1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

2273 Commits

Author SHA1 Message Date
Stefan Metzmacher
56c7f885a5 librpc/idl: add winbind_GetForestTrustInformation()
This will be used by the netr_DrsGetForestTrustInformation()
in order to contact remote domains via winbindd.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
6f859f40b8 s3:winbindd: add wb_irpc_LogonControl()
This can be called by the netlogon server to pass netr_LogonControl*()
to a winbindd child process in order to do the real work.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
03e846bc27 s3:winbindd: implement _winbind_LogonControl*()
This implements NETLOGON_CONTROL_{REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD}.
These are triggered by the netlogon server (currently only as AD DC) via IRPC.

While NETLOGON_CONTROL_REDISCOVER ignores an optional '\dcname' at the end of
the specified domain name for now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
ee5e25b5b3 librpc/idl: add winbind_LogonControl()
This will be used by the netr_LogonControl()
in order to contact remote domains via winbindd.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
793af3f2ae s3:winbindd: use check dcerpc_binding_handle_is_connected() instead of a specific status
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-03 02:00:28 +02:00
Uri Simchoni
eaf9920309 winbindd: disconnect child process if request is cancelled at main process
When cancelling a request at the main winbindd process, that is currently
being served by a child winbindd process, just freeing all objects related
to the request is not enough, as the next bytes to come through the pipe
from the child process are the response to the cancelled request, and the
object reading those bytes will be the next request. This breaks the protocol.

This change, upon canceling a request that is being served, closes the
connection to the child process, causing the next request to be served
by a new child process (and the detached child to die eventually).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11358

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jun 29 14:00:24 CEST 2015 on sn-devel-104
2015-06-29 14:00:24 +02:00
Stefan Metzmacher
fb63fd1dc4 s3:winbindd: remove unused argument 'server' from winbind_samlogon_retry_loop()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-06-24 19:33:23 +02:00
Andrew Bartlett
5de7621cbf winbindd: Sync secrets.ldb into secrets.tdb on startup
This ensures that the domain SID and machine account password are written into
secrets.tdb if the secrets.tdb file was either never written or was deleted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-17 22:10:24 +02:00
Andrew Bartlett
b209cd1677 winbindd: Use pdb_get_domain_info() to get exactly the local domain info when we are an AD DC
This also triggers pdb_samba_dsdb_init_secrets(), to force the
correct SID into secrets.tdb.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-17 22:10:24 +02:00
Jeremy Allison
4c5fefe072 winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 11 07:30:38 CEST 2015 on sn-devel-104
2015-06-11 07:30:36 +02:00
Noel Power
efadcb3121 kerberos auth info3 should contain resource group ids available from pac_logon
successful pam auth (e.g. from ssh) will cache group sids (but not any
resource group sids)) The subsequent cached entry used for groups lookups
can be missing those resource groups

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-11 04:42:10 +02:00
Volker Lendecke
fc5aadb57b winbind: Lookup groupmem via primaryGroupID
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: "Stefan (metze) Metzmacher" <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jun  5 17:21:04 CEST 2015 on sn-devel-104
2015-06-05 17:21:04 +02:00
Christof Schmitt
835c278e43 idmap_rfc2307: Fix wbinfo --gid-to-sid query
Fix syntax error in LDAP query for gidNumber.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11313

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-04 22:35:18 +02:00
Stefan Metzmacher
435ddd8223 s3:winbindd: make sure we remove pending io requests before closing client sockets
This avoids a crash inside the tevent epoll backend.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11141

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed May 20 22:16:54 CEST 2015 on sn-devel-104
2015-05-20 22:16:54 +02:00
Richard Sharpe
12df833563 Convert the few instances of int32 there were to int32_t.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat May 16 03:09:12 CEST 2015 on sn-devel-104
2015-05-16 03:09:12 +02:00
Richard Sharpe
4602c86d58 Convert uint64 to uint64_t
We seemed to have very few uses of that.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-15 19:31:24 +02:00
Richard Sharpe
57568f1900 Convert all uint32/16/8 to _t in a grab-bag of remaining files.
I still need to fix the rpc stuff, but we are almost there.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 14 22:16:56 CEST 2015 on sn-devel-104
2015-05-14 22:16:56 +02:00
Volker Lendecke
e8081af2c7 winbind: Fix CID 1035545 Uninitialized scalar variable
In rpc_sequence_number() we always look at *pseq

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed May  6 18:24:01 CEST 2015 on sn-devel-104
2015-05-06 18:24:01 +02:00
Volker Lendecke
4b54bb9024 winbind: Fix CID 1035544 Uninitialized scalar variable
In rpc_sequence_number() we always look at *pseq

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
2015-05-06 15:37:14 +02:00
Richard Sharpe
704592c14d Last lot of convert uint32 to uint32_t in winbindd, I promise.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May  6 07:03:27 CEST 2015 on sn-devel-104
2015-05-06 07:03:27 +02:00
Stefan Metzmacher
3278b6900d s3:winbindd: list local groups for our internal domains too (as AD DC)
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May  6 04:13:36 CEST 2015 on sn-devel-104
2015-05-06 04:13:36 +02:00
Stefan Metzmacher
9eb64502f0 s3:winbindd: list users/groups of our own domain as AD DC
The AD users/groups of the local domain of an AD DC
only exist via winbindd and not in /etc/passwd or /etc/group.

