From 2de232ae2a187941f8114ff0948ca50082007761 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 10 Nov 2011 17:41:28 +1100 Subject: s3-nmbd Remove AD netlogon response from s3 nmbd server I do not want users with misconfigurations to have nmbd respond with this partially correct packet. For example, it hardcodes the site as Default-First-Site-Name. If nmbd wishes to return this information, it would need to query the AD database using the same APIs that the source4/ nbt server does. Andrew Bartlett Autobuild-User: Andrew Bartlett Autobuild-Date: Thu Nov 17 02:10:54 CET 2011 on sn-devel-104 --- source3/nmbd/nmbd_processlogon.c | 107 ++++++--------------------------------- 1 file changed, 15 insertions(+), 92 deletions(-) (limited to 'source3/nmbd') diff --git a/source3/nmbd/nmbd_processlogon.c b/source3/nmbd/nmbd_processlogon.c index 4fe5d0ee87..76864e640e 100644 --- a/source3/nmbd/nmbd_processlogon.c +++ b/source3/nmbd/nmbd_processlogon.c @@ -455,6 +455,7 @@ logons are not enabled.\n", inet_ntoa(p->ip) )); bool user_unknown = false; struct netlogon_samlogon_response samlogon; + struct NETLOGON_SAM_LOGON_RESPONSE_NT40 nt4; if (global_nmbd_proxy_logon) { nmbd_proxy_logon(global_nmbd_proxy_logon, @@ -482,99 +483,21 @@ logons are not enabled.\n", inet_ntoa(p->ip) )); user_unknown = true; } - /* we want the simple version unless we are an ADS PDC..which means */ - /* never, at least for now */ - - if ((request.req.logon.nt_version < (NETLOGON_NT_VERSION_1 | NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX_WITH_IP)) || - (SEC_ADS != lp_security()) || (ROLE_DOMAIN_PDC != lp_server_role())) { - - struct NETLOGON_SAM_LOGON_RESPONSE_NT40 nt4; - - nt4.command = user_unknown ? LOGON_SAM_LOGON_USER_UNKNOWN : - LOGON_SAM_LOGON_RESPONSE; - nt4.pdc_name = pdc_name; - nt4.user_name = request.req.logon.user_name; - nt4.domain_name = lp_workgroup(); - nt4.nt_version = NETLOGON_NT_VERSION_1; - nt4.lmnt_token = 0xffff; - nt4.lm20_token = 0xffff; - - samlogon.ntver = NETLOGON_NT_VERSION_1; - samlogon.data.nt4 = nt4; - - if (DEBUGLEVEL >= 10) { - NDR_PRINT_DEBUG(NETLOGON_SAM_LOGON_RESPONSE_NT40, &nt4); - } - } -#ifdef HAVE_ADS - else { - - struct NETLOGON_SAM_LOGON_RESPONSE_EX nt5_ex; - struct GUID domain_guid; - struct nbt_sockaddr saddr; - char *domain; - const char *hostname; - - saddr.sockaddr_family = 2; /* AF_INET */ - saddr.pdc_ip = inet_ntoa(ip); - saddr.remaining = data_blob_talloc_zero(talloc_tos(), 8); /* ??? */ - - domain = get_mydnsdomname(talloc_tos()); - if (!domain) { - DEBUG(2,("get_mydnsdomname failed.\n")); - return; - } - - hostname = get_mydnsfullname(); - if (!hostname) { - DEBUG(2,("get_mydnsfullname failed.\n")); - return; - } - - if (!secrets_fetch_domain_guid(domain, &domain_guid)) { - DEBUG(2,("Could not fetch DomainGUID for %s\n", domain)); - return; - } - - nt5_ex.command = user_unknown ? LOGON_SAM_LOGON_USER_UNKNOWN_EX : - LOGON_SAM_LOGON_RESPONSE_EX; - nt5_ex.sbz = 0; - nt5_ex.server_type = NBT_SERVER_PDC | - NBT_SERVER_GC | - NBT_SERVER_LDAP | - NBT_SERVER_DS | - NBT_SERVER_KDC | - NBT_SERVER_TIMESERV | - NBT_SERVER_CLOSEST | - NBT_SERVER_WRITABLE; - nt5_ex.domain_uuid = domain_guid; - nt5_ex.forest = domain; - nt5_ex.dns_domain = domain; - nt5_ex.pdc_dns_name = hostname; - nt5_ex.domain_name = lp_workgroup(); - nt5_ex.pdc_name = lp_netbios_name(); - nt5_ex.user_name = request.req.logon.user_name; - nt5_ex.server_site = "Default-First-Site-Name"; - nt5_ex.client_site = "Default-First-Site-Name"; - nt5_ex.sockaddr_size = 0x10; /* the w32 winsock addr size */ - nt5_ex.sockaddr = saddr; - nt5_ex.next_closest_site= NULL; - nt5_ex.nt_version = NETLOGON_NT_VERSION_1 | - NETLOGON_NT_VERSION_5EX | - NETLOGON_NT_VERSION_5EX_WITH_IP; - nt5_ex.lmnt_token = 0xffff; - nt5_ex.lm20_token = 0xffff; - - samlogon.ntver = NETLOGON_NT_VERSION_1 | - NETLOGON_NT_VERSION_5EX | - NETLOGON_NT_VERSION_5EX_WITH_IP; - samlogon.data.nt5_ex = nt5_ex; - - if (DEBUGLEVEL >= 10) { - NDR_PRINT_DEBUG(NETLOGON_SAM_LOGON_RESPONSE_EX, &nt5_ex); - } + nt4.command = user_unknown ? LOGON_SAM_LOGON_USER_UNKNOWN : + LOGON_SAM_LOGON_RESPONSE; + nt4.pdc_name = pdc_name; + nt4.user_name = request.req.logon.user_name; + nt4.domain_name = lp_workgroup(); + nt4.nt_version = NETLOGON_NT_VERSION_1; + nt4.lmnt_token = 0xffff; + nt4.lm20_token = 0xffff; + + samlogon.ntver = NETLOGON_NT_VERSION_1; + samlogon.data.nt4 = nt4; + + if (DEBUGLEVEL >= 10) { + NDR_PRINT_DEBUG(NETLOGON_SAM_LOGON_RESPONSE_NT40, &nt4); } -#endif /* HAVE_ADS */ response.response_type = NETLOGON_SAMLOGON; response.data.samlogon = samlogon; -- cgit