1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

239 Commits

Author SHA1 Message Date
Stefan Metzmacher
ddd7ac68cc libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
This way the caller can pass more than 2 hashes and can only
know which hash was used for a successful connection.

We allow up to 4 hashes (next, current, old, older).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:45 +02:00
Garming Sam
fd29e28d52 netlogon: Implement SendToSam along with its winbind forwarding
This allows you to forward bad password count resets to 0. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).

(further patches still need to address forcing a RWDC contact)

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
8ae968193b netlogon_creds_cli: Do not corrupt authenticator state on application level errors
If the NETLOGON response was an error e.g. NT_STATUS_NOT_IMPLEMENTED, any subsequent
calls failed with NT_STATUS_ACCESS_DENIED. This is likely to be the cause of RODC DNS
updates falling off and never continuing.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Stefan Metzmacher
abe427775e libcli/auth: add netlogon_creds_cli_debug_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-21 16:09:21 +01:00
Stefan Metzmacher
8a209e5a0c libcli/auth: check E_md4hash() result in netlogon_creds_cli_ServerPasswordSet_send()
We need to make sure we can convert the given string to an nthash.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-21 16:09:21 +01:00
Stefan Metzmacher
0ed2a65593 libcli/auth: use the correct creds value against servers without LogonSamLogonEx
If we use the credential chain we need to use the value from
netlogon_creds_client_authenticator() to make sure we have the current
value to encrypt in logon info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12586

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-21 16:09:21 +01:00
Stefan Metzmacher
4b295b106c wscript: remove executable bits for all wscript* files
These files should not be executable.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
2017-01-11 20:21:01 +01:00
Volker Lendecke
38884b2b2b libcli: Use "all_zero" where appropriate
... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-01-03 16:04:28 +01:00
Volker Lendecke
3d9b1bdf6c libcli: Use "all_zero" where appropriate
... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-01-03 16:04:28 +01:00
Douglas Bagnall
a7598fb53b rpc_server:netlogon Move from memcache to a tdb cache
This allows the netlogon server to be moved into a multi-process model
while still supporting clients that use a challenge from a different
network connection.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Dec 14 20:12:14 CET 2016 on sn-devel-144
2016-12-14 20:12:13 +01:00
Björn Jacke
69f10080c3 pam: map more NT password errors to PAM errors
NT_STATUS_ACCOUNT_DISABLED,
NT_STATUS_PASSWORD_RESTRICTION,
NT_STATUS_PWD_HISTORY_CONFLICT,
NT_STATUS_PWD_TOO_RECENT,
NT_STATUS_PWD_TOO_SHORT

now map to PAM_AUTHTOK_ERR (Authentication token manipulation error), which is
the closest match.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2210

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed by: Jeremy Allison <jra@samba.org>
2016-12-13 14:12:06 +01:00
Stefan Metzmacher
b74ff8c4da libcli/auth: remove unused variable in msrpc_parse()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-07-06 19:07:16 +02:00
Stefan Metzmacher
58a8323629 libcli/auth: let msrpc_parse() return talloc'ed empty strings
This make it more predictable for the callers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11912
BUG: https://bugzilla.redhat.com/show_bug.cgi?id=1334356
BUG: https://launchpad.net/bugs/1578576

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon May  9 22:27:21 CEST 2016 on sn-devel-144
2016-05-09 22:27:21 +02:00
Stefan Metzmacher
423e95b430 CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
This is the function that prevents spoofing like
Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:24 +02:00
Stefan Metzmacher
4c4829634f CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:23 +02:00
Stefan Metzmacher
574535c74d CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
This is defined in http://www.ietf.org/rfc/rfc4178.txt.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:22 +02:00
Stefan Metzmacher
001735a804 CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:22 +02:00
Michael Adam
bebd35f439 netlogon_creds_cli: use dbwrap_purge instead of dbwrap_delete where appropriate
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-03-01 21:50:24 +01:00
Volker Lendecke
ceb75ad09e spnego: Some simplifications
asn1_tag_remaining already checks for has_error and only
returns positive if there is error-free space left

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2016-02-03 15:04:11 +01:00
Jelmer Vernooij
da8674c72a Rename 'errors' to 'samba-errors' and make it public.
This is necessary because it has public headers.

