path: root/source3/winbindd
Commit message  [Author, Age, Files, Lines -/+]
* s3-winbind: Don't fail on users without a uid.  [Andreas Schneider, 2011-11-25, 1 file, -1/+18]
  This fixes bug #8608. If you join samba with the idmap_ad backend to an AD and then try to enumerate users with 'getent passwd' while a user doesn't have a uid set, getent is aborted because of NT_STATUS_NONE_MAPPED. If we can't map a user we should not stop but continue enumerating users.
  This normally happens with the default user 'krbtgt' with idmap_ad but could also happen with other backends.
  Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date: Tue Nov 15 16:52:04 CET 2011 on sn-devel-104
  (backported from commit 10b285ccc29b106f164a6c18116e237634867717)
  Signed-off-by: Andreas Schneider <asn@samba.org>
* Allows changing the maximum number of simultaneous clients in winbindd through an smb.conf option.  [Pierre Carrier, 2011-09-28, 1 file, -5/+3]
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Fix bug #8186 (Allows changing the maximum number of simultaneous clients in winbindd through an smb.conf option).
* s3-winbind: Fix bug 7888 -- deal with buggy 3.0 based PDCs.  [Günther Deschner, 2011-09-28, 1 file, -14/+36]
  Guenther
* s3: Fix bug 7844: Race in winbind  [Volker Lendecke, 2011-09-22, 1 file, -4/+8]
  If a child dies, the parent process right away closes the socket. This is wrong, with tevent we still have events pending. This works fine for epoll but does not for at least the FreeBSD select variant. Tevent sticks a closed socket into the select masks. This then returns an error EBADF. When this happens, the parent winbind dies instead of forking a new child.
  This moves the socket close from the SIGCHLD cleanup function to the socket receiver. I could not reproduce the parent death anymore and it did not create an obvious fd leak.
* v3-5-test: Fix getent group if trusted domains are not reachable  [Volker Lendecke, 2011-08-30, 1 file, -2/+6]
  Fix bug #8420 (wb_group_members: non-resistance against garbage).
* s3: explicitly pass domain_sid to wbint_LookupRids() (bug #7841)  [Volker Lendecke, 2011-06-28, 2 files, -8/+9]
* s3-winbind: BUG 8166 - Don't lockout users when offline.  [Jim McDonough, 2011-06-01, 1 file, -1/+4]
  Windows does not track bad password attempts when offline. We were locking users out but not honoring the lockout duration.
  Autobuild-User: Jim McDonough <jmcd@samba.org>
  Autobuild-Date: Wed May 25 18:11:10 CEST 2011 on sn-devel-104
  (cherry picked from commit b58534f1fca27e3e72f4f4107538ec05734bd42a)
* Fix bug 6966 - "allow trusted domains = no" not respected in winbind.  [Dmitry Butskoy, 2011-04-19, 1 file, -6/+6]
* s3: Fix Coverity ID 1137: CONSTANT_EXPRESSION_RESULT  [Volker Lendecke, 2011-04-04, 1 file, -2/+2]
  Autobuild-User: Volker Lendecke <vlendec@samba.org>
  Autobuild-Date: Fri Apr 1 09:35:19 CEST 2011 on sn-devel-104
  This patch and the last one address bug #8054 - winbindd cache stores/retrieves wrong sizes for 16-bit ints.
* Fix denial of service - memory corruption.  [Jeremy Allison, 2011-02-28, 1 file, -0/+7]
  CVE-2011-0719
  Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
  All current released versions of Samba are vulnerable to a denial of service caused by memory corruption. Range checks on file descriptors being used in the FD_SET macro were not present allowing stack corruption. This can cause the Samba code to crash or to loop attempting to select on a bad file descriptor set.
  A connection to a file share, or a local account is needed to exploit this problem, either authenticated or unauthenticated (guest connection).
  Currently we do not believe this flaw is exploitable beyond a crash or causing the code to loop, but on the advice of our security reviewers we are releasing fixes in case an exploit is discovered at a later date.
  (cherry picked from commit c3ad6eb506623435d3d9ce62d6f34ed1c960d4be)
* s3-winbindd: let winbind try to use samlogon validation level 6. (bug #7945)  [Günther Deschner, 2011-02-09, 3 files, -1/+98]
  The benefit of this is that it makes us more robust to secure channel resets triggered from tools outside the winbind process. Long term we need to have a shared tdb secure channel store though as well.
