1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

2960 Commits

Author SHA1 Message Date
Volker Lendecke
73b183e138 winbindd: Use is_domain_offline() where appropriate
That if-condition is precisely covered by the helper routine

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-06-16 01:06:36 +02:00
Volker Lendecke
ea4b40e65a winbindd: Align integer types in for loops
Iterate over the same type as the loop limit

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-06-16 01:06:36 +02:00
Andreas Schneider
6b728b87bf s3:winbind: Fix uninitialzed variable warning
Raised by GCC8.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2018-05-17 17:30:09 +02:00
Günther Deschner
b24d4eb7af s3-winbindd: remove unused fill_domain_username()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-05-17 17:30:09 +02:00
Günther Deschner
3c6481d75c s3-winbindd: use fill_domain_username_talloc() in winbind.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-05-17 17:30:08 +02:00
Andreas Schneider
e1dad1d8dd s3:winbind: Check if we have an open file descriptor
Found by Coverity.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2018-05-17 17:30:08 +02:00
Andreas Schneider
2a0ad57b21 s3:winbind: Add sanity check when closing fd
Found by Coverity.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2018-05-17 17:30:08 +02:00
Volker Lendecke
8109857f37 winbindd: Remove an unused function prototype
This has been moved to async in 2009

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu May 17 11:30:18 CEST 2018 on sn-devel-144
2018-05-17 11:30:18 +02:00
Volker Lendecke
8f215b8db6 winbindd: Make "request_error()" static to winbindd.c
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:20 +02:00
Volker Lendecke
70ce35d528 winbindd: Make "request_ok()" static to winbindd.c
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:20 +02:00
Volker Lendecke
0e4e2a0883 winbindd: Remove the "old" non-bool dispatch table
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:19 +02:00
Volker Lendecke
4051b70450 winbindd: Make DOMAIN_INFO a proper async request
This has an async code path hidden inside. Expose that properly.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:19 +02:00
Volker Lendecke
7b11e91759 winbindd: winbindd_list_trusted_domains() -> bool_dispatch_table
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:19 +02:00
Volker Lendecke
4f8ea6da43 winbindd: winbindd_priv_pipe_dir() -> bool_dispatch_table
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:19 +02:00
Volker Lendecke
a781596ed6 winbindd: winbindd_ccache_save() -> bool_dispatch_table
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:19 +02:00
Volker Lendecke
a180f401f8 winbindd: winbindd_ccache_ntlm_auth() -> bool_dispatch_table
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:19 +02:00
Volker Lendecke
de162c033c winbindd: winbindd_dc_info() -> bool_dispatch_table
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:19 +02:00
Volker Lendecke
762d8ab759 winbindd: winbindd_netbios_name() -> bool_dispatch_table
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:19 +02:00
Volker Lendecke
05105ea0f8 winbindd: winbindd_domain_name() -> bool_dispatch_table
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:19 +02:00
Volker Lendecke
c6b9a0fd70 winbindd: winbindd_ping() -> bool_dispatch_table
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:19 +02:00
Volker Lendecke
25c365c637 winbindd: winbindd_info() -> bool_dispatch_table
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:19 +02:00
Volker Lendecke
214d78a6fa winbindd: winbindd_interface_version() -> bool_dispatch_table
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:18 +02:00
Volker Lendecke
4109236cfd winbindd: Introduce "bool_dispatch_table"
This is meant to replace the synchronous "dispatch_table".

The current dispatch_table assumes that every synchronous function does
the request_ok or request_error itself. This mixes two concerns: Doing
the work and shipping the reply to the winbind client. This new dispatch
table will make it possible to centralize shipping the reply to the
client. At a later stage this will enable easier statistics on how long
request processing took precisely.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-17 08:44:18 +02:00
Andreas Schneider
228ef49324 s3:winbind: Initialize validation_level in winbind_dual_SamLogon()
Found by Covertiy.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-16 21:30:22 +02:00
Volker Lendecke
e838d8a5c2 winbind: Fix CID 1435598 Error handling issues (CHECKED_RETURN)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue May 15 21:12:33 CEST 2018 on sn-devel-144
2018-05-15 21:12:33 +02:00
Andreas Schneider
1766f77493 winbind: Fix UPN handling in canonicalize_username()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri May 11 12:02:37 CEST 2018 on sn-devel-144
2018-05-11 12:02:37 +02:00
Andreas Schneider
a05b63db62 winbind: Fix UPN handling in parse_domain_user()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-05-11 09:07:37 +02:00
Andreas Schneider
32770e929a winbind: Remove unused function parse_domain_user_talloc()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-11 09:07:37 +02:00
Stefan Metzmacher
789c89e6ec winbind: Pass upn unmodified to lookup names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
2018-05-11 09:07:36 +02:00
Garming Sam
7d23177cea winbindd_irpc: Add an IRPC call to trigger a DC locate
Calling the top level winbindd API would probably be more appropriate,
but we lack certain structures. We introduce this call in order to
return the result to NETLOGON (in order to give site-aware and domain
aware DC location).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13365

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-04 06:12:10 +02:00
Volker Lendecke
ffeb2acf65 winbind: Speed up wbinfo -p
This was (possibly) used as an example in the early days of the async winbind
code we have today. It's not necessary to send this through a full tevent_req
round.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Apr 24 17:18:23 CEST 2018 on sn-devel-144
2018-04-24 17:18:23 +02:00
Volker Lendecke
0b04258981 winbind: Remove an unused struct declaration
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 24 04:44:30 CEST 2018 on sn-devel-144
2018-04-24 04:44:30 +02:00
Volker Lendecke
6a9bc0fa20 winbind: Fix CID 1427625 Calling risky function
Probably not really a problem, but we have generate_random(), so why not
use it?

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 19:07:24 +02:00
Volker Lendecke
07532f6a59 libsmb: Pass "account_name/flags" through nb_getdc
Don't hardcode values that we might want to change later

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 01:06:39 +02:00
Volker Lendecke
1643c334db libsmb: Give dsgetdcname.c its own header
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 01:06:39 +02:00
Volker Lendecke
39bdd175e9 libsmb: Give namequery.c its own header
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 01:06:39 +02:00
Volker Lendecke
e29eaa43f5 idmap: Fix CID 1363261 Resource leak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-07 02:11:20 +02:00
Volker Lendecke
ad90835c2b idmap: Use TALLOC_FREE instead of explicit code
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-07 02:11:20 +02:00
Christof Schmitt
1775ac8aa4 winbindd: Do not ignore domain in the LOOKUPNAME request
A LOOKUPNAME request with a domain and a name containing a winbind
separator character would return the result for the joined domain,
instead of the specified domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Apr  6 21:03:31 CEST 2018 on sn-devel-144
2018-04-06 21:03:31 +02:00
Gary Lockyer
428c0a81ae source3: initilize_password_db after a fork.
This is required because we need a new pointer for LDB after the fork,
and with LMDB we can not longer rely on tdb_reopen_all() to do that
for us.