Signed-off-by: Jelmer Vernooij <jelmer@jelmer.uk>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Wed Jan 13 07:47:04 CET 2016 on sn-devel-144
2016-01-13 07:47:04 +01:00
Jelmer Vernooij
773cfba9af Avoid including libds/common/roles.h in public loadparm.h header.
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Volker Lendecke
b7f0e29fd2 lib: Use asn1_current_ofs()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
a93946b2fe lib: Use asn1_extract_blob()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
8cfb6a3139 lib: Use asn1_set_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Volker Lendecke
57a0bc9a9f lib: Use asn1_has_error()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-06 00:54:18 +01:00
Stefan Metzmacher
6e5d9c2a3d libcli/auth: use WERR_INVALID_PASSWORD instead of WERR_BAD_PASSWORD
The values are the same, but WERR_INVALID_PASSWORD matches the documentation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-27 01:26:17 +01:00
Stefan Metzmacher
a46a00673d libcli/auth: add forward declaration for struct wkssvc_PasswordBuffer
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-20 20:43:11 +01:00
Stefan Metzmacher
409cf45147 libcli/auth: add some const to netlogon_creds_server_{init,step_check}()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-20 20:43:11 +01:00
Thomas Schulz
820a0a91fb libcli/auth: Match Declaration of netlogon_creds_cli_context_tmp with implementation
I have been building 4.2.0 with the GNU C compiler but I decided to see
how it works with the Sun C 5.11 compiler. The Sun compiler complains
about a identifier being redeclared in libcli/auth/netlogon_creds_cli.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11140

Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-03-20 13:49:26 +01:00
Stefan Metzmacher
87c57956ba libcli/auth: add netlogon_creds_cli_GetForestTrustInformation*()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jan 21 17:19:33 CET 2015 on sn-devel-104
2015-01-21 17:19:33 +01:00
Stefan Metzmacher
05a3d980f8 libcli/auth: add netlogon_creds_cli_ServerGetTrustInfo*()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-01-21 14:56:07 +01:00
Jeremy Allison
53f21ffb4a libcli: auth: Ensure all asn1_XX returns are checked.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
2014-09-26 00:51:16 +02:00
Andrew Bartlett
36ecbf34ba libcli/auth: Ensure that the dns_names in/out parameter is preserved
This is in dcerpc_netr_DsrUpdateReadOnlyServerDnsRecords, which has
status variables filled in by the server and placed in this in/out
array.

This showed up as a segfault in winbindd during RODC DNS update.

Andrew Bartlett

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
2014-08-01 09:48:35 +02:00
Volker Lendecke
0a7290ca7d libcli: Remove an unused variable
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul  1 00:43:18 CEST 2014 on sn-devel-104
2014-07-01 00:43:18 +02:00
Andrew Bartlett
223fbdaf38 s3-winbindd: Listen on IRPC and do forwarded DNS updates on an RODC
Change-Id: Ib87933c318f510d95f7008e122216d73803ede68
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Jelmer Vernooij
e0cddcd5c4 Typo: s/preceeded/preceded/
Caught by lintian, the Debian package linter :)

Change-Id: Ia7162ea8c2b1845155345526b66d71ae64f15227
Reviewed-on: https://gerrit.samba.org/216
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Mon Apr 14 03:51:15 CEST 2014 on sn-devel-104
2014-04-14 03:51:15 +02:00
Stefan Metzmacher
cd648ec00f libcli/auth: s/encrypt/do_encrypt
This avoids compiler warnings.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 09:03:42 +02:00
Ira Cooper
8cd8aa6686 libcli: Overflow array index read possible, in auth code.
Changed the if condtion to detect when we'd improperly overflow.

