1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

1338 Commits

Author SHA1 Message Date
Volker Lendecke
e524ab9f7e winbind: Fix 100% loop
Thanks to "L.P.H. van Belle" <belle@bazuin.nl>
for help in reproducing the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038

From the bug report:

"With e551cdb37d re-applied the problem is gone with
and without kerberos. Moreover, if correctly configured,
sshd requests you to change your password at logon time,
which then succeeds.

The problem why I had this reverted was because I had not
gone through the pain to correctly configure all the PAM
services (in particular the "account" section), leading
to sshd letting the user in when the password had to be
changed."

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

(cherry picked from commit e551cdb37d)

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct  2 00:16:29 CEST 2015 on sn-devel-104
2015-10-02 00:16:29 +02:00
Uri Simchoni
e224e62297 net: fix a crash with net ads keytab create
Fix a crash that happens when executing "net ads keytab create"
and the machine account in AD does not have setvice principal names
attached to it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11528

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-09-25 05:19:23 +02:00
Volker Lendecke
b3f906f932 Revert "winbind: Fix 100% loop"
This reverts commit e551cdb37d.

Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Sep  1 20:47:50 CEST 2015 on sn-devel-104
2015-09-01 20:47:50 +02:00
Volker Lendecke
e551cdb37d winbind: Fix 100% loop
Thanks to "L.P.H. van Belle" <belle@bazuin.nl>
for help in reproducing the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 22:03:31 CEST 2015 on sn-devel-104
2015-08-28 22:03:31 +02:00
Volker Lendecke
4a442e2eb7 lib: Make sid_parse take a uint8_t
sid_parse takes a binary blob, uint8_t reflects this a bit
better than char * does

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-08-26 21:41:12 +02:00
Uri Simchoni
c404793a38 libads: disable dns_lookup_realm in auto-generated krb5.conf files
This patch sets dns_lookup_realm=false in samba-generated krb5.conf.

Disabling dns_lookup_realm in krb5.conf is the recommended practice for
Kerberos usage in Active Directory environment. dns_lookup_realm is enabled
by default, at least in Heimdal.

When used by samba, Kerberos libraries operate based on either the system
krb5.conf, or a private krb5.conf generated specifically for the domain by
samba code. In the former case, it's the responsibility of the administrator
to set dns_lookup_realm=false. In the latter case, it's the responsibility
of samba - which is what this patch does.

In many usage scenarios the value of this variable is of no consequence
since samba knows the realm in which it is operating, and knows how to
generate service principal names. However, there are some scenarios
in which samba calls kerberos_get_principal_from_service_hostname(),
and here samba consults the Kerberos libraries and this parameter comes
into play. One primary example is cli_full_connection() function.

Not setting dns_lookup_realm leads to a series of DNS TXT record lookups.
This can be observed by running "net ads join -k -U <user>".

In AD environments, the TXT queries  typically fail quickly, but test setups
or misconfigured DNS may lead to large timeouts (for example, if the domain
is dept.example.com but there's no parent example.com domain and no DNS
zones for example.com). At the very least we want to avoid those lookups
because they are hardly documented and lead to confusion.

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-17 01:38:15 +02:00
Stefan Metzmacher
f87e70a930 s3:libads: improve debug levels/messages in ads_find_dc()
We should not flood the logs (and syslog) with fallback warnings.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Jul  2 14:41:31 CEST 2015 on sn-devel-104
2015-07-02 14:41:31 +02:00
Stefan Metzmacher
8dbe9d785b s3:libads/sasl: use gensec_max_{input,wrapped}_size() in ads_sasl_spnego_ntlmssp_bind
gensec_sig_size() is for gensec_{sign,seal}_packet() instead of gensec_wrap().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:07 +02:00
Uri Simchoni
28f51b9159 libads: further split resolve_and_ping into dns and netbios implementations
split the resolve_and_ping function, which does name lookup followed by
cldap ping, into two variants:
- resolve_and_ping_dns() which uses AD name resolution
- resolve_and_ping_netbios() which uses pre-AD name resolution

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-06-16 01:29:24 +02:00
Uri Simchoni
4d8241e017 libads: Fix fallback logic when finding a domain controller
This is a patch to fix bug 11321.

When finding a domain controller, the method is to resolve
the IP address of candidate servers, and then do an ldap ping until a
suitable server answers.

In case of failure, there's fallback from DNS lookup to netbios lookup
(if netbios is enabled) and then back to site-less DNS lookup. The two
problems here are:
1. It makes more sense to try site-less DNS before NetBIOS because the
fallback to NetBIOS is not likely to give better results.
2. The NetBIOS fallback screws the site-less fallback (I suppose the
"goto considered harmful fellows are sometimes right after all...).

This fix extracts the core code that does name resolving+ldap ping
into a separate function and then activates this function in up to
three modes - site-aware, site-less, and netbios, in that order.

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-06-16 01:29:24 +02:00
Uri Simchoni
dcdf2d6f27 libads: Keep 'good' server at the head of custom KDC list
When creating a custom krb.conf file for a domain, make sure
that the DC which already answered the ldap ping is not queried
again, and is always first in the custom KDC list. This has two
advantages:
1. Avoid re-sending an ldap ping to this server
2. The generated list is made up of the servers that answered
   first. Since the DC which already answered an LDAP ping
   is typically the "last good server", this change keeps it
   out of the contest and guarantees that we keep using last
   good server as long as it works.

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-06-16 01:29:24 +02:00
Uri Simchoni
183b799103 kerberos: Move DEFAULT_KRB5_PORT to a header file
Move the kerberos port number definition to a header file, so that
it can be used by DNS code.

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-06-16 01:29:24 +02:00
Uri Simchoni
a9325f185c libads: fix indentation in generated krb5.conf
In case of multiple KDCs, the automatically-generated
domain-specific kerberos configuration file lists all the
KDCs it can find, but the indentation of additional KDCs
is not aligned with that of the first KDC.

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-06-16 01:29:24 +02:00
Richard Sharpe
57568f1900 Convert all uint32/16/8 to _t in a grab-bag of remaining files.
I still need to fix the rpc stuff, but we are almost there.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 14 22:16:56 CEST 2015 on sn-devel-104
2015-05-14 22:16:56 +02:00
Uri Simchoni
40eac8e4d8 libads: record service ticket endtime for sealed ldap connections
When a ticket is obtained for binding a signed/sealed ldap connection,
its liftime should be recorded in the ads struct, in order to enable
reuse of the connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11267

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <rb@sernet.de>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 13 04:32:16 CEST 2015 on sn-devel-104
2015-05-13 04:32:16 +02:00
Volker Lendecke
7ceded5ed7 lib: Make sid_binstring_hex use TALLOC
talloc_tos() is better than plain malloc...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-13 01:44:20 +02:00
David Holder
c324d7901c Add IPv6 support to ADS client side LDAP connects. Corrected format for IPv6 LDAP URI. Signed-off-by: David Holder <david.holder@erion.co.uk>
Signed-off-by: David Holder <david.holder@erion.co.uk>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <rb@sernet.de>
2015-05-12 20:46:16 +02:00
Uri Simchoni
38beef2ff6 libads: Fix deadlock when re-joining a domain and updating keytab
When updating the system keytab as a result of joining a domain,
if the keytb had prior entries, ads_keytab_create_default tries to
update those entries. However, it starts updating before freeing the
cursor which was used for finding those entries, and hence causes
an an attempt to write-lock the keytab while a read-lock exists.