This can not be done in reinit_after_fork() due to the dependency loop
this would create.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-04-06 02:08:45 +02:00
Andrew Bartlett
2610a3f2f7 winbindd: Use talloc_zero_array for consistency with other winbindd_domain allocators
The other allocator for this structure uses talloc_zero()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Mar 24 07:21:37 CET 2018 on sn-devel-144
2018-03-24 07:21:37 +01:00
Andrew Bartlett
fc9150dcab winbindd: Do re-connect if the RPC call fails in the passdb case
This is very, very unlikely but possible as in the AD case the RPC server is in
another process that may eventually be able to restart.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-24 02:31:15 +01:00
Andrew Bartlett
d418d0ca33 winbindd: Add a cache of the samr and lsa handles for the passdb domain
This domain is very close, in AD DC configurations over a internal ncacn_np pipe
and otherwise in the same process via C linking.  It is however very expensive
to re-create the binding handle per SID->name lookup, so keep a cache.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-24 02:31:15 +01:00
Andreas Schneider
8a108f624d s3:winbindd: Fix size types in idmap_tdb_common
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:15 +01:00
Simo Sorce
01319b6e65 Revert "Use "localhost" to be ipv6 only friendly"
This reverts commit 54548f6dde3cf74f0e90ef577a55fd720dca6d93.
2018-03-19 15:34:32 +01:00
Simo Sorce
3e8c50901c Use "localhost" to be ipv6 only friendly
Signed-off-by: Simo Sorce <idra@samba.org>
2018-03-19 15:34:32 +01:00
Ralph Boehme
c37fbfcb24 winbindd: add retry to _winbind_SendToSam
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar 15 20:57:44 CET 2018 on sn-devel-144
2018-03-15 20:57:43 +01:00
Ralph Boehme
e608f058b8 winbindd: add retry to _winbind_DsrUpdateReadOnlyServerDnsRecords
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:10 +01:00
Ralph Boehme
fcf8edf9b8 winbindd: add retry to _wbint_DsGetDcName
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:10 +01:00
Ralph Boehme
c2cd2d3f31 winbindd: add retry to _wbint_LookupSids()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:10 +01:00
Ralph Boehme
6244a2beb1 winbindd: use reset_cm_connection_on_error() instead of dcerpc_binding_handle_is_connected()
This catches more errors and triggers retry as appropriate.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:10 +01:00
Ralph Boehme
08718af36f winbindd: fix logic calling dcerpc_binding_handle_is_connected()
The calls were missing the negation operator, a retry should be
attempted is the binding handle got somehow disconnected behind the
scenes and is NOT connected.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
966ff3793a winbindd: call dcerpc_binding_handle_is_connected() from reset_cm_connection_on_error()
To consolidate the error handling for RPC calls, add the binding handle
as an additional argument to reset_cm_connection_on_error().

All callers pass NULL for now, so no change in behaviour up to here.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
2d1f00cc3a winbindd: force netlogon reauth for certain errors in reset_cm_connection_on_error()
NT_STATUS_RPC_SEC_PKG_ERROR is returned by the server if the server
doesn't know the server-side netlogon credentials anymore, eg after a
reboot. If this happens we must force a full netlogon reauth.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
2837b796af winbindd: call reset_cm_connection_on_error() from reconnect_need_retry()
This ensures we use the same disconnect logic in the reconnect backend,
which calls reconnect_need_retry(), and in the dual_srv frontend which
calls reset_cm_connection_on_error.

Both reset_cm_connection_on_error() and reconnect_need_retry() are very
similar, both return a bool indicating whether a retry should be
attempted, unfortunately the functions have a different default return,
so I don't dare unifying them, but instead just call one from the other.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
17749a5d9f winbindd: make reset_cm_connection_on_error() public
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
a33c1d25e0 winbindd: check for NT_STATUS_IO_DEVICE_ERROR in reset_cm_connection_on_error()
reconnect_need_retry() already checks for this error, it surfaces up
from tstream_smbXcli_np as a mapping for EIO.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
a8d5e4d367 winbindd: add and use ldap_reconnect_need_retry() in winbindd_reconnect_ads.c
ldap_reconnect_need_retry() is a copy of reconnect_need_retry() minus
the RPC connection invalidation.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Volker Lendecke
4b7a9d560a winbind: Keep "force_reauth" in invalidate_cm_connection
Right now I don't see a way to actually force a re-serverauth
from the client side as long as an entry in netlogon_creds_cli.tdb
exists. cm_connect_netlogon goes through invalidate_cm_connection, and
this wipes our wish to force a reauthenticatoin. Keep this intact until
we actually did reauthenticate.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-15 15:46:09 +01:00
Volker Lendecke
0af88b98e7 winbind: Add smbcontrol disconnect-dc
Make a winbind child drop all DC connections

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 15:46:09 +01:00
Volker Lendecke
c38062604b winbind: Fix --ping-dc error handling
If the child dies at the wrong moment, we get an error in the "req" itself.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar  1 14:48:19 CET 2018 on sn-devel-144
2018-03-01 14:48:19 +01:00
Volker Lendecke
49adb5ac8f winbind: Fix a race between the sigchld and 0-sized socket read
Fix a bug when a child dies when a request is pending in the child. If the
signal handler fires before epoll finds out the other end of the parent-child
socket is closed, we close the socket on our side without taking care of the
pending request. This causes two problems: First, that one pending request
never is replied to properly, and secondly, we might end up with EPOLL_DEL on a
wrong file descriptor. This causes all sorts of trouble if we hit an active
one.

