1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

334 Commits

Author SHA1 Message Date
Stefan Metzmacher
ec55c18ced s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupNames2()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
c78c17dc2f s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupSids2()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
c0f6103dde s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupSids_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
7c1c9bf53f s4:rpc_server/lsa: simplify [ref] pointer handling in dcesrv_lsa_LookupNames()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
5d868fd875 s4:rpc_server/lsa: simplify [ref] pointer handling in dcesrv_lsa_LookupSids()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
e8a0223633 s4:rpc_server/lsa: remove unused 'status' variable in dcesrv_lsa_LookupSids_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
fe43dd8678 s4:rpc_server/lsa: make sure dcesrv_lsa_LookupNames2() gets prepared [ref] pointers
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
3339a1c572 s4:rpc_server/lsa: expect prepared [ref] pointers in dcesrv_lsa_LookupNames_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
f6e60d2c2e s4:rpc_server/lsa: make sure dcesrv_lsa_LookupSids_common() gets prepared [ref] pointers
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
3909f8fcfe s4:rpc_server/lsa: use LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES/LSA_CLIENT_REVISION_1 in compat code
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Ralph Boehme
6151909c82 s4/rpc_server: trigger trusts reload in winbindd after successfull trust info acquisition
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-10 08:35:16 +01:00
Ralph Boehme
9f96ede6f5 winbindd: rename MSG_WINBIND_NEW_TRUSTED_DOMAIN to MSG_WINBIND_RELOAD_TRUSTED_DOMAINS
This reflects the new implementation in winbindd.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-10 08:35:16 +01:00
Ralph Boehme
ffa9eb7d64 s4/rpc_server: remove unused data argument from MSG_WINBIND_NEW_TRUSTED_DOMAIN
winbindd doesn't use that data anymore.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-10 08:35:16 +01:00
David Mulder
e60f49783e gpo: Apply kerberos settings
Add kdc kerberos settings to gpo.tdb, then retrieve those settings in
lpcfg_default_kdc_policy.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
Stefan Metzmacher
f0541309d7 s4:dsdb/samdb: pass an existing 'struct ldb_context' to crack_name_to_nt4_name()
There's no point in creating a temporary ldb_context as
all direct callers already have a valid struct ldb_context for
the local sam.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-26 08:47:15 +02:00
Volker Lendecke
277eac1a8e lsa4_srv: Factor out dcesrc_lsa_valid_AccountRight()
The previous code in dcesrv_lsa_AddRemoveAccountRights had the following snippet:

if (sec_privilege_id(rights->names[i].string) == SEC_PRIV_INVALID) {
        if (sec_right_bit(rights->names[i].string) == 0) {
                talloc_free(msg);
                return NT_STATUS_NO_SUCH_PRIVILEGE;
        }
        talloc_free(msg);
        return NT_STATUS_NO_SUCH_PRIVILEGE;
}

If I'm not mistaken, the inner if-statement is essentially dead code,
as regardless of the outcome of the if-condition we execute the same
code. The effect of this is that you can't "net rpc rights grant" a right,
for example SeInteractiveLogonRight. A quick test against a W2k12 server
shows that W2k12 allows this call.

This patch changes the semantics of dcesrv_lsa_AddRemoveAccountRights
to also allow "rights" to be granted and revoked. At the same
time, it centralizes the check for validity of user input from
dcesrv_lsa_EnumAccountsWithUserRight into dcesrc_lsa_valid_AccountRight
too.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 29 09:20:02 CEST 2017 on sn-devel-144
2017-04-29 09:20:02 +02:00
Jeremy Allison
306783d6f5 lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
Not currently used - no logic changes inside.

This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.

Updated all known module interface numbers, and added a
WHATSNEW.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
2017-04-22 01:17:00 +02:00
Andrew Bartlett
31d625bcd2 s4-rpc_server: Add back support for lsa over \\pipe\\netlogon optionally
The idea here is that perhaps some real client relies on this (and not just Samba torture
commands), so we need a way to support it for the 4.6 release.

