Added :
authorJeremy Allison <jra@samba.org>
Wed, 23 Jan 2008 23:24:57 +0000 (15:24 -0800)
committerJeremy Allison <jra@samba.org>
Wed, 23 Jan 2008 23:24:57 +0000 (15:24 -0800)
Author: Jeremy Allison <jra@samba.org>
Date:   Wed Jan 23 15:23:16 2008 -0800

    Don't leak memory in error path.
    Jeremy.

Author: Jeremy Allison <jra@samba.org>
Date:   Wed Jan 23 15:00:40 2008 -0800

    Use strchr_m in searching for '.' in the hostname to make sure we're mb safe.
    Jeremy.

Author: Andreas Schneider <anschneider@suse.de>
Date:   Thu Jan 17 11:35:40 2008 +0100

    Fix Windows 2008 (Longhorn) join.

    During 'net ads join' the cli->desthost is a hostname (e.g.
    rupert.galaxy.site). Check if we have a hostname and use only the
    first part, the machine name, of the string.

Author: Andreas Schneider <anschneider@suse.de>
Date:   Thu Jan 17 10:11:11 2008 +0100

    Windows 2008 (Longhorn) auth2 flag fixes.

    Interop fixes for AD specific flags. Original patch from Todd Stetcher.

source/auth/auth_domain.c
source/include/rpc_dce.h
source/libsmb/cliconnect.c
source/libsmb/trusts_util.c
source/nsswitch/winbindd_cm.c
source/rpc_client/cli_pipe.c
source/rpcclient/rpcclient.c
source/utils/net_rpc_join.c
source/utils/net_rpc_samsync.c

index 3fae8b46c96e55d42ab80e7eae723409c9a3ea16..115c57fbe09d27380e04e2c795fe6aaacd72d56c 100644 (file)
@@ -125,7 +125,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
 
        if (!lp_client_schannel()) {
                /* We need to set up a creds chain on an unauthenticated netlogon pipe. */
-               uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
+               uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS;
                uint32 sec_chan_type = 0;
                unsigned char machine_pwd[16];
                const char *account_name;
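Review bot: Inside the `if (!lp_client_schannel())` branch the client now offers `NETLOGON_NEG_SCHANNEL` whenever `security = ads`, because `NETLOGON_NEG_AUTH2_ADS_FLAGS` in source/include/rpc_dce.h ORs that bit in. The same applies to source/utils/net_rpc_join.c, where the `lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0` term no longer changes the result under ADS. If offering the bit while client schannel is configured off is intended for the Windows 2008 interop fix, say so next to the initializer, for example `/* ADS flag set offers schannel even when lp_client_schannel() is off */`. Otherwise the schannel bit should be masked out on this path. The enclosing function starts and ends outside the hunk.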
index 09e5f25da8c5a90c53b6904f829f438ae4a57033..8a7934c04ae48599078869f7b39137740fa0aa33 100644 (file)
@@ -112,6 +112,8 @@ enum RPC_PKT_TYPE {
 /* these are the flags that ADS clients use */
 #define NETLOGON_NEG_AUTH2_ADS_FLAGS (0x200fbffb | NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_128BIT | NETLOGON_NEG_SCHANNEL)
 
+#define NETLOGON_NEG_SELECT_AUTH2_FLAGS ((lp_security() == SEC_ADS) ? NETLOGON_NEG_AUTH2_ADS_FLAGS : NETLOGON_NEG_AUTH2_FLAGS)
+
 enum schannel_direction {
        SENDER_IS_INITIATOR,
        SENDER_IS_ACCEPTOR
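Review bot: `NETLOGON_NEG_SELECT_AUTH2_FLAGS` reads like a constant but expands to a call to `lp_security()`, and nothing in the header says so. Every use re-reads the configuration, it only compiles where `lp_security()` and `SEC_ADS` are declared, and it cannot appear in a static initializer. Under `security = ads` the selected value already carries `NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_128BIT | NETLOGON_NEG_SCHANNEL`, which matters to anyone auditing what the client offers during netlogon negotiation. I would add a comment above the define such as `/* Runtime choice, not a constant: calls lp_security(); the ADS set includes ARCFOUR, 128BIT and SCHANNEL. */`.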
index fb94ff8ae7bfe8cb991e252ad2f5aa1bfe389f78..3168dd19e24da2e4c7ff8353d574f2e511084d98 100644 (file)
@@ -875,13 +875,27 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
                        !strequal(star_smbserver_name,
                                cli->desthost)) {
                        char *realm = NULL;
+                       char *machine = NULL;
+                       char *host = NULL;
                        DEBUG(3,("cli_session_setup_spnego: got a "
                                "bad server principal, trying to guess ...\n"));
 
+                       host = strchr_m(cli->desthost, '.');
+                       if (host) {
+                               machine = SMB_STRNDUP(cli->desthost,
+                                       host - cli->desthost);
+                       } else {
+                               machine = SMB_STRDUP(cli->desthost);
+                       }
+                       if (machine == NULL) {
+                               return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+                       }
+
                        realm = kerberos_get_default_realm_from_ccache();
                        if (realm && *realm) {
                                if (asprintf(&principal, "%s$@%s",
-                                               cli->desthost, realm) < 0) {
+                                               machine, realm) < 0) {
+                                       SAFE_FREE(machine);
                                        SAFE_FREE(realm);
                                        return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
                                }
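Review bot: Cutting `cli->desthost` at the first '.' assumes it holds a DNS name. If it can hold a dotted-quad address (not visible in this hunk), the guessed principal becomes something like `192$@REALM` (constructed example), and a value starting with '.' yields an empty machine name. Guard the truncation, for example `if (host && host != cli->desthost && !is_ipaddress(cli->desthost)) {`, so such values fall through to the `SMB_STRDUP` branch. `machine` is also allocated before the `realm && *realm` test, so it is duplicated and freed even when no principal is built. Moving the block inside that `if` would confine the new `NT_STATUS_NO_MEMORY` return to the path that needs the copy. The body of `cli_session_setup_spnego` extends beyond the hunk.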
@@ -889,6 +903,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
                                        "server principal=%s\n",
                                        principal ? principal : "<null>"));
                        }
+                       SAFE_FREE(machine);
                        SAFE_FREE(realm);
                }
 
index e4061883eb1f96c3064040e8e4412298b11a37ff..2580b500542a1d1bbb82463ae34af1707bcba630 100644 (file)
@@ -41,7 +41,7 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX
           already have valid creds. If not we must set them up. */
 
        if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
-               uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
+               uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS;
 
                result = rpccli_netlogon_setup_creds(cli, 
                                        cli->cli->desthost, /* server name */
index 3ca625e351dc6a5355769471b6431b27a82a3518..14c3fc1fde7cef54b315e22f954b63ed3f4b5fa8 100644 (file)
@@ -2027,7 +2027,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
        struct winbindd_cm_conn *conn;
        NTSTATUS result;
 
-       uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
+       uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS;
        uint8  mach_pwd[16];
        uint32  sec_chan_type;
        const char *account_name;
index baf3f8c99178dc2a8809e80fa96c4ee69a7053d8..bfcc20bcc1f532483721e33987774f0f3ec14189 100644 (file)
@@ -2595,7 +2595,7 @@ struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state
                                                const char *password,
                                                NTSTATUS *perr)
 {
-       uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
+       uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
        struct rpc_pipe_client *netlogon_pipe = NULL;
        struct rpc_pipe_client *result = NULL;
 
@@ -2629,7 +2629,7 @@ struct rpc_pipe_client *cli_rpc_pipe_open_schannel(struct cli_state *cli,
                                                 const char *domain,
                                                NTSTATUS *perr)
 {
-       uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
+       uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
        struct rpc_pipe_client *netlogon_pipe = NULL;
        struct rpc_pipe_client *result = NULL;
 
index f671e892a0f2808724e213af5b2a65ec9552709a..0f7ff63aa0e075700a7156cb50876357112ee23d 100644 (file)
@@ -568,7 +568,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
                }
 
                if (cmd_entry->pipe_idx == PI_NETLOGON) {
-                       uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
+                       uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS;
                        uint32 sec_channel_type;
                        uchar trust_password[16];
        
index d2c25eb54e5754ba7754a99180920e2f4b9f951c..1780535ae54ca7b9fe50d0474ee9596ccb8a966e 100644 (file)
@@ -114,7 +114,7 @@ int net_rpc_join_newstyle(int argc, const char **argv)
        struct cli_state *cli;
        TALLOC_CTX *mem_ctx;
         uint32 acb_info = ACB_WSTRUST;
-       uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0);
+       uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0);
        uint32 sec_channel_type;
        struct rpc_pipe_client *pipe_hnd = NULL;
 
index d8ddff20bc643723fbc3b77b43a522cc34eeaaae..bd209de0c16e4b1c36142b37c3c3caeb2128eb1b 100644 (file)
@@ -238,7 +238,7 @@ NTSTATUS rpc_samdump_internals(const DOM_SID *domain_sid,
 
        NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
        uchar trust_password[16];
-       uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
+       uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS;
        uint32 sec_channel_type = 0;
 
        if (!secrets_fetch_trust_account_password(domain_name,