1
0
mirror of https://github.com/samba-team/samba.git synced 2025-03-16 06:50:24 +03:00

2249 Commits

Author SHA1 Message Date
Andreas Schneider
b55e69db07 s3-winbind: Do not return NO_MEMORY if we have an empty user list
The domain child for the MACHINE ACCOUNT might fail with
NT_STATUS_NO_MEMORY because an emtpy user list is returned.

*pnum_info is already set to 0 at the beginngin so we should just
declare victory here!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12405

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

(cherry picked from commit e714dc03e0ccf9ec17da6bacc1bcfcaea7518e22)

Autobuild-User(v4-4-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-4-test): Fri Nov  4 15:18:16 CET 2016 on sn-devel-144
2017-01-02 11:56:51 +01:00
Noel Power
0fcbce8aa7 s3/winbindd: using default domain with user@domain.com format fails
For example for samba client joined to a windows AD DC the following
commands fail if 'winbind use default domain = yes'
   getent passwd user@domain.com
   ssh -o user=user@domain.com localhost

The same commands succeed if the setting above has the default 'no' value

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12298

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Oct  3 23:37:44 CEST 2016 on sn-devel-144

(cherry picked from commit 7c786f89820dc1f8e2a7e8da1b80042dd69b7188)
2016-10-24 10:56:12 +02:00
Jeremy Allison
a60c9cef3d s3: winbind: Remove dump_event_list() calls.
If needed we can add this into actual tevent.

Preparing to remove source3/lib/events.c

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12283
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 72785309aa2d1bed7abc6dd7c6475ff0f78411da)
2016-10-24 10:56:11 +02:00
Jeremy Allison
257644f688 s3: winbind: Ensure we store name2sid with the correct cache sequence number.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
(cherry picked from commit 9f6fe5e2c54870abfff48c8a9d96e21bfec2425f)
2016-10-24 10:56:11 +02:00
Jeremy Allison
47ab4a0459 s3: winbind: Trust name2sid mappings from the PAC.
Don't refresh sequence number in parent as the
mapping comes from a trusted DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 1017b22f68e798a080e0738d3beecf008b2284ef)
2016-10-24 10:56:11 +02:00
Jeremy Allison
1d28a24787 s3: winbind: refresh_sequence_number is only ever called with 'false'.
Remove redundant parameter.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 32ae6721cf02412af3c5a82d5da4806f4d931bcd)
2016-10-24 10:56:11 +02:00
Jeremy Allison
2dfbdc5896 s3: winbind: Make WBC_AUTH_USER_LEVEL_PAC prime the name2sid cache.
In addition to priming the netsamlogon cache.

This prevents a winbind AD-DC lookup for something
the PAC already told us.

Note we only do this in the case where the PAC successfully
passed signature verification.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit cf0f28819e771d433af00b3532011de70112b1f8)
2016-10-24 10:56:11 +02:00
Michael Adam
e0deeddc94 idmap: centrally check that unix IDs returned by the idmap backends are in range
Note: in the long run, it might be good to move this kind of
exit check (before handing the result back to the client)
to the parent winbindd code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12155

Signed-off-by: Michael Adam <obnox@samba.org>

(Backported from master commit b2bf61307cffd8ff7b6fb9852c107ab763653119.)
2016-09-13 12:27:28 +02:00
Michael Adam
9a320f60cf idmap: don't generally forbid id==0 from idmap_unix_id_is_in_range()
If the range allows it, then id==0 should not be forbidden.
This seems to have been taken in from idmap_ldap when the
function was originally created.

See 634cd2e0451d4388c3e3f78239495cf595368b15 .
The other backends don't seem to have had that
extra check for id == 0.

