1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

411 Commits

Author SHA1 Message Date
Stefan Metzmacher
61333f7787 s4:rpc_server/netlogon: use samdb_domain_guid()/dsdb_trust_local_tdo_info() to build our netr_OneDomainInfo values
The logic for constructing the values for our own primary domain differs
from the values of trusted domains. In order to make the code easier to
understand we have a new fill_our_one_domain_info() helper that
only takes care of our primary domain.

The cleanup for the trust case will follow in a separate commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11517

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-04 02:31:27 +02:00
Andrew Bartlett
1bb2a1c6b3 auth: For NTLM and KDC authentication, log the authentication duration
This is not a general purpose profiling solution, but these JSON logs are already being
generated and stored, so this is worth adding.

Some administrators are very keen to know how long authentication
takes, particularly due to long replication transactions in other
processes.

This complements a similar patch set to log the transaction duration.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-06-25 08:32:14 +02:00
Gary Lockyer
5c0345ea9b samdb: Add remote address to connect
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:23 +02:00
Garming Sam
d1730d6ff1 netlogon: Allow zero-GUID to act the same as NULL in GetDCNameEx2
This matches Windows behaviour and allows rpcclient to work against
Samba without knowing the GUID ahead of time. Errors related to this
don't appear to occur within selftest.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13365

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Fri May  4 09:11:19 CEST 2018 on sn-devel-144
2018-05-04 09:11:19 +02:00
Garming Sam
7b56b522d4 netlogon: Store the client site to clobber any plausibly returned via winbind
So far, I have never observed the case where the winbind call ever
bothered to return a proper site, but in case it ever does so, we
clobber it here. This has implications for returning a non-local domain
site name, but for now, we ignore them.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13365

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-04 06:12:11 +02:00
Garming Sam
6d188fe05b netlogon: Forward GetDCNameEx2 to winbind via IRPC
Here we simply forward everything without alteration (the same struct is
returned). This helps us to fix the case where the DC does not exist in
the target site, furthermore, this is supposed to work for trusted
domains.

In calling out to winbind, we now also notice if you provide a site
which exists in multiple domains and provide the correct domain (instead
of accidentally returning ourselves).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13365

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-04 06:12:10 +02:00
Garming Sam
00cb8a3e12 netlogon: Allow return of error code in future asynchronous winbind forwards
We change the naming conventions to match dcesrv_netr_*_base_call used elsewhere.

This is important when we make the underlying Ex2 call asynchronous.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13365

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-04 06:12:10 +02:00
Garming Sam
3fcb768057 dsdb: Allow the disable of the Windows server site fallback
A usage in GetDCNameEx2 could return the wrong result. This may need to
be fixed in other places.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13365

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-04 06:12:10 +02:00
Garming Sam
0b6186bfce netlogon: Add a comment regarding one of the DC location calls
It appears to be basically deprecated, as it was superceded by other
calls. Presumably it is also unused.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13365

