1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-25 06:04:04 +03:00

383 Commits

Author SHA1 Message Date
Volker Lendecke
812312ca17 libcli: Call dbwrap_local_open with the correct tdb flags
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:19 +02:00
Volker Lendecke
807cb593ec libcli: Call dbwrap_local_open with the correct hash size
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:19 +02:00
Volker Lendecke
ca6efa96f7 libcli: Call dbwrap_local_open with the correct tdb_flags
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:18 +02:00
Volker Lendecke
f092ee2a5f libcli: Call dbwrap_local_open with the correct hash size
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-24 01:53:18 +02:00
Volker Lendecke
a104e08171 lib: Make g_lock_unlock use TDB_DATA
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-08 10:01:50 +01:00
Volker Lendecke
3bc87a20e9 lib: Make g_lock_lock_send use TDB_DATA
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-08 10:01:50 +01:00
Volker Lendecke
32e823e08d netlogon_creds_cli: Pass "capabilities" up from creds_cli_check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:13 +02:00
Volker Lendecke
4d19f8b4b9 netlogon_creds_cli: Protect netlogon_creds_cli_auth by _lck
This widens the lock range to cover the check for established
credentials. Before this patch it could happen that more than one
winbind finds no credentials and does the auth3. This can pile up.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:13 +02:00
Volker Lendecke
f6e39450f5 netlogon_creds_cli: Protect netlogon_creds_cli_check by _lck
netlogon_creds_cli_lck provides the locking around the operation

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
d61545a5b3 netlogon_creds_cli: Add netlogon_creds_cli_delete_lck
Like netlogon_creds_cli_delete, protected by netlogon_creds_cli_lck
instead of netlogon_creds_cli_lock.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
3e72a12daf netlogon_creds_cli: Add netlogon_creds_cli_lck
This adds an external locking scheme to protect our
netlogon_creds_CredentialState. This is needed because the routines
exposed by netlogon_creds_cli.h need a more flexible locking to
set up our credentials in a properly protected way.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
4b97de8adb rpc_client3: Avoid "cli_credentials" in cli_rpc_pipe_open_schannel_with_creds
This provides cleaner data dependencies. A netlogon_creds_ctx contains
everything required to open an schannel, there is no good reason to
require cli_credentials here.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
6f879b780a netlogon_creds_cli: Create cli_credentials from netlogon creds ctx
A netlogon_creds_cli_context holds all information required to do an
schannel bind. Used in the next commit.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
dac48cf2b9 netlogon_creds_cli: Factor out netlogon_creds_cli_delete_internal
In a future commit we'll need a version that does not check for
context->db.locked_state

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
c0e28638fa netlogon_creds_cli: Factor out netlogon_creds_cli_store_internal
In a future commit we'll need a version that does not check for
context->db.locked_state

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
62e655568e netlogon_creds_cli: Print netlogon_creds_CredentialState
Add some debugging for the tdb records

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
0463527e4e netlogon_creds_cli: Simplify netlogon_creds_cli_get
netlogon_creds_cli_get_internal almost does everything needed, only
the invalidating for credential chain use is missing.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
71fb0a89b4 netlogon_creds_cli: Rename netlogon_creds_cli_lock_fetch->get_internal
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
c377c915d6 netlogon_creds_cli: Transfer a comment
This part of from netlogon_creds_cli_get will go

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
b750a6dbb5 netlogon_creds_cli: Remove tevent_req handling from netlogon_creds_cli_lock_fetch
Disentangle concerns, make netlogon_creds_cli_lock_fetch usable for
other callers

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
b92b10d7c3 netlogon_creds_cli: Remove unused code
According to metze this was meant for test code that never materialized

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
fa53617542 netlogon_creds_cli: Simplify netlogon_creds_cli_delete
Don't implicitly TALLOC_FREE(creds) in the pure delete routine

