1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
Commit Graph

1408 Commits

Author SHA1 Message Date
Jeremy Allison
cf0cfa03ac s3: libads: Don't re-do DNS lookups in ads_domain_func_level() if not needed.
ADS_STRUCT may be being reused after a
DC lookup from ads_find_dc(), so ads->ldap.ss may already have a
good address (even if ads->server.ldap_server == NULL).
Only re-initialize the ADS_STRUCT and redo the ads_find_fc()
DNS lookups if we have to.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Aug 18 09:46:28 UTC 2020 on sn-devel-184
2020-08-18 09:46:28 +00:00
Jeremy Allison
1d066f37b9 s3: libads: Don't re-do DNS lookups in ads_current_time() if not needed.
ADS_STRUCT may be being reused after a
DC lookup from ads_find_dc(), so ads->ldap.ss may already have a
good address (even if ads->server.ldap_server == NULL).
Only re-initialize the ADS_STRUCT and redo the ads_find_fc()
DNS lookups if we have to.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-08-18 08:25:39 +00:00
Jeremy Allison
c863cc2ba3 s3: libads: ads_connect can be passed in an ADS_STRUCT with an existing IP address.
ads_connect can be passed in a reused ADS_STRUCT
with an existing ads->ldap.ss IP address that
is stored by going through ads_find_dc()
if ads->server.ldap_server was NULL.

If ads->server.ldap_server is still NULL but
the target address isn't a zero ip address,
then store it off before zeroing out ads->ldap
so we don't keep doing multiple calls to
ads_find_dc() in the reuse case.

If a caller wants a clean ADS_STRUCT they
will re-initialize by calling ads_init(), or
call ads_destroy() both of which ensures
ads->ldap.ss is a correctly zero'ed out IP address
by using ads_zero_ldap().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-08-18 08:25:39 +00:00
Jeremy Allison
6b47f3dbbc s3: libads: In ads_connect(), and ads_disconnect(), replace ZERO_STRUCT(ads->ldap) with calls to ads_zero_ldap(ads)
This clears out the memory, but also leaves ads->ldap as a valid (zero) IPaddr.
Otherwise it's left by accident as AF_UNSPEC (0).

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-08-18 08:25:39 +00:00
Jeremy Allison
61895749f5 s3: libads: Where we implicitly zero out ads->ldap in ads_init() or ads_destroy() ensure we call ads_zero_ldap() after.
For ads_destroy(), this has a mode where the memory is not destroyed
but is being re-initialized. Horrid, but that's the way it works right
now.

This clears out the memory, but also leaves ads->ldap as a valid (zero) IPaddr.
Otherwise it's left by accident as AF_UNSPEC (0).

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-08-18 08:25:39 +00:00
Jeremy Allison
0535a265f9 s3: libads: Add utility function ads_zero_ldap().
When initializing or re-initializing the ldap part of the ADS_STRUCT,
we should call this to ensure that ads->ldap.ss is correctly recognized
as a zero IPaddr by is_zero_addr(). It zeros out the ads->ldap but
then adds zero_sockaddr() to initialize as AF_INET. Otherwise it's
left by accident as AF_UNSPEC (0).

Not yet used.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-08-18 08:25:39 +00:00
Isaac Boukris
32eb7f3966 Remove depracated "ldap ssl ads" smb.conf option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14462

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Tue Aug 11 10:53:05 UTC 2020 on sn-devel-184
2020-08-11 10:53:05 +00:00
Isaac Boukris
d67e9149a6 s3-libads: Pass timeout to open_socket_out in ms
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13124

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 16 10:41:40 UTC 2020 on sn-devel-184
2020-07-16 10:41:40 +00:00
Isaac Boukris
39b293c2d0 ads: set sasl-wrapping to plain when over TLS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-13 10:41:38 +00:00
Isaac Boukris
b3af1d334d Fix ads_set_sasl_wrap_flags to only change sasl flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-13 10:41:38 +00:00
Isaac Boukris
9ec83caeb5 Decouple ldap-ssl-ads from ldap-ssl option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-13 10:41:37 +00:00
Isaac Boukris
68d716bdd8 ldap.c: clarify the need for ldap_get_values_len() in a code comment
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-06-23 00:54:26 +00:00
Isaac Boukris
f9dd67355b Fix usage of ldap_get_values_len for msDS-AdditionalDnsHostName
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jun 22 09:59:04 UTC 2020 on sn-devel-184
2020-06-22 09:59:04 +00:00
Isaac Boukris
9a447fb7e0 Properly handle msDS-AdditionalDnsHostName returned from Windows DC
Windows DC adds short names for each specified msDS-AdditionalDnsHostName
attribute, but these have a suffix of "\0$" and thus fail with
ldap_get_values(), use ldap_get_values_len() instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Thu Jun 18 16:43:47 UTC 2020 on sn-devel-184
2020-06-18 16:43:47 +00:00
Björn Baumbach
c8080bbd70 s3-libads: use ldap_init_fd() to initialize a ldap session if possible
Use the known ip address of the ldap server to open the connection and
initialize the ldap session with ldap_init_fd().

