It's a pain to recompile the world if gencache.h changes
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Oct 19 18:52:50 CEST 2018 on sn-devel-144
This reflects that the messaging context is also used outside of the
server processes.
The command used for the rename:
find . -name '*.[hc]' -print0 | xargs -0 sed -i 's/server_messaging_context/global_messaging_context/'
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This reflects that the event context is also used outside of the server
processes.
The command used for the rename:
find . -name '*.[hc]' -print0 | xargs -0 sed -i 's/server_event_context/global_event_context/'
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Right now I don't see a way to actually force a re-serverauth
from the client side as long as an entry in netlogon_creds_cli.tdb
exists. cm_connect_netlogon goes through invalidate_cm_connection, and
this wipes our wish to force a reauthentication. Keep this intact until
we actually did reauthenticate.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 23 17:58:23 CET 2018 on sn-devel-144
On a DC we load the trusts in the parent in add_trusted_domains_dc()
from our local configuration. There's no need to find out the trust details
via network calls.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This is not needed for the normal operation of an AD DC.
Administrators should just use other tools instead of
wbinfo to list and query users and groups.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This makes sure we only talk to direct trusts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
A lot of callers require a valid schannel connection.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13259
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This partially reverts commit d7e31d9f4d
"winbindd: Use rpccli_connect_netlogon" and restores handling of SEC_CHAN_NULL.
Without this we fail to enumerate domains in trusted forests so users
from any child-domain (or tree-root) in the trusted forest can't login
via e.g. SMB.
This is a temporary hack that will go away once we get rid of the trusted domain
list.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13167
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Don't use winbind_messaging_context anymore.
This fixes a bug analysed by Peter Somogyi <PSOMOGYI@hu.ibm.com>: If a
parent winbind forks, it only called reinit_after_fork on
winbind_messaging_context. On the other hand, deep in dbwrap_open we use
server_messaging_context(). This is not reinitialized by
winbind_reinit_after fork, so the parent and child share a ctdb
connection. This is invalid, because replies from ctdb end up in the
wrong process.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13150
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
There's no point in having two global event contexts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13150
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This provides cleaner data dependencies. A netlogon_creds_ctx contains
everything required to open an schannel, there is no good reason to
require cli_credentials here.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This creates a context with access to a credentials, not credentials
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We have too many variables called _creds :-)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Aug 30 22:44:45 CEST 2017 on sn-devel-144
Based on a suggestion from Metze.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12852
Signed-off-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 22 23:16:46 CEST 2017 on sn-devel-144
Before this change, it would always possibly choose another server at
random despite later using the original principal when it got back to
the connection initialization in the winbind connection manager.
This caused bizarre authentication failures.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is so that we can ensure that the DC is RWDC if required.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is to enforce the requirements on the remote DC.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is used to check the appropriateness of the DC given.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.
The local address allows us to know which interface an authentication is on
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
We're in cm_connect_netlogon_transport, not in cm_connect_sam
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 2 00:31:54 CET 2017 on sn-devel-144
The implementation of pdb_get_trust_credentials() should have all
the details to set the kerberos_state to a useful value.
This should enable the fallback to NTLMSSP again, when using our
machine account against trusted domains.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Any fallbacks to other authentication methods should be logged.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
If we are in a situation where we don't have credentials to contact the
remote domain or against an NT4 with the following settings:
    workgroup = NT4DOM
    security = domain
    require strong key = no
    client use spnego = no
    client ipc signing = auto
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We're using only NCACN_NP here as we rely on the smb signing restrictions
of cm_prepare_connection().
This should fix SMB authentication with a user of a domain
behind a transitive trust.
With this change winbindd is able to call
dcerpc_netr_DsrEnumerateDomainTrusts against the
dc of a trusted domain again. This only works
for two-way trusts.
The main problem is the usage of is_trusted_domain()
which doesn't know about the domain, if winbindd can't
enumerate the domains in the other forest.
is_trusted_domain() is used in make_user_info_map(),
which is called in auth3_check_password() before
auth_check_ntlm_password().
That means we're mapping the user of such a domain
to our own local sam, before calling our auth modules.
A much better fix, which removes the usage of is_trusted_domain()
is planned for master, but this should do the job for current releases.
We should avoid talking to DCs of other domains and always
go via our primary domain. As we should cope with one-way trusts
also, we need to avoid relying on a complete list of
domains in future.
For now "wbinfo -m" lists domains behind a two-way transitive
trust again, but that is likely to change in future again!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This reverts commit d2379caa77.
This change doesn't solve the real problem, it just
causes useless network traffic and the following error:
rpccli_setup_netlogon_creds failed for W2012R2-L6, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
While the old logic caused NT_STATUS_CANT_ACCESS_DOMAIN_INFO (without
network traffic) instead of the NT_STATUS_NO_TRUST_SAM_ACCOUNT.
A better fix will follow.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
If cm_get_ipc_credentials() returned anonymous creds and signing is required
we were returning the result of cm_get_ipc_credentials() instead of
the original error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12588
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
There're no callers which try to pass a raw lm_response directly anymore.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec 9 13:09:37 CET 2016 on sn-devel-144