmacher <metze@samba.org>
3395Reviewed-by: Andreas Schneider <asn@samba.org>
3396(cherry picked from commit 34cc4b409558f229fba24f59e81ef9100a851d24)
3397---
3398 source3/rpc_client/cli_pipe.c | 14 +++++++-------
3399 1 file changed, 7 insertions(+), 7 deletions(-)
3400
3401diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
3402index 4523ab7..4dc7345 100644
3403--- a/source3/rpc_client/cli_pipe.c
3404+++ b/source3/rpc_client/cli_pipe.c
3405@@ -2843,7 +2843,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
3406
3407 static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
3408 enum dcerpc_transport_t transport,
3409- const struct ndr_syntax_id *interface,
3410+ const struct ndr_interface_table *table,
3411 struct rpc_pipe_client **presult)
3412 {
3413 switch (transport) {
3414@@ -2851,9 +2851,9 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
3415 return rpc_pipe_open_tcp(NULL,
3416 smbXcli_conn_remote_name(cli->conn),
3417 smbXcli_conn_remote_sockaddr(cli->conn),
3418- interface, presult);
3419+ &table->syntax_id, presult);
3420 case NCACN_NP:
3421- return rpc_pipe_open_np(cli, interface, presult);
3422+ return rpc_pipe_open_np(cli, &table->syntax_id, presult);
3423 default:
3424 return NT_STATUS_NOT_IMPLEMENTED;
3425 }
3426@@ -2872,7 +2872,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
3427 struct pipe_auth_data *auth;
3428 NTSTATUS status;
3429
3430- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
3431+ status = cli_rpc_pipe_open(cli, transport, table, &result);
3432 if (!NT_STATUS_IS_OK(status)) {
3433 return status;
3434 }
3435@@ -2977,7 +2977,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
3436
3437 NTSTATUS status;
3438
3439- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
3440+ status = cli_rpc_pipe_open(cli, transport, table, &result);
3441 if (!NT_STATUS_IS_OK(status)) {
3442 return status;
3443 }
3444@@ -3034,7 +3034,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
3445 struct pipe_auth_data *auth;
3446 NTSTATUS status;
3447
3448- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
3449+ status = cli_rpc_pipe_open(cli, transport, table, &result);
3450 if (!NT_STATUS_IS_OK(status)) {
3451 return status;
3452 }
3453@@ -3104,7 +3104,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
3454 return NT_STATUS_INVALID_PARAMETER;
3455 }
3456
3457- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
3458+ status = cli_rpc_pipe_open(cli, transport, table, &result);
3459 if (!NT_STATUS_IS_OK(status)) {
3460 return status;
3461 }
3462--
34631.9.3
3464
3465
3466From d5e312185a7adc8429f8caba29a9808ab7954a27 Mon Sep 17 00:00:00 2001
3467From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3468Date: Fri, 24 May 2013 13:40:45 +0200
3469Subject: [PATCH 029/249] s3-rpc_cli: pass down ndr_interface_table to
3470 rpc_pipe_open_np().
3471MIME-Version: 1.0
3472Content-Type: text/plain; charset=UTF-8
3473Content-Transfer-Encoding: 8bit
3474
3475Guenther
3476
3477Signed-off-by: Günther Deschner <gd@samba.org>
3478Reviewed-by: Stefan Metzmacher <metze@samba.org>
3479Reviewed-by: Andreas Schneider <asn@samba.org>
3480(cherry picked from commit 8cd3a060514ddcc178c938100edfb0b177c00c8c)
3481---
3482 source3/rpc_client/cli_pipe.c | 8 ++++----
3483 1 file changed, 4 insertions(+), 4 deletions(-)
3484
3485diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
3486index 4dc7345..0347d76 100644
3487--- a/source3/rpc_client/cli_pipe.c
3488+++ b/source3/rpc_client/cli_pipe.c
3489@@ -2775,7 +2775,7 @@ static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_r
3490 ****************************************************************************/
3491
3492 static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
3493- const struct ndr_syntax_id *abstract_syntax,
3494+ const struct ndr_interface_table *table,
3495 struct rpc_pipe_client **presult)
3496 {
3497 struct rpc_pipe_client *result;
3498@@ -2793,7 +2793,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
3499 return NT_STATUS_NO_MEMORY;
3500 }
3501
3502- result->abstract_syntax = *abstract_syntax;
3503+ result->abstract_syntax = table->syntax_id;
3504 result->transfer_syntax = ndr_transfer_syntax_ndr;
3505 result->desthost = talloc_strdup(result, smbXcli_conn_remote_name(cli->conn));
3506 result->srv_name_slash = talloc_asprintf_strupper_m(
3507@@ -2807,7 +2807,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
3508 return NT_STATUS_NO_MEMORY;
3509 }
3510
3511- status = rpc_transport_np_init(result, cli, abstract_syntax,
3512+ status = rpc_transport_np_init(result, cli, &table->syntax_id,
3513 &result->transport);
3514 if (!NT_STATUS_IS_OK(status)) {
3515 TALLOC_FREE(result);
3516@@ -2853,7 +2853,7 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
3517 smbXcli_conn_remote_sockaddr(cli->conn),
3518 &table->syntax_id, presult);
3519 case NCACN_NP:
3520- return rpc_pipe_open_np(cli, &table->syntax_id, presult);
3521+ return rpc_pipe_open_np(cli, table, presult);
3522 default:
3523 return NT_STATUS_NOT_IMPLEMENTED;
3524 }
3525--
35261.9.3
3527
3528
3529From f1fa7838cb933fd0d390a56d823272f8528eb63c Mon Sep 17 00:00:00 2001
3530From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3531Date: Fri, 24 May 2013 13:44:00 +0200
3532Subject: [PATCH 030/249] s3-rpc_cli: pass down ndr_interface_table to
3533 rpc_pipe_open_tcp().
3534MIME-Version: 1.0
3535Content-Type: text/plain; charset=UTF-8
3536Content-Transfer-Encoding: 8bit
3537
3538Guenther
3539
3540Signed-off-by: Günther Deschner <gd@samba.org>
3541Reviewed-by: Stefan Metzmacher <metze@samba.org>
3542Reviewed-by: Andreas Schneider <asn@samba.org>
3543(cherry picked from commit 5c5cff0a722a0925ae75ea7aa11ede0d82d5b92d)
3544---
3545 source3/rpc_client/cli_pipe.c | 8 ++++----
3546 source3/rpc_client/cli_pipe.h | 2 +-
3547 source3/torture/rpc_open_tcp.c | 2 +-
3548 3 files changed, 6 insertions(+), 6 deletions(-)
3549
3550diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
3551index 0347d76..46adf69 100644
3552--- a/source3/rpc_client/cli_pipe.c
3553+++ b/source3/rpc_client/cli_pipe.c
3554@@ -2663,19 +2663,19 @@ done:
3555 */
3556 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
3557 const struct sockaddr_storage *addr,
3558- const struct ndr_syntax_id *abstract_syntax,
3559+ const struct ndr_interface_table *table,
3560 struct rpc_pipe_client **presult)
3561 {
3562 NTSTATUS status;
3563 uint16_t port = 0;
3564
3565- status = rpc_pipe_get_tcp_port(host, addr, abstract_syntax, &port);
3566+ status = rpc_pipe_get_tcp_port(host, addr, &table->syntax_id, &port);
3567 if (!NT_STATUS_IS_OK(status)) {
3568 return status;
3569 }
3570
3571 return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
3572- abstract_syntax, presult);
3573+ &table->syntax_id, presult);
3574 }
3575
3576 /********************************************************************
3577@@ -2851,7 +2851,7 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
3578 return rpc_pipe_open_tcp(NULL,
3579 smbXcli_conn_remote_name(cli->conn),
3580 smbXcli_conn_remote_sockaddr(cli->conn),
3581- &table->syntax_id, presult);
3582+ table, presult);
3583 case NCACN_NP:
3584 return rpc_pipe_open_np(cli, table, presult);
3585 default:
3586diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
3587index f37f8a9..6fcc587 100644
3588--- a/source3/rpc_client/cli_pipe.h
3589+++ b/source3/rpc_client/cli_pipe.h
3590@@ -67,7 +67,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
3591 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
3592 const char *host,
3593 const struct sockaddr_storage *ss_addr,
3594- const struct ndr_syntax_id *abstract_syntax,
3595+ const struct ndr_interface_table *table,
3596 struct rpc_pipe_client **presult);
3597
3598 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
3599diff --git a/source3/torture/rpc_open_tcp.c b/source3/torture/rpc_open_tcp.c
3600index d29f4cf..cd27b5f 100644
3601--- a/source3/torture/rpc_open_tcp.c
3602+++ b/source3/torture/rpc_open_tcp.c
3603@@ -95,7 +95,7 @@ int main(int argc, const char **argv)
3604 }
3605
3606 status = rpc_pipe_open_tcp(mem_ctx, argv[2], NULL,
3607- &((*table)->syntax_id),
3608+ *table,
3609 &rpc_pipe);
3610 if (!NT_STATUS_IS_OK(status)) {
3611 d_printf("ERROR calling rpc_pipe_open_tcp(): %s\n",
3612--
36131.9.3
3614
3615
3616From 67c01c15af1bbb98916e75f7cad61edcc13c2e2f Mon Sep 17 00:00:00 2001
3617From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3618Date: Fri, 24 May 2013 13:46:07 +0200
3619Subject: [PATCH 031/249] s3-rpc_cli: pass down ndr_interface_table to
3620 rpc_pipe_get_tcp_port().
3621MIME-Version: 1.0
3622Content-Type: text/plain; charset=UTF-8
3623Content-Transfer-Encoding: 8bit
3624
3625Guenther
3626
3627Signed-off-by: Günther Deschner <gd@samba.org>
3628Reviewed-by: Stefan Metzmacher <metze@samba.org>
3629Reviewed-by: Andreas Schneider <asn@samba.org>
3630(cherry picked from commit 0ff8c2d508949f732716e24047694cecf38597df)
3631---
3632 source3/rpc_client/cli_pipe.c | 10 +++++-----
3633 1 file changed, 5 insertions(+), 5 deletions(-)
3634
3635diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
3636index 46adf69..15e77db 100644
3637--- a/source3/rpc_client/cli_pipe.c
3638+++ b/source3/rpc_client/cli_pipe.c
3639@@ -2518,7 +2518,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
3640 */
3641 static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
3642 const struct sockaddr_storage *addr,
3643- const struct ndr_syntax_id *abstract_syntax,
3644+ const struct ndr_interface_table *table,
3645 uint16_t *pport)
3646 {
3647 NTSTATUS status;
3648@@ -2541,7 +2541,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
3649 goto done;
3650 }
3651
3652- if (ndr_syntax_id_equal(abstract_syntax,
3653+ if (ndr_syntax_id_equal(&table->syntax_id,
3654 &ndr_table_epmapper.syntax_id)) {
3655 *pport = 135;
3656 return NT_STATUS_OK;
3657@@ -2576,7 +2576,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
3658 }
3659
3660 map_binding->transport = NCACN_IP_TCP;
3661- map_binding->object = *abstract_syntax;
3662+ map_binding->object = table->syntax_id;
3663 map_binding->host = host; /* needed? */
3664 map_binding->endpoint = "0"; /* correct? needed? */
3665
3666@@ -2612,7 +2612,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
3667 status = dcerpc_epm_Map(epm_handle,
3668 tmp_ctx,
3669 discard_const_p(struct GUID,
3670- &(abstract_syntax->uuid)),
3671+ &(table->syntax_id.uuid)),
3672 map_tower,
3673 entry_handle,
3674 max_towers,
3675@@ -2669,7 +2669,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
3676 NTSTATUS status;
3677 uint16_t port = 0;
3678
3679- status = rpc_pipe_get_tcp_port(host, addr, &table->syntax_id, &port);
3680+ status = rpc_pipe_get_tcp_port(host, addr, table, &port);
3681 if (!NT_STATUS_IS_OK(status)) {
3682 return status;
3683 }
3684--
36851.9.3
3686
3687
3688From a032ff8c89e479792947af4315ed6eb59a69f8f5 Mon Sep 17 00:00:00 2001
3689From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3690Date: Fri, 24 May 2013 13:47:16 +0200
3691Subject: [PATCH 032/249] s3-rpc_cli: pass down ndr_interface_table to
3692 rpc_pipe_open_tcp_port().
3693MIME-Version: 1.0
3694Content-Type: text/plain; charset=UTF-8
3695Content-Transfer-Encoding: 8bit
3696
3697Guenther
3698
3699Signed-off-by: Günther Deschner <gd@samba.org>
3700Reviewed-by: Stefan Metzmacher <metze@samba.org>
3701Reviewed-by: Andreas Schneider <asn@samba.org>
3702(cherry picked from commit 7bdcfcb37c5b96ee6aa0cecffd89c6d17291fe62)
3703---
3704 source3/rpc_client/cli_pipe.c | 8 ++++----
3705 1 file changed, 4 insertions(+), 4 deletions(-)
3706
3707diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
3708index 15e77db..1b2955f 100644
3709--- a/source3/rpc_client/cli_pipe.c
3710+++ b/source3/rpc_client/cli_pipe.c
3711@@ -2447,7 +2447,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
3712 static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
3713 const struct sockaddr_storage *ss_addr,
3714 uint16_t port,
3715- const struct ndr_syntax_id *abstract_syntax,
3716+ const struct ndr_interface_table *table,
3717 struct rpc_pipe_client **presult)
3718 {
3719 struct rpc_pipe_client *result;
3720@@ -2460,7 +2460,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
3721 return NT_STATUS_NO_MEMORY;
3722 }
3723
3724- result->abstract_syntax = *abstract_syntax;
3725+ result->abstract_syntax = table->syntax_id;
3726 result->transfer_syntax = ndr_transfer_syntax_ndr;
3727
3728 result->desthost = talloc_strdup(result, host);
3729@@ -2549,7 +2549,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
3730
3731 /* open the connection to the endpoint mapper */
3732 status = rpc_pipe_open_tcp_port(tmp_ctx, host, addr, 135,
3733- &ndr_table_epmapper.syntax_id,
3734+ &ndr_table_epmapper,
3735 &epm_pipe);
3736
3737 if (!NT_STATUS_IS_OK(status)) {
3738@@ -2675,7 +2675,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
3739 }
3740
3741 return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
3742- &table->syntax_id, presult);
3743+ table, presult);
3744 }
3745
3746 /********************************************************************
3747--
37481.9.3
3749
3750
3751From 0b4ae5ec146e35c364f01c033d6c22efb99b7314 Mon Sep 17 00:00:00 2001
3752From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3753Date: Fri, 24 May 2013 13:52:05 +0200
3754Subject: [PATCH 033/249] s3-rpc_cli: pass down ndr_interface_table to
3755 rpc_transport_np_init().
3756MIME-Version: 1.0
3757Content-Type: text/plain; charset=UTF-8
3758Content-Transfer-Encoding: 8bit
3759
3760Guenther
3761
3762Signed-off-by: Günther Deschner <gd@samba.org>
3763Reviewed-by: Stefan Metzmacher <metze@samba.org>
3764Reviewed-by: Andreas Schneider <asn@samba.org>
3765(cherry picked from commit c41b6e5c5e7fcdbd98c1eb2bea08378b47d343d4)
3766---
3767 source3/rpc_client/cli_pipe.c | 2 +-
3768 source3/rpc_client/rpc_transport.h | 2 +-
3769 source3/rpc_client/rpc_transport_np.c | 4 ++--
3770 3 files changed, 4 insertions(+), 4 deletions(-)
3771
3772diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
3773index 1b2955f..1fa8d91 100644
3774--- a/source3/rpc_client/cli_pipe.c
3775+++ b/source3/rpc_client/cli_pipe.c
3776@@ -2807,7 +2807,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
3777 return NT_STATUS_NO_MEMORY;
3778 }
3779
3780- status = rpc_transport_np_init(result, cli, &table->syntax_id,
3781+ status = rpc_transport_np_init(result, cli, table,
3782 &result->transport);
3783 if (!NT_STATUS_IS_OK(status)) {
3784 TALLOC_FREE(result);
3785diff --git a/source3/rpc_client/rpc_transport.h b/source3/rpc_client/rpc_transport.h
3786index bc115dd..2b4a323 100644
3787--- a/source3/rpc_client/rpc_transport.h
3788+++ b/source3/rpc_client/rpc_transport.h
3789@@ -89,7 +89,7 @@ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
3790 TALLOC_CTX *mem_ctx,
3791 struct rpc_cli_transport **presult);
3792 NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
3793- const struct ndr_syntax_id *abstract_syntax,
3794+ const struct ndr_interface_table *table,
3795 struct rpc_cli_transport **presult);
3796
3797 /* The following definitions come from rpc_client/rpc_transport_sock.c */
3798diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
3799index f0696ad..7bd1ca3 100644
3800--- a/source3/rpc_client/rpc_transport_np.c
3801+++ b/source3/rpc_client/rpc_transport_np.c
3802@@ -152,7 +152,7 @@ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
3803 }
3804
3805 NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
3806- const struct ndr_syntax_id *abstract_syntax,
3807+ const struct ndr_interface_table *table,
3808 struct rpc_cli_transport **presult)
3809 {
3810 TALLOC_CTX *frame = talloc_stackframe();
3811@@ -166,7 +166,7 @@ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
3812 goto fail;
3813 }
3814
3815- req = rpc_transport_np_init_send(frame, ev, cli, abstract_syntax);
3816+ req = rpc_transport_np_init_send(frame, ev, cli, &table->syntax_id);
3817 if (req == NULL) {
3818 status = NT_STATUS_NO_MEMORY;
3819 goto fail;
3820--
38211.9.3
3822
3823
3824From 739d05d91f23c4c6e17078c84192f30911cbdfcd Mon Sep 17 00:00:00 2001
3825From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3826Date: Fri, 24 May 2013 13:56:53 +0200
3827Subject: [PATCH 034/249] s3-rpc_cli: pass down ndr_interface_table to
3828 rpc_transport_np_init_send().
3829MIME-Version: 1.0
3830Content-Type: text/plain; charset=UTF-8
3831Content-Transfer-Encoding: 8bit
3832
3833Guenther
3834
3835Signed-off-by: Günther Deschner <gd@samba.org>
3836Reviewed-by: Stefan Metzmacher <metze@samba.org>
3837Reviewed-by: Andreas Schneider <asn@samba.org>
3838(cherry picked from commit b19e7e6638a5dd53e3c6e6701f78bf31184ed493)
3839---
3840 source3/rpc_client/rpc_transport.h | 2 +-
3841 source3/rpc_client/rpc_transport_np.c | 6 +++---
3842 2 files changed, 4 insertions(+), 4 deletions(-)
3843
3844diff --git a/source3/rpc_client/rpc_transport.h b/source3/rpc_client/rpc_transport.h
3845index 2b4a323..72e7609 100644
3846--- a/source3/rpc_client/rpc_transport.h
3847+++ b/source3/rpc_client/rpc_transport.h
3848@@ -84,7 +84,7 @@ struct cli_state;
3849 struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
3850 struct tevent_context *ev,
3851 struct cli_state *cli,
3852- const struct ndr_syntax_id *abstract_syntax);
3853+ const struct ndr_interface_table *table);
3854 NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
3855 TALLOC_CTX *mem_ctx,
3856 struct rpc_cli_transport **presult);
3857diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
3858index 7bd1ca3..c0f313e 100644
3859--- a/source3/rpc_client/rpc_transport_np.c
3860+++ b/source3/rpc_client/rpc_transport_np.c
3861@@ -40,7 +40,7 @@ static void rpc_transport_np_init_pipe_open(struct tevent_req *subreq);
3862 struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
3863 struct tevent_context *ev,
3864 struct cli_state *cli,
3865- const struct ndr_syntax_id *abstract_syntax)
3866+ const struct ndr_interface_table *table)
3867 {
3868 struct tevent_req *req;
3869 struct rpc_transport_np_init_state *state;
3870@@ -55,7 +55,7 @@ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
3871 state->ev = ev;
3872 state->cli = cli;
3873 state->abs_timeout = timeval_current_ofs_msec(cli->timeout);
3874- state->pipe_name = get_pipe_name_from_syntax(state, abstract_syntax);
3875+ state->pipe_name = get_pipe_name_from_syntax(state, &table->syntax_id);
3876 if (tevent_req_nomem(state->pipe_name, req)) {
3877 return tevent_req_post(req, ev);
3878 }
3879@@ -166,7 +166,7 @@ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
3880 goto fail;
3881 }
3882
3883- req = rpc_transport_np_init_send(frame, ev, cli, &table->syntax_id);
3884+ req = rpc_transport_np_init_send(frame, ev, cli, table);
3885 if (req == NULL) {
3886 status = NT_STATUS_NO_MEMORY;
3887 goto fail;
3888--
38891.9.3
3890
3891
3892From c5529ee9045c44114ab1716b05d3408baa1b4e42 Mon Sep 17 00:00:00 2001
3893From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3894Date: Wed, 24 Sep 2008 11:04:42 +0200
3895Subject: [PATCH 035/249] s3: libnet_join: add admin_domain.
3896MIME-Version: 1.0
3897Content-Type: text/plain; charset=UTF-8
3898Content-Transfer-Encoding: 8bit
3899
3900Guenther
3901
3902Signed-off-by: Günther Deschner <gd@samba.org>
3903Reviewed-by: Stefan Metzmacher <metze@samba.org>
3904Reviewed-by: Andreas Schneider <asn@samba.org>
3905(cherry picked from commit c11a79c5a054e862f61c97093fa2ce5e5040f111)
3906---
3907 source3/librpc/idl/libnet_join.idl | 2 ++
3908 1 file changed, 2 insertions(+)
3909
3910diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
3911index 4f28bb6..ac0a350 100644
3912--- a/source3/librpc/idl/libnet_join.idl
3913+++ b/source3/librpc/idl/libnet_join.idl
3914@@ -21,6 +21,7 @@ interface libnetjoin
3915 [in,ref] string *domain_name,
3916 [in] string account_ou,
3917 [in] string admin_account,
3918+ [in] string admin_domain,
3919 [in,noprint] string admin_password,
3920 [in] string machine_password,
3921 [in] wkssvc_joinflags join_flags,
3922@@ -51,6 +52,7 @@ interface libnetjoin
3923 [in] string domain_name,
3924 [in] string account_ou,
3925 [in] string admin_account,
3926+ [in] string admin_domain,
3927 [in,noprint] string admin_password,
3928 [in] string machine_password,
3929 [in] wkssvc_joinflags unjoin_flags,
3930--
39311.9.3
3932
3933
3934From a0d8f42ac44d279ae7bc599792cd1d564925dcbf Mon Sep 17 00:00:00 2001
3935From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3936Date: Wed, 24 Sep 2008 11:05:37 +0200
3937Subject: [PATCH 036/249] s3: libnet_join: use admin_domain in libnetjoin.
3938MIME-Version: 1.0
3939Content-Type: text/plain; charset=UTF-8
3940Content-Transfer-Encoding: 8bit
3941
3942Guenther
3943
3944Signed-off-by: Günther Deschner <gd@samba.org>
3945Reviewed-by: Stefan Metzmacher <metze@samba.org>
3946Reviewed-by: Andreas Schneider <asn@samba.org>
3947(cherry picked from commit cc0cbd4fdc6e07538d67cc41ca07bad1eaebf493)
3948---
3949 source3/libnet/libnet_join.c | 27 ++++++++++++++++++++++++++-
3950 1 file changed, 26 insertions(+), 1 deletion(-)
3951
3952diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
3953index 324c8f3..2253079 100644
3954--- a/source3/libnet/libnet_join.c
3955+++ b/source3/libnet/libnet_join.c
3956@@ -701,6 +701,7 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
3957
3958 static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
3959 const char *user,
3960+ const char *domain,
3961 const char *pass,
3962 bool use_kerberos,
3963 struct cli_state **cli)
3964@@ -720,7 +721,7 @@ static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
3965 NULL, 0,
3966 "IPC$", "IPC",
3967 user,
3968- NULL,
3969+ domain,
3970 pass,
3971 flags,
3972 SMB_SIGNING_DEFAULT);
3973@@ -742,6 +743,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
3974
3975 status = libnet_join_connect_dc_ipc(r->in.dc_name,
3976 r->in.admin_account,
3977+ r->in.admin_domain,
3978 r->in.admin_password,
3979 r->in.use_kerberos,
3980 cli);
3981@@ -1368,6 +1370,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
3982
3983 status = libnet_join_connect_dc_ipc(r->in.dc_name,
3984 r->in.admin_account,
3985+ r->in.admin_domain,
3986 r->in.admin_password,
3987 r->in.use_kerberos,
3988 &cli);
3989@@ -1755,6 +1758,17 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
3990 return WERR_SETUP_DOMAIN_CONTROLLER;
3991 }
3992
3993+ if (!r->in.admin_domain) {
3994+ char *admin_domain = NULL;
3995+ char *admin_account = NULL;
3996+ split_domain_user(mem_ctx,
3997+ r->in.admin_account,
3998+ &admin_domain,
3999+ &admin_account);
4000+ r->in.admin_domain = admin_domain;
4001+ r->in.admin_account = admin_account;
4002+ }
4003+
4004 if (!secrets_init()) {
4005 libnet_join_set_error_string(mem_ctx, r,
4006 "Unable to open secrets database");
4007@@ -2316,6 +2330,17 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
4008 return WERR_SETUP_DOMAIN_CONTROLLER;
4009 }
4010
4011+ if (!r->in.admin_domain) {
4012+ char *admin_domain = NULL;
4013+ char *admin_account = NULL;
4014+ split_domain_user(mem_ctx,
4015+ r->in.admin_account,
4016+ &admin_domain,
4017+ &admin_account);
4018+ r->in.admin_domain = admin_domain;
4019+ r->in.admin_account = admin_account;
4020+ }
4021+
4022 if (!secrets_init()) {
4023 libnet_unjoin_set_error_string(mem_ctx, r,
4024 "Unable to open secrets database");
4025--
40261.9.3
4027
4028
4029From 46f8496292a12b7acdd045d126b61fa9d8afee74 Mon Sep 17 00:00:00 2001
4030From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
4031Date: Thu, 6 Nov 2008 11:40:03 +0100
4032Subject: [PATCH 037/249] s3-libnetjoin: add machine_name length check.
4033MIME-Version: 1.0
4034Content-Type: text/plain; charset=UTF-8
4035Content-Transfer-Encoding: 8bit
4036
4037Guenther
4038
4039Signed-off-by: Günther Deschner <gd@samba.org>
4040Reviewed-by: Stefan Metzmacher <metze@samba.org>
4041Reviewed-by: Andreas Schneider <asn@samba.org>
4042(cherry picked from commit c4d6d75cf48aed7b17728e283581366143fa4233)
4043---
4044 source3/libnet/libnet_join.c | 9 +++++++++
4045 1 file changed, 9 insertions(+)
4046
4047diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
4048index 2253079..b731d9b 100644
4049--- a/source3/libnet/libnet_join.c
4050+++ b/source3/libnet/libnet_join.c
4051@@ -1746,6 +1746,15 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
4052 return WERR_INVALID_PARAM;
4053 }
4054
4055+ if (strlen(r->in.machine_name) > 15) {
4056+ libnet_join_set_error_string(mem_ctx, r,
4057+ "Our netbios name can be at most 15 chars long, "
4058+ "\"%s\" is %u chars long\n",
4059+ r->in.machine_name,
4060+ (unsigned int)strlen(r->in.machine_name));
4061+ return WERR_INVALID_PARAM;
4062+ }
4063+
4064 if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
4065 &r->in.domain_name,
4066 &r->in.dc_name)) {
4067--
40681.9.3
4069
4070
4071From a60cf7ddd4e2d41d92cdd35ab05f2d6a30b055c9 Mon Sep 17 00:00:00 2001
4072From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
4073Date: Thu, 6 Nov 2008 13:37:45 +0100
4074Subject: [PATCH 038/249] s3-libnetjoin: move "net rpc oldjoin" to use
4075 libnetjoin.
4076MIME-Version: 1.0
4077Content-Type: text/plain; charset=UTF-8
4078Content-Transfer-Encoding: 8bit
4079
4080Guenther
4081
4082Signed-off-by: Günther Deschner <gd@samba.org>
4083Reviewed-by: Stefan Metzmacher <metze@samba.org>
4084Reviewed-by: Andreas Schneider <asn@samba.org>
4085(cherry picked from commit d398a12f7907866189c1b253ca6a40e5454f42a1)
4086---
4087 source3/utils/net_rpc.c | 182 ++++++++++++++++++++++--------------------------
4088 1 file changed, 84 insertions(+), 98 deletions(-)
4089
4090diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
4091index 69ff14d..720e9d2 100644
4092--- a/source3/utils/net_rpc.c
4093+++ b/source3/utils/net_rpc.c
4094@@ -37,6 +37,8 @@
4095 #include "secrets.h"
4096 #include "lib/netapi/netapi.h"
4097 #include "lib/netapi/netapi_net.h"
4098+#include "librpc/gen_ndr/libnet_join.h"
4099+#include "libnet/libnet_join.h"
4100 #include "rpc_client/init_lsa.h"
4101 #include "../libcli/security/security.h"
4102 #include "libsmb/libsmb.h"
4103@@ -314,48 +316,46 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
4104 }
4105
4106 /**
4107- * Join a domain, the old way.
4108+ * Join a domain, the old way. This function exists to allow
4109+ * the message to be displayed when oldjoin was explicitly
4110+ * requested, but not when it was implied by "net rpc join".
4111 *
4112 * This uses 'machinename' as the inital password, and changes it.
4113 *
4114 * The password should be created with 'server manager' or equiv first.
4115 *
4116- * All parameters are provided by the run_rpc_command function, except for
4117- * argc, argv which are passed through.
4118- *
4119- * @param domain_sid The domain sid acquired from the remote server.
4120- * @param cli A cli_state connected to the server.
4121- * @param mem_ctx Talloc context, destroyed on completion of the function.
4122 * @param argc Standard main() style argc.
4123 * @param argv Standard main() style argv. Initial components are already
4124 * stripped.
4125 *
4126- * @return Normal NTSTATUS return.
4127+ * @return A shell status integer (0 for success).
4128 **/
4129
4130-static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
4131- const struct dom_sid *domain_sid,
4132- const char *domain_name,
4133- struct cli_state *cli,
4134- struct rpc_pipe_client *pipe_hnd,
4135- TALLOC_CTX *mem_ctx,
4136- int argc,
4137- const char **argv)
4138+static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
4139 {
4140+ struct libnet_JoinCtx *r = NULL;
4141+ TALLOC_CTX *mem_ctx;
4142+ WERROR werr;
4143+ const char *domain = lp_workgroup(); /* FIXME */
4144+ bool modify_config = lp_config_backend_is_registry();
4145+ enum netr_SchannelType sec_chan_type;
4146+ char *pw = NULL;
4147
4148- fstring trust_passwd;
4149- unsigned char orig_trust_passwd_hash[16];
4150- NTSTATUS result;
4151- enum netr_SchannelType sec_channel_type;
4152+ if (c->display_usage) {
4153+ d_printf("Usage:\n"
4154+ "net rpc oldjoin\n"
4155+ " Join a domain the old way\n");
4156+ return 0;
4157+ }
4158
4159- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
4160- &pipe_hnd);
4161- if (!NT_STATUS_IS_OK(result)) {
4162- DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
4163- "error was %s\n",
4164- smbXcli_conn_remote_name(cli->conn),
4165- nt_errstr(result) ));
4166- return result;
4167+ mem_ctx = talloc_init("net_rpc_oldjoin");
4168+ if (!mem_ctx) {
4169+ return -1;
4170+ }
4171+
4172+ werr = libnet_init_JoinCtx(mem_ctx, &r);
4173+ if (!W_ERROR_IS_OK(werr)) {
4174+ goto fail;
4175 }
4176
4177 /*
4178@@ -363,92 +363,78 @@ static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
4179 a BDC, the server must agree that we are a BDC.
4180 */
4181 if (argc >= 0) {
4182- sec_channel_type = get_sec_channel_type(argv[0]);
4183+ sec_chan_type = get_sec_channel_type(argv[0]);
4184 } else {
4185- sec_channel_type = get_sec_channel_type(NULL);
4186+ sec_chan_type = get_sec_channel_type(NULL);
4187 }
4188
4189- fstrcpy(trust_passwd, lp_netbios_name());
4190- if (!strlower_m(trust_passwd)) {
4191- return NT_STATUS_UNSUCCESSFUL;
4192+ if (!c->msg_ctx) {
4193+ d_fprintf(stderr, _("Could not initialise message context. "
4194+ "Try running as root\n"));
4195+ werr = WERR_ACCESS_DENIED;
4196+ goto fail;
4197 }
4198
4199- /*
4200- * Machine names can be 15 characters, but the max length on
4201- * a password is 14. --jerry
4202- */
4203-
4204- trust_passwd[14] = '\0';
4205-
4206- E_md4hash(trust_passwd, orig_trust_passwd_hash);
4207-
4208- result = trust_pw_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup,
4209- lp_netbios_name(),
4210- orig_trust_passwd_hash,
4211- sec_channel_type);
4212-
4213- if (NT_STATUS_IS_OK(result))
4214- printf(_("Joined domain %s.\n"), c->opt_target_workgroup);
4215+ pw = talloc_strndup(r, lp_netbios_name(), 14);
4216+ if (pw == NULL) {
4217+ werr = WERR_NOMEM;
4218+ goto fail;
4219+ }
4220
4221+ r->in.msg_ctx = c->msg_ctx;
4222+ r->in.domain_name = domain;
4223+ r->in.secure_channel_type = sec_chan_type;
4224+ r->in.dc_name = c->opt_host;
4225+ r->in.admin_account = "";
4226+ r->in.admin_password = strlower_talloc(r, pw);
4227+ if (r->in.admin_password == NULL) {
4228+ werr = WERR_NOMEM;
4229+ goto fail;
4230+ }
4231+ r->in.debug = true;
4232+ r->in.modify_config = modify_config;
4233+ r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
4234+ WKSSVC_JOIN_FLAGS_JOIN_UNSECURE |
4235+ WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED;
4236
4237- if (!secrets_store_domain_sid(c->opt_target_workgroup, domain_sid)) {
4238- DEBUG(0, ("error storing domain sid for %s\n", c->opt_target_workgroup));
4239- result = NT_STATUS_UNSUCCESSFUL;
4240+ werr = libnet_Join(mem_ctx, r);
4241+ if (!W_ERROR_IS_OK(werr)) {
4242+ goto fail;
4243 }
4244
4245- return result;
4246-}
4247+ /* Check the short name of the domain */
4248
4249-/**
4250- * Join a domain, the old way.
4251- *
4252- * @param argc Standard main() style argc.
4253- * @param argv Standard main() style argv. Initial components are already
4254- * stripped.
4255- *
4256- * @return A shell status integer (0 for success).
4257- **/
4258+ if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
4259+ d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
4260+ d_printf("domain name obtained from the server.\n");
4261+ d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
4262+ d_printf("You should set \"workgroup = %s\" in %s.\n",
4263+ r->out.netbios_domain_name, get_dyn_CONFIGFILE());
4264+ }
4265
4266-static int net_rpc_perform_oldjoin(struct net_context *c, int argc, const char **argv)
4267-{
4268- return run_rpc_command(c, NULL, &ndr_table_netlogon,
4269- NET_FLAGS_NO_PIPE | NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
4270- rpc_oldjoin_internals,
4271- argc, argv);
4272-}
4273+ d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
4274
4275-/**
4276- * Join a domain, the old way. This function exists to allow
4277- * the message to be displayed when oldjoin was explicitly
4278- * requested, but not when it was implied by "net rpc join".
4279- *
4280- * @param argc Standard main() style argc.
4281- * @param argv Standard main() style argv. Initial components are already
4282- * stripped.
4283- *
4284- * @return A shell status integer (0 for success).
4285- **/
4286+ if (r->out.dns_domain_name) {
4287+ d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
4288+ r->out.dns_domain_name);
4289+ } else {
4290+ d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
4291+ r->out.netbios_domain_name);
4292+ }
4293
4294-static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
4295-{
4296- int rc = -1;
4297+ TALLOC_FREE(mem_ctx);
4298
4299- if (c->display_usage) {
4300- d_printf( "%s\n"
4301- "net rpc oldjoin\n"
4302- " %s\n",
4303- _("Usage:"),
4304- _("Join a domain the old way"));
4305- return 0;
4306- }
4307+ return 0;
4308
4309- rc = net_rpc_perform_oldjoin(c, argc, argv);
4310+fail:
4311+ /* issue an overall failure message at the end. */
4312+ d_fprintf(stderr, _("Failed to join domain: %s\n"),
4313+ r && r->out.error_string ? r->out.error_string :
4314+ get_friendly_werror_msg(werr));
4315
4316- if (rc) {
4317- d_fprintf(stderr, _("Failed to join domain\n"));
4318- }
4319+ TALLOC_FREE(mem_ctx);
4320
4321- return rc;
4322+ return -1;
4323 }
4324
4325 /**
4326@@ -492,7 +478,7 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
4327 return -1;
4328 }
4329
4330- if ((net_rpc_perform_oldjoin(c, argc, argv) == 0))
4331+ if ((net_rpc_oldjoin(c, argc, argv) == 0))
4332 return 0;
4333
4334 return net_rpc_join_newstyle(c, argc, argv);
4335--
43361.9.3
4337
4338
4339From 3185251186366984b5ec06322c75cfda71dccdbc Mon Sep 17 00:00:00 2001
4340From: Stefan Metzmacher <metze@samba.org>
4341Date: Thu, 13 Jun 2013 19:12:27 +0200
4342Subject: [PATCH 039/249] s3:libnet: let the caller truncate the pw in
4343 libnet_join_joindomain_rpc_unsecure()
4344
4345Signed-off-by: Stefan Metzmacher <metze@samba.org>
4346Reviewed-by: Andreas Schneider <asn@samba.org>
4347(cherry picked from commit 1242ab0cb3bf575b695b39313604af9d0a7f1b3a)
4348---
4349 source3/libnet/libnet_join.c | 15 +--------------
4350 1 file changed, 1 insertion(+), 14 deletions(-)
4351
4352diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
4353index b731d9b..d8ec235 100644
4354--- a/source3/libnet/libnet_join.c
4355+++ b/source3/libnet/libnet_join.c
4356@@ -818,7 +818,6 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
4357 struct rpc_pipe_client *pipe_hnd = NULL;
4358 unsigned char orig_trust_passwd_hash[16];
4359 unsigned char new_trust_passwd_hash[16];
4360- fstring trust_passwd;
4361 NTSTATUS status;
4362
4363 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
4364@@ -837,19 +836,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
4365 E_md4hash(r->in.machine_password, new_trust_passwd_hash);
4366
4367 /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
4368- fstrcpy(trust_passwd, r->in.admin_password);
4369- if (!strlower_m(trust_passwd)) {
4370- return NT_STATUS_INVALID_PARAMETER;
4371- }
4372-
4373- /*
4374- * Machine names can be 15 characters, but the max length on
4375- * a password is 14. --jerry
4376- */
4377-
4378- trust_passwd[14] = '\0';
4379-
4380- E_md4hash(trust_passwd, orig_trust_passwd_hash);
4381+ E_md4hash(r->in.admin_password, orig_trust_passwd_hash);
4382
4383 status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
4384 r->in.machine_name,
4385--
43861.9.3
4387
4388
4389From e1e15a73a9a5215866f6471c5e583457c516b47e Mon Sep 17 00:00:00 2001
4390From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
4391Date: Tue, 3 Feb 2009 20:10:05 +0100
4392Subject: [PATCH 040/249] s3-net: use libnetjoin for "net rpc testjoin".
4393MIME-Version: 1.0
4394Content-Type: text/plain; charset=UTF-8
4395Content-Transfer-Encoding: 8bit
4396
4397Guenther
4398
4399Signed-off-by: Günther Deschner <gd@samba.org>
4400Reviewed-by: Stefan Metzmacher <metze@samba.org>
4401Reviewed-by: Andreas Schneider <asn@samba.org>
4402(cherry picked from commit 9cfa6251600ddea0e821f2bd3fd359c28eb1b7f9)
4403---
4404 source3/utils/net_proto.h | 2 +-
4405 source3/utils/net_rpc.c | 66 ++++++++++++++++++++++++++++++++++++++++++++
4406 source3/utils/net_rpc_join.c | 29 -------------------
4407 3 files changed, 67 insertions(+), 30 deletions(-)
4408
4409diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
4410index 03fb312..d791708 100644
4411--- a/source3/utils/net_proto.h
4412+++ b/source3/utils/net_proto.h
4413@@ -145,6 +145,7 @@ int run_rpc_command(struct net_context *c,
4414 int argc,
4415 const char **argv);
4416 int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
4417+int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
4418 int net_rpc_join(struct net_context *c, int argc, const char **argv);
4419 NTSTATUS rpc_info_internals(struct net_context *c,
4420 const struct dom_sid *domain_sid,
4421@@ -205,7 +206,6 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
4422 const char *server,
4423 const struct sockaddr_storage *server_ss);
4424 int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
4425-int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
4426
4427 /* The following definitions come from utils/net_rpc_printer.c */
4428
4429diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
4430index 720e9d2..592be44 100644
4431--- a/source3/utils/net_rpc.c
4432+++ b/source3/utils/net_rpc.c
4433@@ -438,6 +438,72 @@ fail:
4434 }
4435
4436 /**
4437+ * check that a join is OK
4438+ *
4439+ * @return A shell status integer (0 for success)
4440+ *
4441+ **/
4442+int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
4443+{
4444+ NTSTATUS status;
4445+ TALLOC_CTX *mem_ctx;
4446+ const char *domain = c->opt_target_workgroup;
4447+ const char *dc = c->opt_host;
4448+
4449+ if (c->display_usage) {
4450+ d_printf("Usage\n"
4451+ "net rpc testjoin\n"
4452+ " Test if a join is OK\n");
4453+ return 0;
4454+ }
4455+
4456+ mem_ctx = talloc_init("net_rpc_testjoin");
4457+ if (!mem_ctx) {
4458+ return -1;
4459+ }
4460+
4461+ if (!dc) {
4462+ struct netr_DsRGetDCNameInfo *info;
4463+
4464+ if (!c->msg_ctx) {
4465+ d_fprintf(stderr, _("Could not initialise message context. "
4466+ "Try running as root\n"));
4467+ talloc_destroy(mem_ctx);
4468+ return -1;
4469+ }
4470+
4471+ status = dsgetdcname(mem_ctx,
4472+ c->msg_ctx,
4473+ domain,
4474+ NULL,
4475+ NULL,
4476+ DS_RETURN_DNS_NAME,
4477+ &info);
4478+ if (!NT_STATUS_IS_OK(status)) {
4479+ talloc_destroy(mem_ctx);
4480+ return -1;
4481+ }
4482+
4483+ dc = strip_hostname(info->dc_unc);
4484+ }
4485+
4486+ /* Display success or failure */
4487+ status = libnet_join_ok(c->opt_workgroup, lp_netbios_name(), dc,
4488+ c->opt_kerberos);
4489+ if (!NT_STATUS_IS_OK(status)) {
4490+ fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
4491+ domain, nt_errstr(status));
4492+ talloc_destroy(mem_ctx);
4493+ return -1;
4494+ }
4495+
4496+ printf("Join to '%s' is OK\n",domain);
4497+ talloc_destroy(mem_ctx);
4498+
4499+ return 0;
4500+}
4501+
4502+/**
4503 * 'net rpc join' entrypoint.
4504 * @param argc Standard main() style argc.
4505 * @param argv Standard main() style argv. Initial components are already
4506diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
4507index aabbe54..ee39a5c 100644
4508--- a/source3/utils/net_rpc_join.c
4509+++ b/source3/utils/net_rpc_join.c
4510@@ -561,32 +561,3 @@ done:
4511
4512 return retval;
4513 }
4514-
4515-/**
4516- * check that a join is OK
4517- *
4518- * @return A shell status integer (0 for success)
4519- *
4520- **/
4521-int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
4522-{
4523- NTSTATUS nt_status;
4524-
4525- if (c->display_usage) {
4526- d_printf(_("Usage\n"
4527- "net rpc testjoin\n"
4528- " Test if a join is OK\n"));
4529- return 0;
4530- }
4531-
4532- /* Display success or failure */
4533- nt_status = net_rpc_join_ok(c, c->opt_target_workgroup, NULL, NULL);
4534- if (!NT_STATUS_IS_OK(nt_status)) {
4535- fprintf(stderr, _("Join to domain '%s' is not valid: %s\n"),
4536- c->opt_target_workgroup, nt_errstr(nt_status));
4537- return -1;
4538- }
4539-
4540- printf(_("Join to '%s' is OK\n"), c->opt_target_workgroup);
4541- return 0;
4542-}
4543--
45441.9.3
4545
4546
4547From a0474baa59c0991c2b2d8e3f425c9a6845162f45 Mon Sep 17 00:00:00 2001
4548From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
4549Date: Tue, 3 Feb 2009 20:21:05 +0100
4550Subject: [PATCH 041/249] s3-net: use libnetjoin for "net rpc join" newstyle.
4551MIME-Version: 1.0
4552Content-Type: text/plain; charset=UTF-8
4553Content-Transfer-Encoding: 8bit
4554
4555Guenther
4556
4557Signed-off-by: Günther Deschner <gd@samba.org>
4558Reviewed-by: Stefan Metzmacher <metze@samba.org>
4559Reviewed-by: Andreas Schneider <asn@samba.org>
4560(cherry picked from commit 3e4ded48bbeacdcd128f3c667cbdd12a3efca312)
4561---
4562 source3/utils/net_proto.h | 8 +---
4563 source3/utils/net_rpc.c | 106 ++++++++++++++++++++++++++++++++++++++++++++++
4564 source3/wscript_build | 2 +-
4565 3 files changed, 108 insertions(+), 8 deletions(-)
4566
4567diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
4568index d791708..1809ba9 100644
4569--- a/source3/utils/net_proto.h
4570+++ b/source3/utils/net_proto.h
4571@@ -146,6 +146,7 @@ int run_rpc_command(struct net_context *c,
4572 const char **argv);
4573 int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
4574 int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
4575+int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
4576 int net_rpc_join(struct net_context *c, int argc, const char **argv);
4577 NTSTATUS rpc_info_internals(struct net_context *c,
4578 const struct dom_sid *domain_sid,
4579@@ -200,13 +201,6 @@ int net_rpc(struct net_context *c, int argc, const char **argv);
4580
4581 int net_rpc_audit(struct net_context *c, int argc, const char **argv);
4582
4583-/* The following definitions come from utils/net_rpc_join.c */
4584-
4585-NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
4586- const char *server,
4587- const struct sockaddr_storage *server_ss);
4588-int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
4589-
4590 /* The following definitions come from utils/net_rpc_printer.c */
4591
4592 NTSTATUS net_copy_fileattr(struct net_context *c,
4593diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
4594index 592be44..6358460 100644
4595--- a/source3/utils/net_rpc.c
4596+++ b/source3/utils/net_rpc.c
4597@@ -504,6 +504,112 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
4598 }
4599
4600 /**
4601+ * Join a domain using the administrator username and password
4602+ *
4603+ * @param argc Standard main() style argc
4604+ * @param argc Standard main() style argv. Initial components are already
4605+ * stripped. Currently not used.
4606+ * @return A shell status integer (0 for success)
4607+ *
4608+ **/
4609+
4610+int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
4611+{
4612+ struct libnet_JoinCtx *r = NULL;
4613+ TALLOC_CTX *mem_ctx;
4614+ WERROR werr;
4615+ const char *domain = lp_workgroup(); /* FIXME */
4616+ bool modify_config = lp_config_backend_is_registry();
4617+ enum netr_SchannelType sec_chan_type;
4618+
4619+ if (c->display_usage) {
4620+ d_printf("Usage:\n"
4621+ "net rpc join\n"
4622+ " Join a domain the new way\n");
4623+ return 0;
4624+ }
4625+
4626+ mem_ctx = talloc_init("net_rpc_join_newstyle");
4627+ if (!mem_ctx) {
4628+ return -1;
4629+ }
4630+
4631+ werr = libnet_init_JoinCtx(mem_ctx, &r);
4632+ if (!W_ERROR_IS_OK(werr)) {
4633+ goto fail;
4634+ }
4635+
4636+ /*
4637+ check what type of join - if the user want's to join as
4638+ a BDC, the server must agree that we are a BDC.
4639+ */
4640+ if (argc >= 0) {
4641+ sec_chan_type = get_sec_channel_type(argv[0]);
4642+ } else {
4643+ sec_chan_type = get_sec_channel_type(NULL);
4644+ }
4645+
4646+ if (!c->msg_ctx) {
4647+ d_fprintf(stderr, _("Could not initialise message context. "
4648+ "Try running as root\n"));
4649+ werr = WERR_ACCESS_DENIED;
4650+ goto fail;
4651+ }
4652+
4653+ r->in.msg_ctx = c->msg_ctx;
4654+ r->in.domain_name = domain;
4655+ r->in.secure_channel_type = sec_chan_type;
4656+ r->in.dc_name = c->opt_host;
4657+ r->in.admin_account = c->opt_user_name;
4658+ r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
4659+ r->in.debug = true;
4660+ r->in.use_kerberos = c->opt_kerberos;
4661+ r->in.modify_config = modify_config;
4662+ r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
4663+ WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
4664+ WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
4665+
4666+ werr = libnet_Join(mem_ctx, r);
4667+ if (!W_ERROR_IS_OK(werr)) {
4668+ goto fail;
4669+ }
4670+
4671+ /* Check the short name of the domain */
4672+
4673+ if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
4674+ d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
4675+ d_printf("domain name obtained from the server.\n");
4676+ d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
4677+ d_printf("You should set \"workgroup = %s\" in %s.\n",
4678+ r->out.netbios_domain_name, get_dyn_CONFIGFILE());
4679+ }
4680+
4681+ d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
4682+
4683+ if (r->out.dns_domain_name) {
4684+ d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
4685+ r->out.dns_domain_name);
4686+ } else {
4687+ d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
4688+ r->out.netbios_domain_name);
4689+ }
4690+
4691+ TALLOC_FREE(mem_ctx);
4692+
4693+ return 0;
4694+
4695+fail:
4696+ /* issue an overall failure message at the end. */
4697+ d_printf("Failed to join domain: %s\n",
4698+ r && r->out.error_string ? r->out.error_string :
4699+ get_friendly_werror_msg(werr));
4700+
4701+ TALLOC_FREE(mem_ctx);
4702+
4703+ return -1;
4704+}
4705+
4706+/**
4707 * 'net rpc join' entrypoint.
4708 * @param argc Standard main() style argc.
4709 * @param argv Standard main() style argv. Initial components are already
4710diff --git a/source3/wscript_build b/source3/wscript_build
4711index 9461b05..0bf84e2 100755
4712--- a/source3/wscript_build
4713+++ b/source3/wscript_build
4714@@ -507,7 +507,7 @@ LIBNET_SAMSYNC_SRC = '''libnet/libnet_samsync.c
4715
4716 NET_SRC1 = '''utils/net.c utils/net_ads.c utils/net_help.c
4717 utils/net_rap.c utils/net_rpc.c utils/net_rpc_samsync.c
4718- utils/net_rpc_join.c utils/net_time.c utils/net_lookup.c
4719+ utils/net_time.c utils/net_lookup.c
4720 utils/net_cache.c utils/net_groupmap.c
4721 utils/net_idmap.c utils/net_idmap_check.c
4722 utils/interact.c
4723--
47241.9.3
4725
4726
4727From b2aad96d2ffd5545c250cce605dfdb7f0852806c Mon Sep 17 00:00:00 2001
4728From: Stefan Metzmacher <metze@samba.org>
4729Date: Mon, 15 Jul 2013 13:28:34 +0200
4730Subject: [PATCH 042/249] s3-net: avoid confusing output in net_rpc_oldjoin()
4731 if NET_FLAGS_EXPECT_FALLBACK is passed
4732
4733"net rpc join" tries net_rpc_oldjoin() first and falls back to
4734net_rpc_join_newstyle(). We should not print the join failed
4735if just net_rpc_oldjoin() failed.
4736
4737Signed-off-by: Stefan Metzmacher <metze@samba.org>
4738Reviewed-by: Andreas Schneider <asn@samba.org>
4739(cherry picked from commit 05d9b4165af9e7f03d3fbeb64db4fc305fcec4df)
4740---
4741 source3/utils/net.h | 1 +
4742 source3/utils/net_proto.h | 1 -
4743 source3/utils/net_rpc.c | 15 +++++++++++++--
4744 3 files changed, 14 insertions(+), 3 deletions(-)
4745
4746diff --git a/source3/utils/net.h b/source3/utils/net.h
4747index 2056d89..e97734a 100644
4748--- a/source3/utils/net.h
4749+++ b/source3/utils/net.h
4750@@ -182,6 +182,7 @@ enum netdom_domain_t { ND_TYPE_NT4, ND_TYPE_AD };
4751 #define NET_FLAGS_SIGN 0x00000040 /* sign RPC connection */
4752 #define NET_FLAGS_SEAL 0x00000080 /* seal RPC connection */
4753 #define NET_FLAGS_TCP 0x00000100 /* use ncacn_ip_tcp */
4754+#define NET_FLAGS_EXPECT_FALLBACK 0x00000200 /* the caller will fallback */
4755
4756 /* net share operation modes */
4757 #define NET_MODE_SHARE_MIGRATE 1
4758diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
4759index 1809ba9..25e9db2 100644
4760--- a/source3/utils/net_proto.h
4761+++ b/source3/utils/net_proto.h
4762@@ -146,7 +146,6 @@ int run_rpc_command(struct net_context *c,
4763 const char **argv);
4764 int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
4765 int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
4766-int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
4767 int net_rpc_join(struct net_context *c, int argc, const char **argv);
4768 NTSTATUS rpc_info_internals(struct net_context *c,
4769 const struct dom_sid *domain_sid,
4770diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
4771index 6358460..dff8801 100644
4772--- a/source3/utils/net_rpc.c
4773+++ b/source3/utils/net_rpc.c
4774@@ -427,11 +427,16 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
4775 return 0;
4776
4777 fail:
4778+ if (c->opt_flags & NET_FLAGS_EXPECT_FALLBACK) {
4779+ goto cleanup;
4780+ }
4781+
4782 /* issue an overall failure message at the end. */
4783 d_fprintf(stderr, _("Failed to join domain: %s\n"),
4784 r && r->out.error_string ? r->out.error_string :
4785 get_friendly_werror_msg(werr));
4786
4787+cleanup:
4788 TALLOC_FREE(mem_ctx);
4789
4790 return -1;
4791@@ -513,7 +518,7 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
4792 *
4793 **/
4794
4795-int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
4796+static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
4797 {
4798 struct libnet_JoinCtx *r = NULL;
4799 TALLOC_CTX *mem_ctx;
4800@@ -623,6 +628,8 @@ fail:
4801
4802 int net_rpc_join(struct net_context *c, int argc, const char **argv)
4803 {
4804+ int ret;
4805+
4806 if (c->display_usage) {
4807 d_printf("%s\n%s",
4808 _("Usage:"),
4809@@ -650,8 +657,12 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
4810 return -1;
4811 }
4812
4813- if ((net_rpc_oldjoin(c, argc, argv) == 0))
4814+ c->opt_flags |= NET_FLAGS_EXPECT_FALLBACK;
4815+ ret = net_rpc_oldjoin(c, argc, argv);
4816+ c->opt_flags &= ~NET_FLAGS_EXPECT_FALLBACK;
4817+ if (ret == 0) {
4818 return 0;
4819+ }
4820
4821 return net_rpc_join_newstyle(c, argc, argv);
4822 }
4823--
48241.9.3
4825
4826
4827From 8e8a2602d1c793f9a46e5219dea91a46e34d24ca Mon Sep 17 00:00:00 2001
4828From: Stefan Metzmacher <metze@samba.org>
4829Date: Tue, 16 Jul 2013 10:07:30 +0200
4830Subject: [PATCH 043/249] s4:librpc: fix netlogon connections against servers
4831 without AES support
4832
4833LogonGetCapabilities() only works on the credential chain if
4834the server supports AES, so we need to work on a temporary copy
4835until we know the server replied a valid return authenticator.
4836
4837Signed-off-by: Stefan Metzmacher <metze@samba.org>
4838Reviewed-by: Andreas Schneider <asn@samba.org>
4839(cherry picked from commit 34fa7946993506fde2c6b30e4a41bea27390a814)
4840---
4841 source4/librpc/rpc/dcerpc_schannel.c | 8 ++++++--
4842 1 file changed, 6 insertions(+), 2 deletions(-)
4843
4844diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
4845index 1480486..130ebeb 100644
4846--- a/source4/librpc/rpc/dcerpc_schannel.c
4847+++ b/source4/librpc/rpc/dcerpc_schannel.c
4848@@ -385,6 +385,7 @@ struct auth_schannel_state {
4849 struct loadparm_context *lp_ctx;
4850 uint8_t auth_level;
4851 struct netlogon_creds_CredentialState *creds_state;
4852+ struct netlogon_creds_CredentialState save_creds_state;
4853 struct netr_Authenticator auth;
4854 struct netr_Authenticator return_auth;
4855 union netr_Capabilities capabilities;
4856@@ -449,7 +450,8 @@ static void continue_bind_auth(struct composite_context *ctx)
4857 s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
4858 if (composite_nomem(s->creds_state, c)) return;
4859
4860- netlogon_creds_client_authenticator(s->creds_state, &s->auth);
4861+ s->save_creds_state = *s->creds_state;
4862+ netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
4863
4864 s->c.in.server_name = talloc_asprintf(c,
4865 "\\\\%s",
4866@@ -519,12 +521,14 @@ static void continue_get_capabilities(struct tevent_req *subreq)
4867 }
4868
4869 /* verify credentials */
4870- if (!netlogon_creds_client_check(s->creds_state,
4871+ if (!netlogon_creds_client_check(&s->save_creds_state,
4872 &s->c.out.return_authenticator->cred)) {
4873 composite_error(c, NT_STATUS_UNSUCCESSFUL);
4874 return;
4875 }
4876
4877+ *s->creds_state = s->save_creds_state;
4878+
4879 if (!NT_STATUS_IS_OK(s->c.out.result)) {
4880 composite_error(c, s->c.out.result);
4881 return;
4882--
48831.9.3
4884
4885
4886From 300fb415d5a6a60702b0c8464e0e76cf0e11fdeb Mon Sep 17 00:00:00 2001
4887From: Stefan Metzmacher <metze@samba.org>
4888Date: Fri, 22 Mar 2013 15:07:10 +0100
4889Subject: [PATCH 044/249] s3:rpcclient: use talloc_stackframe() in do_cmd()
4890
4891Signed-off-by: Stefan Metzmacher <metze@samba.org>
4892Reviewed-by: Andreas Schneider <asn@samba.org>
4893(cherry picked from commit d54c908ff5bef774f5cca038741558089ff6baeb)
4894---
4895 source3/rpcclient/rpcclient.c | 8 ++++++--
4896 1 file changed, 6 insertions(+), 2 deletions(-)
4897
4898diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
4899index c23ff2d..9bf296e 100644
4900--- a/source3/rpcclient/rpcclient.c
4901+++ b/source3/rpcclient/rpcclient.c
4902@@ -678,7 +678,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
4903
4904 /* Create mem_ctx */
4905
4906- if (!(mem_ctx = talloc_init("do_cmd"))) {
4907+ if (!(mem_ctx = talloc_stackframe())) {
4908 DEBUG(0, ("talloc_init() failed\n"));
4909 return NT_STATUS_NO_MEMORY;
4910 }
4911@@ -745,12 +745,14 @@ static NTSTATUS do_cmd(struct cli_state *cli,
4912 "auth type %u\n",
4913 cmd_entry->table->name,
4914 pipe_default_auth_type ));
4915+ talloc_free(mem_ctx);
4916 return NT_STATUS_UNSUCCESSFUL;
4917 }
4918 if (!NT_STATUS_IS_OK(ntresult)) {
4919 DEBUG(0, ("Could not initialise %s. Error was %s\n",
4920 cmd_entry->table->name,
4921 nt_errstr(ntresult) ));
4922+ talloc_free(mem_ctx);
4923 return ntresult;
4924 }
4925
4926@@ -765,6 +767,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
4927 trust_password, &machine_account,
4928 &sec_channel_type))
4929 {
4930+ talloc_free(mem_ctx);
4931 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
4932 }
4933
4934@@ -780,6 +783,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
4935 if (!NT_STATUS_IS_OK(ntresult)) {
4936 DEBUG(0, ("Could not initialise credentials for %s.\n",
4937 cmd_entry->table->name));
4938+ talloc_free(mem_ctx);
4939 return ntresult;
4940 }
4941 }
4942@@ -803,7 +807,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
4943
4944 /* Cleanup */
4945
4946- talloc_destroy(mem_ctx);
4947+ talloc_free(mem_ctx);
4948
4949 return ntresult;
4950 }
4951--
49521.9.3
4953
4954
4955From 95972ec54aafcf8a66e0164cd1fb478b6f4c58f6 Mon Sep 17 00:00:00 2001
4956From: Stefan Metzmacher <metze@samba.org>
4957Date: Wed, 24 Apr 2013 12:36:04 +0200
4958Subject: [PATCH 045/249] libcli/auth: make
4959 netlogon_creds_crypt_samlogon_validation more robust
4960
4961Signed-off-by: Stefan Metzmacher <metze@samba.org>
4962Reviewed-by: Andreas Schneider <asn@samba.org>
4963(cherry picked from commit 39fedd27182d9e1985418ea79b86aef69999dd57)
4964---
4965 libcli/auth/credentials.c | 6 +++++-
4966 1 file changed, 5 insertions(+), 1 deletion(-)
4967
4968diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
4969index fb77ede..5c8b25b 100644
4970--- a/libcli/auth/credentials.c
4971+++ b/libcli/auth/credentials.c
4972@@ -493,8 +493,12 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
4973 bool encrypt)
4974 {
4975 static const char zeros[16];
4976-
4977 struct netr_SamBaseInfo *base = NULL;
4978+
4979+ if (validation == NULL) {
4980+ return;
4981+ }
4982+
4983 switch (validation_level) {
4984 case 2:
4985 if (validation->sam2) {
4986--
49871.9.3
4988
4989
4990From ac092a319c388cc2577bcbd87e16522ba37dc2d0 Mon Sep 17 00:00:00 2001
4991From: Stefan Metzmacher <metze@samba.org>
4992Date: Fri, 14 Jun 2013 09:47:50 +0200
4993Subject: [PATCH 046/249] libcli/auth: fix shadowed declaration in
4994 netlogon_creds_crypt_samlogon_validation()
4995
4996Signed-off-by: Stefan Metzmacher <metze@samba.org>
4997Reviewed-by: Andreas Schneider <asn@samba.org>
4998(cherry picked from commit 291f6a1e031dc9db7d03b3ca924c4309b313cae5)
4999---
5000 libcli/auth/credentials.c | 8 ++++----
5001 1 file changed, 4 insertions(+), 4 deletions(-)
5002
5003diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
5004index 5c8b25b..2e9c87e 100644
5005--- a/libcli/auth/credentials.c
5006+++ b/libcli/auth/credentials.c
5007@@ -490,7 +490,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
5008 static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
5009 uint16_t validation_level,
5010 union netr_Validation *validation,
5011- bool encrypt)
5012+ bool do_encrypt)
5013 {
5014 static const char zeros[16];
5015 struct netr_SamBaseInfo *base = NULL;
5016@@ -531,7 +531,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
5017 /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
5018 if (memcmp(base->key.key, zeros,
5019 sizeof(base->key.key)) != 0) {
5020- if (encrypt) {
5021+ if (do_encrypt) {
5022 netlogon_creds_aes_encrypt(creds,
5023 base->key.key,
5024 sizeof(base->key.key));
5025@@ -544,7 +544,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
5026
5027 if (memcmp(base->LMSessKey.key, zeros,
5028 sizeof(base->LMSessKey.key)) != 0) {
5029- if (encrypt) {
5030+ if (do_encrypt) {
5031 netlogon_creds_aes_encrypt(creds,
5032 base->LMSessKey.key,
5033 sizeof(base->LMSessKey.key));
5034@@ -574,7 +574,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
5035 /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
5036 if (memcmp(base->LMSessKey.key, zeros,
5037 sizeof(base->LMSessKey.key)) != 0) {
5038- if (encrypt) {
5039+ if (do_encrypt) {
5040 netlogon_creds_des_encrypt_LMKey(creds,
5041 &base->LMSessKey);
5042 } else {
5043--
50441.9.3
5045
5046
5047From c535bfb9ead2175ae68b9d18a1692218a0fcf800 Mon Sep 17 00:00:00 2001
5048From: Stefan Metzmacher <metze@samba.org>
5049Date: Thu, 25 Apr 2013 17:01:00 +0200
5050Subject: [PATCH 047/249] libcli/auth: add
5051 netlogon_creds_[de|en]crypt_samlogon_logon()
5052
5053Signed-off-by: Stefan Metzmacher <metze@samba.org>
5054Reviewed-by: Andreas Schneider <asn@samba.org>
5055(cherry picked from commit c7319fce604d5f89a89094b6b18ef459a347aef8)
5056---
5057 libcli/auth/credentials.c | 118 ++++++++++++++++++++++++++++++++++++++++++++++
5058 libcli/auth/proto.h | 6 +++
5059 2 files changed, 124 insertions(+)
5060
5061diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
5062index 2e9c87e..78a8d7a 100644
5063--- a/libcli/auth/credentials.c
5064+++ b/libcli/auth/credentials.c
5065@@ -601,6 +601,124 @@ void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_Credential
5066 validation, true);
5067 }
5068
5069+static void netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
5070+ enum netr_LogonInfoClass level,
5071+ union netr_LogonLevel *logon,
5072+ bool encrypt)
5073+{
5074+ static const char zeros[16];
5075+
5076+ if (logon == NULL) {
5077+ return;
5078+ }
5079+
5080+ switch (level) {
5081+ case NetlogonInteractiveInformation:
5082+ case NetlogonInteractiveTransitiveInformation:
5083+ case NetlogonServiceInformation:
5084+ case NetlogonServiceTransitiveInformation:
5085+ if (logon->password == NULL) {
5086+ return;
5087+ }
5088+
5089+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
5090+ uint8_t *h;
5091+
5092+ h = logon->password->lmpassword.hash;
5093+ if (memcmp(h, zeros, 16) != 0) {
5094+ if (encrypt) {
5095+ netlogon_creds_aes_encrypt(creds, h, 16);
5096+ } else {
5097+ netlogon_creds_aes_decrypt(creds, h, 16);
5098+ }
5099+ }
5100+
5101+ h = logon->password->ntpassword.hash;
5102+ if (memcmp(h, zeros, 16) != 0) {
5103+ if (encrypt) {
5104+ netlogon_creds_aes_encrypt(creds, h, 16);
5105+ } else {
5106+ netlogon_creds_aes_decrypt(creds, h, 16);
5107+ }
5108+ }
5109+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
5110+ uint8_t *h;
5111+
5112+ h = logon->password->lmpassword.hash;
5113+ if (memcmp(h, zeros, 16) != 0) {
5114+ netlogon_creds_arcfour_crypt(creds, h, 16);
5115+ }
5116+
5117+ h = logon->password->ntpassword.hash;
5118+ if (memcmp(h, zeros, 16) != 0) {
5119+ netlogon_creds_arcfour_crypt(creds, h, 16);
5120+ }
5121+ } else {
5122+ struct samr_Password *p;
5123+
5124+ p = &logon->password->lmpassword;
5125+ if (memcmp(p->hash, zeros, 16) != 0) {
5126+ if (encrypt) {
5127+ netlogon_creds_des_encrypt(creds, p);
5128+ } else {
5129+ netlogon_creds_des_decrypt(creds, p);
5130+ }
5131+ }
5132+ p = &logon->password->ntpassword;
5133+ if (memcmp(p->hash, zeros, 16) != 0) {
5134+ if (encrypt) {
5135+ netlogon_creds_des_encrypt(creds, p);
5136+ } else {
5137+ netlogon_creds_des_decrypt(creds, p);
5138+ }
5139+ }
5140+ }
5141+ break;
5142+
5143+ case NetlogonNetworkInformation:
5144+ case NetlogonNetworkTransitiveInformation:
5145+ break;
5146+
5147+ case NetlogonGenericInformation:
5148+ if (logon->generic == NULL) {
5149+ return;
5150+ }
5151+
5152+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
5153+ if (encrypt) {
5154+ netlogon_creds_aes_encrypt(creds,
5155+ logon->generic->data,
5156+ logon->generic->length);
5157+ } else {
5158+ netlogon_creds_aes_decrypt(creds,
5159+ logon->generic->data,
5160+ logon->generic->length);
5161+ }
5162+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
5163+ netlogon_creds_arcfour_crypt(creds,
5164+ logon->generic->data,
5165+ logon->generic->length);
5166+ } else {
5167+ /* Using DES to verify kerberos tickets makes no sense */
5168+ }
5169+ break;
5170+ }
5171+}
5172+
5173+void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
5174+ enum netr_LogonInfoClass level,
5175+ union netr_LogonLevel *logon)
5176+{
5177+ netlogon_creds_crypt_samlogon_logon(creds, level, logon, false);
5178+}
5179+
5180+void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
5181+ enum netr_LogonInfoClass level,
5182+ union netr_LogonLevel *logon)
5183+{
5184+ netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
5185+}
5186+
5187 /*
5188 copy a netlogon_creds_CredentialState struct
5189 */
5190diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
5191index 6bc18d7..110e039 100644
5192--- a/libcli/auth/proto.h
5193+++ b/libcli/auth/proto.h
5194@@ -64,6 +64,12 @@ void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_Credential
5195 void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
5196 uint16_t validation_level,
5197 union netr_Validation *validation);
5198+void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
5199+ enum netr_LogonInfoClass level,
5200+ union netr_LogonLevel *logon);
5201+void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
5202+ enum netr_LogonInfoClass level,
5203+ union netr_LogonLevel *logon);
5204
5205 /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
5206
5207--
52081.9.3
5209
5210
5211From d4f36f187d7c87c8daae3f94cdba52225faa19b8 Mon Sep 17 00:00:00 2001
5212From: Stefan Metzmacher <metze@samba.org>
5213Date: Wed, 24 Apr 2013 12:53:27 +0200
5214Subject: [PATCH 048/249] libcli/auth: add netlogon_creds_shallow_copy_logon()
5215
5216This can be used before netlogon_creds_encrypt_samlogon_logon()
5217in order to keep the provided buffers unchanged.
5218
5219Signed-off-by: Stefan Metzmacher <metze@samba.org>
5220Reviewed-by: Andreas Schneider <asn@samba.org>
5221(cherry picked from commit 2ea749a1a43a6539b01d36dbe0402a99619444e1)
5222---
5223 libcli/auth/credentials.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++
5224 libcli/auth/proto.h | 3 ++
5225 2 files changed, 76 insertions(+)
5226
5227diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
5228index 78a8d7a..1f664d3 100644
5229--- a/libcli/auth/credentials.c
5230+++ b/libcli/auth/credentials.c
5231@@ -719,6 +719,79 @@ void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState
5232 netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
5233 }
5234
5235+union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
5236+ enum netr_LogonInfoClass level,
5237+ const union netr_LogonLevel *in)
5238+{
5239+ union netr_LogonLevel *out;
5240+
5241+ if (in == NULL) {
5242+ return NULL;
5243+ }
5244+
5245+ out = talloc(mem_ctx, union netr_LogonLevel);
5246+ if (out == NULL) {
5247+ return NULL;
5248+ }
5249+
5250+ *out = *in;
5251+
5252+ switch (level) {
5253+ case NetlogonInteractiveInformation:
5254+ case NetlogonInteractiveTransitiveInformation:
5255+ case NetlogonServiceInformation:
5256+ case NetlogonServiceTransitiveInformation:
5257+ if (in->password == NULL) {
5258+ return out;
5259+ }
5260+
5261+ out->password = talloc(out, struct netr_PasswordInfo);
5262+ if (out->password == NULL) {
5263+ talloc_free(out);
5264+ return NULL;
5265+ }
5266+ *out->password = *in->password;
5267+
5268+ return out;
5269+
5270+ case NetlogonNetworkInformation:
5271+ case NetlogonNetworkTransitiveInformation:
5272+ break;
5273+
5274+ case NetlogonGenericInformation:
5275+ if (in->generic == NULL) {
5276+ return out;
5277+ }
5278+
5279+ out->generic = talloc(out, struct netr_GenericInfo);
5280+ if (out->generic == NULL) {
5281+ talloc_free(out);
5282+ return NULL;
5283+ }
5284+ *out->generic = *in->generic;
5285+
5286+ if (in->generic->data == NULL) {
5287+ return out;
5288+ }
5289+
5290+ if (in->generic->length == 0) {
5291+ return out;
5292+ }
5293+
5294+ out->generic->data = talloc_memdup(out->generic,
5295+ in->generic->data,
5296+ in->generic->length);
5297+ if (out->generic->data == NULL) {
5298+ talloc_free(out);
5299+ return NULL;
5300+ }
5301+
5302+ return out;
5303+ }
5304+
5305+ return out;
5306+}
5307+
5308 /*
5309 copy a netlogon_creds_CredentialState struct
5310 */
5311diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
5312index 110e039..0c319d3 100644
5313--- a/libcli/auth/proto.h
5314+++ b/libcli/auth/proto.h
5315@@ -70,6 +70,9 @@ void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState
5316 void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
5317 enum netr_LogonInfoClass level,
5318 union netr_LogonLevel *logon);
5319+union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
5320+ enum netr_LogonInfoClass level,
5321+ const union netr_LogonLevel *in);
5322
5323 /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
5324
5325--
53261.9.3
5327
5328
5329From 8cf11ba846fc31ce26020aabcf463817b56580a7 Mon Sep 17 00:00:00 2001
5330From: Stefan Metzmacher <metze@samba.org>
5331Date: Wed, 24 Apr 2013 16:00:18 +0200
5332Subject: [PATCH 049/249] s4:netlogon: make use of
5333 netlogon_creds_decrypt_samlogon_logon()
5334
5335Signed-off-by: Stefan Metzmacher <metze@samba.org>
5336Reviewed-by: Andreas Schneider <asn@samba.org>
5337(cherry picked from commit 9d548318da11247ffe8acf505cdb5299090c16f0)
5338---
5339 source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++---------------------
5340 1 file changed, 6 insertions(+), 22 deletions(-)
5341
5342diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
5343index 70239a4..c41cd02 100644
5344--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
5345+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
5346@@ -712,29 +712,15 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
5347 user_info = talloc_zero(mem_ctx, struct auth_usersupplied_info);
5348 NT_STATUS_HAVE_NO_MEMORY(user_info);
5349
5350+ netlogon_creds_decrypt_samlogon_logon(creds,
5351+ r->in.logon_level,
5352+ r->in.logon);
5353+
5354 switch (r->in.logon_level) {
5355 case NetlogonInteractiveInformation:
5356 case NetlogonServiceInformation:
5357 case NetlogonInteractiveTransitiveInformation:
5358 case NetlogonServiceTransitiveInformation:
5359- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
5360- netlogon_creds_aes_decrypt(creds,
5361- r->in.logon->password->lmpassword.hash,
5362- sizeof(r->in.logon->password->lmpassword.hash));
5363- netlogon_creds_aes_decrypt(creds,
5364- r->in.logon->password->ntpassword.hash,
5365- sizeof(r->in.logon->password->ntpassword.hash));
5366- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
5367- netlogon_creds_arcfour_crypt(creds,
5368- r->in.logon->password->lmpassword.hash,
5369- sizeof(r->in.logon->password->lmpassword.hash));
5370- netlogon_creds_arcfour_crypt(creds,
5371- r->in.logon->password->ntpassword.hash,
5372- sizeof(r->in.logon->password->ntpassword.hash));
5373- } else {
5374- netlogon_creds_des_decrypt(creds, &r->in.logon->password->lmpassword);
5375- netlogon_creds_des_decrypt(creds, &r->in.logon->password->ntpassword);
5376- }
5377
5378 /* TODO: we need to deny anonymous access here */
5379 nt_status = auth_context_create(mem_ctx,
5380@@ -788,11 +774,9 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
5381 case NetlogonGenericInformation:
5382 {
5383 if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
5384- netlogon_creds_aes_decrypt(creds,
5385- r->in.logon->generic->data, r->in.logon->generic->length);
5386+ /* OK */
5387 } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
5388- netlogon_creds_arcfour_crypt(creds,
5389- r->in.logon->generic->data, r->in.logon->generic->length);
5390+ /* OK */
5391 } else {
5392 /* Using DES to verify kerberos tickets makes no sense */
5393 return NT_STATUS_INVALID_PARAMETER;
5394--
53951.9.3
5396
5397
5398From 22bdc484af1b1a4ebd9451fd5cde4d3993dd6f0a Mon Sep 17 00:00:00 2001
5399From: Stefan Metzmacher <metze@samba.org>
5400Date: Wed, 24 Apr 2013 16:00:44 +0200
5401Subject: [PATCH 050/249] s3:netlogon: make use of
5402 netlogon_creds_decrypt_samlogon_logon()
5403
5404Signed-off-by: Stefan Metzmacher <metze@samba.org>
5405Reviewed-by: Andreas Schneider <asn@samba.org>
5406(cherry picked from commit 7b3ddd1a0bb41fe84c115555113362044620e484)
5407---
5408 source3/rpc_server/netlogon/srv_netlog_nt.c | 45 ++++++++++++++---------------
5409 1 file changed, 21 insertions(+), 24 deletions(-)
5410
5411diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
5412index e5ca474..09857b6 100644
5413--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
5414+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
5415@@ -1467,6 +1467,15 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
5416 struct auth_context *auth_context = NULL;
5417 const char *fn;
5418
5419+#ifdef DEBUG_PASSWORD
5420+ logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
5421+ r->in.logon_level,
5422+ r->in.logon);
5423+ if (logon == NULL) {
5424+ logon = r->in.logon;
5425+ }
5426+#endif
5427+
5428 switch (p->opnum) {
5429 case NDR_NETR_LOGONSAMLOGON:
5430 fn = "_netr_LogonSamLogon";
5431@@ -1547,6 +1556,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
5432
5433 status = NT_STATUS_OK;
5434
5435+ netlogon_creds_decrypt_samlogon_logon(creds,
5436+ r->in.logon_level,
5437+ logon);
5438+
5439 switch (r->in.logon_level) {
5440 case NetlogonNetworkInformation:
5441 case NetlogonNetworkTransitiveInformation:
5442@@ -1592,32 +1605,16 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
5443 uint8_t chal[8];
5444
5445 #ifdef DEBUG_PASSWORD
5446- DEBUG(100,("lm owf password:"));
5447- dump_data(100, logon->password->lmpassword.hash, 16);
5448-
5449- DEBUG(100,("nt owf password:"));
5450- dump_data(100, logon->password->ntpassword.hash, 16);
5451-#endif
5452- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
5453- netlogon_creds_aes_decrypt(creds,
5454- logon->password->lmpassword.hash,
5455- 16);
5456- netlogon_creds_aes_decrypt(creds,
5457- logon->password->ntpassword.hash,
5458- 16);
5459- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
5460- netlogon_creds_arcfour_crypt(creds,
5461- logon->password->lmpassword.hash,
5462- 16);
5463- netlogon_creds_arcfour_crypt(creds,
5464- logon->password->ntpassword.hash,
5465- 16);
5466- } else {
5467- netlogon_creds_des_decrypt(creds, &logon->password->lmpassword);
5468- netlogon_creds_des_decrypt(creds, &logon->password->ntpassword);
5469+ if (logon != r->in.logon) {
5470+ DEBUG(100,("lm owf password:"));
5471+ dump_data(100,
5472+ r->in.logon->password->lmpassword.hash, 16);
5473+
5474+ DEBUG(100,("nt owf password:"));
5475+ dump_data(100,
5476+ r->in.logon->password->ntpassword.hash, 16);
5477 }
5478
5479-#ifdef DEBUG_PASSWORD
5480 DEBUG(100,("decrypt of lm owf password:"));
5481 dump_data(100, logon->password->lmpassword.hash, 16);
5482
5483--
54841.9.3
5485
5486
5487From b25c7249bdca17d4b4720a2e8f8ba329c4105e94 Mon Sep 17 00:00:00 2001
5488From: Stefan Metzmacher <metze@samba.org>
5489Date: Thu, 25 Apr 2013 18:27:57 +0200
5490Subject: [PATCH 051/249] s3:rpc_client: make rpccli_schannel_bind_data()
5491 static
5492
5493Signed-off-by: Stefan Metzmacher <metze@samba.org>
5494Reviewed-by: Andreas Schneider <asn@samba.org>
5495(cherry picked from commit 6ce645e03c279cbb2ed8a94f033b8e0601b61ef4)
5496---
5497 source3/rpc_client/cli_pipe.c | 9 +++++----
5498 source3/rpc_client/cli_pipe.h | 6 ------
5499 2 files changed, 5 insertions(+), 10 deletions(-)
5500
5501diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
5502index 1fa8d91..66fa2d2 100644
5503--- a/source3/rpc_client/cli_pipe.c
5504+++ b/source3/rpc_client/cli_pipe.c
5505@@ -2401,10 +2401,11 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
5506 return status;
5507 }
5508
5509-NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
5510- enum dcerpc_AuthLevel auth_level,
5511- struct netlogon_creds_CredentialState *creds,
5512- struct pipe_auth_data **presult)
5513+static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
5514+ const char *domain,
5515+ enum dcerpc_AuthLevel auth_level,
5516+ struct netlogon_creds_CredentialState *creds,
5517+ struct pipe_auth_data **presult)
5518 {
5519 struct schannel_state *schannel_auth;
5520 struct pipe_auth_data *result;
5521diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
5522index 6fcc587..8eb6040 100644
5523--- a/source3/rpc_client/cli_pipe.h
5524+++ b/source3/rpc_client/cli_pipe.h
5525@@ -58,12 +58,6 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
5526 NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
5527 struct pipe_auth_data **presult);
5528
5529-NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
5530- const char *domain,
5531- enum dcerpc_AuthLevel auth_level,
5532- struct netlogon_creds_CredentialState *creds,
5533- struct pipe_auth_data **presult);
5534-
5535 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
5536 const char *host,
5537 const struct sockaddr_storage *ss_addr,
5538--
55391.9.3
5540
5541
5542From 9f56e42ba78ce4e1248f06a0cecfc97789aea260 Mon Sep 17 00:00:00 2001
5543From: Stefan Metzmacher <metze@samba.org>
5544Date: Thu, 25 Apr 2013 18:29:31 +0200
5545Subject: [PATCH 052/249] s3:rpc_client: use the correct context for
5546 netlogon_creds_copy() in rpccli_schannel_bind_data()
5547
5548Signed-off-by: Stefan Metzmacher <metze@samba.org>
5549Reviewed-by: Andreas Schneider <asn@samba.org>
5550(cherry picked from commit 8a302fc353de8d373a0ec8544da4da6f305ec923)
5551---
5552 source3/rpc_client/cli_pipe.c | 5 ++++-
5553 1 file changed, 4 insertions(+), 1 deletion(-)
5554
5555diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
5556index 66fa2d2..afe8030 100644
5557--- a/source3/rpc_client/cli_pipe.c
5558+++ b/source3/rpc_client/cli_pipe.c
5559@@ -2431,7 +2431,10 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
5560
5561 schannel_auth->state = SCHANNEL_STATE_START;
5562 schannel_auth->initiator = true;
5563- schannel_auth->creds = netlogon_creds_copy(result, creds);
5564+ schannel_auth->creds = netlogon_creds_copy(schannel_auth, creds);
5565+ if (schannel_auth->creds == NULL) {
5566+ goto fail;
5567+ }
5568
5569 result->auth_ctx = schannel_auth;
5570 *presult = result;
5571--
55721.9.3
5573
5574
5575From 08d78b16f0adf1d223f29d613a498878230522be Mon Sep 17 00:00:00 2001
5576From: Stefan Metzmacher <metze@samba.org>
5577Date: Thu, 25 Apr 2013 19:43:58 +0200
5578Subject: [PATCH 053/249] s3:rpc_client: rename same variables in
5579 cli_rpc_pipe_open_schannel_with_key()
5580
5581Signed-off-by: Stefan Metzmacher <metze@samba.org>
5582Reviewed-by: Andreas Schneider <asn@samba.org>
5583(cherry picked from commit 94be8d63cd21fbb9e31bf7a92af82e19c596f94f)
5584---
5585 source3/rpc_client/cli_pipe.c | 30 +++++++++++++++---------------
5586 1 file changed, 15 insertions(+), 15 deletions(-)
5587
5588diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
5589index afe8030..ec804e7 100644
5590--- a/source3/rpc_client/cli_pipe.c
5591+++ b/source3/rpc_client/cli_pipe.c
5592@@ -3032,32 +3032,32 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
5593 enum dcerpc_AuthLevel auth_level,
5594 const char *domain,
5595 struct netlogon_creds_CredentialState **pdc,
5596- struct rpc_pipe_client **presult)
5597+ struct rpc_pipe_client **_rpccli)
5598 {
5599- struct rpc_pipe_client *result;
5600- struct pipe_auth_data *auth;
5601+ struct rpc_pipe_client *rpccli;
5602+ struct pipe_auth_data *rpcauth;
5603 NTSTATUS status;
5604
5605- status = cli_rpc_pipe_open(cli, transport, table, &result);
5606+ status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
5607 if (!NT_STATUS_IS_OK(status)) {
5608 return status;
5609 }
5610
5611- status = rpccli_schannel_bind_data(result, domain, auth_level,
5612- *pdc, &auth);
5613+ status = rpccli_schannel_bind_data(rpccli, domain, auth_level,
5614+ *pdc, &rpcauth);
5615 if (!NT_STATUS_IS_OK(status)) {
5616 DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
5617 nt_errstr(status)));
5618- TALLOC_FREE(result);
5619+ TALLOC_FREE(rpccli);
5620 return status;
5621 }
5622
5623- status = rpc_pipe_bind(result, auth);
5624+ status = rpc_pipe_bind(rpccli, rpcauth);
5625 if (!NT_STATUS_IS_OK(status)) {
5626 DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
5627 "cli_rpc_pipe_bind failed with error %s\n",
5628 nt_errstr(status) ));
5629- TALLOC_FREE(result);
5630+ TALLOC_FREE(rpccli);
5631 return status;
5632 }
5633
5634@@ -3065,10 +3065,10 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
5635 * The credentials on a new netlogon pipe are the ones we are passed
5636 * in - copy them over
5637 */
5638- if (result->dc == NULL) {
5639- result->dc = netlogon_creds_copy(result, *pdc);
5640- if (result->dc == NULL) {
5641- TALLOC_FREE(result);
5642+ if (rpccli->dc == NULL) {
5643+ rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
5644+ if (rpccli->dc == NULL) {
5645+ TALLOC_FREE(rpccli);
5646 return NT_STATUS_NO_MEMORY;
5647 }
5648 }
5649@@ -3076,9 +3076,9 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
5650 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
5651 "for domain %s and bound using schannel.\n",
5652 get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
5653- result->desthost, domain));
5654+ rpccli->desthost, domain));
5655
5656- *presult = result;
5657+ *_rpccli = rpccli;
5658 return NT_STATUS_OK;
5659 }
5660
5661--
56621.9.3
5663
5664
5665From 33991d3ea286fc5da1458ca64aa4fc004547ae04 Mon Sep 17 00:00:00 2001
5666From: Stefan Metzmacher <metze@samba.org>
5667Date: Mon, 5 Aug 2013 20:26:54 +0200
5668Subject: [PATCH 054/249] s3:libsmb: remove unused cli_state->is_guestlogin
5669
5670Signed-off-by: Stefan Metzmacher <metze@samba.org>
5671
5672Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5673(cherry picked from commit 11e0be0e72cfc4bc65ba2b0ffd10cbae3ad69b2d)
5674---
5675 source3/include/client.h | 1 -
5676 source3/libsmb/cliconnect.c | 5 -----
5677 2 files changed, 6 deletions(-)
5678
5679diff --git a/source3/include/client.h b/source3/include/client.h
5680index 3f92d6d..59fb104 100644
5681--- a/source3/include/client.h
5682+++ b/source3/include/client.h
5683@@ -72,7 +72,6 @@ struct cli_state {
5684 int timeout; /* in milliseconds. */
5685 int initialised;
5686 int win95;
5687- bool is_guestlogin;
5688 /* What the server offered. */
5689 uint32_t server_posix_capabilities;
5690 /* What the client requested. */
5691diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
5692index 13e7704..81bc028 100644
5693--- a/source3/libsmb/cliconnect.c
5694+++ b/source3/libsmb/cliconnect.c
5695@@ -240,7 +240,6 @@ static void cli_session_setup_lanman2_done(struct tevent_req *subreq)
5696 p = bytes;
5697
5698 cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
5699- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
5700
5701 status = smb_bytes_talloc_string(cli,
5702 inhdr,
5703@@ -448,7 +447,6 @@ static void cli_session_setup_guest_done(struct tevent_req *subreq)
5704 p = bytes;
5705
5706 cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
5707- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
5708
5709 status = smb_bytes_talloc_string(cli,
5710 inhdr,
5711@@ -613,7 +611,6 @@ static void cli_session_setup_plain_done(struct tevent_req *subreq)
5712 p = bytes;
5713
5714 cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
5715- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
5716
5717 status = smb_bytes_talloc_string(cli,
5718 inhdr,
5719@@ -930,7 +927,6 @@ static void cli_session_setup_nt1_done(struct tevent_req *subreq)
5720 p = bytes;
5721
5722 cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
5723- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
5724
5725 status = smb_bytes_talloc_string(cli,
5726 inhdr,
5727@@ -1180,7 +1176,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
5728 state->inbuf = in;
5729 inhdr = in + NBT_HDR_SIZE;
5730 cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
5731- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
5732
5733 blob_length = SVAL(vwv+3, 0);
5734 if (blob_length > num_bytes) {
5735--
57361.9.3
5737
5738
5739From 937a0f2fc020e12c21c10597a889275614603add Mon Sep 17 00:00:00 2001
5740From: Stefan Metzmacher <metze@samba.org>
5741Date: Sat, 15 Jun 2013 09:41:52 +0200
5742Subject: [PATCH 055/249] s3:auth_domain: try to use NETLOGON_NEG_SUPPORTS_AES
5743
5744Signed-off-by: Stefan Metzmacher <metze@samba.org>
5745
5746Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5747(cherry picked from commit d82ab70579ff2bcb69f997068482b198f321d1ef)
5748---
5749 source3/auth/auth_domain.c | 3 ++-
5750 1 file changed, 2 insertions(+), 1 deletion(-)
5751
5752diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
5753index 54ee5a1..06078e2 100644
5754--- a/source3/auth/auth_domain.c
5755+++ b/source3/auth/auth_domain.c
5756@@ -133,7 +133,8 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
5757
5758 if (!lp_client_schannel()) {
5759 /* We need to set up a creds chain on an unauthenticated netlogon pipe. */
5760- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
5761+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
5762+ NETLOGON_NEG_SUPPORTS_AES;
5763 enum netr_SchannelType sec_chan_type = 0;
5764 unsigned char machine_pwd[16];
5765 const char *account_name;
5766--
57671.9.3
5768
5769
5770From 981a88bb20cef572e5573ee2f18115a6e395fbf9 Mon Sep 17 00:00:00 2001
5771From: Stefan Metzmacher <metze@samba.org>
5772Date: Sat, 15 Jun 2013 09:41:52 +0200
5773Subject: [PATCH 056/249] s3:libnet_join: try to use NETLOGON_NEG_SUPPORTS_AES
5774
5775Signed-off-by: Stefan Metzmacher <metze@samba.org>
5776
5777Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5778(cherry picked from commit beba32619a91977543f882432fd08acc9de78fd3)
5779---
5780 source3/libnet/libnet_join.c | 3 ++-
5781 1 file changed, 2 insertions(+), 1 deletion(-)
5782
5783diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
5784index d8ec235..c1eccda 100644
5785--- a/source3/libnet/libnet_join.c
5786+++ b/source3/libnet/libnet_join.c
5787@@ -1194,7 +1194,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
5788 const char *dc_name,
5789 const bool use_kerberos)
5790 {
5791- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
5792+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
5793+ NETLOGON_NEG_SUPPORTS_AES;
5794 struct cli_state *cli = NULL;
5795 struct rpc_pipe_client *pipe_hnd = NULL;
5796 struct rpc_pipe_client *netlogon_pipe = NULL;
5797--
57981.9.3
5799
5800
5801From 846a35f004850695ca7c9d4597cd8729bb7c99e3 Mon Sep 17 00:00:00 2001
5802From: Stefan Metzmacher <metze@samba.org>
5803Date: Sat, 15 Jun 2013 09:41:52 +0200
5804Subject: [PATCH 057/249] s3:rpc_client: try to use NETLOGON_NEG_SUPPORTS_AES
5805
5806Signed-off-by: Stefan Metzmacher <metze@samba.org>
5807
5808Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5809(cherry picked from commit 04600634b3e761d7c56f699fd4ba80b4cd2926a1)
5810---
5811 source3/rpc_client/cli_netlogon.c | 3 ++-
5812 source3/rpc_client/cli_pipe_schannel.c | 6 ++++--
5813 2 files changed, 6 insertions(+), 3 deletions(-)
5814
5815diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
5816index 3d6a3e1..5e8a2fc 100644
5817--- a/source3/rpc_client/cli_netlogon.c
5818+++ b/source3/rpc_client/cli_netlogon.c
5819@@ -610,7 +610,8 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
5820 struct dcerpc_binding_handle *b = cli->binding_handle;
5821
5822 if (!cli->dc) {
5823- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
5824+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
5825+ NETLOGON_NEG_SUPPORTS_AES;
5826 result = rpccli_netlogon_setup_creds(cli,
5827 cli->desthost, /* server name */
5828 lp_workgroup(), /* domain */
5829diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
5830index bc672ef..de745c0 100644
5831--- a/source3/rpc_client/cli_pipe_schannel.c
5832+++ b/source3/rpc_client/cli_pipe_schannel.c
5833@@ -136,7 +136,8 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
5834 const char *password,
5835 struct rpc_pipe_client **presult)
5836 {
5837- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
5838+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
5839+ NETLOGON_NEG_SUPPORTS_AES;
5840 struct rpc_pipe_client *netlogon_pipe = NULL;
5841 struct rpc_pipe_client *result = NULL;
5842 NTSTATUS status;
5843@@ -175,7 +176,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
5844 const char *domain,
5845 struct rpc_pipe_client **presult)
5846 {
5847- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
5848+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
5849+ NETLOGON_NEG_SUPPORTS_AES;
5850 struct rpc_pipe_client *netlogon_pipe = NULL;
5851 struct rpc_pipe_client *result = NULL;
5852 NTSTATUS status;
5853--
58541.9.3
5855
5856
5857From a56391bc8cbe1fa9142d0a20f4bf977538f27e67 Mon Sep 17 00:00:00 2001
5858From: Stefan Metzmacher <metze@samba.org>
5859Date: Sat, 15 Jun 2013 09:41:52 +0200
5860Subject: [PATCH 058/249] s3:rpcclient: try to use NETLOGON_NEG_SUPPORTS_AES
5861
5862Signed-off-by: Stefan Metzmacher <metze@samba.org>
5863
5864Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5865(cherry picked from commit e77a64f505fc43628e487e832033d0cd8ec4de8e)
5866---
5867 source3/rpcclient/cmd_netlogon.c | 3 ++-
5868 source3/rpcclient/rpcclient.c | 3 ++-
5869 2 files changed, 4 insertions(+), 2 deletions(-)
5870
5871diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
5872index 01d6da4..d92434b 100644
5873--- a/source3/rpcclient/cmd_netlogon.c
5874+++ b/source3/rpcclient/cmd_netlogon.c
5875@@ -1120,7 +1120,8 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
5876 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
5877 NTSTATUS result;
5878 const char *server_name = cli->desthost;
5879- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
5880+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
5881+ NETLOGON_NEG_SUPPORTS_AES;
5882 struct netr_Authenticator clnt_creds, srv_cred;
5883 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
5884 unsigned char trust_passwd_hash[16];
5885diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
5886index 9bf296e..cb7b70f 100644
5887--- a/source3/rpcclient/rpcclient.c
5888+++ b/source3/rpcclient/rpcclient.c
5889@@ -758,7 +758,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
5890
5891 if (ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
5892 &ndr_table_netlogon.syntax_id)) {
5893- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
5894+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
5895+ NETLOGON_NEG_SUPPORTS_AES;
5896 enum netr_SchannelType sec_channel_type;
5897 uchar trust_password[16];
5898 const char *machine_account;
5899--
59001.9.3
5901
5902
5903From 06c4ff36efc63ef014c449602dc314ca4e7016bd Mon Sep 17 00:00:00 2001
5904From: Stefan Metzmacher <metze@samba.org>
5905Date: Thu, 25 Apr 2013 19:57:09 +0200
5906Subject: [PATCH 059/249] s3:rpc_client: fix/add AES downgrade detection to
5907 rpc_pipe_bind_step_two_done()
5908
5909Signed-off-by: Stefan Metzmacher <metze@samba.org>
5910
5911Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5912(cherry picked from commit 90e28c1825b2c48714d7b34fdb57d3878116d07e)
5913---
5914 source3/rpc_client/cli_pipe.c | 19 +++++++------------
5915 1 file changed, 7 insertions(+), 12 deletions(-)
5916
5917diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
5918index ec804e7..c354a6f 100644
5919--- a/source3/rpc_client/cli_pipe.c
5920+++ b/source3/rpc_client/cli_pipe.c
5921@@ -1828,8 +1828,7 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
5922 status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
5923 TALLOC_FREE(subreq);
5924 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
5925- if (state->cli->dc && state->cli->dc->negotiate_flags &
5926- NETLOGON_NEG_SUPPORTS_AES) {
5927+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
5928 DEBUG(5, ("AES is not supported and the error was %s\n",
5929 nt_errstr(status)));
5930 tevent_req_nterror(req,
5931@@ -1880,9 +1879,6 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
5932 return;
5933 }
5934
5935- TALLOC_FREE(state->cli->dc);
5936- state->cli->dc = talloc_steal(state->cli, state->creds);
5937-
5938 if (!NT_STATUS_IS_OK(state->r.out.result)) {
5939 DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
5940 nt_errstr(state->r.out.result)));
5941@@ -1890,18 +1886,17 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
5942 return;
5943 }
5944
5945- if (state->creds->negotiate_flags !=
5946- state->r.out.capabilities->server_capabilities) {
5947- DEBUG(0, ("The client capabilities don't match the server "
5948- "capabilities: local[0x%08X] remote[0x%08X]\n",
5949- state->creds->negotiate_flags,
5950- state->capabilities.server_capabilities));
5951+ if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
5952+ DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
5953+ "but AES was not negotiated - downgrade detected",
5954+ state->cli->desthost));
5955 tevent_req_nterror(req,
5956 NT_STATUS_INVALID_NETWORK_RESPONSE);
5957 return;
5958 }
5959
5960- /* TODO: Add downgrade dectection. */
5961+ TALLOC_FREE(state->cli->dc);
5962+ state->cli->dc = talloc_move(state->cli, &state->creds);
5963
5964 tevent_req_done(req);
5965 return;
5966--
59671.9.3
5968
5969
5970From e6416b9fe5019c3ce1aa8ecf42d73125a049338f Mon Sep 17 00:00:00 2001
5971From: Stefan Metzmacher <metze@samba.org>
5972Date: Thu, 25 Apr 2013 19:45:52 +0200
5973Subject: [PATCH 060/249] s3:rpc_client: use netlogon_creds_copy before
5974 rpc_pipe_bind
5975
5976Signed-off-by: Stefan Metzmacher <metze@samba.org>
5977
5978Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5979(cherry picked from commit e9c8e3fb92143525f846523e446e2213e5b55d9d)
5980---
5981 source3/rpc_client/cli_pipe.c | 24 ++++++++++++------------
5982 1 file changed, 12 insertions(+), 12 deletions(-)
5983
5984diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
5985index c354a6f..eb172db 100644
5986--- a/source3/rpc_client/cli_pipe.c
5987+++ b/source3/rpc_client/cli_pipe.c
5988@@ -3047,6 +3047,18 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
5989 return status;
5990 }
5991
5992+ /*
5993+ * The credentials on a new netlogon pipe are the ones we are passed
5994+ * in - copy them over
5995+ *
5996+ * This may get overwritten... in rpc_pipe_bind()...
5997+ */
5998+ rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
5999+ if (rpccli->dc == NULL) {
6000+ TALLOC_FREE(rpccli);
6001+ return NT_STATUS_NO_MEMORY;
6002+ }
6003+
6004 status = rpc_pipe_bind(rpccli, rpcauth);
6005 if (!NT_STATUS_IS_OK(status)) {
6006 DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
6007@@ -3056,18 +3068,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
6008 return status;
6009 }
6010
6011- /*
6012- * The credentials on a new netlogon pipe are the ones we are passed
6013- * in - copy them over
6014- */
6015- if (rpccli->dc == NULL) {
6016- rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
6017- if (rpccli->dc == NULL) {
6018- TALLOC_FREE(rpccli);
6019- return NT_STATUS_NO_MEMORY;
6020- }
6021- }
6022-
6023 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
6024 "for domain %s and bound using schannel.\n",
6025 get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
6026--
60271.9.3
6028
6029
6030From 1836ea96ed7dd055278fd6cac3f69a06ea979ea2 Mon Sep 17 00:00:00 2001
6031From: Stefan Metzmacher <metze@samba.org>
6032Date: Thu, 25 Apr 2013 19:34:13 +0200
6033Subject: [PATCH 061/249] s3:rpc_client: add netr_LogonGetCapabilities to
6034 cli_rpc_pipe_open_schannel_with_key()
6035
6036Signed-off-by: Stefan Metzmacher <metze@samba.org>
6037
6038Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6039(cherry picked from commit eecb5bafba5b362d4fdf33d6a2a32e4ee56f30a4)
6040---
6041 source3/rpc_client/cli_pipe.c | 101 ++++++++++++++++++++++++++++++++++++++++++
6042 1 file changed, 101 insertions(+)
6043
6044diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
6045index eb172db..314eb92 100644
6046--- a/source3/rpc_client/cli_pipe.c
6047+++ b/source3/rpc_client/cli_pipe.c
6048@@ -3032,6 +3032,11 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
6049 struct rpc_pipe_client *rpccli;
6050 struct pipe_auth_data *rpcauth;
6051 NTSTATUS status;
6052+ NTSTATUS result;
6053+ struct netlogon_creds_CredentialState save_creds;
6054+ struct netr_Authenticator auth;
6055+ struct netr_Authenticator return_auth;
6056+ union netr_Capabilities capabilities;
6057
6058 status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
6059 if (!NT_STATUS_IS_OK(status)) {
6060@@ -3068,6 +3073,102 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
6061 return status;
6062 }
6063
6064+ if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
6065+ goto done;
6066+ }
6067+
6068+ save_creds = *rpccli->dc;
6069+ ZERO_STRUCT(return_auth);
6070+ ZERO_STRUCT(capabilities);
6071+
6072+ netlogon_creds_client_authenticator(&save_creds, &auth);
6073+
6074+ status = dcerpc_netr_LogonGetCapabilities(rpccli->binding_handle,
6075+ talloc_tos(),
6076+ rpccli->srv_name_slash,
6077+ save_creds.computer_name,
6078+ &auth, &return_auth,
6079+ 1, &capabilities,
6080+ &result);
6081+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
6082+ if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
6083+ DEBUG(5, ("AES was negotiated and the error was %s - "
6084+ "downgrade detected\n",
6085+ nt_errstr(status)));
6086+ TALLOC_FREE(rpccli);
6087+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
6088+ }
6089+
6090+ /* This is probably an old Samba Version */
6091+ DEBUG(5, ("We are checking against an NT or old Samba - %s\n",
6092+ nt_errstr(status)));
6093+ goto done;
6094+ }
6095+
6096+ if (!NT_STATUS_IS_OK(status)) {
6097+ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
6098+ nt_errstr(status)));
6099+ TALLOC_FREE(rpccli);
6100+ return status;
6101+ }
6102+
6103+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
6104+ if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
6105+ /* This means AES isn't supported. */
6106+ DEBUG(5, ("AES was negotiated and the result was %s - "
6107+ "downgrade detected\n",
6108+ nt_errstr(result)));
6109+ TALLOC_FREE(rpccli);
6110+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
6111+ }
6112+
6113+ /* This is probably an old Windows version */
6114+ DEBUG(5, ("We are checking against an win2k3 or Samba - %s\n",
6115+ nt_errstr(result)));
6116+ goto done;
6117+ }
6118+
6119+ /*
6120+ * We need to check the credential state here, cause win2k3 and earlier
6121+ * returns NT_STATUS_NOT_IMPLEMENTED
6122+ */
6123+ if (!netlogon_creds_client_check(&save_creds, &return_auth.cred)) {
6124+ /*
6125+ * Server replied with bad credential. Fail.
6126+ */
6127+ DEBUG(0,("cli_rpc_pipe_open_schannel_with_key: server %s "
6128+ "replied with bad credential\n",
6129+ rpccli->desthost));
6130+ TALLOC_FREE(rpccli);
6131+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
6132+ }
6133+ *rpccli->dc = save_creds;
6134+
6135+ if (!NT_STATUS_IS_OK(result)) {
6136+ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
6137+ nt_errstr(result)));
6138+ TALLOC_FREE(rpccli);
6139+ return result;
6140+ }
6141+
6142+ if (!(save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
6143+ /* This means AES isn't supported. */
6144+ DEBUG(5, ("AES is not negotiated, but netr_LogonGetCapabilities "
6145+ "was OK - downgrade detected\n"));
6146+ TALLOC_FREE(rpccli);
6147+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
6148+ }
6149+
6150+ if (save_creds.negotiate_flags != capabilities.server_capabilities) {
6151+ DEBUG(0, ("The client capabilities don't match the server "
6152+ "capabilities: local[0x%08X] remote[0x%08X]\n",
6153+ save_creds.negotiate_flags,
6154+ capabilities.server_capabilities));
6155+ TALLOC_FREE(rpccli);
6156+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
6157+ }
6158+
6159+done:
6160 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
6161 "for domain %s and bound using schannel.\n",
6162 get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
6163--
61641.9.3
6165
6166
6167From 675be19880c2ac4bca14d69592ce39bb66a34dec Mon Sep 17 00:00:00 2001
6168From: Stefan Metzmacher <metze@samba.org>
6169Date: Thu, 25 Apr 2013 18:30:36 +0200
6170Subject: [PATCH 062/249] s3:rpc_client: remove netr_LogonGetCapabilities check
6171 from rpc_pipe_bind*
6172
6173It's done in the caller now.
6174
6175Signed-off-by: Stefan Metzmacher <metze@samba.org>
6176
6177Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6178(cherry picked from commit 3302356226cca474f0afab9a129220241c16663f)
6179---
6180 source3/rpc_client/cli_pipe.c | 150 +-----------------------------------------
6181 1 file changed, 1 insertion(+), 149 deletions(-)
6182
6183diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
6184index 314eb92..cba055a 100644
6185--- a/source3/rpc_client/cli_pipe.c
6186+++ b/source3/rpc_client/cli_pipe.c
6187@@ -1568,15 +1568,9 @@ struct rpc_pipe_bind_state {
6188 DATA_BLOB rpc_out;
6189 bool auth3;
6190 uint32_t rpc_call_id;
6191- struct netr_Authenticator auth;
6192- struct netr_Authenticator return_auth;
6193- struct netlogon_creds_CredentialState *creds;
6194- union netr_Capabilities capabilities;
6195- struct netr_LogonGetCapabilities r;
6196 };
6197
6198 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
6199-static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req);
6200 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
6201 struct rpc_pipe_bind_state *state,
6202 DATA_BLOB *credentials);
6203@@ -1679,14 +1673,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
6204
6205 case DCERPC_AUTH_TYPE_NONE:
6206 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
6207+ case DCERPC_AUTH_TYPE_SCHANNEL:
6208 /* Bind complete. */
6209 tevent_req_done(req);
6210 return;
6211
6212- case DCERPC_AUTH_TYPE_SCHANNEL:
6213- rpc_pipe_bind_step_two_trigger(req);
6214- return;
6215-
6216 case DCERPC_AUTH_TYPE_NTLMSSP:
6217 case DCERPC_AUTH_TYPE_SPNEGO:
6218 case DCERPC_AUTH_TYPE_KRB5:
6219@@ -1763,145 +1754,6 @@ err_out:
6220 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
6221 }
6222
6223-static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq);
6224-
6225-static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req)
6226-{
6227- struct rpc_pipe_bind_state *state =
6228- tevent_req_data(req,
6229- struct rpc_pipe_bind_state);
6230- struct dcerpc_binding_handle *b = state->cli->binding_handle;
6231- struct schannel_state *schannel_auth =
6232- talloc_get_type_abort(state->cli->auth->auth_ctx,
6233- struct schannel_state);
6234- struct tevent_req *subreq;
6235-
6236- if (schannel_auth == NULL ||
6237- !ndr_syntax_id_equal(&state->cli->abstract_syntax,
6238- &ndr_table_netlogon.syntax_id)) {
6239- tevent_req_done(req);
6240- return;
6241- }
6242-
6243- ZERO_STRUCT(state->return_auth);
6244-
6245- state->creds = netlogon_creds_copy(state, schannel_auth->creds);
6246- if (state->creds == NULL) {
6247- tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
6248- return;
6249- }
6250-
6251- netlogon_creds_client_authenticator(state->creds, &state->auth);
6252-
6253- state->r.in.server_name = state->cli->srv_name_slash;
6254- state->r.in.computer_name = state->creds->computer_name;
6255- state->r.in.credential = &state->auth;
6256- state->r.in.query_level = 1;
6257- state->r.in.return_authenticator = &state->return_auth;
6258-
6259- state->r.out.capabilities = &state->capabilities;
6260- state->r.out.return_authenticator = &state->return_auth;
6261-
6262- subreq = dcerpc_netr_LogonGetCapabilities_r_send(talloc_tos(),
6263- state->ev,
6264- b,
6265- &state->r);
6266- if (subreq == NULL) {
6267- tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
6268- return;
6269- }
6270-
6271- tevent_req_set_callback(subreq, rpc_pipe_bind_step_two_done, req);
6272- return;
6273-}
6274-
6275-static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
6276-{
6277- struct tevent_req *req =
6278- tevent_req_callback_data(subreq,
6279- struct tevent_req);
6280- struct rpc_pipe_bind_state *state =
6281- tevent_req_data(req,
6282- struct rpc_pipe_bind_state);
6283- NTSTATUS status;
6284-
6285- status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
6286- TALLOC_FREE(subreq);
6287- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
6288- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
6289- DEBUG(5, ("AES is not supported and the error was %s\n",
6290- nt_errstr(status)));
6291- tevent_req_nterror(req,
6292- NT_STATUS_INVALID_NETWORK_RESPONSE);
6293- return;
6294- }
6295-
6296- /* This is probably NT */
6297- DEBUG(5, ("We are checking against an NT - %s\n",
6298- nt_errstr(status)));
6299- tevent_req_done(req);
6300- return;
6301- } else if (!NT_STATUS_IS_OK(status)) {
6302- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
6303- nt_errstr(status)));
6304- tevent_req_nterror(req, status);
6305- return;
6306- }
6307-
6308- if (NT_STATUS_EQUAL(state->r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
6309- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
6310- /* This means AES isn't supported. */
6311- DEBUG(5, ("AES is not supported and the error was %s\n",
6312- nt_errstr(state->r.out.result)));
6313- tevent_req_nterror(req,
6314- NT_STATUS_INVALID_NETWORK_RESPONSE);
6315- return;
6316- }
6317-
6318- /* This is probably an old Samba version */
6319- DEBUG(5, ("We are checking against an old Samba version - %s\n",
6320- nt_errstr(state->r.out.result)));
6321- tevent_req_done(req);
6322- return;
6323- }
6324-
6325- /* We need to check the credential state here, cause win2k3 and earlier
6326- * returns NT_STATUS_NOT_IMPLEMENTED */
6327- if (!netlogon_creds_client_check(state->creds,
6328- &state->r.out.return_authenticator->cred)) {
6329- /*
6330- * Server replied with bad credential. Fail.
6331- */
6332- DEBUG(0,("rpc_pipe_bind_step_two_done: server %s "
6333- "replied with bad credential\n",
6334- state->cli->desthost));
6335- tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
6336- return;
6337- }
6338-
6339- if (!NT_STATUS_IS_OK(state->r.out.result)) {
6340- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
6341- nt_errstr(state->r.out.result)));
6342- tevent_req_nterror(req, state->r.out.result);
6343- return;
6344- }
6345-
6346- if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
6347- DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
6348- "but AES was not negotiated - downgrade detected",
6349- state->cli->desthost));
6350- tevent_req_nterror(req,
6351- NT_STATUS_INVALID_NETWORK_RESPONSE);
6352- return;
6353- }
6354-
6355- TALLOC_FREE(state->cli->dc);
6356- state->cli->dc = talloc_move(state->cli, &state->creds);
6357-
6358- tevent_req_done(req);
6359- return;
6360-}
6361-
6362 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
6363 struct rpc_pipe_bind_state *state,
6364 DATA_BLOB *auth_token)
6365--
63661.9.3
6367
6368
6369From f9b4e38b8458ec905b5f78e402f21f23c4a967e1 Mon Sep 17 00:00:00 2001
6370From: Stefan Metzmacher <metze@samba.org>
6371Date: Thu, 25 Apr 2013 19:33:28 +0200
6372Subject: [PATCH 063/249] s3:rpc_client: remove unused
6373 cli_rpc_pipe_open_ntlmssp_auth_schannel()
6374
6375Signed-off-by: Stefan Metzmacher <metze@samba.org>
6376
6377Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6378(cherry picked from commit 04938cbeecc777f7b799a11f1ca0461b351d968a)
6379---
6380 source3/rpc_client/cli_pipe.h | 9 ----
6381 source3/rpc_client/cli_pipe_schannel.c | 80 ----------------------------------
6382 2 files changed, 89 deletions(-)
6383
6384diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
6385index 8eb6040..ab99373 100644
6386--- a/source3/rpc_client/cli_pipe.h
6387+++ b/source3/rpc_client/cli_pipe.h
6388@@ -109,15 +109,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
6389 struct netlogon_creds_CredentialState **pdc,
6390 struct rpc_pipe_client **presult);
6391
6392-NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
6393- const struct ndr_interface_table *table,
6394- enum dcerpc_transport_t transport,
6395- enum dcerpc_AuthLevel auth_level,
6396- const char *domain,
6397- const char *username,
6398- const char *password,
6399- struct rpc_pipe_client **presult);
6400-
6401 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
6402 const struct ndr_interface_table *table,
6403 enum dcerpc_transport_t transport,
6404diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
6405index de745c0..aaae44b 100644
6406--- a/source3/rpc_client/cli_pipe_schannel.c
6407+++ b/source3/rpc_client/cli_pipe_schannel.c
6408@@ -86,86 +86,6 @@ static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon
6409
6410 /****************************************************************************
6411 Open a named pipe to an SMB server and bind using schannel (bind type 68).
6412- Fetch the session key ourselves using a temporary netlogon pipe. This
6413- version uses an ntlmssp auth bound netlogon pipe to get the key.
6414- ****************************************************************************/
6415-
6416-static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
6417- const char *domain,
6418- const char *username,
6419- const char *password,
6420- uint32 *pneg_flags,
6421- struct rpc_pipe_client **presult)
6422-{
6423- struct rpc_pipe_client *netlogon_pipe = NULL;
6424- NTSTATUS status;
6425-
6426- status = cli_rpc_pipe_open_spnego(
6427- cli, &ndr_table_netlogon, NCACN_NP,
6428- GENSEC_OID_NTLMSSP,
6429- DCERPC_AUTH_LEVEL_PRIVACY,
6430- smbXcli_conn_remote_name(cli->conn),
6431- domain, username, password, &netlogon_pipe);
6432- if (!NT_STATUS_IS_OK(status)) {
6433- return status;
6434- }
6435-
6436- status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
6437- pneg_flags);
6438- if (!NT_STATUS_IS_OK(status)) {
6439- TALLOC_FREE(netlogon_pipe);
6440- return status;
6441- }
6442-
6443- *presult = netlogon_pipe;
6444- return NT_STATUS_OK;
6445-}
6446-
6447-/****************************************************************************
6448- Open a named pipe to an SMB server and bind using schannel (bind type 68).
6449- Fetch the session key ourselves using a temporary netlogon pipe. This version
6450- uses an ntlmssp bind to get the session key.
6451- ****************************************************************************/
6452-
6453-NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
6454- const struct ndr_interface_table *table,
6455- enum dcerpc_transport_t transport,
6456- enum dcerpc_AuthLevel auth_level,
6457- const char *domain,
6458- const char *username,
6459- const char *password,
6460- struct rpc_pipe_client **presult)
6461-{
6462- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
6463- NETLOGON_NEG_SUPPORTS_AES;
6464- struct rpc_pipe_client *netlogon_pipe = NULL;
6465- struct rpc_pipe_client *result = NULL;
6466- NTSTATUS status;
6467-
6468- status = get_schannel_session_key_auth_ntlmssp(
6469- cli, domain, username, password, &neg_flags, &netlogon_pipe);
6470- if (!NT_STATUS_IS_OK(status)) {
6471- DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
6472- "key from server %s for domain %s.\n",
6473- smbXcli_conn_remote_name(cli->conn), domain ));
6474- return status;
6475- }
6476-
6477- status = cli_rpc_pipe_open_schannel_with_key(
6478- cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
6479- &result);
6480-
6481- /* Now we've bound using the session key we can close the netlog pipe. */
6482- TALLOC_FREE(netlogon_pipe);
6483-
6484- if (NT_STATUS_IS_OK(status)) {
6485- *presult = result;
6486- }
6487- return status;
6488-}
6489-
6490-/****************************************************************************
6491- Open a named pipe to an SMB server and bind using schannel (bind type 68).
6492 Fetch the session key ourselves using a temporary netlogon pipe.
6493 ****************************************************************************/
6494
6495--
64961.9.3
6497
6498
6499From 35d07a4d7ca15e4cf22f7cc96d6958c9856dc0a0 Mon Sep 17 00:00:00 2001
6500From: Stefan Metzmacher <metze@samba.org>
6501Date: Sat, 3 Aug 2013 11:26:13 +0200
6502Subject: [PATCH 064/249] auth/gensec: first check GENSEC_FEATURE_SESSION_KEY
6503 before returning NOT_IMPLEMENTED
6504
6505Preferr NT_STATUS_NO_USER_SESSION_KEY as return value of gensec_session_key().
6506
6507Signed-off-by: Stefan Metzmacher <metze@samba.org>
6508
6509Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6510(cherry picked from commit 45c74c8084d2db14fef6a79cd98068be2ab73f30)
6511---
6512 auth/gensec/gensec.c | 7 ++++---
6513 1 file changed, 4 insertions(+), 3 deletions(-)
6514
6515diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
6516index ea62861..9a8f0ef 100644
6517--- a/auth/gensec/gensec.c
6518+++ b/auth/gensec/gensec.c
6519@@ -155,13 +155,14 @@ _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
6520 TALLOC_CTX *mem_ctx,
6521 DATA_BLOB *session_key)
6522 {
6523- if (!gensec_security->ops->session_key) {
6524- return NT_STATUS_NOT_IMPLEMENTED;
6525- }
6526 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
6527 return NT_STATUS_NO_USER_SESSION_KEY;
6528 }
6529
6530+ if (!gensec_security->ops->session_key) {
6531+ return NT_STATUS_NOT_IMPLEMENTED;
6532+ }
6533+
6534 return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
6535 }
6536
6537--
65381.9.3
6539
6540
6541From 6eda030bd26347cef3fb670b0876956c97c00bfa Mon Sep 17 00:00:00 2001
6542From: Stefan Metzmacher <metze@samba.org>
6543Date: Sat, 3 Aug 2013 11:43:58 +0200
6544Subject: [PATCH 065/249] auth/gensec: add gensec_security_by_auth_type()
6545
6546Signed-off-by: Stefan Metzmacher <metze@samba.org>
6547
6548Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6549(cherry picked from commit 59b09564a7edac8dc241269587146342244ce58b)
6550---
6551 auth/gensec/gensec.h | 3 +++
6552 auth/gensec/gensec_start.c | 26 ++++++++++++++++++++++++++
6553 2 files changed, 29 insertions(+)
6554
6555diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
6556index 396a16d..c080861 100644
6557--- a/auth/gensec/gensec.h
6558+++ b/auth/gensec/gensec.h
6559@@ -268,6 +268,9 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security
6560 const char *oid_string);
6561 const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
6562 const char *sasl_name);
6563+const struct gensec_security_ops *gensec_security_by_auth_type(
6564+ struct gensec_security *gensec_security,
6565+ uint32_t auth_type);
6566 struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
6567 TALLOC_CTX *mem_ctx);
6568 const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
6569diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
6570index e46f0ee..c2cfa1c 100644
6571--- a/auth/gensec/gensec_start.c
6572+++ b/auth/gensec/gensec_start.c
6573@@ -246,6 +246,32 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
6574 return NULL;
6575 }
6576
6577+_PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
6578+ struct gensec_security *gensec_security,
6579+ uint32_t auth_type)
6580+{
6581+ int i;
6582+ struct gensec_security_ops **backends;
6583+ const struct gensec_security_ops *backend;
6584+ TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
6585+ if (!mem_ctx) {
6586+ return NULL;
6587+ }
6588+ backends = gensec_security_mechs(gensec_security, mem_ctx);
6589+ for (i=0; backends && backends[i]; i++) {
6590+ if (!gensec_security_ops_enabled(backends[i], gensec_security))
6591+ continue;
6592+ if (backends[i]->auth_type == auth_type) {
6593+ backend = backends[i];
6594+ talloc_free(mem_ctx);
6595+ return backend;
6596+ }
6597+ }
6598+ talloc_free(mem_ctx);
6599+
6600+ return NULL;
6601+}
6602+
6603 static const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
6604 const char *name)
6605 {
6606--
66071.9.3
6608
6609
6610From f4e1506ed3a032d38605207f592cbc4ece93a414 Mon Sep 17 00:00:00 2001
6611From: Stefan Metzmacher <metze@samba.org>
6612Date: Wed, 24 Apr 2013 12:33:28 +0200
6613Subject: [PATCH 066/249] libcli/auth: maintain the sequence number for the
6614 NETLOGON SSP as 64bit
6615
6616See [MS-NPRC] 3.3.4.2 The Netlogon Signature Token.
6617
6618Signed-off-by: Stefan Metzmacher <metze@samba.org>
6619
6620Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6621(cherry picked from commit 9f2e81ae02549369db49c05edf7071612a03a8b8)
6622---
6623 libcli/auth/schannel.h | 2 +-
6624 libcli/auth/schannel_sign.c | 17 +++++++++++++----
6625 source3/librpc/rpc/dcerpc_helpers.c | 4 ++--
6626 3 files changed, 16 insertions(+), 7 deletions(-)
6627
6628diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h
6629index bfccd95..271b5bb 100644
6630--- a/libcli/auth/schannel.h
6631+++ b/libcli/auth/schannel.h
6632@@ -30,7 +30,7 @@ enum schannel_position {
6633
6634 struct schannel_state {
6635 enum schannel_position state;
6636- uint32_t seq_num;
6637+ uint64_t seq_num;
6638 bool initiator;
6639 struct netlogon_creds_CredentialState *creds;
6640 };
6641diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
6642index 1871da2..6e5d454 100644
6643--- a/libcli/auth/schannel_sign.c
6644+++ b/libcli/auth/schannel_sign.c
6645@@ -24,6 +24,17 @@
6646 #include "../libcli/auth/schannel.h"
6647 #include "../lib/crypto/crypto.h"
6648
6649+#define SETUP_SEQNUM(state, buf, initiator) do { \
6650+ uint8_t *_buf = buf; \
6651+ uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
6652+ uint32_t _seq_num_high = (state)->seq_num >> 32; \
6653+ if (initiator) { \
6654+ _seq_num_high |= 0x80000000; \
6655+ } \
6656+ RSIVAL(_buf, 0, _seq_num_low); \
6657+ RSIVAL(_buf, 4, _seq_num_high); \
6658+} while(0)
6659+
6660 static void netsec_offset_and_sizes(struct schannel_state *state,
6661 bool do_seal,
6662 uint32_t *_min_sig_size,
6663@@ -255,8 +266,7 @@ NTSTATUS netsec_incoming_packet(struct schannel_state *state,
6664 confounder = NULL;
6665 }
6666
6667- RSIVAL(seq_num, 0, state->seq_num);
6668- SIVAL(seq_num, 4, state->initiator?0:0x80);
6669+ SETUP_SEQNUM(state, seq_num, !state->initiator);
6670
6671 if (do_unseal) {
6672 netsec_do_seal(state, seq_num,
6673@@ -325,8 +335,7 @@ NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
6674 &checksum_length,
6675 &confounder_ofs);
6676
6677- RSIVAL(seq_num, 0, state->seq_num);
6678- SIVAL(seq_num, 4, state->initiator?0x80:0);
6679+ SETUP_SEQNUM(state, seq_num, state->initiator);
6680
6681 if (do_seal) {
6682 confounder = _confounder;
6683diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
6684index a55e419..0095990 100644
6685--- a/source3/librpc/rpc/dcerpc_helpers.c
6686+++ b/source3/librpc/rpc/dcerpc_helpers.c
6687@@ -462,8 +462,8 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
6688 return NT_STATUS_INVALID_PARAMETER;
6689 }
6690
6691- DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
6692- sas->seq_num));
6693+ DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
6694+ (unsigned long long)sas->seq_num));
6695
6696 switch (auth_level) {
6697 case DCERPC_AUTH_LEVEL_PRIVACY:
6698--
66991.9.3
6700
6701
6702From f99afc1924dbb267e696bbdf26db606a8c77f093 Mon Sep 17 00:00:00 2001
6703From: Stefan Metzmacher <metze@samba.org>
6704Date: Fri, 2 Aug 2013 12:53:42 +0200
6705Subject: [PATCH 067/249] libcli/auth: add netsec_create_state()
6706
6707Signed-off-by: Stefan Metzmacher <metze@samba.org>
6708
6709Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6710(cherry picked from commit 33215398f32c76f4b8ada7b547c6d0741cb2ac16)
6711---
6712 libcli/auth/schannel_proto.h | 3 +++
6713 libcli/auth/schannel_sign.c | 23 +++++++++++++++++++++++
6714 2 files changed, 26 insertions(+)
6715
6716diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
6717index 0414218..da76559 100644
6718--- a/libcli/auth/schannel_proto.h
6719+++ b/libcli/auth/schannel_proto.h
6720@@ -28,6 +28,9 @@ struct schannel_state;
6721 struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
6722 struct loadparm_context *lp_ctx);
6723
6724+struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
6725+ struct netlogon_creds_CredentialState *creds,
6726+ bool initiator);
6727 NTSTATUS netsec_incoming_packet(struct schannel_state *state,
6728 bool do_unseal,
6729 uint8_t *data, size_t length,
6730diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
6731index 6e5d454..518a6a9 100644
6732--- a/libcli/auth/schannel_sign.c
6733+++ b/libcli/auth/schannel_sign.c
6734@@ -35,6 +35,29 @@
6735 RSIVAL(_buf, 4, _seq_num_high); \
6736 } while(0)
6737
6738+struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
6739+ struct netlogon_creds_CredentialState *creds,
6740+ bool initiator)
6741+{
6742+ struct schannel_state *state;
6743+
6744+ state = talloc(mem_ctx, struct schannel_state);
6745+ if (state == NULL) {
6746+ return NULL;
6747+ }
6748+
6749+ state->state = SCHANNEL_STATE_UPDATE_1;
6750+ state->initiator = initiator;
6751+ state->seq_num = 0;
6752+ state->creds = netlogon_creds_copy(state, creds);
6753+ if (state->creds == NULL) {
6754+ talloc_free(state);
6755+ return NULL;
6756+ }
6757+
6758+ return state;
6759+}
6760+
6761 static void netsec_offset_and_sizes(struct schannel_state *state,
6762 bool do_seal,
6763 uint32_t *_min_sig_size,
6764--
67651.9.3
6766
6767
6768From f13417a00173fcde96417773a1a551caced24c8b Mon Sep 17 00:00:00 2001
6769From: Stefan Metzmacher <metze@samba.org>
6770Date: Fri, 2 Aug 2013 13:28:11 +0200
6771Subject: [PATCH 068/249] s3:cli_pipe: make use of netsec_create_state()
6772
6773Signed-off-by: Stefan Metzmacher <metze@samba.org>
6774
6775Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6776(cherry picked from commit e96142fc439efb7c90719f9c387778c4218ae637)
6777---
6778 source3/rpc_client/cli_pipe.c | 9 +--------
6779 1 file changed, 1 insertion(+), 8 deletions(-)
6780
6781diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
6782index cba055a..9e979b0 100644
6783--- a/source3/rpc_client/cli_pipe.c
6784+++ b/source3/rpc_client/cli_pipe.c
6785@@ -2271,18 +2271,11 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
6786 goto fail;
6787 }
6788
6789- schannel_auth = talloc_zero(result, struct schannel_state);
6790+ schannel_auth = netsec_create_state(result, creds, true /* initiator */);
6791 if (schannel_auth == NULL) {
6792 goto fail;
6793 }
6794
6795- schannel_auth->state = SCHANNEL_STATE_START;
6796- schannel_auth->initiator = true;
6797- schannel_auth->creds = netlogon_creds_copy(schannel_auth, creds);
6798- if (schannel_auth->creds == NULL) {
6799- goto fail;
6800- }
6801-
6802 result->auth_ctx = schannel_auth;
6803 *presult = result;
6804 return NT_STATUS_OK;
6805--
68061.9.3
6807
6808
6809From becf68bc072fdfab4489326d148775ebdbe27fda Mon Sep 17 00:00:00 2001
6810From: Stefan Metzmacher <metze@samba.org>
6811Date: Fri, 2 Aug 2013 13:28:59 +0200
6812Subject: [PATCH 069/249] s3:cli_pipe: pass down creds->computer_name to
6813 NL_AUTH_MESSAGE
6814
6815We need to use the same computer_name value as in the netr_Authenticate3()
6816request.
6817
6818We abuse cli->auth->user_name to pass the value down.
6819
6820Signed-off-by: Stefan Metzmacher <metze@samba.org>
6821
6822Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6823(cherry picked from commit 838cb539621ef19cac6badb4b10678dcc3a6f68a)
6824---
6825 source3/rpc_client/cli_pipe.c | 13 ++++++-------
6826 1 file changed, 6 insertions(+), 7 deletions(-)
6827
6828diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
6829index 9e979b0..1de71fb 100644
6830--- a/source3/rpc_client/cli_pipe.c
6831+++ b/source3/rpc_client/cli_pipe.c
6832@@ -1027,13 +1027,12 @@ static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
6833 NTSTATUS status;
6834 struct NL_AUTH_MESSAGE r;
6835
6836- /* Use lp_workgroup() if domain not specified */
6837+ if (!cli->auth->user_name || !cli->auth->user_name[0]) {
6838+ return NT_STATUS_INVALID_PARAMETER_MIX;
6839+ }
6840
6841 if (!cli->auth->domain || !cli->auth->domain[0]) {
6842- cli->auth->domain = talloc_strdup(cli, lp_workgroup());
6843- if (cli->auth->domain == NULL) {
6844- return NT_STATUS_NO_MEMORY;
6845- }
6846+ return NT_STATUS_INVALID_PARAMETER_MIX;
6847 }
6848
6849 /*
6850@@ -1044,7 +1043,7 @@ static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
6851 r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
6852 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
6853 r.oem_netbios_domain.a = cli->auth->domain;
6854- r.oem_netbios_computer.a = lp_netbios_name();
6855+ r.oem_netbios_computer.a = cli->auth->user_name;
6856
6857 status = dcerpc_push_schannel_bind(cli, &r, auth_token);
6858 if (!NT_STATUS_IS_OK(status)) {
6859@@ -2265,7 +2264,7 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
6860 result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
6861 result->auth_level = auth_level;
6862
6863- result->user_name = talloc_strdup(result, "");
6864+ result->user_name = talloc_strdup(result, creds->computer_name);
6865 result->domain = talloc_strdup(result, domain);
6866 if ((result->user_name == NULL) || (result->domain == NULL)) {
6867 goto fail;
6868--
68691.9.3
6870
6871
6872From b447ab32047f33d306ee891d1d3fe2ae5a8c56f1 Mon Sep 17 00:00:00 2001
6873From: Stefan Metzmacher <metze@samba.org>
6874Date: Sat, 3 Aug 2013 08:50:54 +0200
6875Subject: [PATCH 070/249] s3:cli_pipe.c: return NO_USER_SESSION_KEY in
6876 cli_get_session_key() for schannel
6877
6878SCHANNEL connections don't have a user session key,
6879they're like anonymous connections.
6880
6881Signed-off-by: Stefan Metzmacher <metze@samba.org>
6882
6883Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6884(cherry picked from commit af4dc306846a30a5a1201306cc2cbf4d494e16e7)
6885---
6886 source3/rpc_client/cli_pipe.c | 7 -------
6887 1 file changed, 7 deletions(-)
6888
6889diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
6890index 1de71fb..470469f 100644
6891--- a/source3/rpc_client/cli_pipe.c
6892+++ b/source3/rpc_client/cli_pipe.c
6893@@ -3091,7 +3091,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
6894 {
6895 NTSTATUS status;
6896 struct pipe_auth_data *a;
6897- struct schannel_state *schannel_auth;
6898 struct gensec_security *gensec_security;
6899 DATA_BLOB sk = data_blob_null;
6900 bool make_dup = false;
6901@@ -3107,12 +3106,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
6902 }
6903
6904 switch (cli->auth->auth_type) {
6905- case DCERPC_AUTH_TYPE_SCHANNEL:
6906- schannel_auth = talloc_get_type_abort(a->auth_ctx,
6907- struct schannel_state);
6908- sk = data_blob_const(schannel_auth->creds->session_key, 16);
6909- make_dup = true;
6910- break;
6911 case DCERPC_AUTH_TYPE_SPNEGO:
6912 case DCERPC_AUTH_TYPE_NTLMSSP:
6913 case DCERPC_AUTH_TYPE_KRB5:
6914--
69151.9.3
6916
6917
6918From abebeb10c26f6fa7e61c56553ce1e52b5d45937a Mon Sep 17 00:00:00 2001
6919From: Stefan Metzmacher <metze@samba.org>
6920Date: Fri, 2 Aug 2013 13:33:37 +0200
6921Subject: [PATCH 071/249] s3:rpc_server: make use of netsec_create_state()
6922
6923Signed-off-by: Stefan Metzmacher <metze@samba.org>
6924
6925Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6926(cherry picked from commit a964309bf7631f4f6953e0d6556f8ed8e5300dcc)
6927---
6928 source3/rpc_server/srv_pipe.c | 12 ++++--------
6929 1 file changed, 4 insertions(+), 8 deletions(-)
6930
6931diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
6932index 7daff04..9043a14 100644
6933--- a/source3/rpc_server/srv_pipe.c
6934+++ b/source3/rpc_server/srv_pipe.c
6935@@ -462,8 +462,8 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
6936 */
6937
6938 become_root();
6939- status = schannel_get_creds_state(p, lp_ctx,
6940- neg.oem_netbios_computer.a, &creds);
6941+ status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
6942+ neg.oem_netbios_computer.a, &creds);
6943 unbecome_root();
6944
6945 talloc_unlink(p, lp_ctx);
6946@@ -472,16 +472,12 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
6947 return False;
6948 }
6949
6950- schannel_auth = talloc_zero(p, struct schannel_state);
6951+ schannel_auth = netsec_create_state(p, creds, false /* not initiator */);
6952+ TALLOC_FREE(creds);
6953 if (!schannel_auth) {
6954- TALLOC_FREE(creds);
6955 return False;
6956 }
6957
6958- schannel_auth->state = SCHANNEL_STATE_START;
6959- schannel_auth->initiator = false;
6960- schannel_auth->creds = creds;
6961-
6962 /*
6963 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
6964 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
6965--
69661.9.3
6967
6968
6969From b567c4ef93de5c098d724c15b614f5f233903812 Mon Sep 17 00:00:00 2001
6970From: Stefan Metzmacher <metze@samba.org>
6971Date: Fri, 2 Aug 2013 13:36:30 +0200
6972Subject: [PATCH 072/249] s3:dcerpc_helpers: remove unused DEBUG message of
6973 schannel_state->seq_num.
6974
6975This is a layer violation and not needed anymore as we know
6976how the seqnum handling works now.
6977
6978Signed-off-by: Stefan Metzmacher <metze@samba.org>
6979
6980Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6981(cherry picked from commit a36ccdc83edb7437dd00601c459421286fd79db4)
6982---
6983 source3/librpc/rpc/dcerpc_helpers.c | 3 ---
6984 1 file changed, 3 deletions(-)
6985
6986diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
6987index 0095990..97999d7 100644
6988--- a/source3/librpc/rpc/dcerpc_helpers.c
6989+++ b/source3/librpc/rpc/dcerpc_helpers.c
6990@@ -462,9 +462,6 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
6991 return NT_STATUS_INVALID_PARAMETER;
6992 }
6993
6994- DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
6995- (unsigned long long)sas->seq_num));
6996-
6997 switch (auth_level) {
6998 case DCERPC_AUTH_LEVEL_PRIVACY:
6999 status = netsec_outgoing_packet(sas,
7000--
70011.9.3
7002
7003
7004From e044773b51b76b3582669ee7e3a388d6471e2f2e Mon Sep 17 00:00:00 2001
7005From: Stefan Metzmacher <metze@samba.org>
7006Date: Fri, 2 Aug 2013 10:08:54 +0200
7007Subject: [PATCH 073/249] s4:libnet: avoid usage of dcerpc_schannel_creds()
7008
7009We use cli_credentials_get_netlogon_creds() which returns the same value.
7010
7011dcerpc_schannel_creds() is a layer violation.
7012
7013Signed-off-by: Stefan Metzmacher <metze@samba.org>
7014
7015Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7016(cherry picked from commit c0144273af8f0956a05d102113c40cec77069f7a)
7017---
7018 source4/libnet/libnet_samsync.c | 7 +++----
7019 1 file changed, 3 insertions(+), 4 deletions(-)
7020
7021diff --git a/source4/libnet/libnet_samsync.c b/source4/libnet/libnet_samsync.c
7022index 9629b9f..206d81e 100644
7023--- a/source4/libnet/libnet_samsync.c
7024+++ b/source4/libnet/libnet_samsync.c
7025@@ -25,7 +25,6 @@
7026 #include "libcli/auth/libcli_auth.h"
7027 #include "../libcli/samsync/samsync.h"
7028 #include "auth/gensec/gensec.h"
7029-#include "auth/gensec/schannel.h"
7030 #include "auth/credentials/credentials.h"
7031 #include "libcli/auth/schannel.h"
7032 #include "librpc/gen_ndr/ndr_netlogon.h"
7033@@ -183,9 +182,9 @@ NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx
7034
7035 /* get NETLOGON credentials */
7036
7037- nt_status = dcerpc_schannel_creds(p->conn->security_state.generic_state, samsync_ctx, &creds);
7038- if (!NT_STATUS_IS_OK(nt_status)) {
7039- r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from DCERPC/GENSEC layer");
7040+ creds = cli_credentials_get_netlogon_creds(machine_account);
7041+ if (creds == NULL) {
7042+ r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from credentials");
7043 talloc_free(samsync_ctx);
7044 return nt_status;
7045 }
7046--
70471.9.3
7048
7049
7050From 322dc86454fc4e60de641ef02da2c2744c347001 Mon Sep 17 00:00:00 2001
7051From: Stefan Metzmacher <metze@samba.org>
7052Date: Fri, 2 Aug 2013 10:08:54 +0200
7053Subject: [PATCH 074/249] s4:torture: avoid usage of dcerpc_schannel_creds()
7054
7055We use cli_credentials_get_netlogon_creds() which returns the same value.
