1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

667 Commits

Author SHA1 Message Date
Andreas Schneider
d8a5565ae6 waf: Explicitly link against libnss_wins.so
If we do not specify replace as a depencency here, it will not link to
libreplace using an rpath.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12277

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>

Autobuild-User(master): Jim McDonough <jmcd@samba.org>
Autobuild-Date(master): Tue Sep 20 08:00:08 CEST 2016 on sn-devel-144
2016-09-20 08:00:08 +02:00
Andreas Schneider
124ae4e861 nsswitch: Add missing arguments to wins gethostbyname*
The errno pointer argument is missing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>
2016-09-20 04:10:21 +02:00
Ralph Boehme
2a322a7671 selftest: test idmap backend id allocation for unknown SIDS
If an SID is is not found becaues the RID doesn't exist in a domain and
the domain is configured to use a non-allocating idmap backend like
idmap_ad or idmap_rfc2307, winbindd must not return a mapping for the
SID.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-06-28 07:27:18 +02:00
Andreas Schneider
539116e588 nsswitch: Fix memory leak in test_wbc_trusts()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
3c9f0815fb nsswitch: Fix memory leak in test_wbc_groups()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
e9fabe3a11 nsswitch: Fix memory leak in test_wbc_users()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
6a620adb25 nsswitch: Fix memory leak in test_wbc_domain_info()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
9b732c2448 nsswitch: Fix memory leak in test_wbc_pingdc2()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
4961362106 nsswitch: Fix memory leak in test_wbc_get_sidaliases()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
2ae40865be nsswitch: Fix memory leak in test_wbc_pingdc()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
f479a1f896 nsswitch: Fix wbclient torture_assert_wbc_ok_goto_fail macro
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Tom Mortensen
0b1f4db325 nss_wins: Fix the hostent setup
This can never have been tested....

Signed-off-by: Tom Mortensen <tomm@lime-technology.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-04-22 07:20:17 +02:00
Tom Mortensen
d3569ca271 nss_wins: ip_pton expects the raw IP address
Signed-off-by: Tom Mortensen <tomm@lime-technology.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-04-22 07:20:17 +02:00
Stefan Metzmacher
2063692367 CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
We don't need to change the protocol version because:

1. An old client may provide the "initial_blob"
   (which was and is still ignored when going
   via the wbcCredentialCache() function)
   and the new winbindd won't use new_spnego.

2. A new client will just get a zero byte
   from an old winbindd. As it uses talloc_zero() to
   create struct winbindd_response.

3. Changing the version number would introduce problems
   with backports to older Samba versions.

New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:22 +02:00
Volker Lendecke
4f65fa9c7b pam_winbind: Avoid a use of sprintf
pam_winbind depends on talloc, which depends on libreplace, so we have asprintf
available.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-31 20:30:11 +02:00
Andreas Schneider
94464ed82c pam_winbind: Create and use a wbclient context
PAM sessions are long running. If we create a pam session a connection
to winbind is established and only closed by the destructor of the
libwbclient library. If we create a wbcContext, we will free it in the
end of the PAM function being called and the socket will be closed. This
decreases the amount of allocated 'winbindd_cli_state' structures in
winbind for every logged in user.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 25 17:45:24 CET 2016 on sn-devel-144
2016-03-25 17:45:24 +01:00
Andreas Schneider
4c139e23e9 pam_winbind: Use the correct type to check the pam_parse() return code
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-03-25 14:18:22 +01:00
Jeremy Allison
bac35a178f nsswitch: winbind_nss_solaris.c: Remove unused macro containing strcpy.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Mar 22 07:59:35 CET 2016 on sn-devel-144
2016-03-22 07:59:35 +01:00
Jeremy Allison
a8ab1bfb7b nsswitch: winbind_nss_aix: Remove all uses of strcpy.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2016-03-22 04:38:24 +01:00
Jeremy Allison
7e435d3cce nsswitch: linux: Remove use of strcpy().
The previous use was safe, but having *any* use of strcpy inside
our code sets off security flags. Replace with an explicit length
calculation and memcpy.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2016-03-22 04:38:24 +01:00
Herwin Weststrate
0b500d413c Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth
An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which has been discussed in 2012, but was never implemented).

It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.

It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).

After the basic step has been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).

