1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

263 Commits

Author SHA1 Message Date
Gary Lockyer
ae4461dce9 auth auth_log: csbuild unused parm unix_username
Fixes csbuild errors

Error: COMPILER_WARNING:
auth/auth_log.c: scope_hint: In function ‘log_authentication_event_json’
auth/auth_log.c:146:14: warning: unused parameter ‘unix_username’
[-Wunused-parameter]

Error: COMPILER_WARNING:
auth/auth_log.c: scope_hint: In function
‘log_authentication_event_human_readable’
auth/auth_log.c:586:14: warning: unused parameter ‘unix_username’
[-Wunused-parameter]

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-06-13 07:16:22 +00:00
Andrew Bartlett
433296c614 Remove unused auth_get_challenge_not_implemented
This became unused after eba8799514 in 2012

Found by callcatcher

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-05-22 05:59:13 +00:00
Gary Lockyer
0e2acf6cfb winbind: Generate and pass logon ID
Generate a random logon_id and pass it in the SamLogon calls.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-02-20 06:03:09 +01:00
Gary Lockyer
96e6adedcd librpc idl: netlogon netr_identity_info logon_id to 64 bit
Fold the two 32 bit values logon_id_high and logon_id_low into a single
64 bit logon_id in netr_identity_info.  This will be used to tie
together winbind and SamLogon requests in audit logging.

Summary of the of the Query and Response from Microsoft on it's usage.

[REG:119013019612095] [MS-NRPC]: NETLOGON_LOGON_IDENTITY_INFO: Does
the Reserved field have LogonId meaning?

Questions:
  In NetrLogonSamLogonEx does the Reserved field
  (of NETLOGON_LOGON_IDENTITY_INFO) have LogonId meaning?

  What is a valid LogonID, and does have any audit usage?

  Samba is sending a constant "deadbeef" in hex and would like to
  understand any usage of this field.

Response:
  The NRPC spec is accurate in defining the field as Reserved, and without
  protocol significance. In the header file in our source code, it is
  defined as LogonId and commented as such, but it’s effectively not used.
  This is probably why the API structure has that field name. It may have
  been intended as such but it’s not used.

Samba will send a random value in this field.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-02-20 06:03:09 +01:00
Andrew Bartlett
1bb2a1c6b3 auth: For NTLM and KDC authentication, log the authentication duration
This is not a general purpose profiling solution, but these JSON logs are already being
generated and stored, so this is worth adding.

Some administrators are very keen to know how long authentication
takes, particularly due to long replication transactions in other
processes.

This complements a similar patch set to log the transaction duration.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-06-25 08:32:14 +02:00
Andrew Bartlett
e1ede0b1ff auth: Use DBGC_AUTH as DBGC_CLASS for AD DC NTLM auth code.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-05-21 23:48:18 +02:00
Gary Lockyer
5c0345ea9b samdb: Add remote address to connect
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:23 +02:00
Stefan Metzmacher
0f9a09bd35 s4:auth_winbind: make sure we expand group memberships of the local domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:51 +01:00
Stefan Metzmacher
fd7c918256 s4:auth_winbind: only call authsam_logon_success_accounting() for local users
There's no need to do a crack_name_to_nt4_name(), as the authentication
already provides the nt4 domain and account names.

This should only happen on an RODC, that we use the winbind auth module
for local users. So we should make sure we only try to reset
the badPwdCount for users of our own domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:51 +01:00
Andreas Schneider
69fa5ecb6a s4:auth: Add FALL_THROUGH statements in auth_sam.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
ef3ac405bf s4:auth: Add FALL_THROUGH statements in auth_util.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Stefan Metzmacher
57762229da s4:auth_sam: allow logons with an empty domain name
It turns out that an empty domain name maps to the local SAM.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb 23 04:08:26 CET 2018 on sn-devel-144
2018-02-23 04:08:26 +01:00
Stefan Metzmacher
e1ba819960 s4/auth_winbind: ask for validation level 6
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-10 08:35:17 +01:00
Stefan Metzmacher
6fb5704c11 s4:auth_winbind: remove unused 'winbind_wbclient' backend
This is no longer useful as it doesn't support async requests.

It could be readded using pthreadpool_tevent_job_send()
and wbcCtxAuthenticateUserEx() if required.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
0b72d0b7e5 s4:auth_winbind: remove unused 'winbind_rodc' backend
This is no longer useful as the 'winbind' backend also
handles the rodc case now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
b681810d3c s4:auth_sam: remove unused 'sam_failtrusts' backend
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
a382e05a16 s4:auth/ntlm: remove lpcfg_auth_methods() handling
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
b88f9384b0 s4:auth/ntlmssp: add support for using "winbind" as DC
This adds support for trusted domains to the auth stack on AD DCs.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
a6ad56cfa9 s4:auth: use "sam winbind" for the netlogon server
This adds authentication support for trusted domains to the
netlogon server.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
690c5e6f36 s4:auth/ntlm: provide auth_check_password_wrapper_send/recv to auth4_context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
79b891a746 s4:auth_winbind: implement async authentication via IRPC
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Stefan Metzmacher
c29db055a7 s4:auth/ntlm: allow auth_operations to specify check_password_send/recv()
This prepares real async handling in the backends.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jun 27 21:09:08 CEST 2017 on sn-devel-144
2017-06-27 21:09:08 +02:00
Stefan Metzmacher
f9388b0ec7 s4:auth/ntlm: introduce auth_check_password_next()
This prepares real async handling in the backends.

