1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

50799 Commits

Author SHA1 Message Date
Stefan Metzmacher
82d8aa3b9c s3:torture: add SMB2-ANONYMOUS which asserts no GUEST bit for anonymous
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 21:54:16 +01:00
Ralph Boehme
c37fbfcb24 winbindd: add retry to _winbind_SendToSam
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar 15 20:57:44 CET 2018 on sn-devel-144
2018-03-15 20:57:43 +01:00
Ralph Boehme
e608f058b8 winbindd: add retry to _winbind_DsrUpdateReadOnlyServerDnsRecords
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:10 +01:00
Ralph Boehme
fcf8edf9b8 winbindd: add retry to _wbint_DsGetDcName
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:10 +01:00
Ralph Boehme
c2cd2d3f31 winbindd: add retry to _wbint_LookupSids()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:10 +01:00
Ralph Boehme
6244a2beb1 winbindd: use reset_cm_connection_on_error() instead of dcerpc_binding_handle_is_connected()
This catches more errors and triggers retry as appropriate.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:10 +01:00
Ralph Boehme
08718af36f winbindd: fix logic calling dcerpc_binding_handle_is_connected()
The calls were missing the negation operator, a retry should be
attempted is the binding handle got somehow disconnected behind the
scenes and is NOT connected.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
966ff3793a winbindd: call dcerpc_binding_handle_is_connected() from reset_cm_connection_on_error()
To consolidate the error handling for RPC calls, add the binding handle
as an additional argument to reset_cm_connection_on_error().

All callers pass NULL for now, so no change in behaviour up to here.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
2d1f00cc3a winbindd: force netlogon reauth for certain errors in reset_cm_connection_on_error()
NT_STATUS_RPC_SEC_PKG_ERROR is returned by the server if the server
doesn't know the server-side netlogon credentials anymore, eg after a
reboot. If this happens we must force a full netlogon reauth.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
2837b796af winbindd: call reset_cm_connection_on_error() from reconnect_need_retry()
This ensures we use the same disconnect logic in the reconnect backend,
which calls reconnect_need_retry(), and in the dual_srv frontend which
calls reset_cm_connection_on_error.

Both reset_cm_connection_on_error() and reconnect_need_retry() are very
similar, both return a bool indicating whether a retry should be
attempted, unfortunately the functions have a different default return,
so I don't dare unifying them, but instead just call one from the other.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
17749a5d9f winbindd: make reset_cm_connection_on_error() public
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
a33c1d25e0 winbindd: check for NT_STATUS_IO_DEVICE_ERROR in reset_cm_connection_on_error()
reconnect_need_retry() already checks for this error, it surfaces up
from tstream_smbXcli_np as a mapping for EIO.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Ralph Boehme
a8d5e4d367 winbindd: add and use ldap_reconnect_need_retry() in winbindd_reconnect_ads.c
ldap_reconnect_need_retry() is a copy of reconnect_need_retry() minus
the RPC connection invalidation.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-03-15 15:46:09 +01:00
Volker Lendecke
4b7a9d560a winbind: Keep "force_reauth" in invalidate_cm_connection
Right now I don't see a way to actually force a re-serverauth
from the client side as long as an entry in netlogon_creds_cli.tdb
exists. cm_connect_netlogon goes through invalidate_cm_connection, and
this wipes our wish to force a reauthenticatoin. Keep this intact until
we actually did reauthenticate.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-15 15:46:09 +01:00
Volker Lendecke
0af88b98e7 winbind: Add smbcontrol disconnect-dc
Make a winbind child drop all DC connections

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-15 15:46:09 +01:00
Volker Lendecke
bffae41842 utils: Add destroy_netlogon_creds_cli
This is a pure testing utility that will garble the netlogon_creds_cli
session_key. This creates a similar effect to our schannel credentials
as does a domain controller reboot.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-15 15:46:09 +01:00
Jeremy Allison
c41895be82 CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 13 16:06:10 CET 2018 on sn-devel-144
2018-03-13 16:06:10 +01:00
Swen Schillig
b97d18f0fe s3: Fix max indentation and max column
Minor cleanup reducing the max indentation level and max column length.

Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2018-03-12 20:39:16 +01:00
Jeremy Allison
e0b147f650 s3: vfs_fruit. Change check_ms_nfs() to remove the virtual ACE's generated by fruit_fget_nt_acl().
Ensures they don't get stored in the underlying ACL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Mar  8 04:09:38 CET 2018 on sn-devel-144
2018-03-08 04:09:38 +01:00
Jeremy Allison
8edad37e47 s3: vfs_fruit. If the security descriptor was modified, ensure we set the flags correctly to reflect the ACE's left.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-07 23:11:21 +01:00
Jeremy Allison
019a1bc4ca s3: vfs_fruit: Ensure we operate on a copy of the incoming security descriptor.
This will allow us to modify it in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-07 23:11:21 +01:00
Jeremy Allison
e9059c7b40 s3: vfs_fruit. Ensure we only return one set of the 'virtual' UNIX ACE entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-03-07 23:11:21 +01:00
Andreas Schneider
c5857f1002 s3:tests: Skip smbd error test if we do not log to stdout
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2018-03-03 00:01:23 +01:00
Noel Power
0af66455ef s3:libads: 'net ads keytab create' shouldn't write SPN(s)
Modify default behaviour of 'net ads keytab create'

The change modifies the behaviour of 'net ads keytab create' such
that only the keytab file is modified. The current behaviour doesn't
make sense, existing SPN(s) pulled from the computer AD object have
the format 'serviceclass/host:port/servicename'.
'ads_keytab_create_default' calls ads_keytab_add_entry passing
'serviceclass' for each SPN retrieved from the AD. For each
serviceclass passed in a new pair of SPN(s) is generated as follows
    i) long form 'param/full_qualified_dns'
   ii) short form 'param/netbios_name'

This doesn't make sense as we are creating a new SPN(s) from an existing
one probably replacing the existing host with the 'client' machine.

If the keytab file exists then additionally each kerberos principal in the
keytab file is parsed to strip out the primary, then 'ads_keytab_add_entry'
is called which then tries by default to generate a SPN from any primary
that doesn't end in '$'. By default those SPNs are then added to the AD
computer account for the client running the command.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:15 +01:00
Noel Power
5adb29f242 s3:utils: Modify default behaviour of 'net ads keytab add'
This change modifies the behaviour of 'net ads keytab add' such
that only the keytab file is modified.

A new command 'net ads keytab add_update_ads' has been added that
preserves the legacy behaviour which can update the AD computer
object with Winows SPN(s) as appropriate. Alternatively the new
command 'net ads setspn add' can be used to manually add the
windows SPN(s) that previously would have been added.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:15 +01:00
Noel Power
4e518ecdda s3:libads: add param to prevent writing spn(s) to ads
'net ads keytab add' currently in addition to adding to the
keytab file this command also can update AD computer objects
via ldap. This behaviour isn't very intuitive or expected given
the command name. By default we shouldn't write to the ADS.

