1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

49418 Commits

Author SHA1 Message Date
Garming Sam
7915987dba winbindd: Make some debugging clearer
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-13 07:29:16 +02:00
Michael Adam
9cf3ac1d0c s3:tests: fix commment typo in the offline test
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Apr 13 02:44:38 CEST 2017 on sn-devel-144
2017-04-13 02:44:38 +02:00
Ralph Boehme
9d419c3fe3 winbindd: only use the domain name from lookup sids if the domain matches
With the use of sIDHistory it happens that two sids map to the same name:
S-1-5-21-1387724271-3540671778-1971508351-1115 DOMAIN2\d1u1 (1)
S-1-5-21-3293503978-489118715-2763867031-1106 DOMAIN2\d1u1 (1)

On the net it looks like this:

     lsa_LookupSids: struct lsa_LookupSids
        in: struct lsa_LookupSids
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 344f3586-7de4-4e1d-96a9-8c6c23e4b2f0
            sids                     : *
                sids: struct lsa_SidArray
                    num_sids                 : 0x00000002 (2)
                    sids                     : *
                        sids: ARRAY(2)
                            sids: struct lsa_SidPtr
                                sid                      : *
                                    sid                      : S-1-5-21-1387724271-3540671778-1971508351-1115
                            sids: struct lsa_SidPtr
                                sid                      : *
                                    sid                      : S-1-5-21-3293503978-489118715-2763867031-1106
            names                    : *
                names: struct lsa_TransNameArray
                    count                    : 0x00000000 (0)
                    names                    : NULL
            level                    : LSA_LOOKUP_NAMES_ALL (1)
            count                    : *
                count                    : 0x00000000 (0)
     lsa_LookupSids: struct lsa_LookupSids
        out: struct lsa_LookupSids
            domains                  : *
                domains                  : *
                    domains: struct lsa_RefDomainList
                        count                    : 0x00000001 (1)
                        domains                  : *
                            domains: ARRAY(1)
                                domains: struct lsa_DomainInfo
                                    name: struct lsa_StringLarge
                                        length                   : 0x000e (14)
                                        size                     : 0x0010 (16)
                                        string                   : *
                                            string                   : 'DOMAIN2'
                                    sid                      : *
                                        sid                      : S-1-5-21-1387724271-3540671778-1971508351
                        max_size                 : 0x00000020 (32)
            names                    : *
                names: struct lsa_TransNameArray
                    count                    : 0x00000002 (2)
                    names                    : *
                        names: ARRAY(7)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_USER (1)
                                name: struct lsa_String
                                    length                   : 0x0008 (8)
                                    size                     : 0x0008 (8)
                                    string                   : *
                                        string                   : 'd1u1'
                                sid_index                : 0x00000000 (0)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_USER (1)
                                name: struct lsa_String
                                    length                   : 0x0008 (8)
                                    size                     : 0x0008 (8)
                                    string                   : *
                                        string                   : 'd1u1'
                                sid_index                : 0x00000000 (0)
            count                    : *
                count                    : 0x00000002 (2)
            result                   : NT_STATUS_OK

So the name for S-1-5-21-3293503978-489118715-2763867031-1106 has
S-1-5-21-1387724271-3540671778-1971508351 in referenced lsa_DomainInfo
structure. In that case we should not use the domain name from lsa_DomainInfo,
because we would use the wrong idmap backend.

For the case where the domain part of the sIDHistory sid is a still existing
domain, which can be found our internal list of trusted domains, we now use the
correct idmap backend: the idmap domain from the historic SID.

If the historic domain does no longer exist, we will fallback to the default
idmap domain.

The next step would be doing a lookup sid call for the domain sid, which may
help with one-way trusts.

The long term goal needs to be that idmap backends are based on sids only and
only the smb.conf allows names to be used which will be converted to sids on
startup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12702

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Wed Apr 12 16:43:30 CEST 2017 on sn-devel-144
2017-04-12 16:43:30 +02:00
Uri Simchoni
2fa9346333 build: refuse to build without PAM support if enabled
If PAM support is enabled, refuse to build if the prerequisite
libraries are not in place, instead of silently disabling PAM
support and continuing with the build.