To reproduce configure smb.conf for ads domain member and run this twice:
net ads join -U <credentials> '--option=kerberos method=secrets and keytab'

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May  4 21:01:41 CEST 2015 on sn-devel-104
2015-05-04 21:01:41 +02:00
Uri Simchoni
df91bc5159 libads: Fix free of uninitialized pointer
In ads_keytab_creat_default(), if the keytab to be created cannot
be opened, the bail-out code calls smb_krb5_kt_free_entry() on
an uninitialized entry.

To reproduce:
1. Join a domain
2. KRB5_KTNAME=FILE:/non-existant-path/krb5.keytab net ads keytab create -P

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-05-04 18:24:21 +02:00
Richard Sharpe
5074cf825d Convert all uses of uint8/16/32 to uint8/16/32_t in the libads code.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 22 06:22:29 CEST 2015 on sn-devel-104
2015-04-22 06:22:29 +02:00
Anoop C S
226c59ea5b libads: Fix CID 1272956 Fixing wrong if condition
Signed-off-by: Anoop C S <achiraya@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 18 01:33:04 CEST 2015 on sn-devel-104
2015-04-18 01:33:04 +02:00
Günther Deschner
a616df1848 lib/krb5_wrap: use krb5_const_principal in smb_krb5_create_key_from_string.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-27 01:26:16 +01:00
Volker Lendecke
706770d7a8 libads: Fix CID 1273305 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2015-03-04 14:46:07 +01:00
Volker Lendecke
4a686c5b0b libads: Fix CID 1273306 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2015-03-04 14:46:07 +01:00
Andreas Schneider
a13e29cc43 s3-libads: Fix a possible segfault in kerberos_fetch_pac().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11037

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-01-07 21:55:06 +01:00
Andreas Schneider
7f00fcf558 addns: Remove support for dns_host_file.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-18 06:47:40 +01:00
Günther Deschner
373d58c91d s3-libads: remove unused dn from ads_get_service_principal_names().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Nov 28 16:46:20 CET 2014 on sn-devel-104
2014-11-28 16:46:20 +01:00
Stefan Metzmacher
f53c7c3082 s3:libads: avoid some compiler warnings in ldap.c
We use helper variables and explicit casts using
discard_const_p() to avoid bogus const warnings.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-25 07:25:44 +01:00
Günther Deschner
a62cc2ce44 samba: pass down size_t instead of int to add_string_to_array().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Nov 17 19:53:22 CET 2014 on sn-devel-104
2014-11-17 19:53:22 +01:00
Matt Rogers
0de6799996 s3-keytab: fix keytab array NULL termination.
Signed-off-by: Matt Rogers <mrogers@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-12 20:21:09 +01:00
Andreas Schneider
5d58b92f8f s3-libads: Add all machine account principals to the keytab.
This adds all SPNs defined in the DC for the computer account to the
keytab using 'net ads keytab create -P'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9985

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-09-26 05:55:34 +02:00
Andreas Schneider
e1ee4c8bc7 s3-libads: Add function to search for an element in an array.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-09-26 05:55:34 +02:00
Andreas Schneider
4eaa4ccbdf s3-libads: Add a function to retrieve the SPNs of a computer account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-09-26 05:55:34 +02:00
Andreas Schneider
83c62bd3f5 s3-libads: Improve service principle guessing.
If the name passed to the net command with the -S options is the long
hostname of the domaincontroller and not the 15 char NetBIOS name we
should construct a FQDN with the realm to get a Kerberos ticket.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10829

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-09-26 05:55:34 +02:00
Günther Deschner
aaf2cae36b s3-kpasswd: Fix build warning.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Sep  1 18:15:15 CEST 2014 on sn-devel-104
2014-09-01 18:15:15 +02:00
Günther Deschner
9e42b01865 s3-kpasswd: send a netbios krb5 address to avoid invalid net address errors from
heimdal.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2014-09-01 15:47:33 +02:00
Simo Sorce
1d779bdbb2 Remove custom password change code in libads
Use standard libkrb5 calls instead.

Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2014-09-01 15:47:33 +02:00
Simo Sorce
6bdde64354 Remove duplicate definitions
Thee are already defined both in Heimdal and MIT public headers

Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2014-09-01 15:47:33 +02:00
Günther Deschner
d9167c3044 s3-libads/krb5_setpw: free realm from smb_krb5_principal_get_realm().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-08 16:37:36 +02:00
Günther Deschner
22c6766693 samba: use smb_krb5_create_key_from_string() in some places.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
2014-08-08 06:02:34 +02:00
Christof Schmitt
a5b96ee5fb s3-krb5: Limit search for old kvno to 8bits
Some keytab files store the kvno only in 8bits. Limit the compare to
8bits, so that we don't miss old keys and delete them. This fixes the
problem that updates to the keytab file removed all previous keys.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>

Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Thu May  8 00:54:15 CEST 2014 on sn-devel-104
2014-05-08 00:54:15 +02:00
Günther Deschner
60db71015f s3-libads: allow ads_try_connect() to re-use a resolved ip address.
Pass down a struct sockaddr_storage to ads_try_connect.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Apr 17 19:56:16 CEST 2014 on sn-devel-104
2014-04-17 19:56:16 +02:00
Andreas Schneider
d407446ddc Remove special socket_wrapper code.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
4dca841d51 s3-libads: Use ldap_initialize() if available.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Günther Deschner
5f8f1be7a8 s3-kerberos: make ipv6 support for generated krb5 config files more robust.
Older MIT Kerberos libraries will add any secondary ipv6 address as
ipv4 address, defining the (default) krb5 port 88 circumvents that.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Apr  4 16:33:12 CEST 2014 on sn-devel-104
2014-04-04 16:33:12 +02:00
Andrew Bartlett
60024cdd73 kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUT
Change-Id: I333083e11a56d0f99ec36df25a96804d0ff2d110
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Stefan Metzmacher
2103c373b4 auth/gensec: remove tevent_context argument from gensec_update()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:32 +01:00
Bjoern Baumbach
2b44c85c7b s3-libads: Use the IP instead of the name.
Thix fixes 'net rpc join' against ADS.