Prepare to change the default behaviour by modifying the function
'ads_keytab_add_entry' to take a paramater to modify the existing
behaviour to optionally update the AD (or not).

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:15 +01:00
Noel Power
6cac9a4720 s3:libads: Allow 'net ads keytab add' handle Windows SPN(s) part 2
This patch addresses how the windows SPN is written to the AD.

If a legacy service (e.g. cifs, http etc.) is passed as param to
'net ads keytab add param' then windows SPNs are generated from
'param' as follows
          i) long form 'param/full_qualified_dns'
         ii) short form 'param/netbios_name'

If the SPN is a is a Windows SPN (e.g. conforming to format
'serviceclass/host:port') then this is the SPN that is passed to
the AD.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:15 +01:00
Noel Power
efabfb1c17 s3:libads: Allow 'net ads keytab add' handle Windows SPN(s) part 1
This patch addresses how the windows SPN is converted into a kerberos
priniciple to be written to the keytab file. A followup patch will
deal with writing Window SPN(s) to the AD.

Before this change 'net ads keytab add' handled three scenarios

a) 'net ads keytab add param' is passed a fully qualified kerberos principal
   (identified by the presence of '@' in param) In this scenario the keytab
   file alone is updated with the principal contained in 'param'.
b) 'net ads keytab add param'; is passed a machine name (identified by
   the paramater ending with '$'). In this case the machine name
   is converted to a kerberos principal with according to the recipe
   'param@realm' where realm is determined by lp_realm().
c) 'net ads keytab add param' is passed a service (e.g. nfs, http etc.)
   In this scenario the param containing the service is first converted to
   into 2 kerberos principals (long and short forms) according to the
   following recipe
      i) long form:  'param/fully_qualified_dns@realm'
     ii) short form: 'param/netbios_name@realm'
     where 'fully_qualified_dns is retrieved from 'dNSHostName' attribute of
     'this' machines computer account on the AD.
     The principals are written to the keytab file
   Secondly 2 windows SPNs are generated from 'param' as follows
      i) long form 'param/full_qualified_dns'
     ii) short form 'param/netbios_name'
   These SPNs are written to the AD computer account object

After this change a) & b) & c) will retain legacy behaviour except
in the case of c) where if the 'param' passed to c) is a Windows SPN
(e.g. conforming to format 'serviceclass/host:port'
  i) 'param' will get converted to a kerberos principal (just a single one)
     with the following recipe: 'serviceclass/host@realm' which will
     be written to the keytab file. The SPN written to the AD is created
     as before and the legacy behaviour is preserved.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
5fa82263ad s3:utils: add new 'net ads setspn delete' subcommand
This patch adds 'delete' to the 'net ads setspn' subcommand

(see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

Usage:

    net ads setspn delete <computer> <SPN>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
8a6c3c5ae2 s3:utils: add new 'net ads setspn add' subcommand
This patch adds 'add' to the 'net ads setspn' subcommand

(see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

Usage:

     net ads setspn add <computer> <SPN>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
65ef044b8d s3:utils: add new 'net ads setspn list' subcommand
This patch adds basic functionality not unlike the setspn.exe
command that is provided by windows for adminsistering SPN on
the AD. (see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

Only the basic list operation (that corresponds to the -l
    switch for setspn.exe is implemented)

Usage:

     net ads setspn list <computer>

Note: <computer> is optional, if not specified the computer account
associated with value returned by lp_netbios_name() is used instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
1400ab709e s3:libads: change ads_add_service_principal_name implementation
Previously the function 'ads_add_service_principal_name' created
the SPNs based on the machine_name and dns name passed to the function.
In order to prepare for a future patch that will also need to write
SPN(s) to the AD computer account, the function implementation will
need to be changed. Instead of the function creating the SPN(s) it
will now take the list SPN(s) to write to the AD 'machine_name' account
as an input param instead.
The name of the function has been changed to
'ads_add_service_principal_names' to reflect this. Additionally  client
code now needs to construct the SPNs to be passed into the function.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
cf0823fb9e s3:libads: Add a basic Windows SPN parser.
(see https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
d9593803ea s3:libads: Clean up code a little rename 'ads_get_samaccountname()'
Function 'ads_get_samaccountname()' basically returns the machine_name passed
as an input param (appended with '$') if it exists on the ad. The function
really is testing for the existence of the samaccountname and is not really
'getting' it. This is also the way it is used. Renaming this function to
'ads_has_samaccountname()' better reflects what it is actually doing and how
clients calling the code use it. It also makes the client code using calling
this function less confusing.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Noel Power
2dd94e41f6 s3:libads: ads_get_dnshostname & ads_get_samaccountname don't use param
Both ads_get_dnshostname() & ads_get_samaccountname() are passed
a param machinename as a argument. Instead of using 'machinename' these
functions are erroneously using lp_netbiosname() instead.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 14:07:14 +01:00
Andreas Schneider
a89a714656 s3:smbd: Do not crash if we fail to init the session table
This should the following segfault with SMB1:

  #6  sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94
  #7  <signal handler called>
  #8  smbXsrv_session_create (conn=conn@entry=0x5654d3512af0, now=now@entry=131594481900356690, _session=_session@entry=0x7ffc93a778e8)
      at ../source3/smbd/smbXsrv_session.c:1212
  #9  0x00007f7618aa21ef in reply_sesssetup_and_X (req=req@entry=0x5654d35174b0) at ../source3/smbd/sesssetup.c:961
  #10 0x00007f7618ae17b0 in switch_message (type=<optimized out>, req=req@entry=0x5654d35174b0) at ../source3/smbd/process.c:1726
  #11 0x00007f7618ae3550 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=140, inbuf=0x0, xconn=0x5654d35146d0)
      at ../source3/smbd/process.c:1762
  #12 process_smb (xconn=xconn@entry=0x5654d3512af0, inbuf=<optimized out>, nread=140, unread_bytes=0, seqnum=0, encrypted=<optimized out>,
      deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2008
  #13 0x00007f7618ae4c41 in smbd_server_connection_read_handler (xconn=0x5654d3512af0, fd=40) at ../source3/smbd/process.c:2608
  #14 0x00007f761587eedb in epoll_event_loop_once () from /lib64/libtevent.so.0

Inspection the core shows that:
  conn->client-session_table is NULL
  conn->protocol is PROTOCOL_NONE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13315

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-03-02 00:39:59 +01:00
Dan Robertson
b67ffaf518 libsmb: Use smb2 tcon if conn_protocol >= SMB2_02
When the connection protocol is SMB2 the tid from the smb1 member is
used instead of smb2 in cli_state_set_tid which often results in a null
deref.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13310

Signed-off-by: Dan Robertson <drobertson@tripwire.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-02 00:39:58 +01:00
Volker Lendecke
c38062604b winbind: Fix --ping-dc error handling
If the child dies at the wrong moment, we get an error in the "req" itself.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar  1 14:48:19 CET 2018 on sn-devel-144
2018-03-01 14:48:19 +01:00
Volker Lendecke
49adb5ac8f winbind: Fix a race between the sigchld and 0-sized socket read
Fix a bug when a child dies when a request is pending in the child. If the
signal handler fires before epoll finds out the other end of the parent-child
socket is closed, we close the socket on our side without taking care of the
pending request. This causes two problems: First, that one pending request
never is replied to properly, and secondly, we might end up with EPOLL_DEL on a
wrong file descriptor. This causes all sorts of trouble if we hit an active
one.

