1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Commit Graph

212 Commits

Author SHA1 Message Date
Volker Lendecke
5b87e915dc winbind: Pass up args from winbind_samlogon_retry_loop
In particular "authoritative" is useful at the top level

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Volker Lendecke
00c25a5080 cli_netlogon: Add return parms to rpccli_netlogon_password_logon
Just for symmetry with rpccli_netlogon_network_logon()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Volker Lendecke
57b3b12229 winbind: Fix a debug message
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Mar  6 23:18:46 CET 2017 on sn-devel-144
2017-03-06 23:18:45 +01:00
Volker Lendecke
a55bd7e424 lib: Add samlogon_cache.h
Move prototypes into its own header file

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-02 09:36:08 +01:00
Christof Schmitt
b69dce5895 winbindd: Replace calls to domain->methods
domain->methods is always set to cache_methods; call those functions
directly instead of going through the indirection.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-10-11 20:15:25 +02:00
Jeremy Allison
1017b22f68 s3: winbind: Trust name2sid mappings from the PAC.
Don't refresh sequence number in parent as the
mapping comes from a trusted DC.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-09-29 22:17:20 +02:00
Jeremy Allison
cf0f28819e s3: winbind: Make WBC_AUTH_USER_LEVEL_PAC prime the name2sid cache.
In addition to priming the netsamlogon cache.

This prevents a winbind AD-DC lookup for something
the PAC already told us.

Note we only do this in the case where the PAC successfully
passed signature verification.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-09-28 19:02:26 +02:00
Aurelien Aptel
f13d07e459 s3/winbindd: use == -1 instead of < 0 for error checking uid_t
The sign of the uid_t type is left unspecified by POSIX. It's defined as
an unsigned 32b int on Linux, therefore the < 0 check is always
false.

For unsigned version of uid_t, "uid == -1" will implicitely cast -1 to
unsigned making it a valid test for both signed and unsigned version of
uid_t.

This commit makes the cast to (uid_t) explicit anyway.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Jul  1 05:22:36 CEST 2016 on sn-devel-144
2016-07-01 05:22:36 +02:00
Stefan Metzmacher
f9989f2142 s3:winbindd: pass 'interactive' down through winbindd_dual_auth_passdb()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Mathieu Parent
c315fce17e Fix various spelling errors
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov  6 13:43:45 CET 2015 on sn-devel-104
2015-11-06 13:43:45 +01:00
Noel Power
e8fab02773 s3: winbind: Prevent null ptr access by returning error if no creds available
Prevent rpccli_netlogon_network_logon/rpccli_netlogon_password_logon
being called with 'NULL' credentials

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11569

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-11-04 22:15:24 +01:00
Richard Sharpe
b95b2be845 A small improvement to the DEBUG message when pass-through authentication
fails with ACCESS_DENIED. Increased it to log level 1 so it will print out
and pointed to Restrict NTLM as the setting so people know what to look for.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Richard Sharpe <sharpe@samba.org>
Autobuild-Date(master): Sun Oct 11 06:28:05 CEST 2015 on sn-devel-104
2015-10-11 06:28:05 +02:00
Stefan Metzmacher
fb63fd1dc4 s3:winbindd: remove unused argument 'server' from winbind_samlogon_retry_loop()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-06-24 19:33:23 +02:00
Jeremy Allison
4c5fefe072 winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 11 07:30:38 CEST 2015 on sn-devel-104
2015-06-11 07:30:36 +02:00
Noel Power
efadcb3121 kerberos auth info3 should contain resource group ids available from pac_logon
successful pam auth (e.g. from ssh) will cache group sids (but not any
resource group sids)) The subsequent cached entry used for groups lookups
can be missing those resource groups

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-11 04:42:10 +02:00
Richard Sharpe
57303c30b2 Change all uint32/16/8 to 32_t/16_t/8_t in winbindd.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-04-29 23:42:20 +02:00
Stefan Metzmacher
111269d484 s3:winbindd: make use of talloc_string_sub2() in generate_krb5_ccache()
This way we don't pass a given format string to talloc_asprintf().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-25 07:25:45 +01:00
Andrew Bartlett
91d6f603b1 s3-winbindd: Pass the whole winbindd_domain to invalidate_cm_connection()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-08 01:09:50 +02:00
Andrew Bartlett
a3ecad4237 idl: Merge NETR_TRUST and LSA_TRUST definitions into one set only in lsa.idl
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-27 01:35:36 +02:00
Günther Deschner
1839417bcc s3-winbindd: use wcache_query_user_fullname after inspecting samlogon cache.
The reason for this followup query is that very often the samlogon cache only
contains a info3 netlogon user structure that has been retrieved during a
netlogon samlogon authentication using "network" logon level. With that logon
level only a few info3 fields are filled in; the user's fullname is never filled
in that case. This is problematic when the cache is used to fill in the user's
gecos field (for NSS queries). When we have retrieved the user's fullname during
other queries, reuse it from the other caches.

