diff options
| -rw-r--r-- | source3/Makefile.in | 13 | ||||
| -rw-r--r-- | source3/auth/auth_domain.c | 260 | ||||
| -rw-r--r-- | source3/auth/auth_util.c | 11 | ||||
| -rw-r--r-- | source3/libsmb/namequery_dc.c | 71 | ||||
| -rw-r--r-- | source3/libsmb/trusts_util.c | 10 | ||||
| -rw-r--r-- | source3/nsswitch/winbindd_cm.c | 70 | ||||
| -rw-r--r-- | source3/passdb/passdb.c | 11 | ||||
| -rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 27 |
8 files changed, 167 insertions, 306 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index 95a0968be0..ab3693146e 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -230,7 +230,7 @@ LIBMSRPC_OBJ = rpc_client/cli_lsarpc.o rpc_client/cli_samr.o \ rpc_client/cli_wkssvc.o rpc_client/cli_dfs.o \ rpc_client/cli_reg.o rpc_client/cli_pipe.o \ rpc_client/cli_spoolss.o rpc_client/cli_spoolss_notify.o \ - rpc_client/cli_ds.o rpc_client/cli_echo.o libsmb/namequery_dc.o + rpc_client/cli_ds.o rpc_client/cli_echo.o LIBMSRPC_SERVER_OBJ = libsmb/trusts_util.o @@ -309,7 +309,7 @@ VFS_NETATALK_OBJ = modules/vfs_netatalk.o PLAINTEXT_AUTH_OBJ = auth/pampass.o auth/pass_check.o -UNIGRP_OBJ = libsmb/samlogon_cache.o +SLCACHE_OBJ = libsmb/samlogon_cache.o AUTH_BUILTIN_OBJ = auth/auth_builtin.o AUTH_DOMAIN_OBJ = auth/auth_domain.o @@ -320,8 +320,8 @@ AUTH_UNIX_OBJ = auth/auth_unix.o AUTH_WINBIND_OBJ = auth/auth_winbind.o AUTH_OBJ = auth/auth.o @AUTH_STATIC@ auth/auth_util.o auth/auth_compat.o \ - auth/auth_ntlmssp.o \ - $(PLAINTEXT_AUTH_OBJ) $(UNIGRP_OBJ) + auth/auth_ntlmssp.o libsmb/namequery_dc.o \ + $(PLAINTEXT_AUTH_OBJ) $(SLCACHE_OBJ) MANGLE_OBJ = smbd/mangle.o smbd/mangle_hash.o smbd/mangle_map.o smbd/mangle_hash2.o @@ -595,13 +595,14 @@ WINBINDD_OBJ1 = \ nsswitch/winbindd_rpc.o \ nsswitch/winbindd_ads.o \ nsswitch/winbindd_dual.o \ - nsswitch/winbindd_passdb.o + nsswitch/winbindd_passdb.o \ + libsmb/namequery_dc.o WINBINDD_OBJ = \ $(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \ $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \ $(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \ - $(PROFILE_OBJ) $(UNIGRP_OBJ) $(IDMAP_OBJ) $(SMBLDAP_OBJ) \ + $(PROFILE_OBJ) $(SLCACHE_OBJ) $(IDMAP_OBJ) $(SMBLDAP_OBJ) \ $(SECRETS_OBJ) $(LIBADS_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) WBINFO_OBJ = nsswitch/wbinfo.o $(LIBSAMBA_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \ diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 39ec864f75..80320d8266 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -29,86 +29,6 @@ extern BOOL global_machine_password_needs_changing; extern userdom_struct current_user_info; -/* - resolve the name of a DC in ways appropriate for an ADS domain mode - an ADS domain may not have Netbios enabled at all, so this is - quite different from the RPC case - Note that we ignore the 'server' parameter here. That has the effect of using - the 'ADS server' smb.conf parameter, which is what we really want anyway - */ -static NTSTATUS ads_resolve_dc(fstring remote_machine, - struct in_addr *dest_ip) -{ - ADS_STRUCT *ads; - ads = ads_init_simple(); - if (!ads) { - return NT_STATUS_NO_LOGON_SERVERS; - } - - DEBUG(4,("ads_resolve_dc: realm=%s\n", ads->config.realm)); - - ads->auth.flags |= ADS_AUTH_NO_BIND; - -#ifdef HAVE_ADS - /* a full ads_connect() is actually overkill, as we don't srictly need - to do the SASL auth in order to get the info we need, but libads - doesn't offer a better way right now */ - ads_connect(ads); -#endif - - fstrcpy(remote_machine, ads->config.ldap_server_name); - strupper(remote_machine); - *dest_ip = ads->ldap_ip; - ads_destroy(&ads); - - if (!