trying to get HEAD building again. If you want the code

prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE
(This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)

1 files changed, 189 insertions, 83 deletions

diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 2998372bd2..8df0f621c0 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -1,4 +1,4 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
 
    Winbind daemon - pam auth funcions
@@ -53,7 +53,58 @@ static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
-/* Return a password structure from a username.  */
+/*******************************************************************
+ wrapper around retreiving the trsut account password 
+*******************************************************************/
+
+static BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16],
+                          time_t *pass_last_set_time, uint32 *channel)
+{
+	DOM_SID sid;
+	char *pwd;
+
+	/* if we are a DC and this is not our domain, then lookup an account
+	   for the domain trust */
+	   
+	if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) 
+	{
+		if ( !secrets_fetch_trusted_domain_password(domain, &pwd, &sid, 
+			pass_last_set_time) ) 
+		{
+			DEBUG(0, ("get_trust_pw: could not fetch trust account "
+				  "password for trusted domain %s\n", domain));
+			return False;
+		}
+		
+		*channel = SEC_CHAN_DOMAIN;
+		E_md4hash(pwd, ret_pwd);
+		SAFE_FREE(pwd);
+
+		return True;
+	}
+	else 	/* just get the account for our domain (covers 
+		   ROLE_DOMAIN_MEMBER as well */
+	{
+		/* get the machine trust account for our domain */
+
+		if ( !secrets_fetch_trust_account_password (lp_workgroup(), ret_pwd,
+			pass_last_set_time, channel) ) 
+		{
+			DEBUG(0, ("get_trust_pw: could not fetch trust account "
+				  "password for my domain %s\n", domain));
+			return False;
+		}
+		
+		return True;
+	}
+	
+	/* Failure */
+	return False;
+}
+
+/**********************************************************************
+ Authenticate a user with a clear test password
+**********************************************************************/
 
 enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) 
 {
@@ -68,6 +119,11 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 	TALLOC_CTX *mem_ctx = NULL;
 	DATA_BLOB lm_resp;
 	DATA_BLOB nt_resp;
+	DOM_CRED ret_creds;
+	int attempts = 0;
+	unsigned char local_lm_response[24];
+	unsigned char local_nt_response[24];
+	const char *contact_domain;
 
 	/* Ensure null termination */
 	state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
@@ -86,58 +142,85 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 
 	/* Parse domain and username */
 	
-	if (!parse_domain_user(state->request.data.auth.user, name_domain, 
-			       name_user)) {
+	parse_domain_user(state->request.data.auth.user, name_domain, name_user);
+	if ( !name_domain ) {
 		DEBUG(5,("no domain separator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state->request.data.auth.user));
 		result = NT_STATUS_INVALID_PARAMETER;
 		goto done;
 	}
 
-	{
-		unsigned char local_lm_response[24];
-		unsigned char local_nt_response[24];
-		
-		generate_random_buffer(chal, 8, False);
-		SMBencrypt(state->request.data.auth.pass, chal, local_lm_response);
+	/* do password magic */
+	
+	generate_random_buffer(chal, 8, False);
+	SMBencrypt(state->request.data.auth.pass, chal, local_lm_response);
 		
-		SMBNTencrypt(state->request.data.auth.pass, chal, local_nt_response);
+	SMBNTencrypt(state->request.data.auth.pass, chal, local_nt_response);
 
-		lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
-		nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
-	}
+	lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
+	nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
 	
-	/*
-	 * Get the machine account password for our primary domain
-	 */
-
-	if (!secrets_fetch_trust_account_password(
-                lp_workgroup(), trust_passwd, &last_change_time,
-		&sec_channel_type)) {
-		DEBUG(0, ("winbindd_pam_auth: could not fetch trust account "
-                          "password for domain %s\n", lp_workgroup()));
+	if ( !get_trust_pw(name_domain, trust_passwd, &last_change_time, &sec_channel_type) ) {
 		result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 		goto done;
 	}
 
