Author: jra
Date: 2005-09-22 05:36:50 +0000 (Thu, 22 Sep 2005)
New Revision: 10412

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10412

Log:
Added code to cause winbindd to use a NTLMSSP SPNEGO authenticated
pipe for SAMR queries by preference, falling back to schannel then
anonymous on failure. This is a template for the changes I'll be making
in the lsa and netlogon winbindd pipe setup.
Jeremy.

Modified:
   trunk/source/nsswitch/winbindd_cm.c


Changeset:
Modified: trunk/source/nsswitch/winbindd_cm.c
===================================================================
--- trunk/source/nsswitch/winbindd_cm.c 2005-09-22 05:31:16 UTC (rev 10411)
+++ trunk/source/nsswitch/winbindd_cm.c 2005-09-22 05:36:50 UTC (rev 10412)
@@ -336,8 +336,12 @@
                                      ipc_password, strlen(ipc_password)+1,
                                      ipc_password, strlen(ipc_password)+1,
                                      ipc_domain)) {
-                       DEBUG(5, ("authenticated session setup failed\n"));
+                       /* Successful logon with given username. */
+                       cli_init_creds(*cli, ipc_username, ipc_domain, 
ipc_password);
                        goto session_setup_done;
+               } else {
+                       DEBUG(4, ("authenticated session setup with user %s\\%s 
failed.\n",
+                               ipc_domain, ipc_username ));
                }
        }
 
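Review bot: The new failure branch at the DEBUG(4, ...) records which user the authenticated session setup failed for but not why, so whatever fallback the code after this hunk takes cannot be diagnosed from the log. Appending the client error string, e.g. `DEBUG(4, ("authenticated session setup with user %s\\%s failed: %s\n", ipc_domain, ipc_username, cli_errstr(*cli)));`, would make the reason visible without ever logging the password. The message level also moved from 5 (removed line) to 4, which is presumably intended but worth stating in the commit message. The enclosing function starts and ends outside this hunk.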
@@ -1030,25 +1034,72 @@
        NTSTATUS result;
 
        result = init_dc_connection(domain);
-       if (!NT_STATUS_IS_OK(result))
+       if (!NT_STATUS_IS_OK(result)) {
                return result;
+       }
 
        conn = &domain->conn;
 
        if (conn->samr_pipe == NULL) {
-#ifndef DISABLE_SCHANNEL_WIN2K3_SP1
-               struct dcinfo *p_dcinfo;
+               /*
+                * No SAMR pipe yet. Attempt to get an NTLMSSP SPNEGO 
authenticated
+                * sign and sealed pipe using the machine account password by
+                * preference. If we can't - try schannel, if that fails, try 
anonymous.
+                */
 
-               if (cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
-                       conn->samr_pipe = 
cli_rpc_pipe_open_schannel_with_key(conn->cli,
+               fstring conn_pwd;
+               pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
+               if (conn->cli->user_name[0] && conn->cli->domain[0] && 
conn_pwd[0]) {
+                       /* We have an authenticated connection. Use
+                          a NTLMSSP SPNEGO authenticated SAMR pipe with
+                          sign & seal. */
+                       conn->samr_pipe = 
cli_rpc_pipe_open_spnego_ntlmssp(conn->cli,
                                                                PI_SAMR,
                                                                
PIPE_AUTH_LEVEL_PRIVACY,
-                                                               domain->name,
-                                                               p_dcinfo,
+                                                               
conn->cli->domain,
+                                                               
conn->cli->user_name,
+                                                               conn_pwd,
                                                                &result);
-               } else
+                       if (conn->samr_pipe == NULL) {
+                               DEBUG(10,("cm_connect_sam: failed to connect to 
SAMR pipe for domain %s "
+                                       "using NTLMSSP authenticated pipe: user 
%s\\%s. Error was %s\n",
+                                       domain->name, conn->cli->domain, 
conn->cli->user_name, nt_errstr(result) ));
+                       } else {
+                               DEBUG(10,("cm_connect_sam: connected to SAMR 
pipe for domain %s "
+                                       "using NTLMSSP authenticated pipe: user 
%s\\%s\n",
+                                       domain->name, conn->cli->domain, 
conn->cli->user_name ));
+                       }
+               }
+
+#ifndef DISABLE_SCHANNEL_WIN2K3_SP1
+               /* Fall back to schannel if it's a W2K pre-SP1 box. */
+               if (conn->samr_pipe == NULL) {
+                       struct dcinfo *p_dcinfo;
+
+                       if (cm_get_schannel_dcinfo(domain, &p_dcinfo)) {
+                               conn->samr_pipe = 
cli_rpc_pipe_open_schannel_with_key(conn->cli,
+                                                                       PI_SAMR,
+                                                                       
PIPE_AUTH_LEVEL_PRIVACY,
+                                                                       
domain->name,
+                                                                       
p_dcinfo,
+                                                                       
&result);
+                       }
+                       if (conn->samr_pipe == NULL) {
+                               DEBUG(10,("cm_connect_sam: failed to connect to 
SAMR pipe for domain %s "
+                                       "using schannel authenticated. Error 
was %s\n",
+                                       domain->name, nt_errstr(result) ));
+                       } else {
+                               DEBUG(10,("cm_connect_sam: connected to SAMR 
pipe for domain %s "
+                                       "using schannel.\n",
+                                       domain->name ));
+                       }
+               }
 #endif /* DISABLE_SCHANNEL_WIN2K3_SP1 */
+
+               /* Finally fall back to anonymous. */
+               if (conn->samr_pipe == NULL) {
                        conn->samr_pipe = cli_rpc_pipe_open_noauth(conn->cli, 
PI_SAMR, &result);
+               }
 
                if (conn->samr_pipe == NULL) {
                        result = NT_STATUS_PIPE_NOT_AVAILABLE;
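Review bot: The cleartext machine-account password copied into the stack buffer `conn_pwd` by pwd_get_cleartext() is never cleared once cli_rpc_pipe_open_spnego_ntlmssp() returns, so it stays on the stack for the rest of cm_connect_sam; clearing it right after the call, e.g. `memset(conn_pwd, 0, sizeof(conn_pwd));` (a plain memset on a buffer that is not read afterwards may be optimised away, so prefer an explicit-zero wipe helper if the tree has one), limits the secret's lifetime to the lines that need it. Separately, when cm_get_schannel_dcinfo() returns false the schannel failure message prints `nt_errstr(result)`, but `result` at that point still holds the status left by the NTLMSSP attempt, so the log attributes the wrong error; logging the missing dcinfo in an `else` branch of that `if`, or resetting `result` before the schannel block, would fix that. The fall-through to cli_rpc_pipe_open_noauth() after an authenticated attempt has failed is only visible at level 10 in the preceding branches, so a single lower-level message when the connection is downgraded to anonymous would let operators notice it. cm_connect_sam begins and ends outside this hunk.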
@@ -1058,8 +1109,12 @@
                result = rpccli_samr_connect(conn->samr_pipe, mem_ctx,
                                             SEC_RIGHTS_MAXIMUM_ALLOWED,
                                             &conn->sam_connect_handle);
-               if (!NT_STATUS_IS_OK(result))
+               if (!NT_STATUS_IS_OK(result)) {
+                       DEBUG(10,("cm_connect_sam: rpccli_samr_connect failed 
for domain %s "
+                               "Error was %s\n",
+                               domain->name, nt_errstr(result) ));
                        goto done;
+               }
 
                result = rpccli_samr_open_domain(conn->samr_pipe,
                                                 mem_ctx,
@@ -1073,7 +1128,7 @@
 
        if (!NT_STATUS_IS_OK(result)) {
                invalidate_cm_connection(conn);
-               return NT_STATUS_UNSUCCESSFUL;
+               return result;
        }
 
        *cli = conn->samr_pipe;