*remote_machine || is_zero_ip(*dest_ip)) { - return NT_STATUS_NO_LOGON_SERVERS; - } - - DEBUG(4,("ads_resolve_dc: using server='%s' IP=%s\n", - remote_machine, inet_ntoa(*dest_ip))); - - return NT_STATUS_OK; -} - -/* - resolve the name of a DC in ways appropriate for RPC domain mode - this relies on the server supporting netbios and port 137 not being - firewalled - */ -static NTSTATUS rpc_resolve_dc(const char *server, - fstring remote_machine, - struct in_addr *dest_ip) -{ - if (is_ipaddress(server)) { - struct in_addr to_ip = *interpret_addr2(server); - - /* we need to know the machines netbios name - this is a lousy - way to find it, but until we have a RPC call that does this - it will have to do */ - if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { - DEBUG(2, ("rpc_resolve_dc: Can't resolve name for IP %s\n", server)); - return NT_STATUS_NO_LOGON_SERVERS; - } - - *dest_ip = to_ip; - return NT_STATUS_OK; - } - - fstrcpy(remote_machine, server); - strupper(remote_machine); - if (!resolve_name(remote_machine, dest_ip, 0x20)) { - DEBUG(1,("rpc_resolve_dc: Can't resolve address for %s\n", - remote_machine)); - return NT_STATUS_NO_LOGON_SERVERS; - } - - DEBUG(4,("rpc_resolve_dc: using server='%s' IP=%s\n", - remote_machine, inet_ntoa(*dest_ip))); - - return NT_STATUS_OK; -} - /** * Connect to a remote server for domain security authenticaion. * @@ -121,35 +41,14 @@ static NTSTATUS rpc_resolve_dc(const char *server, **/ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, - const char *server, + const char *dc_name, struct in_addr dc_ip, const char *setup_creds_as, uint16 sec_chan, const unsigned char *trust_passwd, BOOL *retry) { - struct in_addr dest_ip; - fstring remote_machine; NTSTATUS result; - *retry = False; - - if (lp_security() == SEC_ADS) - result = ads_resolve_dc(remote_machine, &dest_ip); - else - result = rpc_resolve_dc(server, remote_machine, &dest_ip); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(2,("connect_to_domain_password_server: unable to resolve DC: %s\n", - nt_errstr(result))); - return result; - } - - if (ismyip(dest_ip)) { - DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", - remote_machine)); - return NT_STATUS_NO_LOGON_SERVERS; - } - /* TODO: Send a SAMLOGON request to determine whether this is a valid logonserver. We can avoid a 30-second timeout if the DC is down if the SAMLOGON request fails as it is only over UDP. */ @@ -164,14 +63,13 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA. */ - *retry = True; - - if (!grab_server_mutex(server)) + if (!grab_server_mutex(dc_name)) return NT_STATUS_NO_LOGON_SERVERS; /* Attempt connection */ - result = cli_full_connection(cli, global_myname(), remote_machine, - &dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry); + *retry = True; + result = cli_full_connection(cli, global_myname(), dc_name, &dc_ip, 0, + "IPC$", "IPC", "", "", "", 0, retry); if (!NT_STATUS_IS_OK(result)) { /* map to something more useful */ @@ -198,7 +96,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, if(cli_nt_session_open(*cli, PI_NETLOGON) == False) { DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); +machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); cli_nt_session_close(*cli); cli_ulogoff(*cli); cli_shutdown(*cli); @@ -217,7 +115,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine \ -%s. Error was : %s.\n", remote_machine, nt_errstr(result))); +%s. Error was : %s.\n", dc_name, nt_errstr(result))); cli_nt_session_close(*cli); cli_ulogoff(*cli); cli_shutdown(*cli); @@ -231,61 +129,6 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); } /*********************************************************************** - Utility function to attempt a connection to an IP address of a DC. -************************************************************************/ - -static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, - const char *domain, - struct in_addr *ip, - const char *setup_creds_as, - uint16 sec_chan, - const unsigned char *trust_passwd) -{ - NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - BOOL retry = True; - fstring dc_name; - int i; - - /* - * Ignore addresses we have already tried. - */ - - if (is_zero_ip(*ip)) - return NT_STATUS_NO_LOGON_SERVERS; - - if ( !name_status_find( domain, 0x1b, 0x20, *ip, dc_name) ) - return NT_STATUS_NO_LOGON_SERVERS; - - for (i = 0; (!NT_STATUS_IS_OK(ret)) && retry && (i < 3); i++) - ret = connect_to_domain_password_server(cli, dc_name, setup_creds_as, - sec_chan, trust_passwd, &retry); - return ret; -} - -/*********************************************************************** - We have been asked to dynamically determine the IP addresses of - the PDC and BDC's for DOMAIN, and query them in