If no such client emerges, it can be deprecated and removed in the normal way.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-15 08:21:12 +01:00
Günther Deschner
160d5c40a6 werror: replace WERR_INVALID_PARAM with WERR_INVALID_PARAMETER in source4/rpc_server/
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-28 00:04:23 +02:00
Stefan Metzmacher
8305c0a8fc CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:29 +02:00
Stefan Metzmacher
fcdd15a93f CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:27 +02:00
Jelmer Vernooij
773cfba9af Avoid including libds/common/roles.h in public loadparm.h header.
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Stefan Metzmacher
f9246d78f7 s4:rpc_server/lsa: remove unused code
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
c98f96d1b1 s4:rpc_server/lsa: use dsdb_trust_*() helper functions in dcesrv_lsa_lsaRSetForestTrustInformation()
This means we return mostly the same error codes as a Windows
and also normalize the given information before storing.

Storing is now done within a transaction in order to avoid races
and inconsistent values.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
ac4c4a95e5 s4:rpc_server/lsa: implement dcesrv_lsa_lsaRQueryForestTrustInformation()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
98dc4100ab s4:rpc_server/lsa: improve dcesrv_lsa_CreateTrustedDomain_base()
We need to make sure a trusted domain has 'flatName', 'trustPartner'
and 'securityIdentifier' values, which are unique.

Otherwise other code will get INTERNAL_DB_CORRUPTION errors.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
df7f745099 s4:rpc_server/lsa: fix dcesrv_lsa_CreateTrustedDomain()
It needs to pass 'name' as 'netbios_name' and also 'dns_name'.

flatName and trustPartner have the same value for downlevel trusts.
And both are required.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Volker Lendecke
838218db63 Fix the O3 developer build
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-04-28 18:11:13 +02:00
Stefan Metzmacher
6f8b868a29 s4:rpc_server/lsa: we need to normalize the trustAuth* blobs before storing them
The number of current and previous elements need to match and we have to
fill TRUST_AUTH_TYPE_NONE if needed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-30 13:41:25 +02:00
Stefan Metzmacher
73a4387ab9 s4:rpc_server/lsa: notify winbindd about new trusted domains
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-30 13:41:25 +02:00
Stefan Metzmacher
654d63b94b s4:rpc_server/lsa: implement the policy security descriptor
We now check the requested access mask in OpenPolicy*()
and return NT_STATUS_ACCESS_DENIED if the request is not granted.

E.g. validating a domain trust via the Windows gui requires this
in order prompt the user for the credentials. Otherwise
we fail any other call with ACCESS_DENIED later and the
gui just displays a strange error message.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-30 13:41:25 +02:00
Stefan Metzmacher
a09f9cfd2f s4:rpc_server/lsa: normalize the access_mask for lsa account objects
We still grant all access in the access_mask, but we don't check the
mask at all yet...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-30 13:41:25 +02:00
Stefan Metzmacher
a15600727f s4:rpc_server/lsa: correctly set *r->out.resume_handle with NT_STATUS_OK in lsa_EnumTrustedDomainsEx()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-27 01:26:15 +01:00
Stefan Metzmacher
ac45921981 s4:rpc_server/lsa: only return collision_info if filled in lsaRSetForestTrustInformation()
If there're no collisions we should not fill the collision_info pointer.

Otherwise Windows fails to create a forest trust.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:44 +01:00
Stefan Metzmacher
080db5f60a lsa.idl: improve idl for lsa_ForestTrust*Record*
The meaning of lsa_ForestTrustRecordFlags is based lsa_ForestTrustRecordType,
but the type is not always available so it's not possible to use an union.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:44 +01:00
Volker Lendecke
a99a5a34a5 Fix the developer O3 build
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Feb 25 16:32:29 CET 2015 on sn-devel-104
2015-02-25 16:32:29 +01:00
Stefan Metzmacher
12a6c325c8 s4:rpc_server/lsa: add dcesrv_lsa_OpenTrustedDomain_common()
dcesrv_lsa_OpenTrustedDomain() and dcesrv_lsa_OpenTrustedDomainByName()
need to use the same logic and make sure trusted_domain_user_dn is valid.

