The Samba-Bugzilla – Attachment 16707 Details for
Bug 14772
netr_LogonSamLogon(NetlogonNetworkInformation) fails against a real NT4 sp6a DC
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Backport to 4.9
tmp49.diff.txt (text/plain), 5.62 KB, created by
Stefan Metzmacher
on 2021-08-02 15:11:47 UTC
(
hide
)
Description:
Backport to 4.9
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2021-08-02 15:11:47 UTC
Size:
5.62 KB
patch
obsolete
>From 672488bdd19fe67ccc8df71e59dda05fe0a83cf9 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 2 Aug 2021 14:17:47 +0200 >Subject: [PATCH] winbindd_pam: add NT4 DC handling into > winbind_samlogon_retry_loop() > >Handle the case where a NT4 DC does not fill in the acct_flags in >the samlogon reply info3. Yes, in 2021, there are still admins >arround with real NT4 DCs. > >NT4 DCs reject authentication with workstation accounts with >NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, even if >MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT is specified. > >We no longer call dcerpc_samr_QueryUserInfo(level=16) >to get the acct_flags, as we only ever got >ACB_NORMAL back (maybe with ACB_PWNOEXP in addition), >which is easy to calculate on our own. >This was removed in commit (for 4.15.0rc1): > > commit 73528f26eea24033a7093e5591b8f89ad2b8644e > Author: Ralph Boehme <slow@samba.org> > AuthorDate: Mon Jan 11 14:59:46 2021 +0100 > Commit: Jeremy Allison <jra@samba.org> > CommitDate: Thu Jan 21 22:56:20 2021 +0000 > > winbind: remove legacy flags fallback > > Some very old NT4 DCs might have not returned the account flags filled in. This > shouldn't be a problem anymore. Additionally, on a typical domain member server, > this request is (and can only be) send to the primary domain, so this will not > work with accounts from trusted domains. > > Signed-off-by: Ralph Boehme <slow@samba.org> > Reviewed-by: Jeremy Allison <jra@samba.org> > > Autobuild-User(master): Jeremy Allison <jra@samba.org> > Autobuild-Date(master): Thu Jan 21 22:56:20 UTC 2021 on sn-devel-184 > >It means one more caller of the problematic cm_connect_sam() >function is removed! SAMR connections may not be allowed for >machine accounts with modern AD DCs. > >For network logons NT4 DCs also skip the >account_name, so we have to fallback to the >one given by the client. We have code to cope >with that deeply hidden inside of netsamlogon_cache_store(). > >Up to Samba 4.7 netsamlogon_cache_store() operated on the >info3 structure that was passed to the caller of winbind_dual_SamLogon() >and pass propagated up to auth_winbind in smbd. > >But for Samba 4.8 the following commit: > > commit f153c95176b7759e10996b24b66d9917945372ed > Author: Ralph Boehme <slow@samba.org> > Date: Mon Dec 11 16:25:35 2017 +0100 > > winbindd: let winbind_dual_SamLogon return validation > > Signed-off-by: Ralph Boehme <slow@samba.org> > Reviewed-by: Stefan Metzmacher <metze@samba.org> > >actually changed the situation and only a temporary info3 structure >was passed into netsamlogon_cache_store(), which means >account_name was NULL and get propagated as "" into auth_winbind >in smbd, where getpwnam() is no longer possible and every >smb access gets NT_STATUS_LOGON_FAILURE. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14772 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/winbindd/winbindd_pam.c | 65 +++++++++++++++++++++++++++++++++ > 1 file changed, 65 insertions(+) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index 14b4ec1c2bea..fc194b8b8b41 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -1475,6 +1475,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain, > enum netr_LogonInfoClass logon_type_n; > uint16_t validation_level = UINT16_MAX; > union netr_Validation *validation = NULL; >+ TALLOC_CTX *base_ctx = NULL; >+ struct netr_SamBaseInfo *base_info = NULL; > > do { > struct rpc_pipe_client *netlogon_pipe; >@@ -1718,6 +1720,69 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain, > return result; > } > >+ switch (validation_level) { >+ case 3: >+ base_ctx = validation->sam3; >+ base_info = &validation->sam3->base; >+ break; >+ case 6: >+ base_ctx = validation->sam6; >+ base_info = &validation->sam6->base; >+ break; >+ default: >+ smb_panic(__location__); >+ } >+ >+ if (base_info->acct_flags == 0 || base_info->account_name.string == NULL) { >+ struct dom_sid user_sid; >+ struct dom_sid_buf sid_buf; >+ const char *acct_flags_src = "server"; >+ const char *acct_name_src = "server"; >+ >+ /* >+ * Handle the case where a NT4 DC does not fill in the acct_flags in >+ * the samlogon reply info3. Yes, in 2021, there are still admins >+ * arround with real NT4 DCs. >+ * >+ * We used to call dcerpc_samr_QueryUserInfo(level=16) to fetch >+ * acct_flags, but as NT4 DCs reject authentication with workstation >+ * accounts with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, even if >+ * MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT is specified, we only ever got >+ * ACB_NORMAL back (maybe with ACB_PWNOEXP in addition). >+ * >+ * For network logons NT4 DCs also skip the >+ * account_name, so we have to fallback to the >+ * one given by the client. >+ */ >+ >+ if (base_info->acct_flags == 0) { >+ base_info->acct_flags = ACB_NORMAL; >+ if (base_info->force_password_change == INT64_MAX) { >+ base_info->acct_flags |= ACB_PWNOEXP; >+ } >+ acct_flags_src = "calculated"; >+ } >+ >+ if (base_info->account_name.string == NULL) { >+ base_info->account_name.string = talloc_strdup(base_ctx, >+ username); >+ if (base_info->account_name.string == NULL) { >+ TALLOC_FREE(validation); >+ return NT_STATUS_NO_MEMORY; >+ } >+ acct_name_src = "client"; >+ } >+ >+ sid_compose(&user_sid, base_info->domain_sid, base_info->rid); >+ >+ DBG_DEBUG("Fallback to %s_acct_flags[0x%x] %s_acct_name[%s] for %s\n", >+ acct_flags_src, >+ base_info->acct_flags, >+ acct_name_src, >+ base_info->account_name.string, >+ dom_sid_str_buf(&user_sid, &sid_buf)); >+ } >+ > *_validation_level = validation_level; > *_validation = validation; > return NT_STATUS_OK; >-- >2.25.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=16707">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 14772
: 16707