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-04 06:12:10 +02:00
Stefan Metzmacher
8022b63f6c s4:rpc_server/netlogon: make use of auth_check_password_send/recv()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
023bd2d15d s4:rpc_server/netlogon: make use of async kdc_check_generic_kerberos_send/recv()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
373da95b0b s4:rpc_server/netlogon: prepare dcesrv_netr_LogonSamLogon_base for async processing
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
b10d01d14a s4:rpc_server/netlogon: check auth_level for validation level 6 already in dcesrv_netr_LogonSamLogon_check()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Andrew Bartlett
427a11b812 s4-netlogon: Use log_escape to protect against un-validated strings
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-24 23:29:23 +02:00
Andrew Bartlett
abd821b76b s4-netlogon: Extend ServerAuthenticate3 logging to split up username forms
This splits out the username into the input, mapped and obtained
just as we do elsewhere.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-24 23:29:23 +02:00
Gary Lockyer
efc335a030 source4 netlogon: Add authentication logging for ServerAuthenticate3
Log NETLOGON authentication activity by instrumenting the
netr_ServerAuthenticate3 processing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-24 23:29:23 +02:00
Andrew Bartlett
a075b7f8dd s4-netlogon: Escape user-supplied computer name in Bad credentials log line
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-06-27 16:57:42 +02:00
Andrew Bartlett
d9a1d572c2 s4-netlogon: Provide logs for machine account success and failures
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-06-27 16:57:42 +02:00
Gary Lockyer
45709fdfa8 s4/dcerpc_netlogon: Logging for dcesrv_netr_LogonGetDomainInfo
Log details of the remote machine when bad credentials received.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-22 08:56:22 +02:00
Stefan Metzmacher
f180b1c21c s4:rpc_server: Do some checks of LogonSamLogon flags
This matches a Windows Server, at least if it is itself a
DC of the forest root and the requested domain is the local domain of the DC.
Both constraints are true on a Samba AD DC, as we don't really support
trusts yet.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun  9 17:06:04 CEST 2017 on sn-devel-144
2017-06-09 17:06:04 +02:00
Garming Sam
b22387cf85 rpc_server: Move SID helpers into common
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
d3e8bcbc9b netlogon: Add necessary security checks for SendToSam
We eliminate a small race between GUID -> DN and ensure RODC can only
reset bad password count on accounts it is allowed to cache locally.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
fd29e28d52 netlogon: Implement SendToSam along with its winbind forwarding
This allows you to forward bad password count resets to 0. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).

(further patches still need to address forcing a RWDC contact)

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Andrew Bartlett
ea3f00f2b5 auth: Add "auth_description" to allow logs to distinguish simple bind (etc)
This will allow the authentication log to indicate clearly how the password was
supplied to the server.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:26 +02:00
Andrew Bartlett
c048918959 auth: Fill in user_info->service_description from all callers
This will allow the logging code to make clear which protocol an authentication was for.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:25 +02:00
Andrew Bartlett
9e09e68d47 s4-netlogon: Remember many more details in the auth_usersupplied info for future logs
This will allow a very verbose JSON line to be logged that others can audit from in the future

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:25 +02:00
Stefan Metzmacher
4af89d534d auth4: let auth_check_password* return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:09 +01:00
Stefan Metzmacher
74deb488e9 netlogon4: make use of auth_context_create_for_netlogon()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:09 +01:00
Volker Lendecke
2251c30528 rpc_server: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-02-15 02:28:15 +01:00
Andrew Bartlett
ffb8b50e3c s4-rpc_server: Allow each interface to declare if it uses handles
This will allow the NETLOGON server in the AD DC to declare that it does not use
handles, and so allow some more flexibility with association groups

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 01:11:23 +01:00
Douglas Bagnall
a7598fb53b rpc_server:netlogon Move from memcache to a tdb cache
This allows the netlogon server to be moved into a multi-process model
while still supporting clients that use a challenge from a different
network connection.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Dec 14 20:12:14 CET 2016 on sn-devel-144
2016-12-14 20:12:13 +01:00
Günther Deschner
d97f7a48ea werror: replace WERR_DCNOTFOUND with WERR_NERR_DCNOTFOUND in source4/rpc_server/netlogon/dcerpc_netlogon.c
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-28 00:04:29 +02:00
Günther Deschner
cda198c0c5 werror: replace WERR_GENERAL_FAILURE with WERR_GEN_FAILURE in source4/rpc_server/
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-28 00:04:21 +02:00
Günther Deschner
eaee3b85e8 werror: replace WERR_NOMEM with WERR_NOT_ENOUGH_MEMORY in source4/rpc_server/
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-28 00:04:20 +02:00
Stefan Metzmacher
3b94fde963 s4:rpc_server/netlogon: make use of auth_convert_user_info_dc_saminfo{2,6}()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:27 +02:00
Stefan Metzmacher
5128a874c8 s4:rpc_server/netlogon: initialize pointer to NULL in dcesrv_netr_LogonSamLogon_base()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:27 +02:00
Stefan Metzmacher
4624c838c8 CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:29 +02:00
Stefan Metzmacher
ea3f14c3f8 CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2016-04-12 19:25:27 +02:00
Stefan Metzmacher
fb20f135f0 CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:24 +02:00
Stefan Metzmacher
5fe7085e3b CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:23 +02:00
Stefan Metzmacher
afe48e960b CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:23 +02:00
Volker Lendecke
88c4687945 idl: Rename "principle" to "principal_name"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-02-02 08:42:09 +01:00
Arvid Requate
d3ac3da986 s4:rpc_server/netlogon: Fix for NetApp
This patch fixes an issue where NetApp filers joined to a
Samba/ADDC cannot resolve SIDs. Without this patch the issue
can only be avoided by setting "allow nt4 crypto = yes" in smb.conf.

