1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

1338 Commits

Author SHA1 Message Date
Andreas Schneider
dbdbd4875e s3:libads: Fix memory leaks in ads_krb5_chg_password()
Found by covscan.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567

Pair-Programmed-With: Justin Stephenson <jstephen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-08-11 01:49:16 +02:00
Richard Sharpe
2096d13274 Fix some incorrect debug messages that look to be copy-paste issues.
Signed-off-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu May  3 08:16:26 CEST 2018 on sn-devel-144
2018-05-03 08:16:26 +02:00
Volker Lendecke
39bdd175e9 libsmb: Give namequery.c its own header
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 01:06:39 +02:00
Volker Lendecke
efa66c9ebf libads: Fix CID 1349423 Resource leak
get_sorted_dc_list should already take care, but this way it's safer

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 29 03:45:00 CEST 2018 on sn-devel-144
2018-03-29 03:45:00 +02:00
Volker Lendecke
1b7881ceec libads: Fix 1433611 Resource leak
Not really a memleak due to the passed-in talloc ctx, but this way it's cleaner

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-03-29 00:21:53 +02:00
Volker Lendecke
8b5925b304 libads: Fix CID 1433606 Dereference before null check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-03-29 00:21:50 +02:00
Andreas Schneider
bbbe675a1a s3:libads: Fix size types in kerberos functions
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:14 +01:00
Noel Power
0af66455ef s3:libads: 'net ads keytab create' shouldn't write SPN(s)
Modify default behaviour of 'net ads keytab create'

The change modifies the behaviour of 'net ads keytab create' such
that only the keytab file is modified. The current behaviour doesn't
make sense, existing SPN(s) pulled from the computer AD object have
the format 'serviceclass/host:port/servicename'.
'ads_keytab_create_default' calls ads_keytab_add_entry passing
'serviceclass' for each SPN retrieved from the AD. For each
serviceclass passed in a new pair of SPN(s) is generated as follows
    i) long form 'param/full_qualified_dns'
   ii) short form 'param/netbios_name'

This doesn't make sense as we are creating a new SPN(s) from an existing
one probably replacing the existing host with the 'client' machine.

If the keytab file exists then additionally each kerberos principal in the
keytab file is parsed to strip out the primary, then 'ads_keytab_add_entry'
is called which then tries by default to generate a SPN from any primary
that doesn't end in '$'. By default those SPNs are then added to the AD
computer account for the client running the command.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:15 +01:00
Noel Power
4e518ecdda s3:libads: add param to prevent writing spn(s) to ads
'net ads keytab add' currently in addition to adding to the
keytab file this command also can update AD computer objects
via ldap. This behaviour isn't very intuitive or expected given
the command name. By default we shouldn't write to the ADS.

Prepare to change the default behaviour by modifying the function
'ads_keytab_add_entry' to take a paramater to modify the existing
behaviour to optionally update the AD (or not).

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:15 +01:00
Noel Power
6cac9a4720 s3:libads: Allow 'net ads keytab add' handle Windows SPN(s) part 2
This patch addresses how the windows SPN is written to the AD.

If a legacy service (e.g. cifs, http etc.) is passed as param to
'net ads keytab add param' then windows SPNs are generated from
'param' as follows
          i) long form 'param/full_qualified_dns'
         ii) short form 'param/netbios_name'

If the SPN is a is a Windows SPN (e.g. conforming to format
'serviceclass/host:port') then this is the SPN that is passed to
the AD.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:15 +01:00
Noel Power
efabfb1c17 s3:libads: Allow 'net ads keytab add' handle Windows SPN(s) part 1
This patch addresses how the windows SPN is converted into a kerberos
priniciple to be written to the keytab file. A followup patch will
deal with writing Window SPN(s) to the AD.

Before this change 'net ads keytab add' handled three scenarios

a) 'net ads keytab add param' is passed a fully qualified kerberos principal
   (identified by the presence of '@' in param) In this scenario the keytab
   file alone is updated with the principal contained in 'param'.
b) 'net ads keytab add param'; is passed a machine name (identified by
   the paramater ending with '$'). In this case the machine name
   is converted to a kerberos principal with according to the recipe
   'param@realm' where realm is determined by lp_realm().
c) 'net ads keytab add param' is passed a service (e.g. nfs, http etc.)
   In this scenario the param containing the service is first converted to
   into 2 kerberos principals (long and short forms) according to the
   following recipe
      i) long form:  'param/fully_qualified_dns@realm'
     ii) short form: 'param/netbios_name@realm'
     where 'fully_qualified_dns is retrieved from 'dNSHostName' attribute of
     'this' machines computer account on the AD.
     The principals are written to the keytab file
   Secondly 2 windows SPNs are generated from 'param' as follows
      i) long form 'param/full_qualified_dns'
     ii) short form 'param/netbios_name'
   These SPNs are written to the AD computer account object

