author | Volker Lendecke <vl@samba.org> | 2017-09-13 11:51:47 -0700 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2017-09-25 09:43:13 +0200 |
commit | 4d19f8b4b957814b11d096acc75e670878bc8240 (patch) | |
tree | fe9b4d19d5e1862e2a947e0dd96a8a207951e176 /source3/libsmb | |
parent | f6e39450f539e2014854debb485023e46a8f16d2 (diff) | |
download | samba-4d19f8b4b957814b11d096acc75e670878bc8240.tar.gz |
netlogon_creds_cli: Protect netlogon_creds_cli_auth by _lck
This widens the lock range to cover the check for established
credentials. Before this patch it could happen that more than one
winbind finds no credentials and does the auth3. This can pile up.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source3/libsmb')
-rw-r--r-- | source3/libsmb/trusts_util.c | 46 |
1 files changed, 38 insertions, 8 deletions
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 57cd542e08a..27e77e6cc60 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -104,6 +104,36 @@ char *trust_pw_new_value(TALLOC_CTX *mem_ctx,
 return generate_random_machine_password(mem_ctx, min, max);
 }
 
+/*
+ * Temporary function to wrap cli_auth in a lck
+ */
+
+static NTSTATUS netlogon_creds_cli_lck_auth(
+ struct netlogon_creds_cli_context *context,
+ struct dcerpc_binding_handle *b,
+ uint8_t num_nt_hashes,
+ const struct samr_Password * const *nt_hashes,
+ uint8_t *idx_nt_hashes)
+{
+ struct netlogon_creds_cli_lck *lck;
+ NTSTATUS status;
+
+ status = netlogon_creds_cli_lck(
+ context, NETLOGON_CREDS_CLI_LCK_EXCLUSIVE,
+ talloc_tos(), &lck);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("netlogon_creds_cli_lck failed: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+
+ status = netlogon_creds_cli_auth(context, b, num_nt_hashes, nt_hashes,
+ idx_nt_hashes);
+ TALLOC_FREE(lck);
+
+ return status;
+}
+
 NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
 struct messaging_context *msg_ctx,
 struct dcerpc_binding_handle *b,
@@ -358,10 +388,10 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
 * ServerTrustPasswordsGet() or netr_ServerGetTrustInfo() to fix our
 * local secrets before doing the change.
 */
- status = netlogon_creds_cli_auth(context, b,
- num_nt_hashes,
- nt_hashes,
- &idx_nt_hashes);
+ status = netlogon_creds_cli_lck_auth(context, b,
+ num_nt_hashes,
+ nt_hashes,
+ &idx_nt_hashes);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(0, ("netlogon_creds_cli_auth(%s) failed for old passwords (%u) - %s!\n",
 context_name, num_nt_hashes, nt_errstr(status)));
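Review bot: The comment above `netlogon_creds_cli_lck_auth` does not say what the lock protects or why the wrapper is temporary, and the exclusive lock taken by `netlogon_creds_cli_lck` stays held for the whole of `netlogon_creds_cli_auth`, which presumably includes the round trips to the domain controller. If the lock wait has no timeout (not visible in this hunk), a slow or unreachable DC would leave every other process queued behind the holder, so the pile-up described in the commit message moves from the DC to the lock. I would state this in the comment, for example `/* Serialises netlogon_creds_cli_auth() under the exclusive creds lock; the lock is held across the whole exchange, so waiters block until it completes or fails. */`, and add what bounds the wait.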
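Review bot: The `DEBUG(0, ...)` message after the changed call still reads `netlogon_creds_cli_auth(%s) failed for old passwords`, but `status` can now also come from a failed `netlogon_creds_cli_lck` inside the new wrapper, so a locking error is logged at level 0 as a trust-password authentication failure. Someone triaging a failed machine-password change from that line could be led towards a credential mismatch that did not happen; the wrapper's own `DBG_WARNING` is only visible at warning level. Consider naming the wrapper in the message, e.g. `"netlogon_creds_cli_lck_auth(%s) failed for old passwords (%u) - %s!\n"`. The same applies to the `failed for new password` message in the hunk at -571/+601. `trust_pw_change` starts and ends outside this hunk.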
@@ -571,10 +601,10 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
 idx_current = idx;
 nt_hashes[idx++] = current_nt_hash;
 num_nt_hashes = idx;
- status = netlogon_creds_cli_auth(context, b,
- num_nt_hashes,
- nt_hashes,
- &idx_nt_hashes);
+ status = netlogon_creds_cli_lck_auth(context, b,
+ num_nt_hashes,
+ nt_hashes,
+ &idx_nt_hashes);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(0, ("netlogon_creds_cli_auth(%s) failed for new password - %s!\n",
 context_name, nt_errstr(status))); |