The branch, v3-5-test has been updated via 4e64865... s3-winbindd: NDR_WBINT_CHECKMACHINEACCOUNT should not be cacheable. via 8716c4a... s3-winbindd: libwbclient: implement secure channel verification for specific domains in wbcCheckTrustCredentials(). via 69ba747... wbinfo: allow to check trusts via "wbinfo -t --domain DOMAINNAME". via 63acae3... libwbclient: implement secure channel verification for specific domains in wbcCheckTrustCredentials(). via 5ba5b5e... s3-netlogon: pure cosmetic indent fixes in _netr_LogonControl2Ex(). from abdadc2... s3: make linking of libwbclient --as-needed safe
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test - Log ----------------------------------------------------------------- commit 4e64865f522506b5b92b7ce0f05bac7ca7de6de3 Author: Günther Deschner <g...@samba.org> Date: Thu Oct 8 10:35:02 2009 +0200 s3-winbindd: NDR_WBINT_CHECKMACHINEACCOUNT should not be cacheable. Guenther (cherry picked from commit efaa98e82438688ca178dc7d0622965933abc95c) commit 8716c4ae193a49ea8494e04296f6d95126c0e265 Author: Günther Deschner <g...@samba.org> Date: Tue Oct 6 17:46:25 2009 +0200 s3-winbindd: libwbclient: implement secure channel verification for specific domains in wbcCheckTrustCredentials(). Guenther (cherry picked from commit 3c3725a340ffe20ab679cf2f9d41ccd0b51b4b3a) commit 69ba747df1b861da70da6682e36b095ac565f83e Author: Günther Deschner <g...@samba.org> Date: Wed Oct 7 10:43:53 2009 +0200 wbinfo: allow to check trusts via "wbinfo -t --domain DOMAINNAME". Guenther (cherry picked from commit 7b3501200c55d7844c4d697456dbfa2b86cfdcc8) commit 63acae34cfe65577437b75e668d22400eb47a88c Author: Günther Deschner <g...@samba.org> Date: Tue Oct 6 17:45:24 2009 +0200 libwbclient: implement secure channel verification for specific domains in wbcCheckTrustCredentials(). Guenther (cherry picked from commit 2df47b0a54ad0a973b81911ee507ab50555b24a6) commit 5ba5b5e7a1a66472505b3a3fb3d83db5180da3ee Author: Günther Deschner <g...@samba.org> Date: Tue Oct 6 17:50:15 2009 +0200 s3-netlogon: pure cosmetic indent fixes in _netr_LogonControl2Ex(). 
Guenther (cherry picked from commit 3d3134a7d6a4d49b891a446f6cc7b38fd953739a) ----------------------------------------------------------------------- Summary of changes: nsswitch/libwbclient/wbc_pam.c | 14 +-- nsswitch/libwbclient/wbclient.h | 4 +- nsswitch/wbinfo.c | 18 ++- source3/rpc_server/srv_netlog_nt.c | 140 ++++++++++++------------ source3/winbindd/winbindd_cache.c | 1 + source3/winbindd/winbindd_check_machine_acct.c | 11 ++- source3/winbindd/winbindd_dual_srv.c | 8 +- 7 files changed, 105 insertions(+), 91 deletions(-) Changeset truncated at 500 lines: diff --git a/nsswitch/libwbclient/wbc_pam.c b/nsswitch/libwbclient/wbc_pam.c index 33044b2..4cd212a 100644 --- a/nsswitch/libwbclient/wbc_pam.c +++ b/nsswitch/libwbclient/wbc_pam.c @@ -502,18 +502,14 @@ wbcErr wbcCheckTrustCredentials(const char *domain, struct winbindd_response response; wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; - if (domain) { - /* - * the current protocol doesn't support - * specifying a domain - */ - wbc_status = WBC_ERR_NOT_IMPLEMENTED; - BAIL_ON_WBC_ERROR(wbc_status); - } - ZERO_STRUCT(request); ZERO_STRUCT(response); + if (domain) { + strncpy(request.domain_name, domain, + sizeof(request.domain_name)-1); + } + /* Send request */ wbc_status = wbcRequestResponse(WINBINDD_CHECK_MACHACC, diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h index a87cad3..4dc6d23 100644 --- a/nsswitch/libwbclient/wbclient.h +++ b/nsswitch/libwbclient/wbclient.h @@ -1183,9 +1183,7 @@ wbcErr wbcResolveWinsByIP(const char *ip, char **name); /** * @brief Trigger a verification of the trust credentials of a specific domain * - * @param *domain The name of the domain, only NULL for the default domain is - * supported yet. Other values than NULL will result in - * WBC_ERR_NOT_IMPLEMENTED. + * @param *domain The name of the domain. * @param error Output details on WBC_ERR_AUTH_ERROR * * @return #wbcErr diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c index a80b69f..7410a74 100644 
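Review bot: The new strncpy() into request.domain_name silently truncates a domain name that does not fit the buffer, so an over-long argument would make winbindd look up whatever domain the truncated prefix names instead of reporting the bad input to the caller. A length check before the copy, `if (strlen(domain) >= sizeof(request.domain_name)) { wbc_status = WBC_ERR_INVALID_PARAM; BAIL_ON_WBC_ERROR(wbc_status); }`, keeps the checked domain equal to the requested one. NUL termination of the copied name relies on the ZERO_STRUCT(request) a few lines above, which deserves a comment such as `/* request is zero-filled above, so the size-1 copy stays NUL-terminated */`. The rest of wbcCheckTrustCredentials() lies outside the hunk.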
--- a/nsswitch/wbinfo.c +++ b/nsswitch/wbinfo.c @@ -724,15 +724,23 @@ static bool wbinfo_dsgetdcname(const char *domain_name, uint32_t flags) /* Check trust account password */ -static bool wbinfo_check_secret(void) +static bool wbinfo_check_secret(const char *domain) { wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; struct wbcAuthErrorInfo *error = NULL; + const char *domain_name; - wbc_status = wbcCheckTrustCredentials(NULL, &error); + if (domain) { + domain_name = domain; + } else { + domain_name = get_winbind_domain(); + } - d_printf("checking the trust secret via RPC calls %s\n", - WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed"); + wbc_status = wbcCheckTrustCredentials(domain_name, &error); + + d_printf("checking the trust secret for domain %s via RPC calls %s\n", + domain_name, + WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed"); if (wbc_status == WBC_ERR_AUTH_ERROR) { d_fprintf(stderr, "error code was %s (0x%x)\n", @@ -1950,7 +1958,7 @@ int main(int argc, char **argv, char **envp) } break; case 't': - if (!wbinfo_check_secret()) { + if (!wbinfo_check_secret(opt_domain_name)) { d_fprintf(stderr, "Could not check secret\n"); goto done; } diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 2aee005..fd90bf8 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c 
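Review bot: domain_name is printed with %s and handed to wbcCheckTrustCredentials() without a NULL check after the get_winbind_domain() fallback; if that helper can fail (its definition is not in this hunk), the d_printf() is undefined behavior and the library call receives NULL, which the client side now treats as "default domain", so the message and the domain actually checked could disagree. A guard after the fallback, `if (domain_name == NULL) { return false; }`, makes the failure explicit and matches the "Could not check secret" handling in main(). The same applies to a caller that passes an empty --domain value, which get_winbind_domain() is never consulted for.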
@@ -116,103 +116,105 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p, const char *fn; switch (p->hdr_req.opnum) { - case NDR_NETR_LOGONCONTROL: - fn = "_netr_LogonControl"; - break; - case NDR_NETR_LOGONCONTROL2: - fn = "_netr_LogonControl2"; - break; - case NDR_NETR_LOGONCONTROL2EX: - fn = "_netr_LogonControl2Ex"; - break; - default: - return WERR_INVALID_PARAM; + case NDR_NETR_LOGONCONTROL: + fn = "_netr_LogonControl"; + break; + case NDR_NETR_LOGONCONTROL2: + fn = "_netr_LogonControl2"; + break; + case NDR_NETR_LOGONCONTROL2EX: + fn = "_netr_LogonControl2Ex"; + break; + default: + return WERR_INVALID_PARAM; } tc_status = WERR_NO_SUCH_DOMAIN; switch (r->in.function_code) { - case NETLOGON_CONTROL_TC_QUERY: - domain = r->in.data->domain; + case NETLOGON_CONTROL_TC_QUERY: + domain = r->in.data->domain; - if ( !is_trusted_domain( domain ) ) - break; + if (!is_trusted_domain(domain)) { + break; + } - if ( !get_dc_name( domain, NULL, dc_name2, &dc_ss ) ) { - tc_status = WERR_NO_LOGON_SERVERS; - break; - } + if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) { + tc_status = WERR_NO_LOGON_SERVERS; + break; + } - dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2); - if (!dc_name) { - return WERR_NOMEM; - } + dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2); + if (!dc_name) { + return WERR_NOMEM; + } - tc_status = WERR_OK; + tc_status = WERR_OK; - break; + break; - case NETLOGON_CONTROL_REDISCOVER: - domain = r->in.data->domain; + case NETLOGON_CONTROL_REDISCOVER: + domain = r->in.data->domain; - if ( !is_trusted_domain( domain ) ) - break; + if (!is_trusted_domain(domain)) { + break; + } - if ( !get_dc_name( domain, NULL, dc_name2, &dc_ss ) ) { - tc_status = WERR_NO_LOGON_SERVERS; - break; - } + if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) { + tc_status = WERR_NO_LOGON_SERVERS; + break; + } - dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2); - if (!dc_name) { - return WERR_NOMEM; - } + dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", 
dc_name2); + if (!dc_name) { + return WERR_NOMEM; + } - tc_status = WERR_OK; + tc_status = WERR_OK; - break; + break; - default: - /* no idea what this should be */ - DEBUG(0,("%s: unimplemented function level [%d]\n", - fn, r->in.function_code)); - return WERR_UNKNOWN_LEVEL; + default: + /* no idea what this should be */ + DEBUG(0,("%s: unimplemented function level [%d]\n", + fn, r->in.function_code)); + return WERR_UNKNOWN_LEVEL; } /* prepare the response */ switch (r->in.level) { - case 1: - info1 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_1); - W_ERROR_HAVE_NO_MEMORY(info1); + case 1: + info1 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_1); + W_ERROR_HAVE_NO_MEMORY(info1); - info1->flags = flags; - info1->pdc_connection_status = pdc_connection_status; + info1->flags = flags; + info1->pdc_connection_status = pdc_connection_status; - r->out.query->info1 = info1; - break; - case 2: - info2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_2); - W_ERROR_HAVE_NO_MEMORY(info2); + r->out.query->info1 = info1; + break; + case 2: + info2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_2); + W_ERROR_HAVE_NO_MEMORY(info2); - info2->flags = flags; - info2->pdc_connection_status = pdc_connection_status; - info2->trusted_dc_name = dc_name; - info2->tc_connection_status = tc_status; + info2->flags = flags; + info2->pdc_connection_status = pdc_connection_status; + info2->trusted_dc_name = dc_name; + info2->tc_connection_status = tc_status; - r->out.query->info2 = info2; - break; - case 3: - info3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_3); - W_ERROR_HAVE_NO_MEMORY(info3); + r->out.query->info2 = info2; + break; + case 3: + info3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_3); + W_ERROR_HAVE_NO_MEMORY(info3); - info3->flags = flags; - info3->logon_attempts = logon_attempts; + info3->flags = flags; + info3->logon_attempts = logon_attempts; - r->out.query->info3 = info3; - break; - default: - return WERR_UNKNOWN_LEVEL; + 
r->out.query->info3 = info3; + break; + default: + return WERR_UNKNOWN_LEVEL; } if (lp_server_role() == ROLE_DOMAIN_BDC) { diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index 6d48fe5..543b8b1 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -4359,6 +4359,7 @@ static bool wcache_opnum_cacheable(uint32_t opnum) case NDR_WBINT_QUERYSEQUENCENUMBER: case NDR_WBINT_ALLOCATEUID: case NDR_WBINT_ALLOCATEGID: + case NDR_WBINT_CHECKMACHINEACCOUNT: return false; } return true; diff --git a/source3/winbindd/winbindd_check_machine_acct.c b/source3/winbindd/winbindd_check_machine_acct.c index e3505cb..610e9ed 100644 --- a/source3/winbindd/winbindd_check_machine_acct.c +++ b/source3/winbindd/winbindd_check_machine_acct.c @@ -42,7 +42,16 @@ struct tevent_req *winbindd_check_machine_acct_send(TALLOC_CTX *mem_ctx, return NULL; } - domain = find_our_domain(); + if (request->domain_name[0] == '0') { + /* preserve old behavior, when no domain name is given */ + domain = find_our_domain(); + } else { + domain = find_domain_from_name(request->domain_name); + } + if (domain == NULL) { + tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN); + return tevent_req_post(req, ev); + } if (domain->internal) { /* * Internal domains are passdb based, we can always diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c index 179a771..3374861 100644 --- a/source3/winbindd/winbindd_dual_srv.c +++ b/source3/winbindd/winbindd_dual_srv.c 
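Review bot: The empty-name test at the top of the new block in winbindd_check_machine_acct_send() compares against the digit '0' rather than the NUL terminator as this page renders it (backslashes survive elsewhere in the diff, e.g. the "\\\\%s" and "\n" literals), so a request with no domain name would bypass find_our_domain() and go through find_domain_from_name("") and presumably fail with NT_STATUS_NO_SUCH_DOMAIN, the opposite of what the "preserve old behavior" comment promises; if the source really reads that way the line should be `if (request->domain_name[0] == '\0') {`. The daemon also trusts the client's zero-fill for termination of domain_name; unless request strings are already terminated elsewhere in winbindd, a defensive `request->domain_name[sizeof(request->domain_name) - 1] = '\0';` before the lookup would remove that dependency. The function's start and end are outside the hunk.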
@@ -437,13 +437,13 @@ again: /* Pass back result code - zero for success, other values for specific failures. */ - DEBUG(3, ("secret is %s\n", NT_STATUS_IS_OK(status) ? - "good" : "bad")); + DEBUG(3,("domain %s secret is %s\n", domain->name, + NT_STATUS_IS_OK(status) ? "good" : "bad")); done: DEBUG(NT_STATUS_IS_OK(status) ? 5 : 2, - ("Checking the trust account password returned %s\n", - nt_errstr(status))); + ("Checking the trust account password for domain %s returned %s\n", + domain->name, nt_errstr(status))); return status; } -- Samba Shared Repository
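Review bot: The DEBUG at the done: label now dereferences domain->name, so every `goto done` in the function must occur after domain has been assigned and checked for NULL; the function's start is outside the hunk, so this cannot be confirmed here. If any early exit jumps to done before that point, `domain ? domain->name : "<unknown>"` in the format arguments keeps the log line safe. A short comment at done:, such as `/* domain is valid here: all gotos to done follow the NULL check */`, would document the invariant for the next change to this path.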