1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-26 10:04:02 +03:00

48 Commits

Author SHA1 Message Date
Stefan Metzmacher
62d05a8108 nsswitch/libwbclient: explicitly mark all wbc* symbols as _PUBLIC_
Some private functions from wbclient_internal.h already
leaked into the ABI. With hide_symbols=True we make sure
this doesn't happen again.

Having wbcRequestResponse[Priv]() as part of the ABI helps us
in order to hide winbindd_[priv_]request_response() soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-30 15:53:34 +00:00
Ralph Boehme
c8f76bfd72 nsswitch: fill out wbcAuthUserInfo user_principal and dns_domain_name from info6
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:09 +01:00
Volker Lendecke
87c4432562 libwbclient: Fix two signed/unsigned hickups
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-18 00:09:16 +01:00
Volker Lendecke
a6f4e60306 libwbclient: Add "authoritative" to wbcAuthErrorInfo
smbd needs to react to "authoritative"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Stefan Metzmacher
2063692367 CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
We don't need to change the protocol version because:

1. An old client may provide the "initial_blob"
   (which was and is still ignored when going
   via the wbcCredentialCache() function)
   and the new winbindd won't use new_spnego.

2. A new client will just get a zero byte
   from an old winbindd. As it uses talloc_zero() to
   create struct winbindd_response.

3. Changing the version number would introduce problems
   with backports to older Samba versions.

New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:22 +02:00
Matthew Newton
063c56dba5 Add context versions of wbclient functions
To make the libwbclient library thread-safe, all functions
that call through to wb_common winbindd_request_response need
to have context that they can use. This commit adds all the
necessary functions.

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-10 00:50:10 +01:00
Stefan Metzmacher
f80f585d95 nsswitch: allow passing the domain name to wbcPingDC[2]()
winbindd already supports this.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:12 +01:00
Jeremy Allison
ca1e4af466 As David Woodhouse points out, this breaks backwards compatibility.
https://bugzilla.samba.org/show_bug.cgi?id=10692

Revert "libwbclient: reject unknown named blobs in wbcCredentialCache()"

This reverts commit 740d12d1e77d356ff22c3725dce8d5019c86a7a5.

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jul 14 21:54:08 CEST 2014 on sn-devel-104
2014-07-14 21:54:08 +02:00
Stefan Metzmacher
740d12d1e7 libwbclient: reject unknown named blobs in wbcCredentialCache()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10692

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 10 22:30:45 CEST 2014 on sn-devel-104
2014-07-10 22:30:45 +02:00
Stefan Metzmacher
6704799dec libwbclient: allow only one initial_blob/challenge_blob in wbcCredentialCache()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10692

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-07-10 20:04:13 +02:00
Jeremy Allison
f4d83872e0 s3: libwbclient: Don't break out of loop too soon - find all parameters.
Fix bug #10692: wbcCredentialCache fails if challenge_blob is not first

https://bugzilla.samba.org/show_bug.cgi?id=10692

Signed-off-by: Jeremy Allison <jra@samba.org>
2014-07-10 00:26:14 +02:00
Andreas Schneider
751b2b2d2a Remove uid_wrapper related code.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:05 +02:00
Christof Schmitt
1bc2f28b94 winbind: Extend wbcAuthenticateUserEx to provide PAC
With this new interface, external applications that have authenticated
to an ADS can pass the PAC from the Kerberos ticket to
wbcAuthenticateUserEx. winbindd decodes and extracts the info3
information for the external application. If winbindd can verify the PAC
signature, the info3 from the PACis also added to the netsamlogon_cache.

The info3 data can be used by the external application to get the uid
and primary gid. The data in netsamlogon_cache allows to retrieve the
complete group list through the NSS function getgrouplist.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-09-20 19:49:32 -07:00
Christof Schmitt
bdb1f23e1d libwbclient: Add wbcPingDc2
Add wbcPingDc2 that optionally returns the DC that was attempted to
ping. wbcPing is implemented as a wrapper around wbcPingDc2.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-15 11:44:42 +10:00
Andreas Schneider
8682c32c1a nsswitch: Disable uid_wrapper in libwbclient.
This way we don't have to link against it in the autoconf build.
2011-10-27 13:32:01 +02:00
Volker Lendecke
c58eb1f8c5 s3: Fix Coverity ID 2148, FORWARD_NULL
Further down we unconditionally reference *info
2011-03-16 22:07:23 +01:00
Volker Lendecke
87c67433c8 libwbclient: Correctly order the wbcAllocateMemory args
In these cases, it does not make a functional difference.

Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sat Nov 27 19:56:02 CET 2010 on sn-devel-104
2010-11-27 19:56:02 +01:00
Volker Lendecke
8de2c15df3 s3: auth.krb5ccname and auth.unix_username are both fstrings
There's no point in checking for != NULL
2010-09-10 10:52:18 -07:00
Volker Lendecke
03115efae8 libwbclient: Actually copy something in wbcChangeUserPasswordEx
The length argument for memcpy was initialized to 0 and not initialized
2010-04-23 23:41:04 +02:00
Volker Lendecke
7574347e68 libwbclient: Remove some pointless BAIL_ON_WBC_ERROR macro calls 2010-04-23 23:41:04 +02:00
Volker Lendecke
d582caa175 libwbclient: Make wbc_create_error_info not use talloc 2010-04-19 14:27:23 +02:00
Volker Lendecke
f4c8f5146c libwbclient: Make wbcCredentialCache not use talloc 2010-04-19 14:27:23 +02:00
Volker Lendecke
802876af3b libwbclient: Make wbcAuthenticateUserEx not use talloc 2010-04-19 14:27:23 +02:00
Volker Lendecke
406e55fafb libwbclient: Make wbc_create_logon_info not use talloc 2010-04-19 14:27:23 +02:00
Volker Lendecke
d36829c108 libwbclient: Make wbc_create_auth_info not use talloc 2010-04-19 14:27:22 +02:00
Volker Lendecke
1ecdff2bf8 libwbclient: Make wbc_create_password_policy_info not use talloc 2010-04-19 14:27:22 +02:00
Volker Lendecke
77c0b015c7 libwbclient: Make _SID_COMPOSE a function instead of a macro 2010-04-19 14:27:18 +02:00
Volker Lendecke
be813ff2d4 libwbclient: Re-Fix a bug that was fixed with e5741e27c4c
> r21878: Fix a bug with smbd serving a windows terminal server: If winbind
> decides smbd to be idle it might happen that smbd needs to do a winbind
> operation (for example sid2name) as non-root. This then fails to get the
> privileged pipe. When later on on the same connection another authentication
> request comes in, we try to do the CRAP auth via the non-privileged pipe.
>
> This adds a winbindd_priv_request_response() request that kills the existing
> winbind pipe connection if it's not privileged.

The fix for this was lost during the conversion to libwbclient.

Thanks to Ira Cooper <samba@ira.wakeful.net> for pointing this out!

Volker
2010-04-13 13:30:53 +02:00
Volker Lendecke
fcab3d64f4 libwbclient: Remove a pointless variable 2010-04-13 13:28:39 +02:00
Volker Lendecke
9b1f9da436 libwbclient: Streamline result processing of wbcCredentialCache() 2010-04-04 12:51:24 +02:00
Volker Lendecke
b198283f1f libwbclient: Fix a memleak in wbcCredentialCache 2010-04-04 12:51:24 +02:00
Kai Blin
b99d9f86e4 libwbclient: Separate out the async functions 2010-02-13 14:30:36 +01:00
Kai Blin
145f2c751b libwbclient: Implement wbcAuthenticateUserEx_send/recv 2010-02-11 23:56:35 +01:00
Volker Lendecke
e2ddda3289 libwbclient: wbc_create_logon_info is always called with mem_ctx==NULL 2010-02-07 12:29:24 +01:00
Volker Lendecke
2607dc5ee8 libwbclient: wbc_create_password_policy_info is always called with mem_ctx==NULL 2010-02-07 12:29:24 +01:00
Volker Lendecke
1b2aad29a8 libwbclient: wbc_create_error_info is always called with mem_ctx==NULL 2010-02-07 12:29:24 +01:00
Volker Lendecke
e879b50b32 libwbclient: Actually implement wbcCredentialCache() 2010-01-24 20:32:16 +01:00
Volker Lendecke
7d18d058a1 s3: Add wbinfo --ccache-save
With this command you can give winbind your password for later use by
the automatic ntlm_auth
2010-01-24 20:32:16 +01:00
Volker Lendecke
96b12e0d59 libwbclient: Use winbindd_free_response() 2010-01-24 14:52:33 +01:00
Volker Lendecke
9b6b01aab6 s3:winbind: Add a lower-cost alternative to wbinfo -t: wbinfo --ping-dc
This just does a NULL RPC call through an existing NETLOGON connection. If
someone knows an operation that "just works" and does not return NOT_SUPPORTED,
please tell me :-)
2009-12-21 23:23:52 +01:00
Günther Deschner
74948c979a libwbclient: add wbcChangeTrustCredentials.
Guenther
2009-10-13 12:42:44 +02:00
Günther Deschner
2df47b0a54 libwbclient: implement secure channel verification for specific domains in wbcCheckTrustCredentials().
Guenther
2009-10-07 11:18:03 +02:00
Günther Deschner
9264f48914 wbclient: Fix Bug #6680: always activate handling of large (> 256 byte) ntlmv2
blobs in wbcAuthenticateUserEx().

Guenther
2009-09-01 16:13:57 +02:00
Günther Deschner
e7e98ba480 libwbclient: fix returned LogonInfo in wbc_LogonUser().
That function could return emtpy blobs for username and ccache for e.g. cached
logins.

Guenther
2009-06-18 16:37:45 +02:00
Kai Blin
5e67aa92f6 libwbclient: Attempt to fix build on AIX 2009-06-04 22:32:50 +02:00
Kai Blin
29ee4f6a34 libwbclient: Silence a compiler warning 2009-05-30 09:17:37 +02:00
Volker Lendecke
0accf2cf0f Fix Coverity ID 626: DEADCODE 2009-04-23 11:08:59 +02:00
Kai Blin
6821d898d7 nsswitch: Move source3 files to top level dir.
Don't move source4 files yet to not confuse git's rename tracking too much.
2008-12-16 13:02:45 +01:00