IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This can never have been tested....
Signed-off-by: Tom Mortensen <tomm@lime-technology.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
We don't need to change the protocol version because:
1. An old client may provide the "initial_blob"
(which was and is still ignored when going
via the wbcCredentialCache() function)
and the new winbindd won't use new_spnego.
2. A new client will just get a zero byte
from an old winbindd. As it uses talloc_zero() to
create struct winbindd_response.
3. Changing the version number would introduce problems
with backports to older Samba versions.
New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
pam_winbind depends on talloc, which depends on libreplace, so we have asprintf
available.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
PAM sessions are long running. If we create a pam session a connection
to winbind is established and only closed by the destructor of the
libwbclient library. If we create a wbcContext, we will free it in the
end of the PAM function being called and the socket will be closed. This
decreases the amount of allocated 'winbindd_cli_state' structures in
winbind for every logged in user.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 25 17:45:24 CET 2016 on sn-devel-144
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Mar 22 07:59:35 CET 2016 on sn-devel-144
The previous use was safe, but having *any* use of strcpy inside
our code sets off security flags. Replace with an explicit length
calculation and memcpy.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which has been discussed in 2012, but was never implemented).
It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.
It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).
After the basic step has been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).
$ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
Logon failure (0xc000006d)
$ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694
Signed-off-by: Herwin Weststrate <herwin@quarantainenet.nl>
Reviewed-by: Kai Blin <kai@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Feb 22 23:39:13 CET 2016 on sn-devel-144
To do a proper xids2sids conversion I need a build environment.
Everyone who needs this and can build AIX please speak up!
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 11 04:43:53 CET 2016 on sn-devel-144
These functions were meant as a standard interface before libwbclient was
developed.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
...instead of using "if (ret)" or similar.
This is just a code cleanup, no changes in behaviour.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
The test gets handed a name, so we first need
to resolve the name to an IP before we can
pass that on to ResolveWinsByIp.
Bug uncovered by the new nss_wrapper code (1.1.2).
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov 6 13:43:45 CET 2015 on sn-devel-104
This avoids that we run into use after free issues when we access memory
allocated on the globals and the global being reinitialized.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11563
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
This allows us to use them in talloc as well.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Adrian Cochrane <adrianc@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
The problem with large groups on Solaris in the the NSS winbind module is
Solaris wants the return value to be NSS_UNAVAIL if the buffer given is too
small for getgrnam_r. The current code return NSS_TRYAGAIN which causes
Solaris/Illumos to loop without trying to resize the buffer.
Thanks to Nathan Huff <nhuff@acm.org> for finding this out.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10365
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Ralph Böhme <rb@sernet.de>
Thanks to Timur Bakeyev <timur@FreeBSD.org> for the patch.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11493
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Ralph Böhme <rb@sernet.de>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11502
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue Sep 8 21:39:21 CEST 2015 on sn-devel-104
This patch cancels the retry policy of the winbind client.
When winbindd fails to respond to a request within 30 seconds,
the winbind client closes the connection and retries up to 10
times.
In some cases, delayed response is a result of multiple
requests from multiple clients piling up on the winbind domain
child process. Retrying just piles more and more requests,
creating a vicious cycle.
Even in the case of a single request taking long to complete,
there's no point in retrying because the retry request would just
wait for the current request to complete. Better to wait patiently.
There's one possible benefit in the retry, namely that winbindd typically
caches the results, and therefore a retry might take a cached result, so
the net effect of the retry may be to increase the timeout to 300 seconds.
But a more straightforward way to have a 300 second timeout is to modify the
timeout. Therefore the timeout is modified from 30 seconds to 300 seconds
(IMHO 300 seconds is too much, but we have "winbind rquest timeout"
with a default of 60 to make sure the request completes or fails
within 60 seconds)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11397
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jun 8 19:48:18 CEST 2015 on sn-devel-104
Also test the codepaths to map UID and GID back to SID and names. Use
different user and group to avoid returning results cached from the
previous lookups.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11313
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun 5 01:24:32 CEST 2015 on sn-devel-104
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stops segfault when a context is passed. Internal Samba code will
currently always call this with NULL so won't trigger the bug.
Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 18 01:41:32 CET 2015 on sn-devel-104
Increment the minor version of the libwbclient library after new
context functions added. (Major version increase not required as
the only two functions with changed parameters are private to the
library.)
Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 10 03:24:45 CET 2015 on sn-devel-104
There are some global variables in use in the libwbclient
library. Now that we have a context, move these into it so that
they are thread-safe when the wbcCtx* functions are used.
Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
To make the libwbclient library thread-safe, all functions
that call through to wb_common winbindd_request_response need
to have context that they can use. This commit adds all the
necessary functions.
Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
To enable libwbclient to pass winbindd context through
to the winbind client library in wb_common.
Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The basic context structure and functions for libwbclient so that
libwbclient can be made thread-safe.
Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Updating API call in libwbclient, wbinfo, ntlm_auth and
winbind_nss_* as per previous commit to wb_common.c.
Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Rather than keep state in global variables, store the current
context such as the winbind file descriptor in a struct that is
passed in. This makes the winbind client library thread-safe.
Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Mar 3 20:03:25 CET 2015 on sn-devel-104
Otherwise a bad read can sometimes cause the function to return -1 with
an invalid pointer in extra_data.data, which is attempted to be freed
by the caller (e.g. libwbclient/wbc_pam.c wbcAuthenticateUserEx())
by calling winbindd_free_response().
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9056
warn_pwd_expire parameter is not working as documented in pam_winbind manual
page. This patch adds missing bit and allows disabling warning message fully,
i.e. setting warn time to zero days.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Dec 3 21:36:49 CET 2014 on sn-devel-104
Fixes this test when bin/ldbmodify isn't built because we're using the
system ldbmodify.
Change-Id: I2ff0d9808245353006c6be4989976a3edad8f98e
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The getgroupmembership call on FreeBSD is needed for "winbind expand groups=0"
(the new default in 4.2) to work.
Thanks to Timur I. Bakeyev for the enhancement patch.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10835
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Sat Oct 18 12:41:07 CEST 2014 on sn-devel-104
If we have configured the idmap_ad backend it is possible that the user
is in a group without a gid set. This will result in (uid_t)-1 as the
gid. We return this invalid gid to NSS which is wrong.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10824
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Sep 19 17:57:14 CEST 2014 on sn-devel-104
We are not allowed to reach around behind the system's back and
include the wrong headerfiles.
Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
https://bugzilla.samba.org/show_bug.cgi?id=10692
Revert "libwbclient: reject unknown named blobs in wbcCredentialCache()"
This reverts commit 740d12d1e7.
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jul 14 21:54:08 CEST 2014 on sn-devel-104
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10692
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 10 22:30:45 CEST 2014 on sn-devel-104
on AIX this is actually not called NSS and PAM, this is combined im LAM (loadable
authentication module)
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jun 12 13:32:28 CEST 2014 on sn-devel-104
Change-Id: I41ed850b6424eac3fb8b6603d5b87c66bb77dd51
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The password is made more complex, and the test domain is made to
use the command line options.
Andrew Bartlett
Change-Id: Ia1ec24a9fc393e7f7b210f845bcf32dbc933d48f
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This avoids a pile of shell-script escape pain, and fixes some tests.
Andrew Bartlett
Change-Id: Ie1d0e32ab484a5b0ddbc4073831fe6de27e38e92
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Change-Id: I8f23ecc8444c3b25d5be2a7fdbf51ba7fe4a5ed9
Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Prior to asking for a winbindd private pipe we need to initialize
response structure to deal with a possible response failure.
winbind_open_pipe_sock() issues two winbindd requests:
- asks for interface version
- asks for a private pipe
The first call returns interface version in a response structure (which
is a union). The second call might fail -- in this case response
structure will not be initialized or filled in with any information.
As result, if the second call failed, response structure will have data
from an interface string interpreted as a pointer to a string during
SAFE_FREE() at the end of the winbind_open_pipe_sock().
To avoid that, ensure response struct is initialized before asking for
a private pipe.
https://bugzilla.samba.org/show_bug.cgi?id=10596
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 8 04:24:53 CEST 2014 on sn-devel-104
It is very confusing if the env var uses the same name as the define in
the source code. So prefix it with SELFTEST.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: Ic2e06e448fce1d91422b711abf663b9253009a53
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Apr 2 13:07:24 CEST 2014 on sn-devel-104
This is the original cause of the wbc NT_STATUS_OBJECT_NAME_NOT_FOUND issues in recent git master, as the
build was able to progress without the correct path being set as an override.
Andrew Bartlett
Change-Id: I1dbc7350695756356e869199b589eb781eb5c673
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar 5 18:34:48 CET 2014 on sn-devel-104
