path: root/source3/winbindd
...
* s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call
  Author: Christof Schmitt  Date: 2014-09-29  Files: 1  Lines: -3/+30

  Create a new lsa_RefDomainList and populate it with the domain SID from the original query. That avoids the problem that for migrated objects, LookupSids returns the SID of the new domain, and combining that with the RID from the input results in an invalid SID. A better fix would be querying the RID of the user in the new domain, but the approach here at least avoids id mapping entries for invalid SIDs.

  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Mon Sep 29 13:15:18 CEST 2014 on sn-devel-104
* s3-winbindd: Require SMB signing by default to disrupt MITM attacks with our DC
  Author: Andrew Bartlett  Date: 2014-09-28  Files: 1  Lines: -1/+33

  This makes it much harder to impersonate the DC, but allows this to be turned off or returned to IF_REQUIRED with a simple change to the 'client signing' smb.conf parameter.

  Andrew Bartlett

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Sun Sep 28 06:25:55 CEST 2014 on sn-devel-104
* idl: Merge NETR_TRUST and LSA_TRUST definitions into one set only in lsa.idl
  Author: Andrew Bartlett  Date: 2014-09-27  Files: 6  Lines: -12/+13

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to be NULL.
  Author: Jeremy Allison  Date: 2014-09-15  Files: 2  Lines: -3/+8

  Ensure this is safe with modern AD-DCs. There are places in the code where we're not checking that alt_name is NULL and then calling into the DC lookup code with a NULL name request. This can happen in offline mode.

  Fixes bug #10717 - Winbind crash on losing VPN connection
  https://bugzilla.samba.org/show_bug.cgi?id=10717

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Michael Adam <obnox@samba.org>
  Autobuild-Date(master): Mon Sep 15 23:29:00 CEST 2014 on sn-devel-104
* set_dc_type_and_flags_trustinfo: Use init_dc_connection and wb_open_internal_pipe
  Author: Andrew Bartlett  Date: 2014-09-01  Files: 1  Lines: -18/+26

  This means we call this code, and mark trusted domains as active directory, when we are an AD DC.

  Otherwise, in the previous case we would not have domain->active_directory set, and would fail on connection_ok() due to not having a full connection to our internal DC.

  Change-Id: I7ccee569d69d6c5466334540db8920e57aafa991
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* winbindd: Add debugging to assist in locating errors creating NETLOGON pipes
  Author: Andrew Bartlett  Date: 2014-09-01  Files: 1  Lines: -0/+12

  Change-Id: If15483c37ed43267c6474ce8b5e9d96254745bca
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
* winbindd: Do not segfault if the trusted domain has no SID
  Author: Andrew Bartlett  Date: 2014-09-01  Files: 1  Lines: -1/+9

  Currently we abort, as skipping the domain would make the loop much more complex for a situation not yet seen in the real world.

  Andrew Bartlett

  Change-Id: Ie1e269eb25047d662d8fd0f771ee20de1d48706b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
* s3-winbindd: Document parameters in ads_cached_connection_reuse
  Author: Christof Schmitt  Date: 2014-08-30  Files: 1  Lines: -0/+13

  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Sat Aug 30 06:10:36 CEST 2014 on sn-devel-104
* s3-winbindd: Use more descriptive parameter names in ads_cached_connection_connect
  Author: Christof Schmitt  Date: 2014-08-30  Files: 1  Lines: -8/+8

  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3-winbindd: Use correct realm for trusted domains in idmap child
  Author: Christof Schmitt  Date: 2014-08-30  Files: 1  Lines: -2/+9

  When authenticating users in a trusted domain, the idmap_ad module always connects to a local DC instead of one in the trusted domain. Fix this by passing the correct realm to connect to.

  Also comment parameters passed to ads_cached_connection_connect.

  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* winbindd-irpc: Ensure not to call irpc_send_reply twice on error
  Author: Andrew Bartlett  Date: 2014-08-01  Files: 1  Lines: -0/+1

  As found during investigation of the previous commit, when the RPC call fails totally, we must only try and send one error reply.

