path: root/source3/winbindd
Commit log (newest first). Each entry gives the commit message, author, date, number of files changed and lines removed/added.
* s3-winbind: Fix cached user group lookup of trusted domains. (Michael Adam, 2015-03-09, 1 file, -0/+11)
  If a user group lookup has already been done before with a machine account we did always return the incomplete information from the cache. This patch makes sure we return the correct group information from the netsamlogon cache.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11143
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Signed-off-by: Michael Adam <obnox@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Mon Mar 9 19:23:25 CET 2015 on sn-devel-104
* winbind: Make wb_sids2xids_recv work on an array (Volker Lendecke, 2015-03-07, 8 files, -21/+27)
  The trigger for this is that Coverity got confused by the dual use of &xid as an array with the implicit length equality between wb_sids2xids_send and the array passed in to wb_sids2xids_recv for the result. I don't want to start doing things just for the Coverity scan, but this makes the code clearer to me by removing this implicit expected array length equality.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Signed-off-by: David Disseldorp <ddiss@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Sat Mar 7 15:28:59 CET 2015 on sn-devel-104
* winbind: Fix CID 1273294 Uninitialized scalar variable (Volker Lendecke, 2015-03-04, 1 file, -1/+1)
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
* winbind: Fix CID 1273295 Uninitialized scalar variable (Volker Lendecke, 2015-03-04, 1 file, -1/+2)
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
* winbind: Slightly simplify wb_sids2xids (Volker Lendecke, 2015-02-27, 1 file, -7/+8)
  We only need "names" and "domains" in wb_sids2xids_lookupsids_done. It confused me when reading this code that these variables are stored in "state".
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* winbind: Simplify winbindd_dsgetdcname_recv (Volker Lendecke, 2015-02-27, 1 file, -5/+5)
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Feb 27 01:16:10 CET 2015 on sn-devel-104
* winbind: Fix idmap initialization (Volker Lendecke, 2015-01-22, 1 file, -6/+8)
  The fix is in the sscanf line: %u in the sscanf format mandates the use of a pointer to an "unsigned". idmap_domain->[low|high]_id are uint32_t. On little endian 64-bit this might at least put the correct values into low_id and high_id, but might overwrite the read_only bit set earlier, depending on structure alignment and packing. On big endian 64-bit, this will just fail. Automatic conversion to uint32_t will happen only at assignment, not when you take a pointer of such a thing.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Thu Jan 22 17:58:16 CET 2015 on sn-devel-104
* Add a script-only idmap module. (Richard Sharpe, 2015-01-08, 2 files, -0/+402)
  In this third version I have cleaned up some unused variable warnings that only the Samba 3 build found and added a man page based on the idmap_tdb2 man page. I have also added support for ID_TYPE_BOTH mappings and replaced calls to popen with something safer. Also, I removed some non-PC macros.
  Signed-off-by: Richard Sharpe <rsharpe@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu Jan 8 04:30:32 CET 2015 on sn-devel-104
* winbind: Retry after SESSION_EXPIRED error in ping-dc (Christof Schmitt, 2015-01-06, 1 file, -0/+8)
  Trying to establish a netlogon connection when the service ticket expires might fail with NT_STATUS_NETWORK_SESSION_EXPIRED. The underlying client code already marks the session as invalid, so retry the netlogon connect in this case.
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Jan 6 02:58:57 CET 2015 on sn-devel-104
* s3:winbindd: improve logic to use CLDAP for a given domain. (Stefan Metzmacher, 2015-01-05, 1 file, -1/+9)
  As an AD Domain Controller we should try CLDAP for active directory domains. E.g. FreeIPA domains don't provide NBT at all...
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Mon Jan 5 19:23:40 CET 2015 on sn-devel-104
* s3:winbindd: mark our primary as active_directory if possible (Stefan Metzmacher, 2015-01-05, 1 file, -0/+9)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* winbind: Retry LogonControl RPC in ping-dc after session expiration (Christof Schmitt, 2014-12-23, 1 file, -0/+10)
  When the underlying session expires, the LogonControl RPC call used in ping-dc returns NT_STATUS_IO_DEVICE_ERROR. Retry once in this case, instead of returning the error to the caller.
