1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

311 Commits

Author SHA1 Message Date
Stefan Metzmacher
5ca59a1772 s3:libsmb: don't pass 'passlen' to cli_tree_connect[_send]() and allow pass=NULL
There're no callers which try to pass a raw lm_response directly anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec  9 13:09:37 CET 2016 on sn-devel-144
2016-12-09 13:09:37 +01:00
Stefan Metzmacher
879c291363 s3:winbindd: always use saf_store(domain->alt_name, controller) for ad domains
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-02 13:46:11 +01:00
Andreas Schneider
31ee1c5350 s3-winbind: Directly pass creds with cli_session_setup_creds()
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Nov 15 14:51:02 CET 2016 on sn-devel-144
2016-11-15 14:51:02 +01:00
Stefan Metzmacher
482d3b35e9 s3:libsmb: let the callers only pass the password string to cli_session_setup[_send]()
There're no callers which tried to pass raw {lm,nt}_response any more.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-15 11:00:26 +01:00
Stefan Metzmacher
55b07e1dec s3:rpc_server: pass the full ndr_interface_table to rpc_pipe_open_internal()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:18 +02:00
Jim McDonough
9a274d9ae7 winbind: honor 'socket options' in winbind
Set socket options from smb.conf before negprot, as done by libsmbclient

Signed-off-by: Jim McDonough <jmcd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-17 04:13:13 +02:00
Günther Deschner
d2379caa77 s3-winbind: Fix schannel connections against trusted domain DCs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-06-13 10:10:11 +02:00
Stefan Metzmacher
a046ffd6cd CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-04-12 19:25:26 +02:00
Stefan Metzmacher
57b04e805d CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-04-12 19:25:26 +02:00
Karolin Seeger
a42dc8610b s3/winbindd: Add missing space in debug message.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Tue Feb 23 14:20:01 CET 2016 on sn-devel-144
2016-02-23 14:20:01 +01:00
Christof Schmitt
aa3883eae6 winbindd: Retry on expired session in cm_connect_netlogon
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11670

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-13 00:26:16 +01:00
Christof Schmitt
276d604aa5 winbindd: Retry on expired session in cm_connect_sam
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11670

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-13 00:26:16 +01:00
Christof Schmitt
3b6b545642 winbindd: Retry on expired session in cm_connect_lsa
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11670

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-13 00:26:16 +01:00
Marc Muehlfeld
5f407e3fb8 Fix typo in winbindd_cm.c
Signed-off-by: Marc Muehlfeld <mmuehlfeld@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2015-12-23 03:31:09 +01:00
Anoop C S
736397ec49 winbindd: Fix CID 1273310 Remove structurally dead code
Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-09-09 18:33:07 +02:00
Richard Sharpe
57303c30b2 Change all uint32/16/8 to 32_t/16_t/8_t in winbindd.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-04-29 23:42:20 +02:00
Stefan Metzmacher
f126eeb2a1 s3:winbindd_cm: improve detection for the anonymous fallback.
If the kinit results in NT_STATUS_NO_LOGON_SERVERS, we should fallback,
if allowed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:43 +01:00
Stefan Metzmacher
8a2a5986b6 s3:winbindd: improve logic to use CLDAP for a given domain.
As an AC Domain Controller we should try CLDAP for active directory domains.
E.g. FreeIPA domains doesn't provide NBT at all...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Jan  5 19:23:40 CET 2015 on sn-devel-104
2015-01-05 19:23:39 +01:00
Stefan Metzmacher
c5e966d989 s3:winbindd: make use of cli_rpc_pipe_open_schannel_with_creds()
This way we pass down enough information for SEC_CHAN_DNS_DOMAIN to work.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
a601c087b0 s3:winbindd: make use of rpccli_{create,setup}_netlogon_creds_with_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
6f718ba172 s3:winbindd: we only need a an netlogon connection to a rwdc if we're a rodc ourself
If we're a member or RWDC there's no need to require talking to a rwdc,
an rodc will forward the request if required.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
29816c53b2 s3:winbindd: make sure we try to use NCACN_IP_TCP in cm_connect_netlogon
We need to call init_dc_connection_rpc() before we can decide if we want to try
NCACN_IP_TCP.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
064d40f4d3 s3:winbindd: try to use the trust account with kerberos if possible
This trust account is usable for SMB authentication via kerberos,
so we should try that if we think the domain is active directory.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-18 06:47:40 +01:00
Stefan Metzmacher
b9e4a8b869 s3:winbindd: fix anon fallback in cm_prepare_connection()
We should not crash with machine_password==NULL.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-18 06:47:40 +01:00
Stefan Metzmacher
b0e97793ab s3:winbindd: also try to fallback to anonymous if we get NT_STATUS_INVALID_ACCOUNT_NAME
Kerberos authentication may return NT_STATUS_INVALID_ACCOUNT_NAME (PRINCIPAL_UNKNOWN)

