1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

2273 Commits

Author SHA1 Message Date
Stefan Metzmacher
2063692367 CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
We don't need to change the protocol version because:

1. An old client may provide the "initial_blob"
   (which was and is still ignored when going
   via the wbcCredentialCache() function)
   and the new winbindd won't use new_spnego.

2. A new client will just get a zero byte
   from an old winbindd. As it uses talloc_zero() to
   create struct winbindd_response.

3. Changing the version number would introduce problems
   with backports to older Samba versions.

New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:22 +02:00
Volker Lendecke
d378c85f7a winbind: Fix a typo in a wrong comment...
While trying to disentangle this knot I could not stand to fix the obvious
typo. The whole comment is not really the whole story anymore, but that's a
commit for another day.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 30 21:54:40 CEST 2016 on sn-devel-144
2016-03-30 21:54:40 +02:00
Volker Lendecke
3cc3406220 winbind: Remove unused idmap_backends_unixid_to_sid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Mar 30 17:58:48 CEST 2016 on sn-devel-144
2016-03-30 17:58:48 +02:00
Volker Lendecke
fa8f09766e winbind: Remove unused idmap_[ug]id_to_sid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-30 14:27:23 +02:00
Volker Lendecke
fdfe993f2e winbind: Use plural xids2sids in _wbint_UnixIDs2Sids
We've had plural xid2sid idmap backends for a while. Start using
them.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-30 14:27:23 +02:00
Volker Lendecke
bfc1d073b5 winbind: Pass down the domain name to xids2sids
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-30 14:27:23 +02:00
Volker Lendecke
5d9069242d winbind: Add idmap_backend_unixids_to_sids
This is the plural version of idmap_backends_unixid_to_sid that expects all ids
to come from the same idmap domain. The singular version walks the domain list
itself, this one expects the domain name to be passed to it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-30 14:27:23 +02:00
Volker Lendecke
a3bd040a51 winbind: Do per-domain xids2sids calls
This prepares the equivalent of 2b1dd01934 for xids2sids.

Collecting sids2xids per domain is a bit easier: SIDs carry their own domain
prefix. For the reverse, we need to scan the configuration for all the idmap
range definitions.

It has a separate effect: It enables overlapping idmap ranges. The per-domain
calls are done whenever a range matches. If the idmap child finds a successful
xid2sid mapping, this will be collected as one result. This means that every
range definition can contribute mappings.

If there are two rfc2307 sfu domains with overlapping ranges, the domains will
be queried one after the other for a specific mapping. If the defined ranges
overlap, the admin has to make sure that there are no conflicts, because in the
current code "the first writer wins", and the code does not specify an order
(yet).

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-30 14:27:23 +02:00
Volker Lendecke
50aef48e18 winbind: Introduce id_map_ptrs_init
This simplifies _wbint_Sids2UnixIDs a bit and will be re-used in _wbint_UnixIDs2Sids

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-30 14:27:23 +02:00
Volker Lendecke
16dc16e904 idmap: Factor out lp_scan_idmap_domains()
This simplifies idmap_found_domain_backend() by moving the regex magic
somewhere else. Also, this routine will be useful soon somewhere else, thus
make it non-static to idmap.c.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-30 14:27:23 +02:00
Volker Lendecke
5291462bd8 winbind: Fix CID 1357100 Unchecked return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Mar 22 15:49:14 CET 2016 on sn-devel-144
2016-03-22 15:49:14 +01:00
Michael Adam
a16379c585 idmap_hash: only allow the hash module for default idmap config.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

This module only makes sense as the default idmap config
("idmap config * : backend = hash" ...)

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-17 01:08:32 +01:00
Michael Adam
4172491cbe idmap_hash: rename be_init() --> idmap_hash_initialize()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-17 01:08:32 +01:00
Günther Deschner
4632ad98c4 s3:winbindd:idmap: check loadparm in domain_has_idmap_config() helper as well.
Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-17 01:08:32 +01:00
Günther Deschner
55be1ee697 s3:winbindd:idmap_hash: skip domains that already have their own idmap configuration.
Check if the domain from the list is not already configured to use another idmap
backend. Not checking this makes the idmap_hash module map IDs for *all* domains
implicitly. This is quite dangeorous in multi-idmap-config setups.

