1
0
mirror of https://github.com/samba-team/samba.git synced 2025-03-15 02:50:27 +03:00

2557 Commits

Author SHA1 Message Date
Volker Lendecke
c8e325c765 winbindd: Remove an obsolete comment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Sep 17 23:35:51 CEST 2017 on sn-devel-144
2017-09-17 23:35:51 +02:00
Volker Lendecke
b62bba83ba cli_netlogon: Eliminate rpccli_setup_netlogon_creds_with_creds
Inlining the code from rpccli_setup_netlogon_creds

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:17 +02:00
Volker Lendecke
7a3d1b5a6f cli_netlogon: Rename rpccli_create_netlogon_creds_with_creds
This creates a context with access to a credentials, not credentials

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:17 +02:00
Volker Lendecke
cc639765ff winbind: Rename winbindd_cm_conn->netlogon_creds to _ctx
We have too many variables called _creds :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Aug 30 22:44:45 CEST 2017 on sn-devel-144
2017-08-30 22:44:45 +02:00
Volker Lendecke
ef3b31ab09 winbind: Fix a signed/unsigned hickup
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-08-30 18:56:13 +02:00
Stefan Metzmacher
ccc8c1a45d winbindd: give an IRPC error if wb_irpc_SamLogon() is called without useful routing information
The caller should have checked this already!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:04 +02:00
Stefan Metzmacher
615b0d83d0 winbindd: as DC we should try to get the target_domain from @SOMETHING part of the username in wb_irpc_SamLogon()
We still need a full routing table including all upn suffixes,
but this is a start to support NTLM authentication using user@REALM
against structed domains.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:04 +02:00
Stefan Metzmacher
0ed6ad45ad winbindd: Print debug if we don't know how to route a wb_irpc_SamLogon() request
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:04 +02:00
Stefan Metzmacher
039ad5c9ad winbindd: allow all possible logon levels in wb_irpc_SamLogon()
We should just try to find the correct domain to forward the
request, all logic of not implementing serveral logon levels
belongs to the _winbind_SamLogon() implementation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Volker Lendecke
2b67d936c1 winbindd: Simplify an if-condition
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Aug  7 09:32:09 CEST 2017 on sn-devel-144
2017-08-07 09:32:09 +02:00
Volker Lendecke
e5b0669625 winbindd: Add debug for ndr cache hit
When looking through winbind debug logs, it's highly confusing if you don't
find a call in the child that's supposed to handle it. Add a debug if the call
was handled from the cache without calling into the child.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2017-08-07 05:35:13 +02:00
Volker Lendecke
ed3b4661fd winbindd: Make wcache_query_user static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2017-08-07 05:35:13 +02:00
Ralph Wuerthner
3a2a9d8d3f idmap: remove unused function idmap_is_online()
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Aug  4 14:08:37 CEST 2017 on sn-devel-144
2017-08-04 14:08:37 +02:00
Volker Lendecke
a70ab5f020 winbindd: Simplify two debug msgs
With DBG_DEBUG we get the function name automatically, DEBUGADD is also
not necessary here

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Aug  1 11:45:34 CEST 2017 on sn-devel-144
2017-08-01 11:45:34 +02:00
Volker Lendecke
69187d92e5 winbindd: Simplify wcache_cached_creds_exist
No need to fetch, use tdb_exists

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:22 +02:00
Volker Lendecke
9be8fc2c0a winbindd: Make wcache_lookup_usergroups static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:22 +02:00
Volker Lendecke
7736e592ff winbindd: Fix indentation
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:22 +02:00
Volker Lendecke
604f1cede6 winbindd: Make init_wcache static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:21 +02:00
Volker Lendecke
91d4151bdf winbindd: Make wcache_lookup_useraliases static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:21 +02:00
Volker Lendecke
8f0bd85cfa winbindd: Make wcache_name_to_sid static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:21 +02:00
Volker Lendecke
d8f85c0f33 winbindd: Make wcache_lookup_groupmem static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:21 +02:00
Volker Lendecke
bbdfb51296 winbindd: Make wcache_flush_cache static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:21 +02:00
Volker Lendecke
0f65bb7c5c winbindd: Fix a few signed/unsigned hickups
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
2017-08-01 07:53:21 +02:00
Jeremy Allison
dbd3293246 s3: clients: Use netlogon_creds_cli_close_global_db() in all normal exit paths.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-07-26 21:35:22 +02:00
Uri Simchoni
5c1e2f564b winbindd: avoid refreshing sequence number when domain is offline
When there's no connectivity to the domain, avoid attempt to
refresh sequence number. Before the change, this was avoided
only if winbind offline logon was enabled. However, being
able to operate based on cached data is desired even when
offline logons are disabled (offline logons are about caching
credentials for PAM authentication, a user may not want this
and still want service from the SMB server during short
AD disconnects).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-21 19:11:13 +02:00
Uri Simchoni
c819c7d58f winbindd: queryuser - only get group name if needed
When calculating the user entry for a user, the
primary group id *name* might be needed if it is
part of a home dir / shell template (%g or %G).

