From 0346e6b3f07f33ec849da28d595224b1f029f9f4 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 17 Nov 2021 11:46:04 +0100 Subject: [PATCH 01/10] testprogs: Add rpcclient schannel tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 492fd5b00fe9d62f53b96e3a7588a7f2848a571d) --- selftest/knownfail.d/rpcclient_schannel | 3 + source4/selftest/tests.py | 27 ++++++ testprogs/blackbox/test_rpcclient_schannel.sh | 94 +++++++++++++++++++ 3 files changed, 124 insertions(+) create mode 100644 selftest/knownfail.d/rpcclient_schannel create mode 100755 testprogs/blackbox/test_rpcclient_schannel.sh diff --git a/selftest/knownfail.d/rpcclient_schannel b/selftest/knownfail.d/rpcclient_schannel new file mode 100644 index 00000000000..9881cc3c0cd --- /dev/null +++ b/selftest/knownfail.d/rpcclient_schannel @@ -0,0 +1,3 @@ +^samba.blackbox.rpcclient_schannel.ncacn_np.getusername.fips\(ad_member_fips:local\) +^samba.blackbox.rpcclient_schannel.ncacn_ip_tcp.lookupsids\(ad_member:local\) +^samba.blackbox.rpcclient_schannel.ncacn_ip_tcp.lookupsids\(ad_member_fips:local\) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 616682c355f..a16b2879bd2 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -553,6 +553,33 @@ else: plantestsuite("samba.blackbox.client_kerberos", "ad_dc", [os.path.join(bbdir, "test_client_kerberos.sh"), '$DOMAIN', '$REALM', '$USERNAME', '$PASSWORD', '$SERVER', '$PREFIX_ABS', '$SMB_CONF_PATH']) +env="ad_member:local" +plantestsuite("samba.blackbox.rpcclient_schannel", + env, + [os.path.join(bbdir, "test_rpcclient_schannel.sh"), + '$DOMAIN', + '$REALM', + '$DC_USERNAME', + '$DC_PASSWORD', + '$DC_SERVER', + '$PREFIX_ABS', + '$SMB_CONF_PATH', + env]) +env="ad_member_fips:local" +plantestsuite("samba.blackbox.rpcclient_schannel", + env, + [os.path.join(bbdir, "test_rpcclient_schannel.sh"), + '$DOMAIN', + '$REALM', + '$DC_USERNAME', + '$DC_PASSWORD', + '$DC_SERVER', + '$PREFIX_ABS', + '$SMB_CONF_PATH', + env], + environ={'GNUTLS_FORCE_FIPS_MODE': '1', + 'OPENSSL_FORCE_FIPS_MODE': '1'}) + plantestsuite("samba4.blackbox.trust_ntlm", "fl2008r2dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'forest', 'auto', 'NT_STATUS_LOGON_FAILURE']) plantestsuite("samba4.blackbox.trust_ntlm", "fl2003dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'external', 'auto', 'NT_STATUS_LOGON_FAILURE']) plantestsuite("samba4.blackbox.trust_ntlm", "fl2000dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'external', 'auto', 'NT_STATUS_LOGON_FAILURE']) diff --git a/testprogs/blackbox/test_rpcclient_schannel.sh b/testprogs/blackbox/test_rpcclient_schannel.sh new file mode 100755 index 00000000000..9981d4dab5f --- /dev/null +++ b/testprogs/blackbox/test_rpcclient_schannel.sh @@ -0,0 +1,94 @@ +#!/bin/bash +# Blackbox tests rpcclient with schannel +# Copyright (c) 2021 Andreas Schneider + +if [ $# -lt 8 ]; then + cat << EOF +Usage: test_rpcclient_schannel.sh DOMAIN REALM USERNAME PASSWORD SERVER PREFIX CONFIGURATION TESTENV +EOF + exit 1 +fi + +DOMAIN=$1 +REALM=$2 +USERNAME=$3 +PASSWORD=$4 +SERVER=$5 +PREFIX=$6 +CONFIGURATION=$7 +TESTENV=$8 +shift 8 + +failed=0 + +samba_subunit_dir=$(dirname "$0") +. "${samba_subunit_dir}/subunit.sh" +. "${samba_subunit_dir}/common_test_fns.inc" + +samba_bindir="${BINDIR}" +samba_rpcclient="${samba_bindir}/rpcclient" + +test_rpc_getusername() +{ + cmd="$samba_rpcclient ncacn_np:${SERVER}[schannel] --machine-pass --configfile=${CONFIGURATION} -c getusername 2>&1" + out=$(eval "$cmd") + ret=$? + if [ $ret -ne 0 ]; then + echo "Failed to connect! Error: $ret" + echo "$out" + return 1 + fi + + echo "$out" | grep -q "Account Name: ANONYMOUS LOGON, Authority Name: NT AUTHORITY" + ret=$? + if [ $ret -ne 0 ]; then + echo "Incorrect account/authority name! Error: $ret" + echo "$out" + return 1 + fi + + return 0 +} + +test_rpc_lookupsids() +{ + cmd="$samba_rpcclient ncacn_ip_tcp:${SERVER}[schannel] --machine-pass --configfile=${CONFIGURATION} -c 'lookupsids3 S-1-1-0' 2>&1" + out=$(eval "$cmd") + ret=$? + if [ $ret -ne 0 ]; then + echo "Failed to connect! Error: $ret" + echo "$out" + return 1 + fi + + echo "$out" | grep -q "S-1-1-0 Everyone" + ret=$? + if [ $ret -ne 0 ]; then + echo "Incorrect account/authority name! Error: $ret" + echo "$out" + return 1 + fi + + return 0 +} + +testit "ncacn_np.getusername" \ + test_rpc_getusername || \ + failed=$((failed + 1)) + +if [[ "$TESTENV" == "ad_member_fips"* ]]; then + unset GNUTLS_FORCE_FIPS_MODE + + testit "ncacn_np.getusername.fips" \ + test_rpc_getusername || \ + failed=$((failed + 1)) + + GNUTLS_FORCE_FIPS_MODE=1 + export GNUTLS_FORCE_FIPS_MODE +fi + +testit "ncacn_ip_tcp.lookupsids" \ + test_rpc_lookupsids || \ + failed=$((failed + 1)) + +exit ${failed} -- 2.34.1 From bf3e6a240aea02f4b3528220199cb90b661e435a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 18 Nov 2021 11:14:16 +0100 Subject: [PATCH 02/10] s3:rpc_client: Remove trailing white spaces from cli_pipe.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit b3bf5bbaf81de369c8f9415d903816a2d7424ffc) --- source3/rpc_client/cli_pipe.