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-17 01:08:32 +01:00
Michael Adam
fb80e1158b s3:winbindd:idmap: add domain_has_idmap_config() helper function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-17 01:08:32 +01:00
Stefan Metzmacher
bb387c5b90 s3:winbindd: don't unclude two '\0' at the end of the domain list
This avoids a scary "trustdom_list_done: Got invalid trustdom response" message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-13 20:10:33 +01:00
Stefan Metzmacher
716e78f3b2 winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
871e8a9fd0 winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
We should avoid using NULL.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:27 +01:00
Volker Lendecke
980f8cfe30 idmap_autorid: Protect against corrupt databases
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-07 22:16:20 +01:00
Volker Lendecke
5652810295 idmap_autorid: Fix a use-after-free
Parsing the domain_range_index references data.dptr

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-07 22:16:20 +01:00
Volker Lendecke
b4239ca096 idmap_script: Parallelize script calls
Fixes a case I've seen where a user with 200 group memberships timed out and
can now log in.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Wed Feb 24 01:17:25 CET 2016 on sn-devel-144
2016-02-24 01:17:24 +01:00
Volker Lendecke
3a1685db0b lib: Remove "includes.h" from util_file.c
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2016-02-23 22:03:17 +01:00
Volker Lendecke
3de5d8fdfd lib: Add "mem_ctx" to file_lines_pload
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2016-02-23 22:03:17 +01:00
Volker Lendecke
8338fe6ac8 lib: Remove sys_waitpid
We have waitpid in libreplace

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2016-02-23 22:03:16 +01:00
Uri Simchoni
7b4dfd939f winbindd: return trust parameters when listing trusts
When asking a child domain process to list trusts on that domain,
return (along with trust domain names and SID) the trust properties -
flags, type, and attributes.

Use those attributes to initialize domain object.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Feb 23 22:02:16 CET 2016 on sn-devel-144
2016-02-23 22:02:16 +01:00
Uri Simchoni
d0aa5d0574 winbindd: initialize foreign domain as AD based on trust
Based on trust parameters, initialize the active_directory
member of domain object to true.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-23 18:52:21 +01:00
Uri Simchoni
c65841a3bd winbindd: introduce add_trusted_domain_from_tdc()
This is purely a refactoring patch -
Add a routine that adds a winbindd domain object based on
domain trust cache entry. add_trusted_domain() becomes
a wrapper for this new routine.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-23 18:52:21 +01:00
Karolin Seeger
a42dc8610b s3/winbindd: Add missing space in debug message.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Tue Feb 23 14:20:01 CET 2016 on sn-devel-144
2016-02-23 14:20:01 +01:00
Michael Adam
def483c815 winbindd: move a variable into scope
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-02-23 01:41:17 +01:00
Volker Lendecke
f6f43c496e winbind: Remove unused WINBINDD_UID_TO_SID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Feb 22 23:39:13 CET 2016 on sn-devel-144
2016-02-22 23:39:12 +01:00
Volker Lendecke
f387124a04 winbind: Remove unused WINBINDD_GID_TO_SID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
ec94aa543b winbind: Remove unused WINBINDD_SID_TO_GID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
112998fffa winbind: Remove unused WINBINDD_SID_TO_UID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:16 +01:00
Volker Lendecke
eeb0f3b075 winbind: Remove unused wbint_Gid2Sid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
e2dda192e7 winbind: Use xids2sids in getgrgid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
b0f6adf351 winbind: Use xids2sids in gid2sid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
708df7e85c winbind: Remove unused wbint_Uid2Sid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
89f753c1fc winbind: Use xids2sids in getpwuid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
05aa3406cb winbind: Use xids2sids in uid2sid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
5cd5ce70a1 winbind: Expose WINBINDD_XIDS_TO_SIDS externally
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
e50c1a6648 winbind: Add parse_xidlist()
This will be part of parsing the socket protocols xids2sids request

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
5bb6600110 winbind: Add wb_xids2sids
Async wrapper around wbint_UnixIDs2Sids

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
24929ee081 winbind: Add wbint_UnixIDs2Sids
The idmap backend function is doing multiple conversions in one run, but this
is not used so far. First step in exposing plural xid2sid. This is a fake
routine in that it does the one-element calls, but you have to start somewhere.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
4d5680e9ae winbind: Simplify _wbint_Sids2UnixIDs
Same number of lines, but from my point of view quite a bit simpler now
that we only have to handle one domain.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
2b1dd01934 winbind: Make _wbint_Sids2UnixIDs single-domain
This is required to handle domain-specific error messages properly in the
parent. Currently unused, but I want to handle DOMAIN_CONTROLLER_NOT_FOUND
for the idmap_ad backend soon by doing a getdcname (RPC or ourselves or
so) from the parent context.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:15 +01:00
Volker Lendecke
9743be68d7 winbind: Remove a level of indirection
idmap_doms does not need a talloc of its own

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-02-22 20:29:14 +01:00
Volker Lendecke
d3be72a5e3 idmap_ad: Fix a copy&paste error
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Feb 16 14:14:21 CET 2016 on sn-devel-144
2016-02-16 14:14:21 +01:00
Volker Lendecke
db64deb681 winbind: Fix a type error
nss_info_methods has "get_nss_info"'s p_gid parameter as
gid_t *, not uint32_t *. Probably that did not hurt due to
typedefs, but if we find a platform where gid_t is not
uint32_t, this would be VERY hard to debug

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-02-16 10:50:10 +01:00
Volker Lendecke
ad82251c23 winbind: Add some const
This makes source and destination a bit clearer to me

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-02-16 10:50:10 +01:00