1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

437 Commits

Author SHA1 Message Date
Andrew Bartlett
c31c30043b s4-winbindd: Remove the winbind rewrite from the samba4 effort
This winbind implementation is undermaintained, out of date and not the
future of even the AD DC, let alone any other purpose.

Removing it will reduce our security and bug exposure on this
off by default subsystem

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 24 22:34:57 CEST 2015 on sn-devel-104
2015-06-24 22:34:57 +02:00
Andrew Bartlett
7fcaa07e20 winbindd4: Force home directory in internal winbind to use a lower-case username
This is a BEHAVIOUR CHANGE from Samba 4.0 and 4.1, if mixed-case
usernames were in use.

However, it matches the behaviour in winbindd in all other use cases.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-05-06 01:22:14 +02:00
Andrew Bartlett
406cd32126 s4-winbind: Correctly reject the unsupported WBFLAG_PAM_AUTH_PAC flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-05-06 01:22:14 +02:00
Andreas Schneider
d86f7b9daf s3-winbind: Correct debug message for starting winbind.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-20 23:25:52 +01:00
Volker Lendecke
a99a5a34a5 Fix the developer O3 build
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Feb 25 16:32:29 CET 2015 on sn-devel-104
2015-02-25 16:32:29 +01:00
Garming Sam
58b343be47 idmap: return the correct id type to *id_to_sid methods
We have a pointer to a unixid which is sent down instead of a uid or
gid. We can use this as an in-out variable so that pdb_samba_dsdb can be
returned ID_TYPE_BOTH to cache correctly instead of leaving it as
ID_TYPE_UID or ID_TYPE_GID.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10720

Change-Id: I0cef2e419cbb337531244b7b41c708cf2ab883e3
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-12-03 04:21:09 +01:00
Andrew Bartlett
b19750dbe9 winbindd: Do not use group_list->out.resume_index after free
Found by AddressSanitizer

Change-Id: I59009144b28c390ddb80b7b3fbb4007dfd16db0e
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
2014-09-08 07:26:34 +02:00
Andrew Bartlett
34cc5bd260 winbindd: Do not use user_list->out.resume_index after free
Found by AddressSanitizer

Change-Id: I9f8b95b65de788994a7404fa8889fce45ccb3a30
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
2014-09-08 07:26:34 +02:00
Andrew Bartlett
57228317fc winbind: Fix template homedir to match source3
Fix provided by Andy Igoshin <ai@vsu.ru>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10324

Andrew Bartlett

Change-Id: Ie94d207fed91e9dfd85ee3c3339c376b25ac5fa4
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-04 03:22:26 +02:00
Andrew Bartlett
77b04f1df6 winbind: Allow winbindd to be run from inside "samba"
Change-Id: I6b90a9b62ba5821e0feedb23cd20642078ba0ca6
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 29 05:28:39 CEST 2014 on sn-devel-104
2014-04-29 05:28:39 +02:00
Volker Lendecke
1f60aa8ec2 winbind4: Remove unused winbind_get_idmap irpc operation
Change-Id: Ia5e62d30b277f8a7074d451cfb8675eee8e9d21f
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-05 16:33:21 +01:00
Volker Lendecke
699f86cc27 Revert "winbind4: Remove unused winbind_get_idmap irpc operation"
This reverts commit 41ff0f4454.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-02-18 10:28:28 +01:00
Stefan Metzmacher
71096883e1 s4:winbind: make use of dcerpc_binding_[g|s]et_flags()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-13 11:54:17 +01:00
Stefan Metzmacher
785c0fe34a s4:winbind: don't access dcerpc_binding internals in init_domain_binding()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-13 11:54:17 +01:00
Volker Lendecke
41ff0f4454 winbind4: Remove unused winbind_get_idmap irpc operation
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Kai Blin <kai@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb 10 13:24:09 CET 2014 on sn-devel-104
2014-02-10 13:24:09 +01:00
Noel Power
0f347e44e2 log winbind version (when requested) in winbindd log
winbindd currently only logs the INTERFACE version request,
it would be useful to additionally have the version returned
in the log also.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jim McDonough <jmcd@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Jan 22 21:57:04 CET 2014 on sn-devel-104
2014-01-22 21:57:04 +01:00
Stefan Metzmacher
124a89698b s4:winbind: let wb_samr_userdomgroups_send() take tevent_context/dcerpc_binding_handle
This avoids usage/dereferencing 'struct dcerpc_pipe'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-01-16 16:22:52 +01:00
Stefan Metzmacher
ad14fb9545 s4:winbind: let wb_lsa_lookupnames_send() take tevent_context/dcerpc_binding_handle
This avoids usage/dereferencing 'struct dcerpc_pipe'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-01-16 16:22:52 +01:00
Stefan Metzmacher
5559cdf5c2 s4:winbind: let wb_lsa_lookupsids_send() take tevent_context/dcerpc_binding_handle
This avoids usage/dereferencing 'struct dcerpc_pipe'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-01-16 16:22:52 +01:00
Stefan Metzmacher
59bc7cb0df s4:winbind: make clear that we use the global tevent_context
We should avoid using the tevent_context pointer on a
dcecli_connection, it's the same as the global per task one
anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-01-16 16:22:52 +01:00
Stefan Metzmacher
00d616e104 s4:winbind: correctly fill the libnet_context lsa and samr binding handles
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-01-16 16:22:52 +01:00
Jeremy Allison
0dc6181894 CVE-2013-4408:s3:Ensure LookupNames replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
2013-12-09 07:05:46 +01:00
Jeremy Allison
b0ba4a5621 CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
2013-12-09 07:05:46 +01:00
Andrew Bartlett
2505d48e4f s4-winbindd: Do not terminate a connection that is still pending (bug #9820)
Instead, wait until the call attempts to reply, and let it terminate then