This avoid unnecessary DNS lookups which might block or prevent the
successful connection.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-06-11 01:21:30 +00:00
Stefan Metzmacher
7e36b1ec2e s3:libads: remove unused "GSSAPI" support
All AD servers support "GSS-SPNEGO". So we better
remove code that doesn't use gensec.

If we ever need this back we could use the
"gssapi_krb5_sasl" gensec module explicit
or just pass the SASL mech list to gensec.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun  9 17:24:31 UTC 2020 on sn-devel-184
2020-06-09 17:24:30 +00:00
Isaac Boukris
2b62bd5137 Add msDS-AdditionalDnsHostName entries to the keytab
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-05-29 12:11:29 +00:00
Isaac Boukris
1df7604b4e Refactor ads_keytab_add_entry() to make it iterable
so we can more easily add msDS-AdditionalDnsHostName entries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-05-29 12:11:29 +00:00
Andreas Schneider
ec69752cb9 s3:libads: Fix ads_get_upn()
This adds the userPrincipalName to ads_find_machine_acct() which
fetches the data for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-04-06 17:35:39 +00:00
Björn Baumbach
e45e0912d9 s3-libads: use dns name to open a ldap session
Required for working certificate verification.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>

Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Thu Mar  5 12:29:26 UTC 2020 on sn-devel-184
2020-03-05 12:29:26 +00:00
Stefan Metzmacher
c403fa1a7f krb5_wrap: move source3/libads/krb5_errs.c to lib/krb5_wrap/krb5_errs.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-02-10 16:32:37 +00:00
Stefan Metzmacher
240e5cf325 s3:libads: prefer ENCTYPE_AES256_CTS_HMAC_SHA1_96 in ads_keytab_add_entry()
This is currently not critical as we only use keytabs
only as acceptor, but in future we'll also use them
for kinit() and there we should prefer the newest type.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-02-10 16:32:37 +00:00
Stefan Metzmacher
fd2ca9d26d s3:libads: make use auth4_context_{for,get}_PAC_DATA_CTR() in kerberos_return_pac()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-02-10 16:32:36 +00:00
Stefan Metzmacher
f8e7c3d382 auth/kerberos: add auth4_context_{for,get}_PAC_DATA_CTR() helpers
This adds a generic way to get to the raw (verified) PAC
and will be used in multiple places in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-02-10 16:32:36 +00:00
Isaac Boukris
80f1901de0 kerberos_keytab: do not add single DES keys to keytab
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-11-19 14:48:41 +00:00
Jones Syue
a58c93318d s3:libads: Fix mem leak in ads_create_machine_acct
Use 'goto done' instead of 'return' to fix machine_escaped leak.

Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov  4 22:48:50 UTC 2019 on sn-devel-184
2019-11-04 22:48:50 +00:00
Andreas Schneider
123584294c s3:libads: Do not turn on canonicalization flag for MIT Kerberos
This partially reverts 303b7e59a2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155

Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Oct 12 17:39:13 UTC 2019 on sn-devel-184
2019-10-12 17:39:13 +00:00
Andreas Schneider
14f320fa1e s3:libads: Just change the machine password if account already exists
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2019-10-09 07:06:35 +00:00
Andreas Schneider
ce77629350 s3:libads: Fix creating machine account using LDAP
This implements the same behaviour as Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2019-10-09 07:06:35 +00:00
Andreas Schneider
b755a64380 s3:libads: Don't set supported encryption types during account creation
This is already handled by libnet_join_post_processing_ads_modify()
which calls libnet_join_set_etypes() if encrytion types should be set.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2019-10-09 07:06:35 +00:00
Andreas Schneider
4f389c1f78 s3:libads: Fix detection if acount already exists in ads_find_machine_count()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2019-10-09 07:06:35 +00:00
Andreas Schneider
35f3e4aed1 s3:libads: Use a talloc_asprintf in ads_find_machine_acct()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2019-10-09 07:06:35 +00:00
Andreas Schneider
8ed993789f s3:libads: Cleanup error code paths in ads_create_machine_acct()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2019-10-09 07:06:35 +00:00
Andreas Schneider
b84abb3a46 s3:libnet: Require sealed LDAP SASL connections for joining
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2019-10-09 07:06:35 +00:00
Andreas Schneider
456322a613 s3:libads: Use ldap_add_ext_s() in ads_gen_add()
ldap_add_s() is marked as deprecated.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2019-10-09 07:06:35 +00:00
Noel Power
32d487d074 s3/libads: clang: Fix 'Value stored during its initialization is never read'
Fixes:

