1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

137839 Commits

Author SHA1 Message Date
Stefan Metzmacher
f4f31236c4 s3:libnet_join: pass down cli_credentials *admin_credentials to libnet_{Join,Unjoin}Ctx()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
c0edd3406b s3:lib/netapi: make use of ads_simple_creds/libnetapi_get_creds in NetGetJoinableOUs_l
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
0470cc385d s3:lib/netapi: add libnetapi_get_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
bd53e20764 libgpo/pygpo: make use of ads_connect_{creds,machine}()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
87e7a9488a s3:printing: make use of ads_connect_machine()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
f9496bfdf4 s3:libads: add ads_connect_machine() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
353abcb4d3 s3:libads: add ads_simple_creds() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
c36b044224 s3:libads: make use of ads_connect_simple_anon() in ldap.c where possible
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
7bfbea4c3c s3:libads: add ads_connect_simple_anon() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
c95a2785e2 lib/addns: rewrite signed dns update code to use gensec instead of plain gssapi
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
5807689f96 s3:utils: let net_update_dns_internal() set status before goto done in all cases
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
28af082926 s3:winbindd: make use of winbindd_get_trust_credentials() in idmap_ad.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
ed75331f52 s3:winbindd: make use of winbindd_get_trust_credentials() in _winbind_LogonControl_TC_VERIFY()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
16bbb407fa s3:winbindd: make use of samba_sockaddr to avoid compiler warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
f903d80769 s3:winbindd: use winbindd_get_trust_credentials()/ads_connect_creds() in winbindd_ads.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
8166642e1b s3:winbindd: make winbindd_get_trust_credentials() public
We'll use it outside of winbindd_cm.c soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
81a6c54fdd s3:libads: add ads_set_reconnect_fn() and only reconnect if we can get creds
This reconnect is only useful for long running connections (e.g. in winbindd)
and there we'll make use of it...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
31e4614ee3 s3:libads: add ads_connect_creds() helper
In future ads_connect_creds() will be used by callers directly instead
of using ads_connect().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
76e0d348dd s3:libads: fix compiler warning in ads_mod_ber()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
bac243442a s3:libads: move ads->auth.time_offset to ads->config.time_offset
There's no reason to pass the LDAP servers time to the kerberos
libraries, as we may talk to a KDC different than the LDAP server!

Also Heimdal handles AS-REQ with KRB5KRB_AP_ERR_SKEW fine and
retries with the time from the krb-error.
MIT records the time from the KDC_ERR_PREAUTH_REQUIRED response
in order to use the KDCs time.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
ea97abd545 s3:libads: we only need to gensec_expire_time()...
The lifetime of a service ticket is never longer than
the lifetime of the TGT...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
ce1ad21ce6 s3:libads: remove unused ads->auth.renewable
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
fcd47a4966 s3:winbindd: remove useless 'renewable' argument to ads_cached_connection_connect()
There's really no need to get a reneable ticket for an ldap connection,
we currently always do a kinit for each connection anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
bb8b7be74a s3:libads: let ads_sasl_spnego_bind() really use spnego to negotiate krb5/ntlmssp
For now we still do the ads_kinit_password() in ads_legacy_creds()
for callers that rely on the global krb5ccache to be filled.

E.g. the dns update code and the kpasswd code.

But at least ads_connect_internal() and ads_sasl_spnego_bind()
will allow to do the kinit in the gensec layer only if needed...

We'll remove ads_legacy_creds() during the following commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
1474f9c5de testprogs/blackbox: add better testnames in test_weak_disable_ntlmssp_ldap.sh
This makes it easier to adjust the expected output when it changes in
the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
cff7656e66 s3:net_ads: make use of ads_connect_cldap_only() and ADS_AUTH_GENERATE_KRB5_CONFIG in net_ads_password()
We don't need a real ldap connection here.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
f024063aec s3:winbindd: make use of ads_connect_cldap_only() in dcip_check_name_ads()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
e8250f1624 s3:net_ads: make use of ads_connect_cldap_only() in net_ads_check_int()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
fdd34b57c4 s3:libsmb: make use of ads_connect_cldap_only()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
f34e64baf6 s3:libads: add ads_connect_cldap_only() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
36748002f0 s3:libads: also avoid ADS_AUTH_GENERATE_KRB5_CONFIG for ADS_AUTH_ANON_BIND
For anonymous binds we don't need a krb5.conf.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
9ea1ea1629 s3:libads: add ADS_AUTH_GENERATE_KRB5_CONFIG to generate a custom krb5.conf
That's better then using !ADS_AUTH_NO_BIND. And it allows callers
to be more flexible in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
b3110ec049 s3:libads: split out ads_connect_internal() and call it with ads_legacy_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
be771670eb s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_unparsed_name()
We should only operate on the creds structure and
avoid using ads->auth.{user_name,realm}.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
4d42574c54 s3:libads: let ads_sasl_spnego_bind() reset krb5_state at the end
In future we'll pass in creds from the caller, so we better
restore the original krb5_state at the end of ads_sasl_spnego_bind().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
f7ab92ea7e s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_kerberos_state()
We should only operate on the creds structure and avoid ads->auth.flags

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
b98f9a341f s3:libads: split out ads_legacy_creds()
This is just a temporary change until the highlevel caller
will pass in a cli_credentials structure and we'll get rid of
ads->auth.{user_name,realm,password}.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
6f33e46c19 s3:libads: remove unused LIBADS_CCACHE_NAME define
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
a70c62a78e s3:libads: make use of talloc_stackframe() in ads_setup_tls_wrapping()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
d26e4c6e27 s3:libsmb: remove unused cli_session_creds_prepare_krb5()
Kinit will be done within gensec if required.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
ef205f6b52 s3:gse: get an explicit ccache_name from creds and kinit if required
This means we may call kinit multiple times for now,
but we'll remove the kinit from the callers soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Andreas Schneider
98ee5ca7e8 s3:gse: Pass down the mech to gse_context_init()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-05-14 10:18:31 +00:00
Andreas Schneider
bc2a2399e5 s3:gse: Implement gensec_gse_security_by_oid()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-05-14 10:18:31 +00:00
Andreas Schneider
2ec3e59f58 s3:gse: Use smb_gss_mech_import_cred() in gse_init_server()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-05-14 10:18:31 +00:00
Andreas Schneider
ca90f213a2 lib:krb5_wrap: Implement smb_gss_mech_import_cred()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
2fd2d28b8f s3:libsmb: fix lpcfg_gensec_settings() no memory check in auth_generic_client_prepare()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
fb7e19826a s3:libsmb: explicitly use the default krb5 ccache in cli_session_creds_init() without a password
This happened implicitly as the gse_krb5 module always used the default
krb5 ccache, but that will change soon.

If kerberos is requested without a fallback to ntlm AND
the caller doesn't provide a password we'll use the
default ccache. This will keep our the following tests
happy once the gse_krb5 module changes the behavior:

 samba3.blackbox.krbsmbspool
 samba3.blackbox.smbget

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
2dc76cc84c s3:ntlm_auth: explicitly include default krb5 ccache if no explicit username/password are given
Before this silently happened because the gse_krb5 module just used the
default ccache, but that will change soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
52715b461a tests/ntlm_auth: Do not set a client_password
This fixes test_ntlmssp_gss_spnego_cached_creds

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
a6b94a690b tests/ntlm_auth_krb5: don't test that a krb5ccache work with an explicit username
This test is useless and won't work anymore in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00