  Guenther
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  (similar to commit f60398d7b20869d7b09d81854f3727fdcd897430)
  (similar to commit 7add712498fe93603b1bffff2c633e097ce8fbdf)
* s3:winbindd: catch lookup_names/sids schannel errors over ncacn_ip_tcp (bug #7944)  [Stefan Metzmacher, 2011-02-05, 1 file, -0/+24]
  If winbindd connects to a domain controller it doesn't establish the lsa connection over ncacn_ip_tcp directly. This happens only on demand.
  If someone does a 'net rpc testjoin' and then a wbinfo -n DOMAIN\\administrator, we'll get DCERPC faults with ACCESS_DENIED/SEC_PKG_ERROR, because winbindd's in memory copy of the schannel session key is invalidated.
  This problem can also happen on other calls, but the lookup_names/sids calls on the lsa ncacn_ip_tcp connection are the most important ones.
  The long term fix is to store the schannel client state in a tdb, but for now it's enough to catch the error, invalidate all the connections to the dc and reestablish the schannel session key.
  The fix for bug 7568 (commit be396411a4e1f3a174f8a44b6c062d834135e70a) made this worse, as it assumes winbindd's in memory session key is always the current one.
  metze
  (cherry picked from commit 255f2e06991aa543cd2c6f4d0123664b2a76c99d)
  (cherry picked from commit a699ac50f7c9a5eeb57215879e17631c9a1f534f)
* s3:winbind: fix bug #7894 - sporadic winbind panic in rpc query_user_list  [Michael Adam, 2010-12-31, 1 file, -0/+7]
  Correctly evaluate return code of rpccli_samr_QueryDisplayInfo() before accessing results.
* s3: Use smbsock_any_connect in winbind  [Volker Lendecke, 2010-12-26, 1 file, -45/+13]
  The last 7 patches address bug #7881 (winbind flaky against w2k8).
* s3: Fix bug 7843: Expand the local SAMs aliases  [Jeremy Allison, 2010-12-07, 1 file, -2/+2]
* s3: Fix bug 7842: WINBINDD_LOOKUPRIDS does not return the domain name  [Volker Lendecke, 2010-12-07, 2 files, -1/+4]
* s3: Fix bug 7841: WINBINDD_LOOKUPRIDS asks the wrong domain  [Volker Lendecke, 2010-12-07, 1 file, -1/+1]
* Second part of fix for bug #7777 - When requesting lookups for BUILTIN sids, winbindd allocates new uids/gids in error.  [Jeremy Allison, 2010-11-16, 1 file, -6/+25]
  Ensure we return after calling passdb for SID lookups for which we are authoritative.
  Jeremy.
* First part of fix for bug #7777 - When requesting lookups for BUILTIN sids, winbindd allocates new uids/gids in error.  [Jeremy Allison, 2010-11-16, 1 file, -0/+10]
  Ensure idmap_init_passdb_domain() correctly initializes the default domain first.
  Jeremy.
* s3: Fix a getgrent crash with many groups  [Volker Lendecke, 2010-11-11, 1 file, -0/+1]
  Fix bug #7774.
* s3: Fix bug 7730 -- crash in winbindd_dsgetdcname.c  [Volker Lendecke, 2010-11-11, 1 file, -0/+4]
* Final part of fix for bug #7636 - winbind internal error, backtrace.  [Jeremy Allison, 2010-09-06, 1 file, -11/+18]
  Ensure cm_get_schannel_creds() returns NTSTATUS.
  Jeremy.
  (cherry picked from commit 33060f67be100836d381a74bced351c6579cc58d)
* Fix bug #7589 - ntlm_auth fails to use cached credentials.  [Jeremy Allison, 2010-08-23, 1 file, -9/+7]
  In handling the WINBINDD_PAM_AUTH message winbindd canonicalizes a *copy* of the mapped username, but fails to canonicalize the actual username sent to the backend domain process. When "winbind default domain" is set this can lead to credentials being cached with an index of user: user, not DOMAIN\user.
  All other code paths that use canonicalize_username() (WINBINDD_PAM_CHAUTHTOK, WINBINDD_PAM_LOGOFF) correctly canonicalize the data sent to the backend. All calls that can cause credentials to be looked up (PAM_CHAUTHTOK etc.) correctly call canonicalize_username() to create the credential lookup key.
  Jeremy.