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 4ed74ae52b0..21e86066dd3 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -3163,7 +3163,7 @@ static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_r * assignments of cli, which invalidates the data in the returned * rpc_pipe_client if this function is called before the structure assignment * of cli. - * + * ****************************************************************************/ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli, -- 2.34.1 From 291445d7580d3db1c7041e0f778f4111911c2e5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 18 Nov 2021 11:18:59 +0100 Subject: [PATCH 03/10] s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 016429acaf76bde53bd4ab81b48be23c2bcc28e3) --- source3/rpc_client/cli_pipe.c | 38 +++++++++++++++++++++++++++++------ 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 21e86066dd3..cce7b3c7b6f 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -3241,13 +3241,15 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli, static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli, enum dcerpc_transport_t transport, const struct ndr_interface_table *table, + const char *remote_name, + const struct sockaddr_storage *remote_sockaddr, struct rpc_pipe_client **presult) { switch (transport) { case NCACN_IP_TCP: return rpc_pipe_open_tcp(NULL, - smbXcli_conn_remote_name(cli->conn), - smbXcli_conn_remote_sockaddr(cli->conn), + remote_name, + remote_sockaddr, table, presult); case NCACN_NP: return rpc_pipe_open_np(cli, table, presult); @@ -3268,8 +3270,17 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli, struct rpc_pipe_client *result; struct pipe_auth_data *auth; NTSTATUS status; + const char *remote_name = smbXcli_conn_remote_name(cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); - status = cli_rpc_pipe_open(cli, transport, table, &result); + + status = cli_rpc_pipe_open(cli, + transport, + table, + remote_name, + remote_sockaddr, + &result); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -3360,8 +3371,15 @@ NTSTATUS cli_rpc_pipe_open_with_creds(struct cli_state *cli, struct pipe_auth_data *auth = NULL; const char *target_service = table->authservices->names[0]; NTSTATUS status; + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); - status = cli_rpc_pipe_open(cli, transport, table, &result); + status = cli_rpc_pipe_open(cli, + transport, + table, + server, + remote_sockaddr, + &result); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -3411,8 +3429,16 @@ NTSTATUS cli_rpc_pipe_open_bind_schannel( struct cli_credentials *cli_creds; enum dcerpc_AuthLevel auth_level; NTSTATUS status; - - status = cli_rpc_pipe_open(cli, transport, table, &rpccli); + const char *remote_name = smbXcli_conn_remote_name(cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); + + status = cli_rpc_pipe_open(cli, + transport, + table, + remote_name, + remote_sockaddr, + &rpccli); if (!NT_STATUS_IS_OK(status)) { return status; } -- 2.34.1 From 346298694ca418101a541347a82aea56ae0e11dd Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 18 Nov 2021 11:32:42 +0100 Subject: [PATCH 04/10] s3:rpcclient: Remove trailing white spaces in rpcclient.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 33eb7a1bc9c21463dc699d6daaa6a1e19f668268) --- source3/rpcclient/rpcclient.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index 99220e3549e..7c8e1667b6b 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. RPC pipe client @@ -73,9 +73,9 @@ static char **completion_fn(const char *text, int start, int end) #if 0 /* JERRY */ /* FIXME!!! -- what to do when completing argument? */ - /* for words not at the start of the line fallback + /* for words not at the start of the line fallback to filename completion */ - if (start) + if (start) return NULL; #endif @@ -103,7 +103,7 @@ static char **completion_fn(const char *text, int start, int end) for (i=0; commands->cmd_set[i].name; i++) { if ((strncmp(text, commands->cmd_set[i].name, strlen(text)) == 0) && (( commands->cmd_set[i].returntype == RPC_RTYPE_NTSTATUS && - commands->cmd_set[i].ntfn ) || + commands->cmd_set[i].ntfn ) || ( commands->cmd_set[i].returntype == RPC_RTYPE_WERROR && commands->cmd_set[i].wfn))) { matches[count] = SMB_STRDUP(commands->cmd_set[i].name); @@ -233,7 +233,7 @@ static NTSTATUS cmd_listcommands(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ct /* Help on one command */ - for (tmp = cmd_list; tmp; tmp = tmp->next) + for (tmp = cmd_list; tmp; tmp = tmp->next) { tmp_set = tmp->cmd_set; -- 2.34.1 From 1c411be066a6455304885568d9a2a5bf8f037e19 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 18 Nov 2021 11:38:42 +0100 Subject: [PATCH 05/10] s3:libnet: Remove tailing whitespaces in libnet_join.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 34c57ebee04bb770174fab31edd9bfe2f88a84eb) --- source3/libnet/libnet_join.