IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Next commits will covert the winbindd_dual_pam_auth_crap() function to a
local RPC call handler receiving the challenge as a DATA_BLOB in the 'r'
struct.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The ADS_STRUCT is not allocated using talloc and there are many places
casting this pointer directly so use a typed pointer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The domain's private_data pointer is also used to store a ADS_STRUCT,
which is not allocated using talloc and there are many places casting
this pointer directly.
The recently added samba.tests.pam_winbind_setcred was randomly failing
and after debugging it the problem was that kerberos authentication was
failing because the time_offset passed to kerberos_return_pac() was
wrong. This time_offset was retrieved from ads->auth.time_offset, where
the ads pointer was directly casted from domain->private_data but
private_data was pointing to a winbind_internal_pipes struct.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Found by oss-fuzz:
../../source3/winbindd/winbindd_pam.c:2879:7: error: variable 'validation_level' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized]
if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../source3/winbindd/winbindd_pam.c:3003:6: note: uninitialized use occurs here
validation_level,
^~~~~~~~~~~~~~~~
../../source3/winbindd/winbindd_pam.c:2879:3: note: remove the 'if' if its condition is always false
if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../source3/winbindd/winbindd_pam.c:2879:7: error: variable 'validation_level' is used uninitialized whenever '||' condition is true [-Werror,-Wsometimes-uninitialized]
if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../source3/winbindd/winbindd_pam.c:3003:6: note: uninitialized use occurs here
validation_level,
^~~~~~~~~~~~~~~~
../../source3/winbindd/winbindd_pam.c:2879:7: note: remove the '||' if its condition is always false
if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../source3/winbindd/winbindd_pam.c:2853:27: note: initialize the variable 'validation_level' to silence this warning
uint16_t validation_level;
^
= 0
1 warning and 2 errors generated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15044
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 12 18:54:50 UTC 2022 on sn-devel-184
Later winbindd_dual_pam_auth() will be converted to a local RPC call
handler and the parent will call this function to fill the 'r' struct.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Later winbindd_dual_pam_auth() will be converted to a local RPC call
handler and it will not receive a winbindd_cli_state parameter. Avoid
passing this struct around.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Later winbindd_dual_pam_auth() will be converted to a local RPC call
handler and it will return a netr_Validation from the child. This
function will be moved to the parent to fill the winbindd_response
struct.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Map netr_SamInfo3 to netr_Validation in this function instead of doing
it in the caller.
Later winbindd_dual_pam_auth() will be converted to a local RPC
handler and it will return the netr_Validation in the 'r' struct.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Later winbindd_dual_pam_auth() will be converted to a local RPC
handler and it will not receive a winbindd_cli_state struct as parameter.
Avoid passing around this struct.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Later winbindd_dual_pam_auth() will be converted to a local RPC
handler and it will not receive a winbindd_cli_state struct as parameter.
Avoid passing around this struct.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Delay the assignment of the out varible and assign it only if
returning NT_STATUS_OK, the caller does not use the returned
netr_SamInfo3 if the function does not return NT_STATUS_OK.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This function allocates a lot of intermedite variables, use a temporary
memory context.
The out variable info3 is assigned using talloc_steal() because the
local my_info3 is used below.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Map netr_SamInfo6 to netr_Validation in winbindd_dual_pam_auth_kerberos()
instead of doing it in the caller.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Refactor winbindd_dual_pam_auth_kerberos() to do not take a
winbindd_cli_state struct as parameter but its members. The kerberos
ccache name is returned as an out parameter and the caller is
responsible for copying it in the winbindd_response struct.
Later winbindd_dual_pam_auth() will be converted to a local RPC call
handler and it will not receive a winbindd_cli_state as argument so
reduce passing this struct around.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Refactor the append_afs_token() function to do not take a
winbindd_response as a parameter but its members directly. The AFS token
is returned as an out parameter in a DATA_BLOB, and the caller is
responsible for setting it the extra_data winbindd_response field and
extending the winbindd_response length.
Later winbindd_dual_pam_auth() will be converted to a local RPC
call handler and the netr_Validation will be returned in the 'r' struct
from the child to the parent. The parent will then fill the
winbindd_response struct.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Refactor the append_unix_username() function to do not take a
winbindd_response struct as parameter but its members. The
unix username is returned as an out parameter and the caller is
responsible for setting it in the winbindd_response struct.
Later winbindd_dual_pam_auth() will be converted to a local RPC
call handler and the netr_Validation will be returned in the 'r' struct
from the child to the parent. The parent will then fill the
winbindd_response struct.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Refactor the check_info3_in_group() function to take a wbint_SidArray
struct. The sid strings stored in extra_data are parsed into a
wbint_SidArray in a separated function.