After this change a) & b) & c) will retain legacy behaviour except
in the case of c) where if the 'param' passed to c) is a Windows SPN
(e.g. conforming to format 'serviceclass/host:port'
  i) 'param' will get converted to a kerberos principal (just a single one)
     with the following recipe: 'serviceclass/host@realm' which will
     be written to the keytab file. The SPN written to the AD is created
     as before and the legacy behaviour is preserved.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
5fa82263ad s3:utils: add new 'net ads setspn delete' subcommand
This patch adds 'delete' to the 'net ads setspn' subcommand

(see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

Usage:

    net ads setspn delete <computer> <SPN>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
8a6c3c5ae2 s3:utils: add new 'net ads setspn add' subcommand
This patch adds 'add' to the 'net ads setspn' subcommand

(see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

Usage:

     net ads setspn add <computer> <SPN>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
65ef044b8d s3:utils: add new 'net ads setspn list' subcommand
This patch adds basic functionality not unlike the setspn.exe
command that is provided by windows for adminsistering SPN on
the AD. (see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

Only the basic list operation (that corresponds to the -l
    switch for setspn.exe is implemented)

Usage:

     net ads setspn list <computer>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
1400ab709e s3:libads: change ads_add_service_principal_name implementation
Previously the function 'ads_add_service_principal_name' created
the SPNs based on the machine_name and dns name passed to the function.
In order to prepare for a future patch that will also need to write
SPN(s) to the AD computer account, the function implementation will
need to be changed. Instead of the function creating the SPN(s) it
will now take the list SPN(s) to write to the AD 'machine_name' account
as an input param instead.
The name of the function has been changed to
'ads_add_service_principal_names' to reflect this. Additionally  client
code now needs to construct the SPNs to be passed into the function.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
cf0823fb9e s3:libads: Add a basic Windows SPN parser.
(see https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
d9593803ea s3:libads: Clean up code a little rename 'ads_get_samaccountname()'
Function 'ads_get_samaccountname()' basically returns the machine_name passed
as an input param (appended with '$') if it exists on the ad. The function
really is testing for the existence of the samaccountname and is not really
'getting' it. This is also the way it is used. Renaming this function to
'ads_has_samaccountname()' better reflects what it is actually doing and how
clients calling the code use it. It also makes the client code using calling
this function less confusing.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
2dd94e41f6 s3:libads: ads_get_dnshostname & ads_get_samaccountname don't use param
Both ads_get_dnshostname() & ads_get_samaccountname() are passed
a param machinename as a argument. Instead of using 'machinename' these
functions are erroneously using lp_netbiosname() instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Volker Lendecke
859698d29b libads: Fix the build --without-ads
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Feb  6 02:47:44 CET 2018 on sn-devel-144
2018-02-06 02:47:43 +01:00
Jeremy Allison
e7425bd524 s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here.
Thanks to Isaac Boukris <iboukris@gmail.com> for finding the
issue and testing this fix.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13244

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 26 02:25:20 CET 2018 on sn-devel-144
2018-01-26 02:25:20 +01:00
Noel Power
3048ae318f s3:libads: net ads keytab list fails with "Key table name malformed"
When keytab_name is NULL don't call smb_krb5_kt_open use ads_keytab_open
instead, this function will determine the correct keytab to use.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-11-29 21:48:17 +01:00
Andreas Schneider
b81ca4f9dc s3:libads: Fix changing passwords with Kerberos
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-11 18:21:22 +02:00
Stefan Metzmacher
b874dc90c9 s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:46 +02:00
Stefan Metzmacher
504b446d8d s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
These don't use any krb5_context related functions and they just
work on secrets.tdb, so they really belong to machine_account_secrets.c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
1a26805ad9 s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
b0928a2687 s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
5fe939e32c s3:libads: provide a simpler kerberos_fetch_salt_princ() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
487b4717b5 s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
The handling for per encryption type salts was removed in
Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone
has such an installation that got constantly upgraded over 10 years
with an automatic password change nor rejoin. It also means
that the KDC only has salt-less arcfour-hmac-md5 key together
with the salted des keys. So there would only be a problem
if the client whould try to use a des key to contact the smb server.

Having this legacy code adds quite some complexity for no
good reason.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
c56043a94a s3:libads: remove unused kerberos_secrets_store_salting_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:43 +02:00
Garming Sam
deec2af7d2 libads: Decide to have no fallback option
Before this change, it would always possibly choose another server at
random despite later using the original principal when it got back to
the connection initialization in the the winbind connection manager.
This caused bizarre authentication failures.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
eaf2c3e21d libads: Check cldap flags in libads/ldap
Pass down request flags and check they are respected with the response
flags. Otherwise, error out and pretend the connection never happened.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Alexander Bokovoy
2dbaade13a libads: abstract out SASL wrapping code
Prepare for rebasing libads on top of libsmbldap.

