1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

494 Commits

Author SHA1 Message Date
Jelmer Vernooij
49445541e7 Support using system ldbmodify.
Fixes this test when bin/ldbmodify isn't built because we're using the
system ldbmodify.

Change-Id: I2ff0d9808245353006c6be4989976a3edad8f98e
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-19 18:30:07 +01:00
Stefan Metzmacher
d5326bca33 nsswitch: avoid some compiler warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-14 23:27:05 +01:00
Björn Jacke
8ccf5f6669 nss_winbind: add getgroupmembership for FreeBSD
The getgroupmembership call on FreeBSD is needed for "winbind expand groups=0"
(the new default in 4.2) to work.

Thanks to Timur I. Bakeyev for the enhancement patch.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10835

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
2014-10-20 12:20:04 +02:00
Michael Adam
6bbfb09b07 pam_winbind: fix comment typos
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Sat Oct 18 12:41:07 CEST 2014 on sn-devel-104
2014-10-18 12:41:07 +02:00
Andreas Schneider
7f59711f07 nsswitch: Skip groups we were not able to map.
If we have configured the idmap_ad backend it is possible that the user
is in a group without a gid set. This will result in (uid_t)-1 as the
gid. We return this invalid gid to NSS which is wrong.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10824

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Sep 19 17:57:14 CEST 2014 on sn-devel-104
2014-09-19 17:57:14 +02:00
Jeremy Allison
8bbf901f93 Replace all uses of iniparser with tiniparser.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2014-08-14 21:27:13 +02:00
Ira Cooper
61dd66575d nsswitch: Fix bogus #include line.
We are not allowed to reach around behind the system's back and
include the wrong headerfiles.

Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-08-09 18:26:16 +02:00
Jeremy Allison
ca1e4af466 As David Woodhouse points out, this breaks backwards compatibility.
https://bugzilla.samba.org/show_bug.cgi?id=10692

Revert "libwbclient: reject unknown named blobs in wbcCredentialCache()"

This reverts commit 740d12d1e7.

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jul 14 21:54:08 CEST 2014 on sn-devel-104
2014-07-14 21:54:08 +02:00
Stefan Metzmacher
740d12d1e7 libwbclient: reject unknown named blobs in wbcCredentialCache()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10692

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 10 22:30:45 CEST 2014 on sn-devel-104
2014-07-10 22:30:45 +02:00
Stefan Metzmacher
6704799dec libwbclient: allow only one initial_blob/challenge_blob in wbcCredentialCache()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10692

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-07-10 20:04:13 +02:00
Jeremy Allison
f4d83872e0 s3: libwbclient: Don't break out of loop too soon - find all parameters.
Fix bug #10692: wbcCredentialCache fails if challenge_blob is not first

https://bugzilla.samba.org/show_bug.cgi?id=10692

Signed-off-by: Jeremy Allison <jra@samba.org>
2014-07-10 00:26:14 +02:00
Christof Schmitt
c863c3a2fc libwbclient: Call correct function for wbcPingDc2 test
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Wed Jul  9 18:36:08 CEST 2014 on sn-devel-104
2014-07-09 18:36:08 +02:00
Björn Jacke
0b4af49d27 waf: fix the name of the WINBIND "nss" module on AIX
on AIX this is actually not called NSS and PAM, this is combined im LAM (loadable
authentication module)

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jun 12 13:32:28 CEST 2014 on sn-devel-104
2014-06-12 13:32:28 +02:00
Christian Ambach
558850c495 s3:lib/afs move afs_settoken.c to common lib dir
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-06-04 20:09:38 +02:00
Andrew Bartlett
6add082461 selftest: Make test_wbinfo.sh work with s3-winbindd
Change-Id: I41ed850b6424eac3fb8b6603d5b87c66bb77dd51
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-04 03:22:26 +02:00
Andrew Bartlett
4688cf77c4 libwbclient-tests: No longer hardcoded password and test domain
The password is made more complex, and the test domain is made to
use the command line options.

Andrew Bartlett

Change-Id: Ia1ec24a9fc393e7f7b210f845bcf32dbc933d48f
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-04 03:22:26 +02:00
Andrew Bartlett
2b558f2096 selftest: Set winbind separator = /
This avoids a pile of shell-script escape pain, and fixes some tests.

