IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This still passes in the value in the LM field for checking
in case it is an NT response or LMv2.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
LM authentication is very weak and a very bad idea, so has been deprecated since
Samba 4.11.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
authenticate_ldap_simple_bind*() needs to pass the
result of the cracknames operation into the auth stack
as user_info->client.{account,domain}_name, because
user_info->client.{account,domain}_name is also used
when forwarding the request via netrLogonSamLogon*
to a remote server, for exactly that the values are
also used in order to map a AUTH_PASSWORD_PLAIN into
AUTH_PASSWORD_RESPONSE, where the NTLMv2 response
contains the account and domain names passed in the
netr_IdentityInfo value.
Otherwise it would not be possible to forward the
LDAP simple bind authentication request to a remote
DC.
Currently this only applies to an RODC that forwards
the request to an RWDC.
But note that LDAP simple binds (as on Windows) only
work for users in the DCs forest, as the DsCrackNames
need to work and it can't work for users of remote
forests. I tested that in a DC of a forest root domain,
if rejected the LDAP simple bind against a different forest,
but allowed it for a users of a child domain in the
same forest. The NTLMSSP bind worked in both cases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 10 04:10:54 UTC 2022 on sn-devel-184
This makes it much clearer what it is used for and
it is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in
authsam_check_password_internals().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
mapped_state is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in authsam_check_password_internals().
But that code will be changed in the next commits, so we can simplify
the logic and only check for user_info->mapped.account_name being NULL.
As it's the important factor that user_info->mapped.account_name is
non-NULL down in the auth stack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
user_info->mapped_state has nothing to do with enum auth_password_state,
user_info->password_state is the one that holds the auth_password_state value.
Luckily user_info->password_state was never referenced in the
encrypt_user_info() callers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
I've seen that in LogonSamLogonEx request triggered
by a simple bind with a user of a trusted domain
within the same forest. Note simple binds don't
work with users for another forest/external domain,
as the DsCrackNames call on the bind_dn fails.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14641
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Using != AUTH_PASSWORD_RESPONSE is not the correct indication
due to the local mappings from AUTH_PASSWORD_PLAIN via
AUTH_PASSWORD_HASH to AUTH_PASSWORD_RESPONSE.
It means an LDAP simble bind will now honour
'old password allowed period'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
It went wrong in 366f8cf090
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 26 12:39:52 UTC 2022 on sn-devel-184
With the recent heimdal upgrade we better try to use the send_to_realm()
hooks as it allows us to handle the KDC lookup as well as only getting
each logical request just once in the testing code, which makes it
let dependend on the heimdal internal kdc lookup logic.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
In future we need a real configure check for Heimdal 8.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
These changes were submitted in a patch by
Stefan Metzmacher <metze@samba.org> in his lorikeet-heimdal
import branch of patches to upgrade to a modern Heimdal.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec 9 14:14:12 UTC 2021 on sn-devel-184
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.
It means that role won't result in ROLE_STANDALONE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
gensec_update() and gensec_unwrap() can both modify their input buffers
(for example, during the inplace RRC operation on GSSAPI tokens).
However, buffers obtained from Python bytes objects must not be modified
in any way. Create a copy of the input buffer so the original isn't
modified.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
We need to offer as much space we have in order to
get the address out of tsocket_address_bsd_sockaddr().
This fixes a regression in commit
43c808f2ff.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14750
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This changes the docstrings to use the correct method names.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
auth_unix was in the source4/auth/ntlm for two reasons:
- inherited from earlier Samba before the Samba4 fork
- To support the ejs-backed SWAT (web administration tool)
Neither of these are good reasons to keep this unused code
around, there is very unlikely to be a need to support
plaintext PAM authentication in this part of the code in the
future.
See b16362fab6 for some
context on the historical use case.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Apr 19 07:07:01 UTC 2021 on sn-devel-184
Remove complexity in the data structures, and pushes the async-ness
one level down.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is a simpler approach to really just wrap the code.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
error: overflow converting case value to switch condition type (-1765328344 to 2529638952) [-Werror,-Wswitch]
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Fix a ubsan detected integer overflow.