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Dec 23 02:46:34 CET 2014 on sn-devel-104
* s3:winbindd: make use of cli_rpc_pipe_open_schannel_with_creds() (Stefan Metzmacher, 2014-12-19, 1 file, -17/+40)
  This way we pass down enough information for SEC_CHAN_DNS_DOMAIN to work.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:winbindd: make use of rpccli_{create,setup}_netlogon_creds_with_creds() (Stefan Metzmacher, 2014-12-19, 1 file, -23/+9)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:winbindd: we only need a netlogon connection to a rwdc if we're a rodc ourself (Stefan Metzmacher, 2014-12-19, 1 file, -2/+2)
  If we're a member or RWDC there's no need to require talking to a rwdc, an rodc will forward the request if required.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:winbindd: make sure we try to use NCACN_IP_TCP in cm_connect_netlogon (Stefan Metzmacher, 2014-12-19, 1 file, -0/+5)
  We need to call init_dc_connection_rpc() before we can decide if we want to try NCACN_IP_TCP.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:winbindd: use find_domain_from_name_noinit() in winbindd_ping_dc_send() (Stefan Metzmacher, 2014-12-19, 1 file, -1/+1)
  We should not try to connect to the given domain from within the winbindd parent.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:winbindd: report our own name for PING_DC and internal domains (Stefan Metzmacher, 2014-12-19, 1 file, -0/+22)
  This means "wbinfo --ping-dc" works fine on a DC.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:winbindd: try to use the trust account with kerberos if possible (Stefan Metzmacher, 2014-12-18, 1 file, -7/+19)
  This trust account is usable for SMB authentication via kerberos, so we should try that if we think the domain is active directory.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:winbindd: fix anon fallback in cm_prepare_connection() (Stefan Metzmacher, 2014-12-18, 1 file, -18/+1)
  We should not crash with machine_password==NULL.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:winbindd: also try to fallback to anonymous if we get NT_STATUS_INVALID_ACCOUNT_NAME (Stefan Metzmacher, 2014-12-18, 1 file, -0/+1)
  Kerberos authentication may return NT_STATUS_INVALID_ACCOUNT_NAME (PRINCIPAL_UNKNOWN).
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib: Split out write_data[_iov] (Volker Lendecke, 2014-12-07, 1 file, -0/+1)
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* lib: read_data->read_data_ntstatus (Volker Lendecke, 2014-12-07, 1 file, -2/+3)
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* lib: Split out sys_[read|write] & friends (Volker Lendecke, 2014-12-07, 1 file, -0/+1)
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* pdb: Increase version number to fix ABI (Garming Sam, 2014-12-03, 1 file, -1/+1)
  In the process, we can also rename pdb to avoid conflicts with libpdb. We don't depend directly on pdb to avoid duplicate symbols.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10355
  Change-Id: I4df6ba2f4ce35d3718dc4198b527cca46a139efe
  Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* idmap: unify passdb *id_to_sid methods (Garming Sam, 2014-12-03, 1 file, -14/+2)
  Instead of passing down gid or uid, a pointer to a unixid is now sent down. This acts as an in-out variable so that the idmap functions can correctly receive ID_TYPE_BOTH, filling in cache details correctly rather than forcing the cache to store ID_TYPE_UID or ID_TYPE_GID.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10720
  Change-Id: I11409a0f498e61a3c0a6ae606dd7af1135e6b066
  Pair-programmed-with: Andrew Bartlett <abarlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3:winbindd: make use of talloc_string_sub2() in generate_krb5_ccache() (Stefan Metzmacher, 2014-11-25, 1 file, -1/+14)
  This way we don't pass a given format string to talloc_asprintf().
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3:winbindd: avoid invalid pointer type warnings (Stefan Metzmacher, 2014-11-25, 3 files, -3/+11)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* samba: pass down size_t instead of int to add_string_to_array(). (Günther Deschner, 2014-11-17, 1 file, -1/+1)
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Mon Nov 17 19:53:22 CET 2014 on sn-devel-104
* winbindd_cache: don't leak state_path onto talloc tos (David Disseldorp, 2014-11-03, 1 file, -13/+48)
  Also check for allocation failures.
  Signed-off-by: David Disseldorp <ddiss@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* winbindd: don't leak state_path onto talloc tos (David Disseldorp, 2014-11-03, 1 file, -1/+8)
  Also check for allocation failures.
  Signed-off-by: David Disseldorp <ddiss@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* idmap_autorid: don't leak state_path onto talloc tos (David Disseldorp, 2014-11-03, 1 file, -1/+9)
  Also check for allocation failures.
  Signed-off-by: David Disseldorp <ddiss@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3:libsmb: Remove unused domain copy stored in cli_state (Stefan Metzmacher, 2014-10-17, 1 file, -24/+3)
  Change-Id: I7333140906bb3a487205b5760396dcc00a9f49b0
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3:libsmb: Remove unused password copy stored in cli_state (Andrew Bartlett, 2014-10-17, 1 file, -2/+2)
  Change-Id: Ia6b33a25628ae08be8a8c6baeb71ce390315cb45
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-winbindd: use cli_rpc_pipe_open_with_creds() (Andrew Bartlett, 2014-10-17, 1 file, -39/+22)
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-winbindd: Use own machine account to connect to trusted domains as well (Andrew Bartlett, 2014-10-17, 1 file, -6/+11)
  This relies on a two-way trust, which we may not have, but is the only secure way to do this. To do this correctly we need to split NETLOGON from normal authentication, as we need to use the machine account for the SMB level, but the inter-domain trust account for the NETLOGON level.
