IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
If cm_get_ipc_credentials() returned anonymous creds and signing is required
we were returning the result of cm_get_ipc_credentials() instead of
the original error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12588
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
There're no callers which try to pass a raw lm_response directly anymore.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec 9 13:09:37 CET 2016 on sn-devel-144
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Nov 15 14:51:02 CET 2016 on sn-devel-144
There're no callers which tried to pass raw {lm,nt}_response any more.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Set socket options from smb.conf before negprot, as done by libsmbclient
Signed-off-by: Jim McDonough <jmcd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
If the kinit results in NT_STATUS_NO_LOGON_SERVERS, we should fallback,
if allowed.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
As an AC Domain Controller we should try CLDAP for active directory domains.
E.g. FreeIPA domains doesn't provide NBT at all...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Jan 5 19:23:40 CET 2015 on sn-devel-104
This way we pass down enough information for SEC_CHAN_DNS_DOMAIN to work.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If we're a member or RWDC there's no need to require talking to a rwdc,
an rodc will forward the request if required.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We need to call init_dc_connection_rpc() before we can decide if we want to try
NCACN_IP_TCP.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This trust account is usable for SMB authentication via kerberos,
so we should try that if we think the domain is active directory.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We should not crash with machine_password==NULL.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Change-Id: I7333140906bb3a487205b5760396dcc00a9f49b0
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: Ia6b33a25628ae08be8a8c6baeb71ce390315cb45
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This relies on a two-way trust, which we may not have, but is the only
secure way to do this. To do this correctly we need to split NETLOGON
from normal authentication, as we need to use the machine account for
the SMB level, but the inter-domain trust account for the NETLOGON
level.
Change-Id: Ib93eb6a4d704ef26df8234be7cb71c47ad519c8a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Later we can pass this down directly and have a much more sane
handling of credentials and the spnego handshake.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Change-Id: If12ef0b105d8c7af60190d4eed3c8c07849da2ca
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This is very helpful in the trusted domain situation, as we may not
have a two-way trust but we can use our domain trust account to set up
a connection to NETLOGON
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct 8 12:48:15 CEST 2014 on sn-devel-104
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct 8 03:36:52 CEST 2014 on sn-devel-104
This allows us to pass this value in directly from the cli_credentials
structure in winbindd.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This allows SMB signing to work against many more DCs, and so improves network security.
The default for "client max protocol" remains NT1 in the rest of the code.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This places less trust in our primary DC or trusted domain DC and refuses to update info that is conflicting
This does not currently reject the connection to the DC, but only ensures it can only update missing information or to correct the case of the domain.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Oct 6 17:21:03 CEST 2014 on sn-devel-104
It is only used in winbindd_cm.c
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Oct 4 02:34:49 CEST 2014 on sn-devel-104
The requirement is that we have "winbind sealed pipes = false" and
"require strong key = false" before we make anonymous connections.
These are a security risk as we cannot prevent MITM attacks.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This makes it much harder to impersonate the DC, but allows this to be
turned off or returned to IF_REQUIRED with a simple change to the
'client signing' smb.conf parameter.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Sep 28 06:25:55 CEST 2014 on sn-devel-104
There are places in the code where we're not checking that alt_name is NULL
and then calling into the DC lookup code with a NULL name request. This can
happen in offline mode.
Fixes bug #10717 - Winbind crash on losing VPN connection
https://bugzilla.samba.org/show_bug.cgi?id=10717
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Sep 15 23:29:00 CEST 2014 on sn-devel-104
This means we call this code, and mark trusted domains as active directory, when we are an AD DC.
Otherwise, in the previous case we would not have domain->active_directory set, and would fail on
connection_ok() due to not having a full connection to our internal DC
Change-Id: I7ccee569d69d6c5466334540db8920e57aafa991
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This allows us to operate against the local cache where possible, but
to forward some operations to the read-write DC.
Andrew Bartlett
Change-Id: Idc78ae379a402969381758919fcede17568f094e
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
This allows the AD DC to be picked up correctly and gives the correct DNS name.
To ensure no confusion, we also always init it with the full DNS name.
It also means that, aside from the BUILTIN domain the initialized
flag is set only in one place, which will help when we add more details
to the domain structure in the future.
This in turn allows kerberos authentication against winbindd on the AD DC.
Andrew Bartlett
Change-Id: Idc829cfe5f2e867c87107b49275b17f294821dcd
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
