1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

92507 Commits

Author SHA1 Message Date
Stefan Metzmacher
3f41b58384 s3:rpc_client: remove unused rpccli_netlogon_sam_network_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:16 +01:00
Stefan Metzmacher
e4fea80693 s3:rpc_client: remove unused rpccli_netlogon_sam_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:16 +01:00
Stefan Metzmacher
a4faf57b47 s3:rpc_client: remove unused rpccli_netlogon_setup_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:15 +01:00
Stefan Metzmacher
6d457ad9c1 s3:rpc_client: remove unused rpccli_netlogon_set_trust_password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:15 +01:00
Stefan Metzmacher
660150b12a s3:rpc_client: make cli_rpc_pipe_open_schannel() more flexible
It expects a messaging_context now
and returns a netlogon_creds_cli_context.

This way we can finally avoid having a rpc_pipe_client->netlogon_creds.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:15 +01:00
Stefan Metzmacher
a34c837fdb s3:winbindd: make use of rpccli_netlogon_network_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:15 +01:00
Stefan Metzmacher
c6bb47f2f1 s3:rpcclient: make use of rpccli_netlogon_password_logon() in the 'samlogon' cmd
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:14 +01:00
Stefan Metzmacher
4c99e49898 s3:rpcclient: remove optional auth_level parameter of the 'samlogon' cmd
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:14 +01:00
Garming Sam
a012e2fdd6 s3:rpcclient: give errors and clean up correctly after failing to obtain secret
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:14 +01:00
Stefan Metzmacher
5107ca02a4 s3:rpcclient: make use of rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:14 +01:00
Stefan Metzmacher
77defb175e s3:libnet: pass in struct netlogon_creds_cli_context from the caller.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:13 +01:00
Stefan Metzmacher
a8ecebe3e8 s3:libsmb: remove unused trust_pw_find_change_and_store_it()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:13 +01:00
Stefan Metzmacher
3c30e19c4a s3:winbindd: make use of trust_pw_change() in _wbint_ChangeMachineAccount()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:13 +01:00
Stefan Metzmacher
57741dd4ba s3:winbindd: make use of trust_pw_change() for periodic password changes
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:13 +01:00
Stefan Metzmacher
dbd49d90bb s3:winbindd: use invalidate_cm_connection() to kill the netlogon connection
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:12 +01:00
Stefan Metzmacher
cfd139347c s3:net_rpc: make use of trust_pw_change()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:12 +01:00
Stefan Metzmacher
a9281e6570 s3:rpcclient: make use of trust_pw_change()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:12 +01:00
Stefan Metzmacher
16c6e4992f s3:libsmb: add trust_pw_change()
This protects the password change using a domain specific g_lock,
so multiple parts 'net rpc', 'rpcclient', 'winbindd', 'wbinfo --change-secret'
even on multiple cluster nodes doesn't race anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:12 +01:00
Stefan Metzmacher
d1340c20b0 s3:net_rpc: add net_context->netlogon_creds
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:11 +01:00
Stefan Metzmacher
3bf77812e8 s3:rpcclient: make use of rpcclient_netlogon_creds instead of cli->netlogon_creds
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:11 +01:00
Stefan Metzmacher
fb13b002d5 s3:rpcclient: remove unused rpccli_netlogon_setup_creds() from cmd_netlogon_database_redo()
rpccli_netlogon_setup_creds() is already called in the main do_cmd()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:11 +01:00
Stefan Metzmacher
1696b127c6 s3:rpcclient: add rpcclient_netlogon_creds
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:11 +01:00
Stefan Metzmacher
a1c468e1d7 s3:rpcclient: add rpcclient_msg_ctx
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:10 +01:00
Stefan Metzmacher
94caf7e190 s3:rpc_client: use rpccli_{create,setup}_netlogon_creds() in cli_rpc_pipe_open_schannel()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:10 +01:00
Stefan Metzmacher
3a89eee03a s3:libnet: use rpccli_{create,setup}_netlogon_creds() in libnet_join_joindomain_rpc_unsecure
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:10 +01:00
Stefan Metzmacher
963800539c s3:libnet_join: make use of rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:10 +01:00
Stefan Metzmacher
531bbf3aff s3:auth_domain: make use of rpccli_netlogon_network_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:09 +01:00
Stefan Metzmacher
34e66780e5 s3:auth_domain: make use of rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:09 +01:00
Stefan Metzmacher
d9d55f5406 s3:auth_domain: simplify connect_to_domain_password_server()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:09 +01:00
Stefan Metzmacher
22e4e2c1d1 s3:winbindd: make use of rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:09 +01:00
Stefan Metzmacher
07126b6fb2 s3:winbindd: call rpccli_pre_open_netlogon_creds() in the parent
This opens the CLEAR_IF_FIRST tdb in the long living parent.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:08 +01:00
Stefan Metzmacher
b7dc3fb204 s3:rpc_client: add rpccli_netlogon_password_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:08 +01:00
Stefan Metzmacher
5196493c9e s3:rpc_client: add rpccli_netlogon_network_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:08 +01:00
Stefan Metzmacher
a07cc9a1c6 s3:rpc_client: remove unused rpccli_netlogon_sam_network_logon_ex()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:08 +01:00
Stefan Metzmacher
3c025af657 s3:rpc_client: add rpccli_pre_open_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:07 +01:00
Stefan Metzmacher
14ceb7b501 s3:rpc_client: add rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:07 +01:00
Stefan Metzmacher
5adfc5f9f7 s3:rpc_client: use netlogon_creds_cli_auth_level() in cli_rpc_pipe_open_schannel_with_key()
This means the auth level is now based on the "winbindd sealed pipes" option,
defaulting to "yes" and DCERPC_AUTH_LEVEL_PRIVACY.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:07 +01:00
Stefan Metzmacher
38d4dba374 s3:rpc_client: make use of the new netlogon_creds_cli_context
This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
and lets the secure channel session state be stored in node local database.