To make libads using 'struct smbldap_state' instead of direct LDAP
structure, we need to abstract out libads logic from connection
handling. SASL wrapping does not really depend on availability of LDAP
handle and does not need direct access to ADS_STRUCT. As result, we'll
be able to move SASL wrapping code under smbldap once the latter is able
to pass settings that libads passes to the SASL wrapping.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-05-17 23:02:09 +02:00
Andrew Bartlett
a0ab86dedc auth: Add logging of service authorization
In ntlm_auth.c and authdata.c, the session info will be incomplete

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:27 +02:00
Andreas Schneider
e2028837b9 s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds()
There is no way we can get a better error code out of this. The original
function called was krb5_get_init_creds_opt_get_error() which has been
deprecated in 2008.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-22 07:11:10 +01:00
Andreas Schneider
ca2d8f3161 s3:libads: Correctly handle the keytab kerberos methods
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-03-14 15:22:12 +01:00
Chris Lamb
b2478cdc7d Correct "ommited" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:10 +01:00
Alexander Bokovoy
520167992b libads: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-08 18:00:12 +01:00
Andreas Schneider
980eae07f9 s3-libads: Do not leak the msg on error
ldap_search_ext_s manpage states:
Note that res parameter of ldap_search_ext_s should be freed with
ldap_msgfree() regardless of return value of these functions.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar  8 14:59:35 CET 2017 on sn-devel-144
2017-03-08 14:59:35 +01:00
Stefan Metzmacher
bdce9f5fae s3:libads: remove unused fallback to gss_acquire_cred()
Heimdal and all supported versions of MIT krb5 prove gss_krb5_import_cred(),
so we don't need an #ifdef here.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar  6 11:44:54 CET 2017 on sn-devel-144
2017-03-06 11:44:54 +01:00
Stefan Metzmacher
ea0bc12ba5 s3:libads: add more debugging to ads_sasl_spnego_bind()
Any fallbacks to other authentication methods should be logged.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-24 18:40:15 +01:00
Chris Lamb
a4ab7c73bd Correct "occured" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:21 +01:00
Stefan Metzmacher
0013694075 s3:libads: use trust_pw_new_value() for krb5 machine passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-21 16:09:22 +01:00
Volker Lendecke
c9955da65a libads: Use "all_zero" where appropriate
... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-01-03 16:04:28 +01:00
Andreas Schneider
4ef772be3a s3:libads: Include system /etc/krb5.conf if we use MIT Kerberos
The system /etc/krb5.conf defines some defaults like:

    default_ccache_name = KEYRING:persistent:%{uid}

We need to respect that so should include it in our own created
krb5.conf file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-12-02 09:36:07 +01:00
Andreas Schneider
943c6ee030 s3-libads: Fix canonicalization support with MIT Kerberos
This allows to authenticate using user@DOMAIN against an AD DC.

https://bugzilla.samba.org/show_bug.cgi?id=12457

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec  2 00:23:02 CET 2016 on sn-devel-144
2016-12-02 00:23:02 +01:00
Volker Lendecke
8d8c638c3d lib: Fix an uninitialized variable
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-19 01:26:14 +02:00
Jeremy Allison
44a7040500 s3: cldap: cldap_multi_netlogon_send() fails with one bad IPv6 address.
Analysis by: Rebecca Gellman <rebecca@starfleet-net.co.uk>

Ignore cldap_socket_init() failure when sending
multiple cldap netlogon requests. Allow cldap_netlogon_send()
to catch the bad address and correctly return through a
tevent subreq.

Make sure cldap_search_send() copes with cldap parameter == NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12381