The issue is triggered by NetApp filers in three steps:

1. The client calls netr_ServerReqChallenge to set up challenge tokens

2. Next it calls netr_ServerAuthenticate2 with NETLOGON_NEG_STRONG_KEYS
   set to 0. Native AD and Samba respond to this with
   NT_STATUS_DOWNGRADE_DETECTED. At this point Samba throws away
   the challenge token negotiated in the first step.

3. Next the client calls netr_ServerAuthenticate2 again, this time with
   NETLOGON_NEG_STRONG_KEYS set to 1.
   Samba returns NT_STATUS_ACCESS_DENIED as it has lost track
   of the challenge and denies logon with the message

   No challenge requested by client [CLNT1/CLNT1$], cannot authenticate

Git commit 321ebc99b5 introduced
a workaround for a different but related issue. This patch makes a minor
adjustment to that commit to delay flushing the cached challenge until
it's clear that we are not in a NT_STATUS_DOWNGRADE_DETECTED
situation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Aug  6 20:29:04 CEST 2015 on sn-devel-104
2015-08-06 20:29:04 +02:00
Stefan Metzmacher
fcc6b5c56a s4:rpc_server/netlogon: check domain state in netr_*GetForestTrustInformation()
This should only work on a forest root domain controller and a forest function
level >= 2003.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
ef8f55ad8a s4:rpc_server/netlogon: make use of dsdb_trust_xref_forest_info()
This collects the whole information about the local forest,
including all domains and defined top level names (uPNSuffixes and
msDS-SPNSuffixes).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
9af2561325 s4:rpc_server/netlogon: implement netr_DsRGetForestTrustInformation with trusted domains
We redirect this to remote DC as netr_GetForestTrustInformation() via an IRPC
call to winbindd.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
70cea2b85c s4:rpc_server/netlogon: implement NETLOGON_CONTROL_{QUERY,REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD}
We pass NETLOGON_CONTROL_{REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD} to
winbindd and do the hard work there, while we answer NETLOGON_CONTROL_QUERY
directly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
c57fef89e1 s4:rpc_server/netlogon: implement dcesrv_netr_ServerTrustPasswordsGet()
We just need to call dcesrv_netr_ServerGetTrustInfo() and ignore trust_info.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
a02300c0c7 s4:rpc_server/netlogon: implement dcesrv_netr_ServerGetTrustInfo()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
0b4bdee4a1 s4:rpc_server/netlogon: let dcesrv_netr_ServerAuthenticate3() fallback to the previous hash for trusts
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
a56d9fe5da s4:rpc_server/netlogon: extract and pass down the password version in dcesrv_netr_ServerPasswordSet2()
For domain trusts we need to extract NL_PASSWORD_VERSION from the password
buffer.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
aded6f6551 s4:dsdb/common: pass optional new_version to samdb_set_password_sid()
For trust account we need to store version number provided by the client.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Günther Deschner
a0700dd275 netlogon.idl: netr_ServerPasswordGet returns NTSTATUS not WERROR.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:43 +01:00
Stefan Metzmacher
459d1d3fb9 s4:rpc_server/netlogon: fix bugs in dcesrv_netr_DsRGetDCNameEx2()
We should return the our ip address the client is connected too.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2015-01-26 11:55:07 +01:00
Andrew Bartlett
a3ecad4237 idl: Merge NETR_TRUST and LSA_TRUST definitions into one set only in lsa.idl
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-27 01:35:36 +02:00
Andrew Bartlett
470e5b8222 s4-netlogond: Give a better error if we do not have a flatname attribute
Change-Id: I3bc283b6fab4326131084d1abb89cb486af7b35a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Sep  1 02:58:46 CEST 2014 on sn-devel-104
2014-09-01 02:58:46 +02:00
Stefan Metzmacher
321ebc99b5 s4:rpc_server/netlogon: keep a global challenge table
Some clients call netr_ServerReqChallenge() and netr_ServerAuthenticate3()
on different connections. This works against Windows DCs as they
have a global challenge table.