../../source4/auth/ntlm/auth_sam.c:445:56: runtime error:
signed integer overflow: 60 * 600000000
cannot be represented in type 'int'
In practice this meant that the default for the smb.conf parameter
"old password allowed period" was approximately 16 seconds, rather than
the intended 60 minutes. Similarly the value used would be 22.5 times
less than the value specified in smd.conf.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 13 23:52:38 UTC 2021 on sn-devel-184
Will fix a typo next
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
lib/util/safe_string.h is similar to source3/include/safe_string.h, but
the former has fewer checks. It is missing bcopy, strcasecmp, and
strncasecmp.
Add the missing elements to lib/util/safe_string.h remove the other
safe_string.h which is in the source3-specific path. To accomodate
existing uses of str(n?)casecmp, add #undef lines to source files where
they are used.
Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug 3 22:21:04 UTC 2020 on sn-devel-184
Used to fill the unix info in a struct auth_session_info similar to
auth_session_info_fill_unix().
The new auth_session_info_set_unix() receives the uid and gid for
the unix token as an parameter. It does not query the unix token from
winbind (via security_token_to_unix_token()).
This is useful to fill a user session info manually if winbind is not
available.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14400
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Ralph Boehme <slow@samba.org>
LDAP Simple BIND authentications have already been mapped to a
DOMAIN\username pair and should not be mapped twice.
This appears to be a regression in 09e24ce40f
included in Samba 4.7.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13598
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Fri Feb 14 17:13:33 UTC 2020 on sn-devel-184
socklen_t can be unsigned
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 14 13:42:26 UTC 2020 on sn-devel-184
This is simpler and safter in case the structure gets new elements.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(C) SBE network solutions GmbH
Signed-off-by: Torsten Fohrer <torsten.fohrer@sbe.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Dec 18 14:33:58 UTC 2019 on sn-devel-184
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Nov 27 12:24:16 UTC 2019 on sn-devel-184
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Add new for_selftest option to SAMBA_BINARY() and SAMBA3_BINARY()
This allows us to be much more consistent (at least in the core Samba)
and documents clearly why the binary should not be installed.
Not modified are
- test_lp_load
- notifyd-tests
- gendrandperf
- test* from examples/libsmbclient
- dbwrap_torture
- split_tokens
- locktest2
- msgtest
- msg_sink
- msg_source
- versiontest
- rpc_open_tcp
- test_headers
As these are not tested in selftest so any change would also be
untested. Of course they probably should be added in a different
MR.
Also not modified (because they are not tests, nor part of the
build system) are:
- smb2mount
- notifydd
- log2pacp
- debug2html
- smbfilter
- destroy_netlogon_creds_cli
- spotlight2*
- tevent_glib_tracker
These do however appear to be untested.
For now, the source4 forked client tools are left unchanged:
- smbclient4
- nmblookup4
Finally, the heimdal binaries are left as install=False as
they are either part of the build system or end-user tools
that we just don't want to install. These are however tested.
The motivation is commit like c34ec003b7
and da87fa998a, which are both totally
correct but are not needed if the selftest is not run on MacOS.
There are likely other platforms or build environments where building
our test binaries is more pain than valuable, see for example also
https://lists.samba.org/archive/samba/2019-November/227137.html
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Fri Nov 22 11:48:59 UTC 2019 on sn-devel-184
Commit dc5788056b removed crypt library from replace. This breaks the
build on fedora 30 ppc64.
[2439/3956] Linking bin/default/source4/auth/ntlm/libauth4-samba4.so
/usr/bin/ld: source4/auth/ntlm/auth_unix.c.5.o: in function `password_check':
auth_unix.c:(.text+0x7e0): undefined reference to `crypt'
crypt library is required to build ntlm auth_unix.c.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Tue Nov 19 04:47:47 UTC 2019 on sn-devel-184
We don't need to parse a text sid, we have those as binary available
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.
There's no reason to have a different logic between MIT and Heimdal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
The function gensec_gssapi_client_creds() may call kinit and gets
a TGT for the user. The principal provided by the user may not
be canonicalized. The user may use 'given.last@example.com'
but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background.