source3/libads/ldap.c:370:11: warning: Value stored to 'status' during its initialization is never read <--[clang]
        NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
                 ^~~~~~   ~~~~~~~~~~~~~~~~~~~~~~
source3/libads/ldap.c:417:11: warning: Value stored to 'status' during its initialization is never read <--[clang]
        NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
                 ^~~~~~   ~~~~~~~~~~~~~~~~~~~~~~
source3/libads/ldap.c:1783:13: warning: Value stored to 'ret' during its initialization is never read <--[clang]
        ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
                   ^~~   ~~~~~~~~~~~~~~~~~~~~~~~
source3/libads/ldap.c:1862:13: warning: Value stored to 'ret' during its initialization is never read <--[clang]
        ADS_STATUS ret = ADS_ERROR(LDAP_SUCCESS);
                   ^~~   ~~~~~~~~~~~~~~~~~~~~~~~
4 warnings generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-09-26 18:41:27 +00:00
Noel Power
eb3ba3eeaa s3/libads: clang: Fix 'Value stored during initialization is never read'
Fixes:

source3/libads/ldap_utils.c:52:13: warning: Value stored to 'status' during its initialization is never read <--[clang]
        ADS_STATUS status = ADS_SUCCESS;
                   ^~~~~~   ~~~~~~~~~~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-09-26 18:41:27 +00:00
Noel Power
35e0122e7c s3/libads: clang: Fix 'Value stored to 'nt_status' is never read'
Fixes:

source3/libads/sasl.c:219:2: warning: Value stored to 'nt_status' is never read <--[clang]
        nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
        ^           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-09-26 18:41:27 +00:00
Noel Power
40ddcf7bdc s3/libads: clang: Fix Array access results in a null pointer dereference
Fixes:

source3/libads/cldap.c:400:6: warning: Array access (from variable 'responses') results in a null pointer dereference <--[clang]
        if (responses[0] == NULL) {
            ^
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-09-25 09:47:32 +00:00
Stefan Metzmacher
303b7e59a2 s3:libads: ads_krb5_chg_password() should always use the canonicalized principal
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.

There's no reason to have a different logic between MIT and Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2019-09-24 18:30:37 +00:00
Stefan Metzmacher
0bced73bed s3:libads/kerberos: always use the canonicalized principal after kinit
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.

There's no reason to have a different logic between MIT and Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2019-09-24 18:30:37 +00:00
Stefan Metzmacher
bc473e5cf0 s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2019-09-24 18:30:37 +00:00
Günther Deschner
8251203456 s3-libads: adapt to coding standards, no code changes
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep 19 20:48:45 UTC 2019 on sn-devel-184
2019-09-19 20:48:45 +00:00
Evgeny Sinelnikov
ad4ef1657e s3:ldap: Fix join with don't exists machine account
Add check for requested replies of existing machine object during join
machine to domain. This solves regression fail during join with error:
"None of the information to be translated has been translated."

https://bugzilla.samba.org/show_bug.cgi?id=14007

Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Sep  4 17:02:37 UTC 2019 on sn-devel-184
2019-09-04 17:02:37 +00:00
Mathieu Parent
4449f5d1b8 Spelling fixes s/convertion/conversion/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-09-01 22:21:26 +00:00
Noel Power
52d20087f6 s3/libads: clang: Fix Value stored to 'canon_princ' is never read
Fixes:

source3/libads/kerberos.c:192:2: warning: Value stored to 'canon_princ' is never read <--[clang]
        canon_princ = me;
        ^             ~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-08-28 01:47:40 +00:00
Noel Power
f5af3cb21e s3/libads: cppcheck fix error: shiftTooManyBitsSigned: error
Squash 'Shifting signed 32-bit value by 31 bits is undefined behaviour'
error

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-05-29 10:10:23 +00:00
Guenther Deschner
2044ca0e20 s3:ldap: Leave add machine code early for pre-existing accounts
This avoids numerous LDAP constraint violation errors when we try to
re-precreate an already existing machine account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-02 01:12:10 +00:00
Andreas Schneider
c016afc832 s3:libads: Make sure we can lookup KDCs which are not configured
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-02 01:12:10 +00:00
Andreas Schneider
40669e3739 s3:libads: Print more information when LDAP fails
Currently we just get an error but don't know what exactly we tried to
do in 'net ads join -d10'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-02 01:12:09 +00:00
Volker Lendecke
d7de2f7748 lib: Remove "struct sid_parse_ret" again
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-03-12 00:42:19 +00:00
Volker Lendecke
e18610a197 lib: Make sid_parse return the parsed length
Use a temporary struct as a return value to make the compiler catch all
callers. If we just changed bool->ssize_t, this would just generate a
warning. struct sid_parse_ret will go away in the next commit

