1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

21 Commits

Author SHA1 Message Date
Stefan Metzmacher
abe427775e libcli/auth: add netlogon_creds_cli_debug_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-21 16:09:21 +01:00
Stefan Metzmacher
8a209e5a0c libcli/auth: check E_md4hash() result in netlogon_creds_cli_ServerPasswordSet_send()
We need to make sure we can convert the given string to an nthash.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-21 16:09:21 +01:00
Stefan Metzmacher
0ed2a65593 libcli/auth: use the correct creds value against servers without LogonSamLogonEx
If we use the credential chain we need to use the value from
netlogon_creds_client_authenticator() to make sure we have the current
value to encrypt in logon info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12586

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-21 16:09:21 +01:00
Michael Adam
bebd35f439 netlogon_creds_cli: use dbwrap_purge instead of dbwrap_delete where appropriate
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-03-01 21:50:24 +01:00
Jelmer Vernooij
773cfba9af Avoid including libds/common/roles.h in public loadparm.h header.
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Stefan Metzmacher
87c57956ba libcli/auth: add netlogon_creds_cli_GetForestTrustInformation*()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jan 21 17:19:33 CET 2015 on sn-devel-104
2015-01-21 17:19:33 +01:00
Stefan Metzmacher
05a3d980f8 libcli/auth: add netlogon_creds_cli_ServerGetTrustInfo*()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-01-21 14:56:07 +01:00
Andrew Bartlett
36ecbf34ba libcli/auth: Ensure that the dns_names in/out parameter is preserved
This is in dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords, which has
status variables filled in by the server and placed in this in/out
array.

This showed up as a segfault in winbindd during RODC DNS update.

Andrew Bartlett

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
2014-08-01 09:48:35 +02:00
Volker Lendecke
0a7290ca7d libcli: Remove an unused variable
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul  1 00:43:18 CEST 2014 on sn-devel-104
2014-07-01 00:43:18 +02:00
Andrew Bartlett
223fbdaf38 s3-winbindd: Listen on IRPC and do forwarded DNS updates on an RODC
Change-Id: Ib87933c318f510d95f7008e122216d73803ede68
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Ira Cooper
8cd8aa6686 libcli: Overflow array index read possible, in auth code.
Changed the if condtion to detect when we'd improperly overflow.

Coverity-Id: 1167990
Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ira Cooper <ira@samba.org>
Autobuild-Date(master): Mon Feb 24 11:56:38 CET 2014 on sn-devel-104
2014-02-24 11:56:37 +01:00
Ira Cooper
14063719e0 Revert "libcli: Overflow array index read possible, in auth code."
This reverts commit 538cbfe0e9.

Signed-off-by: Ira Cooper <ira@samba.org>
2014-02-24 14:16:00 +05:30
Ira Cooper
538cbfe0e9 libcli: Overflow array index read possible, in auth code.
The values have to be signed here to allow for the values to go negative,
to prevent the overflow.

Coverity-Id: 1167990
Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ira Cooper <ira@samba.org>
Autobuild-Date(master): Mon Feb 24 07:23:03 CET 2014 on sn-devel-104
2014-02-24 07:23:03 +01:00
Michael Adam
7e766a0a8a dbwrap: add dbwrap_flags argument to dbwrap_local_open()
To be consistent with db_open() and prepare for future
possible extensions.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-02-07 16:06:07 +01:00
Stefan Metzmacher
387ed2e15d libcli/auth: don't alter the computer_name in cluster mode.
This breaks NTLMv2 authentication.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-22 17:12:05 +01:00
Stefan Metzmacher
ece3ba10a1 libcli/auth: add netlogon_creds_cli_set_global_db()
This can be used to inject a db_context from dbwrap_ctdb.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-22 17:11:19 +01:00
Stefan Metzmacher
0e62f32795 libcli/auth: fix usage of an uninitialized variable in netlogon_creds_cli_check_caps()
If status is RPC_PROCNUM_OUT_OF_RANGE, result might be uninitialized.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2014-01-08 14:34:13 +01:00
Stefan Metzmacher
3d45d4dc3c libcli/auth: remove unused netlogon_creds_cli_context_copy()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:16 +01:00
Stefan Metzmacher
fa3af7c2e8 libcli/auth: make use of real options in netlogon_creds_cli_context_global()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:05 +01:00
Stefan Metzmacher
dc96b1ddcc libcli/auth: use unique key_name values in netlogon_creds_cli_context_common()
Until all callers are fixed to pass the same 'server_computer'
value, we try to calculate a server_netbios_name and use this
as unique identifier for a specific domain controller.

Otherwise winbind would use 'hostname.example.com'
while 'net rpc testjoin' would use 'HOSTNAME',
which leads to 2 records in netlogon_creds_cli.tdb
for the same domain controller.

Once all callers are fixed we can think about reverting this
commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:04 +01:00
Stefan Metzmacher
6e6d9f9f12 libcli/auth: add netlogon_creds_cli* infrastructure
This provides an abstraction to hide netlogon_creds_CredentialState,
which is stored in a node local tdb.

Where the global state (netlogon_creds_CredentialState) between client and
server was only kept in memory (on the client side), we now use
the abstracted netlogon_creds_cli_context.

We now use a node specific computer name in order to establish
individual netlogon sessions per node.

If the caller wants to use some netlogon calls with credential chain
(struct netr_Authenticator), netlogon_creds_cli_lock*() is used
to get the current netlogon_creds_CredentialState in a g_lock'ed
fashion, a talloc_free() will release the lock.

The locking is needed as there might be more than one process
(multiple winbindd child, cmdline tools) which want to talk
to a specific domain controller. The usage of netlogon_creds_CredentialState
needs to be serialized as it uses sequence numbers.

LogonSamLogonEx doesn't use the credential chain, but for some operations
it needs the global session in order to de/encrypt individual fields.
It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate()
functions, which just make sure the session hasn't changed between
get and validate.

This is prepares the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:03 +01:00