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Oct 18 02:16:20 CEST 2016 on sn-devel-144
2016-10-18 02:16:20 +02:00
Stefan Metzmacher
a5f895a530 s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set "KRB5CCNAME"
Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 13 00:35:21 CEST 2016 on sn-devel-144
2016-10-13 00:35:21 +02:00
Stefan Metzmacher
890b1bbdb8 s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor set "KRB5CCNAME"
Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-10-12 20:54:09 +02:00
Günther Deschner
b2f1dc2569 werror: replace WERR_NOMEM with WERR_NOT_ENOUGH_MEMORY in source3/libads/ldap_printer.c
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-28 00:04:18 +02:00
Andreas Schneider
2de4aea728 s3-libads: Do not use deprecated krb5_change_password()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep  1 00:43:51 CEST 2016 on sn-devel-144
2016-09-01 00:43:51 +02:00
Andreas Schneider
e01587c948 s3-libads: Do not use deprecated krb5_get_init_creds_opt_init()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:18 +02:00
Andreas Schneider
9d4f1b4d31 s3-libads: Support for MIT Kerberos ntstatus from init_creds
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:17 +02:00
Andreas Schneider
3cd4bc6446 s3-libads: Use non-deprecated function to get the error
krb5_get_init_creds_opt_get_error is deprecated.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:17 +02:00
Andreas Schneider
e135a13478 s3-libads: Rename smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:17 +02:00
Andreas Schneider
381ebd4af5 krb5_wrap: Move unwrap_edata_ntstatus() and make it static
This also removes the asn1util dependency from krb5_wrap and moves it to
libads which is the only user.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:17 +02:00
Andreas Schneider
aa1cca9f27 krb5_wrap: Rename smb_krb5_open_keytab()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:15 +02:00
Andreas Schneider
d1de425385 krb5_wrap: Rename smb_get_enctype_from_kt_entry()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:15 +02:00
Andreas Schneider
bff77afd32 krb5_wrap: Remove unneeded smb_krb5_get_init_creds_opt_free()
Call the Kerberos function directly.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:14 +02:00
Andreas Schneider
4fae92dcad krb5_wrap: Remove unneeded smb_krb5_get_init_creds_opt_alloc()
Call the Kerberos function directly.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:14 +02:00
Andreas Schneider
97249b7cd0 krb5_wrap: Rename cli_krb5_get_ticket()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:14 +02:00
Andreas Schneider
e8632e2af5 krb5_wrap: Rename kerberos_free_data_contents()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:13 +02:00
Uri Simchoni
3fff2667ec libads: use "kerberos encryption types" parameter
When creating the custom krb.conf file, list etypes
according to kerberos encryption types

Also use proper directives for heimdal (heimdal recognizes
the MIT etype directives, but does not act upon them)

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-09 04:39:07 +02:00
Michael Adam
cc339b0069 libads: improve debug messages in sitename_fetch()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jul 12 21:23:48 CEST 2016 on sn-devel-144
2016-07-12 21:23:48 +02:00
Stefan Metzmacher
a1743de74f libads: ensure the right ccache is used during spnego bind
When doing spnego sasl bind:
1. Try working without kinit only if a password is not
   provided
2. When using kinit, ensure the KRB5CCNAME env var is set
   to a private memory ccache, so that the bind is on behalf
   of the requested user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jul 12 03:23:33 CEST 2016 on sn-devel-144
2016-07-12 03:23:33 +02:00
Stefan Metzmacher
2672968851 libads: ensure the right ccache is used during gssapi bind
When doing gssapi sasl bind:
1. Try working without kinit only if a password is not
   provided
2. When using kinit, ensure the KRB5CCNAME env var is set
   to a private memory ccache, so that the bind is on behalf
   of the requested user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-07-11 23:46:17 +02:00
Uri Simchoni
a646d9e796 s3-libads: fix a memory leak in ads_sasl_spnego_bind()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12006

Signed-off-by: Uri Simchoni <uri@samba.org>
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
2016-07-05 20:55:08 +02:00
Jeremy Allison
e46cb9b835 s3: krb5: keytab - The done label can be jumped to with context == NULL.
Ensure we don't crash in this case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11959

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Thu Jun  9 13:18:56 CEST 2016 on sn-devel-144
2016-06-09 13:18:56 +02:00
Stefan Metzmacher
795e796658 s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-28 16:51:16 +02:00
Andreas Schneider
f9099d3c46 s3-libads: Fix compilation with MIT Kerberos
ENCTYPE_NULL is defined by the RFC and used by MIT Kerberos. Heimdal
also provides ENCTYPE_NULL.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Apr 26 22:47:19 CEST 2016 on sn-devel-144
2016-04-26 22:47:19 +02:00
Ralph Boehme
b26ae7fbf6 krb5_wrap: add enctype arg to smb_krb5_kt_seek_and_delete_old_entries()
Unused in this commit, the next commit will use it to avoid deleting
keys with the same kvno but a different enctype.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-04-25 10:35:14 +02:00
Uri Simchoni
34482eb7cc libads: record session expiry for spnego sasl binds
With the move to gensec-based spnego, record the session expiry
in tgs_expire, so that libads users such as winbindd can use this info
to determine how long to keep the connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11852

