IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The structures we unlinked have been talloc_reference()ed in gensec
and thus don't need the second talloc parent anymore. But this
talloc_unlink isn't necessary because tmp_ctx is free()ed a few lines
down.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
add_sid_to_array_unique() only fails for ENOMEM, and other parts of
the auth stack would probably crash under ENOMEM anyway. But this is
authorization-related code that should be as clean as possible.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
First set up "server_info" in a local variable and once it's fully set
up, assign it to the out parameter "pserver_info".
Pointer dereferencing obfuscates the code for me.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(find the missing TALLOC_FREE() in the - part of the patch...)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Avoid using "uchar" in source3/auth/proto.h, this is #defined in includes.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Under the following conditions a user from an ignored domain might be able to
authenticate:
- using Kerberos
- successfully previous authentication so the idmap and name caches are filled
- winbind not running (fwiw, winbindd is mandatory on a domain member)
- nscd running with a cached getpwnam for the ignored user (otherwise auth fails
because getpwnam fails)
- lookup_name() function being modified to look into the name cache before
contacting winbindd. Currently it talks directly to winbindd and that will
check the cache.
Currently, authentication will only fail because creating the local token for
the user fails because an LSA lookupname RPC call fails (because winbindd is not
running).
All of this makes a successfull authentication unlikelly, but that is more by
accident then by design.
To ensures that if winbindd is not running and as such winbindd itself can not
enforce the restriction, also implement the ignored domains check in the auth
system as a last line of defense.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
RN: "winbind:ignore domains" doesn't prevent user login from trusted domain
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
It's a bit shocking how many references we have to global
contexts. Make this a bit more obvious.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Rather than have safe_string.h #include string_wrappers.h, make users of
string_wrappers.h include it explicitly.
includes.h now no longer includes string_wrappers.h transitively. Still
allow includes.h to #include safe_string.h for now so that as many
modules as possible get the safety checks in it.
Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This is needed for make_session_info_from_username() to fill in the domain
name. The callchain goes like this:
make_session_info_from_username()
-> make_server_info_pw()
-> passwd_to_SamInfo3()
Other callers of passwd_to_SamInfo3() are also affected. A subsequent change
will let set_conn_force_user_group() user the domainname from the session_info
returned from make_session_info_from_username() to create substitution
context. Without this fix domain name would be NULL.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This delays reloading config slightly, but I don't see how could affect
observable behaviour other then log messages coming from the functions in
between the different locations for lp_load_with_shares() like
make_user_info_map() are sent to a different logfile if "log file" uses %U.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This delays reloading config slightly, but I don't see how could affect
observable behaviour other then log messages coming from the functions in
between the different locations for lp_load_with_shares() like
make_session_info_krb5() are sent to a different logfile if "log file" uses %U.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
When a domain member gets an empty domain name or '.', it should
not forward the authentication to domain controllers of
the primary domain.
But we need to keep passing UPN account names with
an empty domain to the DCs as a domain member.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
There's no real logic change here, but is makes it easier to
understand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The fake async code has been pushed down into the 3 users, remove the sync
callback. Overall it's more lines of code, but the central interface is
simplified.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jan 6 23:34:00 UTC 2020 on sn-devel-184
This is just fake async, but it avoids one use of a sync function
pointer in auth4_context
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Use generate_random_buffer() directly on the talloc'ed buffer
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Did this ever really work?
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Dec 2 22:47:24 UTC 2019 on sn-devel-184
