Merge dd9e0bea31751 from 3-0-ctdb -- use NetSamLogonEx when possible

NetSamLogonEx has the advantage that it does not use the credential chain (This used to be commit cfceb063f559f8549b8f24ce347be213c89303b0)
author: Volker Lendecke <vl@samba.org> 2008-03-19 16:09:37 +0100
committer: Volker Lendecke <vl@samba.org> 2008-03-19 17:00:53 +0100
commit: ca63c6e0796454c18a1d580df99cbd6d05f60672 (patch)
tree: a1bd1ae5736b89a59263115adb15896638f0dfef /source3/winbindd/winbindd_pam.c
parent: bf10e7f93960f18739a9110d59d0ca09bfaf6c03 (diff)
download: samba-ca63c6e0796454c18a1d580df99cbd6d05f60672.tar.gz
samba-ca63c6e0796454c18a1d580df99cbd6d05f60672.tar.bz2
samba-ca63c6e0796454c18a1d580df99cbd6d05f60672.zip
1 files changed, 72 insertions, 23 deletions
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index ef5a312eea..c56eb1b3f8 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1283,6 +1283,17 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
 	/* check authentication loop */
 
 	do {
+		NTSTATUS (*logon_fn)(struct rpc_pipe_client *cli,
+				     TALLOC_CTX *mem_ctx,
+				     uint32 logon_parameters,
+				     const char *server,
+				     const char *username,
+				     const char *domain,
+				     const char *workstation,
+				     const uint8 chal[8],
+				     DATA_BLOB lm_response,
+				     DATA_BLOB nt_response,
+				     struct netr_SamInfo3 **info3);
 
 		ZERO_STRUCTP(my_info3);
 		retry = False;
@@ -1294,19 +1305,32 @@ NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
 			goto done;
 		}
 
-		result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
-							   state->mem_ctx,
-							   0,
-							   contact_domain->dcname, /* server name */
-							   name_user,              /* user name */
-							   name_domain,            /* target domain */
-							   global_myname(),        /* workstation */
-							   chal,
-							   lm_resp,
-							   nt_resp,
-							   &my_info3);
+		logon_fn = contact_domain->can_do_samlogon_ex
+			? rpccli_netlogon_sam_network_logon_ex
+			: rpccli_netlogon_sam_network_logon;
+
+		result = logon_fn(netlogon_pipe,
+				  state->mem_ctx,
+				  0,
+				  contact_domain->dcname, /* server name */
+				  name_user,              /* user name */
+				  name_domain,            /* target domain */
+				  global_myname(),        /* workstation */
+				  chal,
+				  lm_resp,
+				  nt_resp,
+				  &my_info3);
 		attempts += 1;
 
+		if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
+		    && contact_domain->can_do_samlogon_ex) {
+			DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
+				  "retrying with NetSamLogon\n"));
+			contact_domain->can_do_samlogon_ex = False;
+			retry = True;
+			continue;
+		}
+
 		/* We have to try a second time as cm_connect_netlogon
 		   might not yet have noticed that the DC has killed
 		   our connection. */
@@ -1804,6 +1828,18 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 	}
 
 	do {
+		NTSTATUS (*logon_fn)(struct rpc_pipe_client *cli,
+				     TALLOC_CTX *mem_ctx,
+				     uint32 logon_parameters,
+				     const char *server,
+				     const char *username,
+				     const char *domain,
+				     const char *workstation,
+				     const uint8 chal[8],
+				     DATA_BLOB lm_response,
+				     DATA_BLOB nt_response,
+				     struct netr_SamInfo3 **info3);
+
 		retry = False;
 
 		netlogon_pipe = NULL;
@@ -1815,18 +1851,31 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 			goto done;
 		}
 
-		result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
-							   state->mem_ctx,
-							   state->request.data.auth_crap.logon_parameters,
-							   contact_domain->dcname,
-							   name_user,
-							   name_domain, 
-									/* Bug #3248 - found by Stefan Burkei. */
-							   workstation, /* We carefully set this above so use it... */
-							   state->request.data.auth_crap.chal,
-							   lm_resp,
-							   nt_resp,
-							   &info3);
+		logon_fn = contact_domain->can_do_samlogon_ex
+			? rpccli_netlogon_sam_network_logon_ex
+			: rpccli_netlogon_sam_network_logon;
+
+		result = logon_fn(netlogon_pipe,
+				  state->mem_ctx,
+				  state->request.data.auth_crap.logon_parameters,
+				  contact_domain->dcname,
+				  name_user,
+				  name_domain, 
+				  /* Bug #3248 - found by Stefan Burkei. */
+				  workstation, /* We carefully set this above so use it... */
+				  state->request.data.auth_crap.chal,
+				  lm_resp,
+				  nt_resp,
+				  &info3);
+
+		if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
+		    && contact_domain->can_do_samlogon_ex) {
+			DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
+				  "retrying with NetSamLogon\n"));
+			contact_domain->can_do_samlogon_ex = False;
+			retry = True;
+			continue;
+		}
 
 		attempts += 1;
author	Volker Lendecke <vl@samba.org>	2008-03-19 16:09:37 +0100
committer	Volker Lendecke <vl@samba.org>	2008-03-19 17:00:53 +0100
commit	ca63c6e0796454c18a1d580df99cbd6d05f60672 (patch)
tree	a1bd1ae5736b89a59263115adb15896638f0dfef /source3/winbindd/winbindd_pam.c
parent	bf10e7f93960f18739a9110d59d0ca09bfaf6c03 (diff)
download	samba-ca63c6e0796454c18a1d580df99cbd6d05f60672.tar.gz samba-ca63c6e0796454c18a1d580df99cbd6d05f60672.tar.bz2 samba-ca63c6e0796454c18a1d580df99cbd6d05f60672.zip