The fix for this problem is not to close the socket in winbind_child_died().
This however stops an idle child that dies hard from being properly cleaned up.
The fix for that is to add the child->monitor_fde that is set pending only when
no child request is active. This way we can remove the close(sock) in the
signal handler.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:46 +01:00
Volker Lendecke
33f5f5c461 winbind: Remove the "winbindd_children" global
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:46 +01:00
Volker Lendecke
09677053f7 winbind: Use forall_children in reinit_after_fork()
This removes the special handling for idmap_child() after the "This is
a little tricky" comment. I believe this was not required at all, the
idmap_child is part of the winbindd_children list.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
0e6d3a59eb winbind: Use forall_children in winbind_msg_ip_dropped_parent()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
dba9a12e30 winbind: Use forall_domain_children in winbind_msg_online
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
0c58fb365a winbind: Use forall_domain_children in winbind_msg_offline()
Note that we only walk the domain children, which all have
child->domain != NULL. So we don't need that check anymore.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
815bdc65a2 winbind: Remove unused winbindd_internal_child()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
723560aed2 winbind: "internal" children never have a domain set
Look at setup_domain_child(): There we always set child->domain. The only other
two children are the idmap and locator children, which don't have a domain set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
94c02211f9 winbind: Use forall_children in winbind_child_died()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
4f76a1deae winbind: Implement forall_children()
Step 0 in removing winbindd_children as a variable: We have access to
all children via our domain list and the two explicit children. There's
no need to separately maintain a list of winbind children. Maintaining
child->pid != 0 is sufficient to make sure we only walk active children.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Andreas Schneider
7619442a79 s3:winbindd: Add FALL_THROUGH statements in idmap_autorid.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Stefan Metzmacher
afd97e7209 winbindd: disable support for CROSS_ORGANIZATION domains
We don't support selective authentication yet,
so we shouldn't silently allow domain wide authentication
for such a trust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-28 14:33:19 +01:00
Volker Lendecke
5f4b71d21d winbindd: Remove "DUMP_EVENT_LIST" message
This was no longer implemented, remove it completely

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-26 22:30:14 +01:00
Stefan Metzmacher
06601b3a92 winbind: don't try to do an authenticated SMB connection as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 23 17:58:23 CET 2018 on sn-devel-144
2018-02-23 17:58:23 +01:00
Stefan Metzmacher
55c3af89f1 winbind: set_dc_type_and_flags() is not needed on a DC
On a DC we load the trusts in the parent in add_trusted_domains_dc()
from our local configuration. There's no need to find out the trust details
via network calls.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
18f27b5385 winbind: make sure we don't contact trusted domains via LDAP as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
32a63e3ea9 winbind: make sure we don't contact trusted domains via SAMR as AD DC
This is not needed for the normal operation of an AD DC.

Administrators should just use other tools instead of
wbinfo to list and query users and groups.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
532a14dc68 winbind: let cm_connect_netlogon_transport() only work against direct trust as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
3e17a3b7cd winbind: force the usage of schannel in cm_connect_lsa() as AD DC
This makes sure we only talk to direct trusts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
7f2d45a6c2 winbind: Use one queue for all domain children
If we have multiple domain children, it's important
that the first idle child takes over the next waiting request.

Before we had the problem that a request could get stuck in the
queue of a busy child, while later requests could get served fine by
other children.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 23 09:04:23 CET 2018 on sn-devel-144
2018-02-23 09:04:23 +01:00
Volker Lendecke
b518cb0597 winbind: Maintain a binding handle per domain and always go via wb_domain_request_send()
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
5116aff286 winbind: make choose_domain_child() static
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
44ebaaac89 winbind: add locator_child_handle() and use it instead of child->binding_handle
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
c2d78a0a0a winbind: add idmap_child_handle() and use it instead of child->binding_handle
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
1f41193e00 winbind: improve wb_domain_request_send() to use wb_dsgetdcname_send() for a foreign domain
Commit ed3bc614cc got the logic wrong while
trying to implement the logic we had in init_child_connection(),
which was removed by commit d61f3626b7.

Instead of doing a WINBINDD_GETDCNAME request (which would caused an error
because the implementation was removed in commit
958fdaf5c3), we sent the callers request
and interpreted the result as WINBINDD_GETDCNAME response, which
led to an empty dcname variable. As result the domain child
opened a connection to the primary domain in order to lookup
a dc.

If we want to connect the primary domain from the parent via
a domain child of the primary domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13295

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
4d804f5f3e winbind: use state->{ev,request} in wb_domain_request_send()
This will reduce the diff for the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13295

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
d73e3d4519 winbind: avoid using fstrcpy(dcname,...) in _dual_init_connection
domain->dcname was converted from fstring to char * by commit
14bae61ba3.

Luckily this was only ever called with an empty string in
state->request->data.init_conn.dcname.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13294

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
b158d4e4c1 winbind: cleanup winbindd_cli_state->pwent_state if winbindd_getpwent_recv() returns an error
A client may skip the explicit endpwent() if getgrent() fails.

This allows client_is_idle() return true in more cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13293

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
b7789da846 winbind: cleanup winbindd_cli_state->grent_state if winbindd_getgrent_recv() returns an error
A client may skip the explicit endgrent() if getgrent() fails.

This allows client_is_idle() return true in more cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13293

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
6548b82b5c winbind: call lp_winbind_enum_{users,groups}() already in set{pw,gr}ent()
This way we don't keep winbindd_cli_state->{pw,gr}ent_state arround forever,
if the client forgets an explicit end{pw,gr}ent().

This allows client_is_idle() return true in more cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13293

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
43af57d872 winbind: protect a pending wb_child_request against a talloc_free()
If the (winbind) client gave up we call TALLOC_FREE(state->mem_ctx)
in remove_client(). This triggers a recursive talloc_free() for all
in flight requests.

In order to maintain the winbindd parent-child protocol, we need
to keep the orphaned wb_simple_trans request until the parent
got the response from the child.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13290

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
d29dda141e winbind: use tevent_queue_wait_send/recv in wb_child_request_*()
We need a way to keep the child->queue blocked without relying on
the current 'req' (wb_child_request_state).

The next commit will make use of this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13290

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
3ffebee3de winbindd: implement wb_irpc_lsa_{LookupNames4,LookupSids3}()
This will be used by the LSA Server on an AD DC to request remote views
from trusts.

In future we should implement wb_lookupnames_send/recv similar to
wb_lookupsids_send/recv, but for now using wb_lookupname_send/recv in a loop
works as a first step.

We also need to make use of req->in.level and req->in.client_revision
once we want to support more than one domain within our own forest.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:19 +01:00
Stefan Metzmacher
c376ab29d1 winbindd: make use of talloc_zero_array() in wb_lookupsids*()
It just feels better for such a complex function.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13281

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:17 +01:00
Stefan Metzmacher
b5ffa0e21f winbindd: initialize type = SID_NAME_UNKNOWN in wb_lookupsids_single_done()
We check for !NT_STATUS_LOOKUP_ERR(), but wb_lookupsid_recv()
only initializes the results together with NT_STATUS_OK.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13280

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:17 +01:00
Stefan Metzmacher
17c48f26de winbindd: don't split the rid for SID_NAME_DOMAIN sids in wb_lookupsids
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13279

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:17 +01:00
Andreas Schneider
6f9c6d369f s3:auth: Pass mem_ctx to init_system_session_info()
We have a stackframe we can use for the lifetime of the session.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 21 02:46:40 CET 2018 on sn-devel-144
2018-02-21 02:46:40 +01:00
Volker Lendecke
f8313d715b winbind: Don't send "server_id" explicitly for DUMP_DOMAIN_LIST
messaging already provides the sender id

