The branch, v4-15-test has been updated via 5e846fcf74e smbd: s3-dsgetdcname: handle num_ips == 0 via 18c76813587 libcli:auth: Allow to connect to netlogon server offering only AES via b1f0aa5c22f s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds() via aca47d48f51 s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel() via 16d886511f1 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds() via 2b9882a4c2f s3:libsmb: Remove trailing white spaces from passchange.c via 460cf672e65 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport() via 1b5b96d5a24 s3:libnet: Remove tailing whitespaces in libnet_join.c via 0801cae3df8 s3:rpcclient: Remove trailing white spaces in rpcclient.c via ea845570516 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open() via e72d611c78d s3:rpc_client: Remove trailing white spaces from cli_pipe.c via fea324d9cc4 testprogs: Add rpcclient schannel tests via cd9783148b8 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object via 5db0cb09e94 CVE-2020-25717: s3-auth: fix MIT Realm regression from 6f7e39b0611 smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log ----------------------------------------------------------------- commit 5e846fcf74edb883e8aa7756ee51ef8bfbfb6026 Author: Ralph Boehme <s...@samba.org> Date: Fri Nov 26 11:59:45 2021 +0100 smbd: s3-dsgetdcname: handle num_ips == 0 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923 Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Ralph Boehme <s...@samba.org> Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Fri Dec 3 12:54:04 UTC 2021 on sn-devel-184 (cherry picked from commit 5e3df5f9ee64a80898f73585b19113354f463c44) Autobuild-User(v4-15-test): Stefan Metzmacher <me...@samba.org> Autobuild-Date(v4-15-test): Wed Dec 8 10:46:08 UTC 2021 on sn-devel-184 commit 18c7681358775b079d95cc44c4146b715ffb54cd Author: Andreas Schneider <a...@samba.org> Date: Thu Nov 18 13:46:26 2021 +0100 libcli:auth: Allow to connect to netlogon server offering only AES BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Thu Dec 2 14:49:35 UTC 2021 on sn-devel-184 (cherry picked from commit d1ea9c5aaba42447f25a15935a9bf5bbd20f7d93) commit b1f0aa5c22fdf65114540d4bb15ac6980f194abf Author: Günther Deschner <g...@samba.org> Date: Thu Nov 18 11:52:18 2021 +0100 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider <a...@samba.org> Signed-off-by: Guenther Deschner <g...@samba.org> Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit 6bf3a39b11832ad2feb655e29da84f8b5aac298e) commit aca47d48f516b43ef20f44f85d50993ca25eb3fa Author: Andreas Schneider <a...@samba.org> Date: Thu Nov 18 11:47:26 2021 +0100 s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider <a...@samba.org> Signed-off-by: Guenther Deschner <g...@samba.org> Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit 62aa769667464451cda672fc073e52a8e52ae4c1) commit 16d886511f158a56fb0ebb71df91fea127bed606 Author: Günther Deschner <g...@samba.org> Date: Thu Nov 18 11:43:08 2021 +0100 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider <a...@samba.org> Signed-off-by: Andreas Schneider <a...@samba.org> Signed-off-by: Guenther Deschner <g...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit c7ead1292852da371ff53fcdbd7ebd4bc1c08fbd) commit 2b9882a4c2fb94653982d3d4ab9a53d84d658226 Author: Andreas Schneider <a...@samba.org> Date: Wed Nov 24 13:21:28 2021 +0100 s3:libsmb: Remove trailing white spaces from passchange.c Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit be1520d2058a9430cf370f6fefd07bbddf3fbfe0) commit 460cf672e65432d79512ceca2212572c470865f3 Author: Günther Deschner <g...@samba.org> Date: Thu Nov 18 11:31:00 2021 +0100 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider <a...@samba.org> Signed-off-by: Guenther Deschner <g...@samba.org> Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit bb3e0ce8fc932f5146044c548730f454a0119800) commit 1b5b96d5a2453a7ffc374c3d10ef4ed890cc68ba Author: Andreas Schneider <a...@samba.org> Date: Thu Nov 18 11:38:42 2021 +0100 s3:libnet: Remove tailing whitespaces in libnet_join.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit 34c57ebee04bb770174fab31edd9bfe2f88a84eb) commit 0801cae3df8492c9576b46b67572961e07d3241c Author: Andreas Schneider <a...@samba.org> Date: Thu Nov 18 11:32:42 2021 +0100 s3:rpcclient: Remove trailing white spaces in rpcclient.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit 33eb7a1bc9c21463dc699d6daaa6a1e19f668268) commit ea845570516f330720c3bbdd6efda307f0c0fef0 Author: Günther Deschner <g...