sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-24 02:04:21 +03:00
Code
121,185 Commits 60 Branches 1,146 Tags
Commit Graph

1289 Commits

Author SHA1 Message Date
Björn Baumbach
e45e0912d9 s3-libads: use dns name to open a ldap session 
Required for working certificate verification.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>

Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Thu Mar  5 12:29:26 UTC 2020 on sn-devel-184
 2020-03-05 12:29:26 +00:00
Stefan Metzmacher
c403fa1a7f krb5_wrap: move source3/libads/krb5_errs.c to lib/krb5_wrap/krb5_errs.c 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2020-02-10 16:32:37 +00:00
Stefan Metzmacher
240e5cf325 s3:libads: prefer ENCTYPE_AES256_CTS_HMAC_SHA1_96 in ads_keytab_add_entry() 
This is currently not critical as we only use keytabs
only as acceptor, but in future we'll also use them
for kinit() and there we should prefer the newest type.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2020-02-10 16:32:37 +00:00
Stefan Metzmacher
fd2ca9d26d s3:libads: make use auth4_context_{for,get}_PAC_DATA_CTR() in kerberos_return_pac() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2020-02-10 16:32:36 +00:00
Stefan Metzmacher
f8e7c3d382 auth/kerberos: add auth4_context_{for,get}_PAC_DATA_CTR() helpers 
This adds a generic way to get to the raw (verified) PAC
and will be used in multiple places in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2020-02-10 16:32:36 +00:00
Isaac Boukris
80f1901de0 kerberos_keytab: do not add single DES keys to keytab 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2019-11-19 14:48:41 +00:00
Jones Syue
a58c93318d s3:libads: Fix mem leak in ads_create_machine_acct 
Use 'goto done' instead of 'return' to fix machine_escaped leak.

Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov  4 22:48:50 UTC 2019 on sn-devel-184
 2019-11-04 22:48:50 +00:00
Andreas Schneider
123584294c s3:libads: Do not turn on canonicalization flag for MIT Kerberos 
This partially reverts 303b7e59a286896888ee2473995fc50bb2b5ce5e.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155

Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Oct 12 17:39:13 UTC 2019 on sn-devel-184
 2019-10-12 17:39:13 +00:00
Andreas Schneider
14f320fa1e s3:libads: Just change the machine password if account already exists 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2019-10-09 07:06:35 +00:00
Andreas Schneider
ce77629350 s3:libads: Fix creating machine account using LDAP 
This implements the same behaviour as Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2019-10-09 07:06:35 +00:00
Andreas Schneider
b755a64380 s3:libads: Don't set supported encryption types during account creation 
This is already handled by libnet_join_post_processing_ads_modify()
which calls libnet_join_set_etypes() if encrytion types should be set.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2019-10-09 07:06:35 +00:00
Andreas Schneider
4f389c1f78 s3:libads: Fix detection if acount already exists in ads_find_machine_count() 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2019-10-09 07:06:35 +00:00
Andreas Schneider
35f3e4aed1 s3:libads: Use a talloc_asprintf in ads_find_machine_acct() 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2019-10-09 07:06:35 +00:00
Andreas Schneider
8ed993789f s3:libads: Cleanup error code paths in ads_create_machine_acct() 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2019-10-09 07:06:35 +00:00
Andreas Schneider
b84abb3a46 s3:libnet: Require sealed LDAP SASL connections for joining 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2019-10-09 07:06:35 +00:00
Andreas Schneider
456322a613 s3:libads: Use ldap_add_ext_s() in ads_gen_add() 
ldap_add_s() is marked as deprecated.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2019-10-09 07:06:35 +00:00
Noel Power
32d487d074 s3/libads: clang: Fix 'Value stored during its initialization is never read' 
Fixes:

