From 8c3ea92776009d63d820994e530d273e927f356f Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Mon, 27 Nov 2017 15:28:38 +0100
Subject: [PATCH 1/2] winbindd: restore SEC_CHAN_NULL fallback in cm_connect_netlogon_transport

This partially reverts commit d7e31d9f4d9ce7395e458ac341dd83ac06255a20 "winbindd: Use rpccli_connect_netlogon" and restores handling of SEC_CHAN_NULL. Without this we fail to enumerate domains in trusted forests so users from any child-domain (or tree-root) in the trusted forest can't login via eg SMB. This is a temporary hack that will go away once we get rid of the trusted domain list.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13167
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher
---
 source3/winbindd/winbindd_cm.c | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index f88c704c014..16836bd05b5 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3214,6 +3214,7 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 struct messaging_context *msg_ctx = server_messaging_context();
 struct winbindd_cm_conn *conn;
 NTSTATUS result;
+ enum netr_SchannelType sec_chan_type;
 struct cli_credentials *creds = NULL;
 
 *cli = NULL;
@@ -3241,6 +3242,41 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 }
 
+ if (cli_credentials_is_anonymous(creds)) {
+ DBG_WARNING("get_trust_credential only gave anonymous for %s, "
+ "unable to make get NETLOGON credentials\n",
+ domain->name);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ sec_chan_type = cli_credentials_get_secure_channel_type(creds);
+ if (sec_chan_type == SEC_CHAN_NULL) {
+ if (transport == NCACN_IP_TCP) {
+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
+ "for %s, deny NCACN_IP_TCP and let the "
+ "caller fallback to NCACN_NP.\n",
+ domain->name);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, "
+ "fallback to noauth on NCACN_NP.\n",
+ domain->name);
+
+ result = cli_rpc_pipe_open_noauth_transport(
+ conn->cli,
+ transport,
+ &ndr_table_netlogon,
+ &conn->netlogon_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
+ invalidate_cm_connection(domain);
+ return result;
+ }
+
+ *cli = conn->netlogon_pipe;
+ return NT_STATUS_OK;
+ }
+
 result = rpccli_create_netlogon_creds_ctx(creds,
 domain->dcname,
 msg_ctx,
-- 
2.13.6

From b1facdab329d16ab03ec9077f2e1a3bf0e4c7ceb Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Sun, 26 Nov 2017 19:04:19 +0100
Subject: [PATCH 2/2] s3/cli_netlogon: remove SEC_CHAN_NULL fallback from rpccli_connect_netlogon()

The caller should handle secure-channel-type SEC_CHAN_NULL. The previous commit already added handling of SEC_CHAN_NULL to cm_connect_netlogon_transport.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13167
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher
---
 source3/rpc_client/cli_netlogon.c | 38 ++++++++------------------------------
 1 file changed, 8 insertions(+), 30 deletions(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index a7676efb055..a67b6928ebf 100644
--- a/source3/rpc_client/cli_netlogon.c
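Review bot: The SEC_CHAN_NULL branch opens the NETLOGON pipe with `cli_rpc_pipe_open_noauth_transport` and hands it back through `*cli` exactly like the schannel-protected pipe the rest of the function produces, so callers cannot tell that this one is unauthenticated and carries no schannel integrity. A comment above the fallback should say so, e.g. `/* No trust secret for this domain: unauthenticated NCACN_NP pipe with no schannel protection; only meant for the trusted-domain enumeration this fallback restores. */`, and the function's header comment should mention that the returned pipe may be unprotected when the trust credentials are SEC_CHAN_NULL. The warning text in the anonymous check above has a typo and should read `"unable to get NETLOGON credentials\n"` rather than `"unable to make get NETLOGON credentials\n"`. `conn->cli` and `conn->netlogon_pipe` rely on `conn` having been set up earlier in cm_connect_netlogon_transport, which begins and ends outside this hunk.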
+++ b/source3/rpc_client/cli_netlogon.c
@@ -285,7 +285,7 @@ NTSTATUS rpccli_connect_netlogon(
 struct netlogon_creds_CredentialState *creds = NULL;
 enum netlogon_creds_cli_lck_type lck_type;
 enum netr_SchannelType sec_chan_type;
- struct netlogon_creds_cli_lck *lck;
+ struct netlogon_creds_cli_lck *lck = NULL;
 uint32_t negotiate_flags;
 uint8_t found_session_key[16] = {0};
 bool found_existing_creds = false;
@@ -294,6 +294,13 @@ NTSTATUS rpccli_connect_netlogon(
 NTSTATUS status;
 bool retry = false;
 
+ sec_chan_type = cli_credentials_get_secure_channel_type(trust_creds);
+ if (sec_chan_type == SEC_CHAN_NULL) {
+ DBG_ERR("secure_channel_type gave SEC_CHAN_NULL\n");
+ status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ goto fail;
+ }
+
 again:
 
 /*
@@ -378,35 +385,6 @@ again:
 goto fail;
 }
 
- sec_chan_type = cli_credentials_get_secure_channel_type(trust_creds);
- if (sec_chan_type == SEC_CHAN_NULL) {
- if (transport == NCACN_IP_TCP) {
- DBG_NOTICE("secure_channel_type gave SEC_CHAN_NULL "
- "for %s, deny NCACN_IP_TCP and let the "
- "caller fallback to NCACN_NP.\n",
- netlogon_creds_cli_debug_string(
- creds_ctx, frame));
- status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- goto fail;
- }
-
- DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
- "for %s, fallback to noauth on NCACN_NP.\n",
- netlogon_creds_cli_debug_string(
- creds_ctx, frame));
-
- TALLOC_FREE(lck);
-
- status = cli_rpc_pipe_open_noauth_transport(
- cli, transport, &ndr_table_netlogon, &rpccli);
- if (!NT_STATUS_IS_OK(status)) {
- DBG_DEBUG("cli_rpc_pipe_open_noauth_transport "
- "failed: %s\n", nt_errstr(status));
- goto fail;
- }
- goto done;
- }
-
 status = rpccli_setup_netlogon_creds_locked(
 cli, transport, creds_ctx, true, trust_creds,
 &negotiate_flags);
-- 
2.13.6
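Review bot: The new early check in the `@@ -294` hunk logs `DBG_ERR("secure_channel_type gave SEC_CHAN_NULL\n")` with nothing identifying the credentials or domain, while the messages removed further down carried `netlogon_creds_cli_debug_string(creds_ctx, frame)`; since this is now an error-level fail-closed path I would keep that context, e.g. `DBG_ERR("secure_channel_type gave SEC_CHAN_NULL for %s\n", netlogon_creds_cli_debug_string(creds_ctx, frame));`, provided `frame` is already allocated at this point (its setup is outside the hunk). The `goto fail` now runs before `lck` is ever assigned, which is what the `lck = NULL` initialisation in the `@@ -285` hunk is for — the two hunks only make sense together and should not be backported separately. The function's header comment should also state that SEC_CHAN_NULL trust credentials are rejected here and that a caller wanting an unauthenticated fallback must implement and document it itself, as the commit message says. rpccli_connect_netlogon begins and ends outside these hunks.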