The reasoning for this change is that the range check should
apply to all cases. If the range includes the 0, then it
should be possible to get it as result. In particular,
this way, the function becomes applicable also to the
passdb backend case, e.g. in a samba4-ad-dc setup where
the Admin gets uid == 0.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12155

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit c21976d4b1c604699299f2c0f768c1add93b349d)
2016-09-13 12:27:28 +02:00
Ralph Boehme
d5af3f3b65 winbindd: in wb_lookupsids return domain name if we have it
When doing a SID to xid mapping for an unknown SID, the idmap child gets
passed a lsa_RefDomainList with an empty domain name (ie ""). This is
coming from LsaLookupSids() and causes the mapping request to end up in
the default idmap domain.

Example request with domain name "":

  wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
     in: struct wbint_Sids2UnixIDs
         domains                  : *
             domains: struct lsa_RefDomainList
                 count                    : 0x00000001 (1)
                 domains                  : *
                     domains: ARRAY(1)
                         domains: struct lsa_DomainInfo
                             name: struct lsa_StringLarge
                                 length                   : 0x0000 (0)
                                 size                     : 0x0002 (2)
                                 string                   : *
                                     string                   : ''
                             sid                      : *
                                 sid                      : S-1-5-21-3152989960-574718769-2188965058
                 max_size                 : 0x00000020 (32)
         ids                      : *
             ids: struct wbint_TransIDArray
                 num_ids                  : 0x00000001 (1)
                 ids: ARRAY(1)
                     ids: struct wbint_TransID
                         type                     : ID_TYPE_NOT_SPECIFIED (0)
                         domain_index             : 0x00000000 (0)
                         rid                      : 0x000029aa (66666)
                         xid: struct unixid
                             id                       : 0xffffffff (4294967295)
                             type                     : ID_TYPE_NOT_SPECIFIED (0)

In _wbint_Sids2UnixIDs() we call idmap_find_domain_with_sid() with the
domain name "" and this triggers use of the default idmap domain which
in case of idmap_autorid will allocate an id from a idmap_autorid range.

If we know the domain, ensure we return it for SIDs were the SID was not
found but the domain of the SID was found. Callers like sids2xids depend
on the domain name and returning an empty string "" for valid domain can
trigger unwanted idmap range allocations.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 9be918116e356c358ef77cc2933e471090088293)
2016-08-04 11:10:19 +02:00
Ralph Boehme
01632a8ffc winbindd/idmap_rfc2307: fix a crash
map->map is NULL if lookupsid failed.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5e346af078847512e86755a4634583a8a5178c0e)
2016-08-04 11:10:19 +02:00
Andreas Schneider
a2353bebe7 s3-winbind: Fix memory leak with each cached credential login
When we allow offline logon and have a lot of logins, windbind will leak
4k of memory which each log in. On systems with heavy load this can grow
quickly and the OOM killer will kill Winbind.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11999

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 29 19:03:53 CEST 2016 on sn-devel-144

(cherry picked from commit 826f61960ec74deedc9d556a3b8fe04d9178dcd8)

Autobuild-User(v4-4-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-4-test): Mon Jul  4 13:04:53 CEST 2016 on sn-devel-144
2016-07-04 13:04:53 +02:00
Volker Lendecke
26f5b40d94 winbind: Fix CID 1357100 Unchecked return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Mar 22 15:49:14 CET 2016 on sn-devel-144

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
2016-04-18 12:58:20 +02:00
Michael Adam
fb0c85b52c idmap_hash: only allow the hash module for default idmap config.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

This module only makes sense as the default idmap config
("idmap config * : backend = hash" ...)

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-04-18 12:58:20 +02:00
Michael Adam
dab38c3bef idmap_hash: rename be_init() --> idmap_hash_initialize()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-04-18 12:58:20 +02:00
Günther Deschner
8bd67a1ef2 s3:winbindd:idmap: check loadparm in domain_has_idmap_config() helper as well.
Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-04-18 12:58:20 +02:00
Günther Deschner
87fcc70eea s3:winbindd:idmap_hash: skip domains that already have their own idmap configuration.
Check if the domain from the list is not already configured to use another idmap
backend. Not checking this makes the idmap_hash module map IDs for *all* domains
implicitly. This is quite dangeorous in multi-idmap-config setups.

