mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

3334 Commits

Author SHA1 Message Date
Joseph Sutton
a396b705c8 librpc:ndr: Introduce ‘ndr_flags_type’ type
Instead of ‘int’ or ‘uint32_t’, neither of which convey much meaning,
consistently use a newly added type to hold NDR_ flags.

Update the NDR 4.0.0 ABI.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Noel Power
6830b796ac s3:/winbindd: remove parse_domain_user_fstr
Last caller of parse_domain_user_fstr has been removed so
we can safely remove the function

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Oct 24 13:47:16 UTC 2023 on atb-devel-224
2023-10-24 13:47:16 +00:00
Noel Power
5640d7ab6c s3/winbindd: use parse_domain_user instead of parse_domain_user_fstr
In canonicalize_username replace use of parse_domain_user_fstr
with parse_domain_user

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
b4bdd341a7 s3/winbindd: replace use of parse_domain_user_fstr with parse_domain_user
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
89fb5eee53 s3/winbindd: replace parse_domain_user_fn with parse_domain_user
In winbindd_getgrnam_send use parse_domain_user instead of
parse_domain_user_fstr

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
b5427ef86b s3/winbindd: use parse_domain_user instead of parse_domain_user_fstr
In winbindd_ccache_ntlm_auth replace use of parse_domain_user_fstr
with parse_domain_user

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
9d5652ec02 s3/winbindd: use parse_domain_user instead of parse_domain_user_fstr
in winbindd_getpwnam_send replace parse_domain_user_fstr with
parse_domain_user

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
f734b1b2fc s3/winbindd: use parse_domain_user_fstr instead of parse_domain_user
in winbindd_getgroups_send replace parse_domain_user_fstr
with parse_domain_user

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
d4341d4884 s3/winbindd: Add new parse_domain_user function
Adds a new parse_domain_user function which doesn't use fstrings
but instead uses talloc allocated out strings (created from passed in
ctx)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
87a919082b s3/winbindd: rename parse_domain_user to parse_domain_user_fstr
prepare to port parse_domain_user function to not use fstrings.
rename function parse_domain_user (and all callers) to use
parse_domain_user_fstr

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
c6fe21e138 s3/winbindd: remove canonicalize_username_fstr
no longer any callers to canonicalize_username_fstr so it
can be removed

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
d1beafe7cc s3/winbindd: in winbindd_pam_chauthtok_send use canonicalize_username
replace use of canonicalize_username_fstr with canonicalize_username

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
be6ed28f02 s3/winbindd: in winbindd_pam_auth_send use canonicalize_username
replace use of canonicalize_username_fstr with canonicalize_username

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
85e8d33a33 s3/winbindd: in winbindd_pam_logoff_send use canonicalize_username
replace use of canonicalize_username_fstr with canonicalize_username

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
aa3febfddc s3/winbindd: in winbindd_ccache_save use canonicalize_username
replace use of canonicalize_username_fstr with canonicalize_username

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
2e06bf9feb s3/winbindd: Add new canonicalize_username function
Add a new canonicalize_username replacement function for
canonicalize_username_fstr which doesn't use fstrings but instead
uses talloc allocated strings

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
7e1f210b9a s3/winbindd: rename canonicalize_username to canonicalize_username_fstr
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Noel Power
9267d9b268 s3/winbind: Ensure parse_domain_user() can't write beyond the end of domain[]
fail if we try to write beyond the fstring boundary

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15467
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-24 12:43:37 +00:00
Pavel Filipenský
6063f3ee73 s3:winbindd: Improve logging for failover scenarios in winbindd_pam.c
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-18 14:43:37 +00:00
Pavel Filipenský
21bb84ed1c s3:winbindd: Improve logging for failover scenarios in winbindd_cm.c
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-10-18 14:43:37 +00:00
Pavel Filipenský
027332cee5 s3:winbindd: Call winbind_add_failed_connection_entry() for the correct dc name
We were calling winbind_add_failed_connection_entry() for saf_servername
which is NULL.  domain->dcname should be used instead.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Wed Oct 11 16:42:15 UTC 2023 on atb-devel-224
2023-10-11 16:42:15 +00:00
Pavel Filipenský
928ce91eb7 s3:winbindd: Skip check_negative_conn_cache() if saf_servername == NULL
saf_servername can be NULL even after calling saf_fetch().  Avoid
calling check_negative_conn_cache() like it was before commit 0fcf0012