7056
7057dcerpc_schannel_creds() is a layer violation.
7058
7059Signed-off-by: Stefan Metzmacher <metze@samba.org>
7060
7061Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7062(cherry picked from commit 2ea3a24dced0814100e352bbbca124011be73602)
7063---
7064 source4/torture/rpc/samlogon.c | 5 ++---
7065 source4/torture/rpc/samr.c | 6 +++---
7066 source4/torture/rpc/samsync.c | 11 ++++-------
7067 source4/torture/rpc/schannel.c | 6 ++----
7068 4 files changed, 11 insertions(+), 17 deletions(-)
7069
7070diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
7071index 4861038..886ff39 100644
7072--- a/source4/torture/rpc/samlogon.c
7073+++ b/source4/torture/rpc/samlogon.c
7074@@ -29,7 +29,6 @@
7075 #include "lib/cmdline/popt_common.h"
7076 #include "torture/rpc/torture_rpc.h"
7077 #include "auth/gensec/gensec.h"
7078-#include "auth/gensec/schannel.h"
7079 #include "libcli/auth/libcli_auth.h"
7080 #include "param/param.h"
7081
7082@@ -1764,8 +1763,8 @@ bool torture_rpc_samlogon(struct torture_context *torture)
7083 torture_assert_ntstatus_ok_goto(torture, status, ret, failed,
7084 talloc_asprintf(torture, "RPC pipe connect as domain member failed: %s\n", nt_errstr(status)));
7085
7086- status = dcerpc_schannel_creds(p->conn->security_state.generic_state, mem_ctx, &creds);
7087- if (!NT_STATUS_IS_OK(status)) {
7088+ creds = cli_credentials_get_netlogon_creds(machine_credentials);
7089+ if (creds == NULL) {
7090 ret = false;
7091 goto failed;
7092 }
7093diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
7094index cdfa2b8..d4d64f9 100644
7095--- a/source4/torture/rpc/samr.c
7096+++ b/source4/torture/rpc/samr.c
7097@@ -37,7 +37,6 @@
7098 #include "torture/rpc/torture_rpc.h"
7099 #include "param/param.h"
7100 #include "auth/gensec/gensec.h"
7101-#include "auth/gensec/schannel.h"
7102 #include "auth/gensec/gensec_proto.h"
7103 #include "../libcli/auth/schannel.h"
7104
7105@@ -2959,6 +2958,7 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_binding_handle *b,
7106
7107 static bool test_SamLogon(struct torture_context *tctx,
7108 struct dcerpc_pipe *p,
7109+ struct cli_credentials *machine_credentials,
7110 struct cli_credentials *test_credentials,
7111 NTSTATUS expected_result,
7112 bool interactive)
7113@@ -2978,7 +2978,7 @@ static bool test_SamLogon(struct torture_context *tctx,
7114 struct netr_Authenticator a;
7115 struct dcerpc_binding_handle *b = p->binding_handle;
7116
7117- torture_assert_ntstatus_ok(tctx, dcerpc_schannel_creds(p->conn->security_state.generic_state, tctx, &creds), "");
7118+ torture_assert(tctx, (creds = cli_credentials_get_netlogon_creds(machine_credentials)), "");
7119
7120 if (lpcfg_client_lanman_auth(tctx->lp_ctx)) {
7121 flags |= CLI_CRED_LANMAN_AUTH;
7122@@ -3105,7 +3105,7 @@ static bool test_SamLogon_with_creds(struct torture_context *tctx,
7123 torture_comment(tctx, "Testing samlogon (%s) as %s password: %s\n",
7124 interactive ? "interactive" : "network", acct_name, password);
7125
7126- if (!test_SamLogon(tctx, p, test_credentials,
7127+ if (!test_SamLogon(tctx, p, machine_creds, test_credentials,
7128 expected_samlogon_result, interactive)) {
7129 torture_warning(tctx, "new password did not work\n");
7130 ret = false;
7131diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
7132index 81027d0..15cab73 100644
7133--- a/source4/torture/rpc/samsync.c
7134+++ b/source4/torture/rpc/samsync.c
7135@@ -27,7 +27,6 @@
7136 #include "system/time.h"
7137 #include "torture/rpc/torture_rpc.h"
7138 #include "auth/gensec/gensec.h"
7139-#include "auth/gensec/schannel.h"
7140 #include "libcli/auth/libcli_auth.h"
7141 #include "libcli/samsync/samsync.h"
7142 #include "libcli/security/security.h"
7143@@ -1720,9 +1719,8 @@ bool torture_rpc_samsync(struct torture_context *torture)
7144 }
7145 samsync_state->b = samsync_state->p->binding_handle;
7146
7147- status = dcerpc_schannel_creds(samsync_state->p->conn->security_state.generic_state,
7148- samsync_state, &samsync_state->creds);
7149- if (!NT_STATUS_IS_OK(status)) {
7150+ samsync_state->creds = cli_credentials_get_netlogon_creds(credentials);
7151+ if (samsync_state->creds == NULL) {
7152 ret = false;
7153 }
7154
7155@@ -1758,9 +1756,8 @@ bool torture_rpc_samsync(struct torture_context *torture)
7156 goto failed;
7157 }
7158
7159- status = dcerpc_schannel_creds(samsync_state->p_netlogon_wksta->conn->security_state.generic_state,
7160- samsync_state, &samsync_state->creds_netlogon_wksta);
7161- if (!NT_STATUS_IS_OK(status)) {
7162+ samsync_state->creds_netlogon_wksta = cli_credentials_get_netlogon_creds(credentials_wksta);
7163+ if (samsync_state->creds_netlogon_wksta == NULL) {
7164 torture_comment(torture, "Failed to obtail schanel creds!\n");
7165 ret = false;
7166 }
7167diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
7168index 8203749..0098dcf 100644
7169--- a/source4/torture/rpc/schannel.c
7170+++ b/source4/torture/rpc/schannel.c
7171@@ -26,14 +26,12 @@
7172 #include "auth/credentials/credentials.h"
7173 #include "torture/rpc/torture_rpc.h"
7174 #include "lib/cmdline/popt_common.h"
7175-#include "auth/gensec/schannel.h"
7176 #include "../libcli/auth/schannel.h"
7177 #include "libcli/auth/libcli_auth.h"
7178 #include "libcli/security/security.h"
7179 #include "system/filesys.h"
7180 #include "param/param.h"
7181 #include "librpc/rpc/dcerpc_proto.h"
7182-#include "auth/gensec/gensec.h"
7183 #include "libcli/composite/composite.h"
7184 #include "lib/events/events.h"
7185
7186@@ -413,8 +411,8 @@ static bool test_schannel(struct torture_context *tctx,
7187
7188 torture_assert_ntstatus_ok(tctx, status, "bind auth");
7189
7190- status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, tctx, &creds);
7191- torture_assert_ntstatus_ok(tctx, status, "schannel creds");
7192+ creds = cli_credentials_get_netlogon_creds(credentials);
7193+ torture_assert(tctx, (creds != NULL), "schannel creds");
7194
7195 /* checks the capabilities */
7196 torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds),
7197--
71981.9.3
7199
7200
7201From fa1c5bc2cdff9decd361c919567c502ef0c09385 Mon Sep 17 00:00:00 2001
7202From: Stefan Metzmacher <metze@samba.org>
7203Date: Fri, 2 Aug 2013 12:31:41 +0200
7204Subject: [PATCH 075/249] s4:gensec/schannel: remove unused
7205 dcerpc_schannel_creds()
7206
7207Signed-off-by: Stefan Metzmacher <metze@samba.org>
7208
7209Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7210(cherry picked from commit 4cad5dcb6d5e49cc9bb1aa4ca454f369e00e8c6f)
7211---
7212 source4/auth/gensec/schannel.c | 23 -----------------------
7213 source4/auth/gensec/schannel.h | 26 --------------------------
7214 2 files changed, 49 deletions(-)
7215 delete mode 100644 source4/auth/gensec/schannel.h
7216
7217diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
7218index e7c545f..10d2565 100644
7219--- a/source4/auth/gensec/schannel.c
7220+++ b/source4/auth/gensec/schannel.c
7221@@ -29,7 +29,6 @@
7222 #include "../libcli/auth/schannel.h"
7223 #include "librpc/rpc/dcerpc.h"
7224 #include "param/param.h"
7225-#include "auth/gensec/schannel.h"
7226 #include "auth/gensec/gensec_toplevel_proto.h"
7227
7228 _PUBLIC_ NTSTATUS gensec_schannel_init(void);
7229@@ -204,28 +203,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
7230 }
7231
7232 /**
7233- * Return the struct netlogon_creds_CredentialState.
7234- *
7235- * Make sure not to call this unless gensec is using schannel...
7236- */
7237-
7238-/* TODO: make this non-public */
7239-
7240-_PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
7241- TALLOC_CTX *mem_ctx,
7242- struct netlogon_creds_CredentialState **creds)
7243-{
7244- struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
7245-
7246- *creds = talloc_reference(mem_ctx, state->creds);
7247- if (!*creds) {
7248- return NT_STATUS_NO_MEMORY;
7249- }
7250- return NT_STATUS_OK;
7251-}
7252-
7253-
7254-/**
7255 * Returns anonymous credentials for schannel, matching Win2k3.
7256 *
7257 */
7258diff --git a/source4/auth/gensec/schannel.h b/source4/auth/gensec/schannel.h
7259deleted file mode 100644
7260index 88a32a7..0000000
7261--- a/source4/auth/gensec/schannel.h
7262+++ /dev/null
7263@@ -1,26 +0,0 @@
7264-/*
7265- Unix SMB/CIFS implementation.
7266-
7267- dcerpc schannel operations
7268-
7269- Copyright (C) Andrew Tridgell 2004
7270- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7271-
7272- This program is free software; you can redistribute it and/or modify
7273- it under the terms of the GNU General Public License as published by
7274- the Free Software Foundation; either version 3 of the License, or
7275- (at your option) any later version.
7276-
7277- This program is distributed in the hope that it will be useful,
7278- but WITHOUT ANY WARRANTY; without even the implied warranty of
7279- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
7280- GNU General Public License for more details.
7281-
7282- You should have received a copy of the GNU General Public License
7283- along with this program. If not, see <http://www.gnu.org/licenses/>.
7284-*/
7285-
7286-struct netlogon_creds_CredentialState;
7287-NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
7288- TALLOC_CTX *mem_ctx,
7289- struct netlogon_creds_CredentialState **creds);
7290--
72911.9.3
7292
7293
7294From eeb52af669e963ac856fc77be6a47f7ed33d8580 Mon Sep 17 00:00:00 2001
7295From: Stefan Metzmacher <metze@samba.org>
7296Date: Fri, 2 Aug 2013 13:04:07 +0200
7297Subject: [PATCH 076/249] s4:gensec/schannel: simplify the code by using
7298 netsec_create_state()
7299
7300Signed-off-by: Stefan Metzmacher <metze@samba.org>
7301
7302Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7303(cherry picked from commit 49f347eb11bd12a3f25b0fcb8ba36d4a36594868)
7304---
7305 source4/auth/gensec/schannel.c | 98 +++++++++++++-----------------------------
7306 1 file changed, 30 insertions(+), 68 deletions(-)
7307
7308diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
7309index 10d2565..3896a41 100644
7310--- a/source4/auth/gensec/schannel.c
7311+++ b/source4/auth/gensec/schannel.c
7312@@ -35,12 +35,11 @@ _PUBLIC_ NTSTATUS gensec_schannel_init(void);
7313
7314 static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
7315 {
7316- struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
7317- uint32_t sig_size;
7318-
7319- sig_size = netsec_outgoing_sig_size(state);
7320+ struct schannel_state *state =
7321+ talloc_get_type_abort(gensec_security->private_data,
7322+ struct schannel_state);
7323
7324- return sig_size;
7325+ return netsec_outgoing_sig_size(state);
7326 }
7327
7328 static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
7329@@ -54,7 +53,9 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
7330 struct tevent_context *ev,
7331 const DATA_BLOB in, DATA_BLOB *out)
7332 {
7333- struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
7334+ struct schannel_state *state =
7335+ talloc_get_type(gensec_security->private_data,
7336+ struct schannel_state);
7337 NTSTATUS status;
7338 enum ndr_err_code ndr_err;
7339 struct NL_AUTH_MESSAGE bind_schannel;
7340@@ -67,24 +68,22 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
7341
7342 switch (gensec_security->gensec_role) {
7343 case GENSEC_CLIENT:
7344- if (state->state != SCHANNEL_STATE_START) {
7345+ if (state != NULL) {
7346 /* we could parse the bind ack, but we don't know what it is yet */
7347 return NT_STATUS_OK;
7348 }
7349
7350- state->creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
7351- if (state->creds == NULL) {
7352+ creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
7353+ if (creds == NULL) {
7354 return NT_STATUS_INVALID_PARAMETER_MIX;
7355 }
7356- /*
7357- * We need to create a reference here or we don't get
7358- * updates performed on the credentials if we create a
7359- * copy.
7360- */
7361- state->creds = talloc_reference(state, state->creds);
7362- if (state->creds == NULL) {
7363+
7364+ state = netsec_create_state(gensec_security,
7365+ creds, true /* initiator */);
7366+ if (state == NULL) {
7367 return NT_STATUS_NO_MEMORY;
7368 }
7369+ gensec_security->private_data = state;
7370
7371 bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
7372 #if 0
7373@@ -117,12 +116,10 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
7374 return status;
7375 }
7376
7377- state->state = SCHANNEL_STATE_UPDATE_1;
7378-
7379 return NT_STATUS_MORE_PROCESSING_REQUIRED;
7380 case GENSEC_SERVER:
7381
7382- if (state->state != SCHANNEL_STATE_START) {
7383+ if (state != NULL) {
7384 /* no third leg on this protocol */
7385 return NT_STATUS_INVALID_PARAMETER;
7386 }
7387@@ -177,7 +174,12 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
7388 return status;
7389 }
7390
7391- state->creds = talloc_steal(state, creds);
7392+ state = netsec_create_state(gensec_security,
7393+ creds, false /* not initiator */);
7394+ if (state == NULL) {
7395+ return NT_STATUS_NO_MEMORY;
7396+ }
7397+ gensec_security->private_data = state;
7398
7399 bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
7400 bind_schannel_ack.Flags = 0;
7401@@ -195,8 +197,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
7402 return status;
7403 }
7404
7405- state->state = SCHANNEL_STATE_UPDATE_1;
7406-
7407 return NT_STATUS_OK;
7408 }
7409 return NT_STATUS_INVALID_PARAMETER;
7410@@ -214,54 +214,16 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
7411 return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
7412 }
7413
7414-static NTSTATUS schannel_start(struct gensec_security *gensec_security)
7415-{
7416- struct schannel_state *state;
7417-
7418- state = talloc_zero(gensec_security, struct schannel_state);
7419- if (!state) {
7420- return NT_STATUS_NO_MEMORY;
7421- }
7422-
7423- state->state = SCHANNEL_STATE_START;
7424- gensec_security->private_data = state;
7425-
7426- return NT_STATUS_OK;
7427-}
7428-
7429 static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
7430 {
7431- NTSTATUS status;
7432- struct schannel_state *state;
7433-
7434- status = schannel_start(gensec_security);
7435- if (!NT_STATUS_IS_OK(status)) {
7436- return status;
7437- }
7438-
7439- state = (struct schannel_state *)gensec_security->private_data;
7440- state->initiator = false;
7441-
7442 return NT_STATUS_OK;
7443 }
7444
7445 static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
7446 {
7447- NTSTATUS status;
7448- struct schannel_state *state;
7449-
7450- status = schannel_start(gensec_security);
7451- if (!NT_STATUS_IS_OK(status)) {
7452- return status;
7453- }
7454-
7455- state = (struct schannel_state *)gensec_security->private_data;
7456- state->initiator = true;
7457-
7458 return NT_STATUS_OK;
7459 }
7460
7461-
7462 static bool schannel_have_feature(struct gensec_security *gensec_security,
7463 uint32_t feature)
7464 {
7465@@ -287,8 +249,8 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
7466 const DATA_BLOB *sig)
7467 {
7468 struct schannel_state *state =
7469- talloc_get_type(gensec_security->private_data,
7470- struct schannel_state);
7471+ talloc_get_type_abort(gensec_security->private_data,
7472+ struct schannel_state);
7473
7474 return netsec_incoming_packet(state, true,
7475 discard_const_p(uint8_t, data),
7476@@ -304,8 +266,8 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
7477 const DATA_BLOB *sig)
7478 {
7479 struct schannel_state *state =
7480- talloc_get_type(gensec_security->private_data,
7481- struct schannel_state);
7482+ talloc_get_type_abort(gensec_security->private_data,
7483+ struct schannel_state);
7484
7485 return netsec_incoming_packet(state, false,
7486 discard_const_p(uint8_t, data),
7487@@ -321,8 +283,8 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
7488 DATA_BLOB *sig)
7489 {
7490 struct schannel_state *state =
7491- talloc_get_type(gensec_security->private_data,
7492- struct schannel_state);
7493+ talloc_get_type_abort(gensec_security->private_data,
7494+ struct schannel_state);
7495
7496 return netsec_outgoing_packet(state, mem_ctx, true,
7497 data, length, sig);
7498@@ -338,8 +300,8 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
7499 DATA_BLOB *sig)
7500 {
7501 struct schannel_state *state =
7502- talloc_get_type(gensec_security->private_data,
7503- struct schannel_state);
7504+ talloc_get_type_abort(gensec_security->private_data,
7505+ struct schannel_state);
7506
7507 return netsec_outgoing_packet(state, mem_ctx, false,
7508 discard_const_p(uint8_t, data),
7509--
75101.9.3
7511
7512
7513From 685f00cfd7be11f4c62441e17d6416b9a668bb47 Mon Sep 17 00:00:00 2001
7514From: Stefan Metzmacher <metze@samba.org>
7515Date: Fri, 2 Aug 2013 13:25:20 +0200
7516Subject: [PATCH 077/249] s4:gensec/schannel: use the correct computer_name
7517 from netlogon_creds_CredentialState
7518
7519We need to use the same computer_name we used in the netr_Authenticate3
7520request.
7521
7522Signed-off-by: Stefan Metzmacher <metze@samba.org>
7523
7524Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7525(cherry picked from commit b5104768225ae0308aa3f22f8d9bca389ef3cb3a)
7526---
7527 source4/auth/gensec/schannel.c | 6 +++---
7528 1 file changed, 3 insertions(+), 3 deletions(-)
7529
7530diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
7531index 3896a41..91f166b 100644
7532--- a/source4/auth/gensec/schannel.c
7533+++ b/source4/auth/gensec/schannel.c
7534@@ -94,17 +94,17 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
7535 NL_FLAG_UTF8_DNS_DOMAIN_NAME |
7536 NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
7537 bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
7538- bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
7539+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
7540 bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
7541 /* w2k3 refuses us if we use the full DNS workstation?
7542 why? perhaps because we don't fill in the dNSHostName
7543 attribute in the machine account? */
7544- bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials);
7545+ bind_schannel.utf8_netbios_computer = creds->computer_name;
7546 #else
7547 bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
7548 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
7549 bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
7550- bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
7551+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
7552 #endif
7553
7554 ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
7555--
75561.9.3
7557
7558
7559From bd54e89fc5eb4d6afed3ef770dabf14a6ac6b060 Mon Sep 17 00:00:00 2001
7560From: Stefan Metzmacher <metze@samba.org>
7561Date: Sat, 3 Aug 2013 11:21:32 +0200
7562Subject: [PATCH 078/249] s4:gensec/schannel: GENSEC_FEATURE_ASYNC_REPLIES is
7563 not supported
7564
7565There's a sequence number attached to the connection,
7566which needs to be incremented with each message...
7567
7568Signed-off-by: Stefan Metzmacher <metze@samba.org>
7569
7570Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7571(cherry picked from commit a07049a839729e29ca888bae353cd37fd6238486)
7572---
7573 source4/auth/gensec/schannel.c | 3 ---
7574 1 file changed, 3 deletions(-)
7575
7576diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
7577index 91f166b..7fc0c7c 100644
7578--- a/source4/auth/gensec/schannel.c
7579+++ b/source4/auth/gensec/schannel.c
7580@@ -234,9 +234,6 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
7581 if (feature & GENSEC_FEATURE_DCE_STYLE) {
7582 return true;
7583 }
7584- if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
7585- return true;
7586- }
7587 return false;
7588 }
7589
7590--
75911.9.3
7592
7593
7594From afcf626800e8aaf94878d62d1fd7318b2ffe21c1 Mon Sep 17 00:00:00 2001
7595From: Stefan Metzmacher <metze@samba.org>
7596Date: Sat, 3 Aug 2013 11:27:55 +0200
7597Subject: [PATCH 079/249] s4:gensec/schannel: there's no point in having
7598 schannel_session_key()
7599
7600gensec_session_key() will return NT_STATUS_NO_USER_SESSION_KEY
7601before calling schannel_session_key(), as we don't provide
7602GENSEC_FEATURE_SESSION_KEY.
7603
7604Signed-off-by: Stefan Metzmacher <metze@samba.org>
7605
7606Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7607(cherry picked from commit 9b9ab1ae6963b3819dc2b095cbe9e1432f3459b7)
7608---
7609 source4/auth/gensec/schannel.c | 8 --------
7610 1 file changed, 8 deletions(-)
7611
7612diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
7613index 7fc0c7c..ebf6469 100644
7614--- a/source4/auth/gensec/schannel.c
7615+++ b/source4/auth/gensec/schannel.c
7616@@ -42,13 +42,6 @@ static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t
7617 return netsec_outgoing_sig_size(state);
7618 }
7619
7620-static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
7621- TALLOC_CTX *mem_ctx,
7622- DATA_BLOB *session_key)
7623-{
7624- return NT_STATUS_NOT_IMPLEMENTED;
7625-}
7626-
7627 static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
7628 struct tevent_context *ev,
7629 const DATA_BLOB in, DATA_BLOB *out)
7630@@ -315,7 +308,6 @@ static const struct gensec_security_ops gensec_schannel_security_ops = {
7631 .sign_packet = schannel_sign_packet,
7632 .check_packet = schannel_check_packet,
7633 .unseal_packet = schannel_unseal_packet,
7634- .session_key = schannel_session_key,
7635 .session_info = schannel_session_info,
7636 .sig_size = schannel_sig_size,
7637 .have_feature = schannel_have_feature,
7638--
76391.9.3
7640
7641
7642From 56599b7019eabe3656bdba676214c74191ad068f Mon Sep 17 00:00:00 2001
7643From: Stefan Metzmacher <metze@samba.org>
7644Date: Sat, 3 Aug 2013 11:32:31 +0200
7645Subject: [PATCH 080/249] s4:gensec/schannel: only require
7646 librpc/gen_ndr/dcerpc.h
7647
7648We just need DCERPC_AUTH_TYPE_SCHANNEL
7649
7650Signed-off-by: Stefan Metzmacher <metze@samba.org>
7651
7652Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7653(cherry picked from commit e90e1b5c76db4cf589adf8856eb32e5f0d955734)
7654---
7655 source4/auth/gensec/schannel.c | 2 +-
7656 1 file changed, 1 insertion(+), 1 deletion(-)
7657
7658diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
7659index ebf6469..e67432c 100644
7660--- a/source4/auth/gensec/schannel.c
7661+++ b/source4/auth/gensec/schannel.c
7662@@ -27,7 +27,7 @@
7663 #include "auth/gensec/gensec.h"
7664 #include "auth/gensec/gensec_proto.h"
7665 #include "../libcli/auth/schannel.h"
7666-#include "librpc/rpc/dcerpc.h"
7667+#include "librpc/gen_ndr/dcerpc.h"
7668 #include "param/param.h"
7669 #include "auth/gensec/gensec_toplevel_proto.h"
7670
7671--
76721.9.3
7673
7674
7675From baa82a6ef22c1761c7206323e90781d008a7888b Mon Sep 17 00:00:00 2001
7676From: Stefan Metzmacher <metze@samba.org>
7677Date: Fri, 2 Aug 2013 13:37:54 +0200
7678Subject: [PATCH 081/249] libcli/auth/schannel: make struct schannel_state
7679 private
7680
7681Signed-off-by: Stefan Metzmacher <metze@samba.org>
7682
7683Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7684(cherry picked from commit 4c978b68d9a87001f625c10421e7d4cc140b4554)
7685---
7686 libcli/auth/schannel.h | 13 -------------
7687 libcli/auth/schannel_sign.c | 12 ++++++++++++
7688 2 files changed, 12 insertions(+), 13 deletions(-)
7689
7690diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h
7691index 271b5bb..c53d68e 100644
7692--- a/libcli/auth/schannel.h
7693+++ b/libcli/auth/schannel.h
7694@@ -22,17 +22,4 @@
7695
7696 #include "libcli/auth/libcli_auth.h"
7697 #include "libcli/auth/schannel_state.h"
7698-
7699-enum schannel_position {
7700- SCHANNEL_STATE_START = 0,
7701- SCHANNEL_STATE_UPDATE_1
7702-};
7703-
7704-struct schannel_state {
7705- enum schannel_position state;
7706- uint64_t seq_num;
7707- bool initiator;
7708- struct netlogon_creds_CredentialState *creds;
7709-};
7710-
7711 #include "libcli/auth/schannel_proto.h"
7712diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
7713index 518a6a9..88a6e1e 100644
7714--- a/libcli/auth/schannel_sign.c
7715+++ b/libcli/auth/schannel_sign.c
7716@@ -24,6 +24,18 @@
7717 #include "../libcli/auth/schannel.h"
7718 #include "../lib/crypto/crypto.h"
7719
7720+enum schannel_position {
7721+ SCHANNEL_STATE_START = 0,
7722+ SCHANNEL_STATE_UPDATE_1
7723+};
7724+
7725+struct schannel_state {
7726+ enum schannel_position state;
7727+ uint64_t seq_num;
7728+ bool initiator;
7729+ struct netlogon_creds_CredentialState *creds;
7730+};
7731+
7732 #define SETUP_SEQNUM(state, buf, initiator) do { \
7733 uint8_t *_buf = buf; \
7734 uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
7735--
77361.9.3
7737
7738
7739From 29806ef23a9826688ace1dc52cd7af554cf83294 Mon Sep 17 00:00:00 2001
7740From: Stefan Metzmacher <metze@samba.org>
7741Date: Fri, 2 Aug 2013 15:42:21 +0200
7742Subject: [PATCH 082/249] libcli/auth/schannel: remove unused schannel_position
7743
7744Signed-off-by: Stefan Metzmacher <metze@samba.org>
7745
7746Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7747(cherry picked from commit 57bcbb9c50f0a0252110a1e04a2883b511cd9165)
7748---
7749 libcli/auth/schannel_sign.c | 7 -------
7750 1 file changed, 7 deletions(-)
7751
7752diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
7753index 88a6e1e..9502cba 100644
7754--- a/libcli/auth/schannel_sign.c
7755+++ b/libcli/auth/schannel_sign.c
7756@@ -24,13 +24,7 @@
7757 #include "../libcli/auth/schannel.h"
7758 #include "../lib/crypto/crypto.h"
7759
7760-enum schannel_position {
7761- SCHANNEL_STATE_START = 0,
7762- SCHANNEL_STATE_UPDATE_1
7763-};
7764-
7765 struct schannel_state {
7766- enum schannel_position state;
7767 uint64_t seq_num;
7768 bool initiator;
7769 struct netlogon_creds_CredentialState *creds;
7770@@ -58,7 +52,6 @@ struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
7771 return NULL;
7772 }
7773
7774- state->state = SCHANNEL_STATE_UPDATE_1;
7775 state->initiator = initiator;
7776 state->seq_num = 0;
7777 state->creds = netlogon_creds_copy(state, creds);
7778--
77791.9.3
7780
7781
7782From a6ad9118c250446ea9571f5ce9895b11ab8537ed Mon Sep 17 00:00:00 2001
7783From: Stefan Metzmacher <metze@samba.org>
7784Date: Mon, 5 Aug 2013 07:12:01 +0200
7785Subject: [PATCH 083/249] auth/gensec: introduce gensec_internal.h
7786
7787We should treat most gensec related structures private.
7788
7789It's a long way, but this is a start.
7790
7791Signed-off-by: Stefan Metzmacher <metze@samba.org>
7792
7793Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7794(cherry picked from commit 71c63e85e7a09acb57f6b75284358f2b3b29eeed)
7795---
7796 auth/gensec/gensec.c | 1 +
7797 auth/gensec/gensec.h | 100 ++-------------------------
7798 auth/gensec/gensec_internal.h | 127 +++++++++++++++++++++++++++++++++++
7799 auth/gensec/gensec_start.c | 1 +
7800 auth/gensec/gensec_util.c | 1 +
7801 auth/gensec/spnego.c | 1 +
7802 auth/ntlmssp/gensec_ntlmssp.c | 1 +
7803 auth/ntlmssp/gensec_ntlmssp_server.c | 1 +
7804 auth/ntlmssp/ntlmssp.c | 1 +
7805 auth/ntlmssp/ntlmssp_client.c | 1 +
7806 auth/ntlmssp/ntlmssp_server.c | 1 +
7807 source3/libads/authdata.c | 1 +
7808 source3/librpc/crypto/gse.c | 1 +
7809 source3/libsmb/ntlmssp_wrap.c | 1 +
7810 source3/utils/ntlm_auth.c | 1 +
7811 source4/auth/gensec/cyrus_sasl.c | 1 +
7812 source4/auth/gensec/gensec_gssapi.c | 1 +
7813 source4/auth/gensec/gensec_krb5.c | 1 +
7814 source4/auth/gensec/pygensec.c | 1 +
7815 source4/auth/gensec/schannel.c | 1 +
7816 source4/ldap_server/ldap_backend.c | 1 +
7817 source4/libcli/ldap/ldap_bind.c | 1 +
7818 source4/torture/auth/ntlmssp.c | 1 +
7819 source4/utils/ntlm_auth.c | 1 +
7820 24 files changed, 153 insertions(+), 96 deletions(-)
7821 create mode 100644 auth/gensec/gensec_internal.h
7822
7823diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
7824index 9a8f0ef..d364a34 100644
7825--- a/auth/gensec/gensec.c
7826+++ b/auth/gensec/gensec.c
7827@@ -26,6 +26,7 @@
7828 #include "lib/tsocket/tsocket.h"
7829 #include "lib/util/tevent_ntstatus.h"
7830 #include "auth/gensec/gensec.h"
7831+#include "auth/gensec/gensec_internal.h"
7832 #include "librpc/rpc/dcerpc.h"
7833
7834 /*
7835diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
7836index c080861..5d39d81 100644
7837--- a/auth/gensec/gensec.h
7838+++ b/auth/gensec/gensec.h
7839@@ -76,6 +76,7 @@ struct gensec_settings;
7840 struct tevent_context;
7841 struct tevent_req;
7842 struct smb_krb5_context;
7843+struct tsocket_address;
7844
7845 struct gensec_settings {
7846 struct loadparm_context *lp_ctx;
7847@@ -93,106 +94,13 @@ struct gensec_settings {
7848 const char *server_netbios_name;
7849 };
7850
7851-struct gensec_security_ops {
7852- const char *name;
7853- const char *sasl_name;
7854- uint8_t auth_type; /* 0 if not offered on DCE-RPC */
7855- const char **oid; /* NULL if not offered by SPNEGO */
7856- NTSTATUS (*client_start)(struct gensec_security *gensec_security);
7857- NTSTATUS (*server_start)(struct gensec_security *gensec_security);
7858- /**
7859- Determine if a packet has the right 'magic' for this mechanism
7860- */
7861- NTSTATUS (*magic)(struct gensec_security *gensec_security,
7862- const DATA_BLOB *first_packet);
7863- NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
7864- struct tevent_context *ev,
7865- const DATA_BLOB in, DATA_BLOB *out);
7866- NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
7867- uint8_t *data, size_t length,
7868- const uint8_t *whole_pdu, size_t pdu_length,
7869- DATA_BLOB *sig);
7870- NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
7871- const uint8_t *data, size_t length,
7872- const uint8_t *whole_pdu, size_t pdu_length,
7873- DATA_BLOB *sig);
7874- size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
7875- size_t (*max_input_size)(struct gensec_security *gensec_security);
7876- size_t (*max_wrapped_size)(struct gensec_security *gensec_security);
7877- NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
7878- const uint8_t *data, size_t length,
7879- const uint8_t *whole_pdu, size_t pdu_length,
7880- const DATA_BLOB *sig);
7881- NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
7882- uint8_t *data, size_t length,
7883- const uint8_t *whole_pdu, size_t pdu_length,
7884- const DATA_BLOB *sig);
7885- NTSTATUS (*wrap)(struct gensec_security *gensec_security,
7886- TALLOC_CTX *mem_ctx,
7887- const DATA_BLOB *in,
7888- DATA_BLOB *out);
7889- NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
7890- TALLOC_CTX *mem_ctx,
7891- const DATA_BLOB *in,
7892- DATA_BLOB *out);
7893- NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
7894- TALLOC_CTX *mem_ctx,
7895- const DATA_BLOB *in,
7896- DATA_BLOB *out,
7897- size_t *len_processed);
7898- NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
7899- TALLOC_CTX *mem_ctx,
7900- const DATA_BLOB *in,
7901- DATA_BLOB *out,
7902- size_t *len_processed);
7903- NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
7904- DATA_BLOB blob, size_t *size);
7905- NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
7906- DATA_BLOB *session_key);
7907- NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
7908- struct auth_session_info **session_info);
7909- void (*want_feature)(struct gensec_security *gensec_security,
7910- uint32_t feature);
7911- bool (*have_feature)(struct gensec_security *gensec_security,
7912- uint32_t feature);
7913- NTTIME (*expire_time)(struct gensec_security *gensec_security);
7914- bool enabled;
7915- bool kerberos;
7916- enum gensec_priority priority;
7917-};
7918-
7919-struct gensec_security_ops_wrapper {
7920- const struct gensec_security_ops *op;
7921- const char *oid;
7922-};
7923+struct gensec_security_ops;
7924+struct gensec_security_ops_wrapper;
7925
7926 #define GENSEC_INTERFACE_VERSION 0
7927
7928-struct gensec_security {
7929- const struct gensec_security_ops *ops;
7930- void *private_data;
7931- struct cli_credentials *credentials;
7932- struct gensec_target target;
7933- enum gensec_role gensec_role;
7934- bool subcontext;
7935- uint32_t want_features;
7936- uint32_t max_update_size;
7937- uint8_t dcerpc_auth_level;
7938- struct tsocket_address *local_addr, *remote_addr;
7939- struct gensec_settings *settings;
7940-
7941- /* When we are a server, this may be filled in to provide an
7942- * NTLM authentication backend, and user lookup (such as if no
7943- * PAC is found) */
7944- struct auth4_context *auth_context;
7945-};
7946-
7947 /* this structure is used by backends to determine the size of some critical types */
7948-struct gensec_critical_sizes {
7949- int interface_version;
7950- int sizeof_gensec_security_ops;
7951- int sizeof_gensec_security;
7952-};
7953+struct gensec_critical_sizes;
7954 const struct gensec_critical_sizes *gensec_interface_version(void);
7955
7956 /* Socket wrapper */
7957diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
7958new file mode 100644
7959index 0000000..41b6f0d
7960--- /dev/null
7961+++ b/auth/gensec/gensec_internal.h
7962@@ -0,0 +1,127 @@
7963+/*
7964+ Unix SMB/CIFS implementation.
7965+
7966+ Generic Authentication Interface
7967+
7968+ Copyright (C) Andrew Tridgell 2003
7969+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7970+
7971+ This program is free software; you can redistribute it and/or modify
7972+ it under the terms of the GNU General Public License as published by
7973+ the Free Software Foundation; either version 3 of the License, or
7974+ (at your option) any later version.
7975+
7976+ This program is distributed in the hope that it will be useful,
7977+ but WITHOUT ANY WARRANTY; without even the implied warranty of
7978+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
7979+ GNU General Public License for more details.
7980+
7981+ You should have received a copy of the GNU General Public License
7982+ along with this program. If not, see <http://www.gnu.org/licenses/>.
7983+*/
7984+
7985+#ifndef __GENSEC_INTERNAL_H__
7986+#define __GENSEC_INTERNAL_H__
7987+
7988+struct gensec_security;
7989+
7990+struct gensec_security_ops {
7991+ const char *name;
7992+ const char *sasl_name;
7993+ uint8_t auth_type; /* 0 if not offered on DCE-RPC */
7994+ const char **oid; /* NULL if not offered by SPNEGO */
7995+ NTSTATUS (*client_start)(struct gensec_security *gensec_security);
7996+ NTSTATUS (*server_start)(struct gensec_security *gensec_security);
7997+ /**
7998+ Determine if a packet has the right 'magic' for this mechanism
7999+ */
8000+ NTSTATUS (*magic)(struct gensec_security *gensec_security,
8001+ const DATA_BLOB *first_packet);
8002+ NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
8003+ struct tevent_context *ev,
8004+ const DATA_BLOB in, DATA_BLOB *out);
8005+ NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
8006+ uint8_t *data, size_t length,
8007+ const uint8_t *whole_pdu, size_t pdu_length,
8008+ DATA_BLOB *sig);
8009+ NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
8010+ const uint8_t *data, size_t length,
8011+ const uint8_t *whole_pdu, size_t pdu_length,
8012+ DATA_BLOB *sig);
8013+ size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
8014+ size_t (*max_input_size)(struct gensec_security *gensec_security);
8015+ size_t (*max_wrapped_size)(struct gensec_security *gensec_security);
8016+ NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
8017+ const uint8_t *data, size_t length,
8018+ const uint8_t *whole_pdu, size_t pdu_length,
8019+ const DATA_BLOB *sig);
8020+ NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
8021+ uint8_t *data, size_t length,
8022+ const uint8_t *whole_pdu, size_t pdu_length,
8023+ const DATA_BLOB *sig);
8024+ NTSTATUS (*wrap)(struct gensec_security *gensec_security,
8025+ TALLOC_CTX *mem_ctx,
8026+ const DATA_BLOB *in,
8027+ DATA_BLOB *out);
8028+ NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
8029+ TALLOC_CTX *mem_ctx,
8030+ const DATA_BLOB *in,
8031+ DATA_BLOB *out);
8032+ NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
8033+ TALLOC_CTX *mem_ctx,
8034+ const DATA_BLOB *in,
8035+ DATA_BLOB *out,
8036+ size_t *len_processed);
8037+ NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
8038+ TALLOC_CTX *mem_ctx,
8039+ const DATA_BLOB *in,
8040+ DATA_BLOB *out,
8041+ size_t *len_processed);
8042+ NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
8043+ DATA_BLOB blob, size_t *size);
8044+ NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
8045+ DATA_BLOB *session_key);
8046+ NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
8047+ struct auth_session_info **session_info);
8048+ void (*want_feature)(struct gensec_security *gensec_security,
8049+ uint32_t feature);
8050+ bool (*have_feature)(struct gensec_security *gensec_security,
8051+ uint32_t feature);
8052+ NTTIME (*expire_time)(struct gensec_security *gensec_security);
8053+ bool enabled;
8054+ bool kerberos;
8055+ enum gensec_priority priority;
8056+};
8057+
8058+struct gensec_security_ops_wrapper {
8059+ const struct gensec_security_ops *op;
8060+ const char *oid;
8061+};
8062+
8063+struct gensec_security {
8064+ const struct gensec_security_ops *ops;
8065+ void *private_data;
8066+ struct cli_credentials *credentials;
8067+ struct gensec_target target;
8068+ enum gensec_role gensec_role;
8069+ bool subcontext;
8070+ uint32_t want_features;
8071+ uint32_t max_update_size;
8072+ uint8_t dcerpc_auth_level;
8073+ struct tsocket_address *local_addr, *remote_addr;
8074+ struct gensec_settings *settings;
8075+
8076+ /* When we are a server, this may be filled in to provide an
8077+ * NTLM authentication backend, and user lookup (such as if no
8078+ * PAC is found) */
8079+ struct auth4_context *auth_context;
8080+};
8081+
8082+/* this structure is used by backends to determine the size of some critical types */
8083+struct gensec_critical_sizes {
8084+ int interface_version;
8085+ int sizeof_gensec_security_ops;
8086+ int sizeof_gensec_security;
8087+};
8088+
8089+#endif /* __GENSEC_H__ */
8090diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
8091index c2cfa1c..34029f5 100644
8092--- a/auth/gensec/gensec_start.c
8093+++ b/auth/gensec/gensec_start.c
8094@@ -27,6 +27,7 @@
8095 #include "librpc/rpc/dcerpc.h"
8096 #include "auth/credentials/credentials.h"
8097 #include "auth/gensec/gensec.h"
8098+#include "auth/gensec/gensec_internal.h"
8099 #include "lib/param/param.h"
8100 #include "lib/util/tsort.h"
8101 #include "lib/util/samba_modules.h"
8102diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
8103index 64952b1..568128a 100644
8104--- a/auth/gensec/gensec_util.c
8105+++ b/auth/gensec/gensec_util.c
8106@@ -22,6 +22,7 @@
8107
8108 #include "includes.h"
8109 #include "auth/gensec/gensec.h"
8110+#include "auth/gensec/gensec_internal.h"
8111 #include "auth/common_auth.h"
8112 #include "../lib/util/asn1.h"
8113
8114diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
8115index da1fc0e..38a45f8 100644
8116--- a/auth/gensec/spnego.c
8117+++ b/auth/gensec/spnego.c
8118@@ -27,6 +27,7 @@
8119 #include "librpc/gen_ndr/ndr_dcerpc.h"
8120 #include "auth/credentials/credentials.h"
8121 #include "auth/gensec/gensec.h"
8122+#include "auth/gensec/gensec_internal.h"
8123 #include "param/param.h"
8124 #include "lib/util/asn1.h"
8125
8126diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c
8127index 9e1d8a8..654c0e3 100644
8128--- a/auth/ntlmssp/gensec_ntlmssp.c
8129+++ b/auth/ntlmssp/gensec_ntlmssp.c
8130@@ -22,6 +22,7 @@
8131 #include "includes.h"
8132 #include "auth/ntlmssp/ntlmssp.h"
8133 #include "auth/gensec/gensec.h"
8134+#include "auth/gensec/gensec_internal.h"
8135 #include "auth/ntlmssp/ntlmssp_private.h"
8136
8137 NTSTATUS gensec_ntlmssp_magic(struct gensec_security *gensec_security,
8138diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
8139index f4dfab3..69c56fb 100644
8140--- a/auth/ntlmssp/gensec_ntlmssp_server.c
8141+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
8142@@ -31,6 +31,7 @@
8143 #include "../libcli/auth/libcli_auth.h"
8144 #include "../lib/crypto/crypto.h"
8145 #include "auth/gensec/gensec.h"
8146+#include "auth/gensec/gensec_internal.h"
8147 #include "auth/common_auth.h"
8148 #include "param/param.h"
8149
8150diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
8151index 1a2d662..916b376 100644
8152--- a/auth/ntlmssp/ntlmssp.c
8153+++ b/auth/ntlmssp/ntlmssp.c
8154@@ -29,6 +29,7 @@ struct auth_session_info;
8155 #include "../libcli/auth/libcli_auth.h"
8156 #include "librpc/gen_ndr/ndr_dcerpc.h"
8157 #include "auth/gensec/gensec.h"
8158+#include "auth/gensec/gensec_internal.h"
8159
8160 /**
8161 * Callbacks for NTLMSSP - for both client and server operating modes
8162diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
8163index fc66a8d..f99257d 100644
8164--- a/auth/ntlmssp/ntlmssp_client.c
8165+++ b/auth/ntlmssp/ntlmssp_client.c
8166@@ -29,6 +29,7 @@ struct auth_session_info;
8167 #include "../libcli/auth/libcli_auth.h"
8168 #include "auth/credentials/credentials.h"
8169 #include "auth/gensec/gensec.h"
8170+#include "auth/gensec/gensec_internal.h"
8171 #include "param/param.h"
8172 #include "auth/ntlmssp/ntlmssp_private.h"
8173 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
8174diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
8175index 57179e1..2f3f0bb 100644
8176--- a/auth/ntlmssp/ntlmssp_server.c
8177+++ b/auth/ntlmssp/ntlmssp_server.c
8178@@ -28,6 +28,7 @@
8179 #include "../libcli/auth/libcli_auth.h"
8180 #include "../lib/crypto/crypto.h"
8181 #include "auth/gensec/gensec.h"
8182+#include "auth/gensec/gensec_internal.h"
8183 #include "auth/common_auth.h"
8184
8185 /**
8186diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
8187index 2c667a6..582917d 100644
8188--- a/source3/libads/authdata.c
8189+++ b/source3/libads/authdata.c
8190@@ -30,6 +30,7 @@
8191 #include "lib/param/param.h"
8192 #include "librpc/crypto/gse.h"
8193 #include "auth/gensec/gensec.h"
8194+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
8195 #include "../libcli/auth/spnego.h"
8196
8197 #ifdef HAVE_KRB5
8198diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
8199index 11a5457..8db3cdd 100644
8200--- a/source3/librpc/crypto/gse.c
8201+++ b/source3/librpc/crypto/gse.c
8202@@ -26,6 +26,7 @@
8203 #include "libads/kerberos_proto.h"
8204 #include "auth/common_auth.h"
8205 #include "auth/gensec/gensec.h"
8206+#include "auth/gensec/gensec_internal.h"
8207 #include "auth/credentials/credentials.h"
8208 #include "../librpc/gen_ndr/dcerpc.h"
8209
8210diff --git a/source3/libsmb/ntlmssp_wrap.c b/source3/libsmb/ntlmssp_wrap.c
8211index 9ce4b12..46f68ae 100644
8212--- a/source3/libsmb/ntlmssp_wrap.c
8213+++ b/source3/libsmb/ntlmssp_wrap.c
8214@@ -23,6 +23,7 @@
8215 #include "auth/ntlmssp/ntlmssp_private.h"
8216 #include "auth_generic.h"
8217 #include "auth/gensec/gensec.h"
8218+#include "auth/gensec/gensec_internal.h"
8219 #include "auth/credentials/credentials.h"
8220 #include "librpc/rpc/dcerpc.h"
8221 #include "lib/param/param.h"
8222diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
8223index a5e0cd2..5fcb60e 100644
8224--- a/source3/utils/ntlm_auth.c
8225+++ b/source3/utils/ntlm_auth.c
8226@@ -32,6 +32,7 @@
8227 #include "../libcli/auth/spnego.h"
8228 #include "auth/ntlmssp/ntlmssp.h"
8229 #include "auth/gensec/gensec.h"
8230+#include "auth/gensec/gensec_internal.h"
8231 #include "auth/credentials/credentials.h"
8232 #include "librpc/crypto/gse.h"
8233 #include "smb_krb5.h"
8234diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
8235index 2e733bf..08dccd6 100644
8236--- a/source4/auth/gensec/cyrus_sasl.c
8237+++ b/source4/auth/gensec/cyrus_sasl.c
8238@@ -23,6 +23,7 @@
8239 #include "lib/tsocket/tsocket.h"
8240 #include "auth/credentials/credentials.h"
8241 #include "auth/gensec/gensec.h"
8242+#include "auth/gensec/gensec_internal.h"
8243 #include "auth/gensec/gensec_proto.h"
8244 #include "auth/gensec/gensec_toplevel_proto.h"
8245 #include <sasl/sasl.h>
8246diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
8247index 4fc544f..63a53bf 100644
8248--- a/source4/auth/gensec/gensec_gssapi.c
8249+++ b/source4/auth/gensec/gensec_gssapi.c
8250@@ -34,6 +34,7 @@
8251 #include "auth/credentials/credentials.h"
8252 #include "auth/credentials/credentials_krb5.h"
8253 #include "auth/gensec/gensec.h"
8254+#include "auth/gensec/gensec_internal.h"
8255 #include "auth/gensec/gensec_proto.h"
8256 #include "auth/gensec/gensec_toplevel_proto.h"
8257 #include "param/param.h"
8258diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
8259index fbec64c..ecc3331 100644
8260--- a/source4/auth/gensec/gensec_krb5.c
8261+++ b/source4/auth/gensec/gensec_krb5.c
8262@@ -34,6 +34,7 @@
8263 #include "auth/credentials/credentials_krb5.h"
8264 #include "auth/kerberos/kerberos_credentials.h"
8265 #include "auth/gensec/gensec.h"
8266+#include "auth/gensec/gensec_internal.h"
8267 #include "auth/gensec/gensec_proto.h"
8268 #include "auth/gensec/gensec_toplevel_proto.h"
8269 #include "param/param.h"
8270diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c
8271index 02e5ae2..fd6daff 100644
8272--- a/source4/auth/gensec/pygensec.c
8273+++ b/source4/auth/gensec/pygensec.c
8274@@ -20,6 +20,7 @@
8275 #include "includes.h"
8276 #include "param/pyparam.h"
8277 #include "auth/gensec/gensec.h"
8278+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
8279 #include "auth/credentials/pycredentials.h"
8280 #include "libcli/util/pyerrors.h"
8281 #include "python/modules.h"
8282diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
8283index e67432c..eb2e100 100644
8284--- a/source4/auth/gensec/schannel.c
8285+++ b/source4/auth/gensec/schannel.c
8286@@ -25,6 +25,7 @@
8287 #include "auth/auth.h"
8288 #include "auth/credentials/credentials.h"
8289 #include "auth/gensec/gensec.h"
8290+#include "auth/gensec/gensec_internal.h"
8291 #include "auth/gensec/gensec_proto.h"
8292 #include "../libcli/auth/schannel.h"
8293 #include "librpc/gen_ndr/dcerpc.h"
8294diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
8295index 4a195e5..f0da82c 100644
8296--- a/source4/ldap_server/ldap_backend.c
8297+++ b/source4/ldap_server/ldap_backend.c
8298@@ -23,6 +23,7 @@
8299 #include "../lib/util/dlinklist.h"
8300 #include "auth/credentials/credentials.h"
8301 #include "auth/gensec/gensec.h"
8302+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
8303 #include "param/param.h"
8304 #include "smbd/service_stream.h"
8305 #include "dsdb/samdb/samdb.h"
8306diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
8307index b355e18..f0a498b 100644
8308--- a/source4/libcli/ldap/ldap_bind.c
8309+++ b/source4/libcli/ldap/ldap_bind.c
8310@@ -27,6 +27,7 @@
8311 #include "libcli/ldap/ldap_client.h"
8312 #include "lib/tls/tls.h"
8313 #include "auth/gensec/gensec.h"
8314+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
8315 #include "auth/gensec/gensec_socket.h"
8316 #include "auth/credentials/credentials.h"
8317 #include "lib/stream/packet.h"
8318diff --git a/source4/torture/auth/ntlmssp.c b/source4/torture/auth/ntlmssp.c
8319index bdaa65b..45e5889 100644
8320--- a/source4/torture/auth/ntlmssp.c
8321+++ b/source4/torture/auth/ntlmssp.c
8322@@ -19,6 +19,7 @@
8323
8324 #include "includes.h"
8325 #include "auth/gensec/gensec.h"
8326+#include "auth/gensec/gensec_internal.h"
8327 #include "auth/ntlmssp/ntlmssp.h"
8328 #include "auth/ntlmssp/ntlmssp_private.h"
8329 #include "lib/cmdline/popt_common.h"
8330diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
8331index 136e238..1e2feb0 100644
8332--- a/source4/utils/ntlm_auth.c
8333+++ b/source4/utils/ntlm_auth.c
8334@@ -27,6 +27,7 @@
8335 #include <ldb.h>
8336 #include "auth/credentials/credentials.h"
8337 #include "auth/gensec/gensec.h"
8338+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
8339 #include "auth/auth.h"
8340 #include "librpc/gen_ndr/ndr_netlogon.h"
8341 #include "auth/auth_sam.h"
8342--
83431.9.3
8344
8345
8346From fabdf9f539385d97bc4bf2550e7fd4de2d1b5d01 Mon Sep 17 00:00:00 2001
8347From: Stefan Metzmacher <metze@samba.org>
8348Date: Mon, 5 Aug 2013 10:37:26 +0200
8349Subject: [PATCH 084/249] auth/gensec: avoid talloc_reference in
8350 gensec_use_kerberos_mechs()
8351
8352We now always copy.
8353
8354Signed-off-by: Stefan Metzmacher <metze@samba.org>
8355
8356Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8357(cherry picked from commit 3e3534f882651880093381f5a7846c0938df6501)
8358---
8359 auth/gensec/gensec_start.c | 38 ++++++++++++++++++++------------------
8360 1 file changed, 20 insertions(+), 18 deletions(-)
8361
8362diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
8363index 34029f5..096ad36 100644
8364--- a/auth/gensec/gensec_start.c
8365+++ b/auth/gensec/gensec_start.c
8366@@ -80,13 +80,6 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
8367 use_kerberos = cli_credentials_get_kerberos_state(creds);
8368 }
8369
8370- if (use_kerberos == CRED_AUTO_USE_KERBEROS) {
8371- if (!talloc_reference(mem_ctx, old_gensec_list)) {
8372- return NULL;
8373- }
8374- return old_gensec_list;
8375- }
8376-
8377 for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
8378 /* noop */
8379 }
8380@@ -99,35 +92,44 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
8381 j = 0;
8382 for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
8383 int oid_idx;
8384- bool found_spnego = false;
8385+ bool keep = false;
8386+
8387 for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
8388 if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
8389- new_gensec_list[j] = old_gensec_list[i];
8390- j++;
8391- found_spnego = true;
8392+ keep = true;
8393 break;
8394 }
8395 }
8396- if (found_spnego) {
8397- continue;
8398- }
8399+
8400 switch (use_kerberos) {
8401+ case CRED_AUTO_USE_KERBEROS:
8402+ keep = true;
8403+ break;
8404+
8405 case CRED_DONT_USE_KERBEROS:
8406 if (old_gensec_list[i]->kerberos == false) {
8407- new_gensec_list[j] = old_gensec_list[i];
8408- j++;
8409+ keep = true;
8410 }
8411+
8412 break;
8413+
8414 case CRED_MUST_USE_KERBEROS:
8415 if (old_gensec_list[i]->kerberos == true) {
8416- new_gensec_list[j] = old_gensec_list[i];
8417- j++;
8418+ keep = true;
8419 }
8420+
8421 break;
8422 default:
8423 /* Can't happen or invalid parameter */
8424 return NULL;
8425 }
8426+
8427+ if (!keep) {
8428+ continue;
8429+ }
8430+
8431+ new_gensec_list[j] = old_gensec_list[i];
8432+ j++;
8433 }
8434 new_gensec_list[j] = NULL;
8435
8436--
84371.9.3
8438
8439
8440From b71ed3dd183d64beda108d0881c03978ef4b3892 Mon Sep 17 00:00:00 2001
8441From: Stefan Metzmacher <metze@samba.org>
8442Date: Mon, 5 Aug 2013 10:39:16 +0200
8443Subject: [PATCH 085/249] auth/gensec: avoid talloc_reference in
8444 gensec_security_mechs()
8445
8446We now always copy.
8447
8448Signed-off-by: Stefan Metzmacher <metze@samba.org>
8449
8450Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8451(cherry picked from commit 6a7a44db5999af7262478eb1c186d784d6075beb)
8452---
8453 auth/gensec/gensec_start.c | 27 +++++++++------------------
8454 1 file changed, 9 insertions(+), 18 deletions(-)
8455
8456diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
8457index 096ad36..00e2759 100644
8458--- a/auth/gensec/gensec_start.c
8459+++ b/auth/gensec/gensec_start.c
8460@@ -140,28 +140,19 @@ _PUBLIC_ struct gensec_security_ops **gensec_security_mechs(
8461 struct gensec_security *gensec_security,
8462 TALLOC_CTX *mem_ctx)
8463 {
8464- struct gensec_security_ops **backends;
8465- if (!gensec_security) {
8466- backends = gensec_security_all();
8467- if (!talloc_reference(mem_ctx, backends)) {
8468- return NULL;
8469- }
8470- return backends;
8471- } else {
8472- struct cli_credentials *creds = gensec_get_credentials(gensec_security);
8473+ struct cli_credentials *creds = NULL;
8474+ struct gensec_security_ops **backends = gensec_security_all();
8475+
8476+ if (gensec_security != NULL) {
8477+ creds = gensec_get_credentials(gensec_security);
8478+
8479 if (gensec_security->settings->backends) {
8480 backends = gensec_security->settings->backends;
8481- } else {
8482- backends = gensec_security_all();
8483 }
8484- if (!creds) {
8485- if (!talloc_reference(mem_ctx, backends)) {
8486- return NULL;
8487- }
8488- return backends;
8489- }
8490- return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
8491 }
8492+
8493+ return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
8494+
8495 }
8496
8497 static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
8498--
84991.9.3
8500
8501
8502From fe6a14d48b0eb3dfcfc6d7f0b68e8f28b7ad9796 Mon Sep 17 00:00:00 2001
8503From: Stefan Metzmacher <metze@samba.org>
8504Date: Mon, 5 Aug 2013 16:12:13 +0200
8505Subject: [PATCH 086/249] auth/gensec: make it possible to implement async
8506 backends
8507
8508Signed-off-by: Stefan Metzmacher <metze@samba.org>
8509
8510Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8511(cherry picked from commit e81550c8117166d0fbf69ba1d3957cb950c42961)
8512---
8513 auth/gensec/gensec.c | 202 ++++++++++++++++++++++++++++++++----------
8514 auth/gensec/gensec_internal.h | 7 ++
8515 2 files changed, 160 insertions(+), 49 deletions(-)
8516
8517diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
8518index d364a34..abcbcb9 100644
8519--- a/auth/gensec/gensec.c
8520+++ b/auth/gensec/gensec.c
8521@@ -218,61 +218,92 @@ _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_
8522 const DATA_BLOB in, DATA_BLOB *out)
8523 {
8524 NTSTATUS status;
8525+ const struct gensec_security_ops *ops = gensec_security->ops;
8526+ TALLOC_CTX *frame = NULL;
8527+ struct tevent_req *subreq = NULL;
8528+ bool ok;
8529
8530- status = gensec_security->ops->update(gensec_security, out_mem_ctx,
8531- ev, in, out);
8532- if (!NT_STATUS_IS_OK(status)) {
8533- return status;
8534- }
8535+ if (ops->update_send == NULL) {
8536
8537- /*
8538- * Because callers using the
8539- * gensec_start_mech_by_auth_type() never call
8540- * gensec_want_feature(), it isn't sensible for them
8541- * to have to call gensec_have_feature() manually, and
8542- * these are not points of negotiation, but are
8543- * asserted by the client
8544- */
8545- switch (gensec_security->dcerpc_auth_level) {
8546- case DCERPC_AUTH_LEVEL_INTEGRITY:
8547- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
8548- DEBUG(0,("Did not manage to negotiate mandetory feature "
8549- "SIGN for dcerpc auth_level %u\n",
8550- gensec_security->dcerpc_auth_level));
8551- return NT_STATUS_ACCESS_DENIED;
8552- }
8553- break;
8554- case DCERPC_AUTH_LEVEL_PRIVACY:
8555- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
8556- DEBUG(0,("Did not manage to negotiate mandetory feature "
8557- "SIGN for dcerpc auth_level %u\n",
8558- gensec_security->dcerpc_auth_level));
8559- return NT_STATUS_ACCESS_DENIED;
8560+ status = ops->update(gensec_security, out_mem_ctx,
8561+ ev, in, out);
8562+ if (!NT_STATUS_IS_OK(status)) {
8563+ return status;
8564 }
8565- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
8566- DEBUG(0,("Did not manage to negotiate mandetory feature "
8567- "SEAL for dcerpc auth_level %u\n",
8568- gensec_security->dcerpc_auth_level));
8569- return NT_STATUS_ACCESS_DENIED;
8570+
8571+ /*
8572+ * Because callers using the
8573+ * gensec_start_mech_by_auth_type() never call
8574+ * gensec_want_feature(), it isn't sensible for them
8575+ * to have to call gensec_have_feature() manually, and
8576+ * these are not points of negotiation, but are
8577+ * asserted by the client
8578+ */
8579+ switch (gensec_security->dcerpc_auth_level) {
8580+ case DCERPC_AUTH_LEVEL_INTEGRITY:
8581+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
8582+ DEBUG(0,("Did not manage to negotiate mandetory feature "
8583+ "SIGN for dcerpc auth_level %u\n",
8584+ gensec_security->dcerpc_auth_level));
8585+ return NT_STATUS_ACCESS_DENIED;
8586+ }
8587+ break;
8588+ case DCERPC_AUTH_LEVEL_PRIVACY:
8589+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
8590+ DEBUG(0,("Did not manage to negotiate mandetory feature "
8591+ "SIGN for dcerpc auth_level %u\n",
8592+ gensec_security->dcerpc_auth_level));
8593+ return NT_STATUS_ACCESS_DENIED;
8594+ }
8595+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
8596+ DEBUG(0,("Did not manage to negotiate mandetory feature "
8597+ "SEAL for dcerpc auth_level %u\n",
8598+ gensec_security->dcerpc_auth_level));
8599+ return NT_STATUS_ACCESS_DENIED;
8600+ }
8601+ break;
8602+ default:
8603+ break;
8604 }
8605- break;
8606- default:
8607- break;
8608+
8609+ return NT_STATUS_OK;
8610 }
8611
8612- return NT_STATUS_OK;
8613+ frame = talloc_stackframe();
8614+
8615+ subreq = ops->update_send(frame, ev, gensec_security, in);
8616+ if (subreq == NULL) {
8617+ goto fail;
8618+ }
8619+ ok = tevent_req_poll_ntstatus(subreq, ev, &status);
8620+ if (!ok) {
8621+ goto fail;
8622+ }
8623+ status = ops->update_recv(subreq, out_mem_ctx, out);
8624+ fail:
8625+ TALLOC_FREE(frame);
8626+ return status;
8627 }
8628
8629 struct gensec_update_state {
8630- struct tevent_immediate *im;
8631+ const struct gensec_security_ops *ops;
8632+ struct tevent_req *subreq;
8633 struct gensec_security *gensec_security;
8634- DATA_BLOB in;
8635 DATA_BLOB out;
8636+
8637+ /*
8638+ * only for sync backends, we should remove this
8639+ * once all backends are async.
8640+ */
8641+ struct tevent_immediate *im;
8642+ DATA_BLOB in;
8643 };
8644
8645 static void gensec_update_async_trigger(struct tevent_context *ctx,
8646 struct tevent_immediate *im,
8647 void *private_data);
8648+static void gensec_update_subreq_done(struct tevent_req *subreq);
8649+
8650 /**
8651 * Next state function for the GENSEC state machine async version
8652 *
8653@@ -298,17 +329,31 @@ _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
8654 return NULL;
8655 }
8656
8657- state->gensec_security = gensec_security;
8658- state->in = in;
8659- state->out = data_blob(NULL, 0);
8660- state->im = tevent_create_immediate(state);
8661- if (tevent_req_nomem(state->im, req)) {
8662+ state->ops = gensec_security->ops;
8663+ state->gensec_security = gensec_security;
8664+
8665+ if (state->ops->update_send == NULL) {
8666+ state->in = in;
8667+ state->im = tevent_create_immediate(state);
8668+ if (tevent_req_nomem(state->im, req)) {
8669+ return tevent_req_post(req, ev);
8670+ }
8671+
8672+ tevent_schedule_immediate(state->im, ev,
8673+ gensec_update_async_trigger,
8674+ req);
8675+
8676+ return req;
8677+ }
8678+
8679+ state->subreq = state->ops->update_send(state, ev, gensec_security, in);
8680+ if (tevent_req_nomem(state->subreq, req)) {
8681 return tevent_req_post(req, ev);
8682 }
8683
8684- tevent_schedule_immediate(state->im, ev,
8685- gensec_update_async_trigger,
8686- req);
8687+ tevent_req_set_callback(state->subreq,
8688+ gensec_update_subreq_done,
8689+ req);
8690
8691 return req;
8692 }
8693@@ -323,12 +368,71 @@ static void gensec_update_async_trigger(struct tevent_context *ctx,
8694 tevent_req_data(req, struct gensec_update_state);
8695 NTSTATUS status;
8696
8697- status = gensec_update(state->gensec_security, state, ctx,
8698- state->in, &state->out);
8699+ status = state->ops->update(state->gensec_security, state, ctx,
8700+ state->in, &state->out);
8701+ if (tevent_req_nterror(req, status)) {
8702+ return;
8703+ }
8704+
8705+ tevent_req_done(req);
8706+}
8707+
8708+static void gensec_update_subreq_done(struct tevent_req *subreq)
8709+{
8710+ struct tevent_req *req =
8711+ tevent_req_callback_data(subreq,
8712+ struct tevent_req);
8713+ struct gensec_update_state *state =
8714+ tevent_req_data(req,
8715+ struct gensec_update_state);
8716+ NTSTATUS status;
8717+
8718+ state->subreq = NULL;
8719+
8720+ status = state->ops->update_recv(subreq, state, &state->out);
8721+ TALLOC_FREE(subreq);
8722 if (tevent_req_nterror(req, status)) {
8723 return;
8724 }
8725
8726+ /*
8727+ * Because callers using the
8728+ * gensec_start_mech_by_authtype() never call
8729+ * gensec_want_feature(), it isn't sensible for them
8730+ * to have to call gensec_have_feature() manually, and
8731+ * these are not points of negotiation, but are
8732+ * asserted by the client
8733+ */
8734+ switch (state->gensec_security->dcerpc_auth_level) {
8735+ case DCERPC_AUTH_LEVEL_INTEGRITY:
8736+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
8737+ DEBUG(0,("Did not manage to negotiate mandetory feature "
8738+ "SIGN for dcerpc auth_level %u\n",
8739+ state->gensec_security->dcerpc_auth_level));
8740+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
8741+ return;
8742+ }
8743+ break;
8744+ case DCERPC_AUTH_LEVEL_PRIVACY:
8745+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
8746+ DEBUG(0,("Did not manage to negotiate mandetory feature "
8747+ "SIGN for dcerpc auth_level %u\n",
8748+ state->gensec_security->dcerpc_auth_level));
8749+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
8750+ return;
8751+ }
8752+ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SEAL)) {
8753+ DEBUG(0,("Did not manage to negotiate mandetory feature "
8754+ "SEAL for dcerpc auth_level %u\n",
8755+ state->gensec_security->dcerpc_auth_level));
8756+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
8757+ return;
8758+ }
8759+ break;
8760+ default:
8761+ break;
8762+ }
8763+
8764 tevent_req_done(req);
8765 }
8766
8767diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
8768index 41b6f0d..c04164a 100644
8769--- a/auth/gensec/gensec_internal.h
8770+++ b/auth/gensec/gensec_internal.h
8771@@ -40,6 +40,13 @@ struct gensec_security_ops {
8772 NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
8773 struct tevent_context *ev,
8774 const DATA_BLOB in, DATA_BLOB *out);
8775+ struct tevent_req *(*update_send)(TALLOC_CTX *mem_ctx,
8776+ struct tevent_context *ev,
8777+ struct gensec_security *gensec_security,
8778+ const DATA_BLOB in);
8779+ NTSTATUS (*update_recv)(struct tevent_req *req,
8780+ TALLOC_CTX *out_mem_ctx,
8781+ DATA_BLOB *out);
8782 NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
8783 uint8_t *data, size_t length,
8784 const uint8_t *whole_pdu, size_t pdu_length,
8785--
87861.9.3
8787
8788
8789From aa559f2fc6f228fba268adafa92392dff8152747 Mon Sep 17 00:00:00 2001
8790From: Stefan Metzmacher <metze@samba.org>
8791Date: Mon, 5 Aug 2013 11:10:55 +0200
8792Subject: [PATCH 087/249] auth/gensec: use 'const char * const *' for function
8793 parameters
8794
8795Signed-off-by: Stefan Metzmacher <metze@samba.org>
8796
8797Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8798(cherry picked from commit c81b6f7448d7f945635784de645bea4f7f2e230f)
8799---
8800 auth/gensec/gensec.h | 2 +-
8801 auth/gensec/gensec_start.c | 2 +-
8802 auth/gensec/spnego.c | 2 +-
8803 3 files changed, 3 insertions(+), 3 deletions(-)
8804
8805diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
8806index 5d39d81..d0bc451 100644
8807--- a/auth/gensec/gensec.h
8808+++ b/auth/gensec/gensec.h
8809@@ -184,7 +184,7 @@ struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gense
8810 const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
8811 struct gensec_security *gensec_security,
8812 TALLOC_CTX *mem_ctx,
8813- const char **oid_strings,
8814+ const char * const *oid_strings,
8815 const char *skip);
8816 const char **gensec_security_oids(struct gensec_security *gensec_security,
8817 TALLOC_CTX *mem_ctx,
8818diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
8819index 00e2759..2874c13 100644
8820--- a/auth/gensec/gensec_start.c
8821+++ b/auth/gensec/gensec_start.c
8822@@ -373,7 +373,7 @@ static const struct gensec_security_ops **gensec_security_by_sasl_list(
8823 _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
8824 struct gensec_security *gensec_security,
8825 TALLOC_CTX *mem_ctx,
8826- const char **oid_strings,
8827+ const char * const *oid_strings,
8828 const char *skip)
8829 {
8830 struct gensec_security_ops_wrapper *backends_out;
8831diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
8832index 38a45f8..0eb6da1 100644
8833--- a/auth/gensec/spnego.c
8834+++ b/auth/gensec/spnego.c
8835@@ -417,7 +417,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
8836 struct spnego_state *spnego_state,
8837 TALLOC_CTX *out_mem_ctx,
8838 struct tevent_context *ev,
8839- const char **mechType,
8840+ const char * const *mechType,
8841 const DATA_BLOB unwrapped_in, DATA_BLOB *unwrapped_out)
8842 {
8843 int i;
8844--
88451.9.3
8846
8847
8848From a2e14962e1eeebaac2fb4539794a454b0f486869 Mon Sep 17 00:00:00 2001
8849From: Stefan Metzmacher <metze@samba.org>
8850Date: Mon, 5 Aug 2013 11:20:21 +0200
8851Subject: [PATCH 088/249] auth/gensec: treat struct gensec_security_ops as
8852 const if possible.
8853
8854Signed-off-by: Stefan Metzmacher <metze@samba.org>
8855
8856Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8857(cherry picked from commit 966faef9c61d2ec02d75fc3ccc82a61524fb77e4)
8858---
8859 auth/gensec/gensec.h | 14 +++++-----
8860 auth/gensec/gensec_start.c | 52 ++++++++++++++++++++------------------
8861 auth/gensec/spnego.c | 8 +++---
8862 source3/auth/auth_generic.c | 15 ++++++-----
8863 source3/libads/authdata.c | 11 ++++----
8864 source3/libsmb/auth_generic.c | 15 ++++++-----
8865 source3/utils/ntlm_auth.c | 22 ++++++++--------
8866 source4/ldap_server/ldap_backend.c | 4 +--
8867 8 files changed, 75 insertions(+), 66 deletions(-)
8868
8869diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
8870index d0bc451..ac1fadf 100644
8871--- a/auth/gensec/gensec.h
8872+++ b/auth/gensec/gensec.h
8873@@ -85,7 +85,7 @@ struct gensec_settings {
8874 /* this allows callers to specify a specific set of ops that
8875 * should be used, rather than those loaded by the plugin
8876 * mechanism */
8877- struct gensec_security_ops **backends;
8878+ const struct gensec_security_ops * const *backends;
8879
8880 /* To fill in our own name in the NTLMSSP server */
8881 const char *server_dns_domain;
8882@@ -179,7 +179,7 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec
8883 const struct gensec_security_ops *gensec_security_by_auth_type(
8884 struct gensec_security *gensec_security,
8885 uint32_t auth_type);
8886-struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
8887+const struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
8888 TALLOC_CTX *mem_ctx);
8889 const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
8890 struct gensec_security *gensec_security,
8891@@ -243,11 +243,11 @@ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
8892 const DATA_BLOB *in,
8893 DATA_BLOB *out);
8894
8895-struct gensec_security_ops **gensec_security_all(void);
8896-bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security);
8897-struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
8898- struct gensec_security_ops **old_gensec_list,
8899- struct cli_credentials *creds);
8900+const struct gensec_security_ops * const *gensec_security_all(void);
8901+bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security);
8902+const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
8903+ const struct gensec_security_ops * const *old_gensec_list,
8904+ struct cli_credentials *creds);
8905
8906 NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
8907 const char *sasl_name);
8908diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
8909index 2874c13..3ae64d5 100644
8910--- a/auth/gensec/gensec_start.c
8911+++ b/auth/gensec/gensec_start.c
8912@@ -33,17 +33,17 @@
8913 #include "lib/util/samba_modules.h"
8914
8915 /* the list of currently registered GENSEC backends */
8916-static struct gensec_security_ops **generic_security_ops;
8917+static const struct gensec_security_ops **generic_security_ops;
8918 static int gensec_num_backends;
8919
8920 /* Return all the registered mechs. Don't modify the return pointer,
8921- * but you may talloc_reference it if convient */
8922-_PUBLIC_ struct gensec_security_ops **gensec_security_all(void)
8923+ * but you may talloc_referen it if convient */
8924+_PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void)
8925 {
8926 return generic_security_ops;
8927 }
8928
8929-bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
8930+bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security)
8931 {
8932 return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
8933 }
8934@@ -68,11 +68,11 @@ bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_
8935 * more compplex.
8936 */
8937
8938-_PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
8939- struct gensec_security_ops **old_gensec_list,
8940- struct cli_credentials *creds)
8941+_PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
8942+ const struct gensec_security_ops * const *old_gensec_list,
8943+ struct cli_credentials *creds)
8944 {
8945- struct gensec_security_ops **new_gensec_list;
8946+ const struct gensec_security_ops **new_gensec_list;
8947 int i, j, num_mechs_in;
8948 enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
8949
8950@@ -84,7 +84,9 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
8951 /* noop */
8952 }
8953
8954- new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, num_mechs_in + 1);
8955+ new_gensec_list = talloc_array(mem_ctx,
8956+ const struct gensec_security_ops *,
8957+ num_mechs_in + 1);
8958 if (!new_gensec_list) {
8959 return NULL;
8960 }
8961@@ -136,12 +138,12 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
8962 return new_gensec_list;
8963 }
8964
8965-_PUBLIC_ struct gensec_security_ops **gensec_security_mechs(
8966+_PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
8967 struct gensec_security *gensec_security,
8968 TALLOC_CTX *mem_ctx)
8969 {
8970 struct cli_credentials *creds = NULL;
8971- struct gensec_security_ops **backends = gensec_security_all();
8972+ const struct gensec_security_ops * const *backends = gensec_security_all();
8973
8974 if (gensec_security != NULL) {
8975 creds = gensec_get_credentials(gensec_security);
8976@@ -159,7 +161,7 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens
8977 uint8_t auth_type)
8978 {
8979 int i;
8980- struct gensec_security_ops **backends;
8981+ const struct gensec_security_ops **backends;
8982 const struct gensec_security_ops *backend;
8983 TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
8984 if (!mem_ctx) {
8985@@ -185,7 +187,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
8986 const char *oid_string)
8987 {
8988 int i, j;
8989- struct gensec_security_ops **backends;
8990+ const struct gensec_security_ops **backends;
8991 const struct gensec_security_ops *backend;
8992 TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
8993 if (!mem_ctx) {
8994@@ -218,7 +220,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
8995 const char *sasl_name)
8996 {
8997 int i;
8998- struct gensec_security_ops **backends;
8999+ const struct gensec_security_ops **backends;
9000 const struct gensec_security_ops *backend;
9001 TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
9002 if (!mem_ctx) {
9003@@ -245,7 +247,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
9004 uint32_t auth_type)
9005 {
9006 int i;
9007- struct gensec_security_ops **backends;
9008+ const struct gensec_security_ops **backends;
9009 const struct gensec_security_ops *backend;
9010 TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
9011 if (!mem_ctx) {
9012@@ -270,7 +272,7 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s
9013 const char *name)
9014 {
9015 int i;
9016- struct gensec_security_ops **backends;
9017+ const struct gensec_security_ops **backends;
9018 const struct gensec_security_ops *backend;
9019 TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
9020 if (!mem_ctx) {
9021@@ -306,7 +308,7 @@ static const struct gensec_security_ops **gensec_security_by_sasl_list(
9022 const char **sasl_names)
9023 {
9024 const struct gensec_security_ops **backends_out;
9025- struct gensec_security_ops **backends;
9026+ const struct gensec_security_ops **backends;
9027 int i, k, sasl_idx;
9028 int num_backends_out = 0;
9029
9030@@ -377,7 +379,7 @@ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
9031 const char *skip)
9032 {
9033 struct gensec_security_ops_wrapper *backends_out;
9034- struct gensec_security_ops **backends;
9035+ const struct gensec_security_ops **backends;
9036 int i, j, k, oid_idx;
9037 int num_backends_out = 0;
9038
9039@@ -451,7 +453,7 @@ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
9040 static const char **gensec_security_oids_from_ops(
9041 struct gensec_security *gensec_security,
9042 TALLOC_CTX *mem_ctx,
9043- struct gensec_security_ops **ops,
9044+ const struct gensec_security_ops * const *ops,
9045 const char *skip)
9046 {
9047 int i;
9048@@ -542,8 +544,10 @@ _PUBLIC_ const char **gensec_security_oids(struct gensec_security *gensec_securi
9049 TALLOC_CTX *mem_ctx,
9050 const char *skip)
9051 {
9052- struct gensec_security_ops **ops
9053- = gensec_security_mechs(gensec_security, mem_ctx);
9054+ const struct gensec_security_ops **ops;
9055+
9056+ ops = gensec_security_mechs(gensec_security, mem_ctx);
9057+
9058 return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
9059 }
9060
9061@@ -876,13 +880,13 @@ _PUBLIC_ NTSTATUS gensec_register(const struct gensec_security_ops *ops)
9062
9063 generic_security_ops = talloc_realloc(talloc_autofree_context(),
9064 generic_security_ops,
9065- struct gensec_security_ops *,
9066+ const struct gensec_security_ops *,
9067 gensec_num_backends+2);
9068 if (!generic_security_ops) {
9069 return NT_STATUS_NO_MEMORY;
9070 }
9071
9072- generic_security_ops[gensec_num_backends] = discard_const_p(struct gensec_security_ops, ops);
9073+ generic_security_ops[gensec_num_backends] = ops;
9074 gensec_num_backends++;
9075 generic_security_ops[gensec_num_backends] = NULL;
9076
9077@@ -908,7 +912,7 @@ _PUBLIC_ const struct gensec_critical_sizes *gensec_interface_version(void)
9078 return &critical_sizes;
9079 }
9080
9081-static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_ops **gs2) {
9082+static int sort_gensec(const struct gensec_security_ops **gs1, const struct gensec_security_ops **gs2) {
9083 return (*gs2)->priority - (*gs1)->priority;
9084 }
9085
9086diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
9087index 0eb6da1..d90a50c 100644
9088--- a/auth/gensec/spnego.c
9089+++ b/auth/gensec/spnego.c
9090@@ -352,9 +352,11 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
9091 const DATA_BLOB in, DATA_BLOB *out)
9092 {
9093 int i,j;
9094- struct gensec_security_ops **all_ops
9095- = gensec_security_mechs(gensec_security, out_mem_ctx);
9096- for (i=0; all_ops[i]; i++) {
9097+ const struct gensec_security_ops **all_ops;
9098+
9099+ all_ops = gensec_security_mechs(gensec_security, out_mem_ctx);
9100+
9101+ for (i=0; all_ops && all_ops[i]; i++) {
9102 bool is_spnego;
9103 NTSTATUS nt_status;
9104
9105diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
9106index a2ba4e3..e15c87e 100644
9107--- a/source3/auth/auth_generic.c
9108+++ b/source3/auth/auth_generic.c
9109@@ -203,6 +203,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
9110 return nt_status;
9111 }
9112 } else {
9113+ const struct gensec_security_ops **backends = NULL;
9114 struct gensec_settings *gensec_settings;
9115 struct loadparm_context *lp_ctx;
9116 size_t idx = 0;
9117@@ -259,24 +260,24 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
9118 return NT_STATUS_NO_MEMORY;
9119 }
9120
9121- gensec_settings->backends = talloc_zero_array(gensec_settings,
9122- struct gensec_security_ops *, 4);
9123- if (gensec_settings->backends == NULL) {
9124+ backends = talloc_zero_array(gensec_settings,
9125+ const struct gensec_security_ops *, 4);
9126+ if (backends == NULL) {
9127 TALLOC_FREE(tmp_ctx);
9128 return NT_STATUS_NO_MEMORY;
9129 }
9130+ gensec_settings->backends = backends;
9131
9132 gensec_init();
9133
9134 /* These need to be in priority order, krb5 before NTLMSSP */
9135 #if defined(HAVE_KRB5)
9136- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
9137+ backends[idx++] = &gensec_gse_krb5_security_ops;
9138 #endif
9139
9140- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
9141+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
9142
9143- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
9144- GENSEC_OID_SPNEGO);
9145+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
9146
9147 /*
9148 * This is anonymous for now, because we just use it
9149diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
9150index 582917d..801e551 100644
9151--- a/source3/libads/authdata.c
9152+++ b/source3/libads/authdata.c
9153@@ -111,7 +111,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
9154 const char *cc = "MEMORY:kerberos_return_pac";
9155 struct auth_session_info *session_info;
9156 struct gensec_security *gensec_server_context;
9157-
9158+ const struct gensec_security_ops **backends;
9159 struct gensec_settings *gensec_settings;
9160 size_t idx = 0;
9161 struct auth4_context *auth_context;
9162@@ -230,16 +230,17 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
9163 goto out;
9164 }
9165
9166- gensec_settings->backends = talloc_zero_array(gensec_settings,
9167- struct gensec_security_ops *, 2);
9168- if (gensec_settings->backends == NULL) {
9169+ backends = talloc_zero_array(gensec_settings,
9170+ const struct gensec_security_ops *, 2);
9171+ if (backends == NULL) {
9172 status = NT_STATUS_NO_MEMORY;
9173 goto out;
9174 }
9175+ gensec_settings->backends = backends;
9176
9177 gensec_init();
9178
9179- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
9180+ backends[idx++] = &gensec_gse_krb5_security_ops;
9181
9182 status = gensec_server_start(tmp_ctx, gensec_settings,
9183 auth_context, &gensec_server_context);
9184diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
9185index ba0a0ce..e30c1b7 100644
9186--- a/source3/libsmb/auth_generic.c
9187+++ b/source3/libsmb/auth_generic.c
9188@@ -54,6 +54,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
9189 NTSTATUS nt_status;
9190 size_t idx = 0;
9191 struct gensec_settings *gensec_settings;
9192+ const struct gensec_security_ops **backends = NULL;
9193 struct loadparm_context *lp_ctx;
9194
9195 ans = talloc_zero(mem_ctx, struct auth_generic_state);
9196@@ -76,24 +77,24 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
9197 return NT_STATUS_NO_MEMORY;
9198 }
9199
9200- gensec_settings->backends = talloc_zero_array(gensec_settings,
9201- struct gensec_security_ops *, 4);
9202- if (gensec_settings->backends == NULL) {
9203+ backends = talloc_zero_array(gensec_settings,
9204+ const struct gensec_security_ops *, 4);
9205+ if (backends == NULL) {
9206 TALLOC_FREE(ans);
9207 return NT_STATUS_NO_MEMORY;
9208 }
9209+ gensec_settings->backends = backends;
9210
9211 gensec_init();
9212
9213 /* These need to be in priority order, krb5 before NTLMSSP */
9214 #if defined(HAVE_KRB5)
9215- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
9216+ backends[idx++] = &gensec_gse_krb5_security_ops;
9217 #endif
9218
9219- gensec_settings->backends[idx++] = &gensec_ntlmssp3_client_ops;
9220+ backends[idx++] = &gensec_ntlmssp3_client_ops;
9221
9222- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
9223- GENSEC_OID_SPNEGO);
9224+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
9225
9226 nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
9227
9228diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
9229index 5fcb60e..25e717c 100644
9230--- a/source3/utils/ntlm_auth.c
9231+++ b/source3/utils/ntlm_auth.c
9232@@ -1035,7 +1035,7 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
9233 NTSTATUS nt_status;
9234
9235 TALLOC_CTX *tmp_ctx;
9236-
9237+ const struct gensec_security_ops **backends;
9238 struct gensec_settings *gensec_settings;
9239 size_t idx = 0;
9240 struct cli_credentials *server_credentials;
9241@@ -1079,26 +1079,26 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
9242 gensec_settings->server_dns_name = strlower_talloc(gensec_settings,
9243 get_mydnsfullname());
9244
9245- gensec_settings->backends = talloc_zero_array(gensec_settings,
9246- struct gensec_security_ops *, 4);
9247+ backends = talloc_zero_array(gensec_settings,
9248+ const struct gensec_security_ops *, 4);
9249
9250- if (gensec_settings->backends == NULL) {
9251+ if (backends == NULL) {
9252 TALLOC_FREE(tmp_ctx);
9253 return NT_STATUS_NO_MEMORY;
9254 }
9255-
9256+ gensec_settings->backends = backends;
9257+
9258 gensec_init();
9259
9260 /* These need to be in priority order, krb5 before NTLMSSP */
9261 #if defined(HAVE_KRB5)
9262- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
9263+ backends[idx++] = &gensec_gse_krb5_security_ops;
9264 #endif
9265-
9266- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
9267
9268- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
9269- GENSEC_OID_SPNEGO);
9270-
9271+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
9272+
9273+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
9274+
9275 /*
9276 * This is anonymous for now, because we just use it
9277 * to set the kerberos state at the moment
9278diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
9279index f0da82c..3432594 100644
9280--- a/source4/ldap_server/ldap_backend.c
9281+++ b/source4/ldap_server/ldap_backend.c
9282@@ -192,8 +192,8 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
9283
9284 if (conn->server_credentials) {
9285 char **sasl_mechs = NULL;
9286- struct gensec_security_ops **backends = gensec_security_all();
9287- struct gensec_security_ops **ops
9288+ const struct gensec_security_ops * const *backends = gensec_security_all();
9289+ const struct gensec_security_ops **ops
9290 = gensec_use_kerberos_mechs(conn, backends, conn->server_credentials);
9291 unsigned int i, j = 0;
9292 for (i = 0; ops && ops[i]; i++) {
9293--
92941.9.3
9295
9296
9297From 6a58d4f4cb60bf25c1493ef0aedd5978abc06969 Mon Sep 17 00:00:00 2001
9298From: Stefan Metzmacher <metze@samba.org>
9299Date: Mon, 5 Aug 2013 10:43:38 +0200
9300Subject: [PATCH 089/249] libcli/auth: avoid possible mem leak in
9301 read_negTokenInit()
9302
9303Also add error checks.
9304
9305Signed-off-by: Stefan Metzmacher <metze@samba.org>
9306
9307Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9308(cherry picked from commit f1e60142e12deb560e3c62441fd9ff2acd086b60)
9309---
9310 libcli/auth/spnego_parse.c | 19 +++++++++++++++----
9311 1 file changed, 15 insertions(+), 4 deletions(-)
9312
9313diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
9314index 3bf7aea..2c73613 100644
9315--- a/libcli/auth/spnego_parse.c
9316+++ b/libcli/auth/spnego_parse.c
9317@@ -46,13 +46,24 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
9318 asn1_start_tag(asn1, ASN1_CONTEXT(0));
9319 asn1_start_tag(asn1, ASN1_SEQUENCE(0));
9320
9321- token->mechTypes = talloc(NULL, const char *);
9322+ token->mechTypes = talloc(mem_ctx, const char *);
9323+ if (token->mechTypes == NULL) {
9324+ asn1->has_error = true;
9325+ return false;
9326+ }
9327 for (i = 0; !asn1->has_error &&
9328 0 < asn1_tag_remaining(asn1); i++) {
9329 char *oid;
9330- token->mechTypes = talloc_realloc(NULL,
9331- token->mechTypes,
9332- const char *, i+2);
9333+ const char **p;
9334+ p = talloc_realloc(mem_ctx,
9335+ token->mechTypes,
9336+ const char *, i+2);
9337+ if (p == NULL) {
9338+ TALLOC_FREE(token->mechTypes);
9339+ asn1->has_error = true;
9340+ return false;
9341+ }
9342+ token->mechTypes = p;
9343 asn1_read_OID(asn1, token->mechTypes, &oid);
9344 token->mechTypes[i] = oid;
9345 }
9346--
93471.9.3
9348
9349
9350From 8835471a993521e49aa48ef55f324874e1933108 Mon Sep 17 00:00:00 2001
9351From: Stefan Metzmacher <metze@samba.org>
9352Date: Mon, 5 Aug 2013 10:46:47 +0200
9353Subject: [PATCH 090/249] libcli/auth: add more const to
9354 spnego_negTokenInit->mechTypes
9355
9356Signed-off-by: Stefan Metzmacher <metze@samba.org>
9357
9358Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9359
9360Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
9361Autobuild-Date(master): Sat Aug 10 11:11:54 CEST 2013 on sn-devel-104
9362(cherry picked from commit 9177a0d1c1c92c45ef92fbda55fc6dd8aeb76b6c)
9363---
9364 libcli/auth/spnego.h | 2 +-
9365 libcli/auth/spnego_parse.c | 27 ++++++++++++++++-----------
9366 libcli/auth/spnego_proto.h | 2 +-
9367 source3/utils/ntlm_auth.c | 2 +-
9368 4 files changed, 19 insertions(+), 14 deletions(-)
9369
9370diff --git a/libcli/auth/spnego.h b/libcli/auth/spnego.h
9371index 9a93f2e..539b903 100644
9372--- a/libcli/auth/spnego.h
9373+++ b/libcli/auth/spnego.h
9374@@ -49,7 +49,7 @@ enum spnego_negResult {
9375 };
9376
9377 struct spnego_negTokenInit {
9378- const char **mechTypes;
9379+ const char * const *mechTypes;
9380 DATA_BLOB reqFlags;
9381 uint8_t reqFlagsPadding;
9382 DATA_BLOB mechToken;
9383diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
9384index 2c73613..b1ca07d 100644
9385--- a/libcli/auth/spnego_parse.c
9386+++ b/libcli/auth/spnego_parse.c
9387@@ -42,12 +42,14 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
9388
9389 switch (context) {
9390 /* Read mechTypes */
9391- case ASN1_CONTEXT(0):
9392+ case ASN1_CONTEXT(0): {
9393+ const char **mechTypes;
9394+
9395 asn1_start_tag(asn1, ASN1_CONTEXT(0));
9396 asn1_start_tag(asn1, ASN1_SEQUENCE(0));
9397
9398- token->mechTypes = talloc(mem_ctx, const char *);
9399- if (token->mechTypes == NULL) {
9400+ mechTypes = talloc(mem_ctx, const char *);
9401+ if (mechTypes == NULL) {
9402 asn1->has_error = true;
9403 return false;
9404 }
9405@@ -56,22 +58,25 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
9406 char *oid;
9407 const char **p;
9408 p = talloc_realloc(mem_ctx,
9409- token->mechTypes,
9410+ mechTypes,
9411 const char *, i+2);
9412 if (p == NULL) {
9413- TALLOC_FREE(token->mechTypes);
9414+ talloc_free(mechTypes);
9415 asn1->has_error = true;
9416 return false;
9417 }
9418- token->mechTypes = p;
9419- asn1_read_OID(asn1, token->mechTypes, &oid);
9420- token->mechTypes[i] = oid;
9421+ mechTypes = p;
9422+
9423+ asn1_read_OID(asn1, mechTypes, &oid);
9424+ mechTypes[i] = oid;
9425 }
9426- token->mechTypes[i] = NULL;
9427+ mechTypes[i] = NULL;
9428+ token->mechTypes = mechTypes;
9429
9430 asn1_end_tag(asn1);
9431 asn1_end_tag(asn1);
9432 break;
9433+ }
9434 /* Read reqFlags */
9435 case ASN1_CONTEXT(1):
9436 asn1_start_tag(asn1, ASN1_CONTEXT(1));
9437@@ -366,7 +371,7 @@ bool spnego_free_data(struct spnego_data *spnego)
9438 switch(spnego->type) {
9439 case SPNEGO_NEG_TOKEN_INIT:
9440 if (spnego->negTokenInit.mechTypes) {
9441- talloc_free(spnego->negTokenInit.mechTypes);
9442+ talloc_free(discard_const(spnego->negTokenInit.mechTypes));
9443 }
9444 data_blob_free(&spnego->negTokenInit.reqFlags);
9445 data_blob_free(&spnego->negTokenInit.mechToken);
9446@@ -390,7 +395,7 @@ out:
9447 }
9448
9449 bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
9450- const char **mech_types,
9451+ const char * const *mech_types,
9452 DATA_BLOB *blob)
9453 {
9454 struct asn1_data *asn1 = asn1_init(mem_ctx);
9455diff --git a/libcli/auth/spnego_proto.h b/libcli/auth/spnego_proto.h
9456index 5fd5e59..c0fa934 100644
9457--- a/libcli/auth/spnego_proto.h
9458+++ b/libcli/auth/spnego_proto.h
9459@@ -24,5 +24,5 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
9460 ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct spnego_data *spnego);
9461 bool spnego_free_data(struct spnego_data *spnego);
9462 bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
9463- const char **mech_types,
9464+ const char * const *mech_types,
9465 DATA_BLOB *blob);
9466diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
9467index 25e717c..1df615c 100644
9468--- a/source3/utils/ntlm_auth.c
9469+++ b/source3/utils/ntlm_auth.c
9470@@ -2058,7 +2058,7 @@ static void manage_gss_spnego_client_request(enum stdio_helper_mode stdio_helper
9471
9472 /* The server offers a list of mechanisms */
9473
9474- const char **mechType = (const char **)spnego.negTokenInit.mechTypes;
9475+ const char *const *mechType = spnego.negTokenInit.mechTypes;
9476
9477 while (*mechType != NULL) {
9478
9479--
94801.9.3
9481
9482
9483From c06bb0c3d2c032f8b4848c75baa1fd900650866a Mon Sep 17 00:00:00 2001
9484From: Stefan Metzmacher <metze@samba.org>
9485Date: Fri, 9 Aug 2013 10:15:05 +0200
9486Subject: [PATCH 091/249] auth/credentials: make sure
9487 cli_credentials_get_nt_hash() always returns a talloc object
9488
9489Signed-off-by: Stefan Metzmacher <metze@samba.org>
9490---
9491 auth/credentials/credentials.c | 19 ++++++++++++++-----
9492 auth/credentials/credentials.h | 4 ++--
9493 2 files changed, 16 insertions(+), 7 deletions(-)
9494
9495diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
9496index be497bc..57a7c0b 100644
9497--- a/auth/credentials/credentials.c
9498+++ b/auth/credentials/credentials.c
9499@@ -471,8 +471,8 @@ _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred,
9500 * @param cred credentials context
9501 * @retval If set, the cleartext password, otherwise NULL
9502 */
9503-_PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
9504- TALLOC_CTX *mem_ctx)
9505+_PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
9506+ TALLOC_CTX *mem_ctx)
9507 {
9508 const char *password = cli_credentials_get_password(cred);
9509
9510@@ -481,13 +481,22 @@ _PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_cred
9511 if (!nt_hash) {
9512 return NULL;
9513 }
9514-
9515+
9516 E_md4hash(password, nt_hash->hash);
9517
9518 return nt_hash;
9519- } else {
9520- return cred->nt_hash;
9521+ } else if (cred->nt_hash != NULL) {
9522+ struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
9523+ if (!nt_hash) {
9524+ return NULL;
9525+ }
9526+
9527+ *nt_hash = *cred->nt_hash;
9528+
9529+ return nt_hash;
9530 }
9531+
9532+ return NULL;
9533 }
9534
9535 /**
9536diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
9537index cb09dc3..766a513 100644
9538--- a/auth/credentials/credentials.h
9539+++ b/auth/credentials/credentials.h
9540@@ -141,8 +141,8 @@ bool cli_credentials_set_password(struct cli_credentials *cred,
9541 enum credentials_obtained obtained);
9542 struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
9543 void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
9544-const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
9545- TALLOC_CTX *mem_ctx);
9546+struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
9547+ TALLOC_CTX *mem_ctx);
9548 bool cli_credentials_set_realm(struct cli_credentials *cred,
9549 const char *val,
9550 enum credentials_obtained obtained);
9551--
95521.9.3
9553
9554
9555From 8a3ed9f72ef9f9de32da4d454b866d64eb24ee17 Mon Sep 17 00:00:00 2001
9556From: Howard Chu <hyc@symas.com>
9557Date: Tue, 17 Sep 2013 13:09:50 -0700
9558Subject: [PATCH 092/249] Add SASL/EXTERNAL gensec module
9559
9560Signed-off-by: Howard Chu <hyc@symas.com>
9561Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9562Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
9563(cherry picked from commit 6bf59b03d72b94b71e53fc2404c11e0d237e41b2)
9564---
9565 auth/gensec/external.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++
9566 auth/gensec/gensec.h | 3 +-
9567 auth/gensec/wscript_build | 7 ++++
9568 3 files changed, 91 insertions(+), 1 deletion(-)
9569 create mode 100644 auth/gensec/external.c
9570
9571diff --git a/auth/gensec/external.c b/auth/gensec/external.c
9572new file mode 100644
9573index 0000000..a26e435
9574--- /dev/null
9575+++ b/auth/gensec/external.c
9576@@ -0,0 +1,82 @@
9577+/*
9578+ Unix SMB/CIFS implementation.
9579+
9580+ SASL/EXTERNAL authentication.
9581+
9582+ Copyright (C) Howard Chu <hyc@symas.com> 2013
9583+
9584+ This program is free software; you can redistribute it and/or modify
9585+ it under the terms of the GNU General Public License as published by
9586+ the Free Software Foundation; either version 3 of the License, or
9587+ (at your option) any later version.
9588+
9589+ This program is distributed in the hope that it will be useful,
9590+ but WITHOUT ANY WARRANTY; without even the implied warranty of
9591+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9592+ GNU General Public License for more details.
9593+
9594+ You should have received a copy of the GNU General Public License
9595+ along with this program. If not, see <http://www.gnu.org/licenses/>.
9596+*/
9597+
9598+#include "includes.h"
9599+#include "auth/credentials/credentials.h"
9600+#include "auth/gensec/gensec.h"
9601+#include "auth/gensec/gensec_internal.h"
9602+#include "auth/gensec/gensec_proto.h"
9603+#include "auth/gensec/gensec_toplevel_proto.h"
9604+
9605+/* SASL/EXTERNAL is essentially a no-op; it is only usable when the transport
9606+ * layer is already mutually authenticated.
9607+ */
9608+
9609+NTSTATUS gensec_external_init(void);
9610+
9611+static NTSTATUS gensec_external_start(struct gensec_security *gensec_security)
9612+{
9613+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN)
9614+ return NT_STATUS_INVALID_PARAMETER;
9615+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL)
9616+ return NT_STATUS_INVALID_PARAMETER;
9617+
9618+ return NT_STATUS_OK;
9619+}
9620+
9621+static NTSTATUS gensec_external_update(struct gensec_security *gensec_security,
9622+ TALLOC_CTX *out_mem_ctx,
9623+ struct tevent_context *ev,
9624+ const DATA_BLOB in, DATA_BLOB *out)
9625+{
9626+ *out = data_blob_talloc(out_mem_ctx, "", 0);
9627+ return NT_STATUS_OK;
9628+}
9629+
9630+/* We have no features */
9631+static bool gensec_external_have_feature(struct gensec_security *gensec_security,
9632+ uint32_t feature)
9633+{
9634+ return false;
9635+}
9636+
9637+static const struct gensec_security_ops gensec_external_ops = {
9638+ .name = "sasl-EXTERNAL",
9639+ .sasl_name = "EXTERNAL",
9640+ .client_start = gensec_external_start,
9641+ .update = gensec_external_update,
9642+ .have_feature = gensec_external_have_feature,
9643+ .enabled = true,
9644+ .priority = GENSEC_EXTERNAL
9645+};
9646+
9647+
9648+NTSTATUS gensec_external_init(void)
9649+{
9650+ NTSTATUS ret;
9651+
9652+ ret = gensec_register(&gensec_external_ops);
9653+ if (!NT_STATUS_IS_OK(ret)) {
9654+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
9655+ gensec_external_ops.name));
9656+ }
9657+ return ret;
9658+}
9659diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
9660index ac1fadf..6974f87 100644
9661--- a/auth/gensec/gensec.h
9662+++ b/auth/gensec/gensec.h
9663@@ -41,7 +41,8 @@ enum gensec_priority {
9664 GENSEC_SCHANNEL = 60,
9665 GENSEC_NTLMSSP = 50,
9666 GENSEC_SASL = 20,
9667- GENSEC_OTHER = 0
9668+ GENSEC_OTHER = 10,
9669+ GENSEC_EXTERNAL = 0
9670 };
9671
9672 struct gensec_security;
9673diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
9674index fcd74a3..71222f7 100755
9675--- a/auth/gensec/wscript_build
9676+++ b/auth/gensec/wscript_build
9677@@ -16,3 +16,10 @@ bld.SAMBA_MODULE('gensec_spnego',
9678 init_function='gensec_spnego_init',
9679 deps='asn1util samba-credentials SPNEGO_PARSE'
9680 )
9681+
9682+bld.SAMBA_MODULE('gensec_external',
9683+ source='external.c',
9684+ autoproto='external_proto.h',
9685+ subsystem='gensec',
9686+ init_function='gensec_external_init'
9687+ )
9688--
96891.9.3
9690
9691
9692From 75d9566940069ebeb367191ec6a6641bf7d45a83 Mon Sep 17 00:00:00 2001
9693From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
9694Date: Wed, 18 Sep 2013 17:24:10 +0200
9695Subject: [PATCH 093/249] gensec: move schannel module to toplevel.
9696MIME-Version: 1.0
9697Content-Type: text/plain; charset=UTF-8
9698Content-Transfer-Encoding: 8bit
9699
9700Guenther
9701
9702Signed-off-by: Günther Deschner <gd@samba.org>
9703Pair-Programmed-With: Andreas Schneider <asn@samba.org>
9704Reviewed-by: Stefan Metzmacher <metze@samba.org>
9705(cherry picked from commit 4d2ec9e37ee9dcf7b521806a1c0aabdffe524d47)
9706---
9707 auth/gensec/schannel.c | 330 ++++++++++++++++++++++++++++++++++++++
9708 auth/gensec/wscript_build | 8 +
9709 source4/auth/gensec/schannel.c | 330 --------------------------------------
9710 source4/auth/gensec/wscript_build | 10 --
9711 4 files changed, 338 insertions(+), 340 deletions(-)
9712 create mode 100644 auth/gensec/schannel.c
9713 delete mode 100644 source4/auth/gensec/schannel.c
9714
9715diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
9716new file mode 100644
9717index 0000000..eb2e100
9718--- /dev/null
9719+++ b/auth/gensec/schannel.c
9720@@ -0,0 +1,330 @@
9721+/*
9722+ Unix SMB/CIFS implementation.
9723+
9724+ dcerpc schannel operations
9725+
9726+ Copyright (C) Andrew Tridgell 2004
9727+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
9728+
9729+ This program is free software; you can redistribute it and/or modify
9730+ it under the terms of the GNU General Public License as published by
9731+ the Free Software Foundation; either version 3 of the License, or
9732+ (at your option) any later version.
9733+
9734+ This program is distributed in the hope that it will be useful,
9735+ but WITHOUT ANY WARRANTY; without even the implied warranty of
9736+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9737+ GNU General Public License for more details.
9738+
9739+ You should have received a copy of the GNU General Public License
9740+ along with this program. If not, see <http://www.gnu.org/licenses/>.
9741+*/
9742+
9743+#include "includes.h"
9744+#include "librpc/gen_ndr/ndr_schannel.h"
9745+#include "auth/auth.h"
9746+#include "auth/credentials/credentials.h"
9747+#include "auth/gensec/gensec.h"
9748+#include "auth/gensec/gensec_internal.h"
9749+#include "auth/gensec/gensec_proto.h"
9750+#include "../libcli/auth/schannel.h"
9751+#include "librpc/gen_ndr/dcerpc.h"
9752+#include "param/param.h"
9753+#include "auth/gensec/gensec_toplevel_proto.h"
9754+
9755+_PUBLIC_ NTSTATUS gensec_schannel_init(void);
9756+
9757+static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
9758+{
9759+ struct schannel_state *state =
9760+ talloc_get_type_abort(gensec_security->private_data,
9761+ struct schannel_state);
9762+
9763+ return netsec_outgoing_sig_size(state);
9764+}
9765+
9766+static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
9767+ struct tevent_context *ev,
9768+ const DATA_BLOB in, DATA_BLOB *out)
9769+{
9770+ struct schannel_state *state =
9771+ talloc_get_type(gensec_security->private_data,
9772+ struct schannel_state);
9773+ NTSTATUS status;
9774+ enum ndr_err_code ndr_err;
9775+ struct NL_AUTH_MESSAGE bind_schannel;
9776+ struct NL_AUTH_MESSAGE bind_schannel_ack;
9777+ struct netlogon_creds_CredentialState *creds;
9778+ const char *workstation;
9779+ const char *domain;
9780+
9781+ *out = data_blob(NULL, 0);
9782+
9783+ switch (gensec_security->gensec_role) {
9784+ case GENSEC_CLIENT:
9785+ if (state != NULL) {
9786+ /* we could parse the bind ack, but we don't know what it is yet */
9787+ return NT_STATUS_OK;
9788+ }
9789+
9790+ creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
9791+ if (creds == NULL) {
9792+ return NT_STATUS_INVALID_PARAMETER_MIX;
9793+ }
9794+
9795+ state = netsec_create_state(gensec_security,
9796+ creds, true /* initiator */);
9797+ if (state == NULL) {
9798+ return NT_STATUS_NO_MEMORY;
9799+ }
9800+ gensec_security->private_data = state;
9801+
9802+ bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
9803+#if 0
9804+ /* to support this we'd need to have access to the full domain name */
9805+ /* 0x17, 23 */
9806+ bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
9807+ NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
9808+ NL_FLAG_UTF8_DNS_DOMAIN_NAME |
9809+ NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
9810+ bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
9811+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
9812+ bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
9813+ /* w2k3 refuses us if we use the full DNS workstation?
9814+ why? perhaps because we don't fill in the dNSHostName
9815+ attribute in the machine account? */
9816+ bind_schannel.utf8_netbios_computer = creds->computer_name;
9817+#else
9818+ bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
9819+ NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
9820+ bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
9821+ bind_schannel.oem_netbios_computer.a = creds->computer_name;
9822+#endif
9823+
9824+ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
9825+ (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
9826+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
9827+ status = ndr_map_error2ntstatus(ndr_err);
9828+ DEBUG(3, ("Could not create schannel bind: %s\n",
9829+ nt_errstr(status)));
9830+ return status;
9831+ }
9832+
9833+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
9834+ case GENSEC_SERVER:
9835+
9836+ if (state != NULL) {
9837+ /* no third leg on this protocol */
9838+ return NT_STATUS_INVALID_PARAMETER;
9839+ }
9840+
9841+ /* parse the schannel startup blob */
9842+ ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
9843+ (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
9844+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
9845+ status = ndr_map_error2ntstatus(ndr_err);
9846+ DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
9847+ nt_errstr(status)));
9848+ return status;
9849+ }
9850+
9851+ if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
9852+ domain = bind_schannel.oem_netbios_domain.a;
9853+ if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
9854+ DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
9855+ domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
9856+ return NT_STATUS_LOGON_FAILURE;
9857+ }
9858+ } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
9859+ domain = bind_schannel.utf8_dns_domain.u;
9860+ if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
9861+ DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
9862+ domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
9863+ return NT_STATUS_LOGON_FAILURE;
9864+ }
9865+ } else {
9866+ DEBUG(3, ("Request for schannel to without domain\n"));
9867+ return NT_STATUS_LOGON_FAILURE;
9868+ }
9869+
9870+ if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
9871+ workstation = bind_schannel.oem_netbios_computer.a;
9872+ } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
9873+ workstation = bind_schannel.utf8_netbios_computer.u;
9874+ } else {
9875+ DEBUG(3, ("Request for schannel to without netbios workstation\n"));
9876+ return NT_STATUS_LOGON_FAILURE;
9877+ }
9878+
9879+ status = schannel_get_creds_state(out_mem_ctx,
9880+ gensec_security->settings->lp_ctx,
9881+ workstation, &creds);
9882+ if (!NT_STATUS_IS_OK(status)) {
9883+ DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
9884+ workstation, nt_errstr(status)));
9885+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
9886+ return NT_STATUS_LOGON_FAILURE;
9887+ }
9888+ return status;
9889+ }
9890+
9891+ state = netsec_create_state(gensec_security,
9892+ creds, false /* not initiator */);
9893+ if (state == NULL) {
9894+ return NT_STATUS_NO_MEMORY;
9895+ }
9896+ gensec_security->private_data = state;
9897+
9898+ bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
9899+ bind_schannel_ack.Flags = 0;
9900+ bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
9901+ * this does not have
9902+ * any meaning here
9903+ * - gd */
9904+
9905+ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
9906+ (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
9907+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
9908+ status = ndr_map_error2ntstatus(ndr_err);
9909+ DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
9910+ workstation, nt_errstr(status)));
9911+ return status;
9912+ }
9913+
9914+ return NT_STATUS_OK;
9915+ }
9916+ return NT_STATUS_INVALID_PARAMETER;
9917+}
9918+
9919+/**
9920+ * Returns anonymous credentials for schannel, matching Win2k3.
9921+ *
9922+ */
9923+
9924+static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
9925+ TALLOC_CTX *mem_ctx,
9926+ struct auth_session_info **_session_info)
9927+{
9928+ return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
9929+}
9930+
9931+static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
9932+{
9933+ return NT_STATUS_OK;
9934+}
9935+
9936+static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
9937+{
9938+ return NT_STATUS_OK;
9939+}
9940+
9941+static bool schannel_have_feature(struct gensec_security *gensec_security,
9942+ uint32_t feature)
9943+{
9944+ if (feature & (GENSEC_FEATURE_SIGN |
9945+ GENSEC_FEATURE_SEAL)) {
9946+ return true;
9947+ }
9948+ if (feature & GENSEC_FEATURE_DCE_STYLE) {
9949+ return true;
9950+ }
9951+ return false;
9952+}
9953+
9954+/*
9955+ unseal a packet
9956+*/
9957+static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
9958+ uint8_t *data, size_t length,
9959+ const uint8_t *whole_pdu, size_t pdu_length,
9960+ const DATA_BLOB *sig)
9961+{
9962+ struct schannel_state *state =
9963+ talloc_get_type_abort(gensec_security->private_data,
9964+ struct schannel_state);
9965+
9966+ return netsec_incoming_packet(state, true,
9967+ discard_const_p(uint8_t, data),
9968+ length, sig);
9969+}
9970+
9971+/*
9972+ check the signature on a packet
9973+*/
9974+static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
9975+ const uint8_t *data, size_t length,
9976+ const uint8_t *whole_pdu, size_t pdu_length,
9977+ const DATA_BLOB *sig)
9978+{
9979+ struct schannel_state *state =
9980+ talloc_get_type_abort(gensec_security->private_data,
9981+ struct schannel_state);
9982+
9983+ return netsec_incoming_packet(state, false,
9984+ discard_const_p(uint8_t, data),
9985+ length, sig);
9986+}
9987+/*
9988+ seal a packet
9989+*/
9990+static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
9991+ TALLOC_CTX *mem_ctx,
9992+ uint8_t *data, size_t length,
9993+ const uint8_t *whole_pdu, size_t pdu_length,
9994+ DATA_BLOB *sig)
9995+{
9996+ struct schannel_state *state =
9997+ talloc_get_type_abort(gensec_security->private_data,
9998+ struct schannel_state);
9999+
10000+ return netsec_outgoing_packet(state, mem_ctx, true,
10001+ data, length, sig);
10002+}
10003+
10004+/*
10005+ sign a packet
10006+*/
10007+static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
10008+ TALLOC_CTX *mem_ctx,
10009+ const uint8_t *data, size_t length,
10010+ const uint8_t *whole_pdu, size_t pdu_length,
10011+ DATA_BLOB *sig)
10012+{
10013+ struct schannel_state *state =
10014+ talloc_get_type_abort(gensec_security->private_data,
10015+ struct schannel_state);
10016+
10017+ return netsec_outgoing_packet(state, mem_ctx, false,
10018+ discard_const_p(uint8_t, data),
10019+ length, sig);
10020+}
10021+
10022+static const struct gensec_security_ops gensec_schannel_security_ops = {
10023+ .name = "schannel",
10024+ .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
10025+ .client_start = schannel_client_start,
10026+ .server_start = schannel_server_start,
10027+ .update = schannel_update,
10028+ .seal_packet = schannel_seal_packet,
10029+ .sign_packet = schannel_sign_packet,
10030+ .check_packet = schannel_check_packet,
10031+ .unseal_packet = schannel_unseal_packet,
10032+ .session_info = schannel_session_info,
10033+ .sig_size = schannel_sig_size,
10034+ .have_feature = schannel_have_feature,
10035+ .enabled = true,
10036+ .priority = GENSEC_SCHANNEL
10037+};
10038+
10039+_PUBLIC_ NTSTATUS gensec_schannel_init(void)
10040+{
10041+ NTSTATUS ret;
10042+ ret = gensec_register(&gensec_schannel_security_ops);
10043+ if (!NT_STATUS_IS_OK(ret)) {
10044+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
10045+ gensec_schannel_security_ops.name));
10046+ return ret;
10047+ }
10048+
10049+ return ret;
10050+}
10051diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
10052index 71222f7..7329eec 100755
10053--- a/auth/gensec/wscript_build
10054+++ b/auth/gensec/wscript_build
10055@@ -17,6 +17,14 @@ bld.SAMBA_MODULE('gensec_spnego',
10056 deps='asn1util samba-credentials SPNEGO_PARSE'
10057 )
10058
10059+bld.SAMBA_MODULE('gensec_schannel',
10060+ source='schannel.c',
10061+ autoproto='schannel_proto.h',
10062+ subsystem='gensec',
10063+ init_function='gensec_schannel_init',
10064+ deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials auth_session'
10065+ )
10066+
10067 bld.SAMBA_MODULE('gensec_external',
10068 source='external.c',
10069 autoproto='external_proto.h',
10070diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
10071deleted file mode 100644
10072index eb2e100..0000000
10073--- a/source4/auth/gensec/schannel.c
10074+++ /dev/null
10075@@ -1,330 +0,0 @@
10076-/*
10077- Unix SMB/CIFS implementation.
10078-
10079- dcerpc schannel operations
10080-
10081- Copyright (C) Andrew Tridgell 2004
10082- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
10083-
10084- This program is free software; you can redistribute it and/or modify
10085- it under the terms of the GNU General Public License as published by
10086- the Free Software Foundation; either version 3 of the License, or
10087- (at your option) any later version.
10088-
10089- This program is distributed in the hope that it will be useful,
10090- but WITHOUT ANY WARRANTY; without even the implied warranty of
10091- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10092- GNU General Public License for more details.
10093-
10094- You should have received a copy of the GNU General Public License
10095- along with this program. If not, see <http://www.gnu.org/licenses/>.
10096-*/
10097-
10098-#include "includes.h"
10099-#include "librpc/gen_ndr/ndr_schannel.h"
10100-#include "auth/auth.h"
10101-#include "auth/credentials/credentials.h"
10102-#include "auth/gensec/gensec.h"
10103-#include "auth/gensec/gensec_internal.h"
10104-#include "auth/gensec/gensec_proto.h"
10105-#include "../libcli/auth/schannel.h"
10106-#include "librpc/gen_ndr/dcerpc.h"
10107-#include "param/param.h"
10108-#include "auth/gensec/gensec_toplevel_proto.h"
10109-
10110-_PUBLIC_ NTSTATUS gensec_schannel_init(void);
10111-
10112-static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
10113-{
10114- struct schannel_state *state =
10115- talloc_get_type_abort(gensec_security->private_data,
10116- struct schannel_state);
10117-
10118- return netsec_outgoing_sig_size(state);
10119-}
10120-
10121-static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
10122- struct tevent_context *ev,
10123- const DATA_BLOB in, DATA_BLOB *out)
10124-{
10125- struct schannel_state *state =
10126- talloc_get_type(gensec_security->private_data,
10127- struct schannel_state);
10128- NTSTATUS status;
10129- enum ndr_err_code ndr_err;
10130- struct NL_AUTH_MESSAGE bind_schannel;
10131- struct NL_AUTH_MESSAGE bind_schannel_ack;
10132- struct netlogon_creds_CredentialState *creds;
10133- const char *workstation;
10134- const char *domain;
10135-
10136- *out = data_blob(NULL, 0);
10137-
10138- switch (gensec_security->gensec_role) {
10139- case GENSEC_CLIENT:
10140- if (state != NULL) {
10141- /* we could parse the bind ack, but we don't know what it is yet */
10142- return NT_STATUS_OK;
10143- }
10144-
10145- creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
10146- if (creds == NULL) {
10147- return NT_STATUS_INVALID_PARAMETER_MIX;
10148- }
10149-
10150- state = netsec_create_state(gensec_security,
10151- creds, true /* initiator */);
10152- if (state == NULL) {
10153- return NT_STATUS_NO_MEMORY;
10154- }
10155- gensec_security->private_data = state;
10156-
10157- bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
10158-#if 0
10159- /* to support this we'd need to have access to the full domain name */
10160- /* 0x17, 23 */
10161- bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
10162- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
10163- NL_FLAG_UTF8_DNS_DOMAIN_NAME |
10164- NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
10165- bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
10166- bind_schannel.oem_netbios_computer.a = creds->computer_name;
10167- bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
10168- /* w2k3 refuses us if we use the full DNS workstation?
10169- why? perhaps because we don't fill in the dNSHostName
10170- attribute in the machine account? */
10171- bind_schannel.utf8_netbios_computer = creds->computer_name;
10172-#else
10173- bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
10174- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
10175- bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
10176- bind_schannel.oem_netbios_computer.a = creds->computer_name;
10177-#endif
10178-
10179- ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
10180- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
10181- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
10182- status = ndr_map_error2ntstatus(ndr_err);
10183- DEBUG(3, ("Could not create schannel bind: %s\n",
10184- nt_errstr(status)));
10185- return status;
10186- }
10187-
10188- return NT_STATUS_MORE_PROCESSING_REQUIRED;
10189- case GENSEC_SERVER:
10190-
10191- if (state != NULL) {
10192- /* no third leg on this protocol */
10193- return NT_STATUS_INVALID_PARAMETER;
10194- }
10195-
10196- /* parse the schannel startup blob */
10197- ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
10198- (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
10199- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
10200- status = ndr_map_error2ntstatus(ndr_err);
10201- DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
10202- nt_errstr(status)));
10203- return status;
10204- }
10205-
10206- if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
10207- domain = bind_schannel.oem_netbios_domain.a;
10208- if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
10209- DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
10210- domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
10211- return NT_STATUS_LOGON_FAILURE;
10212- }
10213- } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
10214- domain = bind_schannel.utf8_dns_domain.u;
10215- if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
10216- DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
10217- domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
10218- return NT_STATUS_LOGON_FAILURE;
10219- }
10220- } else {
10221- DEBUG(3, ("Request for schannel to without domain\n"));
10222- return NT_STATUS_LOGON_FAILURE;
10223- }
10224-
10225- if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
10226- workstation = bind_schannel.oem_netbios_computer.a;
10227- } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
10228- workstation = bind_schannel.utf8_netbios_computer.u;
10229- } else {
10230- DEBUG(3, ("Request for schannel to without netbios workstation\n"));
10231- return NT_STATUS_LOGON_FAILURE;
10232- }
10233-
10234- status = schannel_get_creds_state(out_mem_ctx,
10235- gensec_security->settings->lp_ctx,
10236- workstation, &creds);
10237- if (!NT_STATUS_IS_OK(status)) {
10238- DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
10239- workstation, nt_errstr(status)));
10240- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
10241- return NT_STATUS_LOGON_FAILURE;
10242- }
10243- return status;
10244- }
10245-
10246- state = netsec_create_state(gensec_security,
10247- creds, false /* not initiator */);
10248- if (state == NULL) {
10249- return NT_STATUS_NO_MEMORY;
10250- }
10251- gensec_security->private_data = state;
10252-
10253- bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
10254- bind_schannel_ack.Flags = 0;
10255- bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
10256- * this does not have
10257- * any meaning here
10258- * - gd */
10259-
10260- ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
10261- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
10262- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
10263- status = ndr_map_error2ntstatus(ndr_err);
10264- DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
10265- workstation, nt_errstr(status)));
10266- return status;
10267- }
10268-
10269- return NT_STATUS_OK;
10270- }
10271- return NT_STATUS_INVALID_PARAMETER;
10272-}
10273-
10274-/**
10275- * Returns anonymous credentials for schannel, matching Win2k3.
10276- *
10277- */
10278-
10279-static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
10280- TALLOC_CTX *mem_ctx,
10281- struct auth_session_info **_session_info)
10282-{
10283- return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
10284-}
10285-
10286-static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
10287-{
10288- return NT_STATUS_OK;
10289-}
10290-
10291-static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
10292-{
10293- return NT_STATUS_OK;
10294-}
10295-
10296-static bool schannel_have_feature(struct gensec_security *gensec_security,
10297- uint32_t feature)
10298-{
10299- if (feature & (GENSEC_FEATURE_SIGN |
10300- GENSEC_FEATURE_SEAL)) {
10301- return true;
10302- }
10303- if (feature & GENSEC_FEATURE_DCE_STYLE) {
10304- return true;
10305- }
10306- return false;
10307-}
10308-
10309-/*
10310- unseal a packet
10311-*/
10312-static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
10313- uint8_t *data, size_t length,
10314- const uint8_t *whole_pdu, size_t pdu_length,
10315- const DATA_BLOB *sig)
10316-{
10317- struct schannel_state *state =
10318- talloc_get_type_abort(gensec_security->private_data,
10319- struct schannel_state);
10320-
10321- return netsec_incoming_packet(state, true,
10322- discard_const_p(uint8_t, data),
10323- length, sig);
10324-}
10325-
10326-/*
10327- check the signature on a packet
10328-*/
10329-static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
10330- const uint8_t *data, size_t length,
10331- const uint8_t *whole_pdu, size_t pdu_length,
10332- const DATA_BLOB *sig)
10333-{
10334- struct schannel_state *state =
10335- talloc_get_type_abort(gensec_security->private_data,
10336- struct schannel_state);
10337-
10338- return netsec_incoming_packet(state, false,
10339- discard_const_p(uint8_t, data),
10340- length, sig);
10341-}
10342-/*
10343- seal a packet
10344-*/
10345-static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
10346- TALLOC_CTX *mem_ctx,
10347- uint8_t *data, size_t length,
10348- const uint8_t *whole_pdu, size_t pdu_length,
10349- DATA_BLOB *sig)
10350-{
10351- struct schannel_state *state =
10352- talloc_get_type_abort(gensec_security->private_data,
10353- struct schannel_state);
10354-
10355- return netsec_outgoing_packet(state, mem_ctx, true,
10356- data, length, sig);
10357-}
10358-
10359-/*
10360- sign a packet
10361-*/
10362-static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
10363- TALLOC_CTX *mem_ctx,
10364- const uint8_t *data, size_t length,
10365- const uint8_t *whole_pdu, size_t pdu_length,
10366- DATA_BLOB *sig)
10367-{
10368- struct schannel_state *state =
10369- talloc_get_type_abort(gensec_security->private_data,
10370- struct schannel_state);
10371-
10372- return netsec_outgoing_packet(state, mem_ctx, false,
10373- discard_const_p(uint8_t, data),
10374- length, sig);
10375-}
10376-
10377-static const struct gensec_security_ops gensec_schannel_security_ops = {
10378- .name = "schannel",
10379- .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
10380- .client_start = schannel_client_start,
10381- .server_start = schannel_server_start,
10382- .update = schannel_update,
10383- .seal_packet = schannel_seal_packet,
10384- .sign_packet = schannel_sign_packet,
10385- .check_packet = schannel_check_packet,
10386- .unseal_packet = schannel_unseal_packet,
10387- .session_info = schannel_session_info,
10388- .sig_size = schannel_sig_size,
10389- .have_feature = schannel_have_feature,
10390- .enabled = true,
10391- .priority = GENSEC_SCHANNEL
10392-};
10393-
10394-_PUBLIC_ NTSTATUS gensec_schannel_init(void)
10395-{
10396- NTSTATUS ret;
10397- ret = gensec_register(&gensec_schannel_security_ops);
10398- if (!NT_STATUS_IS_OK(ret)) {
10399- DEBUG(0,("Failed to register '%s' gensec backend!\n",
10400- gensec_schannel_security_ops.name));
10401- return ret;
10402- }
10403-
10404- return ret;
10405-}
10406diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build
10407index 04fccc5..a3eff97 100755
10408--- a/source4/auth/gensec/wscript_build
10409+++ b/source4/auth/gensec/wscript_build
10410@@ -32,16 +32,6 @@ bld.SAMBA_MODULE('cyrus_sasl',
10411 )
10412
10413
10414-bld.SAMBA_MODULE('gensec_schannel',
10415- source='schannel.c',
10416- subsystem='gensec',
10417- deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials ndr auth_session',
10418- internal_module=True,
10419- autoproto='schannel_proto.h',
10420- init_function='gensec_schannel_init'
10421- )
10422-
10423-
10424 bld.SAMBA_PYTHON('pygensec',
10425 source='pygensec.c',
10426 deps='gensec pytalloc-util pyparam_util',
10427--
104281.9.3
10429
10430
10431From c4829848f45db27d6c145b35a20bea2f33bcb4d7 Mon Sep 17 00:00:00 2001
10432From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
10433Date: Wed, 18 Sep 2013 17:24:49 +0200
10434Subject: [PATCH 094/249] gensec: remove duplicate
10435 gensec_security_by_authtype() call.
10436MIME-Version: 1.0
10437Content-Type: text/plain; charset=UTF-8
10438Content-Transfer-Encoding: 8bit
10439
10440We should use the equivalent gensec_security_by_auth_type() call which is
10441exposed in the public header.
10442
10443Guenther
10444
10445Signed-off-by: Günther Deschner <gd@samba.org>
10446Pair-Programmed-With: Andreas Schneider <asn@samba.org>
10447Reviewed-by: Stefan Metzmacher <metze@samba.org>
10448(cherry picked from commit d433ad077f354de4fc1d5a155d991f417ae9967c)
10449---
10450 auth/gensec/gensec_start.c | 29 ++---------------------------
10451 1 file changed, 2 insertions(+), 27 deletions(-)
10452
10453diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
10454index 3ae64d5..906ef67 100644
10455--- a/auth/gensec/gensec_start.c
10456+++ b/auth/gensec/gensec_start.c
10457@@ -157,31 +157,6 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
10458
10459 }
10460
10461-static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
10462- uint8_t auth_type)
10463-{
10464- int i;
10465- const struct gensec_security_ops **backends;
10466- const struct gensec_security_ops *backend;
10467- TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
10468- if (!mem_ctx) {
10469- return NULL;
10470- }
10471- backends = gensec_security_mechs(gensec_security, mem_ctx);
10472- for (i=0; backends && backends[i]; i++) {
10473- if (!gensec_security_ops_enabled(backends[i], gensec_security))
10474- continue;
10475- if (backends[i]->auth_type == auth_type) {
10476- backend = backends[i];
10477- talloc_free(mem_ctx);
10478- return backend;
10479- }
10480- }
10481- talloc_free(mem_ctx);
10482-
10483- return NULL;
10484-}
10485-
10486 _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
10487 struct gensec_security *gensec_security,
10488 const char *oid_string)
10489@@ -719,7 +694,7 @@ NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
10490 _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
10491 uint8_t auth_type, uint8_t auth_level)
10492 {
10493- gensec_security->ops = gensec_security_by_authtype(gensec_security, auth_type);
10494+ gensec_security->ops = gensec_security_by_auth_type(gensec_security, auth_type);
10495 if (!gensec_security->ops) {
10496 DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type));
10497 return NT_STATUS_INVALID_PARAMETER;
10498@@ -746,7 +721,7 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
10499 _PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
10500 {
10501 const struct gensec_security_ops *ops;
10502- ops = gensec_security_by_authtype(gensec_security, authtype);
10503+ ops = gensec_security_by_auth_type(gensec_security, authtype);
10504 if (ops) {
10505 return ops->name;
10506 }
10507--
105081.9.3
10509
10510
10511From 8c54d2ee4861a35def7cce29b900a68112356f6b Mon Sep 17 00:00:00 2001
10512From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
10513Date: Wed, 18 Sep 2013 17:25:55 +0200
10514Subject: [PATCH 095/249] gensec: check for NULL gensec_security in
10515 gensec_security_by_auth_type().
10516MIME-Version: 1.0
10517Content-Type: text/plain; charset=UTF-8
10518Content-Transfer-Encoding: 8bit
10519
10520We have equivalent checks in other gensec_security_by_X calls already.
10521
10522Guenther
10523
10524Signed-off-by: Günther Deschner <gd@samba.org>
10525Pair-Programmed-With: Andreas Schneider <asn@samba.org>
10526Reviewed-by: Stefan Metzmacher <metze@samba.org>
10527(cherry picked from commit 4f979525e4137c536118a9c2b2b4ef798c270e27)
10528---
10529 auth/gensec/gensec_start.c | 6 ++++--
10530 1 file changed, 4 insertions(+), 2 deletions(-)
10531
10532diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
10533index 906ef67..476134a 100644
10534--- a/auth/gensec/gensec_start.c
10535+++ b/auth/gensec/gensec_start.c
10536@@ -230,8 +230,10 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
10537 }
10538 backends = gensec_security_mechs(gensec_security, mem_ctx);
10539 for (i=0; backends && backends[i]; i++) {
10540- if (!gensec_security_ops_enabled(backends[i], gensec_security))
10541- continue;
10542+ if (gensec_security != NULL &&
10543+ !gensec_security_ops_enabled(backends[i], gensec_security)) {
10544+ continue;
10545+ }
10546 if (backends[i]->auth_type == auth_type) {
10547 backend = backends[i];
10548 talloc_free(mem_ctx);
10549--
105501.9.3
10551
10552
10553From 5b941811c7ebd51bf2c8d421517fd92b3065ba47 Mon Sep 17 00:00:00 2001
10554From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
10555Date: Wed, 18 Sep 2013 17:27:28 +0200
10556Subject: [PATCH 096/249] s3-auth: also load schannel module from
10557 auth_generic_client_prepare().
10558MIME-Version: 1.0
10559Content-Type: text/plain; charset=UTF-8
10560Content-Transfer-Encoding: 8bit
10561
10562Guenther
10563
10564Signed-off-by: Günther Deschner <gd@samba.org>
10565Pair-Programmed-With: Andreas Schneider <asn@samba.org>
10566Reviewed-by: Stefan Metzmacher <metze@samba.org>
10567(cherry picked from commit 8fce75aa58ec70547ad218bde154e141f2d17303)
10568---
10569 source3/libsmb/auth_generic.c | 3 ++-
10570 1 file changed, 2 insertions(+), 1 deletion(-)
10571
10572diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
10573index e30c1b7..3130dec 100644
10574--- a/source3/libsmb/auth_generic.c
10575+++ b/source3/libsmb/auth_generic.c
10576@@ -78,7 +78,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
10577 }
10578
10579 backends = talloc_zero_array(gensec_settings,
10580- const struct gensec_security_ops *, 4);
10581+ const struct gensec_security_ops *, 5);
10582 if (backends == NULL) {
10583 TALLOC_FREE(ans);
10584 return NT_STATUS_NO_MEMORY;
10585@@ -95,6 +95,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
10586 backends[idx++] = &gensec_ntlmssp3_client_ops;
10587
10588 backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
10589+ backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
10590
10591 nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
10592
10593--
105941.9.3
10595
10596
10597From 28b5f156bcc03b88f8c0f3e52cd051a0b069334e Mon Sep 17 00:00:00 2001
10598From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
10599Date: Wed, 18 Sep 2013 17:44:10 +0200
10600Subject: [PATCH 097/249] s3-rpc_cli: allow to pass down a netlogon
10601 CredentialState struct to gensec.
10602MIME-Version: 1.0
10603Content-Type: text/plain; charset=UTF-8
10604Content-Transfer-Encoding: 8bit
10605
10606Guenther
10607
10608Signed-off-by: Günther Deschner <gd@samba.org>
10609Pair-Programmed-With: Andreas Schneider <asn@samba.org>
10610Reviewed-by: Stefan Metzmacher <metze@samba.org>
10611(cherry picked from commit 7b570b4128f9af212048ce56abd841a1f6fdc259)
10612---
10613 source3/rpc_client/cli_pipe.c | 5 ++++-
10614 1 file changed, 4 insertions(+), 1 deletion(-)
10615
10616diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
10617index 470469f..2acbad6 100644
10618--- a/source3/rpc_client/cli_pipe.c
10619+++ b/source3/rpc_client/cli_pipe.c
10620@@ -2178,6 +2178,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
10621 const char *username,
10622 const char *password,
10623 enum credentials_use_kerberos use_kerberos,
10624+ struct netlogon_creds_CredentialState *creds,
10625 struct pipe_auth_data **presult)
10626 {
10627 struct auth_generic_state *auth_generic_ctx;
10628@@ -2231,6 +2232,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
10629 }
10630
10631 cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos);
10632+ cli_credentials_set_netlogon_creds(auth_generic_ctx->credentials, creds);
10633
10634 status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);
10635 if (!NT_STATUS_IS_OK(status)) {
10636@@ -2830,6 +2832,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
10637 server, target_service,
10638 domain, username, password,
10639 CRED_AUTO_USE_KERBEROS,
10640+ NULL,
10641 &auth);
10642 if (!NT_STATUS_IS_OK(status)) {
10643 DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
10644@@ -3057,7 +3060,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
10645 DCERPC_AUTH_TYPE_SPNEGO, auth_level,
10646 server, target_service,
10647 domain, username, password,
10648- use_kerberos,
10649+ use_kerberos, NULL,
10650 &auth);
10651 if (!NT_STATUS_IS_OK(status)) {
10652 DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
10653--
106541.9.3
10655
10656
10657From 4775b3fd2905e54b2c824d901fd8a99fb8caae04 Mon Sep 17 00:00:00 2001
10658From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
10659Date: Wed, 18 Sep 2013 18:23:40 +0200
10660Subject: [PATCH 098/249] s3-auth: register schannel gensec module in
10661 auth_generic_prepare() as well.
10662MIME-Version: 1.0
10663Content-Type: text/plain; charset=UTF-8
10664Content-Transfer-Encoding: 8bit
10665
10666Guenther
10667
10668Signed-off-by: Günther Deschner <gd@samba.org>
10669Pair-Programmed-With: Andreas Schneider <asn@samba.org>
10670Reviewed-by: Stefan Metzmacher <metze@samba.org>
10671(cherry picked from commit 090671aca5234f47f390054de771198e3c177060)
10672---
10673 source3/auth/auth_generic.c | 5 ++++-
10674 1 file changed, 4 insertions(+), 1 deletion(-)
10675
10676diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
10677index e15c87e..e07d3b7 100644
10678--- a/source3/auth/auth_generic.c
10679+++ b/source3/auth/auth_generic.c
10680@@ -32,6 +32,7 @@
10681 #include "librpc/crypto/gse.h"
10682 #include "auth/credentials/credentials.h"
10683 #include "lib/param/loadparm.h"
10684+#include "librpc/gen_ndr/dcerpc.h"
10685
10686 static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
10687 TALLOC_CTX *mem_ctx,
10688@@ -261,7 +262,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
10689 }
10690
10691 backends = talloc_zero_array(gensec_settings,
10692- const struct gensec_security_ops *, 4);
10693+ const struct gensec_security_ops *, 5);
10694 if (backends == NULL) {
10695 TALLOC_FREE(tmp_ctx);
10696 return NT_STATUS_NO_MEMORY;
10697@@ -279,6 +280,8 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
10698
10699 backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
10700
10701+ backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
10702+
10703 /*
10704 * This is anonymous for now, because we just use it
10705 * to set the kerberos state at the moment
10706--
107071.9.3
10708
10709
10710From 080c2ac3cbd28318bc6c682dff0aea17fad07a2c Mon Sep 17 00:00:00 2001
10711From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
10712Date: Wed, 18 Sep 2013 18:33:14 +0200
10713Subject: [PATCH 099/249] s3-rpc_cli: use gensec for schannel bind.
10714MIME-Version: 1.0
10715Content-Type: text/plain; charset=UTF-8
10716Content-Transfer-Encoding: 8bit
10717
10718Guenther
10719
10720Signed-off-by: Günther Deschner <gd@samba.org>
10721Pair-Programmed-With: Andreas Schneider <asn@samba.org>
10722Reviewed-by: Stefan Metzmacher <metze@samba.org>
10723(cherry picked from commit 89d0b89b5d58ceef13bc10036d396b10f8a102ae)
10724---
10725 source3/rpc_client/cli_pipe.c | 22 +++++++++++++---------
10726 1 file changed, 13 insertions(+), 9 deletions(-)
10727
10728diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
10729index 2acbad6..8a642e2 100644
10730--- a/source3/rpc_client/cli_pipe.c
10731+++ b/source3/rpc_client/cli_pipe.c
10732@@ -1120,12 +1120,6 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
10733
10734 switch (auth->auth_type) {
10735 case DCERPC_AUTH_TYPE_SCHANNEL:
10736- ret = create_schannel_auth_rpc_bind_req(cli, &auth_token);
10737- if (!NT_STATUS_IS_OK(ret)) {
10738- return ret;
10739- }
10740- break;
10741-
10742 case DCERPC_AUTH_TYPE_NTLMSSP:
10743 case DCERPC_AUTH_TYPE_KRB5:
10744 case DCERPC_AUTH_TYPE_SPNEGO:
10745@@ -2884,16 +2878,26 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
10746 struct netr_Authenticator auth;
10747 struct netr_Authenticator return_auth;
10748 union netr_Capabilities capabilities;
10749+ const char *target_service = table->authservices->names[0];
10750
10751 status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
10752 if (!NT_STATUS_IS_OK(status)) {
10753 return status;
10754 }
10755
10756- status = rpccli_schannel_bind_data(rpccli, domain, auth_level,
10757- *pdc, &rpcauth);
10758+ status = rpccli_generic_bind_data(rpccli,
10759+ DCERPC_AUTH_TYPE_SCHANNEL,
10760+ auth_level,
10761+ NULL,
10762+ target_service,
10763+ domain,
10764+ (*pdc)->computer_name,
10765+ NULL,
10766+ CRED_AUTO_USE_KERBEROS,
10767+ *pdc,
10768+ &rpcauth);
10769 if (!NT_STATUS_IS_OK(status)) {
10770- DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
10771+ DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
10772 nt_errstr(status)));
10773 TALLOC_FREE(rpccli);
10774 return status;
10775--
107761.9.3
10777
10778
10779From 40ffd89f975e06821379fbd240187f5e268da5fe Mon Sep 17 00:00:00 2001
10780From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
10781Date: Wed, 18 Sep 2013 18:34:58 +0200
10782Subject: [PATCH 100/249] s3-rpc_srv: use gensec for schannel bind.
