diff options
author | Gerald Carter <jerry@samba.org> | 2007-09-28 18:15:34 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:31:03 -0500 |
commit | 5221ebb299081da6a806362212c6a8ceb9cc70a8 (patch) | |
tree | 40822494127c0bebd85a6db2c27115e923e91ae8 | |
parent | 58a9621904f0334d8f5a1f34e2dfd95409e7c68d (diff) | |
download | samba-5221ebb299081da6a806362212c6a8ceb9cc70a8.tar.gz samba-5221ebb299081da6a806362212c6a8ceb9cc70a8.tar.bz2 samba-5221ebb299081da6a806362212c6a8ceb9cc70a8.zip |
r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree.
The translate_name() used by cli_session_setup_spnego() cann rely
Winbindd since it is needed by the join process (and hence before
Winbind can be run).
(This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c)
-rw-r--r-- | source3/auth/auth_domain.c | 2 | ||||
-rw-r--r-- | source3/include/rpc_dce.h | 2 | ||||
-rw-r--r-- | source3/libads/sasl.c | 4 | ||||
-rw-r--r-- | source3/libads/util.c | 54 | ||||
-rw-r--r-- | source3/libsmb/cliconnect.c | 38 | ||||
-rw-r--r-- | source3/libsmb/clispnego.c | 19 | ||||
-rw-r--r-- | source3/libsmb/namequery.c | 29 | ||||
-rw-r--r-- | source3/libsmb/trusts_util.c | 2 | ||||
-rw-r--r-- | source3/rpc_client/cli_pipe.c | 4 | ||||
-rw-r--r-- | source3/rpcclient/rpcclient.c | 2 | ||||
-rw-r--r-- | source3/utils/net_rpc_join.c | 4 | ||||
-rw-r--r-- | source3/utils/net_rpc_samsync.c | 2 | ||||
-rw-r--r-- | source3/winbindd/winbindd_cm.c | 2 |
13 files changed, 53 insertions, 111 deletions
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 0010d8bc26..1e6857230f 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -124,7 +124,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); if (!lp_client_schannel()) { /* We need to set up a creds chain on an unauthenticated netlogon pipe. */ - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; uint32 sec_chan_type = 0; unsigned char machine_pwd[16]; diff --git a/source3/include/rpc_dce.h b/source3/include/rpc_dce.h index 3b315b7ef8..7ea3fcbc23 100644 --- a/source3/include/rpc_dce.h +++ b/source3/include/rpc_dce.h @@ -111,8 +111,6 @@ enum RPC_PKT_TYPE { /* these are the flags that ADS clients use */ #define NETLOGON_NEG_AUTH2_ADS_FLAGS (0x200fbffb | NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_128BIT | NETLOGON_NEG_SCHANNEL) -#define NETLOGON_NEG_SELECT_AUTH2_FLAGS ((lp_security() == SEC_ADS) ? NETLOGON_NEG_AUTH2_ADS_FLAGS : NETLOGON_NEG_AUTH2_FLAGS) - enum schannel_direction { SENDER_IS_INITIATOR, SENDER_IS_ACCEPTOR diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 590052ec85..dec8756a86 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -747,7 +747,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) char *OIDs[ASN1_MAX_OIDS]; #ifdef HAVE_KRB5 BOOL got_kerberos_mechanism = False; - BOOL try_kerberos = True; #endif rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred); @@ -785,8 +784,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) #endif free(OIDs[i]); } - DEBUG(3,("ads_sasl_spnego_bind: got server principal name = %s\n", - (given_principal ? given_principal : NULL))); + DEBUG(3,("ads_sasl_spnego_bind: got server principal name = %s\n", given_principal)); #ifdef HAVE_KRB5 if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && diff --git a/source3/libads/util.c b/source3/libads/util.c index 472fe4a214..af96c3e10a 100644 --- a/source3/libads/util.c +++ b/source3/libads/util.c @@ -55,45 +55,57 @@ failed: ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads, char **returned_principal) { - ADS_STATUS status; char *princ = NULL; - char *server = NULL; - char *server_realm = NULL; if (ads->server.realm && ads->server.ldap_server) { + char *server, *server_realm; + server = SMB_STRDUP(ads->server.ldap_server); server_realm = SMB_STRDUP(ads->server.realm); - if (!server || !server_realm) { - status = ADS_ERROR(LDAP_NO_MEMORY); - goto fail; + if (!server || !server_realm) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + strlower_m(server); + strupper_m(server_realm); + asprintf(&princ, "ldap/%s@%s", server, server_realm); + + SAFE_FREE(server); + SAFE_FREE(server_realm); + + if (!princ) { + return ADS_ERROR(LDAP_NO_MEMORY); } } else if (ads->config.realm && ads->config.ldap_server_name) { + char *server, *server_realm; + server = SMB_STRDUP(ads->config.ldap_server_name); server_realm = SMB_STRDUP(ads->config.realm); - if (!server || !server_realm) { - status = ADS_ERROR(LDAP_NO_MEMORY); - goto fail; - } - } + if (!server || !server_realm) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + strlower_m(server); + strupper_m(server_realm); + asprintf(&princ, "ldap/%s@%s", server, server_realm); - strlower_m(server); - strupper_m(server_realm); - asprintf(&princ, "ldap/%s@%s", server, server_realm); + SAFE_FREE(server); + SAFE_FREE(server_realm); + + if (!princ) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + } if (!princ) { - status = ADS_ERROR(LDAP_PARAM_ERROR); + return ADS_ERROR(LDAP_PARAM_ERROR); } *returned_principal = princ; - status = ADS_SUCCESS; - -fail: - SAFE_FREE(server); - SAFE_FREE(server_realm); - return status; + return ADS_SUCCESS; } #endif diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index a4bbf9a6ec..820a904ea4 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -822,36 +822,20 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, free(OIDs[i]); } + DEBUG(3,("got principal=%s\n", principal ? principal : "<null>")); if (got_kerberos_mechanism && (principal == NULL)) { - fstring dns_name; - fstring nb_name; - /* - * We didn't get a valid principal in the negTokenInit. Fake - * it, or fall back on NTLM. We prefer to fake it, and hit the - * translate_name cache to get a REAL realm name. - */ - if (!(cli->desthost && translate_name(domain, dns_name, - nb_name) && - asprintf(&principal, "host/%s@%s", cli->desthost, - dns_name))) { - - /* - * It is WRONG to depend on the principal sent in the - * negprot reply, but right now we do it. So for safety - * (don't segfault later) disable Kerberos when no - * principal was sent. -- VL - */ - DEBUG(1, ("Kerberos mech was offered, but no principal was " - "sent, disabling Kerberos\n")); - cli->use_kerberos = False; - } - + * It is WRONG to depend on the principal sent in the negprot + * reply, but right now we do it. So for safety (don't + * segfault later) disable Kerberos when no principal was + * sent. -- VL + */ + DEBUG(1, ("Kerberos mech was offered, but no principal was " + "sent, disabling Kerberos\n")); + cli->use_kerberos = False; } - DEBUG(3,("got principal=%s\n", principal ? principal : "<null>")); - fstrcpy(cli->user_name, user); #ifdef HAVE_KRB5 @@ -888,9 +872,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, ntlmssp: - /* NTLM is sensitive to adding a domain with a UPN */ - return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, - (strchr(user, '@') ? NULL : domain))); + return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain)); } /**************************************************************************** diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c index c45883d890..9432ce81d3 100644 --- a/source3/libsmb/clispnego.c +++ b/source3/libsmb/clispnego.c @@ -52,18 +52,7 @@ DATA_BLOB spnego_gen_negTokenInit(char guid[16], asn1_push_tag(&data, ASN1_CONTEXT(3)); asn1_push_tag(&data, ASN1_SEQUENCE(0)); asn1_push_tag(&data, ASN1_CONTEXT(0)); - - /* - * @todo - * Windows 2008 sends a bogus principal, since this - * is not truly supported in the SPNEGO protocol. - * - * We should do the same, but I'm worried this will break things, - * such as DFS. - * todd.stecher@isilon.com - */ asn1_write_GeneralString(&data,principal); - asn1_pop_tag(&data); asn1_pop_tag(&data); asn1_pop_tag(&data); @@ -165,14 +154,6 @@ BOOL spnego_parse_negTokenInit(DATA_BLOB blob, asn1_start_tag(&data, ASN1_SEQUENCE(0)); asn1_start_tag(&data, ASN1_CONTEXT(0)); asn1_read_GeneralString(&data,principal); - /* - * Windows 2008 sends a bogus principal, since this - * is not truly supported in the SPNEGO protocol. - * todd.stecher@isilon.com - */ - if (strcmp(ADS_IGNORE_PRINCIPAL, *principal) == 