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 263420a2159..025190cb860 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -3045,7 +3045,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid); } - if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) && + if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) && !r->in.delete_machine_account) { libnet_join_unjoindomain_remove_secrets(mem_ctx, r); return WERR_OK; @@ -3077,8 +3077,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, } #ifdef HAVE_ADS - /* for net ads leave, try to delete the account. If it works, - no sense in disabling. If it fails, we can still try to + /* for net ads leave, try to delete the account. If it works, + no sense in disabling. If it fails, we can still try to disable it. jmcd */ if (r->in.delete_machine_account) { @@ -3086,10 +3086,10 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, ads_status = libnet_unjoin_connect_ads(mem_ctx, r); if (ADS_ERR_OK(ads_status)) { /* dirty hack */ - r->out.dns_domain_name = + r->out.dns_domain_name = talloc_strdup(mem_ctx, r->in.ads->server.realm); - ads_status = + ads_status = libnet_unjoin_remove_machine_acct(mem_ctx, r); } if (!ADS_ERR_OK(ads_status)) { @@ -3105,7 +3105,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, } #endif /* HAVE_ADS */ - /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means + /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means "disable". */ if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) { status = libnet_join_unjoindomain_rpc(mem_ctx, r); @@ -3124,7 +3124,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, r->out.disabled_machine_account = true; } - /* If disable succeeded or was not requested at all, we + /* If disable succeeded or was not requested at all, we should be getting rid of our end of things */ libnet_join_unjoindomain_remove_secrets(mem_ctx, r); -- 2.34.1 From 91723289a85232e6d5592004e422d0e2d8475e10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 18 Nov 2021 11:31:00 +0100 Subject: [PATCH 06/10] s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit bb3e0ce8fc932f5146044c548730f454a0119800) --- examples/winexe/winexe.c | 14 ++++++++++-- source3/rpc_client/cli_netlogon.c | 32 ++++++++++++++++++++++---- source3/rpc_client/cli_pipe.c | 15 ++++++++---- source3/rpc_client/cli_pipe.h | 2 ++ source3/rpcclient/rpcclient.c | 38 +++++++++++++++++++++++++++++++ source3/winbindd/winbindd_cm.c | 7 ++++++ 6 files changed, 96 insertions(+), 12 deletions(-) diff --git a/examples/winexe/winexe.c b/examples/winexe/winexe.c index 59fb9dbdebb..8a17107617c 100644 --- a/examples/winexe/winexe.c +++ b/examples/winexe/winexe.c @@ -401,11 +401,16 @@ static NTSTATUS winexe_svc_install( bool need_conf = false; NTSTATUS status; WERROR werr; + const char *remote_name = smbXcli_conn_remote_name(cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); status = cli_rpc_pipe_open_noauth_transport( cli, NCACN_NP, &ndr_table_svcctl, + remote_name, + remote_sockaddr, &rpccli); if (!NT_STATUS_IS_OK(status)) { DBG_WARNING("cli_rpc_pipe_open_noauth_transport failed: %s\n", @@ -416,7 +421,7 @@ static NTSTATUS winexe_svc_install( status = dcerpc_svcctl_OpenSCManagerW( rpccli->binding_handle, frame, - smbXcli_conn_remote_name(cli->conn), + remote_name, NULL, SEC_FLAG_MAXIMUM_ALLOWED, &scmanager_handle, @@ -717,11 +722,16 @@ static NTSTATUS winexe_svc_uninstall( struct SERVICE_STATUS service_status; NTSTATUS status; WERROR werr; + const char *remote_name = smbXcli_conn_remote_name(cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); status = cli_rpc_pipe_open_noauth_transport( cli, NCACN_NP, &ndr_table_svcctl, + remote_name, + remote_sockaddr, &rpccli); if (!NT_STATUS_IS_OK(status)) { DBG_WARNING("cli_rpc_pipe_open_noauth_transport failed: %s\n", @@ -732,7 +742,7 @@ static NTSTATUS winexe_svc_uninstall( status = dcerpc_svcctl_OpenSCManagerW( rpccli->binding_handle, frame, - smbXcli_conn_remote_name(cli->conn), + remote_name, NULL, SEC_FLAG_MAXIMUM_ALLOWED, &scmanager_handle, diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 175f83d6750..c5a967a64a4 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -168,6 +168,8 @@ NTSTATUS rpccli_setup_netlogon_creds_locked( const struct samr_Password *nt_hashes[2] = { NULL, NULL }; uint8_t idx_nt_hashes = 0; NTSTATUS status; + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; status = netlogon_creds_cli_get(creds_ctx, frame, &creds); if (NT_STATUS_IS_OK(status)) { @@ -177,10 +179,16 @@ NTSTATUS rpccli_setup_netlogon_creds_locked( action = "overwrite"; } + if (cli != NULL) { + remote_name = smbXcli_conn_remote_name(cli->conn); + } else { + remote_name = ""; + } + DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n", __FUNCTION__, action, creds->account_name, creds->computer_name, - smbXcli_conn_remote_name(cli->conn))); + remote_name)); if (!force_reauth) { goto done; } @@ -200,14 +208,19 @@ NTSTATUS rpccli_setup_netlogon_creds_locked( num_nt_hashes = 2; } + remote_name = smbXcli_conn_remote_name(cli->conn); + remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn); + status = cli_rpc_pipe_open_noauth_transport(cli, transport, &ndr_table_netlogon, + remote_name, + remote_sockaddr, &netlogon_pipe); if (!NT_STATUS_IS_OK(status)) { DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n", __FUNCTION__, - smbXcli_conn_remote_name(cli->conn), + remote_name, nt_errstr(status))); TALLOC_FREE(frame); return status; @@ -233,7 +246,7 @@ NTSTATUS rpccli_setup_netlogon_creds_locked( DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n", __FUNCTION__, creds->account_name, creds->computer_name, - smbXcli_conn_remote_name(cli->conn))); + remote_name)); done: if (negotiate_flags != NULL) { @@ -293,6 +306,8 @@ NTSTATUS rpccli_connect_netlogon( struct rpc_pipe_client *rpccli; NTSTATUS status; bool retry = false; + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; sec_chan_type = cli_credentials_get_secure_channel_type(trust_creds); if (sec_chan_type == SEC_CHAN_NULL) { @@ -411,8 +426,15 @@ again: goto fail; } - status = cli_rpc_pipe_open_noauth_transport( - cli, transport, &ndr_table_netlogon, &rpccli); + remote_name = smbXcli_conn_remote_name(cli->conn); + remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn); + + status = cli_rpc_pipe_open_noauth_transport(cli, + transport, + &ndr_table_netlogon, + remote_name, + remote_sockaddr, + &rpccli); if (!NT_STATUS_IS_OK(status)) { DBG_DEBUG("cli_rpc_pipe_open_noauth_transport " "failed: %s\n", nt_errstr(status)); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index cce7b3c7b6f..50daf478f3c 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -3265,15 +3265,13 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli, NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli, enum dcerpc_transport_t transport, const struct ndr_interface_table *table, + const char *remote_name, + const struct sockaddr_storage *remote_sockaddr, struct rpc_pipe_client **presult) { struct rpc_pipe_client *result; struct pipe_auth_data *auth; NTSTATUS status; - const char *remote_name = smbXcli_conn_remote_name(cli->conn); - const struct sockaddr_storage *remote_sockaddr = - smbXcli_conn_remote_sockaddr(cli->conn); - status = cli_rpc_pipe_open(cli, transport, @@ -3348,8 +3346,15 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, const struct ndr_interface_table *table, struct rpc_pipe_client **presult) { + const char *remote_name = smbXcli_conn_remote_name(cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); + return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP, - table, presult); + table, + remote_name, + remote_sockaddr, + presult); } /**************************************************************************** diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h index d7fed6bed88..20116ee50c0 100644 --- a/source3/rpc_client/cli_pipe.h +++ b/source3/rpc_client/cli_pipe.h @@ -70,6 +70,8 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli, enum dcerpc_transport_t transport, const struct ndr_interface_table *table, + const char *remote_name, + const struct sockaddr_storage *remote_sockaddr, struct rpc_pipe_client **presult); /**************************************************************************** diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index 7c8e1667b6b..8d73339b9e8 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -877,9 +877,45 @@ static NTSTATUS do_cmd(struct cli_state *cli, enum dcerpc_transport_t transport; TALLOC_CTX *mem_ctx = talloc_stackframe(); + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; + struct sockaddr_storage remote_ss = { + .ss_family = AF_UNSPEC, + }; transport = dcerpc_binding_get_transport(binding); + if (cli != NULL) { + remote_name = smbXcli_conn_remote_name(cli->conn); + remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn); + } else { + const char *remote_host = + dcerpc_binding_get_string_option(binding, "host"); + remote_name = dcerpc_binding_get_string_option( + binding, "target_hostname"); + + if (remote_host != NULL) { + int af = AF_UNSPEC; + + if (remote_name == NULL) { + remote_name = dcerpc_binding_get_string_option( + binding, "host"); + } + + if (is_ipaddress_v4(remote_host)) { + af = AF_INET; + } else if (is_ipaddress_v6(remote_host)) { + af = AF_INET6; + } + if (af != AF_UNSPEC) { + int ok = inet_pton(af, remote_host, &remote_ss); + if (ok) { + remote_sockaddr = &remote_ss; + } + } + } + } + /* Open pipe */ if ((cmd_entry->table != NULL) && (cmd_entry->rpc_pipe == NULL)) { @@ -904,6 +940,8 @@ static NTSTATUS do_cmd(struct cli_state *cli, ntresult = cli_rpc_pipe_open_noauth_transport( cli, transport, cmd_entry->table, + remote_name, + remote_sockaddr, &cmd_entry->rpc_pipe); break; case DCERPC_AUTH_TYPE_SPNEGO: diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 7381495e155..c30da8bb09d 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -3070,6 +3070,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, sec_chan_type = cli_credentials_get_secure_channel_type(creds); if (sec_chan_type == SEC_CHAN_NULL) { + const char *remote_name = + smbXcli_conn_remote_name(conn->cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(conn->cli->conn); + if (transport == NCACN_IP_TCP) { DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL " "for %s, deny NCACN_IP_TCP and let the " @@ -3086,6 +3091,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, conn->cli, transport, &ndr_table_netlogon, + remote_name, + remote_sockaddr, &conn->netlogon_pipe); if (!NT_STATUS_IS_OK(result)) { invalidate_cm_connection(domain); -- 2.34.1 From 90ba8c39784c0954b28da1d412bdf13acae6b99b Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 24 Nov 2021 13:21:28 +0100 Subject: [PATCH 07/10] s3:libsmb: Remove trailing white spaces from passchange.c Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit be1520d2058a9430cf370f6fefd07bbddf3fbfe0) --- source3/libsmb/passchange.