Signed-off-by: Bjoern Baumbach <bb@sernet.de>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Mar 13 17:06:00 CET 2014 on sn-devel-104
2014-03-13 17:06:00 +01:00
Günther Deschner
a8c2807a26 s3-kerberos: let kerberos_return_pac() return a PAC container.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-12 10:13:20 +01:00
Günther Deschner
1270e35ba7 s3-kerberos: return a full PAC in kerberos_return_pac().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-12 10:13:20 +01:00
Günther Deschner
932490ae08 s3-libads: pass down local_service to kerberos_return_pac().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-12 10:13:19 +01:00
Günther Deschner
a8c0de35f7 s3-kerberos: remove unused kdc_name from create_local_private_krb5_conf_for_domain().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Mar  7 18:43:57 CET 2014 on sn-devel-104
2014-03-07 18:43:57 +01:00
Günther Deschner
168627e187 s3-kerberos: remove print_kdc_line() completely.
Just calling print_canonical_sockaddr() is sufficient, as it already deals with
ipv6 as well. The port handling, which was only done for IPv6 (not IPv4), is
removed as well. It was pointless because it always derived the port number from
the provided address which was either a SMB (usually port 445) or LDAP
connection. No KDC will ever run on port 389 or 445 on a Windows/Samba DC.
Finally, the kerberos libraries that we support and build with, can deal with
ipv6 addresses in krb5.conf, so we no longer put the (unnecessary) burden of
resolving the DC name on the kerberos library anymore.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-07 16:16:54 +01:00
Daniel Liberman
b04e8b7557 s3: ldap client can return NT_STATUS_OK when an error occurs in a paged search.
"Inside ads_do_search_all_args(), if the first call to ads_do_paged_search_args()
fails, the proper error status is returned.

But, if the execution is already inside the loop to get all the accounts doing
several calls to ads_do_paged_search_args(), and one of these calls times out,
the status returned is from the *first* call, so success. This causes
net_ads_search() to interpret the return from ads_do_search_retry() as
success and print all the accounts returned, but it’s only a subset."

Also ensure we free previously returned results on error
in subsequent fetches.

https://bugzilla.samba.org/show_bug.cgi?id=10387

Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 23 01:40:54 CET 2014 on sn-devel-104
2014-01-23 01:40:54 +01:00
Andreas Schneider
c8371b4ec1 s3-libads: Fix memory leaks in ads_build_path().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2014-01-09 20:42:54 +01:00
Jeremy Allison
32037e0533 Add a talloc context to sitename_fetch().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2013-09-05 09:17:27 -07:00
Volker Lendecke
8a7246ac2c lib: Add a "mem_ctx" arg to gencache_get (unused so far)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-09-05 09:16:23 -07:00
Stefan Metzmacher
966faef9c6 auth/gensec: treat struct gensec_security_ops as const if possible.
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:04 +02:00
Stefan Metzmacher
71c63e85e7 auth/gensec: introduce gensec_internal.h
We should treat most gensec related structures private.

It's a long way, but this is a start.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:02 +02:00
Andreas Schneider
6659f0164c s3-libads: Print a message if no realm has been specified.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Aug  5 12:24:44 CEST 2013 on sn-devel-104
2013-08-05 12:24:43 +02:00
Günther Deschner
6dc7c63efa s3-libads: Fail create_local_private_krb5_conf_for_domain() if parameters missing.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-08-05 10:29:59 +02:00
Andreas Schneider
7bad9d1fcd s3-libads: Print the debug string of a failed call with LDAP_OTHER.
Signed-off-by: Andreas Schneider <asn@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 12 13:46:57 CEST 2013 on sn-devel-104
2013-06-12 13:46:57 +02:00
Andreas Schneider
a7f067c244 BUG 9699: Fix adding case sensitive spn.
We should be able to define the case of the spn cause it is important
for some services like nfs. 'net ads keytab add "nfs"' should not
result in an uppercase spn.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr  3 23:57:32 CEST 2013 on sn-devel-104
2013-04-03 23:57:32 +02:00
Andreas Schneider
90cbfc96d1 Make sure to set umask() before calling mkstemp().
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Mar  6 01:16:34 CET 2013 on sn-devel-104
2013-03-06 01:16:34 +01:00
Stefan Metzmacher
3cad605ee9 s3:libads: make use of samba_tevent_context_init()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-19 23:47:46 +01:00
Stefan Metzmacher
9292e5b743 s3: use generate_random_password() instead of generate_random_str()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-04 17:14:22 +01:00
Andreas Schneider
d0e20998a2 s3-libads: Fix copy&paste error in ads_keytab_add_entry().
Found by Coverity.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2012-12-21 13:56:00 +01:00
Andrew Bartlett
71e1c080cb libads: Always free the talloc_stackframe() on error path
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov  5 03:33:32 CET 2012 on sn-devel-104
2012-11-05 03:33:32 +01:00
Günther Deschner
06f3b1f0b0 s3-kerberos: add aes enctypes to generated krb5.conf.
Guenther
2012-10-02 16:22:31 +02:00
Günther Deschner
eae33e96fc s3-krb5: use and request AES keys in kerberos operations.
Guenther
2012-10-02 16:22:31 +02:00
Simo Sorce
893b213876 Avoid overriding default ccache for ads operations.
Avoid overriding default ccache for ads operations.

Nowadays various samba components may need to use GSSAPI and a default cred
cache to perform their tasks.
This code was completely overriding the whole process default ccache name, thus
altering the current credentials and sometimes hijacking them (or getting
preemptively hijaked).

By using gss_krb5_import_cred we can instead use a private ccache (necessary
sometimes to use a different set of credentials fromt he default
cifs/fqdn@realm one, for example when contacting foreign DCs using trust
credentials) that does not affect the rest of the process.

For the kerberos versions which don't have gss_krb5_import_cred
we fallback to temp override of KRB5CCNAME and gss_acquire_cred.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
2012-09-12 21:18:09 +02:00
Alexander Bokovoy
140bb288be s3-smbldap: use smbldap_ prefixed functions 2012-09-07 12:31:42 +02:00
Jeremy Allison
b70f23c2b5 Correctly check for errors in strlower_m() returns. 2012-08-09 12:08:18 -07:00
Jeremy Allison
526e875cec Check error returns from strupper_m() (in all reasonable places). 2012-08-09 12:06:54 -07:00
Andrew Bartlett
f3562424b6 lib/param: Move all enum declarations to lib/param
This is in preperation for the parameter table being made common.

Andrew Bartlett

Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2012-07-24 11:01:17 +02:00
Christof Schmitt
7285ed586f auth: Common function for retrieving PAC_LOGIN_INFO from PAC
Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-06 20:45:51 +10:00
Andrew Bartlett
666dba3353 s3-param: Rename loadparm_s3_context -> loadparm_s3_helpers
This helps clarify the role of this structure and wrapper function.

The purpose here is to provide helper functions to the lib/param
loadparm_context that point back at the s3 lp_ functions.  This allows
a struct loadparm_context to be passed to any point in the code, and
always refer to the correct loadparm system.  If this has not been
set, the variables loaded in the lib/param code will be returned.

As requested by Michael Adam.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 27 17:11:16 CEST 2012 on sn-devel-104
2012-06-27 17:11:16 +02:00
Andrew Bartlett
0da10c842e s3-libads: Use a reducing page size to try and cope with a slow LDAP server
If we cannot get 1000 users downloaded in 15seconds, try with 500, 250
and then 125 users at a time.

