The branch, master has been updated
via 74b91490ddd s3:winbindd: split our wb_gettoken_trybuiltins() helper
via 940effb410e s3:winbindd: split out wb_gettoken_trylocalgroups()
function
via 9e7025834fd s3:winbindd: add winbindd_domain_verify_sid() helper
via 79b1934ad41 s3:winbindd: consistently use add_sid_to_array_unique()
in winbindd_ads.c
via 0098073ddfd s3:winbindd: use struct initializers for all struct
winbindd_methods cases
via 10f38aff7c2 s3:auth: let check_sam_security() add
NETLOGON_NTLMV2_ENABLED
via 1414004ee95 s4:auth/ntlm: let authsam_check_password_internals()
add NETLOGON_NTLMV2_ENABLED
via 9bab6426b9f python:tests/krb5: let netlogon.py check for
NETLOGON_NTLMV2_ENABLED
from 74f10bab066 selftest: force 'client use krb5 netlogon = yes' for
admem_idmap_autorid
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 74b91490dddfdbaf7f945976de94c0387462fce2
Author: Stefan Metzmacher <[email protected]>
Date: Sun Jul 24 00:46:06 2022 +0200
s3:winbindd: split our wb_gettoken_trybuiltins() helper
This makes the logical steps a bit cleaner and future changes easier.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Autobuild-User(master): Stefan Metzmacher <[email protected]>
Autobuild-Date(master): Wed Jan 15 14:00:28 UTC 2025 on atb-devel-224
commit 940effb410ed0a03955902af64acc80df217d2de
Author: Stefan Metzmacher <[email protected]>
Date: Sun Jul 24 00:44:07 2022 +0200
s3:winbindd: split out wb_gettoken_trylocalgroups() function
This makes the logical steps a bit cleaner and future changes easier.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 9e7025834fd58df9d986e0b52cb28c76962be124
Author: Stefan Metzmacher <[email protected]>
Date: Fri Jul 22 15:15:56 2022 +0200
s3:winbindd: add winbindd_domain_verify_sid() helper
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 79b1934ad41a7f9c0374345bb93136fed59dc65f
Author: Stefan Metzmacher <[email protected]>
Date: Fri Jul 22 15:15:02 2022 +0200
s3:winbindd: consistently use add_sid_to_array_unique() in winbindd_ads.c
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 0098073ddfd4c9cf3b5377cc7114c4ce5f62ac54
Author: Stefan Metzmacher <[email protected]>
Date: Tue Jul 26 10:52:19 2022 +0200
s3:winbindd: use struct initializers for all struct winbindd_methods cases
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 10f38aff7c23dc20bc98cf0e02a430f8b0d7b1ad
Author: Stefan Metzmacher <[email protected]>
Date: Wed Jan 15 12:41:21 2025 +0100
s3:auth: let check_sam_security() add NETLOGON_NTLMV2_ENABLED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15783
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 1414004ee953975c50e0ee374684ff8e01246946
Author: Stefan Metzmacher <[email protected]>
Date: Wed Jan 15 11:57:12 2025 +0100
s4:auth/ntlm: let authsam_check_password_internals() add
NETLOGON_NTLMV2_ENABLED
Windows returns NETLOGON_NTLMV2_ENABLED in all
netr_LogonSamLogon* response messages,
even if NTLMv1 was actually used, and also
for password authentication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15783
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 9bab6426b9fc4d2464597fdfa3085ea259b77710
Author: Stefan Metzmacher <[email protected]>
Date: Wed Jan 15 12:22:34 2025 +0100
python:tests/krb5: let netlogon.py check for NETLOGON_NTLMV2_ENABLED
It's there for network_samlogon and interactive_samlogon,
but not in ticket_samlogon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15783
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
python/samba/tests/krb5/netlogon.py | 22 ++++++++
source3/auth/check_samsec.c | 2 +
source3/winbindd/wb_gettoken.c | 24 ++++++++-
source3/winbindd/winbindd_ads.c | 88 ++++++++++++++++++++-----------
source3/winbindd/winbindd_msrpc.c | 29 +++++-----
source3/winbindd/winbindd_reconnect.c | 29 +++++-----
source3/winbindd/winbindd_reconnect_ads.c | 29 +++++-----
source4/auth/ntlm/auth_sam.c | 1 +
8 files changed, 150 insertions(+), 74 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/krb5/netlogon.py
b/python/samba/tests/krb5/netlogon.py
index 7ada1a01d52..6320a2bd542 100755
--- a/python/samba/tests/krb5/netlogon.py
+++ b/python/samba/tests/krb5/netlogon.py
@@ -1556,6 +1556,9 @@ class NetlogonSchannel(KDCBaseTest):
expect_send_encrypted,
expect_recv_encrypted)
self.assertNotEqual(validationRef_n6.base.rid, 0)
+ self.assertEqual(validationRef_n6.base.user_flags &
+ netlogon.NETLOGON_NTLMV2_ENABLED,
+ netlogon.NETLOGON_NTLMV2_ENABLED)
self.assertNotEqual(validationRef_n6.base.key.key, list(b'\x00' *16))
self.assertEqual(validationRef_n6.base.LMSessKey.key, list(b'\x00' *8))
@@ -1567,6 +1570,7 @@ class NetlogonSchannel(KDCBaseTest):
expect_send_encrypted,
expect_recv_encrypted)
self.assertEqual(validationWF_n2.base.rid, validationRef_n6.base.rid)
+ self.assertEqual(validationWF_n2.base.user_flags,
validationRef_n6.base.user_flags)
if expect_broken_nt_crypto:
self.assertNotEqual(validationWF_n2.base.key.key, list(b'\x00'
*16))
self.assertNotEqual(validationWF_n2.base.key.key,
validationRef_n6.base.key.key)
@@ -1583,6 +1587,7 @@ class NetlogonSchannel(KDCBaseTest):
expect_send_encrypted,
expect_recv_encrypted)
self.assertEqual(validationEx_n2.base.rid, validationRef_n6.base.rid)
+ self.assertEqual(validationEx_n2.base.user_flags,
validationRef_n6.base.user_flags)
if expect_broken_nt_crypto:
self.assertNotEqual(validationEx_n2.base.key.key, list(b'\x00'
*16))
self.assertNotEqual(validationEx_n2.base.key.key,
validationRef_n6.base.key.key)
@@ -1602,6 +1607,7 @@ class NetlogonSchannel(KDCBaseTest):
expect_send_encrypted,
expect_recv_encrypted)
self.assertEqual(validationWF_n3.base.rid, validationRef_n6.base.rid)
+ self.assertEqual(validationWF_n3.base.user_flags,
validationRef_n6.base.user_flags)
if expect_broken_nt_crypto:
self.assertNotEqual(validationWF_n3.base.key.key, list(b'\x00'
*16))
self.assertNotEqual(validationWF_n3.base.key.key,
validationRef_n6.base.key.key)
@@ -1618,6 +1624,7 @@ class NetlogonSchannel(KDCBaseTest):
expect_send_encrypted,
expect_recv_encrypted)
self.assertEqual(validationEx_n3.base.rid, validationRef_n6.base.rid)
+ self.assertEqual(validationEx_n3.base.user_flags,
validationRef_n6.base.user_flags)
if expect_broken_nt_crypto:
self.assertNotEqual(validationEx_n3.base.key.key, list(b'\x00'
*16))
self.assertNotEqual(validationEx_n3.base.key.key,
validationRef_n6.base.key.key)
@@ -1637,6 +1644,7 @@ class NetlogonSchannel(KDCBaseTest):
expect_send_encrypted,
expect_recv_encrypted)
self.assertEqual(validationWF_n6.base.rid, validationRef_n6.base.rid)
+ self.assertEqual(validationWF_n6.base.user_flags,
validationRef_n6.base.user_flags)
self.assertEqual(validationWF_n6.base.key.key,
validationRef_n6.base.key.key)
validationEx_n6 = self.do_LogonEx(ncreds, conn,
logon_type_n, logon_info_n,
@@ -1644,6 +1652,7 @@ class NetlogonSchannel(KDCBaseTest):
expect_send_encrypted,
expect_recv_encrypted)
self.assertEqual(validationEx_n6.base.rid, validationRef_n6.base.rid)
+ self.assertEqual(validationEx_n6.base.user_flags,
validationRef_n6.base.user_flags)
self.assertEqual(validationEx_n6.base.key.key,
validationRef_n6.base.key.key)
self.do_CheckCapabilities(ncreds, conn)
@@ -1703,6 +1712,9 @@ class NetlogonSchannel(KDCBaseTest):
self.do_CheckCapabilities(ncreds, conn)
return
self.assertNotEqual(validationRef_i6.base.rid, 0)
+ self.assertEqual(validationRef_i6.base.user_flags &
+ netlogon.NETLOGON_NTLMV2_ENABLED,
+ netlogon.NETLOGON_NTLMV2_ENABLED)
self.assertEqual(validationRef_i6.base.key.key, list(b'\x00' *16))
self.assertEqual(validationRef_i6.base.LMSessKey.key, list(b'\x00' *8))
@@ -1714,6 +1726,7 @@ class NetlogonSchannel(KDCBaseTest):
expect_send_encrypted,
expect_recv_encrypted)
self.assertEqual(validationWF_i2.base.rid, validationRef_i6.base.rid)
+ self.assertEqual(validationWF_i2.base.user_flags,
validationRef_i6.base.user_flags)
self.assertEqual(validationWF_i2.base.key.key,
validationRef_i6.base.key.key)
self.assertEqual(validationWF_i2.base.LMSessKey.key,
validationRef_i6.base.LMSessKey.key)
validationEx_i2 = self.do_LogonEx(ncreds, conn,
@@ -1722,6 +1735,7 @@ class NetlogonSchannel(KDCBaseTest):
expect_send_encrypted,
expect_recv_encrypted)
self.assertEqual(validationEx_i2.base.rid, validationRef_i6.base.rid)
+ self.assertEqual(validationEx_i2.base.user_flags,
validationRef_i6.base.user_flags)
self.assertEqual(validationEx_i2.base.key.key,
validationRef_i6.base.key.key)
self.assertEqual(validationEx_i2.base.LMSessKey.key,
validationRef_i6.base.LMSessKey.key)
@@ -1733,6 +1747,7 @@ class NetlogonSchannel(KDCBaseTest):
expect_send_encrypted,
expect_recv_encrypted)
self.assertEqual(validationWF_i3.base.rid, validationRef_i6.base.rid)
+ self.assertEqual(validationWF_i3.base.user_flags,
validationRef_i6.base.user_flags)
self.assertEqual(validationWF_i3.base.key.key,
validationRef_i6.base.key.key)
self.assertEqual(validationWF_i3.base.LMSessKey.key,
validationRef_i6.base.LMSessKey.key)
validationEx_i3 = self.do_LogonEx(ncreds, conn,
@@ -1741,6 +1756,7 @@ class NetlogonSchannel(KDCBaseTest):
expect_send_encrypted,
expect_recv_encrypted)
self.assertEqual(validationEx_i3.base.rid, validationRef_i6.base.rid)
+ self.assertEqual(validationEx_i3.base.user_flags,
validationRef_i6.base.user_flags)
self.assertEqual(validationEx_i3.base.key.key,
validationRef_i6.base.key.key)
self.assertEqual(validationEx_i3.base.LMSessKey.key,
validationRef_i6.base.LMSessKey.key)
@@ -1752,6 +1768,7 @@ class NetlogonSchannel(KDCBaseTest):
expect_send_encrypted,
expect_recv_encrypted)
self.assertEqual(validationWF_i6.base.rid, validationRef_i6.base.rid)
+ self.assertEqual(validationWF_i6.base.user_flags,
validationRef_i6.base.user_flags)
self.assertEqual(validationWF_i6.base.key.key,
validationRef_i6.base.key.key)
self.assertEqual(validationWF_i6.base.LMSessKey.key,
validationRef_i6.base.LMSessKey.key)
validationEx_i6 = self.do_LogonEx(ncreds, conn,
@@ -1760,6 +1777,7 @@ class NetlogonSchannel(KDCBaseTest):
expect_send_encrypted,
expect_recv_encrypted)
self.assertEqual(validationEx_i6.base.rid, validationRef_i6.base.rid)
+ self.assertEqual(validationEx_i6.base.user_flags,
validationRef_i6.base.user_flags)
self.assertEqual(validationEx_i6.base.key.key,
validationRef_i6.base.key.key)
self.assertEqual(validationEx_i6.base.LMSessKey.key,
validationRef_i6.base.LMSessKey.key)
@@ -1911,6 +1929,8 @@ class NetlogonSchannel(KDCBaseTest):
self.assertIsNotNone(validationEx.user_information)
self.assertNotEqual(validationEx.user_information.base.rid, 0)
self.assertEqual(validationEx.user_information.base.key.key,
list(b'\x00' *16))
+ self.assertEqual(validationEx.user_information.base.user_flags &
+ netlogon.NETLOGON_NTLMV2_ENABLED, 0)
self.assertIsNone(validationEx.device_information)
expect_send_encrypted = False
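Review bot: The check that `user_flags & netlogon.NETLOGON_NTLMV2_ENABLED` equals 0 is the only added assertion in this file that expects the flag to be absent, and nothing next to it says why. The commit message says the flag is there for network_samlogon and interactive_samlogon but not for ticket_samlogon, and this is presumably the ticket logon path. A comment such as `# ticket logon: NETLOGON_NTLMV2_ENABLED is not set, unlike network/interactive logons` would keep the check from being "corrected" later. The next hunk compares validationWF against validationEx and so inherits the same expectation. The enclosing test method starts and ends outside this hunk.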
@@ -1939,6 +1959,8 @@ class NetlogonSchannel(KDCBaseTest):
self.assertEqual(validationWF.user_information.base.rid,
validationEx.user_information.base.rid)
self.assertEqual(validationWF.user_information.base.key.key,
list(b'\x00' *16))
+ self.assertEqual(validationWF.user_information.base.user_flags,
+ validationEx.user_information.base.user_flags)
self.assertIsNone(validationWF.device_information)
self.do_CheckCapabilities(ncreds, conn)
diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
index 1e55fedb615..cfaf413eba0 100644
--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -575,6 +575,8 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
goto done;
}
+ (*server_info)->info3->base.user_flags |= NETLOGON_NTLMV2_ENABLED;
+
(*server_info)->session_key =
data_blob_talloc(*server_info, user_sess_key.data,
user_sess_key.length);
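Review bot: The unconditional `|= NETLOGON_NTLMV2_ENABLED` added here, and the matching line in the authsam_check_password_internals() hunk of source4/auth/ntlm/auth_sam.c, carries no comment, so a later reader could take the bit as evidence that NTLMv2 was actually used. The commit message for the source4 change says Windows sets it in every netr_LogonSamLogon* response, even for NTLMv1 and password authentication; that belongs beside the code, e.g. `/* Windows always sets NETLOGON_NTLMV2_ENABLED, even for NTLMv1 or password logons; it does not indicate the protocol used */`. Anything that audits or restricts NTLMv1 should keep relying on the real authentication result rather than on user_flags. check_sam_security() starts and ends outside this hunk.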
diff --git a/source3/winbindd/wb_gettoken.c b/source3/winbindd/wb_gettoken.c
index 3930f71d98d..4e29691802d 100644
--- a/source3/winbindd/wb_gettoken.c
+++ b/source3/winbindd/wb_gettoken.c
@@ -40,7 +40,9 @@ static NTSTATUS wb_add_rids_to_sids(TALLOC_CTX *mem_ctx,
static void wb_gettoken_gotuser(struct tevent_req *subreq);
static void wb_gettoken_gotgroups(struct tevent_req *subreq);
+static void wb_gettoken_trylocalgroups(struct tevent_req *req);
static void wb_gettoken_gotlocalgroups(struct tevent_req *subreq);
+static void wb_gettoken_trybuiltins(struct tevent_req *req);
static void wb_gettoken_gotbuiltins(struct tevent_req *subreq);
struct tevent_req *wb_gettoken_send(TALLOC_CTX *mem_ctx,
@@ -116,7 +118,6 @@ static void wb_gettoken_gotgroups(struct tevent_req *subreq)
req, struct wb_gettoken_state);
uint32_t i, num_groups;
struct dom_sid *groups;
- struct winbindd_domain *domain;
NTSTATUS status;
struct dom_sid_buf buf;
@@ -138,6 +139,16 @@ static void wb_gettoken_gotgroups(struct tevent_req
*subreq)
}
}
+ wb_gettoken_trylocalgroups(req);
+}
+
+static void wb_gettoken_trylocalgroups(struct tevent_req *req)
+{
+ struct wb_gettoken_state *state = tevent_req_data(
+ req, struct wb_gettoken_state);
+ struct winbindd_domain *domain = NULL;
+ struct tevent_req *subreq = NULL;
+
if (!state->expand_local_aliases) {
D_DEBUG("Done. Not asked to expand local aliases.\n");
tevent_req_done(req);
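Review bot: wb_gettoken_trylocalgroups() can finish the request itself, as the visible `tevent_req_done(req)` on the no-expand path shows, but nothing documents that callers must treat the call as their last action on `req`. wb_gettoken_gotgroups() does call it as its final statement, and wb_gettoken_trybuiltins() is called the same way from wb_gettoken_gotlocalgroups() in a later hunk. A one-line comment above each helper, such as `/* May complete req; callers must return immediately afterwards. */`, would keep that invariant visible for the future changes the commit message anticipates. The helper's body continues outside this hunk.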
@@ -171,7 +182,6 @@ static void wb_gettoken_gotlocalgroups(struct tevent_req
*subreq)
req, struct wb_gettoken_state);
uint32_t num_rids;
uint32_t *rids;
- struct winbindd_domain *domain;
NTSTATUS status;
status = wb_lookupuseraliases_recv(subreq, state, &num_rids, &rids);
@@ -188,6 +198,16 @@ static void wb_gettoken_gotlocalgroups(struct tevent_req
*subreq)
}
TALLOC_FREE(rids);
+ wb_gettoken_trybuiltins(req);
+}
+
+static void wb_gettoken_trybuiltins(struct tevent_req *req)
+{
+ struct wb_gettoken_state *state = tevent_req_data(
+ req, struct wb_gettoken_state);
+ struct winbindd_domain *domain = NULL;
+ struct tevent_req *subreq = NULL;
+
/*
* Now expand the builtin groups
*/
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 90f1fbf15ff..42b8df2623d 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -568,6 +568,20 @@ static NTSTATUS rids_to_names(struct winbindd_domain
*domain,
domain_name, names, types);
}
+static NTSTATUS winbindd_domain_verify_sid(struct winbindd_domain *domain,
+ const struct dom_sid *extra_sid)
+{
+ bool ret;
+
+ ret = sid_check_is_in_builtin(extra_sid);
+ if (ret) {
+ /* don't allow Builtin groups from ADS */
+ return NT_STATUS_INVALID_SUB_AUTHORITY;
+ }
+
+ return NT_STATUS_OK;
+}
+
/* Lookup groups a user is a member of - alternate method, for when
tokenGroups are not available. */
static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
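Review bot: winbindd_domain_verify_sid() takes `domain` but the body shown never reads it, and a rejected SID is dropped without any log line, so a directory server that returns Builtin SIDs in a user's group list leaves no trace on the winbindd side. A debug message in the rejection branch would make that visible and give the parameter a use, for example `struct dom_sid_buf buf;` plus `D_DEBUG("Ignoring Builtin SID %s returned for domain %s\n", dom_sid_str_buf(extra_sid, &buf), domain->name);`. A short comment on the helper saying why Builtin SIDs are refused would help too; my reading is that they are machine-local and should not be granted by a remote directory, but the patch does not state the rationale.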
@@ -637,8 +651,10 @@ static NTSTATUS lookup_usergroups_member(struct
winbindd_domain *domain,
num_groups = 0;
/* always add the primary group to the sid array */
- status = add_sid_to_array(mem_ctx, primary_group, user_sids,
- &num_groups);
+ status = add_sid_to_array_unique(mem_ctx,
+ primary_group,
+ user_sids,
+ &num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
@@ -653,13 +669,16 @@ static NTSTATUS lookup_usergroups_member(struct
winbindd_domain *domain,
continue;
}
- /* ignore Builtin groups from ADS - Guenther */
- if (sid_check_is_in_builtin(&group_sid)) {
+ /* filter unexpected sids */
+ status = winbindd_domain_verify_sid(domain, &group_sid);
+ if (!NT_STATUS_IS_OK(status)) {
continue;
}
- status = add_sid_to_array(mem_ctx, &group_sid,
- user_sids, &num_groups);
+ status = add_sid_to_array_unique(mem_ctx,
+ &group_sid,
+ user_sids,
+ &num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
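Review bot: Reusing `status` for the filter result means a rejected SID leaves `status` set to NT_STATUS_INVALID_SUB_AUTHORITY when the loop hits `continue`; if the rejected entry is the last one, that value survives the loop. Whether it can reach the caller depends on the code after the loop, which is outside this hunk, but the old `sid_check_is_in_builtin()` test did not touch `status` at all. The same pattern appears in the lookup_usergroups_memberof() and lookup_usergroups() hunks below. A separate local keeps the two apart: `NTSTATUS verify_status = winbindd_domain_verify_sid(domain, &group_sid);` followed by `if (!NT_STATUS_IS_OK(verify_status)) { continue; }`.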
@@ -726,8 +745,10 @@ static NTSTATUS lookup_usergroups_memberof(struct
winbindd_domain *domain,
num_groups = 0;
/* always add the primary group to the sid array */
- status = add_sid_to_array(mem_ctx, primary_group, user_sids,
- &num_groups);
+ status = add_sid_to_array_unique(mem_ctx,
+ primary_group,
+ user_sids,
+ &num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
@@ -764,13 +785,16 @@ static NTSTATUS lookup_usergroups_memberof(struct
winbindd_domain *domain,
for (i=0; i<num_sids; i++) {
- /* ignore Builtin groups from ADS - Guenther */
- if (sid_check_is_in_builtin(&group_sids[i])) {
+ /* filter unexpected sids */
+ status = winbindd_domain_verify_sid(domain, &group_sids[i]);
+ if (!NT_STATUS_IS_OK(status)) {
continue;
}
- status = add_sid_to_array(mem_ctx, &group_sids[i], user_sids,
- &num_groups);
+ status = add_sid_to_array_unique(mem_ctx,
+ &group_sids[i],
+ user_sids,
+ &num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
@@ -915,16 +939,19 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain
*domain,
*user_sids = NULL;
num_groups = 0;
- status = add_sid_to_array(mem_ctx, &primary_group, user_sids,
- &num_groups);
+ status = add_sid_to_array_unique(mem_ctx,
+ &primary_group,
+ user_sids,
+ &num_groups);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
for (i=0;i<count;i++) {
- /* ignore Builtin groups from ADS - Guenther */
- if (sid_check_is_in_builtin(&sids[i])) {
+ /* filter unexpected sids */
+ status = winbindd_domain_verify_sid(domain, &sids[i]);
+ if (!NT_STATUS_IS_OK(status)) {
continue;
}
@@ -1506,20 +1533,21 @@ static NTSTATUS trusted_domains(struct winbindd_domain
*domain,
/* the ADS backend methods are exposed via this structure */
struct winbindd_methods ads_methods = {
- True,
- query_user_list,
- enum_dom_groups,
- enum_local_groups,
- name_to_sid,
- sid_to_name,
- rids_to_names,
- lookup_usergroups,
- lookup_useraliases,
- lookup_groupmem,
- lookup_aliasmem,
- lockout_policy,
- password_policy,
- trusted_domains,
+ .consistent = true,
+
+ .query_user_list = query_user_list,
+ .enum_dom_groups = enum_dom_groups,
+ .enum_local_groups = enum_local_groups,
+ .name_to_sid = name_to_sid,
+ .sid_to_name = sid_to_name,
+ .rids_to_names = rids_to_names,
+ .lookup_usergroups = lookup_usergroups,
+ .lookup_useraliases = lookup_useraliases,
+ .lookup_groupmem = lookup_groupmem,
+ .lookup_aliasmem = lookup_aliasmem,
+ .lockout_policy = lockout_policy,
+ .password_policy = password_policy,
+ .trusted_domains = trusted_domains,
};
#endif
diff --git a/source3/winbindd/winbindd_msrpc.c
b/source3/winbindd/winbindd_msrpc.c
index 9324633aa14..a522172bd2d 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -1160,18 +1160,19 @@ static NTSTATUS winbindd_lookup_names(TALLOC_CTX
*mem_ctx,
/* the rpc backend methods are exposed via this structure */
struct winbindd_methods msrpc_methods = {
- False,
- msrpc_query_user_list,
- msrpc_enum_dom_groups,
- msrpc_enum_local_groups,
- msrpc_name_to_sid,
- msrpc_sid_to_name,
- msrpc_rids_to_names,
- msrpc_lookup_usergroups,
- msrpc_lookup_useraliases,
- msrpc_lookup_groupmem,
- msrpc_lookup_aliasmem,
- msrpc_lockout_policy,
- msrpc_password_policy,
- msrpc_trusted_domains,
+ .consistent = false,
+
+ .query_user_list = msrpc_query_user_list,
+ .enum_dom_groups = msrpc_enum_dom_groups,
+ .enum_local_groups = msrpc_enum_local_groups,
+ .name_to_sid = msrpc_name_to_sid,
+ .sid_to_name = msrpc_sid_to_name,
+ .rids_to_names = msrpc_rids_to_names,
+ .lookup_usergroups = msrpc_lookup_usergroups,
+ .lookup_useraliases = msrpc_lookup_useraliases,
+ .lookup_groupmem = msrpc_lookup_groupmem,
+ .lookup_aliasmem = msrpc_lookup_aliasmem,
+ .lockout_policy = msrpc_lockout_policy,
+ .password_policy = msrpc_password_policy,
+ .trusted_domains = msrpc_trusted_domains,
};
diff --git a/source3/winbindd/winbindd_reconnect.c
b/source3/winbindd/winbindd_reconnect.c
index c49831b3c13..76255a79707 100644
--- a/source3/winbindd/winbindd_reconnect.c
+++ b/source3/winbindd/winbindd_reconnect.c
@@ -337,18 +337,19 @@ static NTSTATUS trusted_domains(struct winbindd_domain
*domain,
/* the rpc backend methods are exposed via this structure */
struct winbindd_methods reconnect_methods = {
- False,
- query_user_list,
- enum_dom_groups,
- enum_local_groups,
- name_to_sid,
- sid_to_name,
- rids_to_names,
- lookup_usergroups,
- lookup_useraliases,
- lookup_groupmem,
- lookup_aliasmem,
- lockout_policy,
- password_policy,
- trusted_domains,
+ .consistent = false,
+
+ .query_user_list = query_user_list,
+ .enum_dom_groups = enum_dom_groups,
+ .enum_local_groups = enum_local_groups,
+ .name_to_sid = name_to_sid,
+ .sid_to_name = sid_to_name,
+ .rids_to_names = rids_to_names,
+ .lookup_usergroups = lookup_usergroups,
+ .lookup_useraliases = lookup_useraliases,
+ .lookup_groupmem = lookup_groupmem,
+ .lookup_aliasmem = lookup_aliasmem,
+ .lockout_policy = lockout_policy,
+ .password_policy = password_policy,
+ .trusted_domains = trusted_domains,
};
diff --git a/source3/winbindd/winbindd_reconnect_ads.c
b/source3/winbindd/winbindd_reconnect_ads.c
index 367f4c68e88..c013836595a 100644
--- a/source3/winbindd/winbindd_reconnect_ads.c
+++ b/source3/winbindd/winbindd_reconnect_ads.c
@@ -343,20 +343,21 @@ static NTSTATUS trusted_domains(struct winbindd_domain
*domain,
/* the rpc backend methods are exposed via this structure */
struct winbindd_methods reconnect_ads_methods = {
- true,
- query_user_list,
- enum_dom_groups,
- enum_local_groups,
- name_to_sid,
- sid_to_name,
- rids_to_names,
- lookup_usergroups,
- lookup_useraliases,
- lookup_groupmem,
- lookup_aliasmem,
- lockout_policy,
- password_policy,
- trusted_domains,
+ .consistent = true,
+
+ .query_user_list = query_user_list,
+ .enum_dom_groups = enum_dom_groups,
+ .enum_local_groups = enum_local_groups,
+ .name_to_sid = name_to_sid,
+ .sid_to_name = sid_to_name,
+ .rids_to_names = rids_to_names,
+ .lookup_usergroups = lookup_usergroups,
+ .lookup_useraliases = lookup_useraliases,
+ .lookup_groupmem = lookup_groupmem,
+ .lookup_aliasmem = lookup_aliasmem,
+ .lockout_policy = lockout_policy,
+ .password_policy = password_policy,
+ .trusted_domains = trusted_domains,
};
#endif
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index e3eef793cd1..4657720316a 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -1124,6 +1124,7 @@ static NTSTATUS authsam_check_password_internals(struct
auth_method_context *ctx
talloc_free(tmp_ctx);
return nt_status;
}
+ (*user_info_dc)->info->user_flags |= NETLOGON_NTLMV2_ENABLED;
result = dsdb_is_protected_user(ctx->auth_ctx->sam_ctx,
(*user_info_dc)->sids,
--
Samba Shared Repository