This also matches the behaviour of the source4/winbind code.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11183

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-05-06 01:22:14 +02:00
Stefan Metzmacher
419910532f s3:winbindd: don't remove the DOMAIN\ prefix for principals of our own domain as AD DC
This also matches the behaviour of the source4/winbind code.

In Samba 4.0 and 4.1 we had the following

> getent passwd administrator
S4XDOM\Administrator:*:0:100::/home/S4XDOM/Administrator:/bin/false
> getent passwd S4XDOM\\administrator
S4XDOM\Administrator:*:0:100::/home/S4XDOM/Administrator:/bin/false

With Samba 4.2.0 we have:

> getent passwd administrator
administrator:*:0:100::/home/S4XDOM/administrator:/bin/false
> getent passwd S4XDOM\\administrator
administrator:*:0:100::/home/S4XDOM/administrator:/bin/false

With the patches we have:

> getent passwd administrator
S4XDOM\administrator:*:0:100::/home/S4XDOM/administrator:/bin/false
> getent passwd S4XDOM\\administrator
S4XDOM\administrator:*:0:100::/home/S4XDOM/administrator:/bin/false

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11183

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-06 01:22:14 +02:00
Richard Sharpe
57303c30b2 Change all uint32/16/8 to 32_t/16_t/8_t in winbindd.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-04-29 23:42:20 +02:00
Volker Lendecke
883aa314b8 winbind: Avoid a few talloc_tos() in winbindd_cache.c
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-04-16 21:06:07 +02:00
Volker Lendecke
6a19b3dea8 winbind: Use tdb_parse_record in wcache_fetch_seqnum
This removes a malloc use

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-04-16 21:06:07 +02:00
Stefan Metzmacher
dda25b0bc6 s3:winbindd: add MSG_WINBIND_NEW_TRUSTED_DOMAIN that takes a lsa_TrustDomainInfoInfoEx
When a new trusted domain is added in the LSA server, we need to immediately
have the domain within winbindd. This notification is done via a
MSG_WINBIND_NEW_TRUSTED_DOMAIN message.

In future we might want just a "rescan direct trusts" message,
but that requires a lot of redesign within winbindd.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-30 13:41:25 +02:00
Volker Lendecke
c51300ad89 lib: load_case_tables() -> smb_init_locale()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-24 00:00:20 +01:00
Volker Lendecke
cf368cbdc5 lib: Remove tdb_fetch_compat
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-03-17 11:30:52 +01:00
Volker Lendecke
f199e0ebfc lib: Remove tdb_errorstr_compat
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-03-17 11:30:52 +01:00
Michael Adam
b2f5916d46 s3:winbind:grent: don't stop when querying one domain fails.
Just continue with the next domain.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-16 20:26:51 +01:00
Michael Adam
6f13e79350 s3:winbind:grent: convert wb_next_grent to use wb_query_group_list.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-16 20:26:51 +01:00
Michael Adam
81955ebd40 s3:winbind: add wb_query_group_list module - async query group list
Modeled after wb_query_user_list.c

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-16 20:26:51 +01:00
Michael Adam
9438bcc04c s3:winbind:grent: refactor duplication into wb_next_grent_send_do()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-16 20:26:51 +01:00
Michael Adam
09cc5cf355 s3:winbind:grent: move resetting next_group up.
This is to make it more obvious that this is a case
of code duplication.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-16 20:26:51 +01:00
Michael Adam
36fce5c413 s3:winbind:grent: use wb_next_domain() in wb_next_grent.c
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-16 20:26:51 +01:00
Michael Adam
a221d88c39 s3:winbind:grent: fix a debug message.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-16 20:26:51 +01:00
Michael Adam
1ed41a5c39 s3:winbind:pwent: refactor duplication into wb_next_pwent_send_do()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-16 20:26:51 +01:00
Michael Adam
504b65c49c s3:winbind:pwent: move resetting next_user up.
This does not change the behaviour and makes it more evident
that we have anothe code duplication here:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
if (state->gstate->num_users == 0) {
	...
}

subreq = wb_fill_pwent_send(...)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

is for the current setting of variables equivalent
to the block found elsewhere:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
if (state->gstate->next_user >= state->gstate->num_users) {
	...
}

subreq = wb_fill_pwent_send(...)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

because both num_users is set to a non-negative
value and num_users starts at 0 and is incremented up to
num_users.