This simplifies inclusion of pam_wrapper in the tree.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-04-12 12:54:24 +02:00
Volker Lendecke
d92a23e4ae winbind_msrpc: Use any_nt_status_not_ok
Less lines, less bytes .text

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 12 05:40:36 CEST 2017 on sn-devel-144
2017-04-12 05:40:36 +02:00
Volker Lendecke
5ee6d44665 winbind_pam: Use any_nt_status_not_ok in map_auth_samlogon
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:14 +02:00
Volker Lendecke
e4173fbc53 winbind: Slightly simplify remove_timed_out_clients
Best reviewed with "git show -b"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:14 +02:00
Volker Lendecke
5eacb88831 winbind: Avoid a "ok==false"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:14 +02:00
Volker Lendecke
c91bac5a63 winbind: Simplify a logic expression
This isn't 100% the same flow, but before this patch we initialized
domain->primary to "false" via "talloc_zero". This means that the
end-result should be the same before and after this patch that IMHO
simplifies the logic a bit.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:14 +02:00
Ralph Boehme
8220d7453f winbindd: remove fallback from lookuprids
We're only calling lookuprids for our local SAM and BUILTIN domains, if
that results in a failed lookup for some rid, sending it again via
lookupsids() won't help, it will just fail again.

If the caller wrongly had sent any other SID that is not from our SAM or
BUILTIN via lookuprids(), that it is up to the caller to fix that, not
us.

The retry logic with going through the single sids lookup at the end
added a fake domain with an empty string. The wb_lookupsids caller
wb_sids2xids needed this, as it wasn't doing the needed error handling
itself. As wb_sids2xids has been fixed to cope, we can just fail the
lookupsids here.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:14 +02:00
Ralph Boehme
2eeb53890b winbindd: remove lookupsid() fallback for a failed lookupsids()
If lookupsids() returned any other error then OK, SOME_NOT_MAPPED or
NONE_MAPPED we must just bail out.

If some or all SIDs could not be mapped via lookupds(), don't fallback
to lookupsid(), it will just fail again.

The retry logic with going through the single sids lookup at the end
added a fake domain with an empty string. The wb_lookupsids caller
wb_sids2xids needed this, as it wasn't doing the needed error handling
itself. As wb_sids2xids has been fixed to cope, we can just fail the
lookupsids here.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:14 +02:00
Ralph Boehme
c79a5acf20 winbindd: remove fallback to lookupsid for unknown SIDs
In wb_lookupsids_done() if a SID failed with lookupsids(), remove the
hokey retry via lookupsid().

The retry logic with going through the single sids lookup at the end
added a fake domain with an empty string. The wb_lookupsids caller
wb_sids2xids needed this, as it wasn't doing the needed error handling
itself. As wb_sids2xids has been fixed to cope, we can just fail the
lookupsids here.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:14 +02:00
Ralph Boehme
32e752e145 winbindd: handling of failed lookupsids in wb_lookupsids_single_done()
If lookupsid() failed with NT_STATUS_SOME_NOT_MAPPED or
NT_STATUS_NONE_MAPPED, if we didn't get a domain name, don't add a fake
domain to the lsa_RefDomainList. Just set the domain index in the
translated name to UINT32_MAX.

It's up to callers like wb_sids2xids to handle such failed mappings and
wb_sids2xids_lookupsids_done() has been updated in a previous commit to
deal with it.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:14 +02:00
Ralph Boehme
36e01b6232 winbindd: let wb_lookupsids_move_name() handle domain_index UINT32_MAX
If the SID was in an unknown domain, src_name->sid_index will be
UINT32_MAX.

This change allows wb_lookupsids_move_name() to add such names to the
result set. This is not used for now, but will be used in subsequent
commits.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:14 +02:00
Ralph Boehme
1efaeb072e winbindd: handling of SIDs without domain reference in wb_sids2xids_lookupsids_done()
This lets wb_sids2xids_lookupsids_done() deal with wp_lookupsids
returning UINT32_MAX as domain index for SIDs from unknown domains.

Call find_domain_from_sid_noinit() to search our list of known
domains. If a matching domain is found, use it's name, otherwise use the
empty string "". This needed to handle Samba DCs which always returns
sid_index UINT32_MAX for unknown SIDs, even from known domains.

Currently the wb_lookupsids adds these fake domains with an empty string
as domain name, but that's not the correct place to do it. We need the
domain name as it gets passed to the idmap child where the choise of
idmap backend is based on the domain name. This will possibly be changed
in the future to be based on domain SIDs, not the name.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:14 +02:00
Michael Adam
26661218b3 s3:vfs:shadow_copy2: fix corner case of "/@GMT-token" in shadow_copy2_strip_snapshot
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:13 +02:00
Michael Adam
16c89835cf s3:vfs:shadow_copy2: fix the corner case if cwd=/ in make_relative_path
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:13 +02:00
Michael Adam
fffd611fdc s3:vfs:shadow_copy2: fix quoting in debug messages
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:13 +02:00
Volker Lendecke
3667876ebe selftest: Test for bug 12558
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-10 20:44:21 +02:00
Volker Lendecke
56df7cf3d9 auth3: fallback to "sam_ignoredomain" in make_auth3_context_for_ntlm()
This is in the spirit of the "map untrusted to domain" parameter: We
fall back to the local SAM when we get a non-authoritative NO_SUCH_USER
from our domain controller. With this change we can implement
"map untrusted to domain = auto".