  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
  Logon failure (0xc000006d)
  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
  NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694
Signed-off-by: Herwin Weststrate <herwin@quarantainenet.nl>
Reviewed-by: Kai Blin <kai@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-11 22:58:18 +01:00
Volker Lendecke
f6f43c496e winbind: Remove unused WINBINDD_UID_TO_SID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Feb 22 23:39:13 CET 2016 on sn-devel-144
2016-02-22 23:39:12 +01:00
Volker Lendecke
07b134407c nss_aix: Hack away WINBINDD_UID_TO_SID
To do a proper xids2sids conversion I need a build environment.

Everyone who needs this and can build AIX please speak up!

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
f387124a04 winbind: Remove unused WINBINDD_GID_TO_SID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
148452b446 libwbclient: Use wbcCtxUnixIdsToSids in wbcCtxGidToSid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
1e4e215f2f libwbclient: Use wbcCtxUnixIdsToSids in wbcCtxUidToSid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
ec94aa543b winbind: Remove unused WINBINDD_SID_TO_GID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
112998fffa winbind: Remove unused WINBINDD_SID_TO_UID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
122b1a3650 libwbclient: Use wbcCtxSidsToUnixIds in wbcCtxSidToGid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
fbbe017820 libwbclient: Use wbcCtxSidsToUnixIds in wbcCtxSidToUid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
182149e937 wbinfo: Add --unix-ids-to-sids
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
171931cf7d libwbclient: Implement wbc[Ctx]UnixIdsToSids
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
5cd5ce70a1 winbind: Expose WINBINDD_XIDS_TO_SIDS externally
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
dcf6a606cf nss_netbsd: Remove unimplemented prototypes
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 11 04:43:53 CET 2016 on sn-devel-144
2016-02-11 04:43:53 +01:00
Volker Lendecke
dfe51390a0 nss_linux: Remove non-nss functions
These functions were meant as a standard interface before libwbclient was
developed.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-02-11 01:32:23 +01:00
Volker Lendecke
89565775a4 libwbclient: Fix a few resource leak CIDs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-02-04 09:29:17 +01:00
Volker Lendecke
3d5873c848 libwbclient: Add "goto fail" test macros
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-02-04 09:29:17 +01:00
Michael Adam
490a27b69b pam_winbind: check != PAM_SUCCESS and != NULL explicitly
...instead of using "if (ret)" or similar.
This is just a code cleanup, no changes in behaviour.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-01-13 10:57:09 +01:00
Michael Adam
77d0fce7b7 torture: add torture comment output of name/ip to WinsBy{Ip,Name} tests
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-01-11 12:25:26 +01:00
Michael Adam
71ffd3b90b torture: Fix winbind.wbclient.ResolveWinsByIp test
The test gets handed a name, so we first need
to resolve the name to an IP before we can
pass that on to ResolveWinsByIp.

Bug uncovered by the new nss_wrapper code (1.1.2).

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-01-11 12:25:26 +01:00
Mathieu Parent
c315fce17e Fix various spelling errors
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov  6 13:43:45 CET 2015 on sn-devel-104
2015-11-06 13:43:45 +01:00
Andreas Schneider
5ab1452436 nss_wins: Use libwbclient to query wins server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11563

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-10-26 21:23:21 +01:00
Andreas Schneider
0abbfb2e4d nss_wins: Use lp_global_no_reinit()
This avoids that we run into use after free issues when we access memory
allocated on the globals and the global being reinitialized.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11563

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-10-26 21:23:21 +01:00
Volker Lendecke
2f7bee43d8 wbinfo: make --verbose --pam-logon print sids
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Oct 12 14:01:50 CEST 2015 on sn-devel-104
2015-10-12 14:01:49 +02:00
Andrew Bartlett
1dc05386f2 build: Move __attribute__ ((destructor)) and ((constructor)) tests to wafsamba
This allows us to use them in talloc as well.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Adrian Cochrane <adrianc@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-10-09 20:14:06 +02:00
Björn Jacke
d3e51b9cfe nss_winbind: fix hang on Solaris on big groups
The problem with large groups on Solaris in the the NSS winbind module is
Solaris wants the return value to be NSS_UNAVAIL if the buffer given is too
small for getgrnam_r.  The current code return NSS_TRYAGAIN which causes
Solaris/Illumos to loop without trying to resize the buffer.

