IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
A LOOKUPNAME request with a domain and a name containing a winbind
separator character would return the result for the joined domain,
instead of the specified domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Apr 6 21:03:31 CEST 2018 on sn-devel-144
This demonstrates that wbinfo -n / --name-to-sid returns information
instead of failing the request. More specifically the query for
INVALIDDOMAIN//user returns the user SID for the joined domain, instead
of failing the request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Samba selftest uses the forward slash as winbind separator and in the
USERNAME passed to the test. "net sam rights" expect the backslash. Map
the separator used in selftest to a backslash to avoid creating an
incorrect username DOMAIN\DOMAIN/USERNAME.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
adds libtracker-sparql version 2.0 to configure check with pkg-config.
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This is required because we need a new pointer for LDB after the fork,
and with LMDB we can not longer rely on tdb_reopen_all() to do that
for us.
This can not be done in reinit_after_fork() due to the dependency loop
this would create.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In wscript_build, the lib name in deps list may have postfix for Python
3. Instead of hard coding the base name directly, need to load correct
name for each Python version with `bld.pyembed_libname`.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Commit ad8c7171ba accidently
moved sec_init() to the point after sec_initial_uid() is
called in the call to directory_create_or_exist_strict().
I missed this in the review (sorry). This works as root
as initial_uid/initial_gid are static (and so initialized
as zero) but doesn't work on ChromeOS as this code isn't
running as root.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13368
Signed-off-by: Lutz Justen <ljusten@google.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 4 23:52:02 CEST 2018 on sn-devel-144
Not really performance critical, but I think it's worth establishing sample
code to use more stack variables than going out to talloc.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
bison generates an C89 files which does some weired things.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13345
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 3 20:18:58 CEST 2018 on sn-devel-144
We have existing utility functions to prepare a socket.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13343
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13363
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 30 03:51:48 CEST 2018 on sn-devel-144
get_sorted_dc_list should already take care, but this way it's safer
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 29 03:45:00 CEST 2018 on sn-devel-144
Two changes: First, we can't check multiplication overflow after the
operation. This has to be done before with a division. Second, there
is no OFF_T_MAX, and both operands are size_t, so check for
SIZE_MAX. The result is assigned to off_t, but I'm not sure where the
automatic coercion from size_t to off_t would happen.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Not really a memleak due to the passed-in talloc ctx, but this way it's cleaner
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This part of the protocol is not changed by being an AD DC.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
These are slower tests that do not need to be run against the ad_dc configuration
in particular.
This saves time in the ad_dc job which needs to stay under 50mins to
pass on travis-ci (and faster tests are better for everyone anyway).
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This avoids these running in the ad_dc environment which we need to get under 50mins for
travis-ci.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This aims to keep the ad_dc tests well below 50mins for travis CI and
base.delaywrite is very slow.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This is a slow test and we need to keep the time on ad_dc down to below 50mins total
for travis-ci.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
The other allocator for this structure uses talloc_zero()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Mar 24 07:21:37 CET 2018 on sn-devel-144
This is very, very unlikely but possible as in the AD case the RPC server is in
another process that may eventually be able to restart.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This domain is very close, in AD DC configurations over a internal ncacn_np pipe
and otherwise in the same process via C linking. It is however very expensive
to re-create the binding handle per SID->name lookup, so keep a cache.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13350
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 23 01:59:08 CET 2018 on sn-devel-144
A SMB session reauth will have invalidated conn->vuid via
conn_clear_vuid_caches().
Ensure conn->vuid always has the vuid of the current user in
check_user_ok().
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13351
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar 22 18:26:04 CET 2018 on sn-devel-144
This fixes compilation with -Wstrict-overflow=2
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 21 04:25:39 CET 2018 on sn-devel-144
The call to full_path_tos() might allocate memory which needs to be free'd
once processign is done.
Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Mar 20 01:29:40 CET 2018 on sn-devel-144
The samlogon_cache is only used to get group memberships of the account
without asking the dc.
