Diffstat (limited to 'source4/winbind')
-rw-r--r--source4/winbind/idmap.c7
-rw-r--r--source4/winbind/idmap.h2
-rw-r--r--source4/winbind/wb_async_helpers.c67
-rw-r--r--source4/winbind/wb_cmd_getpwnam.c3
-rw-r--r--source4/winbind/wb_cmd_getpwuid.c9
-rw-r--r--source4/winbind/wb_cmd_list_trustdom.c3
-rw-r--r--source4/winbind/wb_connect_lsa.c11
-rw-r--r--source4/winbind/wb_init_domain.c3
-rw-r--r--source4/winbind/wb_pam_auth.c19
-rw-r--r--source4/winbind/wb_samba3_cmd.c90
-rw-r--r--source4/winbind/wb_samba3_protocol.c3
-rw-r--r--source4/winbind/wb_server.c2
-rw-r--r--source4/winbind/wb_sids2xids.c10
-rw-r--r--source4/winbind/wb_xids2sids.c10
14 files changed, 100 insertions, 139 deletions
diff --git a/source4/winbind/idmap.c b/source4/winbind/idmap.c
index 92ac41f1d2..333a86445a 100644
--- a/source4/winbind/idmap.c
+++ b/source4/winbind/idmap.c
@@ -158,6 +158,7 @@ static struct dom_sid *idmap_msg_get_dom_sid(TALLOC_CTX *mem_ctx,
* \return allocated idmap_context on success, NULL on error
*/
struct idmap_context *idmap_init(TALLOC_CTX *mem_ctx,
+ struct event_context *ev_ctx,
struct loadparm_context *lp_ctx)
{
struct idmap_context *idmap_ctx;
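Review bot: The doxygen block above idmap_init gets no `\param ev_ctx` entry to match the parameter added at L31; only the `\return` line is inside the hunk, so the earlier `\param` lines are not visible, but one such as `* \param ev_ctx event context handed to ldb_wrap_connect` should be added next to them. The body of idmap_init continues past this hunk.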
@@ -169,7 +170,7 @@ struct idmap_context *idmap_init(TALLOC_CTX *mem_ctx,
idmap_ctx->lp_ctx = lp_ctx;
- idmap_ctx->ldb_ctx = ldb_wrap_connect(mem_ctx, lp_ctx,
+ idmap_ctx->ldb_ctx = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx,
lp_idmap_url(lp_ctx),
system_session(mem_ctx, lp_ctx),
NULL, 0, NULL);
@@ -654,7 +655,7 @@ NTSTATUS idmap_xids_to_sids(struct idmap_context *idmap_ctx,
&id[i].sid);
}
if (!NT_STATUS_IS_OK(id[i].status)) {
- DEBUG(1, ("idmapping failed for id[%d]\n", i));
+ DEBUG(1, ("idmapping xid_to_sid failed for id[%d]\n", i));
error_count++;
}
}
@@ -699,7 +700,7 @@ NTSTATUS idmap_sids_to_xids(struct idmap_context *idmap_ctx,
&id[i].unixid);
}
if (!NT_STATUS_IS_OK(id[i].status)) {
- DEBUG(1, ("idmapping failed for id[%d]\n", i));
+ DEBUG(1, ("idmapping sid_to_xid failed for id[%d]\n", i));
error_count++;
}
}
diff --git a/source4/winbind/idmap.h b/source4/winbind/idmap.h
index 6eae92cc68..13dbe0b921 100644
--- a/source4/winbind/idmap.h
+++ b/source4/winbind/idmap.h
@@ -31,6 +31,8 @@ struct idmap_context {
struct dom_sid *unix_users_sid;
};
+struct event_context;
+
#include "winbind/idmap_proto.h"
#endif
diff --git a/source4/winbind/wb_async_helpers.c b/source4/winbind/wb_async_helpers.c
index 662dd111dd..25d52a16b5 100644
--- a/source4/winbind/wb_async_helpers.c
+++ b/source4/winbind/wb_async_helpers.c
@@ -305,73 +305,6 @@ NTSTATUS wb_lsa_lookupnames_recv(struct composite_context *c,
talloc_free(c);
return status;
}
-
-
-#if 0
-
-struct cmd_checkmachacc_state {
- struct composite_context *ctx;
- struct wbsrv_call *call;
- struct wbsrv_domain *domain;
-};
-
-static void cmd_checkmachacc_recv_init(struct composite_context *ctx);
-
- struct composite_context *wb_cmd_checkmachacc_send(struct wbsrv_call *call)
-{
- struct composite_context *result, *ctx;
- struct cmd_checkmachacc_state *state;
- struct wbsrv_service *service = call->wbconn->listen_socket->service;
-
- result = composite_create(mem_ctx, call->event_ctx;
- if (result == NULL) goto failed;
-
- state = talloc(result, struct cmd_checkmachacc_state);
- if (state == NULL) goto failed;
- state->ctx = result;
- result->private_data = state;
- state->call = call;
-
- state->domain = service->domains;
-
- ctx = wb_init_domain_send(service, state->domain);
- if (ctx == NULL) goto failed;
- ctx->async.fn = cmd_checkmachacc_recv_init;
- ctx->async.private_data = state;
-
- return result;
-
- failed:
- talloc_free(result);
- return NULL;
-}
-
-static void cmd_checkmachacc_recv_init(struct composite_context *ctx)
-{
- struct cmd_checkmachacc_state *state =
- talloc_get_type(ctx->async.private_data,
- struct cmd_checkmachacc_state);
-
- state->ctx->status = wb_init_domain_recv(ctx);
- if (!composite_is_ok(state->ctx)) return;
-
- composite_done(state->ctx);
-}
-
- NTSTATUS wb_cmd_checkmachacc_recv(struct composite_context *c)
-{
- NTSTATUS status = composite_wait(c);
- talloc_free(c);
- return status;
-}
-
- NTSTATUS wb_cmd_checkmachacc(struct wbsrv_call *call)
-{
- struct composite_context *c = wb_cmd_checkmachacc_send(call);
- return wb_cmd_checkmachacc_recv(c);
-}
-#endif
-
struct samr_getuserdomgroups_state {
struct composite_context *ctx;
struct dcerpc_pipe *samr_pipe;
diff --git a/source4/winbind/wb_cmd_getpwnam.c b/source4/winbind/wb_cmd_getpwnam.c
index fb2dc197c9..7d821537f0 100644
--- a/source4/winbind/wb_cmd_getpwnam.c
+++ b/source4/winbind/wb_cmd_getpwnam.c
@@ -92,7 +92,8 @@ static void cmd_getpwnam_recv_domain(struct composite_context *ctx)
return;
}
- user_info->in.user_name = user_name;
+ user_info->in.level = USER_INFO_BY_NAME;
+ user_info->in.data.user_name = user_name;
user_info->in.domain_name = domain->libnet_ctx->samr.name;
state->workgroup_name = talloc_strdup(state,
domain->libnet_ctx->samr.name);
diff --git a/source4/winbind/wb_cmd_getpwuid.c b/source4/winbind/wb_cmd_getpwuid.c
index c250af1b56..15cc592cf6 100644
--- a/source4/winbind/wb_cmd_getpwuid.c
+++ b/source4/winbind/wb_cmd_getpwuid.c
@@ -34,6 +34,7 @@ struct cmd_getpwuid_state {
struct composite_context *ctx;
struct wbsrv_service *service;
uid_t uid;
+ struct dom_sid *sid;
char *workgroup;
struct wbsrv_domain *domain;
@@ -81,14 +82,13 @@ static void cmd_getpwuid_recv_sid(struct composite_context *ctx)
struct cmd_getpwuid_state *state =
talloc_get_type(ctx->async.private_data,
struct cmd_getpwuid_state);
- struct dom_sid *sid;
DEBUG(5, ("cmd_getpwuid_recv_sid called %p\n", ctx->private_data));
- state->ctx->status = wb_uid2sid_recv(ctx, state, &sid);
+ state->ctx->status = wb_uid2sid_recv(ctx, state, &state->sid);
if (!composite_is_ok(state->ctx)) return;
- ctx = wb_sid2domain_send(state, state->service, sid);
+ ctx = wb_sid2domain_send(state, state->service, state->sid);
composite_continue(state->ctx, ctx, cmd_getpwuid_recv_domain, state);
}
@@ -110,7 +110,8 @@ static void cmd_getpwuid_recv_domain(struct composite_context *ctx)
user_info = talloc(state, struct libnet_UserInfo);
if (composite_nomem(user_info, state->ctx)) return;
- user_info->in.user_name = state->domain->libnet_ctx->cred->username;
+ user_info->in.level = USER_INFO_BY_SID;
+ user_info->in.data.user_sid = state->sid;
user_info->in.domain_name = state->domain->libnet_ctx->samr.name;
/* We need the workgroup later, so copy it */
diff --git a/source4/winbind/wb_cmd_list_trustdom.c b/source4/winbind/wb_cmd_list_trustdom.c
index 83bd517a02..8d0c1bd947 100644
--- a/source4/winbind/wb_cmd_list_trustdom.c
+++ b/source4/winbind/wb_cmd_list_trustdom.c
@@ -143,7 +143,8 @@ static void cmd_list_trustdoms_recv_doms(struct rpc_request *req)
state->domains = talloc_realloc(state, state->domains,
struct wb_dom_info *,
state->num_domains);
- if (composite_nomem(state->domains, state->ctx)) return;
+ if (state->num_domains &&
+ composite_nomem(state->domains, state->ctx)) return;
for (i=0; i<state->r.out.domains->count; i++) {
int j = i+old_num_domains;
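Review bot: The new `state->num_domains &&` guard at L203-L204 encodes a non-obvious rule without saying why: presumably talloc_realloc to zero elements legitimately returns NULL (freeing the old array), which must not be treated as out-of-memory. Add a comment above it, e.g. `/* talloc_realloc(..., 0) returns NULL without being an allocation failure */`, so the guard is not "simplified" away later. cmd_list_trustdoms_recv_doms starts and ends outside this hunk.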
diff --git a/source4/winbind/wb_connect_lsa.c b/source4/winbind/wb_connect_lsa.c
index 61b123a502..a728f8abe4 100644
--- a/source4/winbind/wb_connect_lsa.c
+++ b/source4/winbind/wb_connect_lsa.c
@@ -62,8 +62,11 @@ struct composite_context *wb_init_lsa_send(TALLOC_CTX *mem_ctx,
/* this will make the secondary connection on the same IPC$ share,
secured with SPNEGO or NTLMSSP */
- ctx = dcerpc_secondary_connection_send(domain->netlogon_pipe,
- domain->lsa_binding);
+ ctx = dcerpc_secondary_auth_connection_send(domain->netlogon_pipe,
+ domain->lsa_binding,
+ &ndr_table_lsarpc,
+ domain->libnet_ctx->cred,
+ domain->libnet_ctx->lp_ctx);
composite_continue(state->ctx, ctx, init_lsa_recv_pipe, state);
return result;
@@ -79,8 +82,8 @@ static void init_lsa_recv_pipe(struct composite_context *ctx)
talloc_get_type(ctx->async.private_data,
struct init_lsa_state);
- state->ctx->status = dcerpc_secondary_connection_recv(ctx,
- &state->lsa_pipe);
+ state->ctx->status = dcerpc_secondary_auth_connection_recv(ctx, state,
+ &state->lsa_pipe);
if (!composite_is_ok(state->ctx)) return;
state->handle = talloc(state, struct policy_handle);
diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c
index fc35f11db6..8b82ab711e 100644
--- a/source4/winbind/wb_init_domain.c
+++ b/source4/winbind/wb_init_domain.c
@@ -151,8 +151,6 @@ struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx,
state->domain->libnet_ctx->cred = cli_credentials_init(state->domain);
if (state->domain->libnet_ctx->cred == NULL) goto failed;
- cli_credentials_set_event_context(state->domain->libnet_ctx->cred, service->task->event_ctx);
-
cli_credentials_set_conf(state->domain->libnet_ctx->cred, service->task->lp_ctx);
/* Connect the machine account to the credentials */
@@ -211,7 +209,6 @@ static void init_domain_recv_netlogonpipe(struct composite_context *ctx)
&state->domain->netlogon_pipe);
if (!composite_is_ok(state->ctx)) {
- talloc_free(state->domain->netlogon_binding);
return;
}
talloc_steal(state->domain->netlogon_pipe, state->domain->netlogon_binding);
diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c
index 62744297c6..ee54bcd58f 100644
--- a/source4/winbind/wb_pam_auth.c
+++ b/source4/winbind/wb_pam_auth.c
@@ -214,14 +214,11 @@ NTSTATUS wb_cmd_pam_auth_crap_recv(struct composite_context *c,
struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx,
struct wbsrv_service *service,
- const char *domain,
- const char *user,
- const char *password)
+ struct cli_credentials *credentials)
{
- struct cli_credentials *credentials;
const char *workstation;
NTSTATUS status;
-
+ const char *user, *domain;
DATA_BLOB chal, nt_resp, lm_resp, names_blob;
int flags = CLI_CRED_NTLM_AUTH;
if (lp_client_lanman_auth(service->task->lp_ctx)) {
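Review bot: The new `credentials` parameter at L260 has no stated contract: nothing says whether wb_cmd_pam_auth_send takes ownership of it or whether the caller must keep it alive until the composite completes, and the caller in wbsrv_samba3_check_machacc frees it itself on the NULL return path. Add a header comment such as `/* credentials: caller retains ownership; must stay valid until the returned composite completes */` with whichever rule actually holds. `user` and `domain` at L266 are now plain uninitialised locals and the lines that derive them from `credentials` are outside this hunk, so confirm both are assigned before the call at L291.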
@@ -234,16 +231,6 @@ struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx,
DEBUG(5, ("wbsrv_samba3_pam_auth called\n"));
- credentials = cli_credentials_init(mem_ctx);
- if (!credentials) {
- return NULL;
- }
- cli_credentials_set_conf(credentials, service->task->lp_ctx);
- cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
- cli_credentials_set_username(credentials, user, CRED_SPECIFIED);
-
- cli_credentials_set_password(credentials, password, CRED_SPECIFIED);
-
chal = data_blob_talloc(mem_ctx, NULL, 8);
if (!chal.data) {
return NULL;
@@ -269,7 +256,7 @@ struct composite_context *wb_cmd_pam_auth_send(TALLOC_CTX *mem_ctx,
return NULL;
}
return wb_cmd_pam_auth_crap_send(mem_ctx, service,
- 0 /* logon parameters */,
+ MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT|MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT /* logon parameters */,
domain, user, workstation,
chal, nt_resp, lm_resp);
}
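Review bot: The logon parameters at L290 now allow workstation and server trust-account logons for every caller of wb_cmd_pam_auth_send, including the plaintext user path in wbsrv_samba3_pam_auth, not only the machine-account check that appears to motivate them. If that broadening is intended it should be stated in a comment; otherwise derive the flags from the supplied credentials, e.g. `uint32_t logon_parameters = cli_credentials_is_machine_account(credentials) ? (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT|MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT) : 0;` (if such a predicate exists), so ordinary user authentication keeps the previous 0. The earlier part of wb_cmd_pam_auth_send lies outside this hunk.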
diff --git a/source4/winbind/wb_samba3_cmd.c b/source4/winbind/wb_samba3_cmd.c
index 24074700fc..f0aaaa7778 100644
--- a/source4/winbind/wb_samba3_cmd.c
+++ b/source4/winbind/wb_samba3_cmd.c
@@ -30,6 +30,8 @@
#include "librpc/gen_ndr/netlogon.h"
#include "libcli/security/security.h"
#include "auth/pam_errors.h"
+#include "auth/credentials/credentials.h"
+#include "smbd/service_task.h"
/*
Send off the reply to an async Samba3 query, handling filling in the PAM, NTSTATUS and string errors.
@@ -41,13 +43,14 @@ static void wbsrv_samba3_async_auth_epilogue(NTSTATUS status,
struct winbindd_response *resp = &s3call->response;
if (!NT_STATUS_IS_OK(status)) {
resp->result = WINBINDD_ERROR;
- WBSRV_SAMBA3_SET_STRING(resp->data.auth.nt_status_string,
- nt_errstr(status));
- WBSRV_SAMBA3_SET_STRING(resp->data.auth.error_string,
- get_friendly_nt_error_msg(status));
} else {
resp->result = WINBINDD_OK;
}
+
+ WBSRV_SAMBA3_SET_STRING(resp->data.auth.nt_status_string,
+ nt_errstr(status));
+ WBSRV_SAMBA3_SET_STRING(resp->data.auth.error_string,
+ get_friendly_nt_error_msg(status));
resp->data.auth.pam_error = nt_status_to_pam(status);
resp->data.auth.nt_status = NT_STATUS_V(status);
@@ -110,10 +113,12 @@ NTSTATUS wbsrv_samba3_netbios_name(struct wbsrv_samba3_call *s3call)
NTSTATUS wbsrv_samba3_priv_pipe_dir(struct wbsrv_samba3_call *s3call)
{
- s3call->response.result = WINBINDD_OK;
- s3call->response.extra_data.data =
- smbd_tmp_path(s3call, s3call->wbconn->lp_ctx, WINBINDD_SAMBA3_PRIVILEGED_SOCKET);
- NT_STATUS_HAVE_NO_MEMORY(s3call->response.extra_data.data);
+ char *path = smbd_tmp_path(s3call, s3call->wbconn->lp_ctx, WINBINDD_SAMBA3_PRIVILEGED_SOCKET);
+ NT_STATUS_HAVE_NO_MEMORY(path);
+ s3call->response.result = WINBINDD_OK;
+ s3call->response.extra_data.data = path;
+
+ s3call->response.length += strlen(path) + 1;
return NT_STATUS_OK;
}
@@ -123,41 +128,65 @@ NTSTATUS wbsrv_samba3_ping(struct wbsrv_samba3_call *s3call)
return NT_STATUS_OK;
}
-#if 0
-/*
- Validate that we have a working pipe to the domain controller.
- Return any NT error found in the process
+/* Plaintext authentication
+
+ This interface is used by ntlm_auth in it's 'basic' authentication
+ mode, as well as by pam_winbind to authenticate users where we are
+ given a plaintext password.
*/
-static void checkmachacc_recv_creds(struct composite_context *ctx);
+static void check_machacc_recv(struct composite_context *ctx);
NTSTATUS wbsrv_samba3_check_machacc(struct wbsrv_samba3_call *s3call)
{
+ NTSTATUS status;
+ struct cli_credentials *creds;
struct composite_context *ctx;
+ struct wbsrv_service *service =
+ s3call->wbconn->listen_socket->service;
+
+ /* Create a credentials structure */
+ creds = cli_credentials_init(s3call);
+ if (creds == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
- DEBUG(5, ("wbsrv_samba3_check_machacc called\n"));
+ cli_credentials_set_conf(creds, service->task->lp_ctx);
- ctx = wb_cmd_checkmachacc_send(s3call->call);
- NT_STATUS_HAVE_NO_MEMORY(ctx);
+ /* Connect the machine account to the credentials */
+ status = cli_credentials_set_machine_account(creds, service->task->lp_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(creds);
+ return status;
+ }
- ctx->async.fn = checkmachacc_recv_creds;
+ ctx = wb_cmd_pam_auth_send(s3call, service, creds);
+
+ if (!ctx) {
+ talloc_free(creds);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ctx->async.fn = check_machacc_recv;
ctx->async.private_data = s3call;
- s3call->call->flags |= WBSRV_CALL_FLAGS_REPLY_ASYNC;
+ s3call->flags |= WBSRV_CALL_FLAGS_REPLY_ASYNC;
return NT_STATUS_OK;
}
-
-static void checkmachacc_recv_creds(struct composite_context *ctx)
+
+static void check_machacc_recv(struct composite_context *ctx)
{
struct wbsrv_samba3_call *s3call =
talloc_get_type(ctx->async.private_data,
struct wbsrv_samba3_call);
NTSTATUS status;
- status = wb_cmd_checkmachacc_recv(ctx);
+ status = wb_cmd_pam_auth_recv(ctx);
+
+ if (!NT_STATUS_IS_OK(status)) goto done;
+ done:
wbsrv_samba3_async_auth_epilogue(status, s3call);
}
-#endif
/*
Find the name of a suitable domain controller, by query on the
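Review bot: The comment block at L346-L351 ("Plaintext authentication ... used by ntlm_auth in it's 'basic' authentication mode") sits directly above check_machacc_recv and wbsrv_samba3_check_machacc, which authenticate the machine account rather than a plaintext user password, so it documents the wrong function; replace it with something like `/* Verify that the machine account credentials can authenticate against the DC */` (and if the text is reused for the pam_auth path, "it's" should be "its"). The `if (!NT_STATUS_IS_OK(status)) goto done;` at L403 jumps to the label on the very next line and can simply be deleted. On the success path at L389 `creds`, which now holds the machine account secret, stays allocated under s3call; if wb_cmd_pam_auth_send does not steal it, consider `talloc_steal(ctx, creds)` so it is released with the composite rather than with the whole call.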
@@ -543,6 +572,7 @@ NTSTATUS wbsrv_samba3_pam_auth(struct wbsrv_samba3_call *s3call)
struct composite_context *ctx;
struct wbsrv_service *service =
s3call->wbconn->listen_socket->service;
+ struct cli_credentials *credentials;
char *user, *domain;
if (!wb_samba3_split_username(s3call, s3call->wbconn->lp_ctx,
@@ -551,8 +581,17 @@ NTSTATUS wbsrv_samba3_pam_auth(struct wbsrv_samba3_call *s3call)
return NT_STATUS_NO_SUCH_USER;
}
- ctx = wb_cmd_pam_auth_send(s3call, service, domain, user,
- s3call->request.data.auth.pass);
+ credentials = cli_credentials_init(s3call);
+ if (!credentials) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ cli_credentials_set_conf(credentials, service->task->lp_ctx);
+ cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
+ cli_credentials_set_username(credentials, user, CRED_SPECIFIED);
+
+ cli_credentials_set_password(credentials, s3call->request.data.auth.pass, CRED_SPECIFIED);
+
+ ctx = wb_cmd_pam_auth_send(s3call, service, credentials);
NT_STATUS_HAVE_NO_MEMORY(ctx);
ctx->async.fn = pam_auth_recv;
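Review bot: The failure path at L433 returns through NT_STATUS_HAVE_NO_MEMORY without freeing `credentials`, unlike wbsrv_samba3_check_machacc which calls talloc_free(creds) on the same NULL return; since this object holds the plaintext password copied from the request at L430, it should be released explicitly rather than lingering until s3call is freed. Replace L433 with `if (ctx == NULL) { talloc_free(credentials); return NT_STATUS_NO_MEMORY; }`. wbsrv_samba3_pam_auth continues past this hunk.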
@@ -681,6 +720,9 @@ static void list_users_recv(struct composite_context *ctx)
if (NT_STATUS_IS_OK(status)) {
s3call->response.extra_data.data = extra_data;
s3call->response.length += extra_data_len;
+ if (extra_data) {
+ s3call->response.length += 1;
+ }
}
wbsrv_samba3_async_epilogue(status, s3call);
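Review bot: The `+= 1` at L440 carries no explanation; presumably it accounts for the terminating NUL of extra_data that extra_data_len at L438 does not include, mirroring the `strlen(path) + 1` added in wbsrv_samba3_priv_pipe_dir, but that is inferred rather than visible here. Add `/* extra_data_len excludes the terminating NUL; the client expects it */` once confirmed. list_users_recv starts outside this hunk.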
diff --git a/source4/winbind/wb_samba3_protocol.c b/source4/winbind/wb_samba3_protocol.c
index b252273cb6..3b97dff276 100644
--- a/source4/winbind/wb_samba3_protocol.c
+++ b/source4/winbind/wb_samba3_protocol.c
@@ -78,10 +78,8 @@ NTSTATUS wbsrv_samba3_handle_call(struct wbsrv_samba3_call *s3call)
case WINBINDD_INTERFACE_VERSION:
return wbsrv_samba3_interface_version(s3call);
-#if 0
case WINBINDD_CHECK_MACHACC:
return wbsrv_samba3_check_machacc(s3call);
-#endif
case WINBINDD_PING:
return wbsrv_samba3_ping(s3call);
@@ -187,7 +185,6 @@ NTSTATUS wbsrv_samba3_handle_call(struct wbsrv_samba3_call *s3call)
case WINBINDD_SET_MAPPING:
case WINBINDD_SET_HWM:
case WINBINDD_DUMP_MAPS:
- case WINBINDD_CHECK_MACHACC:
case WINBINDD_DOMAIN_INFO:
case WINBINDD_SHOW_SEQUENCE:
case WINBINDD_WINS_BYIP:
diff --git a/source4/winbind/wb_server.c b/source4/winbind/wb_server.c
index 99191f3c6c..f84dece11c 100644
--- a/source4/winbind/wb_server.c
+++ b/source4/winbind/wb_server.c
@@ -149,7 +149,7 @@ static void winbind_task_init(struct task_server *task)
return;
}
- service->idmap_ctx = idmap_init(service, task->lp_ctx);
+ service->idmap_ctx = idmap_init(service, task->event_ctx, task->lp_ctx);
if (service->idmap_ctx == NULL) {
task_server_terminate(task, "Failed to load idmap database");
return;
diff --git a/source4/winbind/wb_sids2xids.c b/source4/winbind/wb_sids2xids.c
index 302b915ff5..6b89caf465 100644
--- a/source4/winbind/wb_sids2xids.c
+++ b/source4/winbind/wb_sids2xids.c
@@ -67,15 +67,13 @@ NTSTATUS wb_sids2xids_recv(struct composite_context *ctx,
struct id_mapping **ids)
{
NTSTATUS status = composite_wait(ctx);
+ struct sids2xids_state *state = talloc_get_type(ctx->private_data,
+ struct sids2xids_state);
DEBUG(5, ("wb_sids2xids_recv called\n"));
- if (NT_STATUS_IS_OK(status)) {
- struct sids2xids_state *state =
- talloc_get_type(ctx->private_data,
- struct sids2xids_state);
- *ids = state->ids;
- }
+ *ids = state->ids;
+
talloc_free(ctx);
return status;
}
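Review bot: `*ids` at L494 is now written even when composite_wait at L484 reports failure, whereas previously the caller's pointer was left untouched on error; callers that only inspect `*ids` after a status check now receive state->ids, which may hold entries whose own status is a failure. That appears to be the intent (so per-entry status can be examined), so the function should say so: `/* *ids is returned even on failure so the caller can inspect each entry's status */` above L494. The identical change in wb_xids2sids_recv (the wb_xids2sids.c hunk) needs the same comment.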
diff --git a/source4/winbind/wb_xids2sids.c b/source4/winbind/wb_xids2sids.c
index 1be394d276..a1cf2667ff 100644
--- a/source4/winbind/wb_xids2sids.c
+++ b/source4/winbind/wb_xids2sids.c
@@ -67,15 +67,13 @@ NTSTATUS wb_xids2sids_recv(struct composite_context *ctx,
struct id_mapping **ids)
{
NTSTATUS status = composite_wait(ctx);
+ struct xids2sids_state *state = talloc_get_type(ctx->private_data,
+ struct xids2sids_state);
DEBUG(5, ("wb_xids2sids_recv called.\n"));
- if (NT_STATUS_IS_OK(status)) {
- struct xids2sids_state *state =
- talloc_get_type(ctx->private_data,
- struct xids2sids_state);
- *ids = state->ids;
- }
+ *ids = state->ids;
+
talloc_free(ctx);
return status;
}