authorAndrew Bartlett <abartlet@samba.org>2011-11-10 17:41:28 +1100
committerAndrew Bartlett <abartlet@samba.org>2011-11-17 02:10:54 +0100
commit2de232ae2a187941f8114ff0948ca50082007761 (patch)
treeef55ac8ae9121a8b83edb3ef495f43c20ee2dce7 /source3/nmbd
parent47d34997e84e8f9c05be7b95b9ae4dbd6ea7298e (diff)
s3-nmbd Remove AD netlogon response from s3 nmbd server
I do not want users with misconfigurations to have nmbd respond with this partially correct packet. For example, it hardcodes the site as Default-First-Site-Name. If nmbd wishes to return this information, it would need to query the AD database using the same APIs that the source4/ nbt server does. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Nov 17 02:10:54 CET 2011 on sn-devel-104
Diffstat (limited to 'source3/nmbd')
-rw-r--r--source3/nmbd/nmbd_processlogon.c107
1 files changed, 15 insertions, 92 deletions
diff --git a/source3/nmbd/nmbd_processlogon.c b/source3/nmbd/nmbd_processlogon.c
index 4fe5d0ee87..76864e640e 100644
--- a/source3/nmbd/nmbd_processlogon.c
+++ b/source3/nmbd/nmbd_processlogon.c
@@ -455,6 +455,7 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
bool user_unknown = false;
struct netlogon_samlogon_response samlogon;
+ struct NETLOGON_SAM_LOGON_RESPONSE_NT40 nt4;
if (global_nmbd_proxy_logon) {
nmbd_proxy_logon(global_nmbd_proxy_logon,
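Review bot: `nt4` is now declared at function scope without an initializer, and the second hunk copies it wholesale with `samlogon.data.nt4 = nt4;` before it is placed in the response sent back to the requesting host. The seven fields assigned there may well be every member of the struct, but its definition is not visible on this page, so any member left unset would carry stale stack contents into the packet. Clearing it before the assignments with `ZERO_STRUCT(nt4);` (and likewise `samlogon`, if it is not already cleared outside the hunk) makes the reply independent of the IDL layout. The enclosing function starts and ends outside this hunk.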
@@ -482,99 +483,21 @@ logons are not enabled.\n", inet_ntoa(p->ip) ));
user_unknown = true;
}
- /* we want the simple version unless we are an ADS PDC..which means */
- /* never, at least for now */
-
- if ((request.req.logon.nt_version < (NETLOGON_NT_VERSION_1 | NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX_WITH_IP)) ||
- (SEC_ADS != lp_security()) || (ROLE_DOMAIN_PDC != lp_server_role())) {
-
- struct NETLOGON_SAM_LOGON_RESPONSE_NT40 nt4;
-
- nt4.command = user_unknown ? LOGON_SAM_LOGON_USER_UNKNOWN :
- LOGON_SAM_LOGON_RESPONSE;
- nt4.pdc_name = pdc_name;
- nt4.user_name = request.req.logon.user_name;
- nt4.domain_name = lp_workgroup();
- nt4.nt_version = NETLOGON_NT_VERSION_1;
- nt4.lmnt_token = 0xffff;
- nt4.lm20_token = 0xffff;
-
- samlogon.ntver = NETLOGON_NT_VERSION_1;
- samlogon.data.nt4 = nt4;
-
- if (DEBUGLEVEL >= 10) {
- NDR_PRINT_DEBUG(NETLOGON_SAM_LOGON_RESPONSE_NT40, &nt4);
- }
- }
-#ifdef HAVE_ADS
- else {
-
- struct NETLOGON_SAM_LOGON_RESPONSE_EX nt5_ex;
- struct GUID domain_guid;
- struct nbt_sockaddr saddr;
- char *domain;
- const char *hostname;
-
- saddr.sockaddr_family = 2; /* AF_INET */
- saddr.pdc_ip = inet_ntoa(ip);
- saddr.remaining = data_blob_talloc_zero(talloc_tos(), 8); /* ??? */
-
- domain = get_mydnsdomname(talloc_tos());
- if (!domain) {
- DEBUG(2,("get_mydnsdomname failed.\n"));
- return;
- }
-
- hostname = get_mydnsfullname();
- if (!hostname) {
- DEBUG(2,("get_mydnsfullname failed.\n"));
- return;
- }
-
- if (!secrets_fetch_domain_guid(domain, &domain_guid)) {
- DEBUG(2,("Could not fetch DomainGUID for %s\n", domain));
- return;
- }
-
- nt5_ex.command = user_unknown ? LOGON_SAM_LOGON_USER_UNKNOWN_EX :
- LOGON_SAM_LOGON_RESPONSE_EX;
- nt5_ex.sbz = 0;
- nt5_ex.server_type = NBT_SERVER_PDC |
- NBT_SERVER_GC |
- NBT_SERVER_LDAP |
- NBT_SERVER_DS |
- NBT_SERVER_KDC |
- NBT_SERVER_TIMESERV |
- NBT_SERVER_CLOSEST |
- NBT_SERVER_WRITABLE;
- nt5_ex.domain_uuid = domain_guid;
- nt5_ex.forest = domain;
- nt5_ex.dns_domain = domain;
- nt5_ex.pdc_dns_name = hostname;
- nt5_ex.domain_name = lp_workgroup();
- nt5_ex.pdc_name = lp_netbios_name();
- nt5_ex.user_name = request.req.logon.user_name;
- nt5_ex.server_site = "Default-First-Site-Name";
- nt5_ex.client_site = "Default-First-Site-Name";
- nt5_ex.sockaddr_size = 0x10; /* the w32 winsock addr size */
- nt5_ex.sockaddr = saddr;
- nt5_ex.next_closest_site= NULL;
- nt5_ex.nt_version = NETLOGON_NT_VERSION_1 |
- NETLOGON_NT_VERSION_5EX |
- NETLOGON_NT_VERSION_5EX_WITH_IP;
- nt5_ex.lmnt_token = 0xffff;
- nt5_ex.lm20_token = 0xffff;
-
- samlogon.ntver = NETLOGON_NT_VERSION_1 |
- NETLOGON_NT_VERSION_5EX |
- NETLOGON_NT_VERSION_5EX_WITH_IP;
- samlogon.data.nt5_ex = nt5_ex;
-
- if (DEBUGLEVEL >= 10) {
- NDR_PRINT_DEBUG(NETLOGON_SAM_LOGON_RESPONSE_EX, &nt5_ex);
- }
+ nt4.command = user_unknown ? LOGON_SAM_LOGON_USER_UNKNOWN :
+ LOGON_SAM_LOGON_RESPONSE;
+ nt4.pdc_name = pdc_name;
+ nt4.user_name = request.req.logon.user_name;
+ nt4.domain_name = lp_workgroup();
+ nt4.nt_version = NETLOGON_NT_VERSION_1;
+ nt4.lmnt_token = 0xffff;
+ nt4.lm20_token = 0xffff;
+
+ samlogon.ntver = NETLOGON_NT_VERSION_1;
+ samlogon.data.nt4 = nt4;
+
+ if (DEBUGLEVEL >= 10) {
+ NDR_PRINT_DEBUG(NETLOGON_SAM_LOGON_RESPONSE_NT40, &nt4);
}
-#endif /* HAVE_ADS */
response.response_type = NETLOGON_SAMLOGON;
response.data.samlogon = samlogon;
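Review bot: The now-unconditional NT40 reply carries no comment saying that it is deliberate. The removed comment explained when the simple version was chosen, while the new block starting at `nt4.command = ...` no longer consults `request.req.logon.nt_version` at all, so a client asking for the 5EX form gets the NT4 form without any hint in the code as to why. A short comment above the assignments would keep a later reader from re-adding the AD branch with hardcoded values, for example `/* Always answer with the NT4-style response; a correct AD (5EX) reply needs site and GUID data from the AD database, as the source4 nbt server provides. */`. The enclosing function starts and ends outside the hunk.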