1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1921 Commits

Author SHA1 Message Date
Andreas Schneider
e2f1255840 s4:auth: Add FALL_THROUGH statements in gensec_krb5.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
69fa5ecb6a s4:auth: Add FALL_THROUGH statements in auth_sam.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
ef3ac405bf s4:auth: Add FALL_THROUGH statements in auth_util.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Volker Lendecke
d88f826c7b libsocket: Add "mem_ctx" to socket_create()
Every caller did a talloc_steal() after socket_create(). Just pass in the
correct memory context.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:17 +01:00
Stefan Metzmacher
57762229da s4:auth_sam: allow logons with an empty domain name
It turns out that an empty domain name maps to the local SAM.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb 23 04:08:26 CET 2018 on sn-devel-144
2018-02-23 04:08:26 +01:00
Stefan Metzmacher
e1ba819960 s4/auth_winbind: ask for validation level 6
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
6fb5704c11 s4:auth_winbind: remove unused 'winbind_wbclient' backend
This is no longer useful as it doesn't support async requests.

It could be readded using pthreadpool_tevent_job_send()
and wbcCtxAuthenticateUserEx() if required.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
0b72d0b7e5 s4:auth_winbind: remove unused 'winbind_rodc' backend
This is no longer useful as the 'winbind' backend also
handles the rodc case now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
b681810d3c s4:auth_sam: remove unused 'sam_failtrusts' backend
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
a382e05a16 s4:auth/ntlm: remove lpcfg_auth_methods() handling
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
b88f9384b0 s4:auth/ntlmssp: add support for using "winbind" as DC
This adds support for trusted domains to the auth stack on AD DCs.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
a6ad56cfa9 s4:auth: use "sam winbind" for the netlogon server
This adds authentication support for trusted domains to the
netlogon server.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
690c5e6f36 s4:auth/ntlm: provide auth_check_password_wrapper_send/recv to auth4_context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
79b891a746 s4:auth_winbind: implement async authentication via IRPC
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Andrew Bartlett
daeb74aed8 debug: new debug class for kerberos
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-30 02:12:22 +02:00
Stefan Metzmacher
c29db055a7 s4:auth/ntlm: allow auth_operations to specify check_password_send/recv()
This prepares real async handling in the backends.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jun 27 21:09:08 CEST 2017 on sn-devel-144
2017-06-27 21:09:08 +02:00
Stefan Metzmacher
f9388b0ec7 s4:auth/ntlm: introduce auth_check_password_next()
This prepares real async handling in the backends.

Check with git show -w.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-06-27 16:57:49 +02:00
Stefan Metzmacher
ee4ea4b99c s4:auth/ntlm: move auth_check_password_wrapper() further down
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-06-27 16:57:48 +02:00
Stefan Metzmacher
60bee9d118 s4:auth_winbind: rename 's' to 'state' in winbind_check_password()
This prepares the conversion to winbind_check_password_send/recv()
where the internal state is called 'winbind_check_password_state'
as 'state'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-06-27 16:57:48 +02:00
Ralph Boehme
0178206fec s4:auth_winbind: remove a block nesting level and fix indentation
The previous commit removed the condition from the block. No change in
behaviour, best viewed with git show -w.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-06-27 16:57:48 +02:00
Stefan Metzmacher
28f2039886 s4:auth_winbind: fix error checking in winbind_check_password()
We need to handle every error instead of just NT_STATUS_NO_SUCH_USER,
the callers also doesn't require NT_STATUS_NOT_IMPLEMENTED anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-06-27 16:57:48 +02:00
Stefan Metzmacher
ebb63e1cb3 s4:dsdb/samdb: pass an existing 'struct ldb_context' to crack_auto_name_to_nt4_name()
There's no point in creating a temporary ldb_context as
the only callers already have a valid struct ldb_context for
the local sam.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-26 08:47:15 +02:00
Stefan Metzmacher
f0541309d7 s4:dsdb/samdb: pass an existing 'struct ldb_context' to crack_name_to_nt4_name()
There's no point in creating a temporary ldb_context as
all direct callers already have a valid struct ldb_context for
the local sam.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-26 08:47:15 +02:00
Stefan Metzmacher
bfb25f92aa s4:auth/unix_token: remove unused tevent_context from auth_session_info_fill_unix()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-26 08:47:15 +02:00
Stefan Metzmacher
a2efaef15f s4:auth/unix_token: remove unused tevent_context from security_token_to_unix_token()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-26 08:47:15 +02:00
Stefan Metzmacher
3d96b093b7 s4:gensec_gssapi: fix CID 1409781: Possible Control flow issues (DEADCODE)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-16 19:34:17 +02:00
Stefan Metzmacher
c0fa0b88d0 s4:auth: make authenticate_ldap_simple_bind*() use auth_check_password_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:23 +02:00
Stefan Metzmacher
6e165ca85a s4:auth: add authenticate_ldap_simple_bind_send/recv
TODO: we need to make the backend async.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:23 +02:00
Stefan Metzmacher
7bf0308a31 s4:auth/gensec: let GENSEC_FEATURE_SESSION_KEY result in GSS_C_INTEG_FLAG
This is important to allow the 'new_spnego' with mech_list protection to work
for a SMB session setup.