Andrew Bartlett

Signed-off-by: Jeremy Allison <jra@samba.org>
2012-05-26 02:03:08 +02:00
Andrew Bartlett
63fb1d396b s3-libads: Map LDAP_TIMELIMIT_EXCEEDED as NT_STATUS_IO_TIMEOUT
This allows Samba to then handle this error in the same way it would for RPC connections

Andrew Bartlett

Signed-off-by: Jeremy Allison <jra@samba.org>
2012-05-26 02:03:07 +02:00
Simo Sorce
34a65739d3 Move source3/libads/dns.c to lib/addns 2012-05-23 17:51:48 +03:00
Simo Sorce
cc3321c9ff s3-ads-dns: Avoid unnecessary dependencies 2012-05-23 17:51:48 +03:00
Simo Sorce
a7e94fce3f s3-ads-dns: Break dependency on lp_parm
In preparation of making this code common to s3 and s4
2012-05-23 17:51:48 +03:00
Simo Sorce
4a335e9632 s3-ad-dns: Use more standard uint and booleans defs
In preparation of making this code common to s3 and s4
2012-05-23 17:51:48 +03:00
Gregor Beck
7ba1b13e99 s3:registry: remove usage of reg_objects from libads/ldap_printer.c
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-25 14:11:06 +02:00
Alexander Bokovoy
594e316181 lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.

Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.

Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-25 00:18:32 +02:00
Volker Lendecke
d38a171a43 s3: Attempt to fix the build without kerberos
Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Tue Apr 24 15:04:14 CEST 2012 on sn-devel-104
2012-04-24 15:04:13 +02:00
Simo Sorce
08c733d75f Make krb5 wrapper library common so they can be used all over 2012-04-23 19:20:38 -04:00
Simo Sorce
1f1e4275b5 clikrb5: Move pure krb wrapper functions from libads to clikrb5.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Andrew Bartlett
e715460898 s3-libads: Remove ads_verify_ticket() as it is now unused
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-04-03 17:47:32 +02:00
Andrew Bartlett
410ca7311a s3-libads: Rework kerberos_return_pac() to use GENSEC for the server-side
This removes the last user of ads_verify_ticket(), and means that we
only have one code path to verify an incoming krb5 (GSSAPI) ticket.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-04-03 17:47:32 +02:00
Jeremy Allison
959516d61b More strlcat/strlcpy truncate checks. 2012-03-30 21:26:07 +02:00
Andrew Bartlett
b0798cc013 s3-libads: Remove unused ads_set_machine_password()
Found by callcatcher.

Andrew Bartlett
2012-02-23 16:14:19 +11:00
Andrew Bartlett
a6aa24428a s3-libads: Remove unused ads_pull_sids_from_extendeddn()
Found by callcatcher.

Andrew Bartlett
2012-02-23 16:14:19 +11:00
Andrew Bartlett
4a0d1b5ac6 s3-libads: Move to using only the HAVE_KRB5 define
HAVE_KRB5 already implies that GSSAPI is present as well.

Andrew Bartlett
2012-02-13 04:41:05 +01:00
Stefan Metzmacher
4e444f0061 s3:kerberos_verify: ads_dedicated_keytab_verify_ticket() only needs read access
metze
2012-01-20 23:55:52 +01:00
Andrew Bartlett
016fc0af0c krb5: Require krb5_get_host_realm and krb5_free_host_realm be available to build with krb5 2012-01-10 21:50:07 +01:00
Günther Deschner
3583419b98 s3-libads: pretty print a keytab list.
Guenther
2012-01-09 10:34:06 +01:00
Günther Deschner
c3f9e011ed s3-libads: fix malloc/talloc mismatch in ads_keytab_verify_ticket().
Guenther
2012-01-09 10:34:05 +01:00
Andrew Bartlett
27af0ffdf2 s3-libads Use NTLMSSP via auth_generic/gensec
This allows us to use the shared gensec_wrap() implementation already used by the
smb sealing code, as well as making this code more generic.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-06 08:12:49 +01:00
Andrew Bartlett
860ad734ba s3-libads Factor out a new routine kerberos_get_principal_from_service_hostname()
This is now used in the GSE GSSAPI client, so that when we connect to
a target server at the CIFS level, we use the same name to connect
at the DCE/RPC level.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Günther Deschner
bfbb389332 s3-dns: prevent from potentially doing wrong SRV DNS lookups.
With an empty sitename we asked for e.g.
_ldap._tcp.._sites.dc._msdcs.AD.EXAMPLE.COM

Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Dec 21 17:23:25 CET 2011 on sn-devel-104
2011-12-21 17:23:25 +01:00
Volker Lendecke
75d3b9ce08 s3: Fix some False/NULL hickups
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Tue Dec 20 13:13:17 CET 2011 on sn-devel-104
2011-12-20 13:13:17 +01:00
Günther Deschner
8a4c8e3f85 s3-smbldap: move ldap_open_with_timeout out of smb_ldap.h to ads where it lives.
Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Thu Nov 17 03:47:53 CET 2011 on sn-devel-104
2011-11-17 03:47:53 +01:00
Andrew Bartlett
0c6e4adcb2 ntlmssp: Move ntlmssp code to auth/ntlmssp
This brings in the code from both libcli/auth and
source4/auth/ntlmssp.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Volker Lendecke
2a2dd6ff5e s3: Before adding KDC's to the krb5.conf, cldap ping them
Some Kerberos libraries don't do proper failover. This fixes the situation
where a KDC exists in DNS but is not reachable for some reason.

Ported to master by Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Oct 17 11:25:37 CEST 2011 on sn-devel-104
2011-10-17 11:25:36 +02:00
Volker Lendecke
41a0e96724 Add cldap_multi_netlogon_send/recv
Make ads_cldap_netlogon use it. It does not need the fancy multi stuff, but
excercising that code more often is better. And because we have to ask over the
network, the additional load should be neglectable.

Ported to master by Stefan Metzmacher <metze@samba.org>
2011-10-17 09:52:29 +02:00
Stefan Metzmacher
b787b6e1bd libcli/cldap: don't pass tevent_context to cldap_socket_init()
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Oct 10 23:23:07 CEST 2011 on sn-devel-104
2011-10-10 23:23:07 +02:00
Volker Lendecke
94b0f8f7fe s3: Slightly simplify print_kdc_line()
No code change except for an early "return talloc_asprintf(..)" making an else
branch obsolete.

Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Mon Sep 26 18:24:25 CEST 2011 on sn-devel-104
2011-09-26 18:24:25 +02:00
Volker Lendecke
9411b8e49d s3: Slightly simplify print_kdc_line()
No code change except for an early "return talloc_asprintf(..)" making an else
branch obsolete.
2011-09-26 16:48:43 +02:00
Volker Lendecke
01eb3136b6 s3: Slightly simplify print_kdc_line()
No code change except for an early "return talloc_asprintf(..)" making an else
branch obsolete.
2011-09-26 16:48:43 +02:00
Volker Lendecke
507f1fcdcb s3: Add some const to create_local_private_krb5_conf_for_domain
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sun Sep 18 23:31:28 CEST 2011 on sn-devel-104
2011-09-18 23:31:28 +02:00
Volker Lendecke
b126164ece s3: Add some const to print_kdc_line 2011-09-18 22:00:54 +02:00
Jeremy Allison
92a655da86 If "ldap timeout" is non-zero, set the local search timeout to
be one second longer than the remote search timeout (which is
set to the "ldap timeout" value). This allows the remote search
timeout to fire in preference.