turn. -************************************************************************/ -static NTSTATUS find_connect_dc(struct cli_state **cli, - const char *domain, - const char *setup_creds_as, - uint16 sec_chan, - unsigned char *trust_passwd, - time_t last_change_time) -{ - struct in_addr dc_ip; - fstring srv_name; - - if (!rpc_dc_name(domain, srv_name, &dc_ip)) { - DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); - return NT_STATUS_NO_LOGON_SERVERS; - } - - return attempt_connect_to_dc( cli, domain, &dc_ip, setup_creds_as, - sec_chan, trust_passwd ); -} - -/*********************************************************************** Do the same as security=server, but using NT Domain calls and a session key from the machine password. If the server parameter is specified use it, otherwise figure out a server from the 'password server' param. @@ -296,15 +139,17 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, const char *domain, uchar chal[8], auth_serversupplied_info **server_info, - const char *server, const char *setup_creds_as, + const char *dc_name, struct in_addr dc_ip, + const char *setup_creds_as, uint16 sec_chan, unsigned char trust_passwd[16], time_t last_change_time) { - fstring remote_machine; NET_USER_INFO_3 info3; struct cli_state *cli = NULL; NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; + int i; + BOOL retry = True; /* * At this point, smb_apasswd points to the lanman response to @@ -314,20 +159,14 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, * see if they were valid. */ - while (!NT_STATUS_IS_OK(nt_status) && - next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { - if(lp_security() != SEC_ADS && strequal(remote_machine, "*")) { - nt_status = find_connect_dc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); - } else { - int i; - BOOL retry = True; - for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) - nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, - sec_chan, trust_passwd, &retry); - } + /* rety loop for robustness */ + + for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) { + nt_status = connect_to_domain_password_server(&cli, dc_name, dc_ip, setup_creds_as, + sec_chan, trust_passwd, &retry); } - if (!NT_STATUS_IS_OK(nt_status)) { + if ( !NT_STATUS_IS_OK(nt_status) ) { DEBUG(0,("domain_client_validate: Domain password server not available.\n")); return nt_status; } @@ -340,12 +179,13 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, */ nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx, - NULL, - user_info->smb_name.str, user_info->domain.str, - user_info->wksta_name.str, chal, - user_info->lm_resp, user_info->nt_resp, - &info3); + NULL, user_info->smb_name.str, user_info->domain.str, + user_info->wksta_name.str, chal, user_info->lm_resp, + user_info->nt_resp, &info3); + /* let go as soon as possible so we avoid any potential deadlocks + with winbind lookup up users or groups */ + release_server_mutex(); if (!NT_STATUS_IS_OK(nt_status)) { @@ -375,7 +215,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if (NT_STATUS_IS_OK(status)) { if(cli_nt_logoff(&cli, &ctr) == False) { DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); +%s to Domain controller %s. Error was %s.\n", user, domain, dc_name, cli_errstr(&cli))); nt_status = NT_STATUS_LOGON_FAILURE; } } @@ -409,6 +249,12 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, fstring dc_name; struct in_addr dc_ip; + if ( lp_server_role() != ROLE_DOMAIN_MEMBER ) { + DEBUG(0,("check_ntdomain_security: Configuration error! Cannot use " + "ntdomain auth method when not a member of a domain.