1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1068 Commits

Author SHA1 Message Date
Simo Sorce
893b213876 Avoid overriding default ccache for ads operations.
Avoid overriding default ccache for ads operations.

Nowadays various samba components may need to use GSSAPI and a default cred
cache to perform their tasks.
This code was completely overriding the whole process default ccache name, thus
altering the current credentials and sometimes hijacking them (or getting
preemptively hijaked).

By using gss_krb5_import_cred we can instead use a private ccache (necessary
sometimes to use a different set of credentials fromt he default
cifs/fqdn@realm one, for example when contacting foreign DCs using trust
credentials) that does not affect the rest of the process.

For the kerberos versions which don't have gss_krb5_import_cred
we fallback to temp override of KRB5CCNAME and gss_acquire_cred.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
2012-09-12 21:18:09 +02:00
Alexander Bokovoy
140bb288be s3-smbldap: use smbldap_ prefixed functions 2012-09-07 12:31:42 +02:00
Jeremy Allison
b70f23c2b5 Correctly check for errors in strlower_m() returns. 2012-08-09 12:08:18 -07:00
Jeremy Allison
526e875cec Check error returns from strupper_m() (in all reasonable places). 2012-08-09 12:06:54 -07:00
Andrew Bartlett
f3562424b6 lib/param: Move all enum declarations to lib/param
This is in preperation for the parameter table being made common.

Andrew Bartlett

Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2012-07-24 11:01:17 +02:00
Christof Schmitt
7285ed586f auth: Common function for retrieving PAC_LOGIN_INFO from PAC
Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-06 20:45:51 +10:00
Andrew Bartlett
666dba3353 s3-param: Rename loadparm_s3_context -> loadparm_s3_helpers
This helps clarify the role of this structure and wrapper function.

The purpose here is to provide helper functions to the lib/param
loadparm_context that point back at the s3 lp_ functions.  This allows
a struct loadparm_context to be passed to any point in the code, and
always refer to the correct loadparm system.  If this has not been
set, the variables loaded in the lib/param code will be returned.

As requested by Michael Adam.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 27 17:11:16 CEST 2012 on sn-devel-104
2012-06-27 17:11:16 +02:00
Andrew Bartlett
0da10c842e s3-libads: Use a reducing page size to try and cope with a slow LDAP server
If we cannot get 1000 users downloaded in 15seconds, try with 500, 250
and then 125 users at a time.

Andrew Bartlett

Signed-off-by: Jeremy Allison <jra@samba.org>
2012-05-26 02:03:08 +02:00
Andrew Bartlett
63fb1d396b s3-libads: Map LDAP_TIMELIMIT_EXCEEDED as NT_STATUS_IO_TIMEOUT
This allows Samba to then handle this error in the same way it would for RPC connections

Andrew Bartlett

Signed-off-by: Jeremy Allison <jra@samba.org>
2012-05-26 02:03:07 +02:00
Simo Sorce
34a65739d3 Move source3/libads/dns.c to lib/addns 2012-05-23 17:51:48 +03:00
Simo Sorce
cc3321c9ff s3-ads-dns: Avoid unnecessary dependencies 2012-05-23 17:51:48 +03:00
Simo Sorce
a7e94fce3f s3-ads-dns: Break dependency on lp_parm
In preparation of making this code common to s3 and s4
2012-05-23 17:51:48 +03:00
Simo Sorce
4a335e9632 s3-ad-dns: Use more standard uint and booleans defs
In preparation of making this code common to s3 and s4
2012-05-23 17:51:48 +03:00
Gregor Beck
7ba1b13e99 s3:registry: remove usage of reg_objects from libads/ldap_printer.c
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-25 14:11:06 +02:00
Alexander Bokovoy
594e316181 lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.

Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.

Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-25 00:18:32 +02:00
Volker Lendecke
d38a171a43 s3: Attempt to fix the build without kerberos
Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Tue Apr 24 15:04:14 CEST 2012 on sn-devel-104
2012-04-24 15:04:13 +02:00
Simo Sorce
08c733d75f Make krb5 wrapper library common so they can be used all over 2012-04-23 19:20:38 -04:00
Simo Sorce
1f1e4275b5 clikrb5: Move pure krb wrapper functions from libads to clikrb5.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Andrew Bartlett
e715460898 s3-libads: Remove ads_verify_ticket() as it is now unused
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-04-03 17:47:32 +02:00
Andrew Bartlett
410ca7311a s3-libads: Rework kerberos_return_pac() to use GENSEC for the server-side
This removes the last user of ads_verify_ticket(), and means that we
only have one code path to verify an incoming krb5 (GSSAPI) ticket.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-04-03 17:47:32 +02:00
Jeremy Allison
959516d61b More strlcat/strlcpy truncate checks. 2012-03-30 21:26:07 +02:00
Andrew Bartlett
b0798cc013 s3-libads: Remove unused ads_set_machine_password()
Found by callcatcher.

Andrew Bartlett
2012-02-23 16:14:19 +11:00
Andrew Bartlett
a6aa24428a s3-libads: Remove unused ads_pull_sids_from_extendeddn()
Found by callcatcher.

Andrew Bartlett
2012-02-23 16:14:19 +11:00
Andrew Bartlett
4a0d1b5ac6 s3-libads: Move to using only the HAVE_KRB5 define
HAVE_KRB5 already implies that GSSAPI is present as well.

