1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

571 Commits

Author SHA1 Message Date
Andreas Schneider
08d1ac0e36 nss_wins: Fix errno values for HOST_NOT_FOUND
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 16 04:10:55 CET 2016 on sn-devel-144
2016-11-16 04:10:55 +01:00
Volker Lendecke
8f4e426f33 wbinfo: Use ntlmv2 by default for wbinfo -a
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-11-15 01:14:21 +01:00
Andreas Schneider
7f14776ba7 nsswitch: Use own credential cache for wbinfo tests
If we do not set it will add the credentials to the system default
credential cache, which is e.g. FILE:/tmp/krb5cc_1000.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-09-25 09:05:27 +02:00
Andreas Schneider
382345126c nsswitch: Also set h_errnop for nss_wins functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>

Autobuild-User(master): Jim McDonough <jmcd@samba.org>
Autobuild-Date(master): Tue Sep 20 20:16:43 CEST 2016 on sn-devel-144
2016-09-20 20:16:43 +02:00
Andreas Schneider
d8a5565ae6 waf: Explicitly link against libnss_wins.so
If we do not specify replace as a depencency here, it will not link to
libreplace using an rpath.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12277

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>

Autobuild-User(master): Jim McDonough <jmcd@samba.org>
Autobuild-Date(master): Tue Sep 20 08:00:08 CEST 2016 on sn-devel-144
2016-09-20 08:00:08 +02:00
Andreas Schneider
124ae4e861 nsswitch: Add missing arguments to wins gethostbyname*
The errno pointer argument is missing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>
2016-09-20 04:10:21 +02:00
Ralph Boehme
2a322a7671 selftest: test idmap backend id allocation for unknown SIDS
If an SID is is not found becaues the RID doesn't exist in a domain and
the domain is configured to use a non-allocating idmap backend like
idmap_ad or idmap_rfc2307, winbindd must not return a mapping for the
SID.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-06-28 07:27:18 +02:00
Andreas Schneider
539116e588 nsswitch: Fix memory leak in test_wbc_trusts()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
3c9f0815fb nsswitch: Fix memory leak in test_wbc_groups()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
e9fabe3a11 nsswitch: Fix memory leak in test_wbc_users()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
6a620adb25 nsswitch: Fix memory leak in test_wbc_domain_info()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
9b732c2448 nsswitch: Fix memory leak in test_wbc_pingdc2()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
4961362106 nsswitch: Fix memory leak in test_wbc_get_sidaliases()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
2ae40865be nsswitch: Fix memory leak in test_wbc_pingdc()
Found by cppcheck.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Andreas Schneider
f479a1f896 nsswitch: Fix wbclient torture_assert_wbc_ok_goto_fail macro
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-06-24 02:01:19 +02:00
Tom Mortensen
0b1f4db325 nss_wins: Fix the hostent setup
This can never have been tested....

Signed-off-by: Tom Mortensen <tomm@lime-technology.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-04-22 07:20:17 +02:00
Tom Mortensen
d3569ca271 nss_wins: ip_pton expects the raw IP address
Signed-off-by: Tom Mortensen <tomm@lime-technology.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-04-22 07:20:17 +02:00
Stefan Metzmacher
2063692367 CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
We don't need to change the protocol version because:

1. An old client may provide the "initial_blob"
   (which was and is still ignored when going
   via the wbcCredentialCache() function)
   and the new winbindd won't use new_spnego.

2. A new client will just get a zero byte
   from an old winbindd. As it uses talloc_zero() to
   create struct winbindd_response.

3. Changing the version number would introduce problems
   with backports to older Samba versions.

New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:22 +02:00
Volker Lendecke
4f65fa9c7b pam_winbind: Avoid a use of sprintf
pam_winbind depends on talloc, which depends on libreplace, so we have asprintf
available.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-31 20:30:11 +02:00
Andreas Schneider
94464ed82c pam_winbind: Create and use a wbclient context
PAM sessions are long running. If we create a pam session a connection
to winbind is established and only closed by the destructor of the
libwbclient library. If we create a wbcContext, we will free it in the
end of the PAM function being called and the socket will be closed. This
decreases the amount of allocated 'winbindd_cli_state' structures in
winbind for every logged in user.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 25 17:45:24 CET 2016 on sn-devel-144
2016-03-25 17:45:24 +01:00
Andreas Schneider
4c139e23e9 pam_winbind: Use the correct type to check the pam_parse() return code
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-03-25 14:18:22 +01:00
Jeremy Allison
bac35a178f nsswitch: winbind_nss_solaris.c: Remove unused macro containing strcpy.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Mar 22 07:59:35 CET 2016 on sn-devel-144
2016-03-22 07:59:35 +01:00
Jeremy Allison
a8ab1bfb7b nsswitch: winbind_nss_aix: Remove all uses of strcpy.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2016-03-22 04:38:24 +01:00
Jeremy Allison
7e435d3cce nsswitch: linux: Remove use of strcpy().
The previous use was safe, but having *any* use of strcpy inside
our code sets off security flags. Replace with an explicit length
calculation and memcpy.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2016-03-22 04:38:24 +01:00
Herwin Weststrate
0b500d413c Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth
An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which has been discussed in 2012, but was never implemented).