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c index f60e3079975..e62d49d085c 100644 --- a/source3/libsmb/passchange.c +++ b/source3/libsmb/passchange.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. SMB client password change routine Copyright (C) Andrew Tridgell 1994-1998 @@ -79,7 +79,7 @@ NTSTATUS remote_password_change(const char *remote_machine, if (!NT_STATUS_IS_OK(result)) { if (asprintf(err_str, "machine %s rejected the negotiate " - "protocol. Error was : %s.\n", + "protocol. Error was : %s.\n", remote_machine, nt_errstr(result)) == -1) { *err_str = NULL; } @@ -87,7 +87,7 @@ NTSTATUS remote_password_change(const char *remote_machine, return result; } - /* Given things like SMB signing, restrict anonymous and the like, + /* Given things like SMB signing, restrict anonymous and the like, try an authenticated connection first */ result = cli_session_setup_creds(cli, creds); @@ -120,7 +120,7 @@ NTSTATUS remote_password_change(const char *remote_machine, if (!NT_STATUS_IS_OK(result)) { if (asprintf(err_str, "machine %s rejected the session " - "setup. Error was : %s.\n", + "setup. Error was : %s.\n", remote_machine, nt_errstr(result)) == -1) { *err_str = NULL; } @@ -196,7 +196,7 @@ NTSTATUS remote_password_change(const char *remote_machine, cli_shutdown(cli); return NT_STATUS_OK; - } else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) + } else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) || NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) { /* it failed, but for reasons such as wrong password, too short etc ... */ @@ -227,7 +227,7 @@ NTSTATUS remote_password_change(const char *remote_machine, cli_shutdown(cli); return NT_STATUS_OK; } else { - if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) + if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) || NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) { /* it failed, but again it was due to things like new password too short */ -- 2.34.1 From dd02e9818ffcacc039a14c85c34d0bc633f8ee3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 18 Nov 2021 11:43:08 +0100 Subject: [PATCH 08/10] s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider Signed-off-by: Andreas Schneider Signed-off-by: Guenther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit c7ead1292852da371ff53fcdbd7ebd4bc1c08fbd) --- source3/libsmb/passchange.c | 4 ++++ source3/rpc_client/cli_pipe.c | 3 +-- source3/rpc_client/cli_pipe.h | 1 + source3/rpcclient/rpcclient.c | 3 ++- source3/utils/net_rpc.c | 1 + source3/winbindd/winbindd_cm.c | 16 ++++++++++++++-- 6 files changed, 23 insertions(+), 5 deletions(-) diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c index e62d49d085c..2137c183f0e 100644 --- a/source3/libsmb/passchange.c +++ b/source3/libsmb/passchange.c @@ -143,12 +143,16 @@ NTSTATUS remote_password_change(const char *remote_machine, /* Try not to give the password away too easily */ if (!pass_must_change) { + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); + result = cli_rpc_pipe_open_with_creds(cli, &ndr_table_samr, NCACN_NP, DCERPC_AUTH_TYPE_NTLMSSP, DCERPC_AUTH_LEVEL_PRIVACY, remote_machine, + remote_sockaddr, creds, &pipe_hnd); } else { diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 50daf478f3c..ffc1df07d97 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -3369,6 +3369,7 @@ NTSTATUS cli_rpc_pipe_open_with_creds(struct cli_state *cli, enum dcerpc_AuthType auth_type, enum dcerpc_AuthLevel auth_level, const char *server, + const struct sockaddr_storage *remote_sockaddr, struct cli_credentials *creds, struct rpc_pipe_client **presult) { @@ -3376,8 +3377,6 @@ NTSTATUS cli_rpc_pipe_open_with_creds(struct cli_state *cli, struct pipe_auth_data *auth = NULL; const char *target_service = table->authservices->names[0]; NTSTATUS status; - const struct sockaddr_storage *remote_sockaddr = - smbXcli_conn_remote_sockaddr(cli->conn); status = cli_rpc_pipe_open(cli, transport, diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h index 20116ee50c0..4ca9a85b3e5 100644 --- a/source3/rpc_client/cli_pipe.h +++ b/source3/rpc_client/cli_pipe.h @@ -86,6 +86,7 @@ NTSTATUS cli_rpc_pipe_open_with_creds(struct cli_state *cli, enum dcerpc_AuthType auth_type, enum dcerpc_AuthLevel auth_level, const char *server, + const struct sockaddr_storage *remote_sockaddr, struct cli_credentials *creds, struct rpc_pipe_client **presult); diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index 8d73339b9e8..b9861bc8fc0 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -956,7 +956,8 @@ static NTSTATUS do_cmd(struct cli_state *cli, transport, auth_type, auth_level, - smbXcli_conn_remote_name(cli->conn), + remote_name, + remote_sockaddr, creds, &cmd_entry->rpc_pipe); break; diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 1306dccd5a6..6902fa75ecc 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -214,6 +214,7 @@ int run_rpc_command(struct net_context *c, DCERPC_AUTH_TYPE_NTLMSSP, DCERPC_AUTH_LEVEL_PRIVACY, smbXcli_conn_remote_name(cli->conn), + smbXcli_conn_remote_sockaddr(cli->conn), c->creds, &pipe_hnd); } else { nt_status = cli_rpc_pipe_open_noauth( diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index c30da8bb09d..53d3370931a 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2445,6 +2445,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, struct netlogon_creds_cli_context *p_creds; struct cli_credentials *creds = NULL; bool retry = false; /* allow one retry attempt for expired session */ + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; if (sid_check_is_our_sam(&domain->sid)) { if (domain->rodc == false || need_rw_dc == false) { @@ -2498,6 +2500,9 @@ retry: goto anonymous; } + remote_name = smbXcli_conn_remote_name(conn->cli->conn); + remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn); + /* * We have an authenticated connection. Use a SPNEGO * authenticated SAMR pipe with sign & seal. @@ -2507,7 +2512,8 @@ retry: NCACN_NP, DCERPC_AUTH_TYPE_SPNEGO, conn->auth_level, - smbXcli_conn_remote_name(conn->cli->conn), + remote_name, + remote_sockaddr, creds, &conn->samr_pipe); @@ -2772,6 +2778,8 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, struct netlogon_creds_cli_context *p_creds; struct cli_credentials *creds = NULL; bool retry = false; /* allow one retry attempt for expired session */ + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; retry: result = init_dc_connection_rpc(domain, false); @@ -2804,6 +2812,9 @@ retry: goto anonymous; } + remote_name = smbXcli_conn_remote_name(conn->cli->conn); + remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn); + /* * We have an authenticated connection. Use a SPNEGO * authenticated LSA pipe with sign & seal. @@ -2812,7 +2823,8 @@ retry: (conn->cli, &ndr_table_lsarpc, NCACN_NP, DCERPC_AUTH_TYPE_SPNEGO, conn->auth_level, - smbXcli_conn_remote_name(conn->cli->conn), + remote_name, + remote_sockaddr, creds, &conn->lsa_pipe); -- 2.34.1 From 1301a5ba6ab72403770123705fe3f51fdb7173a2 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 18 Nov 2021 11:47:26 +0100 Subject: [PATCH 09/10] s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 62aa769667464451cda672fc073e52a8e52ae4c1) --- source3/rpc_client/cli_netlogon.c | 25 +++++++++++++++++-------- source3/rpc_client/cli_pipe.c | 17 ++++++++++++----- source3/rpc_client/cli_pipe.h | 4 ++++ source3/rpc_client/cli_pipe_schannel.c | 5 +++-- source3/rpcclient/rpcclient.c | 2 ++ source3/utils/net_rpc.c | 7 +++++++ 6 files changed, 45 insertions(+), 15 deletions(-) diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index c5a967a64a4..049186e5a51 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -368,15 +368,22 @@ again: } } + remote_name = smbXcli_conn_remote_name(cli->conn); + remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn); + do_serverauth = force_reauth || !found_existing_creds; if (!do_serverauth) { /* * Do the quick schannel bind without a reauth */ - status = cli_rpc_pipe_open_bind_schannel( - cli, &ndr_table_netlogon, transport, creds_ctx, - &rpccli); + status = cli_rpc_pipe_open_bind_schannel(cli, + &ndr_table_netlogon, + transport, + creds_ctx, + remote_name, + remote_sockaddr, + &rpccli); if (!retry && NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) { DBG_DEBUG("Retrying with serverauthenticate\n"); TALLOC_FREE(lck); @@ -426,9 +433,6 @@ again: goto fail; } - remote_name = smbXcli_conn_remote_name(cli->conn); - remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn); - status = cli_rpc_pipe_open_noauth_transport(cli, transport, &ndr_table_netlogon, @@ -443,8 +447,13 @@ again: goto done; } - status = cli_rpc_pipe_open_bind_schannel( - cli, &ndr_table_netlogon, transport, creds_ctx, &rpccli); + status = cli_rpc_pipe_open_bind_schannel(cli, + &ndr_table_netlogon, + transport, + creds_ctx, + remote_name, + remote_sockaddr, + &rpccli); if (!NT_STATUS_IS_OK(status)) { DBG_DEBUG("cli_rpc_pipe_open_bind_schannel " "failed: %s\n", nt_errstr(status)); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index ffc1df07d97..81a906db43a 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -3425,6 +3425,8 @@ NTSTATUS cli_rpc_pipe_open_bind_schannel( const struct ndr_interface_table *table, enum dcerpc_transport_t transport, struct netlogon_creds_cli_context *netlogon_creds, + const char *remote_name, + const struct sockaddr_storage *remote_sockaddr, struct rpc_pipe_client **_rpccli) { struct rpc_pipe_client *rpccli; @@ -3433,9 +3435,6 @@ NTSTATUS cli_rpc_pipe_open_bind_schannel( struct cli_credentials *cli_creds; enum dcerpc_AuthLevel auth_level; NTSTATUS status; - const char *remote_name = smbXcli_conn_remote_name(cli->conn); - const struct sockaddr_storage *remote_sockaddr = - smbXcli_conn_remote_sockaddr(cli->conn); status = cli_rpc_pipe_open(cli, transport, @@ -3500,6 +3499,9 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli, struct rpc_pipe_client *rpccli; struct netlogon_creds_cli_lck *lck; NTSTATUS status; + const char *remote_name = smbXcli_conn_remote_name(cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); status = netlogon_creds_cli_lck( netlogon_creds, NETLOGON_CREDS_CLI_LCK_EXCLUSIVE, @@ -3511,8 +3513,13 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli, return status; } - status = cli_rpc_pipe_open_bind_schannel( - cli, table, transport, netlogon_creds, &rpccli); + status = cli_rpc_pipe_open_bind_schannel(cli, + table, + transport, + netlogon_creds, + remote_name, + remote_sockaddr, + &rpccli); if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) { netlogon_creds_cli_delete_lck(netlogon_creds); } diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h index 4ca9a85b3e5..cb0757eb954 100644 --- a/source3/rpc_client/cli_pipe.h +++ b/source3/rpc_client/cli_pipe.h @@ -95,6 +95,8 @@ NTSTATUS cli_rpc_pipe_open_bind_schannel( const struct ndr_interface_table *table, enum dcerpc_transport_t transport, struct netlogon_creds_cli_context *netlogon_creds, + const char *remote_name, + const struct sockaddr_storage *remote_sockaddr, struct rpc_pipe_client **_rpccli); NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli, const struct ndr_interface_table *table, @@ -107,6 +109,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli, const struct ndr_interface_table *table, enum dcerpc_transport_t transport, const char *domain, + const char *remote_name, + const struct sockaddr_storage *remote_sockaddr, struct rpc_pipe_client **presult, TALLOC_CTX *mem_ctx, struct netlogon_creds_cli_context **pcreds); diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c index 8a8177be2e5..9877ea6c542 100644 --- a/source3/rpc_client/cli_pipe_schannel.c +++ b/source3/rpc_client/cli_pipe_schannel.c @@ -42,12 +42,13 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli, const struct ndr_interface_table *table, enum dcerpc_transport_t transport, const char *domain, + const char *remote_name, + const struct sockaddr_storage *remote_sockaddr, struct rpc_pipe_client **presult, TALLOC_CTX *mem_ctx, struct netlogon_creds_cli_context **pcreds) { TALLOC_CTX *frame = talloc_stackframe(); - const char *dc_name = smbXcli_conn_remote_name(cli->conn); struct rpc_pipe_client *result = NULL; NTSTATUS status; struct cli_credentials *cli_creds = NULL; @@ -63,7 +64,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli, } status = rpccli_create_netlogon_creds_ctx(cli_creds, - dc_name, + remote_name, msg_ctx, frame, &netlogon_creds); diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index b9861bc8fc0..c5edfaf95f6 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -968,6 +968,8 @@ static NTSTATUS do_cmd(struct cli_state *cli, cmd_entry->table, transport, rpcclient_netlogon_domain, + remote_name, + remote_sockaddr, &cmd_entry->rpc_pipe, rpcclient_msg_ctx, &rpcclient_netlogon_creds); diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 6902fa75ecc..279b831f148 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -194,11 +194,18 @@ int run_rpc_command(struct net_context *c, if (lp_client_schannel() && (ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id))) { + const char *remote_name = + smbXcli_conn_remote_name(cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); + /* Always try and create an schannel netlogon pipe. */ TALLOC_FREE(c->netlogon_creds); nt_status = cli_rpc_pipe_open_schannel( cli, c->msg_ctx, table, NCACN_NP, domain_name, + remote_name, + remote_sockaddr, &pipe_hnd, c, &c->netlogon_creds); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Could not initialise schannel netlogon pipe. Error was %s\n", -- 2.34.1 From 9521ee85850973831ae0b82752d976e946296156 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 18 Nov 2021 11:52:18 +0100 Subject: [PATCH 10/10] s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 6bf3a39b11832ad2feb655e29da84f8b5aac298e) --- selftest/knownfail.d/rpcclient_schannel | 2 -- source3/libnet/libnet_join.c | 29 +++++++++++++++++++------ source3/rpc_client/cli_pipe.c | 5 ++--- source3/rpc_client/cli_pipe.h | 2 ++ source3/rpc_client/cli_pipe_schannel.c | 2 ++ source3/winbindd/winbindd_cm.c | 22 ++++++++++++++----- 6 files changed, 45 insertions(+), 17 deletions(-) diff --git a/selftest/knownfail.d/rpcclient_schannel b/selftest/knownfail.d/rpcclient_schannel index 9881cc3c0cd..5498837ee29 100644 --- a/selftest/knownfail.d/rpcclient_schannel +++ b/selftest/knownfail.d/rpcclient_schannel @@ -1,3 +1 @@ ^samba.blackbox.rpcclient_schannel.ncacn_np.getusername.fips\(ad_member_fips:local\) -^samba.blackbox.rpcclient_schannel.ncacn_ip_tcp.lookupsids\(ad_member:local\) -^samba.blackbox.rpcclient_schannel.ncacn_ip_tcp.lookupsids\(ad_member_fips:local\) diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 025190cb860..02705f1c70c 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -1297,11 +1297,18 