We should not strictly need 'sam' before 'winbind', but it makes
it clearer to read and has the same effect.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 10 05:04:03 CEST 2017 on sn-devel-144
2017-04-10 05:04:03 +02:00
Stefan Metzmacher
45227b301f auth3: merge make_auth_context_subsystem() into make_auth3_context_for_ntlm()
make_auth3_context_for_ntlm() was the only caller of
make_auth_context_subsystem().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
f23af921df auth3: only use "sam_netlogon3 winbind:trustdomain" in make_auth3_context_for_netlogon
If some needs the old behavior for a while, the deprecated
"auth methods = guest sam winbind:trustdomain" option can be used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
9ad3b43d03 auth3: add "sam_netlogon3" which only reacts on lp_workgroup() as NT4 PDC/BDC
This will be used in the s3 netlogon server in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
948a1dab4d winbindd: allow wbinfo -a REALM\\user to work on a DC
find_domain_from_name_noinit() find the correct domain based
on domain->alt_name, but the child for the local domain
fails to detect that winbindd_dual_auth_passdb() should be
used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:19 +02:00
Andreas Schneider
a9bd9a143e s3:tests: Create a test directory for a clean test
The test fails on openSUSE Tumbleweed with:

NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \foo\bar\testfile

This cleans up the code to create a directory 'test' which can be
completely removed so nothing will stay behind. It also makes sure that
all parent directories are created and the files have some content.

https://bugzilla.samba.org/show_bug.cgi?id=12721

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr  8 12:29:19 CEST 2017 on sn-devel-144
2017-04-08 12:29:19 +02:00
Ralph Boehme
8dfbba59d7 winbindd: error handling in rpc_lookup_sids()
NT_STATUS_NONE_MAPPED and NT_STATUS_SOME_NOT_MAPPED should not be
treated as fatal error. We should continue processing the results and
not bail out.

In case we got NT_STATUS_NONE_MAPPED we must have to ensure all
lsa_TranslatedName are of type SID_NAME_UNKNOWN.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-07 22:52:24 +02:00
Ralph Boehme
416c74e8c8 s3/rpc_client: lookupsids error handling of NT_STATUS_NONE_MAPPED
NT_STATUS_NONE_MAPPED is not a fatal error, it just means we must return
all lsa_TranslatedName's as type SID_NAME_UNKNOWN.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-07 22:52:24 +02:00
Ralph Boehme
0e7e4ebad3 s3/rpc_client: use NT_STATUS_LOOKUP_ERR
No change in behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-07 22:52:24 +02:00
Ralph Boehme
fc37c7327d s3/include: add NT_STATUS_LOOKUP_ERR
Useful helper macro to check the return value of LSA and SAMR
translations.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-07 22:52:24 +02:00
Ralph Boehme
a36de8b81a vfs_fruit: resource fork open request with flags=O_CREAT|O_RDONLY
When receiving an SMB create request with read-only access mode and
open_if disposition, we end of calling the open() function with
flags=O_CREAT|O_RDONLY for the ._ AppleDouble file.

If the file doesn't exist, ie there's currently no rsrc stream, we create
it but then we fail to write the AppleDouble header into the file due to
the O_RDONLY open mode, leaving a 0 byte size ._ file.

Running this create requests against macOS SMB server yields an
interesting result: it returns NT_STATUS_OBJECT_NAME_NOT_FOUND even
though create dispotion is open_if. Another instance where the macOS SMB
server just exposes FSA behaviour (ie HFS+) and we have to adapt to be
compatible.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-07 22:52:24 +02:00
Volker Lendecke
baa3e71f79 smbd: Fix smb1 findfirst with DFS
9377f3bce should have changed the callers of dfs_path_lookup. It now
takes a uint32_t ucf_flags, not a boolean anymore.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-07 22:52:24 +02:00
Stefan Metzmacher
e999b798c6 s3:ntlm_auth: fix memory leak in manage_gensec_request()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12736

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-04-07 16:49:15 +02:00
Ralph Boehme
b680ceebf8 selftest: tests idmap mapping with idmap_rid
This adds two blackbox tests that run wbinfo --sids-to-unix-ids:

o a non-existing SID from the primary domain should return a mapping

o a SID with a bogus (and therefor unknown) domain must not return a mapping

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Apr  7 00:05:02 CEST 2017 on sn-devel-144
2017-04-07 00:05:02 +02:00
Ralph Boehme
9671811da8 winbindd: remove unused single_domains array
This was added as part of 9be918116e, but
is not needed anymore as the previous commit changed the logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-04-06 20:08:19 +02:00
Ralph Boehme
a684df160e winbindd: use correct domain name for failed lookupsids
What we want here is, for failed lookupsids, pass the domain name of the
SID we were trying to lookup to the idmap backend.