It means we should use client_realm = AD.EXAMPLE.PRIVATE
instead of client_realm = EXAMPLE.COM
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Fixes:
source4/auth/kerberos/kerberos_util.c:645:3: warning: Value stored to 'code' is never read <--[clang]
code = 0;
^ ~
1 warning generated.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Fixes:
source4/auth/kerberos/kerberos_pac.c:116:2: warning: Value stored to 'ret' is never read <--[clang]
ret = smb_krb5_make_pac_checksum(mem_ctx,
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Fixes:
source4/auth/gensec/gensec_gssapi.c:431:11: warning: Value stored to 'nt_status' during its initialization is never read <--[clang]
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
^~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This came about because in py2 we had to check for strings and unicode.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Mon Jun 24 18:48:53 UTC 2019 on sn-devel-184
We no longer need Samba to be py2/py3 compatible so we choose to return to the standard
function names.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
We no longer need Samba to be py2/py3 compatible so we choose to return to the standard
function names.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
We no longer need Samba to be py2/py3 compatible so we choose to return to the standard
function names.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
We no longer need Samba to be py2/py3 compatible so we choose to return to the standard
function names.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
This became unused after eba8799514 in 2012
Found by callcatcher
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
To avoid warning above produced by using
-Wcast-function-type we;
+ ensure PyCFunctions of type METH_NOARGS defined dummy arg
+ ensure PyCFunctions of type METH_KEYWORDS use PY_DISCARD_FUNC_SIG
macro
+ ensure PyCFunctions of type METH_KEYWORDS really actually use the
problematic kargs param, if not remove it
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
The 'role' is set to null, we should first set it to the correct value
before printing anything.
Found by GCC 9.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
There are a few oddities in this function, including a duplicated NULL
check, a talloc_free of a context which is passed in and a number of
missing frees before a return.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Wed May 8 00:36:14 UTC 2019 on sn-devel-184
This option is quite invasive in waf and was mainly for the python3 transition.
Testing with multiple python versions can be done by testing a full compile against
multiple versions, likewise multiple different binding versions can be created
the same way.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 6 04:30:22 UTC 2019 on sn-devel-144
Generate a random logon_id and pass it in the SamLogon calls.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Fold the two 32 bit values logon_id_high and logon_id_low into a single
64 bit logon_id in netr_identity_info. This will be used to tie
together winbind and SamLogon requests in audit logging.
Summary of the of the Query and Response from Microsoft on it's usage.
[REG:119013019612095] [MS-NRPC]: NETLOGON_LOGON_IDENTITY_INFO: Does
the Reserved field have LogonId meaning?
Questions:
In NetrLogonSamLogonEx does the Reserved field
(of NETLOGON_LOGON_IDENTITY_INFO) have LogonId meaning?
What is a valid LogonID, and does have any audit usage?
Samba is sending a constant "deadbeef" in hex and would like to
understand any usage of this field.
Response:
The NRPC spec is accurate in defining the field as Reserved, and without
protocol significance. In the header file in our source code, it is
defined as LogonId and commented as such, but it’s effectively not used.
This is probably why the API structure has that field name. It may have
been intended as such but it’s not used.
Samba will send a random value in this field.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
HEIMDAL kerberos offers already tracing via a logging facility
through smb_krb5_init_context().
MIT kerberos offers to register a callback via krb5_set_trace_callback
with which tracing information can be routed to a common logging facility.
This is now integrated into smb_krb5_init_context_basic() offering
the same functionality for both kerberos fragrances.
Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
The initialization of the kerberos error table
is already performed in smb_krb5_init_context_basic(),
therefore, it can be removed from of its callees.
Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec 19 04:51:27 CET 2018 on sn-devel-144
When a keytab of type MEMORY is used, the MIT kerberos krb5_kt_add_entry()
library function adds a keytab entry to the beginning of the keytab table,
instead of the end.
This adds a MIT kerberos conditional to reverse iterate through
the keytable entries to address this.
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Nov 10 12:48:02 CET 2018 on sn-devel-144
With this patch the auth_session_info_fill_unix() uses the "unix_name"
from the session_info->unix_info if no original_user_name was specified.
This is used to process a system session info where no original_user_name
is given.
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
Without this patch security_token_to_unix_token() fails with
NT_STATUS_ACCESS_DENIED, because the system session does only
have one SID.
For a typical token are at least two or more SIDs expected.