Thanks to  Nathan Huff <nhuff@acm.org> for finding this out.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10365

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Ralph Böhme <rb@sernet.de>
2015-09-11 00:34:30 +02:00
Björn Jacke
a997c7780e nss_wins: add module for FreeBSD
Thanks to Timur Bakeyev <timur@FreeBSD.org> for the patch.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11493

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Ralph Böhme <rb@sernet.de>
2015-09-11 00:34:30 +02:00
Andreas Schneider
7d84cd6e40 pam_winbind: Fix a segfault if initialization fails
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11502

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue Sep  8 21:39:21 CEST 2015 on sn-devel-104
2015-09-08 21:39:21 +02:00
Uri Simchoni
5a6a4838f0 winbind client: avoid vicious cycle created by client retry
This patch cancels the retry policy of the winbind client.

When winbindd fails to respond to a request within 30 seconds,
the winbind client closes the connection and retries up to 10
times.

In some cases, delayed response is a result of multiple
requests from multiple clients piling up on the winbind domain
child process. Retrying just piles more and more requests,
creating a vicious cycle.

Even in the case of a single request taking long to complete,
there's no point in retrying because the retry request would just
wait for the current request to complete. Better to wait patiently.

There's one possible benefit in the retry, namely that winbindd typically
caches the results, and therefore a retry might take a cached result, so
the net effect of the retry may be to increase the timeout to 300 seconds.
But a more straightforward way to have a 300 second timeout is to modify the
timeout. Therefore the timeout is modified from 30 seconds to 300 seconds

(IMHO 300 seconds is too much, but we have "winbind rquest timeout"
with a default of 60 to make sure the request completes or fails
within 60 seconds)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11397

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-07-15 22:41:13 +02:00
Volker Lendecke
affa21f713 wbinfo: Dump user info for pam-logon -v
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-11 01:45:21 +02:00
Volker Lendecke
b1e718f101 nsswitch: Simplify winbind_named_pipe_sock()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jun  8 19:48:18 CEST 2015 on sn-devel-104
2015-06-08 19:48:18 +02:00
Christof Schmitt
c1c07b4620 nsswitch: Extend idmap_rfc2307 testcase for reverse lookup
Also test the codepaths to map UID and GID back to SID and names. Use
different user and group to avoid returning results cached from the
previous lookups.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11313

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun  5 01:24:32 CEST 2015 on sn-devel-104
2015-06-05 01:24:32 +02:00
Andrew Bartlett
e1aca8d69e selftest: Add tests for expected output of wbinfo -i and wbinfo --uid-info
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-05-06 01:22:14 +02:00
Michael Adam
d892ce2750 nsswitch/wins: use lp_load_global() wrapper of lp_load().
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
2015-04-22 13:57:29 +02:00
Stefan Metzmacher
da4f31e1c9 nsswitch: improve error messages in wbinfo calls
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-27 01:26:15 +01:00
Volker Lendecke
c51300ad89 lib: load_case_tables() -> smb_init_locale()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-24 00:00:20 +01:00
Volker Lendecke
06a727e8f8 lib: Remove load_case_tables_library()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-24 00:00:20 +01:00
Matthew Newton
eb0d6b9999 Ensure we always initialise the winbind context
Stops segfault when a context is passed. Internal Samba code will
currently always call this with NULL so won't trigger the bug.

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 18 01:41:32 CET 2015 on sn-devel-104
2015-03-18 01:41:32 +01:00
Matthew Newton
c6cb2d6508 Update libwbclient version to 0.12
Increment the minor version of the libwbclient library after new
context functions added. (Major version increase not required as
the only two functions with changed parameters are private to the
library.)

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 10 03:24:45 CET 2015 on sn-devel-104
2015-03-10 03:24:45 +01:00
Matthew Newton
2664d9070f Move wbc global variables into global context instead
There are some global variables in use in the libwbclient
library. Now that we have a context, move these into it so that
they are thread-safe when the wbcCtx* functions are used.

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-10 00:50:10 +01:00
Matthew Newton
063c56dba5 Add context versions of wbclient functions
To make the libwbclient library thread-safe, all functions
that call through to wb_common winbindd_request_response need
to have context that they can use. This commit adds all the
necessary functions.

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-10 00:50:10 +01:00
Matthew Newton
348f93ff6e Add wbcContext to wbcRequestResponse
To enable libwbclient to pass winbindd context through
to the winbind client library in wb_common.

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-10 00:50:10 +01:00
Matthew Newton
bc75e723ce Add wbcContext struct, create and free functions
The basic context structure and functions for libwbclient so that
libwbclient can be made thread-safe.