But as a domain member, using

  state->single_domains[state->single_sids_done]

for this purpose will always be use our primary domain name (for S-1-5-21
SIDs that are not in our local SAM).

So for now use find_domain_from_sid_noinit() to find the domain from the
domain list. This can be removed when we switch idmap backend
determination to be based on domain SIDs, not names.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-04-06 20:08:19 +02:00
Ralph Boehme
167bb5ead8 winbindd: explicit check for well-known SIDs in wb_lookupsids_bulk()
Those are implicitly already catched by the

  if (sid->num_auths != 5)

check, but I'd like to make the desired behaviour more obvious.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-04-06 20:08:19 +02:00
Volker Lendecke
415d61eebb idmap_ldap: Fix CID 1404836 Dereference before null check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Apr  6 19:31:25 CEST 2017 on sn-devel-144
2017-04-06 19:31:24 +02:00
Stefan Metzmacher
e69aa55c5d winbindd: let WBFLAG_PAM_GET_PWD_POLICY only fake the password policy
As WBFLAG_PAM_GET_PWD_POLICY is only kept for legacy external callers
of libwbclient, we should avoid having the complexity to do additional
network roundtrips to our domain, while we still can't garantee that
the returned password policy actually represents the reality for
the current authentication.

Instead we're calculating r->data.auth.policy.expire and
r->data.auth.policy.min_passwordage based on the effective
{last,allow,force}_password_change values.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Apr  6 14:03:09 CEST 2017 on sn-devel-144
2017-04-06 14:03:09 +02:00
Stefan Metzmacher
f1e3c8ebb3 rpcclient: allow -U'OTHERDOMAIN\user' again
I guess the primary reason for forcing lp_workgroup()
was the usage of -U% together with schannel,
see source3/script/tests/test_rpcclient_samlogon.sh

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12731

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr  5 14:09:23 CEST 2017 on sn-devel-144
2017-04-05 14:09:23 +02:00
Ralph Boehme
8b32fc4006 winbindd: trigger possible passdb_dsdb initialisation
If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
from secrets.tdb. As we use the domain SID in various places, we must
ensure the domain SID is migrated from dsdb to secrets.tdb before
get_global_sam_sid() is called the first time.

The migration is done as part of the passdb_dsdb initialisation, calling
pdb_get_domain_info() triggers it.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12729

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr  1 21:18:59 CEST 2017 on sn-devel-144
2017-04-01 21:18:59 +02:00
Ralph Boehme
8bd5f774fd selftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs
This test passes even without the fix, as in sids2xids we use the
lookupnames just to determine the mapping domain, using the default
idmap domain as fallback if that fails.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-01 17:33:14 +02:00
Ralph Boehme
6b7a14b4b9 winbindd: use passdb backend for well-known SIDs
On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the
local domain, otherwise something simple like this fails with
WBC_ERR_DOMAIN_NOT_FOUND:

$ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1

localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-1-0

On a member server asking our DC works and is what we're currently
doing, but changing it to ask passdb avoids the overhead.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-01 17:33:14 +02:00
Andreas Schneider
2be02fdd1e s3:tests: Add a subsitution test for %D %u %g
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-30 00:33:13 +02:00
Christof Schmitt
bc39fb07ce winbindd: Fix password policy for pam authentication
Authenticating users from trusted domains would return the password
policy of the joined domain. Fix the code so that the password policy of
the joined domain is only returned for users from that domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12725

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Wed Mar 29 22:54:47 CEST 2017 on sn-devel-144
2017-03-29 22:54:47 +02:00
Gary Lockyer
f1603598d6 rpc_server: Re-order and rename remote and local address in np_open()
We use this order and name consistently eleswhere.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:29 +02:00
Andrew Bartlett
7cbe1c844e s3-rpc_server: Provide hooks required for JSON message logging for the no-auth case
This is triggered in the ncacn_np pass-though case in particular

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Andrew Bartlett
e9611b4bd0 s3-rpc_server: Re-order and rename remote and local address in make_external_rpc_pipe{,_p}()
We use this order and name consistently eleswhere.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Andrew Bartlett
7505ae043d s3-rpc_server: pass remote and local address to rpc_pipe_open_external
We want the real client address here for audit purposes, if possible.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Gary Lockyer
3d99831ec9 s3-rpc_server: Rename client -> remote_client and server -> local_server
This changes struct dcerpc_ncacn_conn

While these names may have been clear, much of Samba uses
remote_address and local_address, and this difference has hidden bugs.

By using both names we avoid a little of this.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:28 +02:00
Gary Lockyer
7bb21df258 s3-rpc_server: Re-order local and remote address in make_server_pipes_struct()
The rest of the code uses remote before local, and this
often causes bugs

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:28 +02:00