1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

348 Commits

Author SHA1 Message Date
Gary Lockyer
fe6e7ce2a2 rpc_server lsa: pass remote connection data
Ensure that the session details of the requesting user are available to
the audit logging module for the CreateSecret and OpenSecret operations.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-31 09:54:18 +02:00
Stefan Metzmacher
9a513304ad s4:lsa_lookup: remove TALLOC_FREE(state) after all dcesrv_lsa_Lookup{Names,Sids}_base_map() calls
This completes the regression fix of commit 7e091e5051.

There might be strings allocated on state, which are part of the
result.

The reason for the TALLOC_FREE(state) was to cleanup the possible
irpc_handle before leaving the function. Now we call
TALLOC_FREE(state->wb.irpc_handle) explicitly in
dcesrv_lsa_Lookup{Names,Sids}_base_done() instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13420

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun May 13 10:27:28 CEST 2018 on sn-devel-144
2018-05-13 10:27:28 +02:00
Gary Lockyer
5c0345ea9b samdb: Add remote address to connect
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:23 +02:00
Andrew Bartlett
7e091e5051 s4-lsa: Fix use-after-free in LSA server
This is a regression introduced in ab7988aa2f.

The state variable contains the data to be returned to the client
and packed into NDR after the function returned.

This memory needs to be kept (on mem_ctx as parent) until that is
pushed and freed by the caller.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13420

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2018-05-03 08:17:44 +02:00
Volker Lendecke
dd370f8a51 lsasrv: Fix CID 241332 Self assignment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-04-04 00:44:22 +02:00
Volker Lendecke
ab6228c342 lsasrv: Fix CID 241331 Self assignment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-04-04 00:44:22 +02:00
Volker Lendecke
9ecc6f3b52 lsa_server: Fix CID 1433608 Dereference after null check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-03-29 00:21:52 +02:00
Stefan Metzmacher
c9c6fa45c4 s4:rpc_server/lsa: make use of dom_sid_is_valid_account_domain()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:52 +01:00
Stefan Metzmacher
e9d5b8b6b4 s4:rpc_server/lsa: implement forwarding lsa_Lookup{Sids,Names}() requests to winbindd
This might not be perfect yet, but it's enough to allow names from trusted
forests/domain to be resolved, which is very important for samba based
domain members.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:19 +01:00
Stefan Metzmacher
3801c417db s4:rpc_server/lsa: rewrite lookup sids/names code to honor the given lookup level
[MS-LSAT] 2.2.16 LSAP_LOOKUP_LEVEL defines the which views each level should
consult.

Up to now we support some wellknown sids, the builtin domain and our
account domain, but all levels query all views.

This commit implements 3 views (predefined, builtin, account domain)
+ a dummy winbind view (which will later be used to implement the
gc, forest and trust views)..

Depending on the level we select the required views.

This might not be perfect in all details, but it's enough
to pass all existing tests, which already revealed bugs
during the development of this patch.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:19 +01:00
Stefan Metzmacher
9b6a0b1a63 s4:rpc_server/lsa: prepare dcesrv_lsa_LookupNames* for async processing
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
ab7988aa2f s4:rpc_server/lsa: prepare dcesrv_lsa_LookupSids* for async processing
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
e6c9984bd5 s4:rpc_server/lsa: base dcesrv_lsa_LookupNames2() on dcesrv_lsa_LookupNames_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
37cb34d164 s4:rpc_server/lsa: base dcesrv_lsa_LookupNames() on dcesrv_lsa_LookupNames_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
ec55c18ced s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupNames2()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
c78c17dc2f s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupSids2()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
c0f6103dde s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupSids_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
7c1c9bf53f s4:rpc_server/lsa: simplify [ref] pointer handling in dcesrv_lsa_LookupNames()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
5d868fd875 s4:rpc_server/lsa: simplify [ref] pointer handling in dcesrv_lsa_LookupSids()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
e8a0223633 s4:rpc_server/lsa: remove unused 'status' variable in dcesrv_lsa_LookupSids_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
fe43dd8678 s4:rpc_server/lsa: make sure dcesrv_lsa_LookupNames2() gets prepared [ref] pointers
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
3339a1c572 s4:rpc_server/lsa: expect prepared [ref] pointers in dcesrv_lsa_LookupNames_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
f6e60d2c2e s4:rpc_server/lsa: make sure dcesrv_lsa_LookupSids_common() gets prepared [ref] pointers
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
3909f8fcfe s4:rpc_server/lsa: use LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES/LSA_CLIENT_REVISION_1 in compat code
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Ralph Boehme
6151909c82 s4/rpc_server: trigger trusts reload in winbindd after successfull trust info acquisition
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-10 08:35:16 +01:00
Ralph Boehme
9f96ede6f5 winbindd: rename MSG_WINBIND_NEW_TRUSTED_DOMAIN to MSG_WINBIND_RELOAD_TRUSTED_DOMAINS
This reflects the new implementation in winbindd.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-10 08:35:16 +01:00
Ralph Boehme
ffa9eb7d64 s4/rpc_server: remove unused data argument from MSG_WINBIND_NEW_TRUSTED_DOMAIN
winbindd doesn't use that data anymore.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-10 08:35:16 +01:00
David Mulder
e60f49783e gpo: Apply kerberos settings
Add kdc kerberos settings to gpo.tdb, then retrieve those settings in
lpcfg_default_kdc_policy.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
Stefan Metzmacher
f0541309d7 s4:dsdb/samdb: pass an existing 'struct ldb_context' to crack_name_to_nt4_name()
There's no point in creating a temporary ldb_context as
all direct callers already have a valid struct ldb_context for
the local sam.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-26 08:47:15 +02:00
Volker Lendecke
277eac1a8e lsa4_srv: Factor out dcesrc_lsa_valid_AccountRight()
The previous code in dcesrv_lsa_AddRemoveAccountRights had the following snippet:

if (sec_privilege_id(rights->names[i].string) == SEC_PRIV_INVALID) {
        if (sec_right_bit(rights->names[i].string) == 0) {
                talloc_free(msg);
                return NT_STATUS_NO_SUCH_PRIVILEGE;
        }
        talloc_free(msg);
        return NT_STATUS_NO_SUCH_PRIVILEGE;
}