This is not strictly needed as we always announce GENSEC_FEATURE_SESSION_KEY
in gensec_gssapi_have_feature(), but it's better to send GSS_C_INTEG_FLAG
over the wire.

This may prevent a ticket from a Samba client to an SMB server
(particularly a DC) being misused to connect to the LDAP server on that
DC, as the LDAP server will require GSSAPI signing of the connection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:22 +02:00
Stefan Metzmacher
0382a4068b s4:auth: use talloc_reparent() in samba_server_gensec_krb5_start()
This matches logic of samba_server_gensec_start() and avoids warnings like this:

WARNING: talloc_steal with references at ../source4/auth/samba_server_gensec.c:150
        reference at ../auth/gensec/gensec_start.c:586

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
fd29e28d52 netlogon: Implement SendToSam along with its winbind forwarding
This allows you to forward bad password count resets to 0. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).

(further patches still need to address forcing a RWDC contact)

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
c98514adf2 auth_sam: Make auth_sam_trigger_repl_secret more generic
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
f40fdaea7f rodc: Set non-authoritative for RODC bad passwords
This requires as a pre-requisite that the auth stack is not run twice.
We remove the knownfail introduced in the earlier patch.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
b50a147a7e auth_winbind: Allow badPwdCount to be set to 0 with this auth method
We rely on the other SAM modules to increment the badPwdCount locally,
but we must reset to 0 if the remote sends a success (to override our
failure).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
a6a19e4308 auth4: Add authoritative flag to check_password
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Stefan Metzmacher
d4f72d0b86 s4:auth: add samba_server_gensec_krb5_start()
This will be used by the dns services to only allow
spnego/krb5. This makes sure the accepting backend
doesn't require any RPC or IPC communication for now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:12 +02:00
Stefan Metzmacher
93a6b9da0f s4:auth: split out a samba_server_gensec_start_settings() helper function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:11 +02:00
Stefan Metzmacher
650a81f7bb s4:gensec_krb5: add simple gensec_krb5_update_send/recv() wrapper functions
TODO: we still need to make the internal async.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:11 +02:00
Stefan Metzmacher
58b629b2b1 s4:gensec_gssapi: add simple gensec_gssapi_update_send/recv() wrapper functions
TODO: we still need to make the internal async.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:11 +02:00
Stefan Metzmacher
0ff6a1ae1f s4:gensec_gssapi: always announce GENSEC_FEATURE_SIGN_PKT_HEADER
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:08 +02:00
Jeremy Allison
3cfa58de12 gensec: Add a TALLOC_CTX * to gensec_register().
Pass in the TALLOC_CTX * from the module init to remove
another talloc_autofree_context() use.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-05-13 16:50:13 +02:00
Jeremy Allison
3429829a42 s4: auth: Remove a talloc_autofree_context() use.
Use NULL here, not the autofree context for this
static pointer. The destructor prevents freeing this
memory anyway.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-05-11 20:30:13 +02:00
Jeremy Allison
34f616fc6f s4: auth: Add TALLOC_CTX * to auth_register()
Use the talloc context passed into all modules.
Remove one more talloc_autofree_context().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-05-11 20:30:12 +02:00
Günther Deschner
0a74793f0e s4-auth: remove some dead prototypes
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-05-10 15:53:20 +02:00
Jeremy Allison
306783d6f5 lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
Not currently used - no logic changes inside.

This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.

Updated all known module interface numbers, and added a
WHATSNEW.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
2017-04-22 01:17:00 +02:00
Garming Sam
94256c9606 password-lockout: Allow RODC to ensure lockout and lockout reset
Prior to this, the modification of lockoutTime triggered referrals.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-13 07:29:18 +02:00
Garming Sam
de26e2f87a sam.c: Make NTLM login set logonCount when unset
Previously, it only bothered if it was being incremented. Now on first
logon, it should turn the unset logonCount to 0.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-13 07:29:17 +02:00
Stefan Metzmacher
0ca09b0e10 auth4: use "sam winbind_rodc sam_failtrusts" for the netlogon authentication
We should not do anonymous authentication nor a fallback that
ignores the domain part.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
6018924578 auth4: remove unused map_user_info[_cracknames]()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
236b24dfd2 auth4: avoid map_user_info() in auth_check_password_send()
The cracknames call is done in the "sam" backend now.

In order to support trusted domains correctly, the backends
need to get the raw values from the client.

This is the important change in order to no longer
silently map users from trusted domains to local users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00