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-03-12 00:42:19 +00:00
Volker Lendecke
f5cd535bf2 libads: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-02-27 01:35:18 +01:00
Volker Lendecke
258d7d1ca9 libads: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-02-27 01:35:18 +01:00
Stefan Metzmacher
48815cc16a s3:libads: do an early return if we don't have a password for ads_kinit_password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-12-23 18:15:19 +01:00
Volker Lendecke
1d5c00a34d libads: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-12-20 23:40:24 +01:00
Swen Schillig
3df7789e4b libads: Add kerberos tracing
Replace kerberos context initialization from
raw krb5_init_context() to smb_krb5_init_context_basic()
which is adding common tracing as well.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2018-12-19 21:49:29 +01:00
Volker Lendecke
12f3a37a1a libads: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-12-11 00:40:31 +01:00
Andreas Schneider
3f3cc42b51 s3:libads: Use #ifdef instead of #if for config.h definitions
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-11-28 23:19:23 +01:00
Volker Lendecke
a167014554 krb5_wrap: Add a talloc_ctx to smb_krb5_principal_get_realm()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-28 17:44:15 +01:00
Volker Lendecke
f2e939b65b libads: Give krb5_errs.c its own header
The protos were declared in lib/krb5_wrap but the functions are not
available there.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-27 07:13:14 +01:00
Volker Lendecke
baacc70394 libads: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Nov 23 20:23:57 CET 2018 on sn-devel-144
2018-11-23 20:23:57 +01:00
Volker Lendecke
d629c67dd3 libads: Use dom_sid_string_buf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-11-23 17:14:08 +01:00
Swen Schillig
7f902798a7 s3: Free principal if smb_krb5_principal_get_realm() fails
If smb_krb5_principal_get_realm() fails, procesing is aborted and
resources have to be free'd. In this context free'ing the principal
was missing.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-11-22 08:22:18 +01:00
Swen Schillig
02514427db libads: set proper ads_keytab_flush() return code on error
The return code was left on success when the calls to
ads_get_machine_kvno() or ads_clear_service_principal_names()
failed and the processing had to be aborted.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-11-22 08:22:18 +01:00
Volker Lendecke
5b2c3f2f42 lib: Remove gencache.h from proto.h
It's a pain to recompile the world if gencache.h changes

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Oct 19 18:52:50 CEST 2018 on sn-devel-144
2018-10-19 18:52:50 +02:00
Volker Lendecke
fb81fb2d93 libads: Simplify parse_spn()
A few lines less and quite some bytes less .text

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Aug 22 03:59:51 CEST 2018 on sn-devel-144
2018-08-22 03:59:51 +02:00
Volker Lendecke
75ced0d155 libads: Fix an error path talloc leak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-08-22 00:58:41 +02:00
Volker Lendecke
f986a73b24 lib: Pass mem_ctx to lock_path()
Fix a confusing API: Many places TALLOC_FREE the path where it's not
clear you have to do it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-08-17 11:30:10 +02:00
Andreas Schneider
9eccf6a16f s3:libads: Free addr before we free the context
Introduced by dbdbd4875e

CID 1438395

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug 14 22:02:06 CEST 2018 on sn-devel-144
2018-08-14 22:02:06 +02:00
Andreas Schneider
dbdbd4875e s3:libads: Fix memory leaks in ads_krb5_chg_password()
Found by covscan.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567

Pair-Programmed-With: Justin Stephenson <jstephen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-08-11 01:49:16 +02:00
Richard Sharpe
2096d13274 Fix some incorrect debug messages that look to be copy-paste issues.
Signed-off-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu May  3 08:16:26 CEST 2018 on sn-devel-144
2018-05-03 08:16:26 +02:00
Volker Lendecke
39bdd175e9 libsmb: Give namequery.c its own header
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 01:06:39 +02:00
Volker Lendecke
efa66c9ebf libads: Fix CID 1349423 Resource leak
get_sorted_dc_list should already take care, but this way it's safer

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 29 03:45:00 CEST 2018 on sn-devel-144
2018-03-29 03:45:00 +02:00
Volker Lendecke
1b7881ceec libads: Fix 1433611 Resource leak
Not really a memleak due to the passed-in talloc ctx, but this way it's cleaner

