The Samba-Bugzilla – Bug 8548
winbind_samlogon_retry_loop ignores logon_parameters flags
Last modified: 2011-11-07 06:48:17 UTC
Prevents NTLM machine authentication.
Regression introduced by:
source3/winbindd_pam.c:winbind_samlogon_retry_loop() does not pass logon_parameters as the third argument to SAM network logon routines. This causes WINBINDD_PAM_AUTH_CRAP to return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT or NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT despite MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT or MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT being specified in winbindd_request.data.auth_crap.logon_parameters when authenticating machine accounts.
Ok, I'll look into this asap.
Do you know if this has been fixed in 3.6.x ?
(In reply to comment #1)
> Ok, I'll look into this asap.
> Do you know if this has been fixed in 3.6.x ?
I downloaded 3.6.1; the regression remains there as well.
Thanks for checking. I'll see what fix we need.
Ah, ok - this code only exists in 3.6.x - I'll re-categorize as 3.6.x.
Created attachment 7041
Raw patch for 3.6.x.
Can you test this fix and confirm it fixes your issue ? Once you do I'll submit to master and get a back-ported git-am patch ready for 3.6.2.
Rebuilding to test now.
Sorry about the versioning; I traced the original commit and assumed it first appeared in 3.5.8 based on dates and release notes. I was trying to be as helpful as possible. :)
Fix verified. Machine authentication successful. Workstation trust flags now present in SAM logon request:
process_request: Handling async request 3365:PAM_AUTH_CRAP
[ 3365]: pam auth crap domain: [nin.asglab.juniper.net] user: MA$
child daemon request 14
child_process_request: request fn AUTH_CRAP
[ 3265]: pam auth crap domain: nin.asglab.juniper.net user: MA$
netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
in: struct netr_LogonSamLogonEx
server_name : *
server_name : '\\root.nin.asglab.juniper.net'
computer_name : *
computer_name : '0271MM50F5B0IZ'
logon_level : NetlogonNetworkInformation (2)
logon : *
logon : union netr_LogonLevel(case 2)
network : *
network: struct netr_NetworkInfo
identity_info: struct netr_IdentityInfo
domain_name: struct lsa_String
length : 0x002c (44)
size : 0x002c (44)
string : *
string : 'nin.asglab.juniper.net'
parameter_control : 0x00000820 (2080)
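The parameter_control value in the log above, 0x00000820, is the bitwise OR of the two trust-account flags named in the report. The following is an added example, not part of the bug report or of Samba's code: a Python checker that decodes parameter_control from winbindd debug output and flags machine-account logons that went out without either flag. The flag values are the standard MSV1_0 constants; the function names, the sample log and the trailing-$ test for machine accounts are assumptions.

```python
import re

# MSV1_0 ParameterControl bits (values as defined in MS-NRPC / ntsecapi.h).
MSV1_0_FLAGS = {
    0x002: "MSV1_0_CLEARTEXT_PASSWORD_ALLOWED",
    0x004: "MSV1_0_UPDATE_LOGON_STATISTICS",
    0x008: "MSV1_0_RETURN_USER_PARAMETERS",
    0x010: "MSV1_0_DONT_TRY_GUEST_ACCOUNT",
    0x020: "MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT",
    0x040: "MSV1_0_RETURN_PASSWORD_EXPIRY",
    0x080: "MSV1_0_USE_CLIENT_CHALLENGE",
    0x100: "MSV1_0_TRY_GUEST_ACCOUNT_ONLY",
    0x200: "MSV1_0_RETURN_PROFILE_PATH",
    0x400: "MSV1_0_TRY_SPECIFIED_DOMAIN_ONLY",
    0x800: "MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT",
}
TRUST_MASK = 0x020 | 0x800  # server + workstation trust account bits
USER_RE = re.compile(r"pam auth crap domain:\s*\[?([^\]\s]+)\]?\s+user:\s*(\S+)")
PC_RE = re.compile(r"parameter_control\s*:\s*0x([0-9a-fA-F]+)")

# Constructed log excerpt (not from the bug report): HOST2$ shows a request
# whose trust-account flags never reached the SAM logon call.
SAMPLE_LOG = """\
[ 4001]: pam auth crap domain: [EXAMPLE] user: HOST1$
    parameter_control : 0x00000820 (2080)
[ 4002]: pam auth crap domain: [EXAMPLE] user: HOST2$
    parameter_control : 0x00000000 (0)
"""

def decode(value):
    """Return the flag names set in a parameter_control value."""
    names = [name for bit, name in sorted(MSV1_0_FLAGS.items()) if value & bit]
    unknown = value & ~sum(MSV1_0_FLAGS)  # bits outside the table above
    return names + (["unknown:0x%08x" % unknown] if unknown else [])

def audit(log_text):
    """Pair each parameter_control with the most recent AUTH_CRAP user."""
    results, user = [], None
    for line in log_text.splitlines():
        u, p = USER_RE.search(line), PC_RE.search(line)
        if u:
            user = u.group(2)
        elif p and user:
            value = int(p.group(1), 16)
            machine = user.endswith("$")  # assumption: trailing $ = machine account
            results.append({"user": user, "value": value, "flags": decode(value),
                            "missing_trust_flags": machine and not (value & TRUST_MASK)})
    return results
```

Calling `audit()` on a winbindd log captured at a debug level that prints the netr_LogonSamLogonEx request returns one record per request; a record with `missing_trust_flags` set to True matches the symptom described in this bug.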
Karolin - please cherry-pick git ref f30f71c14a0b89dea296910ac9b92d3ae4016613
Fix bug #8548 - winbind_samlogon_retry_loop ignores logon_parameters flags.
Fix confirmed by reporter.
from master to v3-6-test. This is the same as the raw patch in attachment 7041 that has been confirmed by the reporter and +reviewed by Guenther.
Pushed to v3-6-test.
Will be included in Samba 3.6.2.
Closing out bug report.