s3-winbindd: route samr chgpwd ops for own domain over internal samr pipe as well.

Guenther

4 files changed, 45 insertions, 69 deletions

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index fa1b78cb4f2..b3003571907 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2078,6 +2078,14 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 	char *machine_account = NULL;
 	char *domain_name = NULL;
 
+	if (strequal(domain->name, get_global_sam_name())) {
+		result = open_internal_samr_conn(mem_ctx, domain, cli, sam_handle);
+		if (!NT_STATUS_IS_OK(result)) {
+			return result;
+		}
+		return NT_STATUS_OK;
+	}
+
 	result = init_dc_connection_rpc(domain);
 	if (!NT_STATUS_IS_OK(result)) {
 		return result;
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index ef8d464008d..bf113e8cce9 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -31,7 +31,6 @@
 #include "rpc_client/cli_netlogon.h"
 #include "smb_krb5.h"
 #include "../lib/crypto/arcfour.h"
-#include "rpc_server/srv_samr_util.h"
 #include "../libcli/security/dom_sid.h"
 
 #undef DBGC_CLASS
@@ -1896,13 +1895,15 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
 	char *oldpass;
 	char *newpass = NULL;
 	struct policy_handle dom_pol;
-	struct rpc_pipe_client *cli;
+	struct rpc_pipe_client *cli = NULL;
 	bool got_info = false;
 	struct samr_DomInfo1 *info = NULL;
 	struct userPwdChangeFailureInformation *reject = NULL;
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 	fstring domain, user;
 
+	ZERO_STRUCT(dom_pol);
+
 	DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
 		  state->request->data.auth.user));
 
@@ -1918,53 +1919,6 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
 	/* Initialize reject reason */
 	state->response->data.auth.reject_reason = Undefined;
 
-	if (strequal(domain, get_global_sam_name())) {
-		struct samr_CryptPassword new_nt_password;
-		struct samr_CryptPassword new_lm_password;
-		struct samr_Password old_nt_hash_enc;
-		struct samr_Password old_lanman_hash_enc;
-		enum samPwdChangeReason rejectReason;
-
-		uchar old_nt_hash[16];
-		uchar old_lanman_hash[16];
-		uchar new_nt_hash[16];
-		uchar new_lanman_hash[16];
-
-		contact_domain = NULL;
-
-		E_md4hash(oldpass, old_nt_hash);
-		E_md4hash(newpass, new_nt_hash);
-
-		if (lp_client_lanman_auth() &&
-		    E_deshash(newpass, new_lanman_hash) &&
-		    E_deshash(oldpass, old_lanman_hash)) {
-
-			/* E_deshash returns false for 'long' passwords (> 14
-			   DOS chars).  This allows us to match Win2k, which
-			   does not store a LM hash for these passwords (which
-			   would reduce the effective password length to 14) */
-
-			encode_pw_buffer(new_lm_password.data, newpass, STR_UNICODE);
-			arcfour_crypt(new_lm_password.data, old_nt_hash, 516);
-			E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
-		} else {
-			ZERO_STRUCT(new_lm_password);
-			ZERO_STRUCT(old_lanman_hash_enc);
-		}
-
-		encode_pw_buffer(new_nt_password.data, newpass, STR_UNICODE);
-
-		arcfour_crypt(new_nt_password.data, old_nt_hash, 516);
-		E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
-
-		result = pass_oem_change(
-			user,
-			new_lm_password.data, old_lanman_hash_enc.hash,
-			new_nt_password.data, old_nt_hash_enc.hash,
-			&rejectReason);
-		goto done;
-	}
-
 	/* Get sam handle */
 
 	result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
@@ -2060,6 +2014,16 @@ done:
 
 process_result:
 
+	if (strequal(contact_domain->name, get_global_sam_name())) {
+		/* FIXME: internal rpc pipe does not cache handles yet */
+		if (cli) {
+			if (is_valid_policy_hnd(&dom_pol)) {
+				rpccli_samr_Close(cli, state->mem_ctx, &dom_pol);
+			}
+			TALLOC_FREE(cli);
+		}
+	}
+
 	set_auth_errors(state->response, result);
 
 	DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
@@ -2144,7 +2108,9 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
 	fstring  domain,user;
 	struct policy_handle dom_pol;
 	struct winbindd_domain *contact_domain = domainSt;
-	struct rpc_pipe_client *cli;
+	struct rpc_pipe_client *cli = NULL;
+
+	ZERO_STRUCT(dom_pol);
 
 	/* Ensure null termination */
 	state->request->data.chng_pswd_auth_crap.user[
@@ -2192,21 +2158,6 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
 	DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
 		  (unsigned long)state->pid, domain, user));
 
-	if (strequal(domain, get_global_sam_name())) {
-		enum samPwdChangeReason reject_reason;
-
-		result = pass_oem_change(
-			user,
-			state->request->data.chng_pswd_auth_crap.new_lm_pswd,
-			state->request->data.chng_pswd_auth_crap.old_lm_hash_enc,
-			state->request->data.chng_pswd_auth_crap.new_nt_pswd,
-			state->request->data.chng_pswd_auth_crap.old_nt_hash_enc,
-			&reject_reason);
-		DEBUG(10, ("pass_oem_change returned %s\n",
-			   nt_errstr(result)));
-		goto done;
-	}
-
 	/* Change password */
 	new_nt_password = data_blob_const(
 		state->request->data.chng_pswd_auth_crap.new_nt_pswd,
@@ -2243,6 +2194,16 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
 
  done:
 
+	if (strequal(contact_domain->name, get_global_sam_name())) {
+		/* FIXME: internal rpc pipe does not cache handles yet */
+		if (cli) {
+			if (is_valid_policy_hnd(&dom_pol)) {
+				rpccli_samr_Close(cli, state->mem_ctx, &dom_pol);
+			}
+			TALLOC_FREE(cli);
+		}
+	}
+
 	set_auth_errors(state->response, result);
 
 	DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index caa1cac0eff..a26a9df889e 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -875,4 +875,11 @@ NTSTATUS winbindd_pam_chng_pswd_auth_crap_recv(
 	struct tevent_req *req,
 	struct winbindd_response *response);
 
+/* The following definitions come from winbindd/winbindd_samr.c  */
+
+NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
+				 struct winbindd_domain *domain,
+				 struct rpc_pipe_client **samr_pipe,
+				 struct policy_handle *samr_domain_hnd);
+
 #endif /*  _WINBINDD_PROTO_H_  */
diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c
index 0c077aa32d2..f8004d976f5 100644
--- a/source3/winbindd/winbindd_samr.c
+++ b/source3/winbindd/winbindd_samr.c
@@ -77,10 +77,10 @@ done:
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
-				        struct winbindd_domain *domain,
-				        struct rpc_pipe_client **samr_pipe,
-				        struct policy_handle *samr_domain_hnd)
+NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
+				 struct winbindd_domain *domain,
+				 struct rpc_pipe_client **samr_pipe,
+				 struct policy_handle *samr_domain_hnd)
 {
 	NTSTATUS status;
 	struct policy_handle samr_connect_hnd;