(often this happens in the attempt to then write to the broken pipe).

Andrew Bartlett

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-10 06:57:06 +02:00
Andrew Bartlett
88c72fceb1 s4-winbind: Add special case for BUILTIN domain
This should mean that lookups for the BUILTIN domain cause less trouble
then they have in the past, because they will no longer go via the
trusted domain handler.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 20 15:30:00 CEST 2013 on sn-devel-104
2013-06-20 15:30:00 +02:00
Stefan Metzmacher
097a8c7239 s4:winbind: don't leak libnet_context into the main event context
This needs to be a talloc child of struct wbsrv_domain
otherwise the cleanup of a broken connection doesn't work.

The following command can trigger the leak on a domain controller.

root@dc:~/samba# ls -l /var/lib/samba/sysvol/samba.private/
total 16
drwxrwx---+ 5 root 3000000 4096 May 14 14:46 Policies
drwxrwx---+ 2 root 3000000 4096 May 14 11:45 scripts

gid 3000000 belongs to Builtin\Administrators.

The code triggers a ncacn_np: connection to the local smbd
and complains that domain BUILTIN is not available:

[2013/05/29 17:28:03,  2] ../source4/winbind/wb_init_domain.c:376(init_domain_recv_queryinfo)
  Expected domain name BUILTIN, DC dc.samba.private said SAMBA

In that case the connection was not closed, which is fixed by this commit.

Using ncalrpc: for all local SIDs and serving the BUILTIN domain is
a project for another day...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jun  4 11:05:09 CEST 2013 on sn-devel-104
2013-06-04 11:05:09 +02:00
Michael Adam
8bf311288b s4:idmap: break account_type check lines for readability in idmap_sid_to_xid()
Also makes code obey README.Coding, regarding line-length.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon May 27 00:05:19 CEST 2013 on sn-devel-104
2013-05-27 00:05:19 +02:00
Volker Lendecke
51533eedd7 winbind4: Fix bug 9832 -- talloc use after free
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 16 13:37:41 CEST 2013 on sn-devel-104
2013-05-16 13:37:40 +02:00
Karolin Seeger
7ff3cbdabf source4/winbind/wb_samba3_cmd.c: Fix typo in comment.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 16 07:49:24 CEST 2013 on sn-devel-104
2013-05-16 07:49:24 +02:00
Volker Lendecke
c672ef11b1 winbind4: Fix bug 9832 -- talloc use after free
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-04-30 09:11:15 +02:00
Michael Adam
f14ba6460a s4:winbindd: fix spacing and line length in cmd_getpwnam_recv_domain()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 28 03:54:41 CET 2013 on sn-devel-104
2013-02-28 03:54:41 +01:00
Michael Adam
bb0e4cbc3c s4:winbindd: do not drop the workgroup name in the getgrgid call
Signed-off-by: Michael Adam <obnox@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 27 05:44:39 CET 2013 on sn-devel-104
2013-02-27 05:44:39 +01:00
Michael Adam
ecd0b10d2f s4:winbindd: do not drop the workgroup name in the getgrnam and getgrent calls.
Signed-off-by: Michael Adam <obnox@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-02-27 14:01:59 +11:00
Karolin Seeger
240df6c7b0 wb_samba3_cmd.c: Fix typo in comment.
redundent -> redundant