The fix for this problem is not to close the socket in winbind_child_died().
This however stops an idle child that dies hard from being properly cleaned up.
The fix for that is to add the child->monitor_fde that is set pending only when
no child request is active. This way we can remove the close(sock) in the
signal handler.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:46 +01:00
Volker Lendecke
33f5f5c461 winbind: Remove the "winbindd_children" global
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:46 +01:00
Volker Lendecke
09677053f7 winbind: Use forall_children in reinit_after_fork()
This removes the special handling for idmap_child() after the "This is
a little tricky" comment. I believe this was not required at all, the
idmap_child is part of the winbindd_children list.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
0e6d3a59eb winbind: Use forall_children in winbind_msg_ip_dropped_parent()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
dba9a12e30 winbind: Use forall_domain_children in winbind_msg_online
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
0c58fb365a winbind: Use forall_domain_children in winbind_msg_offline()
Note that we only walk the domain children, which all have
child->domain != NULL. So we don't need that check anymore.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
815bdc65a2 winbind: Remove unused winbindd_internal_child()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
723560aed2 winbind: "internal" children never have a domain set
Look at setup_domain_child(): There we always set child->domain. The only other
two children are the idmap and locator children, which don't have a domain set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
94c02211f9 winbind: Use forall_children in winbind_child_died()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Volker Lendecke
4f76a1deae winbind: Implement forall_children()
Step 0 in removing winbindd_children as a variable: We have access to
all children via our domain list and the two explicit children. There's
no need to separately maintain a list of winbind children. Maintaining
child->pid != 0 is sufficient to make sure we only walk active children.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13309

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-01 09:53:45 +01:00
Andreas Schneider
1aabfff8a6 libsmb: Remove incorrect fall through comment in trusts_util.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar  1 09:52:37 CET 2018 on sn-devel-144
2018-03-01 09:52:37 +01:00
Andreas Schneider
d4ccca2d66 s3:spoolss: Remove incorrect fall through comment in srv_spoolss_nt.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:44 +01:00
Andreas Schneider
7619442a79 s3:winbindd: Add FALL_THROUGH statements in idmap_autorid.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
5ba0b72fa3 s3:utils: Add FALL_THROUGH statements in ntlm_auth.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
45153120cb s3:utils: Add FALL_THROUGH statements in net_registry_check.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
29b5de26df s3:smbd: Add FALL_THROUGH statements in reply.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
3e2e4096cc s3:rpcclient: Add FALL_THROUGH statements in rpcclient.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
cafe8ac965 s3:lsa: Add FALL_THROUGH statements in srv_lsa_nt.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
824fa2c4db s3:modules: Add FALL_THROUGH statements in getdate.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
f5d69d7134 s3:libnet: Add FALL_THROUGH statements in libnet_join.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
d17cb7cebf s3:rpc_server: Add FALL_THROUGH statements in rpc_server.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
7b946e3480 s3:utils: Add FALL_THROUGH statements in net_rpc_conf.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
36315769b8 s3:utils: Add FALL_THROUGH statements in net_conf.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
273ef59761 s3:utils: Add FALL_THROUGH statements in regedit.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
964b2d4aae s3:smbd: Add FALL_THROUGH statements in trans2.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
a4623fac64 s3:smbd: Add FALL_THROUGH statements in nttrans.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
4744b777f5 s3:modules: Add FALL_THROUGH statements in vfs_acl_common.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
2cc130683e s3:libsmb: Add FALL_THROUGH statements in dsgetdcname.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
3b9aa1c625 s3:lib: Add FALL_THROUGH statements in util_sd.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
feeb49f4cf s3:lib: Add FALL_THROUGH statements in sysacls.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
3f1a4b749d s3:lib: Add FALL_THROUGH statements in cbuf.c 2018-03-01 04:37:42 +01:00
Andreas Schneider
03ed979eb0 s3:auth: Add FALL_THROUGH statements in pampass.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
6744e8c7d4 s3:auth: Add FALL_THROUGH statements in auth_sam.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
16d14fa863 s3:lib: Add FALL_THROUGH statements in util_str.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:41 +01:00
Andreas Schneider
9fed4562ca s3:lib: Add FALL_THROUGH statements in util_path.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:41 +01:00
Andreas Schneider
d78d1a71ff s3:lib: Add FALL_THROUGH statements in substitute_generic.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:41 +01:00
Stefan Metzmacher
afd97e7209 winbindd: disable support for CROSS_ORGANIZATION domains
We don't support selective authentication yet,
so we shouldn't silently allow domain wide authentication
for such a trust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-28 14:33:19 +01:00
Volker Lendecke
5f4b71d21d winbindd: Remove "DUMP_EVENT_LIST" message
This was no longer implemented, remove it completely

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-26 22:30:14 +01:00
Poornima G
46e6626f73 vfs_glusterfs: Fix the wrong pointer being sent in glfs_fsync_async
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13297

Pair-Programmed-With: Anoop C S <anoopcs@redhat.com>
Signed-off-by: Poornima G <pgurusid@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Feb 26 20:17:50 CET 2018 on sn-devel-144
2018-02-26 20:17:50 +01:00
Andreas Schneider
0258122535 s3:selftest: Run the smbtorture3 TLDAP test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-24 10:54:07 +01:00
Jeremy Allison
5ad5e7966f s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir()
HPUX has this problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13270

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Feb 23 22:56:35 CET 2018 on sn-devel-144
2018-02-23 22:56:35 +01:00
Stefan Metzmacher
06601b3a92 winbind: don't try to do an authenticated SMB connection as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 23 17:58:23 CET 2018 on sn-devel-144
2018-02-23 17:58:23 +01:00
Stefan Metzmacher
55c3af89f1 winbind: set_dc_type_and_flags() is not needed on a DC
On a DC we load the trusts in the parent in add_trusted_domains_dc()
from our local configuration. There's no need to find out the trust details
via network calls.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
18f27b5385 winbind: make sure we don't contact trusted domains via LDAP as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
32a63e3ea9 winbind: make sure we don't contact trusted domains via SAMR as AD DC
This is not needed for the normal operation of an AD DC.

