time_t startup_time; /* When we set "startup" true. */
BOOL startup; /* are we in the first 30 seconds after startup_time ? */
+ BOOL can_do_samlogon_ex; /* Due to the lack of finer control what type
+ * of DC we have, let us try to do a
+ * credential-chain less samlogon_ex call
+ * with AD and schannel. If this fails with
+ * DCERPC_FAULT_OP_RNG_ERROR, then set this
+ * to False. This variable is around so that
+ * we don't have to try _ex every time. */
+
/* Lookup methods for this domain (LDAP or RPC) */
struct winbindd_methods *methods;
no_schannel:
if ((lp_client_schannel() == False) ||
((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+
+ /*
+ * NetSamLogonEx only works for schannel
+ */
+ domain->can_do_samlogon_ex = False;
+
/* We're done - just keep the existing connection to NETLOGON
* open */
conn->netlogon_pipe = netlogon_pipe;
return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
}
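Review bot: The new comment at L17-L19 says what is disabled but not why, and the why is the security-relevant part: per the field comment added in this commit (L3-L9) NetSamLogonEx is the "credential-chain less" call, so the request carries no per-call NETLOGON authenticator and its authenticity rests entirely on the schannel binding; on a plain pipe (L14-L15) the DC has nothing to verify. I would replace the comment with `/* NetSamLogonEx carries no NETLOGON authenticator (no credential chain), so the request is only authenticated by the schannel binding; never use it on a non-schannel pipe. */`. Clearing the flag here before the pipe is handed back (L24) is the right ordering, since the logon path reads it from the domain struct rather than from the pipe. The enclosing function starts before this hunk and the surrounding code between L26 and L27 is not visible, so I cannot tell whether the schannel-failure return on L25 also leaves `can_do_samlogon_ex` in a defined state.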
+ /*
+ * Try NetSamLogonEx for AD domains
+ */
+ domain->can_do_samlogon_ex = domain->active_directory;
+
*cli = conn->netlogon_pipe;
return NT_STATUS_OK;
}
/* check authentication loop */
do {
+ NTSTATUS (*logon_fn)(struct rpc_pipe_client
+ *cli, TALLOC_CTX *mem_ctx,
+ uint32 logon_parameters,
+ const char *server,
+ const char *username,
+ const char *domain,
+ const char *workstation,
+ const uint8 chal[8],
+ DATA_BLOB lm_response,
+ DATA_BLOB nt_response,
+ NET_USER_INFO_3 *info3);
ZERO_STRUCTP(my_info3);
retry = False;
goto done;
}
- result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
+ logon_fn = contact_domain->can_do_samlogon_ex
+ ? rpccli_netlogon_sam_network_logon_ex
+ : rpccli_netlogon_sam_network_logon;
+
+ result = logon_fn(netlogon_pipe,
state->mem_ctx,
0,
contact_domain->dcname, /* server name */
lm_resp,
nt_resp,
my_info3);
+
+ if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
+ && contact_domain->can_do_samlogon_ex) {
+ DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
+ "retrying with NetSamLogon\n"));
+ contact_domain->can_do_samlogon_ex = False;
+ retry = True;
+ continue;
+ }
+
attempts += 1;
/* We have to try a second time as cm_connect_netlogon
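Review bot: The fallback at L65 hinges on the RPC client layer surfacing the fault PDU's status verbatim as an NTSTATUS; if a DCERPC fault is ever mapped to a generic failure instead, a DC that does not implement the NetSamLogonEx opnum fails authentication outright rather than falling back, so the check deserves a short comment saying so and a clearer spelling, `if (NT_STATUS_EQUAL(result, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR)) && contact_domain->can_do_samlogon_ex)`. Because the flag then stays cleared for the whole domain until the next cm_connect_netlogon recomputes it, the DEBUG line on L67-L68 is the only trace of the downgrade; it should name the DC: `DEBUG(3, ("DC %s can not do NetSamLogonEx, retrying with NetSamLogon\n", contact_domain->dcname));`. The eleven-line function-pointer declaration (L37-L47) and this retry block are duplicated verbatim in the auth_crap loop below (L78-L88, L105-L112); a file-scope typedef plus a small static helper that picks the function from `can_do_samlogon_ex` would keep the two in step. The `continue` on L71 relies on the do/while condition re-entering the loop when `retry` is set; that condition and the rest of the loop are outside this hunk.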
}
do {
+ NTSTATUS (*logon_fn)(struct rpc_pipe_client
+ *cli, TALLOC_CTX *mem_ctx,
+ uint32 logon_parameters,
+ const char *server,
+ const char *username,
+ const char *domain,
+ const char *workstation,
+ const uint8 chal[8],
+ DATA_BLOB lm_response,
+ DATA_BLOB nt_response,
+ NET_USER_INFO_3 *info3);
+
ZERO_STRUCT(info3);
retry = False;
goto done;
}
- result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
+ logon_fn = contact_domain->can_do_samlogon_ex
+ ? rpccli_netlogon_sam_network_logon_ex
+ : rpccli_netlogon_sam_network_logon;
+
+ result = logon_fn(netlogon_pipe,
state->mem_ctx,
state->request.data.auth_crap.logon_parameters,
contact_domain->dcname,
nt_resp,
&info3);
+ if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
+ && contact_domain->can_do_samlogon_ex) {
+ DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
+ "retrying with NetSamLogon\n"));
+ contact_domain->can_do_samlogon_ex = False;
+ retry = True;
+ continue;
+ }
+
attempts += 1;
/* We have to try a second time as cm_connect_netlogon