authorAndrew Bartlett <abartlet@samba.org>2002-06-15 11:15:31 +0000
committerAndrew Bartlett <abartlet@samba.org>2002-06-15 11:15:31 +0000
commitb075458ee7f7632dfa57c1ad8e35d5818f1bcc12 (patch)
treee7609caba5d706b8418b897b5800610cabb50caf /source3/auth/auth_domain.c
parent209fcbfb92dadbe82c7355a7104d4dbd3398096b (diff)
This patch does 2 things:
It extends the 'server mutex' to cover security=server, because the connection race condition exists here too, and while people *should* use security=domain, some sites don't.... (This probably should be done in 2.2 as well). Also, start to actually extract and use the information that the remote server returns in the info3 struct. The server mutex code is now in a new file. Andrew Bartlett (This used to be commit 9b0dabdf4ec3bb45879caae76e03b57ccdad8b4b)
Diffstat (limited to 'source3/auth/auth_domain.c')
-rw-r--r--source3/auth/auth_domain.c101
1 files changed, 12 insertions, 89 deletions
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index b41848076d..8c6bb8908f 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -29,32 +29,6 @@ BOOL global_machine_password_needs_changing = False;
extern pstring global_myname;
extern userdom_struct current_user_info;
-static char *mutex_server_name;
-
-static BOOL grab_server_mutex(const char *name)
-{
- mutex_server_name = strdup(name);
- if (!mutex_server_name) {
- DEBUG(0,("grab_server_mutex: malloc failed for %s\n", name));
- return False;
- }
- if (!message_named_mutex(name, 20)) {
- DEBUG(10,("grab_server_mutex: failed for %s\n", name));
- SAFE_FREE(mutex_server_name);
- return False;
- }
-
- return True;
-}
-
-static void release_server_mutex(void)
-{
- if (mutex_server_name) {
- message_named_mutex_release(mutex_server_name);
- SAFE_FREE(mutex_server_name);
- }
-}
-
/**
* Connect to a remote server for domain security authenticaion.
*
@@ -113,9 +87,10 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
logonserver. We can avoid a 30-second timeout if the DC is down
if the SAMLOGON request fails as it is only over UDP. */
- /* we use a mutex to prevent two connections at once - when a NT PDC gets
- two connections where one hasn't completed a negprot yet it will send a
- TCP reset to the first connection (tridge) */
+ /* we use a mutex to prevent two connections at once - when a
+ Win2k PDC get two connections where one hasn't completed a
+ session setup yet it will send a TCP reset to the first
+ connection (tridge) */
/*
* With NT4.x DC's *all* authentication must be serialized to avoid
@@ -307,14 +282,13 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
auth_serversupplied_info **server_info,
char *server, char *setup_creds_as,
uint16 sec_chan,
- unsigned char *trust_passwd,
+ unsigned char trust_passwd[16],
time_t last_change_time)
{
fstring remote_machine;
NET_USER_INFO_3 info3;
struct cli_state *cli = NULL;
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct passwd *pass;
/*
* At this point, smb_apasswd points to the lanman response to
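Review bot: The new parameter spelling `unsigned char trust_passwd[16]` documents the expected length but does not enforce it — an array parameter decays to `unsigned char *`, so a caller handing over a shorter buffer still compiles. Consider stating that where the parameter is documented, e.g. `/* trust_passwd: caller must supply exactly 16 bytes; the [16] is not checked by the compiler */`, or keep the pointer form and pass an explicit length alongside it. The body of domain_client_validate continues outside this hunk.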
@@ -358,63 +332,14 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
user_info->domain.str, cli->srv_name_slash,
nt_errstr(nt_status)));
} else {
- char *dom_user;
-
- /* Check DOMAIN\username first to catch winbind users, then
- just the username for local users. */
+ nt_status = make_server_info_info3(mem_ctx, domain, server_info, &info3);
+#if 0
+ /* The stuff doesn't work right yet */
+ SMB_ASSERT(sizeof((*server_info)->session_key) == sizeof(info3.user_sess_key));
+ memcpy((*server_info)->session_key, info3.user_sess_key, sizeof((*server_info)->session_key)/* 16 */);
+ SamOEMhash((*server_info)->session_key, trust_passwd, sizeof((*server_info)->session_key));
+#endif
- dom_user = talloc_asprintf(mem_ctx, "%s%s%s", user_info->domain.str,
- lp_winbind_separator(),
- user_info->internal_username.str);
-
- if (!dom_user) {
- DEBUG(0, ("talloc_asprintf failed!\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- } else {
-
- if (!(pass = Get_Pwnam(dom_user)))
- pass = Get_Pwnam(user_info->internal_username.str);
-
- if (pass) {
- make_server_info_pw(server_info, pass);
- if (!server_info) {
- nt_status = NT_STATUS_NO_MEMORY;
- }
- } else {
- nt_status = NT_STATUS_NO_SUCH_USER;
- }
- }
- }
-
- /* Store the user group information in the server_info returned to the caller. */
-
- if (NT_STATUS_IS_OK(nt_status) && (info3.num_groups2 != 0)) {
- int i;
- NT_USER_TOKEN *ptok;
- auth_serversupplied_info *pserver_info = *server_info;
-
- if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) {
- DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- free_server_info(server_info);
- goto done;
- }
-
- ptok = pserver_info->ptok;
- ptok->num_sids = (size_t)info3.num_groups2;
-
- if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) {
- DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- free_server_info(server_info);
- goto done;
- }
-
- for (i = 0; i < ptok->num_sids; i++) {
- sid_copy(&ptok->user_sids[i], &info3.dom_sid.sid);
- sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid);
- }
-
uni_group_cache_store_netlogon(mem_ctx, &info3);
}
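Review bot: `uni_group_cache_store_netlogon(mem_ctx, &info3);` now runs even when the preceding `nt_status = make_server_info_info3(mem_ctx, domain, server_info, &info3);` fails, whereas the removed block only processed group data under `NT_STATUS_IS_OK(nt_status)`. If caching the DC's info3 after a failed server_info build is intended, say so in a comment; otherwise guard it with `if (NT_STATUS_IS_OK(nt_status)) { uni_group_cache_store_netlogon(mem_ctx, &info3); }`. With the session-key code under `#if 0`, trust_passwd appears to have no remaining use on the new side as far as this hunk shows, which compilers will report as an unused parameter; a comment on the `#if 0` saying what specifically "doesn't work right" (the key copy, or the SamOEMhash step) would help whoever finishes it. domain_client_validate starts and ends outside this hunk.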
@@ -434,8 +359,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
}
#endif /* 0 */
- done:
-
/* Note - once the cli stream is shutdown the mem_ctx used
to allocate the other_sids and gids structures has been deleted - so
these pointers are no longer valid..... */