10783MIME-Version: 1.0
10784Content-Type: text/plain; charset=UTF-8
10785Content-Transfer-Encoding: 8bit
10786
10787Guenther
10788
10789Signed-off-by: Günther Deschner <gd@samba.org>
10790Pair-Programmed-With: Andreas Schneider <asn@samba.org>
10791Reviewed-by: Stefan Metzmacher <metze@samba.org>
10792(cherry picked from commit a32a83ba9d6c7b5bbe9077973e5402ba65c068e7)
10793---
10794 source3/rpc_server/srv_pipe.c | 9 +++++++--
10795 1 file changed, 7 insertions(+), 2 deletions(-)
10796
10797diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
10798index 9043a14..fd7a90a 100644
10799--- a/source3/rpc_server/srv_pipe.c
10800+++ b/source3/rpc_server/srv_pipe.c
10801@@ -808,10 +808,15 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
10802 break;
10803
10804 case DCERPC_AUTH_TYPE_SCHANNEL:
10805- if (!pipe_schannel_auth_bind(p, pkt,
10806- &auth_info, &auth_resp)) {
10807+ if (!pipe_auth_generic_bind(p, pkt,
10808+ &auth_info, &auth_resp)) {
10809+ goto err_exit;
10810+ }
10811+ if (!session_info_set_session_key(p->session_info, generic_session_key())) {
10812+ DEBUG(0, ("session_info_set_session_key failed\n"));
10813 goto err_exit;
10814 }
10815+ p->pipe_bound = true;
10816 break;
10817
10818 case DCERPC_AUTH_TYPE_SPNEGO:
10819--
108201.9.3
10821
10822
10823From 285de020b6e284ad5074492d62740ba8a370826a Mon Sep 17 00:00:00 2001
10824From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
10825Date: Wed, 18 Sep 2013 18:36:19 +0200
10826Subject: [PATCH 101/249] s3-rpc: use gensec for schannel footer processing.
10827MIME-Version: 1.0
10828Content-Type: text/plain; charset=UTF-8
10829Content-Transfer-Encoding: 8bit
10830
10831Guenther
10832
10833Signed-off-by: Günther Deschner <gd@samba.org>
10834Pair-Programmed-With: Andreas Schneider <asn@samba.org>
10835Reviewed-by: Stefan Metzmacher <metze@samba.org>
10836(cherry picked from commit 5a628490e46f428432cd9b32c2b4b3a34a3736ae)
10837---
10838 source3/librpc/rpc/dcerpc_helpers.c | 35 +++--------------------------------
10839 1 file changed, 3 insertions(+), 32 deletions(-)
10840
10841diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
10842index 97999d7..b9e05cb 100644
10843--- a/source3/librpc/rpc/dcerpc_helpers.c
10844+++ b/source3/librpc/rpc/dcerpc_helpers.c
10845@@ -273,7 +273,6 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
10846 size_t max_len;
10847 size_t mod_len;
10848 struct gensec_security *gensec_security;
10849- struct schannel_state *schannel_auth;
10850
10851 /* no auth token cases first */
10852 switch (auth->auth_level) {
10853@@ -307,16 +306,11 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
10854 case DCERPC_AUTH_TYPE_SPNEGO:
10855 case DCERPC_AUTH_TYPE_NTLMSSP:
10856 case DCERPC_AUTH_TYPE_KRB5:
10857+ case DCERPC_AUTH_TYPE_SCHANNEL:
10858 gensec_security = talloc_get_type_abort(auth->auth_ctx,
10859 struct gensec_security);
10860 *auth_len = gensec_sig_size(gensec_security, max_len);
10861 break;
10862-
10863- case DCERPC_AUTH_TYPE_SCHANNEL:
10864- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
10865- struct schannel_state);
10866- *auth_len = netsec_outgoing_sig_size(schannel_auth);
10867- break;
10868 default:
10869 return NT_STATUS_INVALID_PARAMETER;
10870 }
10871@@ -548,7 +542,6 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
10872 NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
10873 size_t pad_len, DATA_BLOB *rpc_out)
10874 {
10875- struct schannel_state *schannel_auth;
10876 struct gensec_security *gensec_security;
10877 char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
10878 DATA_BLOB auth_info;
10879@@ -600,19 +593,13 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
10880 case DCERPC_AUTH_TYPE_SPNEGO:
10881 case DCERPC_AUTH_TYPE_KRB5:
10882 case DCERPC_AUTH_TYPE_NTLMSSP:
10883+ case DCERPC_AUTH_TYPE_SCHANNEL:
10884 gensec_security = talloc_get_type_abort(auth->auth_ctx,
10885 struct gensec_security);
10886 status = add_generic_auth_footer(gensec_security,
10887 auth->auth_level,
10888 rpc_out);
10889 break;
10890- case DCERPC_AUTH_TYPE_SCHANNEL:
10891- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
10892- struct schannel_state);
10893- status = add_schannel_auth_footer(schannel_auth,
10894- auth->auth_level,
10895- rpc_out);
10896- break;
10897 default:
10898 status = NT_STATUS_INVALID_PARAMETER;
10899 break;
10900@@ -640,7 +627,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
10901 DATA_BLOB *raw_pkt,
10902 size_t *pad_len)
10903 {
10904- struct schannel_state *schannel_auth;
10905 struct gensec_security *gensec_security;
10906 NTSTATUS status;
10907 struct dcerpc_auth auth_info;
10908@@ -710,6 +696,7 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
10909 case DCERPC_AUTH_TYPE_SPNEGO:
10910 case DCERPC_AUTH_TYPE_KRB5:
10911 case DCERPC_AUTH_TYPE_NTLMSSP:
10912+ case DCERPC_AUTH_TYPE_SCHANNEL:
10913
10914 DEBUG(10, ("GENSEC auth\n"));
10915
10916@@ -723,22 +710,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
10917 return status;
10918 }
10919 break;
10920-
10921- case DCERPC_AUTH_TYPE_SCHANNEL:
10922-
10923- DEBUG(10, ("SCHANNEL auth\n"));
10924-
10925- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
10926- struct schannel_state);
10927- status = get_schannel_auth_footer(pkt, schannel_auth,
10928- auth->auth_level,
10929- &data, &full_pkt,
10930- &auth_info.credentials);
10931- if (!NT_STATUS_IS_OK(status)) {
10932- return status;
10933- }
10934- break;
10935-
10936 default:
10937 DEBUG(0, ("process_request_pdu: "
10938 "unknown auth type %u set.\n",
10939--
109401.9.3
10941
10942
10943From cfa396d153cedb9b10356540a479ff299c480cae Mon Sep 17 00:00:00 2001
10944From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
10945Date: Thu, 19 Sep 2013 11:03:31 +0200
10946Subject: [PATCH 102/249] s3-rpc_cli: remove unused schannel calls from
10947 dcerpc_helpers.c
10948MIME-Version: 1.0
10949Content-Type: text/plain; charset=UTF-8
10950Content-Transfer-Encoding: 8bit
10951
10952Guenther
10953
10954Signed-off-by: Günther Deschner <gd@samba.org>
10955Reviewed-by: Stefan Metzmacher <metze@samba.org>
10956(cherry picked from commit 639f60b1513a8c877d307ed86b7748250821fb3f)
10957---
10958 source3/librpc/rpc/dcerpc.h | 3 -
10959 source3/librpc/rpc/dcerpc_helpers.c | 124 ------------------------------------
10960 2 files changed, 127 deletions(-)
10961
10962diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
10963index b3ae3b4..38d59cd 100644
10964--- a/source3/librpc/rpc/dcerpc.h
10965+++ b/source3/librpc/rpc/dcerpc.h
10966@@ -60,9 +60,6 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
10967 const DATA_BLOB *blob,
10968 struct ncacn_packet *r,
10969 bool bigendian);
10970-NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
10971- struct NL_AUTH_MESSAGE *r,
10972- DATA_BLOB *blob);
10973 NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx,
10974 enum dcerpc_AuthType auth_type,
10975 enum dcerpc_AuthLevel auth_level,
10976diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
10977index b9e05cb..2400bfd 100644
10978--- a/source3/librpc/rpc/dcerpc_helpers.c
10979+++ b/source3/librpc/rpc/dcerpc_helpers.c
10980@@ -21,9 +21,6 @@
10981 #include "includes.h"
10982 #include "librpc/rpc/dcerpc.h"
10983 #include "librpc/gen_ndr/ndr_dcerpc.h"
10984-#include "librpc/gen_ndr/ndr_schannel.h"
10985-#include "../libcli/auth/schannel.h"
10986-#include "../libcli/auth/spnego.h"
10987 #include "librpc/crypto/gse.h"
10988 #include "auth/gensec/gensec.h"
10989
10990@@ -135,34 +132,6 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
10991 }
10992
10993 /**
10994-* @brief NDR Encodes a NL_AUTH_MESSAGE
10995-*
10996-* @param mem_ctx The memory context the blob will be allocated on
10997-* @param r The NL_AUTH_MESSAGE to encode
10998-* @param blob [out] The encoded blob if successful
10999-*
11000-* @return a NTSTATUS error code
11001-*/
11002-NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
11003- struct NL_AUTH_MESSAGE *r,
11004- DATA_BLOB *blob)
11005-{
11006- enum ndr_err_code ndr_err;
11007-
11008- ndr_err = ndr_push_struct_blob(blob, mem_ctx, r,
11009- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
11010- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
11011- return ndr_map_error2ntstatus(ndr_err);
11012- }
11013-
11014- if (DEBUGLEVEL >= 10) {
11015- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, r);
11016- }
11017-
11018- return NT_STATUS_OK;
11019-}
11020-
11021-/**
11022 * @brief NDR Encodes a dcerpc_auth structure
11023 *
11024 * @param mem_ctx The memory context the blob will be allocated on
11025@@ -437,99 +406,6 @@ static NTSTATUS get_generic_auth_footer(struct gensec_security *gensec_security,
11026 }
11027 }
11028
11029-/*******************************************************************
11030- Create and add the schannel sign/seal auth data.
11031- ********************************************************************/
11032-
11033-static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
11034- enum dcerpc_AuthLevel auth_level,
11035- DATA_BLOB *rpc_out)
11036-{
11037- uint8_t *data_p = rpc_out->data + DCERPC_RESPONSE_LENGTH;
11038- size_t data_and_pad_len = rpc_out->length
11039- - DCERPC_RESPONSE_LENGTH
11040- - DCERPC_AUTH_TRAILER_LENGTH;
11041- DATA_BLOB auth_blob;
11042- NTSTATUS status;
11043-
11044- if (!sas) {
11045- return NT_STATUS_INVALID_PARAMETER;
11046- }
11047-
11048- switch (auth_level) {
11049- case DCERPC_AUTH_LEVEL_PRIVACY:
11050- status = netsec_outgoing_packet(sas,
11051- rpc_out->data,
11052- true,
11053- data_p,
11054- data_and_pad_len,
11055- &auth_blob);
11056- break;
11057- case DCERPC_AUTH_LEVEL_INTEGRITY:
11058- status = netsec_outgoing_packet(sas,
11059- rpc_out->data,
11060- false,
11061- data_p,
11062- data_and_pad_len,
11063- &auth_blob);
11064- break;
11065- default:
11066- status = NT_STATUS_INTERNAL_ERROR;
11067- break;
11068- }
11069-
11070- if (!NT_STATUS_IS_OK(status)) {
11071- DEBUG(1,("add_schannel_auth_footer: failed to process packet: %s\n",
11072- nt_errstr(status)));
11073- return status;
11074- }
11075-
11076- if (DEBUGLEVEL >= 10) {
11077- dump_NL_AUTH_SIGNATURE(talloc_tos(), &auth_blob);
11078- }
11079-
11080- /* Finally attach the blob. */
11081- if (!data_blob_append(NULL, rpc_out,
11082- auth_blob.data, auth_blob.length)) {
11083- return NT_STATUS_NO_MEMORY;
11084- }
11085- data_blob_free(&auth_blob);
11086-
11087- return NT_STATUS_OK;
11088-}
11089-
11090-/*******************************************************************
11091- Check/unseal the Schannel auth data. (Unseal in place).
11092- ********************************************************************/
11093-
11094-static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
11095- struct schannel_state *auth_state,
11096- enum dcerpc_AuthLevel auth_level,
11097- DATA_BLOB *data, DATA_BLOB *full_pkt,
11098- DATA_BLOB *auth_token)
11099-{
11100- switch (auth_level) {
11101- case DCERPC_AUTH_LEVEL_PRIVACY:
11102- /* Data portion is encrypted. */
11103- return netsec_incoming_packet(auth_state,
11104- true,
11105- data->data,
11106- data->length,
11107- auth_token);
11108-
11109- case DCERPC_AUTH_LEVEL_INTEGRITY:
11110- /* Data is signed. */
11111- return netsec_incoming_packet(auth_state,
11112- false,
11113- data->data,
11114- data->length,
11115- auth_token);
11116-
11117- default:
11118- return NT_STATUS_INVALID_PARAMETER;
11119- }
11120-}
11121-
11122 /**
11123 * @brief Append an auth footer according to what is the current mechanism
11124 *
11125--
111261.9.3
11127
11128
11129From 3c10a3501c04e1f5f9bd2bb1418b95b4b17248a8 Mon Sep 17 00:00:00 2001
11130From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
11131Date: Thu, 19 Sep 2013 11:04:19 +0200
11132Subject: [PATCH 103/249] s3-rpc_cli: remove unused schannel calls from
11133 cli_pipe.c
11134MIME-Version: 1.0
11135Content-Type: text/plain; charset=UTF-8
11136Content-Transfer-Encoding: 8bit
11137
11138Guenther
11139
11140Signed-off-by: Günther Deschner <gd@samba.org>
11141Reviewed-by: Stefan Metzmacher <metze@samba.org>
11142(cherry picked from commit 45949d721892a0e8a6b1a76e221c6b3bfd6a872f)
11143---
11144 source3/rpc_client/cli_pipe.c | 76 -------------------------------------------
11145 1 file changed, 76 deletions(-)
11146
11147diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
11148index 8a642e2..b73f2f2 100644
11149--- a/source3/rpc_client/cli_pipe.c
11150+++ b/source3/rpc_client/cli_pipe.c
11151@@ -22,11 +22,8 @@
11152 #include "includes.h"
11153 #include "../lib/util/tevent_ntstatus.h"
11154 #include "librpc/gen_ndr/ndr_epmapper_c.h"
11155-#include "../librpc/gen_ndr/ndr_schannel.h"
11156 #include "../librpc/gen_ndr/ndr_dssetup.h"
11157 #include "../libcli/auth/schannel.h"
11158-#include "../libcli/auth/spnego.h"
11159-#include "../auth/ntlmssp/ntlmssp.h"
11160 #include "auth_generic.h"
11161 #include "librpc/gen_ndr/ndr_dcerpc.h"
11162 #include "librpc/gen_ndr/ndr_netlogon_c.h"
11163@@ -1018,42 +1015,6 @@ static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
11164 }
11165
11166 /*******************************************************************
11167- Creates schannel auth bind.
11168- ********************************************************************/
11169-
11170-static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
11171- DATA_BLOB *auth_token)
11172-{
11173- NTSTATUS status;
11174- struct NL_AUTH_MESSAGE r;
11175-
11176- if (!cli->auth->user_name || !cli->auth->user_name[0]) {
11177- return NT_STATUS_INVALID_PARAMETER_MIX;
11178- }
11179-
11180- if (!cli->auth->domain || !cli->auth->domain[0]) {
11181- return NT_STATUS_INVALID_PARAMETER_MIX;
11182- }
11183-
11184- /*
11185- * Now marshall the data into the auth parse_struct.
11186- */
11187-
11188- r.MessageType = NL_NEGOTIATE_REQUEST;
11189- r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
11190- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
11191- r.oem_netbios_domain.a = cli->auth->domain;
11192- r.oem_netbios_computer.a = cli->auth->user_name;
11193-
11194- status = dcerpc_push_schannel_bind(cli, &r, auth_token);
11195- if (!NT_STATUS_IS_OK(status)) {
11196- return status;
11197- }
11198-
11199- return NT_STATUS_OK;
11200-}
11201-
11202-/*******************************************************************
11203 Creates the internals of a DCE/RPC bind request or alter context PDU.
11204 ********************************************************************/
11205
11206@@ -2243,43 +2204,6 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
11207 return status;
11208 }
11209
11210-static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
11211- const char *domain,
11212- enum dcerpc_AuthLevel auth_level,
11213- struct netlogon_creds_CredentialState *creds,
11214- struct pipe_auth_data **presult)
11215-{
11216- struct schannel_state *schannel_auth;
11217- struct pipe_auth_data *result;
11218-
11219- result = talloc(mem_ctx, struct pipe_auth_data);
11220- if (result == NULL) {
11221- return NT_STATUS_NO_MEMORY;
11222- }
11223-
11224- result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
11225- result->auth_level = auth_level;
11226-
11227- result->user_name = talloc_strdup(result, creds->computer_name);
11228- result->domain = talloc_strdup(result, domain);
11229- if ((result->user_name == NULL) || (result->domain == NULL)) {
11230- goto fail;
11231- }
11232-
11233- schannel_auth = netsec_create_state(result, creds, true /* initiator */);
11234- if (schannel_auth == NULL) {
11235- goto fail;
11236- }
11237-
11238- result->auth_ctx = schannel_auth;
11239- *presult = result;
11240- return NT_STATUS_OK;
11241-
11242- fail:
11243- TALLOC_FREE(result);
11244- return NT_STATUS_NO_MEMORY;
11245-}
11246-
11247 /**
11248 * Create an rpc pipe client struct, connecting to a tcp port.
11249 */
11250--
112511.9.3
11252
11253
11254From e4b33d6311e051501815199bd6c6dbba33f1bc55 Mon Sep 17 00:00:00 2001
11255From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
11256Date: Thu, 19 Sep 2013 11:05:21 +0200
11257Subject: [PATCH 104/249] s3-rpc_srv: remove unused schannel calls from
11258 srv_pipe.c
11259MIME-Version: 1.0
11260Content-Type: text/plain; charset=UTF-8
11261Content-Transfer-Encoding: 8bit
11262
11263Guenther
11264
11265Signed-off-by: Günther Deschner <gd@samba.org>
11266Reviewed-by: Stefan Metzmacher <metze@samba.org>
11267
11268Autobuild-User(master): Günther Deschner <gd@samba.org>
11269Autobuild-Date(master): Thu Sep 19 12:59:04 CEST 2013 on sn-devel-104
11270(cherry picked from commit 6965f918c04328535c55a0ef9b7fe6392fba193a)
11271---
11272 source3/rpc_server/srv_pipe.c | 116 ------------------------------------------
11273 1 file changed, 116 deletions(-)
11274
11275diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
11276index fd7a90a..06752a8 100644
11277--- a/source3/rpc_server/srv_pipe.c
11278+++ b/source3/rpc_server/srv_pipe.c
11279@@ -30,11 +30,8 @@
11280 #include "includes.h"
11281 #include "system/filesys.h"
11282 #include "srv_pipe_internal.h"
11283-#include "../librpc/gen_ndr/ndr_schannel.h"
11284 #include "../librpc/gen_ndr/dcerpc.h"
11285 #include "../librpc/rpc/rpc_common.h"
11286-#include "../libcli/auth/schannel.h"
11287-#include "../libcli/auth/spnego.h"
11288 #include "dcesrv_auth_generic.h"
11289 #include "rpc_server.h"
11290 #include "rpc_dce.h"
11291@@ -415,119 +412,6 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
11292 }
11293
11294 /*******************************************************************
11295- Handle an schannel bind auth.
11296-*******************************************************************/
11297-
11298-static bool pipe_schannel_auth_bind(struct pipes_struct *p,
11299- TALLOC_CTX *mem_ctx,
11300- struct dcerpc_auth *auth_info,
11301- DATA_BLOB *response)
11302-{
11303- struct NL_AUTH_MESSAGE neg;
11304- struct NL_AUTH_MESSAGE reply;
11305- bool ret;
11306- NTSTATUS status;
11307- struct netlogon_creds_CredentialState *creds;
11308- enum ndr_err_code ndr_err;
11309- struct schannel_state *schannel_auth;
11310- struct loadparm_context *lp_ctx;
11311-
11312- ndr_err = ndr_pull_struct_blob(
11313- &auth_info->credentials, mem_ctx, &neg,
11314- (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
11315- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
11316- DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
11317- return false;
11318- }
11319-
11320- if (DEBUGLEVEL >= 10) {
11321- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
11322- }
11323-
11324- if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
11325- DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
11326- return false;
11327- }
11328-
11329- lp_ctx = loadparm_init_s3(p, loadparm_s3_helpers());
11330- if (!lp_ctx) {
11331- DEBUG(0,("pipe_schannel_auth_bind: loadparm_init_s3() failed!\n"));
11332- return false;
11333- }
11334-
11335- /*
11336- * The neg.oem_netbios_computer.a key here must match the remote computer name
11337- * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
11338- * operations that use credentials.
11339- */
11340-
11341- become_root();
11342- status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
11343- neg.oem_netbios_computer.a, &creds);
11344- unbecome_root();
11345-
11346- talloc_unlink(p, lp_ctx);
11347- if (!NT_STATUS_IS_OK(status)) {
11348- DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
11349- return False;
11350- }
11351-
11352- schannel_auth = netsec_create_state(p, creds, false /* not initiator */);
11353- TALLOC_FREE(creds);
11354- if (!schannel_auth) {
11355- return False;
11356- }
11357-
11358- /*
11359- * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
11360- * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
11361- * struct of the person who opened the pipe. I need to test this further. JRA.
11362- *
11363- * VL. As we are mapping this to guest set the generic key
11364- * "SystemLibraryDTC" key here. It's a bit difficult to test against
11365- * W2k3, as it does not allow schannel binds against SAMR and LSA
11366- * anymore.
11367- */
11368-
11369- ret = session_info_set_session_key(p->session_info, generic_session_key());
11370-
11371- if (!ret) {
11372- DEBUG(0, ("session_info_set_session_key failed\n"));
11373- return false;
11374- }
11375-
11376- /*** SCHANNEL verifier ***/
11377-
11378- reply.MessageType = NL_NEGOTIATE_RESPONSE;
11379- reply.Flags = 0;
11380- reply.Buffer.dummy = 5; /* ??? actually I don't think
11381- * this has any meaning
11382- * here - gd */
11383-
11384- ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
11385- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
11386- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
11387- DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
11388- return false;
11389- }
11390-
11391- if (DEBUGLEVEL >= 10) {
11392- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
11393- }
11394-
11395- DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
11396- neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
11397-
11398- /* We're finished with this bind - no more packets. */
11399- p->auth.auth_ctx = schannel_auth;
11400- p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
11401-
11402- p->pipe_bound = True;
11403-
11404- return True;
11405-}
11406-
11407-/*******************************************************************
11408 Handle an NTLMSSP bind auth.
11409 *******************************************************************/
11410
11411--
114121.9.3
11413
11414
11415From 68fbdf567cb7d0bc3550b826204c0708a771a4dc Mon Sep 17 00:00:00 2001
11416From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
11417Date: Mon, 12 Aug 2013 17:22:15 +0200
11418Subject: [PATCH 105/249] librpc/ndr: call ndr_table_list() from all ndr_X
11419 functions.
11420MIME-Version: 1.0
11421Content-Type: text/plain; charset=UTF-8
11422Content-Transfer-Encoding: 8bit
11423
11424Guenther
11425
11426Signed-off-by: Günther Deschner <gd@samba.org>
11427Reviewed-by: Stefan Metzmacher <metze@samba.org>
11428(cherry picked from commit 88c1dbf722889a2d7379cdcbac1ce9b140a42356)
11429---
11430 librpc/ndr/ndr_table.c | 6 +++---
11431 1 file changed, 3 insertions(+), 3 deletions(-)
11432
11433diff --git a/librpc/ndr/ndr_table.c b/librpc/ndr/ndr_table.c
11434index 7ca0417..01d9094 100644
11435--- a/librpc/ndr/ndr_table.c
11436+++ b/librpc/ndr/ndr_table.c
11437@@ -73,7 +73,7 @@ const char *ndr_interface_name(const struct GUID *uuid, uint32_t if_version)
11438 int ndr_interface_num_calls(const struct GUID *uuid, uint32_t if_version)
11439 {
11440 const struct ndr_interface_list *l;
11441- for (l=ndr_interfaces;l;l=l->next){
11442+ for (l=ndr_table_list();l;l=l->next){
11443 if (GUID_equal(&l->table->syntax_id.uuid, uuid) &&
11444 l->table->syntax_id.if_version == if_version) {
11445 return l->table->num_calls;
11446@@ -89,7 +89,7 @@ int ndr_interface_num_calls(const struct GUID *uuid, uint32_t if_version)
11447 const struct ndr_interface_table *ndr_table_by_name(const char *name)
11448 {
11449 const struct ndr_interface_list *l;
11450- for (l=ndr_interfaces;l;l=l->next) {
11451+ for (l=ndr_table_list();l;l=l->next) {
11452 if (strcasecmp(l->table->name, name) == 0) {
11453 return l->table;
11454 }
11455@@ -103,7 +103,7 @@ const struct ndr_interface_table *ndr_table_by_name(const char *name)
11456 const struct ndr_interface_table *ndr_table_by_uuid(const struct GUID *uuid)
11457 {
11458 const struct ndr_interface_list *l;
11459- for (l=ndr_interfaces;l;l=l->next) {
11460+ for (l=ndr_table_list();l;l=l->next) {
11461 if (GUID_equal(&l->table->syntax_id.uuid, uuid)) {
11462 return l->table;
11463 }
11464--
114651.9.3
11466
11467
11468From c936c80f7e567bab6fc749fb35e60176fca020af Mon Sep 17 00:00:00 2001
11469From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
11470Date: Thu, 8 Aug 2013 17:34:56 +0200
11471Subject: [PATCH 106/249] librpc/ndr: make sure ndr_table_list() always calls
11472 ndr_init_table() first.
11473MIME-Version: 1.0
11474Content-Type: text/plain; charset=UTF-8
11475Content-Transfer-Encoding: 8bit
11476
11477Guenther
11478
11479Signed-off-by: Günther Deschner <gd@samba.org>
11480Reviewed-by: Stefan Metzmacher <metze@samba.org>
11481(cherry picked from commit 21200b12dc14673f9a610c5798635b6052370dbe)
11482---
11483 librpc/ndr/ndr_table.c | 1 +
11484 1 file changed, 1 insertion(+)
11485
11486diff --git a/librpc/ndr/ndr_table.c b/librpc/ndr/ndr_table.c
11487index 01d9094..f73b9fc 100644
11488--- a/librpc/ndr/ndr_table.c
11489+++ b/librpc/ndr/ndr_table.c
11490@@ -116,6 +116,7 @@ const struct ndr_interface_table *ndr_table_by_uuid(const struct GUID *uuid)
11491 */
11492 const struct ndr_interface_list *ndr_table_list(void)
11493 {
11494+ ndr_table_init();
11495 return ndr_interfaces;
11496 }
11497
11498--
114991.9.3
11500
11501
11502From 2ced3243b3589b673967452a6401d665dd514525 Mon Sep 17 00:00:00 2001
11503From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
11504Date: Thu, 8 Aug 2013 17:40:22 +0200
11505Subject: [PATCH 107/249] s3-rpc: use table->name directly in DEBUG contexts.
11506MIME-Version: 1.0
11507Content-Type: text/plain; charset=UTF-8
11508Content-Transfer-Encoding: 8bit
11509
11510Guenther
11511
11512Signed-off-by: Günther Deschner <gd@samba.org>
11513Reviewed-by: Stefan Metzmacher <metze@samba.org>
11514(cherry picked from commit a94e278883c58b35d383753e86135ff6a1d14ec7)
11515---
11516 source3/lib/netapi/cm.c | 2 +-
11517 source3/rpc_client/cli_pipe.c | 7 +++----
11518 2 files changed, 4 insertions(+), 5 deletions(-)
11519
11520diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
11521index 1cfdccf..bb5d6b2 100644
11522--- a/source3/lib/netapi/cm.c
11523+++ b/source3/lib/netapi/cm.c
11524@@ -254,7 +254,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
11525 status = pipe_cm_open(ctx, ipc, table, &result);
11526 if (!NT_STATUS_IS_OK(status)) {
11527 libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
11528- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
11529+ table->name,
11530 get_friendly_nt_error_msg(status));
11531 return WERR_DEST_NOT_FOUND;
11532 }
11533diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
11534index b73f2f2..64e7f1c 100644
11535--- a/source3/rpc_client/cli_pipe.c
11536+++ b/source3/rpc_client/cli_pipe.c
11537@@ -2692,8 +2692,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
11538 }
11539 DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
11540 "%s failed with error %s\n",
11541- get_pipe_name_from_syntax(talloc_tos(),
11542- &table->syntax_id),
11543+ table->name,
11544 nt_errstr(status) ));
11545 TALLOC_FREE(result);
11546 return status;
11547@@ -2701,7 +2700,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
11548
11549 DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
11550 "%s and bound anonymously.\n",
11551- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
11552+ table->name,
11553 result->desthost));
11554
11555 *presult = result;
11556@@ -2946,7 +2945,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
11557 done:
11558 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
11559 "for domain %s and bound using schannel.\n",
11560- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
11561+ table->name,
11562 rpccli->desthost, domain));
11563
11564 *_rpccli = rpccli;
11565--
115661.9.3
11567
11568
11569From cd864f1a3748c219df78600fc826a6e1d81fa07d Mon Sep 17 00:00:00 2001
11570From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
11571Date: Wed, 18 Sep 2013 10:58:16 +0200
11572Subject: [PATCH 108/249] s3-rpc: use ndr_interface_name() instead of
11573 get_pipe_name_from_syntax() in DEBUG.
11574MIME-Version: 1.0
11575Content-Type: text/plain; charset=UTF-8
11576Content-Transfer-Encoding: 8bit
11577
11578Guenther
11579
11580Signed-off-by: Günther Deschner <gd@samba.org>
11581Reviewed-by: Stefan Metzmacher <metze@samba.org>
11582(cherry picked from commit 3135533710b2a1b64aaf6b10d30b86f3c004657d)
11583---
11584 source3/rpc_server/rpc_handles.c | 15 +++++++++------
11585 source3/rpc_server/srv_pipe.c | 22 ++++++++++++++--------
11586 source3/rpc_server/srv_pipe_hnd.c | 16 +++++++++++-----
11587 source3/wscript_build | 3 ++-
11588 4 files changed, 36 insertions(+), 20 deletions(-)
11589
11590diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c
11591index 70c3919..409299a 100644
11592--- a/source3/rpc_server/rpc_handles.c
11593+++ b/source3/rpc_server/rpc_handles.c
11594@@ -27,6 +27,7 @@
11595 #include "rpc_server/rpc_pipes.h"
11596 #include "../libcli/security/security.h"
11597 #include "lib/tsocket/tsocket.h"
11598+#include "librpc/ndr/ndr_table.h"
11599
11600 #undef DBGC_CLASS
11601 #define DBGC_CLASS DBGC_RPC_SRV
11602@@ -218,7 +219,8 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
11603
11604 DEBUG(10,("init_pipe_handle_list: created handle list for "
11605 "pipe %s\n",
11606- get_pipe_name_from_syntax(talloc_tos(), syntax)));
11607+ ndr_interface_name(&syntax->uuid,
11608+ syntax->if_version)));
11609 }
11610
11611 /*
11612@@ -235,7 +237,7 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
11613
11614 DEBUG(10,("init_pipe_handle_list: pipe_handles ref count = %lu for "
11615 "pipe %s\n", (unsigned long)p->pipe_handles->pipe_ref_count,
11616- get_pipe_name_from_syntax(talloc_tos(), syntax)));
11617+ ndr_interface_name(&syntax->uuid, syntax->if_version)));
11618
11619 return True;
11620 }
11621@@ -412,8 +414,8 @@ void close_policy_by_pipe(struct pipes_struct *p)
11622 TALLOC_FREE(p->pipe_handles);
11623
11624 DEBUG(10,("Deleted handle list for RPC connection %s\n",
11625- get_pipe_name_from_syntax(talloc_tos(),
11626- &p->contexts->syntax)));
11627+ ndr_interface_name(&p->contexts->syntax.uuid,
11628+ p->contexts->syntax.if_version)));
11629 }
11630 }
11631
11632@@ -456,8 +458,9 @@ void *_policy_handle_create(struct pipes_struct *p, struct policy_handle *hnd,
11633 if (p->pipe_handles->count > MAX_OPEN_POLS) {
11634 DEBUG(0, ("ERROR: Too many handles (%d) for RPC connection %s\n",
11635 (int) p->pipe_handles->count,
11636- get_pipe_name_from_syntax(talloc_tos(),
11637- &p->contexts->syntax)));
11638+ ndr_interface_name(&p->contexts->syntax.uuid,
11639+ p->contexts->syntax.if_version)));
11640+
11641 *pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
11642 return NULL;
11643 }
11644diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
11645index 06752a8..19dbc37 100644
11646--- a/source3/rpc_server/srv_pipe.c
11647+++ b/source3/rpc_server/srv_pipe.c
11648@@ -41,6 +41,7 @@
11649 #include "rpc_server/srv_pipe.h"
11650 #include "rpc_server/rpc_contexts.h"
11651 #include "lib/param/param.h"
11652+#include "librpc/ndr/ndr_table.h"
11653
11654 #undef DBGC_CLASS
11655 #define DBGC_CLASS DBGC_RPC_SRV
11656@@ -336,7 +337,8 @@ static bool check_bind_req(struct pipes_struct *p,
11657 bool ok;
11658
11659 DEBUG(3,("check_bind_req for %s\n",
11660- get_pipe_name_from_syntax(talloc_tos(), abstract)));
11661+ ndr_interface_name(&abstract->uuid,
11662+ abstract->if_version)));
11663
11664 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
11665 if (rpc_srv_pipe_exists_by_id(abstract) &&
11666@@ -580,7 +582,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
11667 if (NT_STATUS_IS_ERR(status)) {
11668 DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
11669 "%s in bind request.\n",
11670- get_pipe_name_from_syntax(talloc_tos(), &id)));
11671+ ndr_interface_name(&id.uuid,
11672+ id.if_version)));
11673
11674 return setup_bind_nak(p, pkt);
11675 }
11676@@ -595,8 +598,10 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
11677 } else {
11678 DEBUG(0, ("module %s doesn't provide functions for "
11679 "pipe %s!\n",
11680- get_pipe_name_from_syntax(talloc_tos(), &id),
11681- get_pipe_name_from_syntax(talloc_tos(), &id)));
11682+ ndr_interface_name(&id.uuid,
11683+ id.if_version),
11684+ ndr_interface_name(&id.uuid,
11685+ id.if_version)));
11686 return setup_bind_nak(p, pkt);
11687 }
11688 }
11689@@ -1206,7 +1211,8 @@ static bool api_pipe_request(struct pipes_struct *p,
11690 TALLOC_CTX *frame = talloc_stackframe();
11691
11692 DEBUG(5, ("Requested %s rpc service\n",
11693- get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
11694+ ndr_interface_name(&pipe_fns->syntax.uuid,
11695+ pipe_fns->syntax.if_version)));
11696
11697 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds,
11698 &pipe_fns->syntax);
11699@@ -1237,7 +1243,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
11700
11701 /* interpret the command */
11702 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
11703- get_pipe_name_from_syntax(talloc_tos(), syntax),
11704+ ndr_interface_name(&syntax->uuid, syntax->if_version),
11705 pkt->u.request.opnum));
11706
11707 if (DEBUGLEVEL >= 50) {
11708@@ -1276,7 +1282,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
11709 /* do the actual command */
11710 if(!api_rpc_cmds[fn_num].fn(p)) {
11711 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
11712- get_pipe_name_from_syntax(talloc_tos(), syntax),
11713+ ndr_interface_name(&syntax->uuid, syntax->if_version),
11714 api_rpc_cmds[fn_num].name));
11715 data_blob_free(&p->out_data.rdata);
11716 return False;
11717@@ -1299,7 +1305,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
11718 }
11719
11720 DEBUG(5,("api_rpcTNP: called %s successfully\n",
11721- get_pipe_name_from_syntax(talloc_tos(), syntax)));
11722+ ndr_interface_name(&syntax->uuid, syntax->if_version)));
11723
11724 /* Check for buffer underflow in rpc parsing */
11725 if ((DEBUGLEVEL >= 10) &&
11726diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
11727index 3f8ff44..fcbfa77 100644
11728--- a/source3/rpc_server/srv_pipe_hnd.c
11729+++ b/source3/rpc_server/srv_pipe_hnd.c
11730@@ -30,6 +30,7 @@
11731 #include "rpc_server/rpc_config.h"
11732 #include "../lib/tsocket/tsocket.h"
11733 #include "../lib/util/tevent_ntstatus.h"
11734+#include "librpc/ndr/ndr_table.h"
11735
11736 #undef DBGC_CLASS
11737 #define DBGC_CLASS DBGC_RPC_SRV
11738@@ -281,7 +282,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
11739 }
11740
11741 DEBUG(6,(" name: %s len: %u\n",
11742- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
11743+ ndr_interface_name(&p->contexts->syntax.uuid,
11744+ p->contexts->syntax.if_version),
11745 (unsigned int)n));
11746
11747 /*
11748@@ -299,7 +301,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
11749 DEBUG(5,("read_from_pipe: too large read (%u) requested on "
11750 "pipe %s. We can only service %d sized reads.\n",
11751 (unsigned int)n,
11752- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
11753+ ndr_interface_name(&p->contexts->syntax.uuid,
11754+ p->contexts->syntax.if_version),
11755 RPC_MAX_PDU_FRAG_LEN ));
11756 n = RPC_MAX_PDU_FRAG_LEN;
11757 }
11758@@ -320,7 +323,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
11759
11760 DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, "
11761 "current_pdu_sent = %u returning %d bytes.\n",
11762- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
11763+ ndr_interface_name(&p->contexts->syntax.uuid,
11764+ p->contexts->syntax.if_version),
11765 (unsigned int)p->out_data.frag.length,
11766 (unsigned int)p->out_data.current_pdu_sent,
11767 (int)data_returned));
11768@@ -341,7 +345,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
11769
11770 DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length "
11771 "= %u, p->out_data.rdata.length = %u.\n",
11772- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
11773+ ndr_interface_name(&p->contexts->syntax.uuid,
11774+ p->contexts->syntax.if_version),
11775 (int)p->fault_state,
11776 (unsigned int)p->out_data.data_sent_length,
11777 (unsigned int)p->out_data.rdata.length));
11778@@ -363,7 +368,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
11779
11780 if(!create_next_pdu(p)) {
11781 DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n",
11782- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax)));
11783+ ndr_interface_name(&p->contexts->syntax.uuid,
11784+ p->contexts->syntax.if_version)));
11785 return -1;
11786 }
11787
11788diff --git a/source3/wscript_build b/source3/wscript_build
11789index 0bf84e2..bb2e928 100755
11790--- a/source3/wscript_build
11791+++ b/source3/wscript_build
11792@@ -672,7 +672,8 @@ bld.SAMBA3_LIBRARY('msrpc3',
11793 deps='''ndr ndr-standard
11794 RPC_NDR_EPMAPPER NTLMSSP_COMMON COMMON_SCHANNEL LIBCLI_AUTH
11795 LIBTSOCKET gse dcerpc-binding
11796- libsmb''',
11797+ libsmb
11798+ ndr-table''',
11799 vars=locals(),
11800 private_library=True)
11801
11802--
118031.9.3
11804
11805
11806From 6e6ba9bb34ac4e1d55056ef82e4bad8ab2d65b0d Mon Sep 17 00:00:00 2001
11807From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
11808Date: Thu, 8 Aug 2013 17:33:29 +0200
11809Subject: [PATCH 109/249] librpc: add dcerpc_default_transport_endpoint()
11810 function.
11811MIME-Version: 1.0
11812Content-Type: text/plain; charset=UTF-8
11813Content-Transfer-Encoding: 8bit
11814
11815Guenther
11816
11817Signed-off-by: Günther Deschner <gd@samba.org>
11818Reviewed-by: Stefan Metzmacher <metze@samba.org>
11819(cherry picked from commit 40ee3d8a5f7439b90f1ebf5e40535fad51038fe6)
11820---
11821 librpc/rpc/dcerpc_util.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++
11822 librpc/rpc/rpc_common.h | 3 +++
11823 2 files changed, 58 insertions(+)
11824
11825diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
11826index 0b9cca3..4046f32 100644
11827--- a/librpc/rpc/dcerpc_util.c
11828+++ b/librpc/rpc/dcerpc_util.c
11829@@ -332,3 +332,58 @@ NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
11830 tevent_req_received(req);
11831 return NT_STATUS_OK;
11832 }
11833+
11834+const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
11835+ enum dcerpc_transport_t transport,
11836+ const struct ndr_interface_table *table)
11837+{
11838+ NTSTATUS status;
11839+ const char *p = NULL;
11840+ const char *endpoint = NULL;
11841+ int i;
11842+ struct dcerpc_binding *default_binding = NULL;
11843+ TALLOC_CTX *frame = talloc_stackframe();
11844+
11845+ /* Find one of the default pipes for this interface */
11846+
11847+ for (i = 0; i < table->endpoints->count; i++) {
11848+
11849+ status = dcerpc_parse_binding(frame, table->endpoints->names[i],
11850+ &default_binding);
11851+ if (NT_STATUS_IS_OK(status)) {
11852+ if (transport == NCA_UNKNOWN &&
11853+ default_binding->endpoint != NULL) {
11854+ p = default_binding->endpoint;
11855+ break;
11856+ }
11857+ if (default_binding->transport == transport &&
11858+ default_binding->endpoint != NULL) {
11859+ p = default_binding->endpoint;
11860+ break;
11861+ }
11862+ }
11863+ }
11864+
11865+ if (i == table->endpoints->count || p == NULL) {
11866+ goto done;
11867+ }
11868+
11869+ /*
11870+ * extract the pipe name without \\pipe from for example
11871+ * ncacn_np:[\\pipe\\epmapper]
11872+ */
11873+ if (default_binding->transport == NCACN_NP) {
11874+ if (strncasecmp(p, "\\pipe\\", 6) == 0) {
11875+ p += 6;
11876+ }
11877+ if (strncmp(p, "\\", 1) == 0) {
11878+ p += 1;
11879+ }
11880+ }
11881+
11882+ endpoint = talloc_strdup(mem_ctx, p);
11883+
11884+ done:
11885+ talloc_free(frame);
11886+ return endpoint;
11887+}
11888diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
11889index e2b3755..d2816f5 100644
11890--- a/librpc/rpc/rpc_common.h
11891+++ b/librpc/rpc/rpc_common.h
11892@@ -143,6 +143,9 @@ void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v);
11893 uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob);
11894 void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v);
11895 uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob);
11896+const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
11897+ enum dcerpc_transport_t transport,
11898+ const struct ndr_interface_table *table);
11899
11900 /**
11901 * @brief Pull a dcerpc_auth structure, taking account of any auth
11902--
119031.9.3
11904
11905
11906From a71f6912117ef5054cba4346f8bfd555d70d7837 Mon Sep 17 00:00:00 2001
11907From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
11908Date: Wed, 18 Sep 2013 10:59:14 +0200
11909Subject: [PATCH 110/249] s3-rpc: use dcerpc_default_transport_endpoint
11910 function.
11911MIME-Version: 1.0
11912Content-Type: text/plain; charset=UTF-8
11913Content-Transfer-Encoding: 8bit
11914
11915Guenther
11916
11917Signed-off-by: Günther Deschner <gd@samba.org>
11918Reviewed-by: Stefan Metzmacher <metze@samba.org>
11919(cherry picked from commit b73e2d927b2221cb3fde8776789c8ca085cf2b8f)
11920---
11921 source3/rpc_client/rpc_transport_np.c | 4 +++-
11922 source3/rpc_server/rpc_ncacn_np.c | 12 ++++++++++--
11923 source3/rpc_server/srv_pipe.c | 28 +++++++++++++++++++++-------
11924 3 files changed, 34 insertions(+), 10 deletions(-)
11925
11926diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
11927index c0f313e..91943f4 100644
11928--- a/source3/rpc_client/rpc_transport_np.c
11929+++ b/source3/rpc_client/rpc_transport_np.c
11930@@ -22,6 +22,7 @@
11931 #include "rpc_client/rpc_transport.h"
11932 #include "libsmb/cli_np_tstream.h"
11933 #include "client.h"
11934+#include "librpc/ndr/ndr_table.h"
11935
11936 #undef DBGC_CLASS
11937 #define DBGC_CLASS DBGC_RPC_CLI
11938@@ -55,7 +56,8 @@ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
11939 state->ev = ev;
11940 state->cli = cli;
11941 state->abs_timeout = timeval_current_ofs_msec(cli->timeout);
11942- state->pipe_name = get_pipe_name_from_syntax(state, &table->syntax_id);
11943+ state->pipe_name = dcerpc_default_transport_endpoint(state, NCACN_NP,
11944+ table);
11945 if (tevent_req_nomem(state->pipe_name, req)) {
11946 return tevent_req_post(req, ev);
11947 }
11948diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
11949index 7389b3e..46b77fd 100644
11950--- a/source3/rpc_server/rpc_ncacn_np.c
11951+++ b/source3/rpc_server/rpc_ncacn_np.c
11952@@ -36,6 +36,7 @@
11953 #include "../lib/util/tevent_ntstatus.h"
11954 #include "rpc_contexts.h"
11955 #include "rpc_server/rpc_config.h"
11956+#include "librpc/ndr/ndr_table.h"
11957
11958 #undef DBGC_CLASS
11959 #define DBGC_CLASS DBGC_RPC_SRV
11960@@ -54,8 +55,15 @@ struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx,
11961 struct pipe_rpc_fns *context_fns;
11962 const char *pipe_name;
11963 int ret;
11964+ const struct ndr_interface_table *table;
11965
11966- pipe_name = get_pipe_name_from_syntax(talloc_tos(), syntax);
11967+ table = ndr_table_by_uuid(&syntax->uuid);
11968+ if (table == NULL) {
11969+ DEBUG(0,("unknown interface\n"));
11970+ return NULL;
11971+ }
11972+
11973+ pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
11974
11975 DEBUG(4,("Create pipe requested %s\n", pipe_name));
11976
11977@@ -783,7 +791,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
11978 return NT_STATUS_NO_MEMORY;
11979 }
11980
11981- pipe_name = get_pipe_name_from_syntax(tmp_ctx, &table->syntax_id);
11982+ pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
11983 if (pipe_name == NULL) {
11984 status = NT_STATUS_INVALID_PARAMETER;
11985 goto done;
11986diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
11987index 19dbc37..5f834fb 100644
11988--- a/source3/rpc_server/srv_pipe.c
11989+++ b/source3/rpc_server/srv_pipe.c
11990@@ -552,6 +552,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
11991 struct dcerpc_ack_ctx bind_ack_ctx;
11992 DATA_BLOB auth_resp = data_blob_null;
11993 DATA_BLOB auth_blob = data_blob_null;
11994+ const struct ndr_interface_table *table;
11995
11996 /* No rebinds on a bound pipe - use alter context. */
11997 if (p->pipe_bound) {
11998@@ -569,15 +570,21 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
11999 * that this is a pipe name we support.
12000 */
12001 id = pkt->u.bind.ctx_list[0].abstract_syntax;
12002+
12003+ table = ndr_table_by_uuid(&id.uuid);
12004+ if (table == NULL) {
12005+ DEBUG(0,("unknown interface\n"));
12006+ return false;
12007+ }
12008+
12009 if (rpc_srv_pipe_exists_by_id(&id)) {
12010 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
12011 rpc_srv_get_pipe_cli_name(&id),
12012 rpc_srv_get_pipe_srv_name(&id)));
12013 } else {
12014 status = smb_probe_module(
12015- "rpc", get_pipe_name_from_syntax(
12016- talloc_tos(),
12017- &id));
12018+ "rpc", dcerpc_default_transport_endpoint(pkt,
12019+ NCACN_NP, table));
12020
12021 if (NT_STATUS_IS_ERR(status)) {
12022 DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
12023@@ -589,8 +596,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
12024 }
12025
12026 if (rpc_srv_get_pipe_interface_by_cli_name(
12027- get_pipe_name_from_syntax(talloc_tos(),
12028- &id),
12029+ dcerpc_default_transport_endpoint(pkt,
12030+ NCACN_NP, table),
12031 &id)) {
12032 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
12033 rpc_srv_get_pipe_cli_name(&id),
12034@@ -1240,16 +1247,23 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
12035 {
12036 int fn_num;
12037 uint32_t offset1;
12038+ const struct ndr_interface_table *table;
12039
12040 /* interpret the command */
12041 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
12042 ndr_interface_name(&syntax->uuid, syntax->if_version),
12043 pkt->u.request.opnum));
12044
12045+ table = ndr_table_by_uuid(&syntax->uuid);
12046+ if (table == NULL) {
12047+ DEBUG(0,("unknown interface\n"));
12048+ return false;
12049+ }
12050+
12051 if (DEBUGLEVEL >= 50) {
12052 fstring name;
12053 slprintf(name, sizeof(name)-1, "in_%s",
12054- get_pipe_name_from_syntax(talloc_tos(), syntax));
12055+ dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
12056 dump_pdu_region(name, pkt->u.request.opnum,
12057 &p->in_data.data, 0,
12058 p->in_data.data.length);
12059@@ -1298,7 +1312,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
12060 if (DEBUGLEVEL >= 50) {
12061 fstring name;
12062 slprintf(name, sizeof(name)-1, "out_%s",
12063- get_pipe_name_from_syntax(talloc_tos(), syntax));
12064+ dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
12065 dump_pdu_region(name, pkt->u.request.opnum,
12066 &p->out_data.rdata, offset1,
12067 p->out_data.rdata.length);
12068--
120691.9.3
12070
12071
12072From 8bb6f177b210159ea6317b20e2cc12732b4d273a Mon Sep 17 00:00:00 2001
12073From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
12074Date: Wed, 7 Aug 2013 17:43:08 +0200
12075Subject: [PATCH 111/249] s3-rpc: remove unused source3/librpc/rpc/rpc_common.c
12076MIME-Version: 1.0
12077Content-Type: text/plain; charset=UTF-8
12078Content-Transfer-Encoding: 8bit
12079
12080Guenther
12081
12082Signed-off-by: Günther Deschner <gd@samba.org>
12083Reviewed-by: Stefan Metzmacher <metze@samba.org>
12084
12085Autobuild-User(master): Günther Deschner <gd@samba.org>
12086Autobuild-Date(master): Fri Sep 20 14:57:06 CEST 2013 on sn-devel-104
12087(cherry picked from commit 807628ecac445999e75ec9ea1abdc5f2fde356d6)
12088---
12089 source3/librpc/rpc/dcerpc.h | 8 --
12090 source3/librpc/rpc/rpc_common.c | 209 ----------------------------------------
12091 source3/wscript_build | 1 -
12092 3 files changed, 218 deletions(-)
12093 delete mode 100644 source3/librpc/rpc/rpc_common.c
12094
12095diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
12096index 38d59cd..b18b7ba 100644
12097--- a/source3/librpc/rpc/dcerpc.h
12098+++ b/source3/librpc/rpc/dcerpc.h
12099@@ -85,12 +85,4 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
12100 DATA_BLOB *raw_pkt,
12101 size_t *pad_len);
12102
12103-/* The following definitions come from librpc/rpc/rpc_common.c */
12104-
12105-bool smb_register_ndr_interface(const struct ndr_interface_table *interface);
12106-const struct ndr_interface_table *get_iface_from_syntax(
12107- const struct ndr_syntax_id *syntax);
12108-const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
12109- const struct ndr_syntax_id *syntax);
12110-
12111 #endif /* __S3_DCERPC_H__ */
12112diff --git a/source3/librpc/rpc/rpc_common.c b/source3/librpc/rpc/rpc_common.c
12113deleted file mode 100644
12114index 1219b2d..0000000
12115--- a/source3/librpc/rpc/rpc_common.c
12116+++ /dev/null
12117@@ -1,209 +0,0 @@
12118-/*
12119- * Unix SMB/CIFS implementation.
12120- * RPC Pipe client / server routines
12121- * Largely rewritten by Jeremy Allison 2005.
12122- *
12123- * This program is free software; you can redistribute it and/or modify
12124- * it under the terms of the GNU General Public License as published by
12125- * the Free Software Foundation; either version 3 of the License, or
12126- * (at your option) any later version.
12127- *
12128- * This program is distributed in the hope that it will be useful,
12129- * but WITHOUT ANY WARRANTY; without even the implied warranty of
12130- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12131- * GNU General Public License for more details.
12132- *
12133- * You should have received a copy of the GNU General Public License
12134- * along with this program; if not, see <http://www.gnu.org/licenses/>.
12135- */
12136-
12137-#include "includes.h"
12138-#include "librpc/rpc/dcerpc.h"
12139-#include "../librpc/gen_ndr/ndr_lsa.h"
12140-#include "../librpc/gen_ndr/ndr_dssetup.h"
12141-#include "../librpc/gen_ndr/ndr_samr.h"
12142-#include "../librpc/gen_ndr/ndr_netlogon.h"
12143-#include "../librpc/gen_ndr/ndr_srvsvc.h"
12144-#include "../librpc/gen_ndr/ndr_wkssvc.h"
12145-#include "../librpc/gen_ndr/ndr_winreg.h"
12146-#include "../librpc/gen_ndr/ndr_spoolss.h"
12147-#include "../librpc/gen_ndr/ndr_dfs.h"
12148-#include "../librpc/gen_ndr/ndr_echo.h"
12149-#include "../librpc/gen_ndr/ndr_initshutdown.h"
12150-#include "../librpc/gen_ndr/ndr_svcctl.h"
12151-#include "../librpc/gen_ndr/ndr_eventlog.h"
12152-#include "../librpc/gen_ndr/ndr_ntsvcs.h"
12153-#include "../librpc/gen_ndr/ndr_epmapper.h"
12154-#include "../librpc/gen_ndr/ndr_drsuapi.h"
12155-#include "../librpc/gen_ndr/ndr_fsrvp.h"
12156-
12157-static const char *get_pipe_name_from_iface(
12158- TALLOC_CTX *mem_ctx, const struct ndr_interface_table *interface)
12159-{
12160- int i;
12161- const struct ndr_interface_string_array *ep = interface->endpoints;
12162- char *p;
12163-
12164- for (i=0; i<ep->count; i++) {
12165- if (strncmp(ep->names[i], "ncacn_np:[\\pipe\\", 16) == 0) {
12166- break;
12167- }
12168- }
12169- if (i == ep->count) {
12170- return NULL;
12171- }
12172-
12173- /*
12174- * extract the pipe name without \\pipe from for example
12175- * ncacn_np:[\\pipe\\epmapper]
12176- */
12177- p = strchr(ep->names[i]+15, ']');
12178- if (p == NULL) {
12179- return "PIPE";
12180- }
12181- return talloc_strndup(mem_ctx, ep->names[i]+15, p - ep->names[i] - 15);
12182-}
12183-
12184-static const struct ndr_interface_table **interfaces;
12185-
12186-bool smb_register_ndr_interface(const struct ndr_interface_table *interface)
12187-{
12188- int num_interfaces = talloc_array_length(interfaces);
12189- const struct ndr_interface_table **tmp;
12190- int i;
12191-
12192- for (i=0; i<num_interfaces; i++) {
12193- if (ndr_syntax_id_equal(&interfaces[i]->syntax_id,
12194- &interface->syntax_id)) {
12195- return true;
12196- }
12197- }
12198-
12199- tmp = talloc_realloc(NULL, interfaces,
12200- const struct ndr_interface_table *,
12201- num_interfaces + 1);
12202- if (tmp == NULL) {
12203- DEBUG(1, ("smb_register_ndr_interface: talloc failed\n"));
12204- return false;
12205- }
12206- interfaces = tmp;
12207- interfaces[num_interfaces] = interface;
12208- return true;
12209-}
12210-
12211-static bool initialize_interfaces(void)
12212-{
12213- if (!smb_register_ndr_interface(&ndr_table_lsarpc)) {
12214- return false;
12215- }
12216- if (!smb_register_ndr_interface(&ndr_table_dssetup)) {
12217- return false;
12218- }
12219- if (!smb_register_ndr_interface(&ndr_table_samr)) {
12220- return false;
12221- }
12222- if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
12223- return false;
12224- }
12225- if (!smb_register_ndr_interface(&ndr_table_srvsvc)) {
12226- return false;
12227- }
12228- if (!smb_register_ndr_interface(&ndr_table_wkssvc)) {
12229- return false;
12230- }
12231- if (!smb_register_ndr_interface(&ndr_table_winreg)) {
12232- return false;
12233- }
12234- if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
12235- return false;
12236- }
12237- if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
12238- return false;
12239- }
12240- if (!smb_register_ndr_interface(&ndr_table_rpcecho)) {
12241- return false;
12242- }
12243- if (!smb_register_ndr_interface(&ndr_table_initshutdown)) {
12244- return false;
12245- }
12246- if (!smb_register_ndr_interface(&ndr_table_svcctl)) {
12247- return false;
12248- }
12249- if (!smb_register_ndr_interface(&ndr_table_eventlog)) {
12250- return false;
12251- }
12252- if (!smb_register_ndr_interface(&ndr_table_ntsvcs)) {
12253- return false;
12254- }
12255- if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
12256- return false;
12257- }
12258- if (!smb_register_ndr_interface(&ndr_table_drsuapi)) {
12259- return false;
12260- }
12261- if (!smb_register_ndr_interface(&ndr_table_FileServerVssAgent)) {
12262- return false;
12263- }
12264- return true;
12265-}
12266-
12267-const struct ndr_interface_table *get_iface_from_syntax(
12268- const struct ndr_syntax_id *syntax)
12269-{
12270- int num_interfaces;
12271- int i;
12272-
12273- if (interfaces == NULL) {
12274- if (!initialize_interfaces()) {
12275- return NULL;
12276- }
12277- }
12278- num_interfaces = talloc_array_length(interfaces);
12279-
12280- for (i=0; i<num_interfaces; i++) {
12281- if (ndr_syntax_id_equal(&interfaces[i]->syntax_id, syntax)) {
12282- return interfaces[i];
12283- }
12284- }
12285-
12286- return NULL;
12287-}
12288-
12289-/****************************************************************************
12290- Return the pipe name from the interface.
12291- ****************************************************************************/
12292-
12293-const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
12294- const struct ndr_syntax_id *syntax)
12295-{
12296- const struct ndr_interface_table *interface;
12297- char *guid_str;
12298- const char *result;
12299-
12300- interface = get_iface_from_syntax(syntax);
12301- if (interface != NULL) {
12302- result = get_pipe_name_from_iface(mem_ctx, interface);
12303- if (result != NULL) {
12304- return result;
12305- }
12306- }
12307-
12308- /*
12309- * Here we should ask \\epmapper, but for now our code is only
12310- * interested in the known pipes mentioned in pipe_names[]
12311- */
12312-
12313- guid_str = GUID_string(talloc_tos(), &syntax->uuid);
12314- if (guid_str == NULL) {
12315- return NULL;
12316- }
12317- result = talloc_asprintf(mem_ctx, "Interface %s.%d", guid_str,
12318- (int)syntax->if_version);
12319- TALLOC_FREE(guid_str);
12320-
12321- if (result == NULL) {
12322- return "PIPE";
12323- }
12324- return result;
12325-}
12326-
12327diff --git a/source3/wscript_build b/source3/wscript_build
12328index bb2e928..8126cf6 100755
12329--- a/source3/wscript_build
12330+++ b/source3/wscript_build
12331@@ -141,7 +141,6 @@ LIBSMB_SRC = '''libsmb/clientgen.c libsmb/cliconnect.c libsmb/clifile.c
12332
12333 LIBMSRPC_SRC = '''
12334 rpc_client/cli_pipe.c
12335- librpc/rpc/rpc_common.c
12336 rpc_client/rpc_transport_np.c
12337 rpc_client/rpc_transport_sock.c
12338 rpc_client/rpc_transport_tstream.c
12339--
123401.9.3
12341
12342
12343From 2b2d978bd97299371a1fd7798d69ab377a76d389 Mon Sep 17 00:00:00 2001
12344From: Volker Lendecke <vl@samba.org>
12345Date: Wed, 14 Aug 2013 09:27:59 +0000
12346Subject: [PATCH 112/249] winbind3: Fix an invalid free
12347MIME-Version: 1.0
12348Content-Type: text/plain; charset=UTF-8
12349Content-Transfer-Encoding: 8bit
12350
12351This fixes a warning I've never seen before :-)
12352
12353../source3/winbindd/winbindd_cm.c:781:59: warning: attempt to free a non-heap object ‘machine_krb5_principal’ [-Wfree-nonheap-object]
12354
12355Signed-off-by: Volker Lendecke <vl@samba.org>
12356Reviewed-by: Stefan Metzmacher <metze@samba.org>
12357
12358Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
12359Autobuild-Date(master): Wed Aug 14 14:04:16 CEST 2013 on sn-devel-104
12360(cherry picked from commit 5f75814586f2d6f7c2dc8fd9342cb045c1f7e68c)
12361---
12362 source3/winbindd/winbindd_cm.c | 2 +-
12363 1 file changed, 1 insertion(+), 1 deletion(-)
12364
12365diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
12366index facef64..d868826 100644
12367--- a/source3/winbindd/winbindd_cm.c
12368+++ b/source3/winbindd/winbindd_cm.c
12369@@ -840,7 +840,7 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
12370 }
12371
12372 if (!strupper_m(*machine_krb5_principal)) {
12373- SAFE_FREE(machine_krb5_principal);
12374+ SAFE_FREE(*machine_krb5_principal);
12375 return NT_STATUS_INVALID_PARAMETER;
12376 }
12377 }
12378--
123791.9.3
12380
12381
12382From 1b88903c4f5931397e22874b3751dd05a03a2dea Mon Sep 17 00:00:00 2001
12383From: Andrew Bartlett <abartlet@samba.org>
12384Date: Fri, 11 Oct 2013 13:34:13 +1300
12385Subject: [PATCH 113/249] s3-winbindd: Remove undocumented winbindd:socket dir
12386 parameter
12387
12388This uses the documeted "winbindd socket directory" parameter instead.
12389
12390This came about due to the merge of the two smb.conf tables in s3 and
12391s4 for the Samba 4.0 release. The s4 code used a real parameter,
12392which caused this to be documented, whereas no automatic procedure
12393existed to notice the parametric option and the need to document that.
12394The fact that this was not used consistently in both codebases is one
12395of the many areas of technical debt we still need to pay off here.
12396
12397Andrew Bartlett
12398
12399Signed-off-by: Andrew Bartlett <abartlet@samba.org>
12400Reviewed-by: Andreas Schneider <asn@samba.org>
12401(cherry picked from commit e512491552d9ed0dc1005a23ffc8f77ba237f863)
12402---
12403 selftest/target/Samba3.pm | 2 +-
12404 source3/include/proto.h | 1 +
12405 source3/param/loadparm.c | 1 +
12406 source3/winbindd/winbindd.c | 9 ++-------
12407 source3/winbindd/winbindd_proto.h | 1 -
12408 5 files changed, 5 insertions(+), 9 deletions(-)
12409
12410diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
12411index ba01154..d8f0c27 100755
12412--- a/selftest/target/Samba3.pm
12413+++ b/selftest/target/Samba3.pm
12414@@ -972,7 +972,7 @@ sub provision($$$$$$)
12415 printing = bsd
12416 printcap name = /dev/null
12417
12418- winbindd:socket dir = $wbsockdir
12419+ winbindd socket directory = $wbsockdir
12420 nmbd:socket dir = $nmbdsockdir
12421 idmap config * : range = 100000-200000
12422 winbind enum users = yes
12423diff --git a/source3/include/proto.h b/source3/include/proto.h
12424index cbad7ac..53cd59d 100644
12425--- a/source3/include/proto.h
12426+++ b/source3/include/proto.h
12427@@ -1069,6 +1069,7 @@ char *lp_wins_hook(TALLOC_CTX *ctx);
12428 const char *lp_template_homedir(void);
12429 const char *lp_template_shell(void);
12430 const char *lp_winbind_separator(void);
12431+const char *lp_winbindd_socket_directory(void);
12432 bool lp_winbind_enum_users(void);
12433 bool lp_winbind_enum_groups(void);
12434 bool lp_winbind_use_default_domain(void);
12435diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
12436index 4b31023..b2804ae 100644
12437--- a/source3/param/loadparm.c
12438+++ b/source3/param/loadparm.c
12439@@ -961,6 +961,7 @@ static void init_globals(bool reinit_globals)
12440 string_set(&Globals.szTemplateShell, "/bin/false");
12441 string_set(&Globals.szTemplateHomedir, "/home/%D/%U");
12442 string_set(&Globals.szWinbindSeparator, "\\");
12443+ string_set(&Globals.szWinbinddSocketDirectory, dyn_WINBINDD_SOCKET_DIR);
12444
12445 string_set(&Globals.szCupsServer, "");
12446 string_set(&Globals.szIPrintServer, "");
12447diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
12448index f101e52..69a17bf 100644
12449--- a/source3/winbindd/winbindd.c
12450+++ b/source3/winbindd/winbindd.c
12451@@ -189,7 +189,7 @@ static void terminate(bool is_parent)
12452 char *path = NULL;
12453
12454 if (asprintf(&path, "%s/%s",
12455- get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME) > 0) {
12456+ lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME) > 0) {
12457 unlink(path);
12458 SAFE_FREE(path);
12459 }
12460@@ -1067,11 +1067,6 @@ static void winbindd_listen_fde_handler(struct tevent_context *ev,
12461 * Winbindd socket accessor functions
12462 */
12463
12464-const char *get_winbind_pipe_dir(void)
12465-{
12466- return lp_parm_const_string(-1, "winbindd", "socket dir", get_dyn_WINBINDD_SOCKET_DIR());
12467-}
12468-
12469 char *get_winbind_priv_pipe_dir(void)
12470 {
12471 return state_path(WINBINDD_PRIV_SOCKET_SUBDIR);
12472@@ -1092,7 +1087,7 @@ static bool winbindd_setup_listeners(void)
12473
12474 pub_state->privileged = false;
12475 pub_state->fd = create_pipe_sock(
12476- get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
12477+ lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME, 0755);
12478 if (pub_state->fd == -1) {
12479 goto failed;
12480 }
12481diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
12482index 3df7d7c..cfc19d0 100644
12483--- a/source3/winbindd/winbindd_proto.h
12484+++ b/source3/winbindd/winbindd_proto.h
12485@@ -34,7 +34,6 @@ bool winbindd_setup_stdin_handler(bool parent, bool foreground);
12486 bool winbindd_setup_sig_hup_handler(const char *lfile);
12487 bool winbindd_use_idmap_cache(void);
12488 bool winbindd_use_cache(void);
12489-const char *get_winbind_pipe_dir(void);
12490 char *get_winbind_priv_pipe_dir(void);
12491 struct tevent_context *winbind_event_context(void);
12492 int main(int argc, char **argv, char **envp);
12493--
124941.9.3
12495
12496
12497From d0ae2d10385dea4b8fae3d8932d40f546ff8905b Mon Sep 17 00:00:00 2001
12498From: Andrew Bartlett <abartlet@samba.org>
12499Date: Mon, 14 Oct 2013 15:33:20 +1300
12500Subject: [PATCH 114/249] lib/param: lp_magicchar takes a const struct
12501 share_params *p so should be FN_LOCAL_PARM_CHAR
12502
12503This was found when trying to autogenerate prototypes for lp_ functions again.
12504
12505Andrew Bartlett
12506
12507Signed-off-by: Andrew Bartlett <abartlet@samba.org>
12508Reviewed-by: Stefan Metzmacher <metze@samba.org>
12509---
12510 lib/param/loadparm.c | 2 +-
12511 lib/param/param_functions.c | 2 +-
12512 source3/param/loadparm.c | 2 +-
12513 3 files changed, 3 insertions(+), 3 deletions(-)
12514
12515diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
12516index 455c5e6..4497dbf 100644
12517--- a/lib/param/loadparm.c
12518+++ b/lib/param/loadparm.c
12519@@ -314,7 +314,7 @@ static struct loadparm_context *global_loadparm_context;
12520
12521 #define FN_LOCAL_PARM_INTEGER(fn_name, val) FN_LOCAL_INTEGER(fn_name, val)
12522
12523-#define FN_LOCAL_CHAR(fn_name,val) \
12524+#define FN_LOCAL_PARM_CHAR(fn_name,val) \
12525 _PUBLIC_ char lpcfg_ ## fn_name(struct loadparm_service *service, \
12526 struct loadparm_service *sDefault) { \
12527 return((service != NULL)? service->val : sDefault->val); \
12528diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
12529index d9d5df6..60f9c07 100644
12530--- a/lib/param/param_functions.c
12531+++ b/lib/param/param_functions.c
12532@@ -147,7 +147,7 @@ FN_LOCAL_INTEGER(aio_write_size, iAioWriteSize)
12533 FN_LOCAL_INTEGER(map_readonly, iMap_readonly)
12534 FN_LOCAL_INTEGER(directory_name_cache_size, iDirectoryNameCacheSize)
12535 FN_LOCAL_INTEGER(smb_encrypt, ismb_encrypt)
12536-FN_LOCAL_CHAR(magicchar, magic_char)
12537+FN_LOCAL_PARM_CHAR(magicchar, magic_char)
12538 FN_LOCAL_STRING(cups_options, szCupsOptions)
12539 FN_LOCAL_PARM_BOOL(change_notify, bChangeNotify)
12540 FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
12541diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
12542index b2804ae..40f3242 100644
12543--- a/source3/param/loadparm.c
12544+++ b/source3/param/loadparm.c
12545@@ -1116,7 +1116,7 @@ char *lp_ ## fn_name(TALLOC_CTX *ctx,int i) {return(lp_string((ctx), (LP_SNUM_OK
12546 bool lp_ ## fn_name(const struct share_params *p) {return(bool)(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
12547 #define FN_LOCAL_PARM_INTEGER(fn_name,val) \
12548 int lp_ ## fn_name(const struct share_params *p) {return(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
12549-#define FN_LOCAL_CHAR(fn_name,val) \
12550+#define FN_LOCAL_PARM_CHAR(fn_name,val) \
12551 char lp_ ## fn_name(const struct share_params *p) {return(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
12552
12553
12554--
125551.9.3
12556
12557
12558From bf5cb3b6c6e2d3171b70fff5deb9a7767d6609a8 Mon Sep 17 00:00:00 2001
12559From: Andrew Bartlett <abartlet@samba.org>
12560Date: Mon, 14 Oct 2013 13:47:27 +1300
12561Subject: [PATCH 115/249] build: Move loadparm-related build rules to
12562 source3/param/wscript_build
12563
12564Signed-off-by: Andrew Bartlett <abartlet@samba.org>
12565Reviewed-by: Stefan Metzmacher <metze@samba.org>
12566---
12567 source3/param/wscript_build | 32 ++++++++++++++++++++++++++++++++
12568 source3/wscript_build | 36 ++----------------------------------
12569 2 files changed, 34 insertions(+), 34 deletions(-)
12570 create mode 100644 source3/param/wscript_build
12571
12572diff --git a/source3/param/wscript_build b/source3/param/wscript_build
12573new file mode 100644
12574index 0000000..278d5f5
12575--- /dev/null
12576+++ b/source3/param/wscript_build
12577@@ -0,0 +1,32 @@
12578+#!/usr/bin/env python
12579+
12580+bld.SAMBA3_SUBSYSTEM('PARAM_UTIL',
12581+ source='util.c',
12582+ deps='talloc')
12583+
12584+bld.SAMBA3_SUBSYSTEM('LOADPARM_CTX',
12585+ source='loadparm_ctx.c',
12586+ deps='''talloc s3_param_h param''')
12587+
12588+bld.SAMBA_GENERATOR('s3_param_global_h',
12589+ source= '../../script/mkparamdefs.pl loadparm.c ../../lib/param/param_functions.c',
12590+ target='param_global.h',
12591+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
12592+
12593+bld.SAMBA3_PYTHON('pys3param',
12594+ source='pyparam.c',
12595+ deps='param',
12596+ public_deps='samba-hostconfig pytalloc-util talloc',
12597+ realname='samba/samba3/param.so')
12598+
12599+bld.SAMBA3_SUBSYSTEM('param_service',
12600+ source='service.c',
12601+ deps = 'USER_UTIL param PRINTING')
12602+
12603+bld.SAMBA3_BINARY('test_lp_load',
12604+ source='test_lp_load.c',
12605+ deps='''
12606+ talloc
12607+ param
12608+ popt_samba3''',
12609+ install=False)
12610diff --git a/source3/wscript_build b/source3/wscript_build
12611index 8126cf6..13d15c3 100755
12612--- a/source3/wscript_build
12613+++ b/source3/wscript_build
12614@@ -751,33 +751,9 @@ bld.SAMBA3_SUBSYSTEM('SERVER_MUTEX',
12615 source=SERVER_MUTEX_SRC,
12616 deps='talloc')
12617
12618-bld.SAMBA3_SUBSYSTEM('PARAM_UTIL',
12619- source=PARAM_UTIL_SRC,
12620- deps='talloc')
12621-
12622-bld.SAMBA3_SUBSYSTEM('LOADPARM_CTX',
12623- source='param/loadparm_ctx.c',
12624- deps='''talloc s3_param_h param''',
12625- vars=locals())
12626-
12627-bld.SAMBA_GENERATOR('param/param_global_h',
12628- source= '../script/mkparamdefs.pl param/loadparm.c ../lib/param/param_functions.c',
12629- target='param/param_global.h',
12630- rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
12631-
12632 bld.SAMBA3_SUBSYSTEM('param',
12633 source=PARAM_WITHOUT_REG_SRC,
12634- deps='samba-util PARAM_UTIL ldap lber LOADPARM_CTX samba3core smbconf param_local_h param/param_global_h cups''')
12635-
12636-bld.SAMBA3_PYTHON('pys3param',
12637- source='param/pyparam.c',
12638- deps='param',
12639- public_deps='samba-hostconfig pytalloc-util talloc',
12640- realname='samba/samba3/param.so')
12641-
12642-bld.SAMBA3_SUBSYSTEM('param_service',
12643- source='param/service.c',
12644- deps = 'USER_UTIL param PRINTING')
12645+ deps='samba-util PARAM_UTIL ldap lber LOADPARM_CTX samba3core smbconf param_local_h s3_param_global_h cups''')
12646
12647 bld.SAMBA3_SUBSYSTEM('REGFIO',
12648 source=REGFIO_SRC,
12649@@ -1566,15 +1542,6 @@ bld.SAMBA3_BINARY('rpc_open_tcp',
12650 install=False,
12651 vars=locals())
12652
12653-bld.SAMBA3_BINARY('test_lp_load',
12654- source=TEST_LP_LOAD_SRC,
12655- deps='''
12656- talloc
12657- param
12658- popt_samba3''',
12659- install=False,
12660- vars=locals())
12661-
12662 bld.SAMBA3_BINARY('dbwrap_tool',
12663 source=DBWRAP_TOOL_SRC,
12664 deps='''
12665@@ -1638,6 +1605,7 @@ bld.RECURSE('librpc/idl')
12666 bld.RECURSE('libsmb')
12667 bld.RECURSE('modules')
12668 bld.RECURSE('pam_smbpass')
12669+bld.RECURSE('param')
12670 bld.RECURSE('passdb')
12671 bld.RECURSE('rpc_server')
12672 bld.RECURSE('script')
12673--
126741.9.3
12675
12676
12677From 281cb415404f7044a4bdbc93a21b2f755cbc74ee Mon Sep 17 00:00:00 2001
12678From: Andrew Bartlett <abartlet@samba.org>
12679Date: Mon, 14 Oct 2013 15:34:40 +1300
12680Subject: [PATCH 116/249] lib/param: Do not attempt to access the s3 function
12681 for allocated and subbed string parameters
12682
12683This allows us not to generate array entries for these, which in turn allows
12684us to avoid initialising them. The issue is that we do not have the
12685% macro sub context nor a talloc context handy (yet).
12686
12687Andrew Bartlett
12688
12689Signed-off-by: Andrew Bartlett <abartlet@samba.org>
12690Reviewed-by: Stefan Metzmacher <metze@samba.org>
12691---
12692 lib/param/loadparm.c | 21 ++++++++++-----------
12693 1 file changed, 10 insertions(+), 11 deletions(-)
12694
12695diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
12696index 4497dbf..23b45e2 100644
12697--- a/lib/param/loadparm.c
12698+++ b/lib/param/loadparm.c
12699@@ -232,7 +232,16 @@ static struct loadparm_context *global_loadparm_context;
12700 #define lpcfg_default_service global_loadparm_context->sDefault
12701 #define lpcfg_global_service(i) global_loadparm_context->services[i]
12702
12703-#define FN_GLOBAL_STRING(fn_name,var_name) \
12704+#define FN_GLOBAL_STRING(fn_name,var_name) \
12705+ _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) {\
12706+ if (lp_ctx == NULL) return NULL; \
12707+ if (lp_ctx->s3_fns) { \
12708+ smb_panic( __location__ ": " #fn_name " not implemented because it is an allocated and substiuted string"); \
12709+ } \
12710+ return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
12711+}
12712+
12713+#define FN_GLOBAL_CONST_STRING(fn_name,var_name) \
12714 _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) { \
12715 if (lp_ctx == NULL) return NULL; \
12716 if (lp_ctx->s3_fns) { \
12717@@ -242,16 +251,6 @@ static struct loadparm_context *global_loadparm_context;
12718 return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
12719 }
12720
12721-#define FN_GLOBAL_CONST_STRING(fn_name,var_name) \
12722- _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) {\
12723- if (lp_ctx == NULL) return NULL; \
12724- if (lp_ctx->s3_fns) { \
12725- SMB_ASSERT(lp_ctx->s3_fns->fn_name); \
12726- return lp_ctx->s3_fns->fn_name(); \
12727- } \
12728- return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
12729- }
12730-
12731 #define FN_GLOBAL_LIST(fn_name,var_name) \
12732 _PUBLIC_ const char **lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) { \
12733 if (lp_ctx == NULL) return NULL; \
12734--
127351.9.3
12736
12737
12738From e610d185d26910e6cb96ddf8507c31c5f1503271 Mon Sep 17 00:00:00 2001
12739From: Andrew Bartlett <abartlet@samba.org>
12740Date: Mon, 14 Oct 2013 15:36:18 +1300
12741Subject: [PATCH 117/249] param: Skip generating hooks for local and string
12742 parameters
12743
12744Signed-off-by: Andrew Bartlett <abartlet@samba.org>
12745Reviewed-by: Stefan Metzmacher <metze@samba.org>
12746---
12747 script/mks3param.pl | 9 ++++++++-
12748 1 file changed, 8 insertions(+), 1 deletion(-)
12749
12750diff --git a/script/mks3param.pl b/script/mks3param.pl
12751index 4222ca5..799958c 100644
12752--- a/script/mks3param.pl
12753+++ b/script/mks3param.pl
12754@@ -108,7 +108,14 @@ sub handle_loadparm($$)
12755 {
12756 my ($file,$line) = @_;
12757
12758- if ($line =~ /^FN_(GLOBAL|LOCAL)_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
12759+ # Local parameters don't need the ->s3_fns because the struct
12760+ # loadparm_service is shared and lpcfg_service() checks the ->s3_fns
12761+ # hook
12762+ #
12763+ # STRING isn't handled as we do not yet have a way to pass in a memory context nor
12764+ # do we have a good way of dealing with the % macros yet.
12765+
12766+ if ($line =~ /^FN_(GLOBAL)_(CONST_STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
12767 my $scope = $1;
12768 my $type = $2;
12769 my $name = $3;
12770--
127711.9.3
12772
12773
12774From 970290dc75404ab366617210edfca718fe21864b Mon Sep 17 00:00:00 2001
12775From: Andrew Bartlett <abartlet@samba.org>
12776Date: Mon, 14 Oct 2013 15:39:10 +1300
12777Subject: [PATCH 118/249] s3/param: Autogenerate parameters prototypes again
12778 after proto.h was frozen
12779
12780This autogenerates the parameters so that we can keep everything in sync easier,
12781particularly when adding new parameters. This will also make it easier to move
12782to a fully autogenerated system in the future, as it reduces special cases.
12783
12784Andrew Bartlett
12785
12786Signed-off-by: Andrew Bartlett <abartlet@samba.org>
12787Reviewed-by: Stefan Metzmacher <metze@samba.org>
12788---
12789 script/mks3param_proto.pl | 199 ++++++++++++++++++++++++++++++++++++++++++++
12790 source3/include/proto.h | 2 +
12791 source3/param/wscript_build | 5 ++
12792 3 files changed, 206 insertions(+)
12793 create mode 100644 script/mks3param_proto.pl
12794
12795diff --git a/script/mks3param_proto.pl b/script/mks3param_proto.pl
12796new file mode 100644
12797index 0000000..446e343
12798--- /dev/null
12799+++ b/script/mks3param_proto.pl
12800@@ -0,0 +1,199 @@
12801+#!/usr/bin/perl
12802+# Generate loadparm interfaces tables for Samba3/Samba4 integration
12803+# by Andrew Bartlett
12804+# based on mkproto.pl Written by Jelmer Vernooij
12805+# based on the original mkproto.sh by Andrew Tridgell
12806+
12807+use strict;
12808+
12809+# don't use warnings module as it is not portable enough
12810+# use warnings;
12811+
12812+use Getopt::Long;
12813+use File::Basename;
12814+use File::Path;
12815+
12816+#####################################################################
12817+# read a file into a string
12818+
12819+my $file = undef;
12820+my $public_define = undef;
12821+my $_public = "";
12822+my $_private = "";
12823+my $public_data = \$_public;
12824+my $builddir = ".";
12825+my $srcdir = ".";
12826+
12827+sub public($)
12828+{
12829+ my ($d) = @_;
12830+ $$public_data .= $d;
12831+}
12832+
12833+sub usage()
12834+{
12835+ print "Usage: mks3param.pl [options] [c files]\n";
12836+ print "OPTIONS:\n";
12837+ print " --srcdir=path Read files relative to this directory\n";
12838+ print " --builddir=path Write file relative to this directory\n";
12839+ print " --help Print this help message\n\n";
12840+ exit 0;
12841+}
12842+
12843+GetOptions(
12844+ 'file=s' => sub { my ($f,$v) = @_; $file = $v; },
12845+ 'srcdir=s' => sub { my ($f,$v) = @_; $srcdir = $v; },
12846+ 'builddir=s' => sub { my ($f,$v) = @_; $builddir = $v; },
12847+ 'help' => \&usage
12848+) or exit(1);
12849+
12850+sub normalize_define($$)
12851+{
12852+ my ($define, $file) = @_;
12853+
12854+ if (not defined($define) and defined($file)) {
12855+ $define = "__" . uc($file) . "__";
12856+ $define =~ tr{./}{__};
12857+ $define =~ tr{\-}{_};
12858+ } elsif (not defined($define)) {
12859+ $define = '_S3_PARAM_PROTO_H_';
12860+ }
12861+
12862+ return $define;
12863+}
12864+
12865+$public_define = normalize_define($public_define, $file);
12866+
12867+sub file_load($)
12868+{
12869+ my($filename) = @_;
12870+ local(*INPUTFILE);
12871+ open(INPUTFILE, $filename) or return undef;
12872+ my($saved_delim) = $/;
12873+ undef $/;
12874+ my($data) = <INPUTFILE>;
12875+ close(INPUTFILE);
12876+ $/ = $saved_delim;
12877+ return $data;
12878+}
12879+
12880+sub print_header($$)
12881+{
12882+ my ($file, $header_name) = @_;
12883+ $file->("#ifndef $header_name\n");
12884+ $file->("#define $header_name\n\n");
12885+ $file->("/* This file was automatically generated by mks3param_proto.pl. DO NOT EDIT */\n\n");
12886+}
12887+
12888+sub print_footer($$)
12889+{
12890+ my ($file, $header_name) = @_;
12891+ $file->("\n#endif /* $header_name */\n\n");
12892+}
12893+
12894+sub handle_loadparm($$)
12895+{
12896+ my ($file,$line) = @_;
12897+
12898+ my $scope;
12899+ my $type;
12900+ my $name;
12901+ my $var;
12902+ my $param;
12903+
12904+ if ($line =~ /^FN_(GLOBAL|LOCAL)_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),(.*)\)/o) {
12905+ $scope = $1;
12906+ $type = $2;
12907+ $name = $3;
12908+ $var = $4;
12909+ $param = "int";
12910+ } elsif ($line =~ /^FN_(GLOBAL|LOCAL)_PARM_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),(.*)\)/o) {
12911+ $scope = $1;
12912+ $type = $2;
12913+ $name = $3;
12914+ $var = $4;
12915+ $param = "const struct share_params *p";
12916+ } else {
12917+ return;
12918+ }
12919+
12920+ my %tmap = (
12921+ "BOOL" => "bool ",
12922+ "CONST_STRING" => "const char *",
12923+ "STRING" => "char *",
12924+ "INTEGER" => "int ",
12925+ "CHAR" => "char ",
12926+ "LIST" => "const char **",
12927+ );
12928+
12929+ my %smap = (
12930+ "GLOBAL" => "void",
12931+ "LOCAL" => "$param"
12932+ );
12933+
12934+ if (($type eq "STRING") and ($scope eq "GLOBAL")) {
12935+ $file->("$tmap{$type}lp_$name(TALLOC_CTX *ctx);\n");
12936+ } elsif (($type eq "STRING") and ($scope eq "LOCAL")) {
12937+ $file->("$tmap{$type}lp_$name(TALLOC_CTX *ctx, $smap{$scope});\n");
12938+ } else {
12939+ $file->("$tmap{$type}lp_$name($smap{$scope});\n");
12940+ }
12941+}
12942+
12943+sub process_file($$)
12944+{
12945+ my ($file, $filename) = @_;
12946+
12947+ $filename =~ s/\.o$/\.c/g;
12948+
12949+ if ($filename =~ /^\//) {
12950+ open(FH, "<$filename") or die("Failed to open $filename");
12951+ } elsif (!open(FH, "< $builddir/$filename")) {
12952+ open(FH, "< $srcdir/$filename") || die "Failed to open $filename";
12953+ }
12954+
12955+ my $comment = undef;
12956+ my $incomment = 0;
12957+ while (my $line = <FH>) {
12958+ if ($line =~ /^\/\*\*/) {
12959+ $comment = "";
12960+ $incomment = 1;
12961+ }
12962+
12963+ if ($incomment) {
12964+ $comment .= $line;
12965+ if ($line =~ /\*\//) {
12966+ $incomment = 0;
12967+ }
12968+ }
12969+
12970+ # these are ordered for maximum speed
12971+ next if ($line =~ /^\s/);
12972+
12973+ next unless ($line =~ /\(/);
12974+
12975+ next if ($line =~ /^\/|[;]/);
12976+
12977+ if ($line =~ /^FN_/) {
12978+ handle_loadparm($file, $line);
12979+ }
12980+ next;
12981+ }
12982+
12983+ close(FH);
12984+}
12985+
12986+
12987+print_header(\&public, $public_define);
12988+
12989+process_file(\&public, $_) foreach (@ARGV);
12990+print_footer(\&public, $public_define);
12991+
12992+if (not defined($file)) {
12993+ print STDOUT $$public_data;
12994+}
12995+
12996+mkpath(dirname($file), 0, 0755);
12997+open(PUBLIC, ">$file") or die("Can't open `$file': $!");
12998+print PUBLIC "$$public_data";
12999+close(PUBLIC);
13000diff --git a/source3/include/proto.h b/source3/include/proto.h
13001index 53cd59d..614baa4 100644
13002--- a/source3/include/proto.h
13003+++ b/source3/include/proto.h
13004@@ -993,6 +993,8 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
13005
13006 /* The following definitions come from param/loadparm.c */
13007
13008+#include "source3/param/param_proto.h"
13009+
13010 const char **lp_smb_ports(void);
13011 const char *lp_dos_charset(void);
13012 const char *lp_unix_charset(void);
13013diff --git a/source3/param/wscript_build b/source3/param/wscript_build
13014index 278d5f5..643c27e 100644
13015--- a/source3/param/wscript_build
13016+++ b/source3/param/wscript_build
13017@@ -13,6 +13,11 @@ bld.SAMBA_GENERATOR('s3_param_global_h',
13018 target='param_global.h',
13019 rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
13020
13021+bld.SAMBA_GENERATOR('s3_param_proto_h',
13022+ source= '../../script/mks3param_proto.pl loadparm.c ../../lib/param/param_functions.c',
13023+ target='param_proto.h',
13024+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
13025+
13026 bld.SAMBA3_PYTHON('pys3param',
13027 source='pyparam.c',
13028 deps='param',
13029--
130301.9.3
13031
13032
13033From 4f87a4ca65b386e90cca479aabdf9051de2c67e3 Mon Sep 17 00:00:00 2001
13034From: Andrew Bartlett <abartlet@samba.org>
13035Date: Mon, 14 Oct 2013 15:46:43 +1300
13036Subject: [PATCH 119/249] param: Autogenerate s3 lp_ctx glue table
13037
13038This allows us to use more lpcfg_ functions without adding them
13039manually.
13040
13041Signed-off-by: Andrew Bartlett <abartlet@samba.org>
13042Reviewed-by: Stefan Metzmacher <metze@samba.org>
13043---
13044 lib/param/wscript_build | 1 +
13045 script/mks3param_ctx_table.pl | 139 ++++++++++++++++++++++++++++++++++++++++++
13046 source3/param/loadparm_ctx.c | 64 +------------------
13047 source3/param/wscript_build | 5 ++
13048 4 files changed, 146 insertions(+), 63 deletions(-)
13049 create mode 100644 script/mks3param_ctx_table.pl
13050
13051diff --git a/lib/param/wscript_build b/lib/param/wscript_build
13052index 10e05a3..0e1a2e0 100644
13053--- a/lib/param/wscript_build
13054+++ b/lib/param/wscript_build
13055@@ -11,6 +11,7 @@ bld.SAMBA_GENERATOR('s3_param_h',
13056 target='s3_param.h',
13057 rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
13058
13059+
13060 bld.SAMBA_GENERATOR('param_global_h',
13061 source= '../../script/mkparamdefs.pl loadparm.c param_functions.c',
13062 target='param_global.h',
13063diff --git a/script/mks3param_ctx_table.pl b/script/mks3param_ctx_table.pl
13064new file mode 100644
13065index 0000000..cfd6e02
13066--- /dev/null
13067+++ b/script/mks3param_ctx_table.pl
13068@@ -0,0 +1,139 @@
13069+#!/usr/bin/perl
13070+# Generate loadparm interfaces tables for Samba3/Samba4 integration
13071+# by Andrew Bartlett
13072+# based on mkproto.pl Written by Jelmer Vernooij
13073+# based on the original mkproto.sh by Andrew Tridgell
13074+
13075+use strict;
13076+
13077+# don't use warnings module as it is not portable enough
13078+# use warnings;
13079+
13080+use Getopt::Long;
13081+use File::Basename;
13082+use File::Path;
13083+
13084+#####################################################################
13085+# read a file into a string
13086+
13087+my $file = undef;
13088+my $public_define = undef;
13089+my $_public = "";
13090+my $_private = "";
13091+my $public_data = \$_public;
13092+my $builddir = ".";
13093+my $srcdir = ".";
13094+
13095+sub public($)
13096+{
13097+ my ($d) = @_;
13098+ $$public_data .= $d;
13099+}
13100+
13101+sub usage()
13102+{
13103+ print "Usage: mks3param.pl [options] [c files]\n";
13104+ print "OPTIONS:\n";
13105+ print " --srcdir=path Read files relative to this directory\n";
13106+ print " --builddir=path Write file relative to this directory\n";
13107+ print " --help Print this help message\n\n";
13108+ exit 0;
13109+}
13110+
13111+GetOptions(
13112+ 'file=s' => sub { my ($f,$v) = @_; $file = $v; },
13113+ 'srcdir=s' => sub { my ($f,$v) = @_; $srcdir = $v; },
13114+ 'builddir=s' => sub { my ($f,$v) = @_; $builddir = $v; },
13115+ 'help' => \&usage
13116+) or exit(1);
13117+
13118+sub file_load($)
13119+{
13120+ my($filename) = @_;
13121+ local(*INPUTFILE);
13122+ open(INPUTFILE, $filename) or return undef;
13123+ my($saved_delim) = $/;
13124+ undef $/;
13125+ my($data) = <INPUTFILE>;
13126+ close(INPUTFILE);
13127+ $/ = $saved_delim;
13128+ return $data;
13129+}
13130+
13131+sub print_header($)
13132+{
13133+ my ($file) = @_;
13134+ $file->("/* This file was automatically generated by mks3param_ctx.pl. DO NOT EDIT */\n\n");
13135+ $file->("static const struct loadparm_s3_helpers s3_fns = \n");
13136+ $file->("{\n");
13137+ $file->("\t.get_parametric = lp_parm_const_string_service,\n");
13138+ $file->("\t.get_parm_struct = lp_get_parameter,\n");
13139+ $file->("\t.get_parm_ptr = lp_parm_ptr,\n");
13140+ $file->("\t.get_service = lp_service_for_s4_ctx,\n");
13141+ $file->("\t.get_servicebynum = lp_servicebynum_for_s4_ctx,\n");
13142+ $file->("\t.get_default_loadparm_service = lp_default_loadparm_service,\n");
13143+ $file->("\t.get_numservices = lp_numservices,\n");
13144+ $file->("\t.load = lp_load_for_s4_ctx,\n");
13145+ $file->("\t.set_cmdline = lp_set_cmdline,\n");
13146+ $file->("\t.dump = lp_dump,\n");
13147+}
13148+
13149+sub print_footer($)
13150+{
13151+ my ($file) = @_;
13152+ $file->("};");
13153+}
13154+
13155+sub handle_loadparm($$)
13156+{
13157+ my ($file,$line) = @_;
13158+
13159+ # STRING isn't handled here, as we still don't know what to do with the substituted vars */
13160+ # LOCAL also isn't handled here
13161+ if ($line =~ /^FN_(GLOBAL)_(CONST_STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
13162+ my $scope = $1;
13163+ my $type = $2;
13164+ my $name = $3;
13165+
13166+ $file->(".$name = lp_$name,\n");
13167+ }
13168+}
13169+
13170+sub process_file($$)
13171+{
13172+ my ($file, $filename) = @_;
13173+
13174+ $filename =~ s/\.o$/\.c/g;
13175+
13176+ if ($filename =~ /^\//) {
13177+ open(FH, "<$filename") or die("Failed to open $filename");
13178+ } elsif (!open(FH, "< $builddir/$filename")) {
13179+ open(FH, "< $srcdir/$filename") || die "Failed to open $filename";
13180+ }
13181+
13182+ my $comment = undef;
13183+ my $incomment = 0;
13184+ while (my $line = <FH>) {
13185+ if ($line =~ /^FN_/) {
13186+ handle_loadparm($file, $line);
13187+ }
13188+ next;
13189+ }
13190+
13191+ close(FH);
13192+}
13193+
13194+
13195+print_header(\&public);
13196+
13197+process_file(\&public, $_) foreach (@ARGV);
13198+print_footer(\&public);
13199+
13200+if (not defined($file)) {
13201+ print STDOUT $$public_data;
13202+}
13203+
13204+mkpath(dirname($file), 0, 0755);
13205+open(PUBLIC, ">$file") or die("Can't open `$file': $!");
13206+print PUBLIC "$$public_data";
13207+close(PUBLIC);
13208diff --git a/source3/param/loadparm_ctx.c b/source3/param/loadparm_ctx.c
13209index 63ead53..5cbc920 100644
13210--- a/source3/param/loadparm_ctx.c
13211+++ b/source3/param/loadparm_ctx.c
13212@@ -56,69 +56,7 @@ static bool lp_load_for_s4_ctx(const char *filename)
13213 return status;
13214 }
13215
13216-/* These are in the order that they appear in the s4 loadparm file.
13217- * All of the s4 loadparm functions should be here eventually, once
13218- * they are implemented in the s3 loadparm, have the same format (enum
13219- * values in particular) and defaults. */
13220-static const struct loadparm_s3_helpers s3_fns =
13221-{
13222- .get_parametric = lp_parm_const_string_service,
13223- .get_parm_struct = lp_get_parameter,
13224- .get_parm_ptr = lp_parm_ptr,
13225- .get_service = lp_service_for_s4_ctx,
13226- .get_servicebynum = lp_servicebynum_for_s4_ctx,
13227- .get_default_loadparm_service = lp_default_loadparm_service,
13228- .get_numservices = lp_numservices,
13229- .load = lp_load_for_s4_ctx,
13230- .set_cmdline = lp_set_cmdline,
13231- .dump = lp_dump,
13232-
13233- ._server_role = lp__server_role,
13234- ._security = lp__security,
13235- ._domain_master = lp__domain_master,
13236- ._domain_logons = lp__domain_logons,
13237-
13238- .winbind_separator = lp_winbind_separator,
13239- .template_homedir = lp_template_homedir,
13240- .template_shell = lp_template_shell,
13241-
13242- .dos_charset = lp_dos_charset,
13243- .unix_charset = lp_unix_charset,
13244-
13245- .realm = lp_realm,
13246- .dnsdomain = lp_dnsdomain,
13247- .socket_options = lp_socket_options,
13248- .workgroup = lp_workgroup,
13249-
13250- .netbios_name = lp_netbios_name,
13251- .netbios_scope = lp_netbios_scope,
13252- .netbios_aliases = lp_netbios_aliases,
13253-
13254- .lanman_auth = lp_lanman_auth,
13255- .ntlm_auth = lp_ntlm_auth,
13256-
13257- .client_plaintext_auth = lp_client_plaintext_auth,
13258- .client_lanman_auth = lp_client_lanman_auth,
13259- .client_ntlmv2_auth = lp_client_ntlmv2_auth,
13260- .client_use_spnego_principal = lp_client_use_spnego_principal,
13261-
13262- .private_dir = lp_private_dir,
13263- .ncalrpc_dir = lp_ncalrpc_dir,
13264- .lockdir = lp_lockdir,
13265-
13266- .passdb_backend = lp_passdb_backend,
13267-
13268- .host_msdfs = lp_host_msdfs,
13269- .unix_extensions = lp_unix_extensions,
13270- .use_spnego = lp_use_spnego,
13271- .use_mmap = lp_use_mmap,
13272- .use_ntdb = lp_use_ntdb,
13273-
13274- .srv_minprotocol = lp_srv_minprotocol,
13275- .srv_maxprotocol = lp_srv_maxprotocol,
13276-
13277- .passwordserver = lp_passwordserver
13278-};
13279+#include "loadparm_ctx_table.c"
13280
13281 const struct loadparm_s3_helpers *loadparm_s3_helpers(void)
13282 {
13283diff --git a/source3/param/wscript_build b/source3/param/wscript_build
13284index 643c27e..673cb4d 100644
13285--- a/source3/param/wscript_build
13286+++ b/source3/param/wscript_build
13287@@ -18,6 +18,11 @@ bld.SAMBA_GENERATOR('s3_param_proto_h',
13288 target='param_proto.h',
13289 rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
13290
13291+bld.SAMBA_GENERATOR('s3_loadparm_ctx_table_c',
13292+ source= ' ../../script/mks3param_ctx_table.pl ../../lib/param/loadparm.c ../../lib/param/param_functions.c',
13293+ target='loadparm_ctx_table.c',
13294+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
13295+
13296 bld.SAMBA3_PYTHON('pys3param',
13297 source='pyparam.c',
13298 deps='param',
13299--
133001.9.3
13301
13302
13303From 0046f49e1c690cf5b119859650f06559697fd103 Mon Sep 17 00:00:00 2001
13304From: Andrew Bartlett <abartlet@samba.org>
13305Date: Mon, 14 Oct 2013 15:49:25 +1300
13306Subject: [PATCH 120/249] proto: Remove manually written lp_ prototypes
13307
13308This also ensures we remove prototypes from parameters we remove or
13309rename, and easily see how many special cases we have left.
13310
13311Signed-off-by: Andrew Bartlett <abartlet@samba.org>
13312Reviewed-by: Stefan Metzmacher <metze@samba.org>
13313---
13314 source3/include/proto.h | 361 +-----------------------------------------------
13315 1 file changed, 1 insertion(+), 360 deletions(-)
13316
13317diff --git a/source3/include/proto.h b/source3/include/proto.h
13318index 614baa4..5e068d2 100644
13319--- a/source3/include/proto.h
13320+++ b/source3/include/proto.h
13321@@ -995,379 +995,20 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
13322
13323 #include "source3/param/param_proto.h"
13324
13325-const char **lp_smb_ports(void);
13326-const char *lp_dos_charset(void);
13327-const char *lp_unix_charset(void);
13328-char *lp_logfile(TALLOC_CTX *ctx);
13329-char *lp_configfile(TALLOC_CTX *ctx);
13330-const char *lp_smb_passwd_file(void);
13331-const char *lp_private_dir(void);
13332-char *lp_serverstring(TALLOC_CTX *ctx);
13333-int lp_printcap_cache_time(void);
13334-char *lp_addport_cmd(TALLOC_CTX *ctx);
13335-char *lp_enumports_cmd(TALLOC_CTX *ctx);
13336-char *lp_addprinter_cmd(TALLOC_CTX *ctx);
13337-char *lp_deleteprinter_cmd(TALLOC_CTX *ctx);
13338-char *lp_os2_driver_map(TALLOC_CTX *ctx);
13339-const char *lp_lockdir(void);
13340 const char *lp_statedir(void);
13341 const char *lp_cachedir(void);
13342-const char *lp_piddir(void);
13343-char *lp_mangling_method(TALLOC_CTX *ctx);
13344-int lp_mangle_prefix(void);
13345-const char *lp_utmpdir(void);
13346-const char *lp_wtmpdir(void);
13347-bool lp_utmp(void);
13348-char *lp_rootdir(TALLOC_CTX *ctx);
13349-char *lp_defaultservice(TALLOC_CTX *ctx);
13350-char *lp_msg_command(TALLOC_CTX *ctx);
13351-char *lp_get_quota_command(TALLOC_CTX *ctx);
13352-char *lp_set_quota_command(TALLOC_CTX *ctx);
13353-char *lp_auto_services(TALLOC_CTX *ctx);
13354-char *lp_passwd_program(TALLOC_CTX *ctx);
13355-char *lp_passwd_chat(TALLOC_CTX *ctx);
13356-const char *lp_passwordserver(void);
13357-const char **lp_name_resolve_order(void);
13358-const char *lp_netbios_scope(void);
13359-const char *lp_netbios_name(void);
13360-const char *lp_workgroup(void);
13361-const char *lp_realm(void);
13362-const char *lp_dnsdomain(void);
13363-const char *lp_afs_username_map(void);
13364-int lp_afs_token_lifetime(void);
13365-char *lp_log_nt_token_command(TALLOC_CTX *ctx);
13366-char *lp_username_map(TALLOC_CTX *ctx);
13367-const char *lp_logon_script(void);
13368-const char *lp_logon_path(void);
13369-const char *lp_logon_drive(void);
13370-const char *lp_logon_home(void);
13371-char *lp_remote_announce(TALLOC_CTX *ctx);
13372-char *lp_remote_browse_sync(TALLOC_CTX *ctx);
13373-bool lp_nmbd_bind_explicit_broadcast(void);
13374-const char **lp_wins_server_list(void);
13375-const char **lp_interfaces(void);
13376-const char *lp_nbt_client_socket_address(void);
13377-char *lp_nis_home_map_name(TALLOC_CTX *ctx);
13378-const char **lp_netbios_aliases(void);
13379-const char *lp_passdb_backend(void);
13380-const char **lp_preload_modules(void);
13381-char *lp_panic_action(TALLOC_CTX *ctx);
13382-char *lp_adduser_script(TALLOC_CTX *ctx);
13383-char *lp_renameuser_script(TALLOC_CTX *ctx);
13384-char *lp_deluser_script(TALLOC_CTX *ctx);
13385-const char *lp_guestaccount(void);
13386-char *lp_addgroup_script(TALLOC_CTX *ctx);
13387-char *lp_delgroup_script(TALLOC_CTX *ctx);
13388-char *lp_addusertogroup_script(TALLOC_CTX *ctx);
13389-char *lp_deluserfromgroup_script(TALLOC_CTX *ctx);
13390-char *lp_setprimarygroup_script(TALLOC_CTX *ctx);
13391-char *lp_addmachine_script(TALLOC_CTX *ctx);
13392-char *lp_shutdown_script(TALLOC_CTX *ctx);
13393-char *lp_abort_shutdown_script(TALLOC_CTX *ctx);
13394-char *lp_username_map_script(TALLOC_CTX *ctx);
13395-int lp_username_map_cache_time(void);
13396-char *lp_check_password_script(TALLOC_CTX *ctx);
13397-char *lp_wins_hook(TALLOC_CTX *ctx);
13398-const char *lp_template_homedir(void);
13399-const char *lp_template_shell(void);
13400-const char *lp_winbind_separator(void);
13401-const char *lp_winbindd_socket_directory(void);
13402-bool lp_winbind_enum_users(void);
13403-bool lp_winbind_enum_groups(void);
13404-bool lp_winbind_use_default_domain(void);
13405-bool lp_winbind_trusted_domains_only(void);
13406-bool lp_winbind_nested_groups(void);
13407-int lp_winbind_expand_groups(void);
13408-bool lp_winbind_refresh_tickets(void);
13409-bool lp_winbind_offline_logon(void);
13410-bool lp_winbind_normalize_names(void);
13411-bool lp_winbind_rpc_only(void);
13412-bool lp_create_krb5_conf(void);
13413 int lp_winbind_max_domain_connections(void);
13414-int lp_idmap_cache_time(void);
13415-int lp_idmap_negative_cache_time(void);
13416 bool lp_idmap_range(const char *domain_name, uint32_t *low, uint32_t *high);
13417 bool lp_idmap_default_range(uint32_t *low, uint32_t *high);
13418 const char *lp_idmap_backend(const char *domain_name);
13419 const char *lp_idmap_default_backend (void);
13420-int lp_keepalive(void);
13421-bool lp_passdb_expand_explicit(void);
13422-char *lp_ldap_suffix(TALLOC_CTX *ctx);
13423-char *lp_ldap_admin_dn(TALLOC_CTX *ctx);
13424-int lp_ldap_ssl(void);
13425-bool lp_ldap_ssl_ads(void);
13426-int lp_ldap_deref(void);
13427-int lp_ldap_follow_referral(void);
13428-int lp_ldap_passwd_sync(void);
13429-bool lp_ldap_delete_dn(void);
13430-int lp_ldap_replication_sleep(void);
13431-int lp_ldap_timeout(void);
13432-int lp_ldap_connection_timeout(void);
13433-int lp_ldap_page_size(void);
13434-int lp_ldap_debug_level(void);
13435-int lp_ldap_debug_threshold(void);
13436-char *lp_add_share_cmd(TALLOC_CTX *ctx);
13437-char *lp_change_share_cmd(TALLOC_CTX *ctx);
13438-char *lp_delete_share_cmd(TALLOC_CTX *ctx);
13439-char *lp_usershare_path(TALLOC_CTX *ctx);
13440-const char **lp_usershare_prefix_allow_list(void);
13441-const char **lp_usershare_prefix_deny_list(void);
13442-const char **lp_eventlog_list(void);
13443-bool lp_registry_shares(void);
13444-bool lp_usershare_allow_guests(void);
13445-bool lp_usershare_owner_only(void);
13446-bool lp_disable_netbios(void);
13447-bool lp_reset_on_zero_vc(void);
13448-bool lp_log_writeable_files_on_exit(void);
13449-bool lp_ms_add_printer_wizard(void);
13450-bool lp_wins_dns_proxy(void);
13451-bool lp_we_are_a_wins_server(void);
13452-bool lp_wins_proxy(void);
13453-bool lp_local_master(void);
13454-const char **lp_init_logon_delayed_hosts(void);
13455-int lp_init_logon_delay(void);
13456-bool lp_load_printers(void);
13457 bool lp_readraw(void);
13458-bool lp_large_readwrite(void);
13459 bool lp_writeraw(void);
13460-bool lp_null_passwords(void);
13461-bool lp_obey_pam_restrictions(void);
13462-bool lp_encrypted_passwords(void);
13463-int lp_client_schannel(void);
13464-int lp_server_schannel(void);
13465-bool lp_syslog_only(void);
13466-bool lp_timestamp_logs(void);
13467-bool lp_debug_prefix_timestamp(void);
13468-bool lp_debug_hires_timestamp(void);
13469-bool lp_debug_pid(void);
13470-bool lp_debug_uid(void);
13471-bool lp_debug_class(void);
13472-bool lp_enable_core_files(void);
13473-bool lp_browse_list(void);
13474-bool lp_nis_home_map(void);
13475-bool lp_bind_interfaces_only(void);
13476-bool lp_pam_password_change(void);
13477-bool lp_unix_password_sync(void);
13478-bool lp_passwd_chat_debug(void);
13479-int lp_passwd_chat_timeout(void);
13480-bool lp_nt_pipe_support(void);
13481-bool lp_nt_status_support(void);
13482-bool lp_stat_cache(void);
13483-int lp_max_stat_cache_size(void);
13484-bool lp_allow_trusted_domains(void);
13485-bool lp_map_untrusted_to_domain(void);
13486-int lp_restrict_anonymous(void);
13487-bool lp_lanman_auth(void);
13488-bool lp_ntlm_auth(void);
13489-bool lp_client_plaintext_auth(void);
13490-bool lp_client_lanman_auth(void);
13491-bool lp_client_ntlmv2_auth(void);
13492-bool lp_host_msdfs(void);
13493-bool lp_enhanced_browsing(void);
13494-bool lp_use_mmap(void);
13495-bool lp_use_ntdb(void);
13496-bool lp_unix_extensions(void);
13497-bool lp_unicode(void);
13498-bool lp_use_spnego(void);
13499-bool lp_client_use_spnego(void);
13500-bool lp_client_use_spnego_principal(void);
13501-bool lp_hostname_lookups(void);
13502-bool lp_change_notify(const struct share_params *p );
13503-bool lp_kernel_change_notify(const struct share_params *p );
13504-const char * lp_dedicated_keytab_file(void);
13505-int lp_kerberos_method(void);
13506-bool lp_defer_sharing_violations(void);
13507-bool lp_enable_privileges(void);
13508-bool lp_enable_asu_support(void);
13509-int lp_os_level(void);
13510-int lp_max_ttl(void);
13511-int lp_max_wins_ttl(void);
13512-int lp_min_wins_ttl(void);
13513-int lp_max_log_size(void);
13514-int lp_max_open_files(void);
13515-int lp_open_files_db_hash_size(void);
13516-int lp_max_xmit(void);
13517-int lp_maxmux(void);
13518-int lp_passwordlevel(void);
13519-int lp_usernamelevel(void);
13520-int lp_deadtime(void);
13521-bool lp_getwd_cache(void);
13522-int lp_srv_maxprotocol(void);
13523-int lp_srv_minprotocol(void);
13524-int lp_cli_maxprotocol(void);
13525-int lp_cli_minprotocol(void);
13526 int lp_security(void);
13527-int lp__server_role(void);
13528-int lp__security(void);
13529-int lp__domain_master(void);
13530-bool lp__domain_logons(void);
13531-const char **lp_auth_methods(void);
13532-bool lp_paranoid_server_security(void);
13533-int lp_maxdisksize(void);
13534-int lp_lpqcachetime(void);
13535-int lp_max_smbd_processes(void);
13536-bool lp__disable_spoolss(void);
13537-int lp_syslog(void);
13538-int lp_lm_announce(void);
13539-int lp_lm_interval(void);
13540-int lp_machine_password_timeout(void);
13541-int lp_map_to_guest(void);
13542-int lp_oplock_break_wait_time(void);
13543-int lp_lock_spin_time(void);
13544-int lp_usershare_max_shares(void);
13545-const char *lp_socket_options(void);
13546-int lp_config_backend(void);
13547-int lp_smb2_max_read(void);
13548-int lp_smb2_max_write(void);
13549-int lp_smb2_max_trans(void);
13550 int lp_smb2_max_credits(void);
13551-char *lp_preexec(TALLOC_CTX *ctx, int );
13552-char *lp_postexec(TALLOC_CTX *ctx, int );
13553-char *lp_rootpreexec(TALLOC_CTX *ctx, int );
13554-char *lp_rootpostexec(TALLOC_CTX *ctx, int );
13555-char *lp_servicename(TALLOC_CTX *ctx, int );
13556-const char *lp_const_servicename(int );
13557-char *lp_pathname(TALLOC_CTX *ctx, int );
13558-char *lp_dontdescend(TALLOC_CTX *ctx, int );
13559-char *lp_username(TALLOC_CTX *ctx, int );
13560-const char **lp_invalid_users(int );
13561-const char **lp_valid_users(int );
13562-const char **lp_admin_users(int );
13563-const char **lp_svcctl_list(void);
13564-char *lp_cups_options(TALLOC_CTX *ctx, int );
13565-char *lp_cups_server(TALLOC_CTX *ctx);
13566 int lp_cups_encrypt(void);
13567-char *lp_iprint_server(TALLOC_CTX *ctx);
13568-int lp_cups_connection_timeout(void);
13569-const char *lp_ctdbd_socket(void);
13570-const char *_lp_ctdbd_socket(void);
13571-const char **lp_cluster_addresses(void);
13572-bool lp_clustering(void);
13573-int lp_ctdb_timeout(void);
13574-int lp_ctdb_locktime_warn_threshold(void);
13575-char *lp_printcommand(TALLOC_CTX *ctx, int );
13576-char *lp_lpqcommand(TALLOC_CTX *ctx, int );
13577-char *lp_lprmcommand(TALLOC_CTX *ctx, int );
13578-char *lp_lppausecommand(TALLOC_CTX *ctx, int );
13579-char *lp_lpresumecommand(TALLOC_CTX *ctx, int );
13580-char *lp_queuepausecommand(TALLOC_CTX *ctx, int );
13581-char *lp_queueresumecommand(TALLOC_CTX *ctx, int );
13582-const char *lp_printjob_username(int );
13583-const char **lp_hostsallow(int );
13584-const char **lp_hostsdeny(int );
13585-char *lp_magicscript(TALLOC_CTX *ctx, int );
13586-char *lp_magicoutput(TALLOC_CTX *ctx, int );
13587-char *lp_comment(TALLOC_CTX *ctx, int );
13588-char *lp_force_user(TALLOC_CTX *ctx, int );
13589-char *lp_force_group(TALLOC_CTX *ctx, int );
13590-const char **lp_readlist(int );
13591-const char **lp_writelist(int );
13592-char *lp_fstype(TALLOC_CTX *ctx, int );
13593-const char **lp_vfs_objects(int );
13594-char *lp_msdfs_proxy(TALLOC_CTX *ctx, int );
13595-char *lp_veto_files(TALLOC_CTX *ctx, int );
13596-char *lp_hide_files(TALLOC_CTX *ctx, int );
13597-char *lp_veto_oplocks(TALLOC_CTX *ctx, int );
13598-bool lp_msdfs_root(int );
13599-char *lp_aio_write_behind(TALLOC_CTX *ctx, int );
13600-char *lp_dfree_command(TALLOC_CTX *ctx, int );
13601-bool lp_autoloaded(int );
13602-bool lp_preexec_close(int );
13603-bool lp_rootpreexec_close(int );
13604-int lp_casesensitive(int );
13605-bool lp_preservecase(int );
13606-bool lp_shortpreservecase(int );
13607-bool lp_hide_dot_files(int );
13608-bool lp_hide_special_files(int );
13609-bool lp_hideunreadable(int );
13610-bool lp_hideunwriteable_files(int );
13611-bool lp_browseable(int );
13612-bool lp_access_based_share_enum(int );
13613-bool lp_readonly(int );
13614-bool lp_guest_ok(int );
13615-bool lp_guest_only(int );
13616-bool lp_administrative_share(int );
13617-bool lp_print_ok(int );
13618-bool lp_print_notify_backchannel(int );
13619-bool lp_map_hidden(int );
13620-bool lp_map_archive(int );
13621-bool lp_store_dos_attributes(int );
13622-bool lp_dmapi_support(int );
13623-bool lp_locking(const struct share_params *p );
13624-int lp_strict_locking(const struct share_params *p );
13625-bool lp_posix_locking(const struct share_params *p );
13626-bool lp_oplocks(int );
13627-bool lp_kernel_oplocks(int );
13628-bool lp_level2_oplocks(int );
13629-bool lp_kernel_share_modes(int);
13630-bool lp_onlyuser(int );
13631-bool lp_manglednames(const struct share_params *p );
13632-bool lp_allow_insecure_widelinks(void);
13633 bool lp_widelinks(int );
13634-bool lp_symlinks(int );
13635-bool lp_syncalways(int );
13636-bool lp_strict_allocate(int );
13637-bool lp_strict_sync(int );
13638-bool lp_map_system(int );
13639-bool lp_delete_readonly(int );
13640-bool lp_fake_oplocks(int );
13641-bool lp_recursive_veto_delete(int );
13642-bool lp_dos_filemode(int );
13643-bool lp_dos_filetimes(int );
13644-bool lp_dos_filetime_resolution(int );
13645-bool lp_fake_dir_create_times(int);
13646-bool lp_async_smb_echo_handler(void);
13647-bool lp_multicast_dns_register(void);
13648-bool lp_blocking_locks(int );
13649-bool lp_inherit_perms(int );
13650-bool lp_inherit_acls(int );
13651-bool lp_inherit_owner(int );
13652-bool lp_use_client_driver(int );
13653-bool lp_default_devmode(int );
13654-bool lp_force_printername(int );
13655-bool lp_nt_acl_support(int );
13656-bool lp_force_unknown_acl_user(int );
13657-bool lp_ea_support(int );
13658-bool lp__use_sendfile(int );
13659-bool lp_profile_acls(int );
13660-bool lp_map_acl_inherit(int );
13661-bool lp_afs_share(int );
13662-bool lp_acl_check_permissions(int );
13663-bool lp_acl_group_control(int );
13664-bool lp_acl_map_full_control(int );
13665-bool lp_acl_allow_execute_always(int);
13666-bool lp_durable_handles(int);
13667-int lp_create_mask(int );
13668-int lp_force_create_mode(int );
13669-int lp_dir_mask(int );
13670-int lp_force_dir_mode(int );
13671-int lp_max_connections(int );
13672-int lp_defaultcase(int );
13673-int lp_minprintspace(int );
13674-int lp_printing(int );
13675-int lp_max_reported_jobs(int );
13676-int lp_oplock_contention_limit(int );
13677-int lp_csc_policy(int );
13678-int lp_write_cache_size(int );
13679-int lp_block_size(int );
13680-int lp_dfree_cache_time(int );
13681-int lp_allocation_roundup_size(int );
13682-int lp_aio_read_size(int );
13683-int lp_aio_write_size(int );
13684-int lp_map_readonly(int );
13685-int lp_directory_name_cache_size(int );
13686-int lp_smb_encrypt(int );
13687-char lp_magicchar(const struct share_params *p );
13688-int lp_winbind_cache_time(void);
13689-int lp_winbind_reconnect_delay(void);
13690-int lp_winbind_request_timeout(void);
13691-int lp_winbind_max_clients(void);
13692-const char **lp_winbind_nss_info(void);
13693-int lp_algorithmic_rid_base(void);
13694-int lp_name_cache_timeout(void);
13695-int lp_client_signing(void);
13696-int lp_server_signing(void);
13697-int lp_client_ldap_sasl_wrapping(void);
13698+
13699 char *lp_parm_talloc_string(TALLOC_CTX *ctx, int snum, const char *type, const char *option, const char *def);
13700 const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def);
13701 struct loadparm_service;
13702--
137031.9.3
13704
13705
13706From 5d2278756b5a7372106cbdf9b8d66fb8a0cf5033 Mon Sep 17 00:00:00 2001
13707From: Andrew Bartlett <abartlet@samba.org>
13708Date: Wed, 16 Oct 2013 14:45:31 +1300
13709Subject: [PATCH 121/249] lib/param: Add documentation on how loadparm works
13710
13711Signed-off-by: Andrew Bartlett <abartlet@samba.org>
13712Reviewed-by: Stefan Metzmacher <metze@samba.org>
13713Reviewed-by: Volker Lendecke <vl@samba.org>
13714---
13715 lib/param/README | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
13716 1 file changed, 69 insertions(+)
13717
13718diff --git a/lib/param/README b/lib/param/README
13719index 403a217..b567d71 100644
13720--- a/lib/param/README
13721+++ b/lib/param/README
13722@@ -1,4 +1,73 @@
13723+libsamba-hostconfig
13724+-------------------
13725+
13726 This directory contains "libsamba-hostconfig".
13727
13728 The libsamba-hostconfig library provides access to all host-wide configuration
13729 such as the configured shares, default parameter values and host secret keys.
13730+
13731+
13732+Adding a parameter
13733+------------------
13734+
13735+To add or change an smb.conf option, you only have to modify
13736+lib/param/param_table.c and lib/param/param_functions.c. The rest is
13737+generated for you.
13738+
13739+
13740+Using smb.conf parameters in the code
13741+-------------------------------------
13742+
13743+Call the lpcfg_*() function. To get the lp_ctx, have the caller pass
13744+it to you. To get a lp_ctx for the source3/param loadparm system, use:
13745+
13746+struct loadparm_context *lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_helpers());
13747+
13748+Remember to talloc_unlink(tmp_ctx, lp_ctx) the result when you are done!
13749+
13750+To get a lp_ctx for the lib/param loadparm system, typically the
13751+pointer is already set up by popt at startup, and is passed down from
13752+cmdline_lp_ctx.
13753+
13754+In pure source3/ code, you may use lp_*() functions, but are
13755+encouraged to use the lpcfg_*() functions so that code can be made
13756+common.
13757+
13758+
13759+How does loadparm_init_s3() work?
13760+---------------------------------
13761+
13762+loadparm_s3_helpers() returns a initialised table of function
13763+pointers, pointing at all global lp_*() functions, except for those
13764+that return substituted strings (% macros). The lpcfg_*() function
13765+then calls this plugged in function, allowing the one function and
13766+pattern to use either loadparm system.
13767+
13768+
13769+There is a lot of generated code, here, what generates what?
13770+------------------------------------------------------------
13771+
13772+The regular format of the CPP macros in param_functions.c is used to
13773+generate up the prototypes (mkproto.pl, mks3param_proto.pl), the service
13774+and globals table (mkparamdefs.pl), the glue table (mmks3param.pl) and
13775+the initilisation of the glue table (mks3param_ctx_table.pl).
13776+
13777+I have tried combining some of these, but it just makes the scripts more
13778+complex.
13779+
13780+The CPP macros are defined in and expand in lib/param/loadparm.c and
13781+source3/param/loadparm.c to read the values from the generated
13782+stuctures. They are CPP #included into these files so that the same
13783+macro has two definitions, depending on the system it is loading into.
13784+
13785+
13786+Why was this done, rather than a 'proper' fix, or just using one system or the other?
13787+-------------------------------------------------------------------------------------
13788+
13789+This was done to allow merging from both ends - merging more parts of
13790+the loadparm handling, and merging code that needs to read the
13791+smb.conf, without having to do it all at once. Ideally
13792+param_functions.c would be generated from param_table.c or (even
13793+better) our XML manpage source, and the CPP macros would instead be
13794+generated expanded as generated C files, but this is a task nobody has
13795+taken on yet.
13796--
137971.9.3
13798
13799
13800From 7734a867500f5b7415f818077229f74486101c51 Mon Sep 17 00:00:00 2001
13801From: Stefan Metzmacher <metze@samba.org>
13802Date: Mon, 12 Aug 2013 08:19:08 +0200
13803Subject: [PATCH 122/249] librpc/rpc: add dcerpc_binding_handle_auth_info()
13804
13805Signed-off-by: Stefan Metzmacher <metze@samba.org>
13806---
13807 librpc/rpc/binding_handle.c | 25 +++++++++++++++++++++++++
13808 librpc/rpc/rpc_common.h | 8 ++++++++
13809 2 files changed, 33 insertions(+)
13810
13811diff --git a/librpc/rpc/binding_handle.c b/librpc/rpc/binding_handle.c
13812index 9354bbd..714baa7 100644
13813--- a/librpc/rpc/binding_handle.c
13814+++ b/librpc/rpc/binding_handle.c
13815@@ -98,6 +98,31 @@ uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h,
13816 return h->ops->set_timeout(h, timeout);
13817 }
13818
13819+void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h,
13820+ enum dcerpc_AuthType *auth_type,
13821+ enum dcerpc_AuthLevel *auth_level)
13822+{
13823+ enum dcerpc_AuthType _auth_type;
13824+ enum dcerpc_AuthLevel _auth_level;
13825+
13826+ if (auth_type == NULL) {
13827+ auth_type = &_auth_type;
13828+ }
13829+
13830+ if (auth_level == NULL) {
13831+ auth_level = &_auth_level;
13832+ }
13833+
13834+ *auth_type = DCERPC_AUTH_TYPE_NONE;
13835+ *auth_level = DCERPC_AUTH_LEVEL_NONE;
13836+
13837+ if (h->ops->auth_info == NULL) {
13838+ return;
13839+ }
13840+
13841+ h->ops->auth_info(h, auth_type, auth_level);
13842+}
13843+
13844 struct dcerpc_binding_handle_raw_call_state {
13845 const struct dcerpc_binding_handle_ops *ops;
13846 uint8_t *out_data;
13847diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
13848index d2816f5..978229e 100644
13849--- a/librpc/rpc/rpc_common.h
13850+++ b/librpc/rpc/rpc_common.h
13851@@ -189,6 +189,10 @@ struct dcerpc_binding_handle_ops {
13852 uint32_t (*set_timeout)(struct dcerpc_binding_handle *h,
13853 uint32_t timeout);
13854
13855+ void (*auth_info)(struct dcerpc_binding_handle *h,
13856+ enum dcerpc_AuthType *auth_type,
13857+ enum dcerpc_AuthLevel *auth_level);
13858+
13859 struct tevent_req *(*raw_call_send)(TALLOC_CTX *mem_ctx,
13860 struct tevent_context *ev,
13861 struct dcerpc_binding_handle *h,
13862@@ -259,6 +263,10 @@ bool dcerpc_binding_handle_is_connected(struct dcerpc_binding_handle *h);
13863 uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h,
13864 uint32_t timeout);
13865
13866+void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h,
13867+ enum dcerpc_AuthType *auth_type,
13868+ enum dcerpc_AuthLevel *auth_level);
13869+
13870 struct tevent_req *dcerpc_binding_handle_raw_call_send(TALLOC_CTX *mem_ctx,
13871 struct tevent_context *ev,
13872 struct dcerpc_binding_handle *h,
13873--
138741.9.3
13875
13876
13877From 04a9531474630c62c3f717e251d9f1469013f5ae Mon Sep 17 00:00:00 2001
13878From: Stefan Metzmacher <metze@samba.org>
13879Date: Mon, 12 Aug 2013 08:19:35 +0200
13880Subject: [PATCH 123/249] s3:rpc_client: implement
13881 dcerpc_binding_handle_auth_info()
13882
13883Signed-off-by: Stefan Metzmacher <metze@samba.org>
13884---
13885 source3/rpc_client/cli_pipe.c | 20 ++++++++++++++++++++
13886 1 file changed, 20 insertions(+)
13887
13888diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
13889index 64e7f1c..a343997 100644
13890--- a/source3/rpc_client/cli_pipe.c
13891+++ b/source3/rpc_client/cli_pipe.c
13892@@ -1867,6 +1867,25 @@ static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
13893 return rpccli_set_timeout(hs->rpc_cli, timeout);
13894 }
13895
13896+static void rpccli_bh_auth_info(struct dcerpc_binding_handle *h,
13897+ enum dcerpc_AuthType *auth_type,
13898+ enum dcerpc_AuthLevel *auth_level)
13899+{
13900+ struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
13901+ struct rpccli_bh_state);
13902+
13903+ if (hs->rpc_cli == NULL) {
13904+ return;
13905+ }
13906+
13907+ if (hs->rpc_cli->auth == NULL) {
13908+ return;
13909+ }
13910+
13911+ *auth_type = hs->rpc_cli->auth->auth_type;
13912+ *auth_level = hs->rpc_cli->auth->auth_level;
13913+}
13914+
13915 struct rpccli_bh_raw_call_state {
13916 DATA_BLOB in_data;
13917 DATA_BLOB out_data;
13918@@ -2046,6 +2065,7 @@ static const struct dcerpc_binding_handle_ops rpccli_bh_ops = {
13919 .name = "rpccli",
13920 .is_connected = rpccli_bh_is_connected,
13921 .set_timeout = rpccli_bh_set_timeout,
13922+ .auth_info = rpccli_bh_auth_info,
13923 .raw_call_send = rpccli_bh_raw_call_send,
13924 .raw_call_recv = rpccli_bh_raw_call_recv,
13925 .disconnect_send = rpccli_bh_disconnect_send,
13926--
139271.9.3
13928
13929
13930From 1db891bac30bb6c3bb0a022c5d1529a9f001237d Mon Sep 17 00:00:00 2001
13931From: Stefan Metzmacher <metze@samba.org>
13932Date: Mon, 12 Aug 2013 08:19:57 +0200
13933Subject: [PATCH 124/249] s4:librpc: implement
13934 dcerpc_binding_handle_auth_info()
13935
13936Signed-off-by: Stefan Metzmacher <metze@samba.org>
13937---
13938 source4/librpc/rpc/dcerpc.c | 24 ++++++++++++++++++++++++
13939 1 file changed, 24 insertions(+)
13940
13941diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
13942index 2826160..56b821e 100644
13943--- a/source4/librpc/rpc/dcerpc.c
13944+++ b/source4/librpc/rpc/dcerpc.c
13945@@ -200,6 +200,29 @@ static uint32_t dcerpc_bh_set_timeout(struct dcerpc_binding_handle *h,
13946 return old;
13947 }
13948
13949+static void dcerpc_bh_auth_info(struct dcerpc_binding_handle *h,
13950+ enum dcerpc_AuthType *auth_type,
13951+ enum dcerpc_AuthLevel *auth_level)
13952+{
13953+ struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
13954+ struct dcerpc_bh_state);
13955+
13956+ if (hs->p == NULL) {
13957+ return;
13958+ }
13959+
13960+ if (hs->p->conn == NULL) {
13961+ return;
13962+ }
13963+
13964+ if (hs->p->conn->security_state.auth_info == NULL) {
13965+ return;
13966+ }
13967+
13968+ *auth_type = hs->p->conn->security_state.auth_info->auth_type;
13969+ *auth_level = hs->p->conn->security_state.auth_info->auth_level;
13970+}
13971+
13972 struct dcerpc_bh_raw_call_state {
13973 struct tevent_context *ev;
13974 struct dcerpc_binding_handle *h;
13975@@ -552,6 +575,7 @@ static const struct dcerpc_binding_handle_ops dcerpc_bh_ops = {
13976 .name = "dcerpc",
13977 .is_connected = dcerpc_bh_is_connected,
13978 .set_timeout = dcerpc_bh_set_timeout,
13979+ .auth_info = dcerpc_bh_auth_info,
13980 .raw_call_send = dcerpc_bh_raw_call_send,
13981 .raw_call_recv = dcerpc_bh_raw_call_recv,
13982 .disconnect_send = dcerpc_bh_disconnect_send,
13983--
139841.9.3
13985
13986
13987From 76304ed57d561eb89dceb3881236a78209dd592c Mon Sep 17 00:00:00 2001
13988From: Stefan Metzmacher <metze@samba.org>
13989Date: Tue, 17 Sep 2013 04:25:39 +0200
13990Subject: [PATCH 125/249] s3:winbindd: don't hide the error in cm_connect_lsa()
13991
13992We should not overwrite the error with NT_STATUS_PIPE_NOT_AVAILABLE.
13993
13994Signed-off-by: Stefan Metzmacher <metze@samba.org>
13995---
13996 source3/winbindd/winbindd_cm.c | 1 -
13997 1 file changed, 1 deletion(-)
13998
13999diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
14000index d868826..c4f59d3 100644
14001--- a/source3/winbindd/winbindd_cm.c
14002+++ b/source3/winbindd/winbindd_cm.c
14003@@ -2677,7 +2677,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
14004 &ndr_table_lsarpc,
14005 &conn->lsa_pipe);
14006 if (!NT_STATUS_IS_OK(result)) {
14007- result = NT_STATUS_PIPE_NOT_AVAILABLE;
14008 goto done;
14009 }
14010
14011--
140121.9.3
14013
14014
14015From 9948366e88b1d11127317008c79a2f7182a34d65 Mon Sep 17 00:00:00 2001
14016From: Stefan Metzmacher <metze@samba.org>
14017Date: Mon, 2 Sep 2013 09:24:42 +0200
14018Subject: [PATCH 126/249] s3:include: add forward declaration for struct
14019 messaging_context; in g_lock.h
14020
14021Signed-off-by: Stefan Metzmacher <metze@samba.org>
14022---
14023 source3/include/g_lock.h | 1 +
14024 1 file changed, 1 insertion(+)
14025
14026diff --git a/source3/include/g_lock.h b/source3/include/g_lock.h
14027index 004c452..f513349 100644
14028--- a/source3/include/g_lock.h
14029+++ b/source3/include/g_lock.h
14030@@ -23,6 +23,7 @@
14031 #include "dbwrap/dbwrap.h"
14032
14033 struct g_lock_ctx;
14034+struct messaging_context;
14035
14036 enum g_lock_type {
14037 G_LOCK_READ = 0,
14038--
140391.9.3
14040
14041
14042From 4c30267e3c26cb065b908ff396ca21937fc870c4 Mon Sep 17 00:00:00 2001
14043From: Stefan Metzmacher <metze@samba.org>
14044Date: Mon, 2 Sep 2013 19:29:05 +0200
14045Subject: [PATCH 127/249] s3:include: fix messaging_send_buf() protype in
14046 messages.h
14047
14048The function already used 'uint8_t' instead of 'uint8'.
14049
14050Signed-off-by: Stefan Metzmacher <metze@samba.org>
14051---
14052 source3/include/messages.h | 2 +-
14053 1 file changed, 1 insertion(+), 1 deletion(-)
14054
14055diff --git a/source3/include/messages.h b/source3/include/messages.h
14056index 09c39cc..50b2a84 100644
14057--- a/source3/include/messages.h
14058+++ b/source3/include/messages.h
14059@@ -139,7 +139,7 @@ NTSTATUS messaging_send(struct messaging_context *msg_ctx,
14060
14061 NTSTATUS messaging_send_buf(struct messaging_context *msg_ctx,
14062 struct server_id server, uint32_t msg_type,
14063- const uint8 *buf, size_t len);
14064+ const uint8_t *buf, size_t len);
14065 void messaging_dispatch_rec(struct messaging_context *msg_ctx,
14066 struct messaging_rec *rec);
14067
14068--
140691.9.3
14070
14071
14072From ff45e4d1ca6cff9b2f329d18e98ebd4883639ed9 Mon Sep 17 00:00:00 2001
14073From: Stefan Metzmacher <metze@samba.org>
14074Date: Tue, 27 Aug 2013 12:09:51 +0200
14075Subject: [PATCH 128/249] s3:auth_domain: remove dead code in
14076 check_trustdomain_security()
14077
14078Signed-off-by: Stefan Metzmacher <metze@samba.org>
14079---
14080 source3/auth/auth_domain.c | 22 ----------------------
14081 1 file changed, 22 deletions(-)
14082
14083diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
14084index 06078e2..9f88c4a 100644
14085--- a/source3/auth/auth_domain.c
14086+++ b/source3/auth/auth_domain.c
14087@@ -378,8 +378,6 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
14088 struct auth_serversupplied_info **server_info)
14089 {
14090 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
14091- unsigned char trust_md4_password[16];
14092- char *trust_password;
14093 fstring dc_name;
14094 struct sockaddr_storage dc_ss;
14095
14096@@ -408,26 +406,6 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
14097 if ( !is_trusted_domain( user_info->mapped.domain_name ) )
14098 return NT_STATUS_NOT_IMPLEMENTED;
14099
14100- /*
14101- * Get the trusted account password for the trusted domain
14102- * No need to become_root() as secrets_init() is done at startup.
14103- */
14104-
14105- if (!pdb_get_trusteddom_pw(user_info->mapped.domain_name, &trust_password,
14106- NULL, NULL)) {
14107- DEBUG(0, ("check_trustdomain_security: could not fetch trust "
14108- "account password for domain %s\n",
14109- user_info->mapped.domain_name));
14110- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
14111- }
14112-
14113-#ifdef DEBUG_PASSWORD
14114- DEBUG(100, ("Trust password for domain %s is %s\n", user_info->mapped.domain_name,
14115- trust_password));
14116-#endif
14117- E_md4hash(trust_password, trust_md4_password);
14118- SAFE_FREE(trust_password);
14119-
14120 /* use get_dc_name() for consistency even through we know that it will be
14121 a netbios name */
14122
14123--
141241.9.3
14125
14126
14127From d9160b0834f74508b711eeec0354aa43d5a1b215 Mon Sep 17 00:00:00 2001
14128From: Stefan Metzmacher <metze@samba.org>
14129Date: Mon, 2 Sep 2013 20:18:39 +0200
14130Subject: [PATCH 129/249] s3:libsmb: remove unused
14131 change_trust_account_password()
14132
14133Signed-off-by: Stefan Metzmacher <metze@samba.org>
14134---
14135 source3/include/proto.h | 1 -
14136 source3/libsmb/trusts_util.c | 72 --------------------------------------------
14137 2 files changed, 73 deletions(-)
14138
14139diff --git a/source3/include/proto.h b/source3/include/proto.h
14140index 5e068d2..a40d3c1 100644
14141--- a/source3/include/proto.h
14142+++ b/source3/include/proto.h
14143@@ -989,7 +989,6 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
14144 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
14145 TALLOC_CTX *mem_ctx,
14146 const char *domain) ;
14147-NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine);
14148
14149 /* The following definitions come from param/loadparm.c */
14150
14151diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
14152index 6156ba0..8a0e53d 100644
14153--- a/source3/libsmb/trusts_util.c
14154+++ b/source3/libsmb/trusts_util.c
14155@@ -135,75 +135,3 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
14156 sec_channel_type);
14157 }
14158
14159-NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine)
14160-{
14161- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
14162- struct sockaddr_storage pdc_ss;
14163- fstring dc_name;
14164- struct cli_state *cli = NULL;
14165- struct rpc_pipe_client *netlogon_pipe = NULL;
14166-
14167- DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
14168- domain));
14169-
14170- if (remote_machine == NULL || !strcmp(remote_machine, "*")) {
14171- /* Use the PDC *only* for this */
14172-
14173- if ( !get_pdc_ip(domain, &pdc_ss) ) {
14174- DEBUG(0,("Can't get IP for PDC for domain %s\n", domain));
14175- goto failed;
14176- }
14177-
14178- if ( !name_status_find( domain, 0x1b, 0x20, &pdc_ss, dc_name) )
14179- goto failed;
14180- } else {
14181- /* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */
14182- fstrcpy( dc_name, remote_machine );
14183- }
14184-
14185- /* if this next call fails, then give up. We can't do
14186- password changes on BDC's --jerry */
14187-
14188- if (!NT_STATUS_IS_OK(cli_full_connection(&cli, lp_netbios_name(), dc_name,
14189- NULL, 0,
14190- "IPC$", "IPC",
14191- "", "",
14192- "", 0, SMB_SIGNING_DEFAULT))) {
14193- DEBUG(0,("modify_trust_password: Connection to %s failed!\n", dc_name));
14194- nt_status = NT_STATUS_UNSUCCESSFUL;
14195- goto failed;
14196- }
14197-
14198- /*
14199- * Ok - we have an anonymous connection to the IPC$ share.
14200- * Now start the NT Domain stuff :-).