@samba.org> Date: Thu Nov 18 11:18:59 2021 +0100 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider <a...@samba.org> Signed-off-by: Guenther Deschner <g...@samba.org> Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit 016429acaf76bde53bd4ab81b48be23c2bcc28e3) commit e72d611c78dcf5fb9776a5957dd099b3a973947d Author: Andreas Schneider <a...@samba.org> Date: Thu Nov 18 11:14:16 2021 +0100 s3:rpc_client: Remove trailing white spaces from cli_pipe.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit b3bf5bbaf81de369c8f9415d903816a2d7424ffc) commit fea324d9cc4122c2fb2118d4cf4e2d7c408292e5 Author: Andreas Schneider <a...@samba.org> Date: Wed Nov 17 11:46:04 2021 +0100 testprogs: Add rpcclient schannel tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit 492fd5b00fe9d62f53b96e3a7588a7f2848a571d) commit cd9783148b8bdbbf9b1e43d2a7a7e3d5a6a0420e Author: Andrew Bartlett <abart...@samba.org> Date: Fri Nov 12 12:44:44 2021 +1300 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object This may allow further processing when the DN normalisation has changed which changes the indexing, such as seen after fixes for bug 14656. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit f621317e3b25a8925ab6e448068264488a0a47c7) commit 5db0cb09e94ad249282b94dea5f21201ed3a1c95 Author: Ralph Boehme <s...@samba.org> Date: Fri Nov 26 10:57:17 2021 +0100 CVE-2020-25717: s3-auth: fix MIT Realm regression This looks like a regression introduced by the recent security fixes. This commit should hopefully fixes it. As a quick solution it might be possible to use the username map script based on the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not sure this behaves identical, but it might work in the standalone server case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922 Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Ralph Boehme <s...@samba.org> Signed-off-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b) ----------------------------------------------------------------------- Summary of changes: examples/winexe/winexe.c | 14 +++- libcli/auth/netlogon_creds_cli.c | 48 ++++++++++--- source3/auth/user_krb5.c | 9 +++ source3/libnet/libnet_join.c | 43 +++++++---- source3/libsmb/dsgetdcname.c | 4 ++ source3/libsmb/passchange.c | 16 +++-- source3/rpc_client/cli_netlogon.c | 51 +++++++++++--- source3/rpc_client/cli_pipe.c | 54 +++++++++++--- source3/rpc_client/cli_pipe.h | 9 +++ source3/rpc_client/cli_pipe_schannel.c | 7 +- source3/rpcclient/rpcclient.c | 53 ++++++++++++-- source3/utils/net_rpc.c | 8 +++ source3/winbindd/winbindd_cm.c | 45 ++++++++++-- source4/dsdb/samdb/ldb_modules/operational.c | 2 +- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 +++- source4/selftest/tests.py | 27 +++++++ testprogs/blackbox/test_rpcclient_schannel.sh | 94 +++++++++++++++++++++++++ 17 files changed, 429 insertions(+), 68 deletions(-) create mode 100755 testprogs/blackbox/test_rpcclient_schannel.sh Changeset truncated at 500 lines: diff --git a/examples/winexe/winexe.c b/examples/winexe/winexe.c index 59fb9dbdebb..8a17107617c 100644 --- a/examples/winexe/winexe.c +++ b/examples/winexe/winexe.c @@ -401,11 +401,16 @@ static NTSTATUS winexe_svc_install( bool need_conf = false; NTSTATUS status; WERROR werr; + const char *remote_name = smbXcli_conn_remote_name(cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); status = cli_rpc_pipe_open_noauth_transport( cli, NCACN_NP, &ndr_table_svcctl, + remote_name, + remote_sockaddr, &rpccli); if (!NT_STATUS_IS_OK(status)) { DBG_WARNING("cli_rpc_pipe_open_noauth_transport failed: %s\n", @@ -416,7 +421,7 @@ static NTSTATUS winexe_svc_install( status = dcerpc_svcctl_OpenSCManagerW( rpccli->binding_handle, frame, - smbXcli_conn_remote_name(cli->conn), + remote_name, NULL, SEC_FLAG_MAXIMUM_ALLOWED, &scmanager_handle, @@ -717,11 +722,16 @@ static NTSTATUS winexe_svc_uninstall( struct SERVICE_STATUS service_status; NTSTATUS status; WERROR werr; + const char *remote_name = smbXcli_conn_remote_name(cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); status = cli_rpc_pipe_open_noauth_transport( cli, NCACN_NP, &ndr_table_svcctl, + remote_name, + remote_sockaddr, &rpccli); if (!NT_STATUS_IS_OK(status)) { DBG_WARNING("cli_rpc_pipe_open_noauth_transport failed: %s\n", @@ -732,7 +742,7 @@ static NTSTATUS winexe_svc_uninstall( status = dcerpc_svcctl_OpenSCManagerW( rpccli->binding_handle, frame, - smbXcli_conn_remote_name(cli->conn), + remote_name, NULL, SEC_FLAG_MAXIMUM_ALLOWED, &scmanager_handle, diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c index 12cb3149ff6..b23dddc21be 100644 --- a/libcli/auth/netlogon_creds_cli.c +++ b/libcli/auth/netlogon_creds_cli.c @@ -504,9 +504,33 @@ enum dcerpc_AuthLevel netlogon_creds_cli_auth_level( return context->client.auth_level; } +static bool netlogon_creds_cli_downgraded(uint32_t negotiated_flags, + uint32_t proposed_flags, + uint32_t required_flags) +{ + uint32_t req_flags = required_flags; + uint32_t tmp_flags; + + req_flags = required_flags; + if ((negotiated_flags & NETLOGON_NEG_SUPPORTS_AES) && + (proposed_flags & NETLOGON_NEG_SUPPORTS_AES)) + { + req_flags &= ~NETLOGON_NEG_ARCFOUR|NETLOGON_NEG_STRONG_KEYS; + } + + tmp_flags = negotiated_flags; + tmp_flags &= req_flags; + if (tmp_flags != req_flags) { + return true; + } + + return false; +} + struct netlogon_creds_cli_fetch_state { TALLOC_CTX *mem_ctx; struct netlogon_creds_CredentialState *creds; + uint32_t proposed_flags; uint32_t required_flags; NTSTATUS status; }; @@ -518,7 +542,7 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data, (struct netlogon_creds_cli_fetch_state *)private_data; enum ndr_err_code ndr_err; DATA_BLOB blob; - uint32_t tmp_flags; + bool downgraded; state->creds = talloc_zero(state->mem_ctx, struct netlogon_creds_CredentialState); @@ -542,9 +566,11 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data, NDR_PRINT_DEBUG(netlogon_creds_CredentialState, state->creds); } - tmp_flags = state->creds->negotiate_flags; - tmp_flags &= state->required_flags; - if (tmp_flags != state->required_flags) { + downgraded = netlogon_creds_cli_downgraded( + state->creds->negotiate_flags, + state->proposed_flags, + state->required_flags); + if (downgraded) { TALLOC_FREE(state->creds); state->status = NT_STATUS_DOWNGRADE_DETECTED; return; @@ -815,6 +841,7 @@ static NTSTATUS netlogon_creds_cli_get_internal( { struct netlogon_creds_cli_fetch_state fstate = { .status = NT_STATUS_INTERNAL_ERROR, + .proposed_flags = context->client.proposed_flags, .required_flags = context->client.required_flags, }; NTSTATUS status; @@ -1297,7 +1324,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq) enum ndr_err_code ndr_err; DATA_BLOB blob; TDB_DATA data; - uint32_t tmp_flags; + bool downgraded; if (state->try_auth3) { status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state, @@ -1344,9 +1371,11 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq) return; } - tmp_flags = state->creds->negotiate_flags; - tmp_flags &= state->context->client.required_flags; - if (tmp_flags != state->context->client.required_flags) { + downgraded = netlogon_creds_cli_downgraded( + state->creds->negotiate_flags, + state->context->client.proposed_flags, + state->context->client.required_flags); + if (downgraded) { if (NT_STATUS_IS_OK(result)) { tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED); return; @@ -1356,8 +1385,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq) } if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) { - - tmp_flags = state->context->client.proposed_flags; + uint32_t tmp_flags = state->context->client.proposed_flags; if ((state->current_flags == tmp_flags) && (state->creds->negotiate_flags != tmp_flags)) { diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c index b8f37cbeee0..169bf563368 100644 --- a/source3/auth/user_krb5.c +++ b/source3/auth/user_krb5.c @@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, char *fuser = NULL; char *unixuser = NULL; struct passwd *pw = NULL; + bool may_retry = false; DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); @@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, domain = realm; } else { domain = lp_workgroup(); + may_retry = true; } fuser = talloc_asprintf(mem_ctx, @@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, *mapped_to_guest = false; pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); + if (may_retry && pw == NULL && !