path: root/source3/winbindd
Commit log (each entry: commit message, then author, date, files changed and lines removed/added):

* s3:winbindd: make use of talloc_string_sub2() in generate_krb5_ccache()
  Author: Stefan Metzmacher, Date: 2014-11-25, Files: 1, Lines: -1/+14
  This way we don't pass a given format string to talloc_asprintf().
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* s3:winbindd: avoid invalid pointer type warnings
  Author: Stefan Metzmacher, Date: 2014-11-25, Files: 3, Lines: -3/+11
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* samba: pass down size_t instead of int to add_string_to_array().
  Author: Günther Deschner, Date: 2014-11-17, Files: 1, Lines: -1/+1
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Mon Nov 17 19:53:22 CET 2014 on sn-devel-104

* winbindd_cache: don't leak state_path onto talloc tos
  Author: David Disseldorp, Date: 2014-11-03, Files: 1, Lines: -13/+48
  Also check for allocation failures.
  Signed-off-by: David Disseldorp <ddiss@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* winbindd: don't leak state_path onto talloc tos
  Author: David Disseldorp, Date: 2014-11-03, Files: 1, Lines: -1/+8
  Also check for allocation failures.
  Signed-off-by: David Disseldorp <ddiss@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* idmap_autorid: don't leak state_path onto talloc tos
  Author: David Disseldorp, Date: 2014-11-03, Files: 1, Lines: -1/+9
  Also check for allocation failures.
  Signed-off-by: David Disseldorp <ddiss@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* s3:libsmb: Remove unused domain copy stored in cli_state
  Author: Stefan Metzmacher, Date: 2014-10-17, Files: 1, Lines: -24/+3
  Change-Id: I7333140906bb3a487205b5760396dcc00a9f49b0
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* s3:libsmb: Remove unused password copy stored in cli_state
  Author: Andrew Bartlett, Date: 2014-10-17, Files: 1, Lines: -2/+2
  Change-Id: Ia6b33a25628ae08be8a8c6baeb71ce390315cb45
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* s3-winbindd: use cli_rpc_pipe_open_with_creds()
  Author: Andrew Bartlett, Date: 2014-10-17, Files: 1, Lines: -39/+22
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* s3-winbindd: Use own machine account to connect to trusted domains as well
  Author: Andrew Bartlett, Date: 2014-10-17, Files: 1, Lines: -6/+11
  This relies on a two-way trust, which we may not have, but is the only
  secure way to do this.
  To do this correctly we need to split NETLOGON from normal authentication,
  as we need to use the machine account for the SMB level, but the
  inter-domain trust account for the NETLOGON level.
  Change-Id: Ib93eb6a4d704ef26df8234be7cb71c47ad519c8a
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* s3-winbindd: use a cli_credentials structure to hold the trust credentials
  Author: Stefan Metzmacher, Date: 2014-10-17, Files: 1, Lines: -207/+395
  Later we can pass this down directly and have a much more sane handling
  of credentials and the spnego handshake.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Change-Id: If12ef0b105d8c7af60190d4eed3c8c07849da2ca
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>

* s3-winbindd: Attempt to connect to NETLOGON over NCACN_IP_TCP if we can
  Author: Andrew Bartlett, Date: 2014-10-08, Files: 1, Lines: -7/+47
  This is very helpful in the trusted domain situation, as we may not have
  a two-way trust but we can use our domain trust account to set up a
  connection to NETLOGON.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Oct 8 12:48:15 CEST 2014 on sn-devel-104

* s3-rpc_client: Migrate to cli_rpc_pipe_open_generic_auth and remove cli_rpc_pipe_open_spnego
  Author: Andrew Bartlett, Date: 2014-10-08, Files: 1, Lines: -11/+13
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Oct 8 03:36:52 CEST 2014 on sn-devel-104