14201- */
14202-
14203- /* Shouldn't we open this with schannel ? JRA. */
14204-
14205- nt_status = cli_rpc_pipe_open_noauth(
14206- cli, &ndr_table_netlogon, &netlogon_pipe);
14207- if (!NT_STATUS_IS_OK(nt_status)) {
14208- DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
14209- dc_name, nt_errstr(nt_status)));
14210- cli_shutdown(cli);
14211- cli = NULL;
14212- goto failed;
14213- }
14214-
14215- nt_status = trust_pw_find_change_and_store_it(
14216- netlogon_pipe, netlogon_pipe, domain);
14217-
14218- cli_shutdown(cli);
14219- cli = NULL;
14220-
14221-failed:
14222- if (!NT_STATUS_IS_OK(nt_status)) {
14223- DEBUG(0,("%s : change_trust_account_password: Failed to change password for domain %s.\n",
14224- current_timestring(talloc_tos(), False), domain));
14225- }
14226- else
14227- DEBUG(5,("change_trust_account_password: sucess!\n"));
14228-
14229- return nt_status;
14230-}
14231--
142321.9.3
14233
14234
14235From c6b50a3d8c382f19a8ae16428d557928438be464 Mon Sep 17 00:00:00 2001
14236From: Stefan Metzmacher <metze@samba.org>
14237Date: Mon, 2 Sep 2013 20:19:28 +0200
14238Subject: [PATCH 130/249] s3:libsmb: inline trust_pw_change_and_store_it() into
14239 trust_pw_find_change_and_store_it()
14240
14241Signed-off-by: Stefan Metzmacher <metze@samba.org>
14242---
14243 source3/include/proto.h | 5 -----
14244 source3/libsmb/trusts_util.c | 50 +++++++++++++-------------------------------
14245 2 files changed, 15 insertions(+), 40 deletions(-)
14246
14247diff --git a/source3/include/proto.h b/source3/include/proto.h
14248index a40d3c1..216a377 100644
14249--- a/source3/include/proto.h
14250+++ b/source3/include/proto.h
14251@@ -981,11 +981,6 @@ void update_trustdom_cache( void );
14252
14253 /* The following definitions come from libsmb/trusts_util.c */
14254
14255-NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
14256- const char *domain,
14257- const char *account_name,
14258- unsigned char orig_trust_passwd_hash[16],
14259- enum netr_SchannelType sec_channel_type);
14260 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
14261 TALLOC_CTX *mem_ctx,
14262 const char *domain) ;
14263diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
14264index 8a0e53d..428e0c1 100644
14265--- a/source3/libsmb/trusts_util.c
14266+++ b/source3/libsmb/trusts_util.c
14267@@ -29,20 +29,27 @@
14268
14269 /*********************************************************
14270 Change the domain password on the PDC.
14271- Store the password ourselves, but use the supplied password
14272- Caller must have already setup the connection to the NETLOGON pipe
14273+ Do most of the legwork ourselfs. Caller must have
14274+ already setup the connection to the NETLOGON pipe
14275 **********************************************************/
14276
14277-NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
14278- const char *domain,
14279- const char *account_name,
14280- unsigned char orig_trust_passwd_hash[16],
14281- enum netr_SchannelType sec_channel_type)
14282+NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
14283+ TALLOC_CTX *mem_ctx,
14284+ const char *domain)
14285 {
14286+ unsigned char old_trust_passwd_hash[16];
14287 unsigned char new_trust_passwd_hash[16];
14288+ enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
14289+ const char *account_name;
14290 char *new_trust_passwd;
14291 NTSTATUS nt_status;
14292
14293+ if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
14294+ &sec_channel_type)) {
14295+ DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
14296+ return NT_STATUS_UNSUCCESSFUL;
14297+ }
14298+
14299 switch (sec_channel_type) {
14300 case SEC_CHAN_WKSTA:
14301 case SEC_CHAN_DOMAIN:
14302@@ -64,7 +71,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
14303
14304 nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
14305 account_name,
14306- orig_trust_passwd_hash,
14307+ old_trust_passwd_hash,
14308 new_trust_passwd,
14309 new_trust_passwd_hash,
14310 sec_channel_type);
14311@@ -108,30 +115,3 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
14312
14313 return nt_status;
14314 }
14315-
14316-/*********************************************************
14317- Change the domain password on the PDC.
14318- Do most of the legwork ourselfs. Caller must have
14319- already setup the connection to the NETLOGON pipe
14320-**********************************************************/
14321-
14322-NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
14323- TALLOC_CTX *mem_ctx,
14324- const char *domain)
14325-{
14326- unsigned char old_trust_passwd_hash[16];
14327- enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
14328- const char *account_name;
14329-
14330- if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
14331- &sec_channel_type)) {
14332- DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
14333- return NT_STATUS_UNSUCCESSFUL;
14334- }
14335-
14336- return trust_pw_change_and_store_it(cli, mem_ctx, domain,
14337- account_name,
14338- old_trust_passwd_hash,
14339- sec_channel_type);
14340-}
14341-
14342--
143431.9.3
14344
14345
14346From fdac5d6b0ed96f262830a3a923b9d2a42d7fd98d Mon Sep 17 00:00:00 2001
14347From: Stefan Metzmacher <metze@samba.org>
14348Date: Fri, 20 Sep 2013 04:14:00 +0200
14349Subject: [PATCH 131/249] s4:librpc: make dcerpc_schannel_key_send/recv static
14350
14351Signed-off-by: Stefan Metzmacher <metze@samba.org>
14352---
14353 source4/librpc/rpc/dcerpc_schannel.c | 4 ++--
14354 1 file changed, 2 insertions(+), 2 deletions(-)
14355
14356diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
14357index 130ebeb..cd62508 100644
14358--- a/source4/librpc/rpc/dcerpc_schannel.c
14359+++ b/source4/librpc/rpc/dcerpc_schannel.c
14360@@ -306,7 +306,7 @@ static void continue_srv_auth2(struct tevent_req *subreq)
14361 Initiate establishing a schannel key using netlogon challenge
14362 on a secondary pipe
14363 */
14364-struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
14365+static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
14366 struct dcerpc_pipe *p,
14367 struct cli_credentials *credentials,
14368 struct loadparm_context *lp_ctx)
14369@@ -369,7 +369,7 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
14370 /*
14371 Receive result of schannel key request
14372 */
14373-NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
14374+static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
14375 {
14376 NTSTATUS status = composite_wait(c);
14377
14378--
143791.9.3
14380
14381
14382From de42a3f8b1a69a5abd5fb1a95e1c5f80ee68430e Mon Sep 17 00:00:00 2001
14383From: Stefan Metzmacher <metze@samba.org>
14384Date: Fri, 20 Sep 2013 04:16:00 +0200
14385Subject: [PATCH 132/249] s4:librpc: let dcerpc_schannel_key_recv() return
14386 netlogon_creds_CredentialState
14387
14388cli_credentials_set_netlogon_creds() should only be used directly before
14389a DCERPC bind in order to pass the session information to the
14390gensec layer.
14391
14392Signed-off-by: Stefan Metzmacher <metze@samba.org>
14393---
14394 source4/librpc/rpc/dcerpc_schannel.c | 24 +++++++++++++++---------
14395 1 file changed, 15 insertions(+), 9 deletions(-)
14396
14397diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
14398index cd62508..c4bedfa 100644
14399--- a/source4/librpc/rpc/dcerpc_schannel.c
14400+++ b/source4/librpc/rpc/dcerpc_schannel.c
14401@@ -296,9 +296,6 @@ static void continue_srv_auth2(struct tevent_req *subreq)
14402 return;
14403 }
14404
14405- /* setup current netlogon credentials */
14406- cli_credentials_set_netlogon_creds(s->credentials, s->creds);
14407-
14408 composite_done(c);
14409 }
14410
14411@@ -369,10 +366,19 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
14412 /*
14413 Receive result of schannel key request
14414 */
14415-static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
14416+static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c,
14417+ TALLOC_CTX *mem_ctx,
14418+ struct netlogon_creds_CredentialState **creds)
14419 {
14420 NTSTATUS status = composite_wait(c);
14421-
14422+
14423+ if (NT_STATUS_IS_OK(status)) {
14424+ struct schannel_key_state *s =
14425+ talloc_get_type_abort(c->private_data,
14426+ struct schannel_key_state);
14427+ *creds = talloc_move(mem_ctx, &s->creds);
14428+ }
14429+
14430 talloc_free(c);
14431 return status;
14432 }
14433@@ -410,13 +416,15 @@ static void continue_schannel_key(struct composite_context *ctx)
14434 NTSTATUS status;
14435
14436 /* receive schannel key */
14437- status = c->status = dcerpc_schannel_key_recv(ctx);
14438+ status = c->status = dcerpc_schannel_key_recv(ctx, s, &s->creds_state);
14439 if (!composite_is_ok(c)) {
14440 DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
14441 return;
14442 }
14443
14444 /* send bind auth request with received creds */
14445+ cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
14446+
14447 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
14448 lpcfg_gensec_settings(c, s->lp_ctx),
14449 DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
14450@@ -447,9 +455,6 @@ static void continue_bind_auth(struct composite_context *ctx)
14451 &ndr_table_netlogon.syntax_id)) {
14452 ZERO_STRUCT(s->return_auth);
14453
14454- s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
14455- if (composite_nomem(s->creds_state, c)) return;
14456-
14457 s->save_creds_state = *s->creds_state;
14458 netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
14459
14460@@ -528,6 +533,7 @@ static void continue_get_capabilities(struct tevent_req *subreq)
14461 }
14462
14463 *s->creds_state = s->save_creds_state;
14464+ cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
14465
14466 if (!NT_STATUS_IS_OK(s->c.out.result)) {
14467 composite_error(c, s->c.out.result);
14468--
144691.9.3
14470
14471
14472From f6a6e4e91b676461dc8b6dd5abca4120d9bf920a Mon Sep 17 00:00:00 2001
14473From: Stefan Metzmacher <metze@samba.org>
14474Date: Fri, 20 Sep 2013 04:33:07 +0200
14475Subject: [PATCH 133/249] auth:credentials: avoid talloc_reference in
14476 cli_credentials_set_netlogon_creds()
14477
14478Typically cli_credentials_set_netlogon_creds() should be used directly
14479before the DCERPC bind. And cli_credentials_get_netlogon_creds()
14480should be only used by the gensec layer, which only needs a copy.
14481
14482Signed-off-by: Stefan Metzmacher <metze@samba.org>
14483---
14484 auth/credentials/credentials.c | 6 +++++-
14485 1 file changed, 5 insertions(+), 1 deletion(-)
14486
14487diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
14488index 57a7c0b..9ce38d0 100644
14489--- a/auth/credentials/credentials.c
14490+++ b/auth/credentials/credentials.c
14491@@ -814,7 +814,11 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
14492 _PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
14493 struct netlogon_creds_CredentialState *netlogon_creds)
14494 {
14495- cred->netlogon_creds = talloc_reference(cred, netlogon_creds);
14496+ TALLOC_FREE(cred->netlogon_creds);
14497+ if (netlogon_creds == NULL) {
14498+ return;
14499+ }
14500+ cred->netlogon_creds = netlogon_creds_copy(cred, netlogon_creds);
14501 }
14502
14503 /**
14504--
145051.9.3
14506
14507
14508From 14b9bb276a798ad71776ebcb698afeeb44aa173a Mon Sep 17 00:00:00 2001
14509From: Volker Lendecke <vl@samba.org>
14510Date: Sat, 9 Nov 2013 19:14:15 +0100
14511Subject: [PATCH 134/249] libsmb: Fix CID 1127343 Dead default in switch
14512
14513We have checked sec_channel_type a few lines above already
14514
14515Signed-off-by: Volker Lendecke <vl@samba.org>
14516Reviewed-by: Ira Cooper <ira@samba.org>
14517(cherry picked from commit 1cae867f72b79995a02eed96265fe9f69ce945da)
14518---
14519 source3/libsmb/trusts_util.c | 2 --
14520 1 file changed, 2 deletions(-)
14521
14522diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
14523index 428e0c1..52fb481 100644
14524--- a/source3/libsmb/trusts_util.c
14525+++ b/source3/libsmb/trusts_util.c
14526@@ -108,8 +108,6 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
14527 }
14528 break;
14529 }
14530- default:
14531- break;
14532 }
14533 }
14534
14535--
145361.9.3
14537
14538
14539From efb32bbe25d534f69aca03e0945220cb5049c366 Mon Sep 17 00:00:00 2001
14540From: Stefan Metzmacher <metze@samba.org>
14541Date: Fri, 29 Nov 2013 09:46:01 +0100
14542Subject: [PATCH 135/249] s3:rpc_server: use make_session_info_guest() directly
14543
14544This removes the useless static auth_anonymous_session_info() wrapper.
14545
14546auth_anonymous_session_info() is also a public function in source4.
14547
14548Signed-off-by: Stefan Metzmacher <metze@samba.org>
14549Reviewed-by: Andrew Bartlett <abartlet@samba.org>
14550(cherry picked from commit ae6720117ae5fb3c922486ce46e2b0d51e020301)
14551---
14552 source3/rpc_server/rpc_server.c | 22 ++++++----------------
14553 1 file changed, 6 insertions(+), 16 deletions(-)
14554
14555diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
14556index de54ddc..c3a7f28 100644
14557--- a/source3/rpc_server/rpc_server.c
14558+++ b/source3/rpc_server/rpc_server.c
14559@@ -37,19 +37,6 @@
14560 #define SERVER_TCP_LOW_PORT 1024
14561 #define SERVER_TCP_HIGH_PORT 1300
14562
14563-static NTSTATUS auth_anonymous_session_info(TALLOC_CTX *mem_ctx,
14564- struct auth_session_info **session_info)
14565-{
14566- NTSTATUS status;
14567-
14568- status = make_session_info_guest(mem_ctx, session_info);
14569- if (!NT_STATUS_IS_OK(status)) {
14570- return status;
14571- }
14572-
14573- return NT_STATUS_OK;
14574-}
14575-
14576 /* Creates a pipes_struct and initializes it with the information
14577 * sent from the client */
14578 static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
14579@@ -1067,11 +1054,14 @@ void dcerpc_ncacn_accept(struct tevent_context *ev_ctx,
14580 }
14581
14582 if (ncacn_conn->session_info == NULL) {
14583- status = auth_anonymous_session_info(ncacn_conn,
14584- &ncacn_conn->session_info);
14585+ /*
14586+ * TODO: use auth_anonymous_session_info() here?
14587+ */
14588+ status = make_session_info_guest(ncacn_conn,
14589+ &ncacn_conn->session_info);
14590 if (!NT_STATUS_IS_OK(status)) {
14591 DEBUG(2, ("Failed to create "
14592- "auth_anonymous_session_info - %s\n",
14593+ "make_session_info_guest - %s\n",
14594 nt_errstr(status)));
14595 talloc_free(ncacn_conn);
14596 return;
14597--
145981.9.3
14599
14600
14601From 215d591403e63b785308ff5d6b2e3c87ad9ee408 Mon Sep 17 00:00:00 2001
14602From: Garming Sam <garming@catalyst.net.nz>
14603Date: Fri, 29 Nov 2013 16:51:08 +1300
14604Subject: [PATCH 136/249] selftest: add new rpc client test
14605
14606Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
14607
14608Signed-off-by: Garming Sam <garming@catalyst.net.nz>
14609Signed-off-by: Andrew Bartlett <abartlet@samba.org>
14610Reviewed-by: Andrew Bartlett <abartlet@samba.org>
14611Reviewed-by: Stefan Metzmacher <metze@samba.org>
14612(cherry picked from commit 0e46205ff83d137ca486868e4376b258b6dfa1a2)
14613---
14614 source3/script/tests/test_rpcclient_samlogon.sh | 27 +++++++++++++++++++++++++
14615 source3/selftest/tests.py | 2 ++
14616 2 files changed, 29 insertions(+)
14617 create mode 100755 source3/script/tests/test_rpcclient_samlogon.sh
14618
14619diff --git a/source3/script/tests/test_rpcclient_samlogon.sh b/source3/script/tests/test_rpcclient_samlogon.sh
14620new file mode 100755
14621index 0000000..01af7f8
14622--- /dev/null
14623+++ b/source3/script/tests/test_rpcclient_samlogon.sh
14624@@ -0,0 +1,27 @@
14625+#!/bin/sh
14626+
14627+if [ $# -lt 3 ]; then
14628+cat <<EOF
14629+Usage: test_rpcclient_samlogon.sh USERNAME PASSWORD binding <rpcclient commands>
14630+EOF
14631+exit 1;
14632+fi
14633+
14634+USERNAME="$1"
14635+PASSWORD="$2"
14636+shift 2
14637+ADDARGS="$*"
14638+
14639+rpcclient_samlogon()
14640+{
14641+ $VALGRIND $BINDIR/rpcclient -U% -c "samlogon $USERNAME $PASSWORD;samlogon $USERNAME $PASSWORD" $@
14642+}
14643+
14644+
14645+incdir=`dirname $0`/../../../testprogs/blackbox
14646+. $incdir/subunit.sh
14647+testit "rpcclient dsenumdomtrusts" $VALGRIND $BINDIR/rpcclient $ADDARGS -U% -c "dsenumdomtrusts" || failed=`expr $failed + 1`
14648+testit "rpcclient getdcsitecoverage" $VALGRIND $BINDIR/rpcclient $ADDARGS -U% -c "getdcsitecoverage" || failed=`expr $failed + 1`
14649+testit "rpcclient samlogon" rpcclient_samlogon $ADDARGS || failed=`expr $failed +1`
14650+
14651+testok $0 $failed
14652diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
14653index 85d67d6..f9cc3d1 100755
14654--- a/source3/selftest/tests.py
14655+++ b/source3/selftest/tests.py
14656@@ -394,6 +394,8 @@ for s in signseal_options:
14657 plantestsuite("samba3.blackbox.rpcclient krb5 ncacn_np with [%s%s%s] " % (a, s, e), "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient.sh"),
14658 "$PREFIX/ktest/krb5_ccache-3", binding_string, "-k", configuration])
14659
14660+plantestsuite("samba3.blackbox.rpcclient_samlogon", "s3member:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient_samlogon.sh"),
14661+ "$DC_USERNAME", "$DC_PASSWORD", "ncacn_np:$DC_SERVER", configuration])
14662
14663 options_list = ["", "-e"]
14664 for options in options_list:
14665--
146661.9.3
14667
14668
14669From 05251d449931c29a0bb0c0b8ad194253dc5b66cb Mon Sep 17 00:00:00 2001
14670From: Stefan Metzmacher <metze@samba.org>
14671Date: Fri, 29 Nov 2013 08:45:38 +0100
14672Subject: [PATCH 137/249] s3:rpcclient: close the connection if setting up the
14673 netlogon secure channel fails
14674
14675This is based on a patch from Garming Sam <garming@catalyst.net.nz>.
14676
14677Signed-off-by: Stefan Metzmacher <metze@samba.org>
14678Reviewed-by: Andrew Bartlett <abartlet@samba.org>
14679(cherry picked from commit 2fae806550f3355298541a344b217bf810bf92e4)
14680---
14681 source3/rpcclient/rpcclient.c | 5 +++++
14682 1 file changed, 5 insertions(+)
14683
14684diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
14685index cb7b70f..0cbec20 100644
14686--- a/source3/rpcclient/rpcclient.c
14687+++ b/source3/rpcclient/rpcclient.c
14688@@ -768,6 +768,10 @@ static NTSTATUS do_cmd(struct cli_state *cli,
14689 trust_password, &machine_account,
14690 &sec_channel_type))
14691 {
14692+ DEBUG(0, ("Failed to fetch trust password for %s to connect to %s.\n",
14693+ get_cmdline_auth_info_domain(auth_info),
14694+ cmd_entry->table->name));
14695+ TALLOC_FREE(cmd_entry->rpc_pipe);
14696 talloc_free(mem_ctx);
14697 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
14698 }
14699@@ -784,6 +788,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
14700 if (!NT_STATUS_IS_OK(ntresult)) {
14701 DEBUG(0, ("Could not initialise credentials for %s.\n",
14702 cmd_entry->table->name));
14703+ TALLOC_FREE(cmd_entry->rpc_pipe);
14704 talloc_free(mem_ctx);
14705 return ntresult;
14706 }
14707--
147081.9.3
14709
14710
14711From 8d3336b9a61a185a4194313fec338321fed6b151 Mon Sep 17 00:00:00 2001
14712From: Garming Sam <garming@catalyst.net.nz>
14713Date: Mon, 2 Dec 2013 13:20:39 +1300
14714Subject: [PATCH 138/249] selftest: add new credential change test
14715
14716Signed-off-by: Garming Sam <garming@catalyst.net.nz>
14717Reviewed-by: Stefan Metzmacher <metze@samba.org>
14718Reviewed-by: Andrew Bartlett <abartlet@samba.org>
14719(cherry picked from commit 48820b95285f7dffd827143ba56f432f3e283a6f)
14720---
14721 source3/script/tests/test_net_cred_change.sh | 16 ++++++++++++++++
14722 source3/selftest/tests.py | 3 +++
14723 2 files changed, 19 insertions(+)
14724 create mode 100755 source3/script/tests/test_net_cred_change.sh
14725
14726diff --git a/source3/script/tests/test_net_cred_change.sh b/source3/script/tests/test_net_cred_change.sh
14727new file mode 100755
14728index 0000000..9013d07
14729--- /dev/null
14730+++ b/source3/script/tests/test_net_cred_change.sh
14731@@ -0,0 +1,16 @@
14732+#!/bin/sh
14733+
14734+if [ $# -lt 1 ]; then
14735+cat <<EOF
14736+Usage: test_net_cred_change.sh CONFIGURATION
14737+EOF
14738+exit 1;
14739+fi
14740+
14741+incdir=`dirname $0`/../../../testprogs/blackbox
14742+. $incdir/subunit.sh
14743+testit "first change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1`
14744+testit "first join" $VALGRIND $BINDIR/net rpc testjoin $@ || failed =`expr $failed + 1`
14745+testit "second change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1`
14746+
14747+testok $0 $failed
14748diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
14749index f9cc3d1..aac1bbb 100755
14750--- a/source3/selftest/tests.py
14751+++ b/source3/selftest/tests.py
14752@@ -165,6 +165,9 @@ for env in ["s3dc", "member", "s3member"]:
14753
14754 plantestsuite("samba3.ntlm_auth.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_s3.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', configuration])
14755
14756+for env in ["member", "s3member"]:
14757+ plantestsuite("samba3.blackbox.net_cred_change.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_net_cred_change.sh"), configuration])
14758+
14759 env = "s3member"
14760 t = "--krb5auth=$DOMAIN\\\\$DC_USERNAME%$DC_PASSWORD"
14761 plantestsuite("samba3.wbinfo_s3.(%s:local).%s" % (env, t), "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_wbinfo_s3.sh"), t])
14762--
147631.9.3
14764
14765
14766From 4b97cece12602437f3a2c9a395f5ed62cc00c0c4 Mon Sep 17 00:00:00 2001
14767From: Garming Sam <garming@catalyst.net.nz>
14768Date: Mon, 23 Dec 2013 17:12:39 +1300
14769Subject: [PATCH 139/249] selftest: add rodc and other env tests for wbinfo
14770
14771Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
14772Signed-off-by: Garming Sam <garming@catalyst.net.nz>
14773Reviewed-by: Stefan Metzmacher <metze@samba.org>
14774
14775Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
14776Autobuild-Date(master): Mon Dec 23 17:17:39 CET 2013 on sn-devel-104
14777(cherry picked from commit 819e1f561df5074ae21db77c6558b34f4b0e1351)
14778---
14779 source4/selftest/tests.py | 4 ++--
14780 1 file changed, 2 insertions(+), 2 deletions(-)
14781
14782diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
14783index e738d1d9..c3a33c7 100755
14784--- a/source4/selftest/tests.py
14785+++ b/source4/selftest/tests.py
14786@@ -309,8 +309,8 @@ plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir,
14787 plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
14788 plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
14789 plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
14790-plantestsuite("samba4.blackbox.wbinfo(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "dc"])
14791-plantestsuite("samba4.blackbox.wbinfo(s4member:local)", "s4member:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', "s4member"])
14792+for env in ["dc", "s4member", "rodc", "promoted_dc"]:
14793+ plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
14794 plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
14795 plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
14796 plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
14797--
147981.9.3
14799
14800
14801From 689deff949e8ce9b6aa900e7b0c714d5a025d516 Mon Sep 17 00:00:00 2001
14802From: Stefan Metzmacher <metze@samba.org>
14803Date: Tue, 17 Dec 2013 19:35:37 +0100
14804Subject: [PATCH 140/249] libcli/auth: set the return_authenticator->timestamp
14805 = 0
14806
14807This is what windows returns, the value is ignored by the client anyway.
14808
14809Signed-off-by: Stefan Metzmacher <metze@samba.org>
14810Reviewed-by: Andrew Bartlett <abartlet@samba.org>
14811(cherry picked from commit 202bcf9096e53d94b294936d6144ae77f1536b72)
14812---
14813 libcli/auth/credentials.c | 2 +-
14814 1 file changed, 1 insertion(+), 1 deletion(-)
14815
14816diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
14817index 1f664d3..197db86 100644
14818--- a/libcli/auth/credentials.c
14819+++ b/libcli/auth/credentials.c
14820@@ -479,7 +479,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
14821 netlogon_creds_step(creds);
14822 if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
14823 return_authenticator->cred = creds->server;
14824- return_authenticator->timestamp = creds->sequence;
14825+ return_authenticator->timestamp = 0;
14826 return NT_STATUS_OK;
14827 } else {
14828 ZERO_STRUCTP(return_authenticator);
14829--
148301.9.3
14831
14832
14833From fe8a979787c9528bb3b403272be3dc6a313bbebd Mon Sep 17 00:00:00 2001
14834From: Stefan Metzmacher <metze@samba.org>
14835Date: Tue, 17 Dec 2013 19:40:15 +0100
14836Subject: [PATCH 141/249] libcli/auth: remove bogus comment regarding replay
14837 attacks
14838
14839creds->sequence (timestamp) is the value that is used to increment the internal
14840state, it's not a real sequence number. The sequence comes
14841from adding all timestamps of the whole session.
14842
14843Signed-off-by: Stefan Metzmacher <metze@samba.org>
14844Reviewed-by: Andrew Bartlett <abartlet@samba.org>
14845(cherry picked from commit 636daac3b7b08ccb8845dab060157918d296ef67)
14846---
14847 libcli/auth/credentials.c | 2 --
14848 1 file changed, 2 deletions(-)
14849
14850diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
14851index 197db86..afb4a04 100644
14852--- a/libcli/auth/credentials.c
14853+++ b/libcli/auth/credentials.c
14854@@ -473,8 +473,6 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
14855 return NT_STATUS_ACCESS_DENIED;
14856 }
14857
14858- /* TODO: this may allow the a replay attack on a non-signed
14859- connection. Should we check that this is increasing? */
14860 creds->sequence = received_authenticator->timestamp;
14861 netlogon_creds_step(creds);
14862 if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
14863--
148641.9.3
14865
14866
14867From 1f6a52bb1f756be05e28dc9e16725ac73b005d00 Mon Sep 17 00:00:00 2001
14868From: Stefan Metzmacher <metze@samba.org>
14869Date: Tue, 17 Dec 2013 19:55:12 +0100
14870Subject: [PATCH 142/249] libcli/auth: try to use the current timestamp
14871 creds->sequence
14872
14873If the last usage of netlogon_creds_client_authenticator()
14874is in the past try to use the current timestamp and increment
14875more than just 2.
14876
14877If we use netlogon_creds_client_authenticator() a lot within a
14878second, we increment keep incrementing by 2.
14879
14880Signed-off-by: Stefan Metzmacher <metze@samba.org>
14881Reviewed-by: Andrew Bartlett <abartlet@samba.org>
14882
14883Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
14884Autobuild-Date(master): Tue Dec 24 13:18:18 CET 2013 on sn-devel-104
14885(cherry picked from commit e6afeae69537f55ed187b28b60ad29b9e237ec6e)
14886---
14887 libcli/auth/credentials.c | 22 ++++++++++++++++++++++
14888 1 file changed, 22 insertions(+)
14889
14890diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
14891index afb4a04..f52538a 100644
14892--- a/libcli/auth/credentials.c
14893+++ b/libcli/auth/credentials.c
14894@@ -344,7 +344,29 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA
14895 void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
14896 struct netr_Authenticator *next)
14897 {
14898+ uint32_t t32n = (uint32_t)time(NULL);
14899+
14900+ /*
14901+ * we always increment and ignore an overflow here
14902+ */
14903 creds->sequence += 2;
14904+
14905+ if (t32n > creds->sequence) {
14906+ /*
14907+ * we may increment more
14908+ */
14909+ creds->sequence = t32n;
14910+ } else {
14911+ uint32_t d = creds->sequence - t32n;
14912+
14913+ if (d >= INT32_MAX) {
14914+ /*
14915+ * got an overflow of time_t vs. uint32_t
14916+ */
14917+ creds->sequence = t32n;
14918+ }
14919+ }
14920+
14921 netlogon_creds_step(creds);
14922
14923 next->cred = creds->client;
14924--
149251.9.3
14926
14927
14928From 1cc32f5bf176a6daba93603a5b9aa4fc4fe42479 Mon Sep 17 00:00:00 2001
14929From: Stefan Metzmacher <metze@samba.org>
14930Date: Fri, 3 Jan 2014 12:56:38 +0100
14931Subject: [PATCH 143/249] s4:selftest: run wbinfo tests at the end...
14932
14933This avoids flakey crashes in the promoted_dc environment.
14934
14935See the examples below, we had up to 50% of the daily build failing...
14936
14937Signed-off-by: Stefan Metzmacher <metze@samba.org>
14938Reviewed-by: Andrew Bartlett <abartlet@samba.org>
14939
14940https://git.samba.org/autobuild.flakey/2013-12-23-1942/samba.stdout
14941
14942 [1586/1594 in 1h39m20s] samba4.drs.fsmo.python(promoted_dc)
14943 Testing for schema role transfer from localdc.samba.example.com to PROMOTEDVDC.samba.example.com
14944 FSMO transfer of 'schema' role successful
14945 Testing for schema role transfer from PROMOTEDVDC.samba.example.com to localdc.samba.example.com
14946 ERROR: Failed to initiate transfer of 'schema' role: LDAP error 52 LDAP_UNAVAILABLE - <Failed FSMO transfer: WERR_DS_DRA_INTERNAL_ERROR> <>
14947 UNEXPECTED(failure): samba4.drs.fsmo.python(promoted_dc).fsmo.DrsFsmoTestCase.test_SchemaMasterTransfer(promoted_dc)
14948 REASON: _StringException: _StringException: Content-Type: text/x-traceback;charset=utf8,language=python
14949 traceback
14950 380
14951
14952https://git.samba.org/autobuild.flakey/2013-12-24-1546/samba.stdout
14953
14954 [1583/1594 in 1h36m4s] samba.tests.blackbox.samba_tool_drs
14955 ERROR: Testsuite[samba.tests.blackbox.samba_tool_drs]
14956 REASON: unable to set up environment promoted_dc - exiting
14957
14958https://git.samba.org/autobuild.flakey/2013-12-24-1546/samba.stderr
14959
14960 Unable to convert 1.2.840.86419.1.5.9939 to an attid, and can_change_pfm=false!
14961 Unable to convert governsID on CN=test-class30318,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com to DRS object - WERR_NOT_FOUND
14962 ../source4/rpc_server/drsuapi/getncchanges.c:1646: DsGetNCChanges 2nd replication on different DN CN=Configuration,DC=samba,DC=example,DC=com CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com (last_dn CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com)
14963 ===============================================================
14964 INTERNAL ERROR: Signal 11 in pid 884274 (4.2.0pre1-DEVELOPERBUILD)
14965 Please read the Trouble-Shooting section of the Samba HOWTO
14966 ===============================================================
14967 smb_panic(): calling panic action [/memdisk/autobuild/fl/b302436/samba/selftest/gdb_backtrace 884274]
14968 [Thread debugging using libthread_db enabled]
14969 0x00002af6b5c1977e in __libc_waitpid (pid=<value optimized out>,
14970 stat_loc=0x7fff67c7709c, options=<value optimized out>)
14971 at ../sysdeps/unix/sysv/linux/waitpid.c:32
14972 32 ../sysdeps/unix/sysv/linux/waitpid.c: No such file or directory.
14973 in ../sysdeps/unix/sysv/linux/waitpid.c
14974 #0 0x00002af6b5c1977e in __libc_waitpid (pid=<value optimized out>,
14975 stat_loc=0x7fff67c7709c, options=<value optimized out>)
14976 at ../sysdeps/unix/sysv/linux/waitpid.c:32
14977 oldtype = <value optimized out>
14978 result = <value optimized out>
14979 #1 0x00002af6b5baeb39 in do_system (line=<value optimized out>)
14980 at ../sysdeps/posix/system.c:149
14981 __result = -512
14982 _buffer = {__routine = 0x2af6b5baee90 <cancel_handler>,
14983 __arg = 0x7fff67c77098, __canceltype = 0, __prev = 0x0}
14984 _avail = 1
14985 status = <value optimized out>
14986 save = <value optimized out>
14987 pid = 886733
14988 sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1},
14989 sa_mask = {__val = {65536, 0 <repeats 15 times>}}, sa_flags = 0,
14990 sa_restorer = 0x2af6b5b730f0}
14991 omask = {__val = {7808, 4294967295, 140734934511616, 1, 2195512, 0,
14992 0, 0, 47239032274944, 47239027992529, 140733193388033, 0, 0,
14993 47239099003120, 140734934511792, 47239558787328}}
14994 #2 0x00002af6b311821f in smb_panic_default (
14995 why=0x2af6b312a875 "internal error") at ../lib/util/fault.c:134
14996 result = 32767
14997 pidstr = "884274\000\000\001\375\376\320\366*\000\000\260\377\377\377"
14998 cmdstring = "/memdisk/autobuild/fl/b302436/samba/selftest/gdb_backtrace 884274\000\307g\377\177\000\000\001\000\000\000\000\000\000\000\320\301#", '\000' <repeats 30 times>"\240, \017\263\366*\000\000\321\247{\261\366*\000\000\001\000\000\000\005", '\000' <repeats 11 times>"\260, \016\v\321\366*\000\000X\351\017\263\366*\000\000\260q\307g\377\177\000\000\000\361\036\321\366*\000\000\020r\307g\377\177\000\000\240\301z\326\366*\000\000\000Z\304\320\366*\000"
14999 __FUNCTION__ = "smb_panic_default"
15000 #3 0x00002af6b31183b5 in smb_panic (why=0x2af6b312a875 "internal error")
15001 at ../lib/util/fault.c:162
15002 No locals.
15003 #4 0x00002af6b311809f in fault_report (sig=11) at ../lib/util/fault.c:77
15004 counter = 1
15005 __FUNCTION__ = "fault_report"
15006 #5 0x00002af6b31180b4 in sig_fault (sig=11) at ../lib/util/fault.c:88
15007 No locals.
15008 #6 <signal handler called>
15009 No symbol table info available.
15010 #7 0x00002af6cabef930 in replmd_check_urgent_objectclass (
15011 objectclass_el=0x0, situation=REPL_URGENT_ON_UPDATE)
15012 at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:205
15013 i = 2
15014 j = 0
15015 #8 0x00002af6cabf29b6 in replmd_update_rpmd (module=0x2af6b17f2c20,
15016 schema=0x2af6d05e5570, req=0x2af6d05e8ad0, rename_attrs=0x0,
15017 msg=0x2af6d11ef100, seq_num=0x2af6d0c315b8, t=1387895162,
15018 is_urgent=0x7fff67c778bf, rodc=0x7fff67c778be)
15019 at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1432
15020 omd_value = 0x7fff67c77810
15021 ndr_err = 3508465920
15022 omd = {version = 1741125552, reserved = 32767, ctr = {ctr1 = {
15023 count = 3008684740, reserved = 10998, array = 0x7fff67c777b0}}}
15024 i = 10998
15025 now = 130323687620000000
15026 our_invocation_id = 0x2af6d1796390
15027 ret = 0
15028 attrs = 0x7fff67c77750
15029 attrs1 = {0x2af6cabff775 "replPropertyMetaData", 0x2af6cabffc8b "*",
15030 0x0}
15031 attrs2 = {0x2af6cabff76a "uSNChanged", 0x2af6cabffa98 "objectClass",
15032 0x2af6cabffc8d "instanceType", 0x0}
15033 res = 0x2af6d10b0eb0
15034 ldb = 0x2af6b17f2470
15035 objectclass_el = 0x0
15036 situation = REPL_URGENT_ON_UPDATE
15037 rmd_is_provided = false
15038 __FUNCTION__ = "replmd_update_rpmd"
15039 #9 0x00002af6cabf5a06 in replmd_modify (module=0x2af6b17f2c20,
15040 req=0x2af6d05e8ad0)
15041 at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:2455
15042 msds_intid_struct = 0x2af6d05e8ad0
15043 ldb = 0x2af6b17f2470
15044 ac = 0x2af6d0c31580
15045 down_req = 0x2af6d0e6a100
15046 msg = 0x2af6d11ef100
15047 t = 1387895162
15048 ret = 1741125936
15049 is_urgent = false
15050 rodc = false
15051 functional_level = 3
15052 guid_blob = 0x0
15053 sd_propagation_control = 0x0
15054 #10 0x00002af6bf69f94d in dsdb_module_modify (module=0x2af6b17f2c20,
15055 message=0x2af6d1183fe0, dsdb_flags=4194304, parent=0x2af6ce6ea980)
15056 at ../source4/dsdb/samdb/ldb_modules/util.c:460
15057 ops = 0x2af6cae06b40
15058 mod_req = 0x2af6d05e8ad0
15059 ret = 0
15060 ldb = 0x2af6b17f2470
15061 tmp_ctx = 0x2af6d0ed62f0
15062 res = 0x2af6d0e6a100
15063 __FUNCTION__ = "dsdb_module_modify"
15064 #11 0x00002af6cabf7ebc in replmd_delete_internals (module=0x2af6b17f2c20,
15065 req=0x2af6ce6ea980, re_delete=true)
15066 at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3309
15067 ret = 0
15068 retb = true
15069 disallow_move_on_delete = false
15070 old_dn = 0x2af6d6a2a010
15071 new_dn = 0x2af6d0794a90
15072 rdn_name = 0x2af6d0885c10 "CN"
15073 rdn_value = 0x2af6d10d7368
15074 new_rdn_value = 0x2af6d0c45a00
15075 guid = {time_low = 48, time_mid = 0, time_hi_and_version = 0,
15076 clock_seq = "\200\251", node = "n\316\366*\000"}
15077 ldb = 0x2af6b17f2470
15078 schema = 0x2af6d05e5570
15079 msg = 0x2af6d1183fe0
15080 old_msg = 0x2af6d1902800
15081 el = 0x2af6d0874900
15082 tmp_ctx = 0x2af6d0b77560
15083 res = 0x2af6d0d57980
15084 parent_res = 0x30
15085 preserved_attrs = {0x2af6cac00fe1 "nTSecurityDescriptor",
15086 0x2af6cac055c3 "attributeID", 0x2af6cac055cf "attributeSyntax",
15087 0x2af6cac055df "dNReferenceUpdate", 0x2af6cac055f1 "dNSHostName",
15088 0x2af6cac055fd "flatName", 0x2af6cac05606 "governsID",
15089 0x2af6cac05610 "groupType", 0x2af6cabffc8d "instanceType",
15090 0x2af6cac0561a "lDAPDisplayName",
15091 0x2af6cac0562a "legacyExchangeDN", 0x2af6cabfe94d "isDeleted",
15092 0x2af6cabfe957 "isRecycled", 0x2af6cac020f8 "lastKnownParent",
15093 0x2af6cac021e8 "msDS-LastKnownRDN",
15094 0x2af6cac0563b "mS-DS-CreatorSID", 0x2af6cac0564c "mSMQOwnerID",
15095 0x2af6cac05658 "nCName", 0x2af6cabffa98 "objectClass",
15096 0x2af6cac0565f "distinguishedName", 0x2af6cabff5b5 "objectGUID",
15097 0x2af6cac05671 "objectSid", 0x2af6cac0567b "oMSyntax",
15098 0x2af6cac05684 "proxiedObjectName", 0x2af6cac014d8 "name",
15099 0x2af6cabff775 "replPropertyMetaData",
15100 0x2af6cac05696 "sAMAccountName",
15101 0x2af6cac056a5 "securityIdentifier", 0x2af6cac056b8 "sIDHistory",
15102 0x2af6cac056c3 "subClassOf", 0x2af6cac01ba8 "systemFlags",
15103 0x2af6cac056ce "trustPartner", 0x2af6cac056db "trustDirection",
15104 0x2af6cac056ea "trustType", 0x2af6cac056f4 "trustAttributes",
15105 0x2af6cabfe9b8 "userAccountControl", 0x2af6cabff76a "uSNChanged",
15106 0x2af6cabff75f "uSNCreated", 0x2af6cabff747 "whenCreated",
15107 0x2af6cabff753 "whenChanged", 0x0}
15108 i = 12
15109 el_count = 1
15110 deletion_state = OBJECT_TOMBSTONE
15111 next_deletion_state = OBJECT_TOMBSTONE
15112 __FUNCTION__ = "replmd_delete_internals"
15113 #12 0x00002af6cabfbbe3 in replmd_replicated_apply_isDeleted (
15114 ar=0x2af6d74c0b40)
15115 at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4718
15116 del_req = 0x2af6ce6ea980
15117 res = 0x2af6d0cdebf0
15118 tmp_ctx = 0x2af6d0949230
15119 deleted_objects_dn = 0x2af6d1a49f00
15120 msg = 0x2af6d0a39620
15121 ret = 0
15122 #13 0x00002af6cabf0766 in replmd_op_callback (req=0x2af6d05a21e0,
15123 ares=0x2af6d0d715c0)
15124 at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:526
15125 ret = 10998
15126 ac = 0x2af6d74c0b40
15127 replmd_private = 0x2af6b188c7c0
15128 modified_partition = 0x2af6d141b670
15129 partition_ctrl = 0x2af6d1905f40
15130 partition = 0x2af6ce6bdbe0
15131 controls = 0x0
15132 __FUNCTION__ = "replmd_op_callback"
15133 #14 0x00002af6b1df7ca2 in ldb_module_done (req=0x2af6d05a21e0,
15134 ctrls=0x2af6d1629aa0, response=0x0, error=0)
15135 at ../lib/ldb/common/ldb_modules.c:832
15136 ares = 0x2af6d0d715c0
15137 #15 0x00002af6cabf896b in replmd_op_possible_conflict_callback (
15138 req=0x2af6d05a21e0, ares=0x2af6b1883eb0,
15139 callback=0x2af6cabf0334 <replmd_op_callback>)
15140 at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3606
15141 conflict_dn = 0x2af6cac03470
15142 ar = 0x2af6d74c0b40
15143 res = 0x2af6b354f89b
15144 attrs = {0x2af6cabff775 "replPropertyMetaData",
15145 0x2af6cabff5b5 "objectGUID", 0x0}
15146 ret = -682882240
15147 omd_value = 0x7fff67c77e20
15148 omd = {version = 1741127104, reserved = 32767, ctr = {ctr1 = {
15149 count = 0, reserved = 0, array = 0x28}}}
15150 rmd = 0x2af6d74c0ae0
15151 ndr_err = 10998
15152 rename_incoming_record = false
15153 rodc = false
15154 rmd_name = 0x7fff67c77e10
15155 omd_name = 0x2af6d74c0b40
15156 msg = 0x2af6b1883e50
15157 __FUNCTION__ = "replmd_op_possible_conflict_callback"
15158 #16 0x00002af6cabf93fb in replmd_op_add_callback (req=0x2af6d05a21e0,
15159 ares=0x2af6b1883eb0)
15160 at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3802
15161 ar = 0x2af6d74c0b40
15162 #17 0x00002af6b1df7ca2 in ldb_module_done (req=0x2af6d05a21e0,
15163 ctrls=0x2af6d1629aa0, response=0x0, error=0)
15164 at ../lib/ldb/common/ldb_modules.c:832
15165 ares = 0x2af6b1883eb0
15166 #18 0x00002af6ca3c8b6a in partition_req_callback (req=0x2af6d087a1e0,
15167 ares=0x2af6d05a1fa0) at ../source4/dsdb/samdb/ldb_modules/partition.c:213
15168 ac = 0x2af6d0949370
15169 module = 0x2af6cd27bf12
15170 nreq = 0x2af6d05b67b0
15171 ret = 0
15172 partition_ctrl = 0x2af6d0d71740
15173 #19 0x00002af6cd2752ab in ltdb_request_done (ctx=0x2af6d1cd7ed0, error=0)
15174 at ../lib/ldb/ldb_tdb/ldb_tdb.c:1280
15175 ldb = 0x2af6b17f2470
15176 req = 0x2af6d087a1e0
15177 ares = 0x2af6d05a1fa0
15178 #20 0x00002af6cd275597 in ltdb_callback (ev=0x2af6b17ef8c0,
15179 te=0x2af6d17f75d0, t=..., private_data=0x2af6d1cd7ed0)
15180 at ../lib/ldb/ldb_tdb/ldb_tdb.c:1390
15181 ctx = 0x2af6d1cd7ed0
15182 ret = 0
15183 #21 0x00002af6b3343259 in tevent_common_loop_timer_delay (ev=0x2af6b17ef8c0)
15184 at ../lib/tevent/tevent_timed.c:341
15185 current_time = {tv_sec = 0, tv_usec = 0}
15186 te = 0x2af6d17f75d0
15187 #22 0x00002af6b334558a in epoll_event_loop_once (ev=0x2af6b17ef8c0,
15188 location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
15189 at ../lib/tevent/tevent_epoll.c:912
15190 epoll_ev = 0x2af6b17efb00
15191 tval = {tv_sec = 47239056876603, tv_usec = 47239028210096}
15192 panic_triggered = false
15193 #23 0x00002af6b3342363 in std_event_loop_once (ev=0x2af6b17ef8c0,
15194 location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
15195 at ../lib/tevent/tevent_standard.c:112
15196 glue_ptr = 0x2af6b17ef9b0
15197 glue = 0x2af6b17ef9b0
15198 ret = 10998
15199 #24 0x00002af6b333c799 in _tevent_loop_once (ev=0x2af6b17ef8c0,
15200 location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
15201 at ../lib/tevent/tevent.c:530
15202 ret = 0
15203 nesting_stack_ptr = 0x0
15204 #25 0x00002af6b1e154c4 in ldb_wait (handle=0x2af6d67624c0, type=LDB_WAIT_ALL)
15205 at ../lib/ldb/common/ldb.c:621
15206 ev = 0x2af6b17ef8c0
15207 ret = 0
15208 #26 0x00002af6b1e1786b in ldb_extended (ldb=0x2af6b17f2470,
15209 oid=0x2af6b4c4f9ce "1.3.6.1.4.1.7165.4.4.1", data=0x2af6d0e2bc60,
15210 _res=0x7fff67c78240) at ../lib/ldb/common/ldb.c:1506
15211 req = 0x2af6d0c45a00
15212 ret = 0
15213 res = 0x2af6d69238f0
15214 #27 0x00002af6b4c4a0d6 in dsdb_replicated_objects_commit (ldb=0x2af6b17f2470,
15215 working_schema=0x0, objects=0x2af6d0e2bc60, notify_uSN=0x2af6d14a65f0)
15216 at ../source4/dsdb/repl/replicated_objects.c:773
15217 werr = {w = 0}
15218 ext_res = 0x0
15219 cur_schema = 0x0
15220 new_schema = 0x0
15221 ret = 0
15222 seq_num1 = 5554
15223 seq_num2 = 47239626746464
15224 used_global_schema = false
15225 tmp_ctx = 0x2af6d03c5860
15226 __FUNCTION__ = "dsdb_replicated_objects_commit"
15227 #28 0x00002af6c1c6babb in dreplsrv_op_pull_source_apply_changes_trigger (
15228 req=0x2af6d17daed0, r=0x2af6d17db0d0, ctr_level=6, ctr1=0x0,
15229 ctr6=0x2af6d1b02bb0) at ../source4/dsdb/repl/drepl_out_helpers.c:717
15230 state = 0x2af6d17db050
15231 rf1 = {blobsize = 274, consecutive_sync_failures = 0,
15232 last_success = 130323684670000000,
15233 last_attempt = 130323687610000000, result_last_attempt = {w = 0},
15234 other_info = 0x2af6d0949910, other_info_length = 66,
15235 replica_flags = 112, schedule = '\021' <repeats 84 times>,
15236 reserved = 0, highwatermark = {tmp_highest_usn = 12398,
15237 reserved_usn = 0, highest_usn = 12398}, source_dsa_obj_guid = {
15238 time_low = 984092159, time_mid = 850,
15239 time_hi_and_version = 18870, clock_seq = "\251X",
15240 node = "UF\324\223\205\241"}, source_dsa_invocation_id = {
15241 time_low = 1460694408, time_mid = 52035,
15242 time_hi_and_version = 18738, clock_seq = "\204}",
15243 node = "\264\365\276\372\256\303"}, transport_guid = {
15244 time_low = 0, time_mid = 0, time_hi_and_version = 0,
15245 clock_seq = "\000", node = "\000\000\000\000\000"}}
15246 service = 0x2af6d0ff6b00
15247 partition = 0x2af6d0b6f220
15248 drsuapi = 0x2af6d1c8d480
15249 schema = 0x2af6d05e5570
15250 working_schema = 0x0
15251 mapping_ctr = 0x2af6d1b02c10
15252 object_count = 50
15253 first_object = 0x2af6d0571800
15254 linked_attributes_count = 0
15255 linked_attributes = 0x2af6d5212140
15256 uptodateness_vector = 0x2af6d1a741c0
15257 objects = 0x2af6d0e2bc60
15258 more_data = false
15259 status = {w = 0}
15260 nt_status = {v = 3006553120}
15261 dsdb_repl_flags = 0
15262 __FUNCTION__ = "dreplsrv_op_pull_source_apply_changes_trigger"
15263 #29 0x00002af6c1c6b3e7 in dreplsrv_op_pull_source_get_changes_done (
15264 subreq=0x0) at ../source4/dsdb/repl/drepl_out_helpers.c:599
15265 req = 0x2af6d17daed0
15266 state = 0x2af6d17db050
15267 status = {v = 0}
15268 r = 0x2af6d17db0d0
15269 ctr_level = 6
15270 ctr1 = 0x0
15271 ctr6 = 0x2af6d1b02bb0
15272 extended_ret = DRSUAPI_EXOP_ERR_NONE
15273 #30 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d1a73f70,
15274 location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
15275 at ../lib/tevent/tevent_req.c:102
15276 No locals.
15277 #31 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d1a73f70,
15278 state=TEVENT_REQ_DONE,
15279 location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
15280 at ../lib/tevent/tevent_req.c:117
15281 No locals.
15282 #32 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d1a73f70,
15283 location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
15284 at ../lib/tevent/tevent_req.c:123
15285 No locals.
15286 #33 0x00002af6c1c708df in dcerpc_drsuapi_DsGetNCChanges_r_done (
15287 subreq=0x2af6d122f4c0) at default/librpc/gen_ndr/ndr_drsuapi_c.c:712
15288 req = 0x2af6d1a73f70
15289 status = {v = 0}
15290 #34 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d122f4c0,
15291 location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
15292 at ../lib/tevent/tevent_req.c:102
15293 No locals.
15294 #35 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d122f4c0,
15295 state=TEVENT_REQ_DONE,
15296 location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
15297 at ../lib/tevent/tevent_req.c:117
15298 No locals.
15299 #36 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d122f4c0,
15300 location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
15301 at ../lib/tevent/tevent_req.c:123
15302 No locals.
15303 #37 0x00002af6b5757ede in dcerpc_binding_handle_call_done (subreq=0x0)
15304 at ../librpc/rpc/binding_handle.c:517
15305 req = 0x2af6d122f4c0
15306 state = 0x2af6d122f640
15307 h = 0x2af6d0959d10
15308 error = {v = 0}
15309 out_flags = 0
15310 ndr_err = NDR_ERR_SUCCESS
15311 #38 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d522f7a0,
15312 location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
15313 at ../lib/tevent/tevent_req.c:102
15314 No locals.
15315 #39 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d522f7a0,
15316 state=TEVENT_REQ_DONE,
15317 location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
15318 at ../lib/tevent/tevent_req.c:117
15319 No locals.
15320 #40 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d522f7a0,
15321 location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
15322 at ../lib/tevent/tevent_req.c:123
15323 No locals.
15324 #41 0x00002af6b5757398 in dcerpc_binding_handle_raw_call_done (subreq=0x0)
15325 at ../librpc/rpc/binding_handle.c:188
15326 req = 0x2af6d522f7a0
15327 state = 0x2af6d522f920
15328 error = {v = 0}
15329 #42 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d0712430,
15330 location=0x2af6b44b8810 "../source4/librpc/rpc/dcerpc.c:322")
15331 at ../lib/tevent/tevent_req.c:102
15332 No locals.
15333 #43 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d0712430,
15334 state=TEVENT_REQ_DONE,
15335 location=0x2af6b44b8810 "../source4/librpc/rpc/dcerpc.c:322")
15336 at ../lib/tevent/tevent_req.c:117
15337 No locals.
15338 #44 0x00002af6b333e472 in tevent_req_trigger (ev=0x2af6b17ef8c0,
15339 im=0x2af6d0712500, private_data=0x2af6d0712430)
15340 at ../lib/tevent/tevent_req.c:174
15341 req = 0x2af6d0712430
15342 #45 0x00002af6b333d6d4 in tevent_common_loop_immediate (ev=0x2af6b17ef8c0)
15343 at ../lib/tevent/tevent_immediate.c:135
15344 im = 0x2af6d0712500
15345 handler = 0x2af6b333e423 <tevent_req_trigger>
15346 private_data = 0x2af6d0712430
15347 #46 0x00002af6b3345570 in epoll_event_loop_once (ev=0x2af6b17ef8c0,
15348 location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
15349 at ../lib/tevent/tevent_epoll.c:907
15350 epoll_ev = 0x2af6b17efb00
15351 tval = {tv_sec = 47239056876603, tv_usec = 47239028210096}
15352 panic_triggered = false
15353 #47 0x00002af6b3342363 in std_event_loop_once (ev=0x2af6b17ef8c0,
15354 location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
15355 at ../lib/tevent/tevent_standard.c:112
15356 glue_ptr = 0x2af6b17ef9b0
15357 glue = 0x2af6b17ef9b0
15358 ret = 10998
15359 #48 0x00002af6b333c799 in _tevent_loop_once (ev=0x2af6b17ef8c0,
15360 location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
15361 at ../lib/tevent/tevent.c:530
15362 ret = 0
15363 nesting_stack_ptr = 0x0
15364 #49 0x00002af6b333ca11 in tevent_common_loop_wait (ev=0x2af6b17ef8c0,
15365 location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
15366 at ../lib/tevent/tevent.c:634
15367 ret = 0
15368 #50 0x00002af6b3342405 in std_event_loop_wait (ev=0x2af6b17ef8c0,
15369 location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
15370 at ../lib/tevent/tevent_standard.c:138
15371 glue_ptr = 0x2af6b17ef9b0
15372 glue = 0x2af6b17ef9b0
15373 ret = 10998
15374 #51 0x00002af6b333cadc in _tevent_loop_wait (ev=0x2af6b17ef8c0,
15375 location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
15376 at ../lib/tevent/tevent.c:653
15377 No locals.
15378 #52 0x00002af6b15a37bc in binary_smbd_main (
15379 binary_name=0x2af6b15a737b "samba", argc=6, argv=0x7fff67c78de8)
15380 at ../source4/smbd/server.c:503
15381 opt_daemon = false
15382 opt_interactive = true
15383 opt = -1
15384 pc = 0x2af6b17d5040
15385 static_init = {0x2af6b2ac7d8c <server_service_auth_init>,
15386 0x2af6b2aca9e7 <server_service_echo_init>, 0}
15387 shared_init = 0x2af6b18143b0
15388 event_ctx = 0x2af6b17ef8c0
15389 stdin_event_flags = 1
15390 status = {v = 0}
15391 model = 0x2af6b17d5b90 "single"
15392 max_runtime = 7500
15393
15394Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
15395Autobuild-Date(master): Mon Jan 6 01:16:13 CET 2014 on sn-devel-104
15396(cherry picked from commit 056008df62cb66090b3e30cb09c0edacfbdb5720)
15397---
15398 source4/selftest/tests.py | 6 ++++--
15399 1 file changed, 4 insertions(+), 2 deletions(-)
15400
15401diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
15402index c3a33c7..9567a8e 100755
15403--- a/source4/selftest/tests.py
15404+++ b/source4/selftest/tests.py
15405@@ -309,8 +309,6 @@ plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir,
15406 plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
15407 plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
15408 plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
15409-for env in ["dc", "s4member", "rodc", "promoted_dc"]:
15410- plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
15411 plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
15412 plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
15413 plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
15414@@ -502,6 +500,10 @@ for env in ['vampire_dc', 'promoted_dc']:
15415 extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
15416
15417 plantestsuite("samba4.blackbox.samba_tool_demote(%s)" % env, env, [os.path.join(samba4srcdir, "utils/tests/test_demote.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$DOMAIN', '$DC_SERVER', '$PREFIX/%s' % env, smbclient4])
15418+
15419+for env in ["dc", "s4member", "rodc", "promoted_dc"]:
15420+ plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
15421+
15422 # TODO: Verifying the databases really should be a part of the
15423 # environment teardown.
15424 # check the databases are all OK. PLEASE LEAVE THIS AS THE LAST TEST
15425--
154261.9.3
15427
15428
15429From 3e44e7485dbfea37cb84034c4d13c96059bd9687 Mon Sep 17 00:00:00 2001
15430From: Stefan Metzmacher <metze@samba.org>
15431Date: Fri, 3 Jan 2014 08:35:27 +0100
15432Subject: [PATCH 144/249] s4:librpc: always try to negotiate
15433 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
15434
15435If the gensec backend supports it there's no reason not sign the header.
15436
15437Signed-off-by: Stefan Metzmacher <metze@samba.org>
15438Reviewed-by: Andrew Bartlett <abartlet@samba.org>
15439(cherry picked from commit 7db1dc13b0149441a2beebca65b75f6e11af13a3)
15440---
15441 librpc/rpc/binding.c | 1 -
15442 librpc/rpc/rpc_common.h | 5 ++++-
15443 source4/librpc/rpc/dcerpc.c | 12 ++----------
15444 source4/librpc/rpc/dcerpc_auth.c | 14 ++++++++++----
15445 4 files changed, 16 insertions(+), 16 deletions(-)
15446
15447diff --git a/librpc/rpc/binding.c b/librpc/rpc/binding.c
15448index 49651e8..52122cf 100644
15449--- a/librpc/rpc/binding.c
15450+++ b/librpc/rpc/binding.c
15451@@ -88,7 +88,6 @@ static const struct {
15452 {"padcheck", DCERPC_DEBUG_PAD_CHECK},
15453 {"bigendian", DCERPC_PUSH_BIGENDIAN},
15454 {"smb2", DCERPC_SMB2},
15455- {"hdrsign", DCERPC_HEADER_SIGNING},
15456 {"ndr64", DCERPC_NDR64},
15457 {"localaddress", DCERPC_LOCALADDRESS}
15458 };
15459diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
15460index 978229e..93d3bb4 100644
15461--- a/librpc/rpc/rpc_common.h
15462+++ b/librpc/rpc/rpc_common.h
15463@@ -98,7 +98,7 @@ struct dcerpc_binding {
15464 /* this triggers the DCERPC_PFC_FLAG_CONC_MPX flag in the bind request */
15465 #define DCERPC_CONCURRENT_MULTIPLEX (1<<19)
15466
15467-/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
15468+/* this indicates DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag was negotiated */
15469 #define DCERPC_HEADER_SIGNING (1<<20)
15470
15471 /* use NDR64 transport */
15472@@ -113,6 +113,9 @@ struct dcerpc_binding {
15473 /* use aes schannel with hmac-sh256 session key */
15474 #define DCERPC_SCHANNEL_AES (1<<24)
15475
15476+/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
15477+#define DCERPC_PROPOSE_HEADER_SIGNING (1<<25)
15478+
15479 /* The following definitions come from ../librpc/rpc/dcerpc_error.c */
15480
15481 const char *dcerpc_errstr(TALLOC_CTX *mem_ctx, uint32_t fault_code);
15482diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
15483index 56b821e..2f6c8dd 100644
15484--- a/source4/librpc/rpc/dcerpc.c
15485+++ b/source4/librpc/rpc/dcerpc.c
15486@@ -1162,7 +1162,7 @@ struct tevent_req *dcerpc_bind_send(TALLOC_CTX *mem_ctx,
15487 pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
15488 }
15489
15490- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
15491+ if (p->conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) {
15492 pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
15493 }
15494
15495@@ -1304,7 +1304,7 @@ static void dcerpc_bind_recv_handler(struct rpc_request *subreq,
15496 conn->flags |= DCERPC_CONCURRENT_MULTIPLEX;
15497 }
15498
15499- if ((state->p->binding->flags & DCERPC_HEADER_SIGNING) &&
15500+ if ((conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) &&
15501 (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
15502 conn->flags |= DCERPC_HEADER_SIGNING;
15503 }
15504@@ -1352,10 +1352,6 @@ NTSTATUS dcerpc_auth3(struct dcerpc_pipe *p,
15505 pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
15506 }
15507
15508- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
15509- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
15510- }
15511-
15512 /* construct the NDR form of the packet */
15513 status = ncacn_push_auth(&blob, mem_ctx,
15514 &pkt,
15515@@ -2046,10 +2042,6 @@ struct tevent_req *dcerpc_alter_context_send(TALLOC_CTX *mem_ctx,
15516 pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
15517 }
15518
15519- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
15520- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
15521- }
15522-
15523 pkt.u.alter.max_xmit_frag = 5840;
15524 pkt.u.alter.max_recv_frag = 5840;
15525 pkt.u.alter.assoc_group_id = p->binding->assoc_group_id;
15526diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
15527index d5e5620..9a5d04d 100644
15528--- a/source4/librpc/rpc/dcerpc_auth.c
15529+++ b/source4/librpc/rpc/dcerpc_auth.c
15530@@ -173,10 +173,6 @@ static void bind_auth_next_step(struct composite_context *c)
15531
15532 if (!composite_is_ok(c)) return;
15533
15534- if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
15535- gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
15536- }
15537-
15538 if (state->credentials.length == 0) {
15539 composite_done(c);
15540 return;
15541@@ -234,6 +230,12 @@ static void bind_auth_recv_bindreply(struct tevent_req *subreq)
15542 TALLOC_FREE(subreq);
15543 if (!composite_is_ok(c)) return;
15544
15545+ if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
15546+ struct dcecli_security *sec = &state->pipe->conn->security_state;
15547+
15548+ gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
15549+ }
15550+
15551 if (!state->more_processing) {
15552 /* The first gensec_update has not requested a second run, so
15553 * we're done here. */
15554@@ -395,6 +397,10 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
15555
15556 sec->auth_info->credentials = state->credentials;
15557
15558+ if (gensec_have_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER)) {
15559+ state->pipe->conn->flags |= DCERPC_PROPOSE_HEADER_SIGNING;
15560+ }
15561+
15562 /* The first request always is a dcerpc_bind. The subsequent ones
15563 * depend on gensec results */
15564 subreq = dcerpc_bind_send(state, p->conn->event_ctx, p,
15565--
155661.9.3
15567
15568
15569From 6bdc135a63647fbbc31c7b2e673396231541641d Mon Sep 17 00:00:00 2001
15570From: Stefan Metzmacher <metze@samba.org>
15571Date: Fri, 3 Jan 2014 08:39:12 +0100
15572Subject: [PATCH 145/249] s4:rpc_server: support
15573 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN by default
15574
15575If the gensec backend supports it there's no reason to disable it.
15576
15577Signed-off-by: Stefan Metzmacher <metze@samba.org>
15578Reviewed-by: Andrew Bartlett <abartlet@samba.org>
15579(cherry picked from commit 661fe3cf890b91f8750872b0f5a09da536f76ae2)
15580---
15581 source4/rpc_server/dcerpc_server.c | 6 ------
15582 source4/rpc_server/dcesrv_auth.c | 37 ++++++++++++++++++++++++++++++++-----
15583 2 files changed, 32 insertions(+), 11 deletions(-)
15584
15585diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
15586index ad53685..3b35703 100644
15587--- a/source4/rpc_server/dcerpc_server.c
15588+++ b/source4/rpc_server/dcerpc_server.c
15589@@ -610,12 +610,6 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
15590 call->conn->cli_max_recv_frag = MIN(0x2000, call->pkt.u.bind.max_recv_frag);
15591 }
15592
15593- if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) &&
15594- lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", false)) {
15595- call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
15596- extra_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
15597- }
15598-
15599 /* handle any authentication that is being requested */
15600 if (!dcesrv_auth_bind(call)) {
15601 talloc_free(call->context);
15602diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
15603index c891cc6..152715b 100644
15604--- a/source4/rpc_server/dcesrv_auth.c
15605+++ b/source4/rpc_server/dcesrv_auth.c
15606@@ -92,10 +92,6 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
15607 return false;
15608 }
15609
15610- if (call->conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
15611- gensec_want_feature(auth->gensec_security, GENSEC_FEATURE_SIGN_PKT_HEADER);
15612- }
15613-
15614 return true;
15615 }
15616
15617@@ -107,11 +103,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
15618 {
15619 struct dcesrv_connection *dce_conn = call->conn;
15620 NTSTATUS status;
15621+ bool want_header_signing = false;
15622
15623 if (!call->conn->auth_state.gensec_security) {
15624 return NT_STATUS_OK;
15625 }
15626
15627+ if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
15628+ want_header_signing = true;
15629+ }
15630+
15631+ if (!lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", true)) {
15632+ want_header_signing = false;
15633+ }
15634+
15635 status = gensec_update(dce_conn->auth_state.gensec_security,
15636 call, call->event_ctx,
15637 dce_conn->auth_state.auth_info->credentials,
15638@@ -126,9 +131,17 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
15639 return status;
15640 }
15641
15642- if (dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
15643+ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
15644+ GENSEC_FEATURE_SIGN_PKT_HEADER))
15645+ {
15646+ want_header_signing = false;
15647+ }
15648+
15649+ if (want_header_signing) {
15650 gensec_want_feature(dce_conn->auth_state.gensec_security,
15651 GENSEC_FEATURE_SIGN_PKT_HEADER);
15652+ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
15653+ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
15654 }
15655
15656 /* Now that we are authenticated, go back to the generic session key... */
15657@@ -137,6 +150,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
15658 } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
15659 dce_conn->auth_state.auth_info->auth_pad_length = 0;
15660 dce_conn->auth_state.auth_info->auth_reserved = 0;
15661+
15662+ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
15663+ GENSEC_FEATURE_SIGN_PKT_HEADER))
15664+ {
15665+ want_header_signing = false;
15666+ }
15667+
15668+ if (want_header_signing) {
15669+ gensec_want_feature(dce_conn->auth_state.gensec_security,
15670+ GENSEC_FEATURE_SIGN_PKT_HEADER);
15671+ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
15672+ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
15673+ }
15674+
15675 return NT_STATUS_OK;
15676 } else {
15677 DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n",
15678--
156791.9.3
15680
15681
15682From 868676160bb3bcfb4145a5c4b47fbb513c0bfac4 Mon Sep 17 00:00:00 2001
15683From: Stefan Metzmacher <metze@samba.org>
15684Date: Tue, 31 Dec 2013 09:53:55 +0100
15685Subject: [PATCH 146/249] auth/ntlmssp: GENSEC_FEATURE_SIGN_PKT_HEADER is
15686 always supported
15687
15688Signed-off-by: Stefan Metzmacher <metze@samba.org>
15689Reviewed-by: Andrew Bartlett <abartlet@samba.org>
15690(cherry picked from commit 64fc015a85f9b5ed74f3dabe05dbdff185093278)
15691---
15692 auth/ntlmssp/gensec_ntlmssp.c | 4 ++++
15693 1 file changed, 4 insertions(+)
15694
15695diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c
15696index 654c0e3..5672589 100644
15697--- a/auth/ntlmssp/gensec_ntlmssp.c
15698+++ b/auth/ntlmssp/gensec_ntlmssp.c
15699@@ -102,6 +102,10 @@ bool gensec_ntlmssp_have_feature(struct gensec_security *gensec_security,
15700 return true;
15701 }
15702 }
15703+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
15704+ return true;
15705+ }
15706+
15707 return false;
15708 }
15709
15710--
157111.9.3
15712
15713
15714From e486316c74d3781413e66e451b51737fc194bdc2 Mon Sep 17 00:00:00 2001
15715From: Stefan Metzmacher <metze@samba.org>
15716Date: Tue, 31 Dec 2013 09:54:54 +0100
15717Subject: [PATCH 147/249] s4:auth/gensec_gssapi: handle
15718 GENSEC_FEATURE_SIGN_PKT_HEADER in have_feature()
15719
15720Signed-off-by: Stefan Metzmacher <metze@samba.org>
15721Reviewed-by: Andrew Bartlett <abartlet@samba.org>
15722(cherry picked from commit 14f6c41754960d73f46aca1bade2266b7e934d03)
15723---
15724 source4/auth/gensec/gensec_gssapi.c | 12 ++++++++++++
15725 1 file changed, 12 insertions(+)
15726
15727diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
15728index 63a53bf..ffdefcf 100644
15729--- a/source4/auth/gensec/gensec_gssapi.c
15730+++ b/source4/auth/gensec/gensec_gssapi.c
15731@@ -1275,6 +1275,18 @@ static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security,
15732 if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
15733 return true;
15734 }
15735+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
15736+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
15737+ /* TODO: implement this using gss_wrap_iov() */
15738+ return false;
15739+ }
15740+
15741+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
15742+ return true;
15743+ }
15744+
15745+ return false;
15746+ }
15747 return false;
15748 }
15749
15750--
157511.9.3
15752
15753
15754From fa8d0a7726240f8fc6648424d9724bcd65949bfd Mon Sep 17 00:00:00 2001
15755From: Stefan Metzmacher <metze@samba.org>
15756Date: Fri, 3 Jan 2014 15:30:46 +0100
15757Subject: [PATCH 148/249] s4:gensec_gssapi: make sure
15758 gensec_gssapi_[un]seal_packet() rejects header signing
15759
15760If header signing is requested we should error out instead of
15761silently ignoring it, our peer would hopefully reject it,
15762but we should also do that.
15763
15764TODO: we should implement header signing using gss_wrap_iov().
15765
15766Signed-off-by: Stefan Metzmacher <metze@samba.org>
15767Reviewed-by: Andrew Bartlett <abartlet@samba.org>
15768(cherry picked from commit 54b5b3067f5b7a0eb6dd9f1326c903f9fe4a5592)
15769---
15770 source4/auth/gensec/gensec_gssapi.c | 12 ++++++++++++
15771 1 file changed, 12 insertions(+)
15772
15773diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
15774index ffdefcf..b8f007d 100644
15775--- a/source4/auth/gensec/gensec_gssapi.c
15776+++ b/source4/auth/gensec/gensec_gssapi.c
15777@@ -1028,6 +1028,12 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
15778 int conf_state;
15779 ssize_t sig_length;
15780
15781+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
15782+ DEBUG(1, ("gensec_gssapi_seal_packet: "
15783+ "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
15784+ return NT_STATUS_ACCESS_DENIED;
15785+ }
15786+
15787 input_token.length = length;
15788 input_token.value = data;
15789
15790@@ -1082,6 +1088,12 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
15791
15792 dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
15793
15794+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
15795+ DEBUG(1, ("gensec_gssapi_unseal_packet: "
15796+ "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
15797+ return NT_STATUS_ACCESS_DENIED;
15798+ }
15799+
15800 in = data_blob_talloc(gensec_security, NULL, sig->length + length);
15801
15802 memcpy(in.data, sig->data, sig->length);
15803--
158041.9.3
15805
15806
15807From 2b1f62e3d99047e2981dcdd32c6820346917dc04 Mon Sep 17 00:00:00 2001
15808From: Stefan Metzmacher <metze@samba.org>
15809Date: Tue, 31 Dec 2013 09:42:36 +0100
15810Subject: [PATCH 149/249] auth/gensec: move libcli/auth/schannel_sign.c into
15811 schannel.c
15812
15813Signed-off-by: Stefan Metzmacher <metze@samba.org>
15814Reviewed-by: Andrew Bartlett <abartlet@samba.org>
15815(cherry picked from commit 616cd009955b1722e6749019e2c1cac8bbb94e52)
15816---
15817 auth/gensec/schannel.c | 380 ++++++++++++++++++++++++++++++++++++++++
15818 libcli/auth/schannel_proto.h | 14 --
15819 libcli/auth/schannel_sign.c | 404 -------------------------------------------
15820 libcli/auth/wscript_build | 2 +-
15821 4 files changed, 381 insertions(+), 419 deletions(-)
15822 delete mode 100644 libcli/auth/schannel_sign.c
15823
15824diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
15825index eb2e100..c60ab4f 100644
15826--- a/auth/gensec/schannel.c
15827+++ b/auth/gensec/schannel.c
15828@@ -31,6 +31,386 @@
15829 #include "librpc/gen_ndr/dcerpc.h"
15830 #include "param/param.h"
15831 #include "auth/gensec/gensec_toplevel_proto.h"
15832+#include "lib/crypto/crypto.h"
15833+
15834+struct schannel_state {
15835+ uint64_t seq_num;
15836+ bool initiator;
15837+ struct netlogon_creds_CredentialState *creds;
15838+};
15839+
15840+#define SETUP_SEQNUM(state, buf, initiator) do { \
15841+ uint8_t *_buf = buf; \
15842+ uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
15843+ uint32_t _seq_num_high = (state)->seq_num >> 32; \
15844+ if (initiator) { \
15845+ _seq_num_high |= 0x80000000; \
15846+ } \
15847+ RSIVAL(_buf, 0, _seq_num_low); \
15848+ RSIVAL(_buf, 4, _seq_num_high); \
15849+} while(0)
15850+
15851+static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
15852+ struct netlogon_creds_CredentialState *creds,
15853+ bool initiator)
15854+{
15855+ struct schannel_state *state;
15856+
15857+ state = talloc(mem_ctx, struct schannel_state);
15858+ if (state == NULL) {
15859+ return NULL;
15860+ }
15861+
15862+ state->initiator = initiator;
15863+ state->seq_num = 0;
15864+ state->creds = netlogon_creds_copy(state, creds);
15865+ if (state->creds == NULL) {
15866+ talloc_free(state);
15867+ return NULL;
15868+ }
15869+
15870+ return state;
15871+}
15872+
15873+static void netsec_offset_and_sizes(struct schannel_state *state,
15874+ bool do_seal,
15875+ uint32_t *_min_sig_size,
15876+ uint32_t *_used_sig_size,
15877+ uint32_t *_checksum_length,
15878+ uint32_t *_confounder_ofs)
15879+{
15880+ uint32_t min_sig_size;
15881+ uint32_t used_sig_size;
15882+ uint32_t checksum_length;
15883+ uint32_t confounder_ofs;
15884+
15885+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
15886+ min_sig_size = 48;
15887+ used_sig_size = 56;
15888+ /*
15889+ * Note: windows has a bug here and uses the old values...
15890+ *
15891+ * checksum_length = 32;
15892+ * confounder_ofs = 48;
15893+ */
15894+ checksum_length = 8;
15895+ confounder_ofs = 24;
15896+ } else {
15897+ min_sig_size = 24;
15898+ used_sig_size = 32;
15899+ checksum_length = 8;
15900+ confounder_ofs = 24;
15901+ }
15902+
15903+ if (do_seal) {
15904+ min_sig_size += 8;
15905+ }
15906+
15907+ if (_min_sig_size) {
15908+ *_min_sig_size = min_sig_size;
15909+ }
15910+
15911+ if (_used_sig_size) {
15912+ *_used_sig_size = used_sig_size;
15913+ }
15914+
15915+ if (_checksum_length) {
15916+ *_checksum_length = checksum_length;
15917+ }
15918+
15919+ if (_confounder_ofs) {
15920+ *_confounder_ofs = confounder_ofs;
15921+ }
15922+}
15923+
15924+/*******************************************************************
15925+ Encode or Decode the sequence number (which is symmetric)
15926+ ********************************************************************/
15927+static void netsec_do_seq_num(struct schannel_state *state,
15928+ const uint8_t *checksum,
15929+ uint32_t checksum_length,
15930+ uint8_t seq_num[8])
15931+{
15932+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
15933+ AES_KEY key;
15934+ uint8_t iv[AES_BLOCK_SIZE];
15935+
15936+ AES_set_encrypt_key(state->creds->session_key, 128, &key);
15937+ ZERO_STRUCT(iv);
15938+ memcpy(iv+0, checksum, 8);
15939+ memcpy(iv+8, checksum, 8);
15940+
15941+ aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
15942+ } else {
15943+ static const uint8_t zeros[4];
15944+ uint8_t sequence_key[16];
15945+ uint8_t digest1[16];
15946+
15947+ hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
15948+ hmac_md5(digest1, checksum, checksum_length, sequence_key);
15949+ arcfour_crypt(seq_num, sequence_key, 8);
15950+ }
15951+
15952+ state->seq_num++;
15953+}
15954+
15955+static void netsec_do_seal(struct schannel_state *state,
15956+ const uint8_t seq_num[8],
15957+ uint8_t confounder[8],
15958+ uint8_t *data, uint32_t length,
15959+ bool forward)
15960+{
15961+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
15962+ AES_KEY key;
15963+ uint8_t iv[AES_BLOCK_SIZE];
15964+ uint8_t sess_kf0[16];
15965+ int i;
15966+
15967+ for (i = 0; i < 16; i++) {
15968+ sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
15969+ }
15970+
15971+ AES_set_encrypt_key(sess_kf0, 128, &key);
15972+ ZERO_STRUCT(iv);
15973+ memcpy(iv+0, seq_num, 8);
15974+ memcpy(iv+8, seq_num, 8);
15975+
15976+ if (forward) {
15977+ aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
15978+ aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
15979+ } else {
15980+ aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
15981+ aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
15982+ }
15983+ } else {
15984+ uint8_t sealing_key[16];
15985+ static const uint8_t zeros[4];
15986+ uint8_t digest2[16];
15987+ uint8_t sess_kf0[16];
15988+ int i;
15989+
15990+ for (i = 0; i < 16; i++) {
15991+ sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
15992+ }
15993+
15994+ hmac_md5(sess_kf0, zeros, 4, digest2);
15995+ hmac_md5(digest2, seq_num, 8, sealing_key);
15996+
15997+ arcfour_crypt(confounder, sealing_key, 8);
15998+ arcfour_crypt(data, sealing_key, length);
15999+ }
16000+}
16001+
16002+/*******************************************************************
16003+ Create a digest over the entire packet (including the data), and
16004+ MD5 it with the session key.
16005+ ********************************************************************/
16006+static void netsec_do_sign(struct schannel_state *state,
16007+ const uint8_t *confounder,
16008+ const uint8_t *data, size_t length,
16009+ uint8_t header[8],
16010+ uint8_t *checksum)
16011+{
16012+ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
16013+ struct HMACSHA256Context ctx;
16014+
16015+ hmac_sha256_init(state->creds->session_key,
16016+ sizeof(state->creds->session_key),
16017+ &ctx);
16018+
16019+ if (confounder) {
16020+ SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
16021+ SSVAL(header, 2, NL_SEAL_AES128);
16022+ SSVAL(header, 4, 0xFFFF);
16023+ SSVAL(header, 6, 0x0000);
16024+
16025+ hmac_sha256_update(header, 8, &ctx);
16026+ hmac_sha256_update(confounder, 8, &ctx);
16027+ } else {
16028+ SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
16029+ SSVAL(header, 2, NL_SEAL_NONE);
16030+ SSVAL(header, 4, 0xFFFF);
16031+ SSVAL(header, 6, 0x0000);
16032+
16033+ hmac_sha256_update(header, 8, &ctx);
16034+ }
16035+
16036+ hmac_sha256_update(data, length, &ctx);
16037+
16038+ hmac_sha256_final(checksum, &ctx);
16039+ } else {
16040+ uint8_t packet_digest[16];
16041+ static const uint8_t zeros[4];
16042+ MD5_CTX ctx;
16043+
16044+ MD5Init(&ctx);
16045+ MD5Update(&ctx, zeros, 4);
16046+ if (confounder) {
16047+ SSVAL(header, 0, NL_SIGN_HMAC_MD5);
16048+ SSVAL(header, 2, NL_SEAL_RC4);
16049+ SSVAL(header, 4, 0xFFFF);
16050+ SSVAL(header, 6, 0x0000);
16051+
16052+ MD5Update(&ctx, header, 8);
16053+ MD5Update(&ctx, confounder, 8);
16054+ } else {
16055+ SSVAL(header, 0, NL_SIGN_HMAC_MD5);
16056+ SSVAL(header, 2, NL_SEAL_NONE);
16057+ SSVAL(header, 4, 0xFFFF);
16058+ SSVAL(header, 6, 0x0000);
16059+
16060+ MD5Update(&ctx, header, 8);
16061+ }
16062+ MD5Update(&ctx, data, length);
16063+ MD5Final(packet_digest, &ctx);
16064+
16065+ hmac_md5(state->creds->session_key,
16066+ packet_digest, sizeof(packet_digest),
16067+ checksum);
16068+ }
16069+}
16070+
16071+static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
16072+ bool do_unseal,
16073+ uint8_t *data, size_t length,
16074+ const DATA_BLOB *sig)
16075+{
16076+ uint32_t min_sig_size = 0;
16077+ uint8_t header[8];
16078+ uint8_t checksum[32];
16079+ uint32_t checksum_length = sizeof(checksum_length);
16080+ uint8_t _confounder[8];
16081+ uint8_t *confounder = NULL;
16082+ uint32_t confounder_ofs = 0;
16083+ uint8_t seq_num[8];
16084+ int ret;
16085+
16086+ netsec_offset_and_sizes(state,
16087+ do_unseal,
16088+ &min_sig_size,
16089+ NULL,
16090+ &checksum_length,
16091+ &confounder_ofs);
16092+
16093+ if (sig->length < min_sig_size) {
16094+ return NT_STATUS_ACCESS_DENIED;
16095+ }
16096+
16097+ if (do_unseal) {
16098+ confounder = _confounder;
16099+ memcpy(confounder, sig->data+confounder_ofs, 8);
16100+ } else {
16101+ confounder = NULL;
16102+ }
16103+
16104+ SETUP_SEQNUM(state, seq_num, !state->initiator);
16105+
16106+ if (do_unseal) {
16107+ netsec_do_seal(state, seq_num,
16108+ confounder,
16109+ data, length,
16110+ false);
16111+ }
16112+
16113+ netsec_do_sign(state, confounder,
16114+ data, length,
16115+ header, checksum);
16116+
16117+ ret = memcmp(checksum, sig->data+16, checksum_length);
16118+ if (ret != 0) {
16119+ dump_data_pw("calc digest:", checksum, checksum_length);
16120+ dump_data_pw("wire digest:", sig->data+16, checksum_length);
16121+ return NT_STATUS_ACCESS_DENIED;
16122+ }
16123+
16124+ netsec_do_seq_num(state, checksum, checksum_length, seq_num);
16125+
16126+ ret = memcmp(seq_num, sig->data+8, 8);
16127+ if (ret != 0) {
16128+ dump_data_pw("calc seq num:", seq_num, 8);
16129+ dump_data_pw("wire seq num:", sig->data+8, 8);
16130+ return NT_STATUS_ACCESS_DENIED;
16131+ }
16132+
16133+ return NT_STATUS_OK;
16134+}
16135+
16136+static uint32_t netsec_outgoing_sig_size(struct schannel_state *state)
16137+{
16138+ uint32_t sig_size = 0;
16139+
16140+ netsec_offset_and_sizes(state,
16141+ true,
16142+ NULL,
16143+ &sig_size,
16144+ NULL,
16145+ NULL);
16146+
16147+ return sig_size;
16148+}
16149+
16150+static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
16151+ TALLOC_CTX *mem_ctx,
16152+ bool do_seal,
16153+ uint8_t *data, size_t length,
16154+ DATA_BLOB *sig)
16155+{
16156+ uint32_t min_sig_size = 0;
16157+ uint32_t used_sig_size = 0;
16158+ uint8_t header[8];
16159+ uint8_t checksum[32];
16160+ uint32_t checksum_length = sizeof(checksum_length);
16161+ uint8_t _confounder[8];
16162+ uint8_t *confounder = NULL;
16163+ uint32_t confounder_ofs = 0;
16164+ uint8_t seq_num[8];
16165+
16166+ netsec_offset_and_sizes(state,
16167+ do_seal,
16168+ &min_sig_size,
16169+ &used_sig_size,
16170+ &checksum_length,
16171+ &confounder_ofs);
16172+
16173+ SETUP_SEQNUM(state, seq_num, state->initiator);
16174+
16175+ if (do_seal) {
16176+ confounder = _confounder;
16177+ generate_random_buffer(confounder, 8);
16178+ } else {
16179+ confounder = NULL;
16180+ }
16181+
16182+ netsec_do_sign(state, confounder,
16183+ data, length,
16184+ header, checksum);
16185+
16186+ if (do_seal) {
16187+ netsec_do_seal(state, seq_num,
16188+ confounder,
16189+ data, length,
16190+ true);
16191+ }
16192+
16193+ netsec_do_seq_num(state, checksum, checksum_length, seq_num);
16194+
16195+ (*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size);
16196+
16197+ memcpy(sig->data, header, 8);
16198+ memcpy(sig->data+8, seq_num, 8);
16199+ memcpy(sig->data+16, checksum, checksum_length);
16200+
16201+ if (confounder) {
16202+ memcpy(sig->data+confounder_ofs, confounder, 8);
16203+ }
16204+
16205+ dump_data_pw("signature:", sig->data+ 0, 8);
16206+ dump_data_pw("seq_num :", sig->data+ 8, 8);
16207+ dump_data_pw("digest :", sig->data+16, checksum_length);
16208+ dump_data_pw("confound :", sig->data+confounder_ofs, 8);
16209+
16210+ return NT_STATUS_OK;
16211+}
16212
16213 _PUBLIC_ NTSTATUS gensec_schannel_init(void);
16214
16215diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
16216index da76559..bce37c8 100644
16217--- a/libcli/auth/schannel_proto.h
16218+++ b/libcli/auth/schannel_proto.h
16219@@ -28,18 +28,4 @@ struct schannel_state;
16220 struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
16221 struct loadparm_context *lp_ctx);
16222
16223-struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
16224- struct netlogon_creds_CredentialState *creds,
16225- bool initiator);
16226-NTSTATUS netsec_incoming_packet(struct schannel_state *state,
16227- bool do_unseal,
16228- uint8_t *data, size_t length,
16229- const DATA_BLOB *sig);
16230-uint32_t netsec_outgoing_sig_size(struct schannel_state *state);
16231-NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
16232- TALLOC_CTX *mem_ctx,
16233- bool do_seal,
16234- uint8_t *data, size_t length,
16235- DATA_BLOB *sig);
16236-
16237 #endif
16238diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
16239deleted file mode 100644
16240index 9502cba..0000000
16241--- a/libcli/auth/schannel_sign.c
16242+++ /dev/null
16243@@ -1,404 +0,0 @@
16244-/*
16245- Unix SMB/CIFS implementation.
16246-
16247- schannel library code
16248-
16249- Copyright (C) Andrew Tridgell 2004
16250- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
16251-
16252- This program is free software; you can redistribute it and/or modify
16253- it under the terms of the GNU General Public License as published by
16254- the Free Software Foundation; either version 3 of the License, or
16255- (at your option) any later version.
16256-
16257- This program is distributed in the hope that it will be useful,
16258- but WITHOUT ANY WARRANTY; without even the implied warranty of
16259- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16260- GNU General Public License for more details.
16261-
16262- You should have received a copy of the GNU General Public License
16263- along with this program. If not, see <http://www.gnu.org/licenses/>.
16264-*/
16265-
16266-#include "includes.h"
16267-#include "../libcli/auth/schannel.h"
16268-#include "../lib/crypto/crypto.h"
16269-
16270-struct schannel_state {
16271- uint64_t seq_num;
16272- bool initiator;
16273- struct netlogon_creds_CredentialState *creds;
16274-};
16275-
16276-#define SETUP_SEQNUM(state, buf, initiator) do { \
16277- uint8_t *_buf = buf; \
16278- uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
16279- uint32_t _seq_num_high = (state)->seq_num >> 32; \
16280- if (initiator) { \
16281- _seq_num_high |= 0x80000000; \
16282- } \
16283- RSIVAL(_buf, 0, _seq_num_low); \
16284- RSIVAL(_buf, 4, _seq_num_high); \
16285-} while(0)
16286-
16287-struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
16288- struct netlogon_creds_CredentialState *creds,
16289- bool initiator)
16290-{
16291- struct schannel_state *state;
16292-
16293- state = talloc(mem_ctx, struct schannel_state);
16294- if (state == NULL) {
16295- return NULL;
16296- }
16297-
16298- state->initiator = initiator;
16299- state->seq_num = 0;
16300- state->creds = netlogon_creds_copy(state, creds);
16301- if (state->creds == NULL) {
16302- talloc_free(state);
16303- return NULL;
16304- }
16305-
16306- return state;
16307-}
16308-
16309-static void netsec_offset_and_sizes(struct schannel_state *state,
16310- bool do_seal,
16311- uint32_t *_min_sig_size,
16312- uint32_t *_used_sig_size,
16313- uint32_t *_checksum_length,
16314- uint32_t *_confounder_ofs)
16315-{
16316- uint32_t min_sig_size;
16317- uint32_t used_sig_size;
16318- uint32_t checksum_length;
16319- uint32_t confounder_ofs;
16320-
16321- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
16322- min_sig_size = 48;
16323- used_sig_size = 56;
16324- /*
16325- * Note: windows has a bug here and uses the old values...
16326- *
16327- * checksum_length = 32;
16328- * confounder_ofs = 48;
16329- */
16330- checksum_length = 8;
16331- confounder_ofs = 24;
16332- } else {
16333- min_sig_size = 24;
16334- used_sig_size = 32;
16335- checksum_length = 8;
16336- confounder_ofs = 24;
16337- }
16338-
16339- if (do_seal) {
16340- min_sig_size += 8;
16341- }
16342-
16343- if (_min_sig_size) {
16344- *_min_sig_size = min_sig_size;
16345- }
16346-
16347- if (_used_sig_size) {
16348- *_used_sig_size = used_sig_size;
16349- }
16350-
16351- if (_checksum_length) {
16352- *_checksum_length = checksum_length;
16353- }
16354-
16355- if (_confounder_ofs) {
16356- *_confounder_ofs = confounder_ofs;
16357- }
16358-}
16359-
16360-/*******************************************************************
16361- Encode or Decode the sequence number (which is symmetric)
16362- ********************************************************************/
16363-static void netsec_do_seq_num(struct schannel_state *state,
16364- const uint8_t *checksum,
16365- uint32_t checksum_length,
16366- uint8_t seq_num[8])
16367-{
16368- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
16369- AES_KEY key;
16370- uint8_t iv[AES_BLOCK_SIZE];
16371-
16372- AES_set_encrypt_key(state->creds->session_key, 128, &key);
16373- ZERO_STRUCT(iv);
16374- memcpy(iv+0, checksum, 8);
16375- memcpy(iv+8, checksum, 8);
16376-
16377- aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
16378- } else {
16379- static const uint8_t zeros[4];
16380- uint8_t sequence_key[16];
16381- uint8_t digest1[16];
16382-
16383- hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
16384- hmac_md5(digest1, checksum, checksum_length, sequence_key);
16385- arcfour_crypt(seq_num, sequence_key, 8);
16386- }
16387-
16388- state->seq_num++;
16389-}
16390-
16391-static void netsec_do_seal(struct schannel_state *state,
16392- const uint8_t seq_num[8],
16393- uint8_t confounder[8],
16394- uint8_t *data, uint32_t length,
16395- bool forward)
16396-{
16397- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
16398- AES_KEY key;
16399- uint8_t iv[AES_BLOCK_SIZE];
16400- uint8_t sess_kf0[16];
16401- int i;
16402-
16403- for (i = 0; i < 16; i++) {
16404- sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
16405- }
16406-
16407- AES_set_encrypt_key(sess_kf0, 128, &key);
16408- ZERO_STRUCT(iv);
16409- memcpy(iv+0, seq_num, 8);
16410- memcpy(iv+8, seq_num, 8);
16411-
16412- if (forward) {
16413- aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
16414- aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
16415- } else {
16416- aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
16417- aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
16418- }
16419- } else {
16420- uint8_t sealing_key[16];
16421- static const uint8_t zeros[4];
16422- uint8_t digest2[16];
16423- uint8_t sess_kf0[16];
16424- int i;
16425-
16426- for (i = 0; i < 16; i++) {
16427- sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
16428- }
16429-
16430- hmac_md5(sess_kf0, zeros, 4, digest2);
16431- hmac_md5(digest2, seq_num, 8, sealing_key);
16432-
16433- arcfour_crypt(confounder, sealing_key, 8);
16434- arcfour_crypt(data, sealing_key, length);
16435- }
16436-}
16437-
16438-/*******************************************************************
16439- Create a digest over the entire packet (including the data), and
16440- MD5 it with the session key.
16441- ********************************************************************/
16442-static void netsec_do_sign(struct schannel_state *state,
16443- const uint8_t *confounder,
16444- const uint8_t *data, size_t length,
16445- uint8_t header[8],
16446- uint8_t *checksum)
16447-{
16448- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
16449- struct HMACSHA256Context ctx;
16450-
16451- hmac_sha256_init(state->creds->session_key,
16452- sizeof(state->creds->session_key),
16453- &ctx);
16454-
16455- if (confounder) {
16456- SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
16457- SSVAL(header, 2, NL_SEAL_AES128);
16458- SSVAL(header, 4, 0xFFFF);
16459- SSVAL(header, 6, 0x0000);
16460-
16461- hmac_sha256_update(header, 8, &ctx);
16462- hmac_sha256_update(confounder, 8, &ctx);
16463- } else {
16464- SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
16465- SSVAL(header, 2, NL_SEAL_NONE);
16466- SSVAL(header, 4, 0xFFFF);
16467- SSVAL(header, 6, 0x0000);
16468-
16469- hmac_sha256_update(header, 8, &ctx);
16470- }
16471-
16472- hmac_sha256_update(data, length, &ctx);
16473-
16474- hmac_sha256_final(checksum, &ctx);
16475- } else {
16476- uint8_t packet_digest[16];
16477- static const uint8_t zeros[4];
16478- MD5_CTX ctx;
16479-
16480- MD5Init(&ctx);
16481- MD5Update(&ctx, zeros, 4);
16482- if (confounder) {
16483- SSVAL(header, 0, NL_SIGN_HMAC_MD5);
16484- SSVAL(header, 2, NL_SEAL_RC4);
16485- SSVAL(header, 4, 0xFFFF);
16486- SSVAL(header, 6, 0x0000);
16487-
16488- MD5Update(&ctx, header, 8);
16489- MD5Update(&ctx, confounder, 8);
16490- } else {
16491- SSVAL(header, 0, NL_SIGN_HMAC_MD5);
16492- SSVAL(header, 2, NL_SEAL_NONE);
16493- SSVAL(header, 4, 0xFFFF);
16494- SSVAL(header, 6, 0x0000);
16495-
16496- MD5Update(&ctx, header, 8);
16497- }
16498- MD5Update(&ctx, data, length);
16499- MD5Final(packet_digest, &ctx);
16500-
16501- hmac_md5(state->creds->session_key,
16502- packet_digest, sizeof(packet_digest),
16503- checksum);
16504- }
16505-}
16506-
16507-NTSTATUS netsec_incoming_packet(struct schannel_state *state,
16508- bool do_unseal,
16509- uint8_t *data, size_t length,
16510- const DATA_BLOB *sig)
16511-{
16512- uint32_t min_sig_size = 0;
16513- uint8_t header[8];
16514- uint8_t checksum[32];
16515- uint32_t checksum_length = sizeof(checksum_length);
16516- uint8_t _confounder[8];
16517- uint8_t *confounder = NULL;
16518- uint32_t confounder_ofs = 0;
16519- uint8_t seq_num[8];
16520- int ret;
16521-
16522- netsec_offset_and_sizes(state,
16523- do_unseal,
16524- &min_sig_size,
16525- NULL,
16526- &checksum_length,
16527- &confounder_ofs);
16528-
16529- if (sig->length < min_sig_size) {
16530- return NT_STATUS_ACCESS_DENIED;
16531- }
16532-
16533- if (do_unseal) {
16534- confounder = _confounder;
16535- memcpy(confounder, sig->data+confounder_ofs, 8);
16536- } else {
16537- confounder = NULL;
16538- }
16539-
16540- SETUP_SEQNUM(state, seq_num, !state->initiator);
16541-
16542- if (do_unseal) {
16543- netsec_do_seal(state, seq_num,
16544- confounder,
16545- data, length,
16546- false);
16547- }
16548-
16549- netsec_do_sign(state, confounder,
16550- data, length,
16551- header, checksum);
16552-
16553- ret = memcmp(checksum, sig->data+16, checksum_length);
16554- if (ret != 0) {
16555- dump_data_pw("calc digest:", checksum, checksum_length);
16556- dump_data_pw("wire digest:", sig->data+16, checksum_length);
16557- return NT_STATUS_ACCESS_DENIED;
16558- }
16559-
16560- netsec_do_seq_num(state, checksum, checksum_length, seq_num);
16561-
16562- ret = memcmp(seq_num, sig->data+8, 8);
16563- if (ret != 0) {
16564- dump_data_pw("calc seq num:", seq_num, 8);
16565- dump_data_pw("wire seq num:", sig->data+8, 8);
16566- return NT_STATUS_ACCESS_DENIED;
16567- }
16568-
16569- return NT_STATUS_OK;
16570-}
16571-
16572-uint32_t netsec_outgoing_sig_size(struct schannel_state *state)
16573-{
16574- uint32_t sig_size = 0;
16575-
16576- netsec_offset_and_sizes(state,
16577- true,
16578- NULL,
16579- &sig_size,
16580- NULL,
16581- NULL);
16582-
16583- return sig_size;
16584-}
16585-
16586-NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
16587- TALLOC_CTX *mem_ctx,
16588- bool do_seal,
16589- uint8_t *data, size_t length,
16590- DATA_BLOB *sig)
16591-{
16592- uint32_t min_sig_size = 0;
16593- uint32_t used_sig_size = 0;
16594- uint8_t header[8];
16595- uint8_t checksum[32];
16596- uint32_t checksum_length = sizeof(checksum_length);
16597- uint8_t _confounder[8];
16598- uint8_t *confounder = NULL;
16599- uint32_t confounder_ofs = 0;
16600- uint8_t seq_num[8];
16601-
16602- netsec_offset_and_sizes(state,
16603- do_seal,
16604- &min_sig_size,
16605- &used_sig_size,
16606- &checksum_length,
16607- &confounder_ofs);
16608-
16609- SETUP_SEQNUM(state, seq_num, state->initiator);
16610-
16611- if (do_seal) {
16612- confounder = _confounder;
16613- generate_random_buffer(confounder, 8);
16614- } else {
16615- confounder = NULL;
16616- }
16617-
16618- netsec_do_sign(state, confounder,
16619- data, length,
16620- header, checksum);
16621-
16622- if (do_seal) {
16623- netsec_do_seal(state, seq_num,
16624- confounder,
16625- data, length,
16626- true);
16627- }
16628-
16629- netsec_do_seq_num(state, checksum, checksum_length, seq_num);
16630-
16631- (*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size);
16632-
16633- memcpy(sig->data, header, 8);
16634- memcpy(sig->data+8, seq_num, 8);
16635- memcpy(sig->data+16, checksum, checksum_length);
16636-
16637- if (confounder) {
16638- memcpy(sig->data+confounder_ofs, confounder, 8);
16639- }
16640-
16641- dump_data_pw("signature:", sig->data+ 0, 8);
16642- dump_data_pw("seq_num :", sig->data+ 8, 8);
16643- dump_data_pw("digest :", sig->data+16, checksum_length);
16644- dump_data_pw("confound :", sig->data+confounder_ofs, 8);
16645-
16646- return NT_STATUS_OK;
16647-}
16648diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
16649index df23058..ca2be2d 100755
16650--- a/libcli/auth/wscript_build
16651+++ b/libcli/auth/wscript_build
16652@@ -24,7 +24,7 @@ bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
16653
16654
16655 bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
16656- source='schannel_state_tdb.c schannel_sign.c',
16657+ source='schannel_state_tdb.c',
16658 deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
16659 )
16660
16661--
166621.9.3
16663
16664
16665From 307627065568a259eb9e94953b872bf723477be6 Mon Sep 17 00:00:00 2001
16666From: Stefan Metzmacher <metze@samba.org>
16667Date: Tue, 31 Dec 2013 10:11:18 +0100
16668Subject: [PATCH 150/249] auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER
16669 in schannel.c
16670
16671Signed-off-by: Stefan Metzmacher <metze@samba.org>
16672Reviewed-by: Andrew Bartlett <abartlet@samba.org>
16673(cherry picked from commit 03006d0e4471465f071517097145806fbe46fdba)
16674---
16675 auth/gensec/schannel.c | 56 +++++++++++++++++++++++++++++++++++++++++---------
16676 1 file changed, 46 insertions(+), 10 deletions(-)
16677
16678diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
16679index c60ab4f..3d30e83 100644
16680--- a/auth/gensec/schannel.c
16681+++ b/auth/gensec/schannel.c
16682@@ -34,6 +34,7 @@
16683 #include "lib/crypto/crypto.h"
16684
16685 struct schannel_state {
16686+ struct gensec_security *gensec;
16687 uint64_t seq_num;
16688 bool initiator;
16689 struct netlogon_creds_CredentialState *creds;
16690@@ -50,17 +51,19 @@ struct schannel_state {
16691 RSIVAL(_buf, 4, _seq_num_high); \
16692 } while(0)
16693
16694-static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
16695+static struct schannel_state *netsec_create_state(
16696+ struct gensec_security *gensec,
16697 struct netlogon_creds_CredentialState *creds,
16698 bool initiator)
16699 {
16700 struct schannel_state *state;
16701
16702- state = talloc(mem_ctx, struct schannel_state);
16703+ state = talloc(gensec, struct schannel_state);
16704 if (state == NULL) {
16705 return NULL;
16706 }
16707
16708+ state->gensec = gensec;
16709 state->initiator = initiator;
16710 state->seq_num = 0;
16711 state->creds = netlogon_creds_copy(state, creds);
16712@@ -69,6 +72,8 @@ static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
16713 return NULL;
16714 }
16715
16716+ gensec->private_data = state;
16717+
16718 return state;
16719 }
16720
16721@@ -273,6 +278,7 @@ static void netsec_do_sign(struct schannel_state *state,
16722 static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
16723 bool do_unseal,
16724 uint8_t *data, size_t length,
16725+ const uint8_t *whole_pdu, size_t pdu_length,
16726 const DATA_BLOB *sig)
16727 {
16728 uint32_t min_sig_size = 0;
16729@@ -284,6 +290,8 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
16730 uint32_t confounder_ofs = 0;
16731 uint8_t seq_num[8];
16732 int ret;
16733+ const uint8_t *sign_data = NULL;
16734+ size_t sign_length = 0;
16735
16736 netsec_offset_and_sizes(state,
16737 do_unseal,
16738@@ -312,8 +320,16 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
16739 false);
16740 }
16741
16742+ if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
16743+ sign_data = whole_pdu;
16744+ sign_length = pdu_length;
16745+ } else {
16746+ sign_data = data;
16747+ sign_length = length;
16748+ }
16749+
16750 netsec_do_sign(state, confounder,
16751- data, length,
16752+ sign_data, sign_length,
16753 header, checksum);
16754
16755 ret = memcmp(checksum, sig->data+16, checksum_length);
16756@@ -353,6 +369,7 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
16757 TALLOC_CTX *mem_ctx,
16758 bool do_seal,
16759 uint8_t *data, size_t length,
16760+ const uint8_t *whole_pdu, size_t pdu_length,
16761 DATA_BLOB *sig)
16762 {
16763 uint32_t min_sig_size = 0;
16764@@ -364,6 +381,8 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
16765 uint8_t *confounder = NULL;
16766 uint32_t confounder_ofs = 0;
16767 uint8_t seq_num[8];
16768+ const uint8_t *sign_data = NULL;
16769+ size_t sign_length = 0;
16770
16771 netsec_offset_and_sizes(state,
16772 do_seal,
16773@@ -381,8 +400,16 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
16774 confounder = NULL;
16775 }
16776
16777+ if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
16778+ sign_data = whole_pdu;
16779+ sign_length = pdu_length;
16780+ } else {
16781+ sign_data = data;
16782+ sign_length = length;
16783+ }
16784+
16785 netsec_do_sign(state, confounder,
16786- data, length,
16787+ sign_data, sign_length,
16788 header, checksum);
16789
16790 if (do_seal) {
16791@@ -457,7 +484,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
16792 if (state == NULL) {
16793 return NT_STATUS_NO_MEMORY;
16794 }
16795- gensec_security->private_data = state;
16796
16797 bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
16798 #if 0
16799@@ -553,7 +579,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
16800 if (state == NULL) {
16801 return NT_STATUS_NO_MEMORY;
16802 }
16803- gensec_security->private_data = state;
16804
16805 bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
16806 bind_schannel_ack.Flags = 0;
16807@@ -608,6 +633,9 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
16808 if (feature & GENSEC_FEATURE_DCE_STYLE) {
16809 return true;
16810 }
16811+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
16812+ return true;
16813+ }
16814 return false;
16815 }
16816
16817@@ -625,7 +653,9 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
16818
16819 return netsec_incoming_packet(state, true,
16820 discard_const_p(uint8_t, data),
16821- length, sig);
16822+ length,
16823+ whole_pdu, pdu_length,
16824+ sig);
16825 }
16826
16827 /*
16828@@ -642,7 +672,9 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
16829
16830 return netsec_incoming_packet(state, false,
16831 discard_const_p(uint8_t, data),
16832- length, sig);
16833+ length,
16834+ whole_pdu, pdu_length,
16835+ sig);
16836 }
16837 /*
16838 seal a packet
16839@@ -658,7 +690,9 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
16840 struct schannel_state);
16841
16842 return netsec_outgoing_packet(state, mem_ctx, true,
16843- data, length, sig);
16844+ data, length,
16845+ whole_pdu, pdu_length,
16846+ sig);
16847 }
16848
16849 /*
16850@@ -676,7 +710,9 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
16851
16852 return netsec_outgoing_packet(state, mem_ctx, false,
16853 discard_const_p(uint8_t, data),
16854- length, sig);
16855+ length,
16856+ whole_pdu, pdu_length,
16857+ sig);
16858 }
16859
16860 static const struct gensec_security_ops gensec_schannel_security_ops = {
16861--
168621.9.3
16863
16864
16865From 5b457559dfaeaf8f3d9227a93e5b75e0e7464c23 Mon Sep 17 00:00:00 2001
16866From: Stefan Metzmacher <metze@samba.org>
16867Date: Sun, 5 Jan 2014 06:16:03 +0100
16868Subject: [PATCH 151/249] s3:rpc_client: talloc_zero pipe_auth_data
16869
16870Signed-off-by: Stefan Metzmacher <metze@samba.org>
16871Reviewed-by: Andrew Bartlett <abartlet@samba.org>
16872(cherry picked from commit 5b39a351a8ceb3bec04236ceb4b2fe10651958a9)
16873---
16874 source3/rpc_client/cli_pipe.c | 6 +++---
16875 1 file changed, 3 insertions(+), 3 deletions(-)
16876
16877diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
16878index a343997..7d1e347 100644
16879--- a/source3/rpc_client/cli_pipe.c
16880+++ b/source3/rpc_client/cli_pipe.c
16881@@ -2101,7 +2101,7 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
16882 {
16883 struct pipe_auth_data *result;
16884
16885- result = talloc(mem_ctx, struct pipe_auth_data);
16886+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
16887 if (result == NULL) {
16888 return NT_STATUS_NO_MEMORY;
16889 }
16890@@ -2125,7 +2125,7 @@ NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
16891 {
16892 struct pipe_auth_data *result;
16893
16894- result = talloc(mem_ctx, struct pipe_auth_data);
16895+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
16896 if (result == NULL) {
16897 return NT_STATUS_NO_MEMORY;
16898 }
16899@@ -2160,7 +2160,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
16900 struct pipe_auth_data *result;
16901 NTSTATUS status;
16902
16903- result = talloc(mem_ctx, struct pipe_auth_data);
16904+ result = talloc_zero(mem_ctx, struct pipe_auth_data);
16905 if (result == NULL) {
16906 return NT_STATUS_NO_MEMORY;
16907 }
16908--
169091.9.3
16910
16911
16912From dd35874efea280b91ccaadf14a9a18e8a9017ea4 Mon Sep 17 00:00:00 2001
16913From: Stefan Metzmacher <metze@samba.org>
16914Date: Sun, 5 Jan 2014 06:31:44 +0100
16915Subject: [PATCH 152/249] s3:rpc_client: make rpc_api_pipe_req_send/recv static
16916
16917Signed-off-by: Stefan Metzmacher <metze@samba.org>
16918Reviewed-by: Andrew Bartlett <abartlet@samba.org>
16919(cherry picked from commit 946e29dbc148d40fadbee81d4d530a36c0f2f1e6)
16920---
16921 source3/rpc_client/cli_pipe.c | 4 ++--
16922 source3/rpc_client/cli_pipe.h | 10 ----------
16923 2 files changed, 2 insertions(+), 12 deletions(-)
16924
16925diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
16926index 7d1e347..3d12454 100644
16927--- a/source3/rpc_client/cli_pipe.c
16928+++ b/source3/rpc_client/cli_pipe.c
16929@@ -1153,7 +1153,7 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq);
16930 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
16931 bool *is_last_frag);
16932
16933-struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
16934+static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
16935 struct tevent_context *ev,
16936 struct rpc_pipe_client *cli,
16937 uint8_t op_num,
16938@@ -1366,7 +1366,7 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq)
16939 tevent_req_done(req);
16940 }
16941
16942-NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
16943+static NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
16944 DATA_BLOB *reply_pdu)
16945 {
16946 struct rpc_api_pipe_req_state *state = tevent_req_data(
16947diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
16948index ab99373..826f9bf 100644
16949--- a/source3/rpc_client/cli_pipe.h
16950+++ b/source3/rpc_client/cli_pipe.h
16951@@ -27,16 +27,6 @@
16952
16953 /* The following definitions come from rpc_client/cli_pipe.c */
16954
16955-struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
16956- struct tevent_context *ev,
16957- struct rpc_pipe_client *cli,
16958- uint8_t op_num,
16959- DATA_BLOB *req_data);
16960-
16961-NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req,
16962- TALLOC_CTX *mem_ctx,
16963- DATA_BLOB *reply_pdu);
16964-
16965 struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
16966 struct tevent_context *ev,
16967 struct rpc_pipe_client *cli,
16968--
169691.9.3
16970
16971
16972From 9ea586bbac52bf17e6a1147420bfc9648e697706 Mon Sep 17 00:00:00 2001
16973From: Stefan Metzmacher <metze@samba.org>
16974Date: Sun, 5 Jan 2014 07:56:20 +0100
16975Subject: [PATCH 153/249] s3:rpc_client: add some const to
16976 rpc_api_pipe_req_send()
16977
16978Signed-off-by: Stefan Metzmacher <metze@samba.org>
16979Reviewed-by: Andrew Bartlett <abartlet@samba.org>
16980(cherry picked from commit 4d3376e919b5c33f272b3a584d8172729a7468e0)
16981---
16982 source3/rpc_client/cli_pipe.c | 4 ++--
16983 1 file changed, 2 insertions(+), 2 deletions(-)
16984
16985diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
16986index 3d12454..6b7fee2 100644
16987--- a/source3/rpc_client/cli_pipe.c
16988+++ b/source3/rpc_client/cli_pipe.c
16989@@ -1142,7 +1142,7 @@ struct rpc_api_pipe_req_state {
16990 struct rpc_pipe_client *cli;
16991 uint8_t op_num;
16992 uint32_t call_id;
16993- DATA_BLOB *req_data;
16994+ const DATA_BLOB *req_data;
16995 uint32_t req_data_sent;
16996 DATA_BLOB rpc_out;
16997 DATA_BLOB reply_pdu;
16998@@ -1157,7 +1157,7 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
16999 struct tevent_context *ev,
17000 struct rpc_pipe_client *cli,
17001 uint8_t op_num,
17002- DATA_BLOB *req_data)
17003+ const DATA_BLOB *req_data)
17004 {
17005 struct tevent_req *req, *subreq;
17006 struct rpc_api_pipe_req_state *state;
17007--
170081.9.3
17009
17010
17011From cc6303171f06ae26bce9d54013a63a6296563dd7 Mon Sep 17 00:00:00 2001
17012From: Stefan Metzmacher <metze@samba.org>
17013Date: Sun, 5 Jan 2014 08:26:15 +0100
17014Subject: [PATCH 154/249] s3:rpc_client: handle DCERPC_AUTH_TYPE_SCHANNEL as
17015 any other gensec backend
17016
17017Signed-off-by: Stefan Metzmacher <metze@samba.org>
17018Reviewed-by: Andrew Bartlett <abartlet@samba.org>
17019(cherry picked from commit f7bf7e705e704d2f1702e42a8e400baff9521066)
17020---
17021 source3/rpc_client/cli_pipe.c | 4 ++--
17022 1 file changed, 2 insertions(+), 2 deletions(-)
17023
17024diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
17025index 6b7fee2..b142774 100644
17026--- a/source3/rpc_client/cli_pipe.c
17027+++ b/source3/rpc_client/cli_pipe.c
17028@@ -1627,11 +1627,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
17029
17030 case DCERPC_AUTH_TYPE_NONE:
17031 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
17032- case DCERPC_AUTH_TYPE_SCHANNEL:
17033 /* Bind complete. */
17034 tevent_req_done(req);
17035 return;
17036
17037+ case DCERPC_AUTH_TYPE_SCHANNEL:
17038 case DCERPC_AUTH_TYPE_NTLMSSP:
17039 case DCERPC_AUTH_TYPE_SPNEGO:
17040 case DCERPC_AUTH_TYPE_KRB5:
17041@@ -1666,11 +1666,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
17042
17043 case DCERPC_AUTH_TYPE_NONE:
17044 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
17045- case DCERPC_AUTH_TYPE_SCHANNEL:
17046 /* Bind complete. */
17047 tevent_req_done(req);
17048 return;
17049
17050+ case DCERPC_AUTH_TYPE_SCHANNEL:
17051 case DCERPC_AUTH_TYPE_NTLMSSP:
17052 case DCERPC_AUTH_TYPE_KRB5:
17053 case DCERPC_AUTH_TYPE_SPNEGO:
17054--
170551.9.3
17056
17057
17058From 044ca24f9d8a3bf57d6981c89e6dcc5e4477059d Mon Sep 17 00:00:00 2001
17059From: Stefan Metzmacher <metze@samba.org>
17060Date: Fri, 3 Jan 2014 22:41:33 +0100
17061Subject: [PATCH 155/249] s3:rpc_client: implement
17062 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
17063
17064Signed-off-by: Stefan Metzmacher <metze@samba.org>
17065Reviewed-by: Andrew Bartlett <abartlet@samba.org>
17066(cherry picked from commit 61bdbc23cd09a594a63f49ff8626934c85a8e51a)
17067---
17068 source3/librpc/rpc/dcerpc.h | 4 +++-
17069 source3/rpc_client/cli_pipe.c | 44 +++++++++++++++++++++++++++++++++++++------
17070 2 files changed, 41 insertions(+), 7 deletions(-)
17071
17072diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
17073index b18b7ba..aaf8d68 100644
17074--- a/source3/librpc/rpc/dcerpc.h
17075+++ b/source3/librpc/rpc/dcerpc.h
17076@@ -39,7 +39,9 @@ struct NL_AUTH_MESSAGE;
17077 struct pipe_auth_data {
17078 enum dcerpc_AuthType auth_type;
17079 enum dcerpc_AuthLevel auth_level;
17080-
17081+ bool client_hdr_signing;
17082+ bool hdr_signing;
17083+
17084 void *auth_ctx;
17085
17086 /* Only the client code uses these 3 for now */
17087diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
17088index b142774..1cab580 100644
17089--- a/source3/rpc_client/cli_pipe.c
17090+++ b/source3/rpc_client/cli_pipe.c
17091@@ -1002,16 +1002,31 @@ static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
17092
17093 static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
17094 TALLOC_CTX *mem_ctx,
17095- DATA_BLOB *auth_token)
17096+ DATA_BLOB *auth_token,
17097+ bool *client_hdr_signing)
17098 {
17099 struct gensec_security *gensec_security;
17100 DATA_BLOB null_blob = data_blob_null;
17101+ NTSTATUS status;
17102
17103 gensec_security = talloc_get_type_abort(cli->auth->auth_ctx,
17104 struct gensec_security);
17105
17106 DEBUG(5, ("create_generic_auth_rpc_bind_req: generate first token\n"));
17107- return gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
17108+ status = gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
17109+
17110+ if (!NT_STATUS_IS_OK(status) &&
17111+ !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED))
17112+ {
17113+ return status;
17114+ }
17115+
17116+ if (client_hdr_signing != NULL) {
17117+ *client_hdr_signing = gensec_have_feature(gensec_security,
17118+ GENSEC_FEATURE_SIGN_PKT_HEADER);
17119+ }
17120+
17121+ return status;
17122 }
17123
17124 /*******************************************************************
17125@@ -1024,17 +1039,23 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
17126 const struct ndr_syntax_id *abstract,
17127 const struct ndr_syntax_id *transfer,
17128 const DATA_BLOB *auth_info,
17129+ bool client_hdr_signing,
17130 DATA_BLOB *blob)
17131 {
17132 uint16 auth_len = auth_info->length;
17133 NTSTATUS status;
17134 union dcerpc_payload u;
17135 struct dcerpc_ctx_list ctx_list;
17136+ uint8_t pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
17137
17138 if (auth_len) {
17139 auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
17140 }
17141
17142+ if (client_hdr_signing) {
17143+ pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
17144+ }
17145+
17146 ctx_list.context_id = 0;
17147 ctx_list.num_transfer_syntaxes = 1;
17148 ctx_list.abstract_syntax = *abstract;
17149@@ -1048,9 +1069,7 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
17150 u.bind.auth_info = *auth_info;
17151
17152 status = dcerpc_push_ncacn_packet(mem_ctx,
17153- ptype,
17154- DCERPC_PFC_FLAG_FIRST |
17155- DCERPC_PFC_FLAG_LAST,
17156+ ptype, pfc_flags,
17157 auth_len,
17158 rpc_call_id,
17159 &u,
17160@@ -1084,7 +1103,9 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
17161 case DCERPC_AUTH_TYPE_NTLMSSP:
17162 case DCERPC_AUTH_TYPE_KRB5:
17163 case DCERPC_AUTH_TYPE_SPNEGO:
17164- ret = create_generic_auth_rpc_bind_req(cli, mem_ctx, &auth_token);
17165+ ret = create_generic_auth_rpc_bind_req(cli, mem_ctx,
17166+ &auth_token,
17167+ &auth->client_hdr_signing);
17168
17169 if (!NT_STATUS_IS_OK(ret) &&
17170 !NT_STATUS_EQUAL(ret, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
17171@@ -1126,6 +1147,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
17172 abstract,
17173 transfer,
17174 &auth_info,
17175+ auth->client_hdr_signing,
17176 rpc_out);
17177 return ret;
17178 }
17179@@ -1507,6 +1529,7 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
17180 abstract,
17181 transfer,
17182 &auth_info,
17183+ false, /* client_hdr_signing */
17184 rpc_out);
17185 data_blob_free(&auth_info);
17186 return status;
17187@@ -1676,6 +1699,15 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
17188 case DCERPC_AUTH_TYPE_SPNEGO:
17189 gensec_security = talloc_get_type_abort(pauth->auth_ctx,
17190 struct gensec_security);
17191+
17192+ if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
17193+ if (pauth->client_hdr_signing) {
17194+ pauth->hdr_signing = true;
17195+ gensec_want_feature(gensec_security,
17196+ GENSEC_FEATURE_SIGN_PKT_HEADER);
17197+ }
17198+ }
17199+
17200 status = gensec_update(gensec_security, state, NULL,
17201 auth.credentials, &auth_token);
17202 if (NT_STATUS_EQUAL(status,
17203--
172041.9.3
17205
17206
17207From 472b11d1b0fdbb1ca61e64979e4b5fd7dc1756a5 Mon Sep 17 00:00:00 2001
17208From: Stefan Metzmacher <metze@samba.org>
17209Date: Fri, 3 Jan 2014 22:56:03 +0100
17210Subject: [PATCH 156/249] s3:rpc_server: add support for
17211 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
17212
17213If the backend supports it there's no reason to avoid it.
17214
17215Signed-off-by: Stefan Metzmacher <metze@samba.org>
17216Reviewed-by: Andrew Bartlett <abartlet@samba.org>
17217(cherry picked from commit 523d616268af5f94e11c863f9acdebabace80608)
17218---
17219 source3/rpc_server/srv_pipe.c | 25 ++++++++++++++++++++++---
17220 1 file changed, 22 insertions(+), 3 deletions(-)
17221
17222diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
17223index 5f834fb..f572819 100644
17224--- a/source3/rpc_server/srv_pipe.c
17225+++ b/source3/rpc_server/srv_pipe.c
17226@@ -42,6 +42,7 @@
17227 #include "rpc_server/rpc_contexts.h"
17228 #include "lib/param/param.h"
17229 #include "librpc/ndr/ndr_table.h"
17230+#include "auth/gensec/gensec.h"
17231
17232 #undef DBGC_CLASS
17233 #define DBGC_CLASS DBGC_RPC_SRV
17234@@ -418,10 +419,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
17235 *******************************************************************/
17236
17237 static bool pipe_auth_generic_bind(struct pipes_struct *p,
17238- TALLOC_CTX *mem_ctx,
17239+ struct ncacn_packet *pkt,
17240 struct dcerpc_auth *auth_info,
17241 DATA_BLOB *response)
17242 {
17243+ TALLOC_CTX *mem_ctx = pkt;
17244 struct gensec_security *gensec_security = NULL;
17245 NTSTATUS status;
17246
17247@@ -444,6 +446,17 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p,
17248 p->auth.auth_ctx = gensec_security;
17249 p->auth.auth_type = auth_info->auth_type;
17250
17251+ if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
17252+ p->auth.client_hdr_signing = true;
17253+ p->auth.hdr_signing = gensec_have_feature(gensec_security,
17254+ GENSEC_FEATURE_SIGN_PKT_HEADER);
17255+ }
17256+
17257+ if (p->auth.hdr_signing) {
17258+ gensec_want_feature(gensec_security,
17259+ GENSEC_FEATURE_SIGN_PKT_HEADER);
17260+ }
17261+
17262 return true;
17263 }
17264
17265@@ -548,6 +561,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
17266 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
17267 NTSTATUS status;
17268 struct ndr_syntax_id id;
17269+ uint8_t pfc_flags = 0;
17270 union dcerpc_payload u;
17271 struct dcerpc_ack_ctx bind_ack_ctx;
17272 DATA_BLOB auth_resp = data_blob_null;
17273@@ -792,10 +806,15 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
17274 * header and are never sending more than one PDU here.
17275 */
17276
17277+ pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
17278+
17279+ if (p->auth.hdr_signing) {
17280+ pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
17281+ }
17282+
17283 status = dcerpc_push_ncacn_packet(p->mem_ctx,
17284 DCERPC_PKT_BIND_ACK,
17285- DCERPC_PFC_FLAG_FIRST |
17286- DCERPC_PFC_FLAG_LAST,
17287+ pfc_flags,
17288 auth_resp.length,
17289 pkt->call_id,
17290 &u,
17291--
172921.9.3
17293
17294
17295From 4e6bea89ffcca074e0320b98e65485f348a469a5 Mon Sep 17 00:00:00 2001
17296From: Stefan Metzmacher <metze@samba.org>
17297Date: Fri, 3 Jan 2014 09:25:23 +0100
17298Subject: [PATCH 157/249] librpc/ndr: add
17299 LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
17300
17301This lets ndr_pull_subcontext_end() make sure that all
17302subcontext bytes are consumed otherwise it returns NDR_ERR_UNREAD_BYTES.
17303
17304Signed-off-by: Stefan Metzmacher <metze@samba.org>
17305Reviewed-by: Andrew Bartlett <abartlet@samba.org>
17306(cherry picked from commit b62308ed994e9734dfd934d230531010d9e7cefa)
17307---
17308 librpc/idl/idl_types.h | 2 ++
17309 librpc/ndr/libndr.h | 6 ++++++
17310 librpc/ndr/ndr.c | 20 ++++++++++++++++++++
17311 3 files changed, 28 insertions(+)
17312
17313diff --git a/librpc/idl/idl_types.h b/librpc/idl/idl_types.h
17314index c50efac..838c219 100644
17315--- a/librpc/idl/idl_types.h
17316+++ b/librpc/idl/idl_types.h
17317@@ -53,3 +53,5 @@
17318
17319 #define NDR_RELATIVE_REVERSE LIBNDR_FLAG_RELATIVE_REVERSE
17320 #define NDR_NO_RELATIVE_REVERSE LIBNDR_FLAG_NO_RELATIVE_REVERSE
17321+
17322+#define NDR_SUBCONTEXT_NO_UNREAD_BYTES LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
17323diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h
17324index a950519..8070c3c 100644
17325--- a/librpc/ndr/libndr.h
17326+++ b/librpc/ndr/libndr.h
17327@@ -123,6 +123,12 @@ struct ndr_print {
17328 #define LIBNDR_FLAG_STR_RAW8 (1<<13)
17329 #define LIBNDR_STRING_FLAGS (0x7FFC)
17330
17331+/*
17332+ * This lets ndr_pull_subcontext_end() return
17333+ * NDR_ERR_UNREAD_BYTES.
17334+ */
17335+#define LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES (1<<17)
17336+
17337 /* set if relative pointers should *not* be marshalled in reverse order */
17338 #define LIBNDR_FLAG_NO_RELATIVE_REVERSE (1<<18)
17339
17340diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c
17341index e86cf2f..15a7f12 100644
17342--- a/librpc/ndr/ndr.c
17343+++ b/librpc/ndr/ndr.c
17344@@ -638,6 +638,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subcontext_end(struct ndr_pull *ndr,
17345 ssize_t size_is)
17346 {
17347 uint32_t advance;
17348+ uint32_t highest_ofs;
17349+
17350 if (size_is >= 0) {
17351 advance = size_is;
17352 } else if (header_size > 0) {
17353@@ -645,6 +647,24 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subcontext_end(struct ndr_pull *ndr,
17354 } else {
17355 advance = subndr->offset;
17356 }
17357+
17358+ if (subndr->offset > ndr->relative_highest_offset) {
17359+ highest_ofs = subndr->offset;
17360+ } else {
17361+ highest_ofs = subndr->relative_highest_offset;
17362+ }
17363+ if (!(subndr->flags & LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES)) {
17364+ /*
17365+ * avoid an error unless SUBCONTEXT_NO_UNREAD_BYTES is specified
17366+ */
17367+ highest_ofs = advance;
17368+ }
17369+ if (highest_ofs < advance) {
17370+ return ndr_pull_error(subndr, NDR_ERR_UNREAD_BYTES,
17371+ "not all bytes consumed ofs[%u] advance[%u]",
17372+ highest_ofs, advance);
17373+ }
17374+
17375 NDR_CHECK(ndr_pull_advance(ndr, advance));
17376 return NDR_ERR_SUCCESS;
17377 }
17378--
173791.9.3
17380
17381
17382From 5960d93d9cddca327ad8d24a41c64421ac6bb561 Mon Sep 17 00:00:00 2001
17383From: Stefan Metzmacher <metze@samba.org>
17384Date: Fri, 3 Jan 2014 15:06:23 +0100
17385Subject: [PATCH 158/249] dcerpc.idl: add documentation references
17386
17387To [C706 - DCE 1.1: Remote Procedure Call] and [MS-RPCE].
17388
17389Signed-off-by: Stefan Metzmacher <metze@samba.org>
17390Reviewed-by: Andrew Bartlett <abartlet@samba.org>
17391(cherry picked from commit 66c39420e29e7c257d9cdc5d04c061472bbefd19)
17392---
17393 librpc/idl/dcerpc.idl | 13 +++++++++++--
17394 1 file changed, 11 insertions(+), 2 deletions(-)
17395
17396diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
17397index 86f22a4..23cac89 100644
17398--- a/librpc/idl/dcerpc.idl
17399+++ b/librpc/idl/dcerpc.idl
17400@@ -5,8 +5,17 @@
17401 but given that pidl can handle it nicely it simplifies things a lot
17402 to do it this way
17403
17404- see http://www.opengroup.org/onlinepubs/9629399/chap12.htm for packet
17405- layouts
17406+ See [C706 - DCE 1.1: Remote Procedure Call] for the OpenGroup
17407+ DCERPC specification:
17408+ http://pubs.opengroup.org/onlinepubs/9629399/toc.htm
17409+
17410+ See C706 - Chapter 12: RPC PDU Encodings for packet layouts:
17411+ http://www.opengroup.org/onlinepubs/9629399/chap12.htm
17412+
17413+ See also [MS-RPCE] for the Microsoft
17414+ "Remote Procedure Call Protocol Extensions".
17415+ http://msdn.microsoft.com/en-us/library/cc243560.aspx
17416+
17417 */
17418 import "misc.idl";
17419
17420--
174211.9.3
17422
17423
17424From 812cb7e6010b39fb752cf85026fd8d8a5dccbb39 Mon Sep 17 00:00:00 2001
17425From: Stefan Metzmacher <metze@samba.org>
17426Date: Thu, 2 Jan 2014 11:18:38 +0100
17427Subject: [PATCH 159/249] dcerpc.idl: add dcerpc_sec_verification_trailer
17428
17429See [MS-RPCE] 2.2.2.13 Verification Trailer for details.
17430
17431Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>
17432
17433Signed-off-by: Gregor Beck <gbeck@sernet.de>
17434Signed-off-by: Stefan Metzmacher <metze@samba.org>
17435Reviewed-by: Andrew Bartlett <abartlet@samba.org>
17436(cherry picked from commit c0dc2fb7e1dadcef35a132040448cb27ff1d5bfa)
17437---
17438 librpc/idl/dcerpc.idl | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
17439 librpc/ndr/ndr_dcerpc.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
17440 librpc/wscript_build | 2 +-
17441 3 files changed, 134 insertions(+), 1 deletion(-)
17442 create mode 100644 librpc/ndr/ndr_dcerpc.c
17443
17444diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
17445index 23cac89..8e9be0e 100644
17446--- a/librpc/idl/dcerpc.idl
17447+++ b/librpc/idl/dcerpc.idl
17448@@ -19,6 +19,8 @@
17449 */
17450 import "misc.idl";
17451
17452+cpp_quote("extern const uint8_t DCERPC_SEC_VT_MAGIC[8];")
17453+
17454 interface dcerpc
17455 {
17456 typedef struct {
17457@@ -514,4 +516,69 @@ interface dcerpc
17458 uint8 serial_low;
17459 [switch_is(ptype)] dcerpc_payload u;
17460 } ncadg_packet;
17461+
17462+ typedef [bitmap16bit] bitmap {
17463+ DCERPC_SEC_VT_COMMAND_ENUM = 0x3FFF,
17464+ DCERPC_SEC_VT_COMMAND_END = 0x4000,
17465+ DCERPC_SEC_VT_MUST_PROCESS = 0x8000
17466+ } dcerpc_sec_vt_command;
17467+
17468+ typedef [enum16bit] enum {
17469+ DCERPC_SEC_VT_COMMAND_BITMASK1 = 0x0001,
17470+ DCERPC_SEC_VT_COMMAND_PCONTEXT = 0x0002,
17471+ DCERPC_SEC_VT_COMMAND_HEADER2 = 0x0003
17472+ } dcerpc_sec_vt_command_enum;
17473+
17474+ typedef [bitmap32bit] bitmap {
17475+ DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING = 0x00000001
17476+ } dcerpc_sec_vt_bitmask1;
17477+
17478+ typedef struct {
17479+ ndr_syntax_id abstract_syntax;
17480+ ndr_syntax_id transfer_syntax;
17481+ } dcerpc_sec_vt_pcontext;
17482+
17483+ typedef struct {
17484+ dcerpc_pkt_type ptype; /* Packet type */
17485+ [value(0)] uint8 reserved1;
17486+ [value(0)] uint16 reserved2;
17487+ uint8 drep[4]; /* NDR data representation */
17488+ uint32 call_id; /* Call identifier */
17489+ uint16 context_id;
17490+ uint16 opnum;
17491+ } dcerpc_sec_vt_header2;
17492+
17493+ typedef [switch_type(dcerpc_sec_vt_command_enum),nodiscriminant] union {
17494+ [case(DCERPC_SEC_VT_COMMAND_BITMASK1)] dcerpc_sec_vt_bitmask1 bitmask1;
17495+ [case(DCERPC_SEC_VT_COMMAND_PCONTEXT)] dcerpc_sec_vt_pcontext pcontext;
17496+ [case(DCERPC_SEC_VT_COMMAND_HEADER2)] dcerpc_sec_vt_header2 header2;
17497+ [default,flag(NDR_REMAINING)] DATA_BLOB _unknown;
17498+ } dcerpc_sec_vt_union;
17499+
17500+ typedef struct {
17501+ dcerpc_sec_vt_command command;
17502+ [switch_is(command & DCERPC_SEC_VT_COMMAND_ENUM)]
17503+ [subcontext(2),flag(NDR_SUBCONTEXT_NO_UNREAD_BYTES)]
17504+ dcerpc_sec_vt_union u;
17505+ } dcerpc_sec_vt;
17506+
17507+ typedef [public,nopush,nopull] struct {
17508+ uint16 count;
17509+ } dcerpc_sec_vt_count;
17510+
17511+ /*
17512+ * We assume that the whole verification trailer fits into
17513+ * the last 1024 bytes after the stub data.
17514+ *
17515+ * There're currently only 3 commands defined and each should
17516+ * only be used once.
17517+ */
17518+ const uint16 DCERPC_SEC_VT_MAX_SIZE = 1024;
17519+
17520+ typedef [public,flag(NDR_PAHEX)] struct {
17521+ [flag(NDR_ALIGN4)] DATA_BLOB _pad;
17522+ [value(DCERPC_SEC_VT_MAGIC)] uint8 magic[8];
17523+ dcerpc_sec_vt_count count;
17524+ dcerpc_sec_vt commands[count.count];
17525+ } dcerpc_sec_verification_trailer;
17526 }
17527diff --git a/librpc/ndr/ndr_dcerpc.c b/librpc/ndr/ndr_dcerpc.c
17528new file mode 100644
17529index 0000000..88a7f38
17530--- /dev/null
17531+++ b/librpc/ndr/ndr_dcerpc.c
17532@@ -0,0 +1,66 @@
17533+/*
17534+ Unix SMB/CIFS implementation.
17535+
17536+ Manually parsed structures found in the DCERPC protocol
17537+
17538+ Copyright (C) Stefan Metzmacher 2014
17539+ Copyright (C) Gregor Beck 2014
17540+
17541+ This program is free software; you can redistribute it and/or modify
17542+ it under the terms of the GNU General Public License as published by
17543+ the Free Software Foundation; either version 3 of the License, or
17544+ (at your option) any later version.
17545+
17546+ This program is distributed in the hope that it will be useful,
17547+ but WITHOUT ANY WARRANTY; without even the implied warranty of
17548+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17549+ GNU General Public License for more details.
17550+
17551+ You should have received a copy of the GNU General Public License
17552+ along with this program. If not, see <http://www.gnu.org/licenses/>.
17553+*/
17554+
17555+#include "includes.h"
17556+#include "bin/default/librpc/gen_ndr/ndr_dcerpc.h"
17557+
17558+#include "librpc/gen_ndr/ndr_misc.h"
17559+
17560+const uint8_t DCERPC_SEC_VT_MAGIC[] = {0x8a,0xe3,0x13,0x71,0x02,0xf4,0x36,0x71};
17561+
17562+_PUBLIC_ enum ndr_err_code ndr_push_dcerpc_sec_vt_count(struct ndr_push *ndr, int ndr_flags, const struct dcerpc_sec_vt_count *r)
17563+{
17564+ NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
17565+ /* nothing */
17566+ return NDR_ERR_SUCCESS;
17567+}
17568+
17569+_PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_sec_vt_count(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_sec_vt_count *r)
17570+{
17571+ uint32_t _saved_ofs = ndr->offset;
17572+
17573+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
17574+
17575+ if (!(ndr_flags & NDR_SCALARS)) {
17576+ return NDR_ERR_SUCCESS;
17577+ }
17578+
17579+ r->count = 0;
17580+
17581+ while (true) {
17582+ uint16_t command;
17583+ uint16_t length;
17584+
17585+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &command));
17586+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &length));
17587+ NDR_CHECK(ndr_pull_advance(ndr, length));
17588+
17589+ r->count += 1;
17590+
17591+ if (command & DCERPC_SEC_VT_COMMAND_END) {
17592+ break;
17593+ }
17594+ }
17595+
17596+ ndr->offset = _saved_ofs;
17597+ return NDR_ERR_SUCCESS;
17598+}
17599diff --git a/librpc/wscript_build b/librpc/wscript_build
17600index 2017a29..a5cf687 100644
17601--- a/librpc/wscript_build
17602+++ b/librpc/wscript_build
17603@@ -301,7 +301,7 @@ bld.SAMBA_SUBSYSTEM('NDR_FSRVP',
17604 )
17605
17606 bld.SAMBA_SUBSYSTEM('NDR_DCERPC',
17607- source='gen_ndr/ndr_dcerpc.c',
17608+ source='gen_ndr/ndr_dcerpc.c ndr/ndr_dcerpc.c',
17609 public_deps='ndr',
17610 public_headers='gen_ndr/ndr_dcerpc.h gen_ndr/dcerpc.h',
17611 header_path= [ ('*gen_ndr*', 'gen_ndr') ],
17612--
176131.9.3
17614
17615
17616From 3480b809bd9426ce6b976b9965a54de32d246a66 Mon Sep 17 00:00:00 2001
17617From: Stefan Metzmacher <metze@samba.org>
17618Date: Sun, 5 Jan 2014 07:57:51 +0100
17619Subject: [PATCH 160/249] s3:rpc_client: fill alloc_hint with the remaining
17620 data not the total data.