Andrew Bartlett

Change-Id: Ie1d0e32ab484a5b0ddbc4073831fe6de27e38e92
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-04 03:22:25 +02:00
Andreas Schneider
1e9750a832 nsswitch: Fix the check for the privileged pipe.
Change-Id: I8f23ecc8444c3b25d5be2a7fdbf51ba7fe4a5ed9
Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-05-16 10:23:26 +02:00
Alexander Bokovoy
06c25eb25e wbclient: ensure response struct is initialized
Prior to asking for a winbindd private pipe we need to initialize
response structure to deal with a possible response failure.

winbind_open_pipe_sock() issues two winbindd requests:
 - asks for interface version
 - asks for a private pipe

The first call returns interface version in a response structure (which
is a union). The second call might fail -- in this case response
structure will not be initialized or filled in with any information.

As result, if the second call failed, response structure will have data
from an interface string interpreted as a pointer to a string during
SAFE_FREE() at the end of the winbind_open_pipe_sock().

To avoid that, ensure response struct is initialized before asking for
a private pipe.

https://bugzilla.samba.org/show_bug.cgi?id=10596

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May  8 04:24:53 CEST 2014 on sn-devel-104
2014-05-08 04:24:53 +02:00
Andreas Schneider
d407446ddc Remove special socket_wrapper code.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
2522bb8090 selftest: Rename WINBINDD_SOCKET_DIR environment variable.
It is very confusing if the env var uses the same name as the define in
the source code. So prefix it with SELFTEST.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
c29fb2e615 wbclient: Check with nss_wrapper_enabled().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
b2163f23c0 Remove special nss_wrapper code
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
486fa4a134 libwbclient: Handle uid_wrapper for pipe access.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
751b2b2d2a Remove uid_wrapper related code.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:05 +02:00
Andrew Bartlett
8175e98029 selftest: Rename wbinfo_s3 to wbinfo_simple and reorder code for clarity
Change-Id: Ic2e06e448fce1d91422b711abf663b9253009a53
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Apr  2 13:07:24 CEST 2014 on sn-devel-104
2014-04-02 13:07:24 +02:00
Andrew Bartlett
9ed7555c82 nsswitch: Remove fallback setting of WINBINDD_SOCKET_DIR
This is the original cause of the wbc NT_STATUS_OBJECT_NAME_NOT_FOUND issues in recent git master, as the
build was able to progress without the correct path being set as an override.

Andrew Bartlett

Change-Id: I1dbc7350695756356e869199b589eb781eb5c673
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar  5 18:34:48 CET 2014 on sn-devel-104
2014-03-05 18:34:48 +01:00
Andreas Schneider
f26db53273 nsswitch: Fix idmap rfc2307 test with system ldb.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2014-02-21 15:59:28 +01:00
Volker Lendecke
efed82cb69 krb5_locator: Slightly simplify code
This makes it a bit easier to read for me

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Kai Blin <kai@samba.org>
2014-02-20 11:43:08 -08:00
Garming Sam
63c24977ba param: rename lp function and variable from 'lockdir' to 'lock_directory'
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-02-07 16:19:10 -08:00
Garming Sam
2c2f175b0d Revert "pam_winbind: fix segfault in pam_sm_authenticate()"
This reverts commit ec0f51b200.

A more generic fix is now in use.

Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jan 15 01:37:38 CET 2014 on sn-devel-104
2014-01-15 01:37:38 +01:00
Garming Sam
3a814e329b pam_winbind: Do not honour require_membership_of in the acct module parameters
This needs a password to work, and it confuses users for it to appear to be valid here.

Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2014-01-14 23:44:26 +01:00
Garming Sam
6f4ec0c041 pam_winbind: Fix segfault caused by invalid configuration options
This is a better fix for 8564 and will allow ec0f51b200 to be reverted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8564

Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2014-01-14 23:44:26 +01:00
Andreas Schneider
541164d47a wbinfo: Fix a memory leak in wbinfo_ping_dc().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2014-01-09 20:42:54 +01:00
Jeremy Allison
b0ba4a5621 CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
2013-12-09 07:05:46 +01:00
Noel Power
f62683956a fail authentication for single group name which cannot be converted to sid
furthermore if more than one name is supplied and no sid is converted
then also fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=8598

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Nov 29 15:45:11 CET 2013 on sn-devel-104
2013-11-29 15:45:11 +01:00
Volker Lendecke
ffae8a13b6 pam_winbind: Use strlcat in safe_append_string
We have that available via libreplace, so use it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Nov 28 14:33:32 CET 2013 on sn-devel-104
2013-11-28 14:33:32 +01:00
Noel Power
01cae099e0 handle later iniparser version assigning a zero length string value for 'key='
older iniparser versions ( like that used in upstream samba ) ignore 'key='
entries, the key is not entered into the dictionary at all. Later
versions of iniparse specifically handle the following special cases

* key=
* key=;
* key=#

by assigning a value of "" ( a zero length string ) to the key
in the dictionary.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Nov 20 16:12:13 CET 2013 on sn-devel-104
2013-11-20 16:12:13 +01:00
Michael Adam
00c674985f wbinfo: fix output of wbinfo --sid-to-name for sids of type DOMAIN
to print only the domain name and not "DOMIN\<SID>".

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-11-13 11:40:28 +01:00
Michael Adam
f7240932af wbinfo: fix output of "--lookup-sids" to use the configured winbind separator
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-11-13 11:40:28 +01:00
Michael Adam
fdf28f0898 wbinfo: fix ouptput of --lookup-sids for sids of type DOMAIN
To print only the domain name and not "DOMIN\<SID>".

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-11-13 11:40:28 +01:00
Volker Lendecke
c6909887c2 nsswitch: Fix short writes in winbind_write_sock
We set the socket to nonblocking and don't handle EAGAIN right. We do
a poll anyway, so wait for writability, which should fix this.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10195
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-10-21 17:52:35 +02:00
Christian Ambach
20b64eae75 waf: replace dependency to libintl with samba_intl
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Mon Aug 12 00:46:34 CEST 2013 on sn-devel-104
2013-08-12 00:46:34 +02:00
Jeff Layton
ba9d8612e3 wbclient: fix conversion logic in wbcSidToStringBuf
Might as well fix it to handle large authority values properly. Also
correct some of the formatting.

Signed-off-by: Jeff Layton <jlayton@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-07-31 15:16:04 -07:00
Jeff Layton
1a4ec0b885 wbclient: fix conversion logic in wbcStringToSid
Signed-off-by: Jeff Layton <jlayton@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-07-31 15:15:47 -07:00
Andreas Schneider
f908e6b0c5 nsswitch: Add OPT_KRB5CCNAME to avoid an error message.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10048

Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul 26 17:40:26 CEST 2013 on sn-devel-104
2013-07-26 17:40:25 +02:00
Günther Deschner
73e6feff9b wbinfo: allow to define a custom krb5ccname for kerberized pam auth.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-07-23 15:39:14 -07:00
Andreas Schneider
33bce26fcf nsswitch: Don't enumerate all domains with wbinfo -u|-g.
By default wbinfo -u|-g should only enumerate the domain winbindd is
joined to. The command can be harmfull if you have e.g. 30 domains and
700k users. Then the parent will collect all information and the
oom-killer will kill winbind. As we still want to support it, you can
enable it the old behaviour with wbinfo --domain='*' -u. This is
a measure that sysadmins don't shoot themself.

https://bugzilla.samba.org/show_bug.cgi?id=10034

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 18 11:54:58 CEST 2013 on sn-devel-104
2013-07-18 11:54:56 +02:00
Bill Parker
9b58da9866 Fix bug 10025 - Lack of Sanity Checking in calls to malloc()/calloc().
In reviewing various files in Samba-4.0.7, I found a number
of instances where malloc()/calloc() were called without the
checking the return value for a value of NULL, which would
indicate failure.

(NB. The changes needed to ccan, iniparser, popt and heimdal
will be reported upstream, not patched inside Samba).

Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Simo Source <idra@samba.org>
2013-07-17 16:12:19 -07:00
Christian Ambach
e65c53226c nsswitch: fix a comment
the beginning if is only ifdef LINUX now, not the long list this comment refers to

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2013-06-25 12:53:28 +02:00