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 16 00:56:36 CET 2018 on sn-devel-144
2018-02-16 00:56:36 +01:00
Volker Lendecke
0e3c2c8bc6 winbind: Don't explicitly send "server_id" for ONLINESTATUS
Messaging already provides the sender id

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-15 20:32:24 +01:00
Andreas Schneider
1e8ad19653 winbindd: Initialize the domain groups member
==9405== 4 errors in context 1 of 493:
==9405== Conditional jump or move depends on uninitialised value(s)
==9405==    at 0x7507F71: vfprintf (in /lib64/libc-2.12.so)
==9405==    by 0x75C515B: __vasprintf_chk (in /lib64/libc-2.12.so)
==9405==    by 0x2A8728: dbgtext (stdio2.h:199)
==9405==    by 0x22DCBB: winbindd_list_groups_done (winbindd_list_groups.c:127)
==9405==    by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405==    by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405==    by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405==    by 0x3CDAE8: dcerpc_binding_handle_call_done (binding_handle.c:445)
==9405==    by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405==    by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405==    by 0x202701: wbint_bh_raw_call_done (winbindd_dual_ndr.c:139)
==9405==    by 0x6C82C60: tevent_common_loop_timer_delay (tevent_timed.c:341)
==9405==    by 0x6C83CA1: epoll_event_loop_once (tevent_epoll.c:911)
==9405==    by 0x6C822D5: std_event_loop_once (tevent_standard.c:114)
==9405==    by 0x6C7DC3C: _tevent_loop_once (tevent.c:533)
==9405==    by 0x1D8A03: main (winbindd.c:1490)
==9405==  Uninitialised value was created by a heap allocation
==9405==    at 0x4A069EE: malloc (vg_replace_malloc.c:270)
==9405==    by 0x6A71DCA: _talloc_array (in /usr/lib64/libtalloc.so.2.1.5)
==9405==    by 0x22D959: winbindd_list_groups_send (winbindd_list_groups.c:69)
==9405==    by 0x1D76BC: winbind_client_request_read (winbindd.c:647)
==9405==    by 0x23AF2A: wb_req_read_done (wb_reqtrans.c:126)
==9405==    by 0x6C83EA5: epoll_event_loop_once (tevent_epoll.c:728)
==9405==    by 0x6C822D5: std_event_loop_once (tevent_standard.c:114)
==9405==    by 0x6C7DC3C: _tevent_loop_once (tevent.c:533)
==9405==    by 0x1D8A03: main (winbindd.c:1490)

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Feb 13 00:25:27 CET 2018 on sn-devel-144
2018-02-13 00:25:27 +01:00
Andreas Schneider
2abf47cfb3 winbindd: Free is_parent before we terminate
This makes valgrind happy.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-12 19:52:48 +01:00
Andreas Schneider
a5cd134ed7 winbindd: Free memory before we exit the connect child
This will make valgrind happy.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-12 19:52:48 +01:00
Volker Lendecke
b4384b7f0e winbind: Improve child selection
This improves the situation when a client request blocks a winbind
child. This might be a slow samlogon or lookupnames to a domain that's
far away. With random selection of the child for new request coming in
we could end up with a long queue when other, non-blocked children
could serve those new requests. Choose the shortest queue.

This is an immediate and simple fix. Step two will be to have a
per-domain and not a per-child queue. Right now we're pre-selecting
the check-out queue at Fry's randomly without looking at the queue
length. With this change we're picking the shortest queue. The better
change will be what Fry's really does: One central queue and red/green
lights on the busy/free checkout counters.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb 12 19:51:35 CET 2018 on sn-devel-144
2018-02-12 19:51:35 +01:00
Stefan Metzmacher
597e755328 winbindd: WBFLAG_PAM_AUTH_PAC should call add_trusted_domain_from_auth() is the result is trusted
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb 10 13:08:50 CET 2018 on sn-devel-144
2018-02-10 13:08:50 +01:00
Stefan Metzmacher
8422c001be winbindd: rename winbindd_pam_auth_pac_send and let it return validation
Just a preperational step. The next commit will update the caller to
make use of the validation info.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:18 +01:00
Stefan Metzmacher
5444cc4e7e winbindd: complete WBFLAG_PAM_AUTH_PAC handling in winbindd_pam_auth_crap_send()
winbindd_pam_auth_crap_recv() should not have any real logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:18 +01:00
Stefan Metzmacher
5ce3cb2fb4 winbindd: let winbindd_pam_auth_pac_send() compute info6 from PAC
This way we don't loose the DNS info and UPN. A subsequent commit will
let winbindd_pam_auth_pac_send() return the full validation info.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:18 +01:00
Stefan Metzmacher
42e4453968 winbindd: call add_trusted_domain_from_auth() in winbindd_pam_auth_crap_done()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
021d75fb22 winbindd: get netr_SamInfo6 out of winbindd_dual_pam_auth_kerberos()
This way we don't loose dns_domain_name and user principal.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
1a9857369d winbindd: allow validation level 6 in winbind_SamLogon
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
b60c634123 winbindd: introduce a cm_connect_netlogon_secure() which gives a valid netlogon_creds_ctx
At lot of callers require a valid schannel connection.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13259

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
d76bcdb085 winbindd: handle interactive logons in _winbind_SamLogon()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
8c6c47aec0 winbindd: pass 'bool interactive' to winbind_dual_SamLogon()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
2268f1c0dd winbindd: add a comment to a parameter in _winbind_SamLogon()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
d1c3676197 winbindd: separate plaintext given and interactive in winbind_samlogon_retry_loop()
We need to handle 4 cases:

plaintext_given=true  interactive=true
plaintext_given=false interactive=true
plaintext_given=true  interactive=false
plaintext_given=false interactive=false

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
2ee2551409 winbindd: add_trusted_domain_from_auth() should not use dns_name = ""
Check whether the DNS domain name in the info6 struct is actually more
then just an empty string. If it is we want to call add_trusted_domain()
with NULL as DNS domain name argument.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13257

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
b112cbc246 winbindd: fix debug message in find_default_route_domain() on a DC
As we don't support multiple domains in a forest yet,
we don't need to print a warning a log level 0.