\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); return NT_STATUS_INVALID_PARAMETER; @@ -422,7 +268,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, if(is_myname(user_info->domain.str)) { DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); - return NT_STATUS_LOGON_FAILURE; + return NT_STATUS_NOT_IMPLEMENTED; } /* @@ -445,15 +291,18 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, } } - if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { + /* we need our DC to send the net_sam_logon() request to */ + + if ( !get_dc_name(domain, dc_name, &dc_ip) ) { DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", user_info->domain.str)); return NT_STATUS_NO_LOGON_SERVERS; } nt_status = domain_client_validate(mem_ctx, user_info, domain, - (uchar *)auth_context->challenge.data, - server_info, dc_name, global_myname(), sec_channel_type,trust_passwd, last_change_time); + (uchar *)auth_context->challenge.data, server_info, dc_name, dc_ip, + global_myname(), sec_channel_type,trust_passwd, last_change_time); + return nt_status; } @@ -494,28 +343,19 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } /* - * Check that the requested domain is not our own machine name. - * If it is, we should never check the PDC here, we use our own local - * password file. - */ - - if(is_myname(user_info->domain.str)) { - DEBUG(3,("check_trustdomain_security: Requested domain was for this machine.\n")); - return NT_STATUS_LOGON_FAILURE; - } - - /* - * Check that the requested domain is not our own domain, - * If it is, we should use our own local password file. + * Check that the requested domain is not our own machine name or domain name. */ - if(strequal(lp_workgroup(), (user_info->domain.str))) { - DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n")); + if( is_myname(user_info->domain.str) || strequal(lp_workgroup(), user_info->domain.str) ) { + DEBUG(3,("check_trustdomain_security: Requested domain [%s] was for this machine.\n", + user_info->domain.str)); return NT_STATUS_NOT_IMPLEMENTED; } - /* no point is bothering if this is not a trusted domain */ - /* this return makes "map to guest = bad user" work again */ + /* No point is bothering if this is not a trusted domain. + This return makes "map to guest = bad user" work again. + The logic is that if we know nothing about the domain, that + user is known to us and does not exist */ if ( !is_trusted_domain( user_info->domain.str ) ) return NT_STATUS_NO_SUCH_USER; @@ -545,16 +385,18 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } #endif - if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { + /* use get_dc_name() for consistency even through we know that it will be + a netbios name */ + + if ( !get_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", user_info->domain.str)); return NT_STATUS_NO_LOGON_SERVERS; } nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str, - (uchar *)auth_context->challenge.data, - server_info, dc_name, lp_workgroup(), - SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); + (uchar *)auth_context->challenge.data, server_info, dc_name, dc_ip, + lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); return nt_status; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1538fc50a1..30510c1bfa 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -216,6 +216,9 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, /* do what win2k does. Always map unknown domains to our own and let the "passdb backend" handle unknown users */ + /* FIXME!!!! grr...this is a broken check currently since is_trusted_domain() + is useless without winbindd --jerry */ + if ( !is_trusted_domain(domain) ) domain = get_global_sam_name(); @@ -869,10 +872,12 @@ static NTSTATUS fill_sam_account(const char *domain, passwd = Get_Pwnam(dom_user); - if ( (passwd == NULL) && is_myworkgroup(domain) ) { - /* For our own domain also try unqualified */ + /* if the lookup for DOMAIN\username failed, try again + with just 'username'. This is need for accessing the server + as a trust user that actually maps to a local account */ + + if ( !passwd ) passwd = Get_Pwnam(username); - } if (passwd == NULL) return NT_STATUS_NO_SUCH_USER; diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c index fc383d9a6b..8bfb00b9ad 100644 --- a/source3/libsmb/namequery_dc.c +++ b/source3/libsmb/namequery_dc.c @@ -5,6 +5,7 @@ Copyright (C) Tim Potter 2001 Copyright (C) Andrew Bartlett 2002 + Copyright (C) Gerald Carter 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -24,12 +25,54 @@ #include "includes.h" +/************************************************************************** + Find the name and IP address for a server in he realm/domain + *************************************************************************/ + +static BOOL