mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

49 Commits

Author SHA1 Message Date
Stefan Metzmacher
59bc7cb0df s4:winbind: make clear that we use the global tevent_context
We should avoid using the tevent_context pointer on a
dcecli_connection, it's the same as the global per task one
anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-01-16 16:22:52 +01:00
Andrew Bartlett
2505d48e4f s4-winbindd: Do not terminate a connection that is still pending (bug #9820)
Instead, wait until the call attempts to reply, and let it terminate then

(often this happens in the attempt to then write to the broken pipe).

Andrew Bartlett

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-10 06:57:06 +02:00
Stefan Metzmacher
19daec6a95 s4:winbind: add a netlogon_queue (tevent_queue)
This will protect the netlogon_creds later.

metze
2012-08-25 01:39:41 +02:00
Jeremy Allison
017e0c8d95 Fix simple uses of safe_strcpy -> strlcpy. Easy ones where we just remove -1.
2011-05-04 12:12:13 -07:00
Andrew Bartlett
39bd61e018 s4-winbind Add a proxy method to update DNS records with a read-write DC
This must be done in winbindd as it already has the schannel connection
and the credential chain.  If we re-established that elsewhere, we
would break the chain in winbindd.

Andrew Bartlett

Signed-Off-By: Andrew Tridgell <tridge@samba.org>
2010-09-17 19:02:18 +10:00
Andrew Tridgell
ee61568be6 s4-winbind: use finddcs_cldap() in winbind
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15 15:39:35 +10:00
Andrew Tridgell
94fb6120d8 s4-secrets: fetch secure channel type with domain SID
The secure channel type is needed to work out what DC to connect to

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15 15:39:34 +10:00
Stefan Metzmacher
80f9ad4074 s4:winbind: let WBSRV_SAMBA3_SET_STRING() initialize the whole buffer
We should not send uninitialized bytes to the winbind pipe,
this also makes valgrind very unhappy.

metze
2010-07-10 09:35:03 +02:00
Andrew Bartlett
e11a67de7d s4:winbindd Record the privileged pipe dir
This may help us return an accurate priv pipe dir later on.

Andrew Bartlett
2010-05-18 13:20:30 +10:00
Andrew Bartlett
8da50c8da1 s4:winbindd Rework some winbind structures to make s3compat easier
By making the winbindd_request and winbindd_response structures
pointers, we can more easily integrate with the winbindd from
source3/winbindd

Andrew Bartlett
2010-05-14 23:25:45 +10:00
Stefan Metzmacher
7f6cdad706 s4:winbind: use WINBINDD_SOCKET_NAME instead of WINBINDD_SAMBA3_SOCKET
metze
2010-04-15 09:34:02 +02:00
Stefan Metzmacher
a1cf6a52af s4:winbind: wbsrv_samba3_priv_pipe_dir() needs to return the directory not the pipe path
metze
2010-04-15 09:34:02 +02:00
Matthieu Patou
30baf31411 s4:winbind: implement calls for allowing getent groups
This is to say getgrent and setgrent, and the associated technical objects (states, build directives,...) needed.

Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
2010-03-09 17:20:30 +01:00
Andreas Schneider
fd6a792283 s4-winbind: Migrated winbind connection to tsocket.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2010-01-20 22:46:59 +01:00
Stefan Metzmacher
183c379fe5 s4:lib/tevent: rename structs
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"

for s in $list; do
	o=`echo $s | cut -d ':' -f1`
	n=`echo $s | cut -d ':' -f2`
	r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
	files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
	for f in $files; do
		cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
		mv $f.tmp $f
	done
done

metze
2008-12-29 20:46:40 +01:00
Andrew Bartlett
ba22de3d4f Return the same privileged winbindd socket as we actually use.
Andrew Bartlett
(This used to be commit 2209787812)
2008-09-10 14:08:40 +10:00
Andrew Bartlett
485a6354e5 Fix the wbinfo test on the LDAP backend.
The problem was that we would do a blocking wait for the LDAP server,
which was also blocking on us returning (because we were in single
process mode).

