The branch, master has been updated
       via  d1ea9c5aaba libcli:auth: Allow to connect to netlogon server offering only AES
       via  6bf3a39b118 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()
       via  62aa7696674 s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel()
       via  c7ead129285 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()
       via  be1520d2058 s3:libsmb: Remove trailing white spaces from passchange.c
       via  bb3e0ce8fc9 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport()
       via  34c57ebee04 s3:libnet: Remove tailing whitespaces in libnet_join.c
       via  33eb7a1bc9c s3:rpcclient: Remove trailing white spaces in rpcclient.c
       via  016429acaf7 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open()
       via  b3bf5bbaf81 s3:rpc_client: Remove trailing white spaces from cli_pipe.c
       via  492fd5b00fe testprogs: Add rpcclient schannel tests
      from  f4d0bb164f0 smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit d1ea9c5aaba42447f25a15935a9bf5bbd20f7d93
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Nov 18 13:46:26 2021 +0100

    libcli:auth: Allow to connect to netlogon server offering only AES

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Thu Dec 2 14:49:35 UTC 2021 on sn-devel-184

commit 6bf3a39b11832ad2feb655e29da84f8b5aac298e
Author: Günther Deschner <g...@samba.org>
Date:   Thu Nov 18 11:52:18 2021 +0100

    s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

    Pair-Programmed-With: Andreas Schneider <a...@samba.org>

    Signed-off-by: Guenther Deschner <g...@samba.org>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 62aa769667464451cda672fc073e52a8e52ae4c1
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Nov 18 11:47:26 2021 +0100

    s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

    Pair-Programmed-With: Andreas Schneider <a...@samba.org>

    Signed-off-by: Guenther Deschner <g...@samba.org>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c7ead1292852da371ff53fcdbd7ebd4bc1c08fbd
Author: Günther Deschner <g...@samba.org>
Date:   Thu Nov 18 11:43:08 2021 +0100

    s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

    Pair-Programmed-With: Andreas Schneider <a...@samba.org>

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Guenther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit be1520d2058a9430cf370f6fefd07bbddf3fbfe0
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Nov 24 13:21:28 2021 +0100

    s3:libsmb: Remove trailing white spaces from passchange.c

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit bb3e0ce8fc932f5146044c548730f454a0119800
Author: Günther Deschner <g...@samba.org>
Date:   Thu Nov 18 11:31:00 2021 +0100

    s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

    Pair-Programmed-With: Andreas Schneider <a...@samba.org>

    Signed-off-by: Guenther Deschner <g...@samba.org>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 34c57ebee04bb770174fab31edd9bfe2f88a84eb
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Nov 18 11:38:42 2021 +0100

    s3:libnet: Remove tailing whitespaces in libnet_join.c

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 33eb7a1bc9c21463dc699d6daaa6a1e19f668268
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Nov 18 11:32:42 2021 +0100

    s3:rpcclient: Remove trailing white spaces in rpcclient.c

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 016429acaf76bde53bd4ab81b48be23c2bcc28e3
Author: Günther Deschner <g...@samba.org>
Date:   Thu Nov 18 11:18:59 2021 +0100

    s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

    Pair-Programmed-With: Andreas Schneider <a...@samba.org>

    Signed-off-by: Guenther Deschner <g...@samba.org>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit b3bf5bbaf81de369c8f9415d903816a2d7424ffc
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Nov 18 11:14:16 2021 +0100

    s3:rpc_client: Remove trailing white spaces from cli_pipe.c

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 492fd5b00fe9d62f53b96e3a7588a7f2848a571d
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Nov 17 11:46:04 2021 +0100

    testprogs: Add rpcclient schannel tests

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 examples/winexe/winexe.c                      | 14 +++-
 libcli/auth/netlogon_creds_cli.c              | 48 +++++++++++---
 source3/libnet/libnet_join.c                  | 43 ++++++++----
 source3/libsmb/passchange.c                   | 16 +++--
 source3/rpc_client/cli_netlogon.c             | 51 ++++++++++++---
 source3/rpc_client/cli_pipe.c                 | 54 ++++++++++++---
 source3/rpc_client/cli_pipe.h                 |  9 +++
 source3/rpc_client/cli_pipe_schannel.c        |  7 +-
 source3/rpcclient/rpcclient.c                 | 53 +++++++++++++--
 source3/utils/net_rpc.c                       |  8 +++
 source3/winbindd/winbindd_cm.c                | 45 +++++++++++--
 source4/selftest/tests.py                     | 27 ++++++++
 testprogs/blackbox/test_rpcclient_schannel.sh | 94 +++++++++++++++++++++++++++
 13 files changed, 403 insertions(+), 66 deletions(-)
 create mode 100755 testprogs/blackbox/test_rpcclient_schannel.sh

Changeset truncated at 500 lines:

diff --git a/examples/winexe/winexe.c b/examples/winexe/winexe.c index 59fb9dbdebb..8a17107617c 100644 --- a/examples/winexe/winexe.c +++ b/examples/winexe/winexe.c 
@@ -401,11 +401,16 @@ static NTSTATUS winexe_svc_install( bool need_conf = false; NTSTATUS status; WERROR werr; + const char *remote_name = smbXcli_conn_remote_name(cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); status = cli_rpc_pipe_open_noauth_transport( cli, NCACN_NP, &ndr_table_svcctl, + remote_name, + remote_sockaddr, &rpccli); if (!NT_STATUS_IS_OK(status)) { DBG_WARNING("cli_rpc_pipe_open_noauth_transport failed: %s\n", @@ -416,7 +421,7 @@ static NTSTATUS winexe_svc_install( status = dcerpc_svcctl_OpenSCManagerW( rpccli->binding_handle, frame, - smbXcli_conn_remote_name(cli->conn), + remote_name, NULL, SEC_FLAG_MAXIMUM_ALLOWED, &scmanager_handle, @@ -717,11 +722,16 @@ static NTSTATUS winexe_svc_uninstall( struct SERVICE_STATUS service_status; NTSTATUS status; WERROR werr; + const char *remote_name = smbXcli_conn_remote_name(cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); status = cli_rpc_pipe_open_noauth_transport( cli, NCACN_NP, &ndr_table_svcctl, + remote_name, + remote_sockaddr, &rpccli); if (!NT_STATUS_IS_OK(status)) { DBG_WARNING("cli_rpc_pipe_open_noauth_transport failed: %s\n", @@ -732,7 +742,7 @@ static NTSTATUS winexe_svc_uninstall( status = dcerpc_svcctl_OpenSCManagerW( rpccli->binding_handle, frame, - smbXcli_conn_remote_name(cli->conn), + remote_name, NULL, SEC_FLAG_MAXIMUM_ALLOWED, &scmanager_handle, diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c index beab2fae53a..e92a042c012 100644 --- a/libcli/auth/netlogon_creds_cli.c +++ b/libcli/auth/netlogon_creds_cli.c 
@@ -516,9 +516,33 @@ enum dcerpc_AuthLevel netlogon_creds_cli_auth_level( return context->client.auth_level; } +static bool netlogon_creds_cli_downgraded(uint32_t negotiated_flags, + uint32_t proposed_flags, + uint32_t required_flags) +{ + uint32_t req_flags = required_flags; + uint32_t tmp_flags; + + req_flags = required_flags; + if ((negotiated_flags & NETLOGON_NEG_SUPPORTS_AES) && + (proposed_flags & NETLOGON_NEG_SUPPORTS_AES)) + { + req_flags &= ~NETLOGON_NEG_ARCFOUR|NETLOGON_NEG_STRONG_KEYS; + } + + tmp_flags = negotiated_flags; + tmp_flags &= req_flags; + if (tmp_flags != req_flags) { + return true; + } + + return false; +} + struct netlogon_creds_cli_fetch_state { TALLOC_CTX *mem_ctx; struct netlogon_creds_CredentialState *creds; + uint32_t proposed_flags; uint32_t required_flags; NTSTATUS status; }; @@ -530,7 +554,7 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data, (struct netlogon_creds_cli_fetch_state *)private_data; enum ndr_err_code ndr_err; DATA_BLOB blob; - uint32_t tmp_flags; + bool downgraded; state->creds = talloc_zero(state->mem_ctx, struct netlogon_creds_CredentialState); @@ -554,9 +578,11 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data, NDR_PRINT_DEBUG(netlogon_creds_CredentialState, state->creds); } - tmp_flags = state->creds->negotiate_flags; - tmp_flags &= state->required_flags; - if (tmp_flags != state->required_flags) { + downgraded = netlogon_creds_cli_downgraded( + state->creds->negotiate_flags, + state->proposed_flags, + state->required_flags); + if (downgraded) { TALLOC_FREE(state->creds); state->status = NT_STATUS_DOWNGRADE_DETECTED; return; @@ -827,6 +853,7 @@ static NTSTATUS netlogon_creds_cli_get_internal( { struct netlogon_creds_cli_fetch_state fstate = { .status = NT_STATUS_INTERNAL_ERROR, + .proposed_flags = context->client.proposed_flags, .required_flags = context->client.required_flags, }; NTSTATUS status; 
@@ -1309,7 +1336,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq) enum ndr_err_code ndr_err; DATA_BLOB blob; TDB_DATA data; - uint32_t tmp_flags; + bool downgraded; if (state->try_auth3) { status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state, @@ -1356,9 +1383,11 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq) return; } - tmp_flags = state->creds->negotiate_flags; - tmp_flags &= state->context->client.required_flags; - if (tmp_flags != state->context->client.required_flags) { + downgraded = netlogon_creds_cli_downgraded( + state->creds->negotiate_flags, + state->context->client.proposed_flags, + state->context->client.required_flags); + if (downgraded) { if (NT_STATUS_IS_OK(result)) { tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED); return; @@ -1368,8 +1397,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq) } if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) { - - tmp_flags = state->context->client.proposed_flags; + uint32_t tmp_flags = state->context->client.proposed_flags; if ((state->current_flags == tmp_flags) && (state->creds->negotiate_flags != tmp_flags)) { diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 263420a2159..02705f1c70c 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c 
@@ -1297,11 +1297,18 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx, TALLOC_FREE(creds); if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) { - status = cli_rpc_pipe_open_schannel_with_creds(cli, - &ndr_table_netlogon, - NCACN_NP, - netlogon_creds, - &passwordset_pipe); + const char *remote_name = smbXcli_conn_remote_name(cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); + + status = cli_rpc_pipe_open_schannel_with_creds( + cli, + &ndr_table_netlogon, + NCACN_NP, + netlogon_creds, + remote_name, + remote_sockaddr, + &passwordset_pipe); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(frame); return status; @@ -1700,6 +1707,8 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, uint32_t netlogon_flags = 0; NTSTATUS status; int flags = CLI_FULL_CONNECTION_IPC; + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; if (!dc_name) { TALLOC_FREE(frame); @@ -1800,9 +1809,15 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, return NT_STATUS_OK; } + remote_name = smbXcli_conn_remote_name(cli->conn); + remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn); + status = cli_rpc_pipe_open_schannel_with_creds( cli, &ndr_table_netlogon, NCACN_NP, - netlogon_creds, &netlogon_pipe); + netlogon_creds, + remote_name, + remote_sockaddr, + &netlogon_pipe); TALLOC_FREE(netlogon_pipe); @@ -1810,7 +1825,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, DEBUG(0,("libnet_join_ok: failed to open schannel session " "on netlogon pipe to server %s for domain %s. " "Error was %s\n", - smbXcli_conn_remote_name(cli->conn), + remote_name, netbios_domain_name, nt_errstr(status))); cli_shutdown(cli); TALLOC_FREE(frame); 
@@ -3045,7 +3060,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid); } - if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) && + if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) && !r->in.delete_machine_account) { libnet_join_unjoindomain_remove_secrets(mem_ctx, r); return WERR_OK; @@ -3077,8 +3092,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, } #ifdef HAVE_ADS - /* for net ads leave, try to delete the account. If it works, - no sense in disabling. If it fails, we can still try to + /* for net ads leave, try to delete the account. If it works, + no sense in disabling. If it fails, we can still try to disable it. jmcd */ if (r->in.delete_machine_account) { @@ -3086,10 +3101,10 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, ads_status = libnet_unjoin_connect_ads(mem_ctx, r); if (ADS_ERR_OK(ads_status)) { /* dirty hack */ - r->out.dns_domain_name = + r->out.dns_domain_name = talloc_strdup(mem_ctx, r->in.ads->server.realm); - ads_status = + ads_status = libnet_unjoin_remove_machine_acct(mem_ctx, r); } if (!ADS_ERR_OK(ads_status)) { @@ -3105,7 +3120,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, } #endif /* HAVE_ADS */ - /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means + /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means "disable". */ if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) { status = libnet_join_unjoindomain_rpc(mem_ctx, r); @@ -3124,7 +3139,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, r->out.disabled_machine_account = true; } - /* If disable succeeded or was not requested at all, we + /* If disable succeeded or was not requested at all, we should be getting rid of our end of things */ libnet_join_unjoindomain_remove_secrets(mem_ctx, r); diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c index f60e3079975..2137c183f0e 100644 --- a/source3/libsmb/passchange.c +++ b/source3/libsmb/passchange.c 
@@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. SMB client password change routine Copyright (C) Andrew Tridgell 1994-1998 @@ -79,7 +79,7 @@ NTSTATUS remote_password_change(const char *remote_machine, if (!NT_STATUS_IS_OK(result)) { if (asprintf(err_str, "machine %s rejected the negotiate " - "protocol. Error was : %s.\n", + "protocol. Error was : %s.\n", remote_machine, nt_errstr(result)) == -1) { *err_str = NULL; } @@ -87,7 +87,7 @@ NTSTATUS remote_password_change(const char *remote_machine, return result; } - /* Given things like SMB signing, restrict anonymous and the like, + /* Given things like SMB signing, restrict anonymous and the like, try an authenticated connection first */ result = cli_session_setup_creds(cli, creds); @@ -120,7 +120,7 @@ NTSTATUS remote_password_change(const char *remote_machine, if (!NT_STATUS_IS_OK(result)) { if (asprintf(err_str, "machine %s rejected the session " - "setup. Error was : %s.\n", + "setup. Error was : %s.\n", remote_machine, nt_errstr(result)) == -1) { *err_str = NULL; } @@ -143,12 +143,16 @@ NTSTATUS remote_password_change(const char *remote_machine, /* Try not to give the password away too easily */ if (!pass_must_change) { + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); + result = cli_rpc_pipe_open_with_creds(cli, &ndr_table_samr, NCACN_NP, DCERPC_AUTH_TYPE_NTLMSSP, DCERPC_AUTH_LEVEL_PRIVACY, remote_machine, + remote_sockaddr, creds, &pipe_hnd); } else { @@ -196,7 +200,7 @@ NTSTATUS remote_password_change(const char *remote_machine, cli_shutdown(cli); return NT_STATUS_OK; - } else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) + } else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) || NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) { /* it failed, but for reasons such as wrong password, too short etc ... */ 
@@ -227,7 +231,7 @@ NTSTATUS remote_password_change(const char *remote_machine, cli_shutdown(cli); return NT_STATUS_OK; } else { - if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) + if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) || NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) { /* it failed, but again it was due to things like new password too short */ diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 175f83d6750..049186e5a51 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -168,6 +168,8 @@ NTSTATUS rpccli_setup_netlogon_creds_locked( const struct samr_Password *nt_hashes[2] = { NULL, NULL }; uint8_t idx_nt_hashes = 0; NTSTATUS status; + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; status = netlogon_creds_cli_get(creds_ctx, frame, &creds); if (NT_STATUS_IS_OK(status)) { @@ -177,10 +179,16 @@ NTSTATUS rpccli_setup_netlogon_creds_locked( action = "overwrite"; } + if (cli != NULL) { + remote_name = smbXcli_conn_remote_name(cli->conn); + } else { + remote_name = "<UNKNOWN>"; + } + DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n", __FUNCTION__, action, creds->account_name, creds->computer_name, - smbXcli_conn_remote_name(cli->conn))); + remote_name)); if (!force_reauth) { goto done; } @@ -200,14 +208,19 @@ NTSTATUS rpccli_setup_netlogon_creds_locked( num_nt_hashes = 2; } + remote_name = smbXcli_conn_remote_name(cli->conn); + remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn); + status = cli_rpc_pipe_open_noauth_transport(cli, transport, &ndr_table_netlogon, + remote_name, + remote_sockaddr, &netlogon_pipe); if (!NT_STATUS_IS_OK(status)) { DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n", __FUNCTION__, - smbXcli_conn_remote_name(cli->conn), + remote_name, nt_errstr(status))); TALLOC_FREE(frame); return status; 
@@ -233,7 +246,7 @@ NTSTATUS rpccli_setup_netlogon_creds_locked( DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n", __FUNCTION__, creds->account_name, creds->computer_name, - smbXcli_conn_remote_name(cli->conn))); + remote_name)); done: if (negotiate_flags != NULL) { @@ -293,6 +306,8 @@ NTSTATUS rpccli_connect_netlogon( struct rpc_pipe_client *rpccli; NTSTATUS status; bool retry = false; + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; sec_chan_type = cli_credentials_get_secure_channel_type(trust_creds); if (sec_chan_type == SEC_CHAN_NULL) { @@ -353,15 +368,22 @@ again: } } + remote_name = smbXcli_conn_remote_name(cli->conn); + remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn); + do_serverauth = force_reauth || !found_existing_creds; if (!do_serverauth) { /* * Do the quick schannel bind without a reauth */ - status = cli_rpc_pipe_open_bind_schannel( - cli, &ndr_table_netlogon, transport, creds_ctx, - &rpccli); + status = cli_rpc_pipe_open_bind_schannel(cli, + &ndr_table_netlogon, + transport, + creds_ctx, + remote_name, + remote_sockaddr, + &rpccli); if (!retry && NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) { DBG_DEBUG("Retrying with serverauthenticate\n"); TALLOC_FREE(lck); @@ -411,8 +433,12 @@ again: goto fail; } - status = cli_rpc_pipe_open_noauth_transport( - cli, transport, &ndr_table_netlogon, &rpccli); + status = cli_rpc_pipe_open_noauth_transport(cli, + transport, + &ndr_table_netlogon, + remote_name, + remote_sockaddr, + &rpccli); if (!NT_STATUS_IS_OK(status)) { DBG_DEBUG("cli_rpc_pipe_open_noauth_transport " "failed: %s\n", nt_errstr(status)); 
@@ -421,8 +447,13 @@ again: goto done; } - status = cli_rpc_pipe_open_bind_schannel( - cli, &ndr_table_netlogon, transport, creds_ctx, &rpccli); + status = cli_rpc_pipe_open_bind_schannel(cli, + &ndr_table_netlogon, + transport, + creds_ctx, + remote_name, + remote_sockaddr, + &rpccli); if (!NT_STATUS_IS_OK(status)) { DBG_DEBUG("cli_rpc_pipe_open_bind_schannel " "failed: %s\n", nt_errstr(status)); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 2ceef482c64..8dca089bbf5 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -3058,7 +3058,7 @@ static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_r * assignments of cli, which invalidates the data in the returned * rpc_pipe_client if this function is called before the structure assignment * of cli. - * + * ****************************************************************************/ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli, @@ -3136,13 +3136,15 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli, static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli, enum dcerpc_transport_t transport, const struct ndr_interface_table *table, + const char *remote_name, + const struct sockaddr_storage *remote_sockaddr, struct rpc_pipe_client **presult) { switch (transport) { case NCACN_IP_TCP: return rpc_pipe_open_tcp(NULL, - smbXcli_conn_remote_name(cli->conn), - smbXcli_conn_remote_sockaddr(cli->conn), + remote_name, -- Samba Shared Repository
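
Review bot: In netlogon_creds_cli_downgraded() (libcli/auth/netlogon_creds_cli.c), the mask in `req_flags &= ~NETLOGON_NEG_ARCFOUR|NETLOGON_NEG_STRONG_KEYS;` lacks parentheses. Unary `~` binds tighter than `|`, so the right-hand side is `(~NETLOGON_NEG_ARCFOUR) | NETLOGON_NEG_STRONG_KEYS` and the statement clears only the ARCFOUR bit from the required flags; STRONG_KEYS stays required. If the intent is to stop requiring both once AES was proposed and negotiated, write `req_flags &= ~(NETLOGON_NEG_ARCFOUR|NETLOGON_NEG_STRONG_KEYS);`. If only ARCFOUR should become optional, drop the `|NETLOGON_NEG_STRONG_KEYS` so the line reads as it behaves. Because this helper now decides both places where NT_STATUS_DOWNGRADE_DETECTED is raised, a short comment naming the flags that AES makes optional would be worth adding. The second `req_flags = required_flags;` repeats the initializer and can go.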
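
Review bot: rpccli_setup_netlogon_creds_locked() (source3/rpc_client/cli_netlogon.c) is inconsistent about whether `cli` may be NULL. The first added block guards with `if (cli != NULL)` and falls back to "<UNKNOWN>" for the debug message, but the later added lines `remote_name = smbXcli_conn_remote_name(cli->conn);` and `remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn);` dereference `cli` with no check. If a NULL `cli` is only valid when cached credentials are found and `force_reauth` is false, say so in a comment and return an error status before the reauth path touches `cli->conn`; if `cli` can never be NULL here, the new guard is unnecessary. The lines between the two hunks are not shown, so an existing check there would settle this.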
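
Review bot: The new `remote_name` and `remote_sockaddr` parameters of cli_rpc_pipe_open() (source3/rpc_client/cli_pipe.c) have no documented contract, and in the NCACN_IP_TCP case they are handed straight to rpc_pipe_open_tcp(). Callers in this changeset initialise both to NULL before assigning them (libnet_join_ok(), rpccli_connect_netlogon()), so the function comment should state whether NULL is accepted and how long the pointers must remain valid, or the function should reject NULL up front with an error status. remote_password_change() also passes the caller-supplied `remote_machine` as the name together with a sockaddr taken from `cli->conn`; a line in the commit message or a comment confirming that the name and address are allowed to come from different sources would help. The hunk is truncated on this page, so only the TCP branch could be checked.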