Coverity-Id: 1167990
Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ira Cooper <ira@samba.org>
Autobuild-Date(master): Mon Feb 24 11:56:38 CET 2014 on sn-devel-104
2014-02-24 11:56:37 +01:00
Ira Cooper
14063719e0 Revert "libcli: Overflow array index read possible, in auth code."
This reverts commit 538cbfe0e9.

Signed-off-by: Ira Cooper <ira@samba.org>
2014-02-24 14:16:00 +05:30
Ira Cooper
538cbfe0e9 libcli: Overflow array index read possible, in auth code.
The values have to be signed here to allow for the values to go negative,
to prevent the overflow.

Coverity-Id: 1167990
Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ira Cooper <ira@samba.org>
Autobuild-Date(master): Mon Feb 24 07:23:03 CET 2014 on sn-devel-104
2014-02-24 07:23:03 +01:00
Michael Adam
85235d03c1 libcli: use DBWRAP_LOCK_ORDER_NONE when opening schannel_store.tdb
Make lack of lock order checking more visible.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-02-07 16:06:07 +01:00
Michael Adam
7e766a0a8a dbwrap: add dbwrap_flags argument to dbwrap_local_open()
To be consistent with db_open() and prepare for future
possible extensions.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-02-07 16:06:07 +01:00
Stefan Metzmacher
b8fdeb8ca7 libcli/auth: reject computer_name longer than 15 chars
This matches Windows, it seems they use a fixed size field to store
netlogon_creds_CredentialState.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-22 17:12:14 +01:00
Stefan Metzmacher
387ed2e15d libcli/auth: don't alter the computer_name in cluster mode.
This breaks NTLMv2 authentication.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-22 17:12:05 +01:00
Stefan Metzmacher
ece3ba10a1 libcli/auth: add netlogon_creds_cli_set_global_db()
This can be used to inject a db_context from dbwrap_ctdb.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-22 17:11:19 +01:00
Stefan Metzmacher
0e62f32795 libcli/auth: fix usage of an uninitialized variable in netlogon_creds_cli_check_caps()
If status is RPC_PROCNUM_OUT_OF_RANGE, result might be uninitialized.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2014-01-08 14:34:13 +01:00
Stefan Metzmacher
3d45d4dc3c libcli/auth: remove unused netlogon_creds_cli_context_copy()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:16 +01:00
Stefan Metzmacher
fa3af7c2e8 libcli/auth: make use of real options in netlogon_creds_cli_context_global()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:05 +01:00
Stefan Metzmacher
dc96b1ddcc libcli/auth: use unique key_name values in netlogon_creds_cli_context_common()
Until all callers are fixed to pass the same 'server_computer'
value, we try to calculate a server_netbios_name and use this
as unique identifier for a specific domain controller.

Otherwise winbind would use 'hostname.example.com'
while 'net rpc testjoin' would use 'HOSTNAME',
which leads to 2 records in netlogon_creds_cli.tdb
for the same domain controller.

Once all callers are fixed we can think about reverting this
commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:04 +01:00
Stefan Metzmacher
6e6d9f9f12 libcli/auth: add netlogon_creds_cli* infrastructure
This provides an abstraction to hide netlogon_creds_CredentialState,
which is stored in a node local tdb.

Where the global state (netlogon_creds_CredentialState) between client and
server was only kept in memory (on the client side), we now use
the abstracted netlogon_creds_cli_context.

We now use a node specific computer name in order to establish
individual netlogon sessions per node.

If the caller wants to use some netlogon calls with credential chain
(struct netr_Authenticator), netlogon_creds_cli_lock*() is used
to get the current netlogon_creds_CredentialState in a g_lock'ed
fashion, a talloc_free() will release the lock.

The locking is needed as there might be more than one process
(multiple winbindd child, cmdline tools) which want to talk
to a specific domain controller. The usage of netlogon_creds_CredentialState
needs to be serialized as it uses sequence numbers.

LogonSamLogonEx doesn't use the credential chain, but for some operations
it needs the global session in order to de/encrypt individual fields.
It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate()
functions, which just make sure the session hasn't changed between
get and validate.

This is prepares the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:03 +01:00