The LDAP connection being made here is useless anyway, and will need
to be an async ldb_connect() before anybody reintroduces it (nobody in
their right mind would program a winbindd backend on pure LDAP, when
the ldb abstraction is available).

Andrew Bartlett
(This used to be commit 23280b2e6e)
2008-06-28 18:10:59 +10:00
Kai Blin
895874d966 idmap: Handle uid->SID mapping
(This used to be commit 6ac6de8476)
2008-02-21 11:21:59 +01:00
Jelmer Vernooij
b83a7a135f r26268: Avoid more use of global_loadparm - put lp_ctx in smb_server and wbsrv_connection.
(This used to be commit 7c00866423)
2007-12-21 05:47:47 +01:00
Stefan Metzmacher
7d554e4104 r25158: rename nsswitch/winbindd_nss.h => nsswitch/winbind_struct_protocol.h
metze
(This used to be commit 1fc3a37902)
2007-10-10 15:06:44 -05:00
Jelmer Vernooij
61ffa08f4c r24712: No longer expose the 'BOOL' data type in any interfaces.
(This used to be commit 1ce32673d9)
2007-10-10 15:02:54 -05:00
Kai Blin
01db94b953 r24575: Implement setpwent
(This used to be commit 9bbbedac99)
2007-10-10 15:02:18 -05:00
Kai Blin
e87a0e5f69 r24157: Merge from kai/samba4-gsoc.git;h=728deba680f8cf85cab168a6278a2cf657f65fdb
Make WBSRV_SAMBA3_SET_STRING use safe_strcpy instead of strncpy.
(This used to be commit 6b92b816fc)
2007-10-10 15:01:28 -05:00
Andrew Bartlett
dc25ec5ce7 r23995: Work to allow mimir's libnet code to be called from winbind.
We now setup a libnet_ctx for each domain.  We should then be able to
replace/merge some more of the winbind code with libnet calls,
referencing domain->libnet_ctx.

Andrew Bartlett
(This used to be commit bad2dc14d7)
2007-10-10 15:01:16 -05:00
Andrew Tridgell
0479a2f1cb r23792: convert Samba4 to GPLv3
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac)
2007-10-10 14:59:12 -05:00
Kai Blin
3fb4bd1c06 r23311: Updating the samba4 winbind protocol to version 18.
nsswitch/winbindd_nss.h is just copied from SAMBA_3_0.
nsswitch/winbind_nss_config.h is copied from SAMBA_3_0, too, but I had to
drop some of the defines to make things build again.

Kai
(This used to be commit 553b7e146f)
2007-10-10 14:53:10 -05:00
Andrew Bartlett
1aaea2d3a7 r23141: Use the finddcs() library call rather than a winbind-specific version.
(I created finddcs() from the winbind code a while back, so this
finishes that work)

Andrew Bartlett
(This used to be commit 218b279a46)
2007-10-10 14:52:56 -05:00
Andrew Bartlett
64df4c7c57 r23133: I felt pity on Kai, as he starts work on winbind in Samba4, so I
decided to clean it up a little.

We now use SPNEGO for authentication if possible, and common routines
shared with the rest of the librpc codebase.  Rather than make a
connection to IPC$, then connect the pipes to it, we instead have the
lsa and samr pipes as 'secondary connections'.

Andrew Bartlett
(This used to be commit 86654056b2)
2007-10-10 14:52:53 -05:00
Stefan Metzmacher
e48ed74f4a r17342: implement a SamLogon via IRPC in samba4's winbind
metze
(This used to be commit c3ce7a0c37)
2007-10-10 14:15:17 -05:00
Jelmer Vernooij
e3f2414cf9 r14380: Reduce the size of structs.h
(This used to be commit 1a16a6f1df)
2007-10-10 13:57:16 -05:00
Andrew Bartlett
b70009649a r13244: Allow control of the location of the Samba3-compatible winbindd pipe
in Samba4.  This allows us to start winbindd by default, including in
'make test'.

This is via a new 'winbindd socket directory' parameter for utilities
linked against loadparm, as well as a --with-winbindd-socket-dir
option to configure (setting the default and the value for simple
clients).