A VMware provisioning task for Windows VMs seemy to rely on this behavior.

As a fallback we're storing the challenge in a global memcache with a fixed
size. This should allow these strange clients to work against a
Samba AD DC.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10723

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-07-19 10:25:05 +02:00
Andrew Bartlett
608d91e300 s4:rpc_server/netlogon: explicitly use dcerpc_binding_handle_set_sync_ev() for irpc
This indicates that we're using nested event loops...

Andrew Bartlett

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Change-Id: I4dcc7bf3c624612980e53b6119a60989fc2ea3b6
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-05-13 00:08:12 +02:00
Andrew Bartlett
a0de929009 dsdb: Put password lockout support in samdb_result_passwords()
This seems to be the best choke point to check for locked out
accounts, as aside from the KDC, all the password authentication and
change callers use it.

Andrew Bartlett

Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Stefan Metzmacher
25fb73f282 s4:rpc_server/netlogon: return a zero return_authenticator and rid on error
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-22 17:12:29 +01:00
Stefan Metzmacher
7d2abf520d s4:netlogon: implement "allow nt4 crypto" and "reject md5 clients" features.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan  7 16:53:31 CET 2014 on sn-devel-104
2014-01-07 16:53:31 +01:00
Stefan Metzmacher
2e36fbc77d s4:netlogon: don't generate a debug message for SEC_CHAN_NULL.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:18 +01:00
Stefan Metzmacher
3b77b804cd s4:netlogon: correctly calculate the negotiate_flags
We need to bit-wise AND the client and server flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:18 +01:00
Benjamin Franzke
68ebb09193 s4:dsdb: Move cldap netlogon functions into samdb/ldb_modules
As netlogon is handled by the samdb now,
the corresponding functions should live there as well.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-11-11 23:00:54 +01:00
Matthieu Patou
b67085de7f s4-netlogon: honnor DS_RETURN_DNS_NAME flag
Reviewed-By: Andrew Bartlett <abarlett@samba.org>
2013-08-06 21:21:52 -07:00
Matthieu Patou
927a1030d7 s4-netlogon: do not add \\ it has already be done in the fill_netlogon_samlogon_response
Reviewed-By: Andrew Bartlett <abarlett@samba.org>
2013-08-06 21:21:47 -07:00
Stefan Metzmacher
9d548318da s4:netlogon: make use of netlogon_creds_decrypt_samlogon_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-08-05 10:30:01 +02:00
Günther Deschner
d8461992db s4-rpc_server: use netlogon_creds_encrypt_samlogon().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Sun Dec 16 01:34:01 CET 2012 on sn-devel-104
2012-12-16 01:34:01 +01:00
Günther Deschner
71572632bd s4-rpc_server: support AES encryption in interactive and generic samlogon.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-09 19:39:08 +01:00
Günther Deschner
01e69703fb s4-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-09 19:39:07 +01:00
Jelmer Vernooij
90b1a94cb4 netlogon: Per MS-NRPC, don't send unknown workstation flags back to the
client.
2012-09-26 22:12:07 +02:00
Stefan Metzmacher
04d770adac s4:rpc_server/netlogon: add support for AES based netlogon schannel
metze

Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17 10:58:39 +02:00
Stefan Metzmacher
99231181e3 s4:rpc_server/netlogon: only return STRONG_KEYS if the client asked for it
metze

Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17 10:58:38 +02:00
Stefan Metzmacher
e48aabc006 s4:rpc_server/netlogon: implement netr_LogonGetCapabilities
This is also needed to support AES.

metze

Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17 10:58:38 +02:00
Andrew Bartlett
e7397eeaa2 s4-netlogond: Fix use of uninitialised value dns_name
The GET_CHECK_STR macro (now unrolled) did not initialise the trusts->array[n].dns_name
when the value was not set.  New tests for our trusted domains code create
domain trusts without a DNS domain name.  Found by the autobuild flakey build detector.

Andrew Bartlett
2012-02-27 07:36:05 +01:00
Matthias Dieter Wallnöfer
9a91d7f05a s4:netlogon RPC server - dcesrv_netr_DsRGetSiteName - add a small explaination
NETLOGON pipe is only thought for DCs.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-23 10:36:33 +01:00
Matthias Dieter Wallnöfer
521c708fe4 s4:netlogon RPC server - DsRGetDcNameEx - set the DNS name flags correctly
The rules are explained in MS-NRPC 2.2.1.2.1.

Patch inspired by Matthieu Patou.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-11-27 12:51:54 +01:00
Matthieu Patou
1770dafafd s4-netlogon: return WERR_NO_SUCH_DOMAIN instead of WERR_DS_UNAVAILABLE if we are unable to translate the domain to a dn
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-11-27 12:50:49 +01:00
Andrew Bartlett
5603dab647 libcli/auth: Provide a struct loadparm_context to schannel calls
This will allow us to pass this down to the tdb_wrap layer.

Andrew Bartlett
2011-10-13 14:06:07 +02:00
Andrew Tridgell
4afe426877 s4-ipv6: fill in pdc_ip in DsRGetDCNameEx2
this may be different from the CLDAP response, as it can be IPv6

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Jun  8 06:07:29 CEST 2011 on sn-devel-104
2011-06-08 06:07:29 +02:00
Andrew Bartlett
ea0ac9cdfc s4-auth Rename auth -> auth4 to avoid conflict with s3 auth 2011-05-08 10:56:26 +02:00
Andrew Tridgell
f0e7303023 s4-rpc: improved error mapping for several RPC server calls
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-04-04 10:30:30 +10:00
Matthias Dieter Wallnöfer
0b5719f5fc s4:netlogon RPC server - "LogonGetDomainInfo" - check for NULL attributes
This is needed to complete the transition from "samdb_msg_add_string" to
"ldb_msg_add_string".
And this patch yields better NTSTATUS error results than before
(INVALID_PARAMETER rather than OUT_OF_MEMORY).

Reviewed-by: Jelmer

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Tue Mar  1 14:42:15 CET 2011 on sn-devel-104
2011-03-01 14:42:15 +01:00
Jelmer Vernooij
59a077d8f5 Fix some types
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Feb 28 23:30:06 CET 2011 on sn-devel-104
2011-02-28 23:30:06 +01:00
Andrew Bartlett
a2ce53c1f5 s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc.  This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.

The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.