If I'm not mistaken, the inner if-statement is essentially dead code,
as regardless of the outcome of the if-condition we execute the same
code. The effect of this is that you can't "net rpc rights grant" a right,
for example SeInteractiveLogonRight. A quick test against a W2k12 server
shows that W2k12 allows this call.

This patch changes the semantics of dcesrv_lsa_AddRemoveAccountRights
to also allow "rights" to be granted and revoked. At the same
time, it centralizes the check for validity of user input from
dcesrv_lsa_EnumAccountsWithUserRight into dcesrc_lsa_valid_AccountRight
too.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 29 09:20:02 CEST 2017 on sn-devel-144
2017-04-29 09:20:02 +02:00
Jeremy Allison
306783d6f5 lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
Not currently used - no logic changes inside.

This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.

Updated all known module interface numbers, and added a
WHATSNEW.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
2017-04-22 01:17:00 +02:00
Andrew Bartlett
31d625bcd2 s4-rpc_server: Add back support for lsa over \\pipe\\netlogon optionally
The idea here is that perhaps some real client relies on this (and not just Samba torture
commands), so we need a way to support it for the 4.6 release.

If no such client emerges, it can be deprecated and removed in the normal way.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-15 08:21:12 +01:00
Günther Deschner
160d5c40a6 werror: replace WERR_INVALID_PARAM with WERR_INVALID_PARAMETER in source4/rpc_server/
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-28 00:04:23 +02:00
Stefan Metzmacher
8305c0a8fc CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:29 +02:00
Stefan Metzmacher
fcdd15a93f CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:27 +02:00
Jelmer Vernooij
773cfba9af Avoid including libds/common/roles.h in public loadparm.h header.
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Stefan Metzmacher
f9246d78f7 s4:rpc_server/lsa: remove unused code
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
c98f96d1b1 s4:rpc_server/lsa: use dsdb_trust_*() helper functions in dcesrv_lsa_lsaRSetForestTrustInformation()
This means we return mostly the same error codes as a Windows
and also normalize the given information before storing.

Storing is now done within a transaction in order to avoid races
and inconsistent values.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
ac4c4a95e5 s4:rpc_server/lsa: implement dcesrv_lsa_lsaRQueryForestTrustInformation()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
98dc4100ab s4:rpc_server/lsa: improve dcesrv_lsa_CreateTrustedDomain_base()
We need to make sure a trusted domain has 'flatName', 'trustPartner'
and 'securityIdentifier' values, which are unique.

Otherwise other code will get INTERNAL_DB_CORRUPTION errors.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
df7f745099 s4:rpc_server/lsa: fix dcesrv_lsa_CreateTrustedDomain()
It needs to pass 'name' as 'netbios_name' and also 'dns_name'.

flatName and trustPartner have the same value for downlevel trusts.
And both are required.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Volker Lendecke
838218db63 Fix the O3 developer build
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-04-28 18:11:13 +02:00
Stefan Metzmacher
6f8b868a29 s4:rpc_server/lsa: we need to normalize the trustAuth* blobs before storing them
The number of current and previous elements need to match and we have to
fill TRUST_AUTH_TYPE_NONE if needed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-30 13:41:25 +02:00
Stefan Metzmacher
73a4387ab9 s4:rpc_server/lsa: notify winbindd about new trusted domains
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-30 13:41:25 +02:00
Stefan Metzmacher
654d63b94b s4:rpc_server/lsa: implement the policy security descriptor
We now check the requested access mask in OpenPolicy*()
and return NT_STATUS_ACCESS_DENIED if the request is not granted.

E.g. validating a domain trust via the Windows gui requires this
in order prompt the user for the credentials. Otherwise
we fail any other call with ACCESS_DENIED later and the
gui just displays a strange error message.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-30 13:41:25 +02:00
Stefan Metzmacher
a09f9cfd2f s4:rpc_server/lsa: normalize the access_mask for lsa account objects
We still grant all access in the access_mask, but we don't check the
mask at all yet...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-30 13:41:25 +02:00
Stefan Metzmacher
a15600727f s4:rpc_server/lsa: correctly set *r->out.resume_handle with NT_STATUS_OK in lsa_EnumTrustedDomainsEx()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-27 01:26:15 +01:00
Stefan Metzmacher
ac45921981 s4:rpc_server/lsa: only return collision_info if filled in lsaRSetForestTrustInformation()
If there're no collisions we should not fill the collision_info pointer.

Otherwise Windows fails to create a forest trust.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:44 +01:00
Stefan Metzmacher
080db5f60a lsa.idl: improve idl for lsa_ForestTrust*Record*
The meaning of lsa_ForestTrustRecordFlags is based lsa_ForestTrustRecordType,
but the type is not always available so it's not possible to use an union.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:44 +01:00
Volker Lendecke
a99a5a34a5 Fix the developer O3 build
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Feb 25 16:32:29 CET 2015 on sn-devel-104
2015-02-25 16:32:29 +01:00