1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

224 Commits

Author SHA1 Message Date
Gary Lockyer
3bc5685445 rpc: Always supply both the remote and local address to the auth subsystem
This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.

The local address allows us to know which interface an authentication is on

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:27 +02:00
Andrew Bartlett
d69187c153 winbindd: Clarify that we do not pre-hash the password for rpccli_netlogon_password_logon()
rpccli_netlogon_password_logon() is called in winbind_samlogon_retry_loop() if interactive
is set, and does not use the hashed passwords.

This is only needed for winbindd_dual_auth_passdb(), and by moving the call we both
avoid the extra work and allow it to also be removed in this code path

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:26 +02:00
Andrew Bartlett
c048918959 auth: Fill in user_info->service_description from all callers
This will allow the logging code to make clear which protocol an authentication was for.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:25 +02:00
Stefan Metzmacher
5bba164d15 winbindd: no longer use USER_INFO_LOCAL_SAM_ONLY
make_auth3_context_for_winbind() restricts the used auth backends now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:10 +01:00
Stefan Metzmacher
65d5f845ed auth3: let auth_check_ntlm_password() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:09 +01:00
Stefan Metzmacher
111a6bfc03 winbindd: let winbindd_dual_auth_passdb() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:09 +01:00
Volker Lendecke
15d1da0a19 winbindd: NT_STATUS_CANT_ACCESS_DOMAIN_INFO means "Dunno"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:09 +01:00
Stefan Metzmacher
eff81e32e5 winbindd: make use of make_auth3_context_for_winbind()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:09 +01:00
Volker Lendecke
ab6ae3af39 winbindd: Call make_auth_context_subsystem directly
Soon we'll call specific methods here

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:08 +01:00
Volker Lendecke
eecdc3b1ee winbind: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-09 20:04:19 +01:00
Volker Lendecke
0ff97d969f winbind: Set "authoritative" in response to auth_crap
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Volker Lendecke
3a6a7b53af winbind: Pass up args from winbind_dual_SamLogon
We'll need to pass "authoritative" back to the winbind client

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Volker Lendecke
5b87e915dc winbind: Pass up args from winbind_samlogon_retry_loop
In particular "authoritative" is useful at the top level

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Volker Lendecke
00c25a5080 cli_netlogon: Add return parms to rpccli_netlogon_password_logon
Just for symmetry with rpccli_netlogon_network_logon()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-03-07 09:15:17 +01:00
Volker Lendecke
57b3b12229 winbind: Fix a debug message
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Mar  6 23:18:46 CET 2017 on sn-devel-144
2017-03-06 23:18:45 +01:00
Volker Lendecke
a55bd7e424 lib: Add samlogon_cache.h
Move prototypes into its own header file

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-02 09:36:08 +01:00
Christof Schmitt
b69dce5895 winbindd: Replace calls to domain->methods
domain->methods is always set to cache_methods; call those functions
directly instead of going through the indirection.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-10-11 20:15:25 +02:00
Jeremy Allison
1017b22f68 s3: winbind: Trust name2sid mappings from the PAC.
Don't refresh sequence number in parent as the
mapping comes from a trusted DC.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-09-29 22:17:20 +02:00
Jeremy Allison
cf0f28819e s3: winbind: Make WBC_AUTH_USER_LEVEL_PAC prime the name2sid cache.
In addition to priming the netsamlogon cache.

This prevents a winbind AD-DC lookup for something
the PAC already told us.

Note we only do this in the case where the PAC successfully
passed signature verification.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-09-28 19:02:26 +02:00
Aurelien Aptel
f13d07e459 s3/winbindd: use == -1 instead of < 0 for error checking uid_t
The sign of the uid_t type is left unspecified by POSIX. It's defined as
an unsigned 32b int on Linux, therefore the < 0 check is always
false.

For unsigned version of uid_t, "uid == -1" will implicitely cast -1 to
unsigned making it a valid test for both signed and unsigned version of
uid_t.

This commit makes the cast to (uid_t) explicit anyway.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Jul  1 05:22:36 CEST 2016 on sn-devel-144
2016-07-01 05:22:36 +02:00
Stefan Metzmacher
f9989f2142 s3:winbindd: pass 'interactive' down through winbindd_dual_auth_passdb()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Mathieu Parent
c315fce17e Fix various spelling errors
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov  6 13:43:45 CET 2015 on sn-devel-104
2015-11-06 13:43:45 +01:00
Noel Power
e8fab02773 s3: winbind: Prevent null ptr access by returning error if no creds available
Prevent rpccli_netlogon_network_logon/rpccli_netlogon_password_logon
being called with 'NULL' credentials

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11569

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-11-04 22:15:24 +01:00
Richard Sharpe
b95b2be845 A small improvement to the DEBUG message when pass-through authentication
fails with ACCESS_DENIED. Increased it to log level 1 so it will print out
and pointed to Restrict NTLM as the setting so people know what to look for.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Richard Sharpe <sharpe@samba.org>
Autobuild-Date(master): Sun Oct 11 06:28:05 CEST 2015 on sn-devel-104
2015-10-11 06:28:05 +02:00
Stefan Metzmacher
fb63fd1dc4 s3:winbindd: remove unused argument 'server' from winbind_samlogon_retry_loop()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-06-24 19:33:23 +02:00
Jeremy Allison
4c5fefe072 winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 11 07:30:38 CEST 2015 on sn-devel-104
2015-06-11 07:30:36 +02:00
Noel Power
efadcb3121 kerberos auth info3 should contain resource group ids available from pac_logon
successful pam auth (e.g. from ssh) will cache group sids (but not any
resource group sids)) The subsequent cached entry used for groups lookups
can be missing those resource groups