-	ZERO_STRUCT(info3);
+	/* what domain should we contact? */
+	
+	if ( IS_DC )
+		contact_domain = name_domain;
+	else
+		contact_domain = lp_workgroup();
+		
+	/* check authentication loop */
+
+	do {
+		ZERO_STRUCT(info3);
+		ZERO_STRUCT(ret_creds);
+	
+		/* Don't shut this down - it belongs to the connection cache code */
+		result = cm_get_netlogon_cli(contact_domain, trust_passwd, 
+					     sec_channel_type, False, &cli);
+
+		if (!NT_STATUS_IS_OK(result)) {
+			DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
+			goto done;
+		}
+
+		result = cli_netlogon_sam_network_logon(cli, mem_ctx,
+							&ret_creds,
+							name_user, name_domain, 
+							global_myname(), chal, 
+							lm_resp, nt_resp,
+							&info3);
+		attempts += 1;
+		
+		/* if we get access denied, a possible cuase was that we had and open
+		   connection to the DC, but someone changed our machine accoutn password
+		   out from underneath us using 'net rpc changetrustpw' */
+		   
+		if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) {
+			DEBUG(3,("winbindd_pam_auth: sam_logon returned ACCESS_DENIED.  Maybe the trust account "
+				"password was changed and we didn't know it.  Killing connections to domain %s\n",
+				name_domain));
+			winbindd_cm_flush();
+			cli->fd = -1;
+		} 
+		
+		/* We have to try a second time as cm_get_netlogon_cli
+		   might not yet have noticed that the DC has killed
+		   our connection. */
+
+	} while ( (attempts < 2) && (cli->fd == -1) );
+
+        
+	clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
+	
+	if (NT_STATUS_IS_OK(result)) {
+		netsamlogon_cache_store( cli->mem_ctx, &info3 );
+		wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
+	}
 	
-	/* Don't shut this down - it belongs to the connection cache code */
-        result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, 
-				     sec_channel_type, 
-				     &cli);
-
-        if (!NT_STATUS_IS_OK(result)) {
-                DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
-                goto done;
-        }
-
-	result = cli_netlogon_sam_network_logon(cli, mem_ctx,
-						name_user, name_domain, 
-						global_myname(), chal, 
-						lm_resp, nt_resp, 
-						&info3);
         
-	uni_group_cache_store_netlogon(mem_ctx, &info3);
 done:
 	
 	/* give us a more useful (more correct?) error code */
@@ -160,8 +243,10 @@ done:
 	
 	return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
 }
-	
-/* Challenge Response Authentication Protocol */
+
+/**********************************************************************
+ Challenge Response Authentication Protocol 
+**********************************************************************/
 
 enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) 
 {
@@ -174,8 +259,10 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 	TALLOC_CTX *mem_ctx = NULL;
 	char *user = NULL;
 	const char *domain = NULL;
-	const char *contact_domain;
 	const char *workstation;
+	const char *contact_domain;
+	DOM_CRED ret_creds;
+	int attempts = 0;
 
 	DATA_BLOB lm_resp, nt_resp;
 
@@ -220,11 +307,10 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 
 	DEBUG(3, ("[%5d]: pam auth crap domain: %s user: %s\n", state->pid,
 		  domain, user));
-
-	if (lp_allow_trusted_domains() && (state->request.data.auth_crap.flags & WINBIND_PAM_CONTACT_TRUSTDOM)) {
-		contact_domain = domain;
-	} else {
-		contact_domain = lp_workgroup();
+	   
+	if ( !get_trust_pw(domain, trust_passwd, &last_change_time, &sec_channel_type) ) {
+		result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		goto done;
 	}
 
 	if (*state->request.data.auth_crap.workstation) {
@@ -249,47 +335,68 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 	lm_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len);
 	nt_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len);
 	