*is_mapped) { + fuser = talloc_strdup(mem_ctx, user); + if (!fuser) { + return NT_STATUS_NO_MEMORY; + } + pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); + } if (pw) { if (!unixuser) { return NT_STATUS_NO_MEMORY; diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 263420a2159..02705f1c70c 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -1297,11 +1297,18 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx, TALLOC_FREE(creds); if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) { - status = cli_rpc_pipe_open_schannel_with_creds(cli, - &ndr_table_netlogon, - NCACN_NP, - netlogon_creds, - &passwordset_pipe); + const char *remote_name = smbXcli_conn_remote_name(cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); + + status = cli_rpc_pipe_open_schannel_with_creds( + cli, + &ndr_table_netlogon, + NCACN_NP, + netlogon_creds, + remote_name, + remote_sockaddr, + &passwordset_pipe); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(frame); return status; @@ -1700,6 +1707,8 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, uint32_t netlogon_flags = 0; NTSTATUS status; int flags = CLI_FULL_CONNECTION_IPC; + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; if (!dc_name) { TALLOC_FREE(frame); @@ -1800,9 +1809,15 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, return NT_STATUS_OK; } + remote_name = smbXcli_conn_remote_name(cli->conn); + remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn); + status = cli_rpc_pipe_open_schannel_with_creds( cli, &ndr_table_netlogon, NCACN_NP, - netlogon_creds, &netlogon_pipe); + netlogon_creds, + remote_name, + remote_sockaddr, + &netlogon_pipe); TALLOC_FREE(netlogon_pipe); @@ -1810,7 +1825,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, DEBUG(0,("libnet_join_ok: failed to open schannel session " "on netlogon pipe to server %s for domain %s. " "Error was %s\n", - smbXcli_conn_remote_name(cli->conn), + remote_name, netbios_domain_name, nt_errstr(status))); cli_shutdown(cli); TALLOC_FREE(frame); @@ -3045,7 +3060,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid); } - if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) && + if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) && !r->in.delete_machine_account) { libnet_join_unjoindomain_remove_secrets(mem_ctx, r); return WERR_OK; @@ -3077,8 +3092,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, } #ifdef HAVE_ADS - /* for net ads leave, try to delete the account. If it works, - no sense in disabling. If it fails, we can still try to + /* for net ads leave, try to delete the account. If it works, + no sense in disabling. If it fails, we can still try to disable it. jmcd */ if (r->in.delete_machine_account) { @@ -3086,10 +3101,10 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, ads_status = libnet_unjoin_connect_ads(mem_ctx, r); if (ADS_ERR_OK(ads_status)) { /* dirty hack */ - r->out.dns_domain_name = + r->out.dns_domain_name = talloc_strdup(mem_ctx, r->in.ads->server.realm); - ads_status = + ads_status = libnet_unjoin_remove_machine_acct(mem_ctx, r); } if (!ADS_ERR_OK(ads_status)) { @@ -3105,7 +3120,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, } #endif /* HAVE_ADS */ - /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means + /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means "disable". */ if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) { status = libnet_join_unjoindomain_rpc(mem_ctx, r); @@ -3124,7 +3139,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, r->out.disabled_machine_account = true; } - /* If disable succeeded or was not requested at all, we + /* If disable succeeded or was not requested at all, we should be getting rid of our end of things */ libnet_join_unjoindomain_remove_secrets(mem_ctx, r); diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c index f8ae96109b7..5954e48d747 100644 --- a/source3/libsmb/dsgetdcname.c +++ b/source3/libsmb/dsgetdcname.c @@ -572,6 +572,10 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx, for (i = 0; i < numdcs; i++) { size_t j; + if (dcs[i].num_ips == 0) { + continue; + } + dclist[ret_count].hostname = talloc_move(dclist, &dcs[i].hostname); diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c index f60e3079975..2137c183f0e 100644 --- a/source3/libsmb/passchange.c +++ b/source3/libsmb/passchange.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. SMB client password change routine Copyright (C) Andrew Tridgell 1994-1998 @@ -79,7 +79,7 @@ NTSTATUS remote_password_change(const char *remote_machine, if (!NT_STATUS_IS_OK(result)) { if (asprintf(err_str, "machine %s rejected the negotiate " - "protocol. Error was : %s.\n", + "protocol. Error was : %s.