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-10 00:50:10 +01:00
Matthew Newton
83cfb84b78 Use global context for winbindd_request_response
Updating API call in libwbclient, wbinfo, ntlm_auth and
winbind_nss_* as per previous commit to wb_common.c.

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-10 00:50:09 +01:00
Matthew Newton
60c7571984 Make winbind client library thread-safe by adding context
Rather than keep state in global variables, store the current
context such as the winbind file descriptor in a struct that is
passed in. This makes the winbind client library thread-safe.

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-10 00:50:09 +01:00
Volker Lendecke
6b898481af pam: Fix CID 1034871 Resource leak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Mar  3 20:03:25 CET 2015 on sn-devel-104
2015-03-03 20:03:25 +01:00
Volker Lendecke
ad3e38f6bb pam: Fix CID 1034870 Resource leak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2015-03-03 17:34:39 +01:00
Andreas Schneider
a782ae1da4 nss-wins: Do not lookup invalid netbios names
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-23 22:32:48 +01:00
Matthew Newton
764cfda280 Make sure response->extra_data.data is always cleared out
Otherwise a bad read can sometimes cause the function to return -1 with
an invalid pointer in extra_data.data, which is attempted to be freed
by the caller (e.g. libwbclient/wbc_pam.c wbcAuthenticateUserEx())
by calling winbindd_free_response().

Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-01-09 21:21:07 +01:00
Stefan Metzmacher
c257b14b8b nsswitch/wbinfo: allow 'wbinfo --ping-dc --domain=SOMEDOMAIN'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
f80f585d95 nsswitch: allow passing the domain name to wbcPingDC[2]()
winbindd already supports this.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:12 +01:00
Stefan Metzmacher
575b093dac nsswitch: fix soname of linux nss_*.so.2 modules
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-12-19 13:15:12 +01:00
Günther Deschner
78b7db1814 pam_winbind: fix warn_pwd_expire implementation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9056

warn_pwd_expire parameter is not working as documented in pam_winbind manual
page. This patch adds missing bit and allows disabling warning message fully,
i.e. setting warn time to zero days.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Dec  3 21:36:49 CET 2014 on sn-devel-104
2014-12-03 21:36:49 +01:00
Jelmer Vernooij
49445541e7 Support using system ldbmodify.
Fixes this test when bin/ldbmodify isn't built because we're using the
system ldbmodify.

Change-Id: I2ff0d9808245353006c6be4989976a3edad8f98e
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-19 18:30:07 +01:00
Stefan Metzmacher
d5326bca33 nsswitch: avoid some compiler warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-14 23:27:05 +01:00
Björn Jacke
8ccf5f6669 nss_winbind: add getgroupmembership for FreeBSD
The getgroupmembership call on FreeBSD is needed for "winbind expand groups=0"
(the new default in 4.2) to work.

Thanks to Timur I. Bakeyev for the enhancement patch.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10835

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
2014-10-20 12:20:04 +02:00
Michael Adam
6bbfb09b07 pam_winbind: fix comment typos
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Sat Oct 18 12:41:07 CEST 2014 on sn-devel-104
2014-10-18 12:41:07 +02:00
Andreas Schneider
7f59711f07 nsswitch: Skip groups we were not able to map.
If we have configured the idmap_ad backend it is possible that the user
is in a group without a gid set. This will result in (uid_t)-1 as the
gid. We return this invalid gid to NSS which is wrong.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10824

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Sep 19 17:57:14 CEST 2014 on sn-devel-104
2014-09-19 17:57:14 +02:00
Jeremy Allison
8bbf901f93 Replace all uses of iniparser with tiniparser.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2014-08-14 21:27:13 +02:00
Ira Cooper
61dd66575d nsswitch: Fix bogus #include line.
We are not allowed to reach around behind the system's back and
include the wrong headerfiles.

Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-08-09 18:26:16 +02:00
Jeremy Allison
ca1e4af466 As David Woodhouse points out, this breaks backwards compatibility.
https://bugzilla.samba.org/show_bug.cgi?id=10692

Revert "libwbclient: reject unknown named blobs in wbcCredentialCache()"

This reverts commit 740d12d1e7.

