Changeset 596 for trunk/server/source3/winbindd/winbindd_pam.c
- Timestamp:
- Jul 2, 2011, 3:35:33 PM (14 years ago)
- File:
-
- 1 edited
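--- a/trunk/server/source3/winbindd/winbindd_pam.c
+++ b/trunk/server/source3/winbindd/winbindd_pam.c
@@ -1186,4 +1186,5 @@
 const char *workstation,
 const uint8 chal[8],
+uint16_t validation_level,
 DATA_BLOB lm_response,
 DATA_BLOB nt_response,
@@ -1297,4 +1298,6 @@
 do {
 netlogon_fn_t logon_fn;
+const struct cli_pipe_auth_data *auth;
+uint32_t neg_flags = 0;
 
 ZERO_STRUCTP(my_info3);
@@ -1306,3 +1309,7 @@
 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
 goto done;
+}
+auth = netlogon_pipe->auth;
+if (netlogon_pipe->dc) {
+neg_flags = netlogon_pipe->dc->negotiate_flags;
 }
@@ -1327,5 +1334,32 @@
 *
 * -- abartlet 21 April 2008
+*
+* It's also important to use NetlogonValidationSamInfo4 (6),
+* because it relies on the rpc transport encryption
+* and avoids using the global netlogon schannel
+* session key to en/decrypt secret information
+* like the user_session_key for network logons.
+*
+* [MS-APDS] 3.1.5.2 NTLM Network Logon
+* says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
+* NETLOGON_NEG_AUTHENTICATED_RPC set together
+* are the indication that the server supports
+* NetlogonValidationSamInfo4 (6). And must only
+* be used if "SealSecureChannel" is used.
+*
+* -- metze 4 February 2011
 */
+
+if (auth == NULL) {
+domain->can_do_validation6 = false;
+} else if (auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
+domain->can_do_validation6 = false;
+} else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
+domain->can_do_validation6 = false;
+} else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
+domain->can_do_validation6 = false;
+} else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+domain->can_do_validation6 = false;
+}
 
 logon_fn = contact_domain->can_do_samlogon_ex
@@ -1341,8 +1375,8 @@
 global_myname(), /* workstation */
 chal,
+domain->can_do_validation6 ? 6 : 3,
 lm_resp,
 nt_resp,
 &my_info3);
-attempts += 1;
 
 if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
@@ -1351,7 +1385,29 @@
 "retrying with NetSamLogon\n"));
 contact_domain->can_do_samlogon_ex = false;
+/*
+* It's likely that the server also does not support
+* validation level 6
+*/
+domain->can_do_validation6 = false;
 retry = true;
 continue;
 }
+
+if (domain->can_do_validation6 &&
+(NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
+NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
+NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
+DEBUG(3,("Got a DC that can not do validation level 6, "
+"retrying with level 3\n"));
+domain->can_do_validation6 = false;
+retry = true;
+continue;
+}
+
+/*
+* we increment this after the "feature negotiation"
+* for can_do_samlogon_ex and can_do_validation6
+*/
+attempts += 1;
 
 /* We have to try a second time as cm_connect_netlogon
@@ -1890,4 +1946,6 @@
 do {
 netlogon_fn_t logon_fn;
+const struct cli_pipe_auth_data *auth;
+uint32_t neg_flags = 0;
 
 retry = false;
@@ -1900,3 +1958,19 @@
 nt_errstr(result)));
 goto done;
+}
+auth = netlogon_pipe->auth;
+if (netlogon_pipe->dc) {
+neg_flags = netlogon_pipe->dc->negotiate_flags;
+}
+
+if (auth == NULL) {
+domain->can_do_validation6 = false;
+} else if (auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
+domain->can_do_validation6 = false;
+} else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
+domain->can_do_validation6 = false;
+} else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
+domain->can_do_validation6 = false;
+} else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+domain->can_do_validation6 = false;
 }
@@ -1915,4 +1989,5 @@
 workstation, /* We carefully set this above so use it... */
 state->request->data.auth_crap.chal,
+domain->can_do_validation6 ? 6 : 3,
 lm_resp,
 nt_resp,
@@ -1924,8 +1999,28 @@
 "retrying with NetSamLogon\n"));
 contact_domain->can_do_samlogon_ex = false;
+/*
+* It's likely that the server also does not support
+* validation level 6
+*/
+domain->can_do_validation6 = false;
 retry = true;
 continue;
 }
 
+if (domain->can_do_validation6 &&
+(NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
+NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
+NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
+DEBUG(3,("Got a DC that can not do validation level 6, "
+"retrying with level 3\n"));
+domain->can_do_validation6 = false;
+retry = true;
+continue;
+}
+
+/*
+* we increment this after the "feature negotiation"
+* for can_do_samlogon_ex and can_do_validation6
+*/
 attempts += 1;
 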
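Review bot: The new level-6 capability is cached on `domain` while the `can_do_samlogon_ex` flag cleared right beside it lives on `contact_domain`, even though both are derived from the same `netlogon_pipe` opened in this loop (`auth = netlogon_pipe->auth`, `neg_flags = netlogon_pipe->dc->negotiate_flags`); if `domain` and `contact_domain` can differ in these two functions (not visible in the hunks), the negotiated result is recorded against, and later read from, a domain other than the one whose DC was actually asked. Writing `contact_domain->can_do_validation6` in the probe chain, in the `6 : 3` argument and in both fallback branches would keep the two capability flags on the same struct as the connection they describe. Separately, the fallback on NT_STATUS_INVALID_PARAMETER/INVALID_INFO_CLASS/BUFFER_TOO_SMALL is sticky — the flag is only ever cleared here and where it is set true is outside this changeset — and, as the new comment itself explains, level 3 hands back user_session_key protected only by the global schannel session key; a one-line comment at the retry would make that trade-off explicit, e.g. `/* sticky downgrade: level 3 relies on the schannel session key for user_session_key; only taken after the DC rejected level 6 */`. Both enclosing functions start and end outside the hunks shown.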