Administrators should just use other tools instead of
wbinfo to list and query users and groups.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
532a14dc68 winbind: let cm_connect_netlogon_transport() only work against direct trust as AD DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
3e17a3b7cd winbind: force the usage of schannel in cm_connect_lsa() as AD DC
This makes sure we only talk to direct trusts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
c58f8c3cd8 s3:smb_macros.h: add IS_AD_DC as addition to IS_DC
In the long run we should remove this again (as well as IS_DC).

But for now this makes some code changes in winbindd easier to
follow.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13278

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-23 12:47:25 +01:00
Ralph Boehme
f9e2cb1369 vfs_fruit: use off_t, not size_t for TM size calculations
size_t is only a 32-bit integer on 32-bit platforms. We must use off_t
for file sizes.

https://bugzilla.samba.org/show_bug.cgi?id=13296

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
7f2d45a6c2 winbind: Use one queue for all domain children
If we have multiple domain children, it's important
that the first idle child takes over the next waiting request.

Before we had the problem that a request could get stuck in the
queue of a busy child, while later requests could get served fine by
other children.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 23 09:04:23 CET 2018 on sn-devel-144
2018-02-23 09:04:23 +01:00
Volker Lendecke
b518cb0597 winbind: Maintain a binding handle per domain and always go via wb_domain_request_send()
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
5116aff286 winbind: make choose_domain_child() static
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
44ebaaac89 winbind: add locator_child_handle() and use it instead of child->binding_handle
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
c2d78a0a0a winbind: add idmap_child_handle() and use it instead of child->binding_handle
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
1f41193e00 winbind: improve wb_domain_request_send() to use wb_dsgetdcname_send() for a foreign domain
Commit ed3bc614cc got the logic wrong while
trying to implement the logic we had in init_child_connection(),
which was removed by commit d61f3626b7.

Instead of doing a WINBINDD_GETDCNAME request (which would caused an error
because the implementation was removed in commit
958fdaf5c3), we sent the callers request
and interpreted the result as WINBINDD_GETDCNAME response, which
led to an empty dcname variable. As result the domain child
opened a connection to the primary domain in order to lookup
a dc.

If we want to connect the primary domain from the parent via
a domain child of the primary domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13295

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
4d804f5f3e winbind: use state->{ev,request} in wb_domain_request_send()
This will reduce the diff for the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13295

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
d73e3d4519 winbind: avoid using fstrcpy(dcname,...) in _dual_init_connection
domain->dcname was converted from fstring to char * by commit
14bae61ba3.

Luckily this was only ever called with an empty string in
state->request->data.init_conn.dcname.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13294

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
b158d4e4c1 winbind: cleanup winbindd_cli_state->pwent_state if winbindd_getpwent_recv() returns an error
A client may skip the explicit endpwent() if getgrent() fails.

This allows client_is_idle() return true in more cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13293

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
b7789da846 winbind: cleanup winbindd_cli_state->grent_state if winbindd_getgrent_recv() returns an error
A client may skip the explicit endgrent() if getgrent() fails.

This allows client_is_idle() return true in more cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13293

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
6548b82b5c winbind: call lp_winbind_enum_{users,groups}() already in set{pw,gr}ent()
This way we don't keep winbindd_cli_state->{pw,gr}ent_state arround forever,
if the client forgets an explicit end{pw,gr}ent().

This allows client_is_idle() return true in more cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13293

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
43af57d872 winbind: protect a pending wb_child_request against a talloc_free()
If the (winbind) client gave up we call TALLOC_FREE(state->mem_ctx)
in remove_client(). This triggers a recursive talloc_free() for all
in flight requests.

In order to maintain the winbindd parent-child protocol, we need
to keep the orphaned wb_simple_trans request until the parent
got the response from the child.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13290

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
d29dda141e winbind: use tevent_queue_wait_send/recv in wb_child_request_*()
We need a way to keep the child->queue blocked without relying on
the current 'req' (wb_child_request_state).

The next commit will make use of this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13290

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-23 04:09:18 +01:00
Stefan Metzmacher
e039e9b0d2 s3:cliconnect.c: remove useless ';'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-22 23:15:16 +01:00
Stefan Metzmacher
0786a65cab s3:libsmb: allow -U"\\administrator" to work
cli_credentials_get_principal() returns NULL in that case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-22 23:15:16 +01:00
Günther Deschner
6a59619844 build: fix libceph-common detection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13277

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Feb 22 19:30:12 CET 2018 on sn-devel-144
2018-02-22 19:30:12 +01:00
Douglas Bagnall
a4c853a7de util/rfc1738_unescape(): return end pointer or NULL on error
At present we don't detect errors, but when we do we'll return NULL.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-22 01:04:18 +01:00
Stefan Metzmacher
3ffebee3de winbindd: implement wb_irpc_lsa_{LookupNames4,LookupSids3}()
This will be used by the LSA Server on an AD DC to request remote views
from trusts.

In future we should implement wb_lookupnames_send/recv similar to
wb_lookupsids_send/recv, but for now using wb_lookupname_send/recv in a loop
works as a first step.

We also need to make use of req->in.level and req->in.client_revision
once we want to support more than one domain within our own forest.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:19 +01:00
Stefan Metzmacher
76868818e8 rpcclient: add lookupsids_level command
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Ralph Boehme
9ccc6eef14 rpcclient: fix variable initialisation and add parenthesis to if clauses
Just a few README.Coding fixes.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
c376ab29d1 winbindd: make use of talloc_zero_array() in wb_lookupsids*()
It just feels better for such a complex function.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13281

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:17 +01:00
Stefan Metzmacher
569c910b95 s3:cli_lsarpc: use talloc_zero_array() in dcerpc_lsa_lookup_names_generic()
It just feels better for such a complex function.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13281

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-21 14:19:17 +01:00
Stefan Metzmacher
5cae7da1de s3:cli_lsarpc: use talloc_zero_array() in dcerpc_lsa_lookup_sids_generic()
It just feels better for such a complex function.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13281

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-21 14:19:17 +01:00
Stefan Metzmacher
b5ffa0e21f winbindd: initialize type = SID_NAME_UNKNOWN in wb_lookupsids_single_done()
We check for !NT_STATUS_LOOKUP_ERR(), but wb_lookupsid_recv()
only initializes the results together with NT_STATUS_OK.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13280

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:17 +01:00
Stefan Metzmacher
17c48f26de winbindd: don't split the rid for SID_NAME_DOMAIN sids in wb_lookupsids
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13279

