1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

579 Commits

Author SHA1 Message Date
Volker Lendecke
a6f4e60306 libwbclient: Add "authoritative" to wbcAuthErrorInfo
smbd needs to react to "authoritative"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Volker Lendecke
f16e302376 winbind: Add "authoritative" to winbindd_response
This is a relevant piece of info in the samlogon response,
smbd and netlogond need to be able to react to it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Andreas Schneider
1df1d873c8 pam_winbind: Return if we do not have a domain
Found by covscan.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-02-23 03:18:10 +01:00
Chris Lamb
edcf56522c Correct "Controler" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Stefan Metzmacher
cfaa358208 nsswitch: remove unused TALLOC_* defines in pam_winbind.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-01-11 16:39:21 +01:00
Björn Jacke
e7ab2ad887 pam_winbind: Fix compiler warnings
Thanks to Stef Walter <stefw@gnome.org>

BUG: http://bugzilla.samba.org/show_bug.cgi?id=8888

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Fri Dec 16 16:22:32 CET 2016 on sn-devel-144
2016-12-16 16:22:32 +01:00
Björn Jacke
01c8631df5 pam: strip trailing whitespaces in pam_winbind.c
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Karolin Seeger <ks@sernet.de>

Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Tue Dec 13 18:01:21 CET 2016 on sn-devel-144
2016-12-13 18:01:21 +01:00
Björn Jacke
69f10080c3 pam: map more NT password errors to PAM errors
NT_STATUS_ACCOUNT_DISABLED,
NT_STATUS_PASSWORD_RESTRICTION,
NT_STATUS_PWD_HISTORY_CONFLICT,
NT_STATUS_PWD_TOO_RECENT,
NT_STATUS_PWD_TOO_SHORT

now map to PAM_AUTHTOK_ERR (Authentication token manipulation error), which is
the closest match.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2210

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed by: Jeremy Allison <jra@samba.org>
2016-12-13 14:12:06 +01:00
Andreas Schneider
08d1ac0e36 nss_wins: Fix errno values for HOST_NOT_FOUND
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 16 04:10:55 CET 2016 on sn-devel-144
2016-11-16 04:10:55 +01:00
Volker Lendecke
8f4e426f33 wbinfo: Use ntlmv2 by default for wbinfo -a
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-11-15 01:14:21 +01:00
Andreas Schneider
7f14776ba7 nsswitch: Use own credential cache for wbinfo tests
If we do not set it will add the credentials to the system default
credential cache, which is e.g. FILE:/tmp/krb5cc_1000.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-09-25 09:05:27 +02:00
Andreas Schneider
382345126c nsswitch: Also set h_errnop for nss_wins functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>

Autobuild-User(master): Jim McDonough <jmcd@samba.org>
Autobuild-Date(master): Tue Sep 20 20:16:43 CEST 2016 on sn-devel-144
2016-09-20 20:16:43 +02:00
Andreas Schneider
d8a5565ae6 waf: Explicitly link against libnss_wins.so
If we do not specify replace as a depencency here, it will not link to
libreplace using an rpath.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12277

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>

Autobuild-User(master): Jim McDonough <jmcd@samba.org>
Autobuild-Date(master): Tue Sep 20 08:00:08 CEST 2016 on sn-devel-144
2016-09-20 08:00:08 +02:00
Andreas Schneider
124ae4e861 nsswitch: Add missing arguments to wins gethostbyname*
The errno pointer argument is missing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>
2016-09-20 04:10:21 +02:00
Ralph Boehme
2a322a7671 selftest: test idmap backend id allocation for unknown SIDS
If an SID is is not found becaues the RID doesn't exist in a domain and
the domain is configured to use a non-allocating idmap backend like
idmap_ad or idmap_rfc2307, winbindd must not return a mapping for the
SID.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-06-28 07:27:18 +02:00
Andreas Schneider
539116e588 nsswitch: Fix memory leak in test_wbc_trusts()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
3c9f0815fb nsswitch: Fix memory leak in test_wbc_groups()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
e9fabe3a11 nsswitch: Fix memory leak in test_wbc_users()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
6a620adb25 nsswitch: Fix memory leak in test_wbc_domain_info()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
9b732c2448 nsswitch: Fix memory leak in test_wbc_pingdc2()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
4961362106 nsswitch: Fix memory leak in test_wbc_get_sidaliases()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
2ae40865be nsswitch: Fix memory leak in test_wbc_pingdc()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
f479a1f896 nsswitch: Fix wbclient torture_assert_wbc_ok_goto_fail macro
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Tom Mortensen
0b1f4db325 nss_wins: Fix the hostent setup
This can never have been tested....