The code duplication will be factored out next.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-16 20:26:51 +01:00
Michael Adam
b3023c7e83 s3:winbind:pwent: move wb_next_domain() to winbindd_util.c for re-use
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-16 20:26:51 +01:00
Michael Adam
d0dc6481a8 s3:winbind:pwent: rename wb_next_find_domain to wb_next_domain
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-16 20:26:51 +01:00
Michael Adam
e8996807b1 s3:winbind:pwent: use wb_next_find_domain()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-16 20:26:51 +01:00
Michael Adam
9d1840b9bb s3:winbind:util: fix comment typo
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-16 20:26:51 +01:00
Michael Adam
24015224da s3:winbind:grent: don't stop group enumeration when a group has no gid
simply continue with the next group

Note: this patch introduces some code duplication to make it
easier to create minimal backport patch. Subsequent patches
will provide some refactoring to reduce the duplication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8905

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-16 20:26:50 +01:00
Stefan Metzmacher
1623992105 s3:winbindd: make open_internal_lsa_conn() non static
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:43 +01:00
Stefan Metzmacher
f126eeb2a1 s3:winbindd_cm: improve detection for the anonymous fallback.
If the kinit results in NT_STATUS_NO_LOGON_SERVERS, we should fallback,
if allowed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:43 +01:00
Michael Adam
f5d0204bfa s3-winbind: Fix chached user group lookup of trusted domains.
If a user group lookup has aleady been done before with a machine
account we did always return the incomplete information from the cache.
This patch makes sure we return the correct group information from the
netsamlogon cache.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11143

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Mar  9 19:23:25 CET 2015 on sn-devel-104
2015-03-09 19:23:25 +01:00
Volker Lendecke
5ba377f3df winbind: Make wb_sids2xids_recv work on an array
The trigger for this is that Coverity got confused by the dual use of &xid
as an array with the implicit length equality between wb_sids2xids_send
and the array passed in to wb_sids2xids_recv for the result.

I don't want to start doing things just for the Coverity scan, but this
makes the code clearer to me by removing this implicit expected array
length equality.

Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sat Mar  7 15:28:59 CET 2015 on sn-devel-104
2015-03-07 15:28:59 +01:00
Volker Lendecke
8e195fb52e winbind: Fix CID 1273294 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2015-03-04 14:46:07 +01:00
Volker Lendecke
25928b1bcc winbind: Fix CID 1273295 Uninitialized scalar variable
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2015-03-04 14:46:07 +01:00
Volker Lendecke
200d0bc3a8 winbind: Slightly simplify wb_sids2xids
We only needs "names" and "domains" wb_sids2xids_lookupsids_done. It confused
me when reading this code that these variables are stored in "state".

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-27 22:53:06 +01:00
Volker Lendecke
1cb753ae4e winbind: Simplify winbindd_dsgetdcname_recv
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 27 01:16:10 CET 2015 on sn-devel-104
2015-02-27 01:16:10 +01:00
Volker Lendecke
63552f1c4c winbind: Fix idmap initialization
The fix is in the sscanf line: %u in the sscanf format mandates the use of
a pointer to an "unsigned". idmap_domain->[low|high]_id are uint32_t. On
little endian 64-bit this might at least put the correct values into
low_id and high_id, but might overwrite the read_only bit set earlier,
depending on structure alignment and packing. On big endian 64-bit,
this will just fail.

Automatic conversion to uint32_t will happen only at assignment, not
when you take a pointer of such a thing.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jan 22 17:58:16 CET 2015 on sn-devel-104
2015-01-22 17:58:16 +01:00
Richard Sharpe
b817ce6d91 Add a script-only idmap module.
In this third version I have cleaned up some unused variable warnings that
only the Samba 3 build found and added a man page based on the idmap_tdb2
man page. I have also added support for ID_TYPE_BOTH mappings and replaced
calls to popen with something safer. Also, I removed some non-PC macros.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan  8 04:30:32 CET 2015 on sn-devel-104
2015-01-08 04:30:32 +01:00
Christof Schmitt
a2670f15de winbind: Retry after SESSION_EXPIRED error in ping-dc
Trying to establish a netlogon connection when the service ticket
expires might fail with NT_STATUS_NETWORK_SESSION_EXPIRED. The
underlying client code already marks the session as invalid, so retry
the netlogon connect in this case.