  Andrew Bartlett

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Fri Aug 1 12:11:29 CEST 2014 on sn-devel-104
* s3: winbindd: On new client connect, prune idle or hung connections older than "winbind request timeout"
  Author: Jeremy Allison  Date: 2014-07-29  Files: 1  Lines: -0/+36

  Bug 3204 winbindd: Exceeding 200 client connections, no idle connection found
  https://bugzilla.samba.org/show_bug.cgi?id=3204

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ira Cooper <ira@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Jul 29 23:31:14 CEST 2014 on sn-devel-104
* lib: directory_create_or_exist() does not use "uid" parameter
  Author: Volker Lendecke  Date: 2014-07-28  Files: 1  Lines: -2/+2

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3:idmap: fix talloc hierarchy in idmap_passdb_domain()
  Author: Michael Adam  Date: 2014-07-25  Files: 1  Lines: -1/+1

  (don't init to NULL context - we got one handed in...)

  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Fri Jul 25 14:18:20 CEST 2014 on sn-devel-104
* s3:idmap: only check the range values if a range setting has been found.
  Author: Michael Adam  Date: 2014-07-25  Files: 1  Lines: -3/+1

  Otherwise, the check is superfluous since high and low values are initialized to 0.

  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* s3:idmap: move loading of idmap options together before range checking in idmap_init_domain()
  Author: Michael Adam  Date: 2014-07-25  Files: 1  Lines: -4/+4

  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* s3:idmap: in idmap_init_domain() load methods before loading further config
  Author: Michael Adam  Date: 2014-07-25  Files: 1  Lines: -18/+23

  Check whether the requested backend exists at all, before going further into the config parsing.

  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* s3:idmap: don't log missing range config if range checking not requested
  Author: Michael Adam  Date: 2014-07-25  Files: 1  Lines: -2/+2

  idmap_init_domain() is called with check_range == false from idmap_passdb_domain(). In this case, we usually don't have an idmap range at all, and level 1 debug messages complaining about that fact are irritating at least.

  This patch removes the debug in the case of check_range == false.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10737

  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* s3-winbindd: prefer "displayName" over "name" in ads user queries for the fullname.
  Author: Günther Deschner  Date: 2014-07-15  Files: 1  Lines: -5/+11

  This makes us more consistent with security=domain as well, where the gecos field is also filled using the displayName field.

  Guenther

  Signed-off-by: Guenther Deschner <gd@samba.org>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-winbind: Don't set the gecos field to NULL.
  Author: Andreas Schneider  Date: 2014-07-15  Files: 1  Lines: -1/+0

  The value is loaded from the cache anyway. So it will be set to NULL if it is not available.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s3-winbindd: use wcache_query_user_fullname after inspecting samlogon cache.
  Author: Günther Deschner  Date: 2014-07-15  Files: 3  Lines: -0/+57

  The reason for this followup query is that very often the samlogon cache only contains an info3 netlogon user structure that has been retrieved during a netlogon samlogon authentication using "network" logon level. With that logon level only a few info3 fields are filled in; the user's fullname is never filled in that case. This is problematic when the cache is used to fill in the user's gecos field (for NSS queries). When we have retrieved the user's fullname during other queries, reuse it from the other caches.

  Thanks to Matt Rogers <mrogers@redhat.com>.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440

  Guenther

  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-winbindd: add wcache_query_user_fullname().
  Author: Günther Deschner  Date: 2014-07-15  Files: 2  Lines: -0/+38

  This helper function is used to query the full name of a cached user object (for further gecos processing).

  Thanks to Matt Rogers <mrogers@redhat.com>.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440

  Guenther

  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-winbindd: call interactive samlogon via rpccli_netlogon_password_logon.
  Author: Günther Deschner  Date: 2014-07-15  Files: 1  Lines: -13/+32

  Guenther

  Signed-off-by: Guenther Deschner <gd@samba.org>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:winbindd: remove unused get[pw|gr]ent_initialized from winbindd_cli_state
  Author: Stefan Metzmacher  Date: 2014-07-11  Files: 1  Lines: -4/+0

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Fri Jul 11 18:46:09 CEST 2014 on sn-devel-104
* winbindd: Use a remote RPC server when we are an RODC when needed
  Author: Andrew Bartlett  Date: 2014-07-04  Files: 7  Lines: -35/+72

  This allows us to operate against the local cache where possible, but to forward some operations to the read-write DC.