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-03-29 00:21:53 +02:00
Volker Lendecke
8b5925b304 libads: Fix CID 1433606 Dereference before null check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-03-29 00:21:50 +02:00
Andreas Schneider
bbbe675a1a s3:libads: Fix size types in kerberos functions
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:14 +01:00
Noel Power
0af66455ef s3:libads: 'net ads keytab create' shouldn't write SPN(s)
Modify default behaviour of 'net ads keytab create'

The change modifies the behaviour of 'net ads keytab create' such
that only the keytab file is modified. The current behaviour doesn't
make sense, existing SPN(s) pulled from the computer AD object have
the format 'serviceclass/host:port/servicename'.
'ads_keytab_create_default' calls ads_keytab_add_entry passing
'serviceclass' for each SPN retrieved from the AD. For each
serviceclass passed in a new pair of SPN(s) is generated as follows
    i) long form 'param/full_qualified_dns'
   ii) short form 'param/netbios_name'

This doesn't make sense as we are creating a new SPN(s) from an existing
one probably replacing the existing host with the 'client' machine.

If the keytab file exists then additionally each kerberos principal in the
keytab file is parsed to strip out the primary, then 'ads_keytab_add_entry'
is called which then tries by default to generate a SPN from any primary
that doesn't end in '$'. By default those SPNs are then added to the AD
computer account for the client running the command.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:15 +01:00
Noel Power
4e518ecdda s3:libads: add param to prevent writing spn(s) to ads
'net ads keytab add' currently in addition to adding to the
keytab file this command also can update AD computer objects
via ldap. This behaviour isn't very intuitive or expected given
the command name. By default we shouldn't write to the ADS.

Prepare to change the default behaviour by modifying the function
'ads_keytab_add_entry' to take a paramater to modify the existing
behaviour to optionally update the AD (or not).

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:15 +01:00
Noel Power
6cac9a4720 s3:libads: Allow 'net ads keytab add' handle Windows SPN(s) part 2
This patch addresses how the windows SPN is written to the AD.

If a legacy service (e.g. cifs, http etc.) is passed as param to
'net ads keytab add param' then windows SPNs are generated from
'param' as follows
          i) long form 'param/full_qualified_dns'
         ii) short form 'param/netbios_name'

If the SPN is a is a Windows SPN (e.g. conforming to format
'serviceclass/host:port') then this is the SPN that is passed to
the AD.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:15 +01:00
Noel Power
efabfb1c17 s3:libads: Allow 'net ads keytab add' handle Windows SPN(s) part 1
This patch addresses how the windows SPN is converted into a kerberos
priniciple to be written to the keytab file. A followup patch will
deal with writing Window SPN(s) to the AD.

Before this change 'net ads keytab add' handled three scenarios

a) 'net ads keytab add param' is passed a fully qualified kerberos principal
   (identified by the presence of '@' in param) In this scenario the keytab
   file alone is updated with the principal contained in 'param'.
b) 'net ads keytab add param'; is passed a machine name (identified by
   the paramater ending with '$'). In this case the machine name
   is converted to a kerberos principal with according to the recipe
   'param@realm' where realm is determined by lp_realm().
c) 'net ads keytab add param' is passed a service (e.g. nfs, http etc.)
   In this scenario the param containing the service is first converted to
   into 2 kerberos principals (long and short forms) according to the
   following recipe
      i) long form:  'param/fully_qualified_dns@realm'
     ii) short form: 'param/netbios_name@realm'
     where 'fully_qualified_dns is retrieved from 'dNSHostName' attribute of
     'this' machines computer account on the AD.
     The principals are written to the keytab file
   Secondly 2 windows SPNs are generated from 'param' as follows
      i) long form 'param/full_qualified_dns'
     ii) short form 'param/netbios_name'
   These SPNs are written to the AD computer account object

After this change a) & b) & c) will retain legacy behaviour except
in the case of c) where if the 'param' passed to c) is a Windows SPN
(e.g. conforming to format 'serviceclass/host:port'
  i) 'param' will get converted to a kerberos principal (just a single one)
     with the following recipe: 'serviceclass/host@realm' which will
     be written to the keytab file. The SPN written to the AD is created
     as before and the legacy behaviour is preserved.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
5fa82263ad s3:utils: add new 'net ads setspn delete' subcommand
This patch adds 'delete' to the 'net ads setspn' subcommand

(see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

Usage:

    net ads setspn delete <computer> <SPN>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
8a6c3c5ae2 s3:utils: add new 'net ads setspn add' subcommand
This patch adds 'add' to the 'net ads setspn' subcommand

(see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

Usage:

     net ads setspn add <computer> <SPN>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
65ef044b8d s3:utils: add new 'net ads setspn list' subcommand
This patch adds basic functionality not unlike the setspn.exe
command that is provided by windows for adminsistering SPN on
the AD. (see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