* s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel.  [Günther Deschner, 2010-08-11, 1 file, -7/+13]
  This is an important fix as the following could happen and is happening:
  * winbind authenticates a user via schannel secured netlogon samlogonex call, current secure channel cred state is stored in winbind state, winbind successfully decrypts session key from the info3
  * winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the secure channel on the dc)
  * subsequent samlogonex calls use the new secure channel creds on the dc to encrypt info3 session key, while winbind tries to use old schannel creds for decryption
  Guenther
  (cherry picked from commit be396411a4e1f3a174f8a44b6c062d834135e70a)
  (cherry picked from commit afe0e73b7bb640428396c9f40dbbcba5c311fcd9)
* s3: Fix bug 7578  [Jeremy Allison, 2010-07-28, 1 file, -2/+2]
  'net idmap restore' fails to set HWM, causing duplicates
* s3-kerberos: pass down kdc_name to create_local_private_krb5_conf_for_domain().  [Günther Deschner, 2010-05-19, 1 file, -2/+4]
  Guenther
  (cherry picked from commit e3bdff3d67b46277ee59685218bd90f3788b487d)
* s3-winbind: make the getpeername() checks in cm_prepare_connection IPv6 aware.  [Günther Deschner, 2010-05-19, 1 file, -5/+25]
  Note that this failure was hard to track, as winbind did only log a super helpful "cm_prepare_connection: Success" debug message.
  IPv6 gurus, please check
  Successfully tested in two independent IPv6 networks now.
  Guenther
  (cherry picked from commit 14ac2bb36ee22be6133ca1d069dc5de6c1891f47)
* s3: Fix a winbind crash when scanning trusts  [Volker Lendecke, 2010-04-25, 1 file, -0/+6]
  add_trusted_domain() for a new domain always needs to be followed by a setup_domain_child(). This was not always done, in particular not when walking to the forest root for additional trusts.
  This is a minimal patch, we need to fix add_trusted_domain().
  Fix bug #7389 (Fix a winbind crash when scanning trusted domains).
* s3:winbindd: make "smbcontrol winbindd validate-cache" reliable again  [Stefan Metzmacher, 2010-04-13, 1 file, -0/+3]
  commit 73577205cf81644e7fe853eaf3e6459f7f443096 (s3:winbindd: fix problems with SIGCHLD handling (bug #7317)) broke this.
  metze
  (cherry picked from commit eb9b7d0363669574de8ec380089407890f15eac2)
* s3:winbindd: remove unused variables  [Stefan Metzmacher, 2010-04-13, 1 file, -2/+0]
  metze
  (cherry picked from commit e18ddb6036f5e0a2211e89a7c9b5514c30a653cf)
* s3:winbindd: fix problems with SIGCHLD handling (bug #7317)  [Stefan Metzmacher, 2010-04-13, 3 files, -17/+6]
  The main problem is that we call CatchChild() within the parent winbindd, which overwrites the signal handler that was registered by winbindd_setup_sig_chld_handler(). That means winbindd_sig_chld_handler() and winbind_child_died() are never triggered when a winbindd domain child dies. As a result we will get "broken pipe" for all requests to that domain.
  To reduce the risk of similar bugs in future we call CatchChild() in winbindd_reinit_after_fork() now.
  We also use a full winbindd_reinit_after_fork() in the cache validation child now instead of just resetting the SIGCHLD handler by hand. This will also fix possible tdb problems on systems without pread/pwrite and disabled mmap as we now correctly reopen the tdb handle for the child.
  metze
  (cherry picked from commit 73577205cf81644e7fe853eaf3e6459f7f443096)
* s3:winbindd: make sure we don't try rpc requests against inaccessible domains  [Stefan Metzmacher, 2010-04-01, 1 file, -5/+28]
  This makes sure we don't crash while trying to dereference domain->conn.cli->foo while trying to establish a rpc connection to the server.
  This fixes bug #7316.
  metze
  (cherry picked from commit d930904b997d310aeff781bde1e7e3ce47dde8a1)
* s3:winbindd: correctly retry if the netlogon pipe gets disconnected during a logon call  [Stefan Metzmacher, 2010-03-30, 1 file, -2/+2]
  This hopefully fixes the last part of bug #7295.