This is the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:06 +01:00
Stefan Metzmacher
11aed7cd3d docs-xml: update 'winbind sealed pipes' description
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:06 +01:00
Stefan Metzmacher
225982e1cb s3:winbindd: make use of the "winbind sealed pipes" option for all connections
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:06 +01:00
Stefan Metzmacher
1d69fdddd5 docs-xml: explain the interaction of 'client schannel' with 'require strong key = yes'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:06 +01:00
Stefan Metzmacher
f703a37a56 docs-xml: explain the interaction between security = ads and other options.
It implies 'require strong key = yes' and 'client schannel = yes'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:05 +01:00
Stefan Metzmacher
fa3af7c2e8 libcli/auth: make use of real options in netlogon_creds_cli_context_global()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:05 +01:00
Stefan Metzmacher
e7954bcc04 s3:param: set Globals.bRequireStrongKey = true
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:05 +01:00
Stefan Metzmacher
6630c68cce lib/param: add "require strong key" option, defaulting to true
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:05 +01:00
Stefan Metzmacher
de4f8f0825 lib/param: add "reject md5 servers" option, defaulting to false
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:04 +01:00
Stefan Metzmacher
b39ca3a2ae lib/param: add "neutralize nt4 emulation" option, defaulting to false
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:04 +01:00
Stefan Metzmacher
99d8653d83 s3:param: set Globals.bWinbindSealedPipes = true
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:04 +01:00
Stefan Metzmacher
dc96b1ddcc libcli/auth: use unique key_name values in netlogon_creds_cli_context_common()
Until all callers are fixed to pass the same 'server_computer'
value, we try to calculate a server_netbios_name and use this
as unique identifier for a specific domain controller.

Otherwise winbind would use 'hostname.example.com'
while 'net rpc testjoin' would use 'HOSTNAME',
which leads to 2 records in netlogon_creds_cli.tdb
for the same domain controller.

Once all callers are fixed we can think about reverting this
commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:04 +01:00
Stefan Metzmacher
6e6d9f9f12 libcli/auth: add netlogon_creds_cli* infrastructure
This provides an abstraction to hide netlogon_creds_CredentialState,
which is stored in a node local tdb.

Where the global state (netlogon_creds_CredentialState) between client and
server was only kept in memory (on the client side), we now use
the abstracted netlogon_creds_cli_context.

We now use a node specific computer name in order to establish
individual netlogon sessions per node.

If the caller wants to use some netlogon calls with credential chain
(struct netr_Authenticator), netlogon_creds_cli_lock*() is used
to get the current netlogon_creds_CredentialState in a g_lock'ed
fashion, a talloc_free() will release the lock.

The locking is needed as there might be more than one process
(multiple winbindd child, cmdline tools) which want to talk
to a specific domain controller. The usage of netlogon_creds_CredentialState
needs to be serialized as it uses sequence numbers.

LogonSamLogonEx doesn't use the credential chain, but for some operations
it needs the global session in order to de/encrypt individual fields.
It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate()
functions, which just make sure the session hasn't changed between
get and validate.

This is prepares the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:03 +01:00