1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

97 Commits

Author SHA1 Message Date
Samuel Cabrero
be6712bd61 s3:winbind: Simplify open_cached_internal_pipe_conn()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 91395e660a)
2022-04-15 13:46:10 +00:00
Samuel Cabrero
621b80645a s3:winbind: Do not use domain's private data to store the SAMR pipes
The domain's private_data pointer is also used to store a ADS_STRUCT,
which is not allocated using talloc and there are many places casting
this pointer directly.

The recently added samba.tests.pam_winbind_setcred was randomly failing
and after debugging it the problem was that kerberos authentication was
failing because the time_offset passed to kerberos_return_pac() was
wrong. This time_offset was retrieved from ads->auth.time_offset, where
the ads pointer was directly casted from domain->private_data but
private_data was pointing to a winbind_internal_pipes struct.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit e1f29b0970)
2022-04-15 13:46:10 +00:00
Andreas Schneider
eae4c54e2b s3:winbind: Fix using normalized name in sam_name_to_sid()
name is never read again, we want lsa_name to be set.

Found by covscan.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec 15 20:22:47 UTC 2021 on sn-devel-184
2021-12-15 20:22:47 +00:00
Andreas Schneider
092e11295a s3:winbindd: Remove dead code from sam_rids_to_names()
domain_name is never NULL in this case. Found by covscan.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-12-15 19:32:30 +00:00
Volker Lendecke
3fb2fd4944 s3:winbind: Close internal RPC pipes after 5 idle seconds
Even internal pipes have a small cost, external ones will block a
process from exiting soon.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Ralph Boehme
54343f50a6 winbindd: remove obsolete sequence_number from struct winbindd_methods
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Apr 29 15:49:16 UTC 2021 on sn-devel-184
2021-04-29 15:49:16 +00:00
Andreas Schneider
2d8093946d s3:winbindd: Remove obsolete sequence_number callback from samr backend
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-04-29 15:01:29 +00:00
Volker Lendecke
bf1012ee70 winbindd: Use samr in sam_rids_to_names() instead of lsa
Same argument as with previous patches: We don't need fancy lsa
routing and samr is less prone to deadlock back into winbind

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-06 22:29:34 +00:00
Volker Lendecke
82e30f3203 winbindd: Make sam_sid_to_name use samr instead of lsa
Same argument as with name_to_sid: We don't need the lsa lookup
routing, and samr is less prone to deadlocking.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-06 22:29:34 +00:00
Volker Lendecke
c06be36e60 winbindd: Use samr instead of lsa in sam_name_to_sid()
After the "Unix Users/Groups" and wkn names have been taken care of,
all that remains here is our domain (BUILTIN or workgroup). We don't
need any of the fancy routing in lsa_lookupnames, and samr_LookupNames
is a lot less prone to deadlocks back into winbind.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-06 22:29:34 +00:00
Volker Lendecke
57246e1f81 winbindd: Avoid deadlock in sam_name_to_sid()
"Unix Users" and "Unix Groups" can recurse into nsswitch and thus into
winbind. In the binding process, we have winbindd_off(), but if we
pass the lookupNames request to a forked lsad, lsad does not
necessarily have that setting. So lsad might turn back to winbind,
which could lead to a deadlock. Handle the nsswitch lookups in
winbind.

While there, also do the simple wellknown names and the "DOMAIN\" type
3 lookups directly in winbind.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-06 22:29:34 +00:00
Volker Lendecke
174b911524 winbindd: Improve a DEBUG message in sam_name_to_sid()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:32 +00:00
Volker Lendecke
6fb317227d winbind: Simplify winbindd_samr.c
talloc_stackframe() panics on failure

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:31 +00:00
Samuel Cabrero
5fe7536145 winbind: Remove noisy error message in wb_open_internal_pipe()
Before merging the s4 and s3 RPC servers the make_internal_rpc_pipe_p()
function did not fail when the requested interface was not registered in
the calling process because it did not check the return value of
rpc_srv_get_pipe_cmds(). If the interface was not registed, the pointer
to the interface functions was NULL and later, when dispatching a call,
rpcint_dispatch() returned NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE in this
case.

After merging the RPC servers, the rpc_pipe_open_internal() function
will return NT_STATUS_RPC_INTERFACE_NOT_FOUND if the interface is not
registered in the calling process. This causes a noisy error message in
winbind when it tries to open the dssetup pipe to the primary domain and
it is not an AD domain.

