On Sat, 2012-06-16 at 10:14 +0200, Andrew Bartlett wrote: 
> The branch, master has been updated
>        via  4edd8b8 s3-auth: Remove auth_netlogond
>        via  9c715da s3-passdb: Remove pdb_ads

Andrew,
I would like you to revert these two commits ASAP.

Simo.

>        via  d949736 s4-classicupgrade: Also ask testparm for 'smb passwd file'
>        via  a0a2f79 WHATSNEW: Bump the version and announce the s3fs default
>        via  d9f7195 s4-classicupgrade: Use "samba classic" description for samba3 NT4-like domains in samba3upgrade
>        via  39766b7 s4-lib/param: FLAG DAY for the default FILE SERVER
>        via  b58dc18 s4-s3upgrade: Assert that administrator has a SID of -500, and only skip root if it is -500
>        via  61f7f01 s4-s3upgrade: Add my wins.dat and fix the parsing error
>        via  d0b60f0 s4-s3upgrade: improve idmap import to use posixAccount and posixGroup entries
>        via  3c65bac s4-idmap: Add mapping using uidNumber and gidNumber like idmap_ad
>       from  bbb7cbf Same fix as bug 8989 - Samba 3.5.x (and probably all other versions of Samba) does not send correct responses to NT Transact Secondary when no data and no params
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> 
> 
> - Log -----------------------------------------------------------------
> commit 4edd8b891a90a89a84fbfa3636cc568d247b04b2
> Author: Andrew Bartlett <abart...@samba.org>
> Date:   Sun Jun 3 10:56:46 2012 +1000
> 
>     s3-auth: Remove auth_netlogond
>     
>     auth_netlogond was an important module in the development of the
>     combined Samba 4.0, and was the first module to link smbd with the AD
>     authentication store, showing that it was possible for NTLM
>     authentication to be offloaded to the AD server components.
>     
>     We now have auth_samba4, which provides the full GENSEC stack to smbd,
>     which also matches exactly the group membership and privileges
>     assignment and which is supported and tested as part of the official
>     Samba 4.0 release configuration.
>     
>     Andrew Bartlett
>     
>     Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
>     Autobuild-Date(master): Sat Jun 16 10:13:20 CEST 2012 on sn-devel-104
> 
> commit 9c715da1cbc256b9ae9298618c92807592607c9b
> Author: Andrew Bartlett <abart...@samba.org>
> Date:   Sun Jun 3 10:54:06 2012 +1000
> 
>     s3-passdb: Remove pdb_ads
>     
>     pdb_ads was an important module in the development of the combined Samba 4.0, and
>     was the first module to show that standard samba3 tools such as smbpasswd can be
>     made to operate on the sam.ldb.
>     
>     We now have pdb_samba4, which operates directly on the sam.ldb, rather than via
>     ldapi://, which uses transactions and which is supported and tested as part
>     of the official Samba 4.0 release configuration.
>     
>     This module is not as complete (for example, it does not honour the idmap
>     configuration) and requires that the samba binary be running to operate.
>     
>     Andrew Bartlett
> 
> commit d949736f8dc02eec180723a55f4604b7b3aa83d8
> Author: Andrew Bartlett <abart...@samba.org>
> Date:   Sat Jun 16 15:34:50 2012 +1000
> 
>     s4-classicupgrade: Also ask testparm for 'smb passwd file'
> 
> commit a0a2f7999e20ab64dcbfca8299dbf0adfba0dea3
> Author: Andrew Bartlett <abart...@samba.org>
> Date:   Sat Jun 16 13:12:50 2012 +1000
> 
>     WHATSNEW: Bump the version and announce the s3fs default
> 
> commit d9f7195a1f5a12d5dc8865aa5553b61a4f770e3d
> Author: Andrew Bartlett <abart...@samba.org>
> Date:   Sat Jun 16 13:06:44 2012 +1000
> 
>     s4-classicupgrade: Use "samba classic" description for samba3 NT4-like domains in samba3upgrade
> 
> commit 39766b75a40fbab73fc23dd947de44f8349ed466
> Author: Andrew Bartlett <abart...@samba.org>
> Date:   Sat Jun 16 12:54:12 2012 +1000
> 
>     s4-lib/param: FLAG DAY for the default FILE SERVER
>     
>     This commit changes the default file server to be s3fs.  Existing
>     installs wishing to keep the ntvfs file server need to set this in
>     their smb.conf:
>     
>     server services = +smb -s3fs
>     dcerpc endpoint services = +winreg +srvsvc
>     
>     Andrew Bartlett
> 
> commit b58dc1826e69c61a30d38b05e7f451404670baef
> Author: Andrew Bartlett <abart...@samba.org>
> Date:   Sat Jun 16 14:19:42 2012 +1000
> 
>     s4-s3upgrade: Assert that administrator has a SID of -500, and only skip root if it is -500
>     
>     Many upgraded installations have root as -1000, and so that account needs to be kept.
>     
>     Andrew Bartlett
> 
> commit 61f7f0155465b14612f7ac29a12c442ff25031b4
> Author: Andrew Bartlett <abart...@samba.org>
> Date:   Sat Jun 16 13:58:06 2012 +1000
> 
>     s4-s3upgrade: Add my wins.dat and fix the parsing error
>     
>     The issue was that the numbers at the end of the lines are space
>     padded.
>     
>     Andrew Bartlett
> 
> commit d0b60f02dd3c324d4c990dae7334b228dddba075
> Author: Andrew Bartlett <abart...@samba.org>
> Date:   Sun Jun 10 20:42:25 2012 +1000
> 
>     s4-s3upgrade: improve idmap import to use posixAccount and posixGroup entries
> 
> commit 3c65bac0b6fc104f4bdf86beed775d13da00aaab
> Author: Andrew Bartlett <abart...@samba.org>
> Date:   Sun Jun 10 15:52:14 2012 +1000
> 
>     s4-idmap: Add mapping using uidNumber and gidNumber like idmap_ad
>     
>     This is a solution for users who are upgrading from Samba 3.x in
>     particular, or have clients that will be using idmap_ad.  This avoids
>     needing to have duplicate values in idmap.ldb and in the directory.
>     
>     No check for conflicts is made with the idmap.ldb - the AD store always 
> wins.
>     
>     Andrew Bartlett
> 
> -----------------------------------------------------------------------
> 
> Summary of changes:
>  WHATSNEW.txt                                       |   51 +-
>  lib/param/loadparm.c                               |    4 +-
>  selftest/target/Samba4.pm                          |    3 +-
>  source3/Makefile.in                                |    9 -
>  source3/auth/auth_netlogond.c                      |  448 ----
>  source3/auth/proto.h                               |    2 -
>  source3/auth/wscript_build                         |    9 -
>  source3/configure.in                               |    4 -
>  source3/passdb/pdb_ads.c                           | 2693 --------------------
>  source3/passdb/wscript_build                       |    9 -
>  source3/wscript                                    |    2 +-
>  source4/scripting/python/samba/netcmd/domain.py    |   19 +-
>  .../scripting/python/samba/provision/__init__.py   |    8 +-
>  source4/scripting/python/samba/samba3/__init__.py  |    3 +-
>  source4/scripting/python/samba/upgrade.py          |   45 +-
>  source4/setup/tests/blackbox_s3upgrade.sh          |    9 +-
>  source4/winbind/idmap.c                            |  124 +-
>  source4/winbind/idmap.h                            |    1 +
>  testdata/samba3/wins.dat2                          |   23 +
>  19 files changed, 243 insertions(+), 3223 deletions(-)
>  delete mode 100644 source3/auth/auth_netlogond.c
>  delete mode 100644 source3/passdb/pdb_ads.c
>  create mode 100644 testdata/samba3/wins.dat2
> 
> 
> Changeset truncated at 500 lines:
> 
> diff --git a/WHATSNEW.txt b/WHATSNEW.txt
> index cb35f08..b6c9523 100644
> --- a/WHATSNEW.txt
> +++ b/WHATSNEW.txt
> @@ -1,4 +1,4 @@
> -What's new in Samba 4 beta1
> +What's new in Samba 4 beta2
>  =============================
>  
>  Samba 4.0 will be the next version of the Samba suite and incorporates
> @@ -11,7 +11,7 @@ and above.
>  WARNINGS
>  ========
>  
> -Samba4 beta1 is not a final Samba release, however we are now making
> +Samba4 beta2 is not a final Samba release, however we are now making
>  good progress towards a Samba 4.0 release, of which this is a preview.
>  Be aware the this release contains the best of all of Samba's
>  technology parts, both a file server (that you can reasonably expect
> @@ -28,13 +28,26 @@ different stability characteristics compared with our 
> previous default
>  file server.  We are making this release so that we can find and fix
>  any of these issues that arise in the real world.  New AD DC
>  installations can provision or join with --use-ntvfs to obtain the
> -previous default file server.  Existing installations will be
> -unaffected at this stage.
> +previous default file server.  See below how to continue using ntvfs
> +in an existing installation.
>  
>  If you are upgrading, or looking to develop, test or deploy Samba 4.0
>  beta releases, you should backup all configuration and data.
>  
> 
> +UPGRADING
> +=========
> +
> +Users upgrading from Samba 3.x domain controllers and wanting to use
> +Samba 4.0 as an AD DC should use the 'samba-tool domain
> +classicupgrade' command.  See the wiki for more details:
> +https://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO 
> +
> +Users upgrading from Samba 4.0 alpha and beta releases since alpha15 
> +should run 'samba-tool dbcheck --cross-ncs --fix'.  Users upgrading
> +from earlier alpha releases should contact the team for advice. 
> +
> +
>  NEW FEATURES
>  ============
>  
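Review bot: the added lines ending in "HOWTO ", "alpha15 " and "advice. " carry trailing whitespace; strip it before merging. In the same hunk, "See below how to continue using ntvfs in an existing installation" reads better as "See below for how to continue using ntvfs in an existing installation".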
> @@ -81,41 +94,33 @@ Python programs to interface to Samba's internals, and 
> many tools and
>  internal workings of the DC code is now implemented in python.
>  
> 
> -CHANGES SINCE alpha21
> +CHANGES SINCE beta1
>  =====================
>  
> -For a list of changes since alpha21, please see the git log.
> +For a list of changes since beta1, please see the git log.
>  
>  $ git clone git://git.samba.org/samba.git
>  $ cd samba.git
> -$ git log samba-4.0.0alpha21..samba-4.0.0beta1
> +$ git log samba-4.0.0beta1..samba-4.0.0beta2
>  
>  Some major user-visible changes include:
>  
> -The internal DNS server has had some stability improvements, and
> -now handles forwarded DNS replies in an async manner.
> -
> -The build of libtdb.so and libtalloc.so has been removed from the
> -autoconf build.  Use the build in lib/talloc and lib/tdb to build
> -this software for use across the system.
> -
> -The smbclient and nmblookup binaries have been renamed in the top
> -level build, so smbclient/nmblookup are now the implementations from
> -the Samba 3.x heritage.
> +The default file server for EXISTING USERS has changed to s3fs.  To
> +continue to use ntvfs, you must set in your smb.conf:
>  
> -Improved handling of the cleanup of smbd child processes (removing a
> -number of scary warnings from our log output).
> +    server services = +smb -s3fs
> +    dcerpc endpoint services = +winreg +srvsvc
>  
> -Much improved support for FreeBSD, including extended attribute
> -support on the filesystem for the AD DC.
> +samba-tool dbcheck will now upgrade older databases that are missing
> +GUIDs in the schema partition.  
>  
> 
>  KNOWN ISSUES
>  ============
>  
> -- We are making this beta release to gain real-world use of the 's3fs'
> +- This release makes the s3fs file server the default, as this is the
>    file server combination we will use for the Samba 4.0 release.
> -  Users should expect some rough edges: in particular, there are
> +  Users should still expect some rough edges: in particular, there are
>    warnings about invalid parameters from the two respective parameter
>    parsing engines.
>  
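Review bot: the smb.conf snippet added under "Some major user-visible changes" names the parameter "dcerpc endpoint services", but lib/param/loadparm.c in this same push sets "dcerpc endpoint servers", and selftest/target/Samba4.pm uses "dcerpc endpoint servers" as well; a user who copies the documented line verbatim is setting a name that does not match the parameter the code reads and will not get winreg and srvsvc back. Change the WHATSNEW line to `    dcerpc endpoint servers = +winreg +srvsvc` (the commit message of 39766b7 repeats the same misspelling). The line "GUIDs in the schema partition.  " also has trailing whitespace, and this list of changes since beta1 does not mention that the auth_netlogond and pdb_ads modules were removed in the same push.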
> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
> index 5749c34..41c8cc6 100644
> --- a/lib/param/loadparm.c
> +++ b/lib/param/loadparm.c
> @@ -3312,8 +3312,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX 
> *mem_ctx)
>       lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
>       lpcfg_do_global_parameter(lp_ctx, "max connections", "-1");
>  
> -     lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper 
> srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup 
> unixinfo browser eventlog6 backupkey dnsserver");
> -     lpcfg_do_global_parameter(lp_ctx, "server services", "smb rpc nbt wrepl 
> ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate");
> +     lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper 
> wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser 
> eventlog6 backupkey dnsserver");
> +     lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt 
> wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate");
>       lpcfg_do_global_parameter(lp_ctx, "ntptr providor", "simple_ldb");
>       /* the winbind method for domain controllers is for both RODC
>          auth forwarding and for trusted domains */
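Review bot: the two new defaults are only correct together: "dcerpc endpoint servers" drops winreg and srvsvc because s3fs is expected to provide them, and "server services" swaps smb for s3fs. An existing smb.conf that sets "server services" to an explicit list containing smb (rather than the documented "+smb -s3fs") while leaving "dcerpc endpoint servers" at its default will now run ntvfs with no winreg and no srvsvc endpoint at all. Consider keeping winreg and srvsvc in the default endpoint list whenever s3fs is not among the active server services, or at least call this combination out in WHATSNEW.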
> diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
> index 954cf9c..2c26ffc 100644
> --- a/selftest/target/Samba4.pm
> +++ b/selftest/target/Samba4.pm
> @@ -580,7 +580,8 @@ sub provision_raw_step1($$)
>       panic action = $RealBin/gdb_backtrace \%d
>       wins support = yes
>       server role = $ctx->{server_role}
> -     server services = +echo +dns
> +     server services = +echo +dns +smb -s3fs
> +        dcerpc endpoint servers = +winreg +srvsvc
>       notify:inotify = false
>       ldb:nosync = true
>  #We don't want to pass our self-tests if the PAC code is wrong
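Review bot: the added "dcerpc endpoint servers" line is indented differently from the surrounding smb.conf lines in this heredoc; match the neighbours. More importantly, the selftest provision now opts out of the new default with "+smb -s3fs", so after this flag day the configuration every fresh install gets is precisely the one the self-tests no longer exercise; add at least one test environment that provisions with the defaults so the s3fs path is covered.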
> diff --git a/source3/Makefile.in b/source3/Makefile.in
> index 43dfb94..e7a0a7d 100644
> --- a/source3/Makefile.in
> +++ b/source3/Makefile.in
> @@ -906,7 +906,6 @@ AUTH_UNIX_OBJ = auth/auth_unix.o
>  AUTH_WINBIND_OBJ = auth/auth_winbind.o
>  AUTH_WBC_OBJ = auth/auth_wbc.o
>  AUTH_SCRIPT_OBJ = auth/auth_script.o
> -AUTH_NETLOGOND_OBJ = auth/auth_netlogond.o
>  
>  AUTH_OBJ = auth/auth.o @AUTH_STATIC@ auth/auth_util.o auth/token_util.o \
>          auth/server_info.o \
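Review bot: removing AUTH_NETLOGOND_OBJ here is only half of the autoconf side; the module name must also leave the list in source3/configure.in that feeds @AUTH_STATIC@, otherwise a static build still references the deleted object. The summary shows a 4-line change to source3/configure.in, but it falls past the 500-line truncation, so it cannot be checked from this mail.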
> @@ -2656,10 +2655,6 @@ bin/script.@SHLIBEXT@: $(BINARY_PREREQS) 
> $(AUTH_SCRIPT_OBJ)
>       @echo "Building plugin $@"
>       @$(SHLD_MODULE) $(AUTH_SCRIPT_OBJ)
>  
> -bin/netlogond.@SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_NETLOGOND_OBJ)
> -     @echo "Building plugin $@"
> -     @$(SHLD_MODULE) $(AUTH_NETLOGOND_OBJ)
> -
>  bin/winbind.@SHLIBEXT@: $(BINARY_PREREQS) $(AUTH_WINBIND_OBJ)
>       @echo "Building plugin $@"
>       @$(SHLD_MODULE) $(AUTH_WINBIND_OBJ)
> @@ -2682,10 +2677,6 @@ bin/ldapsam.@SHLIBEXT@: $(BINARY_PREREQS) 
> passdb/pdb_ldap.o passdb/pdb_nds.o \
>       @$(SHLD_MODULE) passdb/pdb_ldap.o passdb/pdb_nds.o passdb/pdb_ipa.o \
>                       passdb/pdb_ldap_util.o $(LDAP_LIBS)
>  
> -bin/ads.@SHLIBEXT@: $(BINARY_PREREQS) passdb/pdb_ads.o
> -     @echo "Building plugin $@"
> -     @$(SHLD_MODULE) passdb/pdb_ads.o
> -
>  bin/tdbsam.@SHLIBEXT@: $(BINARY_PREREQS) passdb/pdb_tdb.o
>       @echo "Building plugin $@"
>       @$(SHLD_MODULE) passdb/pdb_tdb.o
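Review bot: with the bin/ads passdb plugin gone, any existing smb.conf that still selects that backend via "passdb backend" will fail to load it at startup, and neither this commit message nor the WHATSNEW hunk above names the replacement (pdb_samba4, per the commit message of 9c715da) or tells users what to change. Add a migration note to WHATSNEW alongside the s3fs flag-day text.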
> diff --git a/source3/auth/auth_netlogond.c b/source3/auth/auth_netlogond.c
> deleted file mode 100644
> index 7fb0374..0000000
> --- a/source3/auth/auth_netlogond.c
> +++ /dev/null
> @@ -1,448 +0,0 @@
> -/*
> -   Unix SMB/CIFS implementation.
> -   Authenticate against a netlogon pipe listening on a unix domain socket
> -   Copyright (C) Volker Lendecke 2008
> -
> -   This program is free software; you can redistribute it and/or modify
> -   it under the terms of the GNU General Public License as published by
> -   the Free Software Foundation; either version 3 of the License, or
> -   (at your option) any later version.
> -
> -   This program is distributed in the hope that it will be useful,
> -   but WITHOUT ANY WARRANTY; without even the implied warranty of
> -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -   GNU General Public License for more details.
> -
> -   You should have received a copy of the GNU General Public License
> -   along with this program.  If not, see <http://www.gnu.org/licenses/>.
> -*/
> -
> -#include "includes.h"
> -#include "auth.h"
> -#include "../libcli/auth/libcli_auth.h"
> -#include "../librpc/gen_ndr/ndr_netlogon.h"
> -#include "librpc/gen_ndr/ndr_schannel.h"
> -#include "rpc_client/cli_pipe.h"
> -#include "rpc_client/cli_netlogon.h"
> -#include "secrets.h"
> -#include "tldap.h"
> -#include "tldap_util.h"
> -
> -#undef DBGC_CLASS
> -#define DBGC_CLASS DBGC_AUTH
> -
> -static bool secrets_store_local_schannel_creds(
> -     const struct netlogon_creds_CredentialState *creds)
> -{
> -     DATA_BLOB blob;
> -     enum ndr_err_code ndr_err;
> -     bool ret;
> -
> -     ndr_err = ndr_push_struct_blob(
> -             &blob, talloc_tos(), creds,
> -             (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
> -     if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -             DEBUG(10, ("ndr_push_netlogon_creds_CredentialState failed: "
> -                        "%s\n", ndr_errstr(ndr_err)));
> -             return false;
> -     }
> -     ret = secrets_store(SECRETS_LOCAL_SCHANNEL_KEY,
> -                         blob.data, blob.length);
> -     data_blob_free(&blob);
> -     return ret;
> -}
> -
> -static struct netlogon_creds_CredentialState *
> -secrets_fetch_local_schannel_creds(TALLOC_CTX *mem_ctx)
> -{
> -     struct netlogon_creds_CredentialState *creds;
> -     enum ndr_err_code ndr_err;
> -     DATA_BLOB blob;
> -
> -     blob.data = (uint8_t *)secrets_fetch(SECRETS_LOCAL_SCHANNEL_KEY,
> -                                          &blob.length);
> -     if (blob.data == NULL) {
> -             DEBUG(10, ("secrets_fetch failed\n"));
> -             return NULL;
> -     }
> -
> -     creds = talloc(mem_ctx, struct netlogon_creds_CredentialState);
> -     if (creds == NULL) {
> -             DEBUG(10, ("talloc failed\n"));
> -             SAFE_FREE(blob.data);
> -             return NULL;
> -     }
> -     ndr_err = ndr_pull_struct_blob(
> -             &blob, creds, creds,
> -             (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
> -     SAFE_FREE(blob.data);
> -     if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
> -             DEBUG(10, ("ndr_pull_netlogon_creds_CredentialState failed: "
> -                        "%s\n", ndr_errstr(ndr_err)));
> -             TALLOC_FREE(creds);
> -             return NULL;
> -     }
> -
> -     return creds;
> -}
> -
> -static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx,
> -                                const struct auth_context *auth_context,
> -                                const char *ncalrpc_sockname,
> -                                struct netlogon_creds_CredentialState *creds,
> -                                const struct auth_usersupplied_info 
> *user_info,
> -                                struct netr_SamInfo3 **pinfo3,
> -                                NTSTATUS *schannel_bind_result)
> -{
> -     struct rpc_pipe_client *p = NULL;
> -     struct pipe_auth_data *auth = NULL;
> -     struct netr_SamInfo3 *info3 = NULL;
> -     NTSTATUS status;
> -
> -     *schannel_bind_result = NT_STATUS_OK;
> -
> -     status = rpc_pipe_open_ncalrpc(talloc_tos(), ncalrpc_sockname,
> -                                    &ndr_table_netlogon.syntax_id, &p);
> -     if (!NT_STATUS_IS_OK(status)) {
> -             DEBUG(10, ("rpc_pipe_open_ncalrpc failed: %s\n",
> -                        nt_errstr(status)));
> -             return status;
> -     }
> -
> -     p->dc = creds;
> -
> -     status = rpccli_schannel_bind_data(p, lp_workgroup(),
> -                                        DCERPC_AUTH_LEVEL_PRIVACY,
> -                                        p->dc, &auth);
> -     if (!NT_STATUS_IS_OK(status)) {
> -             DEBUG(10, ("rpccli_schannel_bind_data failed: %s\n",
> -                        nt_errstr(status)));
> -             TALLOC_FREE(p);
> -             return status;
> -     }
> -
> -     status = rpc_pipe_bind(p, auth);
> -     if (!NT_STATUS_IS_OK(status)) {
> -             DEBUG(10, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
> -             TALLOC_FREE(p);
> -             *schannel_bind_result = status;
> -             return status;
> -     }
> -
> -     status = rpccli_netlogon_sam_network_logon_ex(
> -             p, p,
> -             user_info->logon_parameters,           /* flags such as 'allow
> -                                                     * workstation logon' */
> -             lp_netbios_name(),                       /* server name */
> -             user_info->client.account_name,        /* user name logging on. 
> */
> -             user_info->client.domain_name,         /* domain name */
> -             user_info->workstation_name,           /* workstation name */
> -             (uchar *)auth_context->challenge.data, /* 8 byte challenge. */
> -             3,                                     /* validation level */
> -             user_info->password.response.lanman,   /* lanman 24 byte 
> response */
> -             user_info->password.response.nt,       /* nt 24 byte response */
> -             &info3);                               /* info3 out */
> -
> -     DEBUG(10, ("rpccli_netlogon_sam_network_logon_ex returned %s\n",
> -                nt_errstr(status)));
> -
> -     if (!NT_STATUS_IS_OK(status)) {
> -             TALLOC_FREE(p);
> -             return status;
> -     }
> -
> -     *pinfo3 = talloc_move(mem_ctx, &info3);
> -
> -     TALLOC_FREE(p);
> -     return NT_STATUS_OK;
> -}
> -
> -static NTSTATUS get_ldapi_ctx(TALLOC_CTX *mem_ctx, struct tldap_context 
> **pld)
> -{
> -     struct tldap_context *ld;
> -     struct sockaddr_un addr;
> -     char *sockaddr;
> -     int fd;
> -     NTSTATUS status;
> -     int res;
> -
> -     sockaddr = talloc_asprintf(talloc_tos(), "/%s/ldap_priv/ldapi",
> -                                lp_private_dir());
> -     if (sockaddr == NULL) {
> -             DEBUG(10, ("talloc failed\n"));
> -             return NT_STATUS_NO_MEMORY;
> -     }
> -
> -     ZERO_STRUCT(addr);
> -     addr.sun_family = AF_UNIX;
> -     strncpy(addr.sun_path, sockaddr, sizeof(addr.sun_path));
> -     TALLOC_FREE(sockaddr);
> -
> -     status = open_socket_out((struct sockaddr_storage *)(void *)&addr,
> -                              0, 0, &fd);
> -     if (!NT_STATUS_IS_OK(status)) {
> -             DEBUG(10, ("Could not connect to %s: %s\n", addr.sun_path,
> -                        nt_errstr(status)));
> -             return status;
> -     }
> -     set_blocking(fd, false);
> -
> -     ld = tldap_context_create(mem_ctx, fd);
> -     if (ld == NULL) {
> -             close(fd);
> -             return NT_STATUS_NO_MEMORY;
> -     }
> -     res = tldap_fetch_rootdse(ld);
> -     if (res != TLDAP_SUCCESS) {
> -             DEBUG(10, ("tldap_fetch_rootdse failed: %s\n",
> -                        tldap_errstr(talloc_tos(), ld, res)));
> -             TALLOC_FREE(ld);
> -             return NT_STATUS_LDAP(res);
> -     }
> -     *pld = ld;
> -     return NT_STATUS_OK;;
> -}
> -
> -static NTSTATUS mymachinepw(uint8_t pwd[16])
> -{
> -     TALLOC_CTX *frame = talloc_stackframe();
> -     struct tldap_context *ld = NULL;
> -     struct tldap_message *rootdse, **msg;
> -     const char *attrs[1] = { "unicodePwd" };
> -     char *default_nc, *myname;
> -     int rc, num_msg;
> -     DATA_BLOB pwdblob;
> -     NTSTATUS status;
> -
> -     status = get_ldapi_ctx(talloc_tos(), &ld);
> -     if (!NT_STATUS_IS_OK(status)) {
> -             goto fail;
> -     }
> -     rootdse = tldap_rootdse(ld);
> -     if (rootdse == NULL) {
> -             DEBUG(10, ("Could not get rootdse\n"));
> -             status = NT_STATUS_INTERNAL_ERROR;
> -             goto fail;
> -     }
> -     default_nc = tldap_talloc_single_attribute(
> -             rootdse, "defaultNamingContext", talloc_tos());
> -     if (default_nc == NULL) {
> -             DEBUG(10, ("Could not get defaultNamingContext\n"));
> -             status = NT_STATUS_NO_MEMORY;
> -             goto fail;
> -     }
> -     DEBUG(10, ("default_nc = %s\n", default_nc));
> -
> -     myname = talloc_asprintf_strupper_m(talloc_tos(), "%s$",
> -                                         lp_netbios_name());
> -     if (myname == NULL) {
> -             DEBUG(10, ("talloc failed\n"));
> -             status = NT_STATUS_NO_MEMORY;
> -             goto fail;
> -     }
> -
> -     rc = tldap_search_fmt(
> -             ld, default_nc, TLDAP_SCOPE_SUB, attrs, ARRAY_SIZE(attrs), 0,
> -             talloc_tos(), &msg,
> -             "(&(sAMAccountName=%s)(objectClass=computer))", myname);
> -     if (rc != TLDAP_SUCCESS) {
> -             DEBUG(10, ("Could not retrieve our account: %s\n",
> -                        tldap_errstr(talloc_tos(), ld, rc)));
> -             status = NT_STATUS_LDAP(rc);
> -             goto fail;
> -     }
> -     num_msg = talloc_array_length(msg);
> -     if (num_msg != 1) {
> -             DEBUG(10, ("Got %d accounts, expected one\n", num_msg));
> -             status = NT_STATUS_INTERNAL_DB_CORRUPTION;
> -             goto fail;
> -     }
> -     if (!tldap_get_single_valueblob(msg[0], "unicodePwd", &pwdblob)) {
> -             char *dn = NULL;
> -             tldap_entry_dn(msg[0], &dn);
> -             DEBUG(10, ("No unicodePwd attribute in %s\n",
> -                        dn ? dn : "<unknown DN>"));
> -             status = NT_STATUS_INTERNAL_DB_CORRUPTION;
> -             goto fail;
> -     }
> -     if (pwdblob.length != 16) {
> -             DEBUG(10, ("Password hash hash has length %d, expected 16\n",
> -                        (int)pwdblob.length));
> -             status = NT_STATUS_INTERNAL_DB_CORRUPTION;
> -             goto fail;
> -     }
> -     memcpy(pwd, pwdblob.data, 16);
> -
> -fail:
> -     TALLOC_FREE(frame);
> -     return status;
> -}
> -
> -static NTSTATUS check_netlogond_security(const struct auth_context 
> *auth_context,
> -                                      void *my_private_data,
> -                                      TALLOC_CTX *mem_ctx,
> -                                      const struct auth_usersupplied_info 
> *user_info,
> -                                      struct auth_serversupplied_info 
> **server_info)
> -{
> -     TALLOC_CTX *frame = talloc_stackframe();
> -     struct netr_SamInfo3 *info3 = NULL;
> -     struct rpc_pipe_client *p = NULL;
> -     struct pipe_auth_data *auth = NULL;
> -     uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> -     uint8_t machine_password[16];
> -     struct netlogon_creds_CredentialState *creds;
> -     NTSTATUS schannel_bind_result, status;
> -     struct named_mutex *mutex = NULL;
> -     const char *ncalrpcsock;
> -
> -     DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
> -
> -     ncalrpcsock = lp_parm_const_string(
> -             GLOBAL_SECTION_SNUM, "auth_netlogond", "socket", NULL);
> -
> -     if (ncalrpcsock == NULL) {
> -             ncalrpcsock = talloc_asprintf(talloc_tos(), "%s/%s",
> -                                           get_dyn_NCALRPCDIR(), "DEFAULT");
> -     }
> -
> -     if (ncalrpcsock == NULL) {
> -             status = NT_STATUS_NO_MEMORY;
> -             goto done;
> -     }
> -
> -     creds = secrets_fetch_local_schannel_creds(talloc_tos());
> -     if (creds == NULL) {
> -             goto new_key;
> -     }
> -
> -     status = netlogond_validate(talloc_tos(), auth_context, ncalrpcsock,
> -                                 creds, user_info, &info3,
> -                                 &schannel_bind_result);
> -
> -     DEBUG(10, ("netlogond_validate returned %s\n", nt_errstr(status)));
> -
> -     if (NT_STATUS_IS_OK(status)) {
> -             goto okay;
> -     }
> -
> -     if (NT_STATUS_IS_OK(schannel_bind_result)) {
> -             /*
> -              * This is a real failure from the DC
> 
> 
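Review bot: this deletion also removes the only reader of the "auth_netlogond:socket" parameter and of the SECRETS_LOCAL_SCHANNEL_KEY entry written by secrets_store_local_schannel_creds, so an installation whose "auth methods" list still names netlogond will fail to find the module, and the schannel credentials it stored in the secrets store are left orphaned; neither the commit message nor WHATSNEW says that auth_samba4 is the replacement or that the stored entry can be removed. The changeset is truncated at 500 lines at this point, so the remainder of this file and the whole source3/passdb/pdb_ads.c removal could not be reviewed from this mail.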


-- 
Simo Sorce
Samba Team GPL Compliance Officer <s...@samba.org>
Principal Software Engineer at Red Hat, Inc. <s...@redhat.com>
