IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 26 20:16:33 UTC 2022 on sn-devel-184
This will be changed to support UPNs too in the next patch.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This address an issue if sssd is running and handling nsswitch. If we look up
a user with getpwnam("DOMAIN\user") it will return user@REALM in the passwd
structure. We need to be able to deal with that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.
It means that role won't result in ROLE_STANDALONE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Best reviewed with "git show -b", there's a "continue" statement that
changes subsequent indentation.
Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED
Add comments to explain the use of the three lookup
loops.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14571
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Thu Apr 29 09:55:51 UTC 2021 on sn-devel-184
In FreeIPA deployment with active Global Catalog service, when a two-way
trust to Active Directory forest is established, Windows systems can
look up FreeIPA users and groups. When using a security tab in Windows
Explorer on AD side, a lookup over a trusted forest might come as
realm\name instead of NetBIOS domain name:
--------------------------------------------------------------------
[2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 0000000e-0000-0000-1c5e-a750e5810000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x001e (30)
size : 0x0020 (32)
string : *
string : 'ipa.test\admins'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
--------------------------------------------------------------------
If we are running as a DC and PASSDB supports returning domain info
(pdb_get_domain_info() returns a valid structure), check domain of the
name in lookup_name() against DNS forest name and allow the request to
be done against the primary domain. This corresponds to FreeIPA's use of
Samba as a DC. For normal domain members a realm-based lookup falls back
to a lookup over to its own domain controller with the help of winbindd.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Nov 11 10:59:01 UTC 2020 on sn-devel-184
This reverts commit f901691209.
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Nov 5 07:53:03 UTC 2020 on sn-devel-184
When using a security tab in Windows Explorer, a lookup over a trusted
forest might come as realm\name instead of NetBIOS domain name:
--------------------------------------------------------------------
[2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 0000000e-0000-0000-1c5e-a750e5810000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x001e (30)
size : 0x0020 (32)
string : *
string : 'ipa.test\admins'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
--------------------------------------------------------------------
Allow this lookup using realm to be done against primary domain when we
are a domain controller. This corresponds to FreeIPA use of Samba as a
DC. For normal domain members a realm-based lookup falls back to a
lookup over to its own domain controller with the help of winbindd.
Refactor user name parsing code to reuse cli_credentials_* API to be
consistent with other places. cli_credentials_parse_name() handles
both domain and realm-based user name variants.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Nov 4 16:23:40 UTC 2020 on sn-devel-184
This must only be used between winbindd parent and child!
It must not leak into outside world.
Some backends require ID_TYPE_UID or ID_TYPE_GID as type_hint,
while others may only need ID_TYPE_BOTH in order to validate that
the domain exists.
This will allow us to skip the wb_lookupsids_send/recv in the winbindd parent
in future and only do that on demand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Currently these enums have the same values, but that will
change in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Fixes:
source3/passdb/lookup_sid.c:836:11: warning: Value stored to 'result' during its initialization is never read <--[clang]
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
^~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
In 2007, we've added support for multiple lookup levels for LSA
LookupNames family of calls. However, forest-wide lookups, as described
in MS-LSAT 2.2.16, never worked because flags passed to lookup_name()
were always set to zero, expecting at least default lookup on a DC to
apply. lookup_name() was instead treating zero flags as 'skip all
checks'.
Allow at least own domain lookup in case domain name is the same.
This should allow FreeIPA DC to respond to LSA LookupNames3 calls from a
trusted AD DC side.
For the reference, below is a request Windows Server 2016 domain
controller sends to FreeIPA domain controller when attempting to look up
a user from a trusted forest root domain that attemps to login to the
domain controller. Notice the level in the lsa_LookupNames3 call and
resulting flags in lookup_name().
[2019/08/03 07:14:24.156065, 1, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 0000004c-0000-0000-455d-3018575c0000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x000a (10)
size : 0x000c (12)
string : *
string : 'XS\ab'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
[2019/08/03 07:14:24.156189, 6, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_srv] ../../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal)
Found policy hnd[0] [0000] 00 00 00 00 4C 00 00 00 00 00 00 00 45 5D 30 18 ....L... ....E]0.
[0010] 57 5C 00 00 W\..
