Bug 8548 - winbind_samlogon_retry_loop ignores logon_parameters flags
winbind_samlogon_retry_loop ignores logon_parameters flags
Status: RESOLVED FIXED
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
3.6.1
All All
: P5 regression
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-10-27 20:28 UTC by Jeff Venable
Modified: 2011-11-07 06:48 UTC (History)
2 users (show)

See Also:


Attachments
Raw patch for 3.6.x. (824 bytes, patch)
2011-10-27 22:15 UTC, Jeremy Allison
gd: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Venable 2011-10-27 20:28:18 UTC
Prevents NTLM machine authentication.

Regression introduced by:
http://git.samba.org/?p=samba.git;a=commit;h=abb7c07de5d07d5378dafbfdf0d0213a2b0e0b05.

source3/winbindd_pam.c:winbind_samlogon_retry_loop() does not pass logon_parameters as the third argument to SAM network logon routines.  This causes WINBINDD_PAM_AUTH_CRAP to return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT or NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT despite MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT or MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT being specified in winbindd_request.data.auth_crap.logon_parameters when authenticating machine accounts.
Comment 1 Jeremy Allison 2011-10-27 20:54:54 UTC
Ok, I'll look into this asap.

Do you know if this has been fixed in 3.6.x ?

Jeremy.
Comment 2 Jeff Venable 2011-10-27 20:58:16 UTC
(In reply to comment #1)
> Ok, I'll look into this asap.
> 
> Do you know if this has been fixed in 3.6.x ?
> 
> Jeremy.

I downloaded 3.6.1; the regression remains there as well.
Comment 3 Jeremy Allison 2011-10-27 21:02:00 UTC
Thanks for checking. I'll see what fix we need.
Comment 4 Jeremy Allison 2011-10-27 22:13:59 UTC
Ah, ok - this code only exists in 3.6.x - I'll re-catagorize as 3.6.x.
Jeremy.
Comment 5 Jeremy Allison 2011-10-27 22:15:12 UTC
Created attachment 7041 [details]
Raw patch for 3.6.x.

Can you test this fix and confirm it fixes your issue ? Once you do I'll submit to master and get a back-ported git-am patch ready for 3.6.2.

Thanks !

Jeremy.
Comment 6 Jeff Venable 2011-10-27 22:45:19 UTC
Rebuilding to test now.

Sorry about the versioning; I traced the original commit and assumed it first appeared in 3.5.8 based on dates and release notes.  I was trying to be as helpful as possible. :)
Comment 7 Jeff Venable 2011-10-28 00:43:54 UTC
Fixed verified.  Machine authentication successful.  Workstation trust flags now present in SAM logon request:

process_request: Handling async request 3365:PAM_AUTH_CRAP
[ 3365]: pam auth crap domain: [nin.asglab.juniper.net] user: MA$
child daemon request 14
child_process_request: request fn AUTH_CRAP
[ 3265]: pam auth crap domain: nin.asglab.juniper.net user: MA$
     netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
        in: struct netr_LogonSamLogonEx
            server_name              : *
                server_name              : '\\root.nin.asglab.juniper.net'
            computer_name            : *
                computer_name            : '0271MM50F5B0IZ'
            logon_level              : NetlogonNetworkInformation (2)
            logon                    : *
                logon                    : union netr_LogonLevel(case 2)
                network                  : *
                    network: struct netr_NetworkInfo
                        identity_info: struct netr_IdentityInfo
                            domain_name: struct lsa_String
                                length                   : 0x002c (44)
                                size                     : 0x002c (44)
                                string                   : *
                                    string                   : 'nin.asglab.juniper.net'
                            parameter_control        : 0x00000820 (2080)
                                   0: MSV1_0_CLEARTEXT_PASSWORD_ALLOWED
                                   0: MSV1_0_UPDATE_LOGON_STATISTICS
                                   0: MSV1_0_RETURN_USER_PARAMETERS
                                   0: MSV1_0_DONT_TRY_GUEST_ACCOUNT
                                   1: MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
                                   0: MSV1_0_RETURN_PASSWORD_EXPIRY
                                   0: MSV1_0_USE_CLIENT_CHALLENGE
                                   0: MSV1_0_TRY_GUEST_ACCOUNT_ONLY
                                   0: MSV1_0_RETURN_PROFILE_PATH
                                   0: MSV1_0_TRY_SPECIFIED_DOMAIN_ONLY
                                   1: MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
                                   0: MSV1_0_DISABLE_PERSONAL_FALLBACK
                                   0: MSV1_0_ALLOW_FORCE_GUEST
                                   0: MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED
                                   0: MSV1_0_USE_DOMAIN_FOR_ROUTING_ONLY
                                   0: MSV1_0_ALLOW_MSVCHAPV2
                                   0: MSV1_0_S4U2SELF
                                   0: MSV1_0_CHECK_LOGONHOURS_FOR_S4U
                                   0: MSV1_0_SUBAUTHENTICATION_DLL_EX
Comment 8 Jeremy Allison 2011-10-28 21:09:55 UTC
Karolin - please cherry-pick git ref f30f71c14a0b89dea296910ac9b92d3ae4016613

    Fix bug #8548 - winbind_samlogon_retry_loop ignores logon_parameters flags.

    Fix confirmed by reporter.

from master to v3-6-test. This is the same as the raw patch in attachment 7041 [details] that has been confirmed by the reporter and +reviewed by Guenther.

Thanks,

Jeremy.
Comment 9 Karolin Seeger 2011-11-01 19:03:17 UTC
Pushed to v3-6-test.
Will be included in Samba 3.6.2.
Closing out bug report.

Thanks!