Allow lp_ldap_timeout() to be zero. Don't set the any local alarm
if so.
2011-08-19 18:43:51 -07:00
Volker Lendecke
31ee78fea9 s3: Increase a debug level in ads_find_dc
This message can happen with AD trusts that winbind can not cope with. The
message is not really clear and not worth spamming syslog always.
2011-08-17 12:30:08 +02:00
Andrew Bartlett
1231b784a1 s3-ntlmssp Remove auth_ntlmssp_and_flags()
There is no need to mask out these flags as they simply are not set
yet.

The correct abstraction is to ask for NTLMSSP features.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:03 +10:00
Günther Deschner
183835d055 source3/libads/ldap_schema.h: fix licence/copyright
Guenther
2011-06-10 15:12:22 +02:00
Günther Deschner
59e878ff62 source3/libads/cldap.h: fix licence/copyright
Guenther
2011-06-10 15:12:20 +02:00
Günther Deschner
d5c5aa1c5f source3/libads/ads_status.h: fix licence/copyright
Guenther
2011-06-10 15:12:19 +02:00
Günther Deschner
f2d4252dfa source3/libads/ads_ldap_protos.h: fix licence/copyright
Guenther
2011-06-10 15:12:17 +02:00
Andrew Bartlett
74eed8f3ed s3-param Remove special case for global_myname(), rename to lp_netbios_name()
There is no reason this can't be a normal constant string in the
loadparm system, now that we have lp_set_cmdline() to handle overrides
correctly.

Andrew Bartlett
2011-06-09 12:40:09 +02:00
Andrew Bartlett
8d4a8389bb s3-talloc Change TALLOC_MEMDUP() to talloc_memdup()
Using the standard macro makes it easier to move code into common, as
TALLOC_MEMDUP isn't standard talloc.
2011-06-09 12:40:08 +02:00
Andrew Bartlett
5e26e94092 s3-talloc Change TALLOC_ZERO_ARRAY() to talloc_zero_array()
Using the standard macro makes it easier to move code into common, as
TALLOC_ZERO_ARRAY isn't standard talloc.
2011-06-09 12:40:08 +02:00
Andrew Bartlett
ad0a07c531 s3-talloc Change TALLOC_ZERO_P() to talloc_zero()
Using the standard macro makes it easier to move code into common, as
TALLOC_ZERO_P isn't standard talloc.
2011-06-09 12:40:08 +02:00
Andrew Bartlett
d5e6a47f06 s3-talloc Change TALLOC_P() to talloc()
Using the standard macro makes it easier to move code into common, as
TALLOC_P isn't standard talloc.
2011-06-09 12:40:08 +02:00
Andrew Bartlett
3d15137653 s3-talloc Change TALLOC_ARRAY() to talloc_array()
Using the standard macro makes it easier to move code into common, as
TALLOC_ARRAY isn't standard talloc.
2011-06-09 12:40:08 +02:00
Andrew Bartlett
73b377432c s3-talloc Change TALLOC_REALLOC_ARRAY() to talloc_realloc()
Using the standard macro makes it easier to move code into common, as
TALLOC_REALLOC_ARRAY isn't standard talloc.

Andrew Bartlett
2011-06-09 12:40:08 +02:00
Jeremy Allison
e98fb2f2b9 Remove another PATH_MAX.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Jun  2 02:51:06 CEST 2011 on sn-devel-104
2011-06-02 02:51:06 +02:00
Andrew Bartlett
7630e73dac s3-param prepare for some lp_ functions to return const 2011-06-01 04:19:05 +02:00
Michael Adam
72f2bd6a86 s3:libads/ndr: include ../librpc/ndr/libndr.h instead of librpc/ndr/util.h 2011-05-31 12:54:22 +02:00
Michael Adam
4c542015a1 s3:libads/kerberos_proto.h: add _LIBADS_KERBEROS_PROTO_H_ guard 2011-05-31 01:44:27 +02:00
Michael Adam
6bf3228f28 s3:libads/kerberos_proto.h: add GPL/Copyright header 2011-05-31 01:44:27 +02:00
Michael Adam
eb5db22771 s3:libads/ads_proto.h: add _LIBADS_ADS_PROTO_H_ guard 2011-05-31 01:44:27 +02:00
Michael Adam
6e9c055ce2 s3:libads/ads_proto.h: add GPL/Copyright header 2011-05-31 01:44:27 +02:00
Andrew Bartlett
c615ebed6e s3-lib Replace StrCaseCmp() with strcasecmp_m()
strcasecmp_m() never needs to call to talloc, and via next_codepoint()
still has an ASCII fast-path bypassing iconv() calls.

Andrew Bartlett
2011-05-18 16:12:08 +02:00
Günther Deschner
1e208a7057 s3-includes: no need to globally include libads/ads_status.h.
Guenther
2011-05-06 16:37:22 +02:00
Jeremy Allison
f85e095dd2 More simple const fixups. 2011-05-05 23:56:08 +02:00
Jeremy Allison
e131c94ac1 More const fixes for compiler warnings from the waf build. 2011-05-05 23:56:07 +02:00
Günther Deschner
653b84d2d6 s3-libads: run minimal_includes.pl.
Guenther
2011-05-05 02:05:26 +02:00
Andrew Bartlett
5cc7a3a222 s3-libads Move variables into if (socket_wrapper_dir()) where they are used. 2011-04-29 16:38:12 +10:00
Andrew Bartlett
a427652010 s3-libads: Use ldap_init_fd() to connect to AD server in socket_wrapper
This means that we control the connection setup, don't rely on signals
for timeouts and the connection uses socket_wrapper where that is
required in our test environment.

According to bug reports, this method is also used by curl and other
tools, so we are not the first to (ab)use the OpenLDAP libs in this
way.

It is ONLY enabled for socket_wrapper at this time, as this is the
best way to get 'make test' working for S3 winbind tests in an S4
domain.

Andrew Bartlett
2011-04-28 05:30:21 +02:00
Andrew Bartlett
818ec32d0c s3-libads Pass a struct sockaddr_storage to cldap routines
This avoids these routines doing a DNS lookup that has already been
done, and ensures that the emulated DNS lookup isn't thrown away.

Andrew Bartlett
2011-04-28 05:30:20 +02:00
Andrew Bartlett
e130dec97b s3-libsmb Use 'resolv:hosts file' as a DNS emulation when specified.
This allows make test to operate without making real DNS calls.

Andrew Bartlett
2011-04-27 11:40:18 +10:00
Andrew Bartlett
806eef63ba s3-libads Don't start a DEBUG with 'time'
This strange requirement comes from our subunit test harness.

Andrew Bartlett
2011-04-27 11:25:53 +10:00
Andrew Bartlett
ccb62947e9 s3-libads Remove KRB5_DNS_HACK
We have winbindd write a custom krb5.conf or use a kdc locator plugin
to do this properly now.

