1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

65 Commits

Author SHA1 Message Date
Ralph Boehme
54343f50a6 winbindd: remove obsolete sequence_number from struct winbindd_methods
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Apr 29 15:49:16 UTC 2021 on sn-devel-184
2021-04-29 15:49:16 +00:00
Andreas Schneider
371bc98766 s3:winbindd: Remove obsolete sequence_number callback from msrpc backend
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-04-29 15:01:29 +00:00
Christof Schmitt
640e0ef4fd winbind: Return queried domain name from name_to_sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-04-18 17:21:18 +00:00
Christof Schmitt
60b0e91237 winbind: Query domain from msrpc name_to_sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2019-04-18 17:21:17 +00:00
Volker Lendecke
58f76ab137 winbindd: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-12-20 23:40:25 +01:00
Stefan Metzmacher
728fb7c593 winbindd: don't force using LSA_LOOKUP_NAMES_ALL for non workstation trusts.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Stefan Metzmacher
7fc19747ef s3:rpc_client: pass down lsa_LookupNamesLevel to dcerpc_lsa_lookup_sids_generic()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:16 +01:00
Ralph Boehme
1ce165a733 winbindd: let normalize_name_map() call find_domain_from_name_noinit()
Let normalize_name_map fetch the domain itself with
find_domain_from_name_noinit().

This removes two calls to find_domain_from_name_noinit() in the default
configuration of "winbind normalize names = no". The domain is only need
in normalize_name_map if "winbind normalize names" is enabled.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-11-29 16:59:15 +01:00
Volker Lendecke
d92a23e4ae winbind_msrpc: Use any_nt_status_not_ok
Less lines, less bytes .text

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 12 05:40:36 CEST 2017 on sn-devel-144
2017-04-12 05:40:36 +02:00
Volker Lendecke
3f5fa7c458 Revert "winbind: Remove "lookup_usergroups" winbind method"
This reverts commit b231814c6b.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12612

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-06 15:09:17 +01:00
Aurelien Aptel
ca5d36d842 s3/winbindd: fix invalid free
coverity fix.

TALLOC_FREE() might be called on uninitialized 'rids' at the end of the
function in case of an early error. Initialize it to NULL to turn the
TALLOC_FREE() to a noop in this case.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 18 17:19:39 CET 2017 on sn-devel-144
2017-01-18 17:19:39 +01:00
Volker Lendecke
4495535cb5 winbind: Fix CID 1398533 Resource leak
Not really a leak due to talloc, but this way it's clear

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-11 00:49:22 +01:00
Volker Lendecke
480c9581a1 winbind: Simplify query_user_list to only return rids
Unfortunately this is a pretty large patch, because many functions
implement this API. The alternative would have been to create a new
backend function, add the new one piece by piece and then remove the
original function.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-04 12:22:13 +01:00
Volker Lendecke
b231814c6b winbind: Remove "lookup_usergroups" winbind method
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-04 12:22:12 +01:00
Volker Lendecke
241c81b276 winbind: Remove "query_user" backend function
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-04 12:22:12 +01:00
Volker Lendecke
807f37493d winbind: lookup_usergroups_cached doesn't use the "domain" parameter
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2016-12-04 16:35:22 +01:00
Volker Lendecke
a55bd7e424 lib: Add samlogon_cache.h
Move prototypes into its own header file

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-02 09:36:08 +01:00
Mathieu Parent
c315fce17e Fix various spelling errors
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov  6 13:43:45 CET 2015 on sn-devel-104
2015-11-06 13:43:45 +01:00
Volker Lendecke
4b54bb9024 winbind: Fix CID 1035544 Uninitialized scalar variable
In rpc_sequence_number() we always look at *pseq

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
2015-05-06 15:37:14 +02:00
Richard Sharpe
57303c30b2 Change all uint32/16/8 to 32_t/16_t/8_t in winbindd.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-04-29 23:42:20 +02:00
Stefan Metzmacher
a5f35ed5cf s3:winbindd: avoid invalid pointer type warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-25 07:25:45 +01:00
Andrew Bartlett
91d6f603b1 s3-winbindd: Pass the whole winbindd_domain to invalidate_cm_connection()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-08 01:09:50 +02:00
Günther Deschner
1839417bcc s3-winbindd: use wcache_query_user_fullname after inspecting samlogon cache.
The reason for this followup query is that very often the samlogon cache only
contains a info3 netlogon user structure that has been retrieved during a
netlogon samlogon authentication using "network" logon level. With that logon
level only a few info3 fields are filled in; the user's fullname is never filled
in that case. This is problematic when the cache is used to fill in the user's
gecos field (for NSS queries). When we have retrieved the user's fullname during
other queries, reuse it from the other caches.