Otherwise dcesrv_lsa_OpenTrustedDomainByName() followed by
dcesrv_lsa_DeleteObject() will leave the trust domain account
in the database.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2015-01-26 11:55:07 +01:00
Andrew Bartlett
ef7fb904a9 CVE-2014-8143:dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl
This requires an additional control to be used in the
LSA server to add domain trust account objects.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Thu Jan 15 14:54:47 CET 2015 on sn-devel-104
2015-01-15 14:54:47 +01:00
Stefan Metzmacher
57300bbf5e s4:rpc_server/lsa: remove msDS-TrustForestTrustInfo if FOREST_TRANSITIVE is cleared
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan  6 22:50:23 CET 2015 on sn-devel-104
2015-01-06 22:50:23 +01:00
Stefan Metzmacher
cfe6377173 s4:rpc_server/lsa: allow LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE to be changed.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
2015-01-06 20:25:04 +01:00
Stefan Metzmacher
ec7351184f s4:rpc_server/lsa: fix segfault in check_ft_info()
This is triggered by lsa_lsaRSetForestTrustInformation()
with ForestTrustInfo elements using FOREST_TRUST_TOP_LEVEL_NAME.

The nb_name variable was uninitialized and dereferenced without checking.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
2c92545452 s4:rpc_server/lsa: remove trustAuthIncoming/trustAuthOutgoing when the related flag is removed.
When LSA_TRUST_DIRECTION_INBOUND or LSA_TRUST_DIRECTION_OUTBOUND flags is cleared
we should also remove the related credentials.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
1d6e9e5e58 s4:rpc_server/lsa: pass the correct variable to setInfoTrustedDomain_base()
This requires 'struct lsa_policy_state', we now pass this directly
instead of a instead of an opaque 'struct dcesrv_handle'.

dcesrv_lsa_SetInformationTrustedDomain() passes in a 'struct dcesrv_handle'
with 'struct lsa_trusted_domain_state' before, which results in segfaults.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2014-12-19 13:15:13 +01:00
Andrew Bartlett
a3ecad4237 idl: Merge NETR_TRUST and LSA_TRUST definitions into one set only in lsa.idl
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-27 01:35:36 +02:00
Andrew Bartlett
086c06e361 kerberos: Remove un-used event context argument from smb_krb5_init_context()
The event context here was only specified in the server or admin-tool
context, which does not do network communication, so this only caused
a talloc_reference() and never any useful result.

The actual network communication code sets an event context directly
before making the network call.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
2014-04-28 02:24:57 +02:00
Garming Sam
0b8213ae1c Remove all uses of the NT_STATUS_NOT_OK_RETURN_AND_FREE macro from the codebase.
Following the current coding guidelines, it is considered bad practice to return from
within a macro and change control flow as they look like normal function calls.

Change-Id: I421e169275fe323e2b019c6cc5d386289aec07f7
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-05 16:33:22 +01:00
Garming Sam
952bc3cad0 Remove a number of NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros from the codebase.
Following the current coding guidelines, it is considered bad practice to return from
within a macro and change control flow as they look like normal function calls.

Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-03-05 16:33:21 +01:00
Stefan Metzmacher
bc4c7d4c1e s4:rpc_server: make use of dcerpc_binding_get_transport()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-13 11:54:17 +01:00
Christian Ambach
ce975e61b8 s4:rpc_server/lsa_lookup fix a compile warning
about a set, but unused variable

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 13 01:49:50 CET 2013 on sn-devel-104
2013-12-13 01:49:50 +01:00
Michael Adam
1c9c2e3b65 s4:rpc-server: fix lsa_lookupsids return value for the domain sid
We currently return type UNKNOWN and copy the domain sid to the name.
Instead we should return type DOMAIN and return NULL as name.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 13 13:34:16 CET 2013 on sn-devel-104
2013-11-13 13:34:16 +01:00