Check with git show -w.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-06-27 16:57:49 +02:00
Stefan Metzmacher
ee4ea4b99c s4:auth/ntlm: move auth_check_password_wrapper() further down
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-06-27 16:57:48 +02:00
Stefan Metzmacher
60bee9d118 s4:auth_winbind: rename 's' to 'state' in winbind_check_password()
This prepares the conversion to winbind_check_password_send/recv()
where the internal state is called 'winbind_check_password_state'
as 'state'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-06-27 16:57:48 +02:00
Ralph Boehme
0178206fec s4:auth_winbind: remove a block nesting level and fix indentation
The previous commit removed the condition from the block. No change in
behaviour, best viewed with git show -w.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-06-27 16:57:48 +02:00
Stefan Metzmacher
28f2039886 s4:auth_winbind: fix error checking in winbind_check_password()
We need to handle every error instead of just NT_STATUS_NO_SUCH_USER,
the callers also doesn't require NT_STATUS_NOT_IMPLEMENTED anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-06-27 16:57:48 +02:00
Stefan Metzmacher
ebb63e1cb3 s4:dsdb/samdb: pass an existing 'struct ldb_context' to crack_auto_name_to_nt4_name()
There's no point in creating a temporary ldb_context as
the only callers already have a valid struct ldb_context for
the local sam.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-26 08:47:15 +02:00
Stefan Metzmacher
f0541309d7 s4:dsdb/samdb: pass an existing 'struct ldb_context' to crack_name_to_nt4_name()
There's no point in creating a temporary ldb_context as
all direct callers already have a valid struct ldb_context for
the local sam.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-26 08:47:15 +02:00
Stefan Metzmacher
bfb25f92aa s4:auth/unix_token: remove unused tevent_context from auth_session_info_fill_unix()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-26 08:47:15 +02:00
Stefan Metzmacher
c0fa0b88d0 s4:auth: make authenticate_ldap_simple_bind*() use auth_check_password_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:23 +02:00
Stefan Metzmacher
6e165ca85a s4:auth: add authenticate_ldap_simple_bind_send/recv
TODO: we need to make the backend async.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 09:13:23 +02:00
Garming Sam
fd29e28d52 netlogon: Implement SendToSam along with its winbind forwarding
This allows you to forward bad password count resets to 0. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).

(further patches still need to address forcing a RWDC contact)

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
c98514adf2 auth_sam: Make auth_sam_trigger_repl_secret more generic
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
f40fdaea7f rodc: Set non-authoritative for RODC bad passwords
This requires as a pre-requisite that the auth stack is not run twice.
We remove the knownfail introduced in the earlier patch.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
b50a147a7e auth_winbind: Allow badPwdCount to be set to 0 with this auth method
We rely on the other SAM modules to increment the badPwdCount locally,
but we must reset to 0 if the remote sends a success (to override our
failure).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
a6a19e4308 auth4: Add authoritative flag to check_password
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Jeremy Allison
34f616fc6f s4: auth: Add TALLOC_CTX * to auth_register()
Use the talloc context passed into all modules.
Remove one more talloc_autofree_context().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-05-11 20:30:12 +02:00
Jeremy Allison
306783d6f5 lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
Not currently used - no logic changes inside.

This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.

Updated all known module interface numbers, and added a
WHATSNEW.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
2017-04-22 01:17:00 +02:00
Stefan Metzmacher
0ca09b0e10 auth4: use "sam winbind_rodc sam_failtrusts" for the netlogon authentication
We should not do anonymous authentication nor a fallback that
ignores the domain part.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
6018924578 auth4: remove unused map_user_info[_cracknames]()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
236b24dfd2 auth4: avoid map_user_info() in auth_check_password_send()
The cracknames call is done in the "sam" backend now.

In order to support trusted domains correctly, the backends
need to get the raw values from the client.

This is the important change in order to no longer
silently map users from trusted domains to local users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
8193b70898 auth4: improve authsam_want_check for upn authentication
We need to check if the upn suffix is within our forest.
The check if it's within our domain is done in
authsam_check_password_internals() after calling
crack_name_to_nt4_name().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
09e24ce40f auth4: let authsam_check_password_internals use crack_name_to_nt4_name() for upn's
Currently the caller does this before calling the auth backends,
but that should change in order to support trusted domains correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
13649fa2dc auth4: use "anonymous sam winbind sam_ignoredomain" with ROLE_DOMAIN_MEMBER
We hopefully remove this role in future, but for now we should do this
correct and fallback to sam_ignoredomain at the end of the auth chain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
2a57b285ce auth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC
It's better to consistently fail authentications for users
of trusted domains (on a RWDC) with NT_STATUS_NO_TRUST_LSA_SECRET,
instead of silently mapping them to local users, by accident.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
bb6583fdf2 auth4: add a "sam_failtrusts" module
This fails the authentication for any known domain with
NT_STATUS_NO_TRUST_LSA_SECRET.

This will be used on an AD_DC to fail authentication
for users of trusted domains sanely, instead of silently
mapping them to local users.

This is just a temporary solution, until we have full
async support in the gensec/auth4.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
5da664dbed auth4: use lpcfg_is_my_domain_or_realm() in authsam_want_check()
We also accept the domain to be the realm string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:19 +02:00
Gary Lockyer
8aff845db8 ldap_server: Log failures to find a valid user in the simple bind
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:29 +02:00
Andrew Bartlett
d004196036 auth: Add hooks for notification of authentication events over the message bus
This will allow tests to be written to confirm the correct events are triggered.

We pass in a messaging context from the callers

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00