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Tue Apr 19 16:53:57 CEST 2016 on sn-devel-144
2016-04-19 16:53:57 +02:00
Stefan Metzmacher
2ec4e165e4 s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
This fixes a regression in commit 2cb07ba50d
(s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos)
that prevents things like 'net ads join' from working against a Windows 2003 domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 12 23:02:56 CEST 2016 on sn-devel-144
2016-04-12 23:02:56 +02:00
Stefan Metzmacher
20859a22c4 CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Pair-programmed-with: Ralph Boehme <slow@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
2016-04-12 19:25:24 +02:00
Volker Lendecke
dcaa88158e libads: Fix CID 1356316 Uninitialized pointer read
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-18 00:29:13 +01:00
Günther Deschner
5d498d1b4d s3:libnet:libnet_join: fill in output enctypes and only modify when necessary.
Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-14 16:19:23 +01:00
Günther Deschner
e0da059b39 s3:libnet:libnet_join: define list of desired encryption types only once.
Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-14 16:19:23 +01:00
Günther Deschner
c61b111e6f s3:libads:ldap: fix ads_check_ou_dn to deal with account_ou not being initialized
Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-14 16:19:23 +01:00
Günther Deschner
e8f6acdeec s3:libads:ndr: add ADS_AUTH_USER_CREDS to ndr_print_ads_auth_flags()
Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-14 16:19:23 +01:00
Günther Deschner
34030b025b s3:libads:ldap: print LDAP error message with log level 10.
Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-14 16:19:23 +01:00
Stefan Metzmacher
2cb07ba50d s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
c5d7956364 s3:libads: keep service and hostname separately in ads_service_principal
Caller will use them instead of the full principal in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
0c204e1192 s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
139ce7d8b6 s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
It will be possible to use this for more than just NTLMSSP in future.

Similar to https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
c6f79cfa86 s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
This avoids using the hand made spnego code, that
doesn't support the GENSEC_FEATURE_NEW_SPNEGO protection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
357d37fa11 s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
This is more generic and will handle the
ntlmssp_[un]wrap() behaviour at the right level.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
8f9a9633e4 s3:libads: add missing TALLOC_FREE(frame) in error path
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
cd8af25d4b s3:libads: remove unused ads_connect_gc()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:26 +01:00
Andreas Schneider
4e367288a5 krb5_wrap: Move smb_krb5_kt_add_entry() to krb5_wrap
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-10 06:52:25 +01:00
Andreas Schneider
49efa9379c s3-libads: Use the C99 boolean false
This is a preparation to move smb_krb5_kt_add_entry() to krb5_wrap.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-10 06:52:25 +01:00
Andreas Schneider
a135b353ae s3-libads: Call smb_krb5_create_key_from_string() directly
This is a preparation to move smb_krb5_kt_add_entry() to krb5_wrap.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-10 06:52:25 +01:00
Andreas Schneider
1e1e12a825 s3-libads: Pass down the salt principal in smb_krb5_kt_add_entry()
This is a preparation to move smb_krb5_kt_add_entry() to krb5_wrap.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-10 06:52:25 +01:00
Stefan Metzmacher
0c74d62524 s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add
We may not have the permission to modify the object after creation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bj@sernet.de>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 26 11:30:03 CET 2016 on sn-devel-144
2016-02-26 11:30:03 +01:00
Günther Deschner
b3931af2df s3-kerberos: avoid entering a password change dialogue also when using MIT.
Without this fix, for accounts with an expired password, a password change
process is initiated and - due to the prompter - this fails with a confusing
error message:

"kerberos_kinit_password Administrator@W2K12DOM.BER.REDHAT.COM failed: Password
mismatch
Failed to join domain: failed to connect to AD: Password mismatch"

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-02-23 01:41:17 +01:00
Volker Lendecke
f3dbaaca41 libads: Factor out ldap_schema_oids.h
Make the oids accessible without having to include ADS_STRUCT&friends

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-02-03 15:04:11 +01:00
Stefan Metzmacher
81cf1fa9e1 s3:libads: we always have arcfour-hmac-md5 support
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb  1 13:02:32 CET 2016 on sn-devel-144
2016-02-01 13:02:32 +01:00
Justin Maggard
cf05ba5b32 s3-libads: Use the configured LDAP page size.
We already allow the user to configure LDAP page size, and use it in pdb_ldap.
But then we hard-code the initial LDAP page size value to 1000 in ads_init, so
it doesn't take effect there.  So let's use the configured LDAP page size value
in ads_init also, which defaults to 1000.

Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jan 15 03:59:16 CET 2016 on sn-devel-144
2016-01-15 03:59:16 +01:00
Volker Lendecke
bffcc17567 libads: Remove "foreign" from ads_struct
AFAICS this was never actually used

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-12-18 05:24:25 +01:00
Andreas Schneider
e6f88c1451 libads: Fix picky const warning with krb5_set_password_using_ccache
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Nov 23 18:20:31 CET 2015 on sn-devel-104
2015-11-23 18:20:31 +01:00
Günther Deschner
6755376ced kerberos: make sure we only use prompter type when available.
We also verified that we cannot simply remove the prompter as several older
versions of Heimdal would crash.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Oct  2 07:29:43 CEST 2015 on sn-devel-104
2015-10-02 07:29:43 +02:00
Volker Lendecke
e524ab9f7e winbind: Fix 100% loop
Thanks to "L.P.H. van Belle" <belle@bazuin.nl>
for help in reproducing the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038

From the bug report:

"With e551cdb37d re-applied the problem is gone with
and without kerberos. Moreover, if correctly configured,
sshd requests you to change your password at logon time,
which then succeeds.

