1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1275 Commits

Author SHA1 Message Date
Volker Lendecke
a55bd7e424 lib: Add samlogon_cache.h
Move prototypes into its own header file

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-02 09:36:08 +01:00
Volker Lendecke
df9e7c7ae5 lib: Remove global xfile.h includes
This makes it more obvious where this legacy code is used

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Nov 20 06:23:19 CET 2016 on sn-devel-144
2016-11-20 06:23:19 +01:00
Volker Lendecke
1314db09dd lib: Rename fgets_slash to x_fgets_slash
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-11-20 02:28:11 +01:00
Uri Simchoni
3f82db56cb smbd: in ntlm auth, do not map empty domain in case of \user@realm
When mapping user and domain during NTLM authentication, an empty domain
is mapped to the local SAM db. However, an empty domain may legitimately
be used if the user field has both user and domain in upn@realm format.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12375

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-10-25 01:46:23 +02:00
Trever L. Adams
7accec7f78 Update smbrun to allow for settings environment variables.
Signed-off-by: Trever L. Adams <trever.adams@gmail.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 13 04:26:26 CEST 2016 on sn-devel-144
2016-10-13 04:26:26 +02:00
Jeremy Allison
ccfba2537d s3: auth: Use wbcAuthenticateUserEx to prime the caches.
Idea by Volker - use WBC_AUTH_USER_LEVEL_PAC to pass
the PAC to winbind from smbd on auth, this allows
winbind to prime the user info via netsamlogon_cache_store()
and the name2sid cache *before* smbd looks up the user.

Note that as this is merely a cache prime having
winbind not available is not an error.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Sep 28 22:45:27 CEST 2016 on sn-devel-144
2016-09-28 22:45:27 +02:00
Jeremy Allison
da47e13323 s4: messaging: Remove bool auto_remove parameter from imessaging_init().
With modern messaging this doesn't do anything (it's an
empty destructor). Clean up so we can add a proper destructor
in future.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-23 06:04:11 +02:00
Stefan Metzmacher
4406cf792a krb5pac.idl: introduce PAC_DOMAIN_GROUP_MEMBERSHIP to handle the resource groups
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 30 07:16:45 CEST 2016 on sn-devel-144
2016-06-30 07:16:45 +02:00
Stefan Metzmacher
3eba60aa65 auth/wbc_auth_util: change wbcAuthUserInfo_to_netr_SamInfo* from level 3 to 6
This includes user_principal_name and dns_domain_name.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Jeremy Allison
1b3b893454 s3: auth: Move the declaration of struct dom_sid tmp_sid to function level scope.
It's referred to outside of the {} brace scope it was defined in by
the following code:

                uid_to_unix_users_sid(*uid, &tmp_sid);
                user_sid = &tmp_sid;

As tmp_sid was going out of scope, user_sid was
being incorrectly set in the token sid list.

I think this *may* be the root cause of:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10618

But even if not this is an obvious error that must
be fixed.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri May 27 11:28:18 CEST 2016 on sn-devel-144
2016-05-27 11:28:18 +02:00
Stefan Metzmacher
ead483b0c0 s3:auth_builtin: anonymous authentication doesn't allow a password
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-28 16:51:17 +02:00
Ralph Boehme
eaa7f66d35 CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
Use SMB_SIGNING_IPC_DEFAULT for RPC connections.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-04-12 19:25:26 +02:00
Stefan Metzmacher
4fb6867495 CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:24 +02:00
Günther Deschner
c06058a99b s3-auth: check for return code of cli_credentials_set_machine_account().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 17 20:43:19 CET 2016 on sn-devel-144
2016-03-17 20:43:17 +01:00
Michael Adam
476672b647 dlist: remove unneeded type argument from DLIST_ADD_END()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-02-06 21:48:17 +01:00
Volker Lendecke
88c4687945 idl: Rename "principle" to "principal_name"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-02-02 08:42:09 +01:00
Uri Simchoni
d8717a038e auth: consistent handling of well-known alias as primary gid
When a local user has its primary group id mapped to a well-known
alias or a builtin group, smbd accepts logins of such a user, but
fails tree-connects to shares with a "force user" set to this user
with an error of NT_STATUS_INVALID_SID.