Thanks to Matt Rogers <mrogers@redhat.com>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440

Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-07-15 16:00:40 +02:00
Andrew Bartlett
af7f88721a winbindd: Use a remote RPC server when we are an RODC when needed
This allows us to operate against the local cache where possible, but
to forward some operations to the read-write DC.

Andrew Bartlett

Change-Id: Idc78ae379a402969381758919fcede17568f094e
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Jeremy Allison
f799f63e43 CVE-2013-4408:s3:Ensure LookupRids() replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Mon Dec  9 09:00:41 CET 2013 on sn-devel-104
2013-12-09 09:00:41 +01:00
Jeremy Allison
0de6282e00 Fix bug #10187 - Missing talloc_free can leak stackframe in error path.
Fix error path.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Oct  9 03:50:56 CEST 2013 on sn-devel-104
2013-10-09 03:50:56 +02:00
Günther Deschner
7a49c96693 s3-winbindd: rework reconnect logic in winbindd_lookup_names().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-30 11:49:53 +01:00
Günther Deschner
cd51774316 s3-winbindd: rework reconnect logic in winbindd_lookup_sids().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-30 11:49:50 +01:00
Günther Deschner
82ace10492 s3-winbindd: remove lookup_sids_fn_t.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-30 11:49:47 +01:00
Günther Deschner
d9243815b4 s3-winbindd: remove lookup_names_fn_t.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-30 11:49:44 +01:00
David Disseldorp
9195792a38 Revert "s3-winbindd: make sure we obey the -n switch also for samlogon cache access."
This reverts commit ae6a779bf9.

Bug 9125 analysis from Volker:

The problem is that there are no network calls possible at all that
would do what the samlogon cache does for us. There is just no way to
retrieve the group membership in a complex trusted environment. If you
have just a single domain with Samba as domain controller it might be
possible, but even within a single domain it is not possible to
correctly retrieve all group memberships using LDAP calls due to ACLs on
directory objects. The call to get that is called NetSamLogon on the
NETLOGON pipe. But this call requires user credentials and might trigger
updating counts on the server. So to correctly implement wbinfo -r after
a user has logged in, you have two alternatives: Save the info3 struct
or the PAC in the netsamlogon cache. If you insist on doing network
calls, you need to cache the user credentials somewhere to re-do the
NetSamLogon call every time the wbinfo -r is requested.

Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-09 16:41:05 +01:00
Günther Deschner
8a4c8e3f85 s3-smbldap: move ldap_open_with_timeout out of smb_ldap.h to ads where it lives.
Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Thu Nov 17 03:47:53 CET 2011 on sn-devel-104
2011-11-17 03:47:53 +01:00
Günther Deschner
21691b38bc s3-winbindd: no need to globally include ldap headers in winbindd.
Guenther
2011-11-17 02:11:46 +01:00
Volker Lendecke
12f0624a85 s3: Fix a typo 2011-09-08 13:38:27 +02:00
Volker Lendecke
fd65e5eb8c s3: Make winbindd_lookup_names static
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Tue Sep  6 20:03:56 CEST 2011 on sn-devel-104
2011-09-06 20:03:56 +02:00
Andrew Bartlett
5e26e94092 s3-talloc Change TALLOC_ZERO_ARRAY() to talloc_zero_array()
Using the standard macro makes it easier to move code into common, as
TALLOC_ZERO_ARRAY isn't standard talloc.
2011-06-09 12:40:08 +02:00
Andrew Bartlett
3d15137653 s3-talloc Change TALLOC_ARRAY() to talloc_array()
Using the standard macro makes it easier to move code into common, as
TALLOC_ARRAY isn't standard talloc.
2011-06-09 12:40:08 +02:00
Günther Deschner
ae6a779bf9 s3-winbindd: make sure we obey the -n switch also for samlogon cache access.
Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Jun  8 14:44:31 CEST 2011 on sn-devel-104
2011-06-08 14:44:31 +02:00
Jeremy Allison
7d6ebe0de7 More const fixes. Remove CONST_DISCARD. 2011-05-06 01:44:07 +02:00
Andrew Bartlett
a427652010 s3-libads: Use ldap_init_fd() to connect to AD server in socket_wrapper
This means that we control the connection setup, don't rely on signals
for timeouts and the connection uses socket_wrapper where that is
required in our test environment.