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx, TALLOC_FREE(creds); if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) { - status = cli_rpc_pipe_open_schannel_with_creds(cli, - &ndr_table_netlogon, - NCACN_NP, - netlogon_creds, - &passwordset_pipe); + const char *remote_name = smbXcli_conn_remote_name(cli->conn); + const struct sockaddr_storage *remote_sockaddr = + smbXcli_conn_remote_sockaddr(cli->conn); + + status = cli_rpc_pipe_open_schannel_with_creds( + cli, + &ndr_table_netlogon, + NCACN_NP, + netlogon_creds, + remote_name, + remote_sockaddr, + &passwordset_pipe); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(frame); return status; @@ -1700,6 +1707,8 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, uint32_t netlogon_flags = 0; NTSTATUS status; int flags = CLI_FULL_CONNECTION_IPC; + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; if (!dc_name) { TALLOC_FREE(frame); @@ -1800,9 +1809,15 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, return NT_STATUS_OK; } + remote_name = smbXcli_conn_remote_name(cli->conn); + remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn); + status = cli_rpc_pipe_open_schannel_with_creds( cli, &ndr_table_netlogon, NCACN_NP, - netlogon_creds, &netlogon_pipe); + netlogon_creds, + remote_name, + remote_sockaddr, + &netlogon_pipe); TALLOC_FREE(netlogon_pipe); @@ -1810,7 +1825,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, DEBUG(0,("libnet_join_ok: failed to open schannel session " "on netlogon pipe to server %s for domain %s. " "Error was %s\n", - smbXcli_conn_remote_name(cli->conn), + remote_name, netbios_domain_name, nt_errstr(status))); cli_shutdown(cli); TALLOC_FREE(frame); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 81a906db43a..17a0251450a 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -3493,15 +3493,14 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli, const struct ndr_interface_table *table, enum dcerpc_transport_t transport, struct netlogon_creds_cli_context *netlogon_creds, + const char *remote_name, + const struct sockaddr_storage *remote_sockaddr, struct rpc_pipe_client **_rpccli) { TALLOC_CTX *frame = talloc_stackframe(); struct rpc_pipe_client *rpccli; struct netlogon_creds_cli_lck *lck; NTSTATUS status; - const char *remote_name = smbXcli_conn_remote_name(cli->conn); - const struct sockaddr_storage *remote_sockaddr = - smbXcli_conn_remote_sockaddr(cli->conn); status = netlogon_creds_cli_lck( netlogon_creds, NETLOGON_CREDS_CLI_LCK_EXCLUSIVE, diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h index cb0757eb954..c5a2c0442db 100644 --- a/source3/rpc_client/cli_pipe.h +++ b/source3/rpc_client/cli_pipe.h @@ -102,6 +102,8 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli, const struct ndr_interface_table *table, enum dcerpc_transport_t transport, struct netlogon_creds_cli_context *netlogon_creds, + const char *remote_name, + const struct sockaddr_storage *remote_sockaddr, struct rpc_pipe_client **_rpccli); NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli, diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c index 9877ea6c542..c33fc5baa17 100644 --- a/source3/rpc_client/cli_pipe_schannel.c +++ b/source3/rpc_client/cli_pipe_schannel.c @@ -95,6 +95,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli, status = cli_rpc_pipe_open_schannel_with_creds(cli, table, transport, netlogon_creds, + remote_name, + remote_sockaddr, &result); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(frame); diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 53d3370931a..0c4a3cc3593 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2580,6 +2580,8 @@ retry: TALLOC_FREE(creds); status = cli_rpc_pipe_open_schannel_with_creds( conn->cli, &ndr_table_samr, NCACN_NP, p_creds, + remote_name, + remote_sockaddr, &conn->samr_pipe); if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED) @@ -2722,6 +2724,8 @@ static NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain, struct winbindd_cm_conn *conn; struct netlogon_creds_cli_context *p_creds = NULL; NTSTATUS status; + const char *remote_name = NULL; + const struct sockaddr_storage *remote_sockaddr = NULL; DEBUG(10,("cm_connect_lsa_tcp\n")); @@ -2748,11 +2752,17 @@ static NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain, goto done; } - status = cli_rpc_pipe_open_schannel_with_creds(conn->cli, - &ndr_table_lsarpc, - NCACN_IP_TCP, - p_creds, - &conn->lsa_pipe_tcp); + remote_name = smbXcli_conn_remote_name(conn->cli->conn); + remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn); + + status = cli_rpc_pipe_open_schannel_with_creds( + conn->cli, + &ndr_table_lsarpc, + NCACN_IP_TCP, + p_creds, + remote_name, + remote_sockaddr, + &conn->lsa_pipe_tcp); if (!NT_STATUS_IS_OK(status)) { DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n", nt_errstr(status))); @@ -2885,6 +2895,8 @@ retry: TALLOC_FREE(creds); result = cli_rpc_pipe_open_schannel_with_creds( conn->cli, &ndr_table_lsarpc, NCACN_NP, p_creds, + remote_name, + remote_sockaddr, &conn->lsa_pipe); if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED) -- 2.34.1