Later, winbindd_dual_pam_auth() will be converted to a local RPC
call handler and the wbint_SidArray containing the required membership
will be part of the 'r' struct.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The source3/winbindd/winbindd.c file does not belong to 'winbindd-lib'
subsystem. Funtions called from winbindd-lib must be part of it.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The source3/winbindd/winbindd.c file does not belong to 'winbindd-lib'
subsystem. Funtions called from winbindd-lib must be part of it.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The source3/winbindd/winbindd.c file does not belong to 'winbindd-lib'
subsystem. Funtions called from winbindd-lib must be part of it.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The source3/winbindd/winbindd.c file does not belong to 'winbindd-lib'
subsystem. Funtions called from winbindd-lib must be part of it.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The source3/winbindd/winbindd.c file does not belong to 'winbindd-lib'
subsystem. Funtions called from winbindd-lib must be part of it.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The source3/winbindd/winbindd.c file does not belong to 'winbindd-lib'
subsystem. Funtions called from winbindd-lib must be part of it.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The source3/winbindd/winbindd.c file does not belong to 'winbindd-lib'
subsystem. Funtions called from winbindd-lib must be part of it.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
There are no users of this function but the next commit will convert the
struct-based WINBINDD_PING call to a local RPC wbint_Ping() call.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
It avoids having to explicitly blacklist new DCE/RPC calls.
This is the current list of non cacheable calls:
NDR_WBINT_PING
NDR_WBINT_QUERYSEQUENCENUMBER
NDR_WBINT_ALLOCATEUID
NDR_WBINT_ALLOCATEGID
NDR_WBINT_CHECKMACHINEACCOUNT
NDR_WBINT_CHANGEMACHINEACCOUNT
NDR_WBINT_PINGDC
NDR_WBINT_LISTTRUSTEDDOMAINS
It includes the ListTrustedDomains call recently converted to a local
RPC call.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
mapped_state is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in authsam_check_password_internals()
This doesn't apply here. We should also handle wbinfo -a
authentication UPN names, e.g. administrator@DOMAIN,
even if the account belongs to the local sam.
With this change the behavior is consistent also locally on DCs and
also an RODC can handle these requests locally for cached accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15003
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
By using NDR we avoid manual marshalling (netr_DomainTrust array
to text string) and unmarshalling (parse the received text string
back to a netr_DomainTrust array).
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The 'list_all_domains' flag in a winbind request is only set by the
torture_winbind_struct_list_trustdom() test, in fact to check the flag
is ignored.
The WINBINDD_LIST_TRUSTDOM command received by winbind parent is handled
by winbindd_list_trusted_domains() which fills the response from the
cached domain list and does not handle the flag.
The WINBINDD_LIST_TRUSTDOM command sent from the parent to the domain
childs when the rescan timer expires do not set this flag, so this
commit removes the code handling it in the child.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This function will be converted to a local RPC call handler so move it
to the file including ndr_winbindd_scompat.c.
Updated debug message and use newer debug macros.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The principal name stored in the winbindd ccache entry might be an
enterprise principal name if enterprise principals are enabled. Use
the canonical name to renew the credentials.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Feb 23 16:17:29 UTC 2022 on sn-devel-184
They will be used later to refresh the tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
What we want to avoid:
$ ./bin/testparm -s | grep "idmap config"
idmap config * : rangesize = 10000
idmap config * : range = 10000-19999
idmap config * : backend = autorid
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
S-1-5-32-544 SID_ALIAS (4)
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
10000
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
If only one range is configured we are either not able to map users/groups
from our primary *and* the BUILTIN domain. We need at least two ranges to also
cover the BUILTIN domain!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
The commit 1d5c546 changed the debug message printed when setting
winbind to offline state and offline logons are disabled from
level 10 to level 0. This message isn't really an error and might
scare some users, e.g. https://bugzilla.suse.com/show_bug.cgi?id=1195573
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 9 20:20:36 UTC 2022 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This makes it clear that our internal representation of a rpc client
connection in the source3/ server is struct dcerpc_ncacn_conn and that
struct pipes_struct is only around for API compatibility with the
existing server stubs.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
ncacn_conn was created by make_internal_ncacn_conn with talloc_zero(),
and that does not set session_info for the purely one-shot connection
state in winbindd_dual_ndrcmd().
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Also available via dcesrv_connection_get_remote_address(p->dce_call->conn)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Also available via dcesrv_connection_get_local_address(p->dce_call->conn)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