ads_dc_name(const char *domain, struct in_addr *dc_ip, fstring srv_name) +{ + ADS_STRUCT *ads; + const char *realm = domain; + + if (strcasecmp(realm, lp_workgroup()) == 0) + realm = lp_realm(); + + ads = ads_init(realm, domain, NULL); + if (!ads) + return False; + + /* we don't need to bind, just connect */ + ads->auth.flags |= ADS_AUTH_NO_BIND; + + DEBUG(4,("ads_dc_name: domain=%s\n", domain)); + +#ifdef HAVE_ADS + /* a full ads_connect() is actually overkill, as we don't srictly need + to do the SASL auth in order to get the info we need, but libads + doesn't offer a better way right now */ + ads_connect(ads); +#endif + + if (!ads->config.realm) + return False; + + fstrcpy(srv_name, ads->config.ldap_server_name); + strupper(srv_name); + *dc_ip = ads->ldap_ip; + ads_destroy(&ads); + + DEBUG(4,("ads_dc_name: using server='%s' IP=%s\n", + srv_name, inet_ntoa(*dc_ip))); + + return True; +} + /**************************************************************************** Utility function to return the name of a DC. The name is guaranteed to be valid since we have already done a name_status_find on it ***************************************************************************/ -BOOL rpc_dc_name(const char *domain, fstring srv_name, struct in_addr *ip_out) +static BOOL rpc_dc_name(const char *domain, fstring srv_name, struct in_addr *ip_out) { struct ip_service *ip_list = NULL; struct in_addr dc_ip, exclude_ip; @@ -109,3 +152,29 @@ BOOL rpc_dc_name(const char *domain, fstring srv_name, struct in_addr *ip_out) return True; } + +/********************************************************************** + wrapper around ads and rpc methods of finds DC's +**********************************************************************/ + +BOOL get_dc_name(const char *domain, fstring srv_name, struct in_addr *ip_out) +{ + struct in_addr dc_ip; + BOOL ret; + + zero_ip(&dc_ip); + + ret = False; + if (lp_security() == SEC_ADS) + ret = ads_dc_name(domain, &dc_ip, srv_name); + + if (!ret) { + /* fall back on rpc methods if the ADS methods fail */ + ret = rpc_dc_name(domain, srv_name, &dc_ip); + } + + *ip_out = dc_ip; + + return ret; +} + diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index e0c5e79595..569b0521be 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -153,8 +153,16 @@ BOOL is_trusted_domain(const char* dom_name) /* * Query the trustdom_cache updated periodically. The only * way for domain member server. + * + * Sure...it's all fun and games until someone gets hurt... + * This call cannot work without winbindd running since it + * is the only process updating the cache currently. + * + * FIXME!!! make this always true for now until I figure + * out what to do --jerry */ - if (trustdom_cache_fetch(dom_name, &trustdom_sid)) { + + if (True || trustdom_cache_fetch(dom_name, &trustdom_sid)) { return True; } diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index 0cb0f0cb99..7f35167778 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c @@ -76,72 +76,6 @@ struct winbindd_cm_conn { static struct winbindd_cm_conn *cm_conns = NULL; -/* - find the DC for a domain using methods appropriate for a ADS domain -*/ -static BOOL ads_dc_name(const char *domain, struct in_addr *dc_ip, fstring srv_name) -{ - ADS_STRUCT *ads; - const char *realm = domain; - - if (strcasecmp(realm, lp_workgroup()) == 0) - realm = lp_realm(); - - ads = ads_init(realm, domain, NULL); - if (!ads) - return False; - - /* we don't need to bind, just connect */ - ads->auth.flags |= ADS_AUTH_NO_BIND; - - DEBUG(4,("ads_dc_name: domain=%s\n", domain)); - -#ifdef HAVE_ADS - /* a full ads_connect() is actually overkill, as we don't srictly need - to do the SASL auth in order to get the info we need, but libads - doesn't offer a better way right now */ - ads_connect(ads); -#endif - - if (!ads->config.realm) - return False; - - fstrcpy(srv_name, ads->config.ldap_server_name); - strupper(srv_name); - *dc_ip = ads->ldap_ip; - ads_destroy(&ads); - - DEBUG(4,("ads_dc_name: using server='%s' IP=%s\n", - srv_name, inet_ntoa(*dc_ip))); - - return True; -} - -/********************************************************************** - wrapper around ads and rpc methods