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-04-18 12:58:20 +02:00
Michael Adam
9d56304e32 s3:winbindd:idmap: add domain_has_idmap_config() helper function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-04-18 12:58:20 +02:00
Stefan Metzmacher
1309832f6a CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-03-30 04:38:31 +02:00
Stefan Metzmacher
f1dea29889 CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-03-30 04:38:30 +02:00
Stefan Metzmacher
fc3582bfde CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
We don't need to change the protocol version because:

1. An old client may provide the "initial_blob"
   (which was and is still ignored when going
   via the wbcCredentialCache() function)
   and the new winbindd won't use new_spnego.

2. A new client will just get a zero byte
   from an old winbindd. As it uses talloc_zero() to
   create struct winbindd_response.

3. Changing the version number would introduce problems
   with backports to older Samba versions.

New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-29 14:45:07 +02:00
Stefan Metzmacher
b57c0e73ad winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 716e78f3b294210130f3cf253f496391534819b0)
2016-03-29 14:44:24 +02:00
Stefan Metzmacher
6ed79425d8 winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
We should avoid using NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 871e8a9fd029bbcbccb79bd17f9c6a2617b8be55)
2016-03-29 14:44:23 +02:00
Stefan Metzmacher
a44025b9a4 s3:winbindd: don't unclude two '\0' at the end of the domain list
This avoids a scary "trustdom_list_done: Got invalid trustdom response" message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit bb387c5b90e19b5a2f7d65fb8db816e9da51d090)
2016-03-15 20:29:33 +01:00
Uri Simchoni
2335e6fa8f winbindd: return trust parameters when listing trusts
When asking a child domain process to list trusts on that domain,
return (along with trust domain names and SID) the trust properties -
flags, type, and attributes.

Use those attributes to initialize domain object.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Feb 23 22:02:16 CET 2016 on sn-devel-144

(cherry picked from commit 7b4dfd939f417c7d8c4c2c1e8c77f4af9bcd28d7)
2016-03-04 11:40:11 +01:00
Uri Simchoni
46c12895fb winbindd: initialize foreign domain as AD based on trust
Based on trust parameters, initialize the active_directory
member of domain object to true.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit d0aa5d057497022aeefffa9882d3ac2b7e18a682)
2016-03-04 11:40:11 +01:00
Uri Simchoni
f9aef97053 winbindd: introduce add_trusted_domain_from_tdc()
This is purely a refactoring patch -
Add a routine that adds a winbindd domain object based on
domain trust cache entry. add_trusted_domain() becomes
a wrapper for this new routine.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit c65841a3bd737b61251603a916a315043703c832)
2016-03-04 11:40:11 +01:00
Michael Adam
c4536f8cb4 dlist: remove unneeded type argument from DLIST_ADD_END()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 476672b647e44898a6de8894b23e598ad13b1fcf)
2016-03-04 11:40:10 +01:00
Volker Lendecke
5e1a84c43e winbind: Properly error check init_lsa_ref_domain_list
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-01-13 07:48:30 +01:00
Volker Lendecke
5a2c305643 idmap: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-01-13 07:48:30 +01:00
Christof Schmitt
6f3656c47d Revert "winbind: Retry after SESSION_EXPIRED error in ping-dc"
This reverts commit a2670f15dea27c10e3827216adf572f9c3894f85.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11670

cm_connect_netlogon now handles the retry for an expired session.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 13 03:35:57 CET 2016 on sn-devel-144
2016-01-13 03:35:57 +01:00
Christof Schmitt
aa3883eae6 winbindd: Retry on expired session in cm_connect_netlogon
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11670

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-13 00:26:16 +01:00
Christof Schmitt
276d604aa5 winbindd: Retry on expired session in cm_connect_sam
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11670

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-13 00:26:16 +01:00
Christof Schmitt
3b6b545642 winbindd: Retry on expired session in cm_connect_lsa
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11670

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-13 00:26:16 +01:00
Christof Schmitt
4c6804e414 winbindd: Remove double retry from some ADS methods
The retry through the new reconnect_ads layer is enough. This structure
also makes the distinction between retry layer and actual methods call a
bit clearer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11670