  metze
  (cherry picked from commit 4c6cde99c0751a073120d8bc36d40922d8027344)
* s3:winbindd_reconnect: don't only reconnect on NT_STATUS_UNSUCCESSFUL  [Stefan Metzmacher, 2010-03-30, 1 file, -14/+59]
  metze
  (cherry picked from commit 6bd5a2a3739938f95fce23ab2da652c9b5a48111)
* s3:winbindd_cm: invalidate connection if cm_connect_netlogon() fails  [Stefan Metzmacher, 2010-03-30, 1 file, -2/+2]
  metze
  (cherry picked from commit 94a4bcd2f0c0464e192556679c6636639cb307ea)
* s3:winbindd: consistently use TALLOC_FREE(conn->foo_pipe) if we create a new connection  [Stefan Metzmacher, 2010-03-30, 1 file, -0/+5]
  metze
  (cherry picked from commit 4f391fedac7111683d13f2d79fee7c0dbc27f86e)
* s3:winbindd_cm: use rpccli_is_connected() helper function  [Stefan Metzmacher, 2010-03-30, 1 file, -4/+4]
  metze
  (cherry picked from commit d980c06a994d032a833adc8d56d2f2c037f8fdaf)
* s3:winbindd_cm: use cli_state_is_connected() helper function  [Stefan Metzmacher, 2010-03-30, 1 file, -14/+4]
  metze
  (cherry picked from commit 408a3eb35a0e61b5d66a3b48ebbd1a6796672d0f)
* s3: Fix bug 7212, "getent group does not return group members"  [Volker Lendecke, 2010-03-29, 1 file, -0/+1]
* s3: Fix a bad memleak in winbind  [Volker Lendecke, 2010-03-23, 1 file, -1/+2]
  (cherry picked from commit 13400a6589a20452097bc338fa742d834bbd6a34)
  Fix bug #7278 (winbind has a bad memleak).
* s3:winbindd: add DEBUG(10,...) for the end of each top level  [Stefan Metzmacher, 2010-03-11, 2 files, -6/+25]
  That will hopefully make debugging a bit easier (at least for me).
  metze
  (cherry picked from commit 31293c64a323eb59fd8e81cd44bb33768a43e0c0)
  Fix bug #7225 (Make winbindd logs more verbose for troubleshooting).
* s3:winbindd: never mark external domains as internal!  [Stefan Metzmacher, 2010-03-02, 1 file, -4/+1]
  This way we can end up with silently using builtin_passdb_methods for an ad domain without an inbound trust.
  This fixes bug #7170.
  metze
  (cherry picked from commit f924b7749280b31ece19885de1c3ad1bd71942ac)
* Fix one of the valgrind warnings from bug #6814 - Fixes for problems reported by valgrind  [Roel van Meer, 2010-03-02, 1 file, -0/+8]
  The timeval passed to event_add_to_select_args() must be initialized as event_add_to_select_args() uses a timeval_min() on this and next_event.
* s3: Fix bug 7145 -- duplicate sam and unix accounts  [Volker Lendecke, 2010-03-01, 2 files, -0/+22]
  For me this survives the TESTS=posix_s3 POSIX_SUBTESTS="RPC-SAMR-LARGE-DC LOCAL-NSS-WRAPPER" make test reproducer.
  Günther, please check!
  Volker
  (cherry picked from commit 0e9882a65e91e4ab55dc103c7f6aec4ccd966db0)
* s3/winbind_ccache: Fix typo in debug message.  [Karolin Seeger, 2010-01-28, 1 file, -1/+1]
  Karolin
  (cherry picked from commit 139634563824a92c98091786e17b82d480df4a8a)
* s3: Add the session key to the ccache_ntlm_auth response  [Volker Lendecke, 2010-01-26, 1 file, -4/+17]
* s3: Add wbinfo --ccache-save  [Volker Lendecke, 2010-01-26, 4 files, -0/+80]
  With this command you can give winbind your password for later use by the automatic ntlm_auth
* s3: Fix a winbind segfault in "trusted_domains"  [Volker Lendecke, 2010-01-14, 1 file, -3/+4]
  We have to initialize domain->backend by calling "get_cache" before doing a query
  Thanks to Christian Ambach for finding this :-)
  (cherry picked from commit 026b23062eeee23dffeb627800b3cb6f55d89ad6)
  Fix bug #7037.
* s3: Fix a segfault in winbindd_dual_ccache_ntlm_auth()  [Volker Lendecke, 2010-01-13, 1 file, -1/+1]
  ntlmssp_update allocates the reply_blob as a child of ntlmssp_state. This means with ntlmssp_end() it will be gone. winbindd_dual_ccache_ntlm_auth used the blob after the ntlmssp_end().
  (cherry picked from commit 43c841b6bd92e987109df81b6b8a2b85f21b0181)
  Addresses bug #7027 (winbindd crash in winbindd_dual_ccache_ntlm_auth due to freed memory reference).
* s3: List trusted domains from wcache when domain is offline.  [Bo Yang, 2010-01-06, 1 file, -24/+139]
  Signed-off-by: Bo Yang <boyang@samba.org>
  (cherry picked from commit d06fb8e02706559e91c6d185427409bb093bb896)