The Samba-Bugzilla – Attachment 4788 Details for
Bug 6711
trusts to windows 2008 (2008 r2) not working
[patch]
revised version of that patch for 3.3
patch-3-3-test (text/plain), 54.01 KB, created by
Guenther Deschner
on 2009-10-06 04:18:40 UTC
Description:
revised version of that patch for 3.3
Filename:
MIME Type:
Creator:
Guenther Deschner
Created:
2009-10-06 04:18:40 UTC
Size:
54.01 KB
patch
obsolete
>From 2de6809325112b5f705b10371530489f8d3cd46e Mon Sep 17 00:00:00 2001
>From: =?utf-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Tue, 4 Nov 2008 18:40:24 +0100
>Subject: [PATCH 01/12] s3-rpc_client: add cli_rpc_pipe_open_noauth_transport.
>
>Guenther
>(cherry picked from commit 87f61a144b8d25c90b847940ca03ced1f77b036c)
>---
> source/include/proto.h | 4 ++++
> source/rpc_client/cli_pipe.c | 40 ++++++++++++++++++++++++++--------------
> 2 files changed, 30 insertions(+), 14 deletions(-)
>
>diff --git a/source/include/proto.h b/source/include/proto.h
>index ec8637b..42fb7aa 100644
>--- a/source/include/proto.h
>+++ b/source/include/proto.h
>@@ -6988,6 +6988,10 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
> NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> const struct ndr_syntax_id *interface,
> struct rpc_pipe_client **presult);
>+NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
>+ enum dcerpc_transport_t transport,
>+ const struct ndr_syntax_id *interface,
>+ struct rpc_pipe_client **presult);
> NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
> const struct ndr_syntax_id *interface,
> enum pipe_auth_level auth_level,
>diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c
>index 2e2767b..507ada3 100644
>--- a/source/rpc_client/cli_pipe.c
>+++ b/source/rpc_client/cli_pipe.c
>@@ -2931,34 +2931,35 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
> ****************************************************************************/
>
> static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
>+ enum dcerpc_transport_t transport,
> const struct ndr_syntax_id *interface,
> struct rpc_pipe_client **presult)
> {
>- if (ndr_syntax_id_equal(interface, &ndr_table_drsuapi.syntax_id)) {
>- /*
>- * We should have a better way to figure out this drsuapi
>- * speciality...
>- */
>+ switch (transport) {
>+ case NCACN_IP_TCP:
> return rpc_pipe_open_tcp(NULL, cli->desthost, interface,
> presult);
>+ case NCACN_NP:
>+ return rpc_pipe_open_np(cli, interface, presult);
>+ default:
>+ return NT_STATUS_NOT_IMPLEMENTED;
> }
>-
>- return rpc_pipe_open_np(cli, interface, presult);
> }
>
> /****************************************************************************
> Open a named pipe to an SMB server and bind anonymously.
> ****************************************************************************/
>
>-NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
>- const struct ndr_syntax_id *interface,
>- struct rpc_pipe_client **presult)
>+NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
>+ enum dcerpc_transport_t transport,
>+ const struct ndr_syntax_id *interface,
>+ struct rpc_pipe_client **presult)
> {
> struct rpc_pipe_client *result;
> struct cli_pipe_auth_data *auth;
> NTSTATUS status;
>
>- status = cli_rpc_pipe_open(cli, interface, &result);
>+ status = cli_rpc_pipe_open(cli, transport, interface, &result);
> if (!NT_STATUS_IS_OK(status)) {
> return status;
> }
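Review bot: The banner kept above `cli_rpc_pipe_open_noauth_transport` still reads "Open a named pipe to an SMB server and bind anonymously", which is no longer accurate once `transport` can be `NCACN_IP_TCP`. In that case `cli_rpc_pipe_open` calls `rpc_pipe_open_tcp(NULL, cli->desthost, interface, presult)`, which receives only the host name and not `cli`, so the RPC traffic presumably runs on a separate connection that any signing negotiated on the SMB session does not cover, and this function then binds without authentication. I would reword the banner to `Open an RPC pipe over the given transport and bind anonymously. With NCACN_IP_TCP the SMB session in cli is not used.` so callers know nothing protects the TCP case. The body of `cli_rpc_pipe_open_noauth_transport` continues past the end of this hunk.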
>@@ -3015,6 +3016,17 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
> }
>
> /****************************************************************************
>+ ****************************************************************************/
>+
>+NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
>+ const struct ndr_syntax_id *interface,
>+ struct rpc_pipe_client **presult)
>+{
>+ return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
>+ interface, presult);
>+}
>+
>+/****************************************************************************
> Open a named pipe to an SMB server and bind using NTLMSSP or SPNEGO NTLMSSP
> ****************************************************************************/
>
>@@ -3031,7 +3043,7 @@ static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli,
> struct cli_pipe_auth_data *auth;
> NTSTATUS status;
>
>- status = cli_rpc_pipe_open(cli, interface, &result);
>+ status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result);
> if (!NT_STATUS_IS_OK(status)) {
> return status;
> }
>@@ -3210,7 +3222,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> struct cli_pipe_auth_data *auth;
> NTSTATUS status;
>
>- status = cli_rpc_pipe_open(cli, interface, &result);
>+ status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result);
> if (!NT_STATUS_IS_OK(status)) {
> return status;
> }
>@@ -3386,7 +3398,7 @@ NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
> struct cli_pipe_auth_data *auth;
> NTSTATUS status;
>
>- status = cli_rpc_pipe_open(cli, interface, &result);
>+ status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result);
> if (!NT_STATUS_IS_OK(status)) {
> return status;
> }
>--
>1.6.2.5
>
>
>From 9f6cdb60a48f99ae851a08c09e7db717a900e65b Mon Sep 17 00:00:00 2001
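Review bot: The banner that ends up above the new `cli_rpc_pipe_open_noauth` wrapper in the `@@ -3015` hunk is empty: the added ` ****/` line closes the comment opened by the context line before any text. Since this wrapper is what pins existing callers to `NCACN_NP`, the banner should say so, for example `Open a named pipe (ncacn_np) to an SMB server and bind anonymously.` The other hunks on this line only add the `NCACN_NP` argument and need no comment.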
>From: =?utf-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Mon, 5 Oct 2009 17:41:06 +0200
>Subject: [PATCH 02/12] s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_spnego_ntlmssp and cli_rpc_pipe_open_ntlmssp.
>
>Guenther
>---
> source/include/proto.h | 2 ++
> source/libsmb/passchange.c | 1 +
> source/rpc_client/cli_pipe.c | 10 ++++++++--
> source/rpcclient/rpcclient.c | 2 ++
> source/utils/net.h | 1 +
> source/utils/net_rpc.c | 2 ++
> source/utils/net_rpc_samsync.c | 2 +-
> source/winbindd/winbindd_cm.c | 3 ++-
> 8 files changed, 19 insertions(+), 4 deletions(-)
>
>diff --git a/source/include/proto.h b/source/include/proto.h
>index 42fb7aa..b8a4eda 100644
>--- a/source/include/proto.h
>+++ b/source/include/proto.h
>@@ -6994,6 +6994,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
> struct rpc_pipe_client **presult);
> NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
> const struct ndr_syntax_id *interface,
>+ enum dcerpc_transport_t transport,
> enum pipe_auth_level auth_level,
> const char *domain,
> const char *username,
>@@ -7001,6 +7002,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
> struct rpc_pipe_client **presult);
> NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
> const struct ndr_syntax_id *interface,
>+ enum dcerpc_transport_t transport,
> enum pipe_auth_level auth_level,
> const char *domain,
> const char *username,
>diff --git a/source/libsmb/passchange.c b/source/libsmb/passchange.c
>index 299d98d..e202d19 100644
>--- a/source/libsmb/passchange.c
>+++ b/source/libsmb/passchange.c
>@@ -152,6 +152,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
> if (!pass_must_change) {
> result = cli_rpc_pipe_open_ntlmssp(cli,
> &ndr_table_samr.syntax_id,
>+ NCACN_NP,
> PIPE_AUTH_LEVEL_PRIVACY,
> "", /* what domain... ? */
> user_name,
>diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c
>index 507ada3..04bb87f 100644
>--- a/source/rpc_client/cli_pipe.c
>+++ b/source/rpc_client/cli_pipe.c
>@@ -3032,6 +3032,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
>
> static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli,
> const struct ndr_syntax_id *interface,
>+ enum dcerpc_transport_t transport,
> enum pipe_auth_type auth_type,
> enum pipe_auth_level auth_level,
> const char *domain,
>@@ -3043,7 +3044,7 @@ static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli,
> struct cli_pipe_auth_data *auth;
> NTSTATUS status;
>
>- status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result);
>+ status = cli_rpc_pipe_open(cli, transport, interface, &result);
> if (!NT_STATUS_IS_OK(status)) {
> return status;
> }
>@@ -3085,6 +3086,7 @@ static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli,
>
> NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
> const struct ndr_syntax_id *interface,
>+ enum dcerpc_transport_t transport,
> enum pipe_auth_level auth_level,
> const char *domain,
> const char *username,
>@@ -3093,6 +3095,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
> {
> return cli_rpc_pipe_open_ntlmssp_internal(cli,
> interface,
>+ transport,
> PIPE_AUTH_TYPE_NTLMSSP,
> auth_level,
> domain,
>@@ -3108,6 +3111,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
>
> NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
> const struct ndr_syntax_id *interface,
>+ enum dcerpc_transport_t transport,
> enum pipe_auth_level auth_level,
> const char *domain,
> const char *username,
>@@ -3116,6 +3120,7 @@ NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
> {
> return cli_rpc_pipe_open_ntlmssp_internal(cli,
> interface,
>+ transport,
> PIPE_AUTH_TYPE_SPNEGO_NTLMSSP,
> auth_level,
> domain,
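Review bot: Nothing in these hunks relates the new `transport` argument to `auth_level`: `cli_rpc_pipe_open_ntlmssp_internal` (hunk `@@ -3043`) passes whatever the caller chose straight to `cli_rpc_pipe_open`. Over `NCACN_IP_TCP` the DCERPC auth level looks like the only protection for the traffic, so a caller asking for a level without signing would get an unprotected channel. Every caller visible in this series passes `NCACN_NP`, and the one `NCACN_IP_TCP` caller (`run_rpc_command`) passes `PIPE_AUTH_LEVEL_PRIVACY`, so this concerns future callers. I would document it on the two public functions, e.g. `transport: NCACN_NP or NCACN_IP_TCP; with NCACN_IP_TCP pass PIPE_AUTH_LEVEL_INTEGRITY or PIPE_AUTH_LEVEL_PRIVACY`, and update their banners, which still describe a named pipe. The function bodies start and end outside these hunks.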
>@@ -3282,7 +3287,8 @@ static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
> NTSTATUS status;
>
> status = cli_rpc_pipe_open_spnego_ntlmssp(
>- cli, &ndr_table_netlogon.syntax_id, PIPE_AUTH_LEVEL_PRIVACY,
>+ cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
>+ PIPE_AUTH_LEVEL_PRIVACY,
> domain, username, password, &netlogon_pipe);
> if (!NT_STATUS_IS_OK(status)) {
> return status;
>diff --git a/source/rpcclient/rpcclient.c b/source/rpcclient/rpcclient.c
>index 421c681..0db9a79 100644
>--- a/source/rpcclient/rpcclient.c
>+++ b/source/rpcclient/rpcclient.c
>@@ -587,6 +587,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
> ntresult = cli_rpc_pipe_open_spnego_ntlmssp(
> cli, cmd_entry->interface,
>+ NCACN_NP,
> pipe_default_auth_level,
> lp_workgroup(),
> get_cmdline_auth_info_username(),
>@@ -596,6 +597,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> case PIPE_AUTH_TYPE_NTLMSSP:
> ntresult = cli_rpc_pipe_open_ntlmssp(
> cli, cmd_entry->interface,
>+ NCACN_NP,
> pipe_default_auth_level,
> lp_workgroup(),
> get_cmdline_auth_info_username(),
>diff --git a/source/utils/net.h b/source/utils/net.h
>index d88f962..86e8b1c 100644
>--- a/source/utils/net.h
>+++ b/source/utils/net.h
>@@ -157,6 +157,7 @@ enum netdom_domain_t { ND_TYPE_NT4, ND_TYPE_AD };
> #define NET_FLAGS_NO_PIPE 0x00000020 /* don't open an RPC pipe */
> #define NET_FLAGS_SIGN 0x00000040 /* sign RPC connection */
> #define NET_FLAGS_SEAL 0x00000080 /* seal RPC connection */
>+#define NET_FLAGS_TCP 0x00000100 /* use ncacn_ip_tcp */
>
> /* net share operation modes */
> #define NET_MODE_SHARE_MIGRATE 1
>diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c
>index 74a610e..220c825 100644
>--- a/source/utils/net_rpc.c
>+++ b/source/utils/net_rpc.c
>@@ -169,6 +169,8 @@ int run_rpc_command(struct net_context *c,
> if (conn_flags & NET_FLAGS_SEAL) {
> nt_status = cli_rpc_pipe_open_ntlmssp(
> cli, interface,
>+ (conn_flags & NET_FLAGS_TCP) ?
>+ NCACN_IP_TCP : NCACN_NP,
> PIPE_AUTH_LEVEL_PRIVACY,
> lp_workgroup(), c->opt_user_name,
> c->opt_password, &pipe_hnd);
>diff --git a/source/utils/net_rpc_samsync.c b/source/utils/net_rpc_samsync.c
>index 6b23db7..e4013ce 100644
>--- a/source/utils/net_rpc_samsync.c
>+++ b/source/utils/net_rpc_samsync.c
>@@ -502,7 +502,7 @@ int rpc_vampire_keytab(struct net_context *c, int argc, const char **argv)
> rpc_vampire_keytab_internals, argc, argv);
> } else {
> ret = run_rpc_command(c, cli, &ndr_table_drsuapi.syntax_id,
>- NET_FLAGS_SEAL,
>+ NET_FLAGS_SEAL | NET_FLAGS_TCP,
> rpc_vampire_keytab_ds_internals, argc, argv);
> }
>
>diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
>index 0c53112..8bbe861 100644
>--- a/source/winbindd/winbindd_cm.c
>+++ b/source/winbindd/winbindd_cm.c
>@@ -2038,6 +2038,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> authenticated SAMR pipe with sign & seal. */
> result = cli_rpc_pipe_open_spnego_ntlmssp(conn->cli,
> &ndr_table_samr.syntax_id,
>+ NCACN_NP,
> PIPE_AUTH_LEVEL_PRIVACY,
> domain_name,
> machine_account,
>@@ -2178,7 +2179,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> /* We have an authenticated connection. Use a NTLMSSP SPNEGO
> * authenticated LSA pipe with sign & seal. */
> result = cli_rpc_pipe_open_spnego_ntlmssp
>- (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
> PIPE_AUTH_LEVEL_PRIVACY,
> conn->cli->domain, conn->cli->user_name, conn_pwd,
> &conn->lsa_pipe);
>--
>1.6.2.5
>
>
>From 66588e1319b3c04b166d868687d2fe71625ddcf6 Mon Sep 17 00:00:00 2001
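Review bot: `NET_FLAGS_TCP` is consulted only inside the `NET_FLAGS_SEAL` branch of `run_rpc_command` (hunk `@@ -169`), so a caller that sets it without `NET_FLAGS_SEAL` would, as far as this hunk shows, silently get a named pipe; the other branches of the function lie outside the hunk. Limiting TCP to the sealed NTLMSSP path is a sound choice, because that path always asks for `PIPE_AUTH_LEVEL_PRIVACY`, but the restriction should be written down where the flag is defined. I would change the comment in net.h to `/* use ncacn_ip_tcp (only honoured with NET_FLAGS_SEAL) */`.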
>From: =?utf-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 10 Sep 2009 22:23:21 +0200
>Subject: [PATCH 03/12] s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_schannel().
>
>Guenther
>(cherry picked from commit bea8e5fa6038d5abd2ec1e12f9005c4a04abb79f)
>---
> source/auth/auth_domain.c | 2 +-
> source/include/proto.h | 3 +++
> source/libnet/libnet_join.c | 3 ++-
> source/rpc_client/cli_pipe.c | 9 ++++++---
> source/rpcclient/rpcclient.c | 1 +
> source/utils/net_rpc.c | 2 +-
> source/utils/net_rpc_join.c | 5 +++--
> source/winbindd/winbindd_cm.c | 7 ++++---
> 8 files changed, 21 insertions(+), 11 deletions(-)
>
>diff --git a/source/auth/auth_domain.c b/source/auth/auth_domain.c
>index f11dbe6..45150ab 100644
>--- a/source/auth/auth_domain.c
>+++ b/source/auth/auth_domain.c
>@@ -175,7 +175,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
> if (lp_client_schannel()) {
> /* We also setup the creds chain in the open_schannel call. */
> result = cli_rpc_pipe_open_schannel(
>- *cli, &ndr_table_netlogon.syntax_id,
>+ *cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> PIPE_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
> } else {
> result = cli_rpc_pipe_open_noauth(
>diff --git a/source/include/proto.h b/source/include/proto.h
>index b8a4eda..312b130 100644
>--- a/source/include/proto.h
>+++ b/source/include/proto.h
>@@ -7014,12 +7014,14 @@ NTSTATUS get_schannel_session_key(struct cli_state *cli,
> struct rpc_pipe_client **presult);
> NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> const struct ndr_syntax_id *interface,
>+ enum dcerpc_transport_t transport,
> enum pipe_auth_level auth_level,
> const char *domain,
> const struct dcinfo *pdc,
> struct rpc_pipe_client **presult);
> NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> const struct ndr_syntax_id *interface,
>+ enum dcerpc_transport_t transport,
> enum pipe_auth_level auth_level,
> const char *domain,
> const char *username,
>@@ -7027,6 +7029,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> struct rpc_pipe_client **presult);
> NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> const struct ndr_syntax_id *interface,
>+ enum dcerpc_transport_t transport,
> enum pipe_auth_level auth_level,
> const char *domain,
> struct rpc_pipe_client **presult);
>diff --git a/source/libnet/libnet_join.c b/source/libnet/libnet_join.c
>index 9029d61..915c66b 100644
>--- a/source/libnet/libnet_join.c
>+++ b/source/libnet/libnet_join.c
>@@ -1070,7 +1070,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
> }
>
> status = cli_rpc_pipe_open_schannel_with_key(
>- cli, &ndr_table_netlogon.syntax_id, PIPE_AUTH_LEVEL_PRIVACY,
>+ cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
>+ PIPE_AUTH_LEVEL_PRIVACY,
> netbios_domain_name, netlogon_pipe->dc, &pipe_hnd);
>
> cli_shutdown(cli);
>diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c
>index 04bb87f..8049d06 100644
>--- a/source/rpc_client/cli_pipe.c
>+++ b/source/rpc_client/cli_pipe.c
>@@ -3218,6 +3218,7 @@ NTSTATUS get_schannel_session_key(struct cli_state *cli,
>
> NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> const struct ndr_syntax_id *interface,
>+ enum dcerpc_transport_t transport,
> enum pipe_auth_level auth_level,
> const char *domain,
> const struct dcinfo *pdc,
>@@ -3227,7 +3228,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
> struct cli_pipe_auth_data *auth;
> NTSTATUS status;
>
>- status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result);
>+ status = cli_rpc_pipe_open(cli, transport, interface, &result);
> if (!NT_STATUS_IS_OK(status)) {
> return status;
> }
>@@ -3313,6 +3314,7 @@ static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
>
> NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> const struct ndr_syntax_id *interface,
>+ enum dcerpc_transport_t transport,
> enum pipe_auth_level auth_level,
> const char *domain,
> const char *username,
>@@ -3334,7 +3336,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
> }
>
> status = cli_rpc_pipe_open_schannel_with_key(
>- cli, interface, auth_level, domain, netlogon_pipe->dc,
>+ cli, interface, transport, auth_level, domain, netlogon_pipe->dc,
> &result);
>
> /* Now we've bound using the session key we can close the netlog pipe. */
>@@ -3353,6 +3355,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
>
> NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> const struct ndr_syntax_id *interface,
>+ enum dcerpc_transport_t transport,
> enum pipe_auth_level auth_level,
> const char *domain,
> struct rpc_pipe_client **presult)
>@@ -3372,7 +3375,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
> }
>
> status = cli_rpc_pipe_open_schannel_with_key(
>- cli, interface, auth_level, domain, netlogon_pipe->dc,
>+ cli, interface, transport, auth_level, domain, netlogon_pipe->dc,
> &result);
>
> /* Now we've bound using the session key we can close the netlog pipe. */
>diff --git a/source/rpcclient/rpcclient.c b/source/rpcclient/rpcclient.c
>index 0db9a79..780ad71 100644
>--- a/source/rpcclient/rpcclient.c
>+++ b/source/rpcclient/rpcclient.c
>@@ -607,6 +607,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
> case PIPE_AUTH_TYPE_SCHANNEL:
> ntresult = cli_rpc_pipe_open_schannel(
> cli, cmd_entry->interface,
>+ NCACN_NP,
> pipe_default_auth_level,
> lp_workgroup(),
> &cmd_entry->rpc_pipe);
>diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c
>index 220c825..60de1cb 100644
>--- a/source/utils/net_rpc.c
>+++ b/source/utils/net_rpc.c
>@@ -157,7 +157,7 @@ int run_rpc_command(struct net_context *c,
> &ndr_table_netlogon.syntax_id))) {
> /* Always try and create an schannel netlogon pipe. */
> nt_status = cli_rpc_pipe_open_schannel(
>- cli, interface,
>+ cli, interface, NCACN_NP,
> PIPE_AUTH_LEVEL_PRIVACY, domain_name,
> &pipe_hnd);
> if (!NT_STATUS_IS_OK(nt_status)) {
>diff --git a/source/utils/net_rpc_join.c b/source/utils/net_rpc_join.c
>index e663cc8..0198ff6 100644
>--- a/source/utils/net_rpc_join.c
>+++ b/source/utils/net_rpc_join.c
>@@ -100,7 +100,8 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
> }
>
> ntret = cli_rpc_pipe_open_schannel_with_key(
>- cli, &ndr_table_netlogon.syntax_id, PIPE_AUTH_LEVEL_PRIVACY,
>+ cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
>+ PIPE_AUTH_LEVEL_PRIVACY,
> domain, netlogon_pipe->dc, &pipe_hnd);
>
> if (!NT_STATUS_IS_OK(ntret)) {
>@@ -419,7 +420,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
> struct rpc_pipe_client *netlogon_schannel_pipe;
>
> result = cli_rpc_pipe_open_schannel_with_key(
>- cli, &ndr_table_netlogon.syntax_id,
>+ cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> PIPE_AUTH_LEVEL_PRIVACY, domain, pipe_hnd->dc,
> &netlogon_schannel_pipe);
>
>diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
>index 8bbe861..176104a 100644
>--- a/source/winbindd/winbindd_cm.c
>+++ b/source/winbindd/winbindd_cm.c
>@@ -2082,7 +2082,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> goto anonymous;
> }
> result = cli_rpc_pipe_open_schannel_with_key
>- (conn->cli, &ndr_table_samr.syntax_id, PIPE_AUTH_LEVEL_PRIVACY,
>+ (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP,
>+ PIPE_AUTH_LEVEL_PRIVACY,
> domain->name, p_dcinfo, &conn->samr_pipe);
>
> if (!NT_STATUS_IS_OK(result)) {
>@@ -2220,7 +2221,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> goto anonymous;
> }
> result = cli_rpc_pipe_open_schannel_with_key
>- (conn->cli, &ndr_table_lsarpc.syntax_id,
>+ (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
> PIPE_AUTH_LEVEL_PRIVACY,
> domain->name, p_dcinfo, &conn->lsa_pipe);
>
>@@ -2367,7 +2368,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> */
>
> result = cli_rpc_pipe_open_schannel_with_key(
>- conn->cli, &ndr_table_netlogon.syntax_id,
>+ conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
> PIPE_AUTH_LEVEL_PRIVACY, domain->name, netlogon_pipe->dc,
> &conn->netlogon_pipe);
>
>--
>1.6.2.5
>
>
>From 1ff9d8ace453ce886b48bb08c6f7a7e4f6653676 Mon Sep 17 00:00:00 2001
>From: =?utf-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 17 Sep 2009 07:59:25 +0200
>Subject: [PATCH 04/12] s3-winbindd: add and use winbindd_lookup_sids().
>
>Guenther
>(cherry picked from commit f0b52b8c3133e3696db361d9d0e7d1fff0fab991)
>---
> source/winbindd/winbindd_ads.c | 64 +++++-------------------
> source/winbindd/winbindd_proto.h | 9 +++
> source/winbindd/winbindd_rpc.c | 101 ++++++++++++++++++++-----------------
> 3 files changed, 78 insertions(+), 96 deletions(-)
>
>diff --git a/source/winbindd/winbindd_ads.c b/source/winbindd/winbindd_ads.c
>index 3c45f57..7981ebc 100644
>--- a/source/winbindd/winbindd_ads.c
>+++ b/source/winbindd/winbindd_ads.c
>@@ -977,8 +977,6 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
> int i;
> size_t num_members = 0;
> ads_control args;
>- struct rpc_pipe_client *cli;
>- POLICY_HND lsa_policy;
> DOM_SID *sid_mem_nocache = NULL;
> char **names_nocache = NULL;
> enum lsa_SidType *name_types_nocache = NULL;
>@@ -1122,31 +1120,14 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
>
> /* handle sids not resolved from cache by lsa_lookup_sids */
> if (num_nocache > 0) {
>- unsigned int orig_timeout;
>
>- status = cm_connect_lsa(domain, tmp_ctx, &cli, &lsa_policy);
>-
>- if (!NT_STATUS_IS_OK(status)) {
>- goto done;
>- }
>-
>- /*
>- * This call can take a long time
>- * allow the server to time out.
>- * 35 seconds should do it.
>- */
>- orig_timeout = rpccli_set_timeout(cli, 35000);
>-
>- status = rpccli_lsa_lookup_sids(cli, tmp_ctx,
>- &lsa_policy,
>- num_nocache,
>- sid_mem_nocache,
>- &domains_nocache,
>- &names_nocache,
>- &name_types_nocache);
>-
>- /* And restore our original timeout. */
>- rpccli_set_timeout(cli, orig_timeout);
>+ status = winbindd_lookup_sids(tmp_ctx,
>+ domain,
>+ num_nocache,
>+ sid_mem_nocache,
>+ &domains_nocache,
>+ &names_nocache,
>+ &name_types_nocache);
>
> if (!(NT_STATUS_IS_OK(status) ||
> NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
>@@ -1155,30 +1136,13 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
> DEBUG(1, ("lsa_lookupsids call failed with %s "
> "- retrying...\n", nt_errstr(status)));
>
>- status = cm_connect_lsa(domain, tmp_ctx, &cli,
>- &lsa_policy);
>-
>- if (!NT_STATUS_IS_OK(status)) {
>- goto done;
>- }
>-
>- /*
>- * This call can take a long time
>- * allow the server to time out.
>- * 35 seconds should do it.
>- */
>- orig_timeout = rpccli_set_timeout(cli, 35000);
>-
>- status = rpccli_lsa_lookup_sids(cli, tmp_ctx,
>- &lsa_policy,
>- num_nocache,
>- sid_mem_nocache,
>- &domains_nocache,
>- &names_nocache,
>- &name_types_nocache);
>-
>- /* And restore our original timeout. */
>- rpccli_set_timeout(cli, orig_timeout);
>+ status = winbindd_lookup_sids(tmp_ctx,
>+ domain,
>+ num_nocache,
>+ sid_mem_nocache,
>+ &domains_nocache,
>+ &names_nocache,
>+ &name_types_nocache);
> }
>
> if (NT_STATUS_IS_OK(status) ||
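Review bot: A failed `cm_connect_lsa` in `lookup_groupmem` is no longer handled separately: both removed call sites did `goto done` on a connect error, whereas the error now comes back from `winbindd_lookup_sids` as an ordinary status, is logged as "lsa_lookupsids call failed ... retrying" and causes a second connect attempt. What happens when that attempt fails too depends on the code after the `@@ -1155` hunk, which lies outside it. If the change is intended, a comment on the retry such as `/* winbindd_lookup_sids() connects internally, so this also retries a failed cm_connect_lsa() */` would record it; if not, the caller currently has no way to tell a connect failure from a lookup failure.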
>diff --git a/source/winbindd/winbindd_proto.h b/source/winbindd/winbindd_proto.h
>index 3909d16..84091c4 100644
>--- a/source/winbindd/winbindd_proto.h
>+++ b/source/winbindd/winbindd_proto.h
>@@ -73,6 +73,15 @@ int main(int argc, char **argv, char **envp);
>
> /* The following definitions come from winbindd/winbindd_ads.c */
>
>+/* The following definitions come from winbindd/winbindd_rpc.c */
>+
>+NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
>+ struct winbindd_domain *domain,
>+ uint32_t num_sids,
>+ const struct dom_sid *sids,
>+ char ***domains,
>+ char ***names,
>+ enum lsa_SidType **types);
>
> /* The following definitions come from winbindd/winbindd_async.c */
>
>diff --git a/source/winbindd/winbindd_rpc.c b/source/winbindd/winbindd_rpc.c
>index 5f51b5f..f1dd529 100644
>--- a/source/winbindd/winbindd_rpc.c
>+++ b/source/winbindd/winbindd_rpc.c
>@@ -353,42 +353,26 @@ static NTSTATUS msrpc_sid_to_name(struct winbindd_domain *domain,
> char **names;
> enum lsa_SidType *types = NULL;
> NTSTATUS result;
>- struct rpc_pipe_client *cli;
>- POLICY_HND lsa_policy;
> NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
> char *mapped_name = NULL;
>- unsigned int orig_timeout;
>
> DEBUG(3,("sid_to_name [rpc] %s for domain %s\n", sid_string_dbg(sid),
> domain->name ));
>
>- result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
>+ result = winbindd_lookup_sids(mem_ctx,
>+ domain,
>+ 1,
>+ sid,
>+ &domains,
>+ &names,
>+ &types);
> if (!NT_STATUS_IS_OK(result)) {
>- DEBUG(2,("msrpc_sid_to_name: cm_connect_lsa() failed (%s)\n",
>- nt_errstr(result)));
>+ DEBUG(2,("msrpc_sid_to_name: failed to lookup sids: %s\n",
>+ nt_errstr(result)));
> return result;
> }
>
>
>- /*
>- * This call can take a long time
>- * allow the server to time out.
>- * 35 seconds should do it.
>- */
>- orig_timeout = rpccli_set_timeout(cli, 35000);
>-
>- result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy,
>- 1, sid, &domains, &names, &types);
>-
>- /* And restore our original timeout. */
>- rpccli_set_timeout(cli, orig_timeout);
>-
>- if (!NT_STATUS_IS_OK(result)) {
>- DEBUG(2,("msrpc_sid_to_name: rpccli_lsa_lookup_sids() failed (%s)\n",
>- nt_errstr(result)));
>- return result;
>- }
>-
> *type = (enum lsa_SidType)types[0];
> *domain_name = domains[0];
> *name = names[0];
>@@ -418,12 +402,9 @@ static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
> {
> char **domains;
> NTSTATUS result;
>- struct rpc_pipe_client *cli;
>- POLICY_HND lsa_policy;
> DOM_SID *sids;
> size_t i;
> char **ret_names;
>- unsigned int orig_timeout;
>
> DEBUG(3, ("rids_to_names [rpc] for domain %s\n", domain->name ));
>
>@@ -442,24 +423,13 @@ static NTSTATUS msrpc_rids_to_names(struct winbindd_domain *domain,
> }
> }
>
>- result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
>- if (!NT_STATUS_IS_OK(result)) {
>- return result;
>- }
>-
>- /*
>- * This call can take a long time
>- * allow the server to time out.
>- * 35 seconds should do it.
>- */
>- orig_timeout = rpccli_set_timeout(cli, 35000);
>-
>- result = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy,
>- num_rids, sids, &domains,
>- names, types);
>-
>- /* And restore our original timeout. */
>- rpccli_set_timeout(cli, orig_timeout);
>+ result = winbindd_lookup_sids(mem_ctx,
>+ domain,
>+ num_rids,
>+ sids,
>+ &domains,
>+ names,
>+ types);
>
> if (!NT_STATUS_IS_OK(result) &&
> !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
>@@ -1220,6 +1190,45 @@ static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
> return result;
> }
>
>+NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
>+ struct winbindd_domain *domain,
>+ uint32_t num_sids,
>+ const struct dom_sid *sids,
>+ char ***domains,
>+ char ***names,
>+ enum lsa_SidType **types)
>+{
>+ NTSTATUS status;
>+ struct rpc_pipe_client *cli = NULL;
>+ struct policy_handle lsa_policy;
>+ unsigned int orig_timeout;
>+
>+ status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return status;
>+ }
>+
>+ /*
>+ * This call can take a long time
>+ * allow the server to time out.
>+ * 35 seconds should do it.
>+ */
>+ orig_timeout = rpccli_set_timeout(cli, 35000);
>+
>+ status = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy,
>+ num_sids, sids, domains,
>+ names, types);
>+
>+ /* And restore our original timeout. */
>+ rpccli_set_timeout(cli, orig_timeout);
>+
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return status;
>+ }
>+
>+ return status;
>+}
>+
>
> /* the rpc backend methods are exposed via this structure */
> struct winbindd_methods msrpc_methods = {
>--
>1.6.2.5
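Review bot: `winbindd_lookup_sids` (hunk `@@ -1220`) ends with `if (!NT_STATUS_IS_OK(status)) { return status; }` immediately followed by `return status;`, so the check is dead and can be dropped. The function is exported through winbindd_proto.h without a header comment; a short one should say that the status of `cm_connect_lsa` or of `rpccli_lsa_lookup_sids` is returned unchanged, including `STATUS_SOME_UNMAPPED`, which callers such as `msrpc_rids_to_names` test for, and that the pipe timeout is raised to 35 seconds for the call and restored afterwards. Both points also apply to `winbindd_lookup_names` in patch 05, which repeats the same connect, timeout and restore sequence with the same literal `35000`; a shared named constant would keep the two in step.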
>
>
>From 8fdb74ae59f7cc50a63b944ce97ec3bb33773137 Mon Sep 17 00:00:00 2001
>From: =?utf-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 17 Sep 2009 08:06:34 +0200
>Subject: [PATCH 05/12] s3-winbindd: add and use winbindd_lookup_names().
>
>Guenther
>(cherry picked from commit 99c3fc19587431efda1ae6161453d84673b32071)
>---
> source/winbindd/winbindd_proto.h | 7 ++++
> source/winbindd/winbindd_rpc.c | 60 +++++++++++++++++++++++++------------
> 2 files changed, 47 insertions(+), 20 deletions(-)
>
>diff --git a/source/winbindd/winbindd_proto.h b/source/winbindd/winbindd_proto.h
>index 84091c4..9203c5a 100644
>--- a/source/winbindd/winbindd_proto.h
>+++ b/source/winbindd/winbindd_proto.h
>@@ -82,6 +82,13 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
> char ***domains,
> char ***names,
> enum lsa_SidType **types);
>+NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
>+ struct winbindd_domain *domain,
>+ uint32_t num_names,
>+ const char **names,
>+ const char ***domains,
>+ struct dom_sid **sids,
>+ enum lsa_SidType **types);
>
> /* The following definitions come from winbindd/winbindd_async.c */
>
>diff --git a/source/winbindd/winbindd_rpc.c b/source/winbindd/winbindd_rpc.c
>index f1dd529..c1f1a64 100644
>--- a/source/winbindd/winbindd_rpc.c
>+++ b/source/winbindd/winbindd_rpc.c
>@@ -277,11 +277,8 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
> DOM_SID *sids = NULL;
> enum lsa_SidType *types = NULL;
> char *full_name = NULL;
>- struct rpc_pipe_client *cli;
>- POLICY_HND lsa_policy;
> NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
> char *mapped_name = NULL;
>- unsigned int orig_timeout;
>
> if (name == NULL || *name=='\0') {
> full_name = talloc_asprintf(mem_ctx, "%s", domain_name);
>@@ -311,23 +308,9 @@ static NTSTATUS msrpc_name_to_sid(struct winbindd_domain *domain,
> DEBUG(3,("name_to_sid [rpc] %s for domain %s\n",
> full_name?full_name:"", domain_name ));
>
>- result = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
>- if (!NT_STATUS_IS_OK(result))
>- return result;
>-
>- /*
>- * This call can take a long time
>- * allow the server to time out.
>- * 35 seconds should do it.
>- */
>- orig_timeout = rpccli_set_timeout(cli, 35000);
>-
>- result = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, 1,
>- (const char**) &full_name, NULL, 1, &sids, &types);
>-
>- /* And restore our original timeout. */
>- rpccli_set_timeout(cli, orig_timeout);
>-
>+ result = winbindd_lookup_names(mem_ctx, domain, 1,
>+ (const char **)&full_name, NULL,
>+ &sids, &types);
> if (!NT_STATUS_IS_OK(result))
> return result;
>
>@@ -1229,6 +1212,43 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
> return status;
> }
>
>+NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
>+ struct winbindd_domain *domain,
>+ uint32_t num_names,
>+ const char **names,
>+ const char ***domains,
>+ struct dom_sid **sids,
>+ enum lsa_SidType **types)
>+{
>+ NTSTATUS status;
>+ struct rpc_pipe_client *cli = NULL;
>+ struct policy_handle lsa_policy;
>+ unsigned int orig_timeout;
>+
>+ status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return status;
>+ }
>+
>+ /*
>+ * This call can take a long time
>+ * allow the server to time out.
>+ * 35 seconds should do it.
>+ */
>+ orig_timeout = rpccli_set_timeout(cli, 35000);
>+
>+ status = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, num_names,
>+ names, domains, 1, sids, types);
>+
>+ /* And restore our original timeout. */
>+ rpccli_set_timeout(cli, orig_timeout);
>+
>+ if (!NT_STATUS_IS_OK(status)) {
>+ return status;
>+ }
>+
>+ return status;
>+}
>
> /* the rpc backend methods are exposed via this structure */
> struct winbindd_methods msrpc_methods = {
>--
>1.6.2.5
>
>
>From c23709203d1d8fe607d24eda14bff040ab9e81e7 Mon Sep 17 00:00:00 2001
>From: =?utf-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Fri, 11 Sep 2009 19:35:14 +0200
>Subject: [PATCH 06/12] s3-rpc_client: add rpccli_lsa_lookup_names4 wrapper.
>
>Guenther
>(cherry picked from commit ff968712bab6c2635ef74723c6f52b0fdac4b424)
>---
> source/include/proto.h | 9 ++++
> source/rpc_client/cli_lsarpc.c | 98 ++++++++++++++++++++++++++++++---------
> 2 files changed, 84 insertions(+), 23 deletions(-)
>
>diff --git a/source/include/proto.h b/source/include/proto.h
>index 312b130..b6c6db7 100644
>--- a/source/include/proto.h
>+++ b/source/include/proto.h
>@@ -6899,6 +6899,15 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
> int level,
> DOM_SID **sids,
> enum lsa_SidType **types);
>+NTSTATUS rpccli_lsa_lookup_names4(struct rpc_pipe_client *cli,
>+ TALLOC_CTX *mem_ctx,
>+ struct policy_handle *pol, int num_names,
>+ const char **names,
>+ const char ***dom_names,
>+ int level,
>+ DOM_SID **sids,
>+ enum lsa_SidType **types);
>+
> bool fetch_domain_sid( char *domain, char *remote_machine, DOM_SID *psid);
>
> /* The following definitions come from rpc_client/cli_netlogon.c */
>diff --git a/source/rpc_client/cli_lsarpc.c b/source/rpc_client/cli_lsarpc.c
>index 577df64..a5daa9e 100644
>--- a/source/rpc_client/cli_lsarpc.c
>+++ b/source/rpc_client/cli_lsarpc.c
>@@ -354,23 +354,26 @@ fail:
>
> /** Lookup a list of names */
>
>-NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
>- TALLOC_CTX *mem_ctx,
>- POLICY_HND *pol, int num_names,
>- const char **names,
>- const char ***dom_names,
>- int level,
>- DOM_SID **sids,
>- enum lsa_SidType **types)
>+static NTSTATUS rpccli_lsa_lookup_names_generic(struct rpc_pipe_client *cli,
>+ TALLOC_CTX *mem_ctx,
>+ struct policy_handle *pol, int num_names,
>+ const char **names,
>+ const char ***dom_names,
>+ int level,
>+ DOM_SID **sids,
>+ enum lsa_SidType **types,
>+ bool use_lookupnames4)
> {
> NTSTATUS result;
> int i;
> struct lsa_String *lsa_names = NULL;
> struct lsa_RefDomainList *domains = NULL;
> struct lsa_TransSidArray sid_array;
>+ struct lsa_TransSidArray3 sid_array3;
> uint32_t count = 0;
>
> ZERO_STRUCT(sid_array);
>+ ZERO_STRUCT(sid_array3);
>
> lsa_names = TALLOC_ARRAY(mem_ctx, struct lsa_String, num_names);
> if (!lsa_names) {
>@@ -381,14 +384,26 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
> init_lsa_String(&lsa_names[i], names[i]);
> }
>
>- result = rpccli_lsa_LookupNames(cli, mem_ctx,
>- pol,
>- num_names,
>- lsa_names,
>- &domains,
>- &sid_array,
>- level,
>- &count);
>+ if (use_lookupnames4) {
>+ result = rpccli_lsa_LookupNames4(cli, mem_ctx,
>+ num_names,
>+ lsa_names,
>+ &domains,
>+ &sid_array3,
>+ level,
>+ &count,
>+ 0,
>+ 0);
>+ } else {
>+ result = rpccli_lsa_LookupNames(cli, mem_ctx,
>+ pol,
>+ num_names,
>+ lsa_names,
>+ &domains,
>+ &sid_array,
>+ level,
>+ &count);
>+ }
>
> if (!NT_STATUS_IS_OK(result) && NT_STATUS_V(result) !=
> NT_STATUS_V(STATUS_SOME_UNMAPPED)) {
>@@ -435,10 +450,17 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
> }
>
> for (i = 0; i < num_names; i++) {
>- uint32_t dom_idx = sid_array.sids[i].sid_index;
>- uint32_t dom_rid = sid_array.sids[i].rid;
>+ uint32_t dom_idx;
> DOM_SID *sid = &(*sids)[i];
>
>+ if (use_lookupnames4) {
>+ dom_idx = sid_array3.sids[i].sid_index;
>+ (*types)[i] = sid_array3.sids[i].sid_type;
>+ } else {
>+ dom_idx = sid_array.sids[i].sid_index;
>+ (*types)[i] = sid_array.sids[i].sid_type;
>+ }
>+
> /* Translate optimised sid through domain index array */
>
> if (dom_idx == 0xffffffff) {
>@@ -448,14 +470,16 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
> continue;
> }
>
>- sid_copy(sid, domains->domains[dom_idx].sid);
>+ if (use_lookupnames4) {
>+ sid_copy(sid, sid_array3.sids[i].sid);
>+ } else {
>+ sid_copy(sid, domains->domains[dom_idx].sid);
>
>- if (dom_rid != 0xffffffff) {
>- sid_append_rid(sid, dom_rid);
>+ if (sid_array.sids[i].rid != 0xffffffff) {
>+ sid_append_rid(sid, sid_array.sids[i].rid);
>+ }
> }
>
>- (*types)[i] = sid_array.sids[i].sid_type;
>-
> if (dom_names == NULL) {
> continue;
> }
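Review bot: In the `use_lookupnames4` branch, `sid_copy(sid, sid_array3.sids[i].sid)` dereferences a pointer taken straight from the server's reply, and the only guard in front of it is the `dom_idx == 0xffffffff` test. A reply with a valid index but a NULL `sid` would crash the client here, so a check like `if (sid_array3.sids[i].sid == NULL)` that bails out with `NT_STATUS_INVALID_NETWORK_RESPONSE` belongs before the copy. The loop also reads `sid_array3.sids[i]` (and `sid_array.sids[i]`) for every `i < num_names`, and the visible hunks never compare the returned array count with `num_names`; that check may sit between the hunks, but if it does not, it should be added ahead of the loop. The function body starts and ends outside these hunks.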
>@@ -467,3 +491,31 @@ NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
>
> return result;
> }
>+
>+NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
>+ TALLOC_CTX *mem_ctx,
>+ struct policy_handle *pol, int num_names,
>+ const char **names,
>+ const char ***dom_names,
>+ int level,
>+ DOM_SID **sids,
>+ enum lsa_SidType **types)
>+{
>+ return rpccli_lsa_lookup_names_generic(cli, mem_ctx, pol, num_names,
>+ names, dom_names, level, sids,
>+ types, false);
>+}
>+
>+NTSTATUS rpccli_lsa_lookup_names4(struct rpc_pipe_client *cli,
>+ TALLOC_CTX *mem_ctx,
>+ struct policy_handle *pol, int num_names,
>+ const char **names,
>+ const char ***dom_names,
>+ int level,
>+ DOM_SID **sids,
>+ enum lsa_SidType **types)
>+{
>+ return rpccli_lsa_lookup_names_generic(cli, mem_ctx, pol, num_names,
>+ names, dom_names, level, sids,
>+ types, true);
>+}
>--
>1.6.2.5
>
>
>From 3516e7be8665fbf6151ebad8cc2bf9eeb2495c08 Mon Sep 17 00:00:00 2001
>From: =?utf-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Sun, 13 Sep 2009 00:28:49 +0200
>Subject: [PATCH 07/12] s3-rpc_client: add rpccli_lsa_lookup_sids3 wrapper.
>
>Guenther
>(cherry picked from commit 2f9adf04e4b3e16c046cb371a428a8a70d5de041)
>---
> source/include/proto.h | 8 ++++
> source/rpc_client/cli_lsarpc.c | 91 ++++++++++++++++++++++++++++++++-------
> 2 files changed, 82 insertions(+), 17 deletions(-)
>
>diff --git a/source/include/proto.h b/source/include/proto.h
>index b6c6db7..8dbab9a 100644
>--- a/source/include/proto.h
>+++ b/source/include/proto.h
>@@ -6891,6 +6891,14 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
> char ***pdomains,
> char ***pnames,
> enum lsa_SidType **ptypes);
>+NTSTATUS rpccli_lsa_lookup_sids3(struct rpc_pipe_client *cli,
>+ TALLOC_CTX *mem_ctx,
>+ struct policy_handle *pol,
>+ int num_sids,
>+ const DOM_SID *sids,
>+ char ***pdomains,
>+ char ***pnames,
>+ enum lsa_SidType **ptypes);
> NTSTATUS rpccli_lsa_lookup_names(struct rpc_pipe_client *cli,
> TALLOC_CTX *mem_ctx,
> POLICY_HND *pol, int num_names,
>diff --git a/source/rpc_client/cli_lsarpc.c b/source/rpc_client/cli_lsarpc.c
>index a5daa9e..00412bc 100644
>--- a/source/rpc_client/cli_lsarpc.c
>+++ b/source/rpc_client/cli_lsarpc.c
>@@ -126,7 +126,8 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli,
> const DOM_SID *sids,
> char **domains,
> char **names,
>- enum lsa_SidType *types)
>+ enum lsa_SidType *types,
>+ bool use_lookupsids3)
> {
> NTSTATUS result = NT_STATUS_OK;
> TALLOC_CTX *tmp_ctx = NULL;
>@@ -159,13 +160,41 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli,
> }
> }
>
>- result = rpccli_lsa_LookupSids(cli, mem_ctx,
>- pol,
>- &sid_array,
>- &ref_domains,
>- &lsa_names,
>- level,
>- &count);
>+ if (use_lookupsids3) {
>+ struct lsa_TransNameArray2 lsa_names2;
>+ uint32_t n;
>+
>+ result = rpccli_lsa_LookupSids3(cli, mem_ctx,
>+ &sid_array,
>+ &ref_domains,
>+ &lsa_names2,
>+ level,
>+ &count,
>+ 0,
>+ 0);
>+
>+ if (!NT_STATUS_IS_ERR(result)) {
>+ lsa_names.count = lsa_names2.count;
>+ lsa_names.names = talloc_array(mem_ctx, struct lsa_TranslatedName, lsa_names.count);
>+ if (!lsa_names.names) {
>+ return NT_STATUS_NO_MEMORY;
>+ }
>+ for (n=0; n < lsa_names.count; n++) {
>+ lsa_names.names[n].sid_type = lsa_names2.names[n].sid_type;
>+ lsa_names.names[n].name = lsa_names2.names[n].name;
>+ lsa_names.names[n].sid_index = lsa_names2.names[n].sid_index;
>+ }
>+ }
>+
>+ } else {
>+ result = rpccli_lsa_LookupSids(cli, mem_ctx,
>+ pol,
>+ &sid_array,
>+ &ref_domains,
>+ &lsa_names,
>+ level,
>+ &count);
>+ }
>
> DEBUG(10, ("LSA_LOOKUPSIDS returned '%s', mapped count = %d'\n",
> nt_errstr(result), count));
>@@ -245,14 +274,15 @@ done:
> * at 20480 for win2k3, but we keep it at a save 1000 for now. */
> #define LOOKUP_SIDS_HUNK_SIZE 1000
>
>-NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
>- TALLOC_CTX *mem_ctx,
>- POLICY_HND *pol,
>- int num_sids,
>- const DOM_SID *sids,
>- char ***pdomains,
>- char ***pnames,
>- enum lsa_SidType **ptypes)
>+static NTSTATUS rpccli_lsa_lookup_sids_generic(struct rpc_pipe_client *cli,
>+ TALLOC_CTX *mem_ctx,
>+ struct policy_handle *pol,
>+ int num_sids,
>+ const DOM_SID *sids,
>+ char ***pdomains,
>+ char ***pnames,
>+ enum lsa_SidType **ptypes,
>+ bool use_lookupsids3)
> {
> NTSTATUS result = NT_STATUS_OK;
> int sids_left = 0;
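Review bot: The allocation-failure path in the new `use_lookupsids3` branch exits with a bare `return NT_STATUS_NO_MEMORY;`, while this function declares a `tmp_ctx` and appears to have a `done:` label (it shows up in the next hunk header). If anything is already allocated on `tmp_ctx` at this point the early return skips its cleanup, so `result = NT_STATUS_NO_MEMORY; goto done;` would keep one exit path. The copy loop also trusts `lsa_names2.count` from the server reply as the length of `lsa_names.names`; any later indexing by `num_sids` outside this hunk should be checked against that count. The function starts and ends outside the hunk.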
>@@ -311,7 +341,8 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
> hunk_sids,
> hunk_domains,
> hunk_names,
>- hunk_types);
>+ hunk_types,
>+ use_lookupsids3);
>
> if (!NT_STATUS_IS_OK(hunk_result) &&
> !NT_STATUS_EQUAL(hunk_result, STATUS_SOME_UNMAPPED) &&
>@@ -352,6 +383,32 @@ fail:
> return result;
> }
>
>+NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli,
>+ TALLOC_CTX *mem_ctx,
>+ struct policy_handle *pol,
>+ int num_sids,
>+ const DOM_SID *sids,
>+ char ***pdomains,
>+ char ***pnames,
>+ enum lsa_SidType **ptypes)
>+{
>+ return rpccli_lsa_lookup_sids_generic(cli, mem_ctx, pol, num_sids, sids,
>+ pdomains, pnames, ptypes, false);
>+}
>+
>+NTSTATUS rpccli_lsa_lookup_sids3(struct rpc_pipe_client *cli,
>+ TALLOC_CTX *mem_ctx,
>+ struct policy_handle *pol,
>+ int num_sids,
>+ const DOM_SID *sids,
>+ char ***pdomains,
>+ char ***pnames,
>+ enum lsa_SidType **ptypes)
>+{
>+ return rpccli_lsa_lookup_sids_generic(cli, mem_ctx, pol, num_sids, sids,
>+ pdomains, pnames, ptypes, true);
>+}
>+
> /** Lookup a list of names */
>
> static NTSTATUS rpccli_lsa_lookup_names_generic(struct rpc_pipe_client *cli,
>--
>1.6.2.5
>
>
>From af3483d306618a14e084a522d04d87992308147d Mon Sep 17 00:00:00 2001
>From: =?utf-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 17 Sep 2009 09:42:49 +0200
>Subject: [PATCH 08/12] s3-rpc_client: fix non initialized structure in rpccli_lsa_lookup_sids_noalloc.
>
>Guenther
>(cherry picked from commit a4b5c792c55ef90648a528d279beec32f86a9b22)
>---
> source/rpc_client/cli_lsarpc.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
>diff --git a/source/rpc_client/cli_lsarpc.c b/source/rpc_client/cli_lsarpc.c
>index 00412bc..b2ae167 100644
>--- a/source/rpc_client/cli_lsarpc.c
>+++ b/source/rpc_client/cli_lsarpc.c
>@@ -164,6 +164,8 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli,
> struct lsa_TransNameArray2 lsa_names2;
> uint32_t n;
>
>+ ZERO_STRUCT(lsa_names2);
>+
> result = rpccli_lsa_LookupSids3(cli, mem_ctx,
> &sid_array,
> &ref_domains,
>--
>1.6.2.5
>
>
>From 20eca0f1f2ccfbf4621680d0a47f0614906ab652 Mon Sep 17 00:00:00 2001
>From: =?utf-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Sat, 12 Sep 2009 23:30:39 +0200
>Subject: [PATCH 09/12] s3-winbindd: add cm_connect_lsa_tcp().
>
>Guenther
>(cherry picked from commit 58f2deb94024f002e3c3df47f45454edc97f47e1)
>---
> source/winbindd/winbindd.h | 1 +
> source/winbindd/winbindd_cm.c | 59 ++++++++++++++++++++++++++++++++++++++
> source/winbindd/winbindd_proto.h | 3 ++
> 3 files changed, 63 insertions(+), 0 deletions(-)
>
>diff --git a/source/winbindd/winbindd.h b/source/winbindd/winbindd.h
>index d8e6ec4..f97eed0 100644
>--- a/source/winbindd/winbindd.h
>+++ b/source/winbindd/winbindd.h
>@@ -122,6 +122,7 @@ struct winbindd_cm_conn {
> POLICY_HND sam_connect_handle, sam_domain_handle;
>
> struct rpc_pipe_client *lsa_pipe;
>+ struct rpc_pipe_client *lsa_pipe_tcp;
> POLICY_HND lsa_policy;
>
> struct rpc_pipe_client *netlogon_pipe;
>diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
>index 176104a..2f823cb 100644
>--- a/source/winbindd/winbindd_cm.c
>+++ b/source/winbindd/winbindd_cm.c
>@@ -1542,6 +1542,14 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
> }
> }
>
>+ if (conn->lsa_pipe_tcp != NULL) {
>+ TALLOC_FREE(conn->lsa_pipe_tcp);
>+ /* Ok, it must be dead. Drop timeout to 0.5 sec. */
>+ if (conn->cli) {
>+ cli_set_timeout(conn->cli, 500);
>+ }
>+ }
>+
> if (conn->netlogon_pipe != NULL) {
> TALLOC_FREE(conn->netlogon_pipe);
> /* Ok, it must be dead. Drop timeout to 0.5 sec. */
>@@ -2150,6 +2158,57 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> return result;
> }
>
>+/**********************************************************************
>+ open an schanneld ncacn_ip_tcp connection to LSA
>+***********************************************************************/
>+
>+NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
>+ TALLOC_CTX *mem_ctx,
>+ struct rpc_pipe_client **cli)
>+{
>+ struct winbindd_cm_conn *conn;
>+ NTSTATUS status;
>+
>+ DEBUG(10,("cm_connect_lsa_tcp\n"));
>+
>+ status = init_dc_connection(domain);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ goto done;
>+ }
>+
>+ conn = &domain->conn;
>+
>+ if (conn->lsa_pipe_tcp &&
>+ conn->lsa_pipe_tcp->transport_type == NCACN_IP_TCP &&
>+ conn->lsa_pipe_tcp->auth->auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
>+ goto done;
>+ }
>+
>+ TALLOC_FREE(conn->lsa_pipe_tcp);
>+
>+ status = cli_rpc_pipe_open_schannel(conn->cli,
>+ &ndr_table_lsarpc.syntax_id,
>+ NCACN_IP_TCP,
>+ PIPE_AUTH_LEVEL_PRIVACY,
>+ domain->name,
>+ &conn->lsa_pipe_tcp);
>+ if (!NT_STATUS_IS_OK(status)) {
>+ DEBUG(10,("cli_rpc_pipe_open_schannel failed: %s\n",
>+ nt_errstr(status)));
>+ goto done;
>+ }
>+
>+ done:
>+ if (!NT_STATUS_IS_OK(status)) {
>+ TALLOC_FREE(conn->lsa_pipe_tcp);
>+ return status;
>+ }
>+
>+ *cli = conn->lsa_pipe_tcp;
>+
>+ return status;
>+}
>+
> NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> struct rpc_pipe_client **cli, POLICY_HND *lsa_policy)
> {
>diff --git a/source/winbindd/winbindd_proto.h b/source/winbindd/winbindd_proto.h
>index 9203c5a..53d424b 100644
>--- a/source/winbindd/winbindd_proto.h
>+++ b/source/winbindd/winbindd_proto.h
>@@ -233,6 +233,9 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> struct rpc_pipe_client **cli, POLICY_HND *sam_handle);
> NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
> struct rpc_pipe_client **cli, POLICY_HND *lsa_policy);
>+NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
>+ TALLOC_CTX *mem_ctx,
>+ struct rpc_pipe_client **cli);
> NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
> struct rpc_pipe_client **cli);
>
>--
>1.6.2.5
>
>
>From 492e57d4a6cabdaed7300b270f6a6f624f670fd8 Mon Sep 17 00:00:00 2001
>From: =?utf-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 17 Sep 2009 09:43:36 +0200
>Subject: [PATCH 10/12] s3-winbindd: Fix Bug #6711: trusts to windows 2008 (2008 r2) not working.
>
>Winbindd should always try to use LSA via an schannel authenticated ncacn_ip_tcp
>connection when talking to AD for LSA lookup calls.
>
>In Samba <-> W2k8 interdomain trust scenarios, LookupSids3 and LookupNames4 via an
>schannel ncacn_ip_tcp LSA connection are the *only* options to successfully resolve
>sids and names.
>
>Guenther
>(cherry picked from commit 6a8ef6c424c52be861ed2a9806f917a64ec892a6)
>---
> source/winbindd/winbindd.h | 2 +
> source/winbindd/winbindd_cm.c | 2 +
> source/winbindd/winbindd_rpc.c | 64 ++++++++++++++++++++++++++++++++++++---
> 3 files changed, 63 insertions(+), 5 deletions(-)
>
>diff --git a/source/winbindd/winbindd.h b/source/winbindd/winbindd.h
>index f97eed0..63b7269 100644
>--- a/source/winbindd/winbindd.h
>+++ b/source/winbindd/winbindd.h
>@@ -183,6 +183,8 @@ struct winbindd_domain {
> * to False. This variable is around so that
> * we don't have to try _ex every time. */
>
>+ bool can_do_ncacn_ip_tcp;
>+
> /* Lookup methods for this domain (LDAP or RPC) */
> struct winbindd_methods *methods;
>
>diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
>index 2f823cb..9ea3e75 100644
>--- a/source/winbindd/winbindd_cm.c
>+++ b/source/winbindd/winbindd_cm.c
>@@ -1924,6 +1924,8 @@ done:
> DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n",
> domain->name, domain->active_directory ? "" : "NOT "));
>
>+ domain->can_do_ncacn_ip_tcp = domain->active_directory;
>+
> TALLOC_FREE(cli);
>
> TALLOC_FREE(mem_ctx);
>diff --git a/source/winbindd/winbindd_rpc.c b/source/winbindd/winbindd_rpc.c
>index c1f1a64..db43559 100644
>--- a/source/winbindd/winbindd_rpc.c
>+++ b/source/winbindd/winbindd_rpc.c
>@@ -1173,6 +1173,15 @@ static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain,
> return result;
> }
>
>+typedef NTSTATUS (*lookup_sids_fn_t)(struct rpc_pipe_client *cli,
>+ TALLOC_CTX *mem_ctx,
>+ struct policy_handle *pol,
>+ int num_sids,
>+ const DOM_SID *sids,
>+ char ***pdomains,
>+ char ***pnames,
>+ enum lsa_SidType **ptypes);
>+
> NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
> struct winbindd_domain *domain,
> uint32_t num_sids,
>@@ -1185,12 +1194,23 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
> struct rpc_pipe_client *cli = NULL;
> struct policy_handle lsa_policy;
> unsigned int orig_timeout;
>+ lookup_sids_fn_t lookup_sids_fn = rpccli_lsa_lookup_sids;
>
>+ if (domain->can_do_ncacn_ip_tcp) {
>+ status = cm_connect_lsa_tcp(domain, mem_ctx, &cli);
>+ if (NT_STATUS_IS_OK(status)) {
>+ lookup_sids_fn = rpccli_lsa_lookup_sids3;
>+ goto lookup;
>+ }
>+ domain->can_do_ncacn_ip_tcp = false;
>+ }
> status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
>+
> if (!NT_STATUS_IS_OK(status)) {
> return status;
> }
>
>+ lookup:
> /*
> * This call can take a long time
> * allow the server to time out.
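Review bot: The fallback in `winbindd_lookup_sids()` clears `domain->can_do_ncacn_ip_tcp` on the first `cm_connect_lsa_tcp()` failure of any kind and then carries on over `cm_connect_lsa()` without logging anything. In the visible hunks the flag is only set again in `set_dc_type_and_flags_connect`, so one transient error, or anything on the path that blocks the TCP endpoint, appears to move every later lookup for the domain off the schannel `PIPE_AUTH_LEVEL_PRIVACY` transport. I would log the status before falling back, e.g. `DEBUG(1, ("cm_connect_lsa_tcp failed for %s: %s, falling back to ncacn_np\n", domain->name, nt_errstr(status)));`, and consider clearing the flag only for errors that mean the transport is unsupported. The same pattern is repeated in `winbindd_lookup_names()` in a later hunk, and both functions extend outside their hunks.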
>@@ -1198,9 +1218,14 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
> */
> orig_timeout = rpccli_set_timeout(cli, 35000);
>
>- status = rpccli_lsa_lookup_sids(cli, mem_ctx, &lsa_policy,
>- num_sids, sids, domains,
>- names, types);
>+ status = lookup_sids_fn(cli,
>+ mem_ctx,
>+ &lsa_policy,
>+ num_sids,
>+ sids,
>+ domains,
>+ names,
>+ types);
>
> /* And restore our original timeout. */
> rpccli_set_timeout(cli, orig_timeout);
>@@ -1212,6 +1237,16 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
> return status;
> }
>
>+typedef NTSTATUS (*lookup_names_fn_t)(struct rpc_pipe_client *cli,
>+ TALLOC_CTX *mem_ctx,
>+ struct policy_handle *pol,
>+ int num_names,
>+ const char **names,
>+ const char ***dom_names,
>+ int level,
>+ struct dom_sid **sids,
>+ enum lsa_SidType **types);
>+
> NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
> struct winbindd_domain *domain,
> uint32_t num_names,
>@@ -1224,12 +1259,24 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
> struct rpc_pipe_client *cli = NULL;
> struct policy_handle lsa_policy;
> unsigned int orig_timeout;
>+ lookup_names_fn_t lookup_names_fn = rpccli_lsa_lookup_names;
>
>+ if (domain->can_do_ncacn_ip_tcp) {
>+ status = cm_connect_lsa_tcp(domain, mem_ctx, &cli);
>+ if (NT_STATUS_IS_OK(status)) {
>+ lookup_names_fn = rpccli_lsa_lookup_names4;
>+ goto lookup;
>+ }
>+ domain->can_do_ncacn_ip_tcp = false;
>+ }
> status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
>+
> if (!NT_STATUS_IS_OK(status)) {
> return status;
> }
>
>+ lookup:
>+
> /*
> * This call can take a long time
> * allow the server to time out.
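Review bot: On the TCP path `lsa_policy` is never filled in, because `cm_connect_lsa_tcp()` has no policy-handle output, yet `&lsa_policy` is still passed to `lookup_sids_fn(...)` in the first hunk here and to `lookup_names_fn(...)` in the hunk that follows. The `rpccli_lsa_LookupSids3` and `rpccli_lsa_LookupNames4` calls shown earlier on this page take no handle, so the value is ignored today, but an uninitialized struct is still being handed through a function pointer. Adding `ZERO_STRUCT(lsa_policy);` after the declarations in both functions, with a comment that the handle is unused by the `*3`/`*4` variants, makes that explicit and keeps it safe if a callee ever starts reading it. Both functions start and end outside these hunks.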
>@@ -1237,8 +1284,15 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
> */
> orig_timeout = rpccli_set_timeout(cli, 35000);
>
>- status = rpccli_lsa_lookup_names(cli, mem_ctx, &lsa_policy, num_names,
>- names, domains, 1, sids, types);
>+ status = lookup_names_fn(cli,
>+ mem_ctx,
>+ &lsa_policy,
>+ num_names,
>+ (const char **) names,
>+ domains,
>+ 1,
>+ sids,
>+ types);
>
> /* And restore our original timeout. */
> rpccli_set_timeout(cli, orig_timeout);
>--
>1.6.2.5
>
>
>From 9a10cd35c307a4c82676ab0dd10e814500ca55fc Mon Sep 17 00:00:00 2001
>From: Volker Lendecke <vl@samba.org>
>Date: Wed, 23 Sep 2009 06:23:50 +0200
>Subject: [PATCH 11/12] s3:winbind: Fix an uninitialized variable (cherry picked from commit 0724649a8a7c04d015317d9dc2ae43ee87c1bd25)
>
>---
> source/winbindd/winbindd_cm.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
>diff --git a/source/winbindd/winbindd_cm.c b/source/winbindd/winbindd_cm.c
>index 9ea3e75..bf8490e 100644
>--- a/source/winbindd/winbindd_cm.c
>+++ b/source/winbindd/winbindd_cm.c
>@@ -2175,7 +2175,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
>
> status = init_dc_connection(domain);
> if (!NT_STATUS_IS_OK(status)) {
>- goto done;
>+ return status;
> }
>
> conn = &domain->conn;
>--
>1.6.2.5
>
>
>From c670199440f2c073b3fb9e160fbca51dcc3bbb44 Mon Sep 17 00:00:00 2001
>From: =?utf-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Tue, 6 Oct 2009 11:10:47 +0200
>Subject: [PATCH 12/12] s3-rpc_client: fix rpccli_set_timeout to cope with abstract transport.
>
>taken from: b7094c0b804984de8e0b50c17e7908a2685df557
>
>Guenther
>---
> source/rpc_client/cli_pipe.c | 10 +++++++---
> 1 files changed, 7 insertions(+), 3 deletions(-)
>
>diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c
>index 8049d06..be84c39 100644
>--- a/source/rpc_client/cli_pipe.c
>+++ b/source/rpc_client/cli_pipe.c
>@@ -2319,11 +2319,15 @@ NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
> prs_mem_free(&rbuf);
> return NT_STATUS_OK;
> }
>-
>-unsigned int rpccli_set_timeout(struct rpc_pipe_client *cli,
>+unsigned int rpccli_set_timeout(struct rpc_pipe_client *rpc_cli,
> unsigned int timeout)
> {
>- return cli_set_timeout(cli->trans.np.cli, timeout);
>+ struct cli_state *cli = rpc_pipe_np_smb_conn(rpc_cli);
>+
>+ if (cli == NULL) {
>+ return 0;
>+ }
>+ return cli_set_timeout(cli, timeout);
> }
>
> bool rpccli_get_pwd_hash(struct rpc_pipe_client *cli, uint8_t nt_hash[16])
>--
>1.6.2.5
>
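Review bot: When `rpc_pipe_np_smb_conn()` returns NULL the new `rpccli_set_timeout()` returns 0 without setting anything, so for a pipe with no SMB connection behind it (presumably the ncacn_ip_tcp pipes this series introduces) the `rpccli_set_timeout(cli, 35000)` calls in `winbindd_lookup_sids()` and `winbindd_lookup_names()` have no effect. Callers also cannot tell "no timeout applied" from "the previous timeout was 0". At minimum the NULL branch deserves a comment such as `/* no SMB connection behind this pipe: timeout not applied */`; ideally the transport's own timeout would be adjusted here so the long-running LSA lookups keep their intended limit.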
Flags:
metze
:
review+