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-13 00:26:16 +01:00
Christof Schmitt
e4adf55e24 winbindd: Add retry also for ADS method calls
RPC calls can return IO_DEVICE_ERROR on expired SMB2 sessions. Retrying
on a new connection avoids surfacing this error to winbindd clients.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11670

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-13 00:26:16 +01:00
Christof Schmitt
fb5b0cec3c winbindd: Reset connection for expired session before reconnecting
A RPC call on a expired SMB2 session returns IO_DEVICE_ERROR. In this
case, reset the connection before issuing the same call
again.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11670

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-13 00:26:16 +01:00
Marc Muehlfeld
5f407e3fb8 Fix typo in winbindd_cm.c
Signed-off-by: Marc Muehlfeld <mmuehlfeld@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2015-12-23 03:31:09 +01:00
Christof Schmitt
7cd99b4207 idmap_rfc2307: Fix handling of cn realm
When cn_realm was set, the idmap_rfc2307 module tried to determine the
realm from the AD connection struct. In case of referring to a different
domain using the ldap_domain config option, the wrong realm was used.

Since the LDAP-server case already requires having the realm in the
config, extend that to the AD case to fix the issue: Having LDAP records
with @realm in the cn, now always requires having the realm in the
config.

Now cn_realm and ldap_realm always would have to be specified together,
so replace the two options with a single "realm" option.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-12-14 12:37:08 +01:00
Volker Lendecke
7e9aaecec5 winbind: Don't crash on invalid idmap configs
We should not leave NULL in idmap_domains[]. This will lead to NULL
ptr deferences in idmap_find_domain().

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11612
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Nov 19 20:16:44 CET 2015 on sn-devel-104
2015-11-19 20:16:44 +01:00
Mathieu Parent
c315fce17e Fix various spelling errors
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov  6 13:43:45 CET 2015 on sn-devel-104
2015-11-06 13:43:45 +01:00
Noel Power
e8fab02773 s3: winbind: Prevent null ptr access by returning error if no creds available
Prevent rpccli_netlogon_network_logon/rpccli_netlogon_password_logon
being called with 'NULL' credentials

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11569

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-11-04 22:15:24 +01:00
Volker Lendecke
ad924ab859 winbindd: Remove reference to procid_self()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2015-10-19 12:09:10 +02:00
Volker Lendecke
258ce91f31 lib: Move sys_rw* to lib/util
genrand.c will require it soon

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-10-13 01:23:07 +02:00
Richard Sharpe
b95b2be845 A small improvement to the DEBUG message when pass-through authentication
fails with ACCESS_DENIED. Increased it to log level 1 so it will print out
and pointed to Restrict NTLM as the setting so people know what to look for.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Richard Sharpe <sharpe@samba.org>
Autobuild-Date(master): Sun Oct 11 06:28:05 CEST 2015 on sn-devel-104
2015-10-11 06:28:05 +02:00
Christof Schmitt
96c48b3c06 s3: Move call to prctl_set_comment to reinit_after_fork
This save a few lines of code.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-09-24 08:00:16 +02:00
Anoop C S
736397ec49 winbindd: Fix CID 1273310 Remove structurally dead code
Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-09-09 18:33:07 +02:00
Jeremy Allison
0fb8ea7652 winbind: Don't delete an existing krb5 ticket on cached logon.
Cached logon doesn't mean the ticket is bad, wait until we go
online again to determine that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11198

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep  4 01:35:16 CEST 2015 on sn-devel-104
2015-09-04 01:35:16 +02:00
Volker Lendecke
617bc3fe61 winbind: Remove "have_idmap_config" from winbindd_domain
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Aug 24 19:19:31 CEST 2015 on sn-devel-104
2015-08-24 19:19:31 +02:00
Volker Lendecke
b62c7e26b4 winbind: Do not look for the domain in wb_gid2sid
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464
2015-08-24 16:16:12 +02:00