source3/libads/ldap.c:370:11: warning: Value stored to 'status' during its initialization is never read <--[clang]
        NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
                 ^~~~~~   ~~~~~~~~~~~~~~~~~~~~~~
source3/libads/ldap.c:417:11: warning: Value stored to 'status' during its initialization is never read <--[clang]
        NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
                 ^~~~~~   ~~~~~~~~~~~~~~~~~~~~~~
source3/libads/ldap.c:1783:13: warning: Value stored to 'ret' during its initialization is never read <--[clang]
        ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
                   ^~~   ~~~~~~~~~~~~~~~~~~~~~~~
source3/libads/ldap.c:1862:13: warning: Value stored to 'ret' during its initialization is never read <--[clang]
        ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
                   ^~~   ~~~~~~~~~~~~~~~~~~~~~~~
4 warnings generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2019-09-26 18:41:27 +00:00
Noel Power
eb3ba3eeaa s3/libads: clang: Fix 'Value stored during initialization is never read' 
Fixes:

source3/libads/ldap_utils.c:52:13: warning: Value stored to 'status' during its initialization is never read <--[clang]
        ADS_STATUS status = ADS_SUCCESS;
                   ^~~~~~   ~~~~~~~~~~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2019-09-26 18:41:27 +00:00
Noel Power
35e0122e7c s3/libads: clang: Fix 'Value stored to 'nt_status' is never read' 
Fixes:

source3/libads/sasl.c:219:2: warning: Value stored to 'nt_status' is never read <--[clang]
        nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
        ^           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2019-09-26 18:41:27 +00:00
Noel Power
40ddcf7bdc s3/libads: clang: Fix Array access results in a null pointer dereference 
Fixes:

source3/libads/cldap.c:400:6: warning: Array access (from variable 'responses') results in a null pointer dereference <--[clang]
        if (responses[0] == NULL) {
            ^
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2019-09-25 09:47:32 +00:00
Stefan Metzmacher
303b7e59a2 s3:libads: ads_krb5_chg_password() should always use the canonicalized principal 
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.

There's no reason to have a different logic between MIT and Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2019-09-24 18:30:37 +00:00
Stefan Metzmacher
0bced73bed s3:libads/kerberos: always use the canonicalized principal after kinit 
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.

There's no reason to have a different logic between MIT and Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2019-09-24 18:30:37 +00:00
Stefan Metzmacher
bc473e5cf0 s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2019-09-24 18:30:37 +00:00
Günther Deschner
8251203456 s3-libads: adapt to coding standards, no code changes 
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep 19 20:48:45 UTC 2019 on sn-devel-184
 2019-09-19 20:48:45 +00:00
Evgeny Sinelnikov
ad4ef1657e s3:ldap: Fix join with don't exists machine account 
Add check for requested replies of existing machine object during join
machine to domain. This solves regression fail during join with error:
"None of the information to be translated has been translated."

https://bugzilla.samba.org/show_bug.cgi?id=14007

Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Sep  4 17:02:37 UTC 2019 on sn-devel-184
 2019-09-04 17:02:37 +00:00
Mathieu Parent
4449f5d1b8 Spelling fixes s/convertion/conversion/ 
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
 2019-09-01 22:21:26 +00:00
Noel Power
52d20087f6 s3/libads: clang: Fix Value stored to 'canon_princ' is never read 
Fixes:

source3/libads/kerberos.c:192:2: warning: Value stored to 'canon_princ' is never read <--[clang]
        canon_princ = me;
        ^             ~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
 2019-08-28 01:47:40 +00:00
Noel Power
f5af3cb21e s3/libads: cppcheck fix error: shiftTooManyBitsSigned: error 
Squash 'Shifting signed 32-bit value by 31 bits is undefined behaviour'
error