It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.

It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).

After the basic step has been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).

  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
  Logon failure (0xc000006d)
  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
  NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694
Signed-off-by: Herwin Weststrate <herwin@quarantainenet.nl>
Reviewed-by: Kai Blin <kai@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-11 22:58:18 +01:00
Volker Lendecke
f6f43c496e winbind: Remove unused WINBINDD_UID_TO_SID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Feb 22 23:39:13 CET 2016 on sn-devel-144
2016-02-22 23:39:12 +01:00
Volker Lendecke
07b134407c nss_aix: Hack away WINBINDD_UID_TO_SID
To do a proper xids2sids conversion I need a build environment.

Everyone who needs this and can build AIX please speak up!

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
f387124a04 winbind: Remove unused WINBINDD_GID_TO_SID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
148452b446 libwbclient: Use wbcCtxUnixIdsToSids in wbcCtxGidToSid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
1e4e215f2f libwbclient: Use wbcCtxUnixIdsToSids in wbcCtxUidToSid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
ec94aa543b winbind: Remove unused WINBINDD_SID_TO_GID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
112998fffa winbind: Remove unused WINBINDD_SID_TO_UID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
122b1a3650 libwbclient: Use wbcCtxSidsToUnixIds in wbcCtxSidToGid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
fbbe017820 libwbclient: Use wbcCtxSidsToUnixIds in wbcCtxSidToUid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
182149e937 wbinfo: Add --unix-ids-to-sids
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
171931cf7d libwbclient: Implement wbc[Ctx]UnixIdsToSids
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
5cd5ce70a1 winbind: Expose WINBINDD_XIDS_TO_SIDS externally
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
dcf6a606cf nss_netbsd: Remove unimplemented prototypes
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 11 04:43:53 CET 2016 on sn-devel-144
2016-02-11 04:43:53 +01:00
Volker Lendecke
dfe51390a0 nss_linux: Remove non-nss functions
These functions were meant as a standard interface before libwbclient was
developed.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-02-11 01:32:23 +01:00
Volker Lendecke
89565775a4 libwbclient: Fix a few resource leak CIDs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-02-04 09:29:17 +01:00
Volker Lendecke
3d5873c848 libwbclient: Add "goto fail" test macros
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-02-04 09:29:17 +01:00
Michael Adam
490a27b69b pam_winbind: check != PAM_SUCCESS and != NULL explicitly
...instead of using "if (ret)" or similar.
This is just a code cleanup, no changes in behaviour.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-01-13 10:57:09 +01:00
Michael Adam
77d0fce7b7 torture: add torture comment output of name/ip to WinsBy{Ip,Name} tests
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-01-11 12:25:26 +01:00
Michael Adam
71ffd3b90b torture: Fix winbind.wbclient.ResolveWinsByIp test
The test gets handed a name, so we first need
to resolve the name to an IP before we can
pass that on to ResolveWinsByIp.

Bug uncovered by the new nss_wrapper code (1.1.2).

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-01-11 12:25:26 +01:00
Mathieu Parent
c315fce17e Fix various spelling errors
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov  6 13:43:45 CET 2015 on sn-devel-104
2015-11-06 13:43:45 +01:00
Andreas Schneider
5ab1452436 nss_wins: Use libwbclient to query wins server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11563

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-10-26 21:23:21 +01:00
Andreas Schneider
0abbfb2e4d nss_wins: Use lp_global_no_reinit()
This avoids that we run into use after free issues when we access memory
allocated on the globals and the global being reinitialized.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11563

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-10-26 21:23:21 +01:00
Volker Lendecke
2f7bee43d8 wbinfo: make --verbose --pam-logon print sids
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Oct 12 14:01:50 CEST 2015 on sn-devel-104
2015-10-12 14:01:49 +02:00
Andrew Bartlett
1dc05386f2 build: Move __attribute__ ((destructor)) and ((constructor)) tests to wafsamba
This allows us to use them in talloc as well.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Adrian Cochrane <adrianc@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-10-09 20:14:06 +02:00
Björn Jacke
d3e51b9cfe nss_winbind: fix hang on Solaris on big groups
The problem with large groups on Solaris in the the NSS winbind module is
Solaris wants the return value to be NSS_UNAVAIL if the buffer given is too
small for getgrnam_r.  The current code return NSS_TRYAGAIN which causes
Solaris/Illumos to loop without trying to resize the buffer.

Thanks to  Nathan Huff <nhuff@acm.org> for finding this out.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10365

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Ralph Böhme <rb@sernet.de>
2015-09-11 00:34:30 +02:00