[2019/08/03 07:14:24.156228, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
push_sec_ctx(967001000, 967001000) : sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156246, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/uid.c:552(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2019/08/03 07:14:24.156259, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156273, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2019/08/03 07:14:24.156285, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/auth/token_util.c:865(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2019/08/03 07:14:24.156311, 5, pid=23639, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/lsa/srv_lsa_nt.c:244(lookup_lsa_sids)
lookup_lsa_sids: looking up name XS\ab
[2019/08/03 07:14:24.156327, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:112(lookup_name)
lookup_name: XS\ab => domain=[XS], name=[ab]
[2019/08/03 07:14:24.156340, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:114(lookup_name)
lookup_name: flags = 0x00
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This explicitly avoids the legacy_[ug]id_to_sid calls, which create
long-term cache entries to S-1-22-x-y if anthing fails. We can't do
this, because this will turn temporary winbind communication failures
into long-term problems: A short hickup in winbind_uid_to_sid will
create a mapping to S-1-22-1-uid for a week. It should be up to the
lower layers to do the caching.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813
Sending S-1-22-x to a typeless sids2xids call will make winbind prime
the reverse xids2sids cache, which is very likely the wrong mapping. Add
a check that avoids bothering the winbind pipe when it's clear this
can't work anyway.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
This is the only user and reduces the dependencies of util_unixsids.c
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Change so we only use unqualified name lookup logic if
domain component = "" and LOOKUP_NAME_ISOLATED flag is
passed in.
Remember to search for "NT Authority" *before* going
into unqualified name lookup logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Somewhere along the line, a config line like "valid users = @foo"
broke when "foo" also exists as a user.
user_ok_token() already does the right thing by adding the LOOKUP_NAME_GROUP
flag; but lookup_name() was not respecting that flag, and went ahead and looked
for users anyway.
Regression test to follow.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11320
Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Marc Muehlfeld <mmuehlfeld@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 28 21:35:58 CEST 2015 on sn-devel-104
If we set 'winbind use default domain' and specify 'force user = user'
without a domain name we fail to log in. In this case we need to try a
lookup with the domain name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11185
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 31 21:17:23 CEST 2015 on sn-devel-104
A customer complained that after upgrading to Samba 4.0 fileserver
its LDAP server was flooded with uid2sid and gid2sid request for id
0. With 4.0 we do a lot more user-space ACL checking which involves
uid2sid/gid2sid. This caches the corresponding results.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 7 12:00:10 CET 2015 on sn-devel-104
Instead of passing down gid or uid, a pointer to a unixid is now sent
down. This acts as an in-out variable so that the idmap functions can
correctly receive ID_TYPE_BOTH, filling in cache details correctly
rather than forcing the cache to store ID_TYPE_UID or ID_TYPE_GID.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10720
Change-Id: I11409a0f498e61a3c0a6ae606dd7af1135e6b066
Pair-programmed-with: Andrew Bartlett <abarlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Sat Aug 9 00:44:06 CEST 2014 on sn-devel-104
This is generic enough that it could be used in all code.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jul 18 15:43:33 CEST 2014 on sn-devel-104
If we have no name indexes for a domain, all names were domain
names and have been resolved earlier, including the domain name.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10463
Change-Id: I5a7a387fa89d2b2bdd465c13b3dca0e18ca0482c
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Feb 25 11:17:18 CET 2014 on sn-devel-104
This is needed so that pdb_samba4 can map any SID during a provision.
At runtime, winbindd will be asked first, but this shortcut direct to the
ldb file makes it possible to set the permissions on the sysvol share at
provision time.
Andrew Bartlett
This does not check whether the given sid is in our domain, but
but whether it belongs to the local sam, which is a different
thing on a domain member server.
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104
This does not check whether the given sid is the domain sid,
but whether it is the sid of the local sam, which is different
for a domain member server.
This will eventually allow the struct unixid to be passed all the way up
and down the stack.
Andrew Bartlett
Signed-off-by: Michael Adam <obnox@samba.org>
This avoids the union in the struct wbcUnixId and moves us to using only struct unixid
internally.
Andrew Bartlett
Signed-off-by: Michael Adam <obnox@samba.org>
This will make it easier to consistantly pass a struct unixid all the way up and
down the idmap stack, and allow ID_TYPE_BOTH to be handled correctly.
Andrew Bartlett
Signed-off-by: Michael Adam <obnox@samba.org>
This interface needs to be publicly available, unid_t here is not really useful
and makes it harder to use it as unid_t is not a public union.
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Tue Oct 18 20:57:16 CEST 2011 on sn-devel-104
Signed-off-by: Andreas Schneider <asn@samba.org>
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Oct 12 19:28:12 CEST 2011 on sn-devel-104
We must leave the MSG_IDMAP_KILL operation in SMBD as it uses smbd
specific internal globals and makes sense only in the context of a smbd
daemon.
The rest is moved under lib/ as we need to deal with id cache cleanups
in other daemons too (like lsasd).
Signed-off-by: Simo Sorce <idra@samba.org>