But for authentication we always ask the dc.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This makes the Builtin_Guests handling more dynamic,
by having a persistent storage for the memberships.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
These tests require a fs with xattr support. This allows adding
xattr_tdb to all other shares in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Not yet used, will be used to tidyup existing code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This makes the test independent from the developers environment.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 16 07:48:37 CET 2018 on sn-devel-144
smbd_smb2_flush_recv() expects nterror in tevent_req, and otherwise
aborts in tevent_req_is_nterror()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13338
Signed-off-by: Anton Nefedov <anton.nefedov@virtuozzo.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
It's important to have them separated from make_{server,session}_info_guest(),
because there's a fundamental difference between anonymous (the client requested
no authentication) and guest (the server lies about the authentication failure).
When it's really an anonymous connection, we should reflect that in the
resulting session info.
This should fix a problem where Windows 10 tries to join
a Samba hosted NT4 domain and has SMB2/3 enabled.
We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST
for true anonymous connections.
The commit message from a few commit before shows the resulting
auth_session_info change.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144
For unauthenticated connections we should default to a
session info with an anonymous nt token.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We only need to adjust sanitized_username in order to keep the same behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
These functions make it possible to construct a full auth_session_info
from the information available from an auth_user_info_dc structure.
This has all the logic from create_local_token() that is used
to transform a auth_serversupplied_info to a full auth_session_info.
In order to workarround the restriction that auth_user_info_dc
doesn't contain hints for the unix token/name, we use
the special S-1-5-88 (Unix_NFS) sids:
- S-1-5-88-1-Y gives the uid=Y
- S-1-5-88-2-Y gives the gid=Y
- S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_*
The currently implemented flags are:
- AUTH3_UNIX_HINT_QUALIFIED_NAME
unix_name = DOMAIN+ACCOUNT
- AUTH3_UNIX_HINT_ISLOLATED_NAME
unix_name = ACCOUNT
- AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS
Don't translate the nt token SIDS into uid/gids
using sid mapping.
- AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS
Don't translate the unix token uid/gids to S-1-22-X-Y SIDS
- AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS
The unix token won't get expanded gid values
from getgroups_unix_user()
By using the hints it is possible to keep the current logic
where an authentication backend provides uid/gid values and
the unix name.
Note the S-1-5-88-* SIDS never appear in the final security_token.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We should add Builtin_Guests depending on the current token
not based on 'is_guest'. Even authenticated users can be member
a guest related group and therefore get Builtin_Guests.
Sadly we still need to use 'is_guest' within create_local_nt_token()
as we only have S-1-22-* SIDs there and still need to
add Builtin_Guests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We should not crash if we're called with NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
finalize_local_nt_token() will be used in another place,
were we don't want to add local groups in a following commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
The primary gid might not be in the gid array.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar 15 20:57:44 CET 2018 on sn-devel-144
This catches more errors and triggers retry as appropriate.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
The calls were missing the negation operator, a retry should be
attempted is the binding handle got somehow disconnected behind the
scenes and is NOT connected.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
To consolidate the error handling for RPC calls, add the binding handle
as an additional argument to reset_cm_connection_on_error().
All callers pass NULL for now, so no change in behaviour up to here.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
NT_STATUS_RPC_SEC_PKG_ERROR is returned by the server if the server
doesn't know the server-side netlogon credentials anymore, eg after a
reboot. If this happens we must force a full netlogon reauth.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This ensures we use the same disconnect logic in the reconnect backend,
which calls reconnect_need_retry(), and in the dual_srv frontend which
calls reset_cm_connection_on_error.
Both reset_cm_connection_on_error() and reconnect_need_retry() are very
similar, both return a bool indicating whether a retry should be
attempted, unfortunately the functions have a different default return,
so I don't dare unifying them, but instead just call one from the other.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
reconnect_need_retry() already checks for this error, it surfaces up
from tstream_smbXcli_np as a mapping for EIO.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
ldap_reconnect_need_retry() is a copy of reconnect_need_retry() minus
the RPC connection invalidation.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Right now I don't see a way to actually force a re-serverauth
from the client side as long as an entry in netlogon_creds_cli.tdb
exists. cm_connect_netlogon goes through invalidate_cm_connection, and
this wipes our wish to force a reauthenticatoin. Keep this intact until
we actually did reauthenticate.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is a pure testing utility that will garble the netlogon_creds_cli
session_key. This creates a similar effect to our schannel credentials
as does a domain controller reboot.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 13 16:06:10 CET 2018 on sn-devel-144
Minor cleanup reducing the max indentation level and max column length.
Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Ensures they don't get stored in the underlying ACL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar 8 04:09:38 CET 2018 on sn-devel-144
This will allow us to modify it in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Modify default behaviour of 'net ads keytab create'
The change modifies the behaviour of 'net ads keytab create' such
that only the keytab file is modified. The current behaviour doesn't
make sense, existing SPN(s) pulled from the computer AD object have
the format 'serviceclass/host:port/servicename'.
'ads_keytab_create_default' calls ads_keytab_add_entry passing
'serviceclass' for each SPN retrieved from the AD. For each
serviceclass passed in a new pair of SPN(s) is generated as follows
i) long form 'param/full_qualified_dns'
ii) short form 'param/netbios_name'
This doesn't make sense as we are creating a new SPN(s) from an existing
one probably replacing the existing host with the 'client' machine.
If the keytab file exists then additionally each kerberos principal in the
keytab file is parsed to strip out the primary, then 'ads_keytab_add_entry'
is called which then tries by default to generate a SPN from any primary
that doesn't end in '$'. By default those SPNs are then added to the AD
computer account for the client running the command.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This change modifies the behaviour of 'net ads keytab add' such
that only the keytab file is modified.
A new command 'net ads keytab add_update_ads' has been added that
preserves the legacy behaviour which can update the AD computer
object with Winows SPN(s) as appropriate. Alternatively the new
command 'net ads setspn add' can be used to manually add the
windows SPN(s) that previously would have been added.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
'net ads keytab add' currently in addition to adding to the
keytab file this command also can update AD computer objects
via ldap. This behaviour isn't very intuitive or expected given
the command name. By default we shouldn't write to the ADS.
Prepare to change the default behaviour by modifying the function
'ads_keytab_add_entry' to take a paramater to modify the existing
behaviour to optionally update the AD (or not).
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This patch addresses how the windows SPN is written to the AD.
If a legacy service (e.g. cifs, http etc.) is passed as param to
'net ads keytab add param' then windows SPNs are generated from
'param' as follows
i) long form 'param/full_qualified_dns'
ii) short form 'param/netbios_name'
If the SPN is a is a Windows SPN (e.g. conforming to format
'serviceclass/host:port') then this is the SPN that is passed to
the AD.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This patch addresses how the windows SPN is converted into a kerberos
priniciple to be written to the keytab file. A followup patch will
deal with writing Window SPN(s) to the AD.
Before this change 'net ads keytab add' handled three scenarios
a) 'net ads keytab add param' is passed a fully qualified kerberos principal
(identified by the presence of '@' in param) In this scenario the keytab
file alone is updated with the principal contained in 'param'.
b) 'net ads keytab add param'; is passed a machine name (identified by
the paramater ending with '$'). In this case the machine name
is converted to a kerberos principal with according to the recipe
'param@realm' where realm is determined by lp_realm().
c) 'net ads keytab add param' is passed a service (e.g. nfs, http etc.)
In this scenario the param containing the service is first converted to
into 2 kerberos principals (long and short forms) according to the
following recipe
i) long form: 'param/fully_qualified_dns@realm'
ii) short form: 'param/netbios_name@realm'
where 'fully_qualified_dns is retrieved from 'dNSHostName' attribute of
'this' machines computer account on the AD.
The principals are written to the keytab file
Secondly 2 windows SPNs are generated from 'param' as follows
i) long form 'param/full_qualified_dns'
ii) short form 'param/netbios_name'
These SPNs are written to the AD computer account object
After this change a) & b) & c) will retain legacy behaviour except
in the case of c) where if the 'param' passed to c) is a Windows SPN
(e.g. conforming to format 'serviceclass/host:port'
i) 'param' will get converted to a kerberos principal (just a single one)
with the following recipe: 'serviceclass/host@realm' which will
be written to the keytab file. The SPN written to the AD is created
as before and the legacy behaviour is preserved.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This patch adds 'delete' to the 'net ads setspn' subcommand
(see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)
Usage:
net ads setspn delete <computer> <SPN>
Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This patch adds 'add' to the 'net ads setspn' subcommand
(see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)
Usage:
net ads setspn add <computer> <SPN>
Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This patch adds basic functionality not unlike the setspn.exe
command that is provided by windows for adminsistering SPN on
the AD. (see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)
Only the basic list operation (that corresponds to the -l
switch for setspn.exe is implemented)
Usage:
net ads setspn list <computer>
Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Previously the function 'ads_add_service_principal_name' created
the SPNs based on the machine_name and dns name passed to the function.