Signed-off-by: Christof Schmit <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan  6 02:58:57 CET 2015 on sn-devel-104
2015-01-06 02:58:57 +01:00
Stefan Metzmacher
8a2a5986b6 s3:winbindd: improve logic to use CLDAP for a given domain.
As an AC Domain Controller we should try CLDAP for active directory domains.
E.g. FreeIPA domains doesn't provide NBT at all...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Jan  5 19:23:40 CET 2015 on sn-devel-104
2015-01-05 19:23:39 +01:00
Stefan Metzmacher
3c99260551 s3:winbindd: mark our primary as active_directory if possible
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-01-05 17:01:08 +01:00
Christof Schmitt
2fdc551603 winbind: Retry LogonControl RPC in ping-dc after session expiration
When the underlying session expires, the LogonControl RPC call used in
ping-dc returns NT_STATUS_IO_DEVICE_ERROR. Retry once in this case,
instead of returning the error to the caller.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 23 02:46:34 CET 2014 on sn-devel-104
2014-12-23 02:46:34 +01:00
Stefan Metzmacher
c5e966d989 s3:winbindd: make use of cli_rpc_pipe_open_schannel_with_creds()
This way we pass down enough information for SEC_CHAN_DNS_DOMAIN to work.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
a601c087b0 s3:winbindd: make use of rpccli_{create,setup}_netlogon_creds_with_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
6f718ba172 s3:winbindd: we only need a an netlogon connection to a rwdc if we're a rodc ourself
If we're a member or RWDC there's no need to require talking to a rwdc,
an rodc will forward the request if required.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
29816c53b2 s3:winbindd: make sure we try to use NCACN_IP_TCP in cm_connect_netlogon
We need to call init_dc_connection_rpc() before we can decide if we want to try
NCACN_IP_TCP.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
a44e8a3249 s3:winbindd: use find_domain_from_name_noinit() in winbindd_ping_dc_send()
We should not try to connect to the given domain from within the winbindd parent.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:12 +01:00
Stefan Metzmacher
8a40669309 s3:winbindd: report our own name for PING_DC and internal domains
This means "wbinfo --ping-dc" works fine on a DC.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:12 +01:00
Stefan Metzmacher
064d40f4d3 s3:winbindd: try to use the trust account with kerberos if possible
This trust account is usable for SMB authentication via kerberos,
so we should try that if we think the domain is active directory.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-18 06:47:40 +01:00
Stefan Metzmacher
b9e4a8b869 s3:winbindd: fix anon fallback in cm_prepare_connection()
We should not crash with machine_password==NULL.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-18 06:47:40 +01:00
Stefan Metzmacher
b0e97793ab s3:winbindd: also try to fallback to anonymous if we get NT_STATUS_INVALID_ACCOUNT_NAME
Kerberos authentication may return NT_STATUS_INVALID_ACCOUNT_NAME (PRINCIPAL_UNKNOWN)

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-18 06:47:40 +01:00
Volker Lendecke
0013001e70 lib: Split out write_data[_iov]
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-12-07 00:12:07 +01:00
Volker Lendecke
a8491cb95a lib: read_data->read_data_ntstatus
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-12-07 00:12:07 +01:00
Volker Lendecke
97b2570a5e lib: Split out sys_[read|write] & friends
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-12-07 00:12:07 +01:00
Garming Sam
3b76b705f0 pdb: Increase version number to fix ABI
In the process, we can also rename pdb to avoid conflicts with libpdb.

We don't depend directly on pdb to avoid duplicate symbols.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10355
Change-Id: I4df6ba2f4ce35d3718dc4198b527cca46a139efe
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-12-03 04:21:09 +01:00
Garming Sam
7979c6cc50 idmap: unify passdb *id_to_sid methods
Instead of passing down gid or uid, a pointer to a unixid is now sent
down. This acts as an in-out variable so that the idmap functions can
correctly receive ID_TYPE_BOTH, filling in cache details correctly
rather than forcing the cache to store ID_TYPE_UID or ID_TYPE_GID.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10720

Change-Id: I11409a0f498e61a3c0a6ae606dd7af1135e6b066
Pair-programmed-with: Andrew Bartlett <abarlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-12-03 04:21:09 +01:00
Stefan Metzmacher
111269d484 s3:winbindd: make use of talloc_string_sub2() in generate_krb5_ccache()
This way we don't pass a given format string to talloc_asprintf().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-25 07:25:45 +01:00
Stefan Metzmacher
a5f35ed5cf s3:winbindd: avoid invalid pointer type warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-25 07:25:45 +01:00
Günther Deschner
a62cc2ce44 samba: pass down size_t instead of int to add_string_to_array().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Nov 17 19:53:22 CET 2014 on sn-devel-104
2014-11-17 19:53:22 +01:00
David Disseldorp
35539826d4 winbindd_cache: don't leak state_path onto talloc tos
Also check for allocation failures.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-03 23:46:05 +01:00
David Disseldorp
d428aa65d3 winbindd: don't leak state_path onto talloc tos
Also check for allocation failures.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-03 23:46:05 +01:00
David Disseldorp
364d55ccab idmap_autorid: don't leak state_path onto talloc tos
Also check for allocation failures.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-03 23:46:05 +01:00
Stefan Metzmacher
71432b9eda s3:libsmb: Remove unused domain copy stored in cli_state
Change-Id: I7333140906bb3a487205b5760396dcc00a9f49b0
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
2b9d6d3d9b s3:libsmb: Remove unused password copy stored in cli_state
Change-Id: Ia6b33a25628ae08be8a8c6baeb71ce390315cb45
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
07bd866f59 s3-winbindd: use cli_rpc_pipe_open_with_creds()
Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
be994ca579 s3-winbindd: Use own machine account to connect to trusted domains as well
This relies on a two-way trust, which we may not have, but is the only
secure way to do this.  To do this correctly we need to split NETLOGON
from normal authentication, as we need to use the machine account for
the SMB level, but the inter-domain trust account for the NETLOGON
level.