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:17 +01:00
Björn Jacke
29aa5c93d7 wscript: drop checks for setnetgrent/endnetgrent/getnetgrent
we don't use setnetgrent/endnetgrent/getnetgrent since security share passed
away.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-21 14:19:17 +01:00
Björn Jacke
14f798cbcc s3: remove dead already commented code
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-21 14:19:17 +01:00
Andreas Schneider
6f9c6d369f s3:auth: Pass mem_ctx to init_system_session_info()
We have a stackframe we can use for the lifetime of the session.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 21 02:46:40 CET 2018 on sn-devel-144
2018-02-21 02:46:40 +01:00
Andreas Schneider
7f47cec234 s3:auth: Pass mem_ctx to init_guest_session_info()
Use a mem_ctx which gets freed if possible.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-20 21:55:13 +01:00
Andreas Schneider
b2aec11c76 s3:auth: Pass a mem_ctx to make_new_session_info_guest()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-20 21:55:13 +01:00
Volker Lendecke
9abe97285b tldap: Dump unnecessary includes
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-20 21:55:13 +01:00
Andreas Schneider
a6eac8f649 smbspool: Improve URI handling code
This also checks that the URI given via the environment variables
starts with smb://

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Feb 20 21:46:38 CET 2018 on sn-devel-144
2018-02-20 21:46:38 +01:00
Andreas Schneider
7573b2a960 tests: Add tests for parsing LDAPv3 and LDAPv2 filter strings
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb 19 23:47:08 CET 2018 on sn-devel-144
2018-02-19 23:47:08 +01:00
Andreas Schneider
654b76739a s3:tldap: Comment code for to LDAP escaping version
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-19 19:17:12 +01:00
Andreas Schneider
c96dc78aa6 s3:tldap: Fix parsing LDAPv2 escaped strings
Yes, this is outdated, but the missing 'break' produces a compiler
warning.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-19 19:17:12 +01:00
Timur I. Bakeyev
e2023e86d5 Remove some bashisms from the test scripts
Signed-off-by: Timur I. Bakeyev <timur@iXsystems.com>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2018-02-19 07:36:23 +01:00
Volker Lendecke
f8313d715b winbind: Don't send "server_id" explicitly for DUMP_DOMAIN_LIST
messaging already provides the sender id

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 16 00:56:36 CET 2018 on sn-devel-144
2018-02-16 00:56:36 +01:00
Volker Lendecke
0e3c2c8bc6 winbind: Don't explicitly send "server_id" for ONLINESTATUS
Messaging already provides the sender id

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-15 20:32:24 +01:00
Andreas Schneider
23ec302122 smbspool: Initialize empty_str on declaration
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:29 +01:00
Volker Lendecke
46148e657f net: Slightly simplify net_lookup_dsgetdcname()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-13 16:42:22 +01:00
Volker Lendecke
093871d931 dsgetdcname: Add some const
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-13 16:42:22 +01:00
Volker Lendecke
3781dba923 libsmb: Fix an error path memleak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-13 16:42:22 +01:00
Volker Lendecke
aa29a695fb libsmb: Fix destructor setup in unexpected.c
The destructor does DLIST_REMOVE, so better make sure "client" is in fact
member of that list when the destructor fires

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-13 16:42:22 +01:00
Volker Lendecke
77c1df57a8 net: Add some {}
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-13 16:42:22 +01:00
Volker Lendecke
3bbc575644 smbd: remove "id" from share_mode_entry
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Feb 13 05:01:38 CET 2018 on sn-devel-144
2018-02-13 05:01:38 +01:00
Volker Lendecke
f7e65719a4 smbd: Pass "file_id" explicitly to send_break_to_none
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
1e2659e96d smbd: Pass "file_id" explicitly to send_break_message()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
9d7701c923 srvsvc: Avoid a dependency on share_mode_entry->id
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
d9e5148470 smbd: Avoid a dependency on share_mode_entry->id
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
ddb1524669 smbd: Avoid a dependency on share_mode_entry->id
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
b7e29d04c6 smbd: Pass "file_id" explicitly to message_to_share_mode_entry()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
fc424b28cd smbd: Pass "file_id" explicitly into share_mode_entry_to_message()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
5fdc62b236 smbd: Remove a redundant check
The file ids in all share modes match the share_mode_data's one

We don't have a paranoia check for this, but the share mode is per inode.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
bab8bf7acb smbd: Use "share_mode_data->id", not "share_mode_entry->id"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
c1079e3d2a srvsvc: Use the passed-in file_id
The one in share_mode_entry will go

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
3434b32b88 smbd: Pass in "file_id" into validate_my_share_entries
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
9487510e9e smbd: Pass in "file_id" into share_mode_str()
This used to directly access share_entry->id, which will go

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
786e307fd4 srvsvc: Use the passed-in file id, not the one from share_mode_entry
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
f519162657 smbd: Pass "file_id" through share_entry_forall
It's also in the share_entry, but that is redundant and will go

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Volker Lendecke
e6187be118 smbd: Fix a signed/unsigned hickup
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-02-13 00:26:43 +01:00
Andreas Schneider
1e8ad19653 winbindd: Initialize the domain groups member
==9405== 4 errors in context 1 of 493:
==9405== Conditional jump or move depends on uninitialised value(s)
==9405==    at 0x7507F71: vfprintf (in /lib64/libc-2.12.so)
==9405==    by 0x75C515B: __vasprintf_chk (in /lib64/libc-2.12.so)
==9405==    by 0x2A8728: dbgtext (stdio2.h:199)
==9405==    by 0x22DCBB: winbindd_list_groups_done (winbindd_list_groups.c:127)
==9405==    by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405==    by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405==    by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405==    by 0x3CDAE8: dcerpc_binding_handle_call_done (binding_handle.c:445)
==9405==    by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405==    by 0x6C7F568: _tevent_req_error (tevent_req.c:167)
==9405==    by 0x202701: wbint_bh_raw_call_done (winbindd_dual_ndr.c:139)
==9405==    by 0x6C82C60: tevent_common_loop_timer_delay (tevent_timed.c:341)
==9405==    by 0x6C83CA1: epoll_event_loop_once (tevent_epoll.c:911)
==9405==    by 0x6C822D5: std_event_loop_once (tevent_standard.c:114)
==9405==    by 0x6C7DC3C: _tevent_loop_once (tevent.c:533)
==9405==    by 0x1D8A03: main (winbindd.c:1490)
==9405==  Uninitialised value was created by a heap allocation
==9405==    at 0x4A069EE: malloc (vg_replace_malloc.c:270)
==9405==    by 0x6A71DCA: _talloc_array (in /usr/lib64/libtalloc.so.2.1.5)
==9405==    by 0x22D959: winbindd_list_groups_send (winbindd_list_groups.c:69)
==9405==    by 0x1D76BC: winbind_client_request_read (winbindd.c:647)
==9405==    by 0x23AF2A: wb_req_read_done (wb_reqtrans.c:126)
==9405==    by 0x6C83EA5: epoll_event_loop_once (tevent_epoll.c:728)
==9405==    by 0x6C822D5: std_event_loop_once (tevent_standard.c:114)
==9405==    by 0x6C7DC3C: _tevent_loop_once (tevent.c:533)
==9405==    by 0x1D8A03: main (winbindd.c:1490)

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Feb 13 00:25:27 CET 2018 on sn-devel-144
2018-02-13 00:25:27 +01:00
Andreas Schneider
2abf47cfb3 winbindd: Free is_parent before we terminate
This makes valgrind happy.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-12 19:52:48 +01:00
Andreas Schneider
a5cd134ed7 winbindd: Free memory before we exit the connect child
This will make valgrind happy.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2018-02-12 19:52:48 +01:00
Volker Lendecke
b4384b7f0e winbind: Improve child selection
This improves the situation when a client request blocks a winbind
child. This might be a slow samlogon or lookupnames to a domain that's
far away. With random selection of the child for new request coming in
we could end up with a long queue when other, non-blocked children
could serve those new requests. Choose the shortest queue.