The problem why I had this reverted was because I had not
gone through the pain to correctly configure all the PAM
services (in particular the "account" section), leading
to sshd letting the user in when the password had to be
changed."

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

(cherry picked from commit e551cdb37d)

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct  2 00:16:29 CEST 2015 on sn-devel-104
2015-10-02 00:16:29 +02:00
Uri Simchoni
e224e62297 net: fix a crash with net ads keytab create
Fix a crash that happens when executing "net ads keytab create"
and the machine account in AD does not have setvice principal names
attached to it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11528

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-09-25 05:19:23 +02:00
Volker Lendecke
b3f906f932 Revert "winbind: Fix 100% loop"
This reverts commit e551cdb37d.

Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Sep  1 20:47:50 CEST 2015 on sn-devel-104
2015-09-01 20:47:50 +02:00
Volker Lendecke
e551cdb37d winbind: Fix 100% loop
Thanks to "L.P.H. van Belle" <belle@bazuin.nl>
for help in reproducing the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 22:03:31 CEST 2015 on sn-devel-104
2015-08-28 22:03:31 +02:00
Volker Lendecke
4a442e2eb7 lib: Make sid_parse take a uint8_t
sid_parse takes a binary blob, uint8_t reflects this a bit
better than char * does

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-08-26 21:41:12 +02:00
Uri Simchoni
c404793a38 libads: disable dns_lookup_realm in auto-generated krb5.conf files
This patch sets dns_lookup_realm=false in samba-generated krb5.conf.

Disabling dns_lookup_realm in krb5.conf is the recommended practice for
Kerberos usage in Active Directory environment. dns_lookup_realm is enabled
by default, at least in Heimdal.

When used by samba, Kerberos libraries operate based on either the system
krb5.conf, or a private krb5.conf generated specifically for the domain by
samba code. In the former case, it's the responsibility of the administrator
to set dns_lookup_realm=false. In the latter case, it's the responsibility
of samba - which is what this patch does.

In many usage scenarios the value of this variable is of no consequence
since samba knows the realm in which it is operating, and knows how to
generate service principal names. However, there are some scenarios
in which samba calls kerberos_get_principal_from_service_hostname(),
and here samba consults the Kerberos libraries and this parameter comes
into play. One primary example is cli_full_connection() function.

Not setting dns_lookup_realm leads to a series of DNS TXT record lookups.
This can be observed by running "net ads join -k -U <user>".

In AD environments, the TXT queries  typically fail quickly, but test setups
or misconfigured DNS may lead to large timeouts (for example, if the domain
is dept.example.com but there's no parent example.com domain and no DNS
zones for example.com). At the very least we want to avoid those lookups
because they are hardly documented and lead to confusion.

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-17 01:38:15 +02:00
Stefan Metzmacher
f87e70a930 s3:libads: improve debug levels/messages in ads_find_dc()
We should not flood the logs (and syslog) with fallback warnings.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Jul  2 14:41:31 CEST 2015 on sn-devel-104
2015-07-02 14:41:31 +02:00
Stefan Metzmacher
8dbe9d785b s3:libads/sasl: use gensec_max_{input,wrapped}_size() in ads_sasl_spnego_ntlmssp_bind
gensec_sig_size() is for gensec_{sign,seal}_packet() instead of gensec_wrap().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:07 +02:00
Uri Simchoni
28f51b9159 libads: further split resolve_and_ping into dns and netbios implementations
split the resolve_and_ping function, which does name lookup followed by
cldap ping, into two variants:
- resolve_and_ping_dns() which uses AD name resolution
- resolve_and_ping_netbios() which uses pre-AD name resolution

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-06-16 01:29:24 +02:00
Uri Simchoni
4d8241e017 libads: Fix fallback logic when finding a domain controller
This is a patch to fix bug 11321.

When finding a domain controller, the method is to resolve
the IP address of candidate servers, and then do an ldap ping until a
suitable server answers.

In case of failure, there's fallback from DNS lookup to netbios lookup
(if netbios is enabled) and then back to site-less DNS lookup. The two
problems here are:
1. It makes more sense to try site-less DNS before NetBIOS because the
fallback to NetBIOS is not likely to give better results.
2. The NetBIOS fallback screws the site-less fallback (I suppose the
"goto considered harmful fellows are sometimes right after all...).