Change-Id: Ib93eb6a4d704ef26df8234be7cb71c47ad519c8a

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Stefan Metzmacher
0392ebcd1d s3-winbindd: use a cli_credentials structure to hold the trust credentials
Later we can pass this down directly and have a much more sane
handling of credentials and the spnego handshake.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Change-Id: If12ef0b105d8c7af60190d4eed3c8c07849da2ca

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
ae72733874 s3-winbindd: Attempt to connect to NETLOGON over NCACN_IP_TCP if we can
This is very helpful in the trusted domain situation, as we may not
have a two-way trust but we can use our domain trust account to set up
a connection to NETLOGON

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct  8 12:48:15 CEST 2014 on sn-devel-104
2014-10-08 12:48:15 +02:00
Andrew Bartlett
6f97237edb s3-rpc_client: Migrate to cli_rpc_pipe_open_generic_auth and remove cli_rpc_pipe_open_spnego
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct  8 03:36:52 CEST 2014 on sn-devel-104
2014-10-08 03:36:52 +02:00
Andrew Bartlett
74dcde5347 s3-rpc_client: Adapt cli_rpc_pipe_open_spnego to use enum credentials_kerberos_state
This allows us to pass this value in directly from the cli_credentials
structure in winbindd.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-08 01:09:51 +02:00
Andrew Bartlett
14f6256c51 s3-winbindd: Allow winbindd to connect over SMB2 to servers
This allows SMB signing to work against many more DCs, and so improves network security.

The default for "client max protocol" remains NT1 in the rest of the code.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-08 01:09:51 +02:00
Andrew Bartlett
91d6f603b1 s3-winbindd: Pass the whole winbindd_domain to invalidate_cm_connection()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-08 01:09:50 +02:00
Andrew Bartlett
92ca4f52ae winbindd: Do not overwrite domain list with conflicting info from a trusted domain
This places less trust in our primary DC or trusted domain DC and refuses to update info that is conflicting

This does not currently reject the connection to the DC, but only ensures it can only update missing information or to correct the case of the domain.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Oct  6 17:21:03 CEST 2014 on sn-devel-104
2014-10-06 17:21:03 +02:00
Christof Schmitt
15840955cb windbindd: Make cm_connect_lsa_tcp static
It is only used in winbindd_cm.c

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Oct  4 02:34:49 CEST 2014 on sn-devel-104
2014-10-04 02:34:48 +02:00
Christof Schmitt
0e3ea71c21 s3-winbindd: Make wcache_sid_to_name static
It is only used in winbindd_cache.c

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-10-04 00:11:21 +02:00
Christof Schmitt
d46081bf43 s3-winbindd: Remove extern declaration for cache_methods from winbindd_dual.c
cache_methods is not used in winbindd_dual.c

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-10-04 00:11:21 +02:00
Justin Maggard
902086d0d4 winbind3: Fix pwent variable substitution
Commit 0ce46318 (winbind3: Simplify fillup_pw_field) broke variable
substitution by copying from the wrong (unsubstituted) buffer.  Fix it.

Signed-off-by: Justin Maggard <jmaggard10@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <rsharpe@samba.org>
2014-10-03 19:55:08 +02:00
Christof Schmitt
7f17e017b5 idmap_rfc2307: Remove unsed parameter and variable
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Wed Oct  1 19:20:50 CEST 2014 on sn-devel-104
2014-10-01 19:20:50 +02:00
Christof Schmitt
304e3904f0 idmap_rfc2307: Fix a crash after connection problem to DC
When the connection to the DC has a problem, the code behind
ads_do_search_retry closes the current connection and opens a new one.
The new connection has a new struct LDAP to represent the connection. In
this case, the LDAP pointer in the idmap_rfc2307_context becomes
invalid.

Fix this problem by updating the local pointer after calling
ads_do_search_retry.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2014-10-01 16:56:49 +02:00
Andrew Bartlett
e2cd325714 winbindd: Do not make anonymous connections by default
The requirement is that we have "winbind sealed pipes = false" and
"require strong key = false" before we make anonymous connections.
These are a security risk as we cannot prevent MITM attacks.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-30 12:32:05 +02:00
Christof Schmitt
9c9216410f s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call
Create a new lsa_RefDomainList and populate it with the domain SID from
the original query. That avoids the problem that for migrated objects,
LookupSids returns the SID of the new domain, and combining that with
the RID from the input results in an invalid SID.