Signed-off-by: Tom Mortensen <tomm@lime-technology.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-04-22 07:20:17 +02:00
Tom Mortensen
d3569ca271 nss_wins: ip_pton expects the raw IP address
Signed-off-by: Tom Mortensen <tomm@lime-technology.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-04-22 07:20:17 +02:00
Stefan Metzmacher
2063692367 CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
We don't need to change the protocol version because:

1. An old client may provide the "initial_blob"
   (which was and is still ignored when going
   via the wbcCredentialCache() function)
   and the new winbindd won't use new_spnego.

2. A new client will just get a zero byte
   from an old winbindd. As it uses talloc_zero() to
   create struct winbindd_response.

3. Changing the version number would introduce problems
   with backports to older Samba versions.

New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:22 +02:00
Volker Lendecke
4f65fa9c7b pam_winbind: Avoid a use of sprintf
pam_winbind depends on talloc, which depends on libreplace, so we have asprintf
available.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-31 20:30:11 +02:00
Andreas Schneider
94464ed82c pam_winbind: Create and use a wbclient context
PAM sessions are long running. If we create a pam session a connection
to winbind is established and only closed by the destructor of the
libwbclient library. If we create a wbcContext, we will free it in the
end of the PAM function being called and the socket will be closed. This
decreases the amount of allocated 'winbindd_cli_state' structures in
winbind for every logged in user.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 25 17:45:24 CET 2016 on sn-devel-144
2016-03-25 17:45:24 +01:00
Andreas Schneider
4c139e23e9 pam_winbind: Use the correct type to check the pam_parse() return code
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-03-25 14:18:22 +01:00
Jeremy Allison
bac35a178f nsswitch: winbind_nss_solaris.c: Remove unused macro containing strcpy.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Mar 22 07:59:35 CET 2016 on sn-devel-144
2016-03-22 07:59:35 +01:00
Jeremy Allison
a8ab1bfb7b nsswitch: winbind_nss_aix: Remove all uses of strcpy.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2016-03-22 04:38:24 +01:00
Jeremy Allison
7e435d3cce nsswitch: linux: Remove use of strcpy().
The previous use was safe, but having *any* use of strcpy inside
our code sets off security flags. Replace with an explicit length
calculation and memcpy.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2016-03-22 04:38:24 +01:00
Herwin Weststrate
0b500d413c Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth
An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which has been discussed in 2012, but was never implemented).

It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.

It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).

After the basic step has been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).

  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
  Logon failure (0xc000006d)
  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
  NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694
Signed-off-by: Herwin Weststrate <herwin@quarantainenet.nl>
Reviewed-by: Kai Blin <kai@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-11 22:58:18 +01:00
Volker Lendecke
f6f43c496e winbind: Remove unused WINBINDD_UID_TO_SID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Feb 22 23:39:13 CET 2016 on sn-devel-144
2016-02-22 23:39:12 +01:00
Volker Lendecke
07b134407c nss_aix: Hack away WINBINDD_UID_TO_SID
To do a proper xids2sids conversion I need a build environment.

Everyone who needs this and can build AIX please speak up!

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
f387124a04 winbind: Remove unused WINBINDD_GID_TO_SID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
148452b446 libwbclient: Use wbcCtxUnixIdsToSids in wbcCtxGidToSid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
1e4e215f2f libwbclient: Use wbcCtxUnixIdsToSids in wbcCtxUidToSid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
ec94aa543b winbind: Remove unused WINBINDD_SID_TO_GID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
112998fffa winbind: Remove unused WINBINDD_SID_TO_UID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
122b1a3650 libwbclient: Use wbcCtxSidsToUnixIds in wbcCtxSidToGid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
fbbe017820 libwbclient: Use wbcCtxSidsToUnixIds in wbcCtxSidToUid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
182149e937 wbinfo: Add --unix-ids-to-sids
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
171931cf7d libwbclient: Implement wbc[Ctx]UnixIdsToSids
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
5cd5ce70a1 winbind: Expose WINBINDD_XIDS_TO_SIDS externally
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
dcf6a606cf nss_netbsd: Remove unimplemented prototypes
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 11 04:43:53 CET 2016 on sn-devel-144
2016-02-11 04:43:53 +01:00
Volker Lendecke
dfe51390a0 nss_linux: Remove non-nss functions
These functions were meant as a standard interface before libwbclient was
developed.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-02-11 01:32:23 +01:00
Volker Lendecke
89565775a4 libwbclient: Fix a few resource leak CIDs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-02-04 09:29:17 +01:00
Volker Lendecke
3d5873c848 libwbclient: Add "goto fail" test macros
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-02-04 09:29:17 +01:00
Michael Adam
490a27b69b pam_winbind: check != PAM_SUCCESS and != NULL explicitly
...instead of using "if (ret)" or similar.
This is just a code cleanup, no changes in behaviour.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-01-13 10:57:09 +01:00