This fix extracts the core code that does name resolving+ldap ping
into a separate function and then activates this function in up to
three modes - site-aware, site-less, and netbios, in that order.

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-06-16 01:29:24 +02:00
Uri Simchoni
dcdf2d6f27 libads: Keep 'good' server at the head of custom KDC list
When creating a custom krb.conf file for a domain, make sure
that the DC which already answered the ldap ping is not queried
again, and is always first in the custom KDC list. This has two
advantages:
1. Avoid re-sending an ldap ping to this server
2. The generated list is made up of the servers that answered
   first. Since the DC which already answered an LDAP ping
   is typically the "last good server", this change keeps it
   out of the contest and guarantees that we keep using last
   good server as long as it works.

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-06-16 01:29:24 +02:00
Uri Simchoni
183b799103 kerberos: Move DEFAULT_KRB5_PORT to a header file
Move the kerberos port number definition to a header file, so that
it can be used by DNS code.

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-06-16 01:29:24 +02:00
Uri Simchoni
a9325f185c libads: fix indentation in generated krb5.conf
In case of multiple KDCs, the automatically-generated
domain-specific kerberos configuration file lists all the
KDCs it can find, but the indentation of additional KDCs
is not aligned with that of the first KDC.

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-06-16 01:29:24 +02:00
Richard Sharpe
57568f1900 Convert all uint32/16/8 to _t in a grab-bag of remaining files.
I still need to fix the rpc stuff, but we are almost there.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 14 22:16:56 CEST 2015 on sn-devel-104
2015-05-14 22:16:56 +02:00
Uri Simchoni
40eac8e4d8 libads: record service ticket endtime for sealed ldap connections
When a ticket is obtained for binding a signed/sealed ldap connection,
its liftime should be recorded in the ads struct, in order to enable
reuse of the connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11267

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <rb@sernet.de>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 13 04:32:16 CEST 2015 on sn-devel-104
2015-05-13 04:32:16 +02:00
Volker Lendecke
7ceded5ed7 lib: Make sid_binstring_hex use TALLOC
talloc_tos() is better than plain malloc...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-13 01:44:20 +02:00
David Holder
c324d7901c Add IPv6 support to ADS client side LDAP connects. Corrected format for IPv6 LDAP URI. Signed-off-by: David Holder <david.holder@erion.co.uk>
Signed-off-by: David Holder <david.holder@erion.co.uk>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <rb@sernet.de>
2015-05-12 20:46:16 +02:00
Uri Simchoni
38beef2ff6 libads: Fix deadlock when re-joining a domain and updating keytab
When updating the system keytab as a result of joining a domain,
if the keytb had prior entries, ads_keytab_create_default tries to
update those entries. However, it starts updating before freeing the
cursor which was used for finding those entries, and hence causes
an an attempt to write-lock the keytab while a read-lock exists.

To reproduce configure smb.conf for ads domain member and run this twice:
net ads join -U <credentials> '--option=kerberos method=secrets and keytab'

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May  4 21:01:41 CEST 2015 on sn-devel-104
2015-05-04 21:01:41 +02:00
Uri Simchoni
df91bc5159 libads: Fix free of uninitialized pointer
In ads_keytab_creat_default(), if the keytab to be created cannot
be opened, the bail-out code calls smb_krb5_kt_free_entry() on
an uninitialized entry.

To reproduce:
1. Join a domain
2. KRB5_KTNAME=FILE:/non-existant-path/krb5.keytab net ads keytab create -P

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-05-04 18:24:21 +02:00
Richard Sharpe
5074cf825d Convert all uses of uint8/16/32 to uint8/16/32_t in the libads code.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 22 06:22:29 CEST 2015 on sn-devel-104
2015-04-22 06:22:29 +02:00
Anoop C S
226c59ea5b libads: Fix CID 1272956 Fixing wrong if condition
Signed-off-by: Anoop C S <achiraya@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 18 01:33:04 CEST 2015 on sn-devel-104
2015-04-18 01:33:04 +02:00
Günther Deschner
a616df1848 lib/krb5_wrap: use krb5_const_principal in smb_krb5_create_key_from_string.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-27 01:26:16 +01:00
Volker Lendecke
706770d7a8 libads: Fix CID 1273305 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2015-03-04 14:46:07 +01:00
Volker Lendecke
4a686c5b0b libads: Fix CID 1273306 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2015-03-04 14:46:07 +01:00
Andreas Schneider
a13e29cc43 s3-libads: Fix a possible segfault in kerberos_fetch_pac().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11037