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
154b28b686 netlogon_creds_cli: Simplify netlogon_creds_cli_store
Don't implicitly TALLOC_FREE(creds) in the pure store routine. This
mixes up responsibilities, and there's not enough callers to justify
the TALLOC_FREE to be centralized.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
8636496531 netlogon_creds_cli: Simplify netlogon_creds_cli_context_global
netlogon_creds_cli_open_global_db() already contains the NULL check. Use that.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:11 +02:00
Volker Lendecke
954167a001 netlogon_creds_cli: Fix talloc_stackframe leaks
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:11 +02:00
Volker Lendecke
602ec8884b libcli: Apply some const
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:18 +02:00
Volker Lendecke
6222cd71ee netlogon_creds_cli: Use data_blob_cmp in netlogon_creds_cli_validate
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:18 +02:00
Volker Lendecke
6344570a30 netlogon_creds_cli: Simplify netlogon_creds_cli_context_global
(require_sign_or_seal == false) looks odd :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:18 +02:00
Volker Lendecke
7f09c0865e netlogon_creds_cli: Simplify netlogon_creds_cli_context_common
IMHO a full talloc_stackframe is overkill for the one allocation that is left
here.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:17 +02:00
Volker Lendecke
f08a04c184 netlogon_creds_cli: Simplify netlogon_creds_cli_context_common
printf knows to only print part of a string. No need to talloc_strdup.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:17 +02:00
Volker Lendecke
1de1fd8653 netlogon_creds_cli: A netlogon_creds_cli_context needs a msg_ctx
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:17 +02:00
Volker Lendecke
47557ac9b1 netlogon_creds_cli: Remove an obsolete comment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:17 +02:00
Volker Lendecke
3101ac93e2 netlogon_creds_cli: Avoid a static const struct
Same number of .text bytes, but simpler code.

Yes, this is {{0}} instead of {0}, which I always promote. I've just read a
comment on stackoverflow (which I've unfortunately just closed the tab for :-()
that {{0}} might actually be the correct way to init a struct to zero if the
first struct element is again a struct. I'm lost. 25 years of C coding and I
have no clue of the language :-(

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:17 +02:00
Volker Lendecke
849e63ff68 netlogon_creds_cli: Pass "server_dns_domain" through netlogon_creds_cli_context_global
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:17 +02:00
Volker Lendecke
2968bfdd1a netlogon_creds_cli: Add "dns_domain" to netlogon_creds_cli_context
Used later for creating schannel cli_credentials

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:17 +02:00
Volker Lendecke
8ab6e51def lib: Fix an error path memleak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 31 13:49:02 CEST 2017 on sn-devel-144
2017-07-31 13:49:01 +02:00
Volker Lendecke
9607b66a93 lib: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-07-31 10:03:27 +02:00
Jeremy Allison
e74081ce5d lib: auth: Store the netlogon_creds_cli_global_db pointer on the NULL context.
Now we shutdown correctly it doesn't need the talloc_autofree_context().

Last use of talloc_autofree_context() ourside the talloc test code !

Please don't add it ever again :-).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 27 01:34:12 CEST 2017 on sn-devel-144
2017-07-27 01:34:12 +02:00
Jeremy Allison
4cc104d015 lib: auth: Add a shutdown function for netlogon_creds_cli_global_db.
Will allow us to move off the talloc_autofree_context().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-07-26 21:35:22 +02:00
Jeremy Allison
5c8a98c2da lib: cli: fname is a local variable already freed in the function scope, doesn't need to be on talloc_autofree_context()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-07-26 21:35:22 +02:00
Andrew Bartlett
00db3aba6c param: Add new "disabled" value to "ntlm auth" to disable NTLM totally
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Andrew Bartlett
d139d77ae3 auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth ='
The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>:

Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.

Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.

Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Stefan Metzmacher
0f5945a06d libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:46 +02:00
Stefan Metzmacher
1b48c8515e libcli/auth: add const to set_pw_in_buffer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:46 +02:00
Stefan Metzmacher
ddd7ac68cc libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
This way the caller can pass more than 2 hashes and can only
know which hash was used for a successful connection.

We allow up to 4 hashes (next, current, old, older).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:45 +02:00
Garming Sam
fd29e28d52 netlogon: Implement SendToSam along with its winbind forwarding
This allows you to forward bad password count resets to 0. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).

(further patches still need to address forcing a RWDC contact)

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
8ae968193b netlogon_creds_cli: Do not corrupt authenticator state on application level errors
If the NETLOGON response was an error e.g. NT_STATUS_NOT_IMPLEMENTED, any subsequent
calls failed with NT_STATUS_ACCESS_DENIED. This is likely to be the cause of RODC DNS
updates falling off and never continuing.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Stefan Metzmacher
abe427775e libcli/auth: add netlogon_creds_cli_debug_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-21 16:09:21 +01:00
Stefan Metzmacher
8a209e5a0c libcli/auth: check E_md4hash() result in netlogon_creds_cli_ServerPasswordSet_send()
We need to make sure we can convert the given string to an nthash.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-21 16:09:21 +01:00
Stefan Metzmacher
0ed2a65593 libcli/auth: use the correct creds value against servers without LogonSamLogonEx
If we use the credential chain we need to use the value from
netlogon_creds_client_authenticator() to make sure we have the current
value to encrypt in logon info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12586

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-02-21 16:09:21 +01:00