The branch, v4-6-test has been updated
via 3af01bd libnet_join: fix "net rpc oldjoin"
via b9d0fce s3:selftest: add samba3.blackbox.net_rpc_oldjoin test
from eea9b63 ctdb-common: Call missing tevent_wakeup_recv() in
sock_daemon
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test
- Log -----------------------------------------------------------------
commit 3af01bd9c80624889dec2bed1016fd4baa4cde4b
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Nov 16 21:09:20 2017 +0000
libnet_join: fix "net rpc oldjoin"
We need to open the ncacn_np (smb) transport connection with
anonymous credentials.
In order to do netr_ServerPasswordSet*() we need to
establish a 2nd netlogon connection using dcerpc schannel
authentication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13149
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
(similar to commit d27f38d35bf111a5c0a898a5ef8b7dd0b320da0d)
Autobuild-User(v4-6-test): Karolin Seeger <ksee...@samba.org>
Autobuild-Date(v4-6-test): Wed Nov 29 12:59:34 CET 2017 on sn-devel-144
commit b9d0fce671883cabf1eb32fbc200ff31f1ad0ed4
Author: Stefan Metzmacher <me...@samba.org>
Date: Fri Nov 17 15:51:36 2017 +0100
s3:selftest: add samba3.blackbox.net_rpc_oldjoin test
This demonstrates that "net rpc oldjoin" is currently broken.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13149
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
(cherry picked from commit 9466796c87cc4ca8d32da553421cd8ecef1bb8e4)
-----------------------------------------------------------------------
Summary of changes:
source3/libnet/libnet_join.c | 94 +++++++++++++++++++++-------
source3/script/tests/test_net_rpc_oldjoin.sh | 32 ++++++++++
source3/selftest/tests.py | 4 ++
3 files changed, 108 insertions(+), 22 deletions(-)
create mode 100755 source3/script/tests/test_net_rpc_oldjoin.sh
Changeset truncated at 500 lines:
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 591c177..903c93b 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1044,12 +1044,23 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX
*mem_ctx,
NTSTATUS status, result;
union lsa_PolicyInformation *info = NULL;
struct dcerpc_binding_handle *b;
+ const char *account = r->in.admin_account;
+ const char *domain = r->in.admin_domain;
+ const char *password = r->in.admin_password;
+ bool use_kerberos = r->in.use_kerberos;
+
+ if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) {
+ account = "";
+ domain = "";
+ password = NULL;
+ use_kerberos = false;
+ }
status = libnet_join_connect_dc_ipc(r->in.dc_name,
- r->in.admin_account,
- r->in.admin_domain,
- r->in.admin_password,
- r->in.use_kerberos,
+ account,
+ domain,
+ password,
+ use_kerberos,
cli);
if (!NT_STATUS_IS_OK(status)) {
goto done;
@@ -1121,16 +1132,19 @@ static NTSTATUS
libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
struct cli_state *cli)
{
TALLOC_CTX *frame = talloc_stackframe();
- struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct rpc_pipe_client *authenticate_pipe = NULL;
+ struct rpc_pipe_client *passwordset_pipe = NULL;
struct netlogon_creds_cli_context *netlogon_creds = NULL;
- struct samr_Password current_nt_hash;
+ struct cli_credentials *cli_creds = NULL;
+ struct netlogon_creds_CredentialState *creds = NULL;
+ uint32_t netlogon_flags = 0;
size_t len = 0;
bool ok;
DATA_BLOB new_trust_blob = data_blob_null;
NTSTATUS status;
status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
- &netlogon_pipe);
+ &authenticate_pipe);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(frame);
return status;
@@ -1148,31 +1162,67 @@ static NTSTATUS
libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
}
}
+ cli_creds = cli_credentials_init(talloc_tos());
+ if (cli_creds == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ cli_credentials_set_username(cli_creds, r->out.account_name,
+ CRED_SPECIFIED);
+ cli_credentials_set_domain(cli_creds, r->in.domain_name,
+ CRED_SPECIFIED);
+ cli_credentials_set_realm(cli_creds, "", CRED_SPECIFIED);
+ cli_credentials_set_secure_channel_type(cli_creds,