Thanks to Matt Rogers <mrogers@redhat.com>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440

Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-07-15 16:00:40 +02:00
Günther Deschner
c735823f68 s3-winbindd: call interactive samlogon via rpccli_netlogon_password_logon.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-07-15 16:00:40 +02:00
Andrew Bartlett
af7f88721a winbindd: Use a remote RPC server when we are an RODC when needed
This allows us to operate against the local cache where possible, but
to forward some operations to the read-write DC.

Andrew Bartlett

Change-Id: Idc78ae379a402969381758919fcede17568f094e
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Andrew Bartlett
0b77cd969c s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
This changes the auth code in winbindd to use this as a flag, and to
therefore contact the RW DC.

Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Jeremy Allison
e907f84156 s3: auth: Fix winbindd_pam_auth_pac_send() to create a new info3 and merge in resource groups from a trusted PAC.
Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104
2014-06-18 03:30:35 +02:00
Andrew Bartlett
ba4467ca65 s3-winbindd: Implement SamLogon IRPC call
We do this by lifting parts of the winbindd_dual_pam_auth_crap() code
into a new helper function winbind_dual_SamLogon().  This allows us to
implement the semantics we need for IRPC, without the artifacts of the
winbindd pipe protocol.

Change-Id: Idb169217e6d68d387c99765d0af7ed394cb5b93a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 11 12:43:58 CEST 2014 on sn-devel-104
2014-06-11 12:43:58 +02:00
Andrew Bartlett
597d2a7a29 auth: Provide a way to use the auth stack for winbindd authentication
This adds in flags that allow winbindd to request authentication
without directly calling into the auth_sam module.

That in turn will allow winbindd to call auth_samba4 and so permit
winbindd operation in the AD DC.

Andrew Bartlett

Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Christian Ambach
89961ca297 s3:lib/afs move afs.c to common lib dir
some of the code in afs.c is needed by wbinfo that lives in the toplevel
nsswitch directory, so move the afs.c file to a new top-level lib/afs
directory. Use the name afs_funcs to avoid collisions with the afs.h
header from OpenAFS

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-06-04 20:09:38 +02:00
Andrew Bartlett
4d50c75159 s3-auth: Finally change make_user_info_*() use a parent talloc context
Change-Id: Iedf516e8c24e0d18064aeedd8e287ed692d3c5b4
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2014-04-02 11:05:46 +02:00
Günther Deschner
a8c2807a26 s3-kerberos: let kerberos_return_pac() return a PAC container.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-12 10:13:20 +01:00
Günther Deschner
1270e35ba7 s3-kerberos: return a full PAC in kerberos_return_pac().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-12 10:13:20 +01:00
Günther Deschner
932490ae08 s3-libads: pass down local_service to kerberos_return_pac().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-12 10:13:19 +01:00
Stefan Metzmacher
a34c837fdb s3:winbindd: make use of rpccli_netlogon_network_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:15 +01:00
Stefan Metzmacher
38d4dba374 s3:rpc_client: make use of the new netlogon_creds_cli_context
This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
and lets the secure channel session state be stored in node local database.

This is the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:06 +01:00
Andreas Schneider
eae5373cfb s3-winbind: Add support for the kernel krb5 keyring buffer.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2013-09-10 13:48:22 +02:00
Andreas Schneider
13094dc8f6 s3-winbind: Don't set a default directory for DIR.
There is not default so you should always have to specify a directory in
the config file.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2013-09-10 13:48:22 +02:00
Günther Deschner
7ad3a367d5 s3-winbindd: support the DIR pragma for raw kerberos user pam authentication.
It is currently only available in MIT. In addition, allow to define custom
filepaths for FILE, WRFILE and DIR pragmas and substitute one occurence of the
%u pattern.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-07-23 15:39:29 -07:00
Andreas Schneider
0529b59fbe s3-winbind: Do not delete an existing valid credential cache.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9994

Thanks to David Woodhouse <dwmw2@infradead.org>.

Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 15 12:48:46 CEST 2013 on sn-devel-104
2013-07-15 12:48:46 +02:00
Andreas Schneider
659dd65f8f winbind: Correctly use names in the domain struct.
Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-03-05 23:29:29 +01:00
Andreas Schneider
3b01dd5f59 s3:winbind: BUG 9386: Failover if netlogon pipe is not available.
Samba continues to query a broken DC while the DC did not finish to
rebuild Sysvol (after a Windows crash, for example). It causes end users
to received strange codes while trying to authenticate, even if there is
a secondary DC available.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Nov 12 18:57:18 CET 2012 on sn-devel-104
2012-11-12 18:57:18 +01:00
Christof Schmitt
1bc2f28b94 winbind: Extend wbcAuthenticateUserEx to provide PAC
With this new interface, external applications that have authenticated
to an ADS can pass the PAC from the Kerberos ticket to
wbcAuthenticateUserEx. winbindd decodes and extracts the info3
information for the external application. If winbindd can verify the PAC
signature, the info3 from the PACis also added to the netsamlogon_cache.

The info3 data can be used by the external application to get the uid
and primary gid. The data in netsamlogon_cache allows to retrieve the
complete group list through the NSS function getgrouplist.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-09-20 19:49:32 -07:00
Jeremy Allison
c84e6aebc2 Fix bug #9098 - winbind does not refresh kerberos tickets.
Based on work from Ian Gordon <ian.gordon@strath.ac.uk>.

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug 21 22:01:15 CEST 2012 on sn-devel-104
2012-08-21 22:01:15 +02:00
Jeremy Allison
b70f23c2b5 Correctly check for errors in strlower_m() returns. 2012-08-09 12:08:18 -07:00
Jeremy Allison
526e875cec Check error returns from strupper_m() (in all reasonable places). 2012-08-09 12:06:54 -07:00
Andreas Schneider
a256d61c50 s3-winbind: Fix bug #9052 resolving our own "Domain Local" groups.
We don't resolve our own "Domain Local" groups since bug #7843 has been
fixed. So we need to add the add resource groups to the sid list too.

Before bug #7843 the "Domain Local" groups were added with a
lookupuseraliases call, but this isn't done anymore for our domain
so we need to resolve resource groups here.

When to use Resource Groups:
http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx

Signed-off-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jul 23 22:12:30 CEST 2012 on sn-devel-104
2012-07-23 22:12:29 +02:00
Rusty Russell
aa2e02e684 source3/winbindd/winbindd_pam.c: fix stackframe leak
check_info3_in_group() doesn't always free its stackframe.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18 05:08:31 +09:30
Volker Lendecke
3f18316358 s3: Fix Coverity ID 2727 to 2740 -- UNINIT 2012-04-19 20:52:27 +02:00
Andrew Bartlett
0902392413 s3-winbindd Only use SamLogonEx when we can get unencrypted session keys
This ensures that we have some check on the session keys being returned
as the RC4 cipher is not checksumed.

The check comes from the fact that the credentials chain is tied to
the session key, and so if the credentials check passes then the
netlogon session key will be correct, and so the user session key
will be correctly decrypted.

Andrew Bartlett

Signed-off-by: Jeremy Allison <jra@samba.org>

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Mon Mar 19 21:31:46 CET 2012 on sn-devel-104
2012-03-19 21:31:46 +01:00
Matthieu Patou
5ebbd46b4a s3-winbindd: Close netlogon connection if the status returned by the NetrSamLogonEx call is timeout in the pam_auth_crap path
If not the child process would hang for quite a long time up to the
moment when the connection is cleaned by the kernel (took ~ 20 minutes)
in my tests.

Signed-off-by: Jeremy Allison <jra@samba.org>

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Mon Feb 27 23:10:03 CET 2012 on sn-devel-104
2012-02-27 23:10:03 +01:00
Andrew Bartlett
3ebd79a6d0 s3-winbindd: pass logon parmeters down to check_sam_security()
This allows ntlm_auth --diagnostics to work against the local DC, just
as it works against a member server.

Andrew Bartlett
2012-02-20 10:50:47 +11:00
Matthieu Patou
56d5cb9386 s3-winbind: don't try to do clever thing if the username is not found while authenticating through winbind
This could cause that we authenticate a user with a bogus domain to
winbind's domain if the password supplied for the PAM_AUTH match.

The problem was reported by Jeff Venable (jvenable@juniper.net).
Patch from Andrew Bartlett (abartlett@samba.org).

Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Mon Jan 30 18:58:12 CET 2012 on sn-devel-104
2012-01-30 18:58:12 +01:00