A better fix would be querying the RID of the user in the new domain,
but the approach here at least avoids id mappings entries for invalid
SIDs.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Sep 29 13:15:18 CEST 2014 on sn-devel-104
2014-09-29 13:15:18 +02:00
Andrew Bartlett
a59b00dc91 s3-winbindd: Require SMB signing by default to disrupt MITM attacks with our DC
This makes it much harder to impersonate the DC, but allows this to be
turned off or returned to IF_REQUIRED with a simple change to the
'client signing' smb.conf parameter.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Sep 28 06:25:55 CEST 2014 on sn-devel-104
2014-09-28 06:25:55 +02:00
Andrew Bartlett
a3ecad4237 idl: Merge NETR_TRUST and LSA_TRUST definitions into one set only in lsa.idl
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-27 01:35:36 +02:00
Jeremy Allison
92da0b243c s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs.
There are places in the code where we're not checking that alt_name is NULL
and then calling into the DC lookup code with a NULL name request. This can
happen in offline mode.

Fixes bug #10717 - Winbind crash on losing VPN connection

https://bugzilla.samba.org/show_bug.cgi?id=10717

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Sep 15 23:29:00 CEST 2014 on sn-devel-104
2014-09-15 23:29:00 +02:00
Andrew Bartlett
5602377fce set_dc_type_and_flags_trustinfo: Use init_dc_connection and wb_open_internal_pipe
This means we call this code, and mark trusted domains as active directory, when we are an AD DC.

Otherwise, in the previous case we would not have domain->active_directory set, and would fail on
connection_ok() due to not having a full connection to our internal DC

Change-Id: I7ccee569d69d6c5466334540db8920e57aafa991
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-01 00:36:42 +02:00
Andrew Bartlett
7a29173af8 winbindd: Add debugging to assist in locating errors creating NETLOGON pipes
Change-Id: If15483c37ed43267c6474ce8b5e9d96254745bca
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-09-01 00:36:42 +02:00
Andrew Bartlett
a348959088 winbindd: Do not segfault if the trusted domain has no SID
Currently we abort, as skipping the domain would make the loop much more complex for a situation not yet seen in the real world.

Andrew Bartlett

Change-Id: Ie1e269eb25047d662d8fd0f771ee20de1d48706b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-09-01 00:36:42 +02:00
Christof Schmitt
f8ec0f9807 s3-winbindd: Document parameters in ads_cached_connection_reuse
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Aug 30 06:10:36 CEST 2014 on sn-devel-104
2014-08-30 06:10:36 +02:00
Christof Schmitt
b20fce84fa s3-winbindd: Use more descriptive parameter names in ads_cached_connection_connect
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-08-30 03:48:12 +02:00
Christof Schmitt
c203c722e7 s3-winbindd: Use correct realm for trusted domains in idmap child
When authenticating users in a trusted domain, the idmap_ad module
always connects to a local DC instead of one in the trusted domain.

Fix this by passing the correct realm to connect to.

Also Comment parameters passed to ads_cached_connection_connect

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-08-30 03:48:12 +02:00
Andrew Bartlett
c01ee4614a winbindd-irpc: Ensure not to call irpc_send_reply twice on error
As found during investigation of the previous commit, when the RPC
call fails totally, we must only try and send one error reply.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Aug  1 12:11:29 CEST 2014 on sn-devel-104
2014-08-01 12:11:28 +02:00
Jeremy Allison
f9588675ea s3: winbindd: On new client connect, prune idle or hung connections older than "winbind request timeout"
Bug 3204 winbindd: Exceeding 200 client connections, no idle connection found

https://bugzilla.samba.org/show_bug.cgi?id=3204

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 29 23:31:14 CEST 2014 on sn-devel-104
2014-07-29 23:31:14 +02:00
Volker Lendecke
f5efddb9ae lib: directory_create_or_exist() does not use "uid" parameter
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-07-28 22:04:13 +02:00
Michael Adam
b51809c13e s3:idmap: fix talloc hierarchy in idmap_passdb_domain()
(don't init to NULL context - we got one handed in...)

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jul 25 14:18:20 CEST 2014 on sn-devel-104
2014-07-25 14:18:20 +02:00
Michael Adam
b78d44fe89 s3:idmap: only check the range values if a range setting has been found.
Otherwise, the check is superfluous since high and low values are
initialized to 0.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2014-07-25 11:52:10 +02:00
Michael Adam
f354917208 s3:idmap: move loading of idmap options together before range checking in idmap_init_domain()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2014-07-25 11:52:10 +02:00
Michael Adam
3ac00c9dc3 s3:idmap: in idmap_init_domain() load methods before loading further config
Check whether the requested backend exists at all, before going
further into the config parsing.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2014-07-25 11:52:10 +02:00
Michael Adam
3c6ec8908a s3:idmap: don't log missing range config if range checking not requested
idmap_init_domain() is called with check_range == false from
idmap_passdb_domain(). In this case, we usually don't have an
idmap range at all, and we don't want to level 1 debug
messages complaining about the fact are irritating at least.