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jul 14 21:54:08 CEST 2014 on sn-devel-104
2014-07-14 21:54:08 +02:00
Stefan Metzmacher
740d12d1e7 libwbclient: reject unknown named blobs in wbcCredentialCache()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10692

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 10 22:30:45 CEST 2014 on sn-devel-104
2014-07-10 22:30:45 +02:00
Stefan Metzmacher
6704799dec libwbclient: allow only one initial_blob/challenge_blob in wbcCredentialCache()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10692

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-07-10 20:04:13 +02:00
Jeremy Allison
f4d83872e0 s3: libwbclient: Don't break out of loop too soon - find all parameters.
Fix bug #10692: wbcCredentialCache fails if challenge_blob is not first

https://bugzilla.samba.org/show_bug.cgi?id=10692

Signed-off-by: Jeremy Allison <jra@samba.org>
2014-07-10 00:26:14 +02:00
Christof Schmitt
c863c3a2fc libwbclient: Call correct function for wbcPingDc2 test
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Wed Jul  9 18:36:08 CEST 2014 on sn-devel-104
2014-07-09 18:36:08 +02:00
Björn Jacke
0b4af49d27 waf: fix the name of the WINBIND "nss" module on AIX
on AIX this is actually not called NSS and PAM, this is combined im LAM (loadable
authentication module)

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jun 12 13:32:28 CEST 2014 on sn-devel-104
2014-06-12 13:32:28 +02:00
Christian Ambach
558850c495 s3:lib/afs move afs_settoken.c to common lib dir
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-06-04 20:09:38 +02:00
Andrew Bartlett
6add082461 selftest: Make test_wbinfo.sh work with s3-winbindd
Change-Id: I41ed850b6424eac3fb8b6603d5b87c66bb77dd51
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-04 03:22:26 +02:00
Andrew Bartlett
4688cf77c4 libwbclient-tests: No longer hardcoded password and test domain
The password is made more complex, and the test domain is made to
use the command line options.

Andrew Bartlett

Change-Id: Ia1ec24a9fc393e7f7b210f845bcf32dbc933d48f
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-04 03:22:26 +02:00
Andrew Bartlett
2b558f2096 selftest: Set winbind separator = /
This avoids a pile of shell-script escape pain, and fixes some tests.

Andrew Bartlett

Change-Id: Ie1d0e32ab484a5b0ddbc4073831fe6de27e38e92
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-04 03:22:25 +02:00
Andreas Schneider
1e9750a832 nsswitch: Fix the check for the privileged pipe.
Change-Id: I8f23ecc8444c3b25d5be2a7fdbf51ba7fe4a5ed9
Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-05-16 10:23:26 +02:00
Alexander Bokovoy
06c25eb25e wbclient: ensure response struct is initialized
Prior to asking for a winbindd private pipe we need to initialize
response structure to deal with a possible response failure.

winbind_open_pipe_sock() issues two winbindd requests:
 - asks for interface version
 - asks for a private pipe

The first call returns interface version in a response structure (which
is a union). The second call might fail -- in this case response
structure will not be initialized or filled in with any information.

As result, if the second call failed, response structure will have data
from an interface string interpreted as a pointer to a string during
SAFE_FREE() at the end of the winbind_open_pipe_sock().

To avoid that, ensure response struct is initialized before asking for
a private pipe.

https://bugzilla.samba.org/show_bug.cgi?id=10596

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May  8 04:24:53 CEST 2014 on sn-devel-104
2014-05-08 04:24:53 +02:00
Andreas Schneider
d407446ddc Remove special socket_wrapper code.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
2522bb8090 selftest: Rename WINBINDD_SOCKET_DIR environment variable.
It is very confusing if the env var uses the same name as the define in
the source code. So prefix it with SELFTEST.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
c29fb2e615 wbclient: Check with nss_wrapper_enabled().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
b2163f23c0 Remove special nss_wrapper code
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
486fa4a134 libwbclient: Handle uid_wrapper for pipe access.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
751b2b2d2a Remove uid_wrapper related code.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:05 +02:00
Andrew Bartlett
8175e98029 selftest: Rename wbinfo_s3 to wbinfo_simple and reorder code for clarity
Change-Id: Ic2e06e448fce1d91422b711abf663b9253009a53
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Apr  2 13:07:24 CEST 2014 on sn-devel-104
2014-04-02 13:07:24 +02:00
Andrew Bartlett
9ed7555c82 nsswitch: Remove fallback setting of WINBINDD_SOCKET_DIR
This is the original cause of the wbc NT_STATUS_OBJECT_NAME_NOT_FOUND issues in recent git master, as the
build was able to progress without the correct path being set as an override.