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-18 06:47:40 +01:00
Günther Deschner
a62cc2ce44 samba: pass down size_t instead of int to add_string_to_array().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Nov 17 19:53:22 CET 2014 on sn-devel-104
2014-11-17 19:53:22 +01:00
Stefan Metzmacher
71432b9eda s3:libsmb: Remove unused domain copy stored in cli_state
Change-Id: I7333140906bb3a487205b5760396dcc00a9f49b0
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
2b9d6d3d9b s3:libsmb: Remove unused password copy stored in cli_state
Change-Id: Ia6b33a25628ae08be8a8c6baeb71ce390315cb45
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
07bd866f59 s3-winbindd: use cli_rpc_pipe_open_with_creds()
Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
be994ca579 s3-winbindd: Use own machine account to connect to trusted domains as well
This relies on a two-way trust, which we may not have, but is the only
secure way to do this.  To do this correctly we need to split NETLOGON
from normal authentication, as we need to use the machine account for
the SMB level, but the inter-domain trust account for the NETLOGON
level.

Change-Id: Ib93eb6a4d704ef26df8234be7cb71c47ad519c8a

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Stefan Metzmacher
0392ebcd1d s3-winbindd: use a cli_credentials structure to hold the trust credentials
Later we can pass this down directly and have a much more sane
handling of credentials and the spnego handshake.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Change-Id: If12ef0b105d8c7af60190d4eed3c8c07849da2ca

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
ae72733874 s3-winbindd: Attempt to connect to NETLOGON over NCACN_IP_TCP if we can
This is very helpful in the trusted domain situation, as we may not
have a two-way trust but we can use our domain trust account to set up
a connection to NETLOGON

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct  8 12:48:15 CEST 2014 on sn-devel-104
2014-10-08 12:48:15 +02:00
Andrew Bartlett
6f97237edb s3-rpc_client: Migrate to cli_rpc_pipe_open_generic_auth and remove cli_rpc_pipe_open_spnego
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct  8 03:36:52 CEST 2014 on sn-devel-104
2014-10-08 03:36:52 +02:00
Andrew Bartlett
74dcde5347 s3-rpc_client: Adapt cli_rpc_pipe_open_spnego to use enum credentials_kerberos_state
This allows us to pass this value in directly from the cli_credentials
structure in winbindd.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-08 01:09:51 +02:00
Andrew Bartlett
14f6256c51 s3-winbindd: Allow winbindd to connect over SMB2 to servers
This allows SMB signing to work against many more DCs, and so improves network security.