\n", remote_machine, nt_errstr(result)) == -1) { *err_str = NULL; } @@ -87,7 +87,7 @@ NTSTATUS remote_password_change(const char *remote_machine, return result; } - /* Given things like SMB signing, restrict anonymous and the like, + /* Given things like SMB signing, restrict anonymous and the like, try an authenticated connection first */ result = cli_session_setup_creds(cli, creds); @@ -120,7 +120,7 @@ NTSTATUS remote_password_change(const char *remote_machine, if (!NT_STATUS_IS_OK(result)) { if (asprintf(err_str, "machine %s rejected the session " - "setup. Error was : %s.\n", + "setup. Error was : %s.\n", remote_machine, nt_errstr(result)) == -1) { *err_str = NULL; } @@ -143,12 +143,16 @@ NTSTATUS remote_password_change(const char *remote_machine, /* Try not to give the password away too easily */ if (!pass_must_change) { + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); + result = cli_rpc_pipe_open_with_creds(cli, &ndr_table_samr, NCACN_NP, DCERPC_AUTH_TYPE_NTLMSSP, DCERPC_AUTH_LEVEL_PRIVACY, remote_machine, + remote_sockaddr, creds, &pipe_hnd); } else { @@ -196,7 +200,7 @@ NTSTATUS remote_password_change(const char *remote_machine, cli_shutdown(cli); return NT_STATUS_OK; - } else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) + } else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) || NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) { /* it failed, but for reasons such as wrong password, too short etc ... */ @@ -227,7 +231,7 @@ NTSTATUS remote_password_change(const char *remote_machine, cli_shutdown(cli); return NT_STATUS_OK; } else { - if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) + if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) || NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) { /* it failed, but again it was due to things like new password too short */ diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 175f83d6750..049186e5a51 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -168,6 +168,8 @@ NTSTATUS rpccli_setup_netlogon_creds_locked( const struct samr_Password *nt_hashes[2] = { NULL, NULL }; uint8_t idx_nt_hashes = 0; NTSTATUS status; + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; status = netlogon_creds_cli_get(creds_ctx, frame, &creds); if (NT_STATUS_IS_OK(status)) { @@ -177,10 +179,16 @@ NTSTATUS rpccli_setup_netlogon_creds_locked( action = "overwrite"; } + if (cli != NULL) { + remote_name = smbXcli_conn_remote_name(cli->conn); + } else { + remote_name = "<UNKNOWN>"; + } + DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n", __FUNCTION__, action, creds->account_name, creds->computer_name, - smbXcli_conn_remote_name(cli->conn))); + remote_name)); if (!force_reauth) { goto done; } @@ -200,14 +208,19 @@ NTSTATUS rpccli_setup_netlogon_creds_locked( num_nt_hashes = 2; } + remote_name = smbXcli_conn_remote_name(cli->conn); + remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn); + status = cli_rpc_pipe_open_noauth_transport(cli, transport, &ndr_table_netlogon, + remote_name, + remote_sockaddr, &netlogon_pipe); if (!NT_STATUS_IS_OK(status)) { DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n", __FUNCTION__, - smbXcli_conn_remote_name(cli->conn), + remote_name, nt_errstr(status))); TALLOC_FREE(frame); return status; @@ -233,7 +246,7 @@ NTSTATUS rpccli_setup_netlogon_creds_locked( DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n", __FUNCTION__, creds->account_name, creds->computer_name, - smbXcli_conn_remote_name(cli->conn))); + remote_name)); done: if (negotiate_flags != NULL) { @@ -293,6 +306,8 @@ NTSTATUS rpccli_connect_netlogon( struct rpc_pipe_client *rpccli; NTSTATUS status; bool retry = false; + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; sec_chan_type = cli_credentials_get_secure_channel_type(trust_creds); if (sec_chan_type == SEC_CHAN_NULL) { @@ -353,15 +368,22 @@ again: } } + remote_name = smbXcli_conn_remote_name(cli->conn); + remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn); + do_serverauth = force_reauth || !found_existing_creds; if (!do_serverauth) { /* * Do the quick schannel bind without a reauth */ - status = cli_rpc_pipe_open_bind_schannel( - cli, &ndr_table_netlogon, transport, creds_ctx, - &rpccli); + status = cli_rpc_pipe_open_bind_schannel(cli, + &ndr_table_netlogon, + transport, + creds_ctx, + remote_name, + remote_sockaddr, + &rpccli); if (!retry && NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) { DBG_DEBUG("Retrying with serverauthenticate\n"); TALLOC_FREE(lck); @@ -411,8 +433,12 @@ again: goto fail; } - status = cli_rpc_pipe_open_noauth_transport( - cli, transport, &ndr_table_netlogon, &rpccli); + status = cli_rpc_pipe_open_noauth_transport(cli, + transport, + &ndr_table_netlogon, -- Samba Shared Repository