Only the basic list operation (that corresponds to the -l
    switch for setspn.exe is implemented)

Usage:

     net ads setspn list <computer>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
1400ab709e s3:libads: change ads_add_service_principal_name implementation
Previously the function 'ads_add_service_principal_name' created
the SPNs based on the machine_name and dns name passed to the function.
In order to prepare for a future patch that will also need to write
SPN(s) to the AD computer account, the function implementation will
need to be changed. Instead of the function creating the SPN(s) it
will now take the list SPN(s) to write to the AD 'machine_name' account
as an input param instead.
The name of the function has been changed to
'ads_add_service_principal_names' to reflect this. Additionally  client
code now needs to construct the SPNs to be passed into the function.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
cf0823fb9e s3:libads: Add a basic Windows SPN parser.
(see https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
d9593803ea s3:libads: Clean up code a little rename 'ads_get_samaccountname()'
Function 'ads_get_samaccountname()' basically returns the machine_name passed
as an input param (appended with '$') if it exists on the ad. The function
really is testing for the existence of the samaccountname and is not really
'getting' it. This is also the way it is used. Renaming this function to
'ads_has_samaccountname()' better reflects what it is actually doing and how
clients calling the code use it. It also makes the client code using calling
this function less confusing.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
2dd94e41f6 s3:libads: ads_get_dnshostname & ads_get_samaccountname don't use param
Both ads_get_dnshostname() & ads_get_samaccountname() are passed
a param machinename as a argument. Instead of using 'machinename' these
functions are erroneously using lp_netbiosname() instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Volker Lendecke
859698d29b libads: Fix the build --without-ads
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Feb  6 02:47:44 CET 2018 on sn-devel-144
2018-02-06 02:47:43 +01:00
Jeremy Allison
e7425bd524 s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here.
Thanks to Isaac Boukris <iboukris@gmail.com> for finding the
issue and testing this fix.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13244

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 26 02:25:20 CET 2018 on sn-devel-144
2018-01-26 02:25:20 +01:00
Noel Power
3048ae318f s3:libads: net ads keytab list fails with "Key table name malformed"
When keytab_name is NULL don't call smb_krb5_kt_open use ads_keytab_open
instead, this function will determine the correct keytab to use.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-11-29 21:48:17 +01:00
Andreas Schneider
b81ca4f9dc s3:libads: Fix changing passwords with Kerberos
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-11 18:21:22 +02:00
Stefan Metzmacher
b874dc90c9 s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:46 +02:00
Stefan Metzmacher
504b446d8d s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
These don't use any krb5_context related functions and they just
work on secrets.tdb, so they really belong to machine_account_secrets.c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
1a26805ad9 s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
b0928a2687 s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
5fe939e32c s3:libads: provide a simpler kerberos_fetch_salt_princ() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
487b4717b5 s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
The handling for per encryption type salts was removed in
Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone
has such an installation that got constantly upgraded over 10 years
with an automatic password change nor rejoin. It also means
that the KDC only has salt-less arcfour-hmac-md5 key together
with the salted des keys. So there would only be a problem
if the client whould try to use a des key to contact the smb server.

Having this legacy code adds quite some complexity for no
good reason.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
c56043a94a s3:libads: remove unused kerberos_secrets_store_salting_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:43 +02:00
Garming Sam
deec2af7d2 libads: Decide to have no fallback option
Before this change, it would always possibly choose another server at
random despite later using the original principal when it got back to
the connection initialization in the the winbind connection manager.
This caused bizarre authentication failures.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
eaf2c3e21d libads: Check cldap flags in libads/ldap
Pass down request flags and check they are respected with the response
flags. Otherwise, error out and pretend the connection never happened.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Alexander Bokovoy
2dbaade13a libads: abstract out SASL wrapping code
Prepare for rebasing libads on top of libsmbldap.

To make libads using 'struct smbldap_state' instead of direct LDAP
structure, we need to abstract out libads logic from connection
handling. SASL wrapping does not really depend on availability of LDAP
handle and does not need direct access to ADS_STRUCT. As result, we'll
be able to move SASL wrapping code under smbldap once the latter is able
to pass settings that libads passes to the SASL wrapping.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-05-17 23:02:09 +02:00
Andrew Bartlett
a0ab86dedc auth: Add logging of service authorization
In ntlm_auth.c and authdata.c, the session info will be incomplete