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
The pyauth code assumes the messaging context code is a py_talloc
object. But the code in pymessaging returns a wrapped talloc object.
Removing the parameter as it's not currently used by any code.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Noel Power <nopower@suse.com>
>>> len("user0@samba.example.com")
23
But the string definition does not take a final '\0' into account.
As per Volker's suggestion, use compiler's support to allocate
the string properly.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
This fills in the unix portions of the token needed by smbd and the pysmbd bindings
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Joe Guo <joeg@catalyst.net.nz>
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This is not a general purpose profiling solution, but these JSON logs are already being
generated and stored, so this is worth adding.
Some administrators are very keen to know how long authentication
takes, particularly due to long replication transactions in other
processes.
This complements a similar patch set to log the transaction duration.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
In a typical user login query, the code tries to work out the PSO 2-3
times - once for the msDS-ResultantPSO attribute, and then again for the
msDS-User-Account-Control-Computed & msDS-UserPasswordExpiryTimeComputed
constructed attributes.
The PSO calculation is reasonably expensive, mostly due to the nested
groups calculation. If we've already constructed the msDS-ResultantPSO
attribute, then we can save ourselves extra work by just re-fetching the
result directly, rather than expanding the nested groups again from
scratch.
The previous patch improves efficiency when there are no PSOs in the
system. This should improve the case where there are PSOs that apply to
the users. (Unfortunately, it won't help where there are some PSOs in
the system, but no PSO applies to the user being queried).
Also updated sam.c so the msDS-ResultantPSO gets calculated first,
before the other constructed attributes.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed May 23 10:09:11 CEST 2018 on sn-devel-144
If a PSO applies to a user, use its lockOutThreshold/Duration settings
instead of the domain setting. When we lookup a user, we now include the
msDS-ResultantPSO attribute. If the attribute is present for a user,
then we lookup the corresponding PSO object to get the lockOutThreshold/
Duration settings.
Note: This is not quite enough to make the PSO lockout tests pass, as
msDS-User-Account-Control-Computed is still constructed based on the
domain lockoutDuration setting rather than the PSO.
Updating the password_hash.c code properly will be done in a subsequent
commit.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 22 02:42:32 CEST 2018 on sn-devel-144
chgtdcpass should add a new DC password and delete the old ones but the bug
exposed by this test causes the tool to remove only a single record from
the old entries, leaving the old passwords functional. Since the tool is
used by administrators who may have disclosed their domain join password and
want to invalidate it, this is a security concern.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue May 15 15:45:08 CEST 2018 on sn-devel-144
chgtdcpass should add a new DC password and delete the old ones but the bug
exposed by this test causes the tool to remove only a single record from
the old entries, leaving the old passwords functional. Since the tool is
used by administrators who may have disclosed their domain join password and
want to invalidate it, this is a security concern.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Generate a GUID for each successful authorization, this will allow the
tying of events in the logs back to a specific session.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
With the changes to make samba python code Py2/Py3 compatible there
now are many instances where string content is decoded.
Decoded string variables in Py2 are returned as the unicode type. Many
Py2 c-module functions that take string arguments only check for the
string type. However now it's quite possibe the content formally passed
as a string argument is now passed as unicode after being decoded,
such arguments are rejected and code can fail subtly. This only affects
places where the type is directly checked e.g. via PyStr_Check etc.
arguments that are parsed by ParseTuple* functions generally already
accept both string and unicode (if 's', 'z', 's*' format specifiers
are used)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
There's no need to do a crack_name_to_nt4_name(), as the authentication
already provides the nt4 domain and account names.
This should only happen on an RODC, that we use the winbind auth module
for local users. So we should make sure we only try to reset
the badPwdCount for users of our own domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Every caller did a talloc_steal() after socket_create(). Just pass in the
correct memory context.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
It turns out that an empty domain name maps to the local SAM.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb 23 04:08:26 CET 2018 on sn-devel-144
This is no longer useful as it doesn't support async requests.
It could be readded using pthreadpool_tevent_job_send()
and wbcCtxAuthenticateUserEx() if required.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is no longer useful as the 'winbind' backend also
handles the rodc case now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This adds support for trusted domains to the auth stack on AD DCs.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This adds authentication support for trusted domains to the
netlogon server.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This prepares real async handling in the backends.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jun 27 21:09:08 CEST 2017 on sn-devel-144
This prepares real async handling in the backends.