  Andrew Bartlett

  Change-Id: Idc78ae379a402969381758919fcede17568f094e
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
* s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd
  Author: Andrew Bartlett  Date: 2014-07-04  Files: 1  Lines: -2/+14

  This changes the auth code in winbindd to use this as a flag, and to therefore contact the RW DC.

  Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
* winbindd: Allow the AD-DC to call getdcname
  Author: Garming Sam  Date: 2014-07-04  Files: 1  Lines: -6/+16

  This is particularly useful for RODC and eliminates a knownfail.

  Change-Id: Ia5089761dcabb1620eadd530dbc9b05580cddd1f
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
* s3:winbindd - fix bad bugfix for bug #10280 - winbind panic if AD server is down.
  Author: Jeremy Allison  Date: 2014-07-02  Files: 1  Lines: -2/+2

  Previous bug fix reversed the sense of the test for out of memory.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10280

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
* s3: auth: Fix winbindd_pam_auth_pac_send() to create a new info3 and merge in resource groups from a trusted PAC.
  Author: Jeremy Allison  Date: 2014-06-18  Files: 1  Lines: -2/+22

  Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>.

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
  Reviewed-by: Simo Sorce <idra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104
* s3-winbindd: Honour pdb_is_responsible_for_everything_else()
  Author: Andrew Bartlett  Date: 2014-06-16  Files: 1  Lines: -8/+11

  This allows us to avoid running idmap_init_default_domain() which gives an error in the default AD DC config.

  Andrew Bartlett

  Change-Id: I923bd941951f6a907e6fa1ad167e5218a01040ff
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
* s3-winbindd: Implement SamLogon IRPC call
  Author: Andrew Bartlett  Date: 2014-06-11  Files: 4  Lines: -51/+150

  We do this by lifting parts of the winbindd_dual_pam_auth_crap() code into a new helper function winbind_dual_SamLogon(). This allows us to implement the semantics we need for IRPC, without the artifacts of the winbindd pipe protocol.

  Change-Id: Idb169217e6d68d387c99765d0af7ed394cb5b93a
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Jun 11 12:43:58 CEST 2014 on sn-devel-104
* s3-winbind: Transparently forward IRPC messages to the winbind_dual child
  Author: Andrew Bartlett  Date: 2014-06-11  Files: 1  Lines: -37/+80

  Change-Id: I8b336e2365e10ef9ea04d0957eb0829d3766b11e
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-winbind rename winbindd_update_rodc_dns to be for more generic irpc
  Author: Andrew Bartlett  Date: 2014-06-11  Files: 3  Lines: -10/+16

  Change-Id: I385ef8bd766848becc42e58694207dc94cd07a89
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* librpc/idl: Merge wbint.idl with winbind.idl so we can forward IRPC requests to internal winbind calls
  Author: Andrew Bartlett  Date: 2014-06-11  Files: 38  Lines: -44/+50

  Change-Id: Iba3913d5a1c7f851b93f37e9beb6dbb20fbf7e55
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-winbindd: Listen on IRPC and do forwarded DNS updates on an RODC
  Author: Andrew Bartlett  Date: 2014-06-11  Files: 4  Lines: -0/+137

  Change-Id: Ib87933c318f510d95f7008e122216d73803ede68
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-winbindd: Register winbindd with irpc
  Author: Andrew Bartlett  Date: 2014-06-11  Files: 2  Lines: -0/+33

  Change-Id: Ie3c7109fef6982d95e8cad06870334565352e329
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Provide a way to use the auth stack for winbindd authentication
  Author: Andrew Bartlett  Date: 2014-06-11  Files: 1  Lines: -3/+42

  This adds in flags that allow winbindd to request authentication without directly calling into the auth_sam module. That in turn will allow winbindd to call auth_samba4 and so permit winbindd operation in the AD DC.

  Andrew Bartlett

  Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* winbindd: Call set_dc_type_and_flags on the internal domain
  Author: Andrew Bartlett  Date: 2014-06-11  Files: 5  Lines: -113/+87

  This allows the AD DC to be picked up correctly and gives the correct DNS name. To ensure no confusion, we also always init it with the full DNS name.