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:27 +02:00
Andreas Schneider
e2028837b9 s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds()
There is no way we can get a better error code out of this. The original
function called was krb5_get_init_creds_opt_get_error() which has been
deprecated in 2008.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-22 07:11:10 +01:00
Andreas Schneider
ca2d8f3161 s3:libads: Correctly handle the keytab kerberos methods
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-03-14 15:22:12 +01:00
Chris Lamb
b2478cdc7d Correct "ommited" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:10 +01:00
Alexander Bokovoy
520167992b libads: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-08 18:00:12 +01:00
Andreas Schneider
980eae07f9 s3-libads: Do not leak the msg on error
ldap_search_ext_s manpage states:
Note that res parameter of ldap_search_ext_s should be freed with
ldap_msgfree() regardless of return value of these functions.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar  8 14:59:35 CET 2017 on sn-devel-144
2017-03-08 14:59:35 +01:00
Stefan Metzmacher
bdce9f5fae s3:libads: remove unused fallback to gss_acquire_cred()
Heimdal and all supported versions of MIT krb5 prove gss_krb5_import_cred(),
so we don't need an #ifdef here.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar  6 11:44:54 CET 2017 on sn-devel-144
2017-03-06 11:44:54 +01:00
Stefan Metzmacher
ea0bc12ba5 s3:libads: add more debugging to ads_sasl_spnego_bind()
Any fallbacks to other authentication methods should be logged.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-24 18:40:15 +01:00
Chris Lamb
a4ab7c73bd Correct "occured" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:21 +01:00
Stefan Metzmacher
0013694075 s3:libads: use trust_pw_new_value() for krb5 machine passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-21 16:09:22 +01:00
Volker Lendecke
c9955da65a libads: Use "all_zero" where appropriate
... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-01-03 16:04:28 +01:00
Andreas Schneider
4ef772be3a s3:libads: Include system /etc/krb5.conf if we use MIT Kerberos
The system /etc/krb5.conf defines some defaults like:

    default_ccache_name = KEYRING:persistent:%{uid}

We need to respect that so should include it in our own created
krb5.conf file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-12-02 09:36:07 +01:00
Andreas Schneider
943c6ee030 s3-libads: Fix canonicalization support with MIT Kerberos
This allows to authenticate using user@DOMAIN against an AD DC.

https://bugzilla.samba.org/show_bug.cgi?id=12457

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec  2 00:23:02 CET 2016 on sn-devel-144
2016-12-02 00:23:02 +01:00
Volker Lendecke
8d8c638c3d lib: Fix an uninitialized variable
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-19 01:26:14 +02:00
Jeremy Allison
44a7040500 s3: cldap: cldap_multi_netlogon_send() fails with one bad IPv6 address.
Analysis by: Rebecca Gellman <rebecca@starfleet-net.co.uk>

Ignore cldap_socket_init() failure when sending
multiple cldap netlogon requests. Allow cldap_netlogon_send()
to catch the bad address and correctly return through a
tevent subreq.

Make sure cldap_search_send() copes with cldap parameter == NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12381

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Oct 18 02:16:20 CEST 2016 on sn-devel-144
2016-10-18 02:16:20 +02:00
Stefan Metzmacher
a5f895a530 s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set "KRB5CCNAME"
Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 13 00:35:21 CEST 2016 on sn-devel-144
2016-10-13 00:35:21 +02:00
Stefan Metzmacher
890b1bbdb8 s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor set "KRB5CCNAME"
Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-10-12 20:54:09 +02:00
Günther Deschner
b2f1dc2569 werror: replace WERR_NOMEM with WERR_NOT_ENOUGH_MEMORY in source3/libads/ldap_printer.c
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-28 00:04:18 +02:00
Andreas Schneider
2de4aea728 s3-libads: Do not use deprecated krb5_change_password()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep  1 00:43:51 CEST 2016 on sn-devel-144
2016-09-01 00:43:51 +02:00
Andreas Schneider
e01587c948 s3-libads: Do not use deprecated krb5_get_init_creds_opt_init()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:18 +02:00
Andreas Schneider
9d4f1b4d31 s3-libads: Support for MIT Kerberos ntstatus from init_creds
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:17 +02:00
Andreas Schneider
3cd4bc6446 s3-libads: Use non-deprecated function to get the error
krb5_get_init_creds_opt_get_error is deprecated.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:17 +02:00
Andreas Schneider
e135a13478 s3-libads: Rename smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:17 +02:00
Andreas Schneider
381ebd4af5 krb5_wrap: Move unwrap_edata_ntstatus() and make it static
This also removes the asn1util dependency from krb5_wrap and moves it to
libads which is the only user.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:17 +02:00
Andreas Schneider
aa1cca9f27 krb5_wrap: Rename smb_krb5_open_keytab()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:15 +02:00
Andreas Schneider
d1de425385 krb5_wrap: Rename smb_get_enctype_from_kt_entry()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:15 +02:00
Andreas Schneider
bff77afd32 krb5_wrap: Remove unneeded smb_krb5_get_init_creds_opt_free()
Call the Kerberos function directly.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:14 +02:00
Andreas Schneider
4fae92dcad krb5_wrap: Remove unneeded smb_krb5_get_init_creds_opt_alloc()
Call the Kerberos function directly.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:14 +02:00
Andreas Schneider
97249b7cd0 krb5_wrap: Rename cli_krb5_get_ticket()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:14 +02:00
Andreas Schneider
e8632e2af5 krb5_wrap: Rename kerberos_free_data_contents()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:13 +02:00
Uri Simchoni
3fff2667ec libads: use "kerberos encryption types" parameter
When creating the custom krb.conf file, list etypes
according to kerberos encryption types