This is an immediate and simple fix. Step two will be to have a
per-domain and not a per-child queue. Right now we're pre-selecting
the check-out queue at Fry's randomly without looking at the queue
length. With this change we're picking the shortest queue. The better
change will be what Fry's really does: One central queue and red/green
lights on the busy/free checkout counters.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb 12 19:51:35 CET 2018 on sn-devel-144
2018-02-12 19:51:35 +01:00
Stefan Metzmacher
597e755328 winbindd: WBFLAG_PAM_AUTH_PAC should call add_trusted_domain_from_auth() is the result is trusted
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb 10 13:08:50 CET 2018 on sn-devel-144
2018-02-10 13:08:50 +01:00
Stefan Metzmacher
8422c001be winbindd: rename winbindd_pam_auth_pac_send and let it return validation
Just a preperational step. The next commit will update the caller to
make use of the validation info.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:18 +01:00
Stefan Metzmacher
5444cc4e7e winbindd: complete WBFLAG_PAM_AUTH_PAC handling in winbindd_pam_auth_crap_send()
winbindd_pam_auth_crap_recv() should not have any real logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:18 +01:00
Stefan Metzmacher
5ce3cb2fb4 winbindd: let winbindd_pam_auth_pac_send() compute info6 from PAC
This way we don't loose the DNS info and UPN. A subsequent commit will
let winbindd_pam_auth_pac_send() return the full validation info.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:18 +01:00
Stefan Metzmacher
42e4453968 winbindd: call add_trusted_domain_from_auth() in winbindd_pam_auth_crap_done()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
021d75fb22 winbindd: get netr_SamInfo6 out of winbindd_dual_pam_auth_kerberos()
This way we don't loose dns_domain_name and user principal.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
2b01818778 s3/rpc_client: add map_info6_to_validation()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
d4ba23fd35 s3/auth: add create_info6_from_pac()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
1a9857369d winbindd: allow validation level 6 in winbind_SamLogon
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
60aa5e7657 s3/rpc_client: add copy_netr_SamInfo6() and map_validation_to_info6()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
b60c634123 winbindd: introduce a cm_connect_netlogon_secure() which gives a valid netlogon_creds_ctx
At lot of callers require a valid schannel connection.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13259

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
d76bcdb085 winbindd: handle interactive logons in _winbind_SamLogon()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
8c6c47aec0 winbindd: pass 'bool interactive' to winbind_dual_SamLogon()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
2268f1c0dd winbindd: add a comment to a parameter in _winbind_SamLogon()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
d1c3676197 winbindd: separate plaintext given and interactive in winbind_samlogon_retry_loop()
We need to handle 4 cases:

plaintext_given=true  interactive=true
plaintext_given=false interactive=true
plaintext_given=true  interactive=false
plaintext_given=false interactive=false

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
be26a472ae s3/rpc_client: add rpccli_netlogon_interactive_logon()
This will be used in a subsequent commit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
2ee2551409 winbindd: add_trusted_domain_from_auth() should not use dns_name = ""
Check whether the DNS domain name in the info6 struct is actually more
then just an empty string. If it is we want to call add_trusted_domain()
with NULL as DNS domain name argument.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13257

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
b112cbc246 winbindd: fix debug message in find_default_route_domain() on a DC
As we don't support multiple domains in a forest yet,
we don't need to print a warning a log level 0.

This also adds a missing \n.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13255

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Ralph Boehme
9f96ede6f5 winbindd: rename MSG_WINBIND_NEW_TRUSTED_DOMAIN to MSG_WINBIND_RELOAD_TRUSTED_DOMAINS
This reflects the new implementation in winbindd.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-10 08:35:16 +01:00
Ralph Boehme
d8e4e7cae5 winbindd: use add_trusted_domains_dc in wb_imsg_new_trusted_domain
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-10 08:35:16 +01:00
Ralph Boehme
4274ef681b winbindd: move loading of trusted domains on a DC to a seperate function
This allows using the split out function in a subsequent commit in the
MSG_WINBIND_NEW_TRUSTED_DOMAIN message handler.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
728fb7c593 winbindd: don't force using LSA_LOOKUP_NAMES_ALL for non workstation trusts.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
7fc19747ef s3:rpc_client: pass down lsa_LookupNamesLevel to dcerpc_lsa_lookup_sids_generic()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
8b7bf6d4d8 winbindd: prepare find_lookup_domain_from_{name,sid}() transitive trusts on a DC
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
af9a37aa19 winbindd: prepare find_auth_domain() transitive trusts on a DC
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
c5bd18c002 winbindd: remove const from set_routing_domain()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
70bb9c27cf winbindd: use Netlogon{Interactive,Network}TransitiveInformation on transitive trusts
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:15 +01:00
Stefan Metzmacher
7329706a03 s3:rpc_client: allow passing NetlogonNetwork[Transitive]Information to rpccli_netlogon_network_logon()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:15 +01:00
Stefan Metzmacher
fe47041b4b s3:rpc_client: allow Netlogon{Network,Interactive}TransitiveInformation in rpccli_netlogon_password_logon()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:15 +01:00
Ralph Boehme
9a613f4bcc winbindd: add routing_domain as parameter to add_trusted_domain
This also fixes the following CIDs:

CID 1427622:  Null pointer dereferences  (REVERSE_INULL)
CID 1427619:  Null pointer dereferences  (REVERSE_INULL)

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13233

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-10 08:35:15 +01:00
Stefan Metzmacher
9fef5d1891 winbindd: add missing can_do_ncacn_ip_tcp initialisation
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13232

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:15 +01:00
Stefan Metzmacher
1918a870c3 winbindd: remove useless calls to get_trust_credentials() before cli_rpc_pipe_open_schannel_with_creds()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13231

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:15 +01:00
Stefan Metzmacher
53484d0d98 winbindd: fix LSA connections via DCERPC_AUTH_SCHANNEL
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13231