This patch removes the debug in the case of check_range == false.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10737

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2014-07-25 11:52:10 +02:00
Günther Deschner
2a790a5aff s3-winbindd: prefer "displayName" over "name" in ads user queries for the fullname.
This makes use more consistent with security=domain as well where the gecos
field is also filled using the displayName field.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-07-15 16:00:40 +02:00
Andreas Schneider
403693f228 s3-winbind: Don't set the gecos field to NULL.
The value is loaded from the cache anyway. So it will be set to NULL if
it is not available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-07-15 16:00:40 +02:00
Günther Deschner
1839417bcc s3-winbindd: use wcache_query_user_fullname after inspecting samlogon cache.
The reason for this followup query is that very often the samlogon cache only
contains a info3 netlogon user structure that has been retrieved during a
netlogon samlogon authentication using "network" logon level. With that logon
level only a few info3 fields are filled in; the user's fullname is never filled
in that case. This is problematic when the cache is used to fill in the user's
gecos field (for NSS queries). When we have retrieved the user's fullname during
other queries, reuse it from the other caches.

Thanks to Matt Rogers <mrogers@redhat.com>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440

Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-07-15 16:00:40 +02:00
Günther Deschner
cf0ae511eb s3-winbindd: add wcache_query_user_fullname().
This helper function is used to query the full name of a cached user object (for
further gecos processing).

Thanks to Matt Rogers <mrogers@redhat.com>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440

Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-07-15 16:00:40 +02:00
Günther Deschner
c735823f68 s3-winbindd: call interactive samlogon via rpccli_netlogon_password_logon.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-07-15 16:00:40 +02:00
Stefan Metzmacher
fa06617886 s3:winbindd: remove unused get[pw|gr]ent_initialized from winbindd_cli_state
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jul 11 18:46:09 CEST 2014 on sn-devel-104
2014-07-11 18:46:09 +02:00
Andrew Bartlett
af7f88721a winbindd: Use a remote RPC server when we are an RODC when needed
This allows us to operate against the local cache where possible, but
to forward some operations to the read-write DC.

Andrew Bartlett

Change-Id: Idc78ae379a402969381758919fcede17568f094e
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Andrew Bartlett
0b77cd969c s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
This changes the auth code in winbindd to use this as a flag, and to
therefore contact the RW DC.

Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Garming Sam
95a55df021 winbindd: Allow the AD-DC to call getdcname
This is particularly useful for RODC and eliminates a knownfail.

Change-Id: Ia5089761dcabb1620eadd530dbc9b05580cddd1f
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Jeremy Allison
6767d519c5 s3:winbindd - fix bad bugfix for bug #10280 - winbind panic if AD server is down.
Previous bug fix reversed the sense of the test for out of memory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10280

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-07-02 08:03:15 +02:00
Jeremy Allison
e907f84156 s3: auth: Fix winbindd_pam_auth_pac_send() to create a new info3 and merge in resource groups from a trusted PAC.
Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104
2014-06-18 03:30:35 +02:00
Andrew Bartlett
ad533709e5 s3-winbindd: Honour pdb_is_responsible_for_everything_else()
This allows us to avoid running idmap_init_default_domain() which
gives an error in the default AD DC config.

Andrew Bartlett

Change-Id: I923bd941951f6a907e6fa1ad167e5218a01040ff
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
2014-06-16 00:26:26 +02:00
Andrew Bartlett
ba4467ca65 s3-winbindd: Implement SamLogon IRPC call
We do this by lifting parts of the winbindd_dual_pam_auth_crap() code
into a new helper function winbind_dual_SamLogon().  This allows us to
implement the semantics we need for IRPC, without the artifacts of the
winbindd pipe protocol.

Change-Id: Idb169217e6d68d387c99765d0af7ed394cb5b93a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 11 12:43:58 CEST 2014 on sn-devel-104
2014-06-11 12:43:58 +02:00
Andrew Bartlett
eabe7d732e s3-winbind: Transparently forward IRPC messages to the winbind_dual child
Change-Id: I8b336e2365e10ef9ea04d0957eb0829d3766b11e
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Andrew Bartlett
faa4452df7 s3-winbind rename winbindd_update_rodc_dns to be for more generic irpc
Change-Id: I385ef8bd766848becc42e58694207dc94cd07a89
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Andrew Bartlett
f4ab082d2b librpc/idl: Merge wbint.idl with winbind.idl so we can forward IRPC requests to internal winbind calls
Change-Id: Iba3913d5a1c7f851b93f37e9beb6dbb20fbf7e55
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Andrew Bartlett
223fbdaf38 s3-winbindd: Listen on IRPC and do forwarded DNS updates on an RODC
Change-Id: Ib87933c318f510d95f7008e122216d73803ede68
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Andrew Bartlett
cb79cc342e s3-winbindd: Register winbindd with irpc
Change-Id: Ie3c7109fef6982d95e8cad06870334565352e329
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Andrew Bartlett
597d2a7a29 auth: Provide a way to use the auth stack for winbindd authentication
This adds in flags that allow winbindd to request authentication
without directly calling into the auth_sam module.

