The branch, v3-5-test has been updated
       via  4e64865... s3-winbindd: NDR_WBINT_CHECKMACHINEACCOUNT should not be 
cacheable.
       via  8716c4a... s3-winbindd: libwbclient: implement secure channel 
verification for specific domains in wbcCheckTrustCredentials().
       via  69ba747... wbinfo: allow to check trusts via "wbinfo -t --domain 
DOMAINNAME".
       via  63acae3... libwbclient: implement secure channel verification for 
specific domains in wbcCheckTrustCredentials().
       via  5ba5b5e... s3-netlogon: pure cosmetic indent fixes in 
_netr_LogonControl2Ex().
      from  abdadc2... s3: make linking of libwbclient --as-needed safe

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit 4e64865f522506b5b92b7ce0f05bac7ca7de6de3
Author: Günther Deschner <g...@samba.org>
Date:   Thu Oct 8 10:35:02 2009 +0200

    s3-winbindd: NDR_WBINT_CHECKMACHINEACCOUNT should not be cacheable.
    
    Guenther
    (cherry picked from commit efaa98e82438688ca178dc7d0622965933abc95c)

commit 8716c4ae193a49ea8494e04296f6d95126c0e265
Author: Günther Deschner <g...@samba.org>
Date:   Tue Oct 6 17:46:25 2009 +0200

    s3-winbindd: libwbclient: implement secure channel verification for 
specific domains in wbcCheckTrustCredentials().
    
    Guenther
    (cherry picked from commit 3c3725a340ffe20ab679cf2f9d41ccd0b51b4b3a)

commit 69ba747df1b861da70da6682e36b095ac565f83e
Author: Günther Deschner <g...@samba.org>
Date:   Wed Oct 7 10:43:53 2009 +0200

    wbinfo: allow to check trusts via "wbinfo -t --domain DOMAINNAME".
    
    Guenther
    (cherry picked from commit 7b3501200c55d7844c4d697456dbfa2b86cfdcc8)

commit 63acae34cfe65577437b75e668d22400eb47a88c
Author: Günther Deschner <g...@samba.org>
Date:   Tue Oct 6 17:45:24 2009 +0200

    libwbclient: implement secure channel verification for specific domains in 
wbcCheckTrustCredentials().
    
    Guenther
    (cherry picked from commit 2df47b0a54ad0a973b81911ee507ab50555b24a6)

commit 5ba5b5e7a1a66472505b3a3fb3d83db5180da3ee
Author: Günther Deschner <g...@samba.org>
Date:   Tue Oct 6 17:50:15 2009 +0200

    s3-netlogon: pure cosmetic indent fixes in _netr_LogonControl2Ex().
    
    Guenther
    (cherry picked from commit 3d3134a7d6a4d49b891a446f6cc7b38fd953739a)

-----------------------------------------------------------------------

Summary of changes:
 nsswitch/libwbclient/wbc_pam.c                 |   14 +--
 nsswitch/libwbclient/wbclient.h                |    4 +-
 nsswitch/wbinfo.c                              |   18 ++-
 source3/rpc_server/srv_netlog_nt.c             |  140 ++++++++++++------------
 source3/winbindd/winbindd_cache.c              |    1 +
 source3/winbindd/winbindd_check_machine_acct.c |   11 ++-
 source3/winbindd/winbindd_dual_srv.c           |    8 +-
 7 files changed, 105 insertions(+), 91 deletions(-)


Changeset truncated at 500 lines:

diff --git a/nsswitch/libwbclient/wbc_pam.c b/nsswitch/libwbclient/wbc_pam.c
index 33044b2..4cd212a 100644
--- a/nsswitch/libwbclient/wbc_pam.c
+++ b/nsswitch/libwbclient/wbc_pam.c
@@ -502,18 +502,14 @@ wbcErr wbcCheckTrustCredentials(const char *domain,
        struct winbindd_response response;
        wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
 
-       if (domain) {
-               /*
-                * the current protocol doesn't support
-                * specifying a domain
-                */
-               wbc_status = WBC_ERR_NOT_IMPLEMENTED;
-               BAIL_ON_WBC_ERROR(wbc_status);
-       }
-
        ZERO_STRUCT(request);
        ZERO_STRUCT(response);
 
+       if (domain) {
+               strncpy(request.domain_name, domain,
+                       sizeof(request.domain_name)-1);
+       }
+
        /* Send request */
 
        wbc_status = wbcRequestResponse(WINBINDD_CHECK_MACHACC,
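Review bot: The `strncpy` into `request.domain_name` silently truncates a domain name longer than the field, so the trust check could run against a different, prefix-named domain than the one the caller asked for. Termination itself is fine, because `ZERO_STRUCT(request)` runs first and the copy stops at `sizeof(request.domain_name)-1`. I would reject over-long names before copying, e.g. `if (strlen(domain) >= sizeof(request.domain_name)) { wbc_status = WBC_ERR_INVALID_PARAM; BAIL_ON_WBC_ERROR(wbc_status); }`. wbcCheckTrustCredentials continues past the end of this hunk.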
diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
index a87cad3..4dc6d23 100644
--- a/nsswitch/libwbclient/wbclient.h
+++ b/nsswitch/libwbclient/wbclient.h
@@ -1183,9 +1183,7 @@ wbcErr wbcResolveWinsByIP(const char *ip, char **name);
 /**
  * @brief Trigger a verification of the trust credentials of a specific domain
  *
- * @param *domain      The name of the domain, only NULL for the default 
domain is
- *                     supported yet. Other values than NULL will result in
- *                     WBC_ERR_NOT_IMPLEMENTED.
+ * @param *domain      The name of the domain.
  * @param error        Output details on WBC_ERR_AUTH_ERROR
  *
  * @return #wbcErr
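Review bot: The new `@param *domain` text no longer says what NULL means, although the wbc_pam.c change in this same push still accepts NULL and then sends an empty domain name. The winbindd side describes that case as "preserve old behavior, when no domain name is given", so the contract still exists and should stay documented. Suggest `@param *domain  The name of the domain, or NULL for the default (own) domain.`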
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index a80b69f..7410a74 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -724,15 +724,23 @@ static bool wbinfo_dsgetdcname(const char *domain_name, 
uint32_t flags)
 
 /* Check trust account password */
 
-static bool wbinfo_check_secret(void)
+static bool wbinfo_check_secret(const char *domain)
 {
        wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
        struct wbcAuthErrorInfo *error = NULL;
+       const char *domain_name;
 
-       wbc_status = wbcCheckTrustCredentials(NULL, &error);
+       if (domain) {
+               domain_name = domain;
+       } else {
+               domain_name = get_winbind_domain();
+       }
 
-       d_printf("checking the trust secret via RPC calls %s\n",
-                WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed");
+       wbc_status = wbcCheckTrustCredentials(domain_name, &error);
+
+       d_printf("checking the trust secret for domain %s via RPC calls %s\n",
+               domain_name,
+               WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed");
 
        if (wbc_status == WBC_ERR_AUTH_ERROR) {
                d_fprintf(stderr, "error code was %s (0x%x)\n",
@@ -1950,7 +1958,7 @@ int main(int argc, char **argv, char **envp)
                        }
                        break;
                case 't':
-                       if (!wbinfo_check_secret()) {
+                       if (!wbinfo_check_secret(opt_domain_name)) {
                                d_fprintf(stderr, "Could not check secret\n");
                                goto done;
                        }
diff --git a/source3/rpc_server/srv_netlog_nt.c 
b/source3/rpc_server/srv_netlog_nt.c
index 2aee005..fd90bf8 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -116,103 +116,105 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
        const char *fn;
 
        switch (p->hdr_req.opnum) {
-               case NDR_NETR_LOGONCONTROL:
-                       fn = "_netr_LogonControl";
-                       break;
-               case NDR_NETR_LOGONCONTROL2:
-                       fn = "_netr_LogonControl2";
-                       break;
-               case NDR_NETR_LOGONCONTROL2EX:
-                       fn = "_netr_LogonControl2Ex";
-                       break;
-               default:
-                       return WERR_INVALID_PARAM;
+       case NDR_NETR_LOGONCONTROL:
+               fn = "_netr_LogonControl";
+               break;
+       case NDR_NETR_LOGONCONTROL2:
+               fn = "_netr_LogonControl2";
+               break;
+       case NDR_NETR_LOGONCONTROL2EX:
+               fn = "_netr_LogonControl2Ex";
+               break;
+       default:
+               return WERR_INVALID_PARAM;
        }
 
        tc_status = WERR_NO_SUCH_DOMAIN;
 
        switch (r->in.function_code) {
-               case NETLOGON_CONTROL_TC_QUERY:
-                       domain = r->in.data->domain;
+       case NETLOGON_CONTROL_TC_QUERY:
+               domain = r->in.data->domain;
 
-                       if ( !is_trusted_domain( domain ) )
-                               break;
+               if (!is_trusted_domain(domain)) {
+                       break;
+               }
 
-                       if ( !get_dc_name( domain, NULL, dc_name2, &dc_ss ) ) {
-                               tc_status = WERR_NO_LOGON_SERVERS;
-                               break;
-                       }
+               if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
+                       tc_status = WERR_NO_LOGON_SERVERS;
+                       break;
+               }
 
-                       dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", 
dc_name2);
-                       if (!dc_name) {
-                               return WERR_NOMEM;
-                       }
+               dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
+               if (!dc_name) {
+                       return WERR_NOMEM;
+               }
 
-                       tc_status = WERR_OK;
+               tc_status = WERR_OK;
 
-                       break;
+               break;
 
-               case NETLOGON_CONTROL_REDISCOVER:
-                       domain = r->in.data->domain;
+       case NETLOGON_CONTROL_REDISCOVER:
+               domain = r->in.data->domain;
 
-                       if ( !is_trusted_domain( domain ) )
-                               break;
+               if (!is_trusted_domain(domain)) {
+                       break;
+               }
 
-                       if ( !get_dc_name( domain, NULL, dc_name2, &dc_ss ) ) {
-                               tc_status = WERR_NO_LOGON_SERVERS;
-                               break;
-                       }
+               if (!get_dc_name(domain, NULL, dc_name2, &dc_ss)) {
+                       tc_status = WERR_NO_LOGON_SERVERS;
+                       break;
+               }
 
-                       dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", 
dc_name2);
-                       if (!dc_name) {
-                               return WERR_NOMEM;
-                       }
+               dc_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dc_name2);
+               if (!dc_name) {
+                       return WERR_NOMEM;
+               }
 
-                       tc_status = WERR_OK;
+               tc_status = WERR_OK;
 
-                       break;
+               break;
 
-               default:
-                       /* no idea what this should be */
-                       DEBUG(0,("%s: unimplemented function level [%d]\n",
-                               fn, r->in.function_code));
-                       return WERR_UNKNOWN_LEVEL;
+       default:
+               /* no idea what this should be */
+               DEBUG(0,("%s: unimplemented function level [%d]\n",
+                       fn, r->in.function_code));
+               return WERR_UNKNOWN_LEVEL;
        }
 
        /* prepare the response */
 
        switch (r->in.level) {
-               case 1:
-                       info1 = TALLOC_ZERO_P(p->mem_ctx, struct 
netr_NETLOGON_INFO_1);
-                       W_ERROR_HAVE_NO_MEMORY(info1);
+       case 1:
+               info1 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_1);
+               W_ERROR_HAVE_NO_MEMORY(info1);
 
-                       info1->flags                    = flags;
-                       info1->pdc_connection_status    = pdc_connection_status;
+               info1->flags                    = flags;
+               info1->pdc_connection_status    = pdc_connection_status;
 
-                       r->out.query->info1 = info1;
-                       break;
-               case 2:
-                       info2 = TALLOC_ZERO_P(p->mem_ctx, struct 
netr_NETLOGON_INFO_2);
-                       W_ERROR_HAVE_NO_MEMORY(info2);
+               r->out.query->info1 = info1;
+               break;
+       case 2:
+               info2 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_2);
+               W_ERROR_HAVE_NO_MEMORY(info2);
 
-                       info2->flags                    = flags;
-                       info2->pdc_connection_status    = pdc_connection_status;
-                       info2->trusted_dc_name          = dc_name;
-                       info2->tc_connection_status     = tc_status;
+               info2->flags                    = flags;
+               info2->pdc_connection_status    = pdc_connection_status;
+               info2->trusted_dc_name          = dc_name;
+               info2->tc_connection_status     = tc_status;
 
-                       r->out.query->info2 = info2;
-                       break;
-               case 3:
-                       info3 = TALLOC_ZERO_P(p->mem_ctx, struct 
netr_NETLOGON_INFO_3);
-                       W_ERROR_HAVE_NO_MEMORY(info3);
+               r->out.query->info2 = info2;
+               break;
+       case 3:
+               info3 = TALLOC_ZERO_P(p->mem_ctx, struct netr_NETLOGON_INFO_3);
+               W_ERROR_HAVE_NO_MEMORY(info3);
 
-                       info3->flags                    = flags;
-                       info3->logon_attempts           = logon_attempts;
+               info3->flags                    = flags;
+               info3->logon_attempts           = logon_attempts;
 
-                       r->out.query->info3 = info3;
-                       break;
-               default:
-                       return WERR_UNKNOWN_LEVEL;
+               r->out.query->info3 = info3;
+               break;
+       default:
+               return WERR_UNKNOWN_LEVEL;
        }
 
         if (lp_server_role() == ROLE_DOMAIN_BDC) {
diff --git a/source3/winbindd/winbindd_cache.c 
b/source3/winbindd/winbindd_cache.c
index 6d48fe5..543b8b1 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -4359,6 +4359,7 @@ static bool wcache_opnum_cacheable(uint32_t opnum)
        case NDR_WBINT_QUERYSEQUENCENUMBER:
        case NDR_WBINT_ALLOCATEUID:
        case NDR_WBINT_ALLOCATEGID:
+       case NDR_WBINT_CHECKMACHINEACCOUNT:
                return false;
        }
        return true;
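Review bot: The added `case NDR_WBINT_CHECKMACHINEACCOUNT:` carries no comment explaining why this opnum is excluded from the cache. The reason is security-relevant: a cached reply would let a trust-secret check report success without contacting the DC. Suggest a one-line comment above the case such as `/* must always reach the DC; a cached answer could hide a broken trust secret */`. wcache_opnum_cacheable starts before this hunk, so the other cases are only partly visible.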
diff --git a/source3/winbindd/winbindd_check_machine_acct.c 
b/source3/winbindd/winbindd_check_machine_acct.c
index e3505cb..610e9ed 100644
--- a/source3/winbindd/winbindd_check_machine_acct.c
+++ b/source3/winbindd/winbindd_check_machine_acct.c
@@ -42,7 +42,16 @@ struct tevent_req 
*winbindd_check_machine_acct_send(TALLOC_CTX *mem_ctx,
                return NULL;
        }
 
-       domain = find_our_domain();
+       if (request->domain_name[0] == '0') {
+               /* preserve old behavior, when no domain name is given */
+               domain = find_our_domain();
+       } else {
+               domain = find_domain_from_name(request->domain_name);
+       }
+       if (domain == NULL) {
+               tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN);
+               return tevent_req_post(req, ev);
+       }
        if (domain->internal) {
                /*
                 * Internal domains are passdb based, we can always
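Review bot: `request->domain_name[0] == '0'` compares against the digit character `'0'`, not the NUL terminator, so the "no domain name given" branch is not taken for an empty name. An empty name is instead passed to `find_domain_from_name()`, while any domain whose name begins with the digit 0 is treated as our own domain. The line should read `if (request->domain_name[0] == '\0') {`. It is also worth confirming that `request->domain_name` is NUL-terminated before the lookup, since it arrives in a client request and the hunk does not show that. The function starts and ends outside this hunk.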
diff --git a/source3/winbindd/winbindd_dual_srv.c 
b/source3/winbindd/winbindd_dual_srv.c
index 179a771..3374861 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -437,13 +437,13 @@ again:
        /* Pass back result code - zero for success, other values for
           specific failures. */
 
-       DEBUG(3, ("secret is %s\n", NT_STATUS_IS_OK(status) ?
-                  "good" : "bad"));
+       DEBUG(3,("domain %s secret is %s\n", domain->name,
+               NT_STATUS_IS_OK(status) ? "good" : "bad"));
 
  done:
        DEBUG(NT_STATUS_IS_OK(status) ? 5 : 2,
-             ("Checking the trust account password returned %s\n",
-              nt_errstr(status)));
+             ("Checking the trust account password for domain %s returned 
%s\n",
+              domain->name, nt_errstr(status)));
 
        return status;
 }
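Review bot: Both DEBUG calls now dereference `domain->name`, and the second one sits under the `done:` label, which is reached by `goto` from code outside this hunk. If any of those jumps can occur before `domain` has been assigned and checked for NULL, the logging itself would crash the winbindd child. Please confirm from the full function that `domain` is valid on every path to `done:`, since the function's start is not visible here.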


-- 
Samba Shared Repository