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2019-05-29 10:10:23 +00:00
Guenther Deschner
2044ca0e20 s3:ldap: Leave add machine code early for pre-existing accounts 
This avoids numerous LDAP constraint violation errors when we try to
re-precreate an already existing machine account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2019-04-02 01:12:10 +00:00
Andreas Schneider
c016afc832 s3:libads: Make sure we can lookup KDCs which are not configured 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2019-04-02 01:12:10 +00:00
Andreas Schneider
40669e3739 s3:libads: Print more information when LDAP fails 
Currently we just get an error but don't know what exactly we tried to
do in 'net ads join -d10'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2019-04-02 01:12:09 +00:00
Volker Lendecke
d7de2f7748 lib: Remove "struct sid_parse_ret" again 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2019-03-12 00:42:19 +00:00
Volker Lendecke
e18610a197 lib: Make sid_parse return the parsed length 
Use a temporary struct as a return value to make the compiler catch all
callers. If we just changed bool->ssize_t, this would just generate a
warning. struct sid_parse_ret will go away in the next commit

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2019-03-12 00:42:19 +00:00
Volker Lendecke
f5cd535bf2 libads: Align integer types 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2019-02-27 01:35:18 +01:00
Volker Lendecke
258d7d1ca9 libads: Use dom_sid_str_buf 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2019-02-27 01:35:18 +01:00
Stefan Metzmacher
48815cc16a s3:libads: do an early return if we don't have a password for ads_kinit_password() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2018-12-23 18:15:19 +01:00
Volker Lendecke
1d5c00a34d libads: Use dom_sid_str_buf 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
 2018-12-20 23:40:24 +01:00
Swen Schillig
3df7789e4b libads: Add kerberos tracing 
Replace kerberos context initialization from
raw krb5_init_context() to smb_krb5_init_context_basic()
which is adding common tracing as well.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
 2018-12-19 21:49:29 +01:00
Volker Lendecke
12f3a37a1a libads: Use dom_sid_str_buf 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2018-12-11 00:40:31 +01:00
Andreas Schneider
3f3cc42b51 s3:libads: Use #ifdef instead of #if for config.h definitions 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
 2018-11-28 23:19:23 +01:00
Volker Lendecke
a167014554 krb5_wrap: Add a talloc_ctx to smb_krb5_principal_get_realm() 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2018-11-28 17:44:15 +01:00
Volker Lendecke
f2e939b65b libads: Give krb5_errs.c its own header 
The protos were declared in lib/krb5_wrap but the functions are not
available there.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2018-11-27 07:13:14 +01:00
Volker Lendecke
baacc70394 libads: Align integer types 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Nov 23 20:23:57 CET 2018 on sn-devel-144
 2018-11-23 20:23:57 +01:00
Volker Lendecke
d629c67dd3 libads: Use dom_sid_string_buf 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2018-11-23 17:14:08 +01:00
Swen Schillig
7f902798a7 s3: Free principal if smb_krb5_principal_get_realm() fails 
If smb_krb5_principal_get_realm() fails, procesing is aborted and
resources have to be free'd. In this context free'ing the principal
was missing.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
 2018-11-22 08:22:18 +01:00
Swen Schillig
02514427db libads: set proper ads_keytab_flush() return code on error 
The return code was left on success when the calls to
ads_get_machine_kvno() or ads_clear_service_principal_names()
failed and the processing had to be aborted.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
 2018-11-22 08:22:18 +01:00
Volker Lendecke
5b2c3f2f42 lib: Remove gencache.h from proto.h 
It's a pain to recompile the world if gencache.h changes

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Oct 19 18:52:50 CEST 2018 on sn-devel-144
 2018-10-19 18:52:50 +02:00
Volker Lendecke
fb81fb2d93 libads: Simplify parse_spn() 
A few lines less and quite some bytes less .text

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Aug 22 03:59:51 CEST 2018 on sn-devel-144
 2018-08-22 03:59:51 +02:00
Volker Lendecke
75ced0d155 libads: Fix an error path talloc leak 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2018-08-22 00:58:41 +02:00
Volker Lendecke
f986a73b24 lib: Pass mem_ctx to lock_path() 
Fix a confusing API: Many places TALLOC_FREE the path where it's not
clear you have to do it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2018-08-17 11:30:10 +02:00