17621
17622Signed-off-by: Stefan Metzmacher <metze@samba.org>
17623Reviewed-by: Andrew Bartlett <abartlet@samba.org>
17624(cherry picked from commit f0532fe0cd69aeb161088ca990d376f119102e61)
17625---
17626 source3/rpc_client/cli_pipe.c | 2 +-
17627 1 file changed, 1 insertion(+), 1 deletion(-)
17628
17629diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
17630index 1cab580..5edd897 100644
17631--- a/source3/rpc_client/cli_pipe.c
17632+++ b/source3/rpc_client/cli_pipe.c
17633@@ -1277,7 +1277,7 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
17634
17635 ZERO_STRUCT(u.request);
17636
17637- u.request.alloc_hint = state->req_data->length;
17638+ u.request.alloc_hint = data_left;
17639 u.request.context_id = 0;
17640 u.request.opnum = state->op_num;
17641
17642--
176431.9.3
17644
17645
17646From bd675cd6e4848bee8798dacf1768556de48f3112 Mon Sep 17 00:00:00 2001
17647From: Stefan Metzmacher <metze@samba.org>
17648Date: Sun, 5 Jan 2014 08:12:45 +0100
17649Subject: [PATCH 161/249] s3:rpc_client: send a dcerpc_sec_verification_trailer
17650 if needed
17651
17652Signed-off-by: Stefan Metzmacher <metze@samba.org>
17653Reviewed-by: Andrew Bartlett <abartlet@samba.org>
17654
17655Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
17656Autobuild-Date(master): Tue Jan 7 02:24:42 CET 2014 on sn-devel-104
17657(cherry picked from commit 6ab9164c74e0ad57bdde8abb568953026b644e27)
17658---
17659 source3/librpc/rpc/dcerpc.h | 1 +
17660 source3/rpc_client/cli_pipe.c | 202 ++++++++++++++++++++++++++++++++++++++--
17661 source3/rpc_client/rpc_client.h | 1 +
17662 3 files changed, 194 insertions(+), 10 deletions(-)
17663
17664diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
17665index aaf8d68..9d0f861 100644
17666--- a/source3/librpc/rpc/dcerpc.h
17667+++ b/source3/librpc/rpc/dcerpc.h
17668@@ -41,6 +41,7 @@ struct pipe_auth_data {
17669 enum dcerpc_AuthLevel auth_level;
17670 bool client_hdr_signing;
17671 bool hdr_signing;
17672+ bool verified_bitmask1;
17673
17674 void *auth_ctx;
17675
17676diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
17677index 5edd897..a45023f 100644
17678--- a/source3/rpc_client/cli_pipe.c
17679+++ b/source3/rpc_client/cli_pipe.c
17680@@ -1166,12 +1166,17 @@ struct rpc_api_pipe_req_state {
17681 uint32_t call_id;
17682 const DATA_BLOB *req_data;
17683 uint32_t req_data_sent;
17684+ DATA_BLOB req_trailer;
17685+ uint32_t req_trailer_sent;
17686+ bool verify_bitmask1;
17687+ bool verify_pcontext;
17688 DATA_BLOB rpc_out;
17689 DATA_BLOB reply_pdu;
17690 };
17691
17692 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
17693 static void rpc_api_pipe_req_done(struct tevent_req *subreq);
17694+static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state);
17695 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
17696 bool *is_last_frag);
17697
17698@@ -1207,6 +1212,11 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
17699 goto post_status;
17700 }
17701
17702+ status = prepare_verification_trailer(state);
17703+ if (!NT_STATUS_IS_OK(status)) {
17704+ goto post_status;
17705+ }
17706+
17707 status = prepare_next_frag(state, &is_last_frag);
17708 if (!NT_STATUS_IS_OK(status)) {
17709 goto post_status;
17710@@ -1241,25 +1251,164 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
17711 return NULL;
17712 }
17713
17714+static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state)
17715+{
17716+ struct pipe_auth_data *a = state->cli->auth;
17717+ struct dcerpc_sec_verification_trailer *t;
17718+ struct dcerpc_sec_vt *c = NULL;
17719+ struct ndr_push *ndr = NULL;
17720+ enum ndr_err_code ndr_err;
17721+ size_t align = 0;
17722+ size_t pad = 0;
17723+
17724+ if (a == NULL) {
17725+ return NT_STATUS_OK;
17726+ }
17727+
17728+ if (a->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
17729+ return NT_STATUS_OK;
17730+ }
17731+
17732+ t = talloc_zero(state, struct dcerpc_sec_verification_trailer);
17733+ if (t == NULL) {
17734+ return NT_STATUS_NO_MEMORY;
17735+ }
17736+
17737+ if (!a->verified_bitmask1) {
17738+ t->commands = talloc_realloc(t, t->commands,
17739+ struct dcerpc_sec_vt,
17740+ t->count.count + 1);
17741+ if (t->commands == NULL) {
17742+ return NT_STATUS_NO_MEMORY;
17743+ }
17744+ c = &t->commands[t->count.count++];
17745+ ZERO_STRUCTP(c);
17746+
17747+ c->command = DCERPC_SEC_VT_COMMAND_BITMASK1;
17748+ if (a->client_hdr_signing) {
17749+ c->u.bitmask1 = DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING;
17750+ }
17751+ state->verify_bitmask1 = true;
17752+ }
17753+
17754+ if (!state->cli->verified_pcontext) {
17755+ t->commands = talloc_realloc(t, t->commands,
17756+ struct dcerpc_sec_vt,
17757+ t->count.count + 1);
17758+ if (t->commands == NULL) {
17759+ return NT_STATUS_NO_MEMORY;
17760+ }
17761+ c = &t->commands[t->count.count++];
17762+ ZERO_STRUCTP(c);
17763+
17764+ c->command = DCERPC_SEC_VT_COMMAND_PCONTEXT;
17765+ c->u.pcontext.abstract_syntax = state->cli->abstract_syntax;
17766+ c->u.pcontext.transfer_syntax = state->cli->transfer_syntax;
17767+
17768+ state->verify_pcontext = true;
17769+ }
17770+
17771+ if (!a->hdr_signing) {
17772+ t->commands = talloc_realloc(t, t->commands,
17773+ struct dcerpc_sec_vt,
17774+ t->count.count + 1);
17775+ if (t->commands == NULL) {
17776+ return NT_STATUS_NO_MEMORY;
17777+ }
17778+ c = &t->commands[t->count.count++];
17779+ ZERO_STRUCTP(c);
17780+
17781+ c->command = DCERPC_SEC_VT_COMMAND_HEADER2;
17782+ c->u.header2.ptype = DCERPC_PKT_REQUEST;
17783+ c->u.header2.drep[0] = DCERPC_DREP_LE;
17784+ c->u.header2.drep[1] = 0;
17785+ c->u.header2.drep[2] = 0;
17786+ c->u.header2.drep[3] = 0;
17787+ c->u.header2.call_id = state->call_id;
17788+ c->u.header2.context_id = 0;
17789+ c->u.header2.opnum = state->op_num;
17790+ }
17791+
17792+ if (t->count.count == 0) {
17793+ TALLOC_FREE(t);
17794+ return NT_STATUS_OK;
17795+ }
17796+
17797+ c = &t->commands[t->count.count - 1];
17798+ c->command |= DCERPC_SEC_VT_COMMAND_END;
17799+
17800+ if (DEBUGLEVEL >= 10) {
17801+ NDR_PRINT_DEBUG(dcerpc_sec_verification_trailer, t);
17802+ }
17803+
17804+ ndr = ndr_push_init_ctx(state);
17805+ if (ndr == NULL) {
17806+ return NT_STATUS_NO_MEMORY;
17807+ }
17808+
17809+ ndr_err = ndr_push_dcerpc_sec_verification_trailer(ndr,
17810+ NDR_SCALARS | NDR_BUFFERS,
17811+ t);
17812+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
17813+ return ndr_map_error2ntstatus(ndr_err);
17814+ }
17815+ state->req_trailer = ndr_push_blob(ndr);
17816+
17817+ align = state->req_data->length & 0x3;
17818+ if (align > 0) {
17819+ pad = 4 - align;
17820+ }
17821+ if (pad > 0) {
17822+ bool ok;
17823+ uint8_t *p;
17824+ const uint8_t zeros[4] = { 0, };
17825+
17826+ ok = data_blob_append(ndr, &state->req_trailer, zeros, pad);
17827+ if (!ok) {
17828+ return NT_STATUS_NO_MEMORY;
17829+ }
17830+
17831+ /* move the padding to the start */
17832+ p = state->req_trailer.data;
17833+ memmove(p + pad, p, state->req_trailer.length - pad);
17834+ memset(p, 0, pad);
17835+ }
17836+
17837+ return NT_STATUS_OK;
17838+}
17839+
17840 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
17841 bool *is_last_frag)
17842 {
17843- size_t data_sent_thistime;
17844 size_t auth_len;
17845 size_t frag_len;
17846 uint8_t flags = 0;
17847 size_t pad_len;
17848 size_t data_left;
17849+ size_t data_thistime;
17850+ size_t trailer_left;
17851+ size_t trailer_thistime = 0;
17852+ size_t total_left;
17853+ size_t total_thistime;
17854 NTSTATUS status;
17855+ bool ok;
17856 union dcerpc_payload u;
17857
17858 data_left = state->req_data->length - state->req_data_sent;
17859+ trailer_left = state->req_trailer.length - state->req_trailer_sent;
17860+ total_left = data_left + trailer_left;
17861+ if ((total_left < data_left) || (total_left < trailer_left)) {
17862+ /*
17863+ * overflow
17864+ */
17865+ return NT_STATUS_INVALID_PARAMETER_MIX;
17866+ }
17867
17868 status = dcerpc_guess_sizes(state->cli->auth,
17869- DCERPC_REQUEST_LENGTH, data_left,
17870+ DCERPC_REQUEST_LENGTH, total_left,
17871 state->cli->max_xmit_frag,
17872 CLIENT_NDR_PADDING_SIZE,
17873- &data_sent_thistime,
17874+ &total_thistime,
17875 &frag_len, &auth_len, &pad_len);
17876 if (!NT_STATUS_IS_OK(status)) {
17877 return status;
17878@@ -1269,15 +1418,20 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
17879 flags = DCERPC_PFC_FLAG_FIRST;
17880 }
17881
17882- if (data_sent_thistime == data_left) {
17883+ if (total_thistime == total_left) {
17884 flags |= DCERPC_PFC_FLAG_LAST;
17885 }
17886
17887+ data_thistime = MIN(total_thistime, data_left);
17888+ if (data_thistime < total_thistime) {
17889+ trailer_thistime = total_thistime - data_thistime;
17890+ }
17891+
17892 data_blob_free(&state->rpc_out);
17893
17894 ZERO_STRUCT(u.request);
17895
17896- u.request.alloc_hint = data_left;
17897+ u.request.alloc_hint = total_left;
17898 u.request.context_id = 0;
17899 u.request.opnum = state->op_num;
17900
17901@@ -1297,11 +1451,26 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
17902 * at this stage */
17903 dcerpc_set_frag_length(&state->rpc_out, frag_len);
17904
17905- /* Copy in the data. */
17906- if (!data_blob_append(NULL, &state->rpc_out,
17907+ if (data_thistime > 0) {
17908+ /* Copy in the data. */
17909+ ok = data_blob_append(NULL, &state->rpc_out,
17910 state->req_data->data + state->req_data_sent,
17911- data_sent_thistime)) {
17912- return NT_STATUS_NO_MEMORY;
17913+ data_thistime);
17914+ if (!ok) {
17915+ return NT_STATUS_NO_MEMORY;
17916+ }
17917+ state->req_data_sent += data_thistime;
17918+ }
17919+
17920+ if (trailer_thistime > 0) {
17921+ /* Copy in the verification trailer. */
17922+ ok = data_blob_append(NULL, &state->rpc_out,
17923+ state->req_trailer.data + state->req_trailer_sent,
17924+ trailer_thistime);
17925+ if (!ok) {
17926+ return NT_STATUS_NO_MEMORY;
17927+ }
17928+ state->req_trailer_sent += trailer_thistime;
17929 }
17930
17931 switch (state->cli->auth->auth_level) {
17932@@ -1321,7 +1490,6 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
17933 return NT_STATUS_INVALID_PARAMETER;
17934 }
17935
17936- state->req_data_sent += data_sent_thistime;
17937 *is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
17938
17939 return status;
17940@@ -1385,6 +1553,20 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq)
17941 tevent_req_nterror(req, status);
17942 return;
17943 }
17944+
17945+ if (state->cli->auth == NULL) {
17946+ tevent_req_done(req);
17947+ return;
17948+ }
17949+
17950+ if (state->verify_bitmask1) {
17951+ state->cli->auth->verified_bitmask1 = true;
17952+ }
17953+
17954+ if (state->verify_pcontext) {
17955+ state->cli->verified_pcontext = true;
17956+ }
17957+
17958 tevent_req_done(req);
17959 }
17960
17961diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
17962index 6561b28..8024f01 100644
17963--- a/source3/rpc_client/rpc_client.h
17964+++ b/source3/rpc_client/rpc_client.h
17965@@ -39,6 +39,7 @@ struct rpc_pipe_client {
17966
17967 struct ndr_syntax_id abstract_syntax;
17968 struct ndr_syntax_id transfer_syntax;
17969+ bool verified_pcontext;
17970
17971 char *desthost;
17972 char *srv_name_slash;
17973--
179741.9.3
17975
17976
17977From 3df8f8c1dda254a85e4fa02b74d23a4802bc595c Mon Sep 17 00:00:00 2001
17978From: Stefan Metzmacher <metze@samba.org>
17979Date: Thu, 18 Apr 2013 19:16:42 +0200
17980Subject: [PATCH 162/249] libcli/auth: add netlogon_creds_cli* infrastructure
17981
17982This provides an abstraction to hide netlogon_creds_CredentialState,
17983which is stored in a node local tdb.
17984
17985Where the global state (netlogon_creds_CredentialState) between client and
17986server was only kept in memory (on the client side), we now use
17987the abstracted netlogon_creds_cli_context.
17988
17989We now use a node specific computer name in order to establish
17990individual netlogon sessions per node.
17991
17992If the caller wants to use some netlogon calls with credential chain
17993(struct netr_Authenticator), netlogon_creds_cli_lock*() is used
17994to get the current netlogon_creds_CredentialState in a g_lock'ed
17995fashion, a talloc_free() will release the lock.
17996
17997The locking is needed as there might be more than one process
17998(multiple winbindd child, cmdline tools) which want to talk
17999to a specific domain controller. The usage of netlogon_creds_CredentialState
18000needs to be serialized as it uses sequence numbers.
18001
18002LogonSamLogonEx doesn't use the credential chain, but for some operations
18003it needs the global session in order to de/encrypt individual fields.
18004It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate()
18005functions, which just make sure the session hasn't changed between
18006get and validate.
18007
18008This is prepares the proper fix for a large number of bugs:
18009https://bugzilla.samba.org/show_bug.cgi?id=6563
18010https://bugzilla.samba.org/show_bug.cgi?id=7944
18011https://bugzilla.samba.org/show_bug.cgi?id=7945
18012https://bugzilla.samba.org/show_bug.cgi?id=7568
18013https://bugzilla.samba.org/show_bug.cgi?id=8599
18014
18015Signed-off-by: Stefan Metzmacher <metze@samba.org>
18016Reviewed-by: Andrew Bartlett <abartlet@samba.org>
18017(cherry picked from commit 6e6d9f9f12284ed06a21cc02080e436b7326065f)
18018---
18019 libcli/auth/netlogon_creds_cli.c | 2596 ++++++++++++++++++++++++++++++++++++++
18020 libcli/auth/netlogon_creds_cli.h | 138 ++
18021 libcli/auth/wscript_build | 4 +
18022 3 files changed, 2738 insertions(+)
18023 create mode 100644 libcli/auth/netlogon_creds_cli.c
18024 create mode 100644 libcli/auth/netlogon_creds_cli.h
18025
18026diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
18027new file mode 100644
18028index 0000000..75d6b2c
18029--- /dev/null
18030+++ b/libcli/auth/netlogon_creds_cli.c
18031@@ -0,0 +1,2596 @@
18032+/*
18033+ Unix SMB/CIFS implementation.
18034+
18035+ module to store/fetch session keys for the schannel client
18036+
18037+ Copyright (C) Stefan Metzmacher 2013
18038+
18039+ This program is free software; you can redistribute it and/or modify
18040+ it under the terms of the GNU General Public License as published by
18041+ the Free Software Foundation; either version 3 of the License, or
18042+ (at your option) any later version.
18043+
18044+ This program is distributed in the hope that it will be useful,
18045+ but WITHOUT ANY WARRANTY; without even the implied warranty of
18046+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18047+ GNU General Public License for more details.
18048+
18049+ You should have received a copy of the GNU General Public License
18050+ along with this program. If not, see <http://www.gnu.org/licenses/>.
18051+*/
18052+
18053+#include "includes.h"
18054+#include "system/filesys.h"
18055+#include <tevent.h>
18056+#include "lib/util/tevent_ntstatus.h"
18057+#include "lib/dbwrap/dbwrap.h"
18058+#include "lib/dbwrap/dbwrap_rbt.h"
18059+#include "lib/util/util_tdb.h"
18060+#include "libcli/security/security.h"
18061+#include "../lib/param/param.h"
18062+#include "../libcli/auth/schannel.h"
18063+#include "../librpc/gen_ndr/ndr_schannel.h"
18064+#include "../librpc/gen_ndr/ndr_netlogon_c.h"
18065+#include "../librpc/gen_ndr/server_id.h"
18066+#include "netlogon_creds_cli.h"
18067+#include "source3/include/messages.h"
18068+#include "source3/include/g_lock.h"
18069+
18070+struct netlogon_creds_cli_locked_state;
18071+
18072+struct netlogon_creds_cli_context {
18073+ struct {
18074+ const char *computer;
18075+ const char *account;
18076+ uint32_t proposed_flags;
18077+ uint32_t required_flags;
18078+ enum netr_SchannelType type;
18079+ enum dcerpc_AuthLevel auth_level;
18080+ } client;
18081+
18082+ struct {
18083+ const char *computer;
18084+ const char *netbios_domain;
18085+ uint32_t cached_flags;
18086+ bool try_validation6;
18087+ bool try_logon_ex;
18088+ bool try_logon_with;
18089+ } server;
18090+
18091+ struct {
18092+ const char *key_name;
18093+ TDB_DATA key_data;
18094+ struct db_context *ctx;
18095+ struct g_lock_ctx *g_ctx;
18096+ struct netlogon_creds_cli_locked_state *locked_state;
18097+ } db;
18098+};
18099+
18100+struct netlogon_creds_cli_locked_state {
18101+ struct netlogon_creds_cli_context *context;
18102+ bool is_glocked;
18103+ struct netlogon_creds_CredentialState *creds;
18104+};
18105+
18106+static int netlogon_creds_cli_locked_state_destructor(
18107+ struct netlogon_creds_cli_locked_state *state)
18108+{
18109+ struct netlogon_creds_cli_context *context = state->context;
18110+
18111+ if (context == NULL) {
18112+ return 0;
18113+ }
18114+
18115+ if (context->db.locked_state == state) {
18116+ context->db.locked_state = NULL;
18117+ }
18118+
18119+ if (state->is_glocked) {
18120+ g_lock_unlock(context->db.g_ctx,
18121+ context->db.key_name);
18122+ }
18123+
18124+ return 0;
18125+}
18126+
18127+static NTSTATUS netlogon_creds_cli_context_common(
18128+ const char *client_computer,
18129+ const char *client_account,
18130+ enum netr_SchannelType type,
18131+ enum dcerpc_AuthLevel auth_level,
18132+ uint32_t proposed_flags,
18133+ uint32_t required_flags,
18134+ const char *server_computer,
18135+ const char *server_netbios_domain,
18136+ TALLOC_CTX *mem_ctx,
18137+ struct netlogon_creds_cli_context **_context)
18138+{
18139+ struct netlogon_creds_cli_context *context = NULL;
18140+
18141+ *_context = NULL;
18142+
18143+ context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
18144+ if (context == NULL) {
18145+ return NT_STATUS_NO_MEMORY;
18146+ }
18147+
18148+ context->client.computer = talloc_strdup(context, client_computer);
18149+ if (context->client.computer == NULL) {
18150+ talloc_free(context);
18151+ return NT_STATUS_NO_MEMORY;
18152+ }
18153+
18154+ context->client.account = talloc_strdup(context, client_account);
18155+ if (context->client.account == NULL) {
18156+ talloc_free(context);
18157+ return NT_STATUS_NO_MEMORY;
18158+ }
18159+
18160+ context->client.proposed_flags = proposed_flags;
18161+ context->client.required_flags = required_flags;
18162+ context->client.type = type;
18163+ context->client.auth_level = auth_level;
18164+
18165+ context->server.computer = talloc_strdup(context, server_computer);
18166+ if (context->server.computer == NULL) {
18167+ talloc_free(context);
18168+ return NT_STATUS_NO_MEMORY;
18169+ }
18170+
18171+ context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
18172+ if (context->server.netbios_domain == NULL) {
18173+ talloc_free(context);
18174+ return NT_STATUS_NO_MEMORY;
18175+ }
18176+
18177+ context->db.key_name = talloc_asprintf(context, "CLI[%s/%s]/SRV[%s/%s]",
18178+ client_computer,
18179+ client_account,
18180+ server_computer,
18181+ server_netbios_domain);
18182+ if (context->db.key_name == NULL) {
18183+ talloc_free(context);
18184+ return NT_STATUS_NO_MEMORY;
18185+ }
18186+
18187+ context->db.key_data = string_term_tdb_data(context->db.key_name);
18188+
18189+ *_context = context;
18190+ return NT_STATUS_OK;
18191+}
18192+
18193+static struct db_context *netlogon_creds_cli_global_db;
18194+
18195+NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
18196+{
18197+ char *fname;
18198+ struct db_context *global_db;
18199+
18200+ if (netlogon_creds_cli_global_db != NULL) {
18201+ return NT_STATUS_OK;
18202+ }
18203+
18204+ fname = lpcfg_private_db_path(talloc_autofree_context(), lp_ctx, "netlogon_creds_cli");
18205+ if (fname == NULL) {
18206+ return NT_STATUS_NO_MEMORY;
18207+ }
18208+
18209+ global_db = dbwrap_local_open(talloc_autofree_context(), lp_ctx,
18210+ fname, 0,
18211+ TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
18212+ O_RDWR|O_CREAT,
18213+ 0600, DBWRAP_LOCK_ORDER_2);
18214+ if (global_db == NULL) {
18215+ DEBUG(0,("netlogon_creds_cli_open_global_db: Failed to open %s - %s\n",
18216+ fname, strerror(errno)));
18217+ talloc_free(fname);
18218+ return NT_STATUS_NO_MEMORY;
18219+ }
18220+ TALLOC_FREE(fname);
18221+
18222+ netlogon_creds_cli_global_db = global_db;
18223+ return NT_STATUS_OK;
18224+}
18225+
18226+NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
18227+ struct messaging_context *msg_ctx,
18228+ const char *client_account,
18229+ enum netr_SchannelType type,
18230+ const char *server_computer,
18231+ const char *server_netbios_domain,
18232+ TALLOC_CTX *mem_ctx,
18233+ struct netlogon_creds_cli_context **_context)
18234+{
18235+ TALLOC_CTX *frame = talloc_stackframe();
18236+ NTSTATUS status;
18237+ struct netlogon_creds_cli_context *context = NULL;
18238+ const char *client_computer;
18239+ uint32_t proposed_flags;
18240+ uint32_t required_flags = 0;
18241+ bool reject_md5_servers = false;
18242+ bool require_strong_key = false;
18243+ int require_sign_or_seal = true;
18244+ bool seal_secure_channel = true;
18245+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
18246+ bool neutralize_nt4_emulation = false;
18247+ struct server_id self = {
18248+ .vnn = NONCLUSTER_VNN,
18249+ .unique_id = SERVERID_UNIQUE_ID_NOT_TO_VERIFY,
18250+ };
18251+
18252+ if (msg_ctx != NULL) {
18253+ self = messaging_server_id(msg_ctx);
18254+ }
18255+
18256+ *_context = NULL;
18257+
18258+ if (self.vnn != NONCLUSTER_VNN) {
18259+ client_computer = talloc_asprintf(frame,
18260+ "%s_cluster_vnn_%u",
18261+ lpcfg_netbios_name(lp_ctx),
18262+ (unsigned)self.vnn);
18263+ if (client_computer == NULL) {
18264+ TALLOC_FREE(frame);
18265+ return NT_STATUS_NO_MEMORY;
18266+ }
18267+ } else {
18268+ client_computer = lpcfg_netbios_name(lp_ctx);
18269+ }
18270+
18271+ /*
18272+ * allow overwrite per domain
18273+ * reject md5 servers:<netbios_domain>
18274+ */
18275+ //TODO: add lpcfp_reject_md5_servers()
18276+ reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
18277+ "__default__",
18278+ "reject md5 servers",
18279+ reject_md5_servers);
18280+ reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
18281+ "reject md5 servers",
18282+ server_netbios_domain,
18283+ reject_md5_servers);
18284+
18285+ /*
18286+ * allow overwrite per domain
18287+ * require strong key:<netbios_domain>
18288+ */
18289+ //TODO: add lpcfp_require_strong_key()
18290+ require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
18291+ "__default__",
18292+ "require strong key",
18293+ require_strong_key);
18294+ require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
18295+ "require strong key",
18296+ server_netbios_domain,
18297+ require_strong_key);
18298+
18299+ /*
18300+ * allow overwrite per domain
18301+ * client schannel:<netbios_domain>
18302+ */
18303+ require_sign_or_seal = lpcfg_client_schannel(lp_ctx);
18304+ require_sign_or_seal = lpcfg_parm_int(lp_ctx, NULL,
18305+ "client schannel",
18306+ server_netbios_domain,
18307+ require_sign_or_seal);
18308+
18309+ /*
18310+ * allow overwrite per domain
18311+ * winbind sealed pipes:<netbios_domain>
18312+ */
18313+ seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
18314+ seal_secure_channel = lpcfg_parm_bool(lp_ctx, NULL,
18315+ "winbind sealed pipes",
18316+ server_netbios_domain,
18317+ seal_secure_channel);
18318+
18319+ /*
18320+ * allow overwrite per domain
18321+ * neutralize nt4 emulation:<netbios_domain>
18322+ */
18323+ //TODO: add lpcfp_neutralize_nt4_emulation()
18324+ neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
18325+ "__default__",
18326+ "neutralize nt4 emulation",
18327+ neutralize_nt4_emulation);
18328+ neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
18329+ "neutralize nt4 emulation",
18330+ server_netbios_domain,
18331+ neutralize_nt4_emulation);
18332+
18333+ proposed_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
18334+ proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
18335+
18336+ switch (type) {
18337+ case SEC_CHAN_WKSTA:
18338+ if (lpcfg_security(lp_ctx) == SEC_ADS) {
18339+ /*
18340+ * AD domains should be secure
18341+ */
18342+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
18343+ require_sign_or_seal = true;
18344+ require_strong_key = true;
18345+ }
18346+ break;
18347+
18348+ case SEC_CHAN_DOMAIN:
18349+ break;
18350+
18351+ case SEC_CHAN_DNS_DOMAIN:
18352+ /*
18353+ * AD domains should be secure
18354+ */
18355+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
18356+ require_sign_or_seal = true;
18357+ require_strong_key = true;
18358+ neutralize_nt4_emulation = true;
18359+ break;
18360+
18361+ case SEC_CHAN_BDC:
18362+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
18363+ require_sign_or_seal = true;
18364+ require_strong_key = true;
18365+ break;
18366+
18367+ case SEC_CHAN_RODC:
18368+ required_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
18369+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
18370+ require_sign_or_seal = true;
18371+ require_strong_key = true;
18372+ neutralize_nt4_emulation = true;
18373+ break;
18374+
18375+ default:
18376+ TALLOC_FREE(frame);
18377+ return NT_STATUS_INVALID_PARAMETER;
18378+ }
18379+
18380+ if (neutralize_nt4_emulation) {
18381+ proposed_flags |= NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
18382+ }
18383+
18384+ if (require_sign_or_seal == false) {
18385+ proposed_flags &= ~NETLOGON_NEG_AUTHENTICATED_RPC;
18386+ } else {
18387+ required_flags |= NETLOGON_NEG_ARCFOUR;
18388+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
18389+ }
18390+
18391+ if (reject_md5_servers) {
18392+ required_flags |= NETLOGON_NEG_ARCFOUR;
18393+ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
18394+ required_flags |= NETLOGON_NEG_SUPPORTS_AES;
18395+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
18396+ }
18397+
18398+ if (require_strong_key) {
18399+ required_flags |= NETLOGON_NEG_ARCFOUR;
18400+ required_flags |= NETLOGON_NEG_STRONG_KEYS;
18401+ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
18402+ }
18403+
18404+ proposed_flags |= required_flags;
18405+
18406+ if (seal_secure_channel) {
18407+ auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
18408+ } else {
18409+ auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
18410+ }
18411+
18412+ status = netlogon_creds_cli_context_common(client_computer,
18413+ client_account,
18414+ type,
18415+ auth_level,
18416+ proposed_flags,
18417+ required_flags,
18418+ server_computer,
18419+ server_netbios_domain,
18420+ mem_ctx,
18421+ &context);
18422+ if (!NT_STATUS_IS_OK(status)) {
18423+ TALLOC_FREE(frame);
18424+ return status;
18425+ }
18426+
18427+ if (msg_ctx != NULL) {
18428+ context->db.g_ctx = g_lock_ctx_init(context, msg_ctx);
18429+ if (context->db.g_ctx == NULL) {
18430+ TALLOC_FREE(context);
18431+ TALLOC_FREE(frame);
18432+ return NT_STATUS_NO_MEMORY;
18433+ }
18434+ }
18435+
18436+ if (netlogon_creds_cli_global_db != NULL) {
18437+ context->db.ctx = netlogon_creds_cli_global_db;
18438+ *_context = context;
18439+ TALLOC_FREE(frame);
18440+ return NT_STATUS_OK;
18441+ }
18442+
18443+ status = netlogon_creds_cli_open_global_db(lp_ctx);
18444+ if (!NT_STATUS_IS_OK(status)) {
18445+ TALLOC_FREE(context);
18446+ TALLOC_FREE(frame);
18447+ return NT_STATUS_NO_MEMORY;
18448+ }
18449+
18450+ context->db.ctx = netlogon_creds_cli_global_db;
18451+ *_context = context;
18452+ TALLOC_FREE(frame);
18453+ return NT_STATUS_OK;
18454+}
18455+
18456+NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
18457+ const char *client_account,
18458+ enum netr_SchannelType type,
18459+ uint32_t proposed_flags,
18460+ uint32_t required_flags,
18461+ enum dcerpc_AuthLevel auth_level,
18462+ const char *server_computer,
18463+ const char *server_netbios_domain,
18464+ TALLOC_CTX *mem_ctx,
18465+ struct netlogon_creds_cli_context **_context)
18466+{
18467+ NTSTATUS status;
18468+ struct netlogon_creds_cli_context *context = NULL;
18469+
18470+ *_context = NULL;
18471+
18472+ status = netlogon_creds_cli_context_common(client_computer,
18473+ client_account,
18474+ type,
18475+ auth_level,
18476+ proposed_flags,
18477+ required_flags,
18478+ server_computer,
18479+ server_netbios_domain,
18480+ mem_ctx,
18481+ &context);
18482+ if (!NT_STATUS_IS_OK(status)) {
18483+ return status;
18484+ }
18485+
18486+ context->db.ctx = db_open_rbt(context);
18487+ if (context->db.ctx == NULL) {
18488+ talloc_free(context);
18489+ return NT_STATUS_NO_MEMORY;
18490+ }
18491+
18492+ *_context = context;
18493+ return NT_STATUS_OK;
18494+}
18495+
18496+NTSTATUS netlogon_creds_cli_context_copy(
18497+ const struct netlogon_creds_cli_context *src,
18498+ TALLOC_CTX *mem_ctx,
18499+ struct netlogon_creds_cli_context **_dst)
18500+{
18501+ struct netlogon_creds_cli_context *dst;
18502+
18503+ dst = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
18504+ if (dst == NULL) {
18505+ return NT_STATUS_NO_MEMORY;
18506+ }
18507+
18508+ *dst = *src;
18509+
18510+ dst->client.computer = talloc_strdup(dst, src->client.computer);
18511+ if (dst->client.computer == NULL) {
18512+ TALLOC_FREE(dst);
18513+ return NT_STATUS_NO_MEMORY;
18514+ }
18515+ dst->client.account = talloc_strdup(dst, src->client.account);
18516+ if (dst->client.account == NULL) {
18517+ TALLOC_FREE(dst);
18518+ return NT_STATUS_NO_MEMORY;
18519+ }
18520+ dst->server.computer = talloc_strdup(dst, src->server.computer);
18521+ if (dst->server.computer == NULL) {
18522+ TALLOC_FREE(dst);
18523+ return NT_STATUS_NO_MEMORY;
18524+ }
18525+ dst->server.netbios_domain = talloc_strdup(dst, src->server.netbios_domain);
18526+ if (dst->server.netbios_domain == NULL) {
18527+ TALLOC_FREE(dst);
18528+ return NT_STATUS_NO_MEMORY;
18529+ }
18530+
18531+ dst->db.key_name = talloc_strdup(dst, src->db.key_name);
18532+ if (dst->db.key_name == NULL) {
18533+ TALLOC_FREE(dst);
18534+ return NT_STATUS_NO_MEMORY;
18535+ }
18536+
18537+ dst->db.key_data = string_term_tdb_data(dst->db.key_name);
18538+
18539+ *_dst = dst;
18540+ return NT_STATUS_OK;
18541+}
18542+
18543+enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
18544+ struct netlogon_creds_cli_context *context)
18545+{
18546+ return context->client.auth_level;
18547+}
18548+
18549+struct netlogon_creds_cli_fetch_state {
18550+ TALLOC_CTX *mem_ctx;
18551+ struct netlogon_creds_CredentialState *creds;
18552+ uint32_t required_flags;
18553+ NTSTATUS status;
18554+};
18555+
18556+static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
18557+ void *private_data)
18558+{
18559+ struct netlogon_creds_cli_fetch_state *state =
18560+ (struct netlogon_creds_cli_fetch_state *)private_data;
18561+ enum ndr_err_code ndr_err;
18562+ DATA_BLOB blob;
18563+ uint32_t tmp_flags;
18564+
18565+ state->creds = talloc_zero(state->mem_ctx,
18566+ struct netlogon_creds_CredentialState);
18567+ if (state->creds == NULL) {
18568+ state->status = NT_STATUS_NO_MEMORY;
18569+ return;
18570+ }
18571+
18572+ blob.data = data.dptr;
18573+ blob.length = data.dsize;
18574+
18575+ ndr_err = ndr_pull_struct_blob(&blob, state->creds, state->creds,
18576+ (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
18577+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
18578+ TALLOC_FREE(state->creds);
18579+ state->status = ndr_map_error2ntstatus(ndr_err);
18580+ return;
18581+ }
18582+
18583+ tmp_flags = state->creds->negotiate_flags;
18584+ tmp_flags &= state->required_flags;
18585+ if (tmp_flags != state->required_flags) {
18586+ TALLOC_FREE(state->creds);
18587+ state->status = NT_STATUS_DOWNGRADE_DETECTED;
18588+ return;
18589+ }
18590+
18591+ state->status = NT_STATUS_OK;
18592+}
18593+
18594+NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
18595+ TALLOC_CTX *mem_ctx,
18596+ struct netlogon_creds_CredentialState **_creds)
18597+{
18598+ NTSTATUS status;
18599+ struct netlogon_creds_cli_fetch_state fstate = {
18600+ .mem_ctx = mem_ctx,
18601+ .status = NT_STATUS_INTERNAL_ERROR,
18602+ .required_flags = context->client.required_flags,
18603+ };
18604+ static const struct netr_Credential zero_creds;
18605+
18606+ *_creds = NULL;
18607+
18608+ status = dbwrap_parse_record(context->db.ctx,
18609+ context->db.key_data,
18610+ netlogon_creds_cli_fetch_parser,
18611+ &fstate);
18612+ if (!NT_STATUS_IS_OK(status)) {
18613+ return status;
18614+ }
18615+ status = fstate.status;
18616+ if (!NT_STATUS_IS_OK(status)) {
18617+ return status;
18618+ }
18619+
18620+ /*
18621+ * mark it as invalid for step operations.
18622+ */
18623+ fstate.creds->sequence = 0;
18624+ fstate.creds->seed = zero_creds;
18625+ fstate.creds->client = zero_creds;
18626+ fstate.creds->server = zero_creds;
18627+
18628+ if (context->server.cached_flags == fstate.creds->negotiate_flags) {
18629+ *_creds = fstate.creds;
18630+ return NT_STATUS_OK;
18631+ }
18632+
18633+ /*
18634+ * It is really important to try SamLogonEx here,
18635+ * because multiple processes can talk to the same
18636+ * domain controller, without using the credential
18637+ * chain.
18638+ *
18639+ * With a normal SamLogon call, we must keep the
18640+ * credentials chain updated and intact between all
18641+ * users of the machine account (which would imply
18642+ * cross-node communication for every NTLM logon).
18643+ *
18644+ * The credentials chain is not per NETLOGON pipe
18645+ * connection, but globally on the server/client pair
18646+ * by computer name, while the client is free to use
18647+ * any computer name. We include the cluster node number
18648+ * in our computer name in order to avoid cross node
18649+ * coordination of the credential chain.
18650+ *
18651+ * It's also important to use NetlogonValidationSamInfo4 (6),
18652+ * because it relies on the rpc transport encryption
18653+ * and avoids using the global netlogon schannel
18654+ * session key to en/decrypt secret information
18655+ * like the user_session_key for network logons.
18656+ *
18657+ * [MS-APDS] 3.1.5.2 NTLM Network Logon
18658+ * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
18659+ * NETLOGON_NEG_AUTHENTICATED_RPC set together
18660+ * are the indication that the server supports
18661+ * NetlogonValidationSamInfo4 (6). And it must only
18662+ * be used if "SealSecureChannel" is used.
18663+ *
18664+ * The "SealSecureChannel" AUTH_TYPE_SCHANNEL/AUTH_LEVEL_PRIVACY
18665+ * check is done in netlogon_creds_cli_LogonSamLogon*().
18666+ */
18667+ context->server.cached_flags = fstate.creds->negotiate_flags;
18668+ context->server.try_validation6 = true;
18669+ context->server.try_logon_ex = true;
18670+ context->server.try_logon_with = true;
18671+
18672+ if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
18673+ context->server.try_validation6 = false;
18674+ context->server.try_logon_ex = false;
18675+ }
18676+ if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
18677+ context->server.try_validation6 = false;
18678+ }
18679+
18680+ *_creds = fstate.creds;
18681+ return NT_STATUS_OK;
18682+}
18683+
18684+bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
18685+ const struct netlogon_creds_CredentialState *creds1)
18686+{
18687+ TALLOC_CTX *frame = talloc_stackframe();
18688+ struct netlogon_creds_CredentialState *creds2;
18689+ DATA_BLOB blob1;
18690+ DATA_BLOB blob2;
18691+ NTSTATUS status;
18692+ enum ndr_err_code ndr_err;
18693+ int cmp;
18694+
18695+ status = netlogon_creds_cli_get(context, frame, &creds2);
18696+ if (!NT_STATUS_IS_OK(status)) {
18697+ TALLOC_FREE(frame);
18698+ return false;
18699+ }
18700+
18701+ ndr_err = ndr_push_struct_blob(&blob1, frame, creds1,
18702+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
18703+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
18704+ TALLOC_FREE(frame);
18705+ return false;
18706+ }
18707+
18708+ ndr_err = ndr_push_struct_blob(&blob2, frame, creds2,
18709+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
18710+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
18711+ TALLOC_FREE(frame);
18712+ return false;
18713+ }
18714+
18715+ if (blob1.length != blob2.length) {
18716+ TALLOC_FREE(frame);
18717+ return false;
18718+ }
18719+
18720+ cmp = memcmp(blob1.data, blob2.data, blob1.length);
18721+ if (cmp != 0) {
18722+ TALLOC_FREE(frame);
18723+ return false;
18724+ }
18725+
18726+ TALLOC_FREE(frame);
18727+ return true;
18728+}
18729+
18730+NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
18731+ struct netlogon_creds_CredentialState **_creds)
18732+{
18733+ struct netlogon_creds_CredentialState *creds = *_creds;
18734+ NTSTATUS status;
18735+ enum ndr_err_code ndr_err;
18736+ DATA_BLOB blob;
18737+ TDB_DATA data;
18738+
18739+ *_creds = NULL;
18740+
18741+ if (context->db.locked_state == NULL) {
18742+ /*
18743+ * this was not the result of netlogon_creds_cli_lock*()
18744+ */
18745+ TALLOC_FREE(creds);
18746+ return NT_STATUS_INVALID_PAGE_PROTECTION;
18747+ }
18748+
18749+ if (context->db.locked_state->creds != creds) {
18750+ /*
18751+ * this was not the result of netlogon_creds_cli_lock*()
18752+ */
18753+ TALLOC_FREE(creds);
18754+ return NT_STATUS_INVALID_PAGE_PROTECTION;
18755+ }
18756+
18757+ ndr_err = ndr_push_struct_blob(&blob, creds, creds,
18758+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
18759+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
18760+ TALLOC_FREE(creds);
18761+ status = ndr_map_error2ntstatus(ndr_err);
18762+ return status;
18763+ }
18764+
18765+ data.dptr = blob.data;
18766+ data.dsize = blob.length;
18767+
18768+ status = dbwrap_store(context->db.ctx,
18769+ context->db.key_data,
18770+ data, TDB_REPLACE);
18771+ TALLOC_FREE(creds);
18772+ if (!NT_STATUS_IS_OK(status)) {
18773+ return status;
18774+ }
18775+
18776+ return NT_STATUS_OK;
18777+}
18778+
18779+NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
18780+ struct netlogon_creds_CredentialState **_creds)
18781+{
18782+ struct netlogon_creds_CredentialState *creds = *_creds;
18783+ NTSTATUS status;
18784+
18785+ *_creds = NULL;
18786+
18787+ if (context->db.locked_state == NULL) {
18788+ /*
18789+ * this was not the result of netlogon_creds_cli_lock*()
18790+ */
18791+ TALLOC_FREE(creds);
18792+ return NT_STATUS_INVALID_PAGE_PROTECTION;
18793+ }
18794+
18795+ if (context->db.locked_state->creds != creds) {
18796+ /*
18797+ * this was not the result of netlogon_creds_cli_lock*()
18798+ */
18799+ TALLOC_FREE(creds);
18800+ return NT_STATUS_INVALID_PAGE_PROTECTION;
18801+ }
18802+
18803+ status = dbwrap_delete(context->db.ctx,
18804+ context->db.key_data);
18805+ TALLOC_FREE(creds);
18806+ if (!NT_STATUS_IS_OK(status)) {
18807+ return status;
18808+ }
18809+
18810+ return NT_STATUS_OK;
18811+}
18812+
18813+struct netlogon_creds_cli_lock_state {
18814+ struct netlogon_creds_cli_locked_state *locked_state;
18815+ struct netlogon_creds_CredentialState *creds;
18816+};
18817+
18818+static void netlogon_creds_cli_lock_done(struct tevent_req *subreq);
18819+static void netlogon_creds_cli_lock_fetch(struct tevent_req *req);
18820+
18821+struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
18822+ struct tevent_context *ev,
18823+ struct netlogon_creds_cli_context *context)
18824+{
18825+ struct tevent_req *req;
18826+ struct netlogon_creds_cli_lock_state *state;
18827+ struct netlogon_creds_cli_locked_state *locked_state;
18828+ struct tevent_req *subreq;
18829+
18830+ req = tevent_req_create(mem_ctx, &state,
18831+ struct netlogon_creds_cli_lock_state);
18832+ if (req == NULL) {
18833+ return NULL;
18834+ }
18835+
18836+ if (context->db.locked_state != NULL) {
18837+ tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
18838+ return tevent_req_post(req, ev);
18839+ }
18840+
18841+ locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
18842+ if (tevent_req_nomem(locked_state, req)) {
18843+ return tevent_req_post(req, ev);
18844+ }
18845+ talloc_set_destructor(locked_state,
18846+ netlogon_creds_cli_locked_state_destructor);
18847+ locked_state->context = context;
18848+
18849+ context->db.locked_state = locked_state;
18850+ state->locked_state = locked_state;
18851+
18852+ if (context->db.g_ctx == NULL) {
18853+ netlogon_creds_cli_lock_fetch(req);
18854+ if (!tevent_req_is_in_progress(req)) {
18855+ return tevent_req_post(req, ev);
18856+ }
18857+
18858+ return req;
18859+ }
18860+
18861+ subreq = g_lock_lock_send(state, ev,
18862+ context->db.g_ctx,
18863+ context->db.key_name,
18864+ G_LOCK_WRITE);
18865+ if (tevent_req_nomem(subreq, req)) {
18866+ return tevent_req_post(req, ev);
18867+ }
18868+ tevent_req_set_callback(subreq, netlogon_creds_cli_lock_done, req);
18869+
18870+ return req;
18871+}
18872+
18873+static void netlogon_creds_cli_lock_done(struct tevent_req *subreq)
18874+{
18875+ struct tevent_req *req =
18876+ tevent_req_callback_data(subreq,
18877+ struct tevent_req);
18878+ struct netlogon_creds_cli_lock_state *state =
18879+ tevent_req_data(req,
18880+ struct netlogon_creds_cli_lock_state);
18881+ NTSTATUS status;
18882+
18883+ status = g_lock_lock_recv(subreq);
18884+ TALLOC_FREE(subreq);
18885+ if (tevent_req_nterror(req, status)) {
18886+ return;
18887+ }
18888+ state->locked_state->is_glocked = true;
18889+
18890+ netlogon_creds_cli_lock_fetch(req);
18891+}
18892+
18893+static void netlogon_creds_cli_lock_fetch(struct tevent_req *req)
18894+{
18895+ struct netlogon_creds_cli_lock_state *state =
18896+ tevent_req_data(req,
18897+ struct netlogon_creds_cli_lock_state);
18898+ struct netlogon_creds_cli_context *context = state->locked_state->context;
18899+ struct netlogon_creds_cli_fetch_state fstate = {
18900+ .status = NT_STATUS_INTERNAL_ERROR,
18901+ .required_flags = context->client.required_flags,
18902+ };
18903+ NTSTATUS status;
18904+
18905+ fstate.mem_ctx = state;
18906+ status = dbwrap_parse_record(context->db.ctx,
18907+ context->db.key_data,
18908+ netlogon_creds_cli_fetch_parser,
18909+ &fstate);
18910+ if (tevent_req_nterror(req, status)) {
18911+ return;
18912+ }
18913+ status = fstate.status;
18914+ if (tevent_req_nterror(req, status)) {
18915+ return;
18916+ }
18917+
18918+ if (context->server.cached_flags == fstate.creds->negotiate_flags) {
18919+ state->creds = fstate.creds;
18920+ tevent_req_done(req);
18921+ return;
18922+ }
18923+
18924+ context->server.cached_flags = fstate.creds->negotiate_flags;
18925+ context->server.try_validation6 = true;
18926+ context->server.try_logon_ex = true;
18927+ context->server.try_logon_with = true;
18928+
18929+ if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
18930+ context->server.try_validation6 = false;
18931+ context->server.try_logon_ex = false;
18932+ }
18933+ if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
18934+ context->server.try_validation6 = false;
18935+ }
18936+
18937+ state->creds = fstate.creds;
18938+ tevent_req_done(req);
18939+ return;
18940+}
18941+
18942+NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
18943+ TALLOC_CTX *mem_ctx,
18944+ struct netlogon_creds_CredentialState **creds)
18945+{
18946+ struct netlogon_creds_cli_lock_state *state =
18947+ tevent_req_data(req,
18948+ struct netlogon_creds_cli_lock_state);
18949+ NTSTATUS status;
18950+
18951+ if (tevent_req_is_nterror(req, &status)) {
18952+ tevent_req_received(req);
18953+ return status;
18954+ }
18955+
18956+ talloc_steal(state->creds, state->locked_state);
18957+ state->locked_state->creds = state->creds;
18958+ *creds = talloc_move(mem_ctx, &state->creds);
18959+ tevent_req_received(req);
18960+ return NT_STATUS_OK;
18961+}
18962+
18963+NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
18964+ TALLOC_CTX *mem_ctx,
18965+ struct netlogon_creds_CredentialState **creds)
18966+{
18967+ TALLOC_CTX *frame = talloc_stackframe();
18968+ struct tevent_context *ev;
18969+ struct tevent_req *req;
18970+ NTSTATUS status = NT_STATUS_NO_MEMORY;
18971+
18972+ ev = samba_tevent_context_init(frame);
18973+ if (ev == NULL) {
18974+ goto fail;
18975+ }
18976+ req = netlogon_creds_cli_lock_send(frame, ev, context);
18977+ if (req == NULL) {
18978+ goto fail;
18979+ }
18980+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
18981+ goto fail;
18982+ }
18983+ status = netlogon_creds_cli_lock_recv(req, mem_ctx, creds);
18984+ fail:
18985+ TALLOC_FREE(frame);
18986+ return status;
18987+}
18988+
18989+struct netlogon_creds_cli_auth_state {
18990+ struct tevent_context *ev;
18991+ struct netlogon_creds_cli_context *context;
18992+ struct dcerpc_binding_handle *binding_handle;
18993+ struct samr_Password current_nt_hash;
18994+ struct samr_Password previous_nt_hash;
18995+ struct samr_Password used_nt_hash;
18996+ char *srv_name_slash;
18997+ uint32_t current_flags;
18998+ struct netr_Credential client_challenge;
18999+ struct netr_Credential server_challenge;
19000+ struct netlogon_creds_CredentialState *creds;
19001+ struct netr_Credential client_credential;
19002+ struct netr_Credential server_credential;
19003+ uint32_t rid;
19004+ bool try_auth3;
19005+ bool try_auth2;
19006+ bool require_auth2;
19007+ bool try_previous_nt_hash;
19008+ struct netlogon_creds_cli_locked_state *locked_state;
19009+};
19010+
19011+static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq);
19012+static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req);
19013+
19014+struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
19015+ struct tevent_context *ev,
19016+ struct netlogon_creds_cli_context *context,
19017+ struct dcerpc_binding_handle *b,
19018+ struct samr_Password current_nt_hash,
19019+ const struct samr_Password *previous_nt_hash)
19020+{
19021+ struct tevent_req *req;
19022+ struct netlogon_creds_cli_auth_state *state;
19023+ struct netlogon_creds_cli_locked_state *locked_state;
19024+ NTSTATUS status;
19025+
19026+ req = tevent_req_create(mem_ctx, &state,
19027+ struct netlogon_creds_cli_auth_state);
19028+ if (req == NULL) {
19029+ return NULL;
19030+ }
19031+
19032+ state->ev = ev;
19033+ state->context = context;
19034+ state->binding_handle = b;
19035+ state->current_nt_hash = current_nt_hash;
19036+ if (previous_nt_hash != NULL) {
19037+ state->previous_nt_hash = *previous_nt_hash;
19038+ state->try_previous_nt_hash = true;
19039+ }
19040+
19041+ if (context->db.locked_state != NULL) {
19042+ tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
19043+ return tevent_req_post(req, ev);
19044+ }
19045+
19046+ locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
19047+ if (tevent_req_nomem(locked_state, req)) {
19048+ return tevent_req_post(req, ev);
19049+ }
19050+ talloc_set_destructor(locked_state,
19051+ netlogon_creds_cli_locked_state_destructor);
19052+ locked_state->context = context;
19053+
19054+ context->db.locked_state = locked_state;
19055+ state->locked_state = locked_state;
19056+
19057+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
19058+ context->server.computer);
19059+ if (tevent_req_nomem(state->srv_name_slash, req)) {
19060+ return tevent_req_post(req, ev);
19061+ }
19062+
19063+ state->try_auth3 = true;
19064+ state->try_auth2 = true;
19065+
19066+ if (context->client.required_flags != 0) {
19067+ state->require_auth2 = true;
19068+ }
19069+
19070+ state->used_nt_hash = state->current_nt_hash;
19071+ state->current_flags = context->client.proposed_flags;
19072+
19073+ if (context->db.g_ctx != NULL) {
19074+ struct tevent_req *subreq;
19075+
19076+ subreq = g_lock_lock_send(state, ev,
19077+ context->db.g_ctx,
19078+ context->db.key_name,
19079+ G_LOCK_WRITE);
19080+ if (tevent_req_nomem(subreq, req)) {
19081+ return tevent_req_post(req, ev);
19082+ }
19083+ tevent_req_set_callback(subreq,
19084+ netlogon_creds_cli_auth_locked,
19085+ req);
19086+
19087+ return req;
19088+ }
19089+
19090+ status = dbwrap_delete(state->context->db.ctx,
19091+ state->context->db.key_data);
19092+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
19093+ status = NT_STATUS_OK;
19094+ }
19095+ if (tevent_req_nterror(req, status)) {
19096+ return tevent_req_post(req, ev);
19097+ }
19098+
19099+ netlogon_creds_cli_auth_challenge_start(req);
19100+ if (!tevent_req_is_in_progress(req)) {
19101+ return tevent_req_post(req, ev);
19102+ }
19103+
19104+ return req;
19105+}
19106+
19107+static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq)
19108+{
19109+ struct tevent_req *req =
19110+ tevent_req_callback_data(subreq,
19111+ struct tevent_req);
19112+ struct netlogon_creds_cli_auth_state *state =
19113+ tevent_req_data(req,
19114+ struct netlogon_creds_cli_auth_state);
19115+ NTSTATUS status;
19116+
19117+ status = g_lock_lock_recv(subreq);
19118+ TALLOC_FREE(subreq);
19119+ if (tevent_req_nterror(req, status)) {
19120+ return;
19121+ }
19122+ state->locked_state->is_glocked = true;
19123+
19124+ status = dbwrap_delete(state->context->db.ctx,
19125+ state->context->db.key_data);
19126+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
19127+ status = NT_STATUS_OK;
19128+ }
19129+ if (tevent_req_nterror(req, status)) {
19130+ return;
19131+ }
19132+
19133+ netlogon_creds_cli_auth_challenge_start(req);
19134+}
19135+
19136+static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq);
19137+
19138+static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
19139+{
19140+ struct netlogon_creds_cli_auth_state *state =
19141+ tevent_req_data(req,
19142+ struct netlogon_creds_cli_auth_state);
19143+ struct tevent_req *subreq;
19144+
19145+ TALLOC_FREE(state->creds);
19146+
19147+ generate_random_buffer(state->client_challenge.data,
19148+ sizeof(state->client_challenge.data));
19149+
19150+ subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
19151+ state->binding_handle,
19152+ state->srv_name_slash,
19153+ state->context->client.computer,
19154+ &state->client_challenge,
19155+ &state->server_challenge);
19156+ if (tevent_req_nomem(subreq, req)) {
19157+ return;
19158+ }
19159+ tevent_req_set_callback(subreq,
19160+ netlogon_creds_cli_auth_challenge_done,
19161+ req);
19162+}
19163+
19164+static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq);
19165+
19166+static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq)
19167+{
19168+ struct tevent_req *req =
19169+ tevent_req_callback_data(subreq,
19170+ struct tevent_req);
19171+ struct netlogon_creds_cli_auth_state *state =
19172+ tevent_req_data(req,
19173+ struct netlogon_creds_cli_auth_state);
19174+ NTSTATUS status;
19175+ NTSTATUS result;
19176+
19177+ status = dcerpc_netr_ServerReqChallenge_recv(subreq, state, &result);
19178+ TALLOC_FREE(subreq);
19179+ if (tevent_req_nterror(req, status)) {
19180+ return;
19181+ }
19182+ if (tevent_req_nterror(req, result)) {
19183+ return;
19184+ }
19185+
19186+ if (!state->try_auth3 && !state->try_auth2) {
19187+ state->current_flags = 0;
19188+ }
19189+
19190+ /* Calculate the session key and client credentials */
19191+
19192+ state->creds = netlogon_creds_client_init(state,
19193+ state->context->client.account,
19194+ state->context->client.computer,
19195+ state->context->client.type,
19196+ &state->client_challenge,
19197+ &state->server_challenge,
19198+ &state->used_nt_hash,
19199+ &state->client_credential,
19200+ state->current_flags);
19201+ if (tevent_req_nomem(state->creds, req)) {
19202+ return;
19203+ }
19204+
19205+ if (state->try_auth3) {
19206+ subreq = dcerpc_netr_ServerAuthenticate3_send(state, state->ev,
19207+ state->binding_handle,
19208+ state->srv_name_slash,
19209+ state->context->client.account,
19210+ state->context->client.type,
19211+ state->context->client.computer,
19212+ &state->client_credential,
19213+ &state->server_credential,
19214+ &state->creds->negotiate_flags,
19215+ &state->rid);
19216+ if (tevent_req_nomem(subreq, req)) {
19217+ return;
19218+ }
19219+ } else if (state->try_auth2) {
19220+ state->rid = 0;
19221+
19222+ subreq = dcerpc_netr_ServerAuthenticate2_send(state, state->ev,
19223+ state->binding_handle,
19224+ state->srv_name_slash,
19225+ state->context->client.account,
19226+ state->context->client.type,
19227+ state->context->client.computer,
19228+ &state->client_credential,
19229+ &state->server_credential,
19230+ &state->creds->negotiate_flags);
19231+ if (tevent_req_nomem(subreq, req)) {
19232+ return;
19233+ }
19234+ } else {
19235+ state->rid = 0;
19236+
19237+ subreq = dcerpc_netr_ServerAuthenticate_send(state, state->ev,
19238+ state->binding_handle,
19239+ state->srv_name_slash,
19240+ state->context->client.account,
19241+ state->context->client.type,
19242+ state->context->client.computer,
19243+ &state->client_credential,
19244+ &state->server_credential);
19245+ if (tevent_req_nomem(subreq, req)) {
19246+ return;
19247+ }
19248+ }
19249+ tevent_req_set_callback(subreq,
19250+ netlogon_creds_cli_auth_srvauth_done,
19251+ req);
19252+}
19253+
19254+static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
19255+{
19256+ struct tevent_req *req =
19257+ tevent_req_callback_data(subreq,
19258+ struct tevent_req);
19259+ struct netlogon_creds_cli_auth_state *state =
19260+ tevent_req_data(req,
19261+ struct netlogon_creds_cli_auth_state);
19262+ NTSTATUS status;
19263+ NTSTATUS result;
19264+ bool ok;
19265+ enum ndr_err_code ndr_err;
19266+ DATA_BLOB blob;
19267+ TDB_DATA data;
19268+ uint32_t tmp_flags;
19269+
19270+ if (state->try_auth3) {
19271+ status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state,
19272+ &result);
19273+ TALLOC_FREE(subreq);
19274+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
19275+ state->try_auth3 = false;
19276+ netlogon_creds_cli_auth_challenge_start(req);
19277+ return;
19278+ }
19279+ if (tevent_req_nterror(req, status)) {
19280+ return;
19281+ }
19282+ } else if (state->try_auth2) {
19283+ status = dcerpc_netr_ServerAuthenticate2_recv(subreq, state,
19284+ &result);
19285+ TALLOC_FREE(subreq);
19286+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
19287+ state->try_auth2 = false;
19288+ if (state->require_auth2) {
19289+ status = NT_STATUS_DOWNGRADE_DETECTED;
19290+ tevent_req_nterror(req, status);
19291+ return;
19292+ }
19293+ netlogon_creds_cli_auth_challenge_start(req);
19294+ return;
19295+ }
19296+ if (tevent_req_nterror(req, status)) {
19297+ return;
19298+ }
19299+ } else {
19300+ status = dcerpc_netr_ServerAuthenticate_recv(subreq, state,
19301+ &result);
19302+ TALLOC_FREE(subreq);
19303+ if (tevent_req_nterror(req, status)) {
19304+ return;
19305+ }
19306+ }
19307+
19308+ if (!NT_STATUS_IS_OK(result) &&
19309+ !NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED))
19310+ {
19311+ tevent_req_nterror(req, result);
19312+ return;
19313+ }
19314+
19315+ tmp_flags = state->creds->negotiate_flags;
19316+ tmp_flags &= state->context->client.required_flags;
19317+ if (tmp_flags != state->context->client.required_flags) {
19318+ if (NT_STATUS_IS_OK(result)) {
19319+ tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED);
19320+ return;
19321+ }
19322+ tevent_req_nterror(req, result);
19323+ return;
19324+ }
19325+
19326+ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
19327+
19328+ tmp_flags = state->context->client.proposed_flags;
19329+ if ((state->current_flags == tmp_flags) &&
19330+ (state->creds->negotiate_flags != tmp_flags))
19331+ {
19332+ /*
19333+ * lets retry with the negotiated flags
19334+ */
19335+ state->current_flags = state->creds->negotiate_flags;
19336+ netlogon_creds_cli_auth_challenge_start(req);
19337+ return;
19338+ }
19339+
19340+ if (!state->try_previous_nt_hash) {
19341+ /*
19342+ * we already retried, giving up...
19343+ */
19344+ tevent_req_nterror(req, result);
19345+ return;
19346+ }
19347+
19348+ /*
19349+ * lets retry with the old nt hash.
19350+ */
19351+ state->try_previous_nt_hash = false;
19352+ state->used_nt_hash = state->previous_nt_hash;
19353+ state->current_flags = state->context->client.proposed_flags;
19354+ netlogon_creds_cli_auth_challenge_start(req);
19355+ return;
19356+ }
19357+
19358+ ok = netlogon_creds_client_check(state->creds,
19359+ &state->server_credential);
19360+ if (!ok) {
19361+ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
19362+ return;
19363+ }
19364+
19365+ ndr_err = ndr_push_struct_blob(&blob, state, state->creds,
19366+ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
19367+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
19368+ status = ndr_map_error2ntstatus(ndr_err);
19369+ tevent_req_nterror(req, status);
19370+ return;
19371+ }
19372+
19373+ data.dptr = blob.data;
19374+ data.dsize = blob.length;
19375+
19376+ status = dbwrap_store(state->context->db.ctx,
19377+ state->context->db.key_data,
19378+ data, TDB_REPLACE);
19379+ TALLOC_FREE(state->locked_state);
19380+ if (tevent_req_nterror(req, status)) {
19381+ return;
19382+ }
19383+
19384+ tevent_req_done(req);
19385+}
19386+
19387+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req)
19388+{
19389+ NTSTATUS status;
19390+
19391+ if (tevent_req_is_nterror(req, &status)) {
19392+ tevent_req_received(req);
19393+ return status;
19394+ }
19395+
19396+ tevent_req_received(req);
19397+ return NT_STATUS_OK;
19398+}
19399+
19400+NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
19401+ struct dcerpc_binding_handle *b,
19402+ struct samr_Password current_nt_hash,
19403+ const struct samr_Password *previous_nt_hash)
19404+{
19405+ TALLOC_CTX *frame = talloc_stackframe();
19406+ struct tevent_context *ev;
19407+ struct tevent_req *req;
19408+ NTSTATUS status = NT_STATUS_NO_MEMORY;
19409+
19410+ ev = samba_tevent_context_init(frame);
19411+ if (ev == NULL) {
19412+ goto fail;
19413+ }
19414+ req = netlogon_creds_cli_auth_send(frame, ev, context, b,
19415+ current_nt_hash,
19416+ previous_nt_hash);
19417+ if (req == NULL) {
19418+ goto fail;
19419+ }
19420+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
19421+ goto fail;
19422+ }
19423+ status = netlogon_creds_cli_auth_recv(req);
19424+ fail:
19425+ TALLOC_FREE(frame);
19426+ return status;
19427+}
19428+
19429+struct netlogon_creds_cli_check_state {
19430+ struct tevent_context *ev;
19431+ struct netlogon_creds_cli_context *context;
19432+ struct dcerpc_binding_handle *binding_handle;
19433+
19434+ char *srv_name_slash;
19435+
19436+ union netr_Capabilities caps;
19437+
19438+ struct netlogon_creds_CredentialState *creds;
19439+ struct netlogon_creds_CredentialState tmp_creds;
19440+ struct netr_Authenticator req_auth;
19441+ struct netr_Authenticator rep_auth;
19442+};
19443+
19444+static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
19445+ NTSTATUS status);
19446+static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
19447+
19448+struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
19449+ struct tevent_context *ev,
19450+ struct netlogon_creds_cli_context *context,
19451+ struct dcerpc_binding_handle *b)
19452+{
19453+ struct tevent_req *req;
19454+ struct netlogon_creds_cli_check_state *state;
19455+ struct tevent_req *subreq;
19456+ enum dcerpc_AuthType auth_type;
19457+ enum dcerpc_AuthLevel auth_level;
19458+
19459+ req = tevent_req_create(mem_ctx, &state,
19460+ struct netlogon_creds_cli_check_state);
19461+ if (req == NULL) {
19462+ return NULL;
19463+ }
19464+
19465+ state->ev = ev;
19466+ state->context = context;
19467+ state->binding_handle = b;
19468+
19469+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
19470+ context->server.computer);
19471+ if (tevent_req_nomem(state->srv_name_slash, req)) {
19472+ return tevent_req_post(req, ev);
19473+ }
19474+
19475+ dcerpc_binding_handle_auth_info(state->binding_handle,
19476+ &auth_type, &auth_level);
19477+
19478+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
19479+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
19480+ return tevent_req_post(req, ev);
19481+ }
19482+
19483+ switch (auth_level) {
19484+ case DCERPC_AUTH_LEVEL_INTEGRITY:
19485+ case DCERPC_AUTH_LEVEL_PRIVACY:
19486+ break;
19487+ default:
19488+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
19489+ return tevent_req_post(req, ev);
19490+ }
19491+
19492+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
19493+ state->context);
19494+ if (tevent_req_nomem(subreq, req)) {
19495+ return tevent_req_post(req, ev);
19496+ }
19497+
19498+ tevent_req_set_callback(subreq,
19499+ netlogon_creds_cli_check_locked,
19500+ req);
19501+
19502+ return req;
19503+}
19504+
19505+static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
19506+ NTSTATUS status)
19507+{
19508+ struct netlogon_creds_cli_check_state *state =
19509+ tevent_req_data(req,
19510+ struct netlogon_creds_cli_check_state);
19511+
19512+ if (state->creds == NULL) {
19513+ return;
19514+ }
19515+
19516+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
19517+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
19518+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
19519+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
19520+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
19521+ TALLOC_FREE(state->creds);
19522+ return;
19523+ }
19524+
19525+ netlogon_creds_cli_delete(state->context, &state->creds);
19526+}
19527+
19528+static void netlogon_creds_cli_check_caps(struct tevent_req *subreq);
19529+
19530+static void netlogon_creds_cli_check_locked(struct tevent_req *subreq)
19531+{
19532+ struct tevent_req *req =
19533+ tevent_req_callback_data(subreq,
19534+ struct tevent_req);
19535+ struct netlogon_creds_cli_check_state *state =
19536+ tevent_req_data(req,
19537+ struct netlogon_creds_cli_check_state);
19538+ NTSTATUS status;
19539+
19540+ status = netlogon_creds_cli_lock_recv(subreq, state,
19541+ &state->creds);
19542+ TALLOC_FREE(subreq);
19543+ if (tevent_req_nterror(req, status)) {
19544+ return;
19545+ }
19546+
19547+ /*
19548+ * we defer all callbacks in order to cleanup
19549+ * the database record.
19550+ */
19551+ tevent_req_defer_callback(req, state->ev);
19552+
19553+ state->tmp_creds = *state->creds;
19554+ netlogon_creds_client_authenticator(&state->tmp_creds,
19555+ &state->req_auth);
19556+ ZERO_STRUCT(state->rep_auth);
19557+
19558+ subreq = dcerpc_netr_LogonGetCapabilities_send(state, state->ev,
19559+ state->binding_handle,
19560+ state->srv_name_slash,
19561+ state->context->client.computer,
19562+ &state->req_auth,
19563+ &state->rep_auth,
19564+ 1,
19565+ &state->caps);
19566+ if (tevent_req_nomem(subreq, req)) {
19567+ status = NT_STATUS_NO_MEMORY;
19568+ netlogon_creds_cli_check_cleanup(req, status);
19569+ return;
19570+ }
19571+ tevent_req_set_callback(subreq,
19572+ netlogon_creds_cli_check_caps,
19573+ req);
19574+}
19575+
19576+static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
19577+{
19578+ struct tevent_req *req =
19579+ tevent_req_callback_data(subreq,
19580+ struct tevent_req);
19581+ struct netlogon_creds_cli_check_state *state =
19582+ tevent_req_data(req,
19583+ struct netlogon_creds_cli_check_state);
19584+ NTSTATUS status;
19585+ NTSTATUS result;
19586+ bool ok;
19587+
19588+ status = dcerpc_netr_LogonGetCapabilities_recv(subreq, state,
19589+ &result);
19590+ TALLOC_FREE(subreq);
19591+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
19592+ /*
19593+ * Note that the negotiated flags are already checked
19594+ * for our required flags after the ServerAuthenticate3/2 call.
19595+ */
19596+ uint32_t negotiated = state->tmp_creds.negotiate_flags;
19597+
19598+ if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
19599+ /*
19600+ * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
19601+ * already, we expect this to work!
19602+ */
19603+ status = NT_STATUS_DOWNGRADE_DETECTED;
19604+ tevent_req_nterror(req, status);
19605+ netlogon_creds_cli_check_cleanup(req, status);
19606+ return;
19607+ }
19608+
19609+ if (negotiated & NETLOGON_NEG_STRONG_KEYS) {
19610+ /*
19611+ * If we have negotiated NETLOGON_NEG_STRONG_KEYS
19612+ * we expect this to work at least as far as the
19613+ * NOT_SUPPORTED error handled below!
19614+ *
19615+ * NT 4.0 and Old Samba servers are not
19616+ * allowed without "require strong key = no"
19617+ */
19618+ status = NT_STATUS_DOWNGRADE_DETECTED;
19619+ tevent_req_nterror(req, status);
19620+ netlogon_creds_cli_check_cleanup(req, status);
19621+ return;
19622+ }
19623+
19624+ /*
19625+ * If we not require NETLOGON_NEG_SUPPORTS_AES or
19626+ * NETLOGON_NEG_STRONG_KEYS, it's ok to ignore
19627+ * NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
19628+ *
19629+ * This is needed against NT 4.0 and old Samba servers.
19630+ *
19631+ * As we're using DCERPC_AUTH_TYPE_SCHANNEL with
19632+ * DCERPC_AUTH_LEVEL_INTEGRITY or DCERPC_AUTH_LEVEL_PRIVACY
19633+ * we should detect a faked NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
19634+ * with the next request as the sequence number processing
19635+ * gets out of sync.
19636+ */
19637+ netlogon_creds_cli_check_cleanup(req, result);
19638+ tevent_req_done(req);
19639+ return;
19640+ }
19641+ if (tevent_req_nterror(req, status)) {
19642+ netlogon_creds_cli_check_cleanup(req, status);
19643+ return;
19644+ }
19645+
19646+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
19647+ /*
19648+ * Note that the negotiated flags are already checked
19649+ * for our required flags after the ServerAuthenticate3/2 call.
19650+ */
19651+ uint32_t negotiated = state->tmp_creds.negotiate_flags;
19652+
19653+ if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
19654+ /*
19655+ * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
19656+ * already, we expect this to work!
19657+ */
19658+ status = NT_STATUS_DOWNGRADE_DETECTED;
19659+ tevent_req_nterror(req, status);
19660+ netlogon_creds_cli_check_cleanup(req, status);
19661+ return;
19662+ }
19663+
19664+ /*
19665+ * This is ok, the server does not support
19666+ * NETLOGON_NEG_SUPPORTS_AES.
19667+ *
19668+ * netr_LogonGetCapabilities() was
19669+ * netr_LogonDummyRoutine1() before
19670+ * NETLOGON_NEG_SUPPORTS_AES was invented.
19671+ */
19672+ netlogon_creds_cli_check_cleanup(req, result);
19673+ tevent_req_done(req);
19674+ return;
19675+ }
19676+
19677+ ok = netlogon_creds_client_check(&state->tmp_creds,
19678+ &state->rep_auth.cred);
19679+ if (!ok) {
19680+ status = NT_STATUS_ACCESS_DENIED;
19681+ tevent_req_nterror(req, status);
19682+ netlogon_creds_cli_check_cleanup(req, status);
19683+ return;
19684+ }
19685+
19686+ if (tevent_req_nterror(req, result)) {
19687+ netlogon_creds_cli_check_cleanup(req, result);
19688+ return;
19689+ }
19690+
19691+ if (state->caps.server_capabilities != state->tmp_creds.negotiate_flags) {
19692+ status = NT_STATUS_DOWNGRADE_DETECTED;
19693+ tevent_req_nterror(req, status);
19694+ netlogon_creds_cli_check_cleanup(req, status);
19695+ return;
19696+ }
19697+
19698+ /*
19699+ * This is the key check that makes this check secure. If we
19700+ * get OK here (rather than NOT_SUPPORTED), then the server
19701+ * did support AES. If the server only proposed STRONG_KEYS
19702+ * and not AES, then it should have failed with
19703+ * NOT_IMPLEMENTED. We always send AES as a client, so the
19704+ * server should always have returned it.
19705+ */
19706+ if (!(state->caps.server_capabilities & NETLOGON_NEG_SUPPORTS_AES)) {
19707+ status = NT_STATUS_DOWNGRADE_DETECTED;
19708+ tevent_req_nterror(req, status);
19709+ netlogon_creds_cli_check_cleanup(req, status);
19710+ return;
19711+ }
19712+
19713+ *state->creds = state->tmp_creds;
19714+ status = netlogon_creds_cli_store(state->context,
19715+ &state->creds);
19716+ netlogon_creds_cli_check_cleanup(req, status);
19717+ if (tevent_req_nterror(req, status)) {
19718+ return;
19719+ }
19720+
19721+ tevent_req_done(req);
19722+}
19723+
19724+NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req)
19725+{
19726+ NTSTATUS status;
19727+
19728+ if (tevent_req_is_nterror(req, &status)) {
19729+ netlogon_creds_cli_check_cleanup(req, status);
19730+ tevent_req_received(req);
19731+ return status;
19732+ }
19733+
19734+ tevent_req_received(req);
19735+ return NT_STATUS_OK;
19736+}
19737+
19738+NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
19739+ struct dcerpc_binding_handle *b)
19740+{
19741+ TALLOC_CTX *frame = talloc_stackframe();
19742+ struct tevent_context *ev;
19743+ struct tevent_req *req;
19744+ NTSTATUS status = NT_STATUS_NO_MEMORY;
19745+
19746+ ev = samba_tevent_context_init(frame);
19747+ if (ev == NULL) {
19748+ goto fail;
19749+ }
19750+ req = netlogon_creds_cli_check_send(frame, ev, context, b);
19751+ if (req == NULL) {
19752+ goto fail;
19753+ }
19754+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
19755+ goto fail;
19756+ }
19757+ status = netlogon_creds_cli_check_recv(req);
19758+ fail:
19759+ TALLOC_FREE(frame);
19760+ return status;
19761+}
19762+
19763+struct netlogon_creds_cli_ServerPasswordSet_state {
19764+ struct tevent_context *ev;
19765+ struct netlogon_creds_cli_context *context;
19766+ struct dcerpc_binding_handle *binding_handle;
19767+ uint32_t old_timeout;
19768+
19769+ char *srv_name_slash;
19770+ enum dcerpc_AuthType auth_type;
19771+ enum dcerpc_AuthLevel auth_level;
19772+
19773+ struct samr_CryptPassword samr_crypt_password;
19774+ struct netr_CryptPassword netr_crypt_password;
19775+ struct samr_Password samr_password;
19776+
19777+ struct netlogon_creds_CredentialState *creds;
19778+ struct netlogon_creds_CredentialState tmp_creds;
19779+ struct netr_Authenticator req_auth;
19780+ struct netr_Authenticator rep_auth;
19781+};
19782+
19783+static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
19784+ NTSTATUS status);
19785+static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq);
19786+
19787+struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
19788+ struct tevent_context *ev,
19789+ struct netlogon_creds_cli_context *context,
19790+ struct dcerpc_binding_handle *b,
19791+ const char *new_password,
19792+ const uint32_t *new_version)
19793+{
19794+ struct tevent_req *req;
19795+ struct netlogon_creds_cli_ServerPasswordSet_state *state;
19796+ struct tevent_req *subreq;
19797+ bool ok;
19798+
19799+ req = tevent_req_create(mem_ctx, &state,
19800+ struct netlogon_creds_cli_ServerPasswordSet_state);
19801+ if (req == NULL) {
19802+ return NULL;
19803+ }
19804+
19805+ state->ev = ev;
19806+ state->context = context;
19807+ state->binding_handle = b;
19808+
19809+ /*
19810+ * netr_ServerPasswordSet
19811+ */
19812+ E_md4hash(new_password, state->samr_password.hash);
19813+
19814+ /*
19815+ * netr_ServerPasswordSet2
19816+ */
19817+ ok = encode_pw_buffer(state->samr_crypt_password.data,
19818+ new_password, STR_UNICODE);
19819+ if (!ok) {
19820+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
19821+ return tevent_req_post(req, ev);
19822+ }
19823+
19824+ if (new_version != NULL) {
19825+ struct NL_PASSWORD_VERSION version;
19826+ uint32_t len = IVAL(state->samr_crypt_password.data, 512);
19827+ uint32_t ofs = 512 - len;
19828+ uint8_t *p;
19829+
19830+ if (ofs < 12) {
19831+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
19832+ return tevent_req_post(req, ev);
19833+ }
19834+ ofs -= 12;
19835+
19836+ version.ReservedField = 0;
19837+ version.PasswordVersionNumber = *new_version;
19838+ version.PasswordVersionPresent =
19839+ NETLOGON_PASSWORD_VERSION_NUMBER_PRESENT;
19840+
19841+ p = state->samr_crypt_password.data + ofs;
19842+ SIVAL(p, 0, version.ReservedField);
19843+ SIVAL(p, 4, version.PasswordVersionNumber);
19844+ SIVAL(p, 8, version.PasswordVersionPresent);
19845+ }
19846+
19847+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
19848+ context->server.computer);
19849+ if (tevent_req_nomem(state->srv_name_slash, req)) {
19850+ return tevent_req_post(req, ev);
19851+ }
19852+
19853+ dcerpc_binding_handle_auth_info(state->binding_handle,
19854+ &state->auth_type,
19855+ &state->auth_level);
19856+
19857+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
19858+ state->context);
19859+ if (tevent_req_nomem(subreq, req)) {
19860+ return tevent_req_post(req, ev);
19861+ }
19862+
19863+ tevent_req_set_callback(subreq,
19864+ netlogon_creds_cli_ServerPasswordSet_locked,
19865+ req);
19866+
19867+ return req;
19868+}
19869+
19870+static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
19871+ NTSTATUS status)
19872+{
19873+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
19874+ tevent_req_data(req,
19875+ struct netlogon_creds_cli_ServerPasswordSet_state);
19876+
19877+ if (state->creds == NULL) {
19878+ return;
19879+ }
19880+
19881+ dcerpc_binding_handle_set_timeout(state->binding_handle,
19882+ state->old_timeout);
19883+
19884+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
19885+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
19886+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
19887+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
19888+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
19889+ TALLOC_FREE(state->creds);
19890+ return;
19891+ }
19892+
19893+ netlogon_creds_cli_delete(state->context, &state->creds);
19894+}
19895+
19896+static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq);
19897+
19898+static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq)
19899+{
19900+ struct tevent_req *req =
19901+ tevent_req_callback_data(subreq,
19902+ struct tevent_req);
19903+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
19904+ tevent_req_data(req,
19905+ struct netlogon_creds_cli_ServerPasswordSet_state);
19906+ NTSTATUS status;
19907+
19908+ status = netlogon_creds_cli_lock_recv(subreq, state,
19909+ &state->creds);
19910+ TALLOC_FREE(subreq);
19911+ if (tevent_req_nterror(req, status)) {
19912+ return;
19913+ }
19914+
19915+ if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
19916+ switch (state->auth_level) {
19917+ case DCERPC_AUTH_LEVEL_INTEGRITY:
19918+ case DCERPC_AUTH_LEVEL_PRIVACY:
19919+ break;
19920+ default:
19921+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
19922+ return;
19923+ }
19924+ } else {
19925+ uint32_t tmp = state->creds->negotiate_flags;
19926+
19927+ if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
19928+ /*
19929+ * if DCERPC_AUTH_TYPE_SCHANNEL is supported
19930+ * it should be used, which means
19931+ * we had a chance to verify no downgrade
19932+ * happened.
19933+ *
19934+ * This relies on netlogon_creds_cli_check*
19935+ * being called before, as first request after
19936+ * the DCERPC bind.
19937+ */
19938+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
19939+ return;
19940+ }
19941+ }
19942+
19943+ state->old_timeout = dcerpc_binding_handle_set_timeout(
19944+ state->binding_handle, 600000);
19945+
19946+ /*
19947+ * we defer all callbacks in order to cleanup
19948+ * the database record.
19949+ */
19950+ tevent_req_defer_callback(req, state->ev);
19951+
19952+ state->tmp_creds = *state->creds;
19953+ netlogon_creds_client_authenticator(&state->tmp_creds,
19954+ &state->req_auth);
19955+ ZERO_STRUCT(state->rep_auth);
19956+
19957+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
19958+
19959+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
19960+ netlogon_creds_aes_encrypt(&state->tmp_creds,
19961+ state->samr_crypt_password.data,
19962+ 516);
19963+ } else {
19964+ netlogon_creds_arcfour_crypt(&state->tmp_creds,
19965+ state->samr_crypt_password.data,
19966+ 516);
19967+ }
19968+
19969+ memcpy(state->netr_crypt_password.data,
19970+ state->samr_crypt_password.data, 512);
19971+ state->netr_crypt_password.length =
19972+ IVAL(state->samr_crypt_password.data, 512);
19973+
19974+ subreq = dcerpc_netr_ServerPasswordSet2_send(state, state->ev,
19975+ state->binding_handle,
19976+ state->srv_name_slash,
19977+ state->tmp_creds.account_name,
19978+ state->tmp_creds.secure_channel_type,
19979+ state->tmp_creds.computer_name,
19980+ &state->req_auth,
19981+ &state->rep_auth,
19982+ &state->netr_crypt_password);
19983+ if (tevent_req_nomem(subreq, req)) {
19984+ status = NT_STATUS_NO_MEMORY;
19985+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
19986+ return;
19987+ }
19988+ } else {
19989+ netlogon_creds_des_encrypt(&state->tmp_creds,
19990+ &state->samr_password);
19991+
19992+ subreq = dcerpc_netr_ServerPasswordSet_send(state, state->ev,
19993+ state->binding_handle,
19994+ state->srv_name_slash,
19995+ state->tmp_creds.account_name,
19996+ state->tmp_creds.secure_channel_type,
19997+ state->tmp_creds.computer_name,
19998+ &state->req_auth,
19999+ &state->rep_auth,
20000+ &state->samr_password);
20001+ if (tevent_req_nomem(subreq, req)) {
20002+ status = NT_STATUS_NO_MEMORY;
20003+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
20004+ return;
20005+ }
20006+ }
20007+
20008+ tevent_req_set_callback(subreq,
20009+ netlogon_creds_cli_ServerPasswordSet_done,
20010+ req);
20011+}
20012+
20013+static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq)
20014+{
20015+ struct tevent_req *req =
20016+ tevent_req_callback_data(subreq,
20017+ struct tevent_req);
20018+ struct netlogon_creds_cli_ServerPasswordSet_state *state =
20019+ tevent_req_data(req,
20020+ struct netlogon_creds_cli_ServerPasswordSet_state);
20021+ NTSTATUS status;
20022+ NTSTATUS result;
20023+ bool ok;
20024+
20025+ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
20026+ status = dcerpc_netr_ServerPasswordSet2_recv(subreq, state,
20027+ &result);
20028+ TALLOC_FREE(subreq);
20029+ if (tevent_req_nterror(req, status)) {
20030+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
20031+ return;
20032+ }
20033+ } else {
20034+ status = dcerpc_netr_ServerPasswordSet_recv(subreq, state,
20035+ &result);
20036+ TALLOC_FREE(subreq);
20037+ if (tevent_req_nterror(req, status)) {
20038+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
20039+ return;
20040+ }
20041+ }
20042+
20043+ ok = netlogon_creds_client_check(&state->tmp_creds,
20044+ &state->rep_auth.cred);
20045+ if (!ok) {
20046+ status = NT_STATUS_ACCESS_DENIED;
20047+ tevent_req_nterror(req, status);
20048+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
20049+ return;
20050+ }
20051+
20052+ if (tevent_req_nterror(req, result)) {
20053+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, result);
20054+ return;
20055+ }
20056+
20057+ dcerpc_binding_handle_set_timeout(state->binding_handle,
20058+ state->old_timeout);
20059+
20060+ *state->creds = state->tmp_creds;
20061+ status = netlogon_creds_cli_store(state->context,
20062+ &state->creds);
20063+ if (tevent_req_nterror(req, status)) {
20064+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
20065+ return;
20066+ }
20067+
20068+ tevent_req_done(req);
20069+}
20070+
20071+NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req)
20072+{
20073+ NTSTATUS status;
20074+
20075+ if (tevent_req_is_nterror(req, &status)) {
20076+ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
20077+ tevent_req_received(req);
20078+ return status;
20079+ }
20080+
20081+ tevent_req_received(req);
20082+ return NT_STATUS_OK;
20083+}
20084+
20085+NTSTATUS netlogon_creds_cli_ServerPasswordSet(
20086+ struct netlogon_creds_cli_context *context,
20087+ struct dcerpc_binding_handle *b,
20088+ const char *new_password,
20089+ const uint32_t *new_version)
20090+{
20091+ TALLOC_CTX *frame = talloc_stackframe();
20092+ struct tevent_context *ev;
20093+ struct tevent_req *req;
20094+ NTSTATUS status = NT_STATUS_NO_MEMORY;
20095+
20096+ ev = samba_tevent_context_init(frame);
20097+ if (ev == NULL) {
20098+ goto fail;
20099+ }
20100+ req = netlogon_creds_cli_ServerPasswordSet_send(frame, ev, context, b,
20101+ new_password,
20102+ new_version);
20103+ if (req == NULL) {
20104+ goto fail;
20105+ }
20106+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
20107+ goto fail;
20108+ }
20109+ status = netlogon_creds_cli_ServerPasswordSet_recv(req);
20110+ fail:
20111+ TALLOC_FREE(frame);
20112+ return status;
20113+}
20114+
20115+struct netlogon_creds_cli_LogonSamLogon_state {
20116+ struct tevent_context *ev;
20117+ struct netlogon_creds_cli_context *context;
20118+ struct dcerpc_binding_handle *binding_handle;
20119+
20120+ char *srv_name_slash;
20121+
20122+ enum netr_LogonInfoClass logon_level;
20123+ const union netr_LogonLevel *const_logon;
20124+ union netr_LogonLevel *logon;
20125+ uint32_t flags;
20126+
20127+ uint16_t validation_level;
20128+ union netr_Validation *validation;
20129+ uint8_t authoritative;
20130+
20131+ /*
20132+ * do we need encryption at the application layer?
20133+ */
20134+ bool user_encrypt;
20135+ bool try_logon_ex;
20136+ bool try_validation6;
20137+
20138+ /*
20139+ * the read only credentials before we started the operation
20140+ */
20141+ struct netlogon_creds_CredentialState *ro_creds;
20142+
20143+ struct netlogon_creds_CredentialState *lk_creds;
20144+
20145+ struct netlogon_creds_CredentialState tmp_creds;
20146+ struct netr_Authenticator req_auth;
20147+ struct netr_Authenticator rep_auth;
20148+};
20149+
20150+static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req);
20151+static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
20152+ NTSTATUS status);
20153+
20154+struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
20155+ struct tevent_context *ev,
20156+ struct netlogon_creds_cli_context *context,
20157+ struct dcerpc_binding_handle *b,
20158+ enum netr_LogonInfoClass logon_level,
20159+ const union netr_LogonLevel *logon,
20160+ uint32_t flags)
20161+{
20162+ struct tevent_req *req;
20163+ struct netlogon_creds_cli_LogonSamLogon_state *state;
20164+
20165+ req = tevent_req_create(mem_ctx, &state,
20166+ struct netlogon_creds_cli_LogonSamLogon_state);
20167+ if (req == NULL) {
20168+ return NULL;
20169+ }
20170+
20171+ state->ev = ev;
20172+ state->context = context;
20173+ state->binding_handle = b;
20174+
20175+ state->logon_level = logon_level;
20176+ state->const_logon = logon;
20177+ state->flags = flags;
20178+
20179+ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
20180+ context->server.computer);
20181+ if (tevent_req_nomem(state->srv_name_slash, req)) {
20182+ return tevent_req_post(req, ev);
20183+ }
20184+
20185+ switch (logon_level) {
20186+ case NetlogonInteractiveInformation:
20187+ case NetlogonInteractiveTransitiveInformation:
20188+ case NetlogonServiceInformation:
20189+ case NetlogonServiceTransitiveInformation:
20190+ case NetlogonGenericInformation:
20191+ state->user_encrypt = true;
20192+ break;
20193+
20194+ case NetlogonNetworkInformation:
20195+ case NetlogonNetworkTransitiveInformation:
20196+ break;
20197+ }
20198+
20199+ state->validation = talloc_zero(state, union netr_Validation);
20200+ if (tevent_req_nomem(state->validation, req)) {
20201+ return tevent_req_post(req, ev);
20202+ }
20203+
20204+ netlogon_creds_cli_LogonSamLogon_start(req);
20205+ if (!tevent_req_is_in_progress(req)) {
20206+ return tevent_req_post(req, ev);
20207+ }
20208+
20209+ /*
20210+ * we defer all callbacks in order to cleanup
20211+ * the database record.
20212+ */
20213+ tevent_req_defer_callback(req, state->ev);
20214+ return req;
20215+}
20216+
20217+static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
20218+ NTSTATUS status)
20219+{
20220+ struct netlogon_creds_cli_LogonSamLogon_state *state =
20221+ tevent_req_data(req,
20222+ struct netlogon_creds_cli_LogonSamLogon_state);
20223+
20224+ if (state->lk_creds == NULL) {
20225+ return;
20226+ }
20227+
20228+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
20229+ /*
20230+ * This is a hack to recover from a bug in old
20231+ * Samba servers, when LogonSamLogonEx() fails:
20232+ *
20233+ * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
20234+ *
20235+ * All following request will get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
20236+ *
20237+ * A second bug generates NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE,
20238+ * instead of NT_STATUS_ACCESS_DENIED or NT_STATUS_RPC_SEC_PKG_ERROR
20239+ * If the sign/seal check fails.
20240+ *
20241+ * In that case we need to cleanup the netlogon session.
20242+ *
20243+ * It's the job of the caller to disconnect the current
20244+ * connection, if netlogon_creds_cli_LogonSamLogon()
20245+ * returns NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
20246+ */
20247+ if (!state->context->server.try_logon_with) {
20248+ status = NT_STATUS_NETWORK_ACCESS_DENIED;
20249+ }
20250+ }
20251+
20252+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
20253+ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
20254+ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
20255+ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
20256+ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
20257+ TALLOC_FREE(state->lk_creds);
20258+ return;
20259+ }
20260+
20261+ netlogon_creds_cli_delete(state->context, &state->lk_creds);
20262+}
20263+
20264+static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq);
20265+
20266+static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req)
20267+{
20268+ struct netlogon_creds_cli_LogonSamLogon_state *state =
20269+ tevent_req_data(req,
20270+ struct netlogon_creds_cli_LogonSamLogon_state);
20271+ struct tevent_req *subreq;
20272+ NTSTATUS status;
20273+ enum dcerpc_AuthType auth_type;
20274+ enum dcerpc_AuthLevel auth_level;
20275+
20276+ TALLOC_FREE(state->ro_creds);
20277+ TALLOC_FREE(state->logon);
20278+ ZERO_STRUCTP(state->validation);
20279+
20280+ dcerpc_binding_handle_auth_info(state->binding_handle,
20281+ &auth_type, &auth_level);
20282+
20283+ state->try_logon_ex = state->context->server.try_logon_ex;
20284+ state->try_validation6 = state->context->server.try_validation6;
20285+
20286+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
20287+ state->try_logon_ex = false;
20288+ }
20289+
20290+ if (auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
20291+ state->try_validation6 = false;
20292+ }
20293+
20294+ if (state->try_logon_ex) {
20295+ if (state->try_validation6) {
20296+ state->validation_level = 6;
20297+ } else {
20298+ state->validation_level = 3;
20299+ state->user_encrypt = true;
20300+ }
20301+
20302+ state->logon = netlogon_creds_shallow_copy_logon(state,
20303+ state->logon_level,
20304+ state->const_logon);
20305+ if (tevent_req_nomem(state->logon, req)) {
20306+ status = NT_STATUS_NO_MEMORY;
20307+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
20308+ return;
20309+ }
20310+
20311+ if (state->user_encrypt) {
20312+ status = netlogon_creds_cli_get(state->context,
20313+ state,
20314+ &state->ro_creds);
20315+ if (!NT_STATUS_IS_OK(status)) {
20316+ status = NT_STATUS_ACCESS_DENIED;
20317+ tevent_req_nterror(req, status);
20318+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
20319+ return;
20320+ }
20321+
20322+ netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
20323+ state->logon_level,
20324+ state->logon);
20325+ }
20326+
20327+ subreq = dcerpc_netr_LogonSamLogonEx_send(state, state->ev,
20328+ state->binding_handle,
20329+ state->srv_name_slash,
20330+ state->context->client.computer,
20331+ state->logon_level,
20332+ state->logon,
20333+ state->validation_level,
20334+ state->validation,
20335+ &state->authoritative,
20336+ &state->flags);
20337+ if (tevent_req_nomem(subreq, req)) {
20338+ status = NT_STATUS_NO_MEMORY;
20339+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
20340+ return;
20341+ }
20342+ tevent_req_set_callback(subreq,
20343+ netlogon_creds_cli_LogonSamLogon_done,
20344+ req);
20345+ return;
20346+ }
20347+
20348+ if (state->lk_creds == NULL) {
20349+ subreq = netlogon_creds_cli_lock_send(state, state->ev,
20350+ state->context);
20351+ if (tevent_req_nomem(subreq, req)) {
20352+ status = NT_STATUS_NO_MEMORY;
20353+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
20354+ return;
20355+ }
20356+ tevent_req_set_callback(subreq,
20357+ netlogon_creds_cli_LogonSamLogon_done,
20358+ req);
20359+ return;
20360+ }
20361+
20362+ state->tmp_creds = *state->lk_creds;
20363+ netlogon_creds_client_authenticator(&state->tmp_creds,
20364+ &state->req_auth);
20365+ ZERO_STRUCT(state->rep_auth);
20366+
20367+ state->logon = netlogon_creds_shallow_copy_logon(state,
20368+ state->logon_level,
20369+ state->const_logon);
20370+ if (tevent_req_nomem(state->logon, req)) {
20371+ status = NT_STATUS_NO_MEMORY;
20372+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
20373+ return;
20374+ }
20375+
20376+ netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
20377+ state->logon_level,
20378+ state->logon);
20379+
20380+ state->validation_level = 3;
20381+
20382+ if (state->context->server.try_logon_with) {
20383+ subreq = dcerpc_netr_LogonSamLogonWithFlags_send(state, state->ev,
20384+ state->binding_handle,
20385+ state->srv_name_slash,
20386+ state->context->client.computer,
20387+ &state->req_auth,
20388+ &state->rep_auth,
20389+ state->logon_level,
20390+ state->logon,
20391+ state->validation_level,
20392+ state->validation,
20393+ &state->authoritative,
20394+ &state->flags);
20395+ if (tevent_req_nomem(subreq, req)) {
20396+ status = NT_STATUS_NO_MEMORY;
20397+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
20398+ return;
20399+ }
20400+ } else {
20401+ state->flags = 0;
20402+
20403+ subreq = dcerpc_netr_LogonSamLogon_send(state, state->ev,
20404+ state->binding_handle,
20405+ state->srv_name_slash,
20406+ state->context->client.computer,
20407+ &state->req_auth,
20408+ &state->rep_auth,
20409+ state->logon_level,
20410+ state->logon,
20411+ state->validation_level,
20412+ state->validation,
20413+ &state->authoritative);
20414+ if (tevent_req_nomem(subreq, req)) {
20415+ status = NT_STATUS_NO_MEMORY;
20416+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
20417+ return;
20418+ }
20419+ }
20420+
20421+ tevent_req_set_callback(subreq,
20422+ netlogon_creds_cli_LogonSamLogon_done,
20423+ req);
20424+}
20425+
20426+static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
20427+{
20428+ struct tevent_req *req =
20429+ tevent_req_callback_data(subreq,
20430+ struct tevent_req);
20431+ struct netlogon_creds_cli_LogonSamLogon_state *state =
20432+ tevent_req_data(req,
20433+ struct netlogon_creds_cli_LogonSamLogon_state);
20434+ NTSTATUS status;
20435+ NTSTATUS result;
20436+ bool ok;
20437+
20438+ if (state->try_logon_ex) {
20439+ status = dcerpc_netr_LogonSamLogonEx_recv(subreq,
20440+ state->validation,
20441+ &result);
20442+ TALLOC_FREE(subreq);
20443+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
20444+ state->context->server.try_validation6 = false;
20445+ state->context->server.try_logon_ex = false;
20446+ netlogon_creds_cli_LogonSamLogon_start(req);
20447+ return;
20448+ }
20449+ if (tevent_req_nterror(req, status)) {
20450+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
20451+ return;
20452+ }
20453+
20454+ if ((state->validation_level == 6) &&
20455+ (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
20456+ NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
20457+ NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)))
20458+ {
20459+ state->context->server.try_validation6 = false;
20460+ netlogon_creds_cli_LogonSamLogon_start(req);
20461+ return;
20462+ }
20463+
20464+ if (tevent_req_nterror(req, result)) {
20465+ netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
20466+ return;
20467+ }
20468+
20469+ if (state->ro_creds == NULL) {
20470+ tevent_req_done(req);
20471+ return;
20472+ }
20473+
20474+ ok = netlogon_creds_cli_validate(state->context, state->ro_creds);
20475+ if (!ok) {
20476+ /*
20477+ * We got a race, lets retry with on authenticator
20478+ * protection.
20479+ */
20480+ TALLOC_FREE(state->ro_creds);
20481+ state->try_logon_ex = false;
20482+ netlogon_creds_cli_LogonSamLogon_start(req);
20483+ return;
20484+ }
20485+
20486+ netlogon_creds_decrypt_samlogon_validation(state->ro_creds,
20487+ state->validation_level,
20488+ state->validation);
20489+
20490+ tevent_req_done(req);
20491+ return;
20492+ }
20493+
20494+ if (state->lk_creds == NULL) {
20495+ status = netlogon_creds_cli_lock_recv(subreq, state,
20496+ &state->lk_creds);
20497+ TALLOC_FREE(subreq);
20498+ if (tevent_req_nterror(req, status)) {
20499+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
20500+ return;
20501+ }
20502+
20503+ netlogon_creds_cli_LogonSamLogon_start(req);
20504+ return;
20505+ }
20506+
20507+ if (state->context->server.try_logon_with) {
20508+ status = dcerpc_netr_LogonSamLogonWithFlags_recv(subreq,
20509+ state->validation,
20510+ &result);
20511+ TALLOC_FREE(subreq);
20512+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
20513+ state->context->server.try_logon_with = false;
20514+ netlogon_creds_cli_LogonSamLogon_start(req);
20515+ return;
20516+ }
20517+ if (tevent_req_nterror(req, status)) {
20518+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
20519+ return;
20520+ }
20521+ } else {
20522+ status = dcerpc_netr_LogonSamLogon_recv(subreq,
20523+ state->validation,
20524+ &result);
20525+ TALLOC_FREE(subreq);
20526+ if (tevent_req_nterror(req, status)) {
20527+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
20528+ return;
20529+ }
20530+ }
20531+
20532+ ok = netlogon_creds_client_check(&state->tmp_creds,
20533+ &state->rep_auth.cred);
20534+ if (!ok) {
20535+ status = NT_STATUS_ACCESS_DENIED;
20536+ tevent_req_nterror(req, status);
20537+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
20538+ return;
20539+ }
20540+
20541+ *state->lk_creds = state->tmp_creds;
20542+ status = netlogon_creds_cli_store(state->context,
20543+ &state->lk_creds);
20544+ if (tevent_req_nterror(req, status)) {
20545+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
20546+ return;
20547+ }
20548+
20549+ if (tevent_req_nterror(req, result)) {
20550+ netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
20551+ return;
20552+ }
20553+
20554+ netlogon_creds_decrypt_samlogon_validation(&state->tmp_creds,
20555+ state->validation_level,
20556+ state->validation);
20557+
20558+ tevent_req_done(req);
20559+}
20560+
20561+NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
20562+ TALLOC_CTX *mem_ctx,
20563+ uint16_t *validation_level,
20564+ union netr_Validation **validation,
20565+ uint8_t *authoritative,
20566+ uint32_t *flags)
20567+{
20568+ struct netlogon_creds_cli_LogonSamLogon_state *state =
20569+ tevent_req_data(req,
20570+ struct netlogon_creds_cli_LogonSamLogon_state);
20571+ NTSTATUS status;
20572+
20573+ /* authoritative is also returned on error */
20574+ *authoritative = state->authoritative;
20575+
20576+ if (tevent_req_is_nterror(req, &status)) {
20577+ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
20578+ tevent_req_received(req);
20579+ return status;
20580+ }
20581+
20582+ *validation_level = state->validation_level;
20583+ *validation = talloc_move(mem_ctx, &state->validation);
20584+ *flags = state->flags;
20585+
20586+ tevent_req_received(req);
20587+ return NT_STATUS_OK;
20588+}
20589+
20590+NTSTATUS netlogon_creds_cli_LogonSamLogon(
20591+ struct netlogon_creds_cli_context *context,
20592+ struct dcerpc_binding_handle *b,
20593+ enum netr_LogonInfoClass logon_level,
20594+ const union netr_LogonLevel *logon,
20595+ TALLOC_CTX *mem_ctx,
20596+ uint16_t *validation_level,
20597+ union netr_Validation **validation,
20598+ uint8_t *authoritative,
20599+ uint32_t *flags)
20600+{
20601+ TALLOC_CTX *frame = talloc_stackframe();
20602+ struct tevent_context *ev;
20603+ struct tevent_req *req;
20604+ NTSTATUS status = NT_STATUS_NO_MEMORY;
20605+
20606+ ev = samba_tevent_context_init(frame);
20607+ if (ev == NULL) {
20608+ goto fail;
20609+ }
20610+ req = netlogon_creds_cli_LogonSamLogon_send(frame, ev, context, b,
20611+ logon_level, logon,
20612+ *flags);
20613+ if (req == NULL) {
20614+ goto fail;
20615+ }
20616+ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
20617+ goto fail;
20618+ }
20619+ status = netlogon_creds_cli_LogonSamLogon_recv(req, mem_ctx,
20620+ validation_level,
20621+ validation,
20622+ authoritative,
20623+ flags);
20624+ fail:
20625+ TALLOC_FREE(frame);
20626+ return status;
20627+}
20628diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
20629new file mode 100644
20630index 0000000..f8f2bef
20631--- /dev/null
20632+++ b/libcli/auth/netlogon_creds_cli.h
20633@@ -0,0 +1,138 @@
20634+/*
20635+ Unix SMB/CIFS implementation.
20636+
20637+ module to store/fetch session keys for the schannel client
20638+
20639+ Copyright (C) Stefan Metzmacher 2013
20640+
20641+ This program is free software; you can redistribute it and/or modify
20642+ it under the terms of the GNU General Public License as published by
20643+ the Free Software Foundation; either version 3 of the License, or
20644+ (at your option) any later version.
20645+
20646+ This program is distributed in the hope that it will be useful,
20647+ but WITHOUT ANY WARRANTY; without even the implied warranty of
20648+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20649+ GNU General Public License for more details.
20650+
20651+ You should have received a copy of the GNU General Public License
20652+ along with this program. If not, see <http://www.gnu.org/licenses/>.
20653+*/
20654+
20655+#ifndef NETLOGON_CREDS_CLI_H
20656+#define NETLOGON_CREDS_CLI_H
20657+
20658+#include "librpc/gen_ndr/dcerpc.h"
20659+#include "librpc/gen_ndr/schannel.h"
20660+
20661+struct netlogon_creds_cli_context;
20662+struct messaging_context;
20663+struct dcerpc_binding_handle;
20664+
20665+NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
20666+
20667+NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
20668+ struct messaging_context *msg_ctx,
20669+ const char *client_account,
20670+ enum netr_SchannelType type,
20671+ const char *server_computer,
20672+ const char *server_netbios_domain,
20673+ TALLOC_CTX *mem_ctx,
20674+ struct netlogon_creds_cli_context **_context);
20675+NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
20676+ const char *client_account,
20677+ enum netr_SchannelType type,
20678+ enum dcerpc_AuthLevel auth_level,
20679+ uint32_t proposed_flags,
20680+ uint32_t required_flags,
20681+ const char *server_computer,
20682+ const char *server_netbios_domain,
20683+ TALLOC_CTX *mem_ctx,
20684+ struct netlogon_creds_cli_context **_context);
20685+NTSTATUS netlogon_creds_cli_context_copy(
20686+ const struct netlogon_creds_cli_context *src,
20687+ TALLOC_CTX *mem_ctx,
20688+ struct netlogon_creds_cli_context **_dst);
20689+
20690+enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
20691+ struct netlogon_creds_cli_context *context);
20692+
20693+NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
20694+ TALLOC_CTX *mem_ctx,
20695+ struct netlogon_creds_CredentialState **_creds);
20696+bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
20697+ const struct netlogon_creds_CredentialState *creds1);
20698+
20699+NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
20700+ struct netlogon_creds_CredentialState **_creds);
20701+NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
20702+ struct netlogon_creds_CredentialState **_creds);
20703+
20704+struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
20705+ struct tevent_context *ev,
20706+ struct netlogon_creds_cli_context *context);
20707+NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
20708+ TALLOC_CTX *mem_ctx,
20709+ struct netlogon_creds_CredentialState **creds);
20710+NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
20711+ TALLOC_CTX *mem_ctx,
20712+ struct netlogon_creds_CredentialState **creds);
20713+
20714+struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
20715+ struct tevent_context *ev,
20716+ struct netlogon_creds_cli_context *context,
20717+ struct dcerpc_binding_handle *b,
20718+ struct samr_Password current_nt_hash,
20719+ const struct samr_Password *previous_nt_hash);
20720+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req);
20721+NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
20722+ struct dcerpc_binding_handle *b,
20723+ struct samr_Password current_nt_hash,
20724+ const struct samr_Password *previous_nt_hash);
20725+
20726+struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
20727+ struct tevent_context *ev,
20728+ struct netlogon_creds_cli_context *context,
20729+ struct dcerpc_binding_handle *b);
20730+NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req);
20731+NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
20732+ struct dcerpc_binding_handle *b);
20733+
20734+struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
20735+ struct tevent_context *ev,
20736+ struct netlogon_creds_cli_context *context,
20737+ struct dcerpc_binding_handle *b,
20738+ const char *new_password,
20739+ const uint32_t *new_version);
20740+NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req);
20741+NTSTATUS netlogon_creds_cli_ServerPasswordSet(
20742+ struct netlogon_creds_cli_context *context,
20743+ struct dcerpc_binding_handle *b,
20744+ const char *new_password,
20745+ const uint32_t *new_version);
20746+
20747+struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
20748+ struct tevent_context *ev,
20749+ struct netlogon_creds_cli_context *context,
20750+ struct dcerpc_binding_handle *b,
20751+ enum netr_LogonInfoClass logon_level,
20752+ const union netr_LogonLevel *logon,
20753+ uint32_t flags);
20754+NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
20755+ TALLOC_CTX *mem_ctx,
20756+ uint16_t *validation_level,
20757+ union netr_Validation **validation,
20758+ uint8_t *authoritative,
20759+ uint32_t *flags);
20760+NTSTATUS netlogon_creds_cli_LogonSamLogon(
20761+ struct netlogon_creds_cli_context *context,
20762+ struct dcerpc_binding_handle *b,
20763+ enum netr_LogonInfoClass logon_level,
20764+ const union netr_LogonLevel *logon,
20765+ TALLOC_CTX *mem_ctx,
20766+ uint16_t *validation_level,
20767+ union netr_Validation **validation,
20768+ uint8_t *authoritative,
20769+ uint32_t *flags);
20770+
20771+#endif /* NETLOGON_CREDS_CLI_H */
20772diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
20773index ca2be2d..51eb293 100755
20774--- a/libcli/auth/wscript_build
20775+++ b/libcli/auth/wscript_build
20776@@ -28,6 +28,10 @@ bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
20777 deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
20778 )
20779
20780+bld.SAMBA_SUBSYSTEM('NETLOGON_CREDS_CLI',
20781+ source='netlogon_creds_cli.c',
20782+ deps='dbwrap util_tdb tevent-util samba-hostconfig RPC_NDR_NETLOGON NDR_NETLOGON'
20783+ )
20784
20785 bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
20786 source='pam_errors.c',
20787--
207881.9.3
20789
20790
20791From e4a4e18ea7f9a9742de16e477917da6ae11ac42e Mon Sep 17 00:00:00 2001
20792From: Stefan Metzmacher <metze@samba.org>
20793Date: Fri, 13 Dec 2013 17:31:45 +0100
20794Subject: [PATCH 163/249] libcli/auth: use unique key_name values in
20795 netlogon_creds_cli_context_common()
20796
20797Until all callers are fixed to pass the same 'server_computer'
20798value, we try to calculate a server_netbios_name and use this
20799as unique identifier for a specific domain controller.
20800
20801Otherwise winbind would use 'hostname.example.com'
20802while 'net rpc testjoin' would use 'HOSTNAME',
20803which leads to 2 records in netlogon_creds_cli.tdb
20804for the same domain controller.
20805
20806Once all callers are fixed we can think about reverting this
20807commit.
20808
20809Signed-off-by: Stefan Metzmacher <metze@samba.org>
20810Reviewed-by: Andrew Bartlett <abartlet@samba.org>
20811(cherry picked from commit dc96b1ddccfe8eb1a631355f9471ee0b620d682c)
20812---
20813 libcli/auth/netlogon_creds_cli.c | 58 +++++++++++++++++++++++++++++++++-------
20814 1 file changed, 48 insertions(+), 10 deletions(-)
20815
20816diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
20817index 75d6b2c..a872b31 100644
20818--- a/libcli/auth/netlogon_creds_cli.c
20819+++ b/libcli/auth/netlogon_creds_cli.c
20820@@ -106,23 +106,30 @@ static NTSTATUS netlogon_creds_cli_context_common(
20821 struct netlogon_creds_cli_context **_context)
20822 {
20823 struct netlogon_creds_cli_context *context = NULL;
20824+ TALLOC_CTX *frame = talloc_stackframe();
20825+ char *_key_name = NULL;
20826+ char *server_netbios_name = NULL;
20827+ char *p = NULL;
20828
20829 *_context = NULL;
20830
20831 context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
20832 if (context == NULL) {
20833+ TALLOC_FREE(frame);
20834 return NT_STATUS_NO_MEMORY;
20835 }
20836
20837 context->client.computer = talloc_strdup(context, client_computer);
20838 if (context->client.computer == NULL) {
20839- talloc_free(context);
20840+ TALLOC_FREE(context);
20841+ TALLOC_FREE(frame);
20842 return NT_STATUS_NO_MEMORY;
20843 }
20844
20845 context->client.account = talloc_strdup(context, client_account);
20846 if (context->client.account == NULL) {
20847- talloc_free(context);
20848+ TALLOC_FREE(context);
20849+ TALLOC_FREE(frame);
20850 return NT_STATUS_NO_MEMORY;
20851 }
20852
20853@@ -133,29 +140,60 @@ static NTSTATUS netlogon_creds_cli_context_common(
20854
20855 context->server.computer = talloc_strdup(context, server_computer);
20856 if (context->server.computer == NULL) {
20857- talloc_free(context);
20858+ TALLOC_FREE(context);
20859+ TALLOC_FREE(frame);
20860 return NT_STATUS_NO_MEMORY;
20861 }
20862
20863 context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
20864 if (context->server.netbios_domain == NULL) {
20865- talloc_free(context);
20866+ TALLOC_FREE(context);
20867+ TALLOC_FREE(frame);
20868 return NT_STATUS_NO_MEMORY;
20869 }
20870
20871- context->db.key_name = talloc_asprintf(context, "CLI[%s/%s]/SRV[%s/%s]",
20872- client_computer,
20873- client_account,
20874- server_computer,
20875- server_netbios_domain);
20876+ /*
20877+ * TODO:
20878+ * Force the callers to provide a unique
20879+ * value for server_computer and use this directly.
20880+ *
20881+ * For now we have to deal with
20882+ * "HOSTNAME" vs. "hostname.example.com".
20883+ */
20884+ server_netbios_name = talloc_strdup(frame, server_computer);
20885+ if (server_netbios_name == NULL) {
20886+ TALLOC_FREE(context);
20887+ TALLOC_FREE(frame);
20888+ return NT_STATUS_NO_MEMORY;
20889+ }
20890+
20891+ p = strchr(server_netbios_name, '.');
20892+ if (p != NULL) {
20893+ p[0] = '\0';
20894+ }
20895+
20896+ _key_name = talloc_asprintf(frame, "CLI[%s/%s]/SRV[%s/%s]",
20897+ client_computer,
20898+ client_account,
20899+ server_netbios_name,
20900+ server_netbios_domain);
20901+ if (_key_name == NULL) {
20902+ TALLOC_FREE(context);
20903+ TALLOC_FREE(frame);
20904+ return NT_STATUS_NO_MEMORY;
20905+ }
20906+
20907+ context->db.key_name = talloc_strdup_upper(context, _key_name);
20908 if (context->db.key_name == NULL) {
20909- talloc_free(context);
20910+ TALLOC_FREE(context);
20911+ TALLOC_FREE(frame);
20912 return NT_STATUS_NO_MEMORY;
20913 }
20914
20915 context->db.key_data = string_term_tdb_data(context->db.key_name);
20916
20917 *_context = context;
20918+ TALLOC_FREE(frame);
20919 return NT_STATUS_OK;
20920 }
20921
20922--
209231.9.3
20924
20925
20926From 29bc7cb7a1c0ef62c923ce859cdd07de2846c5f5 Mon Sep 17 00:00:00 2001
20927From: Stefan Metzmacher <metze@samba.org>
20928Date: Thu, 17 Oct 2013 19:01:28 +0200
20929Subject: [PATCH 164/249] s3:param: set Globals.bWinbindSealedPipes = true
20930
20931Signed-off-by: Stefan Metzmacher <metze@samba.org>
20932Reviewed-by: Andrew Bartlett <abartlet@samba.org>
20933(cherry picked from commit 99d8653d83aa2e2e3a0ea097ab7cb65d62d76daf)
20934---
20935 source3/param/loadparm.c | 1 +
20936 1 file changed, 1 insertion(+)
20937
20938diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
20939index 40f3242..7d95256 100644
20940--- a/source3/param/loadparm.c
20941+++ b/source3/param/loadparm.c
20942@@ -834,6 +834,7 @@ static void init_globals(bool reinit_globals)
20943 Globals.security = SEC_USER;
20944 Globals.bEncryptPasswords = true;
20945 Globals.clientSchannel = Auto;
20946+ Globals.bWinbindSealedPipes = true;
20947 Globals.serverSchannel = Auto;
20948 Globals.bReadRaw = true;
20949 Globals.bWriteRaw = true;
20950--
209511.9.3
20952
20953
20954From 21b9d9847ba236d78156de07dd24032e64f2124d Mon Sep 17 00:00:00 2001
20955From: Stefan Metzmacher <metze@samba.org>
20956Date: Thu, 17 Oct 2013 18:39:56 +0200
20957Subject: [PATCH 165/249] lib/param: add "neutralize nt4 emulation" option,
20958 defaulting to false
20959
20960Signed-off-by: Stefan Metzmacher <metze@samba.org>
20961Reviewed-by: Andrew Bartlett <abartlet@samba.org>
20962(cherry picked from commit b39ca3a2aefdd43a55b9cdd8fa5136254b283927)
20963---
20964 .../smbdotconf/winbind/netutralizent4emulation.xml | 19 +++++++++++++++++++
20965 lib/param/param_functions.c | 1 +
20966 lib/param/param_table.c | 9 +++++++++
20967 3 files changed, 29 insertions(+)
20968 create mode 100644 docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
20969
20970diff --git a/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
20971new file mode 100644
20972index 0000000..8294a90
20973--- /dev/null
20974+++ b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
20975@@ -0,0 +1,19 @@
20976+<samba:parameter name="neutralize nt4 emulation"
20977+ context="G"
20978+ type="boolean"
20979+ advanced="1" developer="1"
20980+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
20981+<description>
20982+ <para>This option controls whether winbindd sends
20983+ the NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass
20984+ the NT4 emulation of a domain controller.</para>
20985+
20986+ <para>Typically you should not need set this.
20987+ It can be useful for upgrades from NT4 to AD domains.</para>
20988+
20989+ <para>The behavior can be controlled per netbios domain
20990+ by using 'neutralize nt4 emulation:NETBIOSDOMAIN = yes' as option.</para>
20991+</description>
20992+
20993+<value type="default">no</value>
20994+</samba:parameter>
20995diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
20996index 60f9c07..aef091b 100644
20997--- a/lib/param/param_functions.c
20998+++ b/lib/param/param_functions.c
20999@@ -192,6 +192,7 @@ FN_GLOBAL_BOOL(log_writeable_files_on_exit, bLogWriteableFilesOnExit)
21000 FN_GLOBAL_BOOL(map_untrusted_to_domain, bMapUntrustedToDomain)
21001 FN_GLOBAL_BOOL(ms_add_printer_wizard, bMsAddPrinterWizard)
21002 FN_GLOBAL_BOOL(multicast_dns_register, bMulticastDnsRegister)
21003+FN_GLOBAL_BOOL(neutralize_nt4_emulation, bNeutralizeNT4Emulation)
21004 FN_GLOBAL_BOOL(nis_home_map, bNISHomeMap)
21005 FN_GLOBAL_BOOL(nmbd_bind_explicit_broadcast, bNmbdBindExplicitBroadcast)
21006 FN_GLOBAL_BOOL(ntlm_auth, bNTLMAuth)
21007diff --git a/lib/param/param_table.c b/lib/param/param_table.c
21008index 8e3f952..edf6829 100644
21009--- a/lib/param/param_table.c
21010+++ b/lib/param/param_table.c
21011@@ -4188,6 +4188,15 @@ static struct parm_struct parm_table[] = {
21012 .enum_list = NULL,
21013 .flags = FLAG_ADVANCED,
21014 },
21015+ {
21016+ .label = "neutralize nt4 emulation",
21017+ .type = P_BOOL,
21018+ .p_class = P_GLOBAL,
21019+ .offset = GLOBAL_VAR(bNeutralizeNT4Emulation),
21020+ .special = NULL,
21021+ .enum_list = NULL,
21022+ .flags = FLAG_ADVANCED,
21023+ },
21024
21025 {N_("DNS options"), P_SEP, P_SEPARATOR},
21026 {
21027--
210281.9.3
21029
21030
21031From d1cfe2d0f3f72e8b7700eee01e47b0bb9d3b9ca3 Mon Sep 17 00:00:00 2001
21032From: Stefan Metzmacher <metze@samba.org>
21033Date: Thu, 17 Oct 2013 18:39:56 +0200
21034Subject: [PATCH 166/249] lib/param: add "reject md5 servers" option,
21035 defaulting to false
21036
21037Signed-off-by: Stefan Metzmacher <metze@samba.org>
21038Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21039(cherry picked from commit de4f8f0825790452455a9d51e9d84d4d4a5c0d3b)
21040---
21041 docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 23 +++++++++++++++++++++++
21042 lib/param/param_functions.c | 1 +
21043 lib/param/param_table.c | 9 +++++++++
21044 3 files changed, 33 insertions(+)
21045 create mode 100644 docs-xml/smbdotconf/winbind/rejectmd5servers.xml
21046
21047diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
21048new file mode 100644
21049index 0000000..18f8bcb
21050--- /dev/null
21051+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
21052@@ -0,0 +1,23 @@
21053+<samba:parameter name="reject md5 servers"
21054+ context="G"
21055+ type="boolean"
21056+ advanced="1"
21057+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
21058+<description>
21059+ <para>This option controls whether winbindd requires support
21060+ for aes support for the netlogon secure channel.</para>
21061+
21062+ <para>The following flags will be required NETLOGON_NEG_ARCFOUR,
21063+ NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
21064+
21065+ <para>You can set this to yes if all domain controllers support aes.
21066+ This will prevent downgrade attacks.</para>
21067+
21068+ <para>The behavior can be controlled per netbios domain
21069+ by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
21070+
21071+ <para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
21072+</description>
21073+
21074+<value type="default">no</value>
21075+</samba:parameter>
21076diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
21077index aef091b..ecd7f8e 100644
21078--- a/lib/param/param_functions.c
21079+++ b/lib/param/param_functions.c
21080@@ -204,6 +204,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
21081 FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
21082 FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
21083 FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
21084+FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
21085 FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
21086 FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
21087 FN_GLOBAL_BOOL(stat_cache, bStatCache)
21088diff --git a/lib/param/param_table.c b/lib/param/param_table.c
21089index edf6829..b53f850 100644
21090--- a/lib/param/param_table.c
21091+++ b/lib/param/param_table.c
21092@@ -4197,6 +4197,15 @@ static struct parm_struct parm_table[] = {
21093 .enum_list = NULL,
21094 .flags = FLAG_ADVANCED,
21095 },
21096+ {
21097+ .label = "reject md5 servers",
21098+ .type = P_BOOL,
21099+ .p_class = P_GLOBAL,
21100+ .offset = GLOBAL_VAR(bRejectMD5Servers),
21101+ .special = NULL,
21102+ .enum_list = NULL,
21103+ .flags = FLAG_ADVANCED,
21104+ },
21105
21106 {N_("DNS options"), P_SEP, P_SEPARATOR},
21107 {
21108--
211091.9.3
21110
21111
21112From 2545090f09da279655510f87d02c631c74409eb1 Mon Sep 17 00:00:00 2001
21113From: Stefan Metzmacher <metze@samba.org>
21114Date: Thu, 17 Oct 2013 18:39:56 +0200
21115Subject: [PATCH 167/249] lib/param: add "require strong key" option,
21116 defaulting to true
21117
21118Signed-off-by: Stefan Metzmacher <metze@samba.org>
21119Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21120(cherry picked from commit 6630c68cce8fbbd700e7d4cd92ec3ebb2a268f06)
21121---
21122 docs-xml/smbdotconf/winbind/requirestrongkey.xml | 27 ++++++++++++++++++++++++
21123 lib/param/loadparm.c | 1 +
21124 lib/param/param_functions.c | 1 +
21125 lib/param/param_table.c | 9 ++++++++
21126 4 files changed, 38 insertions(+)
21127 create mode 100644 docs-xml/smbdotconf/winbind/requirestrongkey.xml
21128
21129diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
21130new file mode 100644
21131index 0000000..de749bb
21132--- /dev/null
21133+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
21134@@ -0,0 +1,27 @@
21135+<samba:parameter name="require strong key"
21136+ context="G"
21137+ type="boolean"
21138+ advanced="1"
21139+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
21140+<description>
21141+ <para>This option controls whether winbindd requires support
21142+ for md5 strong key support for the netlogon secure channel.</para>
21143+
21144+ <para>The following flags will be required NETLOGON_NEG_STRONG_KEYS,
21145+ NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
21146+
21147+ <para>You can set this to no if some domain controllers only support des.
21148+ This might allows weak crypto to be negotiated, may via downgrade attacks.</para>
21149+
21150+ <para>The behavior can be controlled per netbios domain
21151+ by using 'require strong key:NETBIOSDOMAIN = no' as option.</para>
21152+
21153+ <para>Note for active directory domain this option is hardcoded to 'yes'</para>
21154+
21155+ <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
21156+
21157+ <para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
21158+</description>
21159+
21160+<value type="default">yes</value>
21161+</samba:parameter>
21162diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
21163index 23b45e2..a84a166 100644
21164--- a/lib/param/loadparm.c
21165+++ b/lib/param/loadparm.c
21166@@ -2183,6 +2183,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
21167
21168 lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
21169 lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
21170+ lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
21171 lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
21172 lpcfg_do_global_parameter(lp_ctx, "winbindd privileged socket directory", dyn_WINBINDD_PRIVILEGED_SOCKET_DIR);
21173 lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
21174diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
21175index ecd7f8e..41b137f 100644
21176--- a/lib/param/param_functions.c
21177+++ b/lib/param/param_functions.c
21178@@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
21179 FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
21180 FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
21181 FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
21182+FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
21183 FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
21184 FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
21185 FN_GLOBAL_BOOL(stat_cache, bStatCache)
21186diff --git a/lib/param/param_table.c b/lib/param/param_table.c
21187index b53f850..36e8554 100644
21188--- a/lib/param/param_table.c
21189+++ b/lib/param/param_table.c
21190@@ -4206,6 +4206,15 @@ static struct parm_struct parm_table[] = {
21191 .enum_list = NULL,
21192 .flags = FLAG_ADVANCED,
21193 },
21194+ {
21195+ .label = "require strong key",
21196+ .type = P_BOOL,
21197+ .p_class = P_GLOBAL,
21198+ .offset = GLOBAL_VAR(bRequireStrongKey),
21199+ .special = NULL,
21200+ .enum_list = NULL,
21201+ .flags = FLAG_ADVANCED,
21202+ },
21203
21204 {N_("DNS options"), P_SEP, P_SEPARATOR},
21205 {
21206--
212071.9.3
21208
21209
21210From 4e604cc566b2854045c5b794a846c1ab1ef4a35f Mon Sep 17 00:00:00 2001
21211From: Stefan Metzmacher <metze@samba.org>
21212Date: Thu, 17 Oct 2013 19:01:47 +0200
21213Subject: [PATCH 168/249] s3:param: set Globals.bRequireStrongKey = true
21214
21215Signed-off-by: Stefan Metzmacher <metze@samba.org>
21216Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21217(cherry picked from commit e7954bcc04ec6761b2ed6dad08b90c65efafa948)
21218---
21219 source3/param/loadparm.c | 1 +
21220 1 file changed, 1 insertion(+)
21221
21222diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
21223index 7d95256..ed46e53 100644
21224--- a/source3/param/loadparm.c
21225+++ b/source3/param/loadparm.c
21226@@ -835,6 +835,7 @@ static void init_globals(bool reinit_globals)
21227 Globals.bEncryptPasswords = true;
21228 Globals.clientSchannel = Auto;
21229 Globals.bWinbindSealedPipes = true;
21230+ Globals.bRequireStrongKey = true;
21231 Globals.serverSchannel = Auto;
21232 Globals.bReadRaw = true;
21233 Globals.bWriteRaw = true;
21234--
212351.9.3
21236
21237
21238From 382f69a0f3762947a3e8cc02e8e9817533073195 Mon Sep 17 00:00:00 2001
21239From: Stefan Metzmacher <metze@samba.org>
21240Date: Thu, 17 Oct 2013 18:48:15 +0200
21241Subject: [PATCH 169/249] libcli/auth: make use of real options in
21242 netlogon_creds_cli_context_global()
21243
21244Signed-off-by: Stefan Metzmacher <metze@samba.org>
21245Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21246(cherry picked from commit fa3af7c2e8f1bf292e190ba3d933b6e1d552595d)
21247---
21248 libcli/auth/netlogon_creds_cli.c | 18 +++---------------
21249 1 file changed, 3 insertions(+), 15 deletions(-)
21250
21251diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
21252index a872b31..6590b21 100644
21253--- a/libcli/auth/netlogon_creds_cli.c
21254+++ b/libcli/auth/netlogon_creds_cli.c
21255@@ -279,11 +279,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
21256 * allow overwrite per domain
21257 * reject md5 servers:<netbios_domain>
21258 */
21259- //TODO: add lpcfp_reject_md5_servers()
21260- reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
21261- "__default__",
21262- "reject md5 servers",
21263- reject_md5_servers);
21264+ reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
21265 reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
21266 "reject md5 servers",
21267 server_netbios_domain,
21268@@ -293,11 +289,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
21269 * allow overwrite per domain
21270 * require strong key:<netbios_domain>
21271 */
21272- //TODO: add lpcfp_require_strong_key()
21273- require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
21274- "__default__",
21275- "require strong key",
21276- require_strong_key);
21277+ require_strong_key = lpcfg_require_strong_key(lp_ctx);
21278 require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
21279 "require strong key",
21280 server_netbios_domain,
21281@@ -327,11 +319,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
21282 * allow overwrite per domain
21283 * neutralize nt4 emulation:<netbios_domain>
21284 */
21285- //TODO: add lpcfp_neutralize_nt4_emulation()
21286- neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
21287- "__default__",
21288- "neutralize nt4 emulation",
21289- neutralize_nt4_emulation);
21290+ neutralize_nt4_emulation = lpcfg_neutralize_nt4_emulation(lp_ctx);
21291 neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
21292 "neutralize nt4 emulation",
21293 server_netbios_domain,
21294--
212951.9.3
21296
21297
21298From 79e8c0c97591ed8bc129561e44b0d94757fcc4e1 Mon Sep 17 00:00:00 2001
21299From: Stefan Metzmacher <metze@samba.org>
21300Date: Mon, 23 Dec 2013 10:45:27 +0100
21301Subject: [PATCH 170/249] docs-xml: explain the interaction between security =
21302 ads and other options.
21303
21304It implies 'require strong key = yes' and 'client schannel = yes'.
21305
21306Signed-off-by: Stefan Metzmacher <metze@samba.org>
21307Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21308(cherry picked from commit f703a37a56e215827dbb2a7ec8da6738bf17f600)
21309---
21310 docs-xml/smbdotconf/security/security.xml | 5 ++++-
21311 1 file changed, 4 insertions(+), 1 deletion(-)
21312
21313diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml
21314index 406089f..2f5c3f7 100644
21315--- a/docs-xml/smbdotconf/security/security.xml
21316+++ b/docs-xml/smbdotconf/security/security.xml
21317@@ -99,7 +99,10 @@
21318
21319 <para>Note that this mode does NOT make Samba operate as a Active Directory Domain
21320 Controller. </para>
21321-
21322+
21323+ <para>Note that this forces <smbconfoption name="require strong key">yes</smbconfoption>
21324+ and <smbconfoption name="client schannel">yes</smbconfoption> for the primary domain.</para>
21325+
21326 <para>Read the chapter about Domain Membership in the HOWTO for details.</para>
21327 </description>
21328
21329--
213301.9.3
21331
21332
21333From 27ea332df51e3cd8ed9601633282b688e6f288a7 Mon Sep 17 00:00:00 2001
21334From: Stefan Metzmacher <metze@samba.org>
21335Date: Mon, 23 Dec 2013 10:46:57 +0100
21336Subject: [PATCH 171/249] docs-xml: explain the interaction of 'client
21337 schannel' with 'require strong key = yes'
21338
21339Signed-off-by: Stefan Metzmacher <metze@samba.org>
21340Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21341(cherry picked from commit 1d69fdddd5287757c2e67b0982d00241a6d75d26)
21342---
21343 docs-xml/smbdotconf/security/clientschannel.xml | 5 +++++
21344 1 file changed, 5 insertions(+)
21345
21346diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
21347index e229182..ac4cc59 100644
21348--- a/docs-xml/smbdotconf/security/clientschannel.xml
21349+++ b/docs-xml/smbdotconf/security/clientschannel.xml
21350@@ -12,6 +12,11 @@
21351 enforce it, and <smbconfoption name="client schannel">yes</smbconfoption> denies access
21352 if the server is not able to speak netlogon schannel.
21353 </para>
21354+
21355+ <para>Note that for active directory domains this is hardcoded to
21356+ <smbconfoption name="client schannel">yes</smbconfoption>.</para>
21357+
21358+ <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
21359 </description>
21360 <value type="default">auto</value>
21361 <value type="example">yes</value>
21362--
213631.9.3
21364
21365
21366From 4853daeffb1916db3b92dc6ba9e5776652ec5f4e Mon Sep 17 00:00:00 2001
21367From: Stefan Metzmacher <metze@samba.org>
21368Date: Thu, 17 Oct 2013 19:31:58 +0200
21369Subject: [PATCH 172/249] s3:winbindd: make use of the "winbind sealed pipes"
21370 option for all connections
21371
21372Signed-off-by: Stefan Metzmacher <metze@samba.org>
21373Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21374(cherry picked from commit 225982e1cb6276ed5c6a47c0e4827d75e8ab2fb1)
21375---
21376 source3/winbindd/winbindd.h | 3 +++
21377 source3/winbindd/winbindd_cm.c | 20 +++++++++++++++++---
21378 2 files changed, 20 insertions(+), 3 deletions(-)
21379
21380diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
21381index 72eb3ec..afde685 100644
21382--- a/source3/winbindd/winbindd.h
21383+++ b/source3/winbindd/winbindd.h
21384@@ -25,6 +25,7 @@
21385
21386 #include "nsswitch/winbind_struct_protocol.h"
21387 #include "nsswitch/libwbclient/wbclient.h"
21388+#include "librpc/gen_ndr/dcerpc.h"
21389 #include "librpc/gen_ndr/wbint.h"
21390
21391 #include "talloc_dict.h"
21392@@ -105,6 +106,8 @@ struct getpwent_user {
21393 struct winbindd_cm_conn {
21394 struct cli_state *cli;
21395
21396+ enum dcerpc_AuthLevel auth_level;
21397+
21398 struct rpc_pipe_client *samr_pipe;
21399 struct policy_handle sam_connect_handle, sam_domain_handle;
21400
21401diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
21402index c4f59d3..6c1244e 100644
21403--- a/source3/winbindd/winbindd_cm.c
21404+++ b/source3/winbindd/winbindd_cm.c
21405@@ -1722,6 +1722,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
21406 }
21407
21408 if (NT_STATUS_IS_OK(result)) {
21409+ bool seal_pipes = true;
21410
21411 winbindd_set_locator_kdc_envs(domain);
21412
21413@@ -1741,6 +1742,17 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
21414 */
21415 store_current_dc_in_gencache(domain->name, domain->dcname,
21416 new_conn->cli);
21417+
21418+ seal_pipes = lp_winbind_sealed_pipes();
21419+ seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
21420+ domain->name,
21421+ seal_pipes);
21422+
21423+ if (seal_pipes) {
21424+ new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
21425+ } else {
21426+ new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
21427+ }
21428 } else {
21429 /* Ensure we setup the retry handler. */
21430 set_domain_offline(domain);
21431@@ -1813,6 +1825,8 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
21432 }
21433 }
21434
21435+ conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
21436+
21437 if (conn->cli) {
21438 cli_shutdown(conn->cli);
21439 }
21440@@ -2363,7 +2377,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
21441 &ndr_table_samr,
21442 NCACN_NP,
21443 GENSEC_OID_NTLMSSP,
21444- DCERPC_AUTH_LEVEL_PRIVACY,
21445+ conn->auth_level,
21446 smbXcli_conn_remote_name(conn->cli->conn),
21447 domain_name,
21448 machine_account,
21449@@ -2534,7 +2548,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
21450
21451 if (conn->lsa_pipe_tcp &&
21452 conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
21453- conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY &&
21454+ conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY &&
21455 rpccli_is_connected(conn->lsa_pipe_tcp)) {
21456 goto done;
21457 }
21458@@ -2602,7 +2616,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
21459 result = cli_rpc_pipe_open_spnego
21460 (conn->cli, &ndr_table_lsarpc, NCACN_NP,
21461 GENSEC_OID_NTLMSSP,
21462- DCERPC_AUTH_LEVEL_PRIVACY,
21463+ conn->auth_level,
21464 smbXcli_conn_remote_name(conn->cli->conn),
21465 conn->cli->domain, conn->cli->user_name, conn->cli->password,
21466 &conn->lsa_pipe);
21467--
214681.9.3
21469
21470
21471From c2116e6a1ee32ff36942091287e90b08d1ecf6d1 Mon Sep 17 00:00:00 2001
21472From: Stefan Metzmacher <metze@samba.org>
21473Date: Thu, 14 Nov 2013 18:53:06 +0100
21474Subject: [PATCH 173/249] docs-xml: update 'winbind sealed pipes' description
21475
21476Signed-off-by: Stefan Metzmacher <metze@samba.org>
21477Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21478(cherry picked from commit 11aed7cd3dbd967593b34a206f0802fd0002bf27)
21479---
21480 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 6 +++---
21481 1 file changed, 3 insertions(+), 3 deletions(-)
21482
21483diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
21484index 26f446e..63f5588 100644
21485--- a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
21486+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
21487@@ -4,12 +4,12 @@
21488 advanced="1" developer="1"
21489 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
21490 <description>
21491- <para>This option controls whether any requests made over the Samba 4 winbind
21492+ <para>This option controls whether any requests from winbindd to domain controllers
21493 pipe will be sealed. Disabling sealing can be useful for debugging
21494 purposes.</para>
21495
21496- <para>Note that this option only applies to the Samba 4 winbind and not
21497- to the standard winbind.</para>
21498+ <para>The behavior can be controlled per netbios domain
21499+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
21500 </description>
21501
21502 <value type="default">yes</value>
21503--
215041.9.3
21505
21506
21507From ea14b4a713a85a2d87cba6ad88127020e1d5e813 Mon Sep 17 00:00:00 2001
21508From: Stefan Metzmacher <metze@samba.org>
21509Date: Sat, 27 Jul 2013 11:30:13 +0200
21510Subject: [PATCH 174/249] s3:rpc_client: make use of the new
21511 netlogon_creds_cli_context
21512
21513This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
21514and lets the secure channel session state be stored in node local database.
