summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2002-08-05 02:47:46 +0000
committerAndrew Tridgell <tridge@samba.org>2002-08-05 02:47:46 +0000
commitab9ff0fa73f33c064a39859e39fa79af77cc088f (patch)
treed0bc61c7cb39446415e1c1a0f9a04972c251aee8 /source3/smbd
parentdd93ff381dff192f4e790df5078438497e2c36e8 (diff)
downloadsamba-ab9ff0fa73f33c064a39859e39fa79af77cc088f.tar.gz
samba-ab9ff0fa73f33c064a39859e39fa79af77cc088f.tar.bz2
samba-ab9ff0fa73f33c064a39859e39fa79af77cc088f.zip
This fixes a number of ADS problems, particularly with netbiosless
setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/negprot.c5
-rw-r--r--source3/smbd/server.c4
-rw-r--r--source3/smbd/sesssetup.c14
3 files changed, 18 insertions, 5 deletions
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index d8aea624be..1d79cbd5d0 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -200,14 +200,11 @@ static int negprot_spnego(char *p)
if (lp_security() != SEC_ADS) {
blob = spnego_gen_negTokenInit(guid, OIDs_plain, "NONE");
} else {
- ADS_STRUCT *ads;
- ads = ads_init_simple();
/* win2000 uses host$@REALM, which we will probably use eventually,
but for now this works */
- asprintf(&principal, "HOST/%s@%s", guid, ads->realm);
+ asprintf(&principal, "HOST/%s@%s", guid, lp_realm());
blob = spnego_gen_negTokenInit(guid, OIDs_krb5, principal);
free(principal);
- ads_destroy(&ads);
}
memcpy(p, blob.data, blob.length);
len = blob.length;
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 1eef3d98e8..d173fec00e 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -364,6 +364,10 @@ static BOOL open_sockets_smbd(BOOL is_daemon,const char *smb_ports)
set_socket_options(smbd_server_fd(),"SO_KEEPALIVE");
set_socket_options(smbd_server_fd(),user_socket_options);
+ /* this is needed so that we get decent entries
+ in smbstatus for port 445 connects */
+ fstrcpy(remote_machine, get_socket_addr(smbd_server_fd()));
+
/* Reset global variables in util.c so
that client substitutions will be
done correctly in the process. */
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index a00554e638..2e9e54b8d9 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -122,6 +122,12 @@ static int reply_spnego_kerberos(connection_struct *conn,
ads = ads_init_simple();
+ if (!ads) {
+ return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ }
+
+ ads->auth.realm = strdup(lp_realm());
+
ret = ads_verify_ticket(ads, &ticket, &client, &auth_data);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(1,("Failed to verify incoming ticket!\n"));
@@ -139,7 +145,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
}
*p = 0;
- if (strcasecmp(p+1, ads->realm) != 0) {
+ if (strcasecmp(p+1, ads->auth.realm) != 0) {
DEBUG(3,("Ticket for foreign realm %s@%s\n", client, p+1));
if (!lp_allow_trusted_domains()) {
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
@@ -379,6 +385,7 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
uint32 auth_flags = AUTH_FLAG_NONE;
auth_usersupplied_info *user_info = NULL;
auth_serversupplied_info *server_info = NULL;
+ extern fstring remote_machine;
/* we must have setup the auth context by now */
if (!ntlmssp_auth_context) {
@@ -413,6 +420,11 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
DEBUG(3,("Got user=[%s] workgroup=[%s] machine=[%s] len1=%d len2=%d\n",
user, workgroup, machine, lmhash.length, nthash.length));
+ /* the client has given us its machine name (which we otherwise would not get on port 445).
+ we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
+ fstrcpy(remote_machine, machine);
+ reload_services(True);
+
#if 0
file_save("nthash1.dat", nthash.data, nthash.length);
file_save("lmhash1.dat", lmhash.data, lmhash.length);