The default for "client max protocol" remains NT1 in the rest of the code.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-08 01:09:51 +02:00
Andrew Bartlett
91d6f603b1 s3-winbindd: Pass the whole winbindd_domain to invalidate_cm_connection()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-08 01:09:50 +02:00
Andrew Bartlett
92ca4f52ae winbindd: Do not overwrite domain list with conflicting info from a trusted domain
This places less trust in our primary DC or trusted domain DC and refuses to update info that is conflicting

This does not currently reject the connection to the DC, but only ensures it can only update missing information or to correct the case of the domain.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Oct  6 17:21:03 CEST 2014 on sn-devel-104
2014-10-06 17:21:03 +02:00
Christof Schmitt
15840955cb windbindd: Make cm_connect_lsa_tcp static
It is only used in winbindd_cm.c

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Oct  4 02:34:49 CEST 2014 on sn-devel-104
2014-10-04 02:34:48 +02:00
Andrew Bartlett
e2cd325714 winbindd: Do not make anonymous connections by default
The requirement is that we have "winbind sealed pipes = false" and
"require strong key = false" before we make anonymous connections.
These are a security risk as we cannot prevent MITM attacks.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-30 12:32:05 +02:00
Andrew Bartlett
a59b00dc91 s3-winbindd: Require SMB signing by default to disrupt MITM attacks with our DC
This makes it much harder to impersonate the DC, but allows this to be
turned off or returned to IF_REQUIRED with a simple change to the
'client signing' smb.conf parameter.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Sep 28 06:25:55 CEST 2014 on sn-devel-104
2014-09-28 06:25:55 +02:00
Andrew Bartlett
a3ecad4237 idl: Merge NETR_TRUST and LSA_TRUST definitions into one set only in lsa.idl
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-27 01:35:36 +02:00
Jeremy Allison
92da0b243c s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs.
There are places in the code where we're not checking that alt_name is NULL
and then calling into the DC lookup code with a NULL name request. This can
happen in offline mode.

Fixes bug #10717 - Winbind crash on losing VPN connection

https://bugzilla.samba.org/show_bug.cgi?id=10717

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Sep 15 23:29:00 CEST 2014 on sn-devel-104
2014-09-15 23:29:00 +02:00
Andrew Bartlett
5602377fce set_dc_type_and_flags_trustinfo: Use init_dc_connection and wb_open_internal_pipe
This means we call this code, and mark trusted domains as active directory, when we are an AD DC.

Otherwise, in the previous case we would not have domain->active_directory set, and would fail on
connection_ok() due to not having a full connection to our internal DC

Change-Id: I7ccee569d69d6c5466334540db8920e57aafa991
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-01 00:36:42 +02:00
Andrew Bartlett
7a29173af8 winbindd: Add debugging to assist in locating errors creating NETLOGON pipes
Change-Id: If15483c37ed43267c6474ce8b5e9d96254745bca
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-09-01 00:36:42 +02:00
Andrew Bartlett
af7f88721a winbindd: Use a remote RPC server when we are an RODC when needed
This allows us to operate against the local cache where possible, but
to forward some operations to the read-write DC.

Andrew Bartlett

Change-Id: Idc78ae379a402969381758919fcede17568f094e
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Andrew Bartlett
2e961bf598 winbindd: Call set_dc_type_and_flags on the internal domain
This allows the AD DC to be picked up correctly and gives the correct DNS name.

To ensure no confusion, we also always init it with the full DNS name.

It also means that, aside from the BUILTIN domain the initialized
flag is set only in one place, which will help when we add more details
to the domain structure in the future.

This in turn allows kerberos authentication against winbindd on the AD DC.

Andrew Bartlett

Change-Id: Idc829cfe5f2e867c87107b49275b17f294821dcd
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Günther Deschner
a8c0de35f7 s3-kerberos: remove unused kdc_name from create_local_private_krb5_conf_for_domain().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Mar  7 18:43:57 CET 2014 on sn-devel-104
2014-03-07 18:43:57 +01:00
Garming Sam
5be5acb736 param: rename lp function and variable from "cli_minprotocol" to "client_min_protocol"
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-02-07 16:19:15 -08:00
Garming Sam
f548585051 param: rename lp function and variable from "cli_maxprotocol" to "client_max_protocol"
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-02-07 16:19:15 -08:00
Stefan Metzmacher
22e4e2c1d1 s3:winbindd: make use of rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:09 +01:00