Signed-off-by: Karolin Seeger <kseeger@samba.org>
2013-02-18 22:07:39 +11:00
Andrew Bartlett
5e0fcb04a4 s4-idmap: Remove requirement that posixAccount or posixGroup be set for rfc2307
This change matches the source3/idmap/idmap_ad.c code, and allows this
feature to work with only the setting of the UID/GID in Active
Directory Users and Computers.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-10 14:52:56 +01:00
Andreas Schneider
1aa0503401 Use the new directory_create_or_exist_strict() function.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-09 09:11:20 +01:00
Günther Deschner
563cc67ac6 libcli/auth: rename netlogon_creds_decrypt_samlogon() to netlogon_creds_decrypt_samlogon_validation().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-12-15 21:50:36 +01:00
Michele Baldessari
008bb29023 Set trans to a value that is not LDB_SUCCESS (all LDB_ constants are
positive) so that any "goto failed:" call does not end up calling
ldb_transaction_cancel() if trans is initialized to 0 (LDB_SUCCESS)
by chance.

Signed-off-by: Jeremy Allison <jra@samba.org>
2012-09-10 14:58:28 -07:00
Stefan Metzmacher
b05d28ebdd s4:winbind: let wb_update_rodc_dns_send/recv use netlogon_queue (bug #9097)
metze

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Aug 25 05:06:18 CEST 2012 on sn-devel-104
2012-08-25 05:06:18 +02:00
Stefan Metzmacher
646012954c s4:winbind: let wb_sam_logon_send/recv() use the netlogon_queue (bug #9097)
metze
2012-08-25 01:39:42 +02:00
Stefan Metzmacher
19daec6a95 s4:winbind: add a netlogon_queue (tevent_queue)
This will protect the netlogon_creds later.

metze
2012-08-25 01:39:41 +02:00
Stefan Metzmacher
d4aa8978cc s4:winbind: convert wb_update_rodc_dns_send/recv to tevent_req
metze
2012-08-25 01:39:41 +02:00
Stefan Metzmacher
0ccdaa940a s4:winbind: convert wb_sam_logon_send/recv to tevent_req
metze
2012-08-25 01:39:41 +02:00
Stefan Metzmacher
d3756d8738 s4:winbind: convert wb_sid2domain to tevent_req internally
The public wrapper still uses composite_context, because I don't
have time to fix all the callers...

metze
2012-08-25 01:39:41 +02:00
Sergey Urushkin
e8b3b1c110 s4 rfc2307 gids mapping fix
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-22 19:11:26 +10:00
Andrew Bartlett
8822b3b662 s4-param: Remove unused "idmap trusted only"
When we revamp the idmap layer, we will end up just following the s3
options, and this option is not used there either.

Andrew Bartlett

Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2012-07-19 08:02:32 +02:00
Andrew Bartlett
352dbddb6d s4-idmap: Add parameter 'idmap_ldb:use rfc2307' and correct implementation errors 2012-06-20 16:22:41 +10:00
Andrew Bartlett
3c65bac0b6 s4-idmap: Add mapping using uidNumber and gidNumber like idmap_ad
This is a solution for users who are upgrading from Samba 3.x in
particuar, or have clients that will be using idmap_ad.  This avoids
needing to have duplicate values in idmap.ldb and in the directory.

No check for conflicts is made with the idmap.ldb - the AD store always wins.

Andrew Bartlett
2012-06-16 08:18:10 +02:00
Andrew Bartlett
b8815dc23d lib/param: Create a seperate server role for "active directory domain controller"
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC which will allow smarter handling of (for example) accidentially
starting smbd rather than samba.

To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.

Andrew Bartlett
2012-06-15 09:18:33 +02:00
Andrew Bartlett
5960b7b2a4 s4-libnet Always return after composite_error()
These instances should not cause a problem, but make it easier to audit for
this kind of problem in the future with grep.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Apr 23 14:29:45 CEST 2012 on sn-devel-104
2012-04-23 14:29:44 +02:00