This also adds a missing \n.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13255

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Ralph Boehme
9f96ede6f5 winbindd: rename MSG_WINBIND_NEW_TRUSTED_DOMAIN to MSG_WINBIND_RELOAD_TRUSTED_DOMAINS
This reflects the new implementation in winbindd.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-10 08:35:16 +01:00
Ralph Boehme
d8e4e7cae5 winbindd: use add_trusted_domains_dc in wb_imsg_new_trusted_domain
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-10 08:35:16 +01:00
Ralph Boehme
4274ef681b winbindd: move loading of trusted domains on a DC to a seperate function
This allows using the split out function in a subsequent commit in the
MSG_WINBIND_NEW_TRUSTED_DOMAIN message handler.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
728fb7c593 winbindd: don't force using LSA_LOOKUP_NAMES_ALL for non workstation trusts.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
7fc19747ef s3:rpc_client: pass down lsa_LookupNamesLevel to dcerpc_lsa_lookup_sids_generic()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
8b7bf6d4d8 winbindd: prepare find_lookup_domain_from_{name,sid}() transitive trusts on a DC
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
af9a37aa19 winbindd: prepare find_auth_domain() transitive trusts on a DC
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
c5bd18c002 winbindd: remove const from set_routing_domain()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
70bb9c27cf winbindd: use Netlogon{Interactive,Network}TransitiveInformation on transitive trusts
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:15 +01:00
Stefan Metzmacher
7329706a03 s3:rpc_client: allow passing NetlogonNetwork[Transitive]Information to rpccli_netlogon_network_logon()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:15 +01:00
Ralph Boehme
9a613f4bcc winbindd: add routing_domain as parameter to add_trusted_domain
This also fixes the following CIDs:

CID 1427622:  Null pointer dereferences  (REVERSE_INULL)
CID 1427619:  Null pointer dereferences  (REVERSE_INULL)

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13233

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-10 08:35:15 +01:00
Stefan Metzmacher
9fef5d1891 winbindd: add missing can_do_ncacn_ip_tcp initialisation
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13232

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:15 +01:00
Stefan Metzmacher
1918a870c3 winbindd: remove useless calls to get_trust_credentials() before cli_rpc_pipe_open_schannel_with_creds()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13231

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:15 +01:00
Stefan Metzmacher
53484d0d98 winbindd: fix LSA connections via DCERPC_AUTH_SCHANNEL
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13231

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:15 +01:00
Volker Lendecke
3be1e68ce6 winbind: Fix CID 1427626 Uninitialized scalar variable
Likely a false positive, but Coverity can't follow all the paths leading
to line 1598.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jan 17 23:58:34 CET 2018 on sn-devel-144
2018-01-17 23:58:34 +01:00
Volker Lendecke
92131d0898 winbind: Fix CID 1427626 Uninitialized scalar variable
Likely a false positive, but Coverity can't follow all the paths leading
to line 2030

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-17 19:24:11 +01:00
Andreas Schneider
05ebafd91e s3:rpc_client: Clenup copy_netr_SamInfo3() code
This gets rid of some strange macro and makes sure we clenaup at the
end.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13209

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jan 15 22:16:13 CET 2018 on sn-devel-144
2018-01-15 22:16:13 +01:00
Andreas Schneider
bfc727f0b2 s3:winbind: Use a stackframe and cleanup when leaving
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13209

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-15 17:48:18 +01:00
Andreas Schneider
00d176c6c5 s3:winbind: Use a goto for cleaning up at the end
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13209

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-15 17:48:18 +01:00
Andreas Schneider
264249db0f s3:winbindd: Improve logic so it is easier to understand
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13209

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-15 17:48:18 +01:00
Ralph Boehme
9b423fe804 winbindd: set routing_domain when enumerating trusts
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-14 10:26:05 +01:00
David Mulder
2ca73cba53 gpo: Add the winbind call to gpupdate
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 22:38:05 +01:00
Stefan Metzmacher
b4e1e3019a winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Ralph Boehme
9fb36370a5 winbindd: add more trust types to get_trust_type_string
Add support for the following trust types: "Local", "Workstation",
"RWDC", "RODC"´and "Routed (via ...)".

Where we previously returned "None" this now returns "Routed (via ...)",
otherwise (hopefully) no change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Ralph Boehme
f12a43f487 winbindd: fix trust_is_oubound()
A trust is only inbound if NETR_TRUST_FLAG_OUTBOUND is set. Trust flags = 0x0
does not imply an outbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Ralph Boehme
09021f920f winbindd: fix trust_is_inbound()
A trust is only inbound if NETR_TRUST_FLAG_INBOUND is set. Trust flags = 0x0
does not imply an inbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Ralph Boehme
a39cf19c25 winbindd: transitive trust logic in trust_is_transitive()
trust_is_transitive() currently defaults to transitive=true, unless
LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE, LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN or
LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL trust attribute is set.

This is not correct, for the trust to be transative,
LSA_TRUST_ATTRIBUTE_WITHIN_FOREST or LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE must
be set.

Logic taken from dsdb_trust_routing_by_name().

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Ralph Boehme
939592c660 winbindd: use add_trusted_domain_from_auth
After a successfully authentication, ensure we have the users domain in our
domain list and the TDC.

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Ralph Boehme
f4d27f2bf9 winbindd: add add_trusted_domain_from_auth
Function to add a new trusted domain to the domain list and TDC after an
successfull authentication. On Member servers only, not on DCs though.

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Ralph Boehme
b2ea3606a7 winbindd: add set_routing_domain() 2018-01-13 12:55:08 +01:00
Ralph Boehme
2e644af164 winbindd: add find_default_route_domain()
On a member server this is just our primary domain. The logic for DCs is
not yet implemented, on a DC of a child-domain in a forrest this would
be the parent domain.

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Stefan Metzmacher
40c91150e3 winbindd: avoid automatic enumerating trusts on DCs
We have a static list of trust based on our configuration.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Stefan Metzmacher
29e6d55909 winbindd: load the trusted domains on a DC already in init_domain_list()
We should do that in the parent as early as possible.
Similar to our primary domain, which is also a direct trust.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:07 +01:00
Stefan Metzmacher
4b0641bf10 winbindd: use find_trust_from_name_noinit when we require a direct trust
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:07 +01:00
Stefan Metzmacher
2385e719ba winbindd: add find_trust_from_{name,sid}_noinit()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:07 +01:00
Stefan Metzmacher
b724e01ec7 winbindd: remember the secure_channel_type in winbindd_domain
This way we have an indication of non direct trusts with
SEC_CHAN_NULL.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:07 +01:00
Ralph Boehme
5bf2979bb6 winbindd: rework add_trusted_domain(), replacing add_trusted_domain_from_tdc()
This extends add_trusted_domain() to be a the one true one-stop function
to add winbindd domain.

add_trusted_domain_from_tdc() used a struct winbindd_tdc_domain to fill
in the winbindd domain which made it hard to track which attributes
would be required and which are optional.

