The Samba-Bugzilla – Attachment 13822 Details for
Bug 13167
Can't authenticate user from child-domain of trusted forest
[patch]
Patch that went into master
bug13167-master.patch (text/plain), 5.27 KB, created by
Ralph Böhme
on 2017-11-29 15:09:15 UTC
>From 8c3ea92776009d63d820994e530d273e927f356f Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Mon, 27 Nov 2017 15:28:38 +0100 >Subject: [PATCH 1/2] winbindd: restore SEC_CHAN_NULL fallback in > cm_connect_netlogon_transport > >This partially reverts commit d7e31d9f4d9ce7395e458ac341dd83ac06255a20 >"winbindd: Use rpccli_connect_netlogon" and restores handling of SEC_CHAN_NULL. > >Without this we fail to enumerate domains in trusted forests so users >from any child-domain (or tree-root) in the trusted forest can't login >via eg SMB. > >This is a temporary hack that will go away once we get rid of the trusted domain >list. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13167 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >--- > source3/winbindd/winbindd_cm.c | 36 ++++++++++++++++++++++++++++++++++++ > 1 file changed, 36 insertions(+) > >diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c >index f88c704c014..16836bd05b5 100644 >--- a/source3/winbindd/winbindd_cm.c >+++ b/source3/winbindd/winbindd_cm.c >@@ -3214,6 +3214,7 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, > struct messaging_context *msg_ctx = server_messaging_context(); > struct winbindd_cm_conn *conn; > NTSTATUS result; >+ enum netr_SchannelType sec_chan_type; > struct cli_credentials *creds = NULL; > > *cli = NULL; 
>@@ -3241,6 +3242,41 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, > return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; > } > >+ if (cli_credentials_is_anonymous(creds)) { >+ DBG_WARNING("get_trust_credential only gave anonymous for %s, " >+ "unable to make get NETLOGON credentials\n", >+ domain->name); >+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; >+ } >+ >+ sec_chan_type = cli_credentials_get_secure_channel_type(creds); >+ if (sec_chan_type == SEC_CHAN_NULL) { >+ if (transport == NCACN_IP_TCP) { >+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL " >+ "for %s, deny NCACN_IP_TCP and let the " >+ "caller fallback to NCACN_NP.\n", >+ domain->name); >+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; >+ } >+ >+ DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, " >+ "fallback to noauth on NCACN_NP.\n", >+ domain->name); >+ >+ result = cli_rpc_pipe_open_noauth_transport( >+ conn->cli, >+ transport, >+ &ndr_table_netlogon, >+ &conn->netlogon_pipe); >+ if (!NT_STATUS_IS_OK(result)) { >+ invalidate_cm_connection(domain); >+ return result; >+ } >+ >+ *cli = conn->netlogon_pipe; >+ return NT_STATUS_OK; >+ } >+ > result = rpccli_create_netlogon_creds_ctx(creds, > domain->dcname, > msg_ctx, >-- >2.13.6 > > >From b1facdab329d16ab03ec9077f2e1a3bf0e4c7ceb Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Sun, 26 Nov 2017 19:04:19 +0100 >Subject: [PATCH 2/2] s3/cli_netlogon: remove SEC_CHAN_NULL fallback from > rpccli_connect_netlogon() > >The caller should handle secure-channel-type SEC_CHAN_NULL. The previous >commit already added handling of SEC_CHAN_NULL to >cm_connect_netlogon_transport. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13167 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >--- > source3/rpc_client/cli_netlogon.c | 38 ++++++++------------------------------ > 1 file changed, 8 insertions(+), 30 deletions(-) 
> >diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c >index a7676efb055..a67b6928ebf 100644 >--- a/source3/rpc_client/cli_netlogon.c >+++ b/source3/rpc_client/cli_netlogon.c >@@ -285,7 +285,7 @@ NTSTATUS rpccli_connect_netlogon( > struct netlogon_creds_CredentialState *creds = NULL; > enum netlogon_creds_cli_lck_type lck_type; > enum netr_SchannelType sec_chan_type; >- struct netlogon_creds_cli_lck *lck; >+ struct netlogon_creds_cli_lck *lck = NULL; > uint32_t negotiate_flags; > uint8_t found_session_key[16] = {0}; > bool found_existing_creds = false; >@@ -294,6 +294,13 @@ NTSTATUS rpccli_connect_netlogon( > NTSTATUS status; > bool retry = false; > >+ sec_chan_type = cli_credentials_get_secure_channel_type(trust_creds); >+ if (sec_chan_type == SEC_CHAN_NULL) { >+ DBG_ERR("secure_channel_type gave SEC_CHAN_NULL\n"); >+ status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; >+ goto fail; >+ } >+ > again: > > /* >@@ -378,35 +385,6 @@ again: > goto fail; > } > >- sec_chan_type = cli_credentials_get_secure_channel_type(trust_creds); >- if (sec_chan_type == SEC_CHAN_NULL) { >- if (transport == NCACN_IP_TCP) { >- DBG_NOTICE("secure_channel_type gave SEC_CHAN_NULL " >- "for %s, deny NCACN_IP_TCP and let the " >- "caller fallback to NCACN_NP.\n", >- netlogon_creds_cli_debug_string( >- creds_ctx, frame)); >- status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; >- goto fail; >- } >- >- DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL " >- "for %s, fallback to noauth on NCACN_NP.\n", >- netlogon_creds_cli_debug_string( >- creds_ctx, frame)); >- >- TALLOC_FREE(lck); >- >- status = cli_rpc_pipe_open_noauth_transport( >- cli, transport, &ndr_table_netlogon, &rpccli); >- if (!NT_STATUS_IS_OK(status)) { >- DBG_DEBUG("cli_rpc_pipe_open_noauth_transport " >- "failed: %s\n", nt_errstr(status)); >- goto fail; >- } >- goto done; >- } >- > status = rpccli_setup_netlogon_creds_locked( > cli, transport, creds_ctx, true, trust_creds, > &negotiate_flags); >-- >2.13.6 >
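Review bot: In the second winbindd_cm.c hunk (@@ -3241,6 +3242,41 @@), the SEC_CHAN_NULL branch opens the netlogon pipe with cli_rpc_pipe_open_noauth_transport() and returns NT_STATUS_OK, but nothing in the code says this unauthenticated fallback is deliberate and temporary. The commit message calls it a temporary hack that goes away with the trusted domain list; a short comment above the branch carrying that explanation and the bug URL would keep the reason next to the code. In the same hunk, the failure path after cli_rpc_pipe_open_noauth_transport() calls invalidate_cm_connection(domain) without logging result, while the code removed from cli_netlogon.c in patch 2/2 logged nt_errstr(status) at that point; a DBG_DEBUG there would preserve that diagnostic. The DBG_WARNING text "unable to make get NETLOGON credentials" should read "unable to get NETLOGON credentials".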
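Review bot: In the cli_netlogon.c hunk at @@ -294,6 +294,13 @@, the new DBG_ERR("secure_channel_type gave SEC_CHAN_NULL\n") names no domain or server, whereas the messages removed later in this patch included netlogon_creds_cli_debug_string(creds_ctx, frame). With several trusted domains configured, the log line cannot be tied to one of them; add an identifier that is available before the again: label. Since rpccli_connect_netlogon() now rejects SEC_CHAN_NULL outright, a comment on the function should also state that callers must handle that channel type themselves.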
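Review bot: The removal at @@ -378,35 +385,6 @@ in cli_netlogon.c drops the noauth NCACN_NP fallback for every caller of rpccli_connect_netlogon(), but the series only adds replacement handling in cm_connect_netlogon_transport(). The commit message should state that no other caller depended on the fallback, or those callers need the same handling; otherwise they now receive NT_STATUS_CANT_ACCESS_DOMAIN_INFO from the early check added before the again: label.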