-	/*
-	 * Get the machine account password for the domain to contact.
-	 * This is either our own domain for a workstation, or possibly
-	 * any domain for a PDC with trusted domains.
-	 */
-
-	if (!secrets_fetch_trust_account_password (
-                contact_domain, trust_passwd, &last_change_time,
-		&sec_channel_type)) {
-		DEBUG(0, ("winbindd_pam_auth: could not fetch trust account "
-                          "password for domain %s\n", contact_domain));
-		result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-		goto done;
-	}
+	/* what domain should we contact? */
+	
+	if ( IS_DC )
+		contact_domain = domain;
+	else
+		contact_domain = lp_workgroup();
+	
+	do {
+		ZERO_STRUCT(info3);
+		ZERO_STRUCT(ret_creds);
+
+		/* Don't shut this down - it belongs to the connection cache code */
+		result = cm_get_netlogon_cli(contact_domain, trust_passwd, sec_channel_type, False, &cli);
 
-	ZERO_STRUCT(info3);
+		if (!NT_STATUS_IS_OK(result)) {
+			DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
+				  nt_errstr(result)));
+			goto done;
+		}
 
-	/* Don't shut this down - it belongs to the connection cache code */
-        result = cm_get_netlogon_cli(contact_domain, trust_passwd, sec_channel_type, &cli);
+		result = cli_netlogon_sam_network_logon(cli, mem_ctx,
+							&ret_creds,
+							user, domain,
+							workstation,
+							state->request.data.auth_crap.chal, 
+							lm_resp, nt_resp, 
+							&info3);
+
+		attempts += 1;
+
+		/* if we get access denied, a possible cuase was that we had and open
+		   connection to the DC, but someone changed our machine accoutn password
+		   out from underneath us using 'net rpc changetrustpw' */
+		   
+		if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) {
+			DEBUG(3,("winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED.  Maybe the trust account "
+				"password was changed and we didn't know it.  Killing connections to domain %s\n",
+				domain));
+			winbindd_cm_flush();
+			cli->fd = -1;
+		} 
+		
+		/* We have to try a second time as cm_get_netlogon_cli
+		   might not yet have noticed that the DC has killed
+		   our connection. */
 
-        if (!NT_STATUS_IS_OK(result)) {
-                DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n", nt_errstr(result)));
-                goto done;
-        }
+	} while ( (attempts < 2) && (cli->fd == -1) );
 
-	result = cli_netlogon_sam_network_logon(cli, mem_ctx,
-						user, domain,
-						workstation, state->request.data.auth_crap.chal, 
-						lm_resp, nt_resp, 
-						&info3);
+	clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
         
 	if (NT_STATUS_IS_OK(result)) {
-		uni_group_cache_store_netlogon(mem_ctx, &info3);
-		if (state->request.data.auth_crap.flags & WINBIND_PAM_INFO3_NDR) {
+		netsamlogon_cache_store( cli->mem_ctx, &info3 );
+		wcache_invalidate_samlogon(find_domain_from_name(domain), &info3);
+		
+		if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
 			result = append_info3_as_ndr(mem_ctx, state, &info3);
 		}
-
-		if (state->request.data.auth_crap.flags & WINBIND_PAM_NTKEY) {
+		
+		if (state->request.flags & WBFLAG_PAM_NTKEY) {
 			memcpy(state->response.data.auth.nt_session_key, info3.user_sess_key, sizeof(state->response.data.auth.nt_session_key) /* 16 */);
 		}
-		if (state->request.data.auth_crap.flags & WINBIND_PAM_LMKEY) {
+		if (state->request.flags & WBFLAG_PAM_LMKEY) {
 			memcpy(state->response.data.auth.first_8_lm_hash, info3.padding, sizeof(state->response.data.auth.first_8_lm_hash) /* 8 */);
 		}
 	}
@@ -337,8 +444,8 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
 	if (state == NULL)
 		return WINBINDD_ERROR;
 
-	if (!parse_domain_user(state->request.data.chauthtok.user, domain, 
-			       user)) {
+	parse_domain_user(state->request.data.chauthtok.user, domain, user);
+	if ( !*domain ) {
 		result = NT_STATUS_INVALID_PARAMETER;
 		goto done;
 	}
@@ -350,9 +457,8 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
 
 	/* Get sam handle */
 
-	if (!(hnd = cm_get_sam_handle(domain))) {
+	if ( NT_STATUS_IS_ERR(result = cm_get_sam_handle(domain, &hnd)) ) {
 		DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
-		result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
 		goto done;
 	}