* s3-rpc_client: Adapt cli_rpc_pipe_open_spnego to use enum credentials_kerberos_state
  Author: Andrew Bartlett, Date: 2014-10-08, Files: 1, Lines: -2/+2
  This allows us to pass this value in directly from the cli_credentials
  structure in winbindd.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* s3-winbindd: Allow winbindd to connect over SMB2 to servers
  Author: Andrew Bartlett, Date: 2014-10-08, Files: 1, Lines: -1/+1
  This allows SMB signing to work against many more DCs, and so improves
  network security.
  The default for "client max protocol" remains NT1 in the rest of the code.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* s3-winbindd: Pass the whole winbindd_domain to invalidate_cm_connection()
  Author: Andrew Bartlett, Date: 2014-10-08, Files: 7, Lines: -20/+21
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* winbindd: Do not overwrite domain list with conflicting info from a trusted domain
  Author: Andrew Bartlett, Date: 2014-10-06, Files: 1, Lines: -0/+75
  This places less trust in our primary DC or trusted domain DC and
  refuses to update info that is conflicting.
  This does not currently reject the connection to the DC, but only
  ensures it can only update missing information or to correct the case
  of the domain.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Michael Adam <obnox@samba.org>
  Autobuild-Date(master): Mon Oct 6 17:21:03 CEST 2014 on sn-devel-104

* winbindd: Make cm_connect_lsa_tcp static
  Author: Christof Schmitt, Date: 2014-10-04, Files: 2, Lines: -6/+3
  It is only used in winbindd_cm.c
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Sat Oct 4 02:34:49 CEST 2014 on sn-devel-104

* s3-winbindd: Make wcache_sid_to_name static
  Author: Christof Schmitt, Date: 2014-10-04, Files: 2, Lines: -12/+6
  It is only used in winbindd_cache.c
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* s3-winbindd: Remove extern declaration for cache_methods from winbindd_dual.c
  Author: Christof Schmitt, Date: 2014-10-04, Files: 1, Lines: -1/+0
  cache_methods is not used in winbindd_dual.c
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* winbind3: Fix pwent variable substitution
  Author: Justin Maggard, Date: 2014-10-03, Files: 1, Lines: -1/+1
  Commit 0ce46318 (winbind3: Simplify fillup_pw_field) broke variable
  substitution by copying from the wrong (unsubstituted) buffer. Fix it.
  Signed-off-by: Justin Maggard <jmaggard10@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Richard Sharpe <rsharpe@samba.org>

* idmap_rfc2307: Remove unused parameter and variable
  Author: Christof Schmitt, Date: 2014-10-01, Files: 1, Lines: -8/+5
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Christof Schmitt <cs@samba.org>
  Autobuild-Date(master): Wed Oct 1 19:20:50 CEST 2014 on sn-devel-104

* idmap_rfc2307: Fix a crash after connection problem to DC
  Author: Christof Schmitt, Date: 2014-10-01, Files: 1, Lines: -0/+1
  When the connection to the DC has a problem, the code behind
  ads_do_search_retry closes the current connection and opens a new one.
  The new connection has a new struct LDAP to represent the connection.
  In this case, the LDAP pointer in the idmap_rfc2307_context becomes
  invalid. Fix this problem by updating the local pointer after calling
  ads_do_search_retry.
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>

* winbindd: Do not make anonymous connections by default
  Author: Andrew Bartlett, Date: 2014-09-30, Files: 1, Lines: -0/+29
  The requirement is that we have "winbind sealed pipes = false" and
  "require strong key = false" before we make anonymous connections.
  These are a security risk as we cannot prevent MITM attacks.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call
  Author: Christof Schmitt, Date: 2014-09-29, Files: 1, Lines: -3/+30
  Create a new lsa_RefDomainList and populate it with the domain SID from
  the original query. That avoids the problem that for migrated objects,
  LookupSids returns the SID of the new domain, and combining that with
  the RID from the input results in an invalid SID.
  A better fix would be querying the RID of the user in the new domain,
  but the approach here at least avoids id mapping entries for invalid
  SIDs.
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Mon Sep 29 13:15:18 CEST 2014 on sn-devel-104

