The branch, v4-5-stable has been updated via 3c9bc04 VERSION: Disable GIT_SNAPSHOTS for the 4.5.13 release. via 0247ece WHATSNEW: Add release notes for Samba 4.5.13. via 2339d4b vfs_fruit: factor out common code from ad_get() and ad_fget() via b559efc vfs_fruit: return fake pipe fd in fruit_open_meta_netatalk() via 379dbb5 vfs_fruit: don't open basefile in ad_open() and simplify API via d6c9916 vfs_fruit: use path based setxattr call in ad_fset() via 12c818b s4/torture: additional tests for kernel-oplocks via c03af9f s4/torture: reproducer for kernel oplocks issue with streams via 38d8b62 vfs_streams_xattr: return a fake fd in streams_xattr_open() via f7e96ae vfs_streams_xattr: implement all missing handle based VFS functions via 62c9719 vfs_streams_xattr: always pass NULL as fsp arg to get_ea_value() via 10b04e9 vfs_streams_xattr: remove fsp argument from get_xattr_size() via c642283 vfs_streams_xattr: remove all uses of fd, use name based functions via da22be9 vfs_streams_xattr: invalidate stat info if xattr was not found via 715e1c9 s3: torture: Add a test for cli_setpathinfo_basic() to smbtorture3. via 57f129b s3: libsmb: Implement cli_smb2_setatr() by calling cli_smb2_setpathinfo(). via a6f4924 s3: libsmb: Add cli_smb2_setpathinfo(), to be called by cli_setpathinfo_basic(). via bfa7ac0 s3: libsmbclient: Fix cli_setpathinfo_basic() to treat mode == -1 as no change. via ad113e0 vfs_gpfs: handle EACCES when fetching DOS attributes from xattr via c493d8e s3/smbd: handle EACCES when fetching DOS attributes from xattr via 5b3f031 s3/smbd: handling of failed DOS attributes reading via 9792ec2 s3: libsmb: Reverse sense of 'clear all attributes', ignore attribute change in SMB2 to match SMB1. via 3475d11 vfs_ceph: fix cephwrap_chdir() via cfa8c18 s3: smbd: Fix a read after free if a chained SMB1 call goes async. via 5d740e4 s3: libsmb: Fix use-after-free when accessing pointer *p. 
via 5659328 s3/notifyd: ensure notifyd doesn't return from smbd_notifyd_init via dbb2814 vfs_fruit: don't use MS NFS ACEs with Windows clients via 35cba47 vfs_fruit: add fruit:model = <modelname> parametric option via 6512059 selftest:Samba3: call "net primarytrust dumpinfo" setup_nt4_member() after the join via 6c728cc s3:secrets: remove unused secrets_store_[prev_]machine_password() via ad1e456 s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password() via 7d86014 net: make use of secrets_*_password_change() for "net changesecretpw" via ab5109f s3:trusts_util: make use the workstation password change more robust via 75a05ad s3:libnet: make use of secrets_store_JoinCtx() via d9a2394 net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust via f3da295 s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials via 97b72e3 secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts via 4d66652 netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension via 19addd1 netlogon.idl: make netr_TrustFlags [public] via e635a4f lsa.idl: make lsa_DnsDomainInfo [public] via 1e5489d s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth() via 399945b libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*() via 0c7de3c libcli/auth: add const to set_pw_in_buffer() via 09461fe libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*() via c1d6f18 s3:trusts_util: pass dcname to trust_pw_change() via 9afd00e s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex() via 3c3765f s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key via 64b3919 s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too via 04384a4 s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables via a920733 s3:secrets: 
replace secrets_delete_prev_machine_password() by secrets_delete() via fdbf0de s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value via 96319f6 s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync() via 1bbefc1 s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys via f5dc61c s3:secrets: rename secrets_delete() to secrets_delete_entry() via f30adda s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync() via 0a36325 s3:secrets: add some const to secrets_store_domain_guid() via ec6b939 s3:secrets: split out a domain_guid_keystr() function via de0f730 s3:secrets: rework des_salt_key() to take the realm as argument via fd161f1 s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c via 701361c s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ() via 24478a5 s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry() via aa2f79b s3:libnet: make use of kerberos_secrets_fetch_salt_princ() via 0aa6bfd s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ() via 2ef7d5a s3:libads: provide a simpler kerberos_fetch_salt_princ() function via 0f4d181 s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback via 87b27a5 s3:libnet_join: move kerberos_secrets_store_des_salt() to libnet_join_joindomain_store_secrets() via 00a2ce6 s3:libnet_join: move libnet_join_joindomain_store_secrets() to libnet_join_post_processing() via a210289 s3:libnet_join: call do_JoinConfig() after we did remote changes on the server via 7110ea3 s3:libnet_join: split libnet_join_post_processing_ads() into modify/sync via 4765cb4 s3:libnet_join: move kerberos_secrets_store_des_salt() out of libnet_join_derive_salting_principal() via 9d818ce s3:libnet_join: remember r->out.krb5_salt in libnet_join_derive_salting_principal() via 18cd978 s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx via 
f18c0ca s3:libnet_join: remember the domain_guid for AD domains via d68b34b s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx via 35b6d50 s3:libnet_join: calculate r->out.account_name in libnet_join_pre_processing() via 77980ad s3:libnet_join: remove dead code from libnet_join_connect_ads() via cef8c67 krb5_wrap: add smb_krb5_salt_principal2data() via 5b96252 krb5_wrap: add smb_krb5_salt_principal() via 88abba9 s3:libads: remove unused kerberos_secrets_store_salting_principal() via 208c771 s3:librpc: let NDR_SECRETS depend on NDR_SECURITY via 899c0d5 idl_types.h: add NDR_SECRET shortcut via 9bbacf5 librpc/ndr: add LIBNDR_FLAG_IS_SECRET handling via 7b3bfd5 librpc/ndr: align the definition of LIBNDR_STRING_FLAGS with currently defined flags via 0c8ae83 pidl:NDR/Parser: add missing {start,end}_flags() to ParseElementPrint() via 941aaa9 werror: replace WERR_SETUP_NOT_JOINED with WERR_NERR_SETUPNOTJOINED in source3/libnet/libnet_join.c via 3a491cd krb5_wrap: add smb_krb5_free_data_contents() compat define (for v4-5) via 82f9cba s3:smbd: consistently use talloc_tos() memory for rpc_pipe_open_interface() via 2cae38b selftest: add a test for accessing previous version of directories with snapdirseverywhere via 911e3ab s3/smbd: let non_widelink_open() chdir() to directories directly via 3de773e VERSION: Bump version up to 4.5.13... from 6e6361e VERSION: Release Samba 4.5.12 for CVE-2017-11103
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 70 +- docs-xml/manpages/vfs_fruit.8.xml | 9 + lib/krb5_wrap/krb5_samba.c | 187 ++++ lib/krb5_wrap/krb5_samba.h | 12 + libcli/auth/netlogon_creds_cli.c | 78 +- libcli/auth/netlogon_creds_cli.h | 16 +- libcli/auth/proto.h | 2 +- libcli/auth/smbencrypt.c | 2 +- librpc/idl/idl_types.h | 6 + librpc/idl/lsa.idl | 2 +- librpc/idl/netlogon.idl | 6 +- librpc/ndr/libndr.h | 24 +- librpc/ndr/ndr.c | 23 + librpc/ndr/ndr_basic.c | 44 + pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 4 + selftest/target/Samba3.pm | 10 + source3/include/proto.h | 1 + source3/include/secrets.h | 38 +- source3/libads/kerberos.c | 200 ---- source3/libads/kerberos_keytab.c | 14 +- source3/libads/kerberos_proto.h | 8 - source3/libads/util.c | 106 +- source3/libnet/libnet_join.c | 133 ++- source3/libnet/libnet_keytab.c | 5 +- source3/librpc/crypto/gse_krb5.c | 40 +- source3/librpc/idl/libnet_join.idl | 4 +- source3/librpc/idl/secrets.idl | 92 +- source3/librpc/wscript_build | 2 +- source3/libsmb/cli_smb2_fnum.c | 94 +- source3/libsmb/cli_smb2_fnum.h | 5 + source3/libsmb/clirap.c | 27 +- source3/libsmb/libsmb_dir.c | 6 +- source3/libsmb/trusts_util.c | 276 ++++- source3/modules/vfs_ceph.c | 7 - source3/modules/vfs_fruit.c | 270 ++--- source3/modules/vfs_gpfs.c | 69 +- source3/modules/vfs_streams_xattr.c | 574 +++++++++-- source3/passdb/machine_account_secrets.c | 1661 ++++++++++++++++++++++++++++-- source3/passdb/secrets.c | 25 +- source3/passdb/secrets_lsa.c | 2 +- source3/rpc_client/cli_netlogon.c | 15 +- source3/rpcclient/cmd_netlogon.c | 2 + source3/script/tests/test_shadow_copy.sh | 23 + source3/smbd/dosmode.c | 43 +- source3/smbd/lanman.c | 20 +- source3/smbd/open.c | 30 +- source3/smbd/process.c | 2 +- source3/smbd/reply.c | 2 +- source3/smbd/server.c 
| 8 +- source3/torture/torture.c | 137 +++ source3/utils/net.c | 142 ++- source3/utils/net_rpc.c | 8 + source3/winbindd/winbindd_dual.c | 1 + source3/winbindd/winbindd_dual_srv.c | 2 + source4/torture/smb2/oplock.c | 346 +++++++ source4/torture/vfs/fruit.c | 8 +- 57 files changed, 4113 insertions(+), 832 deletions(-) Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index b5eaa03..6c1c849 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=13
 ########################################################
 # If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a519b6c..f3fccf7 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,70 @@
 ==============================
+ Release Notes for Samba 4.5.13
+ August 31, 2017
+ ==============================
+
+
+This is the latest stable release of the Samba 4.5 release series.
+
+
+Changes since 4.5.12:
+---------------------
+
+o Jeremy Allison <j...@samba.org>
+ * BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes
+ async.
+ * BUG 12899: 'smbclient setmode' no longer works to clear attribute bits due
+ to dialect upgrade.
+ * BUG 12913: SMBC_setatr() initially uses an SMB1 call before falling back.
+
+o Ralph Boehme <s...@samba.org>
+ * BUG 12791: Fix kernel oplock issues with named streams.
+ * BUG 12897: vfs_fruit: Don't use MS NFS ACEs with Windows clients.
+ * BUG 12910: s3/notifyd: Ensure notifyd doesn't return from
+ smbd_notifyd_init.
+ * BUG 12944: vfs_gpfs: handle EACCES when fetching DOS attributes from xattr.
+ * BUG 12885: Let non_widelink_open() chdir() to directories directly.
+
+o Günther Deschner <g...@samba.org>
+ * BUG 12840: vfs_fruit: Add fruit:model = <modelname> parametric option.
+
+o David Disseldorp <dd...@samba.org>
+ * BUG 12911: vfs_ceph: fix cephwrap_chdir().
+
+o Thomas Jarosch <thomas.jaro...@intra2net.com>
+ * BUG 12927: s3: libsmb: Fix use-after-free when accessing pointer *p.
+
+o Stefan Metzmacher <me...@samba.org>
+ * BUG 12782: winbindd changes the local password and gets
+ NT_STATUS_WRONG_PASSWORD for the remote change.
+ * BUG 12890: s3:smbd: consistently use talloc_tos() memory for
+ rpc_pipe_open_interface().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ ==============================
 Release Notes for Samba 4.5.12
 July 12, 2017
 ==============================
@@ -48,8 +114,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 ==============================
 Release Notes for Samba 4.5.11
diff --git a/docs-xml/manpages/vfs_fruit.8.xml b/docs-xml/manpages/vfs_fruit.8.xml
index e2e696c..08b8700 100644
--- a/docs-xml/manpages/vfs_fruit.8.xml
+++ b/docs-xml/manpages/vfs_fruit.8.xml
@@ -162,6 +162,15 @@
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>fruit:model = MacSamba</term>
+ <listitem>
+ <para>This option defines the model string inside the AAPL
+ extension and will determine the appearance of the icon representing the
+ Samba server in the Finder window.</para>
+ <para>The default is <emphasis>MacSamba</emphasis>.</para>
+ </listitem>
+ </varlistentry>
 </variablelist>
 </refsect1>
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 76e8795..fe29386 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -324,6 +324,193 @@ int smb_krb5_get_pw_salt(krb5_context context,
 #error UNKNOWN_SALT_FUNCTIONS
 #endif
+/**
+ * @brief This constructs the salt principal used by active directory
+ *
+ * Most Kerberos encryption types require a salt in order to
+ * calculate the long term private key for user/computer object
+ * based on a password.
+ *
+ * The returned _salt_principal is a string in forms like this:
+ * - host/somehost.example....@example.com
+ * - someacco...@example.com
+ * - someprinci...@example.com
+ *
+ * This is not the form that's used as salt, it's just
+ * the human readable form. It needs to be converted by
+ * smb_krb5_salt_principal2data().
+ *
+ * @param[in] realm The realm the user/computer is added too.
+ *
+ * @param[in] sAMAccountName The sAMAccountName attribute of the object.
+ *
+ * @param[in] userPrincipalName The userPrincipalName attribute of the object
+ * or NULL is not available.
+ *
+ * @param[in] is_computer The indication of the object includes
+ * objectClass=computer.
+ *
+ * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out] _salt_principal The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal2data
+ */
+int smb_krb5_salt_principal(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ bool is_computer,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ char *upper_realm = NULL;
+ const char *principal = NULL;
+ int principal_len = 0;
+
+ *_salt_principal = NULL;
+
+ if (sAMAccountName == NULL) {
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+
+ if (realm == NULL) {
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+
+ upper_realm = strupper_talloc(frame, realm);
+ if (upper_realm == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+
+ /* Many, many thanks to lu...@padl.com for this
+ * algorithm, described in his Nov 10 2004 mail to
+ * samba-techni...@lists.samba.org */
+
+ /*
+ * Determine a salting principal
+ */
+ if (is_computer) {
+ int computer_len = 0;
+ char *tmp = NULL;
+
+ computer_len = strlen(sAMAccountName);
+ if (sAMAccountName[computer_len-1] == '$') {
+ computer_len -= 1;
+ }
+
+ tmp = talloc_asprintf(frame, "host/%*.*s.%s",
+ computer_len, computer_len,
+ sAMAccountName, realm);
+ if (tmp == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+
+ principal = strlower_talloc(frame, tmp);
+ TALLOC_FREE(tmp);
+ if (principal == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+ principal_len = strlen(principal);
+
+ } else if (userPrincipalName != NULL) {
+ char *p;
+
+ principal = userPrincipalName;
+ p = strchr(principal, '@');
+ if (p != NULL) {
+ principal_len = PTR_DIFF(p, principal);
+ } else {
+ principal_len = strlen(principal);
+ }
+ } else {
+ principal = sAMAccountName;
+ principal_len = strlen(principal);
+ }
+
+ *_salt_principal = talloc_asprintf(mem_ctx, "%*.*s@%s",
+ principal_len, principal_len,
+ principal, upper_realm);
+ if (*_salt_principal == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+
+ TALLOC_FREE(frame);
+ return 0;
+}
+
+/**
+ * @brief Converts the salt principal string into the salt data blob
+ *
+ * This function takes a salt_principal as string in forms like this:
+ * - host/somehost.example....@example.com
+ * - someacco...@example.com
+ * - someprinci...@example.com
+ *
+ * It generates values like:
+ * - EXAMPLE.COMhost/somehost.example.com
+ * - EXAMPLE.COMSomeAccount
+ * - EXAMPLE.COMSomePrincipal
+ *
+ * @param[in] realm The realm the user/computer is added too.
+ *
+ * @param[in] sAMAccountName The sAMAccountName attribute of the object.
+ *
+ * @param[in] userPrincipalName The userPrincipalName attribute of the object
+ * or NULL is not available.
+ *
+ * @param[in] is_computer The indication of the object includes
+ * objectClass=computer.
+ *
+ * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out] _salt_principal The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal
+ */
+int smb_krb5_salt_principal2data(krb5_context context,
+ const char *salt_principal,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_data)
+{
+ krb5_error_code ret;
+ krb5_principal salt_princ = NULL;
+ krb5_data salt;
+
+ *_salt_data = NULL;
+
+ ret = krb5_parse_name(context, salt_principal, &salt_princ);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = smb_krb5_get_pw_salt(context, salt_princ, &salt);
+ krb5_free_principal(context, salt_princ);
+ if (ret != 0) {
+ return ret;
+ }
+
+ *_salt_data = talloc_strndup(mem_ctx,
+ (char *)salt.data,
+ salt.length);
+ smb_krb5_free_data_contents(context, &salt);
+ if (*_salt_data == NULL) {
+ return ENOMEM;
+ }
+
+ return 0;
+}
+
 #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
 krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 krb5_enctype **enctypes)
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 2d31619..116bffc 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
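Review bot: In the `is_computer` branch of smb_krb5_salt_principal(), `sAMAccountName[computer_len-1]` is read without checking that the name is non-empty, so an empty sAMAccountName indexes one byte before the string; only NULL is rejected earlier. Guarding the test, `if (computer_len > 0 && sAMAccountName[computer_len-1] == '$') {`, or returning EINVAL for an empty name next to the NULL check, closes that. Separately, the doc block above smb_krb5_salt_principal2data() repeats the `@param` list of smb_krb5_salt_principal() (realm, sAMAccountName, userPrincipalName, is_computer, _salt_principal) while the function takes `context`, `salt_principal`, `mem_ctx` and `_salt_data`; it should describe those four, and could mention that the salt is copied with talloc_strndup() and therefore ends at the first NUL byte.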
@@ -362,6 +362,16 @@ krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
 int smb_krb5_get_pw_salt(krb5_context context,
 krb5_const_principal host_princ,
 krb5_data *psalt);
+int smb_krb5_salt_principal(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ bool is_computer,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal);
+int smb_krb5_salt_principal2data(krb5_context context,
+ const char *salt_principal,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_data);
 int smb_krb5_create_key_from_string(krb5_context context,
 krb5_const_principal host_princ,
@@ -408,4 +418,6 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
 time_t *tgs_expire,
 const char *impersonate_princ_s);
+#define smb_krb5_free_data_contents(a, b) kerberos_free_data_contents(a, b)
+
 #endif /* _KRB5_SAMBA_H */
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index d55142e..29baae4 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -36,6 +36,7 @@
 #include "source3/include/messages.h"
 #include "source3/include/g_lock.h"
 #include "libds/common/roles.h"
+#include "lib/crypto/crypto.h"
 struct netlogon_creds_cli_locked_state;
@@ -942,9 +943,10 @@ struct netlogon_creds_cli_auth_state {
 struct tevent_context *ev;
 struct netlogon_creds_cli_context *context;
 struct dcerpc_binding_handle *binding_handle;
- struct samr_Password current_nt_hash;
- struct samr_Password previous_nt_hash;
- struct samr_Password used_nt_hash;
+ uint8_t num_nt_hashes;
+ uint8_t idx_nt_hashes;
+ const struct samr_Password * const *nt_hashes;
+ const struct samr_Password *used_nt_hash;
 char *srv_name_slash;
 uint32_t current_flags;
 struct netr_Credential client_challenge;
@@ -956,7 +958,6 @@ struct netlogon_creds_cli_auth_state {
 bool try_auth3;
 bool try_auth2;
 bool require_auth2;
- bool try_previous_nt_hash;
 struct netlogon_creds_cli_locked_state *locked_state;
 };
@@ -967,8 +968,8 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
 struct tevent_context *ev,
 struct netlogon_creds_cli_context *context,
 struct dcerpc_binding_handle *b,
- struct samr_Password current_nt_hash,
- const struct samr_Password *previous_nt_hash)
+ uint8_t num_nt_hashes,
+ const struct samr_Password * const *nt_hashes)
 {
 struct tevent_req *req;
 struct netlogon_creds_cli_auth_state *state;
@@ -984,12 +985,19 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
 state->ev = ev;
 state->context = context;
 state->binding_handle = b;
- state->current_nt_hash = current_nt_hash;
- if (previous_nt_hash != NULL) {
- state->previous_nt_hash = *previous_nt_hash;
- state->try_previous_nt_hash = true;
+ if (num_nt_hashes < 1) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ return tevent_req_post(req, ev);
+ }
+ if (num_nt_hashes > 4) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ return tevent_req_post(req, ev);
 }
+ state->num_nt_hashes = num_nt_hashes;
+ state->idx_nt_hashes = 0;
+ state->nt_hashes = nt_hashes;
+
 if (context->db.locked_state != NULL) {
 tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
 return tevent_req_post(req, ev);
@@ -1019,7 +1027,7 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
 state->require_auth2 = true;
 }
- state->used_nt_hash = state->current_nt_hash;
+ state->used_nt_hash = state->nt_hashes[state->idx_nt_hashes];
 state->current_flags = context->client.proposed_flags;
 if (context->db.g_ctx != NULL) {
@@ -1141,7 +1149,7 @@ static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq)
 state->context->client.type,
 &state->client_challenge,
 &state->server_challenge,
- &state->used_nt_hash,
+ state->used_nt_hash,
 &state->client_credential,
 state->current_flags);
 if (tevent_req_nomem(state->creds, req)) {
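Review bot: The new argument checks in netlogon_creds_cli_auth_send() (the -984 hunk) bound `num_nt_hashes` to 1..4 but never validate `nt_hashes` itself: the array pointer is stored as-is (`state->nt_hashes = nt_hashes;`), entry 0 is loaded in the -1019 hunk and passed on in the -1141 hunk, so a NULL array or NULL entry would presumably surface only as a crash there. A check such as `if (nt_hashes == NULL || nt_hashes[0] == NULL)` returning NT_STATUS_INVALID_PARAMETER_MIX next to the two count checks would fail cleanly instead. The state now also borrows the caller's hashes rather than copying them by value as the removed `current_nt_hash`/`previous_nt_hash` fields did, so the function comment should state that the array and every hash it points to must stay valid until the request has been received. The literal `4` deserves a named constant or a comment explaining the limit. The function body starts and ends outside these hunks.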
@@ -1283,7 +1291,8 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
 return;
 }
- if (!state->try_previous_nt_hash) {
+ state->idx_nt_hashes += 1;
+ if (state->idx_nt_hashes >= state->num_nt_hashes) {
 /*
 * we already retried, giving up...
 */
@@ -1294,8 +1303,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
 /*
 * lets retry with the old nt hash.
 */
- state->try_previous_nt_hash = false;
- state->used_nt_hash = state->previous_nt_hash;
+ state->used_nt_hash = state->nt_hashes[state->idx_nt_hashes];
 state->current_flags = state->context->client.proposed_flags;
 netlogon_creds_cli_auth_challenge_start(req);
 return;
@@ -1330,43 +1338,52 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
 tevent_req_done(req);
 }
-NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req)
+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req,
+ uint8_t *idx_nt_hashes)
 {
+ struct netlogon_creds_cli_auth_state *state =
+ tevent_req_data(req,
+ struct netlogon_creds_cli_auth_state);
 NTSTATUS status;
+ *idx_nt_hashes = 0;
+
 if (tevent_req_is_nterror(req, &status)) {
 tevent_req_received(req);
 return status;
 }
+ *idx_nt_hashes = state->idx_nt_hashes;
 tevent_req_received(req);
 return NT_STATUS_OK;
 }
 NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
 struct dcerpc_binding_handle *b,
- struct samr_Password current_nt_hash,
- const struct samr_Password *previous_nt_hash)
+ uint8_t num_nt_hashes,
+ const struct samr_Password * const *nt_hashes,
+ uint8_t *idx_nt_hashes)
 {
 TALLOC_CTX *frame = talloc_stackframe();
 struct tevent_context *ev;
 struct tevent_req *req;
 NTSTATUS status = NT_STATUS_NO_MEMORY;
+ *idx_nt_hashes = 0;
+
 ev = samba_tevent_context_init(frame);
 if (ev == NULL) {
 goto fail;
 }
 req = netlogon_creds_cli_auth_send(frame, ev, context, b,
- current_nt_hash,
- previous_nt_hash);
+ num_nt_hashes, nt_hashes);
-- Samba Shared Repository
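Review bot: The retry path in netlogon_creds_cli_auth_srvauth_done() (hunks -1283 and -1294) now walks up to `num_nt_hashes` candidates, but the two comments kept as context still describe the old two-hash scheme: "we already retried, giving up..." and "lets retry with the old nt hash.". I would reword them, for example `* all candidate nt hashes were tried, giving up...` and `* retry with the next candidate nt hash.`, so they match the index-based loop. Note also that `idx_nt_hashes` is incremented before the bounds test, so on the give-up path it equals `num_nt_hashes`; that is safe only while nothing indexes `nt_hashes` with it afterwards, which the visible recv code respects by reporting 0 on error. The function continues outside both hunks.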