Andrew Bartlett
2012-02-13 04:41:05 +01:00
Stefan Metzmacher
4e444f0061 s3:kerberos_verify: ads_dedicated_keytab_verify_ticket() only needs read access
metze
2012-01-20 23:55:52 +01:00
Andrew Bartlett
016fc0af0c krb5: Require krb5_get_host_realm and krb5_free_host_realm be available to build with krb5 2012-01-10 21:50:07 +01:00
Günther Deschner
3583419b98 s3-libads: pretty print a keytab list.
Guenther
2012-01-09 10:34:06 +01:00
Günther Deschner
c3f9e011ed s3-libads: fix malloc/talloc mismatch in ads_keytab_verify_ticket().
Guenther
2012-01-09 10:34:05 +01:00
Andrew Bartlett
27af0ffdf2 s3-libads Use NTLMSSP via auth_generic/gensec
This allows us to use the shared gensec_wrap() implementation already used by the
smb sealing code, as well as making this code more generic.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-06 08:12:49 +01:00
Andrew Bartlett
860ad734ba s3-libads Factor out a new routine kerberos_get_principal_from_service_hostname()
This is now used in the GSE GSSAPI client, so that when we connect to
a target server at the CIFS level, we use the same name to connect
at the DCE/RPC level.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Günther Deschner
bfbb389332 s3-dns: prevent from potentially doing wrong SRV DNS lookups.
With an empty sitename we asked for e.g.
_ldap._tcp.._sites.dc._msdcs.AD.EXAMPLE.COM

Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Dec 21 17:23:25 CET 2011 on sn-devel-104
2011-12-21 17:23:25 +01:00
Volker Lendecke
75d3b9ce08 s3: Fix some False/NULL hickups
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Tue Dec 20 13:13:17 CET 2011 on sn-devel-104
2011-12-20 13:13:17 +01:00
Günther Deschner
8a4c8e3f85 s3-smbldap: move ldap_open_with_timeout out of smb_ldap.h to ads where it lives.
Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Thu Nov 17 03:47:53 CET 2011 on sn-devel-104
2011-11-17 03:47:53 +01:00
Andrew Bartlett
0c6e4adcb2 ntlmssp: Move ntlmssp code to auth/ntlmssp
This brings in the code from both libcli/auth and
source4/auth/ntlmssp.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Volker Lendecke
2a2dd6ff5e s3: Before adding KDC's to the krb5.conf, cldap ping them
Some Kerberos libraries don't do proper failover. This fixes the situation
where a KDC exists in DNS but is not reachable for some reason.

Ported to master by Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Oct 17 11:25:37 CEST 2011 on sn-devel-104
2011-10-17 11:25:36 +02:00
Volker Lendecke
41a0e96724 Add cldap_multi_netlogon_send/recv
Make ads_cldap_netlogon use it. It does not need the fancy multi stuff, but
excercising that code more often is better. And because we have to ask over the
network, the additional load should be neglectable.

Ported to master by Stefan Metzmacher <metze@samba.org>
2011-10-17 09:52:29 +02:00
Stefan Metzmacher
b787b6e1bd libcli/cldap: don't pass tevent_context to cldap_socket_init()
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Oct 10 23:23:07 CEST 2011 on sn-devel-104
2011-10-10 23:23:07 +02:00
Volker Lendecke
94b0f8f7fe s3: Slightly simplify print_kdc_line()
No code change except for an early "return talloc_asprintf(..)" making an else
branch obsolete.

Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Mon Sep 26 18:24:25 CEST 2011 on sn-devel-104
2011-09-26 18:24:25 +02:00
Volker Lendecke
9411b8e49d s3: Slightly simplify print_kdc_line()
No code change except for an early "return talloc_asprintf(..)" making an else
branch obsolete.
2011-09-26 16:48:43 +02:00
Volker Lendecke
01eb3136b6 s3: Slightly simplify print_kdc_line()
No code change except for an early "return talloc_asprintf(..)" making an else
branch obsolete.
2011-09-26 16:48:43 +02:00
Volker Lendecke
507f1fcdcb s3: Add some const to create_local_private_krb5_conf_for_domain
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sun Sep 18 23:31:28 CEST 2011 on sn-devel-104
2011-09-18 23:31:28 +02:00
Volker Lendecke
b126164ece s3: Add some const to print_kdc_line 2011-09-18 22:00:54 +02:00
Jeremy Allison
92a655da86 If "ldap timeout" is non-zero, set the local search timeout to
be one second longer than the remote search timeout (which is
set to the "ldap timeout" value). This allows the remote search
timeout to fire in preference.

Allow lp_ldap_timeout() to be zero. Don't set the any local alarm
if so.
2011-08-19 18:43:51 -07:00
Volker Lendecke
31ee78fea9 s3: Increase a debug level in ads_find_dc
This message can happen with AD trusts that winbind can not cope with. The
message is not really clear and not worth spamming syslog always.
2011-08-17 12:30:08 +02:00
Andrew Bartlett
1231b784a1 s3-ntlmssp Remove auth_ntlmssp_and_flags()
There is no need to mask out these flags as they simply are not set
yet.

The correct abstraction is to ask for NTLMSSP features.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:03 +10:00
Günther Deschner
183835d055 source3/libads/ldap_schema.h: fix licence/copyright
Guenther
2011-06-10 15:12:22 +02:00
Günther Deschner
59e878ff62 source3/libads/cldap.h: fix licence/copyright
Guenther
2011-06-10 15:12:20 +02:00
Günther Deschner
d5c5aa1c5f source3/libads/ads_status.h: fix licence/copyright
Guenther
2011-06-10 15:12:19 +02:00
Günther Deschner
f2d4252dfa source3/libads/ads_ldap_protos.h: fix licence/copyright
Guenther
2011-06-10 15:12:17 +02:00
Andrew Bartlett
74eed8f3ed s3-param Remove special case for global_myname(), rename to lp_netbios_name()
There is no reason this can't be a normal constant string in the
loadparm system, now that we have lp_set_cmdline() to handle overrides
correctly.

Andrew Bartlett
2011-06-09 12:40:09 +02:00