* s3-winbindd: Require SMB signing by default to disrupt MITM attacks with our DC
  Author: Andrew Bartlett, Date: 2014-09-28, Files: 1, Lines: -1/+33
  This makes it much harder to impersonate the DC, but allows this to be
  turned off or returned to IF_REQUIRED with a simple change to the
  'client signing' smb.conf parameter.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Sun Sep 28 06:25:55 CEST 2014 on sn-devel-104

* idl: Merge NETR_TRUST and LSA_TRUST definitions into one set only in lsa.idl
  Author: Andrew Bartlett, Date: 2014-09-27, Files: 6, Lines: -12/+13
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL. Ensure this is safe with modern AD-DCs.
  Author: Jeremy Allison, Date: 2014-09-15, Files: 2, Lines: -3/+8
  There are places in the code where we're not checking that alt_name is
  NULL and then calling into the DC lookup code with a NULL name request.
  This can happen in offline mode.
  Fixes bug #10717 - Winbind crash on losing VPN connection
  https://bugzilla.samba.org/show_bug.cgi?id=10717
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Michael Adam <obnox@samba.org>
  Autobuild-Date(master): Mon Sep 15 23:29:00 CEST 2014 on sn-devel-104

* set_dc_type_and_flags_trustinfo: Use init_dc_connection and wb_open_internal_pipe
  Author: Andrew Bartlett, Date: 2014-09-01, Files: 1, Lines: -18/+26
  This means we call this code, and mark trusted domains as active
  directory, when we are an AD DC.
  Otherwise, in the previous case we would not have domain->active_directory
  set, and would fail on connection_ok() due to not having a full
  connection to our internal DC.
  Change-Id: I7ccee569d69d6c5466334540db8920e57aafa991
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* winbindd: Add debugging to assist in locating errors creating NETLOGON pipes
  Author: Andrew Bartlett, Date: 2014-09-01, Files: 1, Lines: -0/+12
  Change-Id: If15483c37ed43267c6474ce8b5e9d96254745bca
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-By: Jelmer Vernooij <jelmer@samba.org>

* winbindd: Do not segfault if the trusted domain has no SID
  Author: Andrew Bartlett, Date: 2014-09-01, Files: 1, Lines: -1/+9
  Currently we abort, as skipping the domain would make the loop much
  more complex for a situation not yet seen in the real world.
  Andrew Bartlett
  Change-Id: Ie1e269eb25047d662d8fd0f771ee20de1d48706b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-By: Jelmer Vernooij <jelmer@samba.org>

* s3-winbindd: Document parameters in ads_cached_connection_reuse
  Author: Christof Schmitt, Date: 2014-08-30, Files: 1, Lines: -0/+13
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Sat Aug 30 06:10:36 CEST 2014 on sn-devel-104

* s3-winbindd: Use more descriptive parameter names in ads_cached_connection_connect
  Author: Christof Schmitt, Date: 2014-08-30, Files: 1, Lines: -8/+8
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* s3-winbindd: Use correct realm for trusted domains in idmap child
  Author: Christof Schmitt, Date: 2014-08-30, Files: 1, Lines: -2/+9
  When authenticating users in a trusted domain, the idmap_ad module
  always connects to a local DC instead of one in the trusted domain.
  Fix this by passing the correct realm to connect to.
  Also comment parameters passed to ads_cached_connection_connect.
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* winbindd-irpc: Ensure not to call irpc_send_reply twice on error
  Author: Andrew Bartlett, Date: 2014-08-01, Files: 1, Lines: -0/+1
  As found during investigation of the previous commit, when the RPC call
  fails totally, we must only try and send one error reply.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Fri Aug 1 12:11:29 CEST 2014 on sn-devel-104

* s3: winbindd: On new client connect, prune idle or hung connections older than "winbind request timeout"
  Author: Jeremy Allison, Date: 2014-07-29, Files: 1, Lines: -0/+36
  Bug 3204 winbindd: Exceeding 200 client connections, no idle connection found
  https://bugzilla.samba.org/show_bug.cgi?id=3204
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ira Cooper <ira@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Jul 29 23:31:14 CEST 2014 on sn-devel-104