Pair-programmed-with: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 12:55:06 +01:00
Stefan Metzmacher
8587445885 winbindd: initialize some stack pointers to NULL
This reduces the diff in the following commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:06 +01:00
Stefan Metzmacher
126d6ceecf winbindd: rename alternative_name to dns_name
This reduces the diff in the following commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:06 +01:00
Ralph Boehme
5ffade7b29 winbindd: only use NetBIOS name when searching domain list in add_trusted_domain_from_tdc()
Unique key for domains is the NetBIOS name, period. If the the caller
passes a domain name that matches a different domains DNS name or vice
versa, that is an error. The same applies to SIDs.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 12:55:06 +01:00
Ralph Boehme
c7c06fd238 winbindd: enforce valid SID in add_trusted_domain_from_tdc()
It's the callers responsibility to ensure we get a valid SID. Adding
half-baked domains with only partially valid data is a recipe for
desaster.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 12:55:06 +01:00
Ralph Boehme
e43ee33a1b winbindd: set info6 data in append_info3_as_txt
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Jan 13 12:53:59 CET 2018 on sn-devel-144
2018-01-13 12:53:59 +01:00
Ralph Boehme
7290b5cf67 winbindd: pass validation in append_info3_as_txt
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:09 +01:00
Ralph Boehme
194a9e4907 winbindd: pass down validation to append_auth_data()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:09 +01:00
Ralph Boehme
7b30f69833 winbindd: simplify an if condition in winbindd_dual_pam_auth
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:09 +01:00
Ralph Boehme
f153c95176 winbindd: let winbind_dual_SamLogon return validation
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:09 +01:00
Ralph Boehme
1337104caa winbindd: remove a space in winbind_dual_SamLogon
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:08 +01:00
Ralph Boehme
13d0d524c4 winbindd: let winbindd_dual_pam_auth_samlogon() return validation info
Pass up validation info instead of info3. No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:08 +01:00
Ralph Boehme
cc3ee55ae7 winbindd: let winbind_samlogon_retry_loop return validation info
Return the validation info instead of the already mapped info3. Higher
layers need info6 if available, this is the first step in passing the
unmapped info up to callers.

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 08:24:08 +01:00
Ralph Boehme
aae75d124a winbindd: remove a redundant check from winbindd_dual_pam_auth_samlogon
result is already checked a few lines above.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:08 +01:00
Ralph Boehme
489e942aa9 s3/rpc_client: return validation from rpccli_netlogon functions
Return the validation info instead of the already mapped info3. Higher
layers need info6 if available, this is the first step in passing the
unmapped info up to callers.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:08 +01:00
Ralph Boehme
158c89068b s3/rpc_client: move copy_netr_SamInfo3() to util_netlogon
The next commit will add an additional caller that in rpc_client and I
don't want to pull in AUTH_COMMON. The natural place to consolidate
netlogon related helper functions seems to be util_netlogon.c which
already has copy_netr_SamBaseInfo().

No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:08 +01:00
Ralph Boehme
a1a9feb720 winbindd: prevent long lines in a later commit
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:08 +01:00
Ralph Boehme
e9a9a94d84 winbindd: simplify if condition in find_domain_from_name_noinit()
No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:08 +01:00
Ralph Boehme
751fa043f3 winbindd: remove an else branch
No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:08 +01:00
Ralph Boehme
ca4d5ea362 winbindd: remove a space
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:08 +01:00
Ralph Boehme
5812c7cb5c winbindd: fix overly long lines
Just another long lines cleanup. Best viewed with git show -w.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:08 +01:00
Stefan Metzmacher
6d339b4800 winbindd: remove 'winbind trusted domains only' handling
This parameter is already deprecated in favor of the newer idmap_nss backend.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:23 +01:00
Ralph Boehme
da3f60b1e5 winbindd: use setproctitle
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-10 01:01:23 +01:00
Christof Schmitt
93a5dce933 winbind: Fix backslash in format string
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Dec 19 07:18:58 CET 2017 on sn-devel-144
2017-12-19 07:18:58 +01:00
Gary Lockyer
242aacb0e2 source3/winbindd/winbindd.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept.  This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-18 04:38:20 +01:00
Andreas Schneider
ad0d2756da s3:winbindd: Use a stackframe for memory management in _wbint_QueryGroupList
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-12-08 22:58:17 +01:00
Volker Lendecke
41cfc737df lib: Remove unused serverid.tdb
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec  5 04:58:26 CET 2017 on sn-devel-144
2017-12-05 04:58:26 +01:00
Volker Lendecke
926b8be2cd winbindd: Name<->SID cache is not sequence number based anymore
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Nov 29 20:57:25 CET 2017 on sn-devel-144
2017-11-29 20:57:25 +01:00
Volker Lendecke
80506136cc winbindd: Move name<->sid cache to gencache
The mapping from name to sid and vice versa has nothing to
do with a specific domain. It is publically available. Thus put
it into gencache without referring to the domain this was
retrieved from

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-11-29 16:59:16 +01:00
Volker Lendecke
650f29e2f3 winbindd: Factor out winbindd_domain_init_backend from get_cache()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-11-29 16:59:16 +01:00
Volker Lendecke
089cb9e24c lib: Pass blob instead of &blob to gencache_set_data_blob
Passing a whole DATA_BLOB is cheap enough to simplify the callers: A caller
does not have to create a separate variable.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-11-29 16:59:16 +01:00
Ralph Boehme
1ce165a733 winbindd: let normalize_name_map() call find_domain_from_name_noinit()
Let normalize_name_map fetch the domain itself with
find_domain_from_name_noinit().

This removes two calls to find_domain_from_name_noinit() in the default
configuration of "winbind normalize names = no". The domain is only need
in normalize_name_map if "winbind normalize names" is enabled.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-11-29 16:59:15 +01:00
Ralph Boehme
a8e0bdc971 winbindd: restore SEC_CHAN_NULL fallback in cm_connect_netlogon_transport
This partially reverts commit d7e31d9f4d
"winbindd: Use rpccli_connect_netlogon" and restores handling of SEC_CHAN_NULL.

Without this we fail to enumerate domains in trusted forests so users
from any child-domain (or tree-root) in the trusted forest can't login
via eg SMB.

This is a temporary hack that will go away once we get rid of the trusted domain
list.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13167

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-11-29 16:59:15 +01:00
Ralph Boehme
88bdecae0a winbindd: tdb_exists returns 1 if a record is found
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Nov 19 15:14:13 CET 2017 on sn-devel-144
2017-11-19 15:14:13 +01:00
Volker Lendecke
050ca45dc7 winbind: Remove winbind_messaging_context
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13150

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Nov 18 04:07:24 CET 2017 on sn-devel-144
2017-11-18 04:07:23 +01:00
Volker Lendecke
d8a01d09c1 winbind: winbind_messaging_context -> server_messaging_context
Don't use winbind_messaging_context anymore.