In order to prepare for a future patch that will also need to write
SPN(s) to the AD computer account, the function implementation will
need to be changed. Instead of the function creating the SPN(s) it
will now take the list SPN(s) to write to the AD 'machine_name' account
as an input param instead.
The name of the function has been changed to
'ads_add_service_principal_names' to reflect this. Additionally client
code now needs to construct the SPNs to be passed into the function.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Function 'ads_get_samaccountname()' basically returns the machine_name passed
as an input param (appended with '$') if it exists on the ad. The function
really is testing for the existence of the samaccountname and is not really
'getting' it. This is also the way it is used. Renaming this function to
'ads_has_samaccountname()' better reflects what it is actually doing and how
clients calling the code use it. It also makes the client code using calling
this function less confusing.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Both ads_get_dnshostname() & ads_get_samaccountname() are passed
a param machinename as a argument. Instead of using 'machinename' these
functions are erroneously using lp_netbiosname() instead.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This should the following segfault with SMB1:
#6 sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94
#7 <signal handler called>
#8 smbXsrv_session_create (conn=conn@entry=0x5654d3512af0, now=now@entry=131594481900356690, _session=_session@entry=0x7ffc93a778e8)
at ../source3/smbd/smbXsrv_session.c:1212
#9 0x00007f7618aa21ef in reply_sesssetup_and_X (req=req@entry=0x5654d35174b0) at ../source3/smbd/sesssetup.c:961
#10 0x00007f7618ae17b0 in switch_message (type=<optimized out>, req=req@entry=0x5654d35174b0) at ../source3/smbd/process.c:1726
#11 0x00007f7618ae3550 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=140, inbuf=0x0, xconn=0x5654d35146d0)
at ../source3/smbd/process.c:1762
#12 process_smb (xconn=xconn@entry=0x5654d3512af0, inbuf=<optimized out>, nread=140, unread_bytes=0, seqnum=0, encrypted=<optimized out>,
deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2008
#13 0x00007f7618ae4c41 in smbd_server_connection_read_handler (xconn=0x5654d3512af0, fd=40) at ../source3/smbd/process.c:2608
#14 0x00007f761587eedb in epoll_event_loop_once () from /lib64/libtevent.so.0
Inspection the core shows that:
conn->client-session_table is NULL
conn->protocol is PROTOCOL_NONE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13315
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
When the connection protocol is SMB2 the tid from the smb1 member is
used instead of smb2 in cli_state_set_tid which often results in a null
deref.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13310
Signed-off-by: Dan Robertson <drobertson@tripwire.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
If the child dies at the wrong moment, we get an error in the "req" itself.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar 1 14:48:19 CET 2018 on sn-devel-144
Fix a bug when a child dies when a request is pending in the child. If the
signal handler fires before epoll finds out the other end of the parent-child
socket is closed, we close the socket on our side without taking care of the
pending request. This causes two problems: First, that one pending request
never is replied to properly, and secondly, we might end up with EPOLL_DEL on a
wrong file descriptor. This causes all sorts of trouble if we hit an active
one.
The fix for this problem is not to close the socket in winbind_child_died().
This however stops an idle child that dies hard from being properly cleaned up.
The fix for that is to add the child->monitor_fde that is set pending only when
no child request is active. This way we can remove the close(sock) in the
signal handler.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This removes the special handling for idmap_child() after the "This is
a little tricky" comment. I believe this was not required at all, the
idmap_child is part of the winbindd_children list.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Note that we only walk the domain children, which all have
child->domain != NULL. So we don't need that check anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Look at setup_domain_child(): There we always set child->domain. The only other
two children are the idmap and locator children, which don't have a domain set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Step 0 in removing winbindd_children as a variable: We have access to
all children via our domain list and the two explicit children. There's
no need to separately maintain a list of winbind children. Maintaining
child->pid != 0 is sufficient to make sure we only walk active children.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 1 09:52:37 CET 2018 on sn-devel-144
We don't support selective authentication yet,
so we shouldn't silently allow domain wide authentication
for such a trust.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13297
Pair-Programmed-With: Anoop C S <anoopcs@redhat.com>
Signed-off-by: Poornima G <pgurusid@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Feb 26 20:17:50 CET 2018 on sn-devel-144
HPUX has this problem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13270
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Feb 23 22:56:35 CET 2018 on sn-devel-144
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 23 17:58:23 CET 2018 on sn-devel-144
On a DC we load the trusts in the parent in add_trusted_domains_dc()
from our local configuration. There's no need to find out the trust details
via network calls.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This is not needed for the normal operation of an AD DC.