This fix causes the connect to succeed and the NT token to resemble
the token that would have been created in a login.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-11-19 20:17:23 +01:00
Uri Simchoni
42b7d48f76 auth: remove a line that has no effect
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-11-19 20:17:23 +01:00
Marc Muehlfeld
18879dab9a Changing log level of two entries to DBG_NOTICE
On domain members using RFC2307, machine acccounts without an uidNumber
attribute are not retrieved via idmap_ad. This leads to many of the following
two error messages:
   Username DOMAIN\machineaccountname$ is invalid on this system
and
   Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
Machine accounts don't have an uidNumber attribute, if not set manually. To
avoid flooding the logs, setting message from debug level 1 to DBG_NOTICE.

Bugreport: https://bugzilla.samba.org/show_bug.cgi?id=9912

Signed-off-by: Marc Muehlfeld <mmuehlfeld@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov  4 00:46:15 CET 2015 on sn-devel-104
2015-11-04 00:46:15 +01:00
Volker Lendecke
46308bb2a6 auth: Remove procid_self() from auth_samba4
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2015-10-19 12:09:10 +02:00
Andreas Schneider
6363c0232c s3-auth: Fix a memory leak in make_server_info_info3()
We call make_server_info(NULL) and it is possible that we do not free
it, because server_info is not allocated on the memory context we pass
to the function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-08-21 14:46:15 +02:00
Andreas Schneider
e8c76932e4 s3-auth: Pass nt_username to check_account()
We set nt_username above but do not use it in this function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-08-21 14:46:15 +02:00
Andreas Schneider
34965d4d98 s3-auth: Fix 'map to guest = Bad Uid' support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-08-21 14:46:15 +02:00
Andreas Schneider
109ff388fd s3-auth: Fix a possible null pointer dereference
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11404

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul 17 14:04:01 CEST 2015 on sn-devel-104
2015-07-17 14:04:01 +02:00
Richard Sharpe
57568f1900 Convert all uint32/16/8 to _t in a grab-bag of remaining files.
I still need to fix the rpc stuff, but we are almost there.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 14 22:16:56 CEST 2015 on sn-devel-104
2015-05-14 22:16:56 +02:00
Richard Sharpe
0f9f5bab27 Convert all uses of uint32/16/8 to _t in source3/auth.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-13 19:11:24 +02:00
Maks Naumov
9343386b91 s3: Fix pam_authenticate() when lp_null_passwords() is true
(PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK)
is always 0 when lp_null_passwords() == true.

Signed-off-by: Maks Naumov <maksqwe1@ukr.net>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-05-04 18:24:21 +02:00
Michael Adam
696ce368bd s3:auth: use lp_load_with_shares() in auth3_check_password()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
2015-04-22 13:57:29 +02:00
Michael Adam
f1cdba23a8 s3:auth: use lp_load_with_shares() in auth3_generate_session_info_pac()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
2015-04-22 13:57:29 +02:00
Stefan Metzmacher
484adf45ed s3:auth_domain: make use of cli_rpc_pipe_open_schannel()
This simplifies a lot and allows the previous password to be used.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:43 +01:00
Stefan Metzmacher
91e4cbc46f s3:auth_domain: fix talloc problem in connect_to_domain_password_server()
return values of connect_to_domain_password_server() need to be exported
to the callers memory context.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:43 +01:00
Volker Lendecke
ca59881380 smbd: Simplify create_token_from_sid()
This if-statement is unnecessary. First, talloc_array returns non-NULL
even if asked for 0 elements. Second, a bit further down we do a

SMB_ASSERT(num_group_sids > 0);

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-11 16:11:08 +01:00
Volker Lendecke
05cec933bd smbd: Simplify create_token_from_sid()
With the previous commit all 3 branches do the same