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-10-11 15:37:28 +00:00
Andrew Bartlett
4e8e35de7f s3-winbind: Use token as parent for token->sids in check_info3_in_group()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
e2cc29d132 libcli/security: Pass in claims evaluation state when building any security token
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:35 +00:00
Volker Lendecke
fab08854af libsmb: Pass neg contexts through sync smbXcli_negprot_recv()
Looks much larger than it is, there's a lot of callers to feed NULL to.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Sep 25 19:59:17 UTC 2023 on atb-devel-224
2023-09-25 19:59:17 +00:00
Joseph Sutton
41df712d18 s3:winbindd: Add zero digit to literal
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
4e74350fbb s3:winbindd: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Pavel Filipenský
8abac09763 s3:winbindd: Use a correct value for the length of domain children
We often loop over the array of domain children. However, the size of
the array is calculated as lp_winbind_max_domain_connections() which can
change (it is based on smb.conf). The fix is the talloc_array_length().

Reproducer:

winbind max domain connections = 100

smbcontrol all reload-config
smbcontrol all debug 10

/var/log/samba/log.winbindd shows many lines with random garbage pid:

[2023/08/25 10:03:49.898994, 10, pid=158296, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:885(winbind_msg_relay_fn)
  winbind_msg_relay_fn: sending message to pid 1037686087.
[2023/08/25 10:03:49.899010,  3, pid=158296, effective(0, 0), real(0, 0)] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory

In this scenario we dereference only a garbage PID, but if we would
dereference some garbage pointer we would segfault.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-08-30 12:42:29 +00:00
Pavel Filipenský
b13d4370d2 s3:winbindd: Avoid doing the same assignment twice
Done already in setup_child(): child->domain = domain

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-08-30 12:42:29 +00:00
Volker Lendecke
0bcba393f7 idmap:fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-08-14 19:53:37 +00:00
Volker Lendecke
b7e0f3423c idmap_tdb: Remove a variable never used
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-08-14 19:53:37 +00:00
Volker Lendecke
0c6ac3218d idmap: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-08-14 19:53:37 +00:00
Joseph Sutton
146a9260fb s3:winbindd: Fix debug messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
ac0f599cab s3:winbindd: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Pavel Filipenský
dd998cc163 s3:winbindd: Fix double close(fd)
Reported by Red Hat internal coverity

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15433

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Jul 25 12:08:49 UTC 2023 on atb-devel-224
2023-07-25 12:08:49 +00:00
Volker Lendecke
b2de71734f CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks
With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you
can crash winbind. We don't independently check lm_resp_len
sufficiently.

Discovered via Coverity ID 1504444 Out-of-bounds access

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072

Signed-off-by: Volker Lendecke <vl@samba.org>
2023-07-21 12:05:35 +00:00
Pavel Filipenský
6539f1e4cd s3:winbindd: Change the TALLOC_CTX to fix the tevent call depth tracking
Call depth is not working for winbindd_list_users_send as expected,
it is visible in the flow traces:

  -> process_request_send
      -> winbindd_list_users_send
  -> wb_query_user_list_send

It should look like:

  -> process_request_send
      -> winbindd_list_users_send
          -> wb_query_user_list_send

Tevent call depth tracking internal implementation relies on the fact
that the talloc memory context has type "struct tevent_req".
Then it can obtain the depth from the parent and increment it by one.