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-01-07 21:55:06 +01:00
Andreas Schneider
7f00fcf558 addns: Remove support for dns_host_file.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-18 06:47:40 +01:00
Günther Deschner
373d58c91d s3-libads: remove unused dn from ads_get_service_principal_names().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Nov 28 16:46:20 CET 2014 on sn-devel-104
2014-11-28 16:46:20 +01:00
Stefan Metzmacher
f53c7c3082 s3:libads: avoid some compiler warnings in ldap.c
We use helper variables and explicit casts using
discard_const_p() to avoid bogus const warnings.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-25 07:25:44 +01:00
Günther Deschner
a62cc2ce44 samba: pass down size_t instead of int to add_string_to_array().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Nov 17 19:53:22 CET 2014 on sn-devel-104
2014-11-17 19:53:22 +01:00
Matt Rogers
0de6799996 s3-keytab: fix keytab array NULL termination.
Signed-off-by: Matt Rogers <mrogers@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-12 20:21:09 +01:00
Andreas Schneider
5d58b92f8f s3-libads: Add all machine account principals to the keytab.
This adds all SPNs defined in the DC for the computer account to the
keytab using 'net ads keytab create -P'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9985

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-09-26 05:55:34 +02:00
Andreas Schneider
e1ee4c8bc7 s3-libads: Add function to search for an element in an array.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-09-26 05:55:34 +02:00
Andreas Schneider
4eaa4ccbdf s3-libads: Add a function to retrieve the SPNs of a computer account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-09-26 05:55:34 +02:00
Andreas Schneider
83c62bd3f5 s3-libads: Improve service principle guessing.
If the name passed to the net command with the -S options is the long
hostname of the domaincontroller and not the 15 char NetBIOS name we
should construct a FQDN with the realm to get a Kerberos ticket.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10829

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-09-26 05:55:34 +02:00
Günther Deschner
aaf2cae36b s3-kpasswd: Fix build warning.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Sep  1 18:15:15 CEST 2014 on sn-devel-104
2014-09-01 18:15:15 +02:00
Günther Deschner
9e42b01865 s3-kpasswd: send a netbios krb5 address to avoid invalid net address errors from
heimdal.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2014-09-01 15:47:33 +02:00
Simo Sorce
1d779bdbb2 Remove custom password change code in libads
Use standard libkrb5 calls instead.

Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2014-09-01 15:47:33 +02:00
Simo Sorce
6bdde64354 Remove duplicate definitions
Thee are already defined both in Heimdal and MIT public headers

Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2014-09-01 15:47:33 +02:00
Günther Deschner
d9167c3044 s3-libads/krb5_setpw: free realm from smb_krb5_principal_get_realm().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-08 16:37:36 +02:00
Günther Deschner
22c6766693 samba: use smb_krb5_create_key_from_string() in some places.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
2014-08-08 06:02:34 +02:00
Christof Schmitt
a5b96ee5fb s3-krb5: Limit search for old kvno to 8bits
Some keytab files store the kvno only in 8bits. Limit the compare to
8bits, so that we don't miss old keys and delete them. This fixes the
problem that updates to the keytab file removed all previous keys.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>

Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Thu May  8 00:54:15 CEST 2014 on sn-devel-104
2014-05-08 00:54:15 +02:00
Günther Deschner
60db71015f s3-libads: allow ads_try_connect() to re-use a resolved ip address.
Pass down a struct sockaddr_storage to ads_try_connect.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Apr 17 19:56:16 CEST 2014 on sn-devel-104
2014-04-17 19:56:16 +02:00
Andreas Schneider
d407446ddc Remove special socket_wrapper code.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
4dca841d51 s3-libads: Use ldap_initialize() if available.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Günther Deschner
5f8f1be7a8 s3-kerberos: make ipv6 support for generated krb5 config files more robust.
Older MIT Kerberos libraries will add any secondary ipv6 address as
ipv4 address, defining the (default) krb5 port 88 circumvents that.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Apr  4 16:33:12 CEST 2014 on sn-devel-104
2014-04-04 16:33:12 +02:00
Andrew Bartlett
60024cdd73 kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUT
Change-Id: I333083e11a56d0f99ec36df25a96804d0ff2d110
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Stefan Metzmacher
2103c373b4 auth/gensec: remove tevent_context argument from gensec_update()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:32 +01:00
Bjoern Baumbach
2b44c85c7b s3-libads: Use the IP instead of the name.
Thix fixes 'net rpc join' against ADS.

Signed-off-by: Bjoern Baumbach <bb@sernet.de>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Mar 13 17:06:00 CET 2014 on sn-devel-104
2014-03-13 17:06:00 +01:00
Günther Deschner
a8c2807a26 s3-kerberos: let kerberos_return_pac() return a PAC container.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-12 10:13:20 +01:00
Günther Deschner
1270e35ba7 s3-kerberos: return a full PAC in kerberos_return_pac().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-12 10:13:20 +01:00