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-11 04:42:10 +02:00
Richard Sharpe
57303c30b2 Change all uint32/16/8 to 32_t/16_t/8_t in winbindd.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-04-29 23:42:20 +02:00
Stefan Metzmacher
111269d484 s3:winbindd: make use of talloc_string_sub2() in generate_krb5_ccache()
This way we don't pass a given format string to talloc_asprintf().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-25 07:25:45 +01:00
Andrew Bartlett
91d6f603b1 s3-winbindd: Pass the whole winbindd_domain to invalidate_cm_connection()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-08 01:09:50 +02:00
Andrew Bartlett
a3ecad4237 idl: Merge NETR_TRUST and LSA_TRUST definitions into one set only in lsa.idl
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-27 01:35:36 +02:00
Günther Deschner
1839417bcc s3-winbindd: use wcache_query_user_fullname after inspecting samlogon cache.
The reason for this followup query is that very often the samlogon cache only
contains a info3 netlogon user structure that has been retrieved during a
netlogon samlogon authentication using "network" logon level. With that logon
level only a few info3 fields are filled in; the user's fullname is never filled
in that case. This is problematic when the cache is used to fill in the user's
gecos field (for NSS queries). When we have retrieved the user's fullname during
other queries, reuse it from the other caches.

Thanks to Matt Rogers <mrogers@redhat.com>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440

Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-07-15 16:00:40 +02:00
Günther Deschner
c735823f68 s3-winbindd: call interactive samlogon via rpccli_netlogon_password_logon.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-07-15 16:00:40 +02:00
Andrew Bartlett
af7f88721a winbindd: Use a remote RPC server when we are an RODC when needed
This allows us to operate against the local cache where possible, but
to forward some operations to the read-write DC.

Andrew Bartlett

Change-Id: Idc78ae379a402969381758919fcede17568f094e
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Andrew Bartlett
0b77cd969c s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
This changes the auth code in winbindd to use this as a flag, and to
therefore contact the RW DC.

Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Jeremy Allison
e907f84156 s3: auth: Fix winbindd_pam_auth_pac_send() to create a new info3 and merge in resource groups from a trusted PAC.
Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104
2014-06-18 03:30:35 +02:00
Andrew Bartlett
ba4467ca65 s3-winbindd: Implement SamLogon IRPC call
We do this by lifting parts of the winbindd_dual_pam_auth_crap() code
into a new helper function winbind_dual_SamLogon().  This allows us to
implement the semantics we need for IRPC, without the artifacts of the
winbindd pipe protocol.

Change-Id: Idb169217e6d68d387c99765d0af7ed394cb5b93a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 11 12:43:58 CEST 2014 on sn-devel-104
2014-06-11 12:43:58 +02:00
Andrew Bartlett
597d2a7a29 auth: Provide a way to use the auth stack for winbindd authentication
This adds in flags that allow winbindd to request authentication
without directly calling into the auth_sam module.

That in turn will allow winbindd to call auth_samba4 and so permit
winbindd operation in the AD DC.

Andrew Bartlett

Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Christian Ambach
89961ca297 s3:lib/afs move afs.c to common lib dir
some of the code in afs.c is needed by wbinfo that lives in the toplevel
nsswitch directory, so move the afs.c file to a new top-level lib/afs
directory. Use the name afs_funcs to avoid collisions with the afs.h
header from OpenAFS

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-06-04 20:09:38 +02:00
Andrew Bartlett
4d50c75159 s3-auth: Finally change make_user_info_*() use a parent talloc context
Change-Id: Iedf516e8c24e0d18064aeedd8e287ed692d3c5b4
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2014-04-02 11:05:46 +02:00
Günther Deschner
a8c2807a26 s3-kerberos: let kerberos_return_pac() return a PAC container.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-12 10:13:20 +01:00
Günther Deschner
1270e35ba7 s3-kerberos: return a full PAC in kerberos_return_pac().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-12 10:13:20 +01:00
Günther Deschner
932490ae08 s3-libads: pass down local_service to kerberos_return_pac().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-12 10:13:19 +01:00
Stefan Metzmacher
a34c837fdb s3:winbindd: make use of rpccli_netlogon_network_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:15 +01:00
Stefan Metzmacher
38d4dba374 s3:rpc_client: make use of the new netlogon_creds_cli_context
This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
and lets the secure channel session state be stored in node local database.

This is the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:06 +01:00
Andreas Schneider
eae5373cfb s3-winbind: Add support for the kernel krb5 keyring buffer.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2013-09-10 13:48:22 +02:00
Andreas Schneider
13094dc8f6 s3-winbind: Don't set a default directory for DIR.
There is not default so you should always have to specify a directory in
the config file.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2013-09-10 13:48:22 +02:00
Günther Deschner
7ad3a367d5 s3-winbindd: support the DIR pragma for raw kerberos user pam authentication.
It is currently only available in MIT. In addition, allow to define custom
filepaths for FILE, WRFILE and DIR pragmas and substitute one occurence of the
%u pattern.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-07-23 15:39:29 -07:00
Andreas Schneider
0529b59fbe s3-winbind: Do not delete an existing valid credential cache.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9994

Thanks to David Woodhouse <dwmw2@infradead.org>.

Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 15 12:48:46 CEST 2013 on sn-devel-104
2013-07-15 12:48:46 +02:00
Andreas Schneider
659dd65f8f winbind: Correctly use names in the domain struct.
Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-03-05 23:29:29 +01:00