21515
21516This is the proper fix for a large number of bugs:
21517https://bugzilla.samba.org/show_bug.cgi?id=6563
21518https://bugzilla.samba.org/show_bug.cgi?id=7944
21519https://bugzilla.samba.org/show_bug.cgi?id=7945
21520https://bugzilla.samba.org/show_bug.cgi?id=7568
21521https://bugzilla.samba.org/show_bug.cgi?id=8599
21522
21523Signed-off-by: Stefan Metzmacher <metze@samba.org>
21524Reviewed-by: Andrew Bartlett <abartlet@samba.org>
21525(cherry picked from commit 38d4dba37406515181e4d6f1a1faffc18e652e27)
21526---
21527 source3/libnet/libnet_join.c | 3 +-
21528 source3/libnet/libnet_samsync.c | 19 +-
21529 source3/rpc_client/cli_netlogon.c | 436 ++++++++-------------------------
21530 source3/rpc_client/cli_pipe.c | 139 +++--------
21531 source3/rpc_client/cli_pipe.h | 2 +-
21532 source3/rpc_client/cli_pipe_schannel.c | 3 +-
21533 source3/rpc_client/rpc_client.h | 2 +-
21534 source3/rpcclient/cmd_netlogon.c | 57 ++++-
21535 source3/winbindd/winbindd.h | 9 -
21536 source3/winbindd/winbindd_cm.c | 36 +--
21537 source3/winbindd/winbindd_pam.c | 136 ++--------
21538 source3/wscript_build | 6 +-
21539 12 files changed, 250 insertions(+), 598 deletions(-)
21540
21541diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
21542index c1eccda..5dc620f 100644
21543--- a/source3/libnet/libnet_join.c
21544+++ b/source3/libnet/libnet_join.c
21545@@ -1279,7 +1279,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
21546 status = cli_rpc_pipe_open_schannel_with_key(
21547 cli, &ndr_table_netlogon, NCACN_NP,
21548 DCERPC_AUTH_LEVEL_PRIVACY,
21549- netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
21550+ netbios_domain_name,
21551+ netlogon_pipe->netlogon_creds, &pipe_hnd);
21552
21553 cli_shutdown(cli);
21554
21555diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
21556index a103785..02d3fc6 100644
21557--- a/source3/libnet/libnet_samsync.c
21558+++ b/source3/libnet/libnet_samsync.c
21559@@ -30,6 +30,7 @@
21560 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
21561 #include "../libcli/security/security.h"
21562 #include "messages.h"
21563+#include "../libcli/auth/netlogon_creds_cli.h"
21564
21565 /**
21566 * Fix up the delta, dealing with encryption issues so that the final
21567@@ -213,8 +214,15 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
21568
21569 do {
21570 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
21571+ struct netlogon_creds_CredentialState *creds = NULL;
21572
21573- netlogon_creds_client_authenticator(ctx->cli->dc, &credential);
21574+ status = netlogon_creds_cli_lock(ctx->cli->netlogon_creds,
21575+ mem_ctx, &creds);
21576+ if (!NT_STATUS_IS_OK(status)) {
21577+ return status;
21578+ }
21579+
21580+ netlogon_creds_client_authenticator(creds, &credential);
21581
21582 if (ctx->single_object_replication &&
21583 !ctx->force_full_replication) {
21584@@ -254,28 +262,33 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
21585 }
21586
21587 if (!NT_STATUS_IS_OK(status)) {
21588+ TALLOC_FREE(creds);
21589 return status;
21590 }
21591
21592 /* Check returned credentials. */
21593- if (!netlogon_creds_client_check(ctx->cli->dc,
21594+ if (!netlogon_creds_client_check(creds,
21595 &return_authenticator.cred)) {
21596+ TALLOC_FREE(creds);
21597 DEBUG(0,("credentials chain check failed\n"));
21598 return NT_STATUS_ACCESS_DENIED;
21599 }
21600
21601 if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
21602+ TALLOC_FREE(creds);
21603 return result;
21604 }
21605
21606 if (NT_STATUS_IS_ERR(result)) {
21607+ TALLOC_FREE(creds);
21608 break;
21609 }
21610
21611 samsync_fix_delta_array(mem_ctx,
21612- ctx->cli->dc,
21613+ creds,
21614 database_id,
21615 delta_enum_array);
21616+ TALLOC_FREE(creds);
21617
21618 /* Process results */
21619 callback_status = ctx->ops->process_objects(mem_ctx, database_id,
21620diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
21621index 5e8a2fc..fcd24d6 100644
21622--- a/source3/rpc_client/cli_netlogon.c
21623+++ b/source3/rpc_client/cli_netlogon.c
21624@@ -23,11 +23,13 @@
21625 #include "includes.h"
21626 #include "rpc_client/rpc_client.h"
21627 #include "../libcli/auth/libcli_auth.h"
21628+#include "../libcli/auth/netlogon_creds_cli.h"
21629 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
21630 #include "rpc_client/cli_netlogon.h"
21631 #include "rpc_client/init_netlogon.h"
21632 #include "rpc_client/util_netlogon.h"
21633 #include "../libcli/security/security.h"
21634+#include "lib/param/param.h"
21635
21636 /****************************************************************************
21637 Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
21638@@ -44,113 +46,81 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
21639 enum netr_SchannelType sec_chan_type,
21640 uint32_t *neg_flags_inout)
21641 {
21642+ TALLOC_CTX *frame = talloc_stackframe();
21643+ struct loadparm_context *lp_ctx;
21644 NTSTATUS status;
21645- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
21646- struct netr_Credential clnt_chal_send;
21647- struct netr_Credential srv_chal_recv;
21648 struct samr_Password password;
21649- bool retried = false;
21650 fstring mach_acct;
21651- uint32_t neg_flags = *neg_flags_inout;
21652 struct dcerpc_binding_handle *b = cli->binding_handle;
21653+ struct netlogon_creds_CredentialState *creds = NULL;
21654
21655 if (!ndr_syntax_id_equal(&cli->abstract_syntax,
21656 &ndr_table_netlogon.syntax_id)) {
21657+ TALLOC_FREE(frame);
21658 return NT_STATUS_INVALID_PARAMETER;
21659 }
21660
21661- TALLOC_FREE(cli->dc);
21662-
21663- /* Store the machine account password we're going to use. */
21664- memcpy(password.hash, machine_pwd, 16);
21665-
21666- fstr_sprintf( mach_acct, "%s$", machine_account);
21667-
21668- again:
21669- /* Create the client challenge. */
21670- generate_random_buffer(clnt_chal_send.data, 8);
21671-
21672- /* Get the server challenge. */
21673- status = dcerpc_netr_ServerReqChallenge(b, talloc_tos(),
21674- cli->srv_name_slash,
21675- clnt_name,
21676- &clnt_chal_send,
21677- &srv_chal_recv,
21678- &result);
21679- if (!NT_STATUS_IS_OK(status)) {
21680- return status;
21681- }
21682- if (!NT_STATUS_IS_OK(result)) {
21683- return result;
21684+ if (!strequal(lp_netbios_name(), clnt_name)) {
21685+ TALLOC_FREE(frame);
21686+ return NT_STATUS_INVALID_PARAMETER;
21687 }
21688
21689- /* Calculate the session key and client credentials */
21690+ TALLOC_FREE(cli->netlogon_creds);
21691
21692- cli->dc = netlogon_creds_client_init(cli,
21693- mach_acct,
21694- clnt_name,
21695- sec_chan_type,
21696- &clnt_chal_send,
21697- &srv_chal_recv,
21698- &password,
21699- &clnt_chal_send,
21700- neg_flags);
21701+ fstr_sprintf( mach_acct, "%s$", machine_account);
21702
21703- if (!cli->dc) {
21704+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
21705+ if (lp_ctx == NULL) {
21706+ TALLOC_FREE(frame);
21707 return NT_STATUS_NO_MEMORY;
21708 }
21709-
21710- /*
21711- * Send client auth-2 challenge and receive server repy.
21712- */
21713-
21714- status = dcerpc_netr_ServerAuthenticate2(b, talloc_tos(),
21715- cli->srv_name_slash,
21716- cli->dc->account_name,
21717- sec_chan_type,
21718- cli->dc->computer_name,
21719- &clnt_chal_send, /* input. */
21720- &srv_chal_recv, /* output. */
21721- &neg_flags,
21722- &result);
21723+ status = netlogon_creds_cli_context_global(lp_ctx,
21724+ NULL, /* msg_ctx */
21725+ mach_acct,
21726+ sec_chan_type,
21727+ server_name,
21728+ domain,
21729+ cli, &cli->netlogon_creds);
21730+ talloc_unlink(frame, lp_ctx);
21731 if (!NT_STATUS_IS_OK(status)) {
21732+ TALLOC_FREE(frame);
21733 return status;
21734 }
21735- /* we might be talking to NT4, so let's downgrade in that case and retry
21736- * with the returned neg_flags - gd */
21737
21738- if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried) {
21739- retried = true;
21740- TALLOC_FREE(cli->dc);
21741- goto again;
21742+ status = netlogon_creds_cli_get(cli->netlogon_creds,
21743+ frame, &creds);
21744+ if (NT_STATUS_IS_OK(status)) {
21745+ DEBUG(5,("rpccli_netlogon_setup_creds: server %s using "
21746+ "cached credential\n",
21747+ cli->desthost));
21748+ *neg_flags_inout = creds->negotiate_flags;
21749+ TALLOC_FREE(frame);
21750+ return NT_STATUS_OK;
21751 }
21752
21753- if (!NT_STATUS_IS_OK(result)) {
21754- return result;
21755- }
21756-
21757- /*
21758- * Check the returned value using the initial
21759- * server received challenge.
21760- */
21761-
21762- if (!netlogon_creds_client_check(cli->dc, &srv_chal_recv)) {
21763- /*
21764- * Server replied with bad credential. Fail.
21765- */
21766- DEBUG(0,("rpccli_netlogon_setup_creds: server %s "
21767- "replied with bad credential\n",
21768- cli->desthost ));
21769- return NT_STATUS_ACCESS_DENIED;
21770- }
21771+ /* Store the machine account password we're going to use. */
21772+ memcpy(password.hash, machine_pwd, 16);
21773
21774 DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
21775 "chain established.\n",
21776 cli->desthost ));
21777
21778- cli->dc->negotiate_flags = neg_flags;
21779- *neg_flags_inout = neg_flags;
21780+ status = netlogon_creds_cli_auth(cli->netlogon_creds, b,
21781+ password, NULL);
21782+ if (!NT_STATUS_IS_OK(status)) {
21783+ TALLOC_FREE(frame);
21784+ return status;
21785+ }
21786+
21787+ status = netlogon_creds_cli_get(cli->netlogon_creds,
21788+ frame, &creds);
21789+ if (!NT_STATUS_IS_OK(status)) {
21790+ TALLOC_FREE(frame);
21791+ return NT_STATUS_INTERNAL_ERROR;
21792+ }
21793
21794+ *neg_flags_inout = creds->negotiate_flags;
21795+ TALLOC_FREE(frame);
21796 return NT_STATUS_OK;
21797 }
21798
21799@@ -163,20 +133,16 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
21800 const char *username,
21801 const char *password,
21802 const char *workstation,
21803- uint16_t validation_level,
21804+ uint16_t _ignored_validation_level,
21805 int logon_type)
21806 {
21807- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
21808 NTSTATUS status;
21809- struct netr_Authenticator clnt_creds;
21810- struct netr_Authenticator ret_creds;
21811 union netr_LogonLevel *logon;
21812- union netr_Validation validation;
21813- uint8_t authoritative;
21814+ uint16_t validation_level = 0;
21815+ union netr_Validation *validation = NULL;
21816+ uint8_t authoritative = 0;
21817+ uint32_t flags = 0;
21818 fstring clnt_name_slash;
21819- struct dcerpc_binding_handle *b = cli->binding_handle;
21820-
21821- ZERO_STRUCT(ret_creds);
21822
21823 logon = talloc_zero(mem_ctx, union netr_LogonLevel);
21824 if (!logon) {
21825@@ -191,8 +157,6 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
21826
21827 /* Initialise input parameters */
21828
21829- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
21830-
21831 switch (logon_type) {
21832 case NetlogonInteractiveInformation: {
21833
21834@@ -208,17 +172,6 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
21835
21836 nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
21837
21838- if (cli->dc->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
21839- netlogon_creds_aes_encrypt(cli->dc, lmpassword.hash, 16);
21840- netlogon_creds_aes_encrypt(cli->dc, ntpassword.hash, 16);
21841- } else if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
21842- netlogon_creds_arcfour_crypt(cli->dc, lmpassword.hash, 16);
21843- netlogon_creds_arcfour_crypt(cli->dc, ntpassword.hash, 16);
21844- } else {
21845- netlogon_creds_des_encrypt(cli->dc, &lmpassword);
21846- netlogon_creds_des_encrypt(cli->dc, &ntpassword);
21847- }
21848-
21849 password_info->identity_info.domain_name.string = domain;
21850 password_info->identity_info.parameter_control = logon_parameters;
21851 password_info->identity_info.logon_id_low = 0xdead;
21852@@ -281,28 +234,20 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
21853 return NT_STATUS_INVALID_INFO_CLASS;
21854 }
21855
21856- status = dcerpc_netr_LogonSamLogon(b, mem_ctx,
21857- cli->srv_name_slash,
21858- lp_netbios_name(),
21859- &clnt_creds,
21860- &ret_creds,
21861- logon_type,
21862- logon,
21863- validation_level,
21864- &validation,
21865- &authoritative,
21866- &result);
21867+ status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
21868+ cli->binding_handle,
21869+ logon_type,
21870+ logon,
21871+ mem_ctx,
21872+ &validation_level,
21873+ &validation,
21874+ &authoritative,
21875+ &flags);
21876 if (!NT_STATUS_IS_OK(status)) {
21877 return status;
21878 }
21879
21880- /* Always check returned credentials */
21881- if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
21882- DEBUG(0,("rpccli_netlogon_sam_logon: credentials chain check failed\n"));
21883- return NT_STATUS_ACCESS_DENIED;
21884- }
21885-
21886- return result;
21887+ return NT_STATUS_OK;
21888 }
21889
21890 static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
21891@@ -366,29 +311,24 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
21892 const char *domain,
21893 const char *workstation,
21894 const uint8 chal[8],
21895- uint16_t validation_level,
21896+ uint16_t _ignored_validation_level,
21897 DATA_BLOB lm_response,
21898 DATA_BLOB nt_response,
21899 struct netr_SamInfo3 **info3)
21900 {
21901- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
21902 NTSTATUS status;
21903 const char *workstation_name_slash;
21904- const char *server_name_slash;
21905- struct netr_Authenticator clnt_creds;
21906- struct netr_Authenticator ret_creds;
21907 union netr_LogonLevel *logon = NULL;
21908 struct netr_NetworkInfo *network_info;
21909- uint8_t authoritative;
21910- union netr_Validation validation;
21911+ uint16_t validation_level = 0;
21912+ union netr_Validation *validation = NULL;
21913+ uint8_t authoritative = 0;
21914+ uint32_t flags = 0;
21915 struct netr_ChallengeResponse lm;
21916 struct netr_ChallengeResponse nt;
21917- struct dcerpc_binding_handle *b = cli->binding_handle;
21918
21919 *info3 = NULL;
21920
21921- ZERO_STRUCT(ret_creds);
21922-
21923 ZERO_STRUCT(lm);
21924 ZERO_STRUCT(nt);
21925
21926@@ -402,21 +342,13 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
21927 return NT_STATUS_NO_MEMORY;
21928 }
21929
21930- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
21931-
21932- if (server[0] != '\\' && server[1] != '\\') {
21933- server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
21934- } else {
21935- server_name_slash = server;
21936- }
21937-
21938 if (workstation[0] != '\\' && workstation[1] != '\\') {
21939 workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
21940 } else {
21941 workstation_name_slash = workstation;
21942 }
21943
21944- if (!workstation_name_slash || !server_name_slash) {
21945+ if (!workstation_name_slash) {
21946 DEBUG(0, ("talloc_asprintf failed!\n"));
21947 return NT_STATUS_NO_MEMORY;
21948 }
21949@@ -443,40 +375,27 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
21950
21951 /* Marshall data and send request */
21952
21953- status = dcerpc_netr_LogonSamLogon(b, mem_ctx,
21954- server_name_slash,
21955- lp_netbios_name(),
21956- &clnt_creds,
21957- &ret_creds,
21958- NetlogonNetworkInformation,
21959- logon,
21960- validation_level,
21961- &validation,
21962- &authoritative,
21963- &result);
21964+ status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
21965+ cli->binding_handle,
21966+ NetlogonNetworkInformation,
21967+ logon,
21968+ mem_ctx,
21969+ &validation_level,
21970+ &validation,
21971+ &authoritative,
21972+ &flags);
21973 if (!NT_STATUS_IS_OK(status)) {
21974 return status;
21975 }
21976
21977- /* Always check returned credentials. */
21978- if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
21979- DEBUG(0,("rpccli_netlogon_sam_network_logon: credentials chain check failed\n"));
21980- return NT_STATUS_ACCESS_DENIED;
21981- }
21982-
21983- if (!NT_STATUS_IS_OK(result)) {
21984- return result;
21985- }
21986-
21987- netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
21988- &validation);
21989-
21990- result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
21991- if (!NT_STATUS_IS_OK(result)) {
21992- return result;
21993+ status = map_validation_to_info3(mem_ctx,
21994+ validation_level, validation,
21995+ info3);
21996+ if (!NT_STATUS_IS_OK(status)) {
21997+ return status;
21998 }
21999
22000- return result;
22001+ return NT_STATUS_OK;
22002 }
22003
22004 NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
22005@@ -492,100 +411,18 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
22006 DATA_BLOB nt_response,
22007 struct netr_SamInfo3 **info3)
22008 {
22009- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
22010- NTSTATUS status;
22011- const char *workstation_name_slash;
22012- const char *server_name_slash;
22013- union netr_LogonLevel *logon = NULL;
22014- struct netr_NetworkInfo *network_info;
22015- uint8_t authoritative;
22016- union netr_Validation validation;
22017- struct netr_ChallengeResponse lm;
22018- struct netr_ChallengeResponse nt;
22019- uint32_t flags = 0;
22020- struct dcerpc_binding_handle *b = cli->binding_handle;
22021-
22022- *info3 = NULL;
22023-
22024- ZERO_STRUCT(lm);
22025- ZERO_STRUCT(nt);
22026-
22027- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
22028- if (!logon) {
22029- return NT_STATUS_NO_MEMORY;
22030- }
22031-
22032- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
22033- if (!network_info) {
22034- return NT_STATUS_NO_MEMORY;
22035- }
22036-
22037- if (server[0] != '\\' && server[1] != '\\') {
22038- server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
22039- } else {
22040- server_name_slash = server;
22041- }
22042-
22043- if (workstation[0] != '\\' && workstation[1] != '\\') {
22044- workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
22045- } else {
22046- workstation_name_slash = workstation;
22047- }
22048-
22049- if (!workstation_name_slash || !server_name_slash) {
22050- DEBUG(0, ("talloc_asprintf failed!\n"));
22051- return NT_STATUS_NO_MEMORY;
22052- }
22053-
22054- /* Initialise input parameters */
22055-
22056- lm.data = lm_response.data;
22057- lm.length = lm_response.length;
22058- nt.data = nt_response.data;
22059- nt.length = nt_response.length;
22060-
22061- network_info->identity_info.domain_name.string = domain;
22062- network_info->identity_info.parameter_control = logon_parameters;
22063- network_info->identity_info.logon_id_low = 0xdead;
22064- network_info->identity_info.logon_id_high = 0xbeef;
22065- network_info->identity_info.account_name.string = username;
22066- network_info->identity_info.workstation.string = workstation_name_slash;
22067-
22068- memcpy(network_info->challenge, chal, 8);
22069- network_info->nt = nt;
22070- network_info->lm = lm;
22071-
22072- logon->network = network_info;
22073-
22074- /* Marshall data and send request */
22075-
22076- status = dcerpc_netr_LogonSamLogonEx(b, mem_ctx,
22077- server_name_slash,
22078- lp_netbios_name(),
22079- NetlogonNetworkInformation,
22080- logon,
22081- validation_level,
22082- &validation,
22083- &authoritative,
22084- &flags,
22085- &result);
22086- if (!NT_STATUS_IS_OK(status)) {
22087- return status;
22088- }
22089-
22090- if (!NT_STATUS_IS_OK(result)) {
22091- return result;
22092- }
22093-
22094- netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
22095- &validation);
22096-
22097- result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
22098- if (!NT_STATUS_IS_OK(result)) {
22099- return result;
22100- }
22101-
22102- return result;
22103+ return rpccli_netlogon_sam_network_logon(cli,
22104+ mem_ctx,
22105+ logon_parameters,
22106+ server,
22107+ username,
22108+ domain,
22109+ workstation,
22110+ chal,
22111+ validation_level,
22112+ lm_response,
22113+ nt_response,
22114+ info3);
22115 }
22116
22117 /*********************************************************
22118@@ -605,11 +442,9 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
22119 const unsigned char new_trust_passwd_hash[16],
22120 enum netr_SchannelType sec_channel_type)
22121 {
22122- NTSTATUS result, status;
22123- struct netr_Authenticator clnt_creds, srv_cred;
22124- struct dcerpc_binding_handle *b = cli->binding_handle;
22125+ NTSTATUS result;
22126
22127- if (!cli->dc) {
22128+ if (cli->netlogon_creds == NULL) {
22129 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
22130 NETLOGON_NEG_SUPPORTS_AES;
22131 result = rpccli_netlogon_setup_creds(cli,
22132@@ -627,77 +462,16 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
22133 }
22134 }
22135
22136- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
22137-
22138- if (cli->dc->negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
22139-
22140- struct netr_CryptPassword new_password;
22141- uint32_t old_timeout;
22142-
22143- init_netr_CryptPassword(new_trust_pwd_cleartext,
22144- cli->dc,
22145- &new_password);
22146-
22147- old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
22148-
22149- status = dcerpc_netr_ServerPasswordSet2(b, mem_ctx,
22150- cli->srv_name_slash,
22151- cli->dc->account_name,
22152- sec_channel_type,
22153- cli->dc->computer_name,
22154- &clnt_creds,
22155- &srv_cred,
22156- &new_password,
22157- &result);
22158-
22159- dcerpc_binding_handle_set_timeout(b, old_timeout);
22160-
22161- if (!NT_STATUS_IS_OK(status)) {
22162- DEBUG(0,("dcerpc_netr_ServerPasswordSet2 failed: %s\n",
22163- nt_errstr(status)));
22164- return status;
22165- }
22166- } else {
22167-
22168- struct samr_Password new_password;
22169- uint32_t old_timeout;
22170-
22171- memcpy(new_password.hash, new_trust_passwd_hash, sizeof(new_password.hash));
22172- netlogon_creds_des_encrypt(cli->dc, &new_password);
22173-
22174- old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
22175-
22176- status = dcerpc_netr_ServerPasswordSet(b, mem_ctx,
22177- cli->srv_name_slash,
22178- cli->dc->account_name,
22179- sec_channel_type,
22180- cli->dc->computer_name,
22181- &clnt_creds,
22182- &srv_cred,
22183- &new_password,
22184- &result);
22185-
22186- dcerpc_binding_handle_set_timeout(b, old_timeout);
22187-
22188- if (!NT_STATUS_IS_OK(status)) {
22189- DEBUG(0,("dcerpc_netr_ServerPasswordSet failed: %s\n",
22190- nt_errstr(status)));
22191- return status;
22192- }
22193- }
22194-
22195- /* Always check returned credentials. */
22196- if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
22197- DEBUG(0,("credentials chain check failed\n"));
22198- return NT_STATUS_ACCESS_DENIED;
22199- }
22200-
22201+ result = netlogon_creds_cli_ServerPasswordSet(cli->netlogon_creds,
22202+ cli->binding_handle,
22203+ new_trust_pwd_cleartext,
22204+ NULL); /* new_version */
22205 if (!NT_STATUS_IS_OK(result)) {
22206- DEBUG(0,("dcerpc_netr_ServerPasswordSet{2} failed: %s\n",
22207+ DEBUG(0,("netlogon_creds_cli_ServerPasswordSet failed: %s\n",
22208 nt_errstr(result)));
22209 return result;
22210 }
22211
22212- return result;
22213+ return NT_STATUS_OK;
22214 }
22215
22216diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
22217index a45023f..fe1613d 100644
22218--- a/source3/rpc_client/cli_pipe.c
22219+++ b/source3/rpc_client/cli_pipe.c
22220@@ -24,6 +24,7 @@
22221 #include "librpc/gen_ndr/ndr_epmapper_c.h"
22222 #include "../librpc/gen_ndr/ndr_dssetup.h"
22223 #include "../libcli/auth/schannel.h"
22224+#include "../libcli/auth/netlogon_creds_cli.h"
22225 #include "auth_generic.h"
22226 #include "librpc/gen_ndr/ndr_dcerpc.h"
22227 #include "librpc/gen_ndr/ndr_netlogon_c.h"
22228@@ -3024,34 +3025,39 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
22229 enum dcerpc_transport_t transport,
22230 enum dcerpc_AuthLevel auth_level,
22231 const char *domain,
22232- struct netlogon_creds_CredentialState **pdc,
22233+ struct netlogon_creds_cli_context *netlogon_creds,
22234 struct rpc_pipe_client **_rpccli)
22235 {
22236 struct rpc_pipe_client *rpccli;
22237 struct pipe_auth_data *rpcauth;
22238+ struct netlogon_creds_CredentialState *creds = NULL;
22239 NTSTATUS status;
22240- NTSTATUS result;
22241- struct netlogon_creds_CredentialState save_creds;
22242- struct netr_Authenticator auth;
22243- struct netr_Authenticator return_auth;
22244- union netr_Capabilities capabilities;
22245 const char *target_service = table->authservices->names[0];
22246+ int rpc_pipe_bind_dbglvl = 0;
22247
22248 status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
22249 if (!NT_STATUS_IS_OK(status)) {
22250 return status;
22251 }
22252
22253+ status = netlogon_creds_cli_lock(netlogon_creds, rpccli, &creds);
22254+ if (!NT_STATUS_IS_OK(status)) {
22255+ DEBUG(0, ("netlogon_creds_cli_get returned %s\n",
22256+ nt_errstr(status)));
22257+ TALLOC_FREE(rpccli);
22258+ return status;
22259+ }
22260+
22261 status = rpccli_generic_bind_data(rpccli,
22262 DCERPC_AUTH_TYPE_SCHANNEL,
22263 auth_level,
22264 NULL,
22265 target_service,
22266 domain,
22267- (*pdc)->computer_name,
22268+ creds->computer_name,
22269 NULL,
22270 CRED_AUTO_USE_KERBEROS,
22271- *pdc,
22272+ creds,
22273 &rpcauth);
22274 if (!NT_STATUS_IS_OK(status)) {
22275 DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
22276@@ -3060,120 +3066,43 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
22277 return status;
22278 }
22279
22280- /*
22281- * The credentials on a new netlogon pipe are the ones we are passed
22282- * in - copy them over
22283- *
22284- * This may get overwritten... in rpc_pipe_bind()...
22285- */
22286- rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
22287- if (rpccli->dc == NULL) {
22288- TALLOC_FREE(rpccli);
22289- return NT_STATUS_NO_MEMORY;
22290- }
22291-
22292 status = rpc_pipe_bind(rpccli, rpcauth);
22293+ if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
22294+ rpc_pipe_bind_dbglvl = 1;
22295+ netlogon_creds_cli_delete(netlogon_creds, &creds);
22296+ }
22297 if (!NT_STATUS_IS_OK(status)) {
22298- DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
22299- "cli_rpc_pipe_bind failed with error %s\n",
22300- nt_errstr(status) ));
22301+ DEBUG(rpc_pipe_bind_dbglvl,
22302+ ("cli_rpc_pipe_open_schannel_with_key: "
22303+ "rpc_pipe_bind failed with error %s\n",
22304+ nt_errstr(status)));
22305 TALLOC_FREE(rpccli);
22306 return status;
22307 }
22308
22309- if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
22310- goto done;
22311- }
22312-
22313- save_creds = *rpccli->dc;
22314- ZERO_STRUCT(return_auth);
22315- ZERO_STRUCT(capabilities);
22316+ TALLOC_FREE(creds);
22317
22318- netlogon_creds_client_authenticator(&save_creds, &auth);
22319-
22320- status = dcerpc_netr_LogonGetCapabilities(rpccli->binding_handle,
22321- talloc_tos(),
22322- rpccli->srv_name_slash,
22323- save_creds.computer_name,
22324- &auth, &return_auth,
22325- 1, &capabilities,
22326- &result);
22327- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
22328- if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
22329- DEBUG(5, ("AES was negotiated and the error was %s - "
22330- "downgrade detected\n",
22331- nt_errstr(status)));
22332- TALLOC_FREE(rpccli);
22333- return NT_STATUS_INVALID_NETWORK_RESPONSE;
22334- }
22335-
22336- /* This is probably an old Samba Version */
22337- DEBUG(5, ("We are checking against an NT or old Samba - %s\n",
22338- nt_errstr(status)));
22339+ if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
22340 goto done;
22341 }
22342
22343+ status = netlogon_creds_cli_check(netlogon_creds,
22344+ rpccli->binding_handle);
22345 if (!NT_STATUS_IS_OK(status)) {
22346- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
22347+ DEBUG(0, ("netlogon_creds_cli_check failed with %s\n",
22348 nt_errstr(status)));
22349 TALLOC_FREE(rpccli);
22350 return status;
22351 }
22352
22353- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
22354- if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
22355- /* This means AES isn't supported. */
22356- DEBUG(5, ("AES was negotiated and the result was %s - "
22357- "downgrade detected\n",
22358- nt_errstr(result)));
22359- TALLOC_FREE(rpccli);
22360- return NT_STATUS_INVALID_NETWORK_RESPONSE;
22361- }
22362-
22363- /* This is probably an old Windows version */
22364- DEBUG(5, ("We are checking against an win2k3 or Samba - %s\n",
22365- nt_errstr(result)));
22366- goto done;
22367- }
22368-
22369- /*
22370- * We need to check the credential state here, cause win2k3 and earlier
22371- * returns NT_STATUS_NOT_IMPLEMENTED
22372- */
22373- if (!netlogon_creds_client_check(&save_creds, &return_auth.cred)) {
22374- /*
22375- * Server replied with bad credential. Fail.
22376- */
22377- DEBUG(0,("cli_rpc_pipe_open_schannel_with_key: server %s "
22378- "replied with bad credential\n",
22379- rpccli->desthost));
22380- TALLOC_FREE(rpccli);
22381- return NT_STATUS_INVALID_NETWORK_RESPONSE;
22382- }
22383- *rpccli->dc = save_creds;
22384-
22385- if (!NT_STATUS_IS_OK(result)) {
22386- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
22387- nt_errstr(result)));
22388- TALLOC_FREE(rpccli);
22389- return result;
22390- }
22391-
22392- if (!(save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
22393- /* This means AES isn't supported. */
22394- DEBUG(5, ("AES is not negotiated, but netr_LogonGetCapabilities "
22395- "was OK - downgrade detected\n"));
22396- TALLOC_FREE(rpccli);
22397- return NT_STATUS_INVALID_NETWORK_RESPONSE;
22398- }
22399-
22400- if (save_creds.negotiate_flags != capabilities.server_capabilities) {
22401- DEBUG(0, ("The client capabilities don't match the server "
22402- "capabilities: local[0x%08X] remote[0x%08X]\n",
22403- save_creds.negotiate_flags,
22404- capabilities.server_capabilities));
22405+ status = netlogon_creds_cli_context_copy(netlogon_creds,
22406+ rpccli,
22407+ &rpccli->netlogon_creds);
22408+ if (!NT_STATUS_IS_OK(status)) {
22409+ DEBUG(0, ("netlogon_creds_cli_context_copy failed with %s\n",
22410+ nt_errstr(status)));
22411 TALLOC_FREE(rpccli);
22412- return NT_STATUS_INVALID_NETWORK_RESPONSE;
22413+ return status;
22414 }
22415
22416 done:
22417diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
22418index 826f9bf..cf0c5c6 100644
22419--- a/source3/rpc_client/cli_pipe.h
22420+++ b/source3/rpc_client/cli_pipe.h
22421@@ -96,7 +96,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
22422 enum dcerpc_transport_t transport,
22423 enum dcerpc_AuthLevel auth_level,
22424 const char *domain,
22425- struct netlogon_creds_CredentialState **pdc,
22426+ struct netlogon_creds_cli_context *netlogon_creds,
22427 struct rpc_pipe_client **presult);
22428
22429 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
22430diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
22431index aaae44b..e3d65c8 100644
22432--- a/source3/rpc_client/cli_pipe_schannel.c
22433+++ b/source3/rpc_client/cli_pipe_schannel.c
22434@@ -112,7 +112,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
22435 }
22436
22437 status = cli_rpc_pipe_open_schannel_with_key(
22438- cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
22439+ cli, table, transport, auth_level, domain,
22440+ netlogon_pipe->netlogon_creds,
22441 &result);
22442
22443 /* Now we've bound using the session key we can close the netlog pipe. */
22444diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
22445index 8024f01..7c4cceb 100644
22446--- a/source3/rpc_client/rpc_client.h
22447+++ b/source3/rpc_client/rpc_client.h
22448@@ -50,7 +50,7 @@ struct rpc_pipe_client {
22449 struct pipe_auth_data *auth;
22450
22451 /* The following is only non-null on a netlogon client pipe. */
22452- struct netlogon_creds_CredentialState *dc;
22453+ struct netlogon_creds_cli_context *netlogon_creds;
22454 };
22455
22456 #endif /* _RPC_CLIENT_H */
22457diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
22458index d92434b..2e0b5e5 100644
22459--- a/source3/rpcclient/cmd_netlogon.c
22460+++ b/source3/rpcclient/cmd_netlogon.c
22461@@ -26,6 +26,7 @@
22462 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
22463 #include "rpc_client/cli_netlogon.h"
22464 #include "secrets.h"
22465+#include "../libcli/auth/netlogon_creds_cli.h"
22466
22467 static WERROR cmd_netlogon_logon_ctrl2(struct rpc_pipe_client *cli,
22468 TALLOC_CTX *mem_ctx, int argc,
22469@@ -630,8 +631,15 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
22470
22471 do {
22472 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
22473+ struct netlogon_creds_CredentialState *creds = NULL;
22474
22475- netlogon_creds_client_authenticator(cli->dc, &credential);
22476+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
22477+ mem_ctx, &creds);
22478+ if (!NT_STATUS_IS_OK(status)) {
22479+ return status;
22480+ }
22481+
22482+ netlogon_creds_client_authenticator(creds, &credential);
22483
22484 status = dcerpc_netr_DatabaseSync2(b, mem_ctx,
22485 logon_server,
22486@@ -645,15 +653,18 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
22487 0xffff,
22488 &result);
22489 if (!NT_STATUS_IS_OK(status)) {
22490+ TALLOC_FREE(creds);
22491 return status;
22492 }
22493
22494 /* Check returned credentials. */
22495- if (!netlogon_creds_client_check(cli->dc,
22496+ if (!netlogon_creds_client_check(creds,
22497 &return_authenticator.cred)) {
22498 DEBUG(0,("credentials chain check failed\n"));
22499+ TALLOC_FREE(creds);
22500 return NT_STATUS_ACCESS_DENIED;
22501 }
22502+ TALLOC_FREE(creds);
22503
22504 if (NT_STATUS_IS_ERR(result)) {
22505 break;
22506@@ -699,8 +710,15 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
22507
22508 do {
22509 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
22510+ struct netlogon_creds_CredentialState *creds = NULL;
22511+
22512+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
22513+ mem_ctx, &creds);
22514+ if (!NT_STATUS_IS_OK(status)) {
22515+ return status;
22516+ }
22517
22518- netlogon_creds_client_authenticator(cli->dc, &credential);
22519+ netlogon_creds_client_authenticator(creds, &credential);
22520
22521 status = dcerpc_netr_DatabaseDeltas(b, mem_ctx,
22522 logon_server,
22523@@ -713,15 +731,18 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
22524 0xffff,
22525 &result);
22526 if (!NT_STATUS_IS_OK(status)) {
22527+ TALLOC_FREE(creds);
22528 return status;
22529 }
22530
22531 /* Check returned credentials. */
22532- if (!netlogon_creds_client_check(cli->dc,
22533+ if (!netlogon_creds_client_check(creds,
22534 &return_authenticator.cred)) {
22535 DEBUG(0,("credentials chain check failed\n"));
22536+ TALLOC_FREE(creds);
22537 return NT_STATUS_ACCESS_DENIED;
22538 }
22539+ TALLOC_FREE(creds);
22540
22541 if (NT_STATUS_IS_ERR(result)) {
22542 break;
22543@@ -1129,6 +1150,7 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
22544 struct netr_ChangeLogEntry e;
22545 uint32_t rid = 500;
22546 struct dcerpc_binding_handle *b = cli->binding_handle;
22547+ struct netlogon_creds_CredentialState *creds = NULL;
22548
22549 if (argc > 2) {
22550 fprintf(stderr, "Usage: %s <user rid>\n", argv[0]);
22551@@ -1158,7 +1180,13 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
22552 return status;
22553 }
22554
22555- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
22556+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
22557+ mem_ctx, &creds);
22558+ if (!NT_STATUS_IS_OK(status)) {
22559+ return status;
22560+ }
22561+
22562+ netlogon_creds_client_authenticator(creds, &clnt_creds);
22563
22564 ZERO_STRUCT(e);
22565
22566@@ -1176,13 +1204,16 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
22567 &delta_enum_array,
22568 &result);
22569 if (!NT_STATUS_IS_OK(status)) {
22570+ TALLOC_FREE(creds);
22571 return status;
22572 }
22573
22574- if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
22575+ if (!netlogon_creds_client_check(creds, &srv_cred.cred)) {
22576 DEBUG(0,("credentials chain check failed\n"));
22577+ TALLOC_FREE(creds);
22578 return NT_STATUS_ACCESS_DENIED;
22579 }
22580+ TALLOC_FREE(creds);
22581
22582 return result;
22583 }
22584@@ -1198,6 +1229,7 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
22585 union netr_Capabilities capabilities;
22586 uint32_t level = 1;
22587 struct dcerpc_binding_handle *b = cli->binding_handle;
22588+ struct netlogon_creds_CredentialState *creds = NULL;
22589
22590 if (argc > 2) {
22591 fprintf(stderr, "Usage: %s <level>\n", argv[0]);
22592@@ -1210,7 +1242,13 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
22593
22594 ZERO_STRUCT(return_authenticator);
22595
22596- netlogon_creds_client_authenticator(cli->dc, &credential);
22597+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
22598+ mem_ctx, &creds);
22599+ if (!NT_STATUS_IS_OK(status)) {
22600+ return status;
22601+ }
22602+
22603+ netlogon_creds_client_authenticator(creds, &credential);
22604
22605 status = dcerpc_netr_LogonGetCapabilities(b, mem_ctx,
22606 cli->desthost,
22607@@ -1221,14 +1259,17 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
22608 &capabilities,
22609 &result);
22610 if (!NT_STATUS_IS_OK(status)) {
22611+ TALLOC_FREE(creds);
22612 return status;
22613 }
22614
22615- if (!netlogon_creds_client_check(cli->dc,
22616+ if (!netlogon_creds_client_check(creds,
22617 &return_authenticator.cred)) {
22618 DEBUG(0,("credentials chain check failed\n"));
22619+ TALLOC_FREE(creds);
22620 return NT_STATUS_ACCESS_DENIED;
22621 }
22622+ TALLOC_FREE(creds);
22623
22624 printf("capabilities: 0x%08x\n", capabilities.server_capabilities);
22625
22626diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
22627index afde685..b5fc010 100644
22628--- a/source3/winbindd/winbindd.h
22629+++ b/source3/winbindd/winbindd.h
22630@@ -165,16 +165,7 @@ struct winbindd_domain {
22631 time_t startup_time; /* When we set "startup" true. monotonic clock */
22632 bool startup; /* are we in the first 30 seconds after startup_time ? */
22633
22634- bool can_do_samlogon_ex; /* Due to the lack of finer control what type
22635- * of DC we have, let us try to do a
22636- * credential-chain less samlogon_ex call
22637- * with AD and schannel. If this fails with
22638- * DCERPC_FAULT_OP_RNG_ERROR, then set this
22639- * to False. This variable is around so that
22640- * we don't have to try _ex every time. */
22641-
22642 bool can_do_ncacn_ip_tcp;
22643- bool can_do_validation6;
22644
22645 /* Lookup methods for this domain (LDAP or RPC) */
22646 struct winbindd_methods *methods;
22647diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
22648index 6c1244e..e0d1d0c 100644
22649--- a/source3/winbindd/winbindd_cm.c
22650+++ b/source3/winbindd/winbindd_cm.c
22651@@ -2047,7 +2047,6 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
22652 domain->active_directory ? "" : "NOT "));
22653
22654 domain->can_do_ncacn_ip_tcp = domain->active_directory;
22655- domain->can_do_validation6 = domain->active_directory;
22656
22657 domain->initialized = True;
22658
22659@@ -2248,7 +2247,6 @@ done:
22660 domain->name, domain->active_directory ? "" : "NOT "));
22661
22662 domain->can_do_ncacn_ip_tcp = domain->active_directory;
22663- domain->can_do_validation6 = domain->active_directory;
22664
22665 TALLOC_FREE(cli);
22666
22667@@ -2289,7 +2287,7 @@ static void set_dc_type_and_flags( struct winbindd_domain *domain )
22668 ***********************************************************************/
22669
22670 static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
22671- struct netlogon_creds_CredentialState **ppdc)
22672+ struct netlogon_creds_cli_context **ppdc)
22673 {
22674 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
22675 struct rpc_pipe_client *netlogon_pipe;
22676@@ -2306,11 +2304,11 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
22677 /* Return a pointer to the struct netlogon_creds_CredentialState from the
22678 netlogon pipe. */
22679
22680- if (!domain->conn.netlogon_pipe->dc) {
22681+ if (!domain->conn.netlogon_pipe->netlogon_creds) {
22682 return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
22683 }
22684
22685- *ppdc = domain->conn.netlogon_pipe->dc;
22686+ *ppdc = domain->conn.netlogon_pipe->netlogon_creds;
22687 return NT_STATUS_OK;
22688 }
22689
22690@@ -2319,7 +2317,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
22691 {
22692 struct winbindd_cm_conn *conn;
22693 NTSTATUS status, result;
22694- struct netlogon_creds_CredentialState *p_creds;
22695+ struct netlogon_creds_cli_context *p_creds;
22696 char *machine_password = NULL;
22697 char *machine_account = NULL;
22698 const char *domain_name = NULL;
22699@@ -2431,7 +2429,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
22700 status = cli_rpc_pipe_open_schannel_with_key
22701 (conn->cli, &ndr_table_samr, NCACN_NP,
22702 DCERPC_AUTH_LEVEL_PRIVACY,
22703- domain->name, &p_creds, &conn->samr_pipe);
22704+ domain->name, p_creds, &conn->samr_pipe);
22705
22706 if (!NT_STATUS_IS_OK(status)) {
22707 DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
22708@@ -2534,7 +2532,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
22709 struct rpc_pipe_client **cli)
22710 {
22711 struct winbindd_cm_conn *conn;
22712- struct netlogon_creds_CredentialState *creds;
22713+ struct netlogon_creds_cli_context *creds;
22714 NTSTATUS status;
22715
22716 DEBUG(10,("cm_connect_lsa_tcp\n"));
22717@@ -2565,7 +2563,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
22718 NCACN_IP_TCP,
22719 DCERPC_AUTH_LEVEL_PRIVACY,
22720 domain->name,
22721- &creds,
22722+ creds,
22723 &conn->lsa_pipe_tcp);
22724 if (!NT_STATUS_IS_OK(status)) {
22725 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
22726@@ -2589,7 +2587,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
22727 {
22728 struct winbindd_cm_conn *conn;
22729 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
22730- struct netlogon_creds_CredentialState *p_creds;
22731+ struct netlogon_creds_cli_context *p_creds;
22732
22733 result = init_dc_connection_rpc(domain);
22734 if (!NT_STATUS_IS_OK(result))
22735@@ -2662,7 +2660,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
22736 result = cli_rpc_pipe_open_schannel_with_key
22737 (conn->cli, &ndr_table_lsarpc, NCACN_NP,
22738 DCERPC_AUTH_LEVEL_PRIVACY,
22739- domain->name, &p_creds, &conn->lsa_pipe);
22740+ domain->name, p_creds, &conn->lsa_pipe);
22741
22742 if (!NT_STATUS_IS_OK(result)) {
22743 DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
22744@@ -2826,10 +2824,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
22745 no_schannel:
22746 if ((lp_client_schannel() == False) ||
22747 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
22748- /*
22749- * NetSamLogonEx only works for schannel
22750- */
22751- domain->can_do_samlogon_ex = False;
22752
22753 /* We're done - just keep the existing connection to NETLOGON
22754 * open */
22755@@ -2845,7 +2839,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
22756
22757 result = cli_rpc_pipe_open_schannel_with_key(
22758 conn->cli, &ndr_table_netlogon, NCACN_NP,
22759- DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
22760+ DCERPC_AUTH_LEVEL_PRIVACY, domain->name,
22761+ netlogon_pipe->netlogon_creds,
22762 &conn->netlogon_pipe);
22763
22764 /* We can now close the initial netlogon pipe. */
22765@@ -2859,15 +2854,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
22766 return result;
22767 }
22768
22769- /*
22770- * Always try netr_LogonSamLogonEx. We will fall back for NT4
22771- * which gives DCERPC_FAULT_OP_RNG_ERROR (function not
22772- * supported). We used to only try SamLogonEx for AD, but
22773- * Samba DCs can also do it. And because we don't distinguish
22774- * between Samba and NT4, always try it once.
22775- */
22776- domain->can_do_samlogon_ex = true;
22777-
22778 *cli = conn->netlogon_pipe;
22779 return NT_STATUS_OK;
22780 }
22781diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
22782index c356686..39483a5 100644
22783--- a/source3/winbindd/winbindd_pam.c
22784+++ b/source3/winbindd/winbindd_pam.c
22785@@ -1228,8 +1228,6 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
22786
22787 do {
22788 struct rpc_pipe_client *netlogon_pipe;
22789- const struct pipe_auth_data *auth;
22790- uint32_t neg_flags = 0;
22791
22792 ZERO_STRUCTP(info3);
22793 retry = false;
22794@@ -1278,75 +1276,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
22795 }
22796 netr_attempts = 0;
22797
22798- auth = netlogon_pipe->auth;
22799- if (netlogon_pipe->dc) {
22800- neg_flags = netlogon_pipe->dc->negotiate_flags;
22801- }
22802-
22803- /* It is really important to try SamLogonEx here,
22804- * because in a clustered environment, we want to use
22805- * one machine account from multiple physical
22806- * computers.
22807- *
22808- * With a normal SamLogon call, we must keep the
22809- * credentials chain updated and intact between all
22810- * users of the machine account (which would imply
22811- * cross-node communication for every NTLM logon).
22812- *
22813- * (The credentials chain is not per NETLOGON pipe
22814- * connection, but globally on the server/client pair
22815- * by machine name).
22816- *
22817- * When using SamLogonEx, the credentials are not
22818- * supplied, but the session key is implied by the
22819- * wrapping SamLogon context.
22820- *
22821- * -- abartlet 21 April 2008
22822- *
22823- * It's also important to use NetlogonValidationSamInfo4 (6),
22824- * because it relies on the rpc transport encryption
22825- * and avoids using the global netlogon schannel
22826- * session key to en/decrypt secret information
22827- * like the user_session_key for network logons.
22828- *
22829- * [MS-APDS] 3.1.5.2 NTLM Network Logon
22830- * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
22831- * NETLOGON_NEG_AUTHENTICATED_RPC set together
22832- * are the indication that the server supports
22833- * NetlogonValidationSamInfo4 (6). And it must only
22834- * be used if "SealSecureChannel" is used.
22835- *
22836- * -- metze 4 February 2011
22837- */
22838-
22839- if (auth == NULL) {
22840- domain->can_do_validation6 = false;
22841- } else if (auth->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
22842- domain->can_do_validation6 = false;
22843- } else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
22844- domain->can_do_validation6 = false;
22845- } else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
22846- domain->can_do_validation6 = false;
22847- } else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
22848- domain->can_do_validation6 = false;
22849- }
22850-
22851- if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
22852- result = rpccli_netlogon_sam_network_logon_ex(
22853- netlogon_pipe,
22854- mem_ctx,
22855- logon_parameters,
22856- server, /* server name */
22857- username, /* user name */
22858- domainname, /* target domain */
22859- workstation, /* workstation */
22860- chal,
22861- 6,
22862- lm_response,
22863- nt_response,
22864- info3);
22865- } else {
22866- result = rpccli_netlogon_sam_network_logon(
22867+ result = rpccli_netlogon_sam_network_logon(
22868 netlogon_pipe,
22869 mem_ctx,
22870 logon_parameters,
22871@@ -1355,48 +1285,10 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
22872 domainname, /* target domain */
22873 workstation, /* workstation */
22874 chal,
22875- domain->can_do_validation6 ? 6 : 3,
22876+ -1, /* ignored */
22877 lm_response,
22878 nt_response,
22879 info3);
22880- }
22881-
22882- if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
22883-
22884- /*
22885- * It's likely that the server also does not support
22886- * validation level 6
22887- */
22888- domain->can_do_validation6 = false;
22889-
22890- if (domain->can_do_samlogon_ex) {
22891- DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
22892- "retrying with NetSamLogon\n"));
22893- domain->can_do_samlogon_ex = false;
22894- retry = true;
22895- continue;
22896- }
22897-
22898-
22899- /* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
22900- * (no Ex). This happens against old Samba
22901- * DCs. Drop the connection.
22902- */
22903- invalidate_cm_connection(&domain->conn);
22904- result = NT_STATUS_LOGON_FAILURE;
22905- break;
22906- }
22907-
22908- if (domain->can_do_validation6 &&
22909- (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
22910- NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
22911- NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
22912- DEBUG(3,("Got a DC that can not do validation level 6, "
22913- "retrying with level 3\n"));
22914- domain->can_do_validation6 = false;
22915- retry = true;
22916- continue;
22917- }
22918
22919 /*
22920 * we increment this after the "feature negotiation"
22921@@ -1428,6 +1320,30 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
22922 retry = true;
22923 }
22924
22925+ if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
22926+ /*
22927+ * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
22928+ * (no Ex). This happens against old Samba
22929+ * DCs, if LogonSamLogonEx() fails with an error
22930+ * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
22931+ *
22932+ * The server will log something like this:
22933+ * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
22934+ *
22935+ * This sets the whole connection into a fault_state mode
22936+ * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
22937+ *
22938+ * This also happens to our retry with LogonSamLogonWithFlags()
22939+ * and LogonSamLogon().
22940+ *
22941+ * In order to recover from this situation, we need to
22942+ * drop the connection.
22943+ */
22944+ invalidate_cm_connection(&domain->conn);
22945+ result = NT_STATUS_LOGON_FAILURE;
22946+ break;
22947+ }
22948+
22949 } while ( (attempts < 2) && retry );
22950
22951 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
22952diff --git a/source3/wscript_build b/source3/wscript_build
22953index 13d15c3..0d3ba8e 100755
22954--- a/source3/wscript_build
22955+++ b/source3/wscript_build
22956@@ -671,8 +671,8 @@ bld.SAMBA3_LIBRARY('msrpc3',
22957 deps='''ndr ndr-standard
22958 RPC_NDR_EPMAPPER NTLMSSP_COMMON COMMON_SCHANNEL LIBCLI_AUTH
22959 LIBTSOCKET gse dcerpc-binding
22960- libsmb
22961- ndr-table''',
22962+ libsmb ndr-table NETLOGON_CREDS_CLI
22963+ ''',
22964 vars=locals(),
22965 private_library=True)
22966
22967@@ -1114,7 +1114,7 @@ bld.SAMBA3_LIBRARY('libcli_lsa3',
22968
22969 bld.SAMBA3_LIBRARY('libcli_netlogon3',
22970 source=LIBCLI_NETLOGON_SRC,
22971- deps='RPC_NDR_NETLOGON INIT_NETLOGON cliauth param',
22972+ deps='msrpc3 RPC_NDR_NETLOGON INIT_NETLOGON cliauth param NETLOGON_CREDS_CLI',
22973 private_library=True)
22974
22975 bld.SAMBA3_LIBRARY('cli_spoolss',
22976--
229771.9.3
22978
22979
22980From 0b489bffb452e05d595abc2894532100162a4e8c Mon Sep 17 00:00:00 2001
22981From: Stefan Metzmacher <metze@samba.org>
22982Date: Thu, 17 Oct 2013 17:03:00 +0200
22983Subject: [PATCH 175/249] s3:rpc_client: use netlogon_creds_cli_auth_level() in
22984 cli_rpc_pipe_open_schannel_with_key()
22985
22986This means the auth level is now based on the "winbindd sealed pipes" option,
22987defaulting to "yes" and DCERPC_AUTH_LEVEL_PRIVACY.
22988
22989Signed-off-by: Stefan Metzmacher <metze@samba.org>
22990Reviewed-by: Andrew Bartlett <abartlet@samba.org>
22991(cherry picked from commit 5adfc5f9f737c003b84b0187fa17b9fc3784442e)
22992---
22993 source3/libnet/libnet_join.c | 1 -
22994 source3/rpc_client/cli_pipe.c | 4 +++-
22995 source3/rpc_client/cli_pipe.h | 1 -
22996 source3/rpc_client/cli_pipe_schannel.c | 2 +-
22997 source3/winbindd/winbindd_cm.c | 5 +----
22998 5 files changed, 5 insertions(+), 8 deletions(-)
22999
23000diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
23001index 5dc620f..b2805ee 100644
23002--- a/source3/libnet/libnet_join.c
23003+++ b/source3/libnet/libnet_join.c
23004@@ -1278,7 +1278,6 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
23005
23006 status = cli_rpc_pipe_open_schannel_with_key(
23007 cli, &ndr_table_netlogon, NCACN_NP,
23008- DCERPC_AUTH_LEVEL_PRIVACY,
23009 netbios_domain_name,
23010 netlogon_pipe->netlogon_creds, &pipe_hnd);
23011
23012diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
23013index fe1613d..31cd7f5 100644
23014--- a/source3/rpc_client/cli_pipe.c
23015+++ b/source3/rpc_client/cli_pipe.c
23016@@ -3023,7 +3023,6 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
23017 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
23018 const struct ndr_interface_table *table,
23019 enum dcerpc_transport_t transport,
23020- enum dcerpc_AuthLevel auth_level,
23021 const char *domain,
23022 struct netlogon_creds_cli_context *netlogon_creds,
23023 struct rpc_pipe_client **_rpccli)
23024@@ -3031,6 +3030,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
23025 struct rpc_pipe_client *rpccli;
23026 struct pipe_auth_data *rpcauth;
23027 struct netlogon_creds_CredentialState *creds = NULL;
23028+ enum dcerpc_AuthLevel auth_level;
23029 NTSTATUS status;
23030 const char *target_service = table->authservices->names[0];
23031 int rpc_pipe_bind_dbglvl = 0;
23032@@ -3048,6 +3048,8 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
23033 return status;
23034 }
23035
23036+ auth_level = netlogon_creds_cli_auth_level(netlogon_creds);
23037+
23038 status = rpccli_generic_bind_data(rpccli,
23039 DCERPC_AUTH_TYPE_SCHANNEL,
23040 auth_level,
23041diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
23042index cf0c5c6..c21c55d 100644
23043--- a/source3/rpc_client/cli_pipe.h
23044+++ b/source3/rpc_client/cli_pipe.h
23045@@ -94,7 +94,6 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
23046 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
23047 const struct ndr_interface_table *table,
23048 enum dcerpc_transport_t transport,
23049- enum dcerpc_AuthLevel auth_level,
23050 const char *domain,
23051 struct netlogon_creds_cli_context *netlogon_creds,
23052 struct rpc_pipe_client **presult);
23053diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
23054index e3d65c8..8f9161f 100644
23055--- a/source3/rpc_client/cli_pipe_schannel.c
23056+++ b/source3/rpc_client/cli_pipe_schannel.c
23057@@ -112,7 +112,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
23058 }
23059
23060 status = cli_rpc_pipe_open_schannel_with_key(
23061- cli, table, transport, auth_level, domain,
23062+ cli, table, transport, domain,
23063 netlogon_pipe->netlogon_creds,
23064 &result);
23065
23066diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
23067index e0d1d0c..1546002 100644
23068--- a/source3/winbindd/winbindd_cm.c
23069+++ b/source3/winbindd/winbindd_cm.c
23070@@ -2428,7 +2428,6 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
23071 }
23072 status = cli_rpc_pipe_open_schannel_with_key
23073 (conn->cli, &ndr_table_samr, NCACN_NP,
23074- DCERPC_AUTH_LEVEL_PRIVACY,
23075 domain->name, p_creds, &conn->samr_pipe);
23076
23077 if (!NT_STATUS_IS_OK(status)) {
23078@@ -2561,7 +2560,6 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
23079 status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
23080 &ndr_table_lsarpc,
23081 NCACN_IP_TCP,
23082- DCERPC_AUTH_LEVEL_PRIVACY,
23083 domain->name,
23084 creds,
23085 &conn->lsa_pipe_tcp);
23086@@ -2659,7 +2657,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
23087 }
23088 result = cli_rpc_pipe_open_schannel_with_key
23089 (conn->cli, &ndr_table_lsarpc, NCACN_NP,
23090- DCERPC_AUTH_LEVEL_PRIVACY,
23091 domain->name, p_creds, &conn->lsa_pipe);
23092
23093 if (!NT_STATUS_IS_OK(result)) {
23094@@ -2839,7 +2836,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
23095
23096 result = cli_rpc_pipe_open_schannel_with_key(
23097 conn->cli, &ndr_table_netlogon, NCACN_NP,
23098- DCERPC_AUTH_LEVEL_PRIVACY, domain->name,
23099+ domain->name,
23100 netlogon_pipe->netlogon_creds,
23101 &conn->netlogon_pipe);
23102
23103--
231041.9.3
23105
23106
23107From 0f19f3b64e4f0b969eec4f2048df7c40be661e82 Mon Sep 17 00:00:00 2001
23108From: Stefan Metzmacher <metze@samba.org>
23109Date: Wed, 7 Aug 2013 11:27:25 +0200
23110Subject: [PATCH 176/249] s3:rpc_client: add
23111 rpccli_{create,setup}_netlogon_creds()
23112
23113Signed-off-by: Stefan Metzmacher <metze@samba.org>
23114Reviewed-by: Andrew Bartlett <abartlet@samba.org>
23115(cherry picked from commit 14ceb7b501fce6623be284cbcceb573fd2e10d3a)
23116---
23117 source3/rpc_client/cli_netlogon.c | 105 ++++++++++++++++++++++++++++++++++++++
23118 source3/rpc_client/cli_netlogon.h | 16 ++++++
23119 2 files changed, 121 insertions(+)
23120
23121diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
23122index fcd24d6..89aec37 100644
23123--- a/source3/rpc_client/cli_netlogon.c
23124+++ b/source3/rpc_client/cli_netlogon.c
23125@@ -21,15 +21,19 @@
23126 */
23127
23128 #include "includes.h"
23129+#include "libsmb/libsmb.h"
23130 #include "rpc_client/rpc_client.h"
23131+#include "rpc_client/cli_pipe.h"
23132 #include "../libcli/auth/libcli_auth.h"
23133 #include "../libcli/auth/netlogon_creds_cli.h"
23134 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
23135+#include "../librpc/gen_ndr/schannel.h"
23136 #include "rpc_client/cli_netlogon.h"
23137 #include "rpc_client/init_netlogon.h"
23138 #include "rpc_client/util_netlogon.h"
23139 #include "../libcli/security/security.h"
23140 #include "lib/param/param.h"
23141+#include "libcli/smb/smbXcli_base.h"
23142
23143 /****************************************************************************
23144 Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
23145@@ -124,6 +128,107 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
23146 return NT_STATUS_OK;
23147 }
23148
23149+NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
23150+ const char *server_netbios_domain,
23151+ const char *client_account,
23152+ enum netr_SchannelType sec_chan_type,
23153+ struct messaging_context *msg_ctx,
23154+ TALLOC_CTX *mem_ctx,
23155+ struct netlogon_creds_cli_context **netlogon_creds)
23156+{
23157+ TALLOC_CTX *frame = talloc_stackframe();
23158+ struct loadparm_context *lp_ctx;
23159+ NTSTATUS status;
23160+
23161+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
23162+ if (lp_ctx == NULL) {
23163+ TALLOC_FREE(frame);
23164+ return NT_STATUS_NO_MEMORY;
23165+ }
23166+ status = netlogon_creds_cli_context_global(lp_ctx,
23167+ msg_ctx,
23168+ client_account,
23169+ sec_chan_type,
23170+ server_computer,
23171+ server_netbios_domain,
23172+ mem_ctx, netlogon_creds);
23173+ TALLOC_FREE(frame);
23174+ if (!NT_STATUS_IS_OK(status)) {
23175+ return status;
23176+ }
23177+
23178+ return NT_STATUS_OK;
23179+}
23180+
23181+NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
23182+ struct netlogon_creds_cli_context *netlogon_creds,
23183+ bool force_reauth,
23184+ struct samr_Password current_nt_hash,
23185+ const struct samr_Password *previous_nt_hash)
23186+{
23187+ TALLOC_CTX *frame = talloc_stackframe();
23188+ struct rpc_pipe_client *netlogon_pipe = NULL;
23189+ struct netlogon_creds_CredentialState *creds = NULL;
23190+ NTSTATUS status;
23191+
23192+ status = netlogon_creds_cli_get(netlogon_creds,
23193+ frame, &creds);
23194+ if (NT_STATUS_IS_OK(status)) {
23195+ const char *action = "using";
23196+
23197+ if (force_reauth) {
23198+ action = "overwrite";
23199+ }
23200+
23201+ DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
23202+ __FUNCTION__, action,
23203+ creds->account_name, creds->computer_name,
23204+ smbXcli_conn_remote_name(cli->conn)));
23205+ if (!force_reauth) {
23206+ TALLOC_FREE(frame);
23207+ return NT_STATUS_OK;
23208+ }
23209+ TALLOC_FREE(creds);
23210+ }
23211+
23212+ status = cli_rpc_pipe_open_noauth(cli,
23213+ &ndr_table_netlogon,
23214+ &netlogon_pipe);
23215+ if (!NT_STATUS_IS_OK(status)) {
23216+ DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
23217+ __FUNCTION__,
23218+ smbXcli_conn_remote_name(cli->conn),
23219+ nt_errstr(status)));
23220+ TALLOC_FREE(frame);
23221+ return status;
23222+ }
23223+ talloc_steal(frame, netlogon_pipe);
23224+
23225+ status = netlogon_creds_cli_auth(netlogon_creds,
23226+ netlogon_pipe->binding_handle,
23227+ current_nt_hash,
23228+ previous_nt_hash);
23229+ if (!NT_STATUS_IS_OK(status)) {
23230+ TALLOC_FREE(frame);
23231+ return status;
23232+ }
23233+
23234+ status = netlogon_creds_cli_get(netlogon_creds,
23235+ frame, &creds);
23236+ if (!NT_STATUS_IS_OK(status)) {
23237+ TALLOC_FREE(frame);
23238+ return NT_STATUS_INTERNAL_ERROR;
23239+ }
23240+
23241+ DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
23242+ __FUNCTION__,
23243+ creds->account_name, creds->computer_name,
23244+ smbXcli_conn_remote_name(cli->conn)));
23245+
23246+ TALLOC_FREE(frame);
23247+ return NT_STATUS_OK;
23248+}
23249+
23250 /* Logon domain user */
23251
23252 NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
23253diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
23254index ad59d5b..82e0923 100644
23255--- a/source3/rpc_client/cli_netlogon.h
23256+++ b/source3/rpc_client/cli_netlogon.h
23257@@ -23,6 +23,10 @@
23258 #ifndef _RPC_CLIENT_CLI_NETLOGON_H_
23259 #define _RPC_CLIENT_CLI_NETLOGON_H_
23260
23261+struct cli_state;
23262+struct messaging_context;
23263+struct netlogon_creds_cli_context;
23264+
23265 /* The following definitions come from rpc_client/cli_netlogon.c */
23266
23267 NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
23268@@ -33,6 +37,18 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
23269 const unsigned char machine_pwd[16],
23270 enum netr_SchannelType sec_chan_type,
23271 uint32_t *neg_flags_inout);
23272+NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
23273+ const char *server_netbios_domain,
23274+ const char *client_account,
23275+ enum netr_SchannelType sec_chan_type,
23276+ struct messaging_context *msg_ctx,
23277+ TALLOC_CTX *mem_ctx,
23278+ struct netlogon_creds_cli_context **netlogon_creds);
23279+NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
23280+ struct netlogon_creds_cli_context *netlogon_creds,
23281+ bool force_reauth,
23282+ struct samr_Password current_nt_hash,
23283+ const struct samr_Password *previous_nt_hash);
23284 NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
23285 TALLOC_CTX *mem_ctx,
23286 uint32 logon_parameters,
23287--
232881.9.3
23289
23290
23291From de0ed0882a458e52ef232e7d44234bf393311fc0 Mon Sep 17 00:00:00 2001
23292From: Stefan Metzmacher <metze@samba.org>
23293Date: Tue, 17 Dec 2013 20:05:56 +0100
23294Subject: [PATCH 177/249] s3:rpc_client: add rpccli_pre_open_netlogon_creds()
23295
23296Signed-off-by: Stefan Metzmacher <metze@samba.org>
23297Reviewed-by: Andrew Bartlett <abartlet@samba.org>
23298(cherry picked from commit 3c025af657899c9a2ff14f868c03ff72ab74cf8e)
23299---
23300 source3/rpc_client/cli_netlogon.c | 21 +++++++++++++++++++++
23301 source3/rpc_client/cli_netlogon.h | 1 +
23302 2 files changed, 22 insertions(+)
23303
23304diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
23305index 89aec37..9342fc3 100644
23306--- a/source3/rpc_client/cli_netlogon.c
23307+++ b/source3/rpc_client/cli_netlogon.c
23308@@ -128,6 +128,27 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
23309 return NT_STATUS_OK;
23310 }
23311
23312+NTSTATUS rpccli_pre_open_netlogon_creds(void)
23313+{
23314+ TALLOC_CTX *frame = talloc_stackframe();
23315+ struct loadparm_context *lp_ctx;
23316+ NTSTATUS status;
23317+
23318+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
23319+ if (lp_ctx == NULL) {
23320+ TALLOC_FREE(frame);
23321+ return NT_STATUS_NO_MEMORY;
23322+ }
23323+
23324+ status = netlogon_creds_cli_open_global_db(lp_ctx);
23325+ TALLOC_FREE(frame);
23326+ if (!NT_STATUS_IS_OK(status)) {
23327+ return status;
23328+ }
23329+
23330+ return NT_STATUS_OK;
23331+}
23332+
23333 NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
23334 const char *server_netbios_domain,
23335 const char *client_account,
23336diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
23337index 82e0923..3096c48 100644
23338--- a/source3/rpc_client/cli_netlogon.h
23339+++ b/source3/rpc_client/cli_netlogon.h
23340@@ -37,6 +37,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
23341 const unsigned char machine_pwd[16],
23342 enum netr_SchannelType sec_chan_type,
23343 uint32_t *neg_flags_inout);
23344+NTSTATUS rpccli_pre_open_netlogon_creds(void);
23345 NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
23346 const char *server_netbios_domain,
23347 const char *client_account,
23348--
233491.9.3
23350
23351
23352From f4f7df785d1641f1e21ad8374140715fd41be07a Mon Sep 17 00:00:00 2001
23353From: Stefan Metzmacher <metze@samba.org>
23354Date: Tue, 27 Aug 2013 14:07:43 +0200
23355Subject: [PATCH 178/249] s3:rpc_client: remove unused
23356 rpccli_netlogon_sam_network_logon_ex()
23357
23358Signed-off-by: Stefan Metzmacher <metze@samba.org>
23359Reviewed-by: Andrew Bartlett <abartlet@samba.org>
23360(cherry picked from commit a07cc9a1c6ab8fee516e069a6f90bb48a7abf875)
23361---
23362 source3/rpc_client/cli_netlogon.c | 27 ---------------------------
23363 source3/rpc_client/cli_netlogon.h | 12 ------------
23364 2 files changed, 39 deletions(-)
23365
23366diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
23367index 9342fc3..253d060 100644
23368--- a/source3/rpc_client/cli_netlogon.c
23369+++ b/source3/rpc_client/cli_netlogon.c
23370@@ -524,33 +524,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
23371 return NT_STATUS_OK;
23372 }
23373
23374-NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
23375- TALLOC_CTX *mem_ctx,
23376- uint32 logon_parameters,
23377- const char *server,
23378- const char *username,
23379- const char *domain,
23380- const char *workstation,
23381- const uint8 chal[8],
23382- uint16_t validation_level,
23383- DATA_BLOB lm_response,
23384- DATA_BLOB nt_response,
23385- struct netr_SamInfo3 **info3)
23386-{
23387- return rpccli_netlogon_sam_network_logon(cli,
23388- mem_ctx,
23389- logon_parameters,
23390- server,
23391- username,
23392- domain,
23393- workstation,
23394- chal,
23395- validation_level,
23396- lm_response,
23397- nt_response,
23398- info3);
23399-}
23400-
23401 /*********************************************************
23402 Change the domain password on the PDC.
23403
23404diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
23405index 3096c48..f10e5c7 100644
23406--- a/source3/rpc_client/cli_netlogon.h
23407+++ b/source3/rpc_client/cli_netlogon.h
23408@@ -71,18 +71,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
23409 DATA_BLOB lm_response,
23410 DATA_BLOB nt_response,
23411 struct netr_SamInfo3 **info3);
23412-NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
23413- TALLOC_CTX *mem_ctx,
23414- uint32 logon_parameters,
23415- const char *server,
23416- const char *username,
23417- const char *domain,
23418- const char *workstation,
23419- const uint8 chal[8],
23420- uint16_t validation_level,
23421- DATA_BLOB lm_response,
23422- DATA_BLOB nt_response,
23423- struct netr_SamInfo3 **info3);
23424 NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
23425 TALLOC_CTX *mem_ctx,
23426 const char *account_name,
23427--
234281.9.3
23429
23430
23431From b250859baf6c720e636c2435b0593af83acf6acc Mon Sep 17 00:00:00 2001
23432From: Stefan Metzmacher <metze@samba.org>
23433Date: Tue, 27 Aug 2013 14:36:24 +0200
23434Subject: [PATCH 179/249] s3:rpc_client: add rpccli_netlogon_network_logon()
23435
23436Signed-off-by: Stefan Metzmacher <metze@samba.org>
23437Reviewed-by: Andrew Bartlett <abartlet@samba.org>
23438(cherry picked from commit 5196493c9e599b741417b119b48188ba0d646a37)
23439---
23440 source3/rpc_client/cli_netlogon.c | 103 ++++++++++++++++++++++++++++++++++++++
23441 source3/rpc_client/cli_netlogon.h | 14 ++++++
23442 2 files changed, 117 insertions(+)
23443
23444diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
23445index 253d060..e335423 100644
23446--- a/source3/rpc_client/cli_netlogon.c
23447+++ b/source3/rpc_client/cli_netlogon.c
23448@@ -524,6 +524,109 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
23449 return NT_STATUS_OK;
23450 }
23451
23452+NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
23453+ struct dcerpc_binding_handle *binding_handle,
23454+ TALLOC_CTX *mem_ctx,
23455+ uint32_t logon_parameters,
23456+ const char *username,
23457+ const char *domain,
23458+ const char *workstation,
23459+ const uint8 chal[8],
23460+ DATA_BLOB lm_response,
23461+ DATA_BLOB nt_response,
23462+ uint8_t *authoritative,
23463+ uint32_t *flags,
23464+ struct netr_SamInfo3 **info3)
23465+{
23466+ NTSTATUS status;
23467+ const char *workstation_name_slash;
23468+ union netr_LogonLevel *logon = NULL;
23469+ struct netr_NetworkInfo *network_info;
23470+ uint16_t validation_level = 0;
23471+ union netr_Validation *validation = NULL;
23472+ uint8_t _authoritative = 0;
23473+ uint32_t _flags = 0;
23474+ struct netr_ChallengeResponse lm;
23475+ struct netr_ChallengeResponse nt;
23476+
23477+ *info3 = NULL;
23478+
23479+ if (authoritative == NULL) {
23480+ authoritative = &_authoritative;
23481+ }
23482+ if (flags == NULL) {
23483+ flags = &_flags;
23484+ }
23485+
23486+ ZERO_STRUCT(lm);
23487+ ZERO_STRUCT(nt);
23488+
23489+ logon = talloc_zero(mem_ctx, union netr_LogonLevel);
23490+ if (!logon) {
23491+ return NT_STATUS_NO_MEMORY;
23492+ }
23493+
23494+ network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
23495+ if (!network_info) {
23496+ return NT_STATUS_NO_MEMORY;
23497+ }
23498+
23499+ if (workstation[0] != '\\' && workstation[1] != '\\') {
23500+ workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
23501+ } else {
23502+ workstation_name_slash = workstation;
23503+ }
23504+
23505+ if (!workstation_name_slash) {
23506+ DEBUG(0, ("talloc_asprintf failed!\n"));
23507+ return NT_STATUS_NO_MEMORY;
23508+ }
23509+
23510+ /* Initialise input parameters */
23511+
23512+ lm.data = lm_response.data;
23513+ lm.length = lm_response.length;
23514+ nt.data = nt_response.data;
23515+ nt.length = nt_response.length;
23516+
23517+ network_info->identity_info.domain_name.string = domain;
23518+ network_info->identity_info.parameter_control = logon_parameters;
23519+ network_info->identity_info.logon_id_low = 0xdead;
23520+ network_info->identity_info.logon_id_high = 0xbeef;
23521+ network_info->identity_info.account_name.string = username;
23522+ network_info->identity_info.workstation.string = workstation_name_slash;
23523+
23524+ memcpy(network_info->challenge, chal, 8);
23525+ network_info->nt = nt;
23526+ network_info->lm = lm;
23527+
23528+ logon->network = network_info;
23529+
23530+ /* Marshall data and send request */
23531+
23532+ status = netlogon_creds_cli_LogonSamLogon(creds,
23533+ binding_handle,
23534+ NetlogonNetworkInformation,
23535+ logon,
23536+ mem_ctx,
23537+ &validation_level,
23538+ &validation,
23539+ authoritative,
23540+ flags);
23541+ if (!NT_STATUS_IS_OK(status)) {
23542+ return status;
23543+ }
23544+
23545+ status = map_validation_to_info3(mem_ctx,
23546+ validation_level, validation,
23547+ info3);
23548+ if (!NT_STATUS_IS_OK(status)) {
23549+ return status;
23550+ }
23551+
23552+ return NT_STATUS_OK;
23553+}
23554+
23555 /*********************************************************
23556 Change the domain password on the PDC.
23557
23558diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
23559index f10e5c7..54ed7ae 100644
23560--- a/source3/rpc_client/cli_netlogon.h
23561+++ b/source3/rpc_client/cli_netlogon.h
23562@@ -26,6 +26,7 @@
23563 struct cli_state;
23564 struct messaging_context;
23565 struct netlogon_creds_cli_context;
23566+struct dcerpc_binding_handle;
23567
23568 /* The following definitions come from rpc_client/cli_netlogon.c */
23569
23570@@ -71,6 +72,19 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
23571 DATA_BLOB lm_response,
23572 DATA_BLOB nt_response,
23573 struct netr_SamInfo3 **info3);
23574+NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
23575+ struct dcerpc_binding_handle *binding_handle,
23576+ TALLOC_CTX *mem_ctx,
23577+ uint32_t logon_parameters,
23578+ const char *username,
23579+ const char *domain,
23580+ const char *workstation,
23581+ const uint8 chal[8],
23582+ DATA_BLOB lm_response,
23583+ DATA_BLOB nt_response,
23584+ uint8_t *authoritative,
23585+ uint32_t *flags,
23586+ struct netr_SamInfo3 **info3);
23587 NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
23588 TALLOC_CTX *mem_ctx,
23589 const char *account_name,
23590--
235911.9.3
23592
23593
23594From 2488e78fdf3058bf3a48c2086afd0f3248a43417 Mon Sep 17 00:00:00 2001
23595From: Stefan Metzmacher <metze@samba.org>
23596Date: Tue, 27 Aug 2013 14:56:06 +0200
23597Subject: [PATCH 180/249] s3:rpc_client: add rpccli_netlogon_password_logon()
23598
23599Signed-off-by: Stefan Metzmacher <metze@samba.org>
23600Reviewed-by: Andrew Bartlett <abartlet@samba.org>
23601(cherry picked from commit b7dc3fb20468aa67ea7ddc1cea21fbe458e74565)
23602---
23603 source3/rpc_client/cli_netlogon.c | 133 ++++++++++++++++++++++++++++++++++++++
23604 source3/rpc_client/cli_netlogon.h | 8 +++
23605 2 files changed, 141 insertions(+)
23606
23607diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
23608index e335423..a9f8604 100644
23609--- a/source3/rpc_client/cli_netlogon.c
23610+++ b/source3/rpc_client/cli_netlogon.c
23611@@ -376,6 +376,139 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
23612 return NT_STATUS_OK;
23613 }
23614
23615+NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
23616+ struct dcerpc_binding_handle *binding_handle,
23617+ uint32_t logon_parameters,
23618+ const char *domain,
23619+ const char *username,
23620+ const char *password,
23621+ const char *workstation,
23622+ enum netr_LogonInfoClass logon_type)
23623+{
23624+ TALLOC_CTX *frame = talloc_stackframe();
23625+ NTSTATUS status;
23626+ union netr_LogonLevel *logon;
23627+ uint16_t validation_level = 0;
23628+ union netr_Validation *validation = NULL;
23629+ uint8_t authoritative = 0;
23630+ uint32_t flags = 0;
23631+ char *workstation_slash = NULL;
23632+
23633+ logon = talloc_zero(frame, union netr_LogonLevel);
23634+ if (logon == NULL) {
23635+ TALLOC_FREE(frame);
23636+ return NT_STATUS_NO_MEMORY;
23637+ }
23638+
23639+ if (workstation == NULL) {
23640+ workstation = lp_netbios_name();
23641+ }
23642+
23643+ workstation_slash = talloc_asprintf(frame, "\\\\%s", workstation);
23644+ if (workstation_slash == NULL) {
23645+ TALLOC_FREE(frame);
23646+ return NT_STATUS_NO_MEMORY;
23647+ }
23648+
23649+ /* Initialise input parameters */
23650+
23651+ switch (logon_type) {
23652+ case NetlogonInteractiveInformation: {
23653+
23654+ struct netr_PasswordInfo *password_info;
23655+
23656+ struct samr_Password lmpassword;
23657+ struct samr_Password ntpassword;
23658+
23659+ password_info = talloc_zero(frame, struct netr_PasswordInfo);
23660+ if (password_info == NULL) {
23661+ TALLOC_FREE(frame);
23662+ return NT_STATUS_NO_MEMORY;
23663+ }
23664+
23665+ nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
23666+
23667+ password_info->identity_info.domain_name.string = domain;
23668+ password_info->identity_info.parameter_control = logon_parameters;
23669+ password_info->identity_info.logon_id_low = 0xdead;
23670+ password_info->identity_info.logon_id_high = 0xbeef;
23671+ password_info->identity_info.account_name.string = username;
23672+ password_info->identity_info.workstation.string = workstation_slash;
23673+
23674+ password_info->lmpassword = lmpassword;
23675+ password_info->ntpassword = ntpassword;
23676+
23677+ logon->password = password_info;
23678+
23679+ break;
23680+ }
23681+ case NetlogonNetworkInformation: {
23682+ struct netr_NetworkInfo *network_info;
23683+ uint8 chal[8];
23684+ unsigned char local_lm_response[24];
23685+ unsigned char local_nt_response[24];
23686+ struct netr_ChallengeResponse lm;
23687+ struct netr_ChallengeResponse nt;
23688+
23689+ ZERO_STRUCT(lm);
23690+ ZERO_STRUCT(nt);
23691+
23692+ network_info = talloc_zero(frame, struct netr_NetworkInfo);
23693+ if (network_info == NULL) {
23694+ TALLOC_FREE(frame);
23695+ return NT_STATUS_NO_MEMORY;
23696+ }
23697+
23698+ generate_random_buffer(chal, 8);
23699+
23700+ SMBencrypt(password, chal, local_lm_response);
23701+ SMBNTencrypt(password, chal, local_nt_response);
23702+
23703+ lm.length = 24;
23704+ lm.data = local_lm_response;
23705+
23706+ nt.length = 24;
23707+ nt.data = local_nt_response;
23708+
23709+ network_info->identity_info.domain_name.string = domain;
23710+ network_info->identity_info.parameter_control = logon_parameters;
23711+ network_info->identity_info.logon_id_low = 0xdead;
23712+ network_info->identity_info.logon_id_high = 0xbeef;
23713+ network_info->identity_info.account_name.string = username;
23714+ network_info->identity_info.workstation.string = workstation_slash;
23715+
23716+ memcpy(network_info->challenge, chal, 8);
23717+ network_info->nt = nt;
23718+ network_info->lm = lm;
23719+
23720+ logon->network = network_info;
23721+
23722+ break;
23723+ }
23724+ default:
23725+ DEBUG(0, ("switch value %d not supported\n",
23726+ logon_type));
23727+ TALLOC_FREE(frame);
23728+ return NT_STATUS_INVALID_INFO_CLASS;
23729+ }
23730+
23731+ status = netlogon_creds_cli_LogonSamLogon(creds,
23732+ binding_handle,
23733+ logon_type,
23734+ logon,
23735+ frame,
23736+ &validation_level,
23737+ &validation,
23738+ &authoritative,
23739+ &flags);
23740+ TALLOC_FREE(frame);
23741+ if (!NT_STATUS_IS_OK(status)) {
23742+ return status;
23743+ }
23744+
23745+ return NT_STATUS_OK;
23746+}
23747+
23748 static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
23749 uint16_t validation_level,
23750 union netr_Validation *validation,
23751diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
23752index 54ed7ae..d4c6670 100644
23753--- a/source3/rpc_client/cli_netlogon.h
23754+++ b/source3/rpc_client/cli_netlogon.h
23755@@ -60,6 +60,14 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
23756 const char *workstation,
23757 uint16_t validation_level,
23758 int logon_type);
23759+NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
23760+ struct dcerpc_binding_handle *binding_handle,
23761+ uint32_t logon_parameters,
23762+ const char *domain,
23763+ const char *username,
23764+ const char *password,
23765+ const char *workstation,
23766+ enum netr_LogonInfoClass logon_type);
23767 NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
23768 TALLOC_CTX *mem_ctx,
23769 uint32 logon_parameters,
23770--
237711.9.3
23772
23773
23774From 10c272f991643913358efd5fefb28fc1ce307c70 Mon Sep 17 00:00:00 2001
23775From: Stefan Metzmacher <metze@samba.org>
23776Date: Tue, 17 Dec 2013 20:06:14 +0100
23777Subject: [PATCH 181/249] s3:winbindd: call rpccli_pre_open_netlogon_creds() in
23778 the parent
23779
23780This opens the CLEAR_IF_FIRST tdb in the long living parent.
23781
23782Signed-off-by: Stefan Metzmacher <metze@samba.org>
23783Reviewed-by: Andrew Bartlett <abartlet@samba.org>
23784(cherry picked from commit 07126b6fb22cebce660d1d1a4f0f9fb905064aa0)
23785---
23786 source3/winbindd/winbindd.c | 8 ++++++++
23787 1 file changed, 8 insertions(+)
23788
23789diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
23790index 69a17bf..a90c8fe 100644
23791--- a/source3/winbindd/winbindd.c
23792+++ b/source3/winbindd/winbindd.c
23793@@ -31,6 +31,7 @@
23794 #include "../librpc/gen_ndr/srv_lsa.h"
23795 #include "../librpc/gen_ndr/srv_samr.h"
23796 #include "secrets.h"
23797+#include "rpc_client/cli_netlogon.h"
23798 #include "idmap.h"
23799 #include "lib/addrchange.h"
23800 #include "serverid.h"
23801@@ -1538,6 +1539,13 @@ int main(int argc, char **argv, char **envp)
23802 return False;
23803 }
23804
23805+ status = rpccli_pre_open_netlogon_creds();
23806+ if (!NT_STATUS_IS_OK(status)) {
23807+ DEBUG(0, ("rpccli_pre_open_netlogon_creds() - %s\n",
23808+ nt_errstr(status)));
23809+ exit(1);
23810+ }
23811+
23812 /* Unblock all signals we are interested in as they may have been
23813 blocked by the parent process. */
23814
23815--
238161.9.3
23817
23818
23819From 4cb4ec2065f1f8b3598eb37ca24ce0f8fdf567aa Mon Sep 17 00:00:00 2001
23820From: Stefan Metzmacher <metze@samba.org>
23821Date: Wed, 7 Aug 2013 11:32:44 +0200
23822Subject: [PATCH 182/249] s3:winbindd: make use of
23823 rpccli_{create,setup}_netlogon_creds()
23824
23825Signed-off-by: Stefan Metzmacher <metze@samba.org>
23826Reviewed-by: Andrew Bartlett <abartlet@samba.org>
23827(cherry picked from commit 22e4e2c1d1252e434cb928d4530c378a62a64138)
23828---
23829 source3/winbindd/winbindd.h | 3 +
23830 source3/winbindd/winbindd_cm.c | 125 ++++++++++++++++++++---------------
23831 source3/winbindd/winbindd_dual_srv.c | 1 +
23832 3 files changed, 77 insertions(+), 52 deletions(-)
23833
23834diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
23835index b5fc010..8f89e27 100644
23836--- a/source3/winbindd/winbindd.h
23837+++ b/source3/winbindd/winbindd.h
23838@@ -116,6 +116,9 @@ struct winbindd_cm_conn {
23839 struct policy_handle lsa_policy;
23840
23841 struct rpc_pipe_client *netlogon_pipe;
23842+ struct netlogon_creds_cli_context *netlogon_creds;
23843+ uint32_t netlogon_flags;
23844+ bool netlogon_force_reauth;
23845 };
23846
23847 /* Async child */
23848diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
23849index 1546002..7b6cc96 100644
23850--- a/source3/winbindd/winbindd_cm.c
23851+++ b/source3/winbindd/winbindd_cm.c
23852@@ -79,6 +79,7 @@
23853 #include "auth/gensec/gensec.h"
23854 #include "../libcli/smb/smbXcli_base.h"
23855 #include "lib/param/loadparm.h"
23856+#include "libcli/auth/netlogon_creds_cli.h"
23857
23858 #undef DBGC_CLASS
23859 #define DBGC_CLASS DBGC_WINBIND
23860@@ -1826,6 +1827,9 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
23861 }
23862
23863 conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
23864+ conn->netlogon_force_reauth = false;
23865+ conn->netlogon_flags = 0;
23866+ TALLOC_FREE(conn->netlogon_creds);
23867
23868 if (conn->cli) {
23869 cli_shutdown(conn->cli);
23870@@ -2292,8 +2296,18 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
23871 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
23872 struct rpc_pipe_client *netlogon_pipe;
23873
23874- if (lp_client_schannel() == False) {
23875- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
23876+ *ppdc = NULL;
23877+
23878+ if ((!IS_DC) && (!domain->primary)) {
23879+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
23880+ }
23881+
23882+ if (domain->conn.netlogon_creds != NULL) {
23883+ if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
23884+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
23885+ }
23886+ *ppdc = domain->conn.netlogon_creds;
23887+ return NT_STATUS_OK;
23888 }
23889
23890 result = cm_connect_netlogon(domain, &netlogon_pipe);
23891@@ -2301,14 +2315,15 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
23892 return result;
23893 }
23894
23895- /* Return a pointer to the struct netlogon_creds_CredentialState from the
23896- netlogon pipe. */
23897+ if (domain->conn.netlogon_creds == NULL) {
23898+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
23899+ }
23900
23901- if (!domain->conn.netlogon_pipe->netlogon_creds) {
23902- return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
23903+ if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
23904+ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
23905 }
23906
23907- *ppdc = domain->conn.netlogon_pipe->netlogon_creds;
23908+ *ppdc = domain->conn.netlogon_creds;
23909 return NT_STATUS_OK;
23910 }
23911
23912@@ -2747,14 +2762,16 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
23913 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
23914 struct rpc_pipe_client **cli)
23915 {
23916+ struct messaging_context *msg_ctx = winbind_messaging_context();
23917 struct winbindd_cm_conn *conn;
23918 NTSTATUS result;
23919-
23920- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
23921- uint8_t mach_pwd[16];
23922 enum netr_SchannelType sec_chan_type;
23923+ const char *_account_name;
23924 const char *account_name;
23925- struct rpc_pipe_client *netlogon_pipe = NULL;
23926+ struct samr_Password current_nt_hash;
23927+ struct samr_Password *previous_nt_hash = NULL;
23928+ struct netlogon_creds_CredentialState *creds = NULL;
23929+ bool ok;
23930
23931 *cli = NULL;
23932
23933@@ -2771,60 +2788,68 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
23934 }
23935
23936 TALLOC_FREE(conn->netlogon_pipe);
23937-
23938- result = cli_rpc_pipe_open_noauth(conn->cli,
23939- &ndr_table_netlogon,
23940- &netlogon_pipe);
23941- if (!NT_STATUS_IS_OK(result)) {
23942- return result;
23943- }
23944+ conn->netlogon_flags = 0;
23945+ TALLOC_FREE(conn->netlogon_creds);
23946
23947 if ((!IS_DC) && (!domain->primary)) {
23948- /* Clear the schannel request bit and drop down */
23949- neg_flags &= ~NETLOGON_NEG_SCHANNEL;
23950 goto no_schannel;
23951 }
23952
23953- if (lp_client_schannel() != False) {
23954- neg_flags |= NETLOGON_NEG_SCHANNEL;
23955+ ok = get_trust_pw_hash(domain->name,
23956+ current_nt_hash.hash,
23957+ &_account_name,
23958+ &sec_chan_type);
23959+ if (!ok) {
23960+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
23961 }
23962
23963- if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
23964- &sec_chan_type))
23965- {
23966- TALLOC_FREE(netlogon_pipe);
23967- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
23968+ account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
23969+ if (account_name == NULL) {
23970+ return NT_STATUS_NO_MEMORY;
23971 }
23972
23973- result = rpccli_netlogon_setup_creds(
23974- netlogon_pipe,
23975- domain->dcname, /* server name. */
23976- domain->name, /* domain name */
23977- lp_netbios_name(), /* client name */
23978- account_name, /* machine account */
23979- mach_pwd, /* machine password */
23980- sec_chan_type, /* from get_trust_pw */
23981- &neg_flags);
23982+ result = rpccli_create_netlogon_creds(domain->dcname,
23983+ domain->name,
23984+ account_name,
23985+ sec_chan_type,
23986+ msg_ctx,
23987+ domain,
23988+ &conn->netlogon_creds);
23989+ if (!NT_STATUS_IS_OK(result)) {
23990+ SAFE_FREE(previous_nt_hash);
23991+ return result;
23992+ }
23993
23994+ result = rpccli_setup_netlogon_creds(conn->cli,
23995+ conn->netlogon_creds,
23996+ conn->netlogon_force_reauth,
23997+ current_nt_hash,
23998+ previous_nt_hash);
23999+ conn->netlogon_force_reauth = false;
24000+ SAFE_FREE(previous_nt_hash);
24001 if (!NT_STATUS_IS_OK(result)) {
24002- TALLOC_FREE(netlogon_pipe);
24003 return result;
24004 }
24005
24006- if ((lp_client_schannel() == True) &&
24007- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
24008- DEBUG(3, ("Server did not offer schannel\n"));
24009- TALLOC_FREE(netlogon_pipe);
24010- return NT_STATUS_ACCESS_DENIED;
24011+ result = netlogon_creds_cli_get(conn->netlogon_creds,
24012+ talloc_tos(),
24013+ &creds);
24014+ if (!NT_STATUS_IS_OK(result)) {
24015+ return result;
24016 }
24017+ conn->netlogon_flags = creds->negotiate_flags;
24018+ TALLOC_FREE(creds);
24019
24020 no_schannel:
24021- if ((lp_client_schannel() == False) ||
24022- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
24023+ if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
24024+ result = cli_rpc_pipe_open_noauth(conn->cli,
24025+ &ndr_table_netlogon,
24026+ &conn->netlogon_pipe);
24027+ if (!NT_STATUS_IS_OK(result)) {
24028+ invalidate_cm_connection(conn);
24029+ return result;
24030+ }
24031
24032- /* We're done - just keep the existing connection to NETLOGON
24033- * open */
24034- conn->netlogon_pipe = netlogon_pipe;
24035 *cli = conn->netlogon_pipe;
24036 return NT_STATUS_OK;
24037 }
24038@@ -2837,12 +2862,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
24039 result = cli_rpc_pipe_open_schannel_with_key(
24040 conn->cli, &ndr_table_netlogon, NCACN_NP,
24041 domain->name,
24042- netlogon_pipe->netlogon_creds,
24043+ conn->netlogon_creds,
24044 &conn->netlogon_pipe);
24045-
24046- /* We can now close the initial netlogon pipe. */
24047- TALLOC_FREE(netlogon_pipe);
24048-
24049 if (!NT_STATUS_IS_OK(result)) {
24050 DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
24051 "was %s\n", nt_errstr(result)));
24052diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
24053index b873655..001591a 100644
24054--- a/source3/winbindd/winbindd_dual_srv.c
24055+++ b/source3/winbindd/winbindd_dual_srv.c
24056@@ -580,6 +580,7 @@ NTSTATUS _wbint_CheckMachineAccount(struct pipes_struct *p,
24057
24058 again:
24059 invalidate_cm_connection(&domain->conn);
24060+ domain->conn.netlogon_force_reauth = true;
24061
24062 {
24063 struct rpc_pipe_client *netlogon_pipe;
24064--
240651.9.3
24066
24067
24068From dc77edf0b74a88950f4de2472c05a73fcc629dc1 Mon Sep 17 00:00:00 2001
24069From: Stefan Metzmacher <metze@samba.org>
24070Date: Tue, 27 Aug 2013 13:07:45 +0200
24071Subject: [PATCH 183/249] s3:auth_domain: simplify
24072 connect_to_domain_password_server()
24073
24074Signed-off-by: Stefan Metzmacher <metze@samba.org>
24075Reviewed-by: Andrew Bartlett <abartlet@samba.org>
24076(cherry picked from commit d9d55f5406949187901476d673c7d6ff0fc165c2)
24077---
24078 source3/auth/auth_domain.c | 31 ++++++++++++-------------------
24079 1 file changed, 12 insertions(+), 19 deletions(-)
24080
24081diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
24082index 9f88c4a..ae27bf0 100644
24083--- a/source3/auth/auth_domain.c
24084+++ b/source3/auth/auth_domain.c
24085@@ -47,16 +47,17 @@ static struct named_mutex *mutex;
24086 *
24087 **/
24088
24089-static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
24090+static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
24091 const char *domain,
24092 const char *dc_name,
24093 const struct sockaddr_storage *dc_ss,
24094 struct rpc_pipe_client **pipe_ret)
24095 {
24096- NTSTATUS result;
24097+ NTSTATUS result;
24098+ struct cli_state *cli = NULL;
24099 struct rpc_pipe_client *netlogon_pipe = NULL;
24100
24101- *cli = NULL;
24102+ *cli_ret = NULL;
24103
24104 *pipe_ret = NULL;
24105
24106@@ -80,7 +81,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
24107 }
24108
24109 /* Attempt connection */
24110- result = cli_full_connection(cli, lp_netbios_name(), dc_name, dc_ss, 0,
24111+ result = cli_full_connection(&cli, lp_netbios_name(), dc_name, dc_ss, 0,
24112 "IPC$", "IPC", "", "", "", 0, SMB_SIGNING_DEFAULT);
24113
24114 if (!NT_STATUS_IS_OK(result)) {
24115@@ -89,11 +90,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
24116 result = NT_STATUS_NO_LOGON_SERVERS;
24117 }
24118
24119- if (*cli) {
24120- cli_shutdown(*cli);
24121- *cli = NULL;
24122- }
24123-
24124 TALLOC_FREE(mutex);
24125 return result;
24126 }
24127@@ -115,18 +111,17 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
24128 if (lp_client_schannel()) {
24129 /* We also setup the creds chain in the open_schannel call. */
24130 result = cli_rpc_pipe_open_schannel(
24131- *cli, &ndr_table_netlogon, NCACN_NP,
24132+ cli, &ndr_table_netlogon, NCACN_NP,
24133 DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
24134 } else {
24135 result = cli_rpc_pipe_open_noauth(
24136- *cli, &ndr_table_netlogon, &netlogon_pipe);
24137+ cli, &ndr_table_netlogon, &netlogon_pipe);
24138 }
24139
24140 if (!NT_STATUS_IS_OK(result)) {
24141 DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
24142 machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
24143- cli_shutdown(*cli);
24144- *cli = NULL;
24145+ cli_shutdown(cli);
24146 TALLOC_FREE(mutex);
24147 return result;
24148 }
24149@@ -145,8 +140,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
24150 DEBUG(0, ("connect_to_domain_password_server: could not fetch "
24151 "trust account password for domain '%s'\n",
24152 domain));
24153- cli_shutdown(*cli);
24154- *cli = NULL;
24155+ cli_shutdown(cli);
24156 TALLOC_FREE(mutex);
24157 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
24158 }
24159@@ -161,8 +155,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
24160 &neg_flags);
24161
24162 if (!NT_STATUS_IS_OK(result)) {
24163- cli_shutdown(*cli);
24164- *cli = NULL;
24165+ cli_shutdown(cli);
24166 TALLOC_FREE(mutex);
24167 return result;
24168 }
24169@@ -172,14 +165,14 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
24170 DEBUG(0, ("connect_to_domain_password_server: unable to open "
24171 "the domain client session to machine %s. Error "
24172 "was : %s.\n", dc_name, nt_errstr(result)));
24173- cli_shutdown(*cli);
24174- *cli = NULL;
24175+ cli_shutdown(cli);
24176 TALLOC_FREE(mutex);
24177 return NT_STATUS_NO_LOGON_SERVERS;
24178 }
24179
24180 /* We exit here with the mutex *locked*. JRA */
24181
24182+ *cli_ret = cli;
24183 *pipe_ret = netlogon_pipe;
24184
24185 return NT_STATUS_OK;
24186--
241871.9.3
24188
24189
24190From 8fc2ffafd545dbc4af4c1ebab5fb631da18cade4 Mon Sep 17 00:00:00 2001
24191From: Stefan Metzmacher <metze@samba.org>
24192Date: Tue, 27 Aug 2013 15:01:10 +0200
24193Subject: [PATCH 184/249] s3:auth_domain: make use of
24194 rpccli_{create,setup}_netlogon_creds()
24195
24196Signed-off-by: Stefan Metzmacher <metze@samba.org>
24197Reviewed-by: Andrew Bartlett <abartlet@samba.org>
24198(cherry picked from commit 34e66780e573bebf4b971fb96e1ed8680c1488a9)
24199---
24200 source3/auth/auth_domain.c | 136 ++++++++++++++++++++++++++++-----------------
24201 1 file changed, 85 insertions(+), 51 deletions(-)
24202
24203diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
24204index ae27bf0..bf2671c 100644
24205--- a/source3/auth/auth_domain.c
24206+++ b/source3/auth/auth_domain.c
24207@@ -27,6 +27,7 @@
24208 #include "secrets.h"
24209 #include "passdb.h"
24210 #include "libsmb/libsmb.h"
24211+#include "libcli/auth/netlogon_creds_cli.h"
24212
24213 #undef DBGC_CLASS
24214 #define DBGC_CLASS DBGC_AUTH
24215@@ -53,9 +54,20 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
24216 const struct sockaddr_storage *dc_ss,
24217 struct rpc_pipe_client **pipe_ret)
24218 {
24219+ TALLOC_CTX *frame = talloc_stackframe();
24220+ struct messaging_context *msg_ctx = server_messaging_context();
24221 NTSTATUS result;
24222 struct cli_state *cli = NULL;
24223 struct rpc_pipe_client *netlogon_pipe = NULL;
24224+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
24225+ struct netlogon_creds_CredentialState *creds = NULL;
24226+ uint32_t netlogon_flags = 0;
24227+ enum netr_SchannelType sec_chan_type = 0;
24228+ const char *_account_name = NULL;
24229+ const char *account_name = NULL;
24230+ struct samr_Password current_nt_hash;
24231+ struct samr_Password *previous_nt_hash = NULL;
24232+ bool ok;
24233
24234 *cli_ret = NULL;
24235
24236@@ -77,6 +89,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
24237
24238 mutex = grab_named_mutex(NULL, dc_name, 10);
24239 if (mutex == NULL) {
24240+ TALLOC_FREE(frame);
24241 return NT_STATUS_NO_LOGON_SERVERS;
24242 }
24243
24244@@ -91,6 +104,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
24245 }
24246
24247 TALLOC_FREE(mutex);
24248+ TALLOC_FREE(frame);
24249 return result;
24250 }
24251
24252@@ -98,67 +112,85 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
24253 * We now have an anonymous connection to IPC$ on the domain password server.
24254 */
24255
24256- /*
24257- * Even if the connect succeeds we need to setup the netlogon
24258- * pipe here. We do this as we may just have changed the domain
24259- * account password on the PDC and yet we may be talking to
24260- * a BDC that doesn't have this replicated yet. In this case
24261- * a successful connect to a DC needs to take the netlogon connect
24262- * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
24263- */
24264+ ok = get_trust_pw_hash(domain,
24265+ current_nt_hash.hash,
24266+ &_account_name,
24267+ &sec_chan_type);
24268+ if (!ok) {
24269+ cli_shutdown(cli);
24270+ TALLOC_FREE(mutex);
24271+ TALLOC_FREE(frame);
24272+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
24273+ }
24274
24275- /* open the netlogon pipe. */
24276- if (lp_client_schannel()) {
24277- /* We also setup the creds chain in the open_schannel call. */
24278- result = cli_rpc_pipe_open_schannel(
24279- cli, &ndr_table_netlogon, NCACN_NP,
24280- DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
24281- } else {
24282- result = cli_rpc_pipe_open_noauth(
24283- cli, &ndr_table_netlogon, &netlogon_pipe);
24284+ account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
24285+ if (account_name == NULL) {
24286+ cli_shutdown(cli);
24287+ TALLOC_FREE(mutex);
24288+ TALLOC_FREE(frame);
24289+ return NT_STATUS_NO_MEMORY;
24290 }
24291
24292+ result = rpccli_create_netlogon_creds(dc_name,
24293+ domain,
24294+ account_name,
24295+ sec_chan_type,
24296+ msg_ctx,
24297+ talloc_tos(),
24298+ &netlogon_creds);
24299 if (!NT_STATUS_IS_OK(result)) {
24300- DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
24301-machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
24302 cli_shutdown(cli);
24303 TALLOC_FREE(mutex);
24304+ TALLOC_FREE(frame);
24305+ SAFE_FREE(previous_nt_hash);
24306 return result;
24307 }
24308
24309- if (!lp_client_schannel()) {
24310- /* We need to set up a creds chain on an unauthenticated netlogon pipe. */
24311- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
24312- NETLOGON_NEG_SUPPORTS_AES;
24313- enum netr_SchannelType sec_chan_type = 0;
24314- unsigned char machine_pwd[16];
24315- const char *account_name;
24316-
24317- if (!get_trust_pw_hash(domain, machine_pwd, &account_name,
24318- &sec_chan_type))
24319- {
24320- DEBUG(0, ("connect_to_domain_password_server: could not fetch "
24321- "trust account password for domain '%s'\n",
24322- domain));
24323- cli_shutdown(cli);
24324- TALLOC_FREE(mutex);
24325- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
24326- }
24327+ result = rpccli_setup_netlogon_creds(cli,
24328+ netlogon_creds,
24329+ false, /* force_reauth */
24330+ current_nt_hash,
24331+ previous_nt_hash);
24332+ SAFE_FREE(previous_nt_hash);
24333+ if (!NT_STATUS_IS_OK(result)) {
24334+ cli_shutdown(cli);
24335+ TALLOC_FREE(mutex);
24336+ TALLOC_FREE(frame);
24337+ return result;
24338+ }
24339
24340- result = rpccli_netlogon_setup_creds(netlogon_pipe,
24341- dc_name, /* server name */
24342- domain, /* domain */
24343- lp_netbios_name(), /* client name */
24344- account_name, /* machine account name */
24345- machine_pwd,
24346- sec_chan_type,
24347- &neg_flags);
24348-
24349- if (!NT_STATUS_IS_OK(result)) {
24350- cli_shutdown(cli);
24351- TALLOC_FREE(mutex);
24352- return result;
24353- }
24354+ result = netlogon_creds_cli_get(netlogon_creds,
24355+ talloc_tos(),
24356+ &creds);
24357+ if (!NT_STATUS_IS_OK(result)) {
24358+ cli_shutdown(cli);
24359+ TALLOC_FREE(mutex);
24360+ TALLOC_FREE(frame);
24361+ return result;
24362+ }
24363+ netlogon_flags = creds->negotiate_flags;
24364+ TALLOC_FREE(creds);
24365+
24366+ if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
24367+ result = cli_rpc_pipe_open_schannel_with_key(
24368+ cli, &ndr_table_netlogon, NCACN_NP,
24369+ domain, netlogon_creds, &netlogon_pipe);
24370+ } else {
24371+ result = cli_rpc_pipe_open_noauth(cli,
24372+ &ndr_table_netlogon,
24373+ &netlogon_pipe);
24374+ }
24375+
24376+ if (!NT_STATUS_IS_OK(result)) {
24377+ DEBUG(0,("connect_to_domain_password_server: "
24378+ "unable to open the domain client session to "
24379+ "machine %s. Flags[0x%08X] Error was : %s.\n",
24380+ dc_name, (unsigned)netlogon_flags,
24381+ nt_errstr(result)));
24382+ cli_shutdown(cli);
24383+ TALLOC_FREE(mutex);
24384+ TALLOC_FREE(frame);
24385+ return result;
24386 }
24387
24388 if(!netlogon_pipe) {
24389@@ -167,6 +199,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
24390 "was : %s.\n", dc_name, nt_errstr(result)));
24391 cli_shutdown(cli);
24392 TALLOC_FREE(mutex);
24393+ TALLOC_FREE(frame);
24394 return NT_STATUS_NO_LOGON_SERVERS;
24395 }
24396
24397@@ -175,6 +208,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
24398 *cli_ret = cli;
24399 *pipe_ret = netlogon_pipe;
24400
24401+ TALLOC_FREE(frame);
24402 return NT_STATUS_OK;
24403 }
24404
24405--
244061.9.3
24407
24408
24409From 5cc57e577bc7d144176ffe6f21ed24a95661a861 Mon Sep 17 00:00:00 2001
24410From: Stefan Metzmacher <metze@samba.org>
24411Date: Tue, 27 Aug 2013 15:02:26 +0200
24412Subject: [PATCH 185/249] s3:auth_domain: make use of
24413 rpccli_netlogon_network_logon()
24414
24415Signed-off-by: Stefan Metzmacher <metze@samba.org>
24416Reviewed-by: Andrew Bartlett <abartlet@samba.org>
24417(cherry picked from commit 531bbf3aff3fb08aaf112b21038f20544db60b69)
24418---
24419 source3/auth/auth_domain.c | 36 ++++++++++++++++++++++--------------
24420 1 file changed, 22 insertions(+), 14 deletions(-)
24421
24422diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
24423index bf2671c..937841c 100644
24424--- a/source3/auth/auth_domain.c
24425+++ b/source3/auth/auth_domain.c
24426@@ -52,7 +52,8 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
24427 const char *domain,
24428 const char *dc_name,
24429 const struct sockaddr_storage *dc_ss,
24430- struct rpc_pipe_client **pipe_ret)
24431+ struct rpc_pipe_client **pipe_ret,
24432+ struct netlogon_creds_cli_context **creds_ret)
24433 {
24434 TALLOC_CTX *frame = talloc_stackframe();
24435 struct messaging_context *msg_ctx = server_messaging_context();
24436@@ -72,6 +73,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
24437 *cli_ret = NULL;
24438
24439 *pipe_ret = NULL;
24440+ *creds_ret = NULL;
24441
24442 /* TODO: Send a SAMLOGON request to determine whether this is a valid
24443 logonserver. We can avoid a 30-second timeout if the DC is down
24444@@ -207,6 +209,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
24445
24446 *cli_ret = cli;
24447 *pipe_ret = netlogon_pipe;
24448+ *creds_ret = netlogon_creds;
24449
24450 TALLOC_FREE(frame);
24451 return NT_STATUS_OK;
24452@@ -230,8 +233,11 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
24453 struct netr_SamInfo3 *info3 = NULL;
24454 struct cli_state *cli = NULL;
24455 struct rpc_pipe_client *netlogon_pipe = NULL;
24456+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
24457 NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS;
24458 int i;
24459+ uint8_t authoritative = 0;
24460+ uint32_t flags = 0;
24461
24462 /*
24463 * At this point, smb_apasswd points to the lanman response to
24464@@ -248,7 +254,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
24465 domain,
24466 dc_name,
24467 dc_ss,
24468- &netlogon_pipe);
24469+ &netlogon_pipe,
24470+ &netlogon_creds);
24471 }
24472
24473 if ( !NT_STATUS_IS_OK(nt_status) ) {
24474@@ -268,18 +275,19 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
24475 * in the info3 structure.
24476 */
24477
24478- nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
24479- mem_ctx,
24480- user_info->logon_parameters, /* flags such as 'allow workstation logon' */
24481- dc_name, /* server name */
24482- user_info->client.account_name, /* user name logging on. */
24483- user_info->client.domain_name, /* domain name */
24484- user_info->workstation_name, /* workstation name */
24485- chal, /* 8 byte challenge. */
24486- 3, /* validation level */
24487- user_info->password.response.lanman, /* lanman 24 byte response */
24488- user_info->password.response.nt, /* nt 24 byte response */
24489- &info3); /* info3 out */
24490+ nt_status = rpccli_netlogon_network_logon(netlogon_creds,
24491+ netlogon_pipe->binding_handle,
24492+ mem_ctx,
24493+ user_info->logon_parameters, /* flags such as 'allow workstation logon' */
24494+ user_info->client.account_name, /* user name logging on. */
24495+ user_info->client.domain_name, /* domain name */
24496+ user_info->workstation_name, /* workstation name */
24497+ chal, /* 8 byte challenge. */
24498+ user_info->password.response.lanman, /* lanman 24 byte response */
24499+ user_info->password.response.nt, /* nt 24 byte response */
24500+ &authoritative,
24501+ &flags,
24502+ &info3); /* info3 out */
24503
24504 /* Let go as soon as possible so we avoid any potential deadlocks
24505 with winbind lookup up users or groups. */
24506--
245071.9.3
24508
24509
24510From 5da4eca4d30b3894426a4f7cb0512ae61c097cbc Mon Sep 17 00:00:00 2001
24511From: Stefan Metzmacher <metze@samba.org>
24512Date: Mon, 2 Sep 2013 19:32:23 +0200
24513Subject: [PATCH 186/249] s3:libnet_join: make use of
24514 rpccli_{create,setup}_netlogon_creds()
24515
24516Signed-off-by: Stefan Metzmacher <metze@samba.org>
24517Reviewed-by: Andrew Bartlett <abartlet@samba.org>
24518(cherry picked from commit 963800539cea7487fc6258f8ac8f7cacc3426b83)
24519---
24520 source3/libnet/libnet_join.c | 110 +++++++++++++++++++++++++++++++------------
24521 source3/libnet/libnet_join.h | 5 +-
24522 source3/utils/net_rpc.c | 4 +-
24523 3 files changed, 86 insertions(+), 33 deletions(-)
24524
24525diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
24526index b2805ee..6e653c3 100644
24527--- a/source3/libnet/libnet_join.c
24528+++ b/source3/libnet/libnet_join.c
24529@@ -40,6 +40,8 @@
24530 #include "libsmb/libsmb.h"
24531 #include "../libcli/smb/smbXcli_base.h"
24532 #include "lib/param/loadparm.h"
24533+#include "libcli/auth/netlogon_creds_cli.h"
24534+#include "auth/credentials/credentials.h"
24535
24536 /****************************************************************
24537 ****************************************************************/
24538@@ -1189,38 +1191,52 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
24539 /****************************************************************
24540 ****************************************************************/
24541
24542-NTSTATUS libnet_join_ok(const char *netbios_domain_name,
24543- const char *machine_name,
24544+NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
24545+ const char *netbios_domain_name,
24546 const char *dc_name,
24547 const bool use_kerberos)
24548 {
24549- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
24550- NETLOGON_NEG_SUPPORTS_AES;
24551+ TALLOC_CTX *frame = talloc_stackframe();
24552 struct cli_state *cli = NULL;
24553- struct rpc_pipe_client *pipe_hnd = NULL;
24554 struct rpc_pipe_client *netlogon_pipe = NULL;
24555+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
24556+ struct netlogon_creds_CredentialState *creds = NULL;
24557+ uint32_t netlogon_flags = 0;
24558+ enum netr_SchannelType sec_chan_type = 0;
24559 NTSTATUS status;
24560 char *machine_password = NULL;
24561- char *machine_account = NULL;
24562+ const char *machine_name = NULL;
24563+ const char *machine_account = NULL;
24564 int flags = 0;
24565+ struct samr_Password current_nt_hash;
24566+ struct samr_Password *previous_nt_hash = NULL;
24567+ bool ok;
24568
24569 if (!dc_name) {
24570+ TALLOC_FREE(frame);
24571 return NT_STATUS_INVALID_PARAMETER;
24572 }
24573
24574 if (!secrets_init()) {
24575+ TALLOC_FREE(frame);
24576 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
24577 }
24578
24579- machine_password = secrets_fetch_machine_password(netbios_domain_name,
24580- NULL, NULL);
24581- if (!machine_password) {
24582- return NT_STATUS_NO_TRUST_LSA_SECRET;
24583+ ok = get_trust_pw_clear(netbios_domain_name,
24584+ &machine_password,
24585+ &machine_name,
24586+ &sec_chan_type);
24587+ if (!ok) {
24588+ TALLOC_FREE(frame);
24589+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
24590 }
24591
24592- if (asprintf(&machine_account, "%s$", machine_name) == -1) {
24593+ machine_account = talloc_asprintf(frame, "%s$", machine_name);
24594+ if (machine_account == NULL) {
24595 SAFE_FREE(machine_password);
24596- return NT_STATUS_NO_MEMORY;
24597+ SAFE_FREE(previous_nt_hash);
24598+ TALLOC_FREE(frame);
24599+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
24600 }
24601
24602 if (use_kerberos) {
24603@@ -1232,12 +1248,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
24604 NULL, 0,
24605 "IPC$", "IPC",
24606 machine_account,
24607- NULL,
24608+ netbios_domain_name,
24609 machine_password,
24610 flags,
24611 SMB_SIGNING_DEFAULT);
24612- free(machine_account);
24613- free(machine_password);
24614+
24615+ E_md4hash(machine_password, current_nt_hash.hash);
24616+ SAFE_FREE(machine_password);
24617
24618 if (!NT_STATUS_IS_OK(status)) {
24619 status = cli_full_connection(&cli, NULL,
24620@@ -1252,36 +1269,65 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
24621 }
24622
24623 if (!NT_STATUS_IS_OK(status)) {
24624+ SAFE_FREE(previous_nt_hash);
24625+ TALLOC_FREE(frame);
24626 return status;
24627 }
24628
24629- status = get_schannel_session_key(cli, netbios_domain_name,
24630- &neg_flags, &netlogon_pipe);
24631+ status = rpccli_create_netlogon_creds(dc_name,
24632+ netbios_domain_name,
24633+ machine_account,
24634+ sec_chan_type,
24635+ msg_ctx,
24636+ frame,
24637+ &netlogon_creds);
24638 if (!NT_STATUS_IS_OK(status)) {
24639- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
24640- cli_shutdown(cli);
24641- return NT_STATUS_OK;
24642- }
24643+ SAFE_FREE(previous_nt_hash);
24644+ cli_shutdown(cli);
24645+ TALLOC_FREE(frame);
24646+ return status;
24647+ }
24648
24649- DEBUG(0,("libnet_join_ok: failed to get schannel session "
24650- "key from server %s for domain %s. Error was %s\n",
24651- smbXcli_conn_remote_name(cli->conn),
24652- netbios_domain_name, nt_errstr(status)));
24653+ status = rpccli_setup_netlogon_creds(cli,
24654+ netlogon_creds,
24655+ true, /* force_reauth */
24656+ current_nt_hash,
24657+ previous_nt_hash);
24658+ SAFE_FREE(previous_nt_hash);
24659+ if (!NT_STATUS_IS_OK(status)) {
24660+ DEBUG(0,("connect_to_domain_password_server: "
24661+ "unable to open the domain client session to "
24662+ "machine %s. Flags[0x%08X] Error was : %s.\n",
24663+ dc_name, (unsigned)netlogon_flags,
24664+ nt_errstr(status)));
24665+ cli_shutdown(cli);
24666+ TALLOC_FREE(frame);
24667+ return status;
24668+ }
24669+
24670+ status = netlogon_creds_cli_get(netlogon_creds,
24671+ talloc_tos(),
24672+ &creds);
24673+ if (!NT_STATUS_IS_OK(status)) {
24674 cli_shutdown(cli);
24675+ TALLOC_FREE(frame);
24676 return status;
24677 }
24678+ netlogon_flags = creds->negotiate_flags;
24679+ TALLOC_FREE(creds);
24680
24681- if (!lp_client_schannel()) {
24682+ if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
24683 cli_shutdown(cli);
24684+ TALLOC_FREE(frame);
24685 return NT_STATUS_OK;
24686 }
24687
24688 status = cli_rpc_pipe_open_schannel_with_key(
24689 cli, &ndr_table_netlogon, NCACN_NP,
24690 netbios_domain_name,
24691- netlogon_pipe->netlogon_creds, &pipe_hnd);
24692+ netlogon_creds, &netlogon_pipe);
24693
24694- cli_shutdown(cli);
24695+ TALLOC_FREE(netlogon_pipe);
24696
24697 if (!NT_STATUS_IS_OK(status)) {
24698 DEBUG(0,("libnet_join_ok: failed to open schannel session "
24699@@ -1289,9 +1335,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
24700 "Error was %s\n",
24701 smbXcli_conn_remote_name(cli->conn),
24702 netbios_domain_name, nt_errstr(status)));
24703+ cli_shutdown(cli);
24704+ TALLOC_FREE(frame);
24705 return status;
24706 }
24707
24708+ cli_shutdown(cli);
24709+ TALLOC_FREE(frame);
24710 return NT_STATUS_OK;
24711 }
24712
24713@@ -1303,8 +1353,8 @@ static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
24714 {
24715 NTSTATUS status;
24716
24717- status = libnet_join_ok(r->out.netbios_domain_name,
24718- r->in.machine_name,
24719+ status = libnet_join_ok(r->in.msg_ctx,
24720+ r->out.netbios_domain_name,
24721 r->in.dc_name,
24722 r->in.use_kerberos);
24723 if (!NT_STATUS_IS_OK(status)) {
24724diff --git a/source3/libnet/libnet_join.h b/source3/libnet/libnet_join.h
24725index 58c33b2..b7e2f0b 100644
24726--- a/source3/libnet/libnet_join.h
24727+++ b/source3/libnet/libnet_join.h
24728@@ -23,8 +23,9 @@
24729
24730 /* The following definitions come from libnet/libnet_join.c */
24731
24732-NTSTATUS libnet_join_ok(const char *netbios_domain_name,
24733- const char *machine_name,
24734+struct messaging_context;
24735+NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
24736+ const char *netbios_domain_name,
24737 const char *dc_name,
24738 const bool use_kerberos);
24739 WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
24740diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
24741index dff8801..9de74c0 100644
24742--- a/source3/utils/net_rpc.c
24743+++ b/source3/utils/net_rpc.c
24744@@ -493,7 +493,9 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
24745 }
24746
24747 /* Display success or failure */
24748- status = libnet_join_ok(c->opt_workgroup, lp_netbios_name(), dc,
24749+ status = libnet_join_ok(c->msg_ctx,
24750+ c->opt_workgroup,
24751+ dc,
24752 c->opt_kerberos);
24753 if (!NT_STATUS_IS_OK(status)) {
24754 fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
24755--
247561.9.3
24757
24758
24759From 0da8c0a71d08de50b614e5df69a61e00d0a9cd99 Mon Sep 17 00:00:00 2001
24760From: Stefan Metzmacher <metze@samba.org>
24761Date: Thu, 5 Sep 2013 20:57:02 +0200
24762Subject: [PATCH 187/249] s3:libnet: use rpccli_{create,setup}_netlogon_creds()
24763 in libnet_join_joindomain_rpc_unsecure
24764
24765Signed-off-by: Stefan Metzmacher <metze@samba.org>
24766Reviewed-by: Andrew Bartlett <abartlet@samba.org>
24767(cherry picked from commit 3a89eee03a95d4b142bf0830f40debc75bfa2e26)
24768---
24769 source3/libnet/libnet_join.c | 66 ++++++++++++++++++++++++++++++++++----------
24770 1 file changed, 51 insertions(+), 15 deletions(-)
24771
24772diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
24773index 6e653c3..a87eb38 100644
24774--- a/source3/libnet/libnet_join.c
24775+++ b/source3/libnet/libnet_join.c
24776@@ -817,14 +817,17 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
24777 struct libnet_JoinCtx *r,
24778 struct cli_state *cli)
24779 {
24780- struct rpc_pipe_client *pipe_hnd = NULL;
24781- unsigned char orig_trust_passwd_hash[16];
24782- unsigned char new_trust_passwd_hash[16];
24783+ TALLOC_CTX *frame = talloc_stackframe();
24784+ struct rpc_pipe_client *netlogon_pipe = NULL;
24785+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
24786+ struct samr_Password current_nt_hash;
24787+ const char *account_name = NULL;
24788 NTSTATUS status;
24789
24790 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
24791- &pipe_hnd);
24792+ &netlogon_pipe);
24793 if (!NT_STATUS_IS_OK(status)) {
24794+ TALLOC_FREE(frame);
24795 return status;
24796 }
24797
24798@@ -832,22 +835,55 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
24799 r->in.machine_password = generate_random_password(mem_ctx,
24800 DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
24801 DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
24802- NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
24803+ if (r->in.machine_password == NULL) {
24804+ TALLOC_FREE(frame);
24805+ return NT_STATUS_NO_MEMORY;
24806+ }
24807 }
24808
24809- E_md4hash(r->in.machine_password, new_trust_passwd_hash);
24810-
24811 /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
24812- E_md4hash(r->in.admin_password, orig_trust_passwd_hash);
24813+ E_md4hash(r->in.admin_password, current_nt_hash.hash);
24814
24815- status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
24816- r->in.machine_name,
24817- orig_trust_passwd_hash,
24818- r->in.machine_password,
24819- new_trust_passwd_hash,
24820- r->in.secure_channel_type);
24821+ account_name = talloc_asprintf(frame, "%s$",
24822+ r->in.machine_name);
24823+ if (account_name == NULL) {
24824+ TALLOC_FREE(frame);
24825+ return NT_STATUS_NO_MEMORY;
24826+ }
24827
24828- return status;
24829+ status = rpccli_create_netlogon_creds(netlogon_pipe->desthost,
24830+ r->in.domain_name,
24831+ account_name,
24832+ r->in.secure_channel_type,
24833+ r->in.msg_ctx,
24834+ frame,
24835+ &netlogon_creds);
24836+ if (!NT_STATUS_IS_OK(status)) {
24837+ TALLOC_FREE(frame);
24838+ return status;
24839+ }
24840+
24841+ status = rpccli_setup_netlogon_creds(cli,
24842+ netlogon_creds,
24843+ true, /* force_reauth */
24844+ current_nt_hash,
24845+ NULL); /* previous_nt_hash */
24846+ if (!NT_STATUS_IS_OK(status)) {
24847+ TALLOC_FREE(frame);
24848+ return status;
24849+ }
24850+
24851+ status = netlogon_creds_cli_ServerPasswordSet(netlogon_creds,
24852+ netlogon_pipe->binding_handle,
24853+ r->in.machine_password,
24854+ NULL); /* new_version */
24855+ if (!NT_STATUS_IS_OK(status)) {
24856+ TALLOC_FREE(frame);
24857+ return status;
24858+ }
24859+
24860+ TALLOC_FREE(frame);
24861+ return NT_STATUS_OK;
24862 }
24863
24864 /****************************************************************
24865--
248661.9.3
24867
24868
24869From 9d192bc1d2dd06efada55792203aaed58b349ab9 Mon Sep 17 00:00:00 2001
24870From: Stefan Metzmacher <metze@samba.org>
24871Date: Wed, 11 Sep 2013 10:06:41 +0200
24872Subject: [PATCH 188/249] s3:rpc_client: use
24873 rpccli_{create,setup}_netlogon_creds() in cli_rpc_pipe_open_schannel()
24874
24875Signed-off-by: Stefan Metzmacher <metze@samba.org>
24876Reviewed-by: Andrew Bartlett <abartlet@samba.org>
24877(cherry picked from commit 94caf7e190563423914b653d0c2fc4a4abf1f899)
24878---
24879 source3/rpc_client/cli_pipe.h | 7 --
24880 source3/rpc_client/cli_pipe_schannel.c | 162 ++++++++++++++-------------------
24881 2 files changed, 66 insertions(+), 103 deletions(-)
24882
24883diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
24884index c21c55d..2a76130 100644
24885--- a/source3/rpc_client/cli_pipe.h
24886+++ b/source3/rpc_client/cli_pipe.h
24887@@ -109,13 +109,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
24888 struct rpc_pipe_client *cli,
24889 DATA_BLOB *session_key);
24890
24891-/* The following definitions come from rpc_client/cli_pipe_schannel.c */
24892-
24893-NTSTATUS get_schannel_session_key(struct cli_state *cli,
24894- const char *domain,
24895- uint32 *pneg_flags,
24896- struct rpc_pipe_client **presult);
24897-
24898 #endif /* _CLI_PIPE_H */
24899
24900 /* vim: set ts=8 sw=8 noet cindent ft=c.doxygen: */
24901diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
24902index 8f9161f..1fcf62e 100644
24903--- a/source3/rpc_client/cli_pipe_schannel.c
24904+++ b/source3/rpc_client/cli_pipe_schannel.c
24905@@ -23,67 +23,15 @@
24906 #include "../libcli/auth/schannel.h"
24907 #include "rpc_client/cli_netlogon.h"
24908 #include "rpc_client/cli_pipe.h"
24909-#include "librpc/gen_ndr/ndr_dcerpc.h"
24910 #include "librpc/rpc/dcerpc.h"
24911 #include "passdb.h"
24912 #include "libsmb/libsmb.h"
24913-#include "auth/gensec/gensec.h"
24914 #include "../libcli/smb/smbXcli_base.h"
24915+#include "libcli/auth/netlogon_creds_cli.h"
24916
24917 #undef DBGC_CLASS
24918 #define DBGC_CLASS DBGC_RPC_CLI
24919
24920-
24921-/****************************************************************************
24922- Get a the schannel session key out of an already opened netlogon pipe.
24923- ****************************************************************************/
24924-static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
24925- struct cli_state *cli,
24926- const char *domain,
24927- uint32 *pneg_flags)
24928-{
24929- enum netr_SchannelType sec_chan_type = 0;
24930- unsigned char machine_pwd[16];
24931- const char *machine_account;
24932- NTSTATUS status;
24933-
24934- /* Get the machine account credentials from secrets.tdb. */
24935- if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
24936- &sec_chan_type))
24937- {
24938- DEBUG(0, ("get_schannel_session_key: could not fetch "
24939- "trust account password for domain '%s'\n",
24940- domain));
24941- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
24942- }
24943-
24944- status = rpccli_netlogon_setup_creds(netlogon_pipe,
24945- smbXcli_conn_remote_name(cli->conn), /* server name */
24946- domain, /* domain */
24947- lp_netbios_name(), /* client name */
24948- machine_account, /* machine account name */
24949- machine_pwd,
24950- sec_chan_type,
24951- pneg_flags);
24952-
24953- if (!NT_STATUS_IS_OK(status)) {
24954- DEBUG(3, ("get_schannel_session_key_common: "
24955- "rpccli_netlogon_setup_creds failed with result %s "
24956- "to server %s, domain %s, machine account %s.\n",
24957- nt_errstr(status), smbXcli_conn_remote_name(cli->conn), domain,
24958- machine_account ));
24959- return status;
24960- }
24961-
24962- if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
24963- DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
24964- smbXcli_conn_remote_name(cli->conn)));
24965- return NT_STATUS_INVALID_NETWORK_RESPONSE;
24966- }
24967-
24968- return NT_STATUS_OK;
24969-}
24970-
24971 /****************************************************************************
24972 Open a named pipe to an SMB server and bind using schannel (bind type 68).
24973 Fetch the session key ourselves using a temporary netlogon pipe.
24974@@ -96,63 +44,85 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
24975 const char *domain,
24976 struct rpc_pipe_client **presult)
24977 {
24978- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
24979- NETLOGON_NEG_SUPPORTS_AES;
24980- struct rpc_pipe_client *netlogon_pipe = NULL;
24981+ TALLOC_CTX *frame = talloc_stackframe();
24982+ struct messaging_context *msg_ctx = NULL;
24983+ const char *dc_name = smbXcli_conn_remote_name(cli->conn);
24984 struct rpc_pipe_client *result = NULL;
24985 NTSTATUS status;
24986+ struct netlogon_creds_cli_context *netlogon_creds = NULL;
24987+ struct netlogon_creds_CredentialState *creds = NULL;
24988+ uint32_t netlogon_flags = 0;
24989+ enum netr_SchannelType sec_chan_type = 0;
24990+ const char *_account_name = NULL;
24991+ const char *account_name = NULL;
24992+ struct samr_Password current_nt_hash;
24993+ struct samr_Password *previous_nt_hash = NULL;
24994+ bool ok;
24995+
24996+ ok = get_trust_pw_hash(domain,
24997+ current_nt_hash.hash,
24998+ &_account_name,
24999+ &sec_chan_type);
25000+ if (!ok) {
25001+ TALLOC_FREE(frame);
25002+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
25003+ }
25004+
25005+ account_name = talloc_asprintf(frame, "%s$", _account_name);
25006+ if (account_name == NULL) {
25007+ SAFE_FREE(previous_nt_hash);
25008+ TALLOC_FREE(frame);
25009+ return NT_STATUS_NO_MEMORY;
25010+ }
25011+
25012+ status = rpccli_create_netlogon_creds(dc_name,
25013+ domain,
25014+ account_name,
25015+ sec_chan_type,
25016+ msg_ctx,
25017+ frame,
25018+ &netlogon_creds);
25019+ if (!NT_STATUS_IS_OK(status)) {
25020+ SAFE_FREE(previous_nt_hash);
25021+ TALLOC_FREE(frame);
25022+ return status;
25023+ }
25024
25025- status = get_schannel_session_key(cli, domain, &neg_flags,
25026- &netlogon_pipe);
25027+ status = rpccli_setup_netlogon_creds(cli,
25028+ netlogon_creds,
25029+ false, /* force_reauth */
25030+ current_nt_hash,
25031+ previous_nt_hash);
25032+ SAFE_FREE(previous_nt_hash);
25033 if (!NT_STATUS_IS_OK(status)) {
25034- DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
25035- "key from server %s for domain %s.\n",
25036- smbXcli_conn_remote_name(cli->conn), domain ));
25037+ TALLOC_FREE(frame);
25038 return status;
25039 }
25040
25041+ status = netlogon_creds_cli_get(netlogon_creds,
25042+ frame,
25043+ &creds);
25044+ if (!NT_STATUS_IS_OK(status)) {
25045+ TALLOC_FREE(frame);
25046+ return status;
25047+ }
25048+ netlogon_flags = creds->negotiate_flags;
25049+ TALLOC_FREE(creds);
25050+
25051+ if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
25052+ TALLOC_FREE(frame);
25053+ return NT_STATUS_DOWNGRADE_DETECTED;
25054+ }
25055+
25056 status = cli_rpc_pipe_open_schannel_with_key(
25057 cli, table, transport, domain,
25058- netlogon_pipe->netlogon_creds,
25059+ netlogon_creds,
25060 &result);
25061
25062- /* Now we've bound using the session key we can close the netlog pipe. */
25063- TALLOC_FREE(netlogon_pipe);
25064-
25065 if (NT_STATUS_IS_OK(status)) {
25066 *presult = result;
25067 }
25068
25069+ TALLOC_FREE(frame);
25070 return status;
25071 }
25072-
25073-/****************************************************************************
25074- Open a netlogon pipe and get the schannel session key.
25075- Now exposed to external callers.
25076- ****************************************************************************/
25077-
25078-
25079-NTSTATUS get_schannel_session_key(struct cli_state *cli,
25080- const char *domain,
25081- uint32 *pneg_flags,
25082- struct rpc_pipe_client **presult)
25083-{
25084- struct rpc_pipe_client *netlogon_pipe = NULL;
25085- NTSTATUS status;
25086-
25087- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
25088- &netlogon_pipe);
25089- if (!NT_STATUS_IS_OK(status)) {
25090- return status;
25091- }
25092-
25093- status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
25094- pneg_flags);
25095- if (!NT_STATUS_IS_OK(status)) {
25096- TALLOC_FREE(netlogon_pipe);
25097- return status;
25098- }
25099-
25100- *presult = netlogon_pipe;
25101- return NT_STATUS_OK;
25102-}
25103--
251041.9.3
25105
25106
25107From 5fba6641f79a14c208c5947886c005a87b9f3256 Mon Sep 17 00:00:00 2001
25108From: Stefan Metzmacher <metze@samba.org>
25109Date: Mon, 16 Sep 2013 18:24:44 +0200
25110Subject: [PATCH 189/249] s3:rpcclient: add rpcclient_msg_ctx
25111
25112Signed-off-by: Stefan Metzmacher <metze@samba.org>
25113Reviewed-by: Andrew Bartlett <abartlet@samba.org>
25114(cherry picked from commit a1c468e1d75d490f0e531feb08188ddc3f0d77b5)
25115---
25116 source3/rpcclient/rpcclient.c | 5 +++++
25117 source3/rpcclient/rpcclient.h | 2 ++
25118 2 files changed, 7 insertions(+)
25119
25120diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
25121index 0cbec20..39bf613 100644
25122--- a/source3/rpcclient/rpcclient.c
25123+++ b/source3/rpcclient/rpcclient.c
25124@@ -33,6 +33,7 @@
25125 #include "libsmb/libsmb.h"
25126 #include "auth/gensec/gensec.h"
25127 #include "../libcli/smb/smbXcli_base.h"
25128+#include "messages.h"
25129
25130 enum pipe_auth_type_spnego {
25131 PIPE_AUTH_TYPE_SPNEGO_NONE = 0,
25132@@ -48,6 +49,7 @@ static enum dcerpc_AuthLevel pipe_default_auth_level = DCERPC_AUTH_LEVEL_NONE;
25133 static unsigned int timeout = 0;
25134 static enum dcerpc_transport_t default_transport = NCACN_NP;
25135
25136+struct messaging_context *rpcclient_msg_ctx;
25137 struct user_auth_info *rpcclient_auth_info;
25138
25139 /* List to hold groups of commands.
25140@@ -985,6 +987,9 @@ out_free:
25141 /* We must load interfaces after we load the smb.conf */
25142 load_interfaces();
25143
25144+ rpcclient_msg_ctx = messaging_init(talloc_autofree_context(),
25145+ samba_tevent_context_init(talloc_autofree_context()));
25146+
25147 /*
25148 * Get password
25149 * from stdin if necessary
25150diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
25151index 762c54a..219da2a 100644
25152--- a/source3/rpcclient/rpcclient.h
25153+++ b/source3/rpcclient/rpcclient.h
25154@@ -41,4 +41,6 @@ struct cmd_set {
25155 const char *usage;
25156 };
25157
25158+extern struct messaging_context *rpcclient_msg_ctx;
25159+
25160 #endif /* RPCCLIENT_H */
25161--
251621.9.3
25163
25164
25165From c6e02d60ef12431cd1a5615fcf514548e86d6dc8 Mon Sep 17 00:00:00 2001
25166From: Stefan Metzmacher <metze@samba.org>
25167Date: Mon, 16 Sep 2013 18:29:30 +0200
25168Subject: [PATCH 190/249] s3:rpcclient: add rpcclient_netlogon_creds
25169
25170Signed-off-by: Stefan Metzmacher <metze@samba.org>
25171Reviewed-by: Andrew Bartlett <abartlet@samba.org>
25172(cherry picked from commit 1696b127c61fea76fce3d992632a822ed78de07c)
25173---
25174 source3/rpcclient/rpcclient.c | 3 +++
25175 source3/rpcclient/rpcclient.h | 1 +
25176 2 files changed, 4 insertions(+)
25177
25178diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
25179index 39bf613..a875ff5 100644
25180--- a/source3/rpcclient/rpcclient.c
25181+++ b/source3/rpcclient/rpcclient.c
25182@@ -51,6 +51,7 @@ static enum dcerpc_transport_t default_transport = NCACN_NP;
25183
25184 struct messaging_context *rpcclient_msg_ctx;
25185 struct user_auth_info *rpcclient_auth_info;
25186+struct netlogon_creds_cli_context *rpcclient_netlogon_creds;
25187
25188 /* List to hold groups of commands.
25189 *
25190@@ -797,6 +798,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
25191 }
25192 }
25193
25194+ rpcclient_netlogon_creds = cmd_entry->rpc_pipe->netlogon_creds;
25195+
25196 /* Run command */
25197
25198 if ( cmd_entry->returntype == RPC_RTYPE_NTSTATUS ) {
25199diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
25200index 219da2a..9288249 100644
25201--- a/source3/rpcclient/rpcclient.h
25202+++ b/source3/rpcclient/rpcclient.h
25203@@ -42,5 +42,6 @@ struct cmd_set {
25204 };
25205
25206 extern struct messaging_context *rpcclient_msg_ctx;
25207+extern struct netlogon_creds_cli_context *rpcclient_netlogon_creds;
25208
25209 #endif /* RPCCLIENT_H */
25210--
252111.9.3
25212
25213
25214From 849cb578d3aa38e7d6508353914d39501cd6b2c8 Mon Sep 17 00:00:00 2001
25215From: Stefan Metzmacher <metze@samba.org>
25216Date: Mon, 16 Sep 2013 18:57:09 +0200
25217Subject: [PATCH 191/249] s3:rpcclient: remove unused
25218 rpccli_netlogon_setup_creds() from cmd_netlogon_database_redo()
25219
25220rpccli_netlogon_setup_creds() is already called in the main do_cmd()
25221
25222Signed-off-by: Stefan Metzmacher <metze@samba.org>
25223Reviewed-by: Andrew Bartlett <abartlet@samba.org>
25224(cherry picked from commit fb13b002d599049f229d2014e1b94f82952b7150)
25225---
25226 source3/rpcclient/cmd_netlogon.c | 21 +--------------------
25227 1 file changed, 1 insertion(+), 20 deletions(-)
25228
25229diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
25230index 2e0b5e5..8a865a9 100644
25231--- a/source3/rpcclient/cmd_netlogon.c
25232+++ b/source3/rpcclient/cmd_netlogon.c
25233@@ -1141,12 +1141,8 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
25234 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
25235 NTSTATUS result;
25236 const char *server_name = cli->desthost;
25237- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
25238- NETLOGON_NEG_SUPPORTS_AES;
25239 struct netr_Authenticator clnt_creds, srv_cred;
25240 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
25241- unsigned char trust_passwd_hash[16];
25242- enum netr_SchannelType sec_channel_type = 0;
25243 struct netr_ChangeLogEntry e;
25244 uint32_t rid = 500;
25245 struct dcerpc_binding_handle *b = cli->binding_handle;
25246@@ -1161,25 +1157,10 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
25247 sscanf(argv[1], "%d", &rid);
25248 }
25249
25250- if (!secrets_fetch_trust_account_password(lp_workgroup(),
25251- trust_passwd_hash,
25252- NULL, &sec_channel_type)) {
25253+ if (cli->netlogon_creds == NULL) {
25254 return NT_STATUS_UNSUCCESSFUL;
25255 }
25256
25257- status = rpccli_netlogon_setup_creds(cli,
25258- server_name, /* server name */
25259- lp_workgroup(), /* domain */
25260- lp_netbios_name(), /* client name */
25261- lp_netbios_name(), /* machine account name */
25262- trust_passwd_hash,
25263- sec_channel_type,
25264- &neg_flags);
25265-
25266- if (!NT_STATUS_IS_OK(status)) {
25267- return status;
25268- }
25269-
25270 status = netlogon_creds_cli_lock(cli->netlogon_creds,
25271 mem_ctx, &creds);
25272 if (!NT_STATUS_IS_OK(status)) {
25273--
252741.9.3
25275
25276
25277From df5ce2ceb4c41e2a952cd9f011626028f8d230ff Mon Sep 17 00:00:00 2001
25278From: Stefan Metzmacher <metze@samba.org>
25279Date: Mon, 16 Sep 2013 19:00:22 +0200
25280Subject: [PATCH 192/249] s3:rpcclient: make use of rpcclient_netlogon_creds
25281 instead of cli->netlogon_creds
25282
25283Signed-off-by: Stefan Metzmacher <metze@samba.org>
25284Reviewed-by: Andrew Bartlett <abartlet@samba.org>
25285(cherry picked from commit 3bf77812e80b50f254af64e4935301719f78987e)
25286---
25287 source3/rpcclient/cmd_netlogon.c | 22 +++++++++++++++++-----
25288 1 file changed, 17 insertions(+), 5 deletions(-)
25289
25290diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
25291index 8a865a9..59e1e4e 100644
25292--- a/source3/rpcclient/cmd_netlogon.c
25293+++ b/source3/rpcclient/cmd_netlogon.c
25294@@ -633,7 +633,11 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
25295 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
25296 struct netlogon_creds_CredentialState *creds = NULL;
25297
25298- status = netlogon_creds_cli_lock(cli->netlogon_creds,
25299+ if (rpcclient_netlogon_creds == NULL) {
25300+ return NT_STATUS_UNSUCCESSFUL;
25301+ }
25302+
25303+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
25304 mem_ctx, &creds);
25305 if (!NT_STATUS_IS_OK(status)) {
25306 return status;
25307@@ -712,7 +716,11 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
25308 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
25309 struct netlogon_creds_CredentialState *creds = NULL;
25310
25311- status = netlogon_creds_cli_lock(cli->netlogon_creds,
25312+ if (rpcclient_netlogon_creds == NULL) {
25313+ return NT_STATUS_UNSUCCESSFUL;
25314+ }
25315+
25316+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
25317 mem_ctx, &creds);
25318 if (!NT_STATUS_IS_OK(status)) {
25319 return status;
25320@@ -1157,11 +1165,11 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
25321 sscanf(argv[1], "%d", &rid);
25322 }
25323
25324- if (cli->netlogon_creds == NULL) {
25325+ if (rpcclient_netlogon_creds == NULL) {
25326 return NT_STATUS_UNSUCCESSFUL;
25327 }
25328
25329- status = netlogon_creds_cli_lock(cli->netlogon_creds,
25330+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
25331 mem_ctx, &creds);
25332 if (!NT_STATUS_IS_OK(status)) {
25333 return status;
25334@@ -1223,7 +1231,11 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
25335
25336 ZERO_STRUCT(return_authenticator);
25337
25338- status = netlogon_creds_cli_lock(cli->netlogon_creds,
25339+ if (rpcclient_netlogon_creds == NULL) {
25340+ return NT_STATUS_UNSUCCESSFUL;
25341+ }
25342+
25343+ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
25344 mem_ctx, &creds);
25345 if (!NT_STATUS_IS_OK(status)) {
25346 return status;
25347--
253481.9.3
25349
25350
25351From 4e9d9abc0bae5ca08c3a91cc5d1b2bacffc6cbfc Mon Sep 17 00:00:00 2001
25352From: Stefan Metzmacher <metze@samba.org>
25353Date: Mon, 16 Sep 2013 19:59:11 +0200
25354Subject: [PATCH 193/249] s3:net_rpc: add net_context->netlogon_creds
25355
25356Signed-off-by: Stefan Metzmacher <metze@samba.org>
25357Reviewed-by: Andrew Bartlett <abartlet@samba.org>
25358(cherry picked from commit d1340c20b0900f54e2c73c4a363f45988b1ba097)
25359---
25360 source3/utils/net.h | 1 +
25361 source3/utils/net_rpc.c | 1 +
25362 2 files changed, 2 insertions(+)
25363
25364diff --git a/source3/utils/net.h b/source3/utils/net.h
25365index e97734a..ce19c57 100644
25366--- a/source3/utils/net.h
25367+++ b/source3/utils/net.h
25368@@ -90,6 +90,7 @@ struct net_context {
25369 bool smb_encrypt;
25370 struct libnetapi_ctx *netapi_ctx;
25371 struct messaging_context *msg_ctx;
25372+ struct netlogon_creds_cli_context *netlogon_creds;
25373
25374 bool display_usage;
25375 void *private_data;
25376diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
25377index 9de74c0..3bf3f30 100644
25378--- a/source3/utils/net_rpc.c
25379+++ b/source3/utils/net_rpc.c
25380@@ -201,6 +201,7 @@ int run_rpc_command(struct net_context *c,
25381 nt_errstr(nt_status) ));
25382 goto fail;
25383 }
25384+ c->netlogon_creds = pipe_hnd->netlogon_creds;
25385 } else {
25386 if (conn_flags & NET_FLAGS_SEAL) {
25387 nt_status = cli_rpc_pipe_open_generic_auth(
25388--
253891.9.3
25390
25391
25392From 7a4535c1e61de498230abd1f99bfe875ae59c2e0 Mon Sep 17 00:00:00 2001
25393From: Stefan Metzmacher <metze@samba.org>
25394Date: Sun, 15 Sep 2013 13:19:52 +0200
25395Subject: [PATCH 194/249] s3:libsmb: add trust_pw_change()
25396
25397This protects the password change using a domain specific g_lock,
25398so multiple parts 'net rpc', 'rpcclient', 'winbindd', 'wbinfo --change-secret'
25399even on multiple cluster nodes doesn't race anymore.
