The branch, master has been updated
       via  ba4467c s3-winbindd: Implement SamLogon IRPC call
       via  eabe7d7 s3-winbind: Transparently forward IRPC messages to the winbind_dual child
       via  faa4452 s3-winbind rename winbindd_update_rodc_dns to be for more generic irpc
       via  f4ab082 librpc/idl: Merge wbint.idl with winbind.idl so we can forward IRPC requests to internal winbind calls
       via  223fbda s3-winbindd: Listen on IRPC and do forwarded DNS updates on an RODC
       via  cb79cc3 s3-winbindd: Register winbindd with irpc
       via  597d2a7 auth: Provide a way to use the auth stack for winbindd authentication
       via  2e961bf winbindd: Call set_dc_type_and_flags on the internal domain
       via  791c382 dsdb: Do not refresh the schema using the wrong event context
       via  8327321 dsdb: Do not store a struct ldb_dn in struct schema_data
       via  cda32d4 passdb: Do not routinely clear the global memory returned by get_global_sam_sid()
      from  6da8126 ctdb-eventscripts: New configuration variable CTDB_GANESHA_REC_SUBDIR
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ba4467ca65d5f85a2732da27d88760b684c6e30d
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu May 8 16:49:13 2014 +1200

    s3-winbindd: Implement SamLogon IRPC call

    We do this by lifting parts of the winbindd_dual_pam_auth_crap() code
    into a new helper function winbind_dual_SamLogon().

    This allows us to implement the semantics we need for IRPC, without
    the artifacts of the winbindd pipe protocol.

    Change-Id: Idb169217e6d68d387c99765d0af7ed394cb5b93a
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Kamen Mazdrashki <kame...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Jun 11 12:43:58 CEST 2014 on sn-devel-104

commit eabe7d732e6d9b64004bbb477384a1eae999815f
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu May 8 15:33:11 2014 +1200

    s3-winbind: Transparently forward IRPC messages to the winbind_dual child

    Change-Id: I8b336e2365e10ef9ea04d0957eb0829d3766b11e
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit faa4452df7f2add0b4b583a25365b43da8ec1305
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu May 8 14:46:06 2014 +1200

    s3-winbind rename winbindd_update_rodc_dns to be for more generic irpc

    Change-Id: I385ef8bd766848becc42e58694207dc94cd07a89
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit f4ab082d2b984b7deb3afbc7a26e238aa5b3b8c3
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu May 8 12:17:32 2014 +1200

    librpc/idl: Merge wbint.idl with winbind.idl so we can forward IRPC requests to internal winbind calls

    Change-Id: Iba3913d5a1c7f851b93f37e9beb6dbb20fbf7e55
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 223fbdaf3872fe71a75fec62813b91612af73a2b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue May 6 17:00:09 2014 +1200

    s3-winbindd: Listen on IRPC and do forwarded DNS updates on an RODC

    Change-Id: Ib87933c318f510d95f7008e122216d73803ede68
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit cb79cc342e30bb2bbac33868836ea13d2d594c30
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue May 6 13:39:12 2014 +1200

    s3-winbindd: Register winbindd with irpc

    Change-Id: Ie3c7109fef6982d95e8cad06870334565352e329
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 597d2a7a29f768f51cbcbc13de56a4dc349e20e4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Mar 27 12:58:05 2014 +1300

    auth: Provide a way to use the auth stack for winbindd authentication

    This adds in flags that allow winbindd to request authentication
    without directly calling into the auth_sam module.

    That in turn will allow winbindd to call auth_samba4 and so permit
    winbindd operation in the AD DC.

    Andrew Bartlett

    Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 2e961bf598e58178ce0d4ed5e35553acd882e436
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri May 16 18:10:23 2014 +1200

    winbindd: Call set_dc_type_and_flags on the internal domain

    This allows the AD DC to be picked up correctly and gives the correct
    DNS name. To ensure no confusion, we also always init it with the full
    DNS name.

    It also means that, aside from the BUILTIN domain, the initialized flag
    is set only in one place, which will help when we add more details to
    the domain structure in the future.

    This in turn allows kerberos authentication against winbindd on the
    AD DC.

    Andrew Bartlett

    Change-Id: Idc829cfe5f2e867c87107b49275b17f294821dcd
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 791c38282d681c60eaedb47803b9043991f5950d
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed May 14 20:12:03 2014 +1200

    dsdb: Do not refresh the schema using the wrong event context

    What we now do is have the refresh function and module be on a separate
    object to the schema, only referring to the data and not executing on
    the original ldb and event loop.

    That is, we never use another ldb context when calling the refresh
    function, by binding the refresh handler to the ldb and not the schema.

    Andrew Bartlett

    Change-Id: I5c323dda743cf5858badd01147fda6227599bc16
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 8327321225251e312ccbd06bbefa5ebf98099f34
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri May 23 16:06:17 2014 +1200

    dsdb: Do not store a struct ldb_dn in struct schema_data

    The issue is that the DN contains a pointer to the ldb it belongs to,
    and if this is not kept around long enough, we might reference memory
    after it is de-allocated.

    Andrew Bartlett

    Change-Id: I040a6c37a3164b3309f370e32e598dd56b1a1bbb
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit cda32d4e47aa3efb040eb60f1a0332ea8dd58417
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue May 13 17:47:03 2014 +1200

    passdb: Do not routinely clear the global memory returned by get_global_sam_sid()

    This avoids use-after-free errors and tdb database churn.

    Andrew Bartlett

    Change-Id: If7ab2e24556d9dffc7ad22c0489d665dd75a0cab
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Kamen Mazdrashki <kame...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/common_auth.h | 6 +-
 libcli/auth/netlogon_creds_cli.c | 265 ++++++++++++++++++++
 libcli/auth/netlogon_creds_cli.h | 14 +
 .../librpc/idl/wbint.idl => librpc/idl/winbind.idl | 27 ++-
 librpc/idl/wscript_build | 5 +
 librpc/wscript_build | 15 ++
 source3/auth/auth.c | 10 +-
 source3/auth/auth_sam.c | 2 +-
 source3/auth/auth_samba4.c | 26 ++-
 source3/include/auth.h | 5 +-
 source3/librpc/idl/wscript_build | 5 -
 source3/librpc/wscript_build | 14 -
 source3/passdb/machine_account_secrets.c | 10 +-
 source3/passdb/pdb_samba_dsdb.c | 46 +++-
 source3/winbindd/wb_dsgetdcname.c | 2 +-
 source3/winbindd/wb_fill_pwent.c | 2 +-
 source3/winbindd/wb_getgrsid.c | 2 +-
 source3/winbindd/wb_getpwsid.c | 2 +-
 source3/winbindd/wb_gettoken.c | 2 +-
 source3/winbindd/wb_gid2sid.c | 2 +-
 source3/winbindd/wb_group_members.c | 2 +-
 source3/winbindd/wb_lookupname.c | 2 +-
 source3/winbindd/wb_lookupsid.c | 2 +-
 source3/winbindd/wb_lookupsids.c | 2 +-
 source3/winbindd/wb_lookupuseraliases.c | 2 +-
 source3/winbindd/wb_lookupusergroups.c | 2 +-
 source3/winbindd/wb_next_grent.c | 2 +-
 source3/winbindd/wb_next_pwent.c | 2 +-
 source3/winbindd/wb_query_user_list.c | 2 +-
 source3/winbindd/wb_queryuser.c | 2 +-
 source3/winbindd/wb_seqnum.c | 2 +-
 source3/winbindd/wb_seqnums.c | 2 +-
 source3/winbindd/wb_sids2xids.c | 2 +-
 source3/winbindd/wb_uid2sid.c | 2 +-
 source3/winbindd/winbindd.c | 39 +++
 source3/winbindd/winbindd.h | 2 +-
 source3/winbindd/winbindd_allocate_gid.c | 2 +-
 source3/winbindd/winbindd_allocate_uid.c | 2 +-
 source3/winbindd/winbindd_cache.c | 8 +-
 source3/winbindd/winbindd_change_machine_acct.c | 2 +-
 source3/winbindd/winbindd_check_machine_acct.c | 2 +-
 source3/winbindd/winbindd_cm.c | 82 +++++-
 source3/winbindd/winbindd_dsgetdcname.c | 2 +-
 source3/winbindd/winbindd_dual_ndr.c | 6 +-
 source3/winbindd/winbindd_dual_srv.c | 74 ++++++-
 source3/winbindd/winbindd_getdcname.c | 2 +-
 source3/winbindd/winbindd_irpc.c | 166 ++++++++++++
 source3/winbindd/winbindd_list_groups.c | 2 +-
 source3/winbindd/winbindd_list_users.c | 2 +-
 source3/winbindd/winbindd_lookuprids.c | 2 +-
 source3/winbindd/winbindd_pam.c | 174 +++++++++----
 source3/winbindd/winbindd_ping_dc.c | 2 +-
 source3/winbindd/winbindd_proto.h | 19 ++
 source3/winbindd/winbindd_samr.c | 91 +-------
 source3/winbindd/winbindd_util.c | 16 +-
 source3/winbindd/winbindd_wins_byip.c | 2 +-
 source3/winbindd/winbindd_wins_byname.c | 2 +-
 source3/wscript_build | 6 +-
 source4/auth/auth.h | 1 +
 source4/auth/ntlm/auth.c | 5 +
 source4/auth/ntlm/auth_sam.c | 6 +-
 source4/dsdb/repl/drepl_out_helpers.c | 35 ++--
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 11 +-
 source4/dsdb/samdb/ldb_modules/samldb.c | 3 +-
 source4/dsdb/samdb/ldb_modules/schema_data.c | 16 +-
 source4/dsdb/samdb/ldb_modules/schema_load.c | 196 +++++++++------
 source4/dsdb/samdb/samdb.c | 7 -
 source4/dsdb/schema/schema.h | 9 +-
 source4/dsdb/schema/schema_init.c | 10 -
 source4/dsdb/schema/schema_set.c | 98 +++++--
 source4/libnet/libnet_vampire.c | 5 -
 source4/librpc/idl/wscript_build | 2 +-
 source4/librpc/wscript_build | 15 +-
 73 files changed, 1190 insertions(+), 426 deletions(-)
 rename source3/librpc/idl/wbint.idl => librpc/idl/winbind.idl (82%)
 create mode 100644 source3/winbindd/winbindd_irpc.c


Changeset truncated at 500 lines:

diff --git a/auth/common_auth.h b/auth/common_auth.h
index a40f7c2..d9bde01 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -25,7 +25,9 @@ #define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */ #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */ #define USER_INFO_DONT_CHECK_UNIX_ACCOUNT 0x04 /* don't check unix account status */ -#define USER_INFO_INTERACTIVE_LOGON 0x08 /* don't check unix account status */ +#define USER_INFO_INTERACTIVE_LOGON 0x08 /* Interactive logon */ +#define USER_INFO_LOCAL_SAM_ONLY 0x10 /* Only authenticate against the local SAM */ +#define USER_INFO_INFO3_AND_NO_AUTHZ 0x20 /* Only fill in server_info->info3 and do not do any authorization steps */ enum auth_password_state { AUTH_PASSWORD_PLAIN = 1, @@ -77,6 +79,8 @@ struct loadparm_context; struct ldb_context; struct smb_krb5_context; +#define AUTH_METHOD_LOCAL_SAM 0x01 + struct auth4_context { struct { /* Who set this up in the first place? */ diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c index 472a452..05a30da 100644 --- a/libcli/auth/netlogon_creds_cli.c +++ b/libcli/auth/netlogon_creds_cli.c 
@@ -2568,3 +2568,268 @@ NTSTATUS netlogon_creds_cli_LogonSamLogon( TALLOC_FREE(frame); return status; } + +struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state { + struct tevent_context *ev; + struct netlogon_creds_cli_context *context; + struct dcerpc_binding_handle *binding_handle; + + char *srv_name_slash; + enum dcerpc_AuthType auth_type; + enum dcerpc_AuthLevel auth_level; + + const char *site_name; + uint32_t dns_ttl; + struct NL_DNS_NAME_INFO_ARRAY *dns_names; + + struct netlogon_creds_CredentialState *creds; + struct netlogon_creds_CredentialState tmp_creds; + struct netr_Authenticator req_auth; + struct netr_Authenticator rep_auth; +}; + +static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(struct tevent_req *req, + NTSTATUS status); +static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_locked(struct tevent_req *subreq); + +struct tevent_req *netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct netlogon_creds_cli_context *context, + struct dcerpc_binding_handle *b, + const char *site_name, + uint32_t dns_ttl, + struct NL_DNS_NAME_INFO_ARRAY *dns_names) +{ + struct tevent_req *req; + struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state *state; + struct tevent_req *subreq; + bool ok; + + req = tevent_req_create(mem_ctx, &state, + struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state); + if (req == NULL) { + return NULL; + } + + state->ev = ev; + state->context = context; + state->binding_handle = b; + + state->srv_name_slash = talloc_asprintf(state, "\\\\%s", + context->server.computer); + if (tevent_req_nomem(state->srv_name_slash, req)) { + return tevent_req_post(req, ev); + } + + state->site_name = site_name; + state->dns_ttl = dns_ttl; + state->dns_names = dns_names; + + dcerpc_binding_handle_auth_info(state->binding_handle, + &state->auth_type, + &state->auth_level); + + subreq = netlogon_creds_cli_lock_send(state, 
state->ev, + state->context); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + + tevent_req_set_callback(subreq, + netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_locked, + req); + + return req; +} + +static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(struct tevent_req *req, + NTSTATUS status) +{ + struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state *state = + tevent_req_data(req, + struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state); + + if (state->creds == NULL) { + return; + } + + if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) && + !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) && + !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) && + !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) && + !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) { + TALLOC_FREE(state->creds); + return; + } + + netlogon_creds_cli_delete(state->context, &state->creds); +} + +static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_done(struct tevent_req *subreq); + +static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_locked(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, + struct tevent_req); + struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state *state = + tevent_req_data(req, + struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state); + NTSTATUS status; + + status = netlogon_creds_cli_lock_recv(subreq, state, + &state->creds); + TALLOC_FREE(subreq); + if (tevent_req_nterror(req, status)) { + return; + } + + if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + switch (state->auth_level) { + case DCERPC_AUTH_LEVEL_INTEGRITY: + case DCERPC_AUTH_LEVEL_PRIVACY: + break; + default: + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX); + return; + } + } else { + uint32_t tmp = state->creds->negotiate_flags; + + if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) { + /* + * if 
DCERPC_AUTH_TYPE_SCHANNEL is supported + * it should be used, which means + * we had a chance to verify no downgrade + * happened. + * + * This relies on netlogon_creds_cli_check* + * being called before, as first request after + * the DCERPC bind. + */ + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX); + return; + } + } + + /* + * we defer all callbacks in order to cleanup + * the database record. + */ + tevent_req_defer_callback(req, state->ev); + + state->tmp_creds = *state->creds; + netlogon_creds_client_authenticator(&state->tmp_creds, + &state->req_auth); + ZERO_STRUCT(state->rep_auth); + + subreq = dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords_send(state, state->ev, + state->binding_handle, + state->srv_name_slash, + state->tmp_creds.computer_name, + &state->req_auth, + &state->rep_auth, + state->site_name, + state->dns_ttl, + state->dns_names); + if (tevent_req_nomem(subreq, req)) { + status = NT_STATUS_NO_MEMORY; + netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status); + return; + } + + tevent_req_set_callback(subreq, + netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_done, + req); +} + +static void netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_done(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, + struct tevent_req); + struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state *state = + tevent_req_data(req, + struct netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_state); + NTSTATUS status; + NTSTATUS result; + bool ok; + + status = dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords_recv(subreq, state, + &result); + TALLOC_FREE(subreq); + if (tevent_req_nterror(req, status)) { + netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status); + return; + } + + ok = netlogon_creds_client_check(&state->tmp_creds, + &state->rep_auth.cred); + if (!ok) { + status = NT_STATUS_ACCESS_DENIED; + tevent_req_nterror(req, status); + 
netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status); + return; + } + + if (tevent_req_nterror(req, result)) { + netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, result); + return; + } + + *state->creds = state->tmp_creds; + status = netlogon_creds_cli_store(state->context, + &state->creds); + if (tevent_req_nterror(req, status)) { + netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status); + return; + } + + tevent_req_done(req); +} + +NTSTATUS netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_recv(struct tevent_req *req) +{ + NTSTATUS status; + + if (tevent_req_is_nterror(req, &status)) { + netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_cleanup(req, status); + tevent_req_received(req); + return status; + } + + tevent_req_received(req); + return NT_STATUS_OK; +} + +NTSTATUS netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords( + struct netlogon_creds_cli_context *context, + struct dcerpc_binding_handle *b, + const char *site_name, + uint32_t dns_ttl, + struct NL_DNS_NAME_INFO_ARRAY *dns_names) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct tevent_context *ev; + struct tevent_req *req; + NTSTATUS status = NT_STATUS_NO_MEMORY; + + ev = samba_tevent_context_init(frame); + if (ev == NULL) { + goto fail; + } + req = netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_send(frame, ev, context, b, + site_name, + dns_ttl, + dns_names); + if (req == NULL) { + goto fail; + } + if (!tevent_req_poll_ntstatus(req, ev, &status)) { + goto fail; + } + status = netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_recv(req); + fail: + TALLOC_FREE(frame); + return status; +} diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h index 90d0182..a910259 100644 --- a/libcli/auth/netlogon_creds_cli.h +++ b/libcli/auth/netlogon_creds_cli.h 
@@ -132,5 +132,19 @@ NTSTATUS netlogon_creds_cli_LogonSamLogon( union netr_Validation **validation, uint8_t *authoritative, uint32_t *flags); +struct tevent_req *netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct netlogon_creds_cli_context *context, + struct dcerpc_binding_handle *b, + const char *site_name, + uint32_t dns_ttl, + struct NL_DNS_NAME_INFO_ARRAY *dns_names); +NTSTATUS netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_recv(struct tevent_req *req); +NTSTATUS netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords( + struct netlogon_creds_cli_context *context, + struct dcerpc_binding_handle *b, + const char *site_name, + uint32_t dns_ttl, + struct NL_DNS_NAME_INFO_ARRAY *dns_names); #endif /* NETLOGON_CREDS_CLI_H */ diff --git a/source3/librpc/idl/wbint.idl b/librpc/idl/winbind.idl similarity index 82% rename from source3/librpc/idl/wbint.idl rename to librpc/idl/winbind.idl index f05107a..39e89c3 100644 --- a/source3/librpc/idl/wbint.idl +++ b/librpc/idl/winbind.idl @@ -9,8 +9,10 @@ import "lsa.idl", "netlogon.idl", "misc.idl", "security.idl", "idmap.idl"; helpstring("winbind parent-child protocol"), no_srv_register ] -interface wbint +interface winbind { + /* Private methods */ + void wbint_Ping( [in] uint32 in_data, [out] uint32 *out_data 
@@ -167,4 +169,27 @@ interface wbint NTSTATUS wbint_PingDc( [out,string,charset(UTF8)] char **dcname ); + + /* Public methods available via IRPC */ + + typedef [switch_type(uint16)] union netr_LogonLevel netr_LogonLevel; + typedef [switch_type(uint16)] union netr_Validation netr_Validation; + + /* + * do a netr_LogonSamLogon() against the right DC + */ + NTSTATUS winbind_SamLogon( + [in] uint16 logon_level, + [in] [switch_is(logon_level)] netr_LogonLevel logon, + [in] uint16 validation_level, + [out] [switch_is(validation_level)] netr_Validation validation, + [out] uint8 authoritative + ); + + NTSTATUS winbind_DsrUpdateReadOnlyServerDnsRecords( + [in,unique] [string,charset(UTF16)] uint16 *site_name, + [in] uint32 dns_ttl, + [in,out,ref] NL_DNS_NAME_INFO_ARRAY *dns_names + ); + } diff --git a/librpc/idl/wscript_build b/librpc/idl/wscript_build index f181786..d1484af 100644 --- a/librpc/idl/wscript_build +++ b/librpc/idl/wscript_build @@ -35,3 +35,8 @@ bld.SAMBA_PIDL_LIST('PIDL', 'dnsp.idl nfs4acl.idl', options='--header --ndr-parser --client --python', output_dir='../gen_ndr') + +bld.SAMBA_PIDL_LIST('PIDL', + 'winbind.idl', + options='--header --ndr-parser --samba3-ndr-server --client --python', + output_dir='../gen_ndr') diff --git a/librpc/wscript_build b/librpc/wscript_build index 1c2062f..393f579 100644 --- a/librpc/wscript_build +++ b/librpc/wscript_build @@ -663,3 +663,18 @@ bld.SAMBA_LIBRARY('dcerpc-binding', pc_files=[], public_headers='rpc/rpc_common.h', vnum='0.0.1') + +bld.SAMBA_SUBSYSTEM('NDR_WINBIND', + source='gen_ndr/ndr_winbind.c', + public_deps='ndr' + ) + +bld.SAMBA_SUBSYSTEM('RPC_NDR_WINBIND', + source='gen_ndr/ndr_winbind_c.c', + public_deps='dcerpc NDR_WINBIND' + ) + +bld.SAMBA3_SUBSYSTEM('SRV_NDR_WINBIND', + source='gen_ndr/srv_winbind.c', + public_deps='NDR_WINBIND' + ) diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 7718142..6d1192e 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c 
@@ -210,6 +210,11 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx, TALLOC_CTX *tmp_ctx; NTSTATUS result; + if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY + && !(auth_method->flags & AUTH_METHOD_LOCAL_SAM)) { + continue; + } + tmp_ctx = talloc_named(mem_ctx, 0, "%s authentication for user %s\\%s", @@ -253,7 +258,10 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx, if (NT_STATUS_IS_OK(nt_status)) { unix_username = (*pserver_info)->unix_name; - if (!(*pserver_info)->guest) { + + /* We skip doing this step if the caller asked us not to */ + if (!(user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ) + && !(*pserver_info)->guest) { const char *rhost; if (tsocket_address_is_inet(user_info->remote_host, "ip")) { diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index a34f9a5..c4100d5 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -121,7 +121,7 @@ static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *par } result->auth = auth_samstrict_auth; result->name = "sam"; - + result->flags = AUTH_METHOD_LOCAL_SAM; *auth_method = result; return NT_STATUS_OK; } diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c index d9d7151..284a91f 100644 --- a/source3/auth/auth_samba4.c +++ b/source3/auth/auth_samba4.c 
@@ -145,14 +145,23 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context, goto done; } - nt_status = make_server_info_info3(mem_ctx, user_info->client.account_name, - user_info->mapped.domain_name, server_info, - info3); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(10, ("make_server_info_info3 failed: %s\n", - nt_errstr(nt_status))); - TALLOC_FREE(frame); - return nt_status; + if (user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ) { + *server_info = make_server_info(mem_ctx); + if (*server_info == NULL) { + nt_status = NT_STATUS_NO_MEMORY; + goto done; + } + (*server_info)->info3 = talloc_steal(*server_info, info3); + + } else { + nt_status = make_server_info_info3(mem_ctx, user_info->client.account_name, + user_info->mapped.domain_name, server_info, + info3); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(10, ("make_server_info_info3 failed: %s\n", + nt_errstr(nt_status))); + goto done; + } } nt_status = NT_STATUS_OK; @@ -356,6 +365,7 @@ static NTSTATUS auth_init_samba4(struct auth_context *auth_context, result->auth = check_samba4_security; result->prepare_gensec = prepare_gensec; result->make_auth4_context = make_auth4_context_s4; + result->flags = AUTH_METHOD_LOCAL_SAM; if (param && *param) { auth_context->forced_samba4_methods = talloc_strdup(result, param); diff --git a/source3/include/auth.h b/source3/include/auth.h index acae5a8..d35936b 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -107,6 +107,8 @@ typedef struct auth_methods /* Used to keep tabs on things like the cli for SMB server authentication */ void *private_data; + uint32_t flags; + } auth_methods; -- Samba Shared Repository
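Review bot: the comment on USER_INFO_INFO3_AND_NO_AUTHZ in the first auth/common_auth.h hunk should say what the caller gets back and what it may do with it. The flag yields a server_info whose only populated member is info3, with the unix account, guest and remote-host steps all skipped, so the result must never be used as the basis of an access decision; a one-line warning next to the 0x20 definition ("caller is responsible for all authorization") would stop a future caller in smbd from setting it as a shortcut. The same hunk also fixes the copy-pasted "don't check unix account status" comment on USER_INFO_INTERACTIVE_LOGON, which is good.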
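Review bot: in netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_send the local `bool ok;` (declared right after `struct tevent_req *subreq;`) is never used in that function; it is only needed in the _done callback. Drop it from _send to keep the build clean under -Wunused-variable.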
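Review bot: in netlogon_creds_cli_DsrUpdateReadOnlyServerDnsRecords_done the `result` check sits before the credential store, and that order looks inverted. Once netlogon_creds_client_check() has accepted `rep_auth.cred`, the server has already stepped its credential chain to produce that return authenticator, so the advanced `tmp_creds` should be written back with `*state->creds = state->tmp_creds;` / netlogon_creds_cli_store() before `if (tevent_req_nterror(req, result))` is evaluated. As written, a server that validates the authenticator but rejects the update with a status the _cleanup helper does not treat as a reason to delete the record (anything other than the five NT_STATUS values listed there, e.g. NT_STATUS_NOT_SUPPORTED) leaves the stored client credentials one step behind the server, and the next call over this context will fail its authenticator check. Move the store block above the `result` check.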
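Review bot: in librpc/idl/winbind.idl the split between "Private methods" and "Public methods available via IRPC" exists only as a comment. The interface still carries `helpstring("winbind parent-child protocol")`, which is now stale, and every wbint_* call is generated into the same interface table as winbind_SamLogon and winbind_DsrUpdateReadOnlyServerDnsRecords. Please update the helpstring and say in the IDL comment where the wbint_* opnums are refused for IRPC callers (winbindd_irpc.c is beyond the 500-line truncation of this changeset, so it cannot be checked here); an IRPC peer that could reach wbint_Ping or wbint_PingDc would be driving the internal parent-child protocol without going through the normal winbindd request path.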
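Review bot: in librpc/wscript_build, SRV_NDR_WINBIND is declared with SAMBA3_SUBSYSTEM in the top-level librpc directory, right next to two SAMBA_SUBSYSTEM entries (NDR_WINBIND, RPC_NDR_WINBIND). Since the source3-style server stub comes from the `--samba3-ndr-server` option in librpc/idl/wscript_build, either keep the s3 server subsystem declaration in source3/ or add a comment explaining why a SAMBA3_SUBSYSTEM lives in the shared build file.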
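Review bot: in the first source3/auth/auth.c hunk, `user_info->flags & USER_INFO_LOCAL_SAM_ONLY && !(auth_method->flags & AUTH_METHOD_LOCAL_SAM)` relies on `&` binding tighter than `&&`; that is correct, but parenthesise the first term for readability. More importantly, when USER_INFO_LOCAL_SAM_ONLY is set and no method in the list carries AUTH_METHOD_LOCAL_SAM, every iteration hits `continue` and the loop ends without any method having run. Make sure the status returned on that path is an explicit failure (the initial value of nt_status is outside this hunk) rather than whatever the loop variable started as.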
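Review bot: in source3/auth/auth_sam.c only auth_init_sam gets `result->flags = AUTH_METHOD_LOCAL_SAM;`. If that file registers any other method that also authenticates against the local SAM, it needs the same flag, otherwise USER_INFO_LOCAL_SAM_ONLY callers will silently skip it via the new `continue` in auth_check_ntlm_password.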
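Review bot: in the USER_INFO_INFO3_AND_NO_AUTHZ branch of check_samba4_security (source3/auth/auth_samba4.c), the server_info returned by make_server_info() has only info3 attached: no unix_name, no security token, and `guest` left at its default. That matches the flag's comment, but the only thing keeping auth_check_ntlm_password from running its rhost/unix-account step on this incomplete object is that the second auth.c hunk tests the same flag bit; the two sites are coupled by convention rather than by the object. Add a comment at the make_server_info() call saying the result is deliberately partial. Also note the error path now does `goto done;` instead of `TALLOC_FREE(frame); return nt_status;`, which is only equivalent if the `done` label (outside the hunk) frees `frame`.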
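Review bot: the new `uint32_t flags;` in struct auth_methods (source3/include/auth.h) has no comment. Say that it holds AUTH_METHOD_* bits and that those are defined in auth/common_auth.h, since the field and its values now live in different headers.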