Changeset 594 for vendor/current/source3/winbindd
- Timestamp:
- Jul 1, 2011, 4:02:23 PM (14 years ago)
- Location:
- vendor/current/source3/winbindd
- Files:
-
- 11 edited
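--- a/vendor/current/source3/winbindd/idmap.c
+++ b/vendor/current/source3/winbindd/idmap.c
@@ -429,4 +429,14 @@
 static struct idmap_domain *idmap_init_passdb_domain(TALLOC_CTX *mem_ctx)
 {
+	/*
+	 * Always init the default domain, we can't go without one
+	 */
+	if (default_idmap_domain == NULL) {
+		default_idmap_domain = idmap_init_default_domain(NULL);
+	}
+	if (default_idmap_domain == NULL) {
+		return NULL;
+	}
+
 	if (passdb_idmap_domain != NULL) {
 		return passdb_idmap_domain;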
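Review bot: The new `return NULL;` at 438 is silent, so a failure of `idmap_init_default_domain(NULL)` is reported to the caller only as "no passdb domain", which points the reader at the wrong place when diagnosing a broken idmap setup. Unless idmap_init_default_domain() already logs its own failure (not visible here), add `DEBUG(1, ("idmap_init_default_domain failed, cannot init passdb domain\n"));` before the return. The body of idmap_init_passdb_domain() continues past the end of the hunk.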
vendor/current/source3/winbindd/idmap_util.c
r414 r594 24 24 #undef DBGC_CLASS 25 25 #define DBGC_CLASS DBGC_IDMAP 26 27 /***************************************************************** 28 Returns true if the request was for a specific domain, or 29 for a sid we are authoritative for - BUILTIN, or our own domain. 30 *****************************************************************/ 31 32 static bool is_specific_domain_request(const char *dom_name, DOM_SID *sid) 33 { 34 if (dom_name && dom_name[0] != '\0') { 35 return true; 36 } 37 if (sid_check_is_in_builtin(sid) || 38 sid_check_is_in_our_domain(sid)) { 39 return true; 40 } 41 return false; 42 } 26 43 27 44 /***************************************************************** … … 195 212 } 196 213 197 if ( dom_name[0] != '\0') {214 if (is_specific_domain_request(dom_name, sid)) { 198 215 /* 199 * We had the task to go to a specific domain which 200 * could not answer our request. Fail. 216 * We had the task to go to a specific domain or 217 * a domain for which we are authoritative for and 218 * it could not answer our request. Fail. 201 219 */ 202 220 if (winbindd_use_idmap_cache()) { … … 276 294 } 277 295 278 if ( domname[0] != '\0') {296 if (is_specific_domain_request(domname, sid)) { 279 297 /* 280 * We had the task to go to a specific domain which 281 * could not answer our request. Fail. 298 * We had the task to go to a specific domain or 299 * a domain for which we are authoritative for and 300 * it could not answer our request. Fail. 282 301 */ 283 302 if (winbindd_use_idmap_cache()) { -
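Review bot: `is_specific_domain_request()` at 32 declares its second parameter as `DOM_SID *sid` but only reads it through sid_check_is_in_builtin() and sid_check_is_in_our_domain(), so it should be `const DOM_SID *sid` (assuming those two take a const pointer, as their names suggest). It also guards `dom_name` against NULL at 34 but passes `sid` on unchecked, which is fine only if every caller hands in a valid sid; the two callers at 214 and 296 belong to functions that start and end outside the hunks, so that cannot be confirmed here. The two rewritten comments read "a domain for which we are authoritative for and" — drop the trailing "for": `* a domain for which we are authoritative and`.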
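--- a/vendor/current/source3/winbindd/wb_dsgetdcname.c
+++ b/vendor/current/source3/winbindd/wb_dsgetdcname.c
@@ -98,4 +98,8 @@
 		return;
 	}
+	if (!NT_STATUS_IS_OK(result)) {
+		tevent_req_nterror(req, result);
+		return;
+	}
 	tevent_req_done(req);
 }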
vendor/current/source3/winbindd/wb_gettoken.c
r414 r594 107 107 * Expand our domain's aliases 108 108 */ 109 domain = find_ our_domain();109 domain = find_domain_from_sid_noinit(get_global_sam_sid()); 110 110 if (domain == NULL) { 111 111 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); … … 138 138 return; 139 139 } 140 domain = find_ our_domain();140 domain = find_domain_from_sid_noinit(get_global_sam_sid()); 141 141 if (!wb_add_rids_to_sids(state, &state->num_sids, &state->sids, 142 142 &domain->sid, num_rids, rids)) { -
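Review bot: The second replacement at 140 dereferences `domain` two lines later (`&domain->sid` at 142) without the NULL check that the first replacement at 109-111 keeps; `find_domain_from_sid_noinit()` can return NULL — the first hunk handles exactly that case — so a failed lookup here would crash the winbindd child with a NULL dereference. Add the same guard before the wb_add_rids_to_sids() call: `if (domain == NULL) { tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); return; }`. Whether the old find_our_domain() could ever return NULL is not visible here; the enclosing callback starts and ends outside the hunk.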
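--- a/vendor/current/source3/winbindd/winbindd.h
+++ b/vendor/current/source3/winbindd/winbindd.h
@@ -168,4 +168,5 @@
 
 	bool can_do_ncacn_ip_tcp;
+	bool can_do_validation6;
 
 	/* Lookup methods for this domain (LDAP or RPC) */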
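Review bot: `can_do_validation6` is added at 170 without a comment, although it is set from `domain->active_directory` in winbindd_cm.c and cleared in winbindd_pam.c under conditions (sealed schannel binding, specific negotiate flags, or a DC error on the first level-6 logon) that a reader of the struct cannot see. Suggest a comment above the field: `/* DC may accept NetlogonValidationSamInfo4 (level 6); set on connect, cleared once by winbindd_pam.c when the binding or the DC cannot do it */`. The struct definition starts and ends outside the hunk.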
vendor/current/source3/winbindd/winbindd_cm.c
r587 r594 836 836 } 837 837 838 if (ntohs(peeraddr_in->sin_port) == 139) {839 struct nmb_name calling;840 struct nmb_name called;841 842 make_nmb_name(&calling, global_myname(), 0x0);843 make_nmb_name(&called, "*SMBSERVER", 0x20);844 845 if (!cli_session_request(*cli, &calling, &called)) {846 DEBUG(8, ("cli_session_request failed for %s\n",847 controller));848 result = NT_STATUS_UNSUCCESSFUL;849 goto done;850 }851 }852 853 838 result = cli_negprot(*cli); 854 839 … … 1355 1340 int num_addrs = 0; 1356 1341 1357 int i, fd_index; 1342 int i; 1343 size_t fd_index; 1344 1345 NTSTATUS status; 1358 1346 1359 1347 *fd = -1; … … 1373 1361 return False; 1374 1362 } 1375 1376 if (!add_string_to_array(mem_ctx, dcs[i].name,1377 &dcnames, &num_dcnames)) {1378 return False;1379 }1380 if (!add_sockaddr_to_array(mem_ctx, &dcs[i].ss, 139,1381 &addrs, &num_addrs)) {1382 return False;1383 }1384 1363 } 1385 1364 … … 1390 1369 return False; 1391 1370 1392 /* 5 second timeout. */ 1393 if (!open_any_socket_out(addrs, num_addrs, 5000, &fd_index, fd) ) { 1371 status = smbsock_any_connect(addrs, dcnames, num_addrs, 1372 fd, &fd_index, NULL); 1373 if (!NT_STATUS_IS_OK(status)) { 1394 1374 for (i=0; i<num_dcs; i++) { 1395 1375 char ab[INET6_ADDRSTRLEN]; 1396 1376 print_sockaddr(ab, sizeof(ab), &dcs[i].ss); 1397 DEBUG(10, ("find_new_dc: open_any_socket_out failed for "1377 DEBUG(10, ("find_new_dc: smbsock_any_connect failed for " 1398 1378 "domain %s address %s. 
Error was %s\n", 1399 domain->name, ab, strerror(errno) ));1379 domain->name, ab, nt_errstr(status) )); 1400 1380 winbind_add_failed_connection_entry(domain, 1401 1381 dcs[i].name, NT_STATUS_UNSUCCESSFUL); … … 1499 1479 && (resolve_name(domain->dcname, &domain->dcaddr, 0x20, true))) 1500 1480 { 1501 struct sockaddr_storage *addrs = NULL; 1502 int num_addrs = 0; 1503 int dummy = 0; 1504 1505 if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 445, &addrs, &num_addrs)) { 1506 set_domain_offline(domain); 1507 talloc_destroy(mem_ctx); 1508 return NT_STATUS_NO_MEMORY; 1509 } 1510 if (!add_sockaddr_to_array(mem_ctx, &domain->dcaddr, 139, &addrs, &num_addrs)) { 1511 set_domain_offline(domain); 1512 talloc_destroy(mem_ctx); 1513 return NT_STATUS_NO_MEMORY; 1514 } 1515 1516 /* 5 second timeout. */ 1517 if (!open_any_socket_out(addrs, num_addrs, 5000, &dummy, &fd)) { 1481 NTSTATUS status; 1482 1483 status = smbsock_connect(&domain->dcaddr, NULL, NULL, 1484 &fd, NULL); 1485 if (!NT_STATUS_IS_OK(status)) { 1518 1486 fd = -1; 1519 1487 } … … 1978 1946 1979 1947 domain->can_do_ncacn_ip_tcp = domain->active_directory; 1948 domain->can_do_validation6 = domain->active_directory; 1980 1949 1981 1950 TALLOC_FREE(cli); -
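Review bot: The explicit 5-second bound that `open_any_socket_out(addrs, num_addrs, 5000, ...)` gave the connect at 1516-1517 is gone from the replacement `smbsock_connect(&domain->dcaddr, NULL, NULL, &fd, NULL)` at 1483-1484, and likewise from `smbsock_any_connect(...)` at 1371-1372, with nothing at either call site saying what now bounds a connect to a DC that silently drops the request. If smbsock_connect() applies its own connect timeout, say so where the old comment was, e.g. `/* connect timeout is applied inside smbsock_connect() */`; if it does not, the connection attempt of this winbindd child can stall on an unreachable DC until the kernel gives up. The error loop at 1374-1381 still records NT_STATUS_UNSUCCESSFUL for every DC while the DEBUG line now prints the real `status`; recording `status` there would keep the failed-connection cache consistent with the log. Both enclosing functions start and end outside the hunks.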
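--- a/vendor/current/source3/winbindd/winbindd_dual_srv.c
+++ b/vendor/current/source3/winbindd/winbindd_dual_srv.c
@@ -379,4 +379,6 @@
 		return status;
 	}
+
+	*r->out.domain_name = talloc_move(r->out.domain_name, &domain_name);
 
 	result = talloc_array(p->mem_ctx, struct wbint_Principal,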
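--- a/vendor/current/source3/winbindd/winbindd_getgrent.c
+++ b/vendor/current/source3/winbindd/winbindd_getgrent.c
@@ -188,4 +188,5 @@
 		return NT_STATUS_NO_MEMORY;
 	}
+	state->groups = (struct winbindd_gr *)result;
 
 	for (i=0; i<state->num_groups; i++) {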
vendor/current/source3/winbindd/winbindd_lookuprids.c
r414 r594 62 62 } 63 63 64 domain = find_ domain_from_sid_noinit(&sid);64 domain = find_lookup_domain_from_sid(&sid); 65 65 if (domain == NULL) { 66 66 DEBUG(5, ("Domain for sid %s not found\n", … … 84 84 85 85 subreq = rpccli_wbint_LookupRids_send( 86 state, ev, domain->child.rpccli, &state->rids, &state->names); 86 state, ev, domain->child.rpccli, &state->rids, 87 &state->domain_name, &state->names); 87 88 if (tevent_req_nomem(subreq, req)) { 88 89 return tevent_req_post(req, ev); -
vendor/current/source3/winbindd/winbindd_pam.c
r587 r594 1186 1186 const char *workstation, 1187 1187 const uint8 chal[8], 1188 uint16_t validation_level, 1188 1189 DATA_BLOB lm_response, 1189 1190 DATA_BLOB nt_response, … … 1297 1298 do { 1298 1299 netlogon_fn_t logon_fn; 1300 const struct cli_pipe_auth_data *auth; 1301 uint32_t neg_flags = 0; 1299 1302 1300 1303 ZERO_STRUCTP(my_info3); … … 1306 1309 DEBUG(3, ("could not open handle to NETLOGON pipe\n")); 1307 1310 goto done; 1311 } 1312 auth = netlogon_pipe->auth; 1313 if (netlogon_pipe->dc) { 1314 neg_flags = netlogon_pipe->dc->negotiate_flags; 1308 1315 } 1309 1316 … … 1327 1334 * 1328 1335 * -- abartlet 21 April 2008 1336 * 1337 * It's also important to use NetlogonValidationSamInfo4 (6), 1338 * because it relies on the rpc transport encryption 1339 * and avoids using the global netlogon schannel 1340 * session key to en/decrypt secret information 1341 * like the user_session_key for network logons. 1342 * 1343 * [MS-APDS] 3.1.5.2 NTLM Network Logon 1344 * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and 1345 * NETLOGON_NEG_AUTHENTICATED_RPC set together 1346 * are the indication that the server supports 1347 * NetlogonValidationSamInfo4 (6). And must only 1348 * be used if "SealSecureChannel" is used. 1349 * 1350 * -- metze 4 February 2011 1329 1351 */ 1352 1353 if (auth == NULL) { 1354 domain->can_do_validation6 = false; 1355 } else if (auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) { 1356 domain->can_do_validation6 = false; 1357 } else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { 1358 domain->can_do_validation6 = false; 1359 } else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) { 1360 domain->can_do_validation6 = false; 1361 } else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) { 1362 domain->can_do_validation6 = false; 1363 } 1330 1364 1331 1365 logon_fn = contact_domain->can_do_samlogon_ex … … 1341 1375 global_myname(), /* workstation */ 1342 1376 chal, 1377 domain->can_do_validation6 ? 
6 : 3, 1343 1378 lm_resp, 1344 1379 nt_resp, 1345 1380 &my_info3); 1346 attempts += 1;1347 1381 1348 1382 if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) … … 1351 1385 "retrying with NetSamLogon\n")); 1352 1386 contact_domain->can_do_samlogon_ex = false; 1387 /* 1388 * It's likely that the server also does not support 1389 * validation level 6 1390 */ 1391 domain->can_do_validation6 = false; 1353 1392 retry = true; 1354 1393 continue; 1355 1394 } 1395 1396 if (domain->can_do_validation6 && 1397 (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) || 1398 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) || 1399 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) { 1400 DEBUG(3,("Got a DC that can not do validation level 6, " 1401 "retrying with level 3\n")); 1402 domain->can_do_validation6 = false; 1403 retry = true; 1404 continue; 1405 } 1406 1407 /* 1408 * we increment this after the "feature negotiation" 1409 * for can_do_samlogon_ex and can_do_validation6 1410 */ 1411 attempts += 1; 1356 1412 1357 1413 /* We have to try a second time as cm_connect_netlogon … … 1890 1946 do { 1891 1947 netlogon_fn_t logon_fn; 1948 const struct cli_pipe_auth_data *auth; 1949 uint32_t neg_flags = 0; 1892 1950 1893 1951 retry = false; … … 1900 1958 nt_errstr(result))); 1901 1959 goto done; 1960 } 1961 auth = netlogon_pipe->auth; 1962 if (netlogon_pipe->dc) { 1963 neg_flags = netlogon_pipe->dc->negotiate_flags; 1964 } 1965 1966 if (auth == NULL) { 1967 domain->can_do_validation6 = false; 1968 } else if (auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) { 1969 domain->can_do_validation6 = false; 1970 } else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) { 1971 domain->can_do_validation6 = false; 1972 } else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) { 1973 domain->can_do_validation6 = false; 1974 } else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) { 1975 domain->can_do_validation6 = false; 1902 1976 } 1903 1977 … … 1915 1989 workstation, /* We carefully 
set this above so use it... */ 1916 1990 state->request->data.auth_crap.chal, 1991 domain->can_do_validation6 ? 6 : 3, 1917 1992 lm_resp, 1918 1993 nt_resp, … … 1924 1999 "retrying with NetSamLogon\n")); 1925 2000 contact_domain->can_do_samlogon_ex = false; 2001 /* 2002 * It's likely that the server also does not support 2003 * validation level 6 2004 */ 2005 domain->can_do_validation6 = false; 1926 2006 retry = true; 1927 2007 continue; 1928 2008 } 1929 2009 2010 if (domain->can_do_validation6 && 2011 (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) || 2012 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) || 2013 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) { 2014 DEBUG(3,("Got a DC that can not do validation level 6, " 2015 "retrying with level 3\n")); 2016 domain->can_do_validation6 = false; 2017 retry = true; 2018 continue; 2019 } 2020 2021 /* 2022 * we increment this after the "feature negotiation" 2023 * for can_do_samlogon_ex and can_do_validation6 2024 */ 1930 2025 attempts += 1; 1931 2026 -
vendor/current/source3/winbindd/winbindd_rpc.c
r414 r594 85 85 &returned_size, 86 86 &disp_info); 87 88 if (!NT_STATUS_IS_OK(result)) { 89 if (!NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)) { 90 return result; 91 } 92 } 93 87 94 num_dom_users = disp_info.info1.count; 88 95 start_idx += disp_info.info1.count; … … 1231 1238 rpccli_set_timeout(cli, orig_timeout); 1232 1239 1240 if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED || 1241 NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) { 1242 /* 1243 * This can happen if the schannel key is not 1244 * valid anymore, we need to invalidate the 1245 * all connections to the dc and reestablish 1246 * a netlogon connection first. 1247 */ 1248 invalidate_cm_connection(&domain->conn); 1249 status = NT_STATUS_ACCESS_DENIED; 1250 } 1251 1233 1252 if (!NT_STATUS_IS_OK(status)) { 1234 1253 return status; … … 1297 1316 /* And restore our original timeout. */ 1298 1317 rpccli_set_timeout(cli, orig_timeout); 1318 1319 if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED || 1320 NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) { 1321 /* 1322 * This can happen if the schannel key is not 1323 * valid anymore, we need to invalidate the 1324 * all connections to the dc and reestablish 1325 * a netlogon connection first. 1326 */ 1327 invalidate_cm_connection(&domain->conn); 1328 status = NT_STATUS_ACCESS_DENIED; 1329 } 1299 1330 1300 1331 if (!NT_STATUS_IS_OK(status)) {
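Review bot: The fault-to-ACCESS_DENIED mapping added at 1240-1250 is duplicated verbatim at 1319-1329; since it encodes the recovery rule for a stale schannel key, keep it in one static helper so both call sites invalidate the connection the same way. Its comment also reads "invalidate the all connections" — `* valid anymore, we need to invalidate all` reads correctly. The check at 88-92 prevents reading `disp_info.info1.count` from a failed call, but the loop it sits in and the two functions around 1231/1297 all start and end outside the hunks, so what happens to `disp_info` on the STATUS_MORE_ENTRIES path cannot be confirmed here.
```c
/*
 * A DCERPC fault of ACCESS_DENIED or SEC_PKG_ERROR means the schannel
 * key is not valid anymore: drop every connection to this DC so the
 * next call re-establishes a netlogon connection first, and report the
 * failure to the caller as NT_STATUS_ACCESS_DENIED.
 */
static NTSTATUS map_schannel_fault(struct winbindd_domain *domain,
				   NTSTATUS status)
{
	if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED ||
	    NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) {
		invalidate_cm_connection(&domain->conn);
		return NT_STATUS_ACCESS_DENIED;
	}
	return status;
}

/* … unchanged: at both call sites, right after rpccli_set_timeout(cli, orig_timeout); … */
	status = map_schannel_fault(domain, status);
```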