#include "dsdb/samdb/samdb.h"
#include "param/param.h"
#include "../lib/tsocket/tsocket.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "lib/messaging/irpc.h"
static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode)
{
return ret;
}
+static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx,
+ struct samba_kdc_db_context *kdc_db_ctx,
+ struct auth_usersupplied_info *user_info)
+{
+ struct dcerpc_binding_handle *irpc_handle;
+ struct winbind_SamLogon req;
+ struct netr_IdentityInfo *identity_info;
+ struct netr_NetworkInfo *network_info;
+
+ irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx,
+ "winbind_server",
+ &ndr_table_winbind);
+ if (irpc_handle == NULL) {
+ DEBUG(0, ("Winbind fowarding for [%s]\\[%s] failed, "
+ "no winbind_server running!\n",
+ user_info->mapped.domain_name, user_info->mapped.account_name));
+ return;
+ }
+
+ network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
+ if (network_info == NULL) {
+ DEBUG(0, ("Winbind forwarding failed: No memory\n"));
+ return;
+ }
+
+ identity_info = &network_info->identity_info;
+ req.in.logon_level = 2;
+ req.in.logon.network = network_info;
+
+ identity_info->domain_name.string = user_info->mapped.domain_name;
+ identity_info->parameter_control = user_info->logon_parameters; /* TODO */
+ identity_info->logon_id_low = 0;
+ identity_info->logon_id_high = 0;
+ identity_info->account_name.string = user_info->mapped.account_name;
+ identity_info->workstation.string
+ = talloc_asprintf(identity_info, "krb5-bad-pw on RODC from %s",
+ tsocket_address_string(user_info->remote_host,
+ identity_info));
+ if (identity_info->workstation.string == NULL) {
+ DEBUG(0, ("Winbind forwarding failed: No memory allocating workstation string\n"));
+ return;
+ }
+
+ req.in.validation_level = 3;
+
+ /*
+ * The memory in identity_info and user_info only needs to be
+ * valid until the end of this function call, as it will be
+ * pushed to NDR during this call
+ */
+
+ dcerpc_winbind_SamLogon_r_send(mem_ctx, kdc_db_ctx->ev_ctx,
+ irpc_handle, &req);
+}
+
static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
hdb_entry_ex *entry,
struct sockaddr *from_addr,
NTSTATUS status;
int ret;
- if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) {
- authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
- status = NT_STATUS_WRONG_PASSWORD;
- } else {
- status = NT_STATUS_OK;
- }
-
ret = tsocket_address_bsd_from_sockaddr(frame, from_addr,
sa_socklen,
&remote_host);
ui.mapped.account_name = account_name;
ui.mapped.domain_name = domain_name;
+ if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) {
+ authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
+ status = NT_STATUS_WRONG_PASSWORD;
+ /*
+ * TODO We currently send a bad password via NETLOGON,
+ * however, it should probably forward the ticket to
+ * another KDC to allow login after password changes.
+ */
+ if (kdc_db_ctx->rodc) {
+ send_bad_password_netlogon(frame, kdc_db_ctx, &ui);
+ }
+ } else {
+ status = NT_STATUS_OK;
+ }
+
log_authentication_event(kdc_db_ctx->msg_ctx,
kdc_db_ctx->lp_ctx,
&ui,
git.samba.org / garming / samba-autobuild / .git / commitdiff