  Change-Id: Ib93eb6a4d704ef26df8234be7cb71c47ad519c8a
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-winbindd: use a cli_credentials structure to hold the trust credentials (Stefan Metzmacher, 2014-10-17, 1 file, -207/+395)
  Later we can pass this down directly and have a much more sane handling of credentials and the spnego handshake.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Change-Id: If12ef0b105d8c7af60190d4eed3c8c07849da2ca
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s3-winbindd: Attempt to connect to NETLOGON over NCACN_IP_TCP if we can (Andrew Bartlett, 2014-10-08, 1 file, -7/+47)
  This is very helpful in the trusted domain situation, as we may not have a two-way trust but we can use our domain trust account to set up a connection to NETLOGON.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Oct 8 12:48:15 CEST 2014 on sn-devel-104
* s3-rpc_client: Migrate to cli_rpc_pipe_open_generic_auth and remove cli_rpc_pipe_open_spnego (Andrew Bartlett, 2014-10-08, 1 file, -11/+13)
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Oct 8 03:36:52 CEST 2014 on sn-devel-104
* s3-rpc_client: Adapt cli_rpc_pipe_open_spnego to use enum credentials_kerberos_state (Andrew Bartlett, 2014-10-08, 1 file, -2/+2)
  This allows us to pass this value in directly from the cli_credentials structure in winbindd.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-winbindd: Allow winbindd to connect over SMB2 to servers (Andrew Bartlett, 2014-10-08, 1 file, -1/+1)
  This allows SMB signing to work against many more DCs, and so improves network security. The default for "client max protocol" remains NT1 in the rest of the code.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-winbindd: Pass the whole winbindd_domain to invalidate_cm_connection() (Andrew Bartlett, 2014-10-08, 7 files, -20/+21)
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* winbindd: Do not overwrite domain list with conflicting info from a trusted domain (Andrew Bartlett, 2014-10-06, 1 file, -0/+75)
  This places less trust in our primary DC or trusted domain DC and refuses to update info that is conflicting. This does not currently reject the connection to the DC, but only ensures it can only update missing information or to correct the case of the domain.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Michael Adam <obnox@samba.org>
  Autobuild-Date(master): Mon Oct 6 17:21:03 CEST 2014 on sn-devel-104
* winbindd: Make cm_connect_lsa_tcp static (Christof Schmitt, 2014-10-04, 2 files, -6/+3)
  It is only used in winbindd_cm.c
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Sat Oct 4 02:34:49 CEST 2014 on sn-devel-104
* s3-winbindd: Make wcache_sid_to_name static (Christof Schmitt, 2014-10-04, 2 files, -12/+6)
  It is only used in winbindd_cache.c
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3-winbindd: Remove extern declaration for cache_methods from winbindd_dual.c (Christof Schmitt, 2014-10-04, 1 file, -1/+0)
  cache_methods is not used in winbindd_dual.c
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* winbind3: Fix pwent variable substitution (Justin Maggard, 2014-10-03, 1 file, -1/+1)
  Commit 0ce46318 (winbind3: Simplify fillup_pw_field) broke variable substitution by copying from the wrong (unsubstituted) buffer. Fix it.
  Signed-off-by: Justin Maggard <jmaggard10@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Richard Sharpe <rsharpe@samba.org>
* idmap_rfc2307: Remove unused parameter and variable (Christof Schmitt, 2014-10-01, 1 file, -8/+5)
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Christof Schmitt <cs@samba.org>
  Autobuild-Date(master): Wed Oct 1 19:20:50 CEST 2014 on sn-devel-104
* idmap_rfc2307: Fix a crash after connection problem to DC (Christof Schmitt, 2014-10-01, 1 file, -0/+1)
  When the connection to the DC has a problem, the code behind ads_do_search_retry closes the current connection and opens a new one. The new connection has a new struct LDAP to represent the connection. In this case, the LDAP pointer in the idmap_rfc2307_context becomes invalid. Fix this problem by updating the local pointer after calling ads_do_search_retry.
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* winbindd: Do not make anonymous connections by default (Andrew Bartlett, 2014-09-30, 1 file, -0/+29)
  The requirement is that we have "winbind sealed pipes = false" and "require strong key = false" before we make anonymous connections. These are a security risk as we cannot prevent MITM attacks.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>