Andrew Bartlett

Change-Id: I1dbc7350695756356e869199b589eb781eb5c673
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar  5 18:34:48 CET 2014 on sn-devel-104
2014-03-05 18:34:48 +01:00
Andreas Schneider
f26db53273 nsswitch: Fix idmap rfc2307 test with system ldb.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2014-02-21 15:59:28 +01:00
Volker Lendecke
efed82cb69 krb5_locator: Slightly simplify code
This makes it a bit easier to read for me

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Kai Blin <kai@samba.org>
2014-02-20 11:43:08 -08:00
Garming Sam
63c24977ba param: rename lp function and variable from 'lockdir' to 'lock_directory'
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-02-07 16:19:10 -08:00
Garming Sam
2c2f175b0d Revert "pam_winbind: fix segfault in pam_sm_authenticate()"
This reverts commit ec0f51b200.

A more generic fix is now in use.

Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jan 15 01:37:38 CET 2014 on sn-devel-104
2014-01-15 01:37:38 +01:00
Garming Sam
3a814e329b pam_winbind: Do not honour require_membership_of in the acct module parameters
This needs a password to work, and it confuses users for it to appear to be valid here.

Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2014-01-14 23:44:26 +01:00
Garming Sam
6f4ec0c041 pam_winbind: Fix segfault caused by invalid configuration options
This is a better fix for 8564 and will allow ec0f51b200 to be reverted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8564

Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2014-01-14 23:44:26 +01:00
Andreas Schneider
541164d47a wbinfo: Fix a memory leak in wbinfo_ping_dc().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2014-01-09 20:42:54 +01:00
Jeremy Allison
b0ba4a5621 CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
2013-12-09 07:05:46 +01:00
Noel Power
f62683956a fail authentication for single group name which cannot be converted to sid
furthermore if more than one name is supplied and no sid is converted
then also fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=8598

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Nov 29 15:45:11 CET 2013 on sn-devel-104
2013-11-29 15:45:11 +01:00
Volker Lendecke
ffae8a13b6 pam_winbind: Use strlcat in safe_append_string
We have that available via libreplace, so use it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Nov 28 14:33:32 CET 2013 on sn-devel-104
2013-11-28 14:33:32 +01:00
Noel Power
01cae099e0 handle later iniparser version assigning a zero length string value for 'key='
older iniparser versions ( like that used in upstream samba ) ignore 'key='
entries, the key is not entered into the dictionary at all. Later
versions of iniparse specifically handle the following special cases

* key=
* key=;
* key=#

by assigning a value of "" ( a zero length string ) to the key
in the dictionary.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Nov 20 16:12:13 CET 2013 on sn-devel-104
2013-11-20 16:12:13 +01:00
Michael Adam
00c674985f wbinfo: fix output of wbinfo --sid-to-name for sids of type DOMAIN
to print only the domain name and not "DOMIN\<SID>".

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-11-13 11:40:28 +01:00
Michael Adam
f7240932af wbinfo: fix output of "--lookup-sids" to use the configured winbind separator
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-11-13 11:40:28 +01:00
Michael Adam
fdf28f0898 wbinfo: fix ouptput of --lookup-sids for sids of type DOMAIN
To print only the domain name and not "DOMIN\<SID>".

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-11-13 11:40:28 +01:00
Volker Lendecke
c6909887c2 nsswitch: Fix short writes in winbind_write_sock
We set the socket to nonblocking and don't handle EAGAIN right. We do
a poll anyway, so wait for writability, which should fix this.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10195
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-10-21 17:52:35 +02:00
Christian Ambach
20b64eae75 waf: replace dependency to libintl with samba_intl
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Mon Aug 12 00:46:34 CEST 2013 on sn-devel-104
2013-08-12 00:46:34 +02:00
Jeff Layton
ba9d8612e3 wbclient: fix conversion logic in wbcSidToStringBuf
Might as well fix it to handle large authority values properly. Also
correct some of the formatting.

