uid = request->data.auth.uid;
- if (uid < 0) {
+ if (uid == (uid_t)-1) {
DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
return -1;
}
const DATA_BLOB *challenge,
const DATA_BLOB *lm_resp,
const DATA_BLOB *nt_resp,
+ bool interactive,
struct netr_SamInfo3 **pinfo3)
{
struct auth_context *auth_context;
/* We don't want to come back to winbindd or to do PAM account checks */
user_info->flags |= USER_INFO_LOCAL_SAM_ONLY | USER_INFO_INFO3_AND_NO_AUTHZ;
+ if (interactive) {
+ user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
+ }
+
status = make_auth_context_fixed(frame, &auth_context, challenge->data);
if (!NT_STATUS_IS_OK(status)) {
return result;
}
netr_attempts = 0;
-
- if (interactive && username != NULL && password != NULL) {
+ if (domain->conn.netlogon_creds == NULL) {
+ DBG_NOTICE("No security credentials available for "
+ "domain [%s]\n", domainname);
+ result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ } else if (interactive && username != NULL && password != NULL) {
result = rpccli_netlogon_password_logon(domain->conn.netlogon_creds,
netlogon_pipe->binding_handle,
mem_ctx,
rpc changetrustpw' */
if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
- DEBUG(3,("winbind_samlogon_retry_loop: sam_logon returned "
- "ACCESS_DENIED. Maybe the trust account "
+ DEBUG(1,("winbind_samlogon_retry_loop: sam_logon returned "
+ "ACCESS_DENIED. Maybe the DC has Restrict "
+ "NTLM set or the trust account "
"password was changed and we didn't know it. "
"Killing connections to domain %s\n",
domainname));
result = winbindd_dual_auth_passdb(
mem_ctx, 0, name_domain, name_user,
- &chal_blob, &lm_resp, &nt_resp, info3);
+ &chal_blob, &lm_resp, &nt_resp,
+ true, /* interactive */
+ info3);
/*
* We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
cached_info3->base.full_name.string);
} else {
- /* this might fail so we dont check the return code */
+ /* this might fail so we don't check the return code */
wcache_query_user_fullname(domain,
info3,
&user_sid,
mem_ctx,
logon_parameters,
name_domain, name_user,
- &chal_blob, &lm_response, &nt_response, info3);
+ &chal_blob, &lm_response, &nt_response,
+ false, /* interactive */
+ info3);
/*
* We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
cached_info3->base.full_name.string);
} else {
- /* this might fail so we dont check the return code */
+ /* this might fail so we don't check the return code */
wcache_query_user_fullname(domain,
*info3,
&user_sid,
#ifdef HAVE_KRB5
- if (state->request->data.logoff.uid < 0) {
+ if (state->request->data.logoff.uid == (uid_t)-1) {
DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
goto process_result;
}
}
if (logon_info) {
- /* Signature verification succeeded, trust the PAC */
+ /*
+ * Signature verification succeeded, we can
+ * trust the PAC and prime the netsamlogon
+ * and name2sid caches. DO NOT DO THIS
+ * in the signature verification failed
+ * code path.
+ */
+ struct winbindd_domain *domain = NULL;
+
result = create_info3_from_pac_logon_info(state->mem_ctx,
logon_info,
&info3_copy);
}
netsamlogon_cache_store(NULL, info3_copy);
+ /*
+ * We're in the parent here, so find the child
+ * pointer from the PAC domain name.
+ */
+ domain = find_domain_from_name_noinit(
+ info3_copy->base.logon_domain.string);
+ if (domain && domain->primary ) {
+ struct dom_sid user_sid;
+
+ sid_compose(&user_sid,
+ info3_copy->base.domain_sid,
+ info3_copy->base.rid);
+
+ cache_name2sid(domain,
+ info3_copy->base.logon_domain.string,
+ info3_copy->base.account_name.string,
+ SID_NAME_USER,
+ &user_sid);
+
+ DBG_INFO("PAC for user %s\%s SID %s primed cache\n",
+ info3_copy->base.logon_domain.string,
+ info3_copy->base.account_name.string,
+ sid_string_dbg(&user_sid));
+ }
+
} else {
/* Try without signature verification */
result = kerberos_pac_logon_info(state->mem_ctx, pac_blob, NULL,
git.samba.org / metze / samba / wip.git / blobdiff