Administrators should just use other tools instead of
wbinfo to list and query users and groups.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This makes sure we only talk to direct trusts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
In the long run we should remove this again (as well as IS_DC).
But for now this makes some code changes in winbindd easier to
follow.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
size_t is only a 32-bit integer on 32-bit platforms. We must use off_t
for file sizes.
https://bugzilla.samba.org/show_bug.cgi?id=13296
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
If we have multiple domain children, it's important
that the first idle child takes over the next waiting request.
Before we had the problem that a request could get stuck in the
queue of a busy child, while later requests could get served fine by
other children.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 23 09:04:23 CET 2018 on sn-devel-144
Commit ed3bc614cc got the logic wrong while
trying to implement the logic we had in init_child_connection(),
which was removed by commit d61f3626b7.
Instead of doing a WINBINDD_GETDCNAME request (which would caused an error
because the implementation was removed in commit
958fdaf5c3), we sent the callers request
and interpreted the result as WINBINDD_GETDCNAME response, which
led to an empty dcname variable. As result the domain child
opened a connection to the primary domain in order to lookup
a dc.
If we want to connect the primary domain from the parent via
a domain child of the primary domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13295
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
This will reduce the diff for the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13295
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
domain->dcname was converted from fstring to char * by commit
14bae61ba3.
Luckily this was only ever called with an empty string in
state->request->data.init_conn.dcname.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13294
Signed-off-by: Stefan Metzmacher <metze@samba.org>
A client may skip the explicit endpwent() if getgrent() fails.
This allows client_is_idle() return true in more cases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13293
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
A client may skip the explicit endgrent() if getgrent() fails.
This allows client_is_idle() return true in more cases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13293
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
This way we don't keep winbindd_cli_state->{pw,gr}ent_state arround forever,
if the client forgets an explicit end{pw,gr}ent().
This allows client_is_idle() return true in more cases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13293
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
If the (winbind) client gave up we call TALLOC_FREE(state->mem_ctx)
in remove_client(). This triggers a recursive talloc_free() for all
in flight requests.
In order to maintain the winbindd parent-child protocol, we need
to keep the orphaned wb_simple_trans request until the parent
got the response from the child.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13290
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
We need a way to keep the child->queue blocked without relying on
the current 'req' (wb_child_request_state).
The next commit will make use of this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13290
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
cli_credentials_get_principal() returns NULL in that case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
At present we don't detect errors, but when we do we'll return NULL.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will be used by the LSA Server on an AD DC to request remote views
from trusts.
In future we should implement wb_lookupnames_send/recv similar to
wb_lookupsids_send/recv, but for now using wb_lookupname_send/recv in a loop
works as a first step.
We also need to make use of req->in.level and req->in.client_revision
once we want to support more than one domain within our own forest.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
It just feels better for such a complex function.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13281
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
It just feels better for such a complex function.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13281
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
It just feels better for such a complex function.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13281
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
We check for !NT_STATUS_LOOKUP_ERR(), but wb_lookupsid_recv()
only initializes the results together with NT_STATUS_OK.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13280
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
we don't use setnetgrent/endnetgrent/getnetgrent since security share passed
away.
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We have a stackframe we can use for the lifetime of the session.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 21 02:46:40 CET 2018 on sn-devel-144
This also checks that the URI given via the environment variables
starts with smb://
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Feb 20 21:46:38 CET 2018 on sn-devel-144
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb 19 23:47:08 CET 2018 on sn-devel-144
Yes, this is outdated, but the missing 'break' produces a compiler
warning.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
messaging already provides the sender id
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 16 00:56:36 CET 2018 on sn-devel-144
The destructor does DLIST_REMOVE, so better make sure "client" is in fact
member of that list when the destructor fires
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Feb 13 05:01:38 CET 2018 on sn-devel-144