The implementation of winbindd_list_users_send() is passing to
wb_query_user_list_send() context of type
"struct winbindd_list_users_state", and from there the parent
"struct tevent_req" cannot be identified.

So we will pass as TALLOC_CTX 'state' instead of 'state->domains'.
After the call, we can reparent back.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Thu Jul 20 10:38:19 UTC 2023 on atb-devel-224
2023-07-20 10:38:19 +00:00
Andreas Schneider
801772012e Revert "s3:winbindd: set TEVENT_DEPRECATED as tevent_thread_call_depth_*() api will change soon"
This reverts commit 28ddcaf4d8.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul 19 10:57:27 UTC 2023 on atb-devel-224
2023-07-19 10:57:27 +00:00
Andreas Schneider
83b58255ed s3:winbindd: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-07-19 09:58:37 +00:00
Pavel Filipenský
7c0a1c1e13 s3:winbind: Set/unset the winbind_call_flow callback if log level changes
Done only for the parent process. Works with 'smbcontrol reload-config'

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul 19 09:00:50 UTC 2023 on atb-devel-224
2023-07-19 09:00:50 +00:00
Pavel Filipenský
a1b2f17c6d s3:winbind: Update winbind to tevent 0.15.0 API
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-19 08:02:33 +00:00
Pavel Filipenský
5b130e620f s3:winbind: Add callback winbind_call_flow()
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
28ddcaf4d8 s3:winbindd: set TEVENT_DEPRECATED as tevent_thread_call_depth_*() api will change soon
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
2023-07-19 08:02:33 +00:00
Stefan Metzmacher
50e771c12f s3:winbindd: let winbind_samlogon_retry_loop() fallback to NT_STATUS_NO_LOGON_SERVERS
When we were not able to get a valid response from any DC we should
report NT_STATUS_NO_LOGON_SERVERS with authoritative = 1.

This matches what windows does. In a chain of transitive
trusts the ACCESS_DENIED/authoritative=0 is not propagated,
instead NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is
passed along the chain if no other DC is available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2023-07-05 12:17:38 +00:00
Stefan Metzmacher
b317b10dff s3:winbindd: make use of reset_cm_connection_on_error() in winbind_samlogon_retry_loop()
Note this is more than a simple invalidate_cm_connection() as it may set
domain->conn.netlogon_force_reauth = true, which is important in order
to recover from NT_STATUS_RPC_SEC_PKG_ERROR errors.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2023-07-05 12:17:38 +00:00
Stefan Metzmacher
0cb6de4b1d s3:winbindd: let winbind_samlogon_retry_loop() always start with authoritative = 1
Otherwise we could treat a local problem as non-authoritative.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2023-07-05 12:17:38 +00:00
Stefan Metzmacher
4ad5a35a3f s3:winbindd: make use of reset_cm_connection_on_error() for winbindd_lookup_{names,sids}()
Note this is more than a simple invalidate_cm_connection() as it may set
domain->conn.netlogon_force_reauth = true.

This is not strictly needed as the callers call
reset_cm_connection_on_error() via reconnect_need_retry().
But it might avoid one roundtrip.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2023-07-05 12:17:38 +00:00
Stefan Metzmacher
cb59fd43bb s3:winbindd: call reset_cm_connection_on_error() in wb_cache_query_user_list()
This is mostly for consistency, every remote call should call
reset_cm_connection_on_error(). Note this is more than
a simple invalidate_cm_connection() as it may set
domain->conn.netlogon_force_reauth = true.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2023-07-05 12:17:37 +00:00
Stefan Metzmacher
3119f6c283 wb_dsgetdcname: don't use stack variables for async code
This is not really a problem because we call ndr_push from
within a _send() function, but still we leave dangling pointers
around...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>

Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Sun Jul  2 17:42:56 UTC 2023 on atb-devel-224
2023-07-02 17:42:56 +00:00
Björn Jacke
3b96ef9290 wb_dsgetdcname: log also the domain name for failures
Signed-off-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-02 16:50:36 +00:00