Also use proper directives for heimdal (heimdal recognizes
the MIT etype directives, but does not act upon them)

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-09 04:39:07 +02:00
Michael Adam
cc339b0069 libads: improve debug messages in sitename_fetch()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jul 12 21:23:48 CEST 2016 on sn-devel-144
2016-07-12 21:23:48 +02:00
Stefan Metzmacher
a1743de74f libads: ensure the right ccache is used during spnego bind
When doing spnego sasl bind:
1. Try working without kinit only if a password is not
   provided
2. When using kinit, ensure the KRB5CCNAME env var is set
   to a private memory ccache, so that the bind is on behalf
   of the requested user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jul 12 03:23:33 CEST 2016 on sn-devel-144
2016-07-12 03:23:33 +02:00
Stefan Metzmacher
2672968851 libads: ensure the right ccache is used during gssapi bind
When doing gssapi sasl bind:
1. Try working without kinit only if a password is not
   provided
2. When using kinit, ensure the KRB5CCNAME env var is set
   to a private memory ccache, so that the bind is on behalf
   of the requested user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-07-11 23:46:17 +02:00
Uri Simchoni
a646d9e796 s3-libads: fix a memory leak in ads_sasl_spnego_bind()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12006

Signed-off-by: Uri Simchoni <uri@samba.org>
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
2016-07-05 20:55:08 +02:00
Jeremy Allison
e46cb9b835 s3: krb5: keytab - The done label can be jumped to with context == NULL.
Ensure we don't crash in this case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11959

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Thu Jun  9 13:18:56 CEST 2016 on sn-devel-144
2016-06-09 13:18:56 +02:00
Stefan Metzmacher
795e796658 s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-28 16:51:16 +02:00
Andreas Schneider
f9099d3c46 s3-libads: Fix compilation with MIT Kerberos
ENCTYPE_NULL is defined by the RFC and used by MIT Kerberos. Heimdal
also provides ENCTYPE_NULL.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Apr 26 22:47:19 CEST 2016 on sn-devel-144
2016-04-26 22:47:19 +02:00
Ralph Boehme
b26ae7fbf6 krb5_wrap: add enctype arg to smb_krb5_kt_seek_and_delete_old_entries()
Unused in this commit, the next commit will use it to avoid deleting
keys with the same kvno but a different enctype.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-04-25 10:35:14 +02:00
Uri Simchoni
34482eb7cc libads: record session expiry for spnego sasl binds
With the move to gensec-based spnego, record the session expiry
in tgs_expire, so that libads users such as winbindd can use this info
to determine how long to keep the connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11852

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Tue Apr 19 16:53:57 CEST 2016 on sn-devel-144
2016-04-19 16:53:57 +02:00
Stefan Metzmacher
2ec4e165e4 s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
This fixes a regression in commit 2cb07ba50d
(s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos)
that prevents things like 'net ads join' from working against a Windows 2003 domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 12 23:02:56 CEST 2016 on sn-devel-144
2016-04-12 23:02:56 +02:00
Stefan Metzmacher
20859a22c4 CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Pair-programmed-with: Ralph Boehme <slow@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
2016-04-12 19:25:24 +02:00
Volker Lendecke
dcaa88158e libads: Fix CID 1356316 Uninitialized pointer read
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-18 00:29:13 +01:00
Günther Deschner
5d498d1b4d s3:libnet:libnet_join: fill in output enctypes and only modify when necessary.
Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-14 16:19:23 +01:00
Günther Deschner
e0da059b39 s3:libnet:libnet_join: define list of desired encryption types only once.
Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-14 16:19:23 +01:00
Günther Deschner
c61b111e6f s3:libads:ldap: fix ads_check_ou_dn to deal with account_ou not being initialized
Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-14 16:19:23 +01:00
Günther Deschner
e8f6acdeec s3:libads:ndr: add ADS_AUTH_USER_CREDS to ndr_print_ads_auth_flags()
Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-14 16:19:23 +01:00
Günther Deschner
34030b025b s3:libads:ldap: print LDAP error message with log level 10.
Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-03-14 16:19:23 +01:00