The Samba-Bugzilla – Attachment 18262 Details for
Bug 15588
samba-gpupdate: Correctly implement site support
[patch]
patch for 4.20
v4-20-fix-gpupdate-site-support.patch (text/plain), 7.44 KB, created by
Andreas Schneider
on 2024-02-27 06:52:05 UTC
Description:
patch for 4.20
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2024-02-27 06:52:05 UTC
Size:
7.44 KB
>From 1fc87494fda40aaefceeb6b3bab12936cdc8b6b3 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Wed, 21 Feb 2024 08:56:06 +0100
>Subject: [PATCH 1/2] librpc:idl: Make netlogon_samlogon_response public
>
>This is required that we can use it with ndrdump or in python to decode
>a NETLOGON_SAM_LOGON_RESPONSE_EX ldap response.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15588
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Pair-Programmed-With: Guenther Deschner <gd@samba.org>
>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit e758425869729a43136ae51e6baecb2061d1525b)
>---
> librpc/idl/nbt.idl | 2 +-
> librpc/ndr/ndr_nbt.c | 2 +-
> librpc/ndr/ndr_nbt.h | 2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
>
>diff --git a/librpc/idl/nbt.idl b/librpc/idl/nbt.idl
>index 11814e7970e..46be2eae7e2 100644
>--- a/librpc/idl/nbt.idl
>+++ b/librpc/idl/nbt.idl
>@@ -490,7 +490,7 @@ interface nbt
> [case(NETLOGON_NT_VERSION_5EX)] NETLOGON_SAM_LOGON_RESPONSE_EX nt5_ex;
> } netlogon_samlogon_response_union;
>
>- typedef [nopush,nopull] struct {
>+ typedef [nopush,nopull,noprint,public] struct {
> uint32 ntver;
> [switch_is(ntver)] netlogon_samlogon_response_union data;
> } netlogon_samlogon_response;
>diff --git a/librpc/ndr/ndr_nbt.c b/librpc/ndr/ndr_nbt.c
>index eb186810785..6f54198ffbc 100644
>--- a/librpc/ndr/ndr_nbt.c
>+++ b/librpc/ndr/ndr_nbt.c
>@@ -392,7 +392,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_netlogon_samlogon_response(struct ndr_pull *
> return NDR_ERR_SUCCESS;
> }
>
>-_PUBLIC_ void ndr_print_netlogon_samlogon_response(struct ndr_print *ndr, const char *name, struct netlogon_samlogon_response *r)
>+_PUBLIC_ void ndr_print_netlogon_samlogon_response(struct ndr_print *ndr, const char *name, const struct netlogon_samlogon_response *r)
> {
> ndr_print_struct(ndr, name, "netlogon_samlogon_response");
> if (r == NULL) { ndr_print_null(ndr); return; }
>diff --git a/librpc/ndr/ndr_nbt.h b/librpc/ndr/ndr_nbt.h
>index c38422fff6b..00ee8a17364 100644
>--- a/librpc/ndr/ndr_nbt.h
>+++ b/librpc/ndr/ndr_nbt.h
>@@ -37,6 +37,6 @@ enum ndr_err_code ndr_pull_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags(struct ndr_
> uint32_t nt_version_flags);
> enum ndr_err_code ndr_push_netlogon_samlogon_response(struct ndr_push *ndr, ndr_flags_type ndr_flags, const struct netlogon_samlogon_response *r);
> enum ndr_err_code ndr_pull_netlogon_samlogon_response(struct ndr_pull *ndr, ndr_flags_type ndr_flags, struct netlogon_samlogon_response *r);
>-void ndr_print_netlogon_samlogon_response(struct ndr_print *ndr, const char *name, struct netlogon_samlogon_response *r);
>+void ndr_print_netlogon_samlogon_response(struct ndr_print *ndr, const char *name, const struct netlogon_samlogon_response *r);
>
> #endif /* _LIBRPC_NDR_NDR_NBT_H */
>--
>2.43.2
>
>
>From fb07584bbac20e0a4fc9999c2cce88c3221c3524 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Wed, 21 Feb 2024 09:10:47 +0100
>Subject: [PATCH 2/2] python:gp: Implement client site lookup in
> site_dn_for_machine()
>
>This is [MS-GPOL] 3.2.5.1.4 Site Search.
>
>The netr_DsRGetSiteName() needs to run over local rpc, however we do not
>have the call implemented in our rpc_server. What netr_DsRGetSiteName()
>actually does is an ldap query to get the sitename, we can just do the
>same.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15588
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit e4c3c61302b12419f041867b58350f11dc800318)
>---
> python/samba/gp/gpclass.py | 68 +++++++++++++++++++++++++-------------
> 1 file changed, 45 insertions(+), 23 deletions(-)
>
>diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py
>index 26c2386847e..08be472e707 100644
>--- a/python/samba/gp/gpclass.py
>+++ b/python/samba/gp/gpclass.py
>@@ -49,7 +49,7 @@ from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT, GP
> from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
> from samba.dcerpc import security
> import samba.security
>-from samba.dcerpc import netlogon
>+from samba.dcerpc import nbt
> from datetime import datetime
>
>
>@@ -611,12 +611,6 @@ def get_dc_hostname(creds, lp):
> nbt.NBT_SERVER_DS))
> return cldap_ret.pdc_dns_name
>
>-def get_dc_netbios_hostname(creds, lp):
>- net = Net(creds=creds, lp=lp)
>- cldap_ret = net.finddc(domain=lp.get('realm'), flags=(nbt.NBT_SERVER_LDAP |
>- nbt.NBT_SERVER_DS))
>- return cldap_ret.pdc_name
>-
>
> """ Fetch a list of GUIDs for applicable GPOs """
>
>@@ -787,24 +781,52 @@ def merge_with_system_token(token_1):
> # There are no claims in the system token, so it is safe not to merge the claims
> return token_1
>
>+
> def site_dn_for_machine(samdb, dc_hostname, lp, creds, hostname):
> # [MS-GPOL] 3.2.5.1.4 Site Search
>- config_context = samdb.get_config_basedn()
>- try:
>- c = netlogon.netlogon("ncacn_np:%s[seal]" % dc_hostname, lp, creds)
>- site_name = c.netr_DsRGetSiteName(hostname)
>- return 'CN={},CN=Sites,{}'.format(site_name, config_context)
>- except WERRORError:
>- # Fallback to the old method found in ads_site_dn_for_machine
>- nb_hostname = get_dc_netbios_hostname(creds, lp)
>- res = samdb.search(config_context, ldb.SCOPE_SUBTREE,
>- "(cn=%s)" % nb_hostname, ['dn'])
>- if res.count != 1:
>- raise ldb.LdbError(ldb.ERR_NO_SUCH_OBJECT,
>- 'site_dn_for_machine: no result')
>- dn = res.msgs[0]['dn']
>- site_dn = dn.parent().parent()
>- return site_dn
>+
>+ # The netr_DsRGetSiteName() needs to run over local rpc, however we do not
>+ # have the call implemented in our rpc_server.
>+ # What netr_DsRGetSiteName() actually does is an ldap query to get
>+ # the sitename, we can do the same.
>+
>+ # NtVer=(NETLOGON_NT_VERSION_IP|NETLOGON_NT_VERSION_WITH_CLOSEST_SITE|
>+ # NETLOGON_NT_VERSION_5EX) [0x20000014]
>+ expr = "(&(DnsDomain=%s.)(User=%s)(NtVer=\\14\\00\\00\\20))" % (
>+ samdb.domain_dns_name(),
>+ hostname)
>+ res = samdb.search(
>+ base='',
>+ scope=ldb.SCOPE_BASE,
>+ expression=expr,
>+ attrs=["Netlogon"])
>+ if res.count != 1:
>+ raise RuntimeError('site_dn_for_machine: No result')
>+
>+ samlogon_response = ndr_unpack(nbt.netlogon_samlogon_response,
>+ bytes(res.msgs[0]['Netlogon'][0]))
>+ if samlogon_response.ntver not in [nbt.NETLOGON_NT_VERSION_5EX,
>+ (nbt.NETLOGON_NT_VERSION_1
>+ | nbt.NETLOGON_NT_VERSION_5EX)]:
>+ raise RuntimeError('site_dn_for_machine: Invalid NtVer in '
>+ + 'netlogon_samlogon_response')
>+
>+ # We want NETLOGON_NT_VERSION_5EX out of the union!
>+ samlogon_response.ntver = nbt.NETLOGON_NT_VERSION_5EX
>+ samlogon_response_ex = samlogon_response.data
>+
>+ client_site = "Default-First-Site-Name"
>+ if (samlogon_response_ex.client_site
>+ and len(samlogon_response_ex.client_site) > 1):
>+ client_site = samlogon_response_ex.client_site
>+
>+ site_dn = samdb.get_config_basedn()
>+ site_dn.add_child("CN=Sites")
>+ site_dn.add_child("CN=%s" % (client_site))
>+
>+ return site_dn
>+
>+
>
> def get_gpo_list(dc_hostname, creds, lp, username):
> """Get the full list of GROUP_POLICY_OBJECTs for a given username.
>--
>2.43.2
>
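Review bot: The new search filter in site_dn_for_machine() interpolates `hostname` and `samdb.domain_dns_name()` into `expr` with plain `%s`, so a value containing filter metacharacters such as `(`, `)`, `*` or `\` would alter the query instead of being matched literally. Encoding the values before formatting, e.g. `ldb.binary_encode(hostname)`, keeps the filter well-formed whatever the caller passes. On the response side, `client_site` comes from the decoded server reply and is placed into `"CN=%s"` without DN escaping or a character check, and the `len(...) > 1` test drops a one-character site name in favour of the default, which may have been intended as `> 0`. The failure paths now raise RuntimeError where the removed code raised ldb.LdbError, so callers outside this hunk that catch LdbError are worth checking.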
Flags:
ab
:
review+