I hope to add basic winbindd tests, to ensure continued correct
operation, but at least now I don't have to manually change my 'server
services' line.

The other problem with the hard-coded /tmp/.winbind is that RedHat has
moved this in Fedora (to /var/run I think).  For this reason, this
functionality should probably be ported to Samba3 as well.

The default for Samba4 is PREFIX/var/run/winbind_pipe.

I have also re-added the paranoia checks from Samba3 for correct
permissions on the socket directory.

Andrew Bartlett
(This used to be commit 8866aa06ff)
2007-10-10 13:51:37 -05:00
Andrew Bartlett
f18194edae r12866: This removes the abstraction layer in winbindd intended to deal with
multiple protocols, replacing it with the packet handling subsystem.

We don't have multiple protocols at present, and the abstraction layer
only serves to confuse matters.  Also, the new packet subsystem removes
the need to handle partial reads.

We can easily add new protocols from the socket up instead, because the
difficult bits are done by the packet layer.

Andrew Bartlett
(This used to be commit acf9dc8fe9)
2007-10-10 13:50:55 -05:00
Jelmer Vernooij
63d718e243 r12696: Reduce the size of include/structs.h
(This used to be commit 6391761601)
2007-10-10 13:49:40 -05:00
Jelmer Vernooij
2cd5ca7d25 r12542: Move some more prototypes out to separate headers
(This used to be commit 0aca5fd513)
2007-10-10 13:47:55 -05:00
Volker Lendecke
69307693dc r11528: Separate finding dcs from initializing a domain. Makes it easier to possibly
support cldap and other stuff in the future.

This temporarily disables wbinfo -t, but that will come back soon.

Try an ldap bind using gss-spnego. This got me krb5 binds against "our" w2k3
and a trusted w2k, although with some memleaks from krb5 and a BAD_OPTION
tgs-rep error.

Volker
(This used to be commit d14948fdf6)
2007-10-10 13:45:49 -05:00
Volker Lendecke
6b6a739eca r11517: Cleanup time, this looks larger than it is. This mainly gets rid of
wb_domain_request, now that we have queued rpc requests.

Volker
(This used to be commit 848522d1b6)
2007-10-10 13:45:47 -05:00
Volker Lendecke
d6e070b74a r11274: Start a connection attempt to the DC's port 389. To do this properly, make
socket_connect and ldap_connect properly async.

Volker
(This used to be commit bcc71fc1de)
2007-10-10 13:45:12 -05:00
Volker Lendecke
0f51ae83f0 r11181: Implement wbinfo -s and wbinfo --user-sids. The patch is so large because
--user-sids required the extension to trusted domains.

Implement "winbind sealed pipes" parameter for debugging purposes.

Volker
(This used to be commit 3821a17bdb)
2007-10-10 13:44:57 -05:00
Volker Lendecke
17355fbbd4 r11094: Connect to SAM, implement getdcname
(This used to be commit a14398715e)
2007-10-10 13:44:48 -05:00
Volker Lendecke
42ececdfae r11093: Implement wb_queue_domain_send: If the domain is not yet initialized, do that
first. And if a request is being processed, queue it. This correctly survived
3 endless loops with wbinfo's doing different things while starting up smbd.

The number of indirections starts to become a bit scary, but what can you do
without a decent programming language that provides closures :-)

One thing that we might consider is to auto-generate async rpc requests that
return composite_context structs instead of rpc_requests. Otherwise I'd have
to write a lot of wrappers like composite_netr_LogonSamLogon_send.

The alternative would be to write two versions of wb_queue_domain_send which I
would like to avoid. This is cluttered enough already.