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:15 +01:00
Volker Lendecke
be3c8d08ec lib: Make g_lock_locks use TDB_DATA
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Feb  8 14:50:49 CET 2018 on sn-devel-144
2018-02-08 14:50:49 +01:00
Volker Lendecke
67fcc7dbb9 lib: Make g_lock_dump use TDB_DATA
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-08 10:01:50 +01:00
Volker Lendecke
a6c749e76c lib: Make g_lock_do use TDB_DATA
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-08 10:01:50 +01:00
Volker Lendecke
ed3521d172 lib: Make g_lock_write_data use TDB_DATA
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-08 10:01:50 +01:00
Volker Lendecke
a104e08171 lib: Make g_lock_unlock use TDB_DATA
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-08 10:01:50 +01:00
Volker Lendecke
bdeb7e7d81 lib: Make g_lock_lock use TDB_DATA
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-08 10:01:50 +01:00
Volker Lendecke
3bc87a20e9 lib: Make g_lock_lock_send use TDB_DATA
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-08 10:01:50 +01:00
Volker Lendecke
859698d29b libads: Fix the build --without-ads
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Feb  6 02:47:44 CET 2018 on sn-devel-144
2018-02-06 02:47:43 +01:00
Ralph Boehme
84f07a8dcb s3/smbd: fix handling of delete-on-close on directories
This implements a check to test the delete-on-close flag of a directory
for requests to create files in this directory.

Windows server implement this check, Samba doesn't as it has performance
implications.

This commit implements the check and a new option to control it. By
default the check is skipped, setting "check parent directory delete on
close = yes" enables it.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb  3 23:42:16 CET 2018 on sn-devel-144
2018-02-03 23:42:16 +01:00
Volker Lendecke
21eb5169f4 vfs_virusfilter: Fix CID 1428738 Macro compares unsigned to 0
vsnprintf returns "int" and not "size_t"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 31 05:28:48 CET 2018 on sn-devel-144
2018-01-31 05:28:48 +01:00
Volker Lendecke
734404bbe9 vfs_virusfilter: Fix CID 1428740 Macro compares unsigned to 0
vsnprintf returns "int" and not "size_t"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-31 00:40:01 +01:00
Volker Lendecke
8a4409c956 vfs_virusfilter: Fix CID 1428739 Buffer not null terminated
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-31 00:40:01 +01:00
Jeremy Allison
9fc471242f s3: librpc: Allow client to correctly report etype unsupported by KDC to caller.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13247

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jan 31 00:38:09 CET 2018 on sn-devel-144
2018-01-31 00:38:08 +01:00
Jeremy Allison
e7425bd524 s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here.
Thanks to Isaac Boukris <iboukris@gmail.com> for finding the
issue and testing this fix.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13244

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 26 02:25:20 CET 2018 on sn-devel-144
2018-01-26 02:25:20 +01:00
Trever L. Adams
e320c4c9b7 Samba-VirusFilter: clean up dir check vfs_close and vfs_open
Signed-off-by: Trever L. Adams <trever.adams@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2018-01-25 12:24:08 +01:00
Trever L. Adams
c890011a76 Samba-VirusFilter: fix virusfilter_vfs_close() crash
Signed-off-by: Trever L. Adams <trever.adams@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2018-01-25 12:24:08 +01:00
Volker Lendecke
d4f7d9e08c libnmb: Fix CID 1428474 Incorrect expression (COPY_PASTE_ERROR)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jan 25 01:53:53 CET 2018 on sn-devel-144
2018-01-25 01:53:53 +01:00
Trever L. Adams
cbf743d329 Samba-VirusFilter: clamav VFS and man page.
Signed-off-by: Trever L. Adams <trever.adams@gmail.com>
Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jan 24 15:08:59 CET 2018 on sn-devel-144
2018-01-24 15:08:59 +01:00
Trever L. Adams
5970d68bf6 Samba-VirusFilter: F-Secure AntiVirus (fsav) VFS and man page.
Signed-off-by: Trever L. Adams <trever.adams@gmail.com>
Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-24 10:29:46 +01:00
Trever L. Adams
0b25089edd Samba-VirusFilter: Sophos VFS backend.
Signed-off-by: Trever L. Adams <trever.adams@gmail.com>
Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-24 10:29:46 +01:00
Trever L. Adams
b1e69edd05 Samba-VirusFilter: common headers and sources.
Samba-VirusFilter Contributors:

SATOH Fumiyasu @ OSS Technology Corp., Japan
Module creator/maintainer

Luke Dixon luke.dixon@zynstra.com
Samba 4 support

Trever L. Adams
Documentation
Code contributions
Samba-master merge work

With many thanks to the Samba Team.

Signed-off-by: Trever L. Adams <trever.adams@gmail.com>
Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-24 10:29:46 +01:00
Volker Lendecke
7ea5d38a69 libnmb: Move "read_packet" to nmbd
It's only used there

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 24 05:48:19 CET 2018 on sn-devel-144
2018-01-24 05:48:19 +01:00
Volker Lendecke
6a60970306 libnmb: Make nb_packet_read_recv return a talloc'ed pkt
This saves a few explicit destructors only doing free_packet()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-24 00:58:17 +01:00
Volker Lendecke
45aec7d3a2 libnmb: Add "parse_packet_talloc"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-24 00:58:17 +01:00
Volker Lendecke
8993342965 dsgetdcname: Fix a signed/unsigned hickup
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-23 01:49:23 +01:00
Volker Lendecke
0050d1b9a7 libnmb: Fix two signed/unsigned hickups
Two warnings less

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-23 01:49:23 +01:00
Volker Lendecke
e4dc85b69c libnmb: tsocket_address_unix_from_path deals fine with NULL
Other callers use NULL instead of "". Streamline it a bit

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-23 01:49:23 +01:00
Volker Lendecke
e8e09d72ce libnmb: Remove a pointless struct member
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-23 01:49:23 +01:00
Volker Lendecke
c404d58830 libsmb: Give unexpected.c its own header
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-23 01:49:22 +01:00
Andreas Schneider
39a6ea766d waf: Fix NFS quota support with libtirpc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13238

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jan 22 17:26:52 CET 2018 on sn-devel-144
2018-01-22 17:26:52 +01:00
Günther Deschner
ee0be7eb72 build: deal with recent glibc sunrpc header removal
We need to rely on libtirpc or libntirpc to be around in that case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13238
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10976

Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2018-01-22 12:26:20 +01:00
Andreas Schneider
c29d087e1e include: Create system/nis.h in libreplace
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13238

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2018-01-22 12:26:20 +01:00
Andreas Schneider
ca5eaf0cdc s3:waf: Move HAVE_NETGROUP to wscript
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13238

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2018-01-22 12:26:20 +01:00
Volker Lendecke
c6999a248a vfs_fileid: Fix the 32-bit build
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-21 07:08:23 +01:00
Puran Chand
3904c26ac8 Added smbc_SetConfiguration which lets the user set the smb.conf for libsmbclient code
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13229