  It also means that, aside from the BUILTIN domain, the initialized flag is set only in one place, which will help when we add more details to the domain structure in the future.

  This in turn allows kerberos authentication against winbindd on the AD DC.

  Andrew Bartlett

  Change-Id: Idc829cfe5f2e867c87107b49275b17f294821dcd
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:lib/afs move afs.c to common lib dir
  Author: Christian Ambach  Date: 2014-06-04  Files: 1  Lines: -0/+1

  Some of the code in afs.c is needed by wbinfo that lives in the toplevel nsswitch directory, so move the afs.c file to a new top-level lib/afs directory.

  Use the name afs_funcs to avoid collisions with the afs.h header from OpenAFS.

  Signed-off-by: Christian Ambach <ambi@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-winbind: Use strlcpy to avoid log entry.
  Author: Andreas Schneider  Date: 2014-06-04  Files: 1  Lines: -1/+4

  The full_name from Windows can be longer than 255 chars, which results in a warning on log level 0 that we have a string overflow. This will avoid the warning. However, we should fix this sooner or later on the protocol level to have no limit.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Wed Jun 4 16:49:11 CEST 2014 on sn-devel-104
* winbindd: Use rpc_pipe_open_interface() so that winbindd uses the correct rpc servers
  Author: Andrew Bartlett  Date: 2014-06-04  Files: 1  Lines: -12/+31

  This means that in the AD DC, we use the AD DC servers, while in the classic DC or file server we continue to use the built-in SAMR and LSA servers.

  Andrew Bartlett

  Change-Id: I63b1443f5665016f7fcbed35907ec29d4424ab18
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* winbindd: Remove pointless if statement
  Author: Andrew Bartlett  Date: 2014-06-04  Files: 1  Lines: -14/+10

  Change-Id: I7d2646078f6e7ba596b92da7d37c285d10ad38c0
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* winbindd: explain that this check protects the AD DC machine account password (for now at least)
  Author: Andrew Bartlett  Date: 2014-06-04  Files: 1  Lines: -0/+4

  Change-Id: I2e2eb2e7fc4a12f27025f42e4cc41560311ce6c8
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* winbind: Allow winbindd to be run from inside "samba"
  Author: Andrew Bartlett  Date: 2014-04-29  Files: 1  Lines: -1/+2

  Change-Id: I6b90a9b62ba5821e0feedb23cd20642078ba0ca6
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Tue Apr 29 05:28:39 CEST 2014 on sn-devel-104
* autorid: Add allocation from above in alloc range for well known sids
  Author: Michael Adam  Date: 2014-04-25  Files: 1  Lines: -0/+86

  This way, we achieve a better determinism for the id mappings of the well knowns without wasting a separate range.

  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Michael Adam <obnox@samba.org>
  Autobuild-Date(master): Fri Apr 25 17:52:10 CEST 2014 on sn-devel-104
* autorid: use dbwrap_trans_do() in idmap_autorid_sid_to_id_alloc()
  Author: Michael Adam  Date: 2014-04-25  Files: 1  Lines: -22/+26

  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* autorid: add high_id to range config and fill it where we also fill range->low_id.
  Author: Michael Adam  Date: 2014-04-25  Files: 1  Lines: -0/+2

  This corresponds to low_id for convenience and allows for computations without going back to the global config.

  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* autorid: reserve 500 IDs at the top of the ALLOC range.
  Author: Michael Adam  Date: 2014-04-25  Files: 1  Lines: -1/+4

  The wellknowns are now allocated into this sub-range.

  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* autorid: reverse order of arguments of idmap_autorid_sid_to_id_alloc()
  Author: Michael Adam  Date: 2014-04-25  Files: 1  Lines: -4/+5

  for consistency

  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* autorid: introduce idmap_autorid_domsid_is_for_alloc()
  Author: Michael Adam  Date: 2014-04-25  Files: 1  Lines: -2/+14

  Currently, this checks if the sid is a wellknown domain sid. But the code reads more nicely and more domains might be added in the future.

  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>