Andrew Barltett
2011-02-09 01:11:06 +01:00
Stefan Metzmacher
a4d4217dfa s4:rpc_server/netlogon: add dcesrv_netr_LogonSamLogon_check()
We need to check for invalid parameters before we check for
access denied.

metze
2011-02-02 11:58:26 +01:00
Stefan Metzmacher
578e87dbf2 s4:rpc_server/netlogon: set *r->out.authoritative = 1 even on INVALID_PARAMETER/INFO_CLASS
metze
2011-02-02 11:58:26 +01:00
Stefan Metzmacher
97727e1068 s4:rpc_server/netlogon: return INVALID_INFO_CLASS for invalid netr_Validation levels
metze
2011-02-02 11:58:26 +01:00
Matthias Dieter Wallnöfer
d0993e1278 s4:netlogon/LogonGetDomainInfo - handle a NULL "dns_hostname"
- Performs the short computer name check against the sam account name.
- Enhances the LogonGetDomainInfo testsuite which checks the NULL
  "dns_hostname" behaviour

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Nov 19 12:50:33 CET 2010 on sn-devel-104
2010-11-19 12:50:32 +01:00
Matthias Dieter Wallnöfer
229f3cc9e8 s4:netlogon RPC server - "LogonGetDomainInfo" - always check the LDB return codes
Plus some cosmetic indentation fixes

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 31 19:26:45 UTC 2010 on sn-devel-104
2010-10-31 19:26:45 +00:00
Matthias Dieter Wallnöfer
39d40892c6 s4:netlogon RPC server - point out that the "LogonGetDomainInfo" "servicePrincipalName" generation is still needed 2010-10-31 18:44:06 +00:00
Matthias Dieter Wallnöfer
7b3dbbde04 s4:dsdb - remove some calls of "samdb_msg_add_string" when we have talloc'ed strings
They can be substituted by "ldb_msg_add_string" if the string was already
talloc'ed.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 24 20:03:27 UTC 2010 on sn-devel-104
2010-10-24 20:03:27 +00:00
Stefan Metzmacher
821a20221d s4:rpc_server/netlogon: netr_ServerAuthenticate3 should return NO_TRUST_SAM_ACCOUNT
If we can't find the account we should return NT_STATUS_NO_TRUST_SAM_ACCOUNT
instead of NT_STATUS_ACCESS_DENIED.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Sat Oct 23 10:05:35 UTC 2010 on sn-devel-104
2010-10-23 10:05:35 +00:00
Stefan Metzmacher
f0879fc3b2 s4:rpc_server/netlogon: netr_ServerAuthenticate3 should reject invalid sec_channel_types early
metze
2010-10-23 11:02:43 +02:00
Stefan Metzmacher
c2696b2ec3 s4:rpc_server/netlogon: netr_ServerAuthenticate3 should check the challenge after the account
metze
2010-10-23 11:01:43 +02:00
Stefan Metzmacher
5ee49fc1c1 s4:rpc_server/netlogon: fix comment in netr_DsRGetDCName()
metze
2010-10-23 10:58:15 +02:00
Stefan Metzmacher
675c354b6b s4:rpc_server/netlogon: handle DC_RETURN_NETBIOS and DC_RETURN_DNS in netr_DsRGetDCNameEx2()
metze
2010-10-23 10:58:15 +02:00
Stefan Metzmacher
fcc2f6ba4a s4:rpc_server/netlogon: validate flags in netr_DsRGetDCNameEx2() and callers
Thanks to Tarun Chopra for the help of looking up all the bits in
the docs.

metze
2010-10-23 10:58:14 +02:00
Stefan Metzmacher
e297625d96 s4:rpc_server/netlogon: netr_GetDcName should return WERR_DCNOTFOUND for invalid names
Only netbios domain names are allowed.

metze
2010-10-23 10:58:14 +02:00
Matthias Dieter Wallnöfer
a3f61dea40 Revert "s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c""
This reverts commit 8a2ce5c47c.

Jelmer pointed out that these are also in use by other LDB databases - not only
SAMDB ones.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
2010-10-17 13:37:16 +00:00