Check with git show -w.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This prepares the conversion to winbind_check_password_send/recv()
where the internal state is called 'winbind_check_password_state'
as 'state'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
The previous commit removed the condition from the block. No change in
behaviour, best viewed with git show -w.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We need to handle every error instead of just NT_STATUS_NO_SUCH_USER,
the callers also doesn't require NT_STATUS_NOT_IMPLEMENTED anymore.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
There's no point in creating a temporary ldb_context as
the only callers already have a valid struct ldb_context for
the local sam.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
There's no point in creating a temporary ldb_context as
all direct callers already have a valid struct ldb_context for
the local sam.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is important to allow the 'new_spnego' with mech_list protection to work
for a SMB session setup.
This is not strictly needed as we always announce GENSEC_FEATURE_SESSION_KEY
in gensec_gssapi_have_feature(), but it's better to send GSS_C_INTEG_FLAG
over the wire.
This may prevent a ticket from a Samba client to an SMB server
(particularly a DC) being misused to connect to the LDAP server on that
DC, as the LDAP server will require GSSAPI signing of the connection.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This matches logic of samba_server_gensec_start() and avoids warnings like this:
WARNING: talloc_steal with references at ../source4/auth/samba_server_gensec.c:150
reference at ../auth/gensec/gensec_start.c:586
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows you to forward bad password count resets to 0. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).
(further patches still need to address forcing a RWDC contact)
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This requires as a pre-requisite that the auth stack is not run twice.
We remove the knownfail introduced in the earlier patch.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We rely on the other SAM modules to increment the badPwdCount locally,
but we must reset to 0 if the remote sends a success (to override our
failure).
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will be used by the dns services to only allow
spnego/krb5. This makes sure the accepting backend
doesn't require any RPC or IPC communication for now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pass in the TALLOC_CTX * from the module init to remove
another talloc_autofree_context() use.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Use NULL here, not the autofree context for this
static pointer. The destructor prevents freeing this
memory anyway.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Use the talloc context passed into all modules.
Remove one more talloc_autofree_context().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Not currently used - no logic changes inside.
This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.
Updated all known module interface numbers, and added a
WHATSNEW.
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
Prior to this, the modification of lockoutTime triggered referrals.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Previously, it only bothered if it was being incremented. Now on first
logon, it should turn the unset logonCount to 0.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The cracknames call is done in the "sam" backend now.
In order to support trusted domains correctly, the backends
need to get the raw values from the client.
This is the important change in order to no longer
silently map users from trusted domains to local users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We need to check if the upn suffix is within our forest.
The check if it's within our domain is done in
authsam_check_password_internals() after calling
crack_name_to_nt4_name().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It's better to consistently fail authentications for users
of trusted domains (on a RWDC) with NT_STATUS_NO_TRUST_LSA_SECRET,
instead of silently mapping them to local users, by accident.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This fails the authentication for any known domain with
NT_STATUS_NO_TRUST_LSA_SECRET.
This will be used on an AD_DC to fail authentication
for users of trusted domains sanely, instead of silently
mapping them to local users.
This is just a temporary solution, until we have full
async support in the gensec/auth4.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will allow tests to be written to confirm the correct events are triggered.
We pass in a messaging context from the callers
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
We also log if a simple bind was over TLS, as this particular case matters to a lot of folks
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Existing comment is no longer relevant.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Administrators really care about how their users were authenticated, so make
this clear.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Add a human readable authentication log line, to allow
verification that all required details are being passed.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This will allow the authentication log to indicate clearly how the password was
supplied to the server.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This function is only called for simple binds, and by moving the mapping into
the function call we allow the unmapped values to be included in the
user_info and so logged.
We also include the local address and the remote address of the client
for future logging
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
We will soon have a much better replacement, but a note here may help some in the transition
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This allows a free text description of what the server-side service is for logging
purposes where the various services may be using the same Kerberos service or not
use Kerberos.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This is because it cannot be updated here (only SendToSAM) and prevents
RODC from resetting the badPwdCount (as well as lockoutTime, which needs
to be fixed to allow RODC local modification).
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