That in turn will allow winbindd to call auth_samba4 and so permit
winbindd operation in the AD DC.

Andrew Bartlett

Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Andrew Bartlett
2e961bf598 winbindd: Call set_dc_type_and_flags on the internal domain
This allows the AD DC to be picked up correctly and gives the correct DNS name.

To ensure no confusion, we also always init it with the full DNS name.

It also means that, aside from the BUILTIN domain the initialized
flag is set only in one place, which will help when we add more details
to the domain structure in the future.

This in turn allows kerberos authentication against winbindd on the AD DC.

Andrew Bartlett

Change-Id: Idc829cfe5f2e867c87107b49275b17f294821dcd
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Christian Ambach
89961ca297 s3:lib/afs move afs.c to common lib dir
some of the code in afs.c is needed by wbinfo that lives in the toplevel
nsswitch directory, so move the afs.c file to a new top-level lib/afs
directory. Use the name afs_funcs to avoid collisions with the afs.h
header from OpenAFS

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-06-04 20:09:38 +02:00
Andreas Schneider
62b4d442b9 s3-winbind: Use strlcpy to avoid log entry.
The full_name from Windows can be longer than 255 chars which results in
a warning on log level 0 that we have a string overflow. This will avoid
the warning. However we should fix this sooner or later on the protocol
level to have no limit.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun  4 16:49:11 CEST 2014 on sn-devel-104
2014-06-04 16:49:11 +02:00
Andrew Bartlett
5a71f46f46 winbindd: Use rpc_pipe_open_interface() so that winbindd uses the correct rpc servers
This means that in the AD DC, we use the AD DC servers, while in the classic DC or file server we continue
to use the built-in SAMR and LSA servers.

Andrew Bartlett

Change-Id: I63b1443f5665016f7fcbed35907ec29d4424ab18
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-04 03:22:26 +02:00
Andrew Bartlett
e85ab68518 winbindd: Remove pointless if statement
Change-Id: I7d2646078f6e7ba596b92da7d37c285d10ad38c0
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-04 03:22:26 +02:00
Andrew Bartlett
04bc200e95 winbindd: explain that this check protects the AD DC machine account password (for now at least)
Change-Id: I2e2eb2e7fc4a12f27025f42e4cc41560311ce6c8
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-04 03:22:26 +02:00
Andrew Bartlett
77b04f1df6 winbind: Allow winbindd to be run from inside "samba"
Change-Id: I6b90a9b62ba5821e0feedb23cd20642078ba0ca6
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 29 05:28:39 CEST 2014 on sn-devel-104
2014-04-29 05:28:39 +02:00
Michael Adam
2372bd7d0c autorid: Add allocation from above in alloc range for well known sids
This way, we achieve a better determinism for the id mappings
of the well knowns without wasting a separate range.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Apr 25 17:52:10 CEST 2014 on sn-devel-104
2014-04-25 17:52:10 +02:00
Michael Adam
90d9445da4 autorid: use dbwrap_trans_do() in idmap_autorid_sid_to_id_alloc()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
0df8988c08 autorid: add high_id to range config and fill it where we also fill range->low_id.
This corresponds to low_id for convenience and allows
for computations without going back to the global config.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
a1adc881cf autorid: reserve 500 IDs at the top of the ALLOC range.
The wellknowns are now allocated into this sub-range.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
57e49d90f2 autorid: reverse order of arguments of idmap_autorid_sid_to_id_alloc()
for consistency

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
3f1297f363 autorid: introduce idmap_autorid_domsid_is_for_alloc()
Currently, this checks if the sid is a wellknown domain sid.
But the code reads more nicely and more domains might be added
in the future.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
eaf770a611 autorid: factor idmap_autorid_sid_to_id() out of idmap_autorid_sids_to_unixids()
- reduces indentation
- unifies error code paths and bumping counters
- makes the code more easy to read

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
64e267c2fe autorid: make the checks for bumping num_mapped identical for alloc and rid case
in idmap_autorid_sids_to_unixids()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
5d7b1363f0 autorid: explicitly return NTSTATUS_OK in idmap_autorid_sid_to_id_alloc().
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
79a245808c autorid: more explicitly and reasonably set map->state in idmap_autorid_sid_to_id_alloc
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00