The callers of wb_open_internal_pipe() when connecting to the domain
already logs the error at level greather or equal to five. This commit
moves the dupplicated and noisy error message at level zero from
wb_open_internal_pipe() to its callers outside winbindd_cm.c.

This error can be seen in winbindd logs of ad_member and nt4_member test
environments.

[2021/03/01 16:49:38.486004,  0, pid=12456] ../../source3/winbindd/winbindd_cm.c:1893(wb_open_internal_pipe)
  open_internal_pipe: Could not connect to dssetup pipe: NT_STATUS_RPC_INTERFACE_NOT_FOUND

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-06 02:20:05 +00:00
Ralph Boehme
f50987df03 winbind: directly use dcerpc_binding_handle_is_connected() in reset_connection_on_error() SAMR code
In the end we should avoid rpccli_is_connected(), rpccli_set_timeout() and the
whole rpc_pipe_client concept.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14457

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Aug  8 10:59:38 UTC 2020 on sn-devel-184
2020-08-08 10:59:38 +00:00
Christof Schmitt
640e0ef4fd winbind: Return queried domain name from name_to_sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-04-18 17:21:18 +00:00
Christof Schmitt
32e3f0663b winbind: Query domain from winbind sam_name_to_sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-04-18 17:21:18 +00:00
Volker Lendecke
58f76ab137 winbindd: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-12-20 23:40:25 +01:00
Andrew Bartlett
fc9150dcab winbindd: Do re-connect if the RPC call fails in the passdb case
This is very, very unlikely but possible as in the AD case the RPC server is in
another process that may eventually be able to restart.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-24 02:31:15 +01:00
Andrew Bartlett
d418d0ca33 winbindd: Add a cache of the samr and lsa handles for the passdb domain
This domain is very close, in AD DC configurations over a internal ncacn_np pipe
and otherwise in the same process via C linking.  It is however very expensive
to re-create the binding handle per SID->name lookup, so keep a cache.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-24 02:31:15 +01:00
Volker Lendecke
3f5fa7c458 Revert "winbind: Remove "lookup_usergroups" winbind method"
This reverts commit b231814c6b.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-06 15:09:17 +01:00
Jeremy Allison
e1874bbf26 winbind: Fix CID 1398534 Dereference before null check
Make all query_user_list backends consistent.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jan 13 13:33:37 CET 2017 on sn-devel-144
2017-01-13 13:33:37 +01:00
Volker Lendecke
24a81937d0 winbind: Fix CID 1398531 Resource leak
Not really a leak due to talloc, but this way it's clear

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-11 00:49:22 +01:00
Volker Lendecke
b26ea7ef5e winbind: Avoid a few explicit ZERO_STRUCT calls
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-04 12:22:13 +01:00
Volker Lendecke
480c9581a1 winbind: Simplify query_user_list to only return rids
Unfortunately this is a pretty large patch, because many functions
implement this API. The alternative would have been to create a new
backend function, add the new one piece by piece and then remove the
original function.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-04 12:22:13 +01:00
Volker Lendecke
b231814c6b winbind: Remove "lookup_usergroups" winbind method
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-04 12:22:12 +01:00
Volker Lendecke
241c81b276 winbind: Remove "query_user" backend function
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-04 12:22:12 +01:00
Volker Lendecke
c5b9c58032 lib: Add lib/util_unixsids.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-12-28 20:17:12 +01:00
Volker Lendecke
e8081af2c7 winbind: Fix CID 1035545 Uninitialized scalar variable
In rpc_sequence_number() we always look at *pseq

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed May  6 18:24:01 CEST 2015 on sn-devel-104
2015-05-06 18:24:01 +02:00
Richard Sharpe
57303c30b2 Change all uint32/16/8 to 32_t/16_t/8_t in winbindd.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-04-29 23:42:20 +02:00
Stefan Metzmacher
1623992105 s3:winbindd: make open_internal_lsa_conn() non static
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:43 +01:00
Andrew Bartlett
2e961bf598 winbindd: Call set_dc_type_and_flags on the internal domain
This allows the AD DC to be picked up correctly and gives the correct DNS name.

To ensure no confusion, we also always init it with the full DNS name.

It also means that, aside from the BUILTIN domain the initialized
flag is set only in one place, which will help when we add more details
to the domain structure in the future.

This in turn allows kerberos authentication against winbindd on the AD DC.