Andrew Bartlett
2011-04-26 17:16:34 +10:00
Andrew Bartlett
c18954775e libcli/dns Improve dns_hosts_file, using Samba3's struct dns_rr_srv
By reworking the 'fake DNS' file to use struct dns_rr_srv it should be
possible to emulate that resolver layer as well as the Samba4
sockaddr_storage* based layer.  This will then give us a common DNS
emulation for 'make test'.

Andrew Bartlett
2011-04-26 17:16:34 +10:00
Volker Lendecke
f9e3af71d3 s3: Fix Coverity ID 2336, NULL_RETURNS 2011-04-22 10:06:36 +02:00
Andrew Bartlett
f28f5db15a libcli/auth Move PAC parsing and verification in common.
This uses the source3 PAC code (originally from Samba4) with some
small changes to restore functionality needed by the torture tests,
and to have a common API.

Andrew Bartlett
2011-04-20 04:31:07 +02:00
Günther Deschner
6768b65123 s3-waf: try to fix the non-ldap-but-krb5 build.
Guenther
2011-04-15 12:37:55 +02:00
Günther Deschner
9824e2e5ee s3-rpc_client: add and use rpc_client/rpc_client.h.
Guenther
2011-04-13 22:23:59 +02:00
Günther Deschner
a730dff783 s3-libndr: add ../librpc/ndr/libndr.h include in some places.
Guenther
2011-03-31 00:14:01 +02:00
Günther Deschner
49ccae1c20 s3-includes: no point in including all security headers globally.
Guenther
2011-03-30 01:13:07 +02:00
Günther Deschner
0e771263ee s3-includes: only include system/filesys.h when needed.
Guenther
2011-03-30 01:13:07 +02:00
Günther Deschner
2639f0b3ab s3-prototypes: remove protos of some dead functions.
Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Thu Mar 24 00:52:01 CET 2011 on sn-devel-104
2011-03-24 00:52:01 +01:00
Volker Lendecke
8dc93bed09 s3: Fix Coverity ID 770, REVERSE_INULL
We dereference "res" in various places, no point in checking. All current
callers send "res!=NULL".
2011-03-21 15:40:10 +01:00
Günther Deschner
3aa9d3005a s3-build: only include asn1 headers where actually needed.
Guenther
2011-03-16 23:46:18 +01:00
Günther Deschner
fad0112373 s3-build: stop including ldap and lber headers everywhere in the code.
Instead use new header smb_ldap.h where all LDAP API related things are handled,
while smbldap.h only deals with our smbldap_X() API.

Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Mar 16 10:54:51 CET 2011 on sn-devel-104
2011-03-16 10:54:50 +01:00
Volker Lendecke
16b007c223 Quite some callers of sid_split_rid do not care about the rid 2011-03-10 18:48:34 +01:00
Volker Lendecke
32731db56f s3: Fix some nonempty blank lines 2011-02-27 19:27:44 +01:00
Günther Deschner
bc1312303d s3-libads: make ndr_print_ads_auth_flags() static.
Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Fri Feb 25 01:55:26 CET 2011 on sn-devel-104
2011-02-25 01:55:26 +01:00
Andrew Bartlett
0bad0e3ff2 s3-libads Remove MIT-specific krb5_princ_realm macro calls.
When compiled against heimdal, we need to use a more elegant API.

Andrew Bartlett
2011-02-18 17:00:34 +11:00
Günther Deschner
f076c76260 s3-libads: make ads_guess_service_principal static.
Guenther
2011-02-11 12:22:41 +01:00
Günther Deschner
fdd4d56405 s3: give ../librpc/ndr/util.c its own header.
Guenther
2011-02-10 12:58:06 +01:00
Stefan Metzmacher
a34aa148ca s3:libads: use dcerpc_spoolss_X() functions
metze

Signed-off-by: Andreas Schneider <asn@samba.org>
2011-01-21 12:30:22 +01:00
Volker Lendecke
8c6b0b61e5 s3: Fix some nonempty blank lines
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Wed Jan 12 19:04:25 CET 2011 on sn-devel-104
2011-01-12 19:04:24 +01:00
Günther Deschner
3294ccbb6d netlogon: move netlogon helpers to ../libcli/netlogon.
Guenther
2011-01-07 15:02:24 +01:00
Andrew Bartlett
bb7806283e s3-libads Default to NOT using the server-supplied principal from SPNEGO
This principal is not supplied by later versions of windows, and using
it opens up some oportunities for man in the middle attacks.  (Becuase
it isn't the name being contacted that is verified with the KDC).

This adds the option 'client use spnego principal' to the smb.conf (as
used in Samba4) to control this behaivour.  As in Samba4, this
defaults to false.

Against 2008 servers, this will not change behaviour.  Against earlier
servers, it may cause a downgrade to NTLMSSP more often, in
environments where server names are not registered with the KDC as
servicePrincipalName values.

Andrew Bartlett
2010-12-10 16:08:30 +11:00
Volker Lendecke
da75c01762 s3: Remove unused ads_get_attrname_by_oid 2010-11-20 14:42:44 +01:00
Volker Lendecke
d14cf7a50b s3: Make ads_get_attrnames_by_oids static 2010-11-20 14:42:44 +01:00
Volker Lendecke
491fdb24e4 s3: Make ads_ranged_search_internal static 2010-11-20 14:42:44 +01:00
Volker Lendecke
365116ea92 s3: Fix some nonempty blank lines 2010-11-20 14:42:44 +01:00
Volker Lendecke
b3091e0e22 s3: Remove unused ads_search_retry_extended_dn 2010-11-20 14:42:44 +01:00
Volker Lendecke
cdf52d56d5 s3: Make ads_do_search_retry_args() static 2010-11-20 14:42:44 +01:00
Andrew Bartlett
f768b32e37 libcli/security Provide a common, top level libcli/security/security.h
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.

This includes (along with other security headers) dom_sid.h and
security_token.h

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-10-12 05:54:10 +00:00
Jeremy Allison
d8814b1a48 Fix bug 7694 - Crash bug with invalid SPNEGO token.
Found by the CodeNomicon test suites at the SNIA plugfest.

http://www.codenomicon.com/

If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
as we indirect the first returned value OIDs[0], which is returned as NULL.

Jeremy.
2010-09-23 21:44:24 -07:00
Andrew Bartlett
03011bf118 s3-libads call common GUID_from_ndr_blob()
This does a length-limited check, and so avoids reading beyond the
allocated memory if the server sends less than 16 bytes.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-09-20 16:15:11 -07:00
Andrew Bartlett
d7bc452a89 s3: Replace sid_binstring and sid_guidstring with PIDL-based alternatives
This reduces the manual marshalling of these structures by removing
the duplication here.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-09-20 16:15:03 -07:00
Günther Deschner
62544c5d2b s3-build: only include smbldap.h where needed.
Guenther
2010-09-20 13:54:56 -07:00
Jeremy Allison
447d96878a Fix all sid_parse returns to be checked. Tidy up some checks and error
messages.