25400
25401Signed-off-by: Stefan Metzmacher <metze@samba.org>
25402Reviewed-by: Andrew Bartlett <abartlet@samba.org>
25403(cherry picked from commit 16c6e4992fa882207eeaff0a1c4d9fe217be48b7)
25404---
25405 source3/include/proto.h | 8 ++
25406 source3/libsmb/trusts_util.c | 179 +++++++++++++++++++++++++++++++++++++++++++
25407 2 files changed, 187 insertions(+)
25408
25409diff --git a/source3/include/proto.h b/source3/include/proto.h
25410index 216a377..edda119 100644
25411--- a/source3/include/proto.h
25412+++ b/source3/include/proto.h
25413@@ -984,6 +984,14 @@ void update_trustdom_cache( void );
25414 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
25415 TALLOC_CTX *mem_ctx,
25416 const char *domain) ;
25417+struct netlogon_creds_cli_context;
25418+struct messaging_context;
25419+struct dcerpc_binding_handle;
25420+NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
25421+ struct messaging_context *msg_ctx,
25422+ struct dcerpc_binding_handle *b,
25423+ const char *domain,
25424+ bool force);
25425
25426 /* The following definitions come from param/loadparm.c */
25427
25428diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
25429index 52fb481..b1bc006 100644
25430--- a/source3/libsmb/trusts_util.c
25431+++ b/source3/libsmb/trusts_util.c
25432@@ -20,12 +20,15 @@
25433
25434 #include "includes.h"
25435 #include "../libcli/auth/libcli_auth.h"
25436+#include "../libcli/auth/netlogon_creds_cli.h"
25437 #include "rpc_client/cli_netlogon.h"
25438 #include "rpc_client/cli_pipe.h"
25439 #include "../librpc/gen_ndr/ndr_netlogon.h"
25440 #include "secrets.h"
25441 #include "passdb.h"
25442 #include "libsmb/libsmb.h"
25443+#include "source3/include/messages.h"
25444+#include "source3/include/g_lock.h"
25445
25446 /*********************************************************
25447 Change the domain password on the PDC.
25448@@ -113,3 +116,179 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
25449
25450 return nt_status;
25451 }
25452+
25453+struct trust_pw_change_state {
25454+ struct g_lock_ctx *g_ctx;
25455+ char *g_lock_key;
25456+};
25457+
25458+static int trust_pw_change_state_destructor(struct trust_pw_change_state *state)
25459+{
25460+ g_lock_unlock(state->g_ctx, state->g_lock_key);
25461+ return 0;
25462+}
25463+
25464+NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
25465+ struct messaging_context *msg_ctx,
25466+ struct dcerpc_binding_handle *b,
25467+ const char *domain,
25468+ bool force)
25469+{
25470+ TALLOC_CTX *frame = talloc_stackframe();
25471+ struct trust_pw_change_state *state;
25472+ struct samr_Password current_nt_hash;
25473+ const struct samr_Password *previous_nt_hash = NULL;
25474+ enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
25475+ const char *account_name;
25476+ char *new_trust_passwd;
25477+ char *pwd;
25478+ struct dom_sid sid;
25479+ time_t pass_last_set_time;
25480+ struct timeval g_timeout = { 0, };
25481+ int timeout = 0;
25482+ struct timeval tv = { 0, };
25483+ NTSTATUS status;
25484+
25485+ state = talloc_zero(frame, struct trust_pw_change_state);
25486+ if (state == NULL) {
25487+ TALLOC_FREE(frame);
25488+ return NT_STATUS_NO_MEMORY;
25489+ }
25490+
25491+ state->g_ctx = g_lock_ctx_init(state, msg_ctx);
25492+ if (state->g_ctx == NULL) {
25493+ TALLOC_FREE(frame);
25494+ return NT_STATUS_NO_MEMORY;
25495+ }
25496+
25497+ state->g_lock_key = talloc_asprintf(state,
25498+ "trust_password_change_%s",
25499+ domain);
25500+ if (state->g_lock_key == NULL) {
25501+ TALLOC_FREE(frame);
25502+ return NT_STATUS_NO_MEMORY;
25503+ }
25504+
25505+ g_timeout = timeval_current_ofs(10, 0);
25506+ status = g_lock_lock(state->g_ctx,
25507+ state->g_lock_key,
25508+ G_LOCK_WRITE, g_timeout);
25509+ if (!NT_STATUS_IS_OK(status)) {
25510+ DEBUG(1, ("could not get g_lock on [%s]!\n",
25511+ state->g_lock_key));
25512+ TALLOC_FREE(frame);
25513+ return status;
25514+ }
25515+
25516+ talloc_set_destructor(state, trust_pw_change_state_destructor);
25517+
25518+ if (!get_trust_pw_hash(domain, current_nt_hash.hash,
25519+ &account_name,
25520+ &sec_channel_type)) {
25521+ DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
25522+ TALLOC_FREE(frame);
25523+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
25524+ }
25525+
25526+ switch (sec_channel_type) {
25527+ case SEC_CHAN_WKSTA:
25528+ pwd = secrets_fetch_machine_password(domain,
25529+ &pass_last_set_time,
25530+ NULL);
25531+ if (pwd == NULL) {
25532+ TALLOC_FREE(frame);
25533+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
25534+ }
25535+ break;
25536+ case SEC_CHAN_DOMAIN:
25537+ if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
25538+ TALLOC_FREE(frame);
25539+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
25540+ }
25541+ break;
25542+ default:
25543+ TALLOC_FREE(frame);
25544+ return NT_STATUS_NOT_SUPPORTED;
25545+ }
25546+
25547+ timeout = lp_machine_password_timeout();
25548+ if (timeout == 0) {
25549+ if (!force) {
25550+ DEBUG(10,("machine password never expires\n"));
25551+ TALLOC_FREE(frame);
25552+ return NT_STATUS_OK;
25553+ }
25554+ }
25555+
25556+ tv.tv_sec = pass_last_set_time;
25557+ DEBUG(10, ("password last changed %s\n",
25558+ timeval_string(talloc_tos(), &tv, false)));
25559+ tv.tv_sec += timeout;
25560+ DEBUGADD(10, ("password valid until %s\n",
25561+ timeval_string(talloc_tos(), &tv, false)));
25562+
25563+ if (!force && !timeval_expired(&tv)) {
25564+ TALLOC_FREE(frame);
25565+ return NT_STATUS_OK;
25566+ }
25567+
25568+ /* Create a random machine account password */
25569+ new_trust_passwd = generate_random_password(frame,
25570+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
25571+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
25572+ if (new_trust_passwd == NULL) {
25573+ DEBUG(0, ("generate_random_password failed\n"));
25574+ TALLOC_FREE(frame);
25575+ return NT_STATUS_NO_MEMORY;
25576+ }
25577+
25578+ status = netlogon_creds_cli_auth(context, b,
25579+ current_nt_hash,
25580+ previous_nt_hash);
25581+ if (!NT_STATUS_IS_OK(status)) {
25582+ TALLOC_FREE(frame);
25583+ return status;
25584+ }
25585+
25586+ status = netlogon_creds_cli_ServerPasswordSet(context, b,
25587+ new_trust_passwd, NULL);
25588+ if (!NT_STATUS_IS_OK(status)) {
25589+ TALLOC_FREE(frame);
25590+ return status;
25591+ }
25592+
25593+ DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
25594+ current_timestring(talloc_tos(), False)));
25595+
25596+ /*
25597+ * Return the result of trying to write the new password
25598+ * back into the trust account file.
25599+ */
25600+
25601+ switch (sec_channel_type) {
25602+
25603+ case SEC_CHAN_WKSTA:
25604+ if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
25605+ TALLOC_FREE(frame);
25606+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
25607+ }
25608+ break;
25609+
25610+ case SEC_CHAN_DOMAIN:
25611+ /*
25612+ * we need to get the sid first for the
25613+ * pdb_set_trusteddom_pw call
25614+ */
25615+ if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
25616+ TALLOC_FREE(frame);
25617+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
25618+ }
25619+ break;
25620+
25621+ default:
25622+ break;
25623+ }
25624+
25625+ TALLOC_FREE(frame);
25626+ return NT_STATUS_OK;
25627+}
25628--
256291.9.3
25630
25631
25632From 09dae290b1d49a30eef5b93f5260dc44fb628437 Mon Sep 17 00:00:00 2001
25633From: Stefan Metzmacher <metze@samba.org>
25634Date: Mon, 16 Sep 2013 18:33:51 +0200
25635Subject: [PATCH 195/249] s3:rpcclient: make use of trust_pw_change()
25636
25637Signed-off-by: Stefan Metzmacher <metze@samba.org>
25638Reviewed-by: Andrew Bartlett <abartlet@samba.org>
25639(cherry picked from commit a9281e6570fcc5ff5abe3149615bed7029d1cf71)
25640---
25641 source3/rpcclient/cmd_netlogon.c | 10 +++++-----
25642 1 file changed, 5 insertions(+), 5 deletions(-)
25643
25644diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
25645index 59e1e4e..000d65c 100644
25646--- a/source3/rpcclient/cmd_netlogon.c
25647+++ b/source3/rpcclient/cmd_netlogon.c
25648@@ -829,11 +829,11 @@ static NTSTATUS cmd_netlogon_change_trust_pw(struct rpc_pipe_client *cli,
25649 return NT_STATUS_OK;
25650 }
25651
25652- /* Perform the sam logon */
25653-
25654- result = trust_pw_find_change_and_store_it(cli, mem_ctx,
25655- lp_workgroup());
25656-
25657+ result = trust_pw_change(rpcclient_netlogon_creds,
25658+ rpcclient_msg_ctx,
25659+ cli->binding_handle,
25660+ lp_workgroup(),
25661+ true); /* force */
25662 if (!NT_STATUS_IS_OK(result))
25663 goto done;
25664
25665--
256661.9.3
25667
25668
25669From 3731b2163f6bb88922a9fa84e60fa48afbbbda9a Mon Sep 17 00:00:00 2001
25670From: Stefan Metzmacher <metze@samba.org>
25671Date: Mon, 16 Sep 2013 18:34:48 +0200
25672Subject: [PATCH 196/249] s3:net_rpc: make use of trust_pw_change()
25673
25674Signed-off-by: Stefan Metzmacher <metze@samba.org>
25675Reviewed-by: Andrew Bartlett <abartlet@samba.org>
25676(cherry picked from commit cfd139347c21f4f4ddd16026c2c8c221feabd6c5)
25677---
25678 source3/utils/net_rpc.c | 6 +++++-
25679 1 file changed, 5 insertions(+), 1 deletion(-)
25680
25681diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
25682index 3bf3f30..ba49f3e 100644
25683--- a/source3/utils/net_rpc.c
25684+++ b/source3/utils/net_rpc.c
25685@@ -279,7 +279,11 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
25686 {
25687 NTSTATUS status;
25688
25689- status = trust_pw_find_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup);
25690+ status = trust_pw_change(c->netlogon_creds,
25691+ c->msg_ctx,
25692+ pipe_hnd->binding_handle,
25693+ c->opt_target_workgroup,
25694+ true); /* force */
25695 if (!NT_STATUS_IS_OK(status)) {
25696 d_fprintf(stderr, _("Failed to change machine account password: %s\n"),
25697 nt_errstr(status));
25698--
256991.9.3
25700
25701
25702From cd8fdfc923adcc5b6c700ec52d1bba4643079247 Mon Sep 17 00:00:00 2001
25703From: Stefan Metzmacher <metze@samba.org>
25704Date: Mon, 16 Sep 2013 18:35:39 +0200
25705Subject: [PATCH 197/249] s3:winbindd: use invalidate_cm_connection() to kill
25706 the netlogon connection
25707
25708Signed-off-by: Stefan Metzmacher <metze@samba.org>
25709Reviewed-by: Andrew Bartlett <abartlet@samba.org>
25710(cherry picked from commit dbd49d90bbf175525557eaa983ad57ca5076d710)
25711---
25712 source3/winbindd/winbindd_dual.c | 2 +-
25713 1 file changed, 1 insertion(+), 1 deletion(-)
25714
25715diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
25716index 64af571..b26cdca 100644
25717--- a/source3/winbindd/winbindd_dual.c
25718+++ b/source3/winbindd/winbindd_dual.c
25719@@ -1056,7 +1056,7 @@ static void machine_password_change_handler(struct tevent_context *ctx,
25720 "password was changed and we didn't know it. "
25721 "Killing connections to domain %s\n",
25722 child->domain->name));
25723- TALLOC_FREE(child->domain->conn.netlogon_pipe);
25724+ invalidate_cm_connection(&child->domain->conn);
25725 }
25726
25727 if (!calculate_next_machine_pwd_change(child->domain->name,
25728--
257291.9.3
25730
25731
25732From 6369757af75412746c0d9950971a77be72826b92 Mon Sep 17 00:00:00 2001
25733From: Stefan Metzmacher <metze@samba.org>
25734Date: Mon, 16 Sep 2013 18:36:43 +0200
25735Subject: [PATCH 198/249] s3:winbindd: make use of trust_pw_change() for
25736 periodic password changes
25737
25738Signed-off-by: Stefan Metzmacher <metze@samba.org>
25739Reviewed-by: Andrew Bartlett <abartlet@samba.org>
25740(cherry picked from commit 57741dd4ba5a9ed3abf7aad35a2a69fd66b49b4b)
25741---
25742 source3/winbindd/winbindd_dual.c | 16 ++++++++--------
25743 1 file changed, 8 insertions(+), 8 deletions(-)
25744
25745diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
25746index b26cdca..1d6a5ba 100644
25747--- a/source3/winbindd/winbindd_dual.c
25748+++ b/source3/winbindd/winbindd_dual.c
25749@@ -29,6 +29,7 @@
25750
25751 #include "includes.h"
25752 #include "winbindd.h"
25753+#include "rpc_client/rpc_client.h"
25754 #include "nsswitch/wb_reqtrans.h"
25755 #include "secrets.h"
25756 #include "../lib/util/select.h"
25757@@ -999,10 +1000,10 @@ static void machine_password_change_handler(struct tevent_context *ctx,
25758 struct timeval now,
25759 void *private_data)
25760 {
25761+ struct messaging_context *msg_ctx = winbind_messaging_context();
25762 struct winbindd_child *child =
25763 (struct winbindd_child *)private_data;
25764 struct rpc_pipe_client *netlogon_pipe = NULL;
25765- TALLOC_CTX *frame;
25766 NTSTATUS result;
25767 struct timeval next_change;
25768
25769@@ -1039,15 +1040,14 @@ static void machine_password_change_handler(struct tevent_context *ctx,
25770 return;
25771 }
25772
25773- frame = talloc_stackframe();
25774-
25775- result = trust_pw_find_change_and_store_it(netlogon_pipe,
25776- frame,
25777- child->domain->name);
25778- TALLOC_FREE(frame);
25779+ result = trust_pw_change(child->domain->conn.netlogon_creds,
25780+ msg_ctx,
25781+ netlogon_pipe->binding_handle,
25782+ child->domain->name,
25783+ false); /* force */
25784
25785 DEBUG(10, ("machine_password_change_handler: "
25786- "trust_pw_find_change_and_store_it returned %s\n",
25787+ "trust_pw_change returned %s\n",
25788 nt_errstr(result)));
25789
25790 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
25791--
257921.9.3
25793
25794
25795From 5fe11c760d853dff63ad9b3505f3d3721b7e14f6 Mon Sep 17 00:00:00 2001
25796From: Stefan Metzmacher <metze@samba.org>
25797Date: Mon, 16 Sep 2013 18:37:34 +0200
25798Subject: [PATCH 199/249] s3:winbindd: make use of trust_pw_change() in
25799 _wbint_ChangeMachineAccount()
25800
25801Signed-off-by: Stefan Metzmacher <metze@samba.org>
25802Reviewed-by: Andrew Bartlett <abartlet@samba.org>
25803(cherry picked from commit 3c30e19c4a0e60e355b2f1d35edbb0a3b7688089)
25804---
25805 source3/winbindd/winbindd_dual_srv.c | 35 +++++++----------------------------
25806 1 file changed, 7 insertions(+), 28 deletions(-)
25807
25808diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
25809index 001591a..f064467 100644
25810--- a/source3/winbindd/winbindd_dual_srv.c
25811+++ b/source3/winbindd/winbindd_dual_srv.c
25812@@ -622,48 +622,27 @@ again:
25813 NTSTATUS _wbint_ChangeMachineAccount(struct pipes_struct *p,
25814 struct wbint_ChangeMachineAccount *r)
25815 {
25816+ struct messaging_context *msg_ctx = winbind_messaging_context();
25817 struct winbindd_domain *domain;
25818- int num_retries = 0;
25819 NTSTATUS status;
25820 struct rpc_pipe_client *netlogon_pipe;
25821- TALLOC_CTX *tmp_ctx;
25822
25823-again:
25824 domain = wb_child_domain();
25825 if (domain == NULL) {
25826 return NT_STATUS_REQUEST_NOT_ACCEPTED;
25827 }
25828
25829- invalidate_cm_connection(&domain->conn);
25830-
25831- {
25832- status = cm_connect_netlogon(domain, &netlogon_pipe);
25833- }
25834-
25835- /* There is a race condition between fetching the trust account
25836- password and the periodic machine password change. So it's
25837- possible that the trust account password has been changed on us.
25838- We are returned NT_STATUS_ACCESS_DENIED if this happens. */
25839-
25840-#define MAX_RETRIES 3
25841-
25842- if ((num_retries < MAX_RETRIES)
25843- && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
25844- num_retries++;
25845- goto again;
25846- }
25847-
25848+ status = cm_connect_netlogon(domain, &netlogon_pipe);
25849 if (!NT_STATUS_IS_OK(status)) {
25850 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
25851 goto done;
25852 }
25853
25854- tmp_ctx = talloc_new(p->mem_ctx);
25855-
25856- status = trust_pw_find_change_and_store_it(netlogon_pipe,
25857- tmp_ctx,
25858- domain->name);
25859- talloc_destroy(tmp_ctx);
25860+ status = trust_pw_change(domain->conn.netlogon_creds,
25861+ msg_ctx,
25862+ netlogon_pipe->binding_handle,
25863+ domain->name,
25864+ true); /* force */
25865
25866 /* Pass back result code - zero for success, other values for
25867 specific failures. */
25868--
258691.9.3
25870
25871
25872From 9956ea8b561da89fb79739dd8a8552116c7867f7 Mon Sep 17 00:00:00 2001
25873From: Stefan Metzmacher <metze@samba.org>
25874Date: Mon, 16 Sep 2013 18:39:52 +0200
25875Subject: [PATCH 200/249] s3:libsmb: remove unused
25876 trust_pw_find_change_and_store_it()
25877
25878Signed-off-by: Stefan Metzmacher <metze@samba.org>
25879Reviewed-by: Andrew Bartlett <abartlet@samba.org>
25880(cherry picked from commit a8ecebe3e840005c81df043cb07773972aaa2371)
25881---
25882 source3/include/proto.h | 3 --
25883 source3/libsmb/trusts_util.c | 81 --------------------------------------------
25884 2 files changed, 84 deletions(-)
25885
25886diff --git a/source3/include/proto.h b/source3/include/proto.h
25887index edda119..18348e5 100644
25888--- a/source3/include/proto.h
25889+++ b/source3/include/proto.h
25890@@ -981,9 +981,6 @@ void update_trustdom_cache( void );
25891
25892 /* The following definitions come from libsmb/trusts_util.c */
25893
25894-NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
25895- TALLOC_CTX *mem_ctx,
25896- const char *domain) ;
25897 struct netlogon_creds_cli_context;
25898 struct messaging_context;
25899 struct dcerpc_binding_handle;
25900diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
25901index b1bc006..b38aec6 100644
25902--- a/source3/libsmb/trusts_util.c
25903+++ b/source3/libsmb/trusts_util.c
25904@@ -36,87 +36,6 @@
25905 already setup the connection to the NETLOGON pipe
25906 **********************************************************/
25907
25908-NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
25909- TALLOC_CTX *mem_ctx,
25910- const char *domain)
25911-{
25912- unsigned char old_trust_passwd_hash[16];
25913- unsigned char new_trust_passwd_hash[16];
25914- enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
25915- const char *account_name;
25916- char *new_trust_passwd;
25917- NTSTATUS nt_status;
25918-
25919- if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
25920- &sec_channel_type)) {
25921- DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
25922- return NT_STATUS_UNSUCCESSFUL;
25923- }
25924-
25925- switch (sec_channel_type) {
25926- case SEC_CHAN_WKSTA:
25927- case SEC_CHAN_DOMAIN:
25928- break;
25929- default:
25930- return NT_STATUS_NOT_SUPPORTED;
25931- }
25932-
25933- /* Create a random machine account password */
25934- new_trust_passwd = generate_random_password(mem_ctx,
25935- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
25936- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
25937- if (new_trust_passwd == NULL) {
25938- DEBUG(0, ("generate_random_password failed\n"));
25939- return NT_STATUS_NO_MEMORY;
25940- }
25941-
25942- E_md4hash(new_trust_passwd, new_trust_passwd_hash);
25943-
25944- nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
25945- account_name,
25946- old_trust_passwd_hash,
25947- new_trust_passwd,
25948- new_trust_passwd_hash,
25949- sec_channel_type);
25950-
25951- if (NT_STATUS_IS_OK(nt_status)) {
25952- DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
25953- current_timestring(talloc_tos(), False)));
25954- /*
25955- * Return the result of trying to write the new password
25956- * back into the trust account file.
25957- */
25958-
25959- switch (sec_channel_type) {
25960-
25961- case SEC_CHAN_WKSTA:
25962- if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
25963- nt_status = NT_STATUS_UNSUCCESSFUL;
25964- }
25965- break;
25966-
25967- case SEC_CHAN_DOMAIN: {
25968- char *pwd;
25969- struct dom_sid sid;
25970- time_t pass_last_set_time;
25971-
25972- /* we need to get the sid first for the
25973- * pdb_set_trusteddom_pw call */
25974-
25975- if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
25976- nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
25977- }
25978- if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
25979- nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
25980- }
25981- break;
25982- }
25983- }
25984- }
25985-
25986- return nt_status;
25987-}
25988-
25989 struct trust_pw_change_state {
25990 struct g_lock_ctx *g_ctx;
25991 char *g_lock_key;
25992--
259931.9.3
25994
25995
25996From f71cb73d7f034165802aad97e9be6f45ba32d519 Mon Sep 17 00:00:00 2001
25997From: Stefan Metzmacher <metze@samba.org>
25998Date: Mon, 16 Sep 2013 19:19:39 +0200
25999Subject: [PATCH 201/249] s3:libnet: pass in struct netlogon_creds_cli_context
26000 from the caller.
26001
26002Signed-off-by: Stefan Metzmacher <metze@samba.org>
26003Reviewed-by: Andrew Bartlett <abartlet@samba.org>
26004(cherry picked from commit 77defb175e3ffd1b096485ac7de38ad161594b72)
26005---
26006 source3/libnet/libnet_samsync.c | 2 +-
26007 source3/libnet/libnet_samsync.h | 1 +
26008 source3/utils/net_rpc_samsync.c | 1 +
26009 3 files changed, 3 insertions(+), 1 deletion(-)
26010
26011diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
26012index 02d3fc6..e7e1393 100644
26013--- a/source3/libnet/libnet_samsync.c
26014+++ b/source3/libnet/libnet_samsync.c
26015@@ -216,7 +216,7 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
26016 struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
26017 struct netlogon_creds_CredentialState *creds = NULL;
26018
26019- status = netlogon_creds_cli_lock(ctx->cli->netlogon_creds,
26020+ status = netlogon_creds_cli_lock(ctx->netlogon_creds,
26021 mem_ctx, &creds);
26022 if (!NT_STATUS_IS_OK(status)) {
26023 return status;
26024diff --git a/source3/libnet/libnet_samsync.h b/source3/libnet/libnet_samsync.h
26025index efdbb37..e1d66ec 100644
26026--- a/source3/libnet/libnet_samsync.h
26027+++ b/source3/libnet/libnet_samsync.h
26028@@ -75,6 +75,7 @@ struct samsync_context {
26029 struct samsync_object *objects;
26030
26031 struct rpc_pipe_client *cli;
26032+ struct netlogon_creds_cli_context *netlogon_creds;
26033 struct messaging_context *msg_ctx;
26034
26035 const struct samsync_ops *ops;
26036diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
26037index 772651f..6377ad4 100644
26038--- a/source3/utils/net_rpc_samsync.c
26039+++ b/source3/utils/net_rpc_samsync.c
26040@@ -129,6 +129,7 @@ NTSTATUS rpc_samdump_internals(struct net_context *c,
26041
26042 ctx->mode = NET_SAMSYNC_MODE_DUMP;
26043 ctx->cli = pipe_hnd;
26044+ ctx->netlogon_creds = c->netlogon_creds;
26045 ctx->ops = &libnet_samsync_display_ops;
26046 ctx->domain_name = domain_name;
26047
26048--
260491.9.3
26050
26051
26052From acb678ce415403e1442116b32eb8b8b32b677f4a Mon Sep 17 00:00:00 2001
26053From: Stefan Metzmacher <metze@samba.org>
26054Date: Mon, 16 Sep 2013 20:51:25 +0200
26055Subject: [PATCH 202/249] s3:rpcclient: make use of
26056 rpccli_{create,setup}_netlogon_creds()
26057
26058Signed-off-by: Stefan Metzmacher <metze@samba.org>
26059Reviewed-by: Andrew Bartlett <abartlet@samba.org>
26060(cherry picked from commit 5107ca02a41673739a1fc4a1c2a0fbe8465f211a)
26061---
26062 source3/rpcclient/rpcclient.c | 59 ++++++++++++++++++++++++++++++-------------
26063 1 file changed, 41 insertions(+), 18 deletions(-)
26064
26065diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
26066index a875ff5..490f8df 100644
26067--- a/source3/rpcclient/rpcclient.c
26068+++ b/source3/rpcclient/rpcclient.c
26069@@ -676,6 +676,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
26070 {
26071 NTSTATUS ntresult;
26072 WERROR wresult;
26073+ bool ok;
26074
26075 TALLOC_CTX *mem_ctx;
26076
26077@@ -759,17 +760,20 @@ static NTSTATUS do_cmd(struct cli_state *cli,
26078 return ntresult;
26079 }
26080
26081- if (ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
26082- &ndr_table_netlogon.syntax_id)) {
26083- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
26084- NETLOGON_NEG_SUPPORTS_AES;
26085- enum netr_SchannelType sec_channel_type;
26086- uchar trust_password[16];
26087- const char *machine_account;
26088+ ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
26089+ &ndr_table_netlogon.syntax_id);
26090+ if (cmd_entry->rpc_pipe->netlogon_creds == NULL && ok) {
26091+ const char *dc_name = cmd_entry->rpc_pipe->desthost;
26092+ const char *domain = get_cmdline_auth_info_domain(auth_info);
26093+ enum netr_SchannelType sec_chan_type = 0;
26094+ const char *_account_name = NULL;
26095+ const char *account_name = NULL;
26096+ struct samr_Password current_nt_hash;
26097+ struct samr_Password *previous_nt_hash = NULL;
26098
26099 if (!get_trust_pw_hash(get_cmdline_auth_info_domain(auth_info),
26100- trust_password, &machine_account,
26101- &sec_channel_type))
26102+ current_nt_hash.hash, &_account_name,
26103+ &sec_chan_type))
26104 {
26105 DEBUG(0, ("Failed to fetch trust password for %s to connect to %s.\n",
26106 get_cmdline_auth_info_domain(auth_info),
26107@@ -779,22 +783,41 @@ static NTSTATUS do_cmd(struct cli_state *cli,
26108 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
26109 }
26110
26111- ntresult = rpccli_netlogon_setup_creds(cmd_entry->rpc_pipe,
26112- cmd_entry->rpc_pipe->desthost, /* server name */
26113- get_cmdline_auth_info_domain(auth_info), /* domain */
26114- lp_netbios_name(), /* client name */
26115- machine_account, /* machine account name */
26116- trust_password,
26117- sec_channel_type,
26118- &neg_flags);
26119+ account_name = talloc_asprintf(mem_ctx, "%s$", _account_name);
26120+ if (account_name == NULL) {
26121+ SAFE_FREE(previous_nt_hash);
26122+ TALLOC_FREE(mem_ctx);
26123+ return NT_STATUS_NO_MEMORY;
26124+ }
26125+
26126+ ntresult = rpccli_create_netlogon_creds(dc_name,
26127+ domain,
26128+ account_name,
26129+ sec_chan_type,
26130+ rpcclient_msg_ctx,
26131+ talloc_autofree_context(),
26132+ &rpcclient_netlogon_creds);
26133+ if (!NT_STATUS_IS_OK(ntresult)) {
26134+ SAFE_FREE(previous_nt_hash);
26135+ TALLOC_FREE(mem_ctx);
26136+ return ntresult;
26137+ }
26138
26139+ ntresult = rpccli_setup_netlogon_creds(cli,
26140+ rpcclient_netlogon_creds,
26141+ false, /* force_reauth */
26142+ current_nt_hash,
26143+ previous_nt_hash);
26144+ SAFE_FREE(previous_nt_hash);
26145 if (!NT_STATUS_IS_OK(ntresult)) {
26146 DEBUG(0, ("Could not initialise credentials for %s.\n",
26147 cmd_entry->table->name));
26148 TALLOC_FREE(cmd_entry->rpc_pipe);
26149- talloc_free(mem_ctx);
26150+ TALLOC_FREE(rpcclient_netlogon_creds);
26151+ TALLOC_FREE(mem_ctx);
26152 return ntresult;
26153 }
26154+ cmd_entry->rpc_pipe->netlogon_creds = rpcclient_netlogon_creds;
26155 }
26156 }
26157
26158--
261591.9.3
26160
26161
26162From b04744971aa9cc696aa4a3c56dd46d58db8dda75 Mon Sep 17 00:00:00 2001
26163From: Garming Sam <garming@catalyst.net.nz>
26164Date: Fri, 29 Nov 2013 14:45:20 +1300
26165Subject: [PATCH 203/249] s3:rpcclient: give errors and clean up correctly
26166 after failing to obtain secret
26167
26168Signed-off-by: Garming Sam <garming@catalyst.net.nz>
26169Reviewed-by: Stefan Metzmacher <metze@samba.org>
26170Reviewed-by: Andrew Bartlett <abartlet@samba.org>
26171(cherry picked from commit a012e2fdd6733e871ddeb68874a2df8413ad91ed)
26172---
26173 source3/rpcclient/rpcclient.c | 6 ++++++
26174 1 file changed, 6 insertions(+)
26175
26176diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
26177index 490f8df..fd3ebdf 100644
26178--- a/source3/rpcclient/rpcclient.c
26179+++ b/source3/rpcclient/rpcclient.c
26180@@ -785,6 +785,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
26181
26182 account_name = talloc_asprintf(mem_ctx, "%s$", _account_name);
26183 if (account_name == NULL) {
26184+ DEBUG(0, ("Out of memory creating account name to connect to %s.\n",
26185+ cmd_entry->table->name));
26186+ TALLOC_FREE(cmd_entry->rpc_pipe);
26187 SAFE_FREE(previous_nt_hash);
26188 TALLOC_FREE(mem_ctx);
26189 return NT_STATUS_NO_MEMORY;
26190@@ -798,6 +801,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
26191 talloc_autofree_context(),
26192 &rpcclient_netlogon_creds);
26193 if (!NT_STATUS_IS_OK(ntresult)) {
26194+ DEBUG(0, ("Could not initialise credentials for %s.\n",
26195+ cmd_entry->table->name));
26196+ TALLOC_FREE(cmd_entry->rpc_pipe);
26197 SAFE_FREE(previous_nt_hash);
26198 TALLOC_FREE(mem_ctx);
26199 return ntresult;
26200--
262011.9.3
26202
26203
26204From 564e6df9361025ff7da6fa92d83491cfd9e60b2b Mon Sep 17 00:00:00 2001
26205From: Stefan Metzmacher <metze@samba.org>
26206Date: Tue, 17 Sep 2013 00:46:09 +0200
26207Subject: [PATCH 204/249] s3:rpcclient: remove optional auth_level parameter of
26208 the 'samlogon' cmd
26209
26210Signed-off-by: Stefan Metzmacher <metze@samba.org>
26211Reviewed-by: Andrew Bartlett <abartlet@samba.org>
26212(cherry picked from commit 4c99e49898151a514e334a07f38eed83fe608c05)
26213---
26214 source3/rpcclient/cmd_netlogon.c | 11 ++++-------
26215 1 file changed, 4 insertions(+), 7 deletions(-)
26216
26217diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
26218index 000d65c..97b79cb 100644
26219--- a/source3/rpcclient/cmd_netlogon.c
26220+++ b/source3/rpcclient/cmd_netlogon.c
26221@@ -782,9 +782,9 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
26222
26223 /* Check arguments */
26224
26225- if (argc < 3 || argc > 7) {
26226+ if (argc < 3 || argc > 6) {
26227 fprintf(stderr, "Usage: samlogon <username> <password> [workstation]"
26228- "[logon_type (1 or 2)] [auth level (2 or 3)] [logon_parameter]\n");
26229+ "[logon_type (1 or 2)] [logon_parameter]\n");
26230 return NT_STATUS_OK;
26231 }
26232
26233@@ -797,11 +797,8 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
26234 if (argc >= 5)
26235 sscanf(argv[4], "%i", &logon_type);
26236
26237- if (argc >= 6)
26238- validation_level = atoi(argv[5]);
26239-
26240- if (argc == 7)
26241- sscanf(argv[6], "%x", &logon_param);
26242+ if (argc == 6)
26243+ sscanf(argv[5], "%x", &logon_param);
26244
26245 /* Perform the sam logon */
26246
26247--
262481.9.3
26249
26250
26251From a61d399c13c9f46e283f85f3d076b0607c2729f3 Mon Sep 17 00:00:00 2001
26252From: Stefan Metzmacher <metze@samba.org>
26253Date: Tue, 17 Sep 2013 00:48:31 +0200
26254Subject: [PATCH 205/249] s3:rpcclient: make use of
26255 rpccli_netlogon_password_logon() in the 'samlogon' cmd
26256
26257Signed-off-by: Stefan Metzmacher <metze@samba.org>
26258Reviewed-by: Andrew Bartlett <abartlet@samba.org>
26259(cherry picked from commit c6bb47f2f199cc13101dccf656ac36e9eb879201)
26260---
26261 source3/rpcclient/cmd_netlogon.c | 11 ++++++++---
26262 1 file changed, 8 insertions(+), 3 deletions(-)
26263
26264diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
26265index 97b79cb..b637b3e 100644
26266--- a/source3/rpcclient/cmd_netlogon.c
26267+++ b/source3/rpcclient/cmd_netlogon.c
26268@@ -776,7 +776,6 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
26269 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
26270 int logon_type = NetlogonNetworkInformation;
26271 const char *username, *password;
26272- uint16_t validation_level = 3;
26273 uint32 logon_param = 0;
26274 const char *workstation = NULL;
26275
26276@@ -802,8 +801,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
26277
26278 /* Perform the sam logon */
26279
26280- result = rpccli_netlogon_sam_logon(cli, mem_ctx, logon_param, lp_workgroup(), username, password, workstation, validation_level, logon_type);
26281-
26282+ result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
26283+ cli->binding_handle,
26284+ logon_param,
26285+ lp_workgroup(),
26286+ username,
26287+ password,
26288+ workstation,
26289+ logon_type);
26290 if (!NT_STATUS_IS_OK(result))
26291 goto done;
26292
26293--
262941.9.3
26295
26296
26297From fbe0154a63d401acd47c5190be37b8d69d3d64ba Mon Sep 17 00:00:00 2001
26298From: Stefan Metzmacher <metze@samba.org>
26299Date: Tue, 17 Sep 2013 00:56:15 +0200
26300Subject: [PATCH 206/249] s3:winbindd: make use of
26301 rpccli_netlogon_network_logon()
26302
26303Signed-off-by: Stefan Metzmacher <metze@samba.org>
26304Reviewed-by: Andrew Bartlett <abartlet@samba.org>
26305(cherry picked from commit a34c837fdb59df1e66be9b5f23a07990e34fea1c)
26306---
26307 source3/winbindd/winbindd_pam.c | 28 +++++++++++++++-------------
26308 1 file changed, 15 insertions(+), 13 deletions(-)
26309
26310diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
26311index 39483a5..3f3ec70 100644
26312--- a/source3/winbindd/winbindd_pam.c
26313+++ b/source3/winbindd/winbindd_pam.c
26314@@ -1228,6 +1228,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
26315
26316 do {
26317 struct rpc_pipe_client *netlogon_pipe;
26318+ uint8_t authoritative = 0;
26319+ uint32_t flags = 0;
26320
26321 ZERO_STRUCTP(info3);
26322 retry = false;
26323@@ -1276,19 +1278,19 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
26324 }
26325 netr_attempts = 0;
26326
26327- result = rpccli_netlogon_sam_network_logon(
26328- netlogon_pipe,
26329- mem_ctx,
26330- logon_parameters,
26331- server, /* server name */
26332- username, /* user name */
26333- domainname, /* target domain */
26334- workstation, /* workstation */
26335- chal,
26336- -1, /* ignored */
26337- lm_response,
26338- nt_response,
26339- info3);
26340+ result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
26341+ netlogon_pipe->binding_handle,
26342+ mem_ctx,
26343+ logon_parameters,
26344+ username,
26345+ domainname,
26346+ workstation,
26347+ chal,
26348+ lm_response,
26349+ nt_response,
26350+ &authoritative,
26351+ &flags,
26352+ info3);
26353
26354 /*
26355 * we increment this after the "feature negotiation"
26356--
263571.9.3
26358
26359
26360From cfcb681d6f80253b6f2db769f5c5be1ffb54cc0e Mon Sep 17 00:00:00 2001
26361From: Stefan Metzmacher <metze@samba.org>
26362Date: Mon, 16 Sep 2013 20:53:51 +0200
26363Subject: [PATCH 207/249] s3:rpc_client: make cli_rpc_pipe_open_schannel() more
26364 flexible
26365
26366It expects a messaging_context now
26367and returns a netlogon_creds_cli_context.
26368
26369This way we can finally avoid having a rpc_pipe_client->netlogon_creds.
26370
26371Signed-off-by: Stefan Metzmacher <metze@samba.org>
26372Reviewed-by: Andrew Bartlett <abartlet@samba.org>
26373(cherry picked from commit 660150b12a637da7f9ebb820e687f27ac22fb93a)
26374---
26375 source3/rpc_client/cli_pipe.h | 5 ++++-
26376 source3/rpc_client/cli_pipe_schannel.c | 9 +++++++--
26377 source3/rpcclient/rpcclient.c | 13 +++++++------
26378 source3/utils/net_rpc.c | 6 +++---
26379 4 files changed, 21 insertions(+), 12 deletions(-)
26380
26381diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
26382index 2a76130..b704d8a 100644
26383--- a/source3/rpc_client/cli_pipe.h
26384+++ b/source3/rpc_client/cli_pipe.h
26385@@ -99,11 +99,14 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
26386 struct rpc_pipe_client **presult);
26387
26388 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
26389+ struct messaging_context *msg_ctx,
26390 const struct ndr_interface_table *table,
26391 enum dcerpc_transport_t transport,
26392 enum dcerpc_AuthLevel auth_level,
26393 const char *domain,
26394- struct rpc_pipe_client **presult);
26395+ struct rpc_pipe_client **presult,
26396+ TALLOC_CTX *mem_ctx,
26397+ struct netlogon_creds_cli_context **pcreds);
26398
26399 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
26400 struct rpc_pipe_client *cli,
26401diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
26402index 1fcf62e..a842333 100644
26403--- a/source3/rpc_client/cli_pipe_schannel.c
26404+++ b/source3/rpc_client/cli_pipe_schannel.c
26405@@ -38,14 +38,16 @@
26406 ****************************************************************************/
26407
26408 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
26409+ struct messaging_context *msg_ctx,
26410 const struct ndr_interface_table *table,
26411 enum dcerpc_transport_t transport,
26412 enum dcerpc_AuthLevel auth_level,
26413 const char *domain,
26414- struct rpc_pipe_client **presult)
26415+ struct rpc_pipe_client **presult,
26416+ TALLOC_CTX *mem_ctx,
26417+ struct netlogon_creds_cli_context **pcreds)
26418 {
26419 TALLOC_CTX *frame = talloc_stackframe();
26420- struct messaging_context *msg_ctx = NULL;
26421 const char *dc_name = smbXcli_conn_remote_name(cli->conn);
26422 struct rpc_pipe_client *result = NULL;
26423 NTSTATUS status;
26424@@ -121,6 +123,9 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
26425
26426 if (NT_STATUS_IS_OK(status)) {
26427 *presult = result;
26428+ if (pcreds != NULL) {
26429+ *pcreds = talloc_move(mem_ctx, &netlogon_creds);
26430+ }
26431 }
26432
26433 TALLOC_FREE(frame);
26434diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
26435index fd3ebdf..43343e8 100644
26436--- a/source3/rpcclient/rpcclient.c
26437+++ b/source3/rpcclient/rpcclient.c
26438@@ -737,12 +737,16 @@ static NTSTATUS do_cmd(struct cli_state *cli,
26439 &cmd_entry->rpc_pipe);
26440 break;
26441 case DCERPC_AUTH_TYPE_SCHANNEL:
26442+ TALLOC_FREE(rpcclient_netlogon_creds);
26443 ntresult = cli_rpc_pipe_open_schannel(
26444- cli, cmd_entry->table,
26445+ cli, rpcclient_msg_ctx,
26446+ cmd_entry->table,
26447 default_transport,
26448 pipe_default_auth_level,
26449 get_cmdline_auth_info_domain(auth_info),
26450- &cmd_entry->rpc_pipe);
26451+ &cmd_entry->rpc_pipe,
26452+ talloc_autofree_context(),
26453+ &rpcclient_netlogon_creds);
26454 break;
26455 default:
26456 DEBUG(0, ("Could not initialise %s. Invalid "
26457@@ -762,7 +766,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
26458
26459 ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
26460 &ndr_table_netlogon.syntax_id);
26461- if (cmd_entry->rpc_pipe->netlogon_creds == NULL && ok) {
26462+ if (rpcclient_netlogon_creds == NULL && ok) {
26463 const char *dc_name = cmd_entry->rpc_pipe->desthost;
26464 const char *domain = get_cmdline_auth_info_domain(auth_info);
26465 enum netr_SchannelType sec_chan_type = 0;
26466@@ -823,12 +827,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
26467 TALLOC_FREE(mem_ctx);
26468 return ntresult;
26469 }
26470- cmd_entry->rpc_pipe->netlogon_creds = rpcclient_netlogon_creds;
26471 }
26472 }
26473
26474- rpcclient_netlogon_creds = cmd_entry->rpc_pipe->netlogon_creds;
26475-
26476 /* Run command */
26477
26478 if ( cmd_entry->returntype == RPC_RTYPE_NTSTATUS ) {
26479diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
26480index ba49f3e..d0f699a 100644
26481--- a/source3/utils/net_rpc.c
26482+++ b/source3/utils/net_rpc.c
26483@@ -192,16 +192,16 @@ int run_rpc_command(struct net_context *c,
26484 && (ndr_syntax_id_equal(&table->syntax_id,
26485 &ndr_table_netlogon.syntax_id))) {
26486 /* Always try and create an schannel netlogon pipe. */
26487+ TALLOC_FREE(c->netlogon_creds);
26488 nt_status = cli_rpc_pipe_open_schannel(
26489- cli, table, NCACN_NP,
26490+ cli, c->msg_ctx, table, NCACN_NP,
26491 DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
26492- &pipe_hnd);
26493+ &pipe_hnd, c, &c->netlogon_creds);
26494 if (!NT_STATUS_IS_OK(nt_status)) {
26495 DEBUG(0, ("Could not initialise schannel netlogon pipe. Error was %s\n",
26496 nt_errstr(nt_status) ));
26497 goto fail;
26498 }
26499- c->netlogon_creds = pipe_hnd->netlogon_creds;
26500 } else {
26501 if (conn_flags & NET_FLAGS_SEAL) {
26502 nt_status = cli_rpc_pipe_open_generic_auth(
26503--
265041.9.3
26505
26506
26507From 603b40eeee3cf21de94f11471889d0443713ba4f Mon Sep 17 00:00:00 2001
26508From: Stefan Metzmacher <metze@samba.org>
26509Date: Fri, 6 Sep 2013 13:54:30 +0200
26510Subject: [PATCH 208/249] s3:rpc_client: remove unused
26511 rpccli_netlogon_set_trust_password()
26512
26513Signed-off-by: Stefan Metzmacher <metze@samba.org>
26514Reviewed-by: Andrew Bartlett <abartlet@samba.org>
26515(cherry picked from commit 6d457ad9c156cf86d99e58dea21dba170defad1b)
26516---
26517 source3/rpc_client/cli_netlogon.c | 51 ---------------------------------------
26518 source3/rpc_client/cli_netlogon.h | 7 ------
26519 2 files changed, 58 deletions(-)
26520
26521diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
26522index a9f8604..2f23d1b 100644
26523--- a/source3/rpc_client/cli_netlogon.c
26524+++ b/source3/rpc_client/cli_netlogon.c
26525@@ -759,54 +759,3 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
26526
26527 return NT_STATUS_OK;
26528 }
26529-
26530-/*********************************************************
26531- Change the domain password on the PDC.
26532-
26533- Just changes the password betwen the two values specified.
26534-
26535- Caller must have the cli connected to the netlogon pipe
26536- already.
26537-**********************************************************/
26538-
26539-NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
26540- TALLOC_CTX *mem_ctx,
26541- const char *account_name,
26542- const unsigned char orig_trust_passwd_hash[16],
26543- const char *new_trust_pwd_cleartext,
26544- const unsigned char new_trust_passwd_hash[16],
26545- enum netr_SchannelType sec_channel_type)
26546-{
26547- NTSTATUS result;
26548-
26549- if (cli->netlogon_creds == NULL) {
26550- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
26551- NETLOGON_NEG_SUPPORTS_AES;
26552- result = rpccli_netlogon_setup_creds(cli,
26553- cli->desthost, /* server name */
26554- lp_workgroup(), /* domain */
26555- lp_netbios_name(), /* client name */
26556- account_name, /* machine account name */
26557- orig_trust_passwd_hash,
26558- sec_channel_type,
26559- &neg_flags);
26560- if (!NT_STATUS_IS_OK(result)) {
26561- DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup creds (%s)!\n",
26562- nt_errstr(result)));
26563- return result;
26564- }
26565- }
26566-
26567- result = netlogon_creds_cli_ServerPasswordSet(cli->netlogon_creds,
26568- cli->binding_handle,
26569- new_trust_pwd_cleartext,
26570- NULL); /* new_version */
26571- if (!NT_STATUS_IS_OK(result)) {
26572- DEBUG(0,("netlogon_creds_cli_ServerPasswordSet failed: %s\n",
26573- nt_errstr(result)));
26574- return result;
26575- }
26576-
26577- return NT_STATUS_OK;
26578-}
26579-
26580diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
26581index d4c6670..8547db6 100644
26582--- a/source3/rpc_client/cli_netlogon.h
26583+++ b/source3/rpc_client/cli_netlogon.h
26584@@ -93,12 +93,5 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
26585 uint8_t *authoritative,
26586 uint32_t *flags,
26587 struct netr_SamInfo3 **info3);
26588-NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
26589- TALLOC_CTX *mem_ctx,
26590- const char *account_name,
26591- const unsigned char orig_trust_passwd_hash[16],
26592- const char *new_trust_pwd_cleartext,
26593- const unsigned char new_trust_passwd_hash[16],
26594- enum netr_SchannelType sec_channel_type);
26595
26596 #endif /* _RPC_CLIENT_CLI_NETLOGON_H_ */
26597--
265981.9.3
26599
26600
26601From c9dc23d434bc7015f400b1969a055b95faac6594 Mon Sep 17 00:00:00 2001
26602From: Stefan Metzmacher <metze@samba.org>
26603Date: Fri, 6 Sep 2013 13:06:53 +0200
26604Subject: [PATCH 209/249] s3:rpc_client: remove unused
26605 rpccli_netlogon_setup_creds()
26606
26607Signed-off-by: Stefan Metzmacher <metze@samba.org>
26608Reviewed-by: Andrew Bartlett <abartlet@samba.org>
26609(cherry picked from commit a4faf57b47095bfc0f4370ac093c8c4cef17584f)
26610---
26611 source3/rpc_client/cli_netlogon.c | 92 ---------------------------------------
26612 source3/rpc_client/cli_netlogon.h | 8 ----
26613 2 files changed, 100 deletions(-)
26614
26615diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
26616index 2f23d1b..687d0c2 100644
26617--- a/source3/rpc_client/cli_netlogon.c
26618+++ b/source3/rpc_client/cli_netlogon.c
26619@@ -35,98 +35,6 @@
26620 #include "lib/param/param.h"
26621 #include "libcli/smb/smbXcli_base.h"
26622
26623-/****************************************************************************
26624- Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
26625- credentials chain. Stores the credentials in the struct dcinfo in the
26626- netlogon pipe struct.
26627-****************************************************************************/
26628-
26629-NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
26630- const char *server_name,
26631- const char *domain,
26632- const char *clnt_name,
26633- const char *machine_account,
26634- const unsigned char machine_pwd[16],
26635- enum netr_SchannelType sec_chan_type,
26636- uint32_t *neg_flags_inout)
26637-{
26638- TALLOC_CTX *frame = talloc_stackframe();
26639- struct loadparm_context *lp_ctx;
26640- NTSTATUS status;
26641- struct samr_Password password;
26642- fstring mach_acct;
26643- struct dcerpc_binding_handle *b = cli->binding_handle;
26644- struct netlogon_creds_CredentialState *creds = NULL;
26645-
26646- if (!ndr_syntax_id_equal(&cli->abstract_syntax,
26647- &ndr_table_netlogon.syntax_id)) {
26648- TALLOC_FREE(frame);
26649- return NT_STATUS_INVALID_PARAMETER;
26650- }
26651-
26652- if (!strequal(lp_netbios_name(), clnt_name)) {
26653- TALLOC_FREE(frame);
26654- return NT_STATUS_INVALID_PARAMETER;
26655- }
26656-
26657- TALLOC_FREE(cli->netlogon_creds);
26658-
26659- fstr_sprintf( mach_acct, "%s$", machine_account);
26660-
26661- lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
26662- if (lp_ctx == NULL) {
26663- TALLOC_FREE(frame);
26664- return NT_STATUS_NO_MEMORY;
26665- }
26666- status = netlogon_creds_cli_context_global(lp_ctx,
26667- NULL, /* msg_ctx */
26668- mach_acct,
26669- sec_chan_type,
26670- server_name,
26671- domain,
26672- cli, &cli->netlogon_creds);
26673- talloc_unlink(frame, lp_ctx);
26674- if (!NT_STATUS_IS_OK(status)) {
26675- TALLOC_FREE(frame);
26676- return status;
26677- }
26678-
26679- status = netlogon_creds_cli_get(cli->netlogon_creds,
26680- frame, &creds);
26681- if (NT_STATUS_IS_OK(status)) {
26682- DEBUG(5,("rpccli_netlogon_setup_creds: server %s using "
26683- "cached credential\n",
26684- cli->desthost));
26685- *neg_flags_inout = creds->negotiate_flags;
26686- TALLOC_FREE(frame);
26687- return NT_STATUS_OK;
26688- }
26689-
26690- /* Store the machine account password we're going to use. */
26691- memcpy(password.hash, machine_pwd, 16);
26692-
26693- DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
26694- "chain established.\n",
26695- cli->desthost ));
26696-
26697- status = netlogon_creds_cli_auth(cli->netlogon_creds, b,
26698- password, NULL);
26699- if (!NT_STATUS_IS_OK(status)) {
26700- TALLOC_FREE(frame);
26701- return status;
26702- }
26703-
26704- status = netlogon_creds_cli_get(cli->netlogon_creds,
26705- frame, &creds);
26706- if (!NT_STATUS_IS_OK(status)) {
26707- TALLOC_FREE(frame);
26708- return NT_STATUS_INTERNAL_ERROR;
26709- }
26710-
26711- *neg_flags_inout = creds->negotiate_flags;
26712- TALLOC_FREE(frame);
26713- return NT_STATUS_OK;
26714-}
26715
26716 NTSTATUS rpccli_pre_open_netlogon_creds(void)
26717 {
26718diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
26719index 8547db6..0de836a 100644
26720--- a/source3/rpc_client/cli_netlogon.h
26721+++ b/source3/rpc_client/cli_netlogon.h
26722@@ -30,14 +30,6 @@ struct dcerpc_binding_handle;
26723
26724 /* The following definitions come from rpc_client/cli_netlogon.c */
26725
26726-NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
26727- const char *server_name,
26728- const char *domain,
26729- const char *clnt_name,
26730- const char *machine_account,
26731- const unsigned char machine_pwd[16],
26732- enum netr_SchannelType sec_chan_type,
26733- uint32_t *neg_flags_inout);
26734 NTSTATUS rpccli_pre_open_netlogon_creds(void);
26735 NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
26736 const char *server_netbios_domain,
26737--
267381.9.3
26739
26740
26741From 2a072da1cc18acc7eb6d82769dc96b7e94ec57fe Mon Sep 17 00:00:00 2001
26742From: Stefan Metzmacher <metze@samba.org>
26743Date: Mon, 16 Sep 2013 19:23:18 +0200
26744Subject: [PATCH 210/249] s3:rpc_client: remove unused
26745 rpccli_netlogon_sam_logon()
26746
26747Signed-off-by: Stefan Metzmacher <metze@samba.org>
26748Reviewed-by: Andrew Bartlett <abartlet@samba.org>
26749(cherry picked from commit e4fea80693b49e79a96acdac09d5ea292756635c)
26750---
26751 source3/rpc_client/cli_netlogon.c | 124 --------------------------------------
26752 source3/rpc_client/cli_netlogon.h | 9 ---
26753 2 files changed, 133 deletions(-)
26754
26755diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
26756index 687d0c2..171337a 100644
26757--- a/source3/rpc_client/cli_netlogon.c
26758+++ b/source3/rpc_client/cli_netlogon.c
26759@@ -160,130 +160,6 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
26760
26761 /* Logon domain user */
26762
26763-NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
26764- TALLOC_CTX *mem_ctx,
26765- uint32 logon_parameters,
26766- const char *domain,
26767- const char *username,
26768- const char *password,
26769- const char *workstation,
26770- uint16_t _ignored_validation_level,
26771- int logon_type)
26772-{
26773- NTSTATUS status;
26774- union netr_LogonLevel *logon;
26775- uint16_t validation_level = 0;
26776- union netr_Validation *validation = NULL;
26777- uint8_t authoritative = 0;
26778- uint32_t flags = 0;
26779- fstring clnt_name_slash;
26780-
26781- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
26782- if (!logon) {
26783- return NT_STATUS_NO_MEMORY;
26784- }
26785-
26786- if (workstation) {
26787- fstr_sprintf( clnt_name_slash, "\\\\%s", workstation );
26788- } else {
26789- fstr_sprintf( clnt_name_slash, "\\\\%s", lp_netbios_name() );
26790- }
26791-
26792- /* Initialise input parameters */
26793-
26794- switch (logon_type) {
26795- case NetlogonInteractiveInformation: {
26796-
26797- struct netr_PasswordInfo *password_info;
26798-
26799- struct samr_Password lmpassword;
26800- struct samr_Password ntpassword;
26801-
26802- password_info = talloc_zero(mem_ctx, struct netr_PasswordInfo);
26803- if (!password_info) {
26804- return NT_STATUS_NO_MEMORY;
26805- }
26806-
26807- nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
26808-
26809- password_info->identity_info.domain_name.string = domain;
26810- password_info->identity_info.parameter_control = logon_parameters;
26811- password_info->identity_info.logon_id_low = 0xdead;
26812- password_info->identity_info.logon_id_high = 0xbeef;
26813- password_info->identity_info.account_name.string = username;
26814- password_info->identity_info.workstation.string = clnt_name_slash;
26815-
26816- password_info->lmpassword = lmpassword;
26817- password_info->ntpassword = ntpassword;
26818-
26819- logon->password = password_info;
26820-
26821- break;
26822- }
26823- case NetlogonNetworkInformation: {
26824- struct netr_NetworkInfo *network_info;
26825- uint8 chal[8];
26826- unsigned char local_lm_response[24];
26827- unsigned char local_nt_response[24];
26828- struct netr_ChallengeResponse lm;
26829- struct netr_ChallengeResponse nt;
26830-
26831- ZERO_STRUCT(lm);
26832- ZERO_STRUCT(nt);
26833-
26834- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
26835- if (!network_info) {
26836- return NT_STATUS_NO_MEMORY;
26837- }
26838-
26839- generate_random_buffer(chal, 8);
26840-
26841- SMBencrypt(password, chal, local_lm_response);
26842- SMBNTencrypt(password, chal, local_nt_response);
26843-
26844- lm.length = 24;
26845- lm.data = local_lm_response;
26846-
26847- nt.length = 24;
26848- nt.data = local_nt_response;
26849-
26850- network_info->identity_info.domain_name.string = domain;
26851- network_info->identity_info.parameter_control = logon_parameters;
26852- network_info->identity_info.logon_id_low = 0xdead;
26853- network_info->identity_info.logon_id_high = 0xbeef;
26854- network_info->identity_info.account_name.string = username;
26855- network_info->identity_info.workstation.string = clnt_name_slash;
26856-
26857- memcpy(network_info->challenge, chal, 8);
26858- network_info->nt = nt;
26859- network_info->lm = lm;
26860-
26861- logon->network = network_info;
26862-
26863- break;
26864- }
26865- default:
26866- DEBUG(0, ("switch value %d not supported\n",
26867- logon_type));
26868- return NT_STATUS_INVALID_INFO_CLASS;
26869- }
26870-
26871- status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
26872- cli->binding_handle,
26873- logon_type,
26874- logon,
26875- mem_ctx,
26876- &validation_level,
26877- &validation,
26878- &authoritative,
26879- &flags);
26880- if (!NT_STATUS_IS_OK(status)) {
26881- return status;
26882- }
26883-
26884- return NT_STATUS_OK;
26885-}
26886-
26887 NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
26888 struct dcerpc_binding_handle *binding_handle,
26889 uint32_t logon_parameters,
26890diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
26891index 0de836a..eaa5b0c 100644
26892--- a/source3/rpc_client/cli_netlogon.h
26893+++ b/source3/rpc_client/cli_netlogon.h
26894@@ -43,15 +43,6 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
26895 bool force_reauth,
26896 struct samr_Password current_nt_hash,
26897 const struct samr_Password *previous_nt_hash);
26898-NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
26899- TALLOC_CTX *mem_ctx,
26900- uint32 logon_parameters,
26901- const char *domain,
26902- const char *username,
26903- const char *password,
26904- const char *workstation,
26905- uint16_t validation_level,
26906- int logon_type);
26907 NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
26908 struct dcerpc_binding_handle *binding_handle,
26909 uint32_t logon_parameters,
26910--
269111.9.3
26912
26913
26914From 4092fca5daf42e1cd26af8069b09b97a7d01df9c Mon Sep 17 00:00:00 2001
26915From: Stefan Metzmacher <metze@samba.org>
26916Date: Mon, 16 Sep 2013 19:23:54 +0200
26917Subject: [PATCH 211/249] s3:rpc_client: remove unused
26918 rpccli_netlogon_sam_network_logon()
26919
26920Signed-off-by: Stefan Metzmacher <metze@samba.org>
26921Reviewed-by: Andrew Bartlett <abartlet@samba.org>
26922(cherry picked from commit 3f41b583840ffa2220f61eea61833bf3c6bd33db)
26923---
26924 source3/rpc_client/cli_netlogon.c | 94 ---------------------------------------
26925 source3/rpc_client/cli_netlogon.h | 12 -----
26926 2 files changed, 106 deletions(-)
26927
26928diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
26929index 171337a..ca2d9bf 100644
26930--- a/source3/rpc_client/cli_netlogon.c
26931+++ b/source3/rpc_client/cli_netlogon.c
26932@@ -346,100 +346,6 @@ static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
26933 * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller.
26934 **/
26935
26936-NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
26937- TALLOC_CTX *mem_ctx,
26938- uint32 logon_parameters,
26939- const char *server,
26940- const char *username,
26941- const char *domain,
26942- const char *workstation,
26943- const uint8 chal[8],
26944- uint16_t _ignored_validation_level,
26945- DATA_BLOB lm_response,
26946- DATA_BLOB nt_response,
26947- struct netr_SamInfo3 **info3)
26948-{
26949- NTSTATUS status;
26950- const char *workstation_name_slash;
26951- union netr_LogonLevel *logon = NULL;
26952- struct netr_NetworkInfo *network_info;
26953- uint16_t validation_level = 0;
26954- union netr_Validation *validation = NULL;
26955- uint8_t authoritative = 0;
26956- uint32_t flags = 0;
26957- struct netr_ChallengeResponse lm;
26958- struct netr_ChallengeResponse nt;
26959-
26960- *info3 = NULL;
26961-
26962- ZERO_STRUCT(lm);
26963- ZERO_STRUCT(nt);
26964-
26965- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
26966- if (!logon) {
26967- return NT_STATUS_NO_MEMORY;
26968- }
26969-
26970- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
26971- if (!network_info) {
26972- return NT_STATUS_NO_MEMORY;
26973- }
26974-
26975- if (workstation[0] != '\\' && workstation[1] != '\\') {
26976- workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
26977- } else {
26978- workstation_name_slash = workstation;
26979- }
26980-
26981- if (!workstation_name_slash) {
26982- DEBUG(0, ("talloc_asprintf failed!\n"));
26983- return NT_STATUS_NO_MEMORY;
26984- }
26985-
26986- /* Initialise input parameters */
26987-
26988- lm.data = lm_response.data;
26989- lm.length = lm_response.length;
26990- nt.data = nt_response.data;
26991- nt.length = nt_response.length;
26992-
26993- network_info->identity_info.domain_name.string = domain;
26994- network_info->identity_info.parameter_control = logon_parameters;
26995- network_info->identity_info.logon_id_low = 0xdead;
26996- network_info->identity_info.logon_id_high = 0xbeef;
26997- network_info->identity_info.account_name.string = username;
26998- network_info->identity_info.workstation.string = workstation_name_slash;
26999-
27000- memcpy(network_info->challenge, chal, 8);
27001- network_info->nt = nt;
27002- network_info->lm = lm;
27003-
27004- logon->network = network_info;
27005-
27006- /* Marshall data and send request */
27007-
27008- status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
27009- cli->binding_handle,
27010- NetlogonNetworkInformation,
27011- logon,
27012- mem_ctx,
27013- &validation_level,
27014- &validation,
27015- &authoritative,
27016- &flags);
27017- if (!NT_STATUS_IS_OK(status)) {
27018- return status;
27019- }
27020-
27021- status = map_validation_to_info3(mem_ctx,
27022- validation_level, validation,
27023- info3);
27024- if (!NT_STATUS_IS_OK(status)) {
27025- return status;
27026- }
27027-
27028- return NT_STATUS_OK;
27029-}
27030
27031 NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
27032 struct dcerpc_binding_handle *binding_handle,
27033diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
27034index eaa5b0c..61fed4a 100644
27035--- a/source3/rpc_client/cli_netlogon.h
27036+++ b/source3/rpc_client/cli_netlogon.h
27037@@ -51,18 +51,6 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
27038 const char *password,
27039 const char *workstation,
27040 enum netr_LogonInfoClass logon_type);
27041-NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
27042- TALLOC_CTX *mem_ctx,
27043- uint32 logon_parameters,
27044- const char *server,
27045- const char *username,
27046- const char *domain,
27047- const char *workstation,
27048- const uint8 chal[8],
27049- uint16_t validation_level,
27050- DATA_BLOB lm_response,
27051- DATA_BLOB nt_response,
27052- struct netr_SamInfo3 **info3);
27053 NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
27054 struct dcerpc_binding_handle *binding_handle,
27055 TALLOC_CTX *mem_ctx,
27056--
270571.9.3
27058
27059
27060From bdfc02fd5830ed6e2f14aaf90456e572028ada6a Mon Sep 17 00:00:00 2001
27061From: Stefan Metzmacher <metze@samba.org>
27062Date: Mon, 16 Sep 2013 19:25:27 +0200
27063Subject: [PATCH 212/249] s3:rpc_client: finally remove unused
27064 rpc_pipe_client->netlogon_creds
27065
27066Signed-off-by: Stefan Metzmacher <metze@samba.org>
27067Reviewed-by: Andrew Bartlett <abartlet@samba.org>
27068(cherry picked from commit c0761c3eae34175d772476006caf5caad68bd8c6)
27069---
27070 source3/rpc_client/cli_pipe.c | 9 ---------
27071 source3/rpc_client/rpc_client.h | 3 ---
27072 2 files changed, 12 deletions(-)
27073
27074diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
27075index 31cd7f5..8613a21 100644
27076--- a/source3/rpc_client/cli_pipe.c
27077+++ b/source3/rpc_client/cli_pipe.c
27078@@ -3097,15 +3097,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
27079 return status;
27080 }
27081
27082- status = netlogon_creds_cli_context_copy(netlogon_creds,
27083- rpccli,
27084- &rpccli->netlogon_creds);
27085- if (!NT_STATUS_IS_OK(status)) {
27086- DEBUG(0, ("netlogon_creds_cli_context_copy failed with %s\n",
27087- nt_errstr(status)));
27088- TALLOC_FREE(rpccli);
27089- return status;
27090- }
27091
27092 done:
27093 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
27094diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
27095index 7c4cceb..7c5ff0e 100644
27096--- a/source3/rpc_client/rpc_client.h
27097+++ b/source3/rpc_client/rpc_client.h
27098@@ -48,9 +48,6 @@ struct rpc_pipe_client {
27099 uint16 max_recv_frag;
27100
27101 struct pipe_auth_data *auth;
27102-
27103- /* The following is only non-null on a netlogon client pipe. */
27104- struct netlogon_creds_cli_context *netlogon_creds;
27105 };
27106
27107 #endif /* _RPC_CLIENT_H */
27108--
271091.9.3
27110
27111
27112From 710124dca6a97d9148d62bc9aa727568d5284e45 Mon Sep 17 00:00:00 2001
27113From: Stefan Metzmacher <metze@samba.org>
27114Date: Thu, 17 Oct 2013 19:17:12 +0200
27115Subject: [PATCH 213/249] libcli/auth: remove unused
27116 netlogon_creds_cli_context_copy()
27117
27118Signed-off-by: Stefan Metzmacher <metze@samba.org>
27119Reviewed-by: Andrew Bartlett <abartlet@samba.org>
27120(cherry picked from commit 3d45d4dc3c69557bf1d1fe6d4a880ad74a2a41f1)
27121---
27122 libcli/auth/netlogon_creds_cli.c | 47 ----------------------------------------
27123 libcli/auth/netlogon_creds_cli.h | 4 ----
27124 2 files changed, 51 deletions(-)
27125
27126diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
27127index 6590b21..1724064 100644
27128--- a/libcli/auth/netlogon_creds_cli.c
27129+++ b/libcli/auth/netlogon_creds_cli.c
27130@@ -488,53 +488,6 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
27131 return NT_STATUS_OK;
27132 }
27133
27134-NTSTATUS netlogon_creds_cli_context_copy(
27135- const struct netlogon_creds_cli_context *src,
27136- TALLOC_CTX *mem_ctx,
27137- struct netlogon_creds_cli_context **_dst)
27138-{
27139- struct netlogon_creds_cli_context *dst;
27140-
27141- dst = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
27142- if (dst == NULL) {
27143- return NT_STATUS_NO_MEMORY;
27144- }
27145-
27146- *dst = *src;
27147-
27148- dst->client.computer = talloc_strdup(dst, src->client.computer);
27149- if (dst->client.computer == NULL) {
27150- TALLOC_FREE(dst);
27151- return NT_STATUS_NO_MEMORY;
27152- }
27153- dst->client.account = talloc_strdup(dst, src->client.account);
27154- if (dst->client.account == NULL) {
27155- TALLOC_FREE(dst);
27156- return NT_STATUS_NO_MEMORY;
27157- }
27158- dst->server.computer = talloc_strdup(dst, src->server.computer);
27159- if (dst->server.computer == NULL) {
27160- TALLOC_FREE(dst);
27161- return NT_STATUS_NO_MEMORY;
27162- }
27163- dst->server.netbios_domain = talloc_strdup(dst, src->server.netbios_domain);
27164- if (dst->server.netbios_domain == NULL) {
27165- TALLOC_FREE(dst);
27166- return NT_STATUS_NO_MEMORY;
27167- }
27168-
27169- dst->db.key_name = talloc_strdup(dst, src->db.key_name);
27170- if (dst->db.key_name == NULL) {
27171- TALLOC_FREE(dst);
27172- return NT_STATUS_NO_MEMORY;
27173- }
27174-
27175- dst->db.key_data = string_term_tdb_data(dst->db.key_name);
27176-
27177- *_dst = dst;
27178- return NT_STATUS_OK;
27179-}
27180-
27181 enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
27182 struct netlogon_creds_cli_context *context)
27183 {
27184diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
27185index f8f2bef..5bd8bd3 100644
27186--- a/libcli/auth/netlogon_creds_cli.h
27187+++ b/libcli/auth/netlogon_creds_cli.h
27188@@ -49,10 +49,6 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
27189 const char *server_netbios_domain,
27190 TALLOC_CTX *mem_ctx,
27191 struct netlogon_creds_cli_context **_context);
27192-NTSTATUS netlogon_creds_cli_context_copy(
27193- const struct netlogon_creds_cli_context *src,
27194- TALLOC_CTX *mem_ctx,
27195- struct netlogon_creds_cli_context **_dst);
27196
27197 enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
27198 struct netlogon_creds_cli_context *context);
27199--
272001.9.3
27201
27202
27203From aa3a65e9770bb81e73b30e71b49855b18d012e68 Mon Sep 17 00:00:00 2001
27204From: Stefan Metzmacher <metze@samba.org>
27205Date: Fri, 6 Dec 2013 11:38:21 +0100
27206Subject: [PATCH 214/249] lib/param: add "allow nt4 crypto" option, defaulting
27207 to false
27208
27209Signed-off-by: Stefan Metzmacher <metze@samba.org>
27210Reviewed-by: Andrew Bartlett <abartlet@samba.org>
27211(cherry picked from commit 87bdc88328568359e51af6615b378ba8dc67f647)
27212---
27213 docs-xml/smbdotconf/logon/allownt4crypto.xml | 26 ++++++++++++++++++++++++++
27214 lib/param/param_functions.c | 1 +
27215 lib/param/param_table.c | 9 +++++++++
27216 3 files changed, 36 insertions(+)
27217 create mode 100644 docs-xml/smbdotconf/logon/allownt4crypto.xml
27218
27219diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
27220new file mode 100644
27221index 0000000..4d417c7
27222--- /dev/null
27223+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
27224@@ -0,0 +1,26 @@
27225+<samba:parameter name="allow nt4 crypto"
27226+ context="G"
27227+ type="boolean"
27228+ advanced="1"
27229+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
27230+<description>
27231+ <para>This option controls whether the netlogon server (currently
27232+ only in 'active directory domain controller' mode), will
27233+ reject clients which does not support NETLOGON_NEG_STRONG_KEYS
27234+ nor NETLOGON_NEG_SUPPORTS_AES.</para>
27235+
27236+ <para>This option was added with Samba 4.2.0. It may lock out clients
27237+ which worked fine with Samba versions up to 4.1.x. as the effective default
27238+ was "yes" there, while it is "no" now.</para>
27239+
27240+ <para>If you have clients without RequireStrongKey = 1 in the registry,
27241+ you may need to set "allow nt4 crypto = yes", until you have fixed all clients.
27242+ </para>
27243+
27244+ <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
27245+
27246+ <para>This option yields precedence to the 'reject md5 clients' option.</para>
27247+</description>
27248+
27249+<value type="default">no</value>
27250+</samba:parameter>
27251diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
27252index 41b137f..bf931c6 100644
27253--- a/lib/param/param_functions.c
27254+++ b/lib/param/param_functions.c
27255@@ -154,6 +154,7 @@ FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
27256 FN_LOCAL_BOOL(durable_handles, bDurableHandles)
27257
27258 FN_GLOBAL_BOOL(allow_insecure_widelinks, bAllowInsecureWidelinks)
27259+FN_GLOBAL_BOOL(allow_nt4_crypto, bAllowNT4Crypto)
27260 FN_GLOBAL_BOOL(allow_trusted_domains, bAllowTrustedDomains)
27261 FN_GLOBAL_BOOL(async_smb_echo_handler, bAsyncSMBEchoHandler)
27262 FN_GLOBAL_BOOL(bind_interfaces_only, bBindInterfacesOnly)
27263diff --git a/lib/param/param_table.c b/lib/param/param_table.c
27264index 36e8554..5ef78de 100644
27265--- a/lib/param/param_table.c
27266+++ b/lib/param/param_table.c
27267@@ -4324,6 +4324,15 @@ static struct parm_struct parm_table[] = {
27268 .special = NULL,
27269 .enum_list = NULL
27270 },
27271+ {
27272+ .label = "allow nt4 crypto",
27273+ .type = P_BOOL,
27274+ .p_class = P_GLOBAL,
27275+ .offset = GLOBAL_VAR(bAllowNT4Crypto),
27276+ .special = NULL,
27277+ .enum_list = NULL,
27278+ .flags = FLAG_ADVANCED,
27279+ },
27280
27281 {N_("TLS options"), P_SEP, P_SEPARATOR},
27282
27283--
272841.9.3
27285
27286
27287From 51323c0574963065e2edf9346f310f08ce2b59e8 Mon Sep 17 00:00:00 2001
27288From: Stefan Metzmacher <metze@samba.org>
27289Date: Fri, 6 Dec 2013 11:39:15 +0100
27290Subject: [PATCH 215/249] lib/param: add "reject md5 client" option, defaulting
27291 to false
27292
27293Signed-off-by: Stefan Metzmacher <metze@samba.org>
27294Reviewed-by: Andrew Bartlett <abartlet@samba.org>
27295(cherry picked from commit 807bcb4981fb20a9b97e69f01c3545ea7e85666e)
27296---
27297 docs-xml/smbdotconf/logon/rejectmd5clients.xml | 18 ++++++++++++++++++
27298 lib/param/param_functions.c | 1 +
27299 lib/param/param_table.c | 9 +++++++++
27300 3 files changed, 28 insertions(+)
27301 create mode 100644 docs-xml/smbdotconf/logon/rejectmd5clients.xml
27302
27303diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
27304new file mode 100644
27305index 0000000..04a5b4d
27306--- /dev/null
27307+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
27308@@ -0,0 +1,18 @@
27309+<samba:parameter name="reject md5 clients"
27310+ context="G"
27311+ type="boolean"
27312+ advanced="1"
27313+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
27314+<description>
27315+ <para>This option controls whether the netlogon server (currently
27316+ only in 'active directory domain controller' mode), will
27317+ reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
27318+
27319+ <para>You can set this to yes if all domain members support aes.
27320+ This will prevent downgrade attacks.</para>
27321+
27322+ <para>This option takes precedence to the 'allow nt4 crypto' option.</para>
27323+</description>
27324+
27325+<value type="default">no</value>
27326+</samba:parameter>
27327diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
27328index bf931c6..99f0b7f 100644
27329--- a/lib/param/param_functions.c
27330+++ b/lib/param/param_functions.c
27331@@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
27332 FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
27333 FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
27334 FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
27335+FN_GLOBAL_BOOL(reject_md5_clients, bRejectMD5Clients)
27336 FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
27337 FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
27338 FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
27339diff --git a/lib/param/param_table.c b/lib/param/param_table.c
27340index 5ef78de..4850324 100644
27341--- a/lib/param/param_table.c
27342+++ b/lib/param/param_table.c
27343@@ -4333,6 +4333,15 @@ static struct parm_struct parm_table[] = {
27344 .enum_list = NULL,
27345 .flags = FLAG_ADVANCED,
27346 },
27347+ {
27348+ .label = "reject md5 clients",
27349+ .type = P_BOOL,
27350+ .p_class = P_GLOBAL,
27351+ .offset = GLOBAL_VAR(bRejectMD5Clients),
27352+ .special = NULL,
27353+ .enum_list = NULL,
27354+ .flags = FLAG_ADVANCED,
27355+ },
27356
27357 {N_("TLS options"), P_SEP, P_SEPARATOR},
27358
27359--
273601.9.3
27361
27362
27363From 4f3cd17f89ddedaf6e34bc17b220f6ae6993d0c0 Mon Sep 17 00:00:00 2001
27364From: Stefan Metzmacher <metze@samba.org>
27365Date: Fri, 6 Dec 2013 13:41:43 +0100
27366Subject: [PATCH 216/249] selftest/Samba4: use "allow nt4 crypto = yes" for
27367 testing
27368
27369Signed-off-by: Stefan Metzmacher <metze@samba.org>
27370Reviewed-by: Andrew Bartlett <abartlet@samba.org>
27371(cherry picked from commit 0d4806f9f056c3e37f5aed1ef19e2924aa8f4151)
27372---
27373 selftest/target/Samba4.pm | 1 +
27374 1 file changed, 1 insertion(+)
27375
27376diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
27377index ac2fdd9..ee6a365 100644
27378--- a/selftest/target/Samba4.pm
27379+++ b/selftest/target/Samba4.pm
27380@@ -776,6 +776,7 @@ sub provision($$$$$$$$$)
27381 server max protocol = SMB2
27382 host msdfs = $msdfs
27383 lanman auth = yes
27384+ allow nt4 crypto = yes
27385
27386 $extra_smbconf_options
27387
27388--
273891.9.3
27390
27391
27392From 32f88ae5a3d254c6e1b94ea2aaa45febf475af9e Mon Sep 17 00:00:00 2001
27393From: Stefan Metzmacher <metze@samba.org>
27394Date: Mon, 23 Dec 2013 10:12:24 +0100
27395Subject: [PATCH 217/249] s4:netlogon: correctly calculate the negotiate_flags
27396
27397We need to bit-wise AND the client and server flags.
27398
27399Signed-off-by: Stefan Metzmacher <metze@samba.org>
27400Reviewed-by: Andrew Bartlett <abartlet@samba.org>
27401(cherry picked from commit 3b77b804cdc9e7621f026ef9bc8e7059f471348e)
27402---
27403 source4/rpc_server/netlogon/dcerpc_netlogon.c | 59 +++++++++++++--------------
27404 1 file changed, 28 insertions(+), 31 deletions(-)
27405
27406diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
27407index c41cd02..b001cb5 100644
27408--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
27409+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
27410@@ -120,6 +120,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
27411
27412 const char *trust_dom_attrs[] = {"flatname", NULL};
27413 const char *account_name;
27414+ uint32_t server_flags = 0;
27415 uint32_t negotiate_flags = 0;
27416
27417 ZERO_STRUCTP(r->out.return_credentials);
27418@@ -176,37 +177,33 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
27419 memcache_delete(global_challenge_table,
27420 SINGLETON_CACHE, challenge_key);
27421
27422- negotiate_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
27423- NETLOGON_NEG_PERSISTENT_SAMREPL |
27424- NETLOGON_NEG_ARCFOUR |
27425- NETLOGON_NEG_PROMOTION_COUNT |
27426- NETLOGON_NEG_CHANGELOG_BDC |
27427- NETLOGON_NEG_FULL_SYNC_REPL |
27428- NETLOGON_NEG_MULTIPLE_SIDS |
27429- NETLOGON_NEG_REDO |
27430- NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
27431- NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
27432- NETLOGON_NEG_GENERIC_PASSTHROUGH |
27433- NETLOGON_NEG_CONCURRENT_RPC |
27434- NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
27435- NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
27436- NETLOGON_NEG_TRANSITIVE_TRUSTS |
27437- NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
27438- NETLOGON_NEG_PASSWORD_SET2 |
27439- NETLOGON_NEG_GETDOMAININFO |
27440- NETLOGON_NEG_CROSS_FOREST_TRUSTS |
27441- NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
27442- NETLOGON_NEG_RODC_PASSTHROUGH |
27443- NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
27444- NETLOGON_NEG_AUTHENTICATED_RPC;
27445-
27446- if (*r->in.negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
27447- negotiate_flags |= NETLOGON_NEG_STRONG_KEYS;
27448- }
27449-
27450- if (*r->in.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
27451- negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
27452- }
27453+ server_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
27454+ NETLOGON_NEG_PERSISTENT_SAMREPL |
27455+ NETLOGON_NEG_ARCFOUR |
27456+ NETLOGON_NEG_PROMOTION_COUNT |
27457+ NETLOGON_NEG_CHANGELOG_BDC |
27458+ NETLOGON_NEG_FULL_SYNC_REPL |
27459+ NETLOGON_NEG_MULTIPLE_SIDS |
27460+ NETLOGON_NEG_REDO |
27461+ NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
27462+ NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
27463+ NETLOGON_NEG_GENERIC_PASSTHROUGH |
27464+ NETLOGON_NEG_CONCURRENT_RPC |
27465+ NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
27466+ NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
27467+ NETLOGON_NEG_STRONG_KEYS |
27468+ NETLOGON_NEG_TRANSITIVE_TRUSTS |
27469+ NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
27470+ NETLOGON_NEG_PASSWORD_SET2 |
27471+ NETLOGON_NEG_GETDOMAININFO |
27472+ NETLOGON_NEG_CROSS_FOREST_TRUSTS |
27473+ NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
27474+ NETLOGON_NEG_RODC_PASSTHROUGH |
27475+ NETLOGON_NEG_SUPPORTS_AES |
27476+ NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
27477+ NETLOGON_NEG_AUTHENTICATED_RPC;
27478+
27479+ negotiate_flags = *r->in.negotiate_flags & server_flags;
27480
27481 /*
27482 * According to Microsoft (see bugid #6099)
27483--
274841.9.3
27485
27486
27487From ce8c9b651d9da88a13a8cd0fe02e5f3e2f1f6b51 Mon Sep 17 00:00:00 2001
27488From: Stefan Metzmacher <metze@samba.org>
27489Date: Mon, 23 Dec 2013 10:10:17 +0100
27490Subject: [PATCH 218/249] s4:netlogon: don't generate a debug message for
27491 SEC_CHAN_NULL.
27492
27493Signed-off-by: Stefan Metzmacher <metze@samba.org>
27494Reviewed-by: Andrew Bartlett <abartlet@samba.org>
27495(cherry picked from commit 2e36fbc77dc43f31ec78cdbef23b94bd00d6f565)
27496---
27497 source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 ++
27498 1 file changed, 2 insertions(+)
27499
27500diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
27501index b001cb5..45a7262 100644
27502--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
27503+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
27504@@ -220,6 +220,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
27505 case SEC_CHAN_BDC:
27506 case SEC_CHAN_RODC:
27507 break;
27508+ case SEC_CHAN_NULL:
27509+ return NT_STATUS_INVALID_PARAMETER;
27510 default:
27511 DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
27512 r->in.secure_channel_type));
27513--
275141.9.3
27515
27516
27517From b4d5ace784d207f8562a4c93b55de415a81cec42 Mon Sep 17 00:00:00 2001
27518From: Stefan Metzmacher <metze@samba.org>
27519Date: Fri, 6 Dec 2013 12:08:50 +0100
27520Subject: [PATCH 219/249] s4:netlogon: implement "allow nt4 crypto" and "reject
27521 md5 clients" features.
27522
27523Signed-off-by: Stefan Metzmacher <metze@samba.org>
27524Reviewed-by: Andrew Bartlett <abartlet@samba.org>
27525
27526Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
27527Autobuild-Date(master): Tue Jan 7 16:53:31 CET 2014 on sn-devel-104
27528(cherry picked from commit 7d2abf520df1ff46d79dfd8ff579c230f2bc3c2a)
27529---
27530 source4/rpc_server/netlogon/dcerpc_netlogon.c | 20 ++++++++++++++++++++
27531 1 file changed, 20 insertions(+)
27532
27533diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
27534index 45a7262..6b57cda 100644
27535--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
27536+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
27537@@ -122,6 +122,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
27538 const char *account_name;
27539 uint32_t server_flags = 0;
27540 uint32_t negotiate_flags = 0;
27541+ bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
27542+ bool reject_des_client = !allow_nt4_crypto;
27543+ bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
27544
27545 ZERO_STRUCTP(r->out.return_credentials);
27546 *r->out.rid = 0;
27547@@ -205,6 +208,23 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
27548
27549 negotiate_flags = *r->in.negotiate_flags & server_flags;
27550
27551+ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
27552+ reject_des_client = false;
27553+ }
27554+
27555+ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
27556+ reject_des_client = false;
27557+ reject_md5_client = false;
27558+ }
27559+
27560+ if (reject_des_client || reject_md5_client) {
27561+ /*
27562+ * Here we match Windows 2012 and return no flags.
27563+ */
27564+ *r->out.negotiate_flags = 0;
27565+ return NT_STATUS_DOWNGRADE_DETECTED;
27566+ }
27567+
27568 /*
27569 * According to Microsoft (see bugid #6099)
27570 * Windows 7 looks at the negotiate_flags
27571--
275721.9.3
27573
27574
27575From ff28e17cdcbe8e1ec4a275d80b3e749da4920c6d Mon Sep 17 00:00:00 2001
27576From: Stefan Metzmacher <metze@samba.org>
27577Date: Wed, 8 Jan 2014 12:04:22 +0100
27578Subject: [PATCH 220/249] libcli/auth: fix usage of an uninitialized variable
27579 in netlogon_creds_cli_check_caps()
27580MIME-Version: 1.0
27581Content-Type: text/plain; charset=UTF-8
27582Content-Transfer-Encoding: 8bit
27583
27584If status is RPC_PROCNUM_OUT_OF_RANGE, result might be uninitialized.
27585
27586Signed-off-by: Stefan Metzmacher <metze@samba.org>
27587Reviewed-by: Andreas Schneider <asn@samba.org>
27588Reviewed-by: Günther Deschner <gd@samba.org>
27589(cherry picked from commit 0e62f3279525ea864590f713f334f4dc5f5d3a32)
27590---
27591 libcli/auth/netlogon_creds_cli.c | 4 ++--
27592 1 file changed, 2 insertions(+), 2 deletions(-)
27593
27594diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
27595index 1724064..51b30a1 100644
27596--- a/libcli/auth/netlogon_creds_cli.c
27597+++ b/libcli/auth/netlogon_creds_cli.c
27598@@ -1390,7 +1390,7 @@ struct netlogon_creds_cli_check_state {
27599 };
27600
27601 static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
27602- NTSTATUS status);
27603+ NTSTATUS status);
27604 static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
27605
27606 struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
27607@@ -1582,7 +1582,7 @@ static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
27608 * with the next request as the sequence number processing
27609 * gets out of sync.
27610 */
27611- netlogon_creds_cli_check_cleanup(req, result);
27612+ netlogon_creds_cli_check_cleanup(req, status);
27613 tevent_req_done(req);
27614 return;
27615 }
27616--
276171.9.3
27618
27619
27620From d4902881482eeecf5a219342b3862ac0fbb7b7a9 Mon Sep 17 00:00:00 2001
27621From: Stefan Metzmacher <metze@samba.org>
27622Date: Fri, 17 Jan 2014 14:00:27 +0100
27623Subject: [PATCH 221/249] libcli/auth: add netlogon_creds_cli_set_global_db()
27624
27625This can be used to inject a db_context from dbwrap_ctdb.
27626
27627Signed-off-by: Stefan Metzmacher <metze@samba.org>
27628Reviewed-by: Andrew Bartlett <abartlet@samba.org>
27629(cherry picked from commit ece3ba10a16138a75b207a0cf9fe299759253d99)
27630---
27631 libcli/auth/netlogon_creds_cli.c | 10 ++++++++++
27632 libcli/auth/netlogon_creds_cli.h | 2 ++
27633 2 files changed, 12 insertions(+)
27634
27635diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
27636index 51b30a1..37bdf74 100644
27637--- a/libcli/auth/netlogon_creds_cli.c
27638+++ b/libcli/auth/netlogon_creds_cli.c
27639@@ -199,6 +199,16 @@ static NTSTATUS netlogon_creds_cli_context_common(
27640
27641 static struct db_context *netlogon_creds_cli_global_db;
27642
27643+NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db)
27644+{
27645+ if (netlogon_creds_cli_global_db != NULL) {
27646+ return NT_STATUS_INVALID_PARAMETER_MIX;
27647+ }
27648+
27649+ netlogon_creds_cli_global_db = talloc_move(talloc_autofree_context(), db);
27650+ return NT_STATUS_OK;
27651+}
27652+
27653 NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
27654 {
27655 char *fname;
27656diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
27657index 5bd8bd3..90d0182 100644
27658--- a/libcli/auth/netlogon_creds_cli.h
27659+++ b/libcli/auth/netlogon_creds_cli.h
27660@@ -28,7 +28,9 @@
27661 struct netlogon_creds_cli_context;
27662 struct messaging_context;
27663 struct dcerpc_binding_handle;
27664+struct db_context;
27665
27666+NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db);
27667 NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
27668
27669 NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
27670--
276711.9.3
27672
27673
27674From 80407a74da35cac64bef252698a2477787f0997d Mon Sep 17 00:00:00 2001
27675From: Stefan Metzmacher <metze@samba.org>
27676Date: Fri, 17 Jan 2014 14:07:37 +0100
27677Subject: [PATCH 222/249] s3:rpc_client: use db_open() to open
27678 "netlogon_creds_cli.tdb"
27679
27680This uses dbwrap_ctdb if running in a cluster.
27681
27682Signed-off-by: Stefan Metzmacher <metze@samba.org>
27683Reviewed-by: Andrew Bartlett <abartlet@samba.org>
27684(cherry picked from commit 8cf4eff201aa9e1ba8127311bcfc2a357fb4ef03)
27685---
27686 source3/rpc_client/cli_netlogon.c | 38 ++++++++++++++++++++++++++++++++++++--
27687 1 file changed, 36 insertions(+), 2 deletions(-)
27688
27689diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
27690index ca2d9bf..b7b490f 100644
27691--- a/source3/rpc_client/cli_netlogon.c
27692+++ b/source3/rpc_client/cli_netlogon.c
27693@@ -21,6 +21,7 @@
27694 */
27695
27696 #include "includes.h"
27697+#include "system/filesys.h"
27698 #include "libsmb/libsmb.h"
27699 #include "rpc_client/rpc_client.h"
27700 #include "rpc_client/cli_pipe.h"
27701@@ -34,26 +35,53 @@
27702 #include "../libcli/security/security.h"
27703 #include "lib/param/param.h"
27704 #include "libcli/smb/smbXcli_base.h"
27705+#include "dbwrap/dbwrap.h"
27706+#include "dbwrap/dbwrap_open.h"
27707+#include "util_tdb.h"
27708
27709
27710 NTSTATUS rpccli_pre_open_netlogon_creds(void)
27711 {
27712- TALLOC_CTX *frame = talloc_stackframe();
27713+ static bool already_open = false;
27714+ TALLOC_CTX *frame;
27715 struct loadparm_context *lp_ctx;
27716+ char *fname;
27717+ struct db_context *global_db;
27718 NTSTATUS status;
27719
27720+ if (already_open) {
27721+ return NT_STATUS_OK;
27722+ }
27723+
27724+ frame = talloc_stackframe();
27725+
27726 lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
27727 if (lp_ctx == NULL) {
27728 TALLOC_FREE(frame);
27729 return NT_STATUS_NO_MEMORY;
27730 }
27731
27732- status = netlogon_creds_cli_open_global_db(lp_ctx);
27733+ fname = lpcfg_private_db_path(frame, lp_ctx, "netlogon_creds_cli");
27734+ if (fname == NULL) {
27735+ TALLOC_FREE(frame);
27736+ return NT_STATUS_NO_MEMORY;
27737+ }
27738+
27739+ global_db = db_open(talloc_autofree_context(), fname,
27740+ 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
27741+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2);
27742+ if (global_db == NULL) {
27743+ TALLOC_FREE(frame);
27744+ return NT_STATUS_NO_MEMORY;
27745+ }
27746+
27747+ status = netlogon_creds_cli_set_global_db(&global_db);
27748 TALLOC_FREE(frame);
27749 if (!NT_STATUS_IS_OK(status)) {
27750 return status;
27751 }
27752
27753+ already_open = true;
27754 return NT_STATUS_OK;
27755 }
27756
27757@@ -69,6 +97,12 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
27758 struct loadparm_context *lp_ctx;
27759 NTSTATUS status;
27760
27761+ status = rpccli_pre_open_netlogon_creds();
27762+ if (!NT_STATUS_IS_OK(status)) {
27763+ TALLOC_FREE(frame);
27764+ return status;
27765+ }
27766+
27767 lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
27768 if (lp_ctx == NULL) {
27769 TALLOC_FREE(frame);
27770--
277711.9.3
27772
27773
27774From 2ed3041405f5808031f2d5fd0e42f48246d22b7b Mon Sep 17 00:00:00 2001
27775From: Stefan Metzmacher <metze@samba.org>
27776Date: Fri, 17 Jan 2014 14:08:59 +0100
27777Subject: [PATCH 223/249] libcli/auth: don't alter the computer_name in cluster
27778 mode.
27779
27780This breaks NTLMv2 authentication.
27781
27782Signed-off-by: Stefan Metzmacher <metze@samba.org>
27783Reviewed-by: Andrew Bartlett <abartlet@samba.org>
27784(cherry picked from commit 387ed2e15df085274f72cebda341040a1e767a4b)
27785---
27786 libcli/auth/netlogon_creds_cli.c | 22 +++-------------------
27787 1 file changed, 3 insertions(+), 19 deletions(-)
27788
27789diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
27790index 37bdf74..88893ad 100644
27791--- a/libcli/auth/netlogon_creds_cli.c
27792+++ b/libcli/auth/netlogon_creds_cli.c
27793@@ -261,28 +261,12 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
27794 bool seal_secure_channel = true;
27795 enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
27796 bool neutralize_nt4_emulation = false;
27797- struct server_id self = {
27798- .vnn = NONCLUSTER_VNN,
27799- .unique_id = SERVERID_UNIQUE_ID_NOT_TO_VERIFY,
27800- };
27801-
27802- if (msg_ctx != NULL) {
27803- self = messaging_server_id(msg_ctx);
27804- }
27805
27806 *_context = NULL;
27807
27808- if (self.vnn != NONCLUSTER_VNN) {
27809- client_computer = talloc_asprintf(frame,
27810- "%s_cluster_vnn_%u",
27811- lpcfg_netbios_name(lp_ctx),
27812- (unsigned)self.vnn);
27813- if (client_computer == NULL) {
27814- TALLOC_FREE(frame);
27815- return NT_STATUS_NO_MEMORY;
27816- }
27817- } else {
27818- client_computer = lpcfg_netbios_name(lp_ctx);
27819+ client_computer = lpcfg_netbios_name(lp_ctx);
27820+ if (strlen(client_computer) > 15) {
27821+ return NT_STATUS_INVALID_PARAMETER_MIX;
27822 }
27823
27824 /*
27825--
278261.9.3
27827
27828
27829From 8257c3a5d6e8319578d224e544242da81b043a54 Mon Sep 17 00:00:00 2001
27830From: Stefan Metzmacher <metze@samba.org>
27831Date: Fri, 10 Jan 2014 13:13:40 +0100
27832Subject: [PATCH 224/249] libcli/auth: reject computer_name longer than 15
27833 chars
27834
27835This matches Windows, it seems they use a fixed size field to store
27836netlogon_creds_CredentialState.
27837
27838Signed-off-by: Stefan Metzmacher <metze@samba.org>
27839Reviewed-by: Andrew Bartlett <abartlet@samba.org>
27840(cherry picked from commit b8fdeb8ca7ce362058bb86a4e58b34fb6340867e)
27841---
27842 libcli/auth/schannel_state_tdb.c | 8 ++++++++
27843 1 file changed, 8 insertions(+)
27844
27845diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
27846index 8f9c1f0..b91e242 100644
27847--- a/libcli/auth/schannel_state_tdb.c
27848+++ b/libcli/auth/schannel_state_tdb.c
27849@@ -78,6 +78,14 @@ NTSTATUS schannel_store_session_key_tdb(struct db_context *db_sc,
27850 char *name_upper;
27851 NTSTATUS status;
27852
27853+ if (strlen(creds->computer_name) > 15) {
27854+ /*
27855+ * We may want to check for a completely
27856+ * valid netbios name.
27857+ */
27858+ return STATUS_BUFFER_OVERFLOW;
27859+ }
27860+
27861 name_upper = strupper_talloc(mem_ctx, creds->computer_name);
27862 if (!name_upper) {
27863 return NT_STATUS_NO_MEMORY;
27864--
278651.9.3
27866
27867
27868From d6af8ed76f728621a8ba7515cf1180d6654c8d83 Mon Sep 17 00:00:00 2001
27869From: Stefan Metzmacher <metze@samba.org>
27870Date: Sat, 11 Jan 2014 17:13:04 +0100
27871Subject: [PATCH 225/249] s3:rpc_server/netlogon: return a zero
27872 return_authenticator on error
27873
27874Signed-off-by: Stefan Metzmacher <metze@samba.org>
27875Reviewed-by: Andrew Bartlett <abartlet@samba.org>
27876(cherry picked from commit dcc2c8362df9af088613722ebd8a6261fb098a5c)
27877---
27878 source3/rpc_server/netlogon/srv_netlog_nt.c | 1 +
27879 1 file changed, 1 insertion(+)
27880
27881diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
27882index 09857b6..7bb9dd6 100644
27883--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
27884+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
27885@@ -1020,6 +1020,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
27886 talloc_unlink(p->mem_ctx, lp_ctx);
27887
27888 if (!NT_STATUS_IS_OK(status)) {
27889+ ZERO_STRUCTP(r->out.return_credentials);
27890 goto out;
27891 }
27892
27893--
278941.9.3
27895
27896
27897From be06629b25f8340ac54a9e674e6a5da1eb01e733 Mon Sep 17 00:00:00 2001
27898From: Stefan Metzmacher <metze@samba.org>
27899Date: Sat, 11 Jan 2014 17:13:04 +0100
27900Subject: [PATCH 226/249] s4:rpc_server/netlogon: return a zero
27901 return_authenticator and rid on error
27902
27903Signed-off-by: Stefan Metzmacher <metze@samba.org>
27904Reviewed-by: Andrew Bartlett <abartlet@samba.org>
27905(cherry picked from commit 25fb73f2821821630dde4cc263794e754ca03d68)
27906---
27907 source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++++++----
27908 1 file changed, 8 insertions(+), 4 deletions(-)
27909
27910diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
27911index 6b57cda..afa15d8 100644
27912--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
27913+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
27914@@ -348,9 +348,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
27915 return NT_STATUS_INTERNAL_ERROR;
27916 }
27917
27918- *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
27919- "objectSid", 0);
27920-
27921 mach_pwd = samdb_result_hash(mem_ctx, msgs[0], "unicodePwd");
27922 if (mach_pwd == NULL) {
27923 return NT_STATUS_ACCESS_DENIED;
27924@@ -383,8 +380,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
27925 nt_status = schannel_save_creds_state(mem_ctx,
27926 dce_call->conn->dce_ctx->lp_ctx,
27927 creds);
27928+ if (!NT_STATUS_IS_OK(nt_status)) {
27929+ ZERO_STRUCTP(r->out.return_credentials);
27930+ return nt_status;
27931+ }
27932
27933- return nt_status;
27934+ *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
27935+ "objectSid", 0);
27936+
27937+ return NT_STATUS_OK;
27938 }
27939
27940 static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
27941--
279421.9.3
27943
27944
27945From f5fe58d49fc66867db743393a92e1cd8e4cb293b Mon Sep 17 00:00:00 2001
27946From: Michael Adam <obnox@samba.org>
27947Date: Wed, 29 Jan 2014 16:58:37 +0100
27948Subject: [PATCH 227/249] dbwrap_tool: remove the short form "-p" of
27949 "--persistent"
27950
27951Signed-off-by: Michael Adam <obnox@samba.org>
27952Reviewed-by: Stefan Metzmacher <metze@samba.org>
27953(cherry picked from commit 6dd1008c4e8b0b798d589959021c9b578db74ff4)
27954---
27955 source3/utils/dbwrap_tool.c | 2 +-
27956 1 file changed, 1 insertion(+), 1 deletion(-)
27957
27958diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
27959index 79b40d2..406e89e 100644
27960--- a/source3/utils/dbwrap_tool.c
27961+++ b/source3/utils/dbwrap_tool.c
27962@@ -420,7 +420,7 @@ int main(int argc, const char **argv)
27963 struct poptOption popt_options[] = {
27964 POPT_AUTOHELP
27965 POPT_COMMON_SAMBA
27966- { "persistent", 'p', POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
27967+ { "persistent", 0, POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
27968 POPT_TABLEEND
27969 };
27970 int opt;
27971--
279721.9.3
27973
27974
27975From 209b5ec86620f8caadcc714db0cbec4789db0377 Mon Sep 17 00:00:00 2001
27976From: Michael Adam <obnox@samba.org>
27977Date: Thu, 30 Jan 2014 10:33:00 +0100
27978Subject: [PATCH 228/249] docs: remove short form "-p" of --persistent from
27979 dbwrap_tool manpage
27980
27981Signed-off-by: Michael Adam <obnox@samba.org>
27982Reviewed-by: Stefan Metzmacher <metze@samba.org>
27983(cherry picked from commit 6f748fef652bbea3c8dbbbfb96b95270e6f1dcfc)
27984---
27985 docs-xml/manpages/dbwrap_tool.1.xml | 4 ++--
27986 1 file changed, 2 insertions(+), 2 deletions(-)
27987
27988diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
27989index 074d819..94ae281 100644
27990--- a/docs-xml/manpages/dbwrap_tool.1.xml
27991+++ b/docs-xml/manpages/dbwrap_tool.1.xml
27992@@ -19,7 +19,7 @@
27993 <refsynopsisdiv>
27994 <cmdsynopsis>
27995 <command>dbwrap_tool</command>
27996- <arg choice="opt">-p|--persistent</arg>
27997+ <arg choice="opt">--persistent</arg>
27998 <arg choice="opt">-d &lt;debug level&gt;</arg>
27999 <arg choice="opt">-s &lt;config file&gt;</arg>
28000 <arg choice="opt">-l &lt;log file base&gt;</arg>
28001@@ -70,7 +70,7 @@
28002
28003 <variablelist>
28004 <varlistentry>
28005- <term>-p|--persistent</term>
28006+ <term>--persistent</term>
28007 <listitem><para>Open the database as a persistent database.
28008 If this option is not specified, the database is opened as
28009 non-persistent.
28010--
280111.9.3
28012
28013
28014From f3b8b74ff6d74fe9a0047256074e21c3363b112f Mon Sep 17 00:00:00 2001
28015From: Michael Adam <obnox@samba.org>
28016Date: Thu, 30 Jan 2014 10:29:49 +0100
28017Subject: [PATCH 229/249] dbwrap_tool: add option "--non-persistent" and force
28018 excatly one of "--[non-]persistent"
28019
28020We want to force users of dbwrap_tool to explicitly specify
28021persistent or non-persistent. Otherwise, one could easily
28022by accident wipe a whole database that is actually persistent
28023but not currently opened by a samba process, just by openeing
28024the DB with the default non-persistent mode...
28025
28026Signed-off-by: Michael Adam <obnox@samba.org>
28027Reviewed-by: Stefan Metzmacher <metze@samba.org>
28028(cherry picked from commit c3f93271ef447f9f16cd3002307c630c5f149f5a)
28029---
28030 source3/utils/dbwrap_tool.c | 23 ++++++++++++++++++-----
28031 1 file changed, 18 insertions(+), 5 deletions(-)
28032
28033diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
28034index 406e89e..ffca6b6 100644
28035--- a/source3/utils/dbwrap_tool.c
28036+++ b/source3/utils/dbwrap_tool.c
28037@@ -411,6 +411,7 @@ int main(int argc, const char **argv)
28038 enum dbwrap_type type;
28039 const char *valuestr = "0";
28040 int persistent = 0;
28041+ int non_persistent = 0;
28042 int tdb_flags = TDB_DEFAULT;
28043
28044 TALLOC_CTX *mem_ctx = talloc_stackframe();
28045@@ -420,7 +421,13 @@ int main(int argc, const char **argv)
28046 struct poptOption popt_options[] = {
28047 POPT_AUTOHELP
28048 POPT_COMMON_SAMBA
28049- { "persistent", 0, POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
28050+ { "non-persistent", 0, POPT_ARG_NONE, &non_persistent, 0,
28051+ "treat the database as non-persistent "
28052+ "(CAVEAT: This mode might wipe your database!)",
28053+ NULL },
28054+ { "persistent", 0, POPT_ARG_NONE, &persistent, 0,
28055+ "treat the database as persistent",
28056+ NULL },
28057 POPT_TABLEEND
28058 };
28059 int opt;
28060@@ -463,6 +470,16 @@ int main(int argc, const char **argv)
28061 goto done;
28062 }
28063
28064+ if ((persistent == 0 && non_persistent == 0) ||
28065+ (persistent == 1 && non_persistent == 1))
28066+ {
28067+ d_fprintf(stderr, "ERROR: you must specify exactly one "
28068+ "of --persistent and --non-persistent\n");
28069+ goto done;
28070+ } else if (non_persistent == 1) {
28071+ tdb_flags |= TDB_CLEAR_IF_FIRST;
28072+ }
28073+
28074 dbname = extra_argv[0];
28075 opname = extra_argv[1];
28076
28077@@ -563,10 +580,6 @@ int main(int argc, const char **argv)
28078 goto done;
28079 }
28080
28081- if (persistent == 0) {
28082- tdb_flags |= TDB_CLEAR_IF_FIRST;
28083- }
28084-
28085 switch (op) {
28086 case OP_FETCH:
28087 case OP_STORE:
28088--
280891.9.3
28090
28091
28092From 7209e84e02c722365bec4e2a473c24217cbeb22b Mon Sep 17 00:00:00 2001
28093From: Michael Adam <obnox@samba.org>
28094Date: Thu, 30 Jan 2014 10:36:46 +0100
28095Subject: [PATCH 230/249] docs: document new --non-persistent option to
28096 dbwrap_tool
28097
28098Signed-off-by: Michael Adam <obnox@samba.org>
28099Reviewed-by: Stefan Metzmacher <metze@samba.org>
28100(cherry picked from commit 1e3b352f799038ec25437db53e051dadb9d97c95)
28101---
28102 docs-xml/manpages/dbwrap_tool.1.xml | 20 ++++++++++++++++++--
28103 1 file changed, 18 insertions(+), 2 deletions(-)
28104
28105diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
28106index 94ae281..ff0e478 100644
28107--- a/docs-xml/manpages/dbwrap_tool.1.xml
28108+++ b/docs-xml/manpages/dbwrap_tool.1.xml
28109@@ -20,6 +20,7 @@
28110 <cmdsynopsis>
28111 <command>dbwrap_tool</command>
28112 <arg choice="opt">--persistent</arg>
28113+ <arg choice="opt">--non-persistent</arg>
28114 <arg choice="opt">-d &lt;debug level&gt;</arg>
28115 <arg choice="opt">-s &lt;config file&gt;</arg>
28116 <arg choice="opt">-l &lt;log file base&gt;</arg>
28117@@ -72,8 +73,23 @@
28118 <varlistentry>
28119 <term>--persistent</term>
28120 <listitem><para>Open the database as a persistent database.
28121- If this option is not specified, the database is opened as
28122- non-persistent.
28123+ </para>
28124+ <para>
28125+ Exactly one of --persistent and --non-persistent must be
28126+ specified.
28127+ </para></listitem>
28128+ </varlistentry>
28129+ <varlistentry>
28130+ <term>--non-persistent</term>
28131+ <listitem><para>Open the database as a non-persistent database.
28132+ </para>
28133+ <para>
28134+ Caveat: opening a database as non-persistent when there
28135+ is currently no other opener will wipe the database.
28136+ </para>
28137+ <para>
28138+ Exactly one of --persistent and --non-persistent must be
28139+ specified.
28140 </para></listitem>
28141 </varlistentry>
28142 &popt.common.samba.client;
28143--
281441.9.3
28145
28146
28147From accf5a617055c161540384fdfe195ad9c43cd048 Mon Sep 17 00:00:00 2001
28148From: Michael Adam <obnox@samba.org>
28149Date: Thu, 30 Jan 2014 10:47:15 +0100
28150Subject: [PATCH 231/249] docs: remove extra spaces in synopsis of dbwrap_tool
28151
28152Signed-off-by: Michael Adam <obnox@samba.org>
28153Reviewed-by: Stefan Metzmacher <metze@samba.org>
28154(cherry picked from commit e93f052e37e736e5776fe7f7c7d246f9ecc4b4c8)
28155---
28156 docs-xml/manpages/dbwrap_tool.1.xml | 4 +---
28157 1 file changed, 1 insertion(+), 3 deletions(-)
28158
28159diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
28160index ff0e478..68a88df 100644
28161--- a/docs-xml/manpages/dbwrap_tool.1.xml
28162+++ b/docs-xml/manpages/dbwrap_tool.1.xml
28163@@ -30,9 +30,7 @@
28164 <arg choice="req">&lt;operation&gt;</arg>
28165 <arg choice="opt">&lt;key&gt;
28166 <arg choice="opt">&lt;type&gt;
28167- <arg choice="opt">&lt;value&gt;</arg>
28168- </arg>
28169- </arg>
28170+ <arg choice="opt">&lt;value&gt;</arg></arg></arg>
28171 </cmdsynopsis>
28172 </refsynopsisdiv>
28173
28174--
281751.9.3
28176
28177
28178From 0e193981caa2ad9458e758a46076664d2efdb70e Mon Sep 17 00:00:00 2001
28179From: Michael Adam <obnox@samba.org>
28180Date: Fri, 24 Jan 2014 00:09:50 +0100
28181Subject: [PATCH 232/249] smbd:smb2: fix durable reconnect: set fsp->fnum from
28182 the smbXsrv_open->local_id
28183
28184Originally, fsp->fnum was left at the INVALID fnum value.
28185
28186Signed-off-by: Michael Adam <obnox@samba.org>
28187Reviewed-by: Stefan Metzmacher <metze@samba.org>
28188(cherry picked from commit 6b2d67a345e90306f0d35402d0f4e3067a014057)
28189---
28190 source3/smbd/durable.c | 1 +
28191 1 file changed, 1 insertion(+)
28192
28193diff --git a/source3/smbd/durable.c b/source3/smbd/durable.c
28194index c3d0a6f..471c5b9 100644
28195--- a/source3/smbd/durable.c
28196+++ b/source3/smbd/durable.c
28197@@ -703,6 +703,7 @@ NTSTATUS vfs_default_durable_reconnect(struct connection_struct *conn,
28198 fsp->share_access = e->share_access;
28199 fsp->can_read = ((fsp->access_mask & (FILE_READ_DATA)) != 0);
28200 fsp->can_write = ((fsp->access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) != 0);
28201+ fsp->fnum = op->local_id;
28202
28203 /*
28204 * TODO:
28205--
282061.9.3
28207
28208
28209From dbc1d6f8479cf84c714c4ed6b69df2a3673d0a46 Mon Sep 17 00:00:00 2001
28210From: Stefan Metzmacher <metze@samba.org>
28211Date: Tue, 24 Dec 2013 09:00:01 +0100
28212Subject: [PATCH 233/249] s3:smbd: skip empty records in smbXsrv_open_cleanup()
28213
28214This should avoid scary ndr_pull errors, if there's
28215a cleanup race.
28216
28217Signed-off-by: Stefan Metzmacher <metze@samba.org>
28218Reviewed-by: Michael Adam <obnox@samba.org>
28219
28220Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
28221Autobuild-Date(master): Thu Jan 30 18:49:37 CET 2014 on sn-devel-104
28222(cherry picked from commit 0b23345676c6f02d5bb1a327174d8456705ec0c7)
28223---
28224 source3/smbd/smbXsrv_open.c | 9 +++++++++
28225 1 file changed, 9 insertions(+)
28226
28227diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
28228index 27dd50c..29c172c 100644
28229--- a/source3/smbd/smbXsrv_open.c
28230+++ b/source3/smbd/smbXsrv_open.c
28231@@ -1380,6 +1380,7 @@ NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
28232 struct smbXsrv_open_global0 *op = NULL;
28233 uint8_t key_buf[SMBXSRV_OPEN_GLOBAL_TDB_KEY_SIZE];
28234 TDB_DATA key;
28235+ TDB_DATA val;
28236 struct db_record *rec;
28237 bool delete_open = false;
28238 uint32_t global_id = persistent_id & UINT32_MAX;
28239@@ -1395,6 +1396,14 @@ NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
28240 goto done;
28241 }
28242
28243+ val = dbwrap_record_get_value(rec);
28244+ if (val.dsize == 0) {
28245+ DEBUG(10, ("smbXsrv_open_cleanup[global: 0x%08x] "
28246+ "empty record in %s, skipping...\n",
28247+ global_id, dbwrap_name(smbXsrv_open_global_db_ctx)));
28248+ goto done;
28249+ }
28250+
28251 status = smbXsrv_open_global_parse_record(talloc_tos(), rec, &op);
28252 if (!NT_STATUS_IS_OK(status)) {
28253 DEBUG(1, ("smbXsrv_open_cleanup[global: 0x%08x] "
28254--
282551.9.3
28256
28257
28258From 838d9da4a7fe6c90ba7cae6563f0af5d8b6cf6d5 Mon Sep 17 00:00:00 2001
28259From: Michael Adam <obnox@samba.org>
28260Date: Mon, 27 Jan 2014 13:38:51 +0100
28261Subject: [PATCH 234/249] dbwrap: add flags DBWRAP_FLAG_NONE
28262
28263This is in preparation of adding a dbwrap_flags argument to db_open
28264and firends.
28265
28266Signed-off-by: Michael Adam <obnox@samba.org>
28267Reviewed-by: Stefan Metzmacher <metze@samba.org>
28268(cherry picked from commit 229dcfd3501e4743d5d9aea5c9f7a97d7612a499)
28269---
28270 lib/dbwrap/dbwrap.h | 2 ++
28271 1 file changed, 2 insertions(+)
28272
28273diff --git a/lib/dbwrap/dbwrap.h b/lib/dbwrap/dbwrap.h
28274index 8bf3286..4064ba2 100644
28275--- a/lib/dbwrap/dbwrap.h
28276+++ b/lib/dbwrap/dbwrap.h
28277@@ -32,6 +32,8 @@ enum dbwrap_lock_order {
28278 };
28279 #define DBWRAP_LOCK_ORDER_MAX DBWRAP_LOCK_ORDER_3
28280
28281+#define DBWRAP_FLAG_NONE 0x0000000000000000ULL
28282+
28283 /* The following definitions come from lib/dbwrap.c */
28284
28285 TDB_DATA dbwrap_record_get_key(const struct db_record *rec);
28286--
282871.9.3
28288
28289
28290From 868d8e2fa389ab0c697e9a70a4373908aa7df80b Mon Sep 17 00:00:00 2001
28291From: Michael Adam <obnox@samba.org>
28292Date: Mon, 27 Jan 2014 14:49:12 +0100
28293Subject: [PATCH 235/249] dbwrap: add a dbwrap_flags argument to db_open()
28294
28295This is in preparation to support handing flags to backends,
28296in particular activating read only record support for ctdb
28297databases. For a start, this does nothing but adding the
28298parameter, and all databases use DBWRAP_FLAG_NONE.
28299
28300Signed-off-by: Michael Adam <obnox@samba.org>
28301(similar to commit cf0cb0add9ed47b8974272237fee0e1a4ba7bf68)
28302---
28303 source3/groupdb/mapping_tdb.c | 2 +-
28304 source3/lib/dbwrap/dbwrap_open.c | 3 ++-
28305 source3/lib/dbwrap/dbwrap_open.h | 3 ++-
28306 source3/lib/dbwrap/dbwrap_watch.c | 3 ++-
28307 source3/lib/g_lock.c | 3 ++-
28308 source3/lib/serverid.c | 3 ++-
28309 source3/lib/sharesec.c | 2 +-
28310 source3/locking/brlock.c | 2 +-
28311 source3/locking/share_mode_lock.c | 2 +-
28312 source3/modules/vfs_acl_tdb.c | 2 +-
28313 source3/modules/vfs_xattr_tdb.c | 2 +-
28314 source3/passdb/account_pol.c | 4 ++--
28315 source3/passdb/pdb_tdb.c | 6 +++---
28316 source3/passdb/secrets.c | 2 +-
28317 source3/printing/printer_list.c | 3 ++-
28318 source3/registry/reg_backend_db.c | 6 +++---
28319 source3/rpc_client/cli_netlogon.c | 3 ++-
28320 source3/smbd/notify_internal.c | 2 +-
28321 source3/smbd/smbXsrv_open.c | 3 ++-
28322 source3/smbd/smbXsrv_session.c | 3 ++-
28323 source3/smbd/smbXsrv_tcon.c | 3 ++-
28324 source3/smbd/smbXsrv_version.c | 3 ++-
28325 source3/torture/test_dbwrap_watch.c | 3 ++-
28326 source3/torture/test_idmap_tdb_common.c | 2 +-
28327 source3/torture/torture.c | 3 ++-
28328 source3/utils/dbwrap_tool.c | 2 +-
28329 source3/utils/dbwrap_torture.c | 2 +-
28330 source3/utils/net_idmap.c | 6 +++---
28331 source3/utils/net_idmap_check.c | 2 +-
28332 source3/utils/net_registry_check.c | 4 ++--
28333 source3/utils/status.c | 2 +-
28334 source3/winbindd/idmap_autorid.c | 2 +-
28335 source3/winbindd/idmap_tdb.c | 2 +-
28336 source3/winbindd/idmap_tdb2.c | 2 +-
28337 34 files changed, 55 insertions(+), 42 deletions(-)
28338
28339diff --git a/source3/groupdb/mapping_tdb.c b/source3/groupdb/mapping_tdb.c
28340index 088874f..0863187 100644
28341--- a/source3/groupdb/mapping_tdb.c
28342+++ b/source3/groupdb/mapping_tdb.c
28343@@ -54,7 +54,7 @@ static bool init_group_mapping(void)
28344
28345 db = db_open(NULL, state_path("group_mapping.tdb"), 0,
28346 TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
28347- DBWRAP_LOCK_ORDER_1);
28348+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28349 if (db == NULL) {
28350 DEBUG(0, ("Failed to open group mapping database: %s\n",
28351 strerror(errno)));
28352diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
28353index 515b4bf..6c9280c 100644
28354--- a/source3/lib/dbwrap/dbwrap_open.c
28355+++ b/source3/lib/dbwrap/dbwrap_open.c
28356@@ -60,7 +60,8 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
28357 const char *name,
28358 int hash_size, int tdb_flags,
28359 int open_flags, mode_t mode,
28360- enum dbwrap_lock_order lock_order)
28361+ enum dbwrap_lock_order lock_order,
28362+ uint64_t dbwrap_flags)
28363 {
28364 struct db_context *result = NULL;
28365 #ifdef CLUSTER_SUPPORT
28366diff --git a/source3/lib/dbwrap/dbwrap_open.h b/source3/lib/dbwrap/dbwrap_open.h
28367index 51c7dfd..d14794e 100644
28368--- a/source3/lib/dbwrap/dbwrap_open.h
28369+++ b/source3/lib/dbwrap/dbwrap_open.h
28370@@ -39,6 +39,7 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
28371 const char *name,
28372 int hash_size, int tdb_flags,
28373 int open_flags, mode_t mode,
28374- enum dbwrap_lock_order lock_order);
28375+ enum dbwrap_lock_order lock_order,
28376+ uint64_t dbwrap_flags);
28377
28378 #endif /* __DBWRAP_OPEN_H__ */
28379diff --git a/source3/lib/dbwrap/dbwrap_watch.c b/source3/lib/dbwrap/dbwrap_watch.c
28380index 7bdcd99..5f3d17d 100644
28381--- a/source3/lib/dbwrap/dbwrap_watch.c
28382+++ b/source3/lib/dbwrap/dbwrap_watch.c
28383@@ -34,7 +34,8 @@ static struct db_context *dbwrap_record_watchers_db(void)
28384 watchers_db = db_open(
28385 NULL, lock_path("dbwrap_watchers.tdb"), 0,
28386 TDB_CLEAR_IF_FIRST | TDB_INCOMPATIBLE_HASH,
28387- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3);
28388+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3,
28389+ DBWRAP_FLAG_NONE);
28390 }
28391 return watchers_db;
28392 }
28393diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
28394index 8c7a6c2..6813f06 100644
28395--- a/source3/lib/g_lock.c
28396+++ b/source3/lib/g_lock.c
28397@@ -61,7 +61,8 @@ struct g_lock_ctx *g_lock_ctx_init(TALLOC_CTX *mem_ctx,
28398 result->db = db_open(result, lock_path("g_lock.tdb"), 0,
28399 TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
28400 O_RDWR|O_CREAT, 0600,
28401- DBWRAP_LOCK_ORDER_2);
28402+ DBWRAP_LOCK_ORDER_2,
28403+ DBWRAP_FLAG_NONE);
28404 if (result->db == NULL) {
28405 DEBUG(1, ("g_lock_init: Could not open g_lock.tdb\n"));
28406 TALLOC_FREE(result);
28407diff --git a/source3/lib/serverid.c b/source3/lib/serverid.c
28408index cb49520..4259887 100644
28409--- a/source3/lib/serverid.c
28410+++ b/source3/lib/serverid.c
28411@@ -77,7 +77,8 @@ static struct db_context *serverid_db(void)
28412 }
28413 db = db_open(NULL, lock_path("serverid.tdb"), 0,
28414 TDB_DEFAULT|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
28415- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_2);
28416+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_2,
28417+ DBWRAP_FLAG_NONE);
28418 return db;
28419 }
28420
28421diff --git a/source3/lib/sharesec.c b/source3/lib/sharesec.c
28422index c7a8e51..095c851 100644
28423--- a/source3/lib/sharesec.c
28424+++ b/source3/lib/sharesec.c
28425@@ -149,7 +149,7 @@ bool share_info_db_init(void)
28426
28427 share_db = db_open(NULL, state_path("share_info.tdb"), 0,
28428 TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
28429- DBWRAP_LOCK_ORDER_1);
28430+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28431 if (share_db == NULL) {
28432 DEBUG(0,("Failed to open share info database %s (%s)\n",
28433 state_path("share_info.tdb"), strerror(errno) ));
28434diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
28435index 5d683dd..d88aa2d 100644
28436--- a/source3/locking/brlock.c
28437+++ b/source3/locking/brlock.c
28438@@ -292,7 +292,7 @@ void brl_init(bool read_only)
28439 brlock_db = db_open(NULL, lock_path("brlock.tdb"),
28440 lp_open_files_db_hash_size(), tdb_flags,
28441 read_only?O_RDONLY:(O_RDWR|O_CREAT), 0644,
28442- DBWRAP_LOCK_ORDER_2);
28443+ DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE);
28444 if (!brlock_db) {
28445 DEBUG(0,("Failed to open byte range locking database %s\n",
28446 lock_path("brlock.tdb")));
28447diff --git a/source3/locking/share_mode_lock.c b/source3/locking/share_mode_lock.c
28448index 4f049bd..22f8d9a 100644
28449--- a/source3/locking/share_mode_lock.c
28450+++ b/source3/locking/share_mode_lock.c
28451@@ -67,7 +67,7 @@ static bool locking_init_internal(bool read_only)
28452 lp_open_files_db_hash_size(),
28453 TDB_DEFAULT|TDB_VOLATILE|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
28454 read_only?O_RDONLY:O_RDWR|O_CREAT, 0644,
28455- DBWRAP_LOCK_ORDER_1);
28456+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28457
28458 if (!lock_db) {
28459 DEBUG(0,("ERROR: Failed to initialise locking database\n"));
28460diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
28461index 80839e3..8ee4bd5 100644
28462--- a/source3/modules/vfs_acl_tdb.c
28463+++ b/source3/modules/vfs_acl_tdb.c
28464@@ -60,7 +60,7 @@ static bool acl_tdb_init(void)
28465
28466 become_root();
28467 acl_db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
28468- DBWRAP_LOCK_ORDER_1);
28469+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28470 unbecome_root();
28471
28472 if (acl_db == NULL) {
28473diff --git a/source3/modules/vfs_xattr_tdb.c b/source3/modules/vfs_xattr_tdb.c
28474index 43456cf..63a12fd 100644
28475--- a/source3/modules/vfs_xattr_tdb.c
28476+++ b/source3/modules/vfs_xattr_tdb.c
28477@@ -320,7 +320,7 @@ static bool xattr_tdb_init(int snum, TALLOC_CTX *mem_ctx, struct db_context **p_
28478
28479 become_root();
28480 db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
28481- DBWRAP_LOCK_ORDER_2);
28482+ DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE);
28483 unbecome_root();
28484
28485 if (db == NULL) {
28486diff --git a/source3/passdb/account_pol.c b/source3/passdb/account_pol.c
28487index c94df29..09a2d20 100644
28488--- a/source3/passdb/account_pol.c
28489+++ b/source3/passdb/account_pol.c
28490@@ -220,13 +220,13 @@ bool init_account_policy(void)
28491 }
28492
28493 db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT,
28494- O_RDWR, 0600, DBWRAP_LOCK_ORDER_1);
28495+ O_RDWR, 0600, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28496
28497 if (db == NULL) { /* the account policies files does not exist or open
28498 * failed, try to create a new one */
28499 db = db_open(NULL, state_path("account_policy.tdb"), 0,
28500 TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
28501- DBWRAP_LOCK_ORDER_1);
28502+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28503 if (db == NULL) {
28504 DEBUG(0,("Failed to open account policy database\n"));
28505 return False;
28506diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
28507index f256e6c..162083f 100644
28508--- a/source3/passdb/pdb_tdb.c
28509+++ b/source3/passdb/pdb_tdb.c
28510@@ -226,7 +226,7 @@ static bool tdbsam_convert_backup(const char *dbname, struct db_context **pp_db)
28511
28512 tmp_db = db_open(NULL, tmp_fname, 0,
28513 TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
28514- DBWRAP_LOCK_ORDER_1);
28515+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28516 if (tmp_db == NULL) {
28517 DEBUG(0, ("tdbsam_convert_backup: Failed to create backup TDB passwd "
28518 "[%s]\n", tmp_fname));
28519@@ -293,7 +293,7 @@ static bool tdbsam_convert_backup(const char *dbname, struct db_context **pp_db)
28520
28521 orig_db = db_open(NULL, dbname, 0,
28522 TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
28523- DBWRAP_LOCK_ORDER_1);
28524+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28525 if (orig_db == NULL) {
28526 DEBUG(0, ("tdbsam_convert_backup: Failed to re-open "
28527 "converted passdb TDB [%s]\n", dbname));
28528@@ -444,7 +444,7 @@ static bool tdbsam_open( const char *name )
28529 /* Try to open tdb passwd. Create a new one if necessary */
28530
28531 db_sam = db_open(NULL, name, 0, TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
28532- DBWRAP_LOCK_ORDER_1);
28533+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28534 if (db_sam == NULL) {
28535 DEBUG(0, ("tdbsam_open: Failed to open/create TDB passwd "
28536 "[%s]\n", name));
28537diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
28538index 548b030..bff9a0d 100644
28539--- a/source3/passdb/secrets.c
28540+++ b/source3/passdb/secrets.c
28541@@ -79,7 +79,7 @@ bool secrets_init_path(const char *private_dir, bool use_ntdb)
28542
28543 db_ctx = db_open(NULL, fname, 0,
28544 TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
28545- DBWRAP_LOCK_ORDER_1);
28546+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28547
28548 if (db_ctx == NULL) {
28549 DEBUG(0,("Failed to open %s\n", fname));
28550diff --git a/source3/printing/printer_list.c b/source3/printing/printer_list.c
28551index 815f89f..9a9fa0b 100644
28552--- a/source3/printing/printer_list.c
28553+++ b/source3/printing/printer_list.c
28554@@ -40,7 +40,8 @@ static struct db_context *get_printer_list_db(void)
28555 }
28556 db = db_open(NULL, PL_DB_NAME(), 0,
28557 TDB_DEFAULT|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
28558- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_1);
28559+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_1,
28560+ DBWRAP_FLAG_NONE);
28561 return db;
28562 }
28563
28564diff --git a/source3/registry/reg_backend_db.c b/source3/registry/reg_backend_db.c
28565index 3e561eb..fdaf576 100644
28566--- a/source3/registry/reg_backend_db.c
28567+++ b/source3/registry/reg_backend_db.c
28568@@ -732,11 +732,11 @@ WERROR regdb_init(void)
28569
28570 regdb = db_open(NULL, state_path("registry.tdb"), 0,
28571 REG_TDB_FLAGS, O_RDWR, 0600,
28572- DBWRAP_LOCK_ORDER_1);
28573+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28574 if (!regdb) {
28575 regdb = db_open(NULL, state_path("registry.tdb"), 0,
28576 REG_TDB_FLAGS, O_RDWR|O_CREAT, 0600,
28577- DBWRAP_LOCK_ORDER_1);
28578+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28579 if (!regdb) {
28580 werr = ntstatus_to_werror(map_nt_error_from_unix(errno));
28581 DEBUG(1,("regdb_init: Failed to open registry %s (%s)\n",
28582@@ -852,7 +852,7 @@ WERROR regdb_open( void )
28583
28584 regdb = db_open(NULL, state_path("registry.tdb"), 0,
28585 REG_TDB_FLAGS, O_RDWR, 0600,
28586- DBWRAP_LOCK_ORDER_1);
28587+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28588 if ( !regdb ) {
28589 result = ntstatus_to_werror( map_nt_error_from_unix( errno ) );
28590 DEBUG(0,("regdb_open: Failed to open %s! (%s)\n",
28591diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
28592index b7b490f..9e3c1bd 100644
28593--- a/source3/rpc_client/cli_netlogon.c
28594+++ b/source3/rpc_client/cli_netlogon.c
28595@@ -69,7 +69,8 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
28596
28597 global_db = db_open(talloc_autofree_context(), fname,
28598 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
28599- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2);
28600+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2,
28601+ DBWRAP_FLAG_NONE);
28602 if (global_db == NULL) {
28603 TALLOC_FREE(frame);
28604 return NT_STATUS_NO_MEMORY;
28605diff --git a/source3/smbd/notify_internal.c b/source3/smbd/notify_internal.c
28606index 2dc8674..67d8774 100644
28607--- a/source3/smbd/notify_internal.c
28608+++ b/source3/smbd/notify_internal.c
28609@@ -145,7 +145,7 @@ struct notify_context *notify_init(TALLOC_CTX *mem_ctx,
28610 notify->db_index = db_open(
28611 notify, lock_path("notify_index.tdb"),
28612 0, TDB_SEQNUM|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
28613- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_3);
28614+ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_3, DBWRAP_FLAG_NONE);
28615 if (notify->db_index == NULL) {
28616 goto fail;
28617 }
28618diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
28619index 29c172c..830c7aa 100644
28620--- a/source3/smbd/smbXsrv_open.c
28621+++ b/source3/smbd/smbXsrv_open.c
28622@@ -64,7 +64,8 @@ NTSTATUS smbXsrv_open_global_init(void)
28623 TDB_CLEAR_IF_FIRST |
28624 TDB_INCOMPATIBLE_HASH,
28625 O_RDWR | O_CREAT, 0600,
28626- DBWRAP_LOCK_ORDER_1);
28627+ DBWRAP_LOCK_ORDER_1,
28628+ DBWRAP_FLAG_NONE);
28629 if (db_ctx == NULL) {
28630 NTSTATUS status;
28631
28632diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c
28633index 017880c..a1ba52d 100644
28634--- a/source3/smbd/smbXsrv_session.c
28635+++ b/source3/smbd/smbXsrv_session.c
28636@@ -75,7 +75,8 @@ NTSTATUS smbXsrv_session_global_init(void)
28637 TDB_CLEAR_IF_FIRST |
28638 TDB_INCOMPATIBLE_HASH,
28639 O_RDWR | O_CREAT, 0600,
28640- DBWRAP_LOCK_ORDER_1);
28641+ DBWRAP_LOCK_ORDER_1,
28642+ DBWRAP_FLAG_NONE);
28643 if (db_ctx == NULL) {
28644 NTSTATUS status;
28645
28646diff --git a/source3/smbd/smbXsrv_tcon.c b/source3/smbd/smbXsrv_tcon.c
28647index b6e2058..2cbd761 100644
28648--- a/source3/smbd/smbXsrv_tcon.c
28649+++ b/source3/smbd/smbXsrv_tcon.c
28650@@ -62,7 +62,8 @@ NTSTATUS smbXsrv_tcon_global_init(void)
28651 TDB_CLEAR_IF_FIRST |
28652 TDB_INCOMPATIBLE_HASH,
28653 O_RDWR | O_CREAT, 0600,
28654- DBWRAP_LOCK_ORDER_1);
28655+ DBWRAP_LOCK_ORDER_1,
28656+ DBWRAP_FLAG_NONE);
28657 if (db_ctx == NULL) {
28658 NTSTATUS status;
28659
28660diff --git a/source3/smbd/smbXsrv_version.c b/source3/smbd/smbXsrv_version.c
28661index 8ba5e1f..b24dae9 100644
28662--- a/source3/smbd/smbXsrv_version.c
28663+++ b/source3/smbd/smbXsrv_version.c
28664@@ -80,7 +80,8 @@ NTSTATUS smbXsrv_version_global_init(const struct server_id *server_id)
28665 TDB_CLEAR_IF_FIRST |
28666 TDB_INCOMPATIBLE_HASH,
28667 O_RDWR | O_CREAT, 0600,
28668- DBWRAP_LOCK_ORDER_1);
28669+ DBWRAP_LOCK_ORDER_1,
28670+ DBWRAP_FLAG_NONE);
28671 if (db_ctx == NULL) {
28672 status = map_nt_error_from_unix_common(errno);
28673 DEBUG(0,("smbXsrv_version_global_init: "
28674diff --git a/source3/torture/test_dbwrap_watch.c b/source3/torture/test_dbwrap_watch.c
28675index 9c2a679..4e699fe 100644
28676--- a/source3/torture/test_dbwrap_watch.c
28677+++ b/source3/torture/test_dbwrap_watch.c
28678@@ -48,7 +48,8 @@ bool run_dbwrap_watch1(int dummy)
28679 goto fail;
28680 }
28681 db = db_open(msg, "test_watch.tdb", 0, TDB_DEFAULT,
28682- O_CREAT|O_RDWR, 0644, DBWRAP_LOCK_ORDER_1);
28683+ O_CREAT|O_RDWR, 0644, DBWRAP_LOCK_ORDER_1,
28684+ DBWRAP_FLAG_NONE);
28685 if (db == NULL) {
28686 fprintf(stderr, "db_open failed: %s\n", strerror(errno));
28687 goto fail;
28688diff --git a/source3/torture/test_idmap_tdb_common.c b/source3/torture/test_idmap_tdb_common.c
28689index 6f5f3c5..f7262a2 100644
28690--- a/source3/torture/test_idmap_tdb_common.c
28691+++ b/source3/torture/test_idmap_tdb_common.c
28692@@ -86,7 +86,7 @@ static bool open_db(struct idmap_tdb_common_context *ctx)
28693
28694 ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT,
28695 O_RDWR | O_CREAT, 0600,
28696- DBWRAP_LOCK_ORDER_1);
28697+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28698
28699 if(!ctx->db) {
28700 DEBUG(0, ("Failed to open database: %s\n", strerror(errno)));
28701diff --git a/source3/torture/torture.c b/source3/torture/torture.c
28702index 2e66912..1dc3eaf 100644
28703--- a/source3/torture/torture.c
28704+++ b/source3/torture/torture.c
28705@@ -9011,7 +9011,8 @@ static bool run_local_dbtrans(int dummy)
28706 TDB_DATA value;
28707
28708 db = db_open(talloc_tos(), "transtest.tdb", 0, TDB_DEFAULT,
28709- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1);
28710+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1,
28711+ DBWRAP_FLAG_NONE);
28712 if (db == NULL) {
28713 printf("Could not open transtest.db\n");
28714 return false;
28715diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
28716index ffca6b6..b56e07a 100644
28717--- a/source3/utils/dbwrap_tool.c
28718+++ b/source3/utils/dbwrap_tool.c
28719@@ -588,7 +588,7 @@ int main(int argc, const char **argv)
28720 case OP_LISTKEYS:
28721 case OP_EXISTS:
28722 db = db_open(mem_ctx, dbname, 0, tdb_flags, O_RDWR | O_CREAT,
28723- 0644, DBWRAP_LOCK_ORDER_1);
28724+ 0644, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28725 if (db == NULL) {
28726 d_fprintf(stderr, "ERROR: could not open dbname\n");
28727 goto done;
28728diff --git a/source3/utils/dbwrap_torture.c b/source3/utils/dbwrap_torture.c
28729index 2741820..f748ac2 100644
28730--- a/source3/utils/dbwrap_torture.c
28731+++ b/source3/utils/dbwrap_torture.c
28732@@ -309,7 +309,7 @@ int main(int argc, const char *argv[])
28733 }
28734
28735 db = db_open(mem_ctx, db_name, 0, tdb_flags, O_RDWR | O_CREAT, 0644,
28736- DBWRAP_LOCK_ORDER_1);
28737+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28738
28739 if (db == NULL) {
28740 d_fprintf(stderr, "failed to open db '%s': %s\n", db_name,
28741diff --git a/source3/utils/net_idmap.c b/source3/utils/net_idmap.c
28742index fbeca3e..6fc07e7 100644
28743--- a/source3/utils/net_idmap.c
28744+++ b/source3/utils/net_idmap.c
28745@@ -210,7 +210,7 @@ static int net_idmap_dump(struct net_context *c, int argc, const char **argv)
28746 d_fprintf(stderr, _("dumping id mapping from %s\n"), dbfile);
28747
28748 db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDONLY, 0,
28749- DBWRAP_LOCK_ORDER_1);
28750+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28751 if (db == NULL) {
28752 d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
28753 dbfile, strerror(errno));
28754@@ -336,7 +336,7 @@ static int net_idmap_restore(struct net_context *c, int argc, const char **argv)
28755 }
28756
28757 db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
28758- DBWRAP_LOCK_ORDER_1);
28759+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28760 if (db == NULL) {
28761 d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
28762 dbfile, strerror(errno));
28763@@ -546,7 +546,7 @@ static int net_idmap_delete(struct net_context *c, int argc, const char **argv)
28764 d_fprintf(stderr, _("deleting id mapping from %s\n"), dbfile);
28765
28766 db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDWR, 0,
28767- DBWRAP_LOCK_ORDER_1);
28768+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28769 if (db == NULL) {
28770 d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
28771 dbfile, strerror(errno));
28772diff --git a/source3/utils/net_idmap_check.c b/source3/utils/net_idmap_check.c
28773index e75c890..4b82871 100644
28774--- a/source3/utils/net_idmap_check.c
28775+++ b/source3/utils/net_idmap_check.c
28776@@ -790,7 +790,7 @@ static bool check_open_db(struct check_ctx* ctx, const char* name, int oflags)
28777 }
28778
28779 ctx->db = db_open(ctx, name, 0, TDB_DEFAULT, oflags, 0,
28780- DBWRAP_LOCK_ORDER_1);
28781+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28782 if (ctx->db == NULL) {
28783 d_fprintf(stderr,
28784 _("Could not open idmap db (%s) for writing: %s\n"),
28785diff --git a/source3/utils/net_registry_check.c b/source3/utils/net_registry_check.c
28786index 8cdb8fa..d57c2aa 100644
28787--- a/source3/utils/net_registry_check.c
28788+++ b/source3/utils/net_registry_check.c
28789@@ -338,7 +338,7 @@ static bool check_ctx_open_output(struct check_ctx *ctx)
28790 }
28791
28792 ctx->odb = db_open(ctx, ctx->opt.output, 0, TDB_DEFAULT, oflags, 0644,
28793- DBWRAP_LOCK_ORDER_1);
28794+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28795 if (ctx->odb == NULL) {
28796 d_fprintf(stderr,
28797 _("Could not open db (%s) for writing: %s\n"),
28798@@ -351,7 +351,7 @@ static bool check_ctx_open_output(struct check_ctx *ctx)
28799
28800 static bool check_ctx_open_input(struct check_ctx *ctx) {
28801 ctx->idb = db_open(ctx, ctx->fname, 0, TDB_DEFAULT, O_RDONLY, 0,
28802- DBWRAP_LOCK_ORDER_1);
28803+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28804 if (ctx->idb == NULL) {
28805 d_fprintf(stderr,
28806 _("Could not open db (%s) for reading: %s\n"),
28807diff --git a/source3/utils/status.c b/source3/utils/status.c
28808index be7c52f..1ff0e36 100644
28809--- a/source3/utils/status.c
28810+++ b/source3/utils/status.c
28811@@ -508,7 +508,7 @@ static void print_notify_recs(const char *path,
28812 struct db_context *db;
28813 db = db_open(NULL, lock_path("locking.tdb"), 0,
28814 TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH, O_RDONLY, 0,
28815- DBWRAP_LOCK_ORDER_1);
28816+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28817
28818 if (!db) {
28819 d_printf("%s not initialised\n",
28820diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
28821index 57d952e..0bd2938 100644
28822--- a/source3/winbindd/idmap_autorid.c
28823+++ b/source3/winbindd/idmap_autorid.c
28824@@ -728,7 +728,7 @@ static NTSTATUS idmap_autorid_db_init(void)
28825 /* Open idmap repository */
28826 autorid_db = db_open(NULL, state_path("autorid.tdb"), 0,
28827 TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
28828- DBWRAP_LOCK_ORDER_1);
28829+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28830
28831 if (!autorid_db) {
28832 DEBUG(0, ("Unable to open idmap_autorid database '%s'\n",
28833diff --git a/source3/winbindd/idmap_tdb.c b/source3/winbindd/idmap_tdb.c
28834index cc930ff..ebff347 100644
28835--- a/source3/winbindd/idmap_tdb.c
28836+++ b/source3/winbindd/idmap_tdb.c
28837@@ -321,7 +321,7 @@ static NTSTATUS idmap_tdb_open_db(struct idmap_domain *dom)
28838
28839 /* Open idmap repository */
28840 db = db_open(mem_ctx, tdbfile, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
28841- DBWRAP_LOCK_ORDER_1);
28842+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28843 if (!db) {
28844 DEBUG(0, ("Unable to open idmap database\n"));
28845 ret = NT_STATUS_UNSUCCESSFUL;
28846diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
28847index 4a9c2fe..942490d 100644
28848--- a/source3/winbindd/idmap_tdb2.c
28849+++ b/source3/winbindd/idmap_tdb2.c
28850@@ -114,7 +114,7 @@ static NTSTATUS idmap_tdb2_open_db(struct idmap_domain *dom)
28851
28852 /* Open idmap repository */
28853 ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
28854- DBWRAP_LOCK_ORDER_1);
28855+ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28856 TALLOC_FREE(db_path);
28857
28858 if (ctx->db == NULL) {
28859--
288601.9.3
28861
28862
28863From b904731a81df57b3d33fe0c35663bc47d061d744 Mon Sep 17 00:00:00 2001
28864From: Michael Adam <obnox@samba.org>
28865Date: Tue, 28 Jan 2014 12:53:24 +0100
28866Subject: [PATCH 236/249] dbwrap: add a dbwrap_flags argument to db_open_ctdb()
28867
28868This is in preparation of directly supporting ctdb read only
28869record copies when opening a ctdb database from samba.