of finds DC's -**********************************************************************/ - -static BOOL cm_get_dc_name(const char *domain, fstring srv_name, - struct in_addr *ip_out) -{ - struct in_addr dc_ip; - BOOL ret; - - zero_ip(&dc_ip); - - ret = False; - if (lp_security() == SEC_ADS) - ret = ads_dc_name(domain, &dc_ip, srv_name); - - if (!ret) { - /* fall back on rpc methods if the ADS methods fail */ - ret = rpc_dc_name(domain, srv_name, &dc_ip); - } - - *ip_out = dc_ip; - - return ret; -} /* Choose between anonymous or authenticated connections. We need to use an authenticated connection if DCs have the RestrictAnonymous registry @@ -192,10 +126,10 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index, fstrcpy(new_conn->domain, domain); fstrcpy(new_conn->pipe_name, get_pipe_name_from_index(pipe_index)); - /* connection failure cache has been moved inside of rpc_dc_name + /* connection failure cache has been moved inside of get_dc_name so we can deal with half dead DC's --jerry */ - if (!cm_get_dc_name(domain, new_conn->controller, &dc_ip)) { + if (!get_dc_name(domain, new_conn->controller, &dc_ip)) { result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; add_failed_connection_entry(domain, "", result); return result; diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index ac3875e181..ee8ce64cf5 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -29,10 +29,13 @@ const char *get_global_sam_name(void) { - if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) { - return lp_workgroup(); - } - return global_myname(); + /* standalone servers can only use the local netbios name */ + if ( lp_server_role() == ROLE_STANDALONE ) + return global_myname(); + + /* Windows domain members default to the DOMAIN + name when not specified */ + return lp_workgroup(); } /************************************************************ diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 738ededde1..fa19708773 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -524,6 +524,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * auth_serversupplied_info *server_info = NULL; extern userdom_struct current_user_info; SAM_ACCOUNT *sampw; + struct auth_context *auth_context = NULL; usr_info = (NET_USER_INFO_3 *)talloc(p->mem_ctx, sizeof(NET_USER_INFO_3)); if (!usr_info) @@ -598,10 +599,11 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * DEBUG(5,("Attempting validation level %d for unmapped username %s.\n", q_u->sam_id.ctr->switch_value, nt_username)); + status = NT_STATUS_OK; + switch (ctr->switch_value) { case NET_LOGON_TYPE: { - struct auth_context *auth_context = NULL; if (!NT_STATUS_IS_OK(status = make_auth_context_fixed(&auth_context, ctr->auth.id2.lm_chal))) { return status; } @@ -615,11 +617,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * ctr->auth.id2.nt_chal_resp.buffer, ctr->auth.id2.nt_chal_resp.str_str_len)) { status = NT_STATUS_NO_MEMORY; - } else { - status = auth_context->check_ntlm_password(auth_context, user_info, &server_info); - } - (auth_context->free)(&auth_context); - + } break; } case INTERACTIVE_LOGON_TYPE: @@ -628,8 +626,8 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * convert this to chellange/responce for the auth subsystem to chew on */ { - struct auth_context *auth_context = NULL; const uint8 *chal; + if (!NT_STATUS_IS_OK(status = make_auth_context_subsystem(&auth_context))) { return status; } @@ -643,14 +641,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * ctr->auth.id1.nt_owf.data, p->dc.sess_key)) { status = NT_STATUS_NO_MEMORY; - } else { - become_root(); - status = auth_context->check_ntlm_password(auth_context, user_info, &server_info); - unbecome_root(); } - - (auth_context->free)(&auth_context); - break; } default: @@ -658,6 +649,14 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * return NT_STATUS_INVALID_INFO_CLASS; } /* end switch */ + if ( NT_STATUS_IS_OK(status) ) { + become_root(); + status = auth_context->check_ntlm_password(auth_context, + user_info, &server_info); + unbecome_root(); + } + + (auth_context->free)(&auth_context); free_user_info(&user_info); DEBUG(5, ("_net_sam_logon: check_password returned status %s\n", |