The Samba-Bugzilla – Attachment 17039 Details for
Bug 14767
rpcclient cannot connect to ncacn_ip_tcp services anymore
[patch]
patch for 4.15
net-fix-segfault.patch (text/plain), 48.65 KB, created by
Andreas Schneider
on 2021-12-02 15:08:45 UTC
Description:
patch for 4.15
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2021-12-02 15:08:45 UTC
Size:
48.65 KB
patch
obsolete
>From 0346e6b3f07f33ec849da28d595224b1f029f9f4 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Wed, 17 Nov 2021 11:46:04 +0100
>Subject: [PATCH 01/10] testprogs: Add rpcclient schannel tests
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 492fd5b00fe9d62f53b96e3a7588a7f2848a571d)
>---
> selftest/knownfail.d/rpcclient_schannel | 3 +
> source4/selftest/tests.py | 27 ++++++
> testprogs/blackbox/test_rpcclient_schannel.sh | 94 +++++++++++++++++++
> 3 files changed, 124 insertions(+)
> create mode 100644 selftest/knownfail.d/rpcclient_schannel
> create mode 100755 testprogs/blackbox/test_rpcclient_schannel.sh
>
>diff --git a/selftest/knownfail.d/rpcclient_schannel b/selftest/knownfail.d/rpcclient_schannel
>new file mode 100644
>index 00000000000..9881cc3c0cd
>--- /dev/null
>+++ b/selftest/knownfail.d/rpcclient_schannel
>@@ -0,0 +1,3 @@
>+^samba.blackbox.rpcclient_schannel.ncacn_np.getusername.fips\(ad_member_fips:local\)
>+^samba.blackbox.rpcclient_schannel.ncacn_ip_tcp.lookupsids\(ad_member:local\)
>+^samba.blackbox.rpcclient_schannel.ncacn_ip_tcp.lookupsids\(ad_member_fips:local\)
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index 616682c355f..a16b2879bd2 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -553,6 +553,33 @@ else:
>
> plantestsuite("samba.blackbox.client_kerberos", "ad_dc", [os.path.join(bbdir, "test_client_kerberos.sh"), '$DOMAIN', '$REALM', '$USERNAME', '$PASSWORD', '$SERVER', '$PREFIX_ABS', '$SMB_CONF_PATH'])
>
>+env="ad_member:local"
>+plantestsuite("samba.blackbox.rpcclient_schannel",
>+ env,
>+ [os.path.join(bbdir, "test_rpcclient_schannel.sh"),
>+ '$DOMAIN',
>+ '$REALM',
>+ '$DC_USERNAME',
>+ '$DC_PASSWORD',
>+ '$DC_SERVER',
>+ '$PREFIX_ABS',
>+ '$SMB_CONF_PATH',
>+ env])
>+env="ad_member_fips:local"
>+plantestsuite("samba.blackbox.rpcclient_schannel",
>+ env,
>+ [os.path.join(bbdir, "test_rpcclient_schannel.sh"),
>+ '$DOMAIN',
>+ '$REALM',
>+ '$DC_USERNAME',
>+ '$DC_PASSWORD',
>+ '$DC_SERVER',
>+ '$PREFIX_ABS',
>+ '$SMB_CONF_PATH',
>+ env],
>+ environ={'GNUTLS_FORCE_FIPS_MODE': '1',
>+ 'OPENSSL_FORCE_FIPS_MODE': '1'})
>+
> plantestsuite("samba4.blackbox.trust_ntlm", "fl2008r2dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'forest', 'auto', 'NT_STATUS_LOGON_FAILURE'])
> plantestsuite("samba4.blackbox.trust_ntlm", "fl2003dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'external', 'auto', 'NT_STATUS_LOGON_FAILURE'])
> plantestsuite("samba4.blackbox.trust_ntlm", "fl2000dc:local", [os.path.join(bbdir, "test_trust_ntlm.sh"), '$SERVER_IP', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', 'external', 'auto', 'NT_STATUS_LOGON_FAILURE'])
>diff --git a/testprogs/blackbox/test_rpcclient_schannel.sh b/testprogs/blackbox/test_rpcclient_schannel.sh
>new file mode 100755
>index 00000000000..9981d4dab5f
>--- /dev/null
>+++ b/testprogs/blackbox/test_rpcclient_schannel.sh
>@@ -0,0 +1,94 @@
>+#!/bin/bash
>+# Blackbox tests rpcclient with schannel
>+# Copyright (c) 2021 Andreas Schneider <asn@samba.org>
>+
>+if [ $# -lt 8 ]; then
>+ cat << EOF
>+Usage: test_rpcclient_schannel.sh DOMAIN REALM USERNAME PASSWORD SERVER PREFIX CONFIGURATION TESTENV
>+EOF
>+ exit 1
>+fi
>+
>+DOMAIN=$1
>+REALM=$2
>+USERNAME=$3
>+PASSWORD=$4
>+SERVER=$5
>+PREFIX=$6
>+CONFIGURATION=$7
>+TESTENV=$8
>+shift 8
>+
>+failed=0
>+
>+samba_subunit_dir=$(dirname "$0")
>+. "${samba_subunit_dir}/subunit.sh"
>+. "${samba_subunit_dir}/common_test_fns.inc"
>+
>+samba_bindir="${BINDIR}"
>+samba_rpcclient="${samba_bindir}/rpcclient"
>+
>+test_rpc_getusername()
>+{
>+ cmd="$samba_rpcclient ncacn_np:${SERVER}[schannel] --machine-pass --configfile=${CONFIGURATION} -c getusername 2>&1"
>+ out=$(eval "$cmd")
>+ ret=$?
>+ if [ $ret -ne 0 ]; then
>+ echo "Failed to connect! Error: $ret"
>+ echo "$out"
>+ return 1
>+ fi
>+
>+ echo "$out" | grep -q "Account Name: ANONYMOUS LOGON, Authority Name: NT AUTHORITY"
>+ ret=$?
>+ if [ $ret -ne 0 ]; then
>+ echo "Incorrect account/authority name! Error: $ret"
>+ echo "$out"
>+ return 1
>+ fi
>+
>+ return 0
>+}
>+
>+test_rpc_lookupsids()
>+{
>+ cmd="$samba_rpcclient ncacn_ip_tcp:${SERVER}[schannel] --machine-pass --configfile=${CONFIGURATION} -c 'lookupsids3 S-1-1-0' 2>&1"
>+ out=$(eval "$cmd")
>+ ret=$?
>+ if [ $ret -ne 0 ]; then
>+ echo "Failed to connect! Error: $ret"
>+ echo "$out"
>+ return 1
>+ fi
>+
>+ echo "$out" | grep -q "S-1-1-0 Everyone"
>+ ret=$?
>+ if [ $ret -ne 0 ]; then
>+ echo "Incorrect account/authority name! 
Error: $ret"
>+ echo "$out"
>+ return 1
>+ fi
>+
>+ return 0
>+}
>+
>+testit "ncacn_np.getusername" \
>+ test_rpc_getusername || \
>+ failed=$((failed + 1))
>+
>+if [[ "$TESTENV" == "ad_member_fips"* ]]; then
>+ unset GNUTLS_FORCE_FIPS_MODE
>+
>+ testit "ncacn_np.getusername.fips" \
>+ test_rpc_getusername || \
>+ failed=$((failed + 1))
>+
>+ GNUTLS_FORCE_FIPS_MODE=1
>+ export GNUTLS_FORCE_FIPS_MODE
>+fi
>+
>+testit "ncacn_ip_tcp.lookupsids" \
>+ test_rpc_lookupsids || \
>+ failed=$((failed + 1))
>+
>+exit ${failed}
>--
>2.34.1
>
>
>From bf3e6a240aea02f4b3528220199cb90b661e435a Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Thu, 18 Nov 2021 11:14:16 +0100
>Subject: [PATCH 02/10] s3:rpc_client: Remove trailing white spaces from
> cli_pipe.c
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit b3bf5bbaf81de369c8f9415d903816a2d7424ffc)
>---
> source3/rpc_client/cli_pipe.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
>index 4ed74ae52b0..21e86066dd3 100644
>--- a/source3/rpc_client/cli_pipe.c
>+++ b/source3/rpc_client/cli_pipe.c
>@@ -3163,7 +3163,7 @@ static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_r
> * assignments of cli, which invalidates the data in the returned
> * rpc_pipe_client if this function is called before the structure assignment
> * of cli.
>- *
>+ *
> ****************************************************************************/
>
> static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
>--
>2.34.1
>
>
>From 291445d7580d3db1c7041e0f778f4111911c2e5c Mon Sep 17 00:00:00 2001
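Review bot: In `test_rpc_lookupsids` of testprogs/blackbox/test_rpcclient_schannel.sh the grep-failure branch prints "Incorrect account/authority name!", which is copied from `test_rpc_getusername` and does not describe the SID lookup being checked; something like `echo "Unexpected lookupsids3 output! Error: $ret"` would point at the right assertion when the test fails. Both helpers also assemble the command line as a string and run it through `eval`, so a `$SERVER` or `$CONFIGURATION` value containing spaces or shell metacharacters is parsed a second time by the shell. Calling the binary directly avoids that, e.g. `out=$("$samba_rpcclient" "ncacn_np:${SERVER}[schannel]" --machine-pass --configfile="${CONFIGURATION}" -c getusername 2>&1)`. DOMAIN, REALM, USERNAME, PASSWORD and PREFIX are assigned but not used anywhere in the visible script.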
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 18 Nov 2021 11:18:59 +0100
>Subject: [PATCH 03/10] s3:rpc_client: Pass remote name and socket to
> cli_rpc_pipe_open()
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
>
>Pair-Programmed-With: Andreas Schneider <asn@samba.org>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 016429acaf76bde53bd4ab81b48be23c2bcc28e3)
>---
> source3/rpc_client/cli_pipe.c | 38 +++++++++++++++++++++++++++++------
> 1 file changed, 32 insertions(+), 6 deletions(-)
>
>diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
>index 21e86066dd3..cce7b3c7b6f 100644
>--- a/source3/rpc_client/cli_pipe.c
>+++ b/source3/rpc_client/cli_pipe.c
>@@ -3241,13 +3241,15 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> enum dcerpc_transport_t transport,
> const struct ndr_interface_table *table,
>+ const char *remote_name,
>+ const struct sockaddr_storage *remote_sockaddr,
> struct rpc_pipe_client **presult)
> {
> switch (transport) {
> case NCACN_IP_TCP:
> return rpc_pipe_open_tcp(NULL,
>- smbXcli_conn_remote_name(cli->conn),
>- smbXcli_conn_remote_sockaddr(cli->conn),
>+ remote_name,
>+ remote_sockaddr,
> table, presult);
> case NCACN_NP:
> return rpc_pipe_open_np(cli, table, presult);
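Review bot: The two parameters added to `cli_rpc_pipe_open()` in source3/rpc_client/cli_pipe.c carry no stated contract: in the visible switch they are consumed only by the `NCACN_IP_TCP` case and ignored for `NCACN_NP`, and nothing says whether either may be NULL. A short comment above the function would make that explicit for the callers that now have to supply them, for example `/* remote_name and remote_sockaddr are only used for NCACN_IP_TCP; <state whether NULL is accepted> */`. The function body continues past the end of this hunk.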
>@@ -3268,8 +3270,17 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli, > struct rpc_pipe_client *result; > struct pipe_auth_data *auth; > NTSTATUS status; >+ const char *remote_name = smbXcli_conn_remote_name(cli->conn); >+ const struct sockaddr_storage *remote_sockaddr = >+ smbXcli_conn_remote_sockaddr(cli->conn); > >- status = cli_rpc_pipe_open(cli, transport, table, &result); >+ >+ status = cli_rpc_pipe_open(cli, >+ transport, >+ table, >+ remote_name, >+ remote_sockaddr, >+ &result); > if (!NT_STATUS_IS_OK(status)) { > return status; > } >@@ -3360,8 +3371,15 @@ NTSTATUS cli_rpc_pipe_open_with_creds(struct cli_state *cli, > struct pipe_auth_data *auth = NULL; > const char *target_service = table->authservices->names[0]; > NTSTATUS status; >+ const struct sockaddr_storage *remote_sockaddr = >+ smbXcli_conn_remote_sockaddr(cli->conn); > >- status = cli_rpc_pipe_open(cli, transport, table, &result); >+ status = cli_rpc_pipe_open(cli, >+ transport, >+ table, >+ server, >+ remote_sockaddr, >+ &result); > if (!NT_STATUS_IS_OK(status)) { > return status; > } >@@ -3411,8 +3429,16 @@ NTSTATUS cli_rpc_pipe_open_bind_schannel( > struct cli_credentials *cli_creds; > enum dcerpc_AuthLevel auth_level; > NTSTATUS status; >- >- status = cli_rpc_pipe_open(cli, transport, table, &rpccli); >+ const char *remote_name = smbXcli_conn_remote_name(cli->conn); >+ const struct sockaddr_storage *remote_sockaddr = >+ smbXcli_conn_remote_sockaddr(cli->conn); >+ >+ status = cli_rpc_pipe_open(cli, >+ transport, >+ table, >+ remote_name, >+ remote_sockaddr, >+ &rpccli); > if (!NT_STATUS_IS_OK(status)) { > return status; > } >-- >2.34.1 > > >From 346298694ca418101a541347a82aea56ae0e11dd Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Thu, 18 Nov 2021 11:32:42 +0100 >Subject: [PATCH 04/10] s3:rpcclient: Remove trailing white spaces in > rpcclient.c > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 33eb7a1bc9c21463dc699d6daaa6a1e19f668268)
>---
> source3/rpcclient/rpcclient.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
>diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
>index 99220e3549e..7c8e1667b6b 100644
>--- a/source3/rpcclient/rpcclient.c
>+++ b/source3/rpcclient/rpcclient.c
>@@ -1,4 +1,4 @@
>-/*
>+/*
> Unix SMB/CIFS implementation.
> RPC pipe client
>
>@@ -73,9 +73,9 @@ static char **completion_fn(const char *text, int start, int end)
>
> #if 0 /* JERRY */
> /* FIXME!!! -- what to do when completing argument? */
>- /* for words not at the start of the line fallback
>+ /* for words not at the start of the line fallback
> to filename completion */
>- if (start)
>+ if (start)
> return NULL;
> #endif
>
>@@ -103,7 +103,7 @@ static char **completion_fn(const char *text, int start, int end)
> for (i=0; commands->cmd_set[i].name; i++) {
> if ((strncmp(text, commands->cmd_set[i].name, strlen(text)) == 0) &&
> (( commands->cmd_set[i].returntype == RPC_RTYPE_NTSTATUS &&
>- commands->cmd_set[i].ntfn ) ||
>+ commands->cmd_set[i].ntfn ) ||
> ( commands->cmd_set[i].returntype == RPC_RTYPE_WERROR &&
> commands->cmd_set[i].wfn))) {
> matches[count] = SMB_STRDUP(commands->cmd_set[i].name);
>@@ -233,7 +233,7 @@ static NTSTATUS cmd_listcommands(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ct
>
> /* Help on one command */
>
>- for (tmp = cmd_list; tmp; tmp = tmp->next)
>+ for (tmp = cmd_list; tmp; tmp = tmp->next)
> {
> tmp_set = tmp->cmd_set;
>
>--
>2.34.1
>
>
>From 1c411be066a6455304885568d9a2a5bf8f037e19 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Thu, 18 Nov 2021 11:38:42 +0100
>Subject: [PATCH 05/10] s3:libnet: Remove tailing whitespaces in libnet_join.c
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 34c57ebee04bb770174fab31edd9bfe2f88a84eb)
>---
> source3/libnet/libnet_join.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
>diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
>index 263420a2159..025190cb860 100644
>--- a/source3/libnet/libnet_join.c
>+++ b/source3/libnet/libnet_join.c
>@@ -3045,7 +3045,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
> W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid);
> }
>
>- if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) &&
>+ if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) &&
> !r->in.delete_machine_account) {
> libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
> return WERR_OK;
>@@ -3077,8 +3077,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
> }
>
> #ifdef HAVE_ADS
>- /* for net ads leave, try to delete the account. If it works,
>- no sense in disabling. If it fails, we can still try to
>+ /* for net ads leave, try to delete the account. If it works,
>+ no sense in disabling. If it fails, we can still try to
> disable it. jmcd */
>
> if (r->in.delete_machine_account) {
>@@ -3086,10 +3086,10 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
> ads_status = libnet_unjoin_connect_ads(mem_ctx, r);
> if (ADS_ERR_OK(ads_status)) {
> /* dirty hack */
>- r->out.dns_domain_name =
>+ r->out.dns_domain_name =
> talloc_strdup(mem_ctx,
> r->in.ads->server.realm);
>- ads_status =
>+ ads_status =
> libnet_unjoin_remove_machine_acct(mem_ctx, r);
> }
> if (!ADS_ERR_OK(ads_status)) {
>@@ -3105,7 +3105,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
> }
> #endif /* HAVE_ADS */
>
>- /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means
>+ /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means
> "disable". */
> if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
> status = libnet_join_unjoindomain_rpc(mem_ctx, r);
>@@ -3124,7 +3124,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
> r->out.disabled_machine_account = true;
> }
>
>- /* If disable succeeded or was not requested at all, we
>+ /* If disable succeeded or was not requested at all, we
> should be getting rid of our end of things */
>
> libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
>--
>2.34.1
>
>
>From 91723289a85232e6d5592004e422d0e2d8475e10 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 18 Nov 2021 11:31:00 +0100
>Subject: [PATCH 06/10] s3:rpc_client: Pass remote name and socket to
> cli_rpc_pipe_open_noauth_transport()
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
>
>Pair-Programmed-With: Andreas Schneider <asn@samba.org>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit bb3e0ce8fc932f5146044c548730f454a0119800)
>---
> examples/winexe/winexe.c | 14 ++++++++++--
> source3/rpc_client/cli_netlogon.c | 32 ++++++++++++++++++++++----
> source3/rpc_client/cli_pipe.c | 15 ++++++++----
> source3/rpc_client/cli_pipe.h | 2 ++
> source3/rpcclient/rpcclient.c | 38 +++++++++++++++++++++++++++++++
> source3/winbindd/winbindd_cm.c | 7 ++++++
> 6 files changed, 96 insertions(+), 12 deletions(-)
>
>diff --git a/examples/winexe/winexe.c b/examples/winexe/winexe.c
>index 59fb9dbdebb..8a17107617c 100644
>--- a/examples/winexe/winexe.c
>+++ b/examples/winexe/winexe.c
>@@ -401,11 +401,16 @@ static NTSTATUS winexe_svc_install(
> bool need_conf = false;
> NTSTATUS status;
> WERROR werr;
>+ const char *remote_name = smbXcli_conn_remote_name(cli->conn);
>+ const struct sockaddr_storage *remote_sockaddr =
>+ smbXcli_conn_remote_sockaddr(cli->conn);
>
> status = cli_rpc_pipe_open_noauth_transport(
> cli,
> NCACN_NP,
> &ndr_table_svcctl,
>+ remote_name,
>+ remote_sockaddr,
> &rpccli);
> if (!NT_STATUS_IS_OK(status)) {
> DBG_WARNING("cli_rpc_pipe_open_noauth_transport failed: %s\n",
>@@ -416,7 +421,7 @@ static NTSTATUS winexe_svc_install(
> status = dcerpc_svcctl_OpenSCManagerW(
> rpccli->binding_handle,
> frame,
>- smbXcli_conn_remote_name(cli->conn),
>+ remote_name,
> NULL,
> SEC_FLAG_MAXIMUM_ALLOWED,
> &scmanager_handle,
>@@ -717,11 +722,16 @@ static NTSTATUS winexe_svc_uninstall(
> struct SERVICE_STATUS service_status;
> NTSTATUS status;
> WERROR werr;
>+ const char *remote_name = smbXcli_conn_remote_name(cli->conn);
>+ const struct sockaddr_storage *remote_sockaddr =
>+ smbXcli_conn_remote_sockaddr(cli->conn);
>
> status = cli_rpc_pipe_open_noauth_transport(
> cli,
> NCACN_NP,
> &ndr_table_svcctl,
>+ remote_name,
>+ remote_sockaddr,
> &rpccli);
> if (!NT_STATUS_IS_OK(status)) {
> DBG_WARNING("cli_rpc_pipe_open_noauth_transport failed: %s\n",
>@@ -732,7 +742,7 @@ static NTSTATUS winexe_svc_uninstall(
> status = dcerpc_svcctl_OpenSCManagerW(
> rpccli->binding_handle,
> frame,
>- smbXcli_conn_remote_name(cli->conn),
>+ remote_name,
> NULL,
> SEC_FLAG_MAXIMUM_ALLOWED,
> &scmanager_handle,
>diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
>index 175f83d6750..c5a967a64a4 100644
>--- a/source3/rpc_client/cli_netlogon.c
>+++ b/source3/rpc_client/cli_netlogon.c
>@@ -168,6 +168,8 @@ NTSTATUS rpccli_setup_netlogon_creds_locked(
> const struct samr_Password *nt_hashes[2] = { NULL, NULL };
> uint8_t idx_nt_hashes = 0;
> NTSTATUS status;
>+ const char *remote_name = NULL;
>+ const struct sockaddr_storage *remote_sockaddr = NULL;
>
> status = netlogon_creds_cli_get(creds_ctx, frame, &creds);
> if (NT_STATUS_IS_OK(status)) {
>@@ -177,10 +179,16 @@ NTSTATUS rpccli_setup_netlogon_creds_locked(
> action = "overwrite";
> }
>
>+ if (cli != NULL) {
>+ remote_name = smbXcli_conn_remote_name(cli->conn);
>+ } else {
>+ remote_name = "<UNKNOWN>";
>+ }
>+
> DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
> __FUNCTION__, action,
> creds->account_name, creds->computer_name,
>- smbXcli_conn_remote_name(cli->conn)));
>+ remote_name));
> if (!force_reauth) {
> goto done;
> }
>@@ -200,14 +208,19 @@ NTSTATUS rpccli_setup_netlogon_creds_locked(
> num_nt_hashes = 2;
> }
>
>+ remote_name = smbXcli_conn_remote_name(cli->conn);
>+ remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn);
>+
> status = cli_rpc_pipe_open_noauth_transport(cli,
> transport,
> &ndr_table_netlogon,
>+ remote_name,
>+ remote_sockaddr,
> &netlogon_pipe);
> if (!NT_STATUS_IS_OK(status)) {
> DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
> __FUNCTION__,
>- smbXcli_conn_remote_name(cli->conn),
>+ remote_name,
> nt_errstr(status)));
> TALLOC_FREE(frame);
> return status;
>@@ -233,7 +246,7 @@ NTSTATUS rpccli_setup_netlogon_creds_locked(
> DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
> __FUNCTION__,
> creds->account_name, creds->computer_name,
>- smbXcli_conn_remote_name(cli->conn)));
>+ remote_name));
>
> done:
> if (negotiate_flags != NULL) {
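Review bot: `rpccli_setup_netlogon_creds_locked()` in source3/rpc_client/cli_netlogon.c now guards the cached-credentials debug message with `if (cli != NULL)` and falls back to `"<UNKNOWN>"`, but the hunk at `@@ -200,14 +208,19 @@` then calls `smbXcli_conn_remote_name(cli->conn)` and `smbXcli_conn_remote_sockaddr(cli->conn)` with no such check. If `cli` can really be NULL on entry, the path that falls through when `force_reauth` is set dereferences it; if it cannot, the first guard is dead code that suggests otherwise. Either reject the call before opening the pipe, e.g. `if (cli == NULL) { TALLOC_FREE(frame); return NT_STATUS_INVALID_PARAMETER; }`, or drop the guard. The function begins and ends outside these hunks, so a check elsewhere in the body would not be visible here.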
>@@ -293,6 +306,8 @@ NTSTATUS rpccli_connect_netlogon(
> struct rpc_pipe_client *rpccli;
> NTSTATUS status;
> bool retry = false;
>+ const char *remote_name = NULL;
>+ const struct sockaddr_storage *remote_sockaddr = NULL;
>
> sec_chan_type = cli_credentials_get_secure_channel_type(trust_creds);
> if (sec_chan_type == SEC_CHAN_NULL) {
>@@ -411,8 +426,15 @@ again:
> goto fail;
> }
>
>- status = cli_rpc_pipe_open_noauth_transport(
>- cli, transport, &ndr_table_netlogon, &rpccli);
>+ remote_name = smbXcli_conn_remote_name(cli->conn);
>+ remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn);
>+
>+ status = cli_rpc_pipe_open_noauth_transport(cli,
>+ transport,
>+ &ndr_table_netlogon,
>+ remote_name,
>+ remote_sockaddr,
>+ &rpccli);
> if (!NT_STATUS_IS_OK(status)) {
> DBG_DEBUG("cli_rpc_pipe_open_noauth_transport "
> "failed: %s\n", nt_errstr(status));
>diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
>index cce7b3c7b6f..50daf478f3c 100644
>--- a/source3/rpc_client/cli_pipe.c
>+++ b/source3/rpc_client/cli_pipe.c
>@@ -3265,15 +3265,13 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
> NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> enum dcerpc_transport_t transport,
> const struct ndr_interface_table *table,
>+ const char *remote_name,
>+ const struct sockaddr_storage *remote_sockaddr,
> struct rpc_pipe_client **presult)
> {
> struct rpc_pipe_client *result;
> struct pipe_auth_data *auth;
> NTSTATUS status;
>- const char *remote_name = smbXcli_conn_remote_name(cli->conn);
>- const struct sockaddr_storage *remote_sockaddr =
>- smbXcli_conn_remote_sockaddr(cli->conn);
>-
>
> status = cli_rpc_pipe_open(cli,
> transport,
>@@ -3348,8 +3346,15 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> const struct ndr_interface_table *table,
> struct rpc_pipe_client **presult)
> {
>+ const char *remote_name = smbXcli_conn_remote_name(cli->conn);
>+ const struct sockaddr_storage *remote_sockaddr =
>+ smbXcli_conn_remote_sockaddr(cli->conn);
>+
> return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
>- table, presult);
>+ table,
>+ remote_name,
>+ remote_sockaddr,
>+ presult);
> }
>
> /****************************************************************************
>diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
>index d7fed6bed88..20116ee50c0 100644
>--- a/source3/rpc_client/cli_pipe.h
>+++ b/source3/rpc_client/cli_pipe.h
>@@ -70,6 +70,8 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> enum dcerpc_transport_t transport,
> const struct ndr_interface_table *table,
>+ const char *remote_name,
>+ const struct sockaddr_storage *remote_sockaddr,
> struct rpc_pipe_client **presult);
>
> /****************************************************************************
>diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
>index 7c8e1667b6b..8d73339b9e8 100644
>--- a/source3/rpcclient/rpcclient.c
>+++ b/source3/rpcclient/rpcclient.c
>@@ -877,9 +877,45 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> enum dcerpc_transport_t transport;
>
> TALLOC_CTX *mem_ctx = talloc_stackframe();
>+ const char *remote_name = NULL;
>+ const struct sockaddr_storage *remote_sockaddr = NULL;
>+ struct sockaddr_storage remote_ss = {
>+ .ss_family = AF_UNSPEC,
>+ };
>
> transport = dcerpc_binding_get_transport(binding);
>
>+ if (cli != NULL) {
>+ remote_name = smbXcli_conn_remote_name(cli->conn);
>+ remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn);
>+ } else {
>+ const char *remote_host =
>+ dcerpc_binding_get_string_option(binding, "host");
>+ remote_name = dcerpc_binding_get_string_option(
>+ binding, "target_hostname");
>+
>+ if (remote_host != NULL) {
>+ int af = AF_UNSPEC;
>+
>+ if (remote_name == NULL) {
>+ remote_name = dcerpc_binding_get_string_option(
>+ binding, "host");
>+ }
>+
>+ if (is_ipaddress_v4(remote_host)) {
>+ af = AF_INET;
>+ } else if (is_ipaddress_v6(remote_host)) {
>+ af = AF_INET6;
>+ }
>+ if (af != AF_UNSPEC) {
>+ int ok = inet_pton(af, remote_host, &remote_ss);
>+ if (ok) {
>+ remote_sockaddr = &remote_ss;
>+ }
>+ }
>+ }
>+ }
>+
> /* Open pipe */
>
> if ((cmd_entry->table != NULL) && (cmd_entry->rpc_pipe == NULL)) {
>@@ -904,6 +940,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> ntresult = cli_rpc_pipe_open_noauth_transport(
> cli, transport,
> cmd_entry->table,
>+ remote_name,
>+ remote_sockaddr,
> &cmd_entry->rpc_pipe);
> break;
> case DCERPC_AUTH_TYPE_SPNEGO:
>diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
>index 7381495e155..c30da8bb09d 100644
>--- a/source3/winbindd/winbindd_cm.c
>+++ b/source3/winbindd/winbindd_cm.c
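Review bot: In the `cli == NULL` branch added to `do_cmd()` in source3/rpcclient/rpcclient.c, `inet_pton(af, remote_host, &remote_ss)` is handed a `struct sockaddr_storage`, but `inet_pton()` writes a bare `struct in_addr` or `struct in6_addr` to its destination. The address bytes therefore land at the start of `remote_ss`, over `ss_family`, so the structure passed on as `remote_sockaddr` has neither a valid family nor the address in the field a consumer would read. `if (ok)` also treats the -1 error return as success; only 1 means the string was converted. Writing into the family-specific address member and setting the family afterwards addresses both, as in the excerpt below. `remote_name` can still be NULL in this branch when the binding has neither `target_hostname` nor `host`, which the callee (not shown) would have to tolerate; `do_cmd()` starts and ends outside the hunk.

```c
		if (remote_host != NULL) {
			/* … unchanged: remote_name falls back to the "host" option … */

			if (is_ipaddress_v4(remote_host)) {
				struct sockaddr_in *sin =
					(struct sockaddr_in *)&remote_ss;

				/* inet_pton() fills an in_addr, not a sockaddr */
				if (inet_pton(AF_INET, remote_host,
					      &sin->sin_addr) == 1) {
					sin->sin_family = AF_INET;
					remote_sockaddr = &remote_ss;
				}
			} else if (is_ipaddress_v6(remote_host)) {
				struct sockaddr_in6 *sin6 =
					(struct sockaddr_in6 *)&remote_ss;

				if (inet_pton(AF_INET6, remote_host,
					      &sin6->sin6_addr) == 1) {
					sin6->sin6_family = AF_INET6;
					remote_sockaddr = &remote_ss;
				}
			}
		}
```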
>@@ -3070,6 +3070,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
>
> sec_chan_type = cli_credentials_get_secure_channel_type(creds);
> if (sec_chan_type == SEC_CHAN_NULL) {
>+ const char *remote_name =
>+ smbXcli_conn_remote_name(conn->cli->conn);
>+ const struct sockaddr_storage *remote_sockaddr =
>+ smbXcli_conn_remote_sockaddr(conn->cli->conn);
>+
> if (transport == NCACN_IP_TCP) {
> DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL "
> "for %s, deny NCACN_IP_TCP and let the "
>@@ -3086,6 +3091,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
> conn->cli,
> transport,
> &ndr_table_netlogon,
>+ remote_name,
>+ remote_sockaddr,
> &conn->netlogon_pipe);
> if (!NT_STATUS_IS_OK(result)) {
> invalidate_cm_connection(domain);
>--
>2.34.1
>
>
>From 90ba8c39784c0954b28da1d412bdf13acae6b99b Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Wed, 24 Nov 2021 13:21:28 +0100
>Subject: [PATCH 07/10] s3:libsmb: Remove trailing white spaces from
> passchange.c
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit be1520d2058a9430cf370f6fefd07bbddf3fbfe0)
>---
> source3/libsmb/passchange.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
>diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
>index f60e3079975..e62d49d085c 100644
>--- a/source3/libsmb/passchange.c
>+++ b/source3/libsmb/passchange.c
>@@ -1,4 +1,4 @@
>-/*
>+/*
> Unix SMB/CIFS implementation.
> SMB client password change routine
> Copyright (C) Andrew Tridgell 1994-1998
>@@ -79,7 +79,7 @@ NTSTATUS remote_password_change(const char *remote_machine,
>
> if (!NT_STATUS_IS_OK(result)) {
> if (asprintf(err_str, "machine %s rejected the negotiate "
>- "protocol. Error was : %s.\n",
>+ "protocol. Error was : %s.\n",
> remote_machine, nt_errstr(result)) == -1) {
> *err_str = NULL;
> }
>@@ -87,7 +87,7 @@ NTSTATUS remote_password_change(const char *remote_machine,
> return result;
> }
>
>- /* Given things like SMB signing, restrict anonymous and the like,
>+ /* Given things like SMB signing, restrict anonymous and the like,
> try an authenticated connection first */
> result = cli_session_setup_creds(cli, creds);
>
>@@ -120,7 +120,7 @@ NTSTATUS remote_password_change(const char *remote_machine,
>
> if (!NT_STATUS_IS_OK(result)) {
> if (asprintf(err_str, "machine %s rejected the session "
>- "setup. Error was : %s.\n",
>+ "setup. Error was : %s.\n",
> remote_machine, nt_errstr(result)) == -1) {
> *err_str = NULL;
> }
>@@ -196,7 +196,7 @@ NTSTATUS remote_password_change(const char *remote_machine,
> cli_shutdown(cli);
> return NT_STATUS_OK;
>
>- } else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
>+ } else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
> || NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
> /* it failed, but for reasons such as wrong password, too short etc ... */
>
>@@ -227,7 +227,7 @@ NTSTATUS remote_password_change(const char *remote_machine,
> cli_shutdown(cli);
> return NT_STATUS_OK;
> } else {
>- if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
>+ if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
> || NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
> /* it failed, but again it was due to things like new password too short */
>
>--
>2.34.1
>
>
>From dd02e9818ffcacc039a14c85c34d0bc633f8ee3c Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 18 Nov 2021 11:43:08 +0100
>Subject: [PATCH 08/10] s3:rpc_client: Pass remote name and socket to
> cli_rpc_pipe_open_with_creds()
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
>
>Pair-Programmed-With: Andreas Schneider <asn@samba.org>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit c7ead1292852da371ff53fcdbd7ebd4bc1c08fbd)
>---
> source3/libsmb/passchange.c | 4 ++++
> source3/rpc_client/cli_pipe.c | 3 +--
> source3/rpc_client/cli_pipe.h | 1 +
> source3/rpcclient/rpcclient.c | 3 ++-
> source3/utils/net_rpc.c | 1 +
> source3/winbindd/winbindd_cm.c | 16 ++++++++++++++--
> 6 files changed, 23 insertions(+), 5 deletions(-)
>
>diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
>index e62d49d085c..2137c183f0e 100644
>--- a/source3/libsmb/passchange.c
>+++ b/source3/libsmb/passchange.c
>@@ -143,12 +143,16 @@ NTSTATUS remote_password_change(const char *remote_machine,
> /* Try not to give the password away too easily */
>
> if (!pass_must_change) {
>+ const struct sockaddr_storage *remote_sockaddr =
>+ smbXcli_conn_remote_sockaddr(cli->conn);
>+
> result = cli_rpc_pipe_open_with_creds(cli,
> &ndr_table_samr,
> NCACN_NP,
> DCERPC_AUTH_TYPE_NTLMSSP,
> DCERPC_AUTH_LEVEL_PRIVACY,
> remote_machine,
>+ remote_sockaddr,
> creds,
> &pipe_hnd);
> } else {
>diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
>index 50daf478f3c..ffc1df07d97 100644
>--- a/source3/rpc_client/cli_pipe.c
>+++ b/source3/rpc_client/cli_pipe.c
>@@ -3369,6 +3369,7 @@ NTSTATUS cli_rpc_pipe_open_with_creds(struct cli_state *cli,
> enum dcerpc_AuthType auth_type,
> enum dcerpc_AuthLevel auth_level,
> const char *server,
>+ const struct sockaddr_storage *remote_sockaddr,
> struct cli_credentials *creds,
> struct rpc_pipe_client **presult)
> {
>@@ -3376,8 +3377,6 @@ NTSTATUS cli_rpc_pipe_open_with_creds(struct cli_state *cli,
> struct pipe_auth_data *auth = NULL;
> const char *target_service = table->authservices->names[0];
> NTSTATUS status;
>- const struct sockaddr_storage *remote_sockaddr =
>- smbXcli_conn_remote_sockaddr(cli->conn);
>
> status = cli_rpc_pipe_open(cli,
> transport,
>diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
>index 20116ee50c0..4ca9a85b3e5 100644
>--- a/source3/rpc_client/cli_pipe.h
>+++ b/source3/rpc_client/cli_pipe.h
>@@ -86,6 +86,7 @@ NTSTATUS cli_rpc_pipe_open_with_creds(struct cli_state *cli,
> enum dcerpc_AuthType auth_type,
> enum dcerpc_AuthLevel auth_level,
> const char *server,
>+ const struct sockaddr_storage *remote_sockaddr,
> struct cli_credentials *creds,
> struct rpc_pipe_client **presult);
>
>diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
>index 8d73339b9e8..b9861bc8fc0 100644
>--- a/source3/rpcclient/rpcclient.c
>+++ b/source3/rpcclient/rpcclient.c
>@@ -956,7 +956,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> transport,
> auth_type,
> auth_level,
>- smbXcli_conn_remote_name(cli->conn),
>+ remote_name,
>+ remote_sockaddr,
> creds,
> &cmd_entry->rpc_pipe);
> break;
>diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
>index 1306dccd5a6..6902fa75ecc 100644
>--- a/source3/utils/net_rpc.c
>+++ b/source3/utils/net_rpc.c
>@@ -214,6 +214,7 @@ int run_rpc_command(struct net_context *c,
> DCERPC_AUTH_TYPE_NTLMSSP,
> DCERPC_AUTH_LEVEL_PRIVACY,
> smbXcli_conn_remote_name(cli->conn),
>+ smbXcli_conn_remote_sockaddr(cli->conn),
> c->creds, &pipe_hnd);
> } else {
> nt_status = cli_rpc_pipe_open_noauth(
>diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
>index c30da8bb09d..53d3370931a 100644
>--- a/source3/winbindd/winbindd_cm.c
>+++ b/source3/winbindd/winbindd_cm.c
>@@ -2445,6 +2445,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> struct netlogon_creds_cli_context *p_creds;
> struct cli_credentials *creds = NULL;
> bool retry = false; /* allow one retry attempt for expired session */
>+ const char *remote_name = NULL;
>+ const struct sockaddr_storage *remote_sockaddr = NULL;
>
> if (sid_check_is_our_sam(&domain->sid)) {
> if (domain->rodc == false || need_rw_dc == false) {
>@@ -2498,6 +2500,9 @@ retry:
> goto anonymous;
> }
>
>+ remote_name = smbXcli_conn_remote_name(conn->cli->conn);
>+ remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn);
>+
> /*
> * We have an authenticated connection. Use a SPNEGO
> * authenticated SAMR pipe with sign & seal.
>@@ -2507,7 +2512,8 @@ retry:
> NCACN_NP,
> DCERPC_AUTH_TYPE_SPNEGO,
> conn->auth_level,
>- smbXcli_conn_remote_name(conn->cli->conn),
>+ remote_name,
>+ remote_sockaddr,
> creds,
> &conn->samr_pipe);
>
>@@ -2772,6 +2778,8 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> struct netlogon_creds_cli_context *p_creds;
> struct cli_credentials *creds = NULL;
> bool retry = false; /* allow one retry attempt for expired session */
>+ const char *remote_name = NULL;
>+ const struct sockaddr_storage *remote_sockaddr = NULL;
>
> retry:
> result = init_dc_connection_rpc(domain, false);
>@@ -2804,6 +2812,9 @@ retry:
> goto anonymous;
> }
>
>+ remote_name = smbXcli_conn_remote_name(conn->cli->conn);
>+ remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn);
>+
> /*
> * We have an authenticated connection. Use a SPNEGO
> * authenticated LSA pipe with sign & seal.
>@@ -2812,7 +2823,8 @@ retry:
> (conn->cli, &ndr_table_lsarpc, NCACN_NP,
> DCERPC_AUTH_TYPE_SPNEGO,
> conn->auth_level,
>- smbXcli_conn_remote_name(conn->cli->conn),
>+ remote_name,
>+ remote_sockaddr,
> creds,
> &conn->lsa_pipe);
>
>--
>2.34.1
>
>
>From 1301a5ba6ab72403770123705fe3f51fdb7173a2 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Thu, 18 Nov 2021 11:47:26 +0100
>Subject: [PATCH 09/10] s3:rpc_client: Add remote name and socket to
> cli_rpc_pipe_open_bind_schannel()
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
>
>Pair-Programmed-With: Andreas Schneider <asn@samba.org>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 62aa769667464451cda672fc073e52a8e52ae4c1)
>---
> source3/rpc_client/cli_netlogon.c | 25 +++++++++++++++++--------
> source3/rpc_client/cli_pipe.c | 17 ++++++++++++-----
> source3/rpc_client/cli_pipe.h | 4 ++++
> source3/rpc_client/cli_pipe_schannel.c | 5 +++--
> source3/rpcclient/rpcclient.c | 2 ++
> source3/utils/net_rpc.c | 7 +++++++
> 6 files changed, 45 insertions(+), 15 deletions(-)
>
>diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
>index c5a967a64a4..049186e5a51 100644
>--- a/source3/rpc_client/cli_netlogon.c
>+++ b/source3/rpc_client/cli_netlogon.c
>@@ -368,15 +368,22 @@ again:
> }
> }
>
>+ remote_name = smbXcli_conn_remote_name(cli->conn);
>+ remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn);
>+
> do_serverauth = force_reauth || !found_existing_creds;
>
> if (!do_serverauth) {
> /*
> * Do the quick schannel bind without a reauth
> */
>- status = cli_rpc_pipe_open_bind_schannel(
>- cli, &ndr_table_netlogon, transport, creds_ctx,
>- &rpccli);
>+ status = cli_rpc_pipe_open_bind_schannel(cli,
>+ &ndr_table_netlogon,
>+ transport,
>+ creds_ctx,
>+ remote_name,
>+ remote_sockaddr,
>+ &rpccli);
> if (!retry && NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
> DBG_DEBUG("Retrying with serverauthenticate\n");
> TALLOC_FREE(lck);
>@@ -426,9 +433,6 @@ again:
> goto fail;
> }
>
>- remote_name = smbXcli_conn_remote_name(cli->conn);
>- remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn);
>-
> status = cli_rpc_pipe_open_noauth_transport(cli,
> transport,
> &ndr_table_netlogon,
>@@ -443,8 +447,13 @@ again:
> goto done;
> }
>
>- status = cli_rpc_pipe_open_bind_schannel(
>- cli, &ndr_table_netlogon, transport, creds_ctx, &rpccli);
>+ status = cli_rpc_pipe_open_bind_schannel(cli,
>+ &ndr_table_netlogon,
>+ transport,
>+ creds_ctx,
>+ remote_name,
>+ remote_sockaddr,
>+ &rpccli);
> if (!NT_STATUS_IS_OK(status)) {
> DBG_DEBUG("cli_rpc_pipe_open_bind_schannel "
> "failed: %s\n", nt_errstr(status));
>diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
>index ffc1df07d97..81a906db43a 100644
>--- a/source3/rpc_client/cli_pipe.c
>+++ b/source3/rpc_client/cli_pipe.c
>@@ -3425,6 +3425,8 @@ NTSTATUS cli_rpc_pipe_open_bind_schannel(
> const struct ndr_interface_table *table,
> enum dcerpc_transport_t transport,
> struct netlogon_creds_cli_context *netlogon_creds,
>+ const char *remote_name,
>+ const struct sockaddr_storage *remote_sockaddr,
> struct rpc_pipe_client **_rpccli)
> {
> struct rpc_pipe_client *rpccli;
>@@ -3433,9 +3435,6 @@ NTSTATUS cli_rpc_pipe_open_bind_schannel(
> struct cli_credentials *cli_creds;
> enum dcerpc_AuthLevel auth_level;
> NTSTATUS status;
>- const char *remote_name = smbXcli_conn_remote_name(cli->conn);
>- const struct sockaddr_storage *remote_sockaddr =
>- smbXcli_conn_remote_sockaddr(cli->conn);
>
> status = cli_rpc_pipe_open(cli,
> transport,
>@@ -3500,6 +3499,9 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
> struct rpc_pipe_client *rpccli;
> struct netlogon_creds_cli_lck *lck;
> NTSTATUS status;
>+ const char *remote_name = smbXcli_conn_remote_name(cli->conn);
>+ const struct sockaddr_storage *remote_sockaddr =
>+ smbXcli_conn_remote_sockaddr(cli->conn);
>
> status = netlogon_creds_cli_lck(
> netlogon_creds, NETLOGON_CREDS_CLI_LCK_EXCLUSIVE,
>@@ -3511,8 +3513,13 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
> return status;
> }
>
>- status = cli_rpc_pipe_open_bind_schannel(
>- cli, table, transport, netlogon_creds, &rpccli);
>+ status = cli_rpc_pipe_open_bind_schannel(cli,
>+ table,
>+ transport,
>+ netlogon_creds,
>+ remote_name,
>+ remote_sockaddr,
>+ &rpccli);
> if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
> netlogon_creds_cli_delete_lck(netlogon_creds);
> }
>diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
>index 4ca9a85b3e5..cb0757eb954 100644
>--- a/source3/rpc_client/cli_pipe.h
>+++ b/source3/rpc_client/cli_pipe.h
>@@ -95,6 +95,8 @@ NTSTATUS cli_rpc_pipe_open_bind_schannel(
> const struct ndr_interface_table *table,
> enum dcerpc_transport_t transport,
> struct netlogon_creds_cli_context *netlogon_creds,
>+ const char *remote_name,
>+ const struct sockaddr_storage *remote_sockaddr,
> struct rpc_pipe_client **_rpccli);
> NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
> const struct ndr_interface_table *table,
>@@ -107,6 +109,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> const struct ndr_interface_table *table,
> enum dcerpc_transport_t transport,
> const char *domain,
>+ const char *remote_name,
>+ const struct sockaddr_storage *remote_sockaddr,
> struct rpc_pipe_client **presult,
> TALLOC_CTX *mem_ctx,
> struct netlogon_creds_cli_context **pcreds);
>diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
>index 8a8177be2e5..9877ea6c542 100644
>--- a/source3/rpc_client/cli_pipe_schannel.c
>+++ b/source3/rpc_client/cli_pipe_schannel.c
>@@ -42,12 +42,13 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> const struct ndr_interface_table *table,
> enum dcerpc_transport_t transport,
> const char *domain,
>+ const char *remote_name,
>+ const struct sockaddr_storage *remote_sockaddr,
> struct rpc_pipe_client **presult,
> TALLOC_CTX *mem_ctx,
> struct netlogon_creds_cli_context **pcreds)
> {
> TALLOC_CTX *frame = talloc_stackframe();
>- const char *dc_name = smbXcli_conn_remote_name(cli->conn);
> struct rpc_pipe_client *result = NULL;
> NTSTATUS status;
> struct cli_credentials *cli_creds = NULL;
>@@ -63,7 +64,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> }
>
> status = rpccli_create_netlogon_creds_ctx(cli_creds,
>- dc_name,
>+ remote_name,
> msg_ctx,
> frame,
> &netlogon_creds);
>diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
>index b9861bc8fc0..c5edfaf95f6 100644
>--- a/source3/rpcclient/rpcclient.c
>+++ b/source3/rpcclient/rpcclient.c
>@@ -968,6 +968,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> cmd_entry->table,
> transport,
> rpcclient_netlogon_domain,
>+ remote_name,
>+ remote_sockaddr,
> &cmd_entry->rpc_pipe,
> rpcclient_msg_ctx,
> &rpcclient_netlogon_creds);
>diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
>index 6902fa75ecc..279b831f148 100644
>--- a/source3/utils/net_rpc.c
>+++ b/source3/utils/net_rpc.c
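Review bot: In cli_rpc_pipe_open_schannel() (cli_pipe_schannel.c, hunks at -42 and -63) the netlogon credentials context is now created from the caller's `remote_name` instead of `dc_name`, which was always `smbXcli_conn_remote_name(cli->conn)`, and nothing checks the argument. The name presumably selects which server's schannel credentials are looked up or created, so a NULL or a name that does not belong to the server behind `cli` would either fail further down or bind credentials for a different DC than the one being talked to. I would reject the obvious case up front with `if (remote_name == NULL) { TALLOC_FREE(frame); return NT_STATUS_INVALID_PARAMETER; }` before the rpccli_create_netlogon_creds_ctx() call, and document in cli_pipe.h that `remote_name` must be the name of the DC that `cli` is connected to. The function body continues outside both hunks.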
>@@ -194,11 +194,18 @@ int run_rpc_command(struct net_context *c,
> if (lp_client_schannel()
> && (ndr_syntax_id_equal(&table->syntax_id,
> &ndr_table_netlogon.syntax_id))) {
>+ const char *remote_name =
>+ smbXcli_conn_remote_name(cli->conn);
>+ const struct sockaddr_storage *remote_sockaddr =
>+ smbXcli_conn_remote_sockaddr(cli->conn);
>+
> /* Always try and create an schannel netlogon pipe. */
> TALLOC_FREE(c->netlogon_creds);
> nt_status = cli_rpc_pipe_open_schannel(
> cli, c->msg_ctx, table, NCACN_NP,
> domain_name,
>+ remote_name,
>+ remote_sockaddr,
> &pipe_hnd, c, &c->netlogon_creds);
> if (!NT_STATUS_IS_OK(nt_status)) {
> DEBUG(0, ("Could not initialise schannel netlogon pipe. Error was %s\n",
>--
>2.34.1
>
>
>From 9521ee85850973831ae0b82752d976e946296156 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 18 Nov 2021 11:52:18 +0100
>Subject: [PATCH 10/10] s3:rpc_client: Pass remote name and socket to
> cli_rpc_pipe_open_schannel_with_creds()
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767
>
>Pair-Programmed-With: Andreas Schneider <asn@samba.org>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 6bf3a39b11832ad2feb655e29da84f8b5aac298e)
>---
> selftest/knownfail.d/rpcclient_schannel | 2 --
> source3/libnet/libnet_join.c | 29 +++++++++++++++++++------
> source3/rpc_client/cli_pipe.c | 5 ++---
> source3/rpc_client/cli_pipe.h | 2 ++
> source3/rpc_client/cli_pipe_schannel.c | 2 ++
> source3/winbindd/winbindd_cm.c | 22 ++++++++++++++-----
> 6 files changed, 45 insertions(+), 17 deletions(-)
>
>diff --git a/selftest/knownfail.d/rpcclient_schannel b/selftest/knownfail.d/rpcclient_schannel
>index 9881cc3c0cd..5498837ee29 100644
>--- a/selftest/knownfail.d/rpcclient_schannel
>+++ b/selftest/knownfail.d/rpcclient_schannel
>@@ -1,3 +1 @@
> ^samba.blackbox.rpcclient_schannel.ncacn_np.getusername.fips\(ad_member_fips:local\)
>-^samba.blackbox.rpcclient_schannel.ncacn_ip_tcp.lookupsids\(ad_member:local\)
>-^samba.blackbox.rpcclient_schannel.ncacn_ip_tcp.lookupsids\(ad_member_fips:local\)
>diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
>index 025190cb860..02705f1c70c 100644
>--- a/source3/libnet/libnet_join.c
>+++ b/source3/libnet/libnet_join.c
>@@ -1297,11 +1297,18 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
> TALLOC_FREE(creds);
>
> if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
>- status = cli_rpc_pipe_open_schannel_with_creds(cli,
>- &ndr_table_netlogon,
>- NCACN_NP,
>- netlogon_creds,
>- &passwordset_pipe);
>+ const char *remote_name = smbXcli_conn_remote_name(cli->conn);
>+ const struct sockaddr_storage *remote_sockaddr =
>+ smbXcli_conn_remote_sockaddr(cli->conn);
>+
>+ status = cli_rpc_pipe_open_schannel_with_creds(
>+ cli,
>+ &ndr_table_netlogon,
>+ NCACN_NP,
>+ netlogon_creds,
>+ remote_name,
>+ remote_sockaddr,
>+ &passwordset_pipe);
> if (!NT_STATUS_IS_OK(status)) {
> TALLOC_FREE(frame);
> return status;
>@@ -1700,6 +1707,8 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
> uint32_t netlogon_flags = 0;
> NTSTATUS status;
> int flags = CLI_FULL_CONNECTION_IPC;
>+ const char *remote_name = NULL;
>+ const struct sockaddr_storage *remote_sockaddr = NULL;
>
> if (!dc_name) {
> TALLOC_FREE(frame);
>@@ -1800,9 +1809,15 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
> return NT_STATUS_OK;
> }
>
>+ remote_name = smbXcli_conn_remote_name(cli->conn);
>+ remote_sockaddr = smbXcli_conn_remote_sockaddr(cli->conn);
>+
> status = cli_rpc_pipe_open_schannel_with_creds(
> cli, &ndr_table_netlogon, NCACN_NP,
>- netlogon_creds, &netlogon_pipe);
>+ netlogon_creds,
>+ remote_name,
>+ remote_sockaddr,
>+ &netlogon_pipe);
>
> TALLOC_FREE(netlogon_pipe);
>
>@@ -1810,7 +1825,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
> DEBUG(0,("libnet_join_ok: failed to open schannel session "
> "on netlogon pipe to server %s for domain %s. "
> "Error was %s\n",
>- smbXcli_conn_remote_name(cli->conn),
>+ remote_name,
> netbios_domain_name, nt_errstr(status)));
> cli_shutdown(cli);
> TALLOC_FREE(frame);
>diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
>index 81a906db43a..17a0251450a 100644
>--- a/source3/rpc_client/cli_pipe.c
>+++ b/source3/rpc_client/cli_pipe.c
>@@ -3493,15 +3493,14 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
> const struct ndr_interface_table *table,
> enum dcerpc_transport_t transport,
> struct netlogon_creds_cli_context *netlogon_creds,
>+ const char *remote_name,
>+ const struct sockaddr_storage *remote_sockaddr,
> struct rpc_pipe_client **_rpccli)
> {
> TALLOC_CTX *frame = talloc_stackframe();
> struct rpc_pipe_client *rpccli;
> struct netlogon_creds_cli_lck *lck;
> NTSTATUS status;
>- const char *remote_name = smbXcli_conn_remote_name(cli->conn);
>- const struct sockaddr_storage *remote_sockaddr =
>- smbXcli_conn_remote_sockaddr(cli->conn);
>
> status = netlogon_creds_cli_lck(
> netlogon_creds, NETLOGON_CREDS_CLI_LCK_EXCLUSIVE,
>diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
>index cb0757eb954..c5a2c0442db 100644
>--- a/source3/rpc_client/cli_pipe.h
>+++ b/source3/rpc_client/cli_pipe.h
>@@ -102,6 +102,8 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
> const struct ndr_interface_table *table,
> enum dcerpc_transport_t transport,
> struct netlogon_creds_cli_context *netlogon_creds,
>+ const char *remote_name,
>+ const struct sockaddr_storage *remote_sockaddr,
> struct rpc_pipe_client **_rpccli);
>
> NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
>diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
>index 9877ea6c542..c33fc5baa17 100644
>--- a/source3/rpc_client/cli_pipe_schannel.c
>+++ b/source3/rpc_client/cli_pipe_schannel.c
>@@ -95,6 +95,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> status = cli_rpc_pipe_open_schannel_with_creds(cli, table,
> transport,
> netlogon_creds,
>+ remote_name,
>+ remote_sockaddr,
> &result);
> if (!NT_STATUS_IS_OK(status)) {
> TALLOC_FREE(frame);
>diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
>index 53d3370931a..0c4a3cc3593 100644
>--- a/source3/winbindd/winbindd_cm.c
>+++ b/source3/winbindd/winbindd_cm.c
>@@ -2580,6 +2580,8 @@ retry:
> TALLOC_FREE(creds);
> status = cli_rpc_pipe_open_schannel_with_creds(
> conn->cli, &ndr_table_samr, NCACN_NP, p_creds,
>+ remote_name,
>+ remote_sockaddr,
> &conn->samr_pipe);
>
> if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
>@@ -2722,6 +2724,8 @@ static NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> struct winbindd_cm_conn *conn;
> struct netlogon_creds_cli_context *p_creds = NULL;
> NTSTATUS status;
>+ const char *remote_name = NULL;
>+ const struct sockaddr_storage *remote_sockaddr = NULL;
>
> DEBUG(10,("cm_connect_lsa_tcp\n"));
>
>@@ -2748,11 +2752,17 @@ static NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
> goto done;
> }
>
>- status = cli_rpc_pipe_open_schannel_with_creds(conn->cli,
>- &ndr_table_lsarpc,
>- NCACN_IP_TCP,
>- p_creds,
>- &conn->lsa_pipe_tcp);
>+ remote_name = smbXcli_conn_remote_name(conn->cli->conn);
>+ remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn);
>+
>+ status = cli_rpc_pipe_open_schannel_with_creds(
>+ conn->cli,
>+ &ndr_table_lsarpc,
>+ NCACN_IP_TCP,
>+ p_creds,
>+ remote_name,
>+ remote_sockaddr,
>+ &conn->lsa_pipe_tcp);
> if (!NT_STATUS_IS_OK(status)) {
> DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
> nt_errstr(status)));
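Review bot: The schannel call in the winbindd_cm.c hunk at -2580 (cm_connect_sam, and the matching call in cm_connect_lsa in the hunk at -2885) takes `remote_name` and `remote_sockaddr` from function-scope variables that the previous patch in this attachment initialises to NULL and assigns only after the `goto anonymous` check on the SPNEGO path. Both calls sit under `retry:` and the code in between is outside the hunks, so it cannot be confirmed from here that every path to them passes that assignment, or that the values are refreshed once a retry has re-established the connection. If either does not hold, the callee receives NULL or pointers taken from the earlier connection. Fetching the values next to the use, as cm_connect_lsa_tcp() does in this same patch, removes the dependency on control flow: put `remote_name = smbXcli_conn_remote_name(conn->cli->conn);` and `remote_sockaddr = smbXcli_conn_remote_sockaddr(conn->cli->conn);` directly before each schannel call.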
>@@ -2885,6 +2895,8 @@ retry:
> TALLOC_FREE(creds);
> result = cli_rpc_pipe_open_schannel_with_creds(
> conn->cli, &ndr_table_lsarpc, NCACN_NP, p_creds,
>+ remote_name,
>+ remote_sockaddr,
> &conn->lsa_pipe);
>
> if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED)
>--
>2.34.1
>
Flags:
gd
:
review+
asn
:
review?
(
metze
)