Only resolve primary group SID to primary group name
if it is needed, thereby saving a round-trip to the DC
(and better handling situations where it is disconnected).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-21 19:11:13 +02:00
Uri Simchoni
e3a151e247 winbindd: cache name-to-sid from PAC based on lookup domain
The name-to-sid lookup for trusted domains is not necessarily
done against the domain - in AD member case it is done
against the primary domain. Therefore the caching should also
be done against the lookup domain.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-07-21 19:11:13 +02:00
Dustin L. Howett via samba-technical
fe7020b0d1 idmap_ad: Retry query_user exactly once if we get TLDAP_SERVER_DOWN
All other ldap-querying methods in idmap_ad make a single retry attempt if they get
TLDAP_SERVER_DOWN. This patch brings idmap_ad_query_user in line with that design.

This fixes the symptom described in 12720 at the cost of an additional reconnect per
failed lookup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12720

Signed-off-by: Dustin L. Howett <dustin@howett.net>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-07-12 09:01:17 +02:00
Andreas Schneider
4eef11e0a0 s3:winbind: Move debug statement into the error handling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-06-28 22:18:16 +02:00
Stefan Metzmacher
1421abfc73 s3:trusts_util: pass dcname to trust_pw_change()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:45 +02:00
Richard Sharpe
03042b85c8 Bug 15852. There are valid paths where conn->lsa_pipe_tcp->transport is NULL. Protect against this.
Based on a suggestion from Metze.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12852

Signed-off-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 22 23:16:46 CEST 2017 on sn-devel-144
2017-06-22 23:16:46 +02:00
Stefan Metzmacher
8c4cef218a s3:libsmb: no longer pass remote_realm to cli_state_create()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-22 13:07:40 +02:00
Andreas Schneider
8a2bbba5cd s3:winbind: Fix 'winbind normalize names' in wb_getpwsid()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-06-20 23:04:34 +02:00
Stefan Metzmacher
9b28f3af87 s3:winbindd: Send flags=0 in netr_LogonSamLogon{WithFlags,Ex}()
These extra flags are an [in,out] argument, so we have to initialize
them to 0. If we pass NETLOGON_SAMLOGON_FLAG_PASS_TO_FOREST_ROOT
or NETLOGON_SAMLOGON_FLAG_PASS_CROSS_FOREST_HOP, a Windows Server
will just return NT_STATUS_NO_SUCH_USER with authoritative=1
(at least if it is itself a DC of the forest root and the requested
 domain is the local domain of the DC).

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
2017-06-09 13:00:12 +02:00
Garming Sam
fd29e28d52 netlogon: Implement SendToSam along with its winbind forwarding
This allows you to forward bad password count resets to 0. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).

(further patches still need to address forcing a RWDC contact)

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
2368f57b4d winbindd: Do not run SAM auth stack in winbind SamLogon
pdbtest.s4winbind no longer is applicable without a live NETLOGON
connection.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
deec2af7d2 libads: Decide to have no fallback option
Before this change, it would always possibly choose another server at
random despite later using the original principal when it got back to
the connection initialization in the the winbind connection manager.
This caused bizarre authentication failures.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
52a37c697a winbindd_cm: Pass cm_open_connection the need_rw_dc flag
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
ac847898c8 winbindd_cm: Call dcip_check_name even when fetching from cache
This is so that we can ensure that the DC is RWDC if required.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
9d8a373523 winbindd_cm: Rename dcip_to_name to the more accurate dcip_check_name
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
2ff09f6df0 winbindd_cm: Add new parameter to getdc and find_new_dc calls
This is to enforce the requirements on the remote DC.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
bbf2414927 winbindd_cm: Add new parameter for dcip_to_name
This is used to check the appropriateness of the DC given.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Volker Lendecke
d02d4b5bc1 winbindd: Give winbindd_ads.c its own header
Not necessary to compile all of winbind when playing with ads.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-05-17 01:47:17 +02:00
Andreas Schneider
9bbb6c020e s3:winbind: Use a talloc stackframe for rpc_query_user_list
CID #1401581

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-05-16 12:38:20 +02:00
Günther Deschner
3c96b18be3 s3-winbindd: remove some dead prototypes
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-05-10 15:53:20 +02:00
Volker Lendecke
803ea2d2b7 idmap_rfc2307: "ldap_next_entry" needs the previous entry, not the start
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12757

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2017-05-08 21:08:23 +02:00
Volker Lendecke
c0f12170e8 idmap_rfc2307: Don't stop after 30 entries
We start over again and again, so we need to search in the whole list.
This is a quick hack generating a bad O(n^2). The real fix is to
call idmap_rfc2307_find_map with "maps" starting at the right offset,
but that's an optimization for later when it's restructured

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12757

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2017-05-08 21:08:23 +02:00
Volker Lendecke
17563f295f idmap_rfc2307: "ldap_next_entry" needs the previous entry, not the start
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12757

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2017-05-08 21:08:23 +02:00
Volker Lendecke
54a0e7e3d7 idmap_rfc2307: Don't stop after 30 entries
We start over again and again, so we need to search in the whole list.
This is a quick hack generating a bad O(n^2). The real fix is to
call idmap_rfc2307_find_map with "maps" starting at the right offset,
but that's an optimization for later when it's restructured

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12757

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2017-05-08 21:08:23 +02:00
Christian Ambach
9f5dbdec75 s3:winbindd:idmap_autorid remove a stray comment
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed May  3 03:35:34 CEST 2017 on sn-devel-144
2017-05-03 03:35:34 +02:00