Changeset 124 for branches/samba-3.0/source/nsswitch/winbindd_cm.c
- Timestamp:
- Mar 12, 2008, 9:08:18 AM (17 years ago)
- File:
-
- 1 edited
branches/samba-3.0/source/nsswitch/winbindd_cm.c
r71 r124 586 586 } 587 587 588 /** 589 * Helper function to assemble trust password and account name 590 */ 591 static NTSTATUS get_trust_creds(const struct winbindd_domain *domain, 592 char **machine_password, 593 char **machine_account, 594 char **machine_krb5_principal) 595 { 596 const char *account_name; 597 598 if (!get_trust_pw_clear(domain->name, machine_password, 599 &account_name, NULL)) 600 { 601 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; 602 } 603 604 if ((machine_account != NULL) && 605 (asprintf(machine_account, "%s$", account_name) == -1)) 606 { 607 return NT_STATUS_NO_MEMORY; 608 } 609 610 /* this is at least correct when domain is our domain, 611 * which is the only case, when this is currently used: */ 612 if (machine_krb5_principal != NULL) 613 { 614 if (asprintf(machine_krb5_principal, "%s$@%s", 615 account_name, domain->alt_name) == -1) 616 { 617 return NT_STATUS_NO_MEMORY; 618 } 619 620 strupper_m(*machine_krb5_principal); 621 } 622 623 return NT_STATUS_OK; 624 } 625 588 626 /************************************************************************ 589 627 Given a fd with a just-connected TCP connection to a DC, open a connection … … 597 635 BOOL *retry) 598 636 { 599 char *machine_password, *machine_krb5_principal, *machine_account; 600 char *ipc_username, *ipc_domain, *ipc_password; 637 char *machine_password = NULL; 638 char *machine_krb5_principal = NULL; 639 char *machine_account = NULL; 640 char *ipc_username = NULL; 641 char *ipc_domain = NULL; 642 char *ipc_password = NULL; 601 643 602 644 BOOL got_mutex; … … 611 653 DEBUG(10,("cm_prepare_connection: connecting to DC %s for domain %s\n", 612 654 controller, domain->name )); 613 614 machine_password = secrets_fetch_machine_password(lp_workgroup(), NULL,615 NULL);616 617 if (asprintf(&machine_account, "%s$", global_myname()) == -1) {618 SAFE_FREE(machine_password);619 return NT_STATUS_NO_MEMORY;620 }621 622 if (asprintf(&machine_krb5_principal, "%s$@%s", global_myname(),623 lp_realm()) == 
-1) {624 SAFE_FREE(machine_account);625 SAFE_FREE(machine_password);626 return NT_STATUS_NO_MEMORY;627 }628 629 cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password);630 655 631 656 *retry = True; … … 685 710 goto done; 686 711 } 687 688 if ((*cli)->protocol >= PROTOCOL_NT1 && (*cli)->capabilities & CAP_EXTENDED_SECURITY) { 712 713 if (!is_trusted_domain_situation(domain->name) && 714 (*cli)->protocol >= PROTOCOL_NT1 && 715 (*cli)->capabilities & CAP_EXTENDED_SECURITY) 716 { 689 717 ADS_STATUS ads_status; 718 719 result = get_trust_creds(domain, &machine_password, 720 &machine_account, 721 &machine_krb5_principal); 722 if (!NT_STATUS_IS_OK(result)) { 723 goto done; 724 } 690 725 691 726 if (lp_security() == SEC_ADS) { … … 701 736 machine_krb5_principal, 702 737 machine_password, 703 lp_workgroup());738 domain->name); 704 739 705 740 if (!ADS_ERR_OK(ads_status)) { … … 711 746 if (NT_STATUS_IS_OK(result)) { 712 747 /* Ensure creds are stored for NTLMSSP authenticated pipe access. */ 713 cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);748 cli_init_creds(*cli, machine_account, domain->name, machine_password); 714 749 goto session_setup_done; 715 750 } … … 721 756 DEBUG(5, ("connecting to %s from %s with username " 722 757 "[%s]\\[%s]\n", controller, global_myname(), 723 lp_workgroup(), machine_account));758 domain->name, machine_account)); 724 759 725 760 ads_status = cli_session_setup_spnego(*cli, 726 761 machine_account, 727 762 machine_password, 728 lp_workgroup());763 domain->name); 729 764 if (!ADS_ERR_OK(ads_status)) { 730 765 DEBUG(4, ("authenticated session setup failed with %s\n", … … 735 770 if (NT_STATUS_IS_OK(result)) { 736 771 /* Ensure creds are stored for NTLMSSP authenticated pipe access. 
*/ 737 cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);772 cli_init_creds(*cli, machine_account, domain->name, machine_password); 738 773 goto session_setup_done; 739 774 } 740 775 } 741 776 742 /* Fall back to non-kerberos session setup */777 /* Fall back to non-kerberos session setup with auth_user */ 743 778 744 779 (*cli)->use_kerberos = False; 780 781 cm_get_ipc_userpass(&ipc_username, &ipc_domain, &ipc_password); 745 782 746 783 if ((((*cli)->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) != 0) && … … 908 945 p += 2; 909 946 910 p += dos_PutUniCode(p, global_myname(), sizeof(pstring), True); 947 p += dos_PutUniCode(p, global_myname(), 948 sizeof(outbuf) - PTR_DIFF(p, outbuf), True); 911 949 fstr_sprintf(my_acct_name, "%s$", global_myname()); 912 p += dos_PutUniCode(p, my_acct_name, sizeof(pstring), True); 950 p += dos_PutUniCode(p, my_acct_name, 951 sizeof(outbuf) - PTR_DIFF(p, outbuf), True); 952 953 if (strlen(my_mailslot)+1 > sizeof(outbuf) - PTR_DIFF(p, outbuf)) { 954 return False; 955 } 913 956 914 957 memcpy(p, my_mailslot, strlen(my_mailslot)+1); 915 958 p += strlen(my_mailslot)+1; 916 959 960 if (sizeof(outbuf) - PTR_DIFF(p, outbuf) < 8) { 961 return False; 962 } 917 963 SIVAL(p, 0, 0x80); 918 964 p+=4; … … 923 969 p = ALIGN4(p, outbuf); 924 970 925 sid_linearize(p, sid_size(sid), sid); 971 if (PTR_DIFF(p, outbuf) > sizeof(outbuf)) { 972 return False; 973 } 974 975 if (sid_size(sid) + 8 > sizeof(outbuf) - PTR_DIFF(p, outbuf)) { 976 return False; 977 } 978 979 sid_linearize(p, sizeof(outbuf) - PTR_DIFF(p, outbuf), sid); 926 980 p += sid_size(sid); 927 981 … … 1690 1744 fstring conn_pwd; 1691 1745 struct dcinfo *p_dcinfo; 1746 char *machine_password = NULL; 1747 char *machine_account = NULL; 1748 char *domain_name = NULL; 1692 1749 1693 1750 result = init_dc_connection(domain); … … 1712 1769 if ((conn->cli->user_name[0] == '\0') || 1713 1770 (conn->cli->domain[0] == '\0') || 1714 (conn_pwd[0] == '\0')) { 1715 DEBUG(10, 
("cm_connect_sam: No no user available for " 1716 "domain %s, trying schannel\n", conn->cli->domain)); 1717 goto schannel; 1771 (conn_pwd[0] == '\0')) 1772 { 1773 result = get_trust_creds(domain, &machine_password, 1774 &machine_account, NULL); 1775 if (!NT_STATUS_IS_OK(result)) { 1776 DEBUG(10, ("cm_connect_sam: No no user available for " 1777 "domain %s, trying schannel\n", conn->cli->domain)); 1778 goto schannel; 1779 } 1780 domain_name = domain->name; 1781 } else { 1782 machine_password = SMB_STRDUP(conn_pwd); 1783 machine_account = SMB_STRDUP(conn->cli->user_name); 1784 domain_name = conn->cli->domain; 1785 } 1786 1787 if (!machine_password || !machine_account) { 1788 result = NT_STATUS_NO_MEMORY; 1789 goto done; 1718 1790 } 1719 1791 … … 1723 1795 cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, PI_SAMR, 1724 1796 PIPE_AUTH_LEVEL_PRIVACY, 1725 conn->cli->domain,1726 conn->cli->user_name,1727 conn_pwd, &result);1797 domain_name, 1798 machine_account, 1799 machine_password, &result); 1728 1800 1729 1801 if (conn->samr_pipe == NULL) { … … 1731 1803 "pipe for domain %s using NTLMSSP " 1732 1804 "authenticated pipe: user %s\\%s. 
Error was " 1733 "%s\n", domain->name, conn->cli->domain,1734 conn->cli->user_name, nt_errstr(result)));1805 "%s\n", domain->name, domain_name, 1806 machine_account, nt_errstr(result))); 1735 1807 goto schannel; 1736 1808 } … … 1739 1811 "domain %s using NTLMSSP authenticated " 1740 1812 "pipe: user %s\\%s\n", domain->name, 1741 conn->cli->domain, conn->cli->user_name));1813 domain_name, machine_account)); 1742 1814 1743 1815 result = rpccli_samr_connect(conn->samr_pipe, mem_ctx, … … 1824 1896 *cli = conn->samr_pipe; 1825 1897 *sam_handle = conn->sam_domain_handle; 1898 SAFE_FREE(machine_password); 1899 SAFE_FREE(machine_account); 1826 1900 return result; 1827 1901 } … … 1954 2028 NTSTATUS result; 1955 2029 1956 uint32 neg_flags = NETLOGON_NEG_ AUTH2_FLAGS;2030 uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; 1957 2031 uint8 mach_pwd[16]; 1958 2032 uint32 sec_chan_type; … … 1974 2048 } 1975 2049 1976 if (!get_trust_pw(domain->name, mach_pwd, &sec_chan_type)) {1977 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;1978 }1979 1980 2050 netlogon_pipe = cli_rpc_pipe_open_noauth(conn->cli, PI_NETLOGON, 1981 2051 &result); … … 1984 2054 } 1985 2055 2056 if ((!IS_DC) && (!domain->primary)) { 2057 /* Clear the schannel request bit and drop down */ 2058 neg_flags &= ~NETLOGON_NEG_SCHANNEL; 2059 goto no_schannel; 2060 } 2061 1986 2062 if (lp_client_schannel() != False) { 1987 2063 neg_flags |= NETLOGON_NEG_SCHANNEL; 1988 2064 } 1989 2065 1990 /* if we are a DC and this is a trusted domain, then we need to use our 1991 domain name in the net_req_auth2() request */ 1992 1993 if ( IS_DC 1994 && !strequal(domain->name, lp_workgroup()) 1995 && lp_allow_trusted_domains() ) 2066 if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name, 2067 &sec_chan_type)) 1996 2068 { 1997 account_name = lp_workgroup();1998 } else {1999 account_name = domain->primary ?2000 global_myname() : domain->name;2001 }2002 2003 if (account_name == NULL) {2004 2069 cli_rpc_pipe_close(netlogon_pipe); 2005 
return NT_STATUS_ NO_MEMORY;2070 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; 2006 2071 } 2007 2072 … … 2028 2093 } 2029 2094 2095 no_schannel: 2030 2096 if ((lp_client_schannel() == False) || 2031 2097 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
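Review bot: In cm_connect_sam the new `machine_password`/`machine_account` strings are released only on the success tail (`SAFE_FREE` at new lines 1898–1899, right before `return result`), while the failure paths leave through `goto done` (line 1789) and `goto schannel` (lines 1778 and 1807); the function header and the `done:` label are outside this section, so unless `done:` falls through to that tail on failure, a get_trust_creds call that already allocated the password before failing, or a failed NTLMSSP pipe open, leaks both strings and leaves the cleartext trust password in the heap. Moving the two `SAFE_FREE` calls to the top of the `done:` block, ahead of any early return, would cover every path. get_trust_creds itself returns NT_STATUS_NO_MEMORY with earlier outputs still allocated (new lines 598–608), which its header comment should state: `/* On failure, any output already allocated is left for the caller to free. */`. Because these buffers hold a cleartext machine/trust password, clearing them before the free would also limit how long the secret lingers in released memory.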