Volker
(This used to be commit 66c1b674f9)
2007-10-10 13:44:48 -05:00
Volker Lendecke
9e5d44d567 r10852: Continuation-based programming can become a bit spaghetti...
Initialize a domain structure properly. Excerpt from wb_init_domain.c:

/*
 * Initialize a domain:
 *
 * - With schannel credentials, try to open the SMB connection with the machine
 *   creds. Fall back to anonymous.
 *
 * - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
 *   pipe.
 *
 * - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
 *   to schannel and then to anon bind.
 *
 * - With queryinfopolicy, verify that we're talking to the right domain
 *
 * A bit complex, but with all the combinations I think it's the best we can
 * get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
 * have a signed&sealed lsa connection on all of them.
 *
 * Is this overkill? In particular the authenticated SMB connection seems a
 * bit overkill, given that we do schannel for netlogon and ntlmssp for
 * lsa later on w2k3, the others don't do this anyway.
 */

Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.

Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.

Volker
(This used to be commit 3e69fdc07c)
2007-10-10 13:39:36 -05:00
Volker Lendecke
b468ba1386 r10846: Create a "wbsrv_domain", change wb_finddcs to the style of the rest of the
async helpers.

Volker
(This used to be commit 10585ba4e8)
2007-10-10 13:39:35 -05:00
Volker Lendecke
c8cb36f08d r10838: Get us an schannel'ed netlogon pipe.
Abartlet, now I think I need some assistance to implement the pam auth & crap
auth calls.

Volker
(This used to be commit 90a30c8b65)
2007-10-10 13:39:34 -05:00
Volker Lendecke
e0c11738ae r10834: Work in progress on winbind. With some helper routines the composite functions
start to look sane.

Question: What about providing all winbind commands as irpc interfaces that
are called from the samba3 compatibility layer? This way it would be easy for
other samba components to access its functionality. Does that make sense?

Volker
(This used to be commit 2a6b805385)
2007-10-10 13:39:33 -05:00
Volker Lendecke
012893cb42 r10691: This gets half-way to wbinfo -n. It acquires an lsa pipe, and does a
queryinfopolicy. Idea is to get a consistency check between that and our
notion of the domain name and sid, and take the lsa pipe as the holder of the
central smbcli_tree that netlogon and samr use as well.

Volker
(This used to be commit 126c80aefc)
2007-10-10 13:39:19 -05:00
Volker Lendecke
e5c6a3e361 r10683: Samba3's wbinfo -t should give the correct answer now.
Tridge, if you have time, you might want to look at the segfault I was still
seeing. Now I store the handle to the netlogon pipe in the global winbind
state and free it on the next entry into check_machacc. The problem seems to
be that talloc_free()ing a pipe struct from within a callback function on that
pipe is not possible. I think I can live with that, but it has been not really
obvious. To reproduce the segfault you might want to look at putting a
talloc_free(state->getcreds->out.netlogon) into
wbsrv_samba3_check_machacc_receive_creds. This is called from a dcerpc
callback function.

In particular if the check failed it would be nice if I could delete the pipe
directly and not post a different event to some winbind queue.

I tried to delete the pipe from a timed event triggered immediately, but this
also fails because the inner loop seems to hit the same event again, calling
it twice.

Volker
(This used to be commit 5436d77648)
2007-10-10 13:39:18 -05:00
Volker Lendecke
9593101ec1 r10491: First step towards wbinfo -t: This issues a name request for the primary
domain and gets the DC's name via a mailslot call.

Metze, I renamed wbsrv_queue_reply to wbsrv_send_reply in accordance with
irpc_send_reply. Having _queue_ here and _send_ there is a bit confusing. And
as everything is async anyway, the semantics should not be too much of a
problem.

Volker
(This used to be commit 4637964b19)
2007-10-10 13:38:54 -05:00
Stefan Metzmacher
fdeff0fa50 r10434: add a short path to the event context that should be used for async replies
metze
(This used to be commit cc9579d085)
2007-10-10 13:38:45 -05:00
Stefan Metzmacher
bcf0615be5 r10426: - restructure the winbind server code a bit
- remove the echo test stuff
- abstract out the used protocol
- we have a separate handler for the samba3 protocol now
- the backend can easily do async replies
  by setting WBSRV_CALL_FLAGS_REPLY_ASYNC in wbsrv_call
  and then call wbsrv_queue_reply() later

metze
(This used to be commit 32f3e68a56)
2007-10-10 13:38:44 -05:00