1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

Merge dd9e0bea31751 from 3-0-ctdb -- use NetSamLogonEx when possible

NetSamLogonEx has the advantage that it does not use the credential chain
(This used to be commit cfceb063f5)
This commit is contained in:
Volker Lendecke 2008-03-19 16:09:37 +01:00
parent bf10e7f939
commit ca63c6e079
3 changed files with 90 additions and 23 deletions

View File

@ -176,6 +176,14 @@ struct winbindd_domain {
time_t startup_time; /* When we set "startup" true. */
bool startup; /* are we in the first 30 seconds after startup_time ? */
bool can_do_samlogon_ex; /* Due to the lack of finer control what type
* of DC we have, let us try to do a
* credential-chain less samlogon_ex call
* with AD and schannel. If this fails with
* DCERPC_FAULT_OP_RNG_ERROR, then set this
* to False. This variable is around so that
* we don't have to try _ex every time. */
/* Lookup methods for this domain (LDAP or RPC) */
struct winbindd_methods *methods;

View File

@ -2403,6 +2403,11 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
no_schannel:
if ((lp_client_schannel() == False) ||
((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
/*
* NetSamLogonEx only works for schannel
*/
domain->can_do_samlogon_ex = False;
/* We're done - just keep the existing connection to NETLOGON
* open */
conn->netlogon_pipe = netlogon_pipe;
@ -2434,6 +2439,11 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
}
/*
* Try NetSamLogonEx for AD domains
*/
domain->can_do_samlogon_ex = domain->active_directory;
*cli = conn->netlogon_pipe;
return NT_STATUS_OK;
}

View File

@ -1283,6 +1283,17 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
/* check authentication loop */
do {
NTSTATUS (*logon_fn)(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
uint32 logon_parameters,
const char *server,
const char *username,
const char *domain,
const char *workstation,
const uint8 chal[8],
DATA_BLOB lm_response,
DATA_BLOB nt_response,
struct netr_SamInfo3 **info3);
ZERO_STRUCTP(my_info3);
retry = False;
@ -1294,19 +1305,32 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
goto done;
}
result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
state->mem_ctx,
0,
contact_domain->dcname, /* server name */
name_user, /* user name */
name_domain, /* target domain */
global_myname(), /* workstation */
chal,
lm_resp,
nt_resp,
&my_info3);
logon_fn = contact_domain->can_do_samlogon_ex
? rpccli_netlogon_sam_network_logon_ex
: rpccli_netlogon_sam_network_logon;
result = logon_fn(netlogon_pipe,
state->mem_ctx,
0,
contact_domain->dcname, /* server name */
name_user, /* user name */
name_domain, /* target domain */
global_myname(), /* workstation */
chal,
lm_resp,
nt_resp,
&my_info3);
attempts += 1;
if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
&& contact_domain->can_do_samlogon_ex) {
DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
"retrying with NetSamLogon\n"));
contact_domain->can_do_samlogon_ex = False;
retry = True;
continue;
}
/* We have to try a second time as cm_connect_netlogon
might not yet have noticed that the DC has killed
our connection. */
@ -1804,6 +1828,18 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
}
do {
NTSTATUS (*logon_fn)(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
uint32 logon_parameters,
const char *server,
const char *username,
const char *domain,
const char *workstation,
const uint8 chal[8],
DATA_BLOB lm_response,
DATA_BLOB nt_response,
struct netr_SamInfo3 **info3);
retry = False;
netlogon_pipe = NULL;
@ -1815,18 +1851,31 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
goto done;
}
result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
state->mem_ctx,
state->request.data.auth_crap.logon_parameters,
contact_domain->dcname,
name_user,
name_domain,
/* Bug #3248 - found by Stefan Burkei. */
workstation, /* We carefully set this above so use it... */
state->request.data.auth_crap.chal,
lm_resp,
nt_resp,
&info3);
logon_fn = contact_domain->can_do_samlogon_ex
? rpccli_netlogon_sam_network_logon_ex
: rpccli_netlogon_sam_network_logon;
result = logon_fn(netlogon_pipe,
state->mem_ctx,
state->request.data.auth_crap.logon_parameters,
contact_domain->dcname,
name_user,
name_domain,
/* Bug #3248 - found by Stefan Burkei. */
workstation, /* We carefully set this above so use it... */
state->request.data.auth_crap.chal,
lm_resp,
nt_resp,
&info3);
if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
&& contact_domain->can_do_samlogon_ex) {
DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
"retrying with NetSamLogon\n"));
contact_domain->can_do_samlogon_ex = False;
retry = True;
continue;
}
attempts += 1;