Jeremy.
2010-09-15 15:40:15 -07:00
Jeremy Allison
718fd39f10 Fox missing SMB_MALLOC return checks noticed by "Andreas Moroder <andreas.moroder@gmx.net>".
Jeremy.
2010-09-09 15:29:03 -07:00
Björn Jacke
5b016dbab8 s3/libads: use monotonic clock for ldap connection timeouts 2010-09-07 20:37:53 +02:00
Björn Jacke
a63822f5d2 s3/libads: use monotonic clock for DNS timeouts 2010-09-07 20:29:13 +02:00
Günther Deschner
bf3912be46 s3-libads: avoid crashing in ads_keytab_list().
Heimdal's krb5_kt_start_seq_get() will leave a non 0 fd in the krb5_kt_cursor
struct when it cannot find a given keytab.

Guenther
2010-08-31 23:17:39 +02:00
Simo Sorce
26e24928b3 s3-krb: Reformat and add doxygen comment to decode_pac_data()
Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-30 14:26:37 +02:00
Simo Sorce
cbe9f879af s3-ads: Fix wrong test in if statement 2010-08-19 11:28:12 -04:00
Simo Sorce
1ab17f13a2 s3-ads: Remove unused wrapper and make function static 2010-08-18 09:37:56 -04:00
Simo Sorce
71dfa62b61 s3-ads: cleanup ads_keytab_list() 2010-08-18 07:47:10 -04:00
Simo Sorce
64d8300a56 s3-ads: cleanup ads_keytab_create_default() 2010-08-18 07:47:10 -04:00
Simo Sorce
3a9912370d s3-ads: cleanup ads_keytab_add_entry() 2010-08-18 07:47:10 -04:00
Simo Sorce
d6d1ed8bdf s3-ads: Split, simplify and cleanup keytab functions
add helper function for both smb_krb5_kt_add_entry_ext() and
ads_keytab_flush()
2010-08-18 07:47:09 -04:00
Simo Sorce
0a89722671 s3-ads: Remove unused function and file 2010-08-17 06:48:56 -04:00
Andrew Bartlett
71d80e6be0 s3-krb5 Only build ADS support if arcfour-hmac-md5 is available
Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult.  This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.

The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time.  We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.

If not found, ADS support will not be compiled in.

This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use
arcfour-hmac-md5.

A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.

Andrew Bartlett

Signed-off-by: Simo Sorce <idra@samba.org>
2010-08-13 09:08:27 -04:00
Günther Deschner
257a1f1097 s3-krb5: include krb5pac.h where needed.
Guenther
2010-08-06 15:43:37 +02:00
Günther Deschner
c136b84f0d s3-secrets: only include secrets.h when needed.
Guenther
2010-08-05 10:12:25 +02:00
Günther Deschner
e7a6a3ec0d s3: avoid global include of ads.h.
Guenther
2010-08-05 00:32:02 +02:00
Günther Deschner
9e0000224a s3-printing: remove unused get_local_printer_publishing_data() call.
Guenther
2010-07-31 00:54:45 +02:00
Günther Deschner
813fbbd68c s3-build: avoid to globally include printing and spoolss headers.
This shrinks precompiled headers by 3MB and will slightly speed up any build.

Guenther
2010-07-31 00:50:31 +02:00
Simo Sorce
28c74564c5 cleanups: Trailing spaces, line length, etc... 2010-07-30 16:34:53 -04:00
Simo Sorce
26f1218a36 s3-libsmb: Use data_blob_talloc to get krb5 ticket and session keys 2010-07-20 20:02:09 -04:00
Jeremy Allison
5002b3a90d Add approriate TALLOC_CTX's thoughout the spnego code. No more implicit NULL contexts.
Jeremy.
2010-07-20 16:17:58 -07:00
Jeremy Allison
cce19c5162 Fix one more data_blob -> data_blob_talloc. Move away from implicit NULL context tallocs.
Jeremy.
2010-07-20 14:59:31 -07:00
Jeremy Allison
4ed9437b7e Add TALLOC_CTX argument to spnego_parse_negTokenInit, reduce
use of malloc, and data_blob().

Jeremy.
2010-07-20 13:35:43 -07:00
Jeremy Allison
7d17bfcf51 Rename spnego_gen_negTokenTarg() -> spnego_gen_krb5_negTokenInit()
as this correctly describes what this function does.

Jeremy.
2010-07-20 11:14:49 -07:00
Jeremy Allison
8a882b645c Remove gen_negTokenTarg(), as it's not actually creating a TokenTarg frame, but a TokenInit one.
Move to using spnego_gen_negTokenInit() instead.

Jeremy
2010-07-20 11:04:19 -07:00
Jeremy Allison
0bb8d133c9 Remove gen_negTokenInit() - change all callers to spnego_gen_negTokenInit().
We now have one function to do this in all calling code. More rationalization
to follow.

Jeremy.
2010-07-19 17:14:26 -07:00
Jeremy Allison
625a511389 Remove parse_negTokenTarg(), as it's actually incorrect. We're processing
negTokenInit's here. Use common code in spnego_parse_negTokenInit().

Jeremy.
2010-07-19 15:41:45 -07:00
Simo Sorce
cdcdaaa6dd s3-ntlmssp: Remove ntlmssp_end and let the talloc hierarchy handle it.
All the members are children of ntlmssp_state anyway.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19 14:19:47 +10:00
Günther Deschner
04641abb33 s3-libads: move ldap posix schema defines to their own header file.
Guenther
2010-07-01 23:20:40 +02:00
Günther Deschner
dff7be8ccb s3-libads: only include libds flags where needed.
Guenther
2010-07-01 23:20:40 +02:00
Günther Deschner
56538be6af s3-libads: move ads_dns out of main includes.
Guenther
2010-07-01 23:20:40 +02:00
Günther Deschner
e64df82146 s3-libads: move ads_status to a separate header file.
Guenther
2010-07-01 23:20:39 +02:00
Günther Deschner
6b25d47fea s3-libads: move ads_protos.h to ads_ldap_protos.h.
Guenther
2010-07-01 23:20:39 +02:00
Günther Deschner
eb634e8c7f s3-libnet_join: small IDL enhancement.
Guenther
2010-07-01 21:19:52 +02:00
Günther Deschner
2f9076ac29 s3-libads: use shared well known guids.
Guenther
2010-07-01 21:17:17 +02:00
Günther Deschner
614e010daa s3: remove authdata.h
Guenther
2010-06-03 11:00:27 +02:00
Günther Deschner
ce85181430 s3: remove rpc_secdes.h completely.
Guenther
2010-06-03 11:00:26 +02:00
Matthieu Patou
57ab910b6f s3: Allow previous password to be stored and use it to check tickets
This patch is to fix bug 7099. It stores the current password in the
 previous password key when the password is changed. It also check the
 user ticket against previous password.