0) - SAFE_FREE(*principal); - asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c index 4a7ae0c2e5..49e3375f50 100644 --- a/source3/libsmb/namequery.c +++ b/source3/libsmb/namequery.c @@ -1714,32 +1714,3 @@ NTSTATUS get_kdc_list( const char *realm, const char *sitename, struct ip_servic return NT_STATUS_OK; } - - -BOOL translate_name(const char *realm, fstring dns_domain_name, - fstring nb_domain_name) -{ - struct winbindd_request request; - struct winbindd_response response; - NSS_STATUS wb_result; - - /* Call winbindd */ - - ZERO_STRUCT(request); - ZERO_STRUCT(response); - - fstrcpy(request.domain_name, realm); - wb_result = winbindd_request_response(WINBINDD_DOMAIN_INFO, - &request, &response); - - if (wb_result != NSS_STATUS_SUCCESS) { - DEBUG(0, ("Failed to translate %s\n", realm)); - return False; - } - - fstrcpy(dns_domain_name, response.data.domain_info.alt_name); - fstrcpy(nb_domain_name, response.data.domain_info.name); - - return True; - -} diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 4a231dcd15..0922f9f41e 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -40,7 +40,7 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX already have valid creds. If not we must set them up. */ if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; result = rpccli_netlogon_setup_creds(cli, cli->cli->desthost, /* server name */ diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 314a694369..db696edae5 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -2633,7 +2633,7 @@ struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state const char *password, NTSTATUS *perr) { - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; struct rpc_pipe_client *netlogon_pipe = NULL; struct rpc_pipe_client *result = NULL; @@ -2667,7 +2667,7 @@ struct rpc_pipe_client *cli_rpc_pipe_open_schannel(struct cli_state *cli, const char *domain, NTSTATUS *perr) { - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; struct rpc_pipe_client *netlogon_pipe = NULL; struct rpc_pipe_client *result = NULL; diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index d2fa409fff..b43ce09f46 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -605,7 +605,7 @@ static NTSTATUS do_cmd(struct cli_state *cli, } if (cmd_entry->pipe_idx == PI_NETLOGON) { - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; uint32 sec_channel_type; uchar trust_password[16]; diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 0561548c8f..b32fa27284 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -45,7 +45,7 @@ NTSTATUS net_rpc_join_ok(const char *domain, const char *server, { enum security_types sec; unsigned int conn_flags = NET_FLAGS_PDC; - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; struct cli_state *cli = NULL; struct rpc_pipe_client *pipe_hnd = NULL; struct rpc_pipe_client *netlogon_pipe = NULL; @@ -132,7 +132,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) struct cli_state *cli; TALLOC_CTX *mem_ctx; uint32 acb_info = ACB_WSTRUST; - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0); + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0); uint32 sec_channel_type; struct rpc_pipe_client *pipe_hnd = NULL; diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c index 3959015dbb..72b7f63cc4 100644 --- a/source3/utils/net_rpc_samsync.c +++ b/source3/utils/net_rpc_samsync.c @@ -237,7 +237,7 @@ NTSTATUS rpc_samdump_internals(const DOM_SID *domain_sid, NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; uchar trust_password[16]; - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; uint32 sec_channel_type = 0; if (!secrets_fetch_trust_account_password(domain_name, diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index f08789052d..9ffb3dfb23 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2141,7 +2141,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, struct winbindd_cm_conn *conn; NTSTATUS result; - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; uint8 mach_pwd[16]; uint32 sec_chan_type; const char *account_name; |