28870
28871Signed-off-by: Michael Adam <obnox@samba.org>
28872Reviewed-by: Stefan Metzmacher <metze@samba.org>
28873(cherry picked from commit 6def1c3f6e145abcc81ea69505133bbe128eacac)
28874---
28875 source3/lib/dbwrap/dbwrap_ctdb.c | 6 ++++--
28876 source3/lib/dbwrap/dbwrap_ctdb.h | 3 ++-
28877 source3/lib/dbwrap/dbwrap_open.c | 2 +-
28878 source3/torture/test_dbwrap_ctdb.c | 2 +-
28879 4 files changed, 8 insertions(+), 5 deletions(-)
28880
28881diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
28882index 5a473f9..af7a72f 100644
28883--- a/source3/lib/dbwrap/dbwrap_ctdb.c
28884+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
28885@@ -1498,7 +1498,8 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
28886 const char *name,
28887 int hash_size, int tdb_flags,
28888 int open_flags, mode_t mode,
28889- enum dbwrap_lock_order lock_order)
28890+ enum dbwrap_lock_order lock_order,
28891+ uint64_t dbwrap_flags)
28892 {
28893 struct db_context *result;
28894 struct db_ctdb_ctx *db_ctdb;
28895@@ -1624,7 +1625,8 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
28896 const char *name,
28897 int hash_size, int tdb_flags,
28898 int open_flags, mode_t mode,
28899- enum dbwrap_lock_order lock_order)
28900+ enum dbwrap_lock_order lock_order,
28901+ uint64_t dbwrap_flags)
28902 {
28903 DEBUG(3, ("db_open_ctdb: no cluster support!\n"));
28904 errno = ENOSYS;
28905diff --git a/source3/lib/dbwrap/dbwrap_ctdb.h b/source3/lib/dbwrap/dbwrap_ctdb.h
28906index bfbe3bd..3196b91 100644
28907--- a/source3/lib/dbwrap/dbwrap_ctdb.h
28908+++ b/source3/lib/dbwrap/dbwrap_ctdb.h
28909@@ -31,6 +31,7 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
28910 const char *name,
28911 int hash_size, int tdb_flags,
28912 int open_flags, mode_t mode,
28913- enum dbwrap_lock_order lock_order);
28914+ enum dbwrap_lock_order lock_order,
28915+ uint64_t dbwrap_flags);
28916
28917 #endif /* __DBWRAP_CTDB_H__ */
28918diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
28919index 6c9280c..61324f7 100644
28920--- a/source3/lib/dbwrap/dbwrap_open.c
28921+++ b/source3/lib/dbwrap/dbwrap_open.c
28922@@ -104,7 +104,7 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
28923 if (lp_parm_bool(-1, "ctdb", partname, True)) {
28924 result = db_open_ctdb(mem_ctx, partname, hash_size,
28925 tdb_flags, open_flags, mode,
28926- lock_order);
28927+ lock_order, dbwrap_flags);
28928 if (result == NULL) {
28929 DEBUG(0,("failed to attach to ctdb %s\n",
28930 partname));
28931diff --git a/source3/torture/test_dbwrap_ctdb.c b/source3/torture/test_dbwrap_ctdb.c
28932index f7672ba..d7380b1 100644
28933--- a/source3/torture/test_dbwrap_ctdb.c
28934+++ b/source3/torture/test_dbwrap_ctdb.c
28935@@ -32,7 +32,7 @@ bool run_local_dbwrap_ctdb(int dummy)
28936 uint32_t val;
28937
28938 db = db_open_ctdb(talloc_tos(), "torture.tdb", 0, TDB_DEFAULT,
28939- O_RDWR, 0755, DBWRAP_LOCK_ORDER_1);
28940+ O_RDWR, 0755, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
28941 if (db == NULL) {
28942 perror("db_open_ctdb failed");
28943 goto fail;
28944--
289451.9.3
28946
28947
28948From 4f2d14112981d03000b533458e2e60a032d052de Mon Sep 17 00:00:00 2001
28949From: Michael Adam <obnox@samba.org>
28950Date: Tue, 28 Jan 2014 11:31:44 +0100
28951Subject: [PATCH 237/249] dbwrap: add DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
28952
28953Signed-off-by: Michael Adam <obnox@samba.org>
28954Reviewed-by: Stefan Metzmacher <metze@samba.org>
28955(cherry picked from commit 56bd4040889dfe492ff820497b7a6d76624a6048)
28956---
28957 lib/dbwrap/dbwrap.h | 1 +
28958 1 file changed, 1 insertion(+)
28959
28960diff --git a/lib/dbwrap/dbwrap.h b/lib/dbwrap/dbwrap.h
28961index 4064ba2..02b4405 100644
28962--- a/lib/dbwrap/dbwrap.h
28963+++ b/lib/dbwrap/dbwrap.h
28964@@ -33,6 +33,7 @@ enum dbwrap_lock_order {
28965 #define DBWRAP_LOCK_ORDER_MAX DBWRAP_LOCK_ORDER_3
28966
28967 #define DBWRAP_FLAG_NONE 0x0000000000000000ULL
28968+#define DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS 0x0000000000000001ULL
28969
28970 /* The following definitions come from lib/dbwrap.c */
28971
28972--
289731.9.3
28974
28975
28976From a007f8f7f627c4347f48bd2446637aab137e0608 Mon Sep 17 00:00:00 2001
28977From: Stefan Metzmacher <metze@samba.org>
28978Date: Tue, 28 Jan 2014 21:24:22 +0100
28979Subject: [PATCH 238/249] dbwrap_ctdb: implement
28980 DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
28981
28982For non-persistent databases we try to use CTDB_CONTROL_SET_DB_READONLY
28983in order to make use of readonly records.
28984
28985Pair-Programmed-With: Michael Adam <obnox@samba.org>
28986
28987Signed-off-by: Stefan Metzmacher <metze@samba.org>
28988Signed-off-by: Michael Adam <obnox@samba.org>
28989(cherry picked from commit a97b588b63f437d25c4344c76014326dbf0cbdb0)
28990---
28991 source3/lib/dbwrap/dbwrap_ctdb.c | 21 +++++++++++++++++++++
28992 1 file changed, 21 insertions(+)
28993
28994diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
28995index af7a72f..3dc86d1 100644
28996--- a/source3/lib/dbwrap/dbwrap_ctdb.c
28997+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
28998@@ -1578,6 +1578,27 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
28999 return NULL;
29000 }
29001
29002+#ifdef HAVE_CTDB_WANT_READONLY_DECL
29003+ if (!result->persistent &&
29004+ (dbwrap_flags & DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS))
29005+ {
29006+ TDB_DATA indata;
29007+
29008+ indata = make_tdb_data((uint8_t *)&db_ctdb->db_id,
29009+ sizeof(db_ctdb->db_id));
29010+
29011+ status = ctdbd_control_local(
29012+ conn, CTDB_CONTROL_SET_DB_READONLY, 0, 0, indata,
29013+ NULL, NULL, &cstatus);
29014+ if (!NT_STATUS_IS_OK(status) || (cstatus != 0)) {
29015+ DEBUG(1, ("CTDB_CONTROL_SET_DB_READONLY failed: "
29016+ "%s, %d\n", nt_errstr(status), cstatus));
29017+ TALLOC_FREE(result);
29018+ return NULL;
29019+ }
29020+ }
29021+#endif
29022+
29023 lp_ctx = loadparm_init_s3(db_path, loadparm_s3_helpers());
29024
29025 db_ctdb->wtdb = tdb_wrap_open(db_ctdb, db_path, hash_size, tdb_flags,
29026--
290271.9.3
29028
29029
29030From d1ea222d46a594d45422eacccbd655d7e488792a Mon Sep 17 00:00:00 2001
29031From: Stefan Metzmacher <metze@samba.org>
29032Date: Tue, 28 Jan 2014 21:31:17 +0100
29033Subject: [PATCH 239/249] dbwrap_open: add 'dbwrap_optimize_readonly:* = yes'
29034 option
29035
29036Signed-off-by: Stefan Metzmacher <metze@samba.org>
29037Reviewed-by: Michael Adam <obnox@samba.org>
29038(cherry picked from commit a20c977c7a58a0c09d01bfa046c00fcd3f1462de)
29039---
29040 source3/lib/dbwrap/dbwrap_open.c | 25 +++++++++++++++++++++++++
29041 1 file changed, 25 insertions(+)
29042
29043diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
29044index 61324f7..7f3cddf 100644
29045--- a/source3/lib/dbwrap/dbwrap_open.c
29046+++ b/source3/lib/dbwrap/dbwrap_open.c
29047@@ -81,6 +81,31 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
29048 return NULL;
29049 }
29050
29051+ if (tdb_flags & TDB_CLEAR_IF_FIRST) {
29052+ const char *base;
29053+ bool try_readonly = false;
29054+
29055+ base = strrchr_m(name, '/');
29056+ if (base != NULL) {
29057+ base += 1;
29058+ } else {
29059+ base = name;
29060+ }
29061+
29062+ if (dbwrap_flags & DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS) {
29063+ try_readonly = true;
29064+ }
29065+
29066+ try_readonly = lp_parm_bool(-1, "dbwrap_optimize_readonly", "*", try_readonly);
29067+ try_readonly = lp_parm_bool(-1, "dbwrap_optimize_readonly", base, try_readonly);
29068+
29069+ if (try_readonly) {
29070+ dbwrap_flags |= DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS;
29071+ } else {
29072+ dbwrap_flags &= ~DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS;
29073+ }
29074+ }
29075+
29076 #ifdef CLUSTER_SUPPORT
29077 sockname = lp_ctdbd_socket();
29078
29079--
290801.9.3
29081
29082
29083From ce06399f9fab90623a2166d69f1bbfc46f124d73 Mon Sep 17 00:00:00 2001
29084From: Michael Adam <obnox@samba.org>
29085Date: Mon, 27 Jan 2014 16:21:14 +0100
29086Subject: [PATCH 240/249] s3:rpc_client: optimize the netlogon_creds_cli.tdb
29087 for read-only access
29088
29089Usually a record in this DB will be written once and then read
29090many times by winbindd processes on multiple nodes (when run in
29091a cluster). In order not to introduce a big performance penalty
29092with the increased correctness achieved by storing the netlogon
29093creds, in a cluster setup, we should activate ctdb's read only
29094record copies on this db.
29095
29096Signed-off-by: Michael Adam <obnox@samba.org>
29097Reviewed-by: Stefan Metzmacher <metze@samba.org>
29098(cherry picked from commit 020fab300d2f4f19301eff19ad810c71f77bbb78)
29099---
29100 source3/rpc_client/cli_netlogon.c | 2 +-
29101 1 file changed, 1 insertion(+), 1 deletion(-)
29102
29103diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
29104index 9e3c1bd..746c7b6 100644
29105--- a/source3/rpc_client/cli_netlogon.c
29106+++ b/source3/rpc_client/cli_netlogon.c
29107@@ -70,7 +70,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
29108 global_db = db_open(talloc_autofree_context(), fname,
29109 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
29110 O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2,
29111- DBWRAP_FLAG_NONE);
29112+ DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS);
29113 if (global_db == NULL) {
29114 TALLOC_FREE(frame);
29115 return NT_STATUS_NO_MEMORY;
29116--
291171.9.3
29118
29119
29120From e39b8c0e22e609db117285d47cdbd1d854fe8d02 Mon Sep 17 00:00:00 2001
29121From: Ira Cooper <ira@samba.org>
29122Date: Thu, 13 Feb 2014 14:45:23 -0500
29123Subject: [PATCH 241/249] libcli: Overflow array index read possible, in auth
29124 code.
29125
29126Changed the if condtion to detect when we'd improperly overflow.
29127
29128Coverity-Id: 1167990
29129Signed-off-by: Ira Cooper <ira@samba.org>
29130Reviewed-by: Stefan Metzmacher <metze@samba.org>
29131
29132Autobuild-User(master): Ira Cooper <ira@samba.org>
29133Autobuild-Date(master): Mon Feb 24 11:56:38 CET 2014 on sn-devel-104
29134
29135(cherry picked from commit 8cd8aa6686c21e8c43a6d14c0ae1a21954d6e8cd)
29136---
29137 libcli/auth/netlogon_creds_cli.c | 2 +-
29138 1 file changed, 1 insertion(+), 1 deletion(-)
29139
29140diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
29141index 88893ad..e3cf91c 100644
29142--- a/libcli/auth/netlogon_creds_cli.c
29143+++ b/libcli/auth/netlogon_creds_cli.c
29144@@ -1769,7 +1769,7 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
29145 uint32_t ofs = 512 - len;
29146 uint8_t *p;
29147
29148- if (ofs < 12) {
29149+ if (len > 500) {
29150 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
29151 return tevent_req_post(req, ev);
29152 }
29153--
291541.9.3
29155
29156
29157From 4e15aa86c44e906ca30cfa4589e4f45f23625953 Mon Sep 17 00:00:00 2001
29158From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
29159Date: Tue, 15 Jul 2014 08:28:42 +0200
29160Subject: [PATCH 242/249] s3-rpc_client: return info3 in
29161 rpccli_netlogon_password_logon().
29162MIME-Version: 1.0
29163Content-Type: text/plain; charset=UTF-8
29164Content-Transfer-Encoding: 8bit
29165
29166Guenther
29167
29168Signed-off-by: Günther Deschner <gd@samba.org>
29169Pair-Programmed-With: Andreas Schneider <asn@samba.org>
29170Reviewed-by: Andreas Schneider <asn@samba.org>
29171---
29172 source3/rpc_client/cli_netlogon.c | 103 +++++++++++++++++++++-----------------
29173 source3/rpc_client/cli_netlogon.h | 4 +-
29174 source3/rpcclient/cmd_netlogon.c | 5 +-
29175 3 files changed, 64 insertions(+), 48 deletions(-)
29176
29177diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
29178index 746c7b6..7063351 100644
29179--- a/source3/rpc_client/cli_netlogon.c
29180+++ b/source3/rpc_client/cli_netlogon.c
29181@@ -193,16 +193,65 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
29182 return NT_STATUS_OK;
29183 }
29184
29185+static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
29186+ uint16_t validation_level,
29187+ union netr_Validation *validation,
29188+ struct netr_SamInfo3 **info3_p)
29189+{
29190+ struct netr_SamInfo3 *info3;
29191+ NTSTATUS status;
29192+
29193+ if (validation == NULL) {
29194+ return NT_STATUS_INVALID_PARAMETER;
29195+ }
29196+
29197+ switch (validation_level) {
29198+ case 3:
29199+ if (validation->sam3 == NULL) {
29200+ return NT_STATUS_INVALID_PARAMETER;
29201+ }
29202+
29203+ info3 = talloc_move(mem_ctx, &validation->sam3);
29204+ break;
29205+ case 6:
29206+ if (validation->sam6 == NULL) {
29207+ return NT_STATUS_INVALID_PARAMETER;
29208+ }
29209+
29210+ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
29211+ if (info3 == NULL) {
29212+ return NT_STATUS_NO_MEMORY;
29213+ }
29214+ status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
29215+ if (!NT_STATUS_IS_OK(status)) {
29216+ TALLOC_FREE(info3);
29217+ return status;
29218+ }
29219+
29220+ info3->sidcount = validation->sam6->sidcount;
29221+ info3->sids = talloc_move(info3, &validation->sam6->sids);
29222+ break;
29223+ default:
29224+ return NT_STATUS_BAD_VALIDATION_CLASS;
29225+ }
29226+
29227+ *info3_p = info3;
29228+
29229+ return NT_STATUS_OK;
29230+}
29231+
29232 /* Logon domain user */
29233
29234 NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
29235 struct dcerpc_binding_handle *binding_handle,
29236+ TALLOC_CTX *mem_ctx,
29237 uint32_t logon_parameters,
29238 const char *domain,
29239 const char *username,
29240 const char *password,
29241 const char *workstation,
29242- enum netr_LogonInfoClass logon_type)
29243+ enum netr_LogonInfoClass logon_type,
29244+ struct netr_SamInfo3 **info3)
29245 {
29246 TALLOC_CTX *frame = talloc_stackframe();
29247 NTSTATUS status;
29248@@ -320,57 +369,19 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
29249 &validation,
29250 &authoritative,
29251 &flags);
29252- TALLOC_FREE(frame);
29253 if (!NT_STATUS_IS_OK(status)) {
29254+ TALLOC_FREE(frame);
29255 return status;
29256 }
29257
29258- return NT_STATUS_OK;
29259-}
29260-
29261-static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
29262- uint16_t validation_level,
29263- union netr_Validation *validation,
29264- struct netr_SamInfo3 **info3_p)
29265-{
29266- struct netr_SamInfo3 *info3;
29267- NTSTATUS status;
29268-
29269- if (validation == NULL) {
29270- return NT_STATUS_INVALID_PARAMETER;
29271- }
29272-
29273- switch (validation_level) {
29274- case 3:
29275- if (validation->sam3 == NULL) {
29276- return NT_STATUS_INVALID_PARAMETER;
29277- }
29278-
29279- info3 = talloc_move(mem_ctx, &validation->sam3);
29280- break;
29281- case 6:
29282- if (validation->sam6 == NULL) {
29283- return NT_STATUS_INVALID_PARAMETER;
29284- }
29285-
29286- info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
29287- if (info3 == NULL) {
29288- return NT_STATUS_NO_MEMORY;
29289- }
29290- status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
29291- if (!NT_STATUS_IS_OK(status)) {
29292- TALLOC_FREE(info3);
29293- return status;
29294- }
29295-
29296- info3->sidcount = validation->sam6->sidcount;
29297- info3->sids = talloc_move(info3, &validation->sam6->sids);
29298- break;
29299- default:
29300- return NT_STATUS_BAD_VALIDATION_CLASS;
29301+ status = map_validation_to_info3(mem_ctx,
29302+ validation_level, validation,
29303+ info3);
29304+ TALLOC_FREE(frame);
29305+ if (!NT_STATUS_IS_OK(status)) {
29306+ return status;
29307 }
29308
29309- *info3_p = info3;
29310
29311 return NT_STATUS_OK;
29312 }
29313diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
29314index 61fed4a..fee0801 100644
29315--- a/source3/rpc_client/cli_netlogon.h
29316+++ b/source3/rpc_client/cli_netlogon.h
29317@@ -45,12 +45,14 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
29318 const struct samr_Password *previous_nt_hash);
29319 NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
29320 struct dcerpc_binding_handle *binding_handle,
29321+ TALLOC_CTX *mem_ctx,
29322 uint32_t logon_parameters,
29323 const char *domain,
29324 const char *username,
29325 const char *password,
29326 const char *workstation,
29327- enum netr_LogonInfoClass logon_type);
29328+ enum netr_LogonInfoClass logon_type,
29329+ struct netr_SamInfo3 **info3);
29330 NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
29331 struct dcerpc_binding_handle *binding_handle,
29332 TALLOC_CTX *mem_ctx,
29333diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
29334index b637b3e..2d1c351 100644
29335--- a/source3/rpcclient/cmd_netlogon.c
29336+++ b/source3/rpcclient/cmd_netlogon.c
29337@@ -778,6 +778,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
29338 const char *username, *password;
29339 uint32 logon_param = 0;
29340 const char *workstation = NULL;
29341+ struct netr_SamInfo3 *info3 = NULL;
29342
29343 /* Check arguments */
29344
29345@@ -803,12 +804,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
29346
29347 result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
29348 cli->binding_handle,
29349+ mem_ctx,
29350 logon_param,
29351 lp_workgroup(),
29352 username,
29353 password,
29354 workstation,
29355- logon_type);
29356+ logon_type,
29357+ &info3);
29358 if (!NT_STATUS_IS_OK(result))
29359 goto done;
29360
29361--
293621.9.3
29363
29364
29365From 3459fada96951a57a787944aedc01caabe873c9d Mon Sep 17 00:00:00 2001
29366From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
29367Date: Tue, 15 Jul 2014 08:29:55 +0200
29368Subject: [PATCH 243/249] s3-winbindd: call interactive samlogon via
29369 rpccli_netlogon_password_logon.
29370
29371Guenther
29372
29373Signed-off-by: Guenther Deschner <gd@samba.org>
29374Pair-Programmed-With: Andreas Schneider <asn@samba.org>
29375Reviewed-by: Andreas Schneider <asn@samba.org>
29376
29377Conflicts:
29378 source3/winbindd/winbindd_pam.c
29379---
29380 source3/winbindd/winbindd_pam.c | 45 +++++++++++++++++++++++++++++------------
29381 1 file changed, 32 insertions(+), 13 deletions(-)
29382
29383diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
29384index 3f3ec70..2a1b74a 100644
29385--- a/source3/winbindd/winbindd_pam.c
29386+++ b/source3/winbindd/winbindd_pam.c
29387@@ -1214,11 +1214,13 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
29388 uint32_t logon_parameters,
29389 const char *server,
29390 const char *username,
29391+ const char *password,
29392 const char *domainname,
29393 const char *workstation,
29394 const uint8_t chal[8],
29395 DATA_BLOB lm_response,
29396 DATA_BLOB nt_response,
29397+ bool interactive,
29398 struct netr_SamInfo3 **info3)
29399 {
29400 int attempts = 0;
29401@@ -1278,19 +1280,32 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
29402 }
29403 netr_attempts = 0;
29404
29405- result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
29406- netlogon_pipe->binding_handle,
29407- mem_ctx,
29408- logon_parameters,
29409- username,
29410- domainname,
29411- workstation,
29412- chal,
29413- lm_response,
29414- nt_response,
29415- &authoritative,
29416- &flags,
29417- info3);
29418+ if (interactive && username != NULL && password != NULL) {
29419+ result = rpccli_netlogon_password_logon(domain->conn.netlogon_creds,
29420+ netlogon_pipe->binding_handle,
29421+ mem_ctx,
29422+ logon_parameters,
29423+ domainname,
29424+ username,
29425+ password,
29426+ workstation,
29427+ NetlogonInteractiveInformation,
29428+ info3);
29429+ } else {
29430+ result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
29431+ netlogon_pipe->binding_handle,
29432+ mem_ctx,
29433+ logon_parameters,
29434+ username,
29435+ domainname,
29436+ workstation,
29437+ chal,
29438+ lm_response,
29439+ nt_response,
29440+ &authoritative,
29441+ &flags,
29442+ info3);
29443+ }
29444
29445 /*
29446 * we increment this after the "feature negotiation"
29447@@ -1433,11 +1448,13 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
29448 0,
29449 domain->dcname,
29450 name_user,
29451+ pass,
29452 name_domain,
29453 lp_netbios_name(),
29454 chal,
29455 lm_resp,
29456 nt_resp,
29457+ true, /* interactive */
29458 &my_info3);
29459 if (!NT_STATUS_IS_OK(result)) {
29460 goto done;
29461@@ -1856,12 +1873,14 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
29462 state->request->data.auth_crap.logon_parameters,
29463 domain->dcname,
29464 name_user,
29465+ NULL, /* password */
29466 name_domain,
29467 /* Bug #3248 - found by Stefan Burkei. */
29468 workstation, /* We carefully set this above so use it... */
29469 state->request->data.auth_crap.chal,
29470 lm_resp,
29471 nt_resp,
29472+ false, /* interactive */
29473 &info3);
29474 if (!NT_STATUS_IS_OK(result)) {
29475 goto done;
29476--
294771.9.3
29478
29479
29480From ad27b750ea3766581e528a41c132bb57927cc64c Mon Sep 17 00:00:00 2001
29481From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
29482Date: Mon, 7 Jul 2014 17:14:37 +0200
29483Subject: [PATCH 244/249] s3-winbindd: add wcache_query_user_fullname().
29484MIME-Version: 1.0
29485Content-Type: text/plain; charset=UTF-8
29486Content-Transfer-Encoding: 8bit
29487
29488This helper function is used to query the full name of a cached user object (for
29489further gecos processing).
29490
29491Thanks to Matt Rogers <mrogers@redhat.com>.
29492
29493BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
29494
29495Guenther
29496
29497Pair-Programmed-With: Andreas Schneider <asn@samba.org>
29498Signed-off-by: Günther Deschner <gd@samba.org>
29499Reviewed-by: Andreas Schneider <asn@samba.org>
29500---
29501 source3/winbindd/winbindd_cache.c | 34 ++++++++++++++++++++++++++++++++++
29502 source3/winbindd/winbindd_proto.h | 4 ++++
29503 2 files changed, 38 insertions(+)
29504
29505diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
29506index 59ce515..d1e10e6c 100644
29507--- a/source3/winbindd/winbindd_cache.c
29508+++ b/source3/winbindd/winbindd_cache.c
29509@@ -2309,6 +2309,40 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
29510 return status;
29511 }
29512
29513+
29514+/**
29515+* @brief Query a fullname from the username cache (for further gecos processing)
29516+*
29517+* @param domain A pointer to the winbindd_domain struct.
29518+* @param mem_ctx The talloc context.
29519+* @param user_sid The user sid.
29520+* @param full_name A pointer to the full_name string.
29521+*
29522+* @return NTSTATUS code
29523+*/
29524+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
29525+ TALLOC_CTX *mem_ctx,
29526+ const struct dom_sid *user_sid,
29527+ const char **full_name)
29528+{
29529+ NTSTATUS status;
29530+ struct wbint_userinfo info;
29531+
29532+ status = wcache_query_user(domain, mem_ctx, user_sid, &info);
29533+ if (!NT_STATUS_IS_OK(status)) {
29534+ return status;
29535+ }
29536+
29537+ if (info.full_name != NULL) {
29538+ *full_name = talloc_strdup(mem_ctx, info.full_name);
29539+ if (*full_name == NULL) {
29540+ return NT_STATUS_NO_MEMORY;
29541+ }
29542+ }
29543+
29544+ return NT_STATUS_OK;
29545+}
29546+
29547 /* Lookup user information from a rid */
29548 static NTSTATUS query_user(struct winbindd_domain *domain,
29549 TALLOC_CTX *mem_ctx,
29550diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
29551index cfc19d0..cfb7812 100644
29552--- a/source3/winbindd/winbindd_proto.h
29553+++ b/source3/winbindd/winbindd_proto.h
29554@@ -105,6 +105,10 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
29555 TALLOC_CTX *mem_ctx,
29556 const struct dom_sid *user_sid,
29557 struct wbint_userinfo *info);
29558+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
29559+ TALLOC_CTX *mem_ctx,
29560+ const struct dom_sid *user_sid,
29561+ const char **full_name);
29562 NTSTATUS wcache_lookup_useraliases(struct winbindd_domain *domain,
29563 TALLOC_CTX *mem_ctx,
29564 uint32 num_sids, const struct dom_sid *sids,
29565--
295661.9.3
29567
29568
29569From e89ca0b90887930a2f86dcaa4f6d3d05565f919c Mon Sep 17 00:00:00 2001
29570From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
29571Date: Mon, 7 Jul 2014 17:16:32 +0200
29572Subject: [PATCH 245/249] s3-winbindd: use wcache_query_user_fullname after
29573 inspecting samlogon cache.
29574
29575The reason for this followup query is that very often the samlogon cache only
29576contains a info3 netlogon user structure that has been retrieved during a
29577netlogon samlogon authentication using "network" logon level. With that logon
29578level only a few info3 fields are filled in; the user's fullname is never filled
29579in that case. This is problematic when the cache is used to fill in the user's
29580gecos field (for NSS queries). When we have retrieved the user's fullname during
29581other queries, reuse it from the other caches.
29582
29583Thanks to Matt Rogers <mrogers@redhat.com>.
29584
29585BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
29586
29587Guenther
29588
29589Pair-Programmed-With: Andreas Schneider <asn@samba.org>
29590Signed-off-by: Guenther Deschner <gd@samba.org>
29591Reviewed-by: Andreas Schneider <asn@samba.org>
29592---
29593 source3/winbindd/winbindd_ads.c | 8 ++++++++
29594 source3/winbindd/winbindd_msrpc.c | 8 ++++++++
29595 source3/winbindd/winbindd_pam.c | 20 ++++++++++++++++++++
29596 3 files changed, 36 insertions(+)
29597
29598diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
29599index 4c26389..a20fba5 100644
29600--- a/source3/winbindd/winbindd_ads.c
29601+++ b/source3/winbindd/winbindd_ads.c
29602@@ -619,6 +619,14 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
29603
29604 TALLOC_FREE(user);
29605
29606+ if (info->full_name == NULL) {
29607+ /* this might fail so we dont check the return code */
29608+ wcache_query_user_fullname(domain,
29609+ mem_ctx,
29610+ sid,
29611+ &info->full_name);
29612+ }
29613+
29614 return NT_STATUS_OK;
29615 }
29616
29617diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
29618index 426d64c..c097bf3 100644
29619--- a/source3/winbindd/winbindd_msrpc.c
29620+++ b/source3/winbindd/winbindd_msrpc.c
29621@@ -439,6 +439,14 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
29622 user_info->full_name = talloc_strdup(user_info,
29623 user->base.full_name.string);
29624
29625+ if (user_info->full_name == NULL) {
29626+ /* this might fail so we dont check the return code */
29627+ wcache_query_user_fullname(domain,
29628+ mem_ctx,
29629+ user_sid,
29630+ &user_info->full_name);
29631+ }
29632+
29633 status = NT_STATUS_OK;
29634 goto done;
29635 }
29636diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
29637index 2a1b74a..bf71d97 100644
29638--- a/source3/winbindd/winbindd_pam.c
29639+++ b/source3/winbindd/winbindd_pam.c
29640@@ -1720,6 +1720,26 @@ process_result:
29641 sid_compose(&user_sid, info3->base.domain_sid,
29642 info3->base.rid);
29643
29644+ if (info3->base.full_name.string == NULL) {
29645+ struct netr_SamInfo3 *cached_info3;
29646+
29647+ cached_info3 = netsamlogon_cache_get(state->mem_ctx,
29648+ &user_sid);
29649+ if (cached_info3 != NULL &&
29650+ cached_info3->base.full_name.string != NULL) {
29651+ info3->base.full_name.string =
29652+ talloc_strdup(info3,
29653+ cached_info3->base.full_name.string);
29654+ } else {
29655+
29656+ /* this might fail so we dont check the return code */
29657+ wcache_query_user_fullname(domain,
29658+ info3,
29659+ &user_sid,
29660+ &info3->base.full_name.string);
29661+ }
29662+ }
29663+
29664 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
29665 &user_sid);
29666 netsamlogon_cache_store(name_user, info3);
29667--
296681.9.3
29669
29670
29671From aa042d490b2cccb7b6cc394e024004321a6c156c Mon Sep 17 00:00:00 2001
29672From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
29673Date: Wed, 9 Jul 2014 13:36:06 +0200
29674Subject: [PATCH 246/249] samlogon_cache: use a talloc_stackframe inside
29675 netsamlogon_cache_store.
29676MIME-Version: 1.0
29677Content-Type: text/plain; charset=UTF-8
29678Content-Transfer-Encoding: 8bit
29679
29680Guenther
29681
29682Signed-off-by: Günther Deschner <gd@samba.org>
29683Reviewed-by: Andreas Schneider <asn@samba.org>
29684---
29685 source3/libsmb/samlogon_cache.c | 13 ++++---------
29686 1 file changed, 4 insertions(+), 9 deletions(-)
29687
29688diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
29689index b04cf0a..f7457ae 100644
29690--- a/source3/libsmb/samlogon_cache.c
29691+++ b/source3/libsmb/samlogon_cache.c
29692@@ -125,7 +125,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
29693 bool result = false;
29694 struct dom_sid user_sid;
29695 time_t t = time(NULL);
29696- TALLOC_CTX *mem_ctx;
29697+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
29698 DATA_BLOB blob;
29699 enum ndr_err_code ndr_err;
29700 struct netsamlogoncache_entry r;
29701@@ -149,11 +149,6 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
29702
29703 /* Prepare data */
29704
29705- if (!(mem_ctx = talloc( NULL, int))) {
29706- DEBUG(0,("netsamlogon_cache_store: talloc() failed!\n"));
29707- return false;
29708- }
29709-
29710 /* only Samba fills in the username, not sure why NT doesn't */
29711 /* so we fill it in since winbindd_getpwnam() makes use of it */
29712
29713@@ -168,11 +163,11 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
29714 NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
29715 }
29716
29717- ndr_err = ndr_push_struct_blob(&blob, mem_ctx, &r,
29718+ ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, &r,
29719 (ndr_push_flags_fn_t)ndr_push_netsamlogoncache_entry);
29720 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
29721 DEBUG(0,("netsamlogon_cache_store: failed to push entry to cache\n"));
29722- TALLOC_FREE(mem_ctx);
29723+ TALLOC_FREE(tmp_ctx);
29724 return false;
29725 }
29726
29727@@ -183,7 +178,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
29728 result = true;
29729 }
29730
29731- TALLOC_FREE(mem_ctx);
29732+ TALLOC_FREE(tmp_ctx);
29733
29734 return result;
29735 }
29736--
297371.9.3
29738
29739
29740From 8283d1acec0c0afd17197339a4986975d05abf29 Mon Sep 17 00:00:00 2001
29741From: Andreas Schneider <asn@samba.org>
29742Date: Thu, 3 Jul 2014 16:17:46 +0200
29743Subject: [PATCH 247/249] samlogon_cache: avoid overwriting
29744 info3->base.full_name.string.
29745MIME-Version: 1.0
29746Content-Type: text/plain; charset=UTF-8
29747Content-Transfer-Encoding: 8bit
29748
29749This field servers as a source for the gecos field. We should not overwrite it
29750when a info3 struct from a samlogon network level gets saved in which case this
29751field is always NULL.
29752
29753BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
29754
29755Signed-off-by: Andreas Schneider <asn@samba.org>
29756Reviewed-by: Guenther Deschner <gd@samba.org>
29757
29758Autobuild-User(master): Günther Deschner <gd@samba.org>
29759Autobuild-Date(master): Tue Jul 15 18:25:28 CEST 2014 on sn-devel-104
29760---
29761 source3/libsmb/samlogon_cache.c | 14 ++++++++++++++
29762 1 file changed, 14 insertions(+)
29763
29764diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
29765index f7457ae..0a157d4 100644
29766--- a/source3/libsmb/samlogon_cache.c
29767+++ b/source3/libsmb/samlogon_cache.c
29768@@ -149,6 +149,20 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
29769
29770 /* Prepare data */
29771
29772+ if (info3->base.full_name.string == NULL) {
29773+ struct netr_SamInfo3 *cached_info3;
29774+ const char *full_name = NULL;
29775+
29776+ cached_info3 = netsamlogon_cache_get(tmp_ctx, &user_sid);
29777+ if (cached_info3 != NULL) {
29778+ full_name = cached_info3->base.full_name.string;
29779+ }
29780+
29781+ if (full_name != NULL) {
29782+ info3->base.full_name.string = talloc_strdup(info3, full_name);
29783+ }
29784+ }
29785+
29786 /* only Samba fills in the username, not sure why NT doesn't */
29787 /* so we fill it in since winbindd_getpwnam() makes use of it */
29788
29789--
297901.9.3
29791
29792
29793From fe9d7458001a952d1df23dcd584a1835df5d43d1 Mon Sep 17 00:00:00 2001
29794From: Andreas Schneider <asn@samba.org>
29795Date: Thu, 3 Jul 2014 16:19:42 +0200
29796Subject: [PATCH 248/249] s3-winbind: Don't set the gecos field to NULL.
29797
29798The value is loaded from the cache anyway. So it will be set to NULL if
29799it is not available.
29800
29801BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
29802
29803Signed-off-by: Andreas Schneider <asn@samba.org>
29804Reviewed-by: Guenther Deschner <gd@samba.org>
29805---
29806 source3/winbindd/nss_info_template.c | 1 -
29807 1 file changed, 1 deletion(-)
29808
29809diff --git a/source3/winbindd/nss_info_template.c b/source3/winbindd/nss_info_template.c
29810index 5fdfd9b..de93803 100644
29811--- a/source3/winbindd/nss_info_template.c
29812+++ b/source3/winbindd/nss_info_template.c
29813@@ -48,7 +48,6 @@ static NTSTATUS nss_template_get_info( struct nss_domain_entry *e,
29814 username */
29815 *homedir = talloc_strdup( ctx, lp_template_homedir() );
29816 *shell = talloc_strdup( ctx, lp_template_shell() );
29817- *gecos = NULL;
29818
29819 if ( !*homedir || !*shell ) {
29820 return NT_STATUS_NO_MEMORY;
29821--
298221.9.3
29823
29824
29825From d2f3347a264bb7b8b0335404348990f52320b672 Mon Sep 17 00:00:00 2001
29826From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
29827Date: Mon, 14 Jul 2014 18:22:26 +0200
29828Subject: [PATCH 249/249] s3-winbindd: prefer "displayName" over "name" in ads
29829 user queries for the fullname.
29830
29831This makes use more consistent with security=domain as well where the gecos
29832field is also filled using the displayName field.
29833
29834Guenther
29835
29836Signed-off-by: Guenther Deschner <gd@samba.org>
29837Pair-Programmed-With: Andreas Schneider <asn@samba.org>
29838Reviewed-by: Andreas Schneider <asn@samba.org>
29839---
29840 source3/winbindd/winbindd_ads.c | 16 +++++++++++-----
29841 1 file changed, 11 insertions(+), 5 deletions(-)
29842
29843diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
29844index a20fba5..4b5b2fa 100644
29845--- a/source3/winbindd/winbindd_ads.c
29846+++ b/source3/winbindd/winbindd_ads.c
29847@@ -327,7 +327,10 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
29848 }
29849
29850 info->acct_name = ads_pull_username(ads, mem_ctx, msg);
29851- info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
29852+ info->full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
29853+ if (info->full_name == NULL) {
29854+ info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
29855+ }
29856 info->homedir = NULL;
29857 info->shell = NULL;
29858 info->primary_gid = (gid_t)-1;
29859@@ -592,7 +595,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
29860 struct netr_SamInfo3 *user = NULL;
29861 gid_t gid = -1;
29862 int ret;
29863- char *ads_name;
29864+ char *full_name;
29865
29866 DEBUG(3,("ads: query_user\n"));
29867
29868@@ -704,7 +707,10 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
29869 * nss_get_info_cached call. nss_get_info_cached might destroy
29870 * the ads struct, potentially invalidating the ldap message.
29871 */
29872- ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
29873+ full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
29874+ if (full_name == NULL) {
29875+ full_name = ads_pull_string(ads, mem_ctx, msg, "name");
29876+ }
29877
29878 ads_msgfree(ads, msg);
29879 msg = NULL;
29880@@ -720,9 +726,9 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
29881 }
29882
29883 if (info->full_name == NULL) {
29884- info->full_name = ads_name;
29885+ info->full_name = full_name;
29886 } else {
29887- TALLOC_FREE(ads_name);
29888+ TALLOC_FREE(full_name);
29889 }
29890
29891 status = NT_STATUS_OK;
29892--
298931.9.3
29894
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
deleted file mode 100644
index 7a7bdf53c..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/06-fix-nmbd-systemd-status-update.patch
+++ /dev/null
@@ -1,97 +0,0 @@
1From f73c906237aa0c9d45900d69d31c9b39261f062a Mon Sep 17 00:00:00 2001
2From: Andreas Schneider <asn@samba.org>
3Date: Tue, 16 Sep 2014 18:02:30 +0200
4Subject: [PATCH 1/2] lib: Add daemon_status() to util library.
5
6BUG: https://bugzilla.samba.org/show_bug.cgi?id=10816
7
8Signed-off-by: Andreas Schneider <asn@samba.org>
9Reviewed-by: Alexander Bokovoy <ab@samba.org>
10(cherry picked from commit 9f5f5fa8ebf845c53b7a92557d7aec56ed820320)
11---
12 lib/util/become_daemon.c | 11 +++++++++++
13 lib/util/samba_util.h | 6 ++++++
14 2 files changed, 17 insertions(+)
15
16diff --git a/lib/util/become_daemon.c b/lib/util/become_daemon.c
17index 35c8b32..688bedd 100644
18--- a/lib/util/become_daemon.c
19+++ b/lib/util/become_daemon.c
20@@ -135,3 +135,14 @@ _PUBLIC_ void daemon_ready(const char *daemon)
21 #endif
22 DEBUG(0, ("STATUS=daemon '%s' finished starting up and ready to serve connections", daemon));
23 }
24+
25+_PUBLIC_ void daemon_status(const char *name, const char *msg)
26+{
27+ if (name == NULL) {
28+ name = "Samba";
29+ }
30+#ifdef HAVE_SYSTEMD
31+ sd_notifyf(0, "\nSTATUS=%s: %s", name, msg);
32+#endif
33+ DEBUG(0, ("STATUS=daemon '%s' : %s", name, msg));
34+}
35diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
36index e3fe6a6..f4216d8 100644
37--- a/lib/util/samba_util.h
38+++ b/lib/util/samba_util.h
39@@ -853,6 +853,12 @@ _PUBLIC_ void exit_daemon(const char *msg, int error);
40 **/
41 _PUBLIC_ void daemon_ready(const char *daemon);
42
43+/*
44+ * Report the daemon status. For example if it is not ready to serve connections
45+ * and is waiting for some event to happen.
46+ */
47+_PUBLIC_ void daemon_status(const char *name, const char *msg);
48+
49 /**
50 * @brief Get a password from the console.
51 *
52--
532.1.0
54
55
56From 7fcd74039961fa0fb02934bc87ce41fd98234f1a Mon Sep 17 00:00:00 2001
57From: Andreas Schneider <asn@samba.org>
58Date: Tue, 16 Sep 2014 18:03:51 +0200
59Subject: [PATCH 2/2] nmbd: Send waiting status to systemd.
60
61This tells the Administrator what's going on and we should log that IPv6
62is not supported.
63
64BUG: https://bugzilla.samba.org/show_bug.cgi?id=10816
65
66Signed-off-by: Andreas Schneider <asn@samba.org>
67Reviewed-by: Alexander Bokovoy <ab@samba.org>
68
69Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
70Autobuild-Date(master): Wed Sep 17 13:16:43 CEST 2014 on sn-devel-104
71
72(cherry picked from commit 2df601bff0d949e66c79366b8248b9d950c0b430)
73---
74 source3/nmbd/nmbd_subnetdb.c | 7 +++++--
75 1 file changed, 5 insertions(+), 2 deletions(-)
76
77diff --git a/source3/nmbd/nmbd_subnetdb.c b/source3/nmbd/nmbd_subnetdb.c
78index 311a240..6c483af 100644
79--- a/source3/nmbd/nmbd_subnetdb.c
80+++ b/source3/nmbd/nmbd_subnetdb.c
81@@ -247,8 +247,11 @@ bool create_subnets(void)
82
83 /* Only count IPv4, non-loopback interfaces. */
84 if (iface_count_v4_nl() == 0) {
85- DEBUG(0,("create_subnets: No local IPv4 non-loopback interfaces !\n"));
86- DEBUG(0,("create_subnets: Waiting for an interface to appear ...\n"));
87+ daemon_status("nmbd",
88+ "No local IPv4 non-loopback interfaces "
89+ "available, waiting for interface ...");
90+ DEBUG(0,("NOTE: NetBIOS name resolution is not supported for "
91+ "Internet Protocol Version 6 (IPv6).\n"));
92 }
93
94 /* We only count IPv4, non-loopback interfaces here. */
95--
962.1.0
97
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
deleted file mode 100644
index 3215f2c87..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/07-fix-idmap-ad-getgroups-without-gid.patch
+++ /dev/null
@@ -1,42 +0,0 @@
1From 23dfa2e35bec9c0f6c3d579e7dc2e1d0ce636aa2 Mon Sep 17 00:00:00 2001
2From: Andreas Schneider <asn@samba.org>
3Date: Fri, 19 Sep 2014 13:33:10 +0200
4Subject: [PATCH] nsswitch: Skip groups we were not able to map.
5
6If we have configured the idmap_ad backend it is possible that the user
7is in a group without a gid set. This will result in (uid_t)-1 as the
8gid. We return this invalid gid to NSS which is wrong.
9
10BUG: https://bugzilla.samba.org/show_bug.cgi?id=10824
11
12Signed-off-by: Andreas Schneider <asn@samba.org>
13Reviewed-by: David Disseldorp <ddiss@samba.org>
14
15Autobuild-User(master): David Disseldorp <ddiss@samba.org>
16Autobuild-Date(master): Fri Sep 19 17:57:14 CEST 2014 on sn-devel-104
17
18(cherry picked from commit 7f59711f076e98ece099f6b38ff6da8c80fa6d5e)
19Signed-off-by: Andreas Schneider <asn@samba.org>
20---
21 nsswitch/winbind_nss_linux.c | 5 +++++
22 1 file changed, 5 insertions(+)
23
24diff --git a/nsswitch/winbind_nss_linux.c b/nsswitch/winbind_nss_linux.c
25index 8d66a74..70ede3e 100644
26--- a/nsswitch/winbind_nss_linux.c
27+++ b/nsswitch/winbind_nss_linux.c
28@@ -1101,6 +1101,11 @@ _nss_winbind_initgroups_dyn(char *user, gid_t group, long int *start,
29 continue;
30 }
31
32+ /* Skip groups without a mapping */
33+ if (gid_list[i] == (uid_t)-1) {
34+ continue;
35+ }
36+
37 /* Filled buffer ? If so, resize. */
38
39 if (*start == *size) {
40--
412.1.0
42
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
deleted file mode 100644
index 394a64008..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/08-fix-idmap-ad-sfu-with-trusted-domains.patch
+++ /dev/null
@@ -1,44 +0,0 @@
1From dc6b86b93c8f059b0cc96c364ffad05c88b7d92e Mon Sep 17 00:00:00 2001
2From: Christof Schmitt <cs@samba.org>
3Date: Fri, 22 Aug 2014 09:15:59 -0700
4Subject: [PATCH] s3-winbindd: Use correct realm for trusted domains in idmap child
5
6When authenticating users in a trusted domain, the idmap_ad module
7always connects to a local DC instead of one in the trusted domain.
8
9Fix this by passing the correct realm to connect to.
10
11Also Comment parameters passed to ads_cached_connection_connect
12
13Signed-off-by: Christof Schmitt <cs@samba.org>
14Reviewed-by: Jeremy Allison <jra@samba.org>
15(cherry picked from commit c203c722e7e22f9146f2ecf6f42452c0e82042e4)
16---
17 source3/winbindd/winbindd_ads.c | 11 +++++++++--
18 1 files changed, 9 insertions(+), 2 deletions(-)
19
20diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
21index 4c26389..e47613e 100644
22--- a/source3/winbindd/winbindd_ads.c
23+++ b/source3/winbindd/winbindd_ads.c
24@@ -187,8 +187,15 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
25 }
26 }
27
28- status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
29- password, realm, 0);
30+ status = ads_cached_connection_connect(
31+ adsp, /* Returns ads struct. */
32+ wb_dom->alt_name, /* realm to connect to. */
33+ dom_name, /* 'workgroup' name for ads_init */
34+ ldap_server, /* DNS name to connect to. */
35+ password, /* password for auth realm. */
36+ realm, /* realm used for krb5 ticket. */
37+ 0); /* renewable ticket time. */
38+
39 SAFE_FREE(realm);
40
41 return status;
42--
431.7.1
44
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
deleted file mode 100644
index a1b05b8c9..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/09-fix-smbclient-echo-cmd-segfault.patch
+++ /dev/null
@@ -1,35 +0,0 @@
1From 0aab8ae3c137e5900d22160555bcef57cd62ca21 Mon Sep 17 00:00:00 2001
2From: Andreas Schneider <asn@samba.org>
3Date: Wed, 17 Sep 2014 15:17:50 +0200
4Subject: [PATCH 2/2] libcli: Fix a segfault calling smbXcli_req_set_pending()
5 on NULL.
6
7BUG: https://bugzilla.samba.org/show_bug.cgi?id=10817
8
9Signed-off-by: Andreas Schneider <asn@samba.org>
10Reviewed-by: Jeremy Allison <jra@samba.org>
11
12Autobuild-User(master): Jeremy Allison <jra@samba.org>
13Autobuild-Date(master): Tue Sep 23 04:23:05 CEST 2014 on sn-devel-104
14
15(cherry picked from commit f92086f4a347dcc8fa948aa2614a2c12f1115e5a)
16Signed-off-by: Andreas Schneider <asn@samba.org>
17---
18 libcli/smb/smb1cli_echo.c | 1 -
19 1 file changed, 1 deletion(-)
20
21diff --git a/libcli/smb/smb1cli_echo.c b/libcli/smb/smb1cli_echo.c
22index 4fb7c60..10dff2d 100644
23--- a/libcli/smb/smb1cli_echo.c
24+++ b/libcli/smb/smb1cli_echo.c
25@@ -96,7 +96,6 @@ static void smb1cli_echo_done(struct tevent_req *subreq)
26 NULL, /* pbytes_offset */
27 NULL, /* pinbuf */
28 expected, ARRAY_SIZE(expected));
29- TALLOC_FREE(subreq);
30 if (!NT_STATUS_IS_OK(status)) {
31 tevent_req_nterror(req, status);
32 return;
33--
342.1.0
35
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
deleted file mode 100644
index 35f4d8c4f..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/10-improve-service-principal-guessing-in-net.patch
+++ /dev/null
@@ -1,180 +0,0 @@
1From 579901faf787d8d787c978324bdec87c349e3d9b Mon Sep 17 00:00:00 2001
2From: Andreas Schneider <asn@samba.org>
3Date: Tue, 23 Sep 2014 14:09:41 +0200
4Subject: [PATCH] s3-libads: Improve service principle guessing.
5
6If the name passed to the net command with the -S options is the long
7hostname of the domaincontroller and not the 15 char NetBIOS name we
8should construct a FQDN with the realm to get a Kerberos ticket.
9
10BUG: https://bugzilla.samba.org/show_bug.cgi?id=10829
11
12Signed-off-by: Andreas Schneider <asn@samba.org>
13Reviewed-by: Guenther Deschner <gd@samba.org>
14(cherry picked from commit 83c62bd3f5945bbe295cbfbd153736d4c709b3a6)
15---
16 source3/libads/sasl.c | 124 +++++++++++++++++++++++++++-----------------------
17 1 file changed, 66 insertions(+), 58 deletions(-)
18
19diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
20index 33f4e24..1450ff1 100644
21--- a/source3/libads/sasl.c
22+++ b/source3/libads/sasl.c
23@@ -714,88 +714,96 @@ static void ads_free_service_principal(struct ads_service_principal *p)
24 static ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads,
25 char **returned_principal)
26 {
27+ ADS_STATUS status = ADS_ERROR(LDAP_NO_MEMORY);
28 char *princ = NULL;
29+ TALLOC_CTX *frame;
30+ char *server = NULL;
31+ char *realm = NULL;
32+ int rc;
33
34- if (ads->server.realm && ads->server.ldap_server) {
35- char *server, *server_realm;
36-
37- server = SMB_STRDUP(ads->server.ldap_server);
38- server_realm = SMB_STRDUP(ads->server.realm);
39-
40- if (!server || !server_realm) {
41- SAFE_FREE(server);
42- SAFE_FREE(server_realm);
43- return ADS_ERROR(LDAP_NO_MEMORY);
44- }
45+ frame = talloc_stackframe();
46+ if (frame == NULL) {
47+ return ADS_ERROR(LDAP_NO_MEMORY);
48+ }
49
50- if (!strlower_m(server)) {
51- SAFE_FREE(server);
52- SAFE_FREE(server_realm);
53- return ADS_ERROR(LDAP_NO_MEMORY);
54+ if (ads->server.realm && ads->server.ldap_server) {
55+ server = strlower_talloc(frame, ads->server.ldap_server);
56+ if (server == NULL) {
57+ goto out;
58 }
59
60- if (!strupper_m(server_realm)) {
61- SAFE_FREE(server);
62- SAFE_FREE(server_realm);
63- return ADS_ERROR(LDAP_NO_MEMORY);
64+ realm = strupper_talloc(frame, ads->server.realm);
65+ if (realm == NULL) {
66+ goto out;
67 }
68
69- if (asprintf(&princ, "ldap/%s@%s", server, server_realm) == -1) {
70- SAFE_FREE(server);
71- SAFE_FREE(server_realm);
72- return ADS_ERROR(LDAP_NO_MEMORY);
73- }
74+ /*
75+ * If we got a name which is bigger than a NetBIOS name,
76+ * but isn't a FQDN, create one.
77+ */
78+ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
79+ char *dnsdomain;
80
81- SAFE_FREE(server);
82- SAFE_FREE(server_realm);
83+ dnsdomain = strlower_talloc(frame, ads->server.realm);
84+ if (dnsdomain == NULL) {
85+ goto out;
86+ }
87
88- if (!princ) {
89- return ADS_ERROR(LDAP_NO_MEMORY);
90+ server = talloc_asprintf(frame,
91+ "%s.%s",
92+ server, dnsdomain);
93+ if (server == NULL) {
94+ goto out;
95+ }
96 }
97 } else if (ads->config.realm && ads->config.ldap_server_name) {
98- char *server, *server_realm;
99-
100- server = SMB_STRDUP(ads->config.ldap_server_name);
101- server_realm = SMB_STRDUP(ads->config.realm);
102-
103- if (!server || !server_realm) {
104- SAFE_FREE(server);
105- SAFE_FREE(server_realm);
106- return ADS_ERROR(LDAP_NO_MEMORY);
107+ server = strlower_talloc(frame, ads->config.ldap_server_name);
108+ if (server == NULL) {
109+ goto out;
110 }
111
112- if (!strlower_m(server)) {
113- SAFE_FREE(server);
114- SAFE_FREE(server_realm);
115- return ADS_ERROR(LDAP_NO_MEMORY);
116+ realm = strupper_talloc(frame, ads->config.realm);
117+ if (realm == NULL) {
118+ goto out;
119 }
120
121- if (!strupper_m(server_realm)) {
122- SAFE_FREE(server);
123- SAFE_FREE(server_realm);
124- return ADS_ERROR(LDAP_NO_MEMORY);
125- }
126- if (asprintf(&princ, "ldap/%s@%s", server, server_realm) == -1) {
127- SAFE_FREE(server);
128- SAFE_FREE(server_realm);
129- return ADS_ERROR(LDAP_NO_MEMORY);
130- }
131+ /*
132+ * If we got a name which is bigger than a NetBIOS name,
133+ * but isn't a FQDN, create one.
134+ */
135+ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
136+ char *dnsdomain;
137
138- SAFE_FREE(server);
139- SAFE_FREE(server_realm);
140+ dnsdomain = strlower_talloc(frame, ads->server.realm);
141+ if (dnsdomain == NULL) {
142+ goto out;
143+ }
144
145- if (!princ) {
146- return ADS_ERROR(LDAP_NO_MEMORY);
147+ server = talloc_asprintf(frame,
148+ "%s.%s",
149+ server, dnsdomain);
150+ if (server == NULL) {
151+ goto out;
152+ }
153 }
154 }
155
156- if (!princ) {
157- return ADS_ERROR(LDAP_PARAM_ERROR);
158+ if (server == NULL || realm == NULL) {
159+ goto out;
160+ }
161+
162+ rc = asprintf(&princ, "ldap/%s@%s", server, realm);
163+ if (rc == -1 || princ == NULL) {
164+ status = ADS_ERROR(LDAP_PARAM_ERROR);
165+ goto out;
166 }
167
168 *returned_principal = princ;
169
170- return ADS_SUCCESS;
171+ status = ADS_SUCCESS;
172+out:
173+ TALLOC_FREE(frame);
174+ return status;
175 }
176
177 static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
178--
1792.1.0
180
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
deleted file mode 100644
index 5d309f111..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/11-fix-overwriting-of-spns-during-net-ads-join.patch
+++ /dev/null
@@ -1,329 +0,0 @@
1From 1925edc67e223d73d672af48c2ebd3e5865e01d9 Mon Sep 17 00:00:00 2001
2From: Andreas Schneider <asn@samba.org>
3Date: Wed, 24 Sep 2014 09:22:03 +0200
4Subject: [PATCH 1/4] s3-libads: Add a function to retrieve the SPNs of a
5 computer account.
6
7BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
8
9Signed-off-by: Andreas Schneider <asn@samba.org>
10Reviewed-by: Guenther Deschner <gd@samba.org>
11(cherry picked from commit 4eaa4ccbdf279f1ff6d8218b36d92aeea0114cd8)
12---
13 source3/libads/ads_proto.h | 6 +++++
14 source3/libads/ldap.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++
15 2 files changed, 66 insertions(+)
16
17diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
18index 17a84d1..6a22807 100644
19--- a/source3/libads/ads_proto.h
20+++ b/source3/libads/ads_proto.h
21@@ -87,6 +87,12 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
22 const char *name, const char **vals);
23 uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
24 uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
25+
26+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
27+ ADS_STRUCT *ads,
28+ const char *machine_name,
29+ char ***spn_array,
30+ size_t *num_spns);
31 ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
32 ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
33 const char *my_fqdn, const char *spn);
34diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
35index fb99132..51a0883 100644
36--- a/source3/libads/ldap.c
37+++ b/source3/libads/ldap.c
38@@ -1927,6 +1927,66 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
39 }
40
41 /**
42+ * @brief This gets the service principal names of an existing computer account.
43+ *
44+ * @param[in] mem_ctx The memory context to use to allocate the spn array.
45+ *
46+ * @param[in] ads The ADS context to use.
47+ *
48+ * @param[in] machine_name The NetBIOS name of the computer, which is used to
49+ * identify the computer account.
50+ *
51+ * @param[in] spn_array A pointer to store the array for SPNs.
52+ *
53+ * @param[in] num_spns The number of principals stored in the array.
54+ *
55+ * @return 0 on success, or a ADS error if a failure occured.
56+ */
57+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
58+ ADS_STRUCT *ads,
59+ const char *machine_name,
60+ char ***spn_array,
61+ size_t *num_spns)
62+{
63+ ADS_STATUS status;
64+ LDAPMessage *res = NULL;
65+ char *dn;
66+ int count;
67+
68+ status = ads_find_machine_acct(ads,
69+ &res,
70+ machine_name);
71+ if (!ADS_ERR_OK(status)) {
72+ DEBUG(1,("Host Account for %s not found... skipping operation.\n",
73+ machine_name));
74+ return status;
75+ }
76+
77+ count = ads_count_replies(ads, res);
78+ if (count != 1) {
79+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
80+ goto done;
81+ }
82+
83+ dn = ads_get_dn(ads, mem_ctx, res);
84+ if (dn == NULL) {
85+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
86+ goto done;
87+ }
88+
89+ *spn_array = ads_pull_strings(ads,
90+ mem_ctx,
91+ res,
92+ "servicePrincipalName",
93+ num_spns);
94+
95+done:
96+ ads_msgfree(ads, res);
97+
98+ return status;
99+}
100+
101+/**
102 * This adds a service principal name to an existing computer account
103 * (found by hostname) in AD.
104 * @param ads An initialized ADS_STRUCT
105--
1062.1.0
107
108
109From ed3b6536e1027a26d7983942f62677aa2bc0e93c Mon Sep 17 00:00:00 2001
110From: Andreas Schneider <asn@samba.org>
111Date: Wed, 24 Sep 2014 09:23:58 +0200
112Subject: [PATCH 2/4] s3-libads: Add function to search for an element in an
113 array.
114
115BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
116
117Signed-off-by: Andreas Schneider <asn@samba.org>
118Reviewed-by: Guenther Deschner <gd@samba.org>
119(cherry picked from commit e1ee4c8bc7018db7787dd9a0be6d3aa40a477ee2)
120---
121 source3/libads/ads_proto.h | 2 ++
122 source3/libads/ldap.c | 31 +++++++++++++++++++++++++++++++
123 2 files changed, 33 insertions(+)
124
125diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
126index 6a22807..1e34247 100644
127--- a/source3/libads/ads_proto.h
128+++ b/source3/libads/ads_proto.h
129@@ -88,6 +88,8 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
130 uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
131 uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
132
133+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el);
134+
135 ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
136 ADS_STRUCT *ads,
137 const char *machine_name,
138diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
139index 51a0883..8d104c2 100644
140--- a/source3/libads/ldap.c
141+++ b/source3/libads/ldap.c
142@@ -1927,6 +1927,37 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
143 }
144
145 /**
146+ * @brief Search for an element in a string array.
147+ *
148+ * @param[in] el_array The string array to search.
149+ *
150+ * @param[in] num_el The number of elements in the string array.
151+ *
152+ * @param[in] el The string to search.
153+ *
154+ * @return True if found, false if not.
155+ */
156+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el)
157+{
158+ size_t i;
159+
160+ if (el_array == NULL || num_el == 0 || el == NULL) {
161+ return false;
162+ }
163+
164+ for (i = 0; i < num_el && el_array[i] != NULL; i++) {
165+ int cmp;
166+
167+ cmp = strcasecmp_m(el_array[i], el);
168+ if (cmp == 0) {
169+ return true;
170+ }
171+ }
172+
173+ return false;
174+}
175+
176+/**
177 * @brief This gets the service principal names of an existing computer account.
178 *
179 * @param[in] mem_ctx The memory context to use to allocate the spn array.
180--
1812.1.0
182
183
184From 11700f1398d6197a99c686f1a43b45d6305ceae8 Mon Sep 17 00:00:00 2001
185From: Andreas Schneider <asn@samba.org>
186Date: Fri, 26 Sep 2014 03:09:08 +0200
187Subject: [PATCH 3/4] s3-libnet: Add libnet_join_get_machine_spns().
188
189BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
190
191Signed-off-by: Andreas Schneider <asn@samba.org>
192Reviewed-by: Guenther Deschner <gd@samba.org>
193(cherry picked from commit 7e0b8fcce5572c88d50993a1dbd90f65638ba90f)
194---
195 source3/libnet/libnet_join.c | 20 ++++++++++++++++++++
196 1 file changed, 20 insertions(+)
197
198diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
199index 1418385..3611cc7 100644
200--- a/source3/libnet/libnet_join.c
201+++ b/source3/libnet/libnet_join.c
202@@ -358,6 +358,26 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
203 return status;
204 }
205
206+static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
207+ struct libnet_JoinCtx *r,
208+ char ***spn_array,
209+ size_t *num_spns)
210+{
211+ ADS_STATUS status;
212+
213+ if (r->in.machine_name == NULL) {
214+ return ADS_ERROR_SYSTEM(EINVAL);
215+ }
216+
217+ status = ads_get_service_principal_names(mem_ctx,
218+ r->in.ads,
219+ r->in.machine_name,
220+ spn_array,
221+ num_spns);
222+
223+ return status;
224+}
225+
226 /****************************************************************
227 Set a machines dNSHostName and servicePrincipalName attributes
228 ****************************************************************/
229--
2302.1.0
231
232
233From 472256e27ad5cb5e7657efaece71744269ca8d16 Mon Sep 17 00:00:00 2001
234From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
235Date: Fri, 26 Sep 2014 03:35:43 +0200
236Subject: [PATCH 4/4] s3-libnet: Make sure we do not overwrite precreated SPNs.
237MIME-Version: 1.0
238Content-Type: text/plain; charset=UTF-8
239Content-Transfer-Encoding: 8bit
240
241BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
242
243Signed-off-by: Günther Deschner <gd@samba.org>
244Reviewed-by: Andreas Schneider <asn@samba.org>
245
246Autobuild-User(master): Günther Deschner <gd@samba.org>
247Autobuild-Date(master): Fri Sep 26 08:22:45 CEST 2014 on sn-devel-104
248
249(cherry picked from commit 0aacbe78bb40d76b65087c2a197c92b0101e625e)
250---
251 source3/libnet/libnet_join.c | 39 ++++++++++++++++++++++++++++++++++++---
252 1 file changed, 36 insertions(+), 3 deletions(-)
253
254diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
255index 3611cc7..aa7b5cb 100644
256--- a/source3/libnet/libnet_join.c
257+++ b/source3/libnet/libnet_join.c
258@@ -388,8 +388,10 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
259 ADS_STATUS status;
260 ADS_MODLIST mods;
261 fstring my_fqdn;
262- const char *spn_array[3] = {NULL, NULL, NULL};
263+ const char **spn_array = NULL;
264+ size_t num_spns = 0;
265 char *spn = NULL;
266+ bool ok;
267
268 /* Find our DN */
269
270@@ -398,6 +400,14 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
271 return status;
272 }
273
274+ status = libnet_join_get_machine_spns(mem_ctx,
275+ r,
276+ discard_const_p(char **, &spn_array),
277+ &num_spns);
278+ if (!ADS_ERR_OK(status)) {
279+ DEBUG(5, ("Retrieving the servicePrincipalNames failed.\n"));
280+ }
281+
282 /* Windows only creates HOST/shortname & HOST/fqdn. */
283
284 spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
285@@ -407,7 +417,15 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
286 if (!strupper_m(spn)) {
287 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
288 }
289- spn_array[0] = spn;
290+
291+ ok = ads_element_in_array(spn_array, num_spns, spn);
292+ if (!ok) {
293+ ok = add_string_to_array(spn_array, spn,
294+ &spn_array, (int *)&num_spns);
295+ if (!ok) {
296+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
297+ }
298+ }
299
300 if (!name_to_fqdn(my_fqdn, r->in.machine_name)
301 || (strchr(my_fqdn, '.') == NULL)) {
302@@ -424,8 +442,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
303 if (!spn) {
304 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
305 }
306- spn_array[1] = spn;
307+
308+ ok = ads_element_in_array(spn_array, num_spns, spn);
309+ if (!ok) {
310+ ok = add_string_to_array(spn_array, spn,
311+ &spn_array, (int *)&num_spns);
312+ if (!ok) {
313+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
314+ }
315+ }
316+ }
317+
318+ /* make sure to NULL terminate the array */
319+ spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1);
320+ if (spn_array == NULL) {
321+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
322 }
323+ spn_array[num_spns] = NULL;
324
325 mods = ads_init_mods(mem_ctx);
326 if (!mods) {
327--
3282.1.0
329
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
deleted file mode 100644
index 2174e153a..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/12-add-precreated-spns-from-AD-during-keytab-generation.patch
+++ /dev/null
@@ -1,159 +0,0 @@
1From 3516236ec6eb42f29eda42542b109fa10217e68c Mon Sep 17 00:00:00 2001
2From: Andreas Schneider <asn@samba.org>
3Date: Wed, 24 Sep 2014 10:51:33 +0200
4Subject: [PATCH] s3-libads: Add all machine account principals to the keytab.
5
6This adds all SPNs defined in the DC for the computer account to the
7keytab using 'net ads keytab create -P'.
8
9BUG: https://bugzilla.samba.org/show_bug.cgi?id=9985
10
11Signed-off-by: Andreas Schneider <asn@samba.org>
12Reviewed-by: Guenther Deschner <gd@samba.org>
13(cherry picked from commit 5d58b92f8fcbc509f4fe2bd3617bcaeada1806b6)
14---
15 source3/libads/kerberos_keytab.c | 74 ++++++++++++++++++++++++++++------------
16 1 file changed, 52 insertions(+), 22 deletions(-)
17
18diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
19index 83df088..d13625b 100644
20--- a/source3/libads/kerberos_keytab.c
21+++ b/source3/libads/kerberos_keytab.c
22@@ -507,20 +507,57 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
23 krb5_kt_cursor cursor;
24 krb5_keytab_entry kt_entry;
25 krb5_kvno kvno;
26- int i, found = 0;
27+ size_t found = 0;
28 char *sam_account_name, *upn;
29 char **oldEntries = NULL, *princ_s[26];
30- TALLOC_CTX *tmpctx = NULL;
31+ TALLOC_CTX *frame;
32 char *machine_name;
33+ char **spn_array;
34+ size_t num_spns;
35+ size_t i;
36+ ADS_STATUS status;
37
38- /* these are the main ones we need */
39- ret = ads_keytab_add_entry(ads, "host");
40- if (ret != 0) {
41- DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
42- "adding 'host' principal.\n"));
43- return ret;
44+ frame = talloc_stackframe();
45+ if (frame == NULL) {
46+ ret = -1;
47+ goto done;
48+ }
49+
50+ status = ads_get_service_principal_names(frame,
51+ ads,
52+ lp_netbios_name(),
53+ &spn_array,
54+ &num_spns);
55+ if (!ADS_ERR_OK(status)) {
56+ ret = -1;
57+ goto done;
58 }
59
60+ for (i = 0; i < num_spns; i++) {
61+ char *srv_princ;
62+ char *p;
63+
64+ srv_princ = strlower_talloc(frame, spn_array[i]);
65+ if (srv_princ == NULL) {
66+ ret = -1;
67+ goto done;
68+ }
69+
70+ p = strchr_m(srv_princ, '/');
71+ if (p == NULL) {
72+ continue;
73+ }
74+ p[0] = '\0';
75+
76+ /* Add the SPNs found on the DC */
77+ ret = ads_keytab_add_entry(ads, srv_princ);
78+ if (ret != 0) {
79+ DEBUG(1, ("ads_keytab_add_entry failed while "
80+ "adding '%s' principal.\n",
81+ spn_array[i]));
82+ goto done;
83+ }
84+ }
85
86 #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
87 really needs them and we will fall back to verifying against
88@@ -543,24 +580,17 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
89 if (ret) {
90 DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
91 error_message(ret)));
92- return ret;
93- }
94-
95- tmpctx = talloc_init(__location__);
96- if (!tmpctx) {
97- DEBUG(0, (__location__ ": talloc_init() failed!\n"));
98- ret = -1;
99 goto done;
100 }
101
102- machine_name = talloc_strdup(tmpctx, lp_netbios_name());
103+ machine_name = talloc_strdup(frame, lp_netbios_name());
104 if (!machine_name) {
105 ret = -1;
106 goto done;
107 }
108
109 /* now add the userPrincipalName and sAMAccountName entries */
110- sam_account_name = ads_get_samaccountname(ads, tmpctx, machine_name);
111+ sam_account_name = ads_get_samaccountname(ads, frame, machine_name);
112 if (!sam_account_name) {
113 DEBUG(0, (__location__ ": unable to determine machine "
114 "account's name in AD!\n"));
115@@ -584,7 +614,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
116 }
117
118 /* remember that not every machine account will have a upn */
119- upn = ads_get_upn(ads, tmpctx, machine_name);
120+ upn = ads_get_upn(ads, frame, machine_name);
121 if (upn) {
122 ret = ads_keytab_add_entry(ads, upn);
123 if (ret != 0) {
124@@ -596,7 +626,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
125
126 /* Now loop through the keytab and update any other existing entries */
127 kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
128- if (kvno == -1) {
129+ if (kvno == (krb5_kvno)-1) {
130 DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
131 "determine the system's kvno.\n"));
132 goto done;
133@@ -629,12 +659,12 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
134 * have a race condition where someone else could add entries after
135 * we've counted them. Re-open asap to minimise the race. JRA.
136 */
137- DEBUG(3, (__location__ ": Found %d entries in the keytab.\n", found));
138+ DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found));
139 if (!found) {
140 goto done;
141 }
142
143- oldEntries = talloc_array(tmpctx, char *, found);
144+ oldEntries = talloc_array(frame, char *, found);
145 if (!oldEntries) {
146 DEBUG(1, (__location__ ": Failed to allocate space to store "
147 "the old keytab entries (talloc failed?).\n"));
148@@ -708,7 +738,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
149
150 done:
151 TALLOC_FREE(oldEntries);
152- TALLOC_FREE(tmpctx);
153+ TALLOC_FREE(frame);
154
155 {
156 krb5_keytab_entry zero_kt_entry;
157--
1582.1.0
159
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
deleted file mode 100644
index a939e7066..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch
+++ /dev/null
@@ -1,988 +0,0 @@
1From cbef7b5e10f4477d9f2e648ac6c654eef1165b82 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3Date: Wed, 24 Sep 2014 22:16:20 +0200
4Subject: [PATCH 1/4] s3-net: add "net ads enctypes {list,set,delete}".
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Guenther
10
11Signed-off-by: Günther Deschner <gd@samba.org>
12Reviewed-by: Andreas Schneider <asn@samba.org>
13Reviewed-by: Stefan Metzmacher <metze@samba.org>
14---
15 source3/utils/net_ads.c | 308 ++++++++++++++++++++++++++++++++++++++++++++++++
16 1 file changed, 308 insertions(+)
17
18diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
19index 8b8e719..5f18bf4 100644
20--- a/source3/utils/net_ads.c
21+++ b/source3/utils/net_ads.c
22@@ -2860,6 +2860,306 @@ int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
23 return net_run_function(c, argc, argv, "net ads kerberos", func);
24 }
25
26+static int net_ads_enctype_lookup_account(struct net_context *c,
27+ ADS_STRUCT *ads,
28+ const char *account,
29+ LDAPMessage **res,
30+ const char **enctype_str)
31+{
32+ const char *filter;
33+ const char *attrs[] = {
34+ "msDS-SupportedEncryptionTypes",
35+ NULL
36+ };
37+ int count;
38+ int ret = -1;
39+ ADS_STATUS status;
40+
41+ filter = talloc_asprintf(c, "(&(objectclass=user)(sAMAccountName=%s))",
42+ account);
43+ if (filter == NULL) {
44+ goto done;
45+ }
46+
47+ status = ads_search(ads, res, filter, attrs);
48+ if (!ADS_ERR_OK(status)) {
49+ d_printf(_("no account found with filter: %s\n"), filter);
50+ goto done;
51+ }
52+
53+ count = ads_count_replies(ads, *res);
54+ switch (count) {
55+ case 1:
56+ break;
57+ case 0:
58+ d_printf(_("no account found with filter: %s\n"), filter);
59+ goto done;
60+ default:
61+ d_printf(_("multiple accounts found with filter: %s\n"), filter);
62+ goto done;
63+ }
64+
65+ if (enctype_str) {
66+ *enctype_str = ads_pull_string(ads, c, *res,
67+ "msDS-SupportedEncryptionTypes");
68+ if (*enctype_str == NULL) {
69+ d_printf(_("no msDS-SupportedEncryptionTypes attribute found\n"));
70+ goto done;
71+ }
72+ }
73+
74+ ret = 0;
75+ done:
76+ return ret;
77+}
78+
79+static void net_ads_enctype_dump_enctypes(const char *username,
80+ const char *enctype_str)
81+{
82+ int enctypes;
83+
84+ d_printf(_("'%s' uses \"msDS-SupportedEncryptionTypes\":\n"), username);
85+
86+ enctypes = atoi(enctype_str);
87+
88+ printf("[%s] 0x%08x DES-CBC-CRC\n",
89+ enctypes & ENC_CRC32 ? "X" : " ",
90+ ENC_CRC32);
91+ printf("[%s] 0x%08x DES-CBC-MD5\n",
92+ enctypes & ENC_RSA_MD5 ? "X" : " ",
93+ ENC_RSA_MD5);
94+ printf("[%s] 0x%08x RC4-HMAC\n",
95+ enctypes & ENC_RC4_HMAC_MD5 ? "X" : " ",
96+ ENC_RC4_HMAC_MD5);
97+ printf("[%s] 0x%08x AES128-CTS-HMAC-SHA1-96\n",
98+ enctypes & ENC_HMAC_SHA1_96_AES128 ? "X" : " ",
99+ ENC_HMAC_SHA1_96_AES128);
100+ printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96\n",
101+ enctypes & ENC_HMAC_SHA1_96_AES256 ? "X" : " ",
102+ ENC_HMAC_SHA1_96_AES256);
103+}
104+
105+static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
106+{
107+ int ret = -1;
108+ ADS_STATUS status;
109+ ADS_STRUCT *ads = NULL;
110+ LDAPMessage *res = NULL;
111+ const char *str = NULL;
112+
113+ if (c->display_usage || (argc < 1)) {
114+ d_printf( "%s\n"
115+ "net ads enctypes list\n"
116+ " %s\n",
117+ _("Usage:"),
118+ _("List supported enctypes"));
119+ return 0;
120+ }
121+
122+ status = ads_startup(c, false, &ads);
123+ if (!ADS_ERR_OK(status)) {
124+ printf("startup failed\n");
125+ return ret;
126+ }
127+
128+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
129+ if (ret) {
130+ goto done;
131+ }
132+
133+ net_ads_enctype_dump_enctypes(argv[0], str);
134+
135+ ret = 0;
136+ done:
137+ ads_msgfree(ads, res);
138+ ads_destroy(&ads);
139+
140+ return ret;
141+}
142+
143+static int net_ads_enctypes_set(struct net_context *c, int argc, const char **argv)
144+{
145+ int ret = -1;
146+ ADS_STATUS status;
147+ ADS_STRUCT *ads;
148+ LDAPMessage *res = NULL;
149+ const char *etype_list_str;
150+ const char *dn;
151+ ADS_MODLIST mods;
152+ uint32_t etype_list;
153+ const char *str;
154+
155+ if (c->display_usage || argc < 1) {
156+ d_printf( "%s\n"
157+ "net ads enctypes set <sAMAccountName> [enctypes]\n"
158+ " %s\n",
159+ _("Usage:"),
160+ _("Set supported enctypes"));
161+ return 0;
162+ }
163+
164+ status = ads_startup(c, false, &ads);
165+ if (!ADS_ERR_OK(status)) {
166+ printf("startup failed\n");
167+ return ret;
168+ }
169+
170+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
171+ if (ret) {
172+ goto done;
173+ }
174+
175+ dn = ads_get_dn(ads, c, res);
176+ if (dn == NULL) {
177+ goto done;
178+ }
179+
180+ etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
181+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
182+ etype_list |= ENC_HMAC_SHA1_96_AES128;
183+#endif
184+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
185+ etype_list |= ENC_HMAC_SHA1_96_AES256;
186+#endif
187+
188+ if (argv[1] != NULL) {
189+ sscanf(argv[1], "%i", &etype_list);
190+ }
191+
192+ etype_list_str = talloc_asprintf(c, "%d", etype_list);
193+ if (!etype_list_str) {
194+ goto done;
195+ }
196+
197+ mods = ads_init_mods(c);
198+ if (!mods) {
199+ goto done;
200+ }
201+
202+ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes",
203+ etype_list_str);
204+ if (!ADS_ERR_OK(status)) {
205+ goto done;
206+ }
207+
208+ status = ads_gen_mod(ads, dn, mods);
209+ if (!ADS_ERR_OK(status)) {
210+ d_printf(_("failed to add msDS-SupportedEncryptionTypes: %s\n"),
211+ ads_errstr(status));
212+ goto done;
213+ }
214+
215+ ads_msgfree(ads, res);
216+
217+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
218+ if (ret) {
219+ goto done;
220+ }
221+
222+ net_ads_enctype_dump_enctypes(argv[0], str);
223+
224+ ret = 0;
225+ done:
226+ ads_msgfree(ads, res);
227+ ads_destroy(&ads);
228+
229+ return ret;
230+}
231+
232+static int net_ads_enctypes_delete(struct net_context *c, int argc, const char **argv)
233+{
234+ int ret = -1;
235+ ADS_STATUS status;
236+ ADS_STRUCT *ads;
237+ LDAPMessage *res = NULL;
238+ const char *dn;
239+ ADS_MODLIST mods;
240+
241+ if (c->display_usage || argc < 1) {
242+ d_printf( "%s\n"
243+ "net ads enctypes delete <sAMAccountName>\n"
244+ " %s\n",
245+ _("Usage:"),
246+ _("Delete supported enctypes"));
247+ return 0;
248+ }
249+
250+ status = ads_startup(c, false, &ads);
251+ if (!ADS_ERR_OK(status)) {
252+ printf("startup failed\n");
253+ return ret;
254+ }
255+
256+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
257+ if (ret) {
258+ goto done;
259+ }
260+
261+ dn = ads_get_dn(ads, c, res);
262+ if (dn == NULL) {
263+ goto done;
264+ }
265+
266+ mods = ads_init_mods(c);
267+ if (!mods) {
268+ goto done;
269+ }
270+
271+ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes", NULL);
272+ if (!ADS_ERR_OK(status)) {
273+ goto done;
274+ }
275+
276+ status = ads_gen_mod(ads, dn, mods);
277+ if (!ADS_ERR_OK(status)) {
278+ d_printf(_("failed to remove msDS-SupportedEncryptionTypes: %s\n"),
279+ ads_errstr(status));
280+ goto done;
281+ }
282+
283+ ret = 0;
284+
285+ done:
286+ ads_msgfree(ads, res);
287+ ads_destroy(&ads);
288+ return ret;
289+}
290+
291+static int net_ads_enctypes(struct net_context *c, int argc, const char **argv)
292+{
293+ struct functable func[] = {
294+ {
295+ "list",
296+ net_ads_enctypes_list,
297+ NET_TRANSPORT_ADS,
298+ N_("List the supported encryption types"),
299+ N_("net ads enctypes list\n"
300+ " List the supported encryption types")
301+ },
302+ {
303+ "set",
304+ net_ads_enctypes_set,
305+ NET_TRANSPORT_ADS,
306+ N_("Set the supported encryption types"),
307+ N_("net ads enctypes set\n"
308+ " Set the supported encryption types")
309+ },
310+ {
311+ "delete",
312+ net_ads_enctypes_delete,
313+ NET_TRANSPORT_ADS,
314+ N_("Delete the supported encryption types"),
315+ N_("net ads enctypes delete\n"
316+ " Delete the supported encryption types")
317+ },
318+
319+ {NULL, NULL, 0, NULL, NULL}
320+ };
321+
322+ return net_run_function(c, argc, argv, "net ads enctypes", func);
323+}
324+
325+
326 int net_ads(struct net_context *c, int argc, const char **argv)
327 {
328 struct functable func[] = {
329@@ -3015,6 +3315,14 @@ int net_ads(struct net_context *c, int argc, const char **argv)
330 N_("net ads kerberos\n"
331 " Manage kerberos keytab")
332 },
333+ {
334+ "enctypes",
335+ net_ads_enctypes,
336+ NET_TRANSPORT_ADS,
337+ N_("List/modify supported encryption types"),
338+ N_("net ads enctypes\n"
339+ " List/modify enctypes")
340+ },
341 {NULL, NULL, 0, NULL, NULL}
342 };
343
344--
3451.9.3
346
347
348From a19f1e51bd7d48b238ad22ec9e27af53dfa5bf44 Mon Sep 17 00:00:00 2001
349From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
350Date: Wed, 24 Sep 2014 23:36:19 +0200
351Subject: [PATCH 2/4] s3-net: add manpage documentation for "net ads enctypes".
352MIME-Version: 1.0
353Content-Type: text/plain; charset=UTF-8
354Content-Transfer-Encoding: 8bit
355
356Guenther
357
358Signed-off-by: Günther Deschner <gd@samba.org>
359Reviewed-by: Andreas Schneider <asn@samba.org>
360Reviewed-by: Stefan Metzmacher <metze@samba.org>
361---
362 docs-xml/manpages/net.8.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++
363 1 file changed, 53 insertions(+)
364
365diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
366index f39b420..9e982e3 100644
367--- a/docs-xml/manpages/net.8.xml
368+++ b/docs-xml/manpages/net.8.xml
369@@ -1339,6 +1339,59 @@ to show in the result.
370 </refsect2>
371
372 <refsect2>
373+ <title>ADS ENCTYPES</title>
374+
375+<para>
376+ List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD.
377+</para>
378+
379+<para>
380+ This attribute allows to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values:
381+</para>
382+
383+<para>0x00000001 DES-CBC-CRC</para>
384+<para>0x00000002 DES-CBC-MD5</para>
385+<para>0x00000004 RC4-HMAC</para>
386+<para>0x00000008 AES128-CTS-HMAC-SHA1-96</para>
387+<para>0x00000010 AES256-CTS-HMAC-SHA1-96</para>
388+
389+</refsect2>
390+
391+<refsect2>
392+ <title>ADS ENCTYPES LIST <replaceable>&lt;ACCOUNTNAME&gt;</replaceable></title>
393+
394+<para>
395+ List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account.
396+</para>
397+
398+<para>Example: <userinput>net ads enctypes list Computername</userinput></para>
399+
400+</refsect2>
401+
402+<refsect2>
403+ <title>ADS ENCTYPES SET <replaceable>&lt;ACCOUNTNAME&gt;</replaceable> <replaceable>[enctypes]</replaceable></title>
404+
405+<para>
406+ Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is ommitted, the value is set to 31 which enables all the currently supported encryption types.
407+</para>
408+
409+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
410+
411+</refsect2>
412+
413+<refsect2>
414+ <title>ADS ENCTYPES DELETE <replaceable>&lt;ACCOUNTNAME&gt;</replaceable></title>
415+
416+<para>
417+ Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME.
418+</para>
419+
420+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
421+
422+</refsect2>
423+
424+
425+<refsect2>
426 <title>SAM CREATEBUILTINGROUP &lt;NAME&gt;</title>
427
428 <para>
429--
4301.9.3
431
432
433From 0f42d123afde57ee74d89bdc742185cef718cf0f Mon Sep 17 00:00:00 2001
434From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
435Date: Fri, 23 Nov 2012 12:34:27 +0100
436Subject: [PATCH 3/4] s3-libnet: set list of allowed krb5 encryption types in
437 AD >= 2008.
438MIME-Version: 1.0
439Content-Type: text/plain; charset=UTF-8
440Content-Transfer-Encoding: 8bit
441
442Guenther
443
444Signed-off-by: Günther Deschner <gd@samba.org>
445Reviewed-by: Andreas Schneider <asn@samba.org>
446Reviewed-by: Stefan Metzmacher <metze@samba.org>
447---
448 source3/libnet/libnet_join.c | 65 ++++++++++++++++++++++++++++++++++++++++++++
449 1 file changed, 65 insertions(+)
450
451diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
452index 381a59c..e70e11a 100644
453--- a/source3/libnet/libnet_join.c
454+++ b/source3/libnet/libnet_join.c
455@@ -605,6 +605,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
456 /****************************************************************
457 ****************************************************************/
458
459+static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
460+ struct libnet_JoinCtx *r)
461+{
462+ ADS_STATUS status;
463+ ADS_MODLIST mods;
464+ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
465+ const char *etype_list_str;
466+
467+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
468+ etype_list |= ENC_HMAC_SHA1_96_AES128;
469+#endif
470+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
471+ etype_list |= ENC_HMAC_SHA1_96_AES256;
472+#endif
473+
474+ etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
475+ if (!etype_list_str) {
476+ return ADS_ERROR(LDAP_NO_MEMORY);
477+ }
478+
479+ /* Find our DN */
480+
481+ status = libnet_join_find_machine_acct(mem_ctx, r);
482+ if (!ADS_ERR_OK(status)) {
483+ return status;
484+ }
485+
486+ /* now do the mods */
487+
488+ mods = ads_init_mods(mem_ctx);
489+ if (!mods) {
490+ return ADS_ERROR(LDAP_NO_MEMORY);
491+ }
492+
493+ status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
494+ etype_list_str);
495+ if (!ADS_ERR_OK(status)) {
496+ return status;
497+ }
498+
499+ return ads_gen_mod(r->in.ads, r->out.dn, mods);
500+}
501+
502+/****************************************************************
503+****************************************************************/
504+
505 static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
506 struct libnet_JoinCtx *r)
507 {
508@@ -679,6 +725,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
509 struct libnet_JoinCtx *r)
510 {
511 ADS_STATUS status;
512+ uint32_t func_level = 0;
513
514 if (!r->in.ads) {
515 status = libnet_join_connect_ads(mem_ctx, r);
516@@ -713,6 +760,24 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
517 return status;
518 }
519
520+ status = ads_domain_func_level(r->in.ads, &func_level);
521+ if (!ADS_ERR_OK(status)) {
522+ libnet_join_set_error_string(mem_ctx, r,
523+ "failed to query domain controller functional level: %s",
524+ ads_errstr(status));
525+ return status;
526+ }
527+
528+ if (func_level >= DS_DOMAIN_FUNCTION_2008) {
529+ status = libnet_join_set_etypes(mem_ctx, r);
530+ if (!ADS_ERR_OK(status)) {
531+ libnet_join_set_error_string(mem_ctx, r,
532+ "failed to set machine kerberos encryption types: %s",
533+ ads_errstr(status));
534+ return status;
535+ }
536+ }
537+
538 if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
539 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
540 }
541--
5421.9.3
543
544
545From adb206481ac56c8f438e70f7b9e986aeba9586b1 Mon Sep 17 00:00:00 2001
546From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
547Date: Fri, 26 Sep 2014 21:06:38 +0200
548Subject: [PATCH 4/4] s4-auth/kerberos: fix salting principal, make sure
549 hostname is lowercase.
550MIME-Version: 1.0
551Content-Type: text/plain; charset=UTF-8
552Content-Transfer-Encoding: 8bit
553
554Found at MS interop event while working on AES kerberos key support.
555
556Guenther
557
558Signed-off-by: Günther Deschner <gd@samba.org>
559Reviewed-by: Andrew Bartlett <abartlet@samba.org>
560---
561 source4/auth/kerberos/srv_keytab.c | 2 +-
562 1 file changed, 1 insertion(+), 1 deletion(-)
563
564diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c
565index d81e27d..3baba14 100644
566--- a/source4/auth/kerberos/srv_keytab.c
567+++ b/source4/auth/kerberos/srv_keytab.c
568@@ -143,7 +143,7 @@ static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx,
569 return ENOMEM;
570 }
571
572- machine_username = talloc_strdup(tmp_ctx, samAccountName);
573+ machine_username = strlower_talloc(tmp_ctx, samAccountName);
574 if (!machine_username) {
575 *error_string = "Cannot duplicate samAccountName";
576 talloc_free(tmp_ctx);
577--
5781.9.3
579
580From d423e8b759af2e0a7cdce39d3f7a6c8d9c1764b4 Mon Sep 17 00:00:00 2001
581From: Jeremy Allison <jra@samba.org>
582Date: Mon, 16 Jun 2014 22:49:29 -0700
583Subject: [PATCH 1/5] s3: auth: Add some const to the struct netr_SamInfo3 *
584 arguments of copy_netr_SamInfo3() and make_server_info_info3()
585
586Both functions only read from the struct netr_SamInfo3 * argument.
587
588Signed-off-by: Jeremy Allison <jra@samba.org>
589Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
590Reviewed-by: Simo Sorce <idra@samba.org>
591
592Conflicts:
593 source3/auth/proto.h
594 source3/auth/server_info.c
595---
596 source3/auth/auth_util.c | 2 +-
597 source3/auth/proto.h | 4 ++--
598 source3/auth/server_info.c | 2 +-
599 3 files changed, 4 insertions(+), 4 deletions(-)
600
601diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
602index ceaa706..afa78ec 100644
603--- a/source3/auth/auth_util.c
604+++ b/source3/auth/auth_util.c
605@@ -1369,7 +1369,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
606 const char *sent_nt_username,
607 const char *domain,
608 struct auth_serversupplied_info **server_info,
609- struct netr_SamInfo3 *info3)
610+ const struct netr_SamInfo3 *info3)
611 {
612 static const char zeros[16] = {0, };
613
614diff --git a/source3/auth/proto.h b/source3/auth/proto.h
615index 76661fc..6ec206e 100644
616--- a/source3/auth/proto.h
617+++ b/source3/auth/proto.h
618@@ -232,7 +232,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
619 const char *sent_nt_username,
620 const char *domain,
621 struct auth_serversupplied_info **server_info,
622- struct netr_SamInfo3 *info3);
623+ const struct netr_SamInfo3 *info3);
624 struct wbcAuthUserInfo;
625 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
626 const char *sent_nt_username,
627@@ -287,7 +287,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
628 const struct passwd *pwd,
629 struct netr_SamInfo3 **pinfo3);
630 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
631- struct netr_SamInfo3 *orig);
632+ const struct netr_SamInfo3 *orig);
633 struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
634 const struct wbcAuthUserInfo *info);
635
636diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
637index d2b7d6e..066b9a8 100644
638--- a/source3/auth/server_info.c
639+++ b/source3/auth/server_info.c
640@@ -445,7 +445,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
641 } } while(0)
642
643 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
644- struct netr_SamInfo3 *orig)
645+ const struct netr_SamInfo3 *orig)
646 {
647 struct netr_SamInfo3 *info3;
648 unsigned int i;
649--
6501.9.3
651
652
653From cab0cda9df0bb0eda2d7957c0bb8dbcb51ba7ef7 Mon Sep 17 00:00:00 2001
654From: Jeremy Allison <jra@samba.org>
655Date: Mon, 16 Jun 2014 22:54:45 -0700
656Subject: [PATCH 2/5] s3: auth: Change make_server_info_info3() to take a const
657 struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
658
659make_server_info_info3() only reads from the info3 pointer.
660
661Signed-off-by: Jeremy Allison <jra@samba.org>
662Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
663Reviewed-by: Simo Sorce <idra@samba.org>
664---
665 source3/auth/auth_generic.c | 2 +-
666 source3/auth/proto.h | 2 +-
667 source3/auth/user_krb5.c | 8 ++++----
668 3 files changed, 6 insertions(+), 6 deletions(-)
669
670diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
671index a2ba4e3..2880bc9 100644
672--- a/source3/auth/auth_generic.c
673+++ b/source3/auth/auth_generic.c
674@@ -112,7 +112,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
675
676 status = make_session_info_krb5(mem_ctx,
677 ntuser, ntdomain, username, pw,
678- logon_info, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
679+ &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
680 session_info);
681 if (!NT_STATUS_IS_OK(status)) {
682 DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
683diff --git a/source3/auth/proto.h b/source3/auth/proto.h
684index 6ec206e..75d1097 100644
685--- a/source3/auth/proto.h
686+++ b/source3/auth/proto.h
687@@ -357,7 +357,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
688 char *ntdomain,
689 char *username,
690 struct passwd *pw,
691- struct PAC_LOGON_INFO *logon_info,
692+ const struct netr_SamInfo3 *info3,
693 bool mapped_to_guest, bool username_was_mapped,
694 DATA_BLOB *session_key,
695 struct auth_session_info **session_info);
696diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
697index 974a8aa..0a538b4 100644
698--- a/source3/auth/user_krb5.c
699+++ b/source3/auth/user_krb5.c
700@@ -186,7 +186,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
701 char *ntdomain,
702 char *username,
703 struct passwd *pw,
704- struct PAC_LOGON_INFO *logon_info,
705+ const struct netr_SamInfo3 *info3,
706 bool mapped_to_guest, bool username_was_mapped,
707 DATA_BLOB *session_key,
708 struct auth_session_info **session_info)
709@@ -202,14 +202,14 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
710 return status;
711 }
712
713- } else if (logon_info) {
714+ } else if (info3) {
715 /* pass the unmapped username here since map_username()
716 will be called again in make_server_info_info3() */
717
718 status = make_server_info_info3(mem_ctx,
719 ntuser, ntdomain,
720 &server_info,
721- &logon_info->info3);
722+ info3);
723 if (!NT_STATUS_IS_OK(status)) {
724 DEBUG(1, ("make_server_info_info3 failed: %s!\n",
725 nt_errstr(status)));
726@@ -299,7 +299,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
727 char *ntdomain,
728 char *username,
729 struct passwd *pw,
730- struct PAC_LOGON_INFO *logon_info,
731+ const struct netr_SamInfo3 *info3,
732 bool mapped_to_guest, bool username_was_mapped,
733 DATA_BLOB *session_key,
734 struct auth_session_info **session_info)
735--
7361.9.3
737
738
739From 102335441aaa7967367abcc5690fe7229807546a Mon Sep 17 00:00:00 2001
740From: Jeremy Allison <jra@samba.org>
741Date: Mon, 16 Jun 2014 23:11:58 -0700
742Subject: [PATCH 3/5] s3: auth: Add create_info3_from_pac_logon_info() to
743 create a new info3 and merge resource group SIDs into it.
744
745Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.
746
747Signed-off-by: Jeremy Allison <jra@samba.org>
748Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
749Reviewed-by: Simo Sorce <idra@samba.org>
750---
751 source3/auth/proto.h | 3 ++
752 source3/auth/server_info.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++
753 2 files changed, 80 insertions(+)
754
755diff --git a/source3/auth/proto.h b/source3/auth/proto.h
756index 75d1097..cc51698 100644
757--- a/source3/auth/proto.h
758+++ b/source3/auth/proto.h
759@@ -281,6 +281,9 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
760 struct netr_SamInfo3 *sam3);
761 NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
762 struct netr_SamInfo6 *sam6);
763+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
764+ const struct PAC_LOGON_INFO *logon_info,
765+ struct netr_SamInfo3 **pp_info3);
766 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
767 struct samu *samu,
768 const char *login_server,
769diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
770index 066b9a8..dc84794 100644
771--- a/source3/auth/server_info.c
772+++ b/source3/auth/server_info.c
773@@ -252,6 +252,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
774 return NT_STATUS_OK;
775 }
776
777+/*
778+ * Merge resource SIDs, if any, into the passed in info3 structure.
779+ */
780+
781+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
782+ struct netr_SamInfo3 *info3)
783+{
784+ uint32_t i = 0;
785+
786+ if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
787+ return NT_STATUS_OK;
788+ }
789+
790+ /*
791+ * If there are any resource groups (SID Compression) add
792+ * them to the extra sids portion of the info3 in the PAC.
793+ *
794+ * This makes the info3 look like it would if we got the info
795+ * from the DC rather than the PAC.
796+ */
797+
798+ /*
799+ * Construct a SID for each RID in the list and then append it
800+ * to the info3.
801+ */
802+ for (i = 0; i < logon_info->res_groups.count; i++) {
803+ NTSTATUS status;
804+ struct dom_sid new_sid;
805+ uint32_t attributes = logon_info->res_groups.rids[i].attributes;
806+
807+ sid_compose(&new_sid,
808+ logon_info->res_group_dom_sid,
809+ logon_info->res_groups.rids[i].rid);
810+
811+ DEBUG(10, ("Adding SID %s to extra SIDS\n",
812+ sid_string_dbg(&new_sid)));
813+
814+ status = append_netr_SidAttr(info3, &info3->sids,
815+ &info3->sidcount,
816+ &new_sid,
817+ attributes);
818+ if (!NT_STATUS_IS_OK(status)) {
819+ DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
820+ sid_string_dbg(&new_sid),
821+ nt_errstr(status)));
822+ return status;
823+ }
824+ }
825+
826+ return NT_STATUS_OK;
827+}
828+
829+/*
830+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
831+ * then merge resource SIDs, if any, into it. If successful return
832+ * the created info3 struct.
833+ */
834+
835+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
836+ const struct PAC_LOGON_INFO *logon_info,
837+ struct netr_SamInfo3 **pp_info3)
838+{
839+ NTSTATUS status;
840+ struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
841+ &logon_info->info3);
842+ if (info3 == NULL) {
843+ return NT_STATUS_NO_MEMORY;
844+ }
845+ status = merge_resource_sids(logon_info, info3);
846+ if (!NT_STATUS_IS_OK(status)) {
847+ TALLOC_FREE(info3);
848+ return status;
849+ }
850+ *pp_info3 = info3;
851+ return NT_STATUS_OK;
852+}
853+
854 #define RET_NOMEM(ptr) do { \
855 if (!ptr) { \
856 TALLOC_FREE(info3); \
857--
8581.9.3
859
860
861From fda9cefd3d4a0808af67595631dd755d5b73aacf Mon Sep 17 00:00:00 2001
862From: Jeremy Allison <jra@samba.org>
863Date: Mon, 16 Jun 2014 23:15:21 -0700
864Subject: [PATCH 4/5] s3: auth: Change auth3_generate_session_info_pac() to use
865 a copy of the info3 struct from the struct PAC_LOGON_INFO.
866
867Call create_info3_from_pac_logon_info() to add in any resource SIDs
868from the struct PAC_LOGON_INFO to the info3.
869
870Signed-off-by: Jeremy Allison <jra@samba.org>
871Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
872Reviewed-by: Simo Sorce <idra@samba.org>
873---
874 source3/auth/auth_generic.c | 11 +++++++++--
875 1 file changed, 9 insertions(+), 2 deletions(-)
876
877diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
878index 2880bc9..f841f0c 100644
879--- a/source3/auth/auth_generic.c
880+++ b/source3/auth/auth_generic.c
881@@ -44,6 +44,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
882 {
883 TALLOC_CTX *tmp_ctx;
884 struct PAC_LOGON_INFO *logon_info = NULL;
885+ struct netr_SamInfo3 *info3_copy = NULL;
886 bool is_mapped;
887 bool is_guest;
888 char *ntuser;
889@@ -101,7 +102,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
890
891 /* save the PAC data if we have it */
892 if (logon_info) {
893- netsamlogon_cache_store(ntuser, &logon_info->info3);
894+ status = create_info3_from_pac_logon_info(tmp_ctx,
895+ logon_info,
896+ &info3_copy);
897+ if (!NT_STATUS_IS_OK(status)) {
898+ goto done;
899+ }
900+ netsamlogon_cache_store(ntuser, info3_copy);
901 }
902
903 /* setup the string used by %U */
904@@ -112,7 +119,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
905
906 status = make_session_info_krb5(mem_ctx,
907 ntuser, ntdomain, username, pw,
908- &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
909+ info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
910 session_info);
911 if (!NT_STATUS_IS_OK(status)) {
912 DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
913--
9141.9.3
915
916
917From 9ed711f88685fc2d4860c9d6b7fa651bd2a52558 Mon Sep 17 00:00:00 2001
918From: Jeremy Allison <jra@samba.org>
919Date: Mon, 16 Jun 2014 23:27:35 -0700
920Subject: [PATCH 5/5] s3: auth: Fix winbindd_pam_auth_pac_send() to create a
921 new info3 and merge in resource groups from a trusted PAC.
922
923Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>.
924
925Signed-off-by: Jeremy Allison <jra@samba.org>
926Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
927Reviewed-by: Simo Sorce <idra@samba.org>
928
929Autobuild-User(master): Jeremy Allison <jra@samba.org>
930Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104
931---
932 source3/winbindd/winbindd_pam.c | 24 ++++++++++++++++++++++--
933 1 file changed, 22 insertions(+), 2 deletions(-)
934
935diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
936index c356686..0f1ca28 100644
937--- a/source3/winbindd/winbindd_pam.c
938+++ b/source3/winbindd/winbindd_pam.c
939@@ -2421,6 +2421,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
940 struct winbindd_request *req = state->request;
941 DATA_BLOB pac_blob;
942 struct PAC_LOGON_INFO *logon_info = NULL;
943+ struct netr_SamInfo3 *info3_copy = NULL;
944 NTSTATUS result;
945
946 pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
947@@ -2434,7 +2435,13 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
948
949 if (logon_info) {
950 /* Signature verification succeeded, trust the PAC */
951- netsamlogon_cache_store(NULL, &logon_info->info3);
952+ result = create_info3_from_pac_logon_info(state->mem_ctx,
953+ logon_info,
954+ &info3_copy);
955+ if (!NT_STATUS_IS_OK(result)) {
956+ return result;
957+ }
958+ netsamlogon_cache_store(NULL, info3_copy);
959
960 } else {
961 /* Try without signature verification */
962@@ -2446,9 +2453,22 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
963 nt_errstr(result)));
964 return result;
965 }
966+ if (logon_info) {
967+ /*
968+ * Don't strictly need to copy here,
969+ * but it makes it explicit we're
970+ * returning a copy talloc'ed off
971+ * the state->mem_ctx.
972+ */
973+ info3_copy = copy_netr_SamInfo3(state->mem_ctx,
974+ &logon_info->info3);
975+ if (info3_copy == NULL) {
976+ return NT_STATUS_NO_MEMORY;
977+ }
978+ }
979 }
980
981- *info3 = &logon_info->info3;
982+ *info3 = info3_copy;
983
984 return NT_STATUS_OK;
985 }
986--
9871.9.3
988
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
deleted file mode 100644
index 071069b9d..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/14-fix-dnsupdate.patch
+++ /dev/null
@@ -1,51 +0,0 @@
1From 3bf805a38a1b901a55b08118ec04097d9787497c Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3Date: Mon, 29 Sep 2014 17:16:15 +0200
4Subject: [PATCH] s3-net: Force libkrb5 locator to use the same KDC for join
5 and DNS update.
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Guenther
11
12Signed-off-by: Günther Deschner <gd@samba.org>
13---
14 source3/utils/net_ads.c | 21 +++++++++++++++++++++
15 1 file changed, 21 insertions(+)
16
17diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
18index e96377f..efbc3d2 100644
19--- a/source3/utils/net_ads.c
20+++ b/source3/utils/net_ads.c
21@@ -1566,6 +1566,27 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
22 * If the dns update fails, we still consider the join
23 * operation as succeeded if we came this far.
24 */
25+
26+ if (r->out.dns_domain_name != NULL) {
27+
28+ /* Avoid potential libkrb5 issues finding a good KDC when we
29+ * already found one during the join. When the locator plugin is
30+ * installed (but winbind is not yet running) make sure we can
31+ * force libkrb5 to reuse that KDC. - gd */
32+
33+ char *env;
34+
35+ env = talloc_asprintf_strupper_m(r,
36+ "WINBINDD_LOCATOR_KDC_ADDRESS_%s",
37+ r->out.dns_domain_name);
38+ if (env == NULL) {
39+ return -1;
40+ }
41+
42+ setenv(env, r->in.ads->auth.kdc_server, 0);
43+ setenv("_NO_WINBINDD", "1", 0);
44+ }
45+
46 _net_ads_join_dns_updates(c, ctx, r);
47
48 TALLOC_FREE(r);
49--
501.9.3
51
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
deleted file mode 100644
index 9721afa17..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/15-fix-netbios-name-truncation.patch
+++ /dev/null
@@ -1,154 +0,0 @@
1From 170166b8a0076089c6a8505f53a22f5b72c15786 Mon Sep 17 00:00:00 2001
2From: Jeremy Allison <jra@samba.org>
3Date: Tue, 28 Oct 2014 11:55:30 -0700
4Subject: [PATCH] s3-nmbd: Fix netbios name truncation.
5
6Try and cope with truncation more intelligently.
7
8BUG: https://bugzilla.samba.org/show_bug.cgi?id=10896
9
10Signed-off-by: Jeremy Allison <jra@samba.org>
11Reviewed-by: Andreas Schneider <asn@samba.org>
12(cherry picked from commit 6adcc7bffd5e1474ecba04d2328955c0b208cabc)
13Signed-off-by: Andreas Schneider <asn@samba.org>
14---
15 source3/nmbd/nmbd_nameregister.c | 76 +++++++++++++++++++++++++++++++++++-----
16 1 file changed, 68 insertions(+), 8 deletions(-)
17
18diff --git a/source3/nmbd/nmbd_nameregister.c b/source3/nmbd/nmbd_nameregister.c
19index 71c4751..8b078e6 100644
20--- a/source3/nmbd/nmbd_nameregister.c
21+++ b/source3/nmbd/nmbd_nameregister.c
22@@ -482,17 +482,77 @@ void register_name(struct subnet_record *subrec,
23 {
24 struct nmb_name nmbname;
25 nstring nname;
26+ size_t converted_size;
27
28 errno = 0;
29- push_ascii_nstring(nname, name);
30- if (errno == E2BIG) {
31- unstring tname;
32- pull_ascii_nstring(tname, sizeof(tname), nname);
33- DEBUG(0,("register_name: NetBIOS name %s is too long. Truncating to %s\n",
34- name, tname));
35- make_nmb_name(&nmbname, tname, type);
36- } else {
37+ converted_size = push_ascii_nstring(nname, name);
38+ if (converted_size != (size_t)-1) {
39+ /* Success. */
40 make_nmb_name(&nmbname, name, type);
41+ } else if (errno == E2BIG) {
42+ /*
43+ * Name converted to CH_DOS is too large.
44+ * try to truncate.
45+ */
46+ char *converted_str_dos = NULL;
47+ char *converted_str_unix = NULL;
48+ bool ok;
49+
50+ converted_size = 0;
51+
52+ ok = convert_string_talloc(talloc_tos(),
53+ CH_UNIX,
54+ CH_DOS,
55+ name,
56+ strlen(name)+1,
57+ &converted_str_dos,
58+ &converted_size);
59+ if (!ok) {
60+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
61+ "converted. Failing to register name.\n",
62+ name));
63+ return;
64+ }
65+
66+ /*
67+ * As it's now CH_DOS codepage
68+ * we truncate by writing '\0' at
69+ * MAX_NETBIOSNAME_LEN-1 and then
70+ * convert back to CH_UNIX which we
71+ * need for the make_nmb_name() call.
72+ */
73+ if (converted_size >= MAX_NETBIOSNAME_LEN) {
74+ converted_str_dos[MAX_NETBIOSNAME_LEN-1] = '\0';
75+ }
76+
77+ ok = convert_string_talloc(talloc_tos(),
78+ CH_DOS,
79+ CH_UNIX,
80+ converted_str_dos,
81+ strlen(converted_str_dos)+1,
82+ &converted_str_unix,
83+ &converted_size);
84+ if (!ok) {
85+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
86+ "converted back to CH_UNIX. "
87+ "Failing to register name.\n",
88+ converted_str_dos));
89+ TALLOC_FREE(converted_str_dos);
90+ return;
91+ }
92+
93+ make_nmb_name(&nmbname, converted_str_unix, type);
94+
95+ TALLOC_FREE(converted_str_dos);
96+ TALLOC_FREE(converted_str_unix);
97+ } else {
98+ /*
99+ * Generic conversion error. Fail to register.
100+ */
101+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
102+ "converted (%s). Failing to register name.\n",
103+ name, strerror(errno)));
104+ return;
105 }
106
107 /* Always set the NB_ACTIVE flag on the name we are
108--
1092.1.2
110
111From 653a1c312e6b85f1d8113beec52a27e0ba71ef79 Mon Sep 17 00:00:00 2001
112From: Jeremy Allison <jra@samba.org>
113Date: Fri, 31 Oct 2014 11:01:26 -0700
114Subject: [PATCH] s3: nmbd: Ensure NetBIOS names are only 15 characters stored.
115
116This screws up if the name is greater than MAX_NETBIOSNAME_LEN-1 in the
117unix charset, but less than or equal to MAX_NETBIOSNAME_LEN-1 in the DOS
118charset, but this is so old we have to live with that.
119
120BUG: https://bugzilla.samba.org/show_bug.cgi?id=10920
121
122Signed-off-by: Jeremy Allison <jra@samba.org>
123Reviewed-by: Andreas Schneider <asn@samba.org>
124
125(cherry picked from commit 7467f6e72cba214eeca75c34e9d9fba354c7ef31)
126Signed-off-by: Andreas Schneider <asn@samba.org>
127---
128 source3/lib/util_names.c | 10 +++++++++-
129 1 file changed, 9 insertions(+), 1 deletion(-)
130
131diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c
132index cf54a0e..1392b48 100644
133--- a/source3/lib/util_names.c
134+++ b/source3/lib/util_names.c
135@@ -60,7 +60,15 @@ static bool set_my_netbios_names(const char *name, int i)
136 {
137 SAFE_FREE(smb_my_netbios_names[i]);
138
139- smb_my_netbios_names[i] = SMB_STRDUP(name);
140+ /*
141+ * Don't include space for terminating '\0' in strndup,
142+ * it is automatically added. This screws up if the name
143+ * is greater than MAX_NETBIOSNAME_LEN-1 in the unix
144+ * charset, but less than or equal to MAX_NETBIOSNAME_LEN-1
145+ * in the DOS charset, but this is so old we have to live
146+ * with that.
147+ */
148+ smb_my_netbios_names[i] = SMB_STRNDUP(name, MAX_NETBIOSNAME_LEN-1);
149 if (!smb_my_netbios_names[i])
150 return False;
151 return strupper_m(smb_my_netbios_names[i]);
152--
1532.1.2
154
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
deleted file mode 100644
index 447e243b1..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/16-do-not-check-xsltproc-manpages.patch
+++ /dev/null
@@ -1,52 +0,0 @@
1Don't check xsltproc manpages
2
3Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
4
5diff -Nurp samba-4.1.12.orig/lib/ldb/wscript samba-4.1.12/lib/ldb/wscript
6--- samba-4.1.12.orig/lib/ldb/wscript 2014-07-28 16:13:45.000000000 +0900
7+++ samba-4.1.12/lib/ldb/wscript 2015-04-23 17:08:45.277000225 +0900
8@@ -56,7 +56,7 @@ def configure(conf):
9 conf.define('USING_SYSTEM_PYLDB_UTIL', 1)
10
11 if conf.env.standalone_ldb:
12- conf.CHECK_XSLTPROC_MANPAGES()
13+ #conf.CHECK_XSLTPROC_MANPAGES()
14
15 # we need this for the ldap backend
16 if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'):
17diff -Nurp samba-4.1.12.orig/lib/ntdb/wscript samba-4.1.12/lib/ntdb/wscript
18--- samba-4.1.12.orig/lib/ntdb/wscript 2013-12-05 18:16:48.000000000 +0900
19+++ samba-4.1.12/lib/ntdb/wscript 2015-04-23 17:09:17.680000274 +0900
20@@ -121,7 +121,7 @@ def configure(conf):
21 Logs.warn('Disabling pyntdb as python devel libs not found')
22 conf.env.disable_python = True
23
24- conf.CHECK_XSLTPROC_MANPAGES()
25+ #conf.CHECK_XSLTPROC_MANPAGES()
26
27 # This make #include <ccan/...> work.
28 conf.ADD_EXTRA_INCLUDES('''#lib''')
29diff -Nurp samba-4.1.12.orig/lib/talloc/wscript samba-4.1.12/lib/talloc/wscript
30--- samba-4.1.12.orig/lib/talloc/wscript 2013-12-05 18:16:48.000000000 +0900
31+++ samba-4.1.12/lib/talloc/wscript 2015-04-23 17:08:21.781000339 +0900
32@@ -55,7 +55,7 @@ def configure(conf):
33 if conf.env.standalone_talloc:
34 conf.env.TALLOC_COMPAT1 = Options.options.TALLOC_COMPAT1
35
36- conf.CHECK_XSLTPROC_MANPAGES()
37+ #conf.CHECK_XSLTPROC_MANPAGES()
38
39 if not conf.env.disable_python:
40 # also disable if we don't have the python libs installed
41diff -Nurp samba-4.1.12.orig/lib/tdb/wscript samba-4.1.12/lib/tdb/wscript
42--- samba-4.1.12.orig/lib/tdb/wscript 2013-12-05 18:16:48.000000000 +0900
43+++ samba-4.1.12/lib/tdb/wscript 2015-04-23 17:09:02.538000343 +0900
44@@ -43,7 +43,7 @@ def configure(conf):
45
46 conf.env.disable_python = getattr(Options.options, 'disable_python', False)
47
48- conf.CHECK_XSLTPROC_MANPAGES()
49+ #conf.CHECK_XSLTPROC_MANPAGES()
50
51 if not conf.env.disable_python:
52 # also disable if we don't have the python libs installed
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
deleted file mode 100644
index 1a31e0d0e..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/17-execute-prog-by-qemu.patch
+++ /dev/null
@@ -1,22 +0,0 @@
1samba: execute prog on target directly is impossible.
2
3Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
4
5diff -Nurp samba-4.1.12.orig/lib/ccan/wscript samba-4.1.12/lib/ccan/wscript
6--- samba-4.1.12.orig/lib/ccan/wscript 2013-06-13 18:21:02.000000000 +0900
7+++ samba-4.1.12/lib/ccan/wscript 2015-04-27 14:26:25.123000238 +0900
8@@ -127,10 +127,10 @@ def configure(conf):
9 # Only check for FILE_OFFSET_BITS=64 if off_t is normally small:
10 # use raw routines because wrappers include previous _GNU_SOURCE
11 # or _FILE_OFFSET_BITS defines.
12- conf.check(fragment="""#include <sys/types.h>
13- int main(void) { return !(sizeof(off_t) < 8); }""",
14- execute=True, msg='Checking for small off_t',
15- define_name='SMALL_OFF_T')
16+ conf.CHECK_CODE("""#include <sys/types.h>
17+ int main(void) { return !(sizeof(off_t) < 8); }""",
18+ link=True, execute=True, addmain=False, msg='Checking for small off_t',
19+ define='HAVE_SMALL_OFF_T')
20 # Unreliable return value above, hence use define.
21 if conf.CONFIG_SET('SMALL_OFF_T'):
22 conf.check(fragment="""#include <sys/types.h>
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
deleted file mode 100644
index 83c42eb65..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/18-avoid-get-config-by-native-ncurses.patch
+++ /dev/null
@@ -1,22 +0,0 @@
1waf trys to get package's configuration by native ncurses6-config.
2it will make native header files and library be used.
3
4Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
5
6--- samba-4.1.12.orig/source3/wscript_configure_system_ncurses 2013-12-05 18:16:48.000000000 +0900
7+++ samba-4.1.12/source3/wscript_configure_system_ncurses 2015-04-29 16:12:22.619000250 +0900
8@@ -2,14 +2,6 @@ import Logs, Options, sys
9
10 Logs.info("Looking for ncurses features")
11
12-conf.find_program('ncurses5-config', var='NCURSES_CONFIG')
13-if not conf.env.NCURSES_CONFIG:
14- conf.find_program('ncurses6-config', var='NCURSES_CONFIG')
15-
16-if conf.env.NCURSES_CONFIG:
17- conf.check_cfg(path=conf.env.NCURSES_CONFIG, args="--cflags --libs",
18- package="", uselib_store="NCURSES")
19-
20 conf.CHECK_HEADERS('ncurses.h menu.h panel.h form.h', lib='ncurses')
21
22 conf.CHECK_FUNCS_IN('initscr', 'ncurses')
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
deleted file mode 100644
index 8c4e2ad53..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/19-systemd-daemon-is-contained-by-libsystemd.patch
+++ /dev/null
@@ -1,42 +0,0 @@
1systemd-daemon is contained by libsystemd, so we just need link libsystemd to
2obtain the implementation of systemd-daemon's function.
3
4Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
5
6diff -Nurp samba-4.1.12.orig/lib/util/wscript_build samba-4.1.12/lib/util/wscript_build
7--- samba-4.1.12.orig/lib/util/wscript_build 2014-09-08 18:26:14.000000000 +0900
8+++ samba-4.1.12/lib/util/wscript_build 2015-04-29 16:16:58.303000207 +0900
9@@ -10,7 +10,7 @@ bld.SAMBA_LIBRARY('samba-util',
10 server_id.c dprintf.c parmlist.c bitmap.c pidfile.c
11 tevent_debug.c util_process.c memcache.c''',
12 deps='DYNCONFIG',
13- public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid systemd-daemon',
14+ public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid systemd',
15 public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h dlinklist.h samba_util.h string_wrappers.h',
16 header_path= [ ('dlinklist.h samba_util.h', '.'), ('*', 'util') ],
17 local_include=False,
18diff -Nurp samba-4.1.12.orig/wscript samba-4.1.12/wscript
19--- samba-4.1.12.orig/wscript 2014-07-28 16:13:45.000000000 +0900
20+++ samba-4.1.12/wscript 2015-04-29 16:17:52.338000264 +0900
21@@ -183,16 +183,16 @@ def configure(conf):
22 conf.env['ENABLE_PIE'] = True
23
24 if Options.options.enable_systemd != False:
25- conf.check_cfg(package='libsystemd-daemon', args='--cflags --libs',
26- msg='Checking for libsystemd-daemon', uselib_store="SYSTEMD-DAEMON")
27- conf.CHECK_HEADERS('systemd/sd-daemon.h', lib='systemd-daemon')
28- conf.CHECK_LIB('systemd-daemon', shlib=True)
29+ conf.check_cfg(package='libsystemd', args='--cflags --libs',
30+ msg='Checking for libsystemd', uselib_store="SYSTEMD-DAEMON")
31+ conf.CHECK_HEADERS('systemd/sd-daemon.h', lib='systemd')
32+ conf.CHECK_LIB('systemd', shlib=True)
33
34 if conf.CONFIG_SET('HAVE_SYSTEMD_SD_DAEMON_H'):
35 conf.DEFINE('HAVE_SYSTEMD', '1')
36 conf.env['ENABLE_SYSTEMD'] = True
37 else:
38- conf.SET_TARGET_TYPE('systemd-daemon', 'EMPTY')
39+ conf.SET_TARGET_TYPE('systemd', 'EMPTY')
40 conf.undefine('HAVE_SYSTEMD')
41
42 conf.SAMBA_CONFIG_H('include/config.h')
diff --git a/meta-oe/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch b/meta-oe/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch
deleted file mode 100755
index 5c20d315e..000000000
--- a/meta-oe/recipes-connectivity/samba/samba-4.1.12/20-do-not-import-target-module-while-cross-compile.patch
+++ /dev/null
@@ -1,57 +0,0 @@
1Some modules such as dynamic library maybe cann't be imported while cross compile,
2we just check whether does the module exist.
3
4Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
5
6--- samba-4.1.12.orig/buildtools/wafsamba/samba_bundled.py 2013-06-13 17:21:02.000000000 +0800
7+++ samba-4.1.12/buildtools/wafsamba/samba_bundled.py 2015-07-16 16:57:06.649092158 +0800
8@@ -1,7 +1,7 @@
9 # functions to support bundled libraries
10
11 from Configure import conf
12-import sys, Logs
13+import sys, Logs, imp
14 from samba_utils import *
15
16 def PRIVATE_NAME(bld, name, private_extension, private_library):
17@@ -228,17 +228,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
18 # versions
19 minversion = minimum_library_version(conf, libname, minversion)
20
21- try:
22- m = __import__(modulename)
23- except ImportError:
24- found = False
25- else:
26+ # Find module in PYTHONPATH
27+ stuff = imp.find_module(modulename, [os.environ["PYTHONPATH"]])
28+ if stuff:
29 try:
30- version = m.__version__
31- except AttributeError:
32+ m = imp.load_module(modulename, stuff[0], stuff[1], stuff[2])
33+ except ImportError:
34 found = False
35+
36+ if conf.env.CROSS_COMPILE:
37+ # Some modules such as dynamic library maybe cann't be imported
38+ # while cross compile, we just check whether the module exist
39+ Logs.warn('Cross module[%s] has been found, but can not be loaded.' % (stuff[1]))
40+ found = True
41 else:
42- found = tuplize_version(version) >= tuplize_version(minversion)
43+ try:
44+ version = m.__version__
45+ except AttributeError:
46+ found = False
47+ else:
48+ found = tuplize_version(version) >= tuplize_version(minversion)
49+ finally:
50+ if stuff[0]:
51+ stuff[0].close()
52+ else:
53+ found = False
54+
55 if not found and not conf.LIB_MAY_BE_BUNDLED(libname):
56 Logs.error('ERROR: Python module %s of version %s not found, and bundling disabled' % (libname, minversion))
57 sys.exit(1)
diff --git a/meta-oe/recipes-connectivity/samba/samba_4.1.12.bb b/meta-oe/recipes-connectivity/samba/samba_4.1.12.bb
deleted file mode 100644
index 04df8a3ce..000000000
--- a/meta-oe/recipes-connectivity/samba/samba_4.1.12.bb
+++ /dev/null
@@ -1,182 +0,0 @@
1SECTION = "console/network"
2
3LICENSE = "GPL-3.0+ & LGPL-3.0+ & GPL-2.0+"
4LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
5 file://${COREBASE}/meta/files/common-licenses/LGPL-3.0;md5=bfccfe952269fff2b407dd11f2f3083b \
6 file://${COREBASE}/meta/files/common-licenses/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6 "
7
8SAMBA_MIRROR = "http://samba.org/samba/ftp"
9MIRRORS += "\
10${SAMBA_MIRROR} http://mirror.internode.on.net/pub/samba \n \
11${SAMBA_MIRROR} http://www.mirrorservice.org/sites/ftp.samba.org \n \
12"
13
14SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
15 file://00-fix-typos-in-man-pages.patch \
16 file://01-fix-force-user-sec-ads.patch \
17 file://02-fix-ipv6-join.patch \
18 file://03-net-ads-kerberos-pac.patch \
19 file://04-ipv6-workaround.patch \
20 file://05-fix-gecos-field-with-samlogon.patch \
21 file://06-fix-nmbd-systemd-status-update.patch \
22 file://07-fix-idmap-ad-getgroups-without-gid.patch \
23 file://08-fix-idmap-ad-sfu-with-trusted-domains.patch \
24 file://09-fix-smbclient-echo-cmd-segfault.patch \
25 file://10-improve-service-principal-guessing-in-net.patch \
26 file://11-fix-overwriting-of-spns-during-net-ads-join.patch \
27 file://12-add-precreated-spns-from-AD-during-keytab-generation.patch \
28 file://13-fix-aes-enctype.patch \
29 file://14-fix-dnsupdate.patch \
30 file://15-fix-netbios-name-truncation.patch \
31 file://16-do-not-check-xsltproc-manpages.patch \
32 file://17-execute-prog-by-qemu.patch \
33 file://18-avoid-get-config-by-native-ncurses.patch \
34 file://19-systemd-daemon-is-contained-by-libsystemd.patch \
35 file://20-do-not-import-target-module-while-cross-compile.patch \
36 "
37
38SRC_URI[md5sum] = "232016d7581a1ba11e991ec2674553c4"
39SRC_URI[sha256sum] = "033604674936bf5c77d7df299b0626052b84a41505a6a6afe902f6274fc29898"
40
41inherit systemd waf-samba cpan-base perlnative
42
43DEPENDS += "readline virtual/libiconv zlib popt talloc libtdb libtevent libldb krb5 ctdb"
44
45SYSVINITTYPE_linuxstdbase = "lsb"
46SYSVINITTYPE = "sysv"
47
48PACKAGECONFIG ??= "${@base_contains('DISTRO_FEATURES', 'pam', 'pam', '', d)} \
49 ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '${SYSVINITTYPE}', '', d)} \
50 ${@base_contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
51 ${@base_contains('DISTRO_FEATURES', 'zeroconf', 'zeroconf', '', d)} \
52 acl aio cups ldap \
53"
54
55RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'lsb', 'lsb', '', d)}"
56
57PACKAGECONFIG[acl] = "--with-acl-support,---without-acl-support,acl"
58PACKAGECONFIG[aio] = "--with-aio-support,---without-aio-support,libaio"
59PACKAGECONFIG[fam] = "--with-fam,--without-fam,gamin"
60PACKAGECONFIG[pam] = "--with-pam,--without-pam,libpam"
61PACKAGECONFIG[lsb] = ",,lsb"
62PACKAGECONFIG[cups] = "--enable-cups,--disable-cups,cups"
63PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap"
64PACKAGECONFIG[systemd] = "--with-systemd,--without-systemd,systemd"
65PACKAGECONFIG[zeroconf] = "--enable-avahi,--disable-avahi,avahi"
66
67SAMBA4_IDMAP_MODULES="idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2"
68SAMBA4_PDB_MODULES="pdb_tdbsam,${@bb.utils.contains('PACKAGECONFIG', 'ldap', 'pdb_ldap,', '', d)}pdb_ads,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4"
69SAMBA4_AUTH_MODULES="auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4"
70SAMBA4_MODULES="${SAMBA4_IDMAP_MODULES},${SAMBA4_PDB_MODULES},${SAMBA4_AUTH_MODULES}"
71
72SAMBA4_LIBS="heimdal,!zlib,!popt,!talloc,!pytalloc,!pytalloc-util,!tevent,!pytevent,!tdb,!pytdb,!ldb,!pyldb"
73
74PERL_VERNDORLIB="${libdir}/perl5/vendor_perl/${PERLVERSION}"
75
76EXTRA_OECONF += "--enable-fhs \
77 --with-piddir=${localstatedir}/run \
78 --with-sockets-dir=${localstatedir}/run/samba \
79 --with-modulesdir=${libdir}/samba \
80 --with-pammodulesdir=${base_libdir}/security \
81 --with-lockdir=${localstatedir}/lib/samba \
82 --with-cachedir=${localstatedir}/lib/samba \
83 --with-perl-lib-install-dir=${PERL_VERNDORLIB} \
84 --disable-gnutls \
85 --disable-rpath-install \
86 --with-shared-modules=${SAMBA4_MODULES} \
87 --bundled-libraries=${SAMBA4_LIBS} \
88 --with-system-mitkrb5 \
89 --without-ad-dc \
90 ${@base_conditional('TARGET_ARCH', 'x86_64', '', '--disable-glusterfs', d)} \
91 --with-cluster-support \
92 --enable-old-ctdb \
93 --with-profiling-data \
94 --with-libiconv=${STAGING_DIR_HOST}${prefix} \
95 "
96
97LDFLAGS += "-Wl,-z,relro,-z,now"
98
99do_install_append() {
100 rmdir --ignore-fail-on-non-empty "${D}/${localstatedir}/run"
101
102 if ${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'true', 'false', d)}; then
103 install -d ${D}${systemd_unitdir}/system
104 for i in nmb smb winbind; do
105 install -m 0644 packaging/systemd/$i.service ${D}${systemd_unitdir}/system
106 done
107 sed -e 's,@BASE_BINDIR@,${base_bindir},g' \
108 -e 's,@SBINDIR@,${sbindir},g' \
109 -i ${D}${systemd_unitdir}/system/*.service
110
111 install -d ${D}${sysconfdir}/tmpfiles.d
112 echo "d ${localstatedir}/log/samba 0755 root root -" \
113 > ${D}${sysconfdir}/tmpfiles.d/99-${BPN}.conf
114 elif ${@bb.utils.contains('PACKAGECONFIG', 'lsb', 'true', 'false', d)}; then
115 install -d ${D}${sysconfdir}/init.d
116 install -m 0755 packaging/LSB/samba.sh ${D}${sysconfdir}/init.d
117 update-rc.d -r ${D} samba.sh start 20 3 5 .
118 update-rc.d -r ${D} samba.sh start 20 0 1 6 .
119 elif ${@bb.utils.contains('PACKAGECONFIG', 'lsb', 'true', 'false', d)}; then
120 install -d ${D}${sysconfdir}/init.d
121 install -m 0755 packaging/sysv/samba.init ${D}${sysconfdir}/init.d/samba.sh
122 update-rc.d -r ${D} samba.sh start 20 3 5 .
123 update-rc.d -r ${D} samba.sh start 20 0 1 6 .
124 fi
125
126 install -d ${D}${sysconfdir}/samba
127 echo "127.0.0.1 localhost" > ${D}${sysconfdir}/samba/lmhosts
128 install -m644 packaging/LSB/smb.conf ${D}${sysconfdir}/samba/smb.conf
129
130 install -d ${D}${libdir}/tmpfiles.d
131 install -m644 packaging/systemd/samba.conf.tmp ${D}${libdir}/tmpfiles.d/samba.conf
132
133 install -d ${D}${sysconfdir}/sysconfig/
134 install -m644 packaging/systemd/samba.sysconfig ${D}${sysconfdir}/sysconfig/samba
135}
136
137PACKAGES += "${PN}-python ${PN}-python-dbg ${PN}-pidl libwinbind libwinbind-dbg libwinbind-krb5-locator"
138
139FILES_${PN} += "/run \
140 ${base_libdir}/security/pam_smbpass.so \
141 ${libdir}/tmpfiles.d/* \
142 "
143
144SMB_SERVICE="${systemd_unitdir}/system/nmb.service ${systemd_unitdir}/system/smb.service"
145SMB_SYSV="${sysconfdir}/init.d ${sysconfdir}/rc?.d"
146FILES_${PN} +="${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${SMB_SERVICE}', '', d)}"
147FILES_${PN} +="${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '${SMB_SYSV}', '', d)}"
148
149FILES_${PN}-dbg += "${libdir}/samba/idmap/.debug/* \
150 ${libdir}/samba/pdb/.debug/* \
151 ${libdir}/samba/auth/.debug/* \
152 ${libdir}/samba/nss_info/.debug/* \
153 ${libdir}/samba/ldb/.debug/* \
154 ${libdir}/samba/vfs/.debug/* \
155 ${base_libdir}/security/.debug/pam_smbpass.so \
156 "
157
158FILES_libwinbind = "${base_libdir}/security/pam_winbind.so"
159FILES_libwinbind += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_unitdir}/system/winbind.service', '', d)}"
160FILES_libwinbind-dbg = "${base_libdir}/security/.debug/pam_winbind.so"
161FILES_libwinbind-krb5-locator = "${libdir}/winbind_krb5_locator.so"
162
163FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.so \
164 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/*.py \
165 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/*.so \
166 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/dcerpc/*.so \
167 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/dcerpc/*.py \
168 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/external/* \
169 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/netcmd/*.py \
170 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/provision/*.py \
171 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/samba3/*.py \
172 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/samba3/*.so \
173 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/tests/* \
174 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/web_server/* \
175 "
176FILES_${PN}-python-dbg = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug/* \
177 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/.debug/* \
178 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/samba3/.debug/* \
179 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/dcerpc/.debug/* \
180 "
181
182FILES_${PN}-pidl = "${bindir}/pidl ${PERL_VERNDORLIB}/*"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-15 05:29:54 +0000