author | Garming Sam <garming@catalyst.net.nz> | 2017-04-11 15:51:50 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-05-30 08:06:07 +0200 |
commit | fd29e28d5231a4e576979c0b116564b751be8831 (patch) | |
tree | 30b1dcba3607e5a502ab6335a5cebe665e04b979 /source4/auth/ntlm | |
parent | 8ae968193b7084af8bb0ccf7d624ff10e39d5715 (diff) | |
download | samba-fd29e28d5231a4e576979c0b116564b751be8831.tar.gz |
netlogon: Implement SendToSam along with its winbind forwarding
This allows bad-password-count resets (to 0) to be forwarded. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).
(further patches still need to address forcing a RWDC contact)
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth/ntlm')
-rw-r--r-- | source4/auth/ntlm/auth_sam.c | 56 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_winbind.c | 3 |
2 files changed, 57 insertions, 2 deletions
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index fed5dd3f308..ee4a054c8c7 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -32,6 +32,7 @@
 #include "dsdb/common/util.h"
 #include "param/param.h"
 #include "librpc/gen_ndr/ndr_irpc_c.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
 #include "lib/messaging/irpc.h"
 #include "libcli/auth/libcli_auth.h"
 #include "libds/common/roles.h"
@@ -103,6 +104,49 @@ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context,
 	return NT_STATUS_OK;
 }
 
+static void auth_sam_trigger_zero_password(TALLOC_CTX *mem_ctx,
+					   struct imessaging_context *msg_ctx,
+					   struct tevent_context *event_ctx,
+					   struct netr_SendToSamBase *send_to_sam)
+{
+	struct dcerpc_binding_handle *irpc_handle;
+	struct winbind_SendToSam r;
+	struct tevent_req *req;
+	TALLOC_CTX *tmp_ctx;
+
+	tmp_ctx = talloc_new(mem_ctx);
+	if (tmp_ctx == NULL) {
+		return;
+	}
+
+	irpc_handle = irpc_binding_handle_by_name(tmp_ctx, msg_ctx,
+						  "winbind_server",
+						  &ndr_table_winbind);
+	if (irpc_handle == NULL) {
+		DEBUG(1,(__location__ ": Unable to get binding handle for winbind\n"));
+		TALLOC_FREE(tmp_ctx);
+		return;
+	}
+
+	r.in.message = *send_to_sam;
+
+	/*
+	 * This seem to rely on the current IRPC implementation,
+	 * which delivers the message in the _send function.
+	 *
+	 * TODO: we need a ONE_WAY IRPC handle and register
+	 * a callback and wait for it to be triggered!
+	 */
+	req = dcerpc_winbind_SendToSam_r_send(tmp_ctx,
+					      event_ctx,
+					      irpc_handle,
+					      &r);
+
+	/* we aren't interested in a reply */
+	talloc_free(req);
+	TALLOC_FREE(tmp_ctx);
+
+}
 
 /* send a message to the drepl server telling it to initiate a 
@@ -482,6 +526,7 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
 	NTSTATUS nt_status;
 	bool interactive = (user_info->password_state == AUTH_PASSWORD_HASH);
 	uint32_t acct_flags = samdb_result_acct_flags(msg, NULL);
+	struct netr_SendToSamBase *send_to_sam = NULL;
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 	if (!tmp_ctx) {
 		return NT_STATUS_NO_MEMORY;
@@ -533,7 +578,16 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
 
 	nt_status = authsam_logon_success_accounting(auth_context->sam_ctx,
 						     msg, domain_dn,
-						     interactive);
+						     interactive,
+						     &send_to_sam);
+
+	if (send_to_sam != NULL) {
+		auth_sam_trigger_zero_password(tmp_ctx,
+					       auth_context->msg_ctx,
+					       auth_context->event_ctx,
+					       send_to_sam);
+	}
+
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		TALLOC_FREE(tmp_ctx);
 		return nt_status;
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index 41819dca605..84f278ddd85 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -225,7 +225,8 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
 			if (NT_STATUS_IS_OK(status)) {
 				authsam_logon_success_accounting(ctx->auth_ctx->sam_ctx,
 								 msg, domain_dn,
-								 user_info->flags & USER_INFO_INTERACTIVE_LOGON);
+								 user_info->flags & USER_INFO_INTERACTIVE_LOGON,
+								 NULL);
 			}
 		}
 	}
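Review bot: The new `if (send_to_sam != NULL)` block in authsam_authenticate forwards the SendToSam message before `nt_status` from authsam_logon_success_accounting is inspected, so if that callee can populate `send_to_sam` on a path that also returns a failure status, a bad-password-count reset would still be forwarded for a logon that this function is about to reject. Whether the callee ever does that is not visible from this hunk; either move the forwarding block below the `if (!NT_STATUS_IS_OK(nt_status))` early return so it only runs for an accepted logon, or add a comment such as `/* send_to_sam is only populated when accounting succeeded */` recording the contract being relied on. The forwarding also runs regardless of whether this DC is an RODC allowed to cache the account, which the commit message already flags as future work. authsam_authenticate begins and ends outside this hunk.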
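Review bot: The new `NULL` argument in winbind_check_password opts this path out of the SendToSam forwarding that auth_sam.c gates on a non-NULL `send_to_sam`, but nothing in the hunk records whether that is deliberate or merely unfinished. A short comment on the new line, for example `NULL /* no SendToSam forwarding on the winbind path */`, would tell the next reader that bad-password-count resets are intentionally not forwarded here. The enclosing function starts and ends outside this hunk.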