Signed-off-by: Puran Chand <pchand@vmware.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-21 07:08:23 +01:00
Volker Lendecke
3be1e68ce6 winbind: Fix CID 1427626 Uninitialized scalar variable
Likely a false positive, but Coverity can't follow all the paths leading
to line 1598.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jan 17 23:58:34 CET 2018 on sn-devel-144
2018-01-17 23:58:34 +01:00
Volker Lendecke
4e5c942708 pdb: Fix CID 1427620 Resource leak
It's not exactly a resource leak (we only really realloc if we shrink
dramatically), but assigning the result from tdb_realloc looks nicer.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-17 19:24:11 +01:00
Volker Lendecke
92131d0898 winbind: Fix CID 1427626 Uninitialized scalar variable
Likely a false positive, but Coverity can't follow all the paths leading
to line 2030

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-17 19:24:11 +01:00
Volker Lendecke
e4f62d4e4b pdb: Fix CID 1427624 Resource leak
It's not exactly a resource leak (we only really realloc if we shrink
dramatically), but assigning the result from tdb_realloc looks nicer.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-17 19:24:11 +01:00
Sachin Prabhu
0edce86e97 vfs_glusterfs: Add fallocate support for vfs_glusterfs
Adds fallocate support to the vfs glusterfs plugin.

v2: Add check for glusterfs-api version.
RHBZ: 1478875
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 17 06:09:29 CET 2018 on sn-devel-144
2018-01-17 06:09:29 +01:00
Christof Schmitt
e77f8e4628 Remove file system sharemode before calling unlink
GPFS implements the DENY_DELETE sharemode, which prevents unlink() from
deleting the file.. This causes the problem that deleting a file through
"delete on close" fails, as the code in close.c first calls unlink() and
only later removes the file system sharemode.

Fix this by removing the file system sharemode before calling unlink().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13217

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Wed Jan 17 01:31:53 CET 2018 on sn-devel-144
2018-01-17 01:31:53 +01:00
Volker Lendecke
a63aafb05d srcctl3: Improve debug messages
A customer's syslog was filled with

_svcctl_OpenServiceW: Failed to get a valid security descriptor

messages. This improves the messages to give info about which service failed
with which error code. Also, it makes OpenServiceW fail with the same error
message Windows fails with for unknown services.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 16 02:43:03 CET 2018 on sn-devel-144
2018-01-16 02:43:03 +01:00
Volker Lendecke
6aa0cc2570 rpc_server: Improve a debug message
A client sending us a bind with an unknown interface should not spam
syslog by default. Also, show what interface the client tried to connect
to.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-01-15 22:17:08 +01:00
Andreas Schneider
05ebafd91e s3:rpc_client: Clenup copy_netr_SamInfo3() code
This gets rid of some strange macro and makes sure we clenaup at the
end.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13209

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jan 15 22:16:13 CET 2018 on sn-devel-144
2018-01-15 22:16:13 +01:00
Andreas Schneider
bfc727f0b2 s3:winbind: Use a stackframe and cleanup when leaving
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13209

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-15 17:48:18 +01:00
Andreas Schneider
00d176c6c5 s3:winbind: Use a goto for cleaning up at the end
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13209

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-15 17:48:18 +01:00
Andreas Schneider
264249db0f s3:winbindd: Improve logic so it is easier to understand
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13209

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-15 17:48:18 +01:00
Andreas Schneider
8d90f2a03e s3:test: Always validate the join after changing the secret
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Pair-Programmed-With: Ralph Boehme <slow@samba.org>
2018-01-14 17:38:26 +01:00
Volker Lendecke
0b57434151 smbd: Fix channel sequence number checks for long-running requests
When the client's supplied csn overflows and hits a pending, long-running
request's csn, we panic. Fix this by counting the overflows in
smbXsrv_open_global0->channel_generation

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2018-01-14 10:26:05 +01:00
Volker Lendecke
03f65a7cdc smbd: Remove a "!" from an if-condition for easier readability
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-14 10:26:05 +01:00
Volker Lendecke
e8636e7ab7 smbd: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-14 10:26:05 +01:00
Ralph Boehme
9b423fe804 winbindd: set routing_domain when enumerating trusts
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-14 10:26:05 +01:00
David Mulder
2ca73cba53 gpo: Add the winbind call to gpupdate
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 22:38:05 +01:00
Stefan Metzmacher
b4e1e3019a winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Ralph Boehme
9fb36370a5 winbindd: add more trust types to get_trust_type_string
Add support for the following trust types: "Local", "Workstation",
"RWDC", "RODC"´and "Routed (via ...)".

Where we previously returned "None" this now returns "Routed (via ...)",
otherwise (hopefully) no change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Ralph Boehme
f12a43f487 winbindd: fix trust_is_oubound()
A trust is only inbound if NETR_TRUST_FLAG_OUTBOUND is set. Trust flags = 0x0
does not imply an outbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Ralph Boehme
09021f920f winbindd: fix trust_is_inbound()
A trust is only inbound if NETR_TRUST_FLAG_INBOUND is set. Trust flags = 0x0
does not imply an inbound trust, nor does NETR_TRUST_FLAG_IN_FOREST.

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Ralph Boehme
a39cf19c25 winbindd: transitive trust logic in trust_is_transitive()
trust_is_transitive() currently defaults to transitive=true, unless
LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE, LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN or
LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL trust attribute is set.

This is not correct, for the trust to be transative,
LSA_TRUST_ATTRIBUTE_WITHIN_FOREST or LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE must
be set.

Logic taken from dsdb_trust_routing_by_name().

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Ralph Boehme
939592c660 winbindd: use add_trusted_domain_from_auth
After a successfully authentication, ensure we have the users domain in our
domain list and the TDC.

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Ralph Boehme
f4d27f2bf9 winbindd: add add_trusted_domain_from_auth
Function to add a new trusted domain to the domain list and TDC after an
successfull authentication. On Member servers only, not on DCs though.

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Ralph Boehme
b2ea3606a7 winbindd: add set_routing_domain() 2018-01-13 12:55:08 +01:00
Ralph Boehme
2e644af164 winbindd: add find_default_route_domain()
On a member server this is just our primary domain. The logic for DCs is
not yet implemented, on a DC of a child-domain in a forrest this would
be the parent domain.

Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Stefan Metzmacher
40c91150e3 winbindd: avoid automatic enumerating trusts on DCs
We have a static list of trust based on our configuration.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Stefan Metzmacher
29e6d55909 winbindd: load the trusted domains on a DC already in init_domain_list()
We should do that in the parent as early as possible.
Similar to our primary domain, which is also a direct trust.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:07 +01:00
Ralph Boehme
fa3b81b21c pdb_samba_dsdb: set PDB_CAP_TRUSTED_DOMAINS_EX
Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:07 +01:00
Ralph Boehme
f8bcd37058 pdb_samba_dsdb: implement pdb_samba_dsdb_del_trusted_domain
Signed-off-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:07 +01:00