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-11 16:11:08 +01:00
Volker Lendecke
64a0724c6e smbd: Streamline the gids handling in create_token_from_sid()
Usually, I'm all for avoiding talloc. But in this case I believe that this
routine is complex enough to justify this change. For an hour or so I suspect
that the winbind case had an uninitialized "*gid" until I discovered the
sid_to_gid(). This makes it more obvious that *gid is assigned.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-11 16:11:08 +01:00
Volker Lendecke
785b5f698f smbd: Put a variable definition closer to its use
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-11 16:11:08 +01:00
Jeremy Allison
83066ed539 s3: auth: Add previously missing allocation fail check.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-01-14 06:24:06 +01:00
Jeremy Allison
60895e62fe s3: auth: Plumb in the SamInfo3_handle_sids() utility function into passwd_to_SamInfo3().
Core fix for:

https://bugzilla.samba.org/show_bug.cgi?id=11044

Based on code from Michael Zeis <mzeis.quantum@gmail.com>

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-01-14 06:24:06 +01:00
Jeremy Allison
d20b2d3972 s3: auth: Convert samu_to_SamInfo3() to use the new utility function.
Based on code from Michael Zeis <mzeis.quantum@gmail.com>

https://bugzilla.samba.org/show_bug.cgi?id=11044

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-01-14 06:24:06 +01:00
Jeremy Allison
9395243890 s3: auth: Add a utility function - SamInfo3_handle_sids() that factors out the code to handle "Unix Users" and "Unix Groups".
Based on code from Michael Zeis <mzeis.quantum@gmail.com>

https://bugzilla.samba.org/show_bug.cgi?id=11044

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-01-14 06:24:06 +01:00
Stefan Metzmacher
3dcc321daf s3:auth: add some const to user_in_list()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-14 23:27:05 +01:00
Stefan Metzmacher
c6d3571650 s3:auth: add missing auth_samba4_init() prototype
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-14 23:27:05 +01:00
root
e8bd0c0e93 Don't drop any error codes just because we think there cannot be any errors we didn't think of if the user asked for a level 10 log.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 30 09:14:51 CET 2014 on sn-devel-104
2014-10-30 09:14:50 +01:00
Andrew Bartlett
ae72733874 s3-winbindd: Attempt to connect to NETLOGON over NCACN_IP_TCP if we can
This is very helpful in the trusted domain situation, as we may not
have a two-way trust but we can use our domain trust account to set up
a connection to NETLOGON

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct  8 12:48:15 CEST 2014 on sn-devel-104
2014-10-08 12:48:15 +02:00
Stefan Metzmacher
45807028d4 lib/util: move memcache.[ch] to the toplevel 'samba-util' library
This is generic enough that it could be used in all code.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jul 18 15:43:33 CEST 2014 on sn-devel-104
2014-07-18 15:43:33 +02:00
Volker Lendecke
1dddf6c24a auth: Fix an incompatible pointer assignment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jul  7 10:58:30 CEST 2014 on sn-devel-104
2014-07-07 10:58:30 +02:00
Andrew Bartlett
0b77cd969c s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
This changes the auth code in winbindd to use this as a flag, and to
therefore contact the RW DC.

Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Jeremy Allison
0e5a9f44e4 s3: auth: Change auth3_generate_session_info_pac() to use a copy of the info3 struct from the struct PAC_LOGON_INFO.
Call create_info3_from_pac_logon_info() to add in any resource SIDs
from the struct PAC_LOGON_INFO to the info3.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
2014-06-18 01:03:13 +02:00
Jeremy Allison
db775c68cc s3: auth: Add create_info3_from_pac_logon_info() to create a new info3 and merge resource group SIDs into it.
Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
2014-06-18 01:03:13 +02:00
Jeremy Allison
527f7b5438 s3: auth: Change make_server_info_info3() to take a const struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
make_server_info_info3() only reads from the info3 pointer.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
2014-06-18 01:03:13 +02:00
Jeremy Allison
c2411767ad s3: auth: Add some const to the struct netr_SamInfo3 * arguments of copy_netr_SamInfo3() and make_server_info_info3()
Both functions only read from the struct netr_SamInfo3 * argument.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
2014-06-18 01:03:13 +02:00