Signed-off-by: Jeff Layton <jlayton@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-07-31 15:16:04 -07:00
Jeff Layton
1a4ec0b885 wbclient: fix conversion logic in wbcStringToSid
Signed-off-by: Jeff Layton <jlayton@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-07-31 15:15:47 -07:00
Andreas Schneider
f908e6b0c5 nsswitch: Add OPT_KRB5CCNAME to avoid an error message.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10048

Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul 26 17:40:26 CEST 2013 on sn-devel-104
2013-07-26 17:40:25 +02:00
Günther Deschner
73e6feff9b wbinfo: allow to define a custom krb5ccname for kerberized pam auth.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-07-23 15:39:14 -07:00
Andreas Schneider
33bce26fcf nsswitch: Don't enumerate all domains with wbinfo -u|-g.
By default wbinfo -u|-g should only enumerate the domain winbindd is
joined to. The command can be harmfull if you have e.g. 30 domains and
700k users. Then the parent will collect all information and the
oom-killer will kill winbind. As we still want to support it, you can
enable it the old behaviour with wbinfo --domain='*' -u. This is
a measure that sysadmins don't shoot themself.

https://bugzilla.samba.org/show_bug.cgi?id=10034

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 18 11:54:58 CEST 2013 on sn-devel-104
2013-07-18 11:54:56 +02:00
Bill Parker
9b58da9866 Fix bug 10025 - Lack of Sanity Checking in calls to malloc()/calloc().
In reviewing various files in Samba-4.0.7, I found a number
of instances where malloc()/calloc() were called without the
checking the return value for a value of NULL, which would
indicate failure.

(NB. The changes needed to ccan, iniparser, popt and heimdal
will be reported upstream, not patched inside Samba).

Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Simo Source <idra@samba.org>
2013-07-17 16:12:19 -07:00
Christian Ambach
e65c53226c nsswitch: fix a comment
the beginning if is only ifdef LINUX now, not the long list this comment refers to

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2013-06-25 12:53:28 +02:00
Andrew Bartlett
2c70b0edcf nsswitch: Remove #if SAMBA_BUILD_ >= 4 now we only have the waf build
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-05-28 12:17:12 +10:00
Christian Ambach
1a7bd5e12c nsswitch: fix some typos
Signed-off-by: Christian Ambach <ambi@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 17 01:09:33 CEST 2013 on sn-devel-104
2013-05-17 01:09:33 +02:00
David Disseldorp
0fa404c7d5 Bug 9807 - wbinfo: fix segfault in wbinfo_pam_logon
wbinfo_pam_logon() incorrectly assumes that wbcLogonUser() always
returns an allocated wbcAuthErrorInfo struct on failure.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 17 21:29:29 CEST 2013 on sn-devel-104
2013-04-17 21:29:29 +02:00
Andreas Schneider
9624ca4f88 BUG 9735: Fix winbind seperator in upn to username conversion.
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 22 16:18:06 CET 2013 on sn-devel-104
2013-03-22 16:18:06 +01:00
Christof Schmitt
6ac0bdc451 Add testcase for idmap_rfc2307 module
Create a new test environment with 'idmap config DOMAIN : backend =
rfc2307'. A new test script adds LDAP records and queries them again for
the mapped uid and gid.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Mar  9 08:18:43 CET 2013 on sn-devel-104
2013-03-09 08:18:43 +01:00
Richard Sharpe
11d1286323 Correct the name of the nss_winbind module for FreeBSD by creating a symlink
from the FreeBSD required name to the built module.

Signed-off-by: Timur Bakeyev <timur@FreeBSD.org>
Reviewed-by: Andrew Bartlett <abartlett@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>

Autobuild-User(master): Richard Sharpe <sharpe@samba.org>
Autobuild-Date(master): Fri Mar  8 05:04:04 CET 2013 on sn-devel-104
2013-03-08 05:04:04 +01:00
Andreas Schneider
301a3cb4af wbinfo: Fix several memory leaks.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2013-02-22 16:36:13 +01:00
Andrew Bartlett
613f49ab8b build: Remove includes.h dep in winbind client libraries
Our LGPL winbind client libs do not link against our server-side code, and
should not use the server-side includes.h.