Andrew Bartlett

Change-Id: Idc829cfe5f2e867c87107b49275b17f294821dcd
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Andrew Bartlett
5a71f46f46 winbindd: Use rpc_pipe_open_interface() so that winbindd uses the correct rpc servers
This means that in the AD DC, we use the AD DC servers, while in the classic DC or file server we continue
to use the built-in SAMR and LSA servers.

Andrew Bartlett

Change-Id: I63b1443f5665016f7fcbed35907ec29d4424ab18
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-04 03:22:26 +02:00
Andrew Bartlett
e85ab68518 winbindd: Remove pointless if statement
Change-Id: I7d2646078f6e7ba596b92da7d37c285d10ad38c0
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-04 03:22:26 +02:00
Stefan Metzmacher
8fec421543 samr: don't block the sam sid or the builtin domain sid in sid_to_name
Previously only members of these domains were handled.
But we also need to handle the domain itself.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10463

Change-Id: I44f85267eda243d586fffd24a799e153de0ff982
Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@sernet.de>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-02-25 09:17:07 +01:00
Michael Adam
1ee95e4cb1 s3: rename sid_check_is_in_our_domain() to sid_check_is_in_our_sam()
This does not check whether the given sid is in our domain, but
but whether it belongs to the local sam, which is a different
thing on a domain member server.

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104
2012-07-12 18:36:02 +02:00
Michael Adam
c43505b621 s3: rename sid_check_is_domain() to sid_check_is_our_sam()
This does not check whether the given sid is the domain sid,
but whether it is the sid of the local sam, which is different
for a domain member server.
2012-07-12 16:43:51 +02:00
Volker Lendecke
d716a9bd06 s3: Fix Coverity ID 242184 Dereference after null check
rpc_query_user unconditionally dereferences user_info if successfull
2012-05-10 09:11:57 +02:00
Volker Lendecke
b72944fea7 s3: Fix two int/enum mixups 2011-08-26 16:36:17 +02:00
Andreas Schneider
eb8a0c7672 s3-winbind: We need to use internal rpc connections in winbind.
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Simo Sorce <idra@samba.org>
2011-08-21 09:05:04 -04:00
Andrew Bartlett
9fcc617ff5 s3-auth Use the common auth_session_info
This patch finally has the same structure being used to describe the
authorization data of a user across the whole codebase.

This will allow of our session handling to be accomplished with common code.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:13 +10:00
Andrew Bartlett
f16d8f4eb8 s3-auth Use struct auth3_session_info outside the auth subsystem
This seperation between the structure used inside the auth modules and
in the wider codebase allows for a gradual migration from struct
auth_serversupplied_info -> struct auth_session_info (from auth.idl)

The idea here is that we keep a clear seperation between the structure
before and after the local groups, local user lookup and the session
key modifications have been processed, as the lack of this seperation
has caused issues in the past.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:10 +10:00
Stefan Metzmacher
283f8a7fb5 Revert "s3-winbind: Fix paranoia checks in winbindd_samr.c."
This reverts commit 207a84d725.

This is the wrong fix for the problem, see bug #8215.

metze
2011-06-16 18:41:01 +02:00
Andreas Schneider
207a84d725 s3-winbind: Fix paranoia checks in winbindd_samr.c.
This fixes looking up the correct unix user instead of allocation a new
uid and creating it.

Fix bug #8215 (winbind unix username lookup doesn't work correctly).
(cherry picked from commit 531edfdd19)

Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Wed Jun 15 09:56:01 CEST 2011 on sn-devel-104
2011-06-15 09:56:01 +02:00
Günther Deschner
233779cce4 s3-winbindd: remove unused headers.
Guenther
2011-05-02 15:03:44 +02:00
Günther Deschner
9824e2e5ee s3-rpc_client: add and use rpc_client/rpc_client.h.
Guenther
2011-04-13 22:23:59 +02:00
Günther Deschner
7e73214ebf s3-auth: use auth.h where needed.
Guenther
2011-03-30 01:13:09 +02:00
Günther Deschner
235f148590 s3-passdb: use passdb headers where needed.
Guenther
2011-03-30 01:13:08 +02:00
Günther Deschner
cc94bcb952 s3-winbindd: copy acct_info to wb_acct_info so we dont need passdb for it.
Guenther
2011-03-30 01:13:08 +02:00
Jeremy Allison
bae14fba52 Remove two unused labels.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Tue Mar 29 02:23:02 CEST 2011 on sn-devel-104
2011-03-29 02:23:02 +02:00