This fixes a bug analysed by Peter Somogyi <PSOMOGYI@hu.ibm.com>: If a
parent winbind forks, it only called reinit_after_fork on
winbind_messaging_context. On the other hand, deep in dbwrap_open we use
server_messaging_context(). This is not reinitialized by
winbind_reinit_after fork, so the parent and child share a ctdb
connection. This is invalid, because replies from ctdb end up in the
wrong process.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13150

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-18 00:09:16 +01:00
Volker Lendecke
e1f12acc13 winbind: Remove winbind_event_context
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13150

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-18 00:09:16 +01:00
Volker Lendecke
7e83d14894 winbind: Replace winbind_event_context with server_event_context
There's no point in having two global event contexts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13150

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-18 00:09:16 +01:00
Volker Lendecke
03be840a7a winbindd: Fix some signed/unsigned warnings
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-18 00:09:15 +01:00
Volker Lendecke
e5251ee188 winbindd: Remove a misleading comment
The reality is a bit more complex than this comment indicates. We should never
suggest anywhere that we can connect to domains that we don't have a direct
trust account to. For the member case, it's "our" domain, and for the DC case,
it's the direct trusts. Everything else is pure luck.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Oct 28 00:31:58 CEST 2017 on sn-devel-144
2017-10-28 00:31:58 +02:00
Ralph Boehme
490c35df35 winbindd: idmap_rid: error code for failing id-to-sid mapping request
NT_STATUS_NO_SUCH_DOMAIN triggers complete request failure in the parent
winbindd. By returning NT_STATUS_NONE_MAPPED winbindd lets the individual
mapping fail but keeps processing any remaining mapping requests.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13052

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Oct 10 19:57:37 CEST 2017 on sn-devel-144
2017-10-10 19:57:37 +02:00
Ralph Boehme
108675c4cf winbindd: idmap_rid: don't rely on the static domain list
The domain list in the idmap child is inherited from the parent winbindd
process and may not contain all domains in case enumerating trusted
domains didn't finish before the first winbind request that triggers the
idmap child fork comes along.

The previous commits added the domain SID as an additional argument to
the wbint_UnixIDs2Sids request, storing the domain SID in struct
idmap_domain.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13052

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-10-10 15:51:27 +02:00
Ralph Boehme
71f99cb132 winbindd: pass domain SID to wbint_UnixIDs2Sids
This makes the domain SID available to the idmap child for
wbint_UnixIDs2Sids mapping request. It's not used yet anywhere, this
comes in the next commit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13052

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-10-10 15:51:27 +02:00
Ralph Boehme
59438bfd3d winbindd: add domain SID to idmap mapping domains
Fetch the domain SID for every domain in the idmap-domain map. This is
in preperation of passing the domain SID as an additional argument to
xid2sid requests to the idmap child.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13052

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-10-10 15:51:27 +02:00
Volker Lendecke
762fba44d7 winbind: Remove the use of "talloc_dict"
As members we only collect names, indexed by sids. This is served
well by just a simple dbwrap_rbt.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-09-30 08:01:24 +02:00
Ralph Wuerthner
05beefd50a s3:winbind: unmapped Unix users must be resolved locally
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Sep 29 18:33:21 CEST 2017 on sn-devel-144
2017-09-29 18:33:21 +02:00
Ralph Wuerthner
196bd54563 s3:winbind: unmapped Unix groups in getgrgid must be resolved locally
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-09-29 14:35:16 +02:00
Volker Lendecke
d7e31d9f4d winbindd: Use rpccli_connect_netlogon
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:13 +02:00
Volker Lendecke
4b97de8adb rpc_client3: Avoid "cli_credentials" in cli_rpc_pipe_open_schannel_with_creds
This provides cleaner data dependencies. A netlogon_creds_ctx contains
everything required to open an schannel, there is no good reason to
require cli_credentials here.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
c8e325c765 winbindd: Remove an obsolete comment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Sep 17 23:35:51 CEST 2017 on sn-devel-144
2017-09-17 23:35:51 +02:00
Volker Lendecke
b62bba83ba cli_netlogon: Eliminate rpccli_setup_netlogon_creds_with_creds
Inlining the code from rpccli_setup_netlogon_creds

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:17 +02:00
Volker Lendecke
7a3d1b5a6f cli_netlogon: Rename rpccli_create_netlogon_creds_with_creds
This creates a context with access to a credentials, not credentials

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:17 +02:00
Volker Lendecke
cc639765ff winbind: Rename winbindd_cm_conn->netlogon_creds to _ctx
We have too many variables called _creds :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Aug 30 22:44:45 CEST 2017 on sn-devel-144
2017-08-30 22:44:45 +02:00
Volker Lendecke
ef3b31ab09 winbind: Fix a signed/unsigned hickup
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-08-30 18:56:13 +02:00
Stefan Metzmacher
ccc8c1a45d winbindd: give an IRPC error if wb_irpc_SamLogon() is called without useful routing information
The caller should have checked this already!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:04 +02:00
Stefan Metzmacher
615b0d83d0 winbindd: as DC we should try to get the target_domain from @SOMETHING part of the username in wb_irpc_SamLogon()
We still need a full routing table including all upn suffixes,
but this is a start to support NTLM authentication using user@REALM
against structed domains.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:04 +02:00
Stefan Metzmacher
0ed6ad45ad winbindd: Print debug if we don't know how to route a wb_irpc_SamLogon() request
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:04 +02:00
Stefan Metzmacher
039ad5c9ad winbindd: allow all possible logon levels in wb_irpc_SamLogon()
We should just try to find the correct domain to forward the
request, all logic of not implementing serveral logon levels
belongs to the _winbind_SamLogon() implementation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Volker Lendecke
2b67d936c1 winbindd: Simplify an if-condition
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Aug  7 09:32:09 CEST 2017 on sn-devel-144
2017-08-07 09:32:09 +02:00
Volker Lendecke
e5b0669625 winbindd: Add debug for ndr cache hit
When looking through winbind debug logs, it's highly confusing if you don't
find a call in the child that's supposed to handle it. Add a debug if the call
was handled from the cache without calling into the child.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2017-08-07 05:35:13 +02:00
Volker Lendecke
ed3b4661fd winbindd: Make wcache_query_user static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2017-08-07 05:35:13 +02:00
Ralph Wuerthner
3a2a9d8d3f idmap: remove unused function idmap_is_online()
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Aug  4 14:08:37 CEST 2017 on sn-devel-144
2017-08-04 14:08:37 +02:00
Volker Lendecke
a70ab5f020 winbindd: Simplify two debug msgs
With DBG_DEBUG we get the function name automatically, DEBUGADD is also
not necessary here

