IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 91395e660a)
The domain's private_data pointer is also used to store a ADS_STRUCT,
which is not allocated using talloc and there are many places casting
this pointer directly.
The recently added samba.tests.pam_winbind_setcred was randomly failing
and after debugging it the problem was that kerberos authentication was
failing because the time_offset passed to kerberos_return_pac() was
wrong. This time_offset was retrieved from ads->auth.time_offset, where
the ads pointer was directly casted from domain->private_data but
private_data was pointing to a winbind_internal_pipes struct.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit e1f29b0970)
name is never read again, we want lsa_name to be set.
Found by covscan.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec 15 20:22:47 UTC 2021 on sn-devel-184
Even internal pipes have a small cost, external ones will block a
process from exiting soon.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Apr 29 15:49:16 UTC 2021 on sn-devel-184
Same argument as with previous patches: We don't need fancy lsa
routing and samr is less prone to deadlock back into winbind
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Same argument as with name_to_sid: We don't need the lsa lookup
routing, and samr is less prone to deadlocking.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
After the "Unix Users/Groups" and wkn names have been taken care of,
all that remains here is our domain (BUILTIN or workgroup). We don't
need any of the fancy routing in lsa_lookupnames, and samr_LookupNames
is a lot less prone to deadlocks back into winbind.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
"Unix Users" and "Unix Groups" can recurse into nsswitch and thus into
winbind. In the binding process, we have winbindd_off(), but if we
pass the lookupNames request to a forked lsad, lsad does not
necessarily have that setting. So lsad might turn back to winbind,
which could lead to a deadlock. Handle the nsswitch lookups in
winbind.
While there, also do the simple wellknown names and the "DOMAIN\" type
3 lookups directly in winbind.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Before merging the s4 and s3 RPC servers the make_internal_rpc_pipe_p()
function did not fail when the requested interface was not registered in
the calling process because it did not check the return value of
rpc_srv_get_pipe_cmds(). If the interface was not registed, the pointer
to the interface functions was NULL and later, when dispatching a call,
rpcint_dispatch() returned NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE in this
case.
After merging the RPC servers, the rpc_pipe_open_internal() function
will return NT_STATUS_RPC_INTERFACE_NOT_FOUND if the interface is not
registered in the calling process. This causes a noisy error message in
winbind when it tries to open the dssetup pipe to the primary domain and
it is not an AD domain.
The callers of wb_open_internal_pipe() when connecting to the domain
already logs the error at level greather or equal to five. This commit
moves the dupplicated and noisy error message at level zero from
wb_open_internal_pipe() to its callers outside winbindd_cm.c.
This error can be seen in winbindd logs of ad_member and nt4_member test
environments.
[2021/03/01 16:49:38.486004, 0, pid=12456] ../../source3/winbindd/winbindd_cm.c:1893(wb_open_internal_pipe)
open_internal_pipe: Could not connect to dssetup pipe: NT_STATUS_RPC_INTERFACE_NOT_FOUND
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
In the end we should avoid rpccli_is_connected(), rpccli_set_timeout() and the
whole rpc_pipe_client concept.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14457
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Aug 8 10:59:38 UTC 2020 on sn-devel-184
This is very, very unlikely but possible as in the AD case the RPC server is in
another process that may eventually be able to restart.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This domain is very close, in AD DC configurations over a internal ncacn_np pipe
and otherwise in the same process via C linking. It is however very expensive
to re-create the binding handle per SID->name lookup, so keep a cache.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Make all query_user_list backends consistent.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jan 13 13:33:37 CET 2017 on sn-devel-144
Unfortunately this is a pretty large patch, because many functions
implement this API. The alternative would have been to create a new
backend function, add the new one piece by piece and then remove the
original function.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
In rpc_sequence_number() we always look at *pseq
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed May 6 18:24:01 CEST 2015 on sn-devel-104
This allows the AD DC to be picked up correctly and gives the correct DNS name.
To ensure no confusion, we also always init it with the full DNS name.
It also means that, aside from the BUILTIN domain the initialized
flag is set only in one place, which will help when we add more details
to the domain structure in the future.
This in turn allows kerberos authentication against winbindd on the AD DC.
Andrew Bartlett
Change-Id: Idc829cfe5f2e867c87107b49275b17f294821dcd
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This means that in the AD DC, we use the AD DC servers, while in the classic DC or file server we continue
to use the built-in SAMR and LSA servers.
Andrew Bartlett
Change-Id: I63b1443f5665016f7fcbed35907ec29d4424ab18
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Change-Id: I7d2646078f6e7ba596b92da7d37c285d10ad38c0
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Previously only members of these domains were handled.
But we also need to handle the domain itself.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10463
Change-Id: I44f85267eda243d586fffd24a799e153de0ff982
Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@sernet.de>
Reviewed-by: Michael Adam <obnox@samba.org>
This does not check whether the given sid is in our domain, but
but whether it belongs to the local sam, which is a different
thing on a domain member server.
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104
This does not check whether the given sid is the domain sid,
but whether it is the sid of the local sam, which is different
for a domain member server.
This patch finally has the same structure being used to describe the
authorization data of a user across the whole codebase.
This will allow of our session handling to be accomplished with common code.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This seperation between the structure used inside the auth modules and
in the wider codebase allows for a gradual migration from struct
auth_serversupplied_info -> struct auth_session_info (from auth.idl)
The idea here is that we keep a clear seperation between the structure
before and after the local groups, local user lookup and the session
key modifications have been processed, as the lack of this seperation
has caused issues in the past.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This fixes looking up the correct unix user instead of allocation a new
uid and creating it.
Fix bug #8215 (winbind unix username lookup doesn't work correctly).
(cherry picked from commit 531edfdd19)
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Wed Jun 15 09:56:01 CEST 2011 on sn-devel-104