According to bug reports, this method is also used by curl and other
tools, so we are not the first to (ab)use the OpenLDAP libs in this
way.

It is ONLY enabled for socket_wrapper at this time, as this is the
best way to get 'make test' working for S3 winbind tests in an S4
domain.

Andrew Bartlett
2011-04-28 05:30:21 +02:00
Stefan Metzmacher
f7bc84409a s3:rpc_client: map fault codes to NTSTATUS with dcerpc_fault_to_nt_status()
Most fault codes have a NTSTATUS representation, so use that.

This brings the fault handling in common with the source4/librpc/rpc code,
which make it possible to share more highlevel code, between source3 and
source4 as the error checking can be the same now.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Sun Apr 24 10:44:53 CEST 2011 on sn-devel-104
2011-04-24 10:44:53 +02:00
Stefan Metzmacher
e7cf7204e6 s3:winbindd: let winbindd_lookup_names() use dcerpc_binding_handle functions
metze
2011-04-24 09:53:54 +02:00
Stefan Metzmacher
7309daa532 s3:winbindd: let winbindd_lookup_sids() dcerpc_binding_handle functions
metze
2011-04-24 09:53:52 +02:00
Andreas Schneider
d9ad60f0dc s3-winbindd: Use the correct enums for samr_QueryDomainInfo. 2011-03-31 17:20:25 +02:00
Volker Lendecke
0764e72051 s3: Fix Coverity ID 2237: REVERSE_INULL 2011-03-30 09:58:33 +02:00
Günther Deschner
cc94bcb952 s3-winbindd: copy acct_info to wb_acct_info so we dont need passdb for it.
Guenther
2011-03-30 01:13:08 +02:00
Andreas Schneider
bf18403c81 s3-rpc_client: Move client pipe functions to own header. 2011-02-28 18:15:04 +01:00
Stefan Metzmacher
255f2e0699 s3:winbindd: catch lookup_names/sids schannel errors over ncacn_ip_tcp (bug #7944)
If winbindd connects to a domain controller it doesn't establish the lsa
connection over ncacn_ip_tcp direct. This happens only on demand.

If someone does a 'net rpc testjoin' and then a
wbinfo -n DOMAIN\\administrator, we'll get DCERPC faults with
ACCESS_DENIED/SEC_PKG_ERROR, because winbindd's in memory copy
of the schannel session key is invalidated.

This problem can also happen on other calls, but the
lookup_names/sids calls on thet lsa ncacn_ip_tcp connection
are the most important ones.

The long term fix is to store the schannel client state in a
tdb, but for now it's enough to catch the error and invalidate
the all connections to the dc and reestablish the schannel
session key.

The fix for bug 7568 (commit be396411a4)
made this worse, as it assumes winbindd's in memory session key is
always the current one.

metze
2011-02-02 15:45:19 +01:00
Günther Deschner
e026685b7c s3-winbind: prefer dcerpc_samr_X functions in winbindd/winbindd_msrpc.c.
Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Feb  2 14:14:43 CET 2011 on sn-devel-104
2011-02-02 14:14:43 +01:00
Günther Deschner
49969e6aeb s3-winbind: no need to include ../librpc/gen_ndr/cli_lsa.h in
winbindd/winbindd_msrpc.c.

Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Jan 19 00:37:46 CET 2011 on sn-devel-104
2011-01-19 00:37:46 +01:00