The Samba-Bugzilla – Attachment 13794 Details for
Bug 13149
net rpc oldjoin doesn't work anymore
[patch]
Possible patches for master
tmp.diff.txt (text/plain), 7.39 KB, created by
Stefan Metzmacher
on 2017-11-17 15:09:15 UTC
Description:
Possible patches for master
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2017-11-17 15:09:15 UTC
Size:
7.39 KB
>From db6cece45d2e197434c0ce93c9aa5cd98d51a3a4 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 17 Nov 2017 15:51:36 +0100
>Subject: [PATCH 1/2] s3:selftest: add samba3.blackbox.net_rpc_oldjoin test
>
>This demonstrates that "net rpc oldjoin" is currently broken.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13149
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> selftest/knownfail.d/oldjoin | 1 +
> source3/script/tests/test_net_rpc_oldjoin.sh | 32 ++++++++++++++++++++++++++++
> source3/selftest/tests.py | 4 ++++
> 3 files changed, 37 insertions(+)
> create mode 100644 selftest/knownfail.d/oldjoin
> create mode 100755 source3/script/tests/test_net_rpc_oldjoin.sh
>
>diff --git a/selftest/knownfail.d/oldjoin b/selftest/knownfail.d/oldjoin
>new file mode 100644
>index 0000000..86fca85
>--- /dev/null
>+++ b/selftest/knownfail.d/oldjoin
>@@ -0,0 +1 @@
>+^samba3.blackbox.net_rpc_oldjoin.net.*
>diff --git a/source3/script/tests/test_net_rpc_oldjoin.sh b/source3/script/tests/test_net_rpc_oldjoin.sh
>new file mode 100755
>index 0000000..070fcc1
>--- /dev/null
>+++ b/source3/script/tests/test_net_rpc_oldjoin.sh
>@@ -0,0 +1,32 @@
>+#!/bin/sh
>+
>+if [ $# -lt 3 ]; then
>+cat <<EOF
>+Usage: test_net_rpc_oldjoin.sh SERVER PREFIX SMB_CONF_PATH
>+EOF
>+exit 1;
>+fi
>+
>+SERVER="$1"
>+PREFIX="$2"
>+SMB_CONF_PATH="$3"
>+shift 3
>+
>+incdir=`dirname $0`/../../../testprogs/blackbox
>+. $incdir/subunit.sh
>+maccount="OLDJOINTEST"
>+privatedir="$PREFIX/private"
>+
>+UID_WRAPPER_ROOT=1
>+export UID_WRAPPER_ROOT
>+
>+OPTIONS="--configfile $SMB_CONF_PATH --option=netbiosname=$maccount --option=security=domain --option=domainlogons=no --option=privatedir=$privatedir"
>+
>+testit "mkdir -p $privatedir" mkdir -p $privatedir || failed=`expr $failed + 1`
>+testit "smbpasswd -a -m" $VALGRIND $BINDIR/smbpasswd -L -c $SMB_CONF_PATH -a -m "$maccount" || failed=`expr $failed + 1`
>+testit "net_rpc_oldjoin" $VALGRIND $BINDIR/net rpc oldjoin -S $SERVER $OPTIONS || failed=`expr $failed + 1`
>+testit "net_rpc_testjoin1" $VALGRIND $BINDIR/net rpc testjoin -S $SERVER $OPTIONS || failed=`expr $failed + 1`
>+testit "net_rpc_changetrustpw" $VALGRIND $BINDIR/net rpc changetrustpw -S $SERVER $OPTIONS || failed=`expr $failed + 1`
>+testit "net_rpc_testjoin2" $VALGRIND $BINDIR/net rpc testjoin -S $SERVER $OPTIONS || failed=`expr $failed + 1`
>+
>+testok $0 $failed
>diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
>index 5b12355..3e5cffd 100755
>--- a/source3/selftest/tests.py
>+++ b/source3/selftest/tests.py
>@@ -588,6 +588,10 @@ plantestsuite("samba3.blackbox.net_rpc_join", "nt4_dc",
> [os.path.join(samba3srcdir, "script/tests/test_net_rpc_join.sh"),
> "$USERNAME", "$PASSWORD", "$SERVER", "$PREFIX/net_rpc_join",
> configuration])
>+plantestsuite("samba3.blackbox.net_rpc_oldjoin", "nt4_dc:local",
>+ [os.path.join(samba3srcdir, "script/tests/test_net_rpc_oldjoin.sh"),
>+ "$SERVER", "$PREFIX/net_rpc_oldjoin",
>+ "$SMB_CONF_PATH"])
>
> plantestsuite("samba3.blackbox.rpcclient_srvsvc", "simpleserver",
> [os.path.join(samba3srcdir, "script/tests/test_rpcclientsrvsvc.sh"),
>--
>1.9.1
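Review bot: `failed` is incremented with `expr $failed + 1` on every `testit` line of test_net_rpc_oldjoin.sh but is never set in the script itself. Unless the sourced subunit.sh initialises it (not visible here), the first failure evaluates `expr + 1`, whose result is not portable across expr implementations, and a fully passing run calls `testok $0` with an empty second argument. Adding `failed=0` right after the `. $incdir/subunit.sh` line makes the exit status explicit. `$privatedir`, `$SMB_CONF_PATH` and `$SERVER` are also expanded unquoted where they are passed as single arguments, so a PREFIX containing whitespace would be split; `mkdir -p "$privatedir"` and `-S "$SERVER"` avoid that, while `$OPTIONS` has to stay unquoted because it relies on word splitting.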
>
>
>From b146c0c7c6d99cc30376503b8d8153d46196371e Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 16 Nov 2017 21:09:20 +0000
>Subject: [PATCH 2/2] libnet_join: fix "net rpc oldjoin"
>
>We need to open the ncacn_np (smb) transport connection with
>anonymous credentials.
>
>In order to do netr_ServerPasswordSet*() we need to
>establish a 2nd netlogon connection using dcerpc schannel
>authentication.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13149
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> selftest/knownfail.d/oldjoin | 1 -
> source3/libnet/libnet_join.c | 53 +++++++++++++++++++++++++++++++++++++-------
> 2 files changed, 45 insertions(+), 9 deletions(-)
> delete mode 100644 selftest/knownfail.d/oldjoin
>
>diff --git a/selftest/knownfail.d/oldjoin b/selftest/knownfail.d/oldjoin
>deleted file mode 100644
>index 86fca85..0000000
>--- a/selftest/knownfail.d/oldjoin
>+++ /dev/null
>@@ -1 +0,0 @@
>-^samba3.blackbox.net_rpc_oldjoin.net.*
>diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
>index eb6b894..0595cfe 100644
>--- a/source3/libnet/libnet_join.c
>+++ b/source3/libnet/libnet_join.c
>@@ -1044,12 +1044,23 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
> NTSTATUS status, result;
> union lsa_PolicyInformation *info = NULL;
> struct dcerpc_binding_handle *b;
>+ const char *account = r->in.admin_account;
>+ const char *domain = r->in.admin_domain;
>+ const char *password = r->in.admin_password;
>+ bool use_kerberos = r->in.use_kerberos;
>+
>+ if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) {
>+ account = "";
>+ domain = "";
>+ password = NULL;
>+ use_kerberos = false;
>+ }
>
> status = libnet_join_connect_dc_ipc(r->in.dc_name,
>- r->in.admin_account,
>- r->in.admin_domain,
>- r->in.admin_password,
>- r->in.use_kerberos,
>+ account,
>+ domain,
>+ password,
>+ use_kerberos,
> cli);
> if (!NT_STATUS_IS_OK(status)) {
> goto done;
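Review bot: The new `if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)` block in libnet_join_lookup_dc_rpc silently discards any caller-supplied admin credentials and passes `password = NULL` on to libnet_join_connect_dc_ipc, and nothing in the code says why. A short comment above the block would help the next reader, for example `/* oldjoin has no admin credentials: open the IPC connection anonymously; what the DC returns over it is unauthenticated */`. Whether libnet_join_connect_dc_ipc accepts a NULL password is not visible in this hunk and is worth confirming. The function body starts and ends outside the hunk.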
>@@ -1121,16 +1132,19 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> struct cli_state *cli)
> {
> TALLOC_CTX *frame = talloc_stackframe();
>- struct rpc_pipe_client *netlogon_pipe = NULL;
>+ struct rpc_pipe_client *authenticate_pipe = NULL;
>+ struct rpc_pipe_client *passwordset_pipe = NULL;
> struct cli_credentials *cli_creds;
> struct netlogon_creds_cli_context *netlogon_creds = NULL;
>+ struct netlogon_creds_CredentialState *creds = NULL;
>+ uint32_t netlogon_flags = 0;
> size_t len = 0;
> bool ok;
> DATA_BLOB new_trust_blob = data_blob_null;
> NTSTATUS status;
>
> status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
>- &netlogon_pipe);
>+ &authenticate_pipe);
> if (!NT_STATUS_IS_OK(status)) {
> TALLOC_FREE(frame);
> return status;
>@@ -1167,7 +1181,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> CRED_SPECIFIED);
>
> status = rpccli_create_netlogon_creds_ctx(
>- cli_creds, netlogon_pipe->desthost, r->in.msg_ctx,
>+ cli_creds, authenticate_pipe->desthost, r->in.msg_ctx,
> frame, &netlogon_creds);
> if (!NT_STATUS_IS_OK(status)) {
> TALLOC_FREE(frame);
>@@ -1182,6 +1196,29 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> return status;
> }
>
>+ status = netlogon_creds_cli_get(netlogon_creds, frame, &creds);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ TALLOC_FREE(frame);
>+ return status;
>+ }
>+
>+ netlogon_flags = creds->negotiate_flags;
>+ TALLOC_FREE(creds);
>+
>+ if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
>+ status = cli_rpc_pipe_open_schannel_with_creds(cli,
>+ &ndr_table_netlogon,
>+ NCACN_NP,
>+ netlogon_creds,
>+ &passwordset_pipe);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ TALLOC_FREE(frame);
>+ return status;
>+ }
>+ } else {
>+ passwordset_pipe = authenticate_pipe;
>+ }
>+
> len = strlen(r->in.machine_password);
> ok = convert_string_talloc(frame, CH_UNIX, CH_UTF16,
> r->in.machine_password, len,
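Review bot: In the `@@ -1182` hunk the `else` branch reuses `authenticate_pipe` for the password set whenever the negotiated flags lack NETLOGON_NEG_AUTHENTICATED_RPC, so netr_ServerPasswordSet then runs over the pipe opened with cli_rpc_pipe_open_noauth and nothing records that the schannel path was skipped. The flags are read back from the credential state after the authenticate step, so presumably they reflect what the server offered; the peer on an anonymous transport therefore decides whether schannel is used. I would log the fallback, e.g. `DEBUG(1, ("net rpc oldjoin: server lacks NETLOGON_NEG_AUTHENTICATED_RPC, setting password without schannel\n"));`, and add a comment stating whether this downgrade is acceptable or should fail when local policy requires schannel. The function body extends outside the hunks shown.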
>@@ -1197,7 +1234,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> }
>
> status = netlogon_creds_cli_ServerPasswordSet(netlogon_creds,
>- netlogon_pipe->binding_handle,
>+ passwordset_pipe->binding_handle,
> &new_trust_blob,
> NULL); /* new_version */
> if (!NT_STATUS_IS_OK(status)) {
>--
>1.9.1
>