winbindd: Do not run SAM auth stack in winbind SamLogon
authorGarming Sam <garming@catalyst.net.nz>
Wed, 12 Apr 2017 02:12:32 +0000 (14:12 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 30 May 2017 06:06:06 +0000 (08:06 +0200)
pdbtest.s4winbind is no longer applicable without a live NETLOGON
connection.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail
source3/winbindd/winbindd_dual_srv.c
source3/winbindd/winbindd_pam.c
source3/winbindd/winbindd_proto.h

index 3cc945b4a31128e999f1f3fb4d8fa02bb6418281..c6047c854455802db1e5110d7c0c49142d809345 100644 (file)
 ^samba4.winbind.struct.lookup_name_sid\(ad_member:local\)
 ^samba4.winbind.struct.getdcname\(nt4_member:local\) # Works in other modes, just not against the classic/NT4 DC
 #
+# This test is no longer valid given s4winbind needs a live NETLOGON server
+#
+^samba.blackbox.pdbtest.s4winbind\(ad_dc_ntvfs\).pdbtest
+#
 # Differences in our KDC compared to windows
 #
 ^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally
index 02b1adb2117feeccfd22a1c4e427d7f5d40bf9e9..8007c7d38d1673e8f653766faa67c05e3fd6c3cc 100644 (file)
@@ -890,7 +890,9 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
                                       r->in.logon.network->identity_info.workstation.string,
                                       r->in.logon.network->challenge,
                                       lm_response, nt_response,
-                                      &r->out.authoritative, &flags,
+                                      &r->out.authoritative,
+                                      true,
+                                      &flags,
                                       &r->out.validation.sam3);
        return status;
 }
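Review bot: The bare `true` added between `&r->out.authoritative` and `&flags` does not tell a reader of this call which behaviour it selects. An inline tag such as `true, /* skip_sam */` would make the call readable without opening the prototype. Since this is the RPC entry point, a one-line comment on why the local SAM stack must not be consulted here would also help, because only the commit title says so. The same tagging applies to the `false` added in the winbindd_dual_pam_auth_crap hunk. _winbind_SamLogon starts outside this hunk.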
index c792cfe704fdd6b0ed2b76585e1c201d60e5e08b..4d3a7eeb1ba9e7ea0a43afd7ec352e2843d6af6f 100644 (file)
@@ -2003,6 +2003,7 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
                               DATA_BLOB lm_response,
                               DATA_BLOB nt_response,
                               uint8_t *authoritative,
+                              bool skip_sam,
                               uint32_t *flags,
                               struct netr_SamInfo3 **info3)
 {
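Review bot: The new `skip_sam` parameter is undocumented both here and on the prototype in winbindd_proto.h, although it changes which authentication backend answers a logon. With `skip_sam` true, the condition in the next hunk (`!skip_sam && strequal(domain->name, get_global_sam_name())`) is false even when the domain is the local SAM, so the request presumably falls through to the NETLOGON path, which is not visible in these hunks. I would add a short comment above the function saying so, and stating what status and `*authoritative` value a caller should expect when `skip_sam` is set for the local SAM domain and no NETLOGON connection is available. The function body continues outside the hunk.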
@@ -2017,7 +2018,7 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
         * name_domain can also be lp_realm()
         * we need to check against domain->name.
         */
-       if (strequal(domain->name, get_global_sam_name())) {
+       if (!skip_sam && strequal(domain->name, get_global_sam_name())) {
                DATA_BLOB chal_blob = data_blob_const(
                        chal, 8);
 
@@ -2172,6 +2173,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
                                       lm_resp,
                                       nt_resp,
                                       &authoritative,
+                                      false,
                                       &flags,
                                       &info3);
        if (!NT_STATUS_IS_OK(result)) {
index 57b363a7bd84034df001eeec87b480d9219487c1..6d6fafcb72f254dbae65036e6811263a38bae46d 100644 (file)
@@ -454,6 +454,7 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
                               DATA_BLOB lm_response,
                               DATA_BLOB nt_response,
                               uint8_t *authoritative,
+                              bool skip_sam,
                               uint32_t *flags,
                               struct netr_SamInfo3 **info3);