Signed-off-by: Günther Deschner <gd@samba.org>
2010-06-02 14:32:23 +02:00
Andrew Bartlett
d6fa371b92 s3:ntlmssp Use a TALLOC_CTX for ntlmssp_sign_packet() and ntlmssp_seal_packet()
This ensures the results can't be easily left to leak.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-31 15:11:27 +02:00
Andrew Bartlett
ebae21f023 ntlmssp: Make the ntlmssp.h from source3/ a common header
The code is not yet in common, but I hope to fix that soon.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-31 15:10:56 +02:00
Günther Deschner
82e140c045 s3: use shared security defines.
Guenther
2010-05-31 11:53:00 +02:00
Günther Deschner
fbb7814f91 s3: only use netlogon/nbt header when needed.
Guenther
2010-05-31 11:32:37 +02:00
Günther Deschner
6d194756e0 s3-build: use ndr_misc.h where needed.
Guenther
2010-05-28 02:49:36 +02:00
Günther Deschner
ab707cb9b3 s3-printing: fix buildwarning in publishing code after registry changes.
Guenther
2010-05-26 15:14:20 +02:00
Michael Adam
0fe1ff99a1 s3:registry: move reg_objects.h to registry/ and use it only where needed
Every place outside of registry/ where this is used, should probably
be changed to use pure reg_api.c code.
2010-05-25 10:35:31 +02:00
Michael Adam
53ba74ecee s3:libads:use regval_ctr/blob accessor functions in ldap_printer.c 2010-05-25 10:35:29 +02:00
Andrew Bartlett
cba7f8b827 s3:dom_sid Global replace of DOM_SID with struct dom_sid
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 10:39:59 +02:00
Günther Deschner
e4bdb7e00e s3-libads: add ads_set_sasl_wrap_flags().
Guenther
2010-05-20 18:45:59 +02:00
Günther Deschner
cc06133b0a s3-rpc_client: move protos to cli_spoolss.h
Guenther
2010-05-18 21:42:45 +02:00
Günther Deschner
7f6bb48bdf s3-secdesc: remove "typedef struct security_descriptor SEC_DESC".
Guenther
2010-05-18 12:30:12 +02:00
Günther Deschner
8951c8301a s3-secdesc: remove "typedef struct security_acl SEC_ACL".
Guenther
2010-05-18 12:30:12 +02:00
Günther Deschner
a8b01d1f3b s3-secdesc: remove "typedef struct security_ace SEC_ACE".
Guenther
2010-05-18 12:30:11 +02:00
Jelmer Vernooij
b8268cf7b0 s3: Remove use of iconv_convenience. 2010-05-18 11:45:31 +02:00
Günther Deschner
fe31b67d5e s3-registry: only include registry headers when really needed.
Guenther
2010-05-18 01:15:38 +02:00
Günther Deschner
dd5a4e23f8 s3-kerberos: temporary fix for ipv6 in print_kdc_line().
Currently no krb5 lib supports "kdc = ipv6 address" at all, so for now just fill
in just the kdc_name if we have it and let the krb5 lib figure out the
appropriate ipv6 address

ipv6 gurus, please check.

Guenther
2010-05-17 13:18:11 +02:00
Günther Deschner
e3bdff3d67 s3-kerberos: pass down kdc_name to create_local_private_krb5_conf_for_domain().
Guenther
2010-05-17 12:47:50 +02:00
Andrew Bartlett
454b0b3f20 s3:kerberos Return PAC_LOGON_INFO rather than the full PAC_DATA
All the callers just want the PAC_LOGON_INFO, so search for that in
ads_verify_ticket(), and don't bother the callers with the rest of the
PAC.

This change makes sense on it's own (removing boilerplate wrappers
that just confuse the code), but it also makes it much easier to
implement a matching ads_verify_ticket() function in Samba4 for the
s3compat proposal.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-11 22:52:37 +02:00
Jelmer Vernooij
fc336590dc Remove the copy of ldb from Samba 3.
There were two utility functions that other parts of Samba 3
still relied on; they have been moved to lib/ldb_compat.[ch].
2010-05-06 11:34:30 +02:00
Günther Deschner
c6ebab846d s3: only include gen_ndr headers where needed.
This shrinks include/includes.h.gch by the size of 7 MB and reduces build time
as follows:

ccache build w/o patch
real    4m21.529s
ccache build with patch
real    3m6.402s

pch build w/o patch
real    4m26.318s
pch build with patch
real    3m6.932s

Guenther
2010-05-06 00:22:59 +02:00
Volker Lendecke
a7b06f4c0d s3: Fix a memleak in check_pac_checksum 2010-05-04 12:00:13 +02:00
Matthias Dieter Wallnöfer
079897709e s3:libads/ldap.c - fix a build breakage 2010-04-27 20:45:06 +02:00
Stefan Metzmacher
cc2ef27e36 s3:libads: retry with signing after getting LDAP_STRONG_AUTH_REQUIRED
If server requires LDAP signing we're getting LDAP_STRONG_AUTH_REQUIRED,
if "client ldap sasl wrapping = plain", instead of failing we now
autoupgrade to "client ldap sasl wrapping = sign" for the given connection.

metze
2010-03-30 09:53:11 +02:00
Stefan Metzmacher
7d977da925 s3:ntlmssp: pass names and use_ntlmv2 to ntlmssp_client_start() and store them
Inspired by the NTLMSSP merge work by Andrew Bartlett.

metze

Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-24 17:34:55 +01:00
Günther Deschner
8e6dd25391 s3-libads: fix get_remote_printer_publishing_data after spoolss_EnumPrinterDataEx IDL change.
Guenther
2010-03-05 15:18:01 +01:00
Simo Sorce
8492f92843 s3:ads fix dn parsing name was always null
While there also use ldap_exploded_dn instead of ldb_dn_validate()
so we can remove a huge dependency that is hanging there only for one very
minor marginal use.

Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-02 19:03:17 +01:00
Simo Sorce
61b7a24f16 s3 move the sitename cache in its own file 2010-02-23 12:46:26 -05:00
Andreas Schneider
5ad801beb9 s3-libads: Remove obsolete signal type cast. 2010-02-23 12:23:43 +01:00
Andrew Tridgell
8120bc2ba9 s3-lib: use TYPESAFE_QSORT() in remaining s3 library code
the sort_query_replies() in nmblib.c is a TODO. It uses a hack that
treats a char* as a structure. I've left that one alone for now.
2010-02-14 18:44:20 +11:00
Jeremy Allison
687e4eba3c Fix bug #7079 - cliconnect gets realm wrong with trusted domains.
Passing NULL as dest_realm for cli_session_setup_spnego() was
always using our own realm (as for a NetBIOS name). Change this
to look for the mapped realm using krb5_get_host_realm() if
the destination machine name is a DNS name (contains a '.').
Could get fancier with DNS name detection (length, etc.) but
this will do for now.

Jeremy.
2010-01-30 19:24:28 -08:00
Andrew Bartlett
802e9328ed s3:ntlmssp: only include ntlmssp.h where actually needed
Andrew Bartlett
2009-12-22 21:07:53 +01:00
Jim McDonough
265e4dfbb6 s3: bug #6967: Prevent glibc error on net ads join:
talloc()ed memory should not be SAFE_FREE()ed.

Signed-off-by: Jim McDonough <jmcd@samba.org>
2009-12-04 12:43:27 -05:00
Günther Deschner
ae20737066 s3-kerberos: do not include authdata headers before including krb5 headers.
Guenther
2009-11-27 18:31:13 +01:00