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Aug  1 11:45:34 CEST 2017 on sn-devel-144
2017-08-01 11:45:34 +02:00
Volker Lendecke
69187d92e5 winbindd: Simplify wcache_cached_creds_exist
No need to fetch, use tdb_exists

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:22 +02:00
Volker Lendecke
9be8fc2c0a winbindd: Make wcache_lookup_usergroups static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:22 +02:00
Volker Lendecke
7736e592ff winbindd: Fix indentation
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:22 +02:00
Volker Lendecke
604f1cede6 winbindd: Make init_wcache static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:21 +02:00
Volker Lendecke
91d4151bdf winbindd: Make wcache_lookup_useraliases static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:21 +02:00
Volker Lendecke
8f0bd85cfa winbindd: Make wcache_name_to_sid static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:21 +02:00
Volker Lendecke
d8f85c0f33 winbindd: Make wcache_lookup_groupmem static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:21 +02:00
Volker Lendecke
bbdfb51296 winbindd: Make wcache_flush_cache static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:21 +02:00
Volker Lendecke
0f65bb7c5c winbindd: Fix a few signed/unsigned hickups
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:21 +02:00
Jeremy Allison
dbd3293246 s3: clients: Use netlogon_creds_cli_close_global_db() in all normal exit paths.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-07-26 21:35:22 +02:00
Uri Simchoni
5c1e2f564b winbindd: avoid refreshing sequence number when domain is offline
When there's no connectivity to the domain, avoid attempt to
refresh sequence number. Before the change, this was avoided
only if winbind offline logon was enabled. However, being
able to operate based on cached data is desired even when
offline logons are disabled (offline logons are about caching
credentials for PAM authentication, a user may not want this
and still want service from the SMB server during short
AD disconnects).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-21 19:11:13 +02:00
Uri Simchoni
c819c7d58f winbindd: queryuser - only get group name if needed
When calculating the user entry for a user, the
primary group id *name* might be needed if it is
part of a home dir / shell template (%g or %G).

Only resolve primary group SID to primary group name
if it is needed, thereby saving a round-trip to the DC
(and better handling situations where it is disconnected).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-21 19:11:13 +02:00
Uri Simchoni
e3a151e247 winbindd: cache name-to-sid from PAC based on lookup domain
The name-to-sid lookup for trusted domains is not necessarily
done against the domain - in AD member case it is done
against the primary domain. Therefore the caching should also
be done against the lookup domain.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-21 19:11:13 +02:00
Dustin L. Howett via samba-technical
fe7020b0d1 idmap_ad: Retry query_user exactly once if we get TLDAP_SERVER_DOWN
All other ldap-querying methods in idmap_ad make a single retry attempt if they get
TLDAP_SERVER_DOWN. This patch brings idmap_ad_query_user in line with that design.

This fixes the symptom described in 12720 at the cost of an additional reconnect per
failed lookup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12720

Signed-off-by: Dustin L. Howett <dustin@howett.net>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-07-12 09:01:17 +02:00
Andreas Schneider
4eef11e0a0 s3:winbind: Move debug statement into the error handling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-06-28 22:18:16 +02:00
Stefan Metzmacher
1421abfc73 s3:trusts_util: pass dcname to trust_pw_change()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:45 +02:00
Richard Sharpe
03042b85c8 Bug 15852. There are valid paths where conn->lsa_pipe_tcp->transport is NULL. Protect against this.
Based on a suggestion from Metze.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12852

Signed-off-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 22 23:16:46 CEST 2017 on sn-devel-144
2017-06-22 23:16:46 +02:00
Stefan Metzmacher
8c4cef218a s3:libsmb: no longer pass remote_realm to cli_state_create()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-22 13:07:40 +02:00
Andreas Schneider
8a2bbba5cd s3:winbind: Fix 'winbind normalize names' in wb_getpwsid()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-06-20 23:04:34 +02:00
Stefan Metzmacher
9b28f3af87 s3:winbindd: Send flags=0 in netr_LogonSamLogon{WithFlags,Ex}()
These extra flags are an [in,out] argument, so we have to initialize
them to 0. If we pass NETLOGON_SAMLOGON_FLAG_PASS_TO_FOREST_ROOT
or NETLOGON_SAMLOGON_FLAG_PASS_CROSS_FOREST_HOP, a Windows Server
will just return NT_STATUS_NO_SUCH_USER with authoritative=1
(at least if it is itself a DC of the forest root and the requested
 domain is the local domain of the DC).

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
2017-06-09 13:00:12 +02:00
Garming Sam
fd29e28d52 netlogon: Implement SendToSam along with its winbind forwarding
This allows you to forward bad password count resets to 0. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).

(further patches still need to address forcing a RWDC contact)

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
2368f57b4d winbindd: Do not run SAM auth stack in winbind SamLogon
pdbtest.s4winbind no longer is applicable without a live NETLOGON
connection.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
deec2af7d2 libads: Decide to have no fallback option
Before this change, it would always possibly choose another server at
random despite later using the original principal when it got back to
the connection initialization in the the winbind connection manager.
This caused bizarre authentication failures.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
52a37c697a winbindd_cm: Pass cm_open_connection the need_rw_dc flag
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
ac847898c8 winbindd_cm: Call dcip_check_name even when fetching from cache
This is so that we can ensure that the DC is RWDC if required.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
9d8a373523 winbindd_cm: Rename dcip_to_name to the more accurate dcip_check_name
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
2ff09f6df0 winbindd_cm: Add new parameter to getdc and find_new_dc calls
This is to enforce the requirements on the remote DC.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
bbf2414927 winbindd_cm: Add new parameter for dcip_to_name
This is used to check the appropriateness of the DC given.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Volker Lendecke
d02d4b5bc1 winbindd: Give winbindd_ads.c its own header
Not necessary to compile all of winbind when playing with ads.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-05-17 01:47:17 +02:00
Andreas Schneider
9bbb6c020e s3:winbind: Use a talloc stackframe for rpc_query_user_list
CID #1401581

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-05-16 12:38:20 +02:00
Günther Deschner
3c96b18be3 s3-winbindd: remove some dead prototypes
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-05-10 15:53:20 +02:00
Volker Lendecke
803ea2d2b7 idmap_rfc2307: "ldap_next_entry" needs the previous entry, not the start
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12757

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2017-05-08 21:08:23 +02:00
Volker Lendecke
c0f12170e8 idmap_rfc2307: Don't stop after 30 entries
We start over again and again, so we need to search in the whole list.
This is a quick hack generating a bad O(n^2). The real fix is to
call idmap_rfc2307_find_map with "maps" starting at the right offset,
but that's an optimization for later when it's restructured

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12757

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2017-05-08 21:08:23 +02:00