samba-cvs.cvs
[Top] [All Lists]

svn commit: samba r13557 - in branches/SAMBA_3_0/source/rpc_server: .

Subject: svn commit: samba r13557 - in branches/SAMBA_3_0/source/rpc_server: .
From:
Date: Sat, 18 Feb 2006 01:21:20 +0000 GMT
Author: jra
Date: 2006-02-18 01:21:18 +0000 (Sat, 18 Feb 2006)
New Revision: 13557

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13557

Log:
(Hopefully) get the creds store/restore key right from
the correct part of the netlogon and schannel packets.
Jeremy.

Modified:
   branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c
   branches/SAMBA_3_0/source/rpc_server/srv_pipe.c


Changeset:
Modified: branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c
===================================================================
--- branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c        2006-02-18 
00:39:31 UTC (rev 13556)
+++ branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c        2006-02-18 
01:21:18 UTC (rev 13557)
@@ -385,6 +385,8 @@
 
        rpcstr_pull(mach_acct, 
q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring),
                                q_u->clnt_id.uni_acct_name.uni_str_len*2,0);
+
+       /* We use this as the key to store the creds. */
        rpcstr_pull(remote_machine, 
q_u->clnt_id.uni_comp_name.buffer,sizeof(fstring),
                                q_u->clnt_id.uni_comp_name.uni_str_len*2,0);
 
@@ -445,7 +447,7 @@
        /* Store off the state so we can continue after client disconnect. */
        become_root();
        secrets_store_schannel_session_info(p->mem_ctx,
-                                       get_remote_machine_name(),
+                                       remote_machine,
                                        p->dc);
        unbecome_root();
 
@@ -459,7 +461,7 @@
 NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET 
*r_u)
 {
        NTSTATUS status = NT_STATUS_ACCESS_DENIED;
-       fstring workstation;
+       fstring remote_machine;
        SAM_ACCOUNT *sampass=NULL;
        BOOL ret = False;
        unsigned char pwd[16];
@@ -470,16 +472,16 @@
 
        DEBUG(5,("_net_srv_pwset: %d\n", __LINE__));
 
-       /* We need the workstation name for the creds lookup. */
-       rpcstr_pull(workstation,q_u->clnt_id.login.uni_comp_name.buffer,
-                   
sizeof(workstation),q_u->clnt_id.login.uni_comp_name.uni_str_len*2,0);
+       /* We need the remote machine name for the creds lookup. */
+       rpcstr_pull(remote_machine,q_u->clnt_id.login.uni_comp_name.buffer,
+                   
sizeof(remote_machine),q_u->clnt_id.login.uni_comp_name.uni_str_len*2,0);
 
        if ( (lp_server_schannel() == True) && (p->auth.auth_type != 
PIPE_AUTH_TYPE_SCHANNEL) ) {
                /* 'server schannel = yes' should enforce use of
                   schannel, the client did offer it in auth2, but
                   obviously did not use it. */
                DEBUG(0,("_net_srv_pwset: client %s not using schannel for 
netlogon\n",
-                       get_remote_machine_name() ));
+                       remote_machine ));
                return NT_STATUS_ACCESS_DENIED;
        }
 
@@ -487,7 +489,7 @@
                /* Restore the saved state of the netlogon creds. */
                become_root();
                ret = 
secrets_restore_schannel_session_info(p->pipe_state_mem_ctx,
-                                                       
get_remote_machine_name(),
+                                                       remote_machine,
                                                        &p->dc);
                unbecome_root();
                if (!ret) {
@@ -499,21 +501,21 @@
                return NT_STATUS_INVALID_HANDLE;
        }
 
-       DEBUG(3,("_net_srv_pwset: Server Password Set by Wksta:[%s] on account 
[%s]\n",
-                       workstation, p->dc->mach_acct));
+       DEBUG(3,("_net_srv_pwset: Server Password Set by remote machine:[%s] on 
account [%s]\n",
+                       remote_machine, p->dc->mach_acct));
        
        /* Step the creds chain forward. */
        if (!creds_server_step(p->dc, &q_u->clnt_id.cred, &cred_out)) {
                DEBUG(2,("_net_srv_pwset: creds_server_step failed. Rejecting 
auth "
                        "request from client %s machine account %s\n",
-                       p->dc->remote_machine, p->dc->mach_acct ));
+                       remote_machine, p->dc->mach_acct ));
                return NT_STATUS_INVALID_PARAMETER;
        }
 
        /* We must store the creds state after an update. */
        become_root();
        secrets_store_schannel_session_info(p->pipe_state_mem_ctx,
-                                               get_remote_machine_name(),
+                                               remote_machine,
                                                p->dc);
        pdb_init_sam(&sampass);
        ret=pdb_getsampwnam(sampass, p->dc->mach_acct);
@@ -588,6 +590,8 @@
 
 NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, 
NET_R_SAM_LOGOFF *r_u)
 {
+       fstring remote_machine;
+
        if ( (lp_server_schannel() == True) && (p->auth.auth_type != 
PIPE_AUTH_TYPE_SCHANNEL) ) {
                /* 'server schannel = yes' should enforce use of
                   schannel, the client did offer it in auth2, but
@@ -601,13 +605,17 @@
        if (!get_valid_user_struct(p->vuid))
                return NT_STATUS_NO_SUCH_USER;
 
+       /* Get the remote machine name for the creds store. */
+       
rpcstr_pull(remote_machine,q_u->sam_id.client.login.uni_comp_name.buffer,
+                   
sizeof(remote_machine),q_u->sam_id.client.login.uni_comp_name.uni_str_len*2,0);
+
        if (!p->dc) {
                /* Restore the saved state of the netlogon creds. */
                BOOL ret;
 
                become_root();
                ret = 
secrets_restore_schannel_session_info(p->pipe_state_mem_ctx,
-                                               get_remote_machine_name(),
+                                               remote_machine,
                                                &p->dc);
                unbecome_root();
                if (!ret) {
@@ -625,14 +633,14 @@
        if (!creds_server_step(p->dc, &q_u->sam_id.client.cred, 
&r_u->srv_creds)) {
                DEBUG(2,("_net_sam_logoff: creds_server_step failed. Rejecting 
auth "
                        "request from client %s machine account %s\n",
-                       p->dc->remote_machine, p->dc->mach_acct ));
+                       remote_machine, p->dc->mach_acct ));
                return NT_STATUS_INVALID_PARAMETER;
        }
 
        /* We must store the creds state after an update. */
        become_root();
        secrets_store_schannel_session_info(p->pipe_state_mem_ctx,
-                                       get_remote_machine_name(),
+                                       remote_machine,
                                        p->dc);
        unbecome_root();
 
@@ -640,10 +648,10 @@
        return r_u->status;
 }
 
-
 /*******************************************************************
  gets a domain user's groups from their already-calculated NT_USER_TOKEN
  ********************************************************************/
+
 static NTSTATUS nt_token_to_group_list(TALLOC_CTX *mem_ctx,
                                       const DOM_SID *domain_sid,
                                       size_t num_sids,
@@ -722,13 +730,22 @@
                return NT_STATUS_NO_SUCH_USER;
 
        if (process_creds) {
+               fstring remote_machine;
+
+               /* Get the remote machine name for the creds store. */
+               /* Note this is the remote machine this request is coming from 
(member server),
+                  not neccessarily the workstation name the user is logging 
onto.
+               */
+               
rpcstr_pull(remote_machine,q_u->sam_id.client.login.uni_comp_name.buffer,
+                   
sizeof(remote_machine),q_u->sam_id.client.login.uni_comp_name.uni_str_len*2,0);
+
                if (!p->dc) {
                        /* Restore the saved state of the netlogon creds. */
                        BOOL ret;
 
                        become_root();
                        ret = 
secrets_restore_schannel_session_info(p->pipe_state_mem_ctx,
-                                       get_remote_machine_name(),
+                                       remote_machine,
                                        &p->dc);
                        unbecome_root();
                        if (!ret) {
@@ -744,14 +761,14 @@
                if (!creds_server_step(p->dc, &q_u->sam_id.client.cred,  
&r_u->srv_creds)) {
                        DEBUG(2,("_net_sam_logon: creds_server_step failed. 
Rejecting auth "
                                "request from client %s machine account %s\n",
-                               p->dc->remote_machine, p->dc->mach_acct ));
+                               remote_machine, p->dc->mach_acct ));
                        return NT_STATUS_INVALID_PARAMETER;
                }
 
                /* We must store the creds state after an update. */
                become_root();
                secrets_store_schannel_session_info(p->pipe_state_mem_ctx,
-                                       get_remote_machine_name(),
+                                       remote_machine,
                                        p->dc);
                unbecome_root();
        }

Modified: branches/SAMBA_3_0/source/rpc_server/srv_pipe.c
===================================================================
--- branches/SAMBA_3_0/source/rpc_server/srv_pipe.c     2006-02-18 00:39:31 UTC 
(rev 13556)
+++ branches/SAMBA_3_0/source/rpc_server/srv_pipe.c     2006-02-18 01:21:18 UTC 
(rev 13557)
@@ -1292,8 +1292,14 @@
                return False;
        }
 
+       /*
+        * The neg.myname key here must match the remote computer name
+        * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
+        * operations that use credentials.
+        */
+
        become_root();
-       ret = secrets_restore_schannel_session_info(p->mem_ctx, 
get_remote_machine_name(), &pdcinfo);
+       ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, 
&pdcinfo);
        unbecome_root();
 
        if (!ret) {

<Prev in Thread] Current Thread [Next in Thread>
  • svn commit: samba r13557 - in branches/SAMBA_3_0/source/rpc_server: ., jra <=