* lib: directory_create_or_exist() does not use "uid" parameter
  Author: Volker Lendecke, Date: 2014-07-28, Files: 1, Lines: -2/+2
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* s3:idmap: fix talloc hierarchy in idmap_passdb_domain()
  Author: Michael Adam, Date: 2014-07-25, Files: 1, Lines: -1/+1
  (don't init to NULL context - we got one handed in...)
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Fri Jul 25 14:18:20 CEST 2014 on sn-devel-104

* s3:idmap: only check the range values if a range setting has been found.
  Author: Michael Adam, Date: 2014-07-25, Files: 1, Lines: -3/+1
  Otherwise, the check is superfluous since high and low values are
  initialized to 0.
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>

* s3:idmap: move loading of idmap options together before range checking in idmap_init_domain()
  Author: Michael Adam, Date: 2014-07-25, Files: 1, Lines: -4/+4
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>

* s3:idmap: in idmap_init_domain() load methods before loading further config
  Author: Michael Adam, Date: 2014-07-25, Files: 1, Lines: -18/+23
  Check whether the requested backend exists at all, before going further
  into the config parsing.
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>

* s3:idmap: don't log missing range config if range checking not requested
  Author: Michael Adam, Date: 2014-07-25, Files: 1, Lines: -2/+2
  idmap_init_domain() is called with check_range == false from
  idmap_passdb_domain(). In this case, we usually don't have an idmap
  range at all, and we don't want level 1 debug messages complaining
  about the fact; they are irritating at least.
  This patch removes the debug in the case of check_range == false.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10737
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>

* s3-winbindd: prefer "displayName" over "name" in ads user queries for the fullname.
  Author: Günther Deschner, Date: 2014-07-15, Files: 1, Lines: -5/+11
  This makes use more consistent with security=domain as well where the
  gecos field is also filled using the displayName field.
  Guenther
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3-winbind: Don't set the gecos field to NULL.
  Author: Andreas Schneider, Date: 2014-07-15, Files: 1, Lines: -1/+0
  The value is loaded from the cache anyway. So it will be set to NULL if
  it is not available.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>

* s3-winbindd: use wcache_query_user_fullname after inspecting samlogon cache.
  Author: Günther Deschner, Date: 2014-07-15, Files: 3, Lines: -0/+57
  The reason for this followup query is that very often the samlogon cache
  only contains a info3 netlogon user structure that has been retrieved
  during a netlogon samlogon authentication using "network" logon level.
  With that logon level only a few info3 fields are filled in; the user's
  fullname is never filled in that case. This is problematic when the
  cache is used to fill in the user's gecos field (for NSS queries).
  When we have retrieved the user's fullname during other queries, reuse
  it from the other caches.
  Thanks to Matt Rogers <mrogers@redhat.com>.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
  Guenther
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3-winbindd: add wcache_query_user_fullname().
  Author: Günther Deschner, Date: 2014-07-15, Files: 2, Lines: -0/+38
  This helper function is used to query the full name of a cached user
  object (for further gecos processing).
  Thanks to Matt Rogers <mrogers@redhat.com>.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
  Guenther
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3-winbindd: call interactive samlogon via rpccli_netlogon_password_logon.
  Author: Günther Deschner, Date: 2014-07-15, Files: 1, Lines: -13/+32
  Guenther
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:winbindd: remove unused get[pw|gr]ent_initialized from winbindd_cli_state
  Author: Stefan Metzmacher, Date: 2014-07-11, Files: 1, Lines: -4/+0
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Fri Jul 11 18:46:09 CEST 2014 on sn-devel-104

* winbindd: Use a remote RPC server when we are an RODC when needed
  Author: Andrew Bartlett, Date: 2014-07-04, Files: 7, Lines: -35/+72
  This allows us to operate against the local cache where possible, but to
  forward some operations to the read-write DC.
  Andrew Bartlett
  Change-Id: Idc78ae379a402969381758919fcede17568f094e
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>

* s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
  Author: Andrew Bartlett, Date: 2014-07-04, Files: 1, Lines: -2/+14
  This changes the auth code in winbindd to use this as a flag, and to
  therefore contact the RW DC.
  Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>