This removes a build-time dep on talloc that was brought in via includes.h as
this code also does not use talloc.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-02-22 08:46:35 +01:00
Ira Cooper
63a7d3817f nsswitch: Fix two bitfield constants being the same.
WBFLAG_PAM_AUTH_PAC and WBFLAG_BIG_NTLMV2_BLOB
are the same causing errors in NTLMv2 authentication.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 18 22:13:09 CET 2013 on sn-devel-104
2013-01-18 22:13:09 +01:00
Jeremy Allison
d814cfac01 Sort winbind request flags. Ira saw we have a duplicate.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed by: Ira Cooper <ira@wakeful.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-18 11:28:40 -08:00
Andrew Bartlett
c9d2ca585e selftest: Add test for rfc2307 mapping handling
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-10 14:52:52 +01:00
Andreas Schneider
f8a5abf960 libwbclient: Fix null check in process_domain_info_string().
Found by Coverity.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2012-12-21 13:56:00 +01:00
Andreas Schneider
24a897f029 nsswitch: Fix wbclient BAIL macros.
In the code you normally use:

BAIL_ON_WBC_ERROR;

but the last ; is statement never reached, so dead code.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2012-12-21 13:56:00 +01:00
Andreas Schneider
1dc414e4d2 nsswitch: Fix pam_get_{item,data} build warnings.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2012-12-12 15:00:02 +01:00
Andreas Schneider
de22df1419 nsswitch: Remove unused variable in _pam_winbind_change_pwd().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2012-12-12 15:00:02 +01:00
Andreas Schneider
b8ed2efb50 nsswitch: Cleanup code in parse_wbinfo_domain_user().
Found by Coverity.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2012-12-12 15:00:02 +01:00
Andreas Schneider
04c0d4878e wbinfo: Use new samba_getpass() function.
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2012-12-03 14:35:08 +01:00
Andrew Bartlett
f22e15d9d5 build: Do not install testing binaries
These binaries are for developer or selftest use, and are not
supported for installation onto the system.  The autoconf build does
not install these binaries, and so neither should the waf build.

Andrew Bartlett

Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Nov 22 12:00:36 CET 2012 on sn-devel-104
2012-11-22 12:00:36 +01:00
David Disseldorp
ec0f51b200 pam_winbind: fix segfault in pam_sm_authenticate()
Ensure the potentially null winbind context is not dereferenced on
cleanup.

https://bugzilla.samba.org/show_bug.cgi?id=8564

Signed-off-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Oct 26 22:40:57 CEST 2012 on sn-devel-104
2012-10-26 22:40:57 +02:00
Andreas Schneider
1f017efeed waf: Create a libnss_winbind.so symlink.
This fixes bug #9299.
2012-10-22 09:04:21 +02:00
Andrew Bartlett
1f267ca10e nsswitch: Build nss_winbind on all supported platforms
This matches what the autoconf build can do.

Andrew Bartlett
2012-10-03 14:25:57 +02:00
Andrew Bartlett
0e037bfc60 selftest: Always build a linux-style nss_winbind for nss_wrapper 2012-10-03 14:25:57 +02:00
Ira Cooper
6dbe0aad26 s3: Fix libnss_winbind.so's build on Illumos/Solaris
Due to not building and linking in the winbind_nss_solaris bits in addition
to the linux bits, nss was broken on Solaris.

Autobuild-User(master): Ira Cooper <ira@samba.org>
Autobuild-Date(master): Sun Sep 30 22:56:30 CEST 2012 on sn-devel-104
2012-09-30 22:56:29 +02:00
Andrew Bartlett
968da5f890 nsswitch: Add waf tests for solaris special cases
These are in configure.in for autoconf.  Found in the config.h comparison on
the smbtorture4 build.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 26 11:50:10 CEST 2012 on sn-devel-104
2012-09-26 11:50:10 +02:00
Andrew Bartlett
914b02be5a libwbclient: bump ABI to 0.11 as wbcAuthenticateUserEx now provides PAC parsing
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Sep 21 06:37:15 CEST 2012 on sn-devel-104
2012-09-21 06:37:15 +02:00
Christof Schmitt
1bc2f28b94 winbind: Extend wbcAuthenticateUserEx to provide PAC
With this new interface, external applications that have authenticated
to an ADS can pass the PAC from the Kerberos ticket to
wbcAuthenticateUserEx. winbindd decodes and extracts the info3
information for the external application. If winbindd can verify the PAC
signature, the info3 from the PACis also added to the netsamlogon_cache.

The info3 data can be used by the external application to get the uid
and primary gid. The data in netsamlogon_cache allows to retrieve the
complete group list through the NSS function getgrouplist.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-09-20 19:49:32 -07:00
Günther Deschner
98d90c02f0 pam_winbind: match more return codes when wbcGetPwnam has failed.
This is required to properly return PAM_USER_UNKNOWN in case winbind had a
problem.

Guenther

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Sep 19 15:06:10 CEST 2012 on sn-devel-104
2012-09-19 15:06:10 +02:00