+ r->in.secure_channel_type);
+
/* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
- E_md4hash(r->in.admin_password, current_nt_hash.hash);
-
- status = rpccli_create_netlogon_creds(netlogon_pipe->desthost,
- r->in.domain_name,
- r->out.account_name,
- r->in.secure_channel_type,
- r->in.msg_ctx,
- frame,
- &netlogon_creds);
+ cli_credentials_set_password(cli_creds, r->in.admin_password,
+ CRED_SPECIFIED);
+
+ status = rpccli_create_netlogon_creds_with_creds(cli_creds,
+
authenticate_pipe->desthost,
+ r->in.msg_ctx,
+ frame,
+ &netlogon_creds);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(frame);
return status;
}
- status = rpccli_setup_netlogon_creds(cli, NCACN_NP,
- netlogon_creds,
- true, /* force_reauth */
- current_nt_hash,
- NULL); /* previous_nt_hash */
+ status = rpccli_setup_netlogon_creds_with_creds(cli, NCACN_NP,
+ netlogon_creds,
+ true, /* force_reauth */
+ cli_creds);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(frame);
return status;
}
+ status = netlogon_creds_cli_get(netlogon_creds, frame, &creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ netlogon_flags = creds->negotiate_flags;
+ TALLOC_FREE(creds);
+
+ if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
+ status = cli_rpc_pipe_open_schannel_with_creds(cli,
+
&ndr_table_netlogon,
+ NCACN_NP,
+ cli_creds,
+ netlogon_creds,
+
&passwordset_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
+ return status;
+ }
+ } else {
+ passwordset_pipe = authenticate_pipe;
+ }
+
len = strlen(r->in.machine_password);
ok = convert_string_talloc(frame, CH_UNIX, CH_UTF16,
r->in.machine_password, len,
@@ -1188,7 +1238,7 @@ static NTSTATUS
libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
}
status = netlogon_creds_cli_ServerPasswordSet(netlogon_creds,
-
netlogon_pipe->binding_handle,
+
passwordset_pipe->binding_handle,
&new_trust_blob,
NULL); /* new_version */
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/script/tests/test_net_rpc_oldjoin.sh
b/source3/script/tests/test_net_rpc_oldjoin.sh
new file mode 100755
index 0000000..070fcc1
--- /dev/null
+++ b/source3/script/tests/test_net_rpc_oldjoin.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+if [ $# -lt 3 ]; then
+cat <<EOF
+Usage: test_net_rpc_oldjoin.sh SERVER PREFIX SMB_CONF_PATH
+EOF
+exit 1;
+fi
+
+SERVER="$1"
+PREFIX="$2"
+SMB_CONF_PATH="$3"
+shift 3
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+maccount="OLDJOINTEST"
+privatedir="$PREFIX/private"
+
+UID_WRAPPER_ROOT=1
+export UID_WRAPPER_ROOT
+
+OPTIONS="--configfile $SMB_CONF_PATH --option=netbiosname=$maccount
--option=security=domain --option=domainlogons=no
--option=privatedir=$privatedir"
+
+testit "mkdir -p $privatedir" mkdir -p $privatedir || failed=`expr $failed + 1`
+testit "smbpasswd -a -m" $VALGRIND $BINDIR/smbpasswd -L -c $SMB_CONF_PATH -a
-m "$maccount" || failed=`expr $failed + 1`
+testit "net_rpc_oldjoin" $VALGRIND $BINDIR/net rpc oldjoin -S $SERVER $OPTIONS
|| failed=`expr $failed + 1`
+testit "net_rpc_testjoin1" $VALGRIND $BINDIR/net rpc testjoin -S $SERVER
$OPTIONS || failed=`expr $failed + 1`
+testit "net_rpc_changetrustpw" $VALGRIND $BINDIR/net rpc changetrustpw -S
$SERVER $OPTIONS || failed=`expr $failed + 1`
+testit "net_rpc_testjoin2" $VALGRIND $BINDIR/net rpc testjoin -S $SERVER
$OPTIONS || failed=`expr $failed + 1`
+
+testok $0 $failed
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index ec10de9..9a0eac1 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -521,6 +521,10 @@ plantestsuite("samba3.blackbox.net_rpc_join", "nt4_dc",
[os.path.join(samba3srcdir, "script/tests/test_net_rpc_join.sh"),
"$USERNAME", "$PASSWORD", "$SERVER", "$PREFIX/net_rpc_join",
configuration])
+plantestsuite("samba3.blackbox.net_rpc_oldjoin", "nt4_dc:local",
+ [os.path.join(samba3srcdir,
"script/tests/test_net_rpc_oldjoin.sh"),
+ "$SERVER", "$PREFIX/net_rpc_oldjoin",
+ "$SMB_CONF_PATH"])
plantestsuite("samba3.blackbox.rpcclient_srvsvc", "simpleserver",
[os.path.join(samba3srcdir,
"script/tests/test_rpcclientsrvsvc.sh"),
--
Samba Shared Repository
