summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_cm.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r5336: BUG 2329: fix to re-enable winbindd to locate DC's when 'disable ↵Gerald Carter1-64/+86
netbios = yes' (This used to be commit 75a223f1188ae0041c9e3c748af107d642f73810)
2007-10-10r4905: patch from abartlet to remove storing the auth-user credentials from ↵Gerald Carter1-4/+0
the cli* in cm_prepare_connection(). using credentials from a domain other thanour primary domain will cause the schannel setup to fail (This used to be commit a13e29b5f2f1e48225b5b5964bc0777948f16622)
2007-10-10r4749: Fix memleakVolker Lendecke1-0/+2
(This used to be commit a8aab6de7516b70cae6c096883874fa152777b13)
2007-10-10r4746: add server support for lsa_enum_acct_rights(); last checkin for the nightGerald Carter1-15/+0
(This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
2007-10-10r4732: Even if we have 'password server' set, we need to look up the native ↵Volker Lendecke1-0/+6
DC name via netbios, as the user might have set an IP address or a fqdn. Volker (This used to be commit 61466f38429ba67ace3e84c870a0f913f64d122c)
2007-10-10r4575: adding extra debug to cm_prepare_connection()Gerald Carter1-0/+3
(This used to be commit 13a2aa50ea203cee9c2323bb0428f8c50a3c0f77)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-4/+4
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3843: If a connection to a DC is requested, open connections ↵Volker Lendecke1-160/+424
simultaeneously to all DCs found. The first one to reply wins. Volker (This used to be commit 84ac54aef2bd56b5c889d3b05b8828aceb8ae00e)
2007-10-10r1532: Remove unused structure elementVolker Lendecke1-1/+0
(This used to be commit 128951cfe43e364970ec5760230a6450f54ae86d)
2007-10-10r991: Allow winbindd to use the domain trust account passwordGerald Carter1-11/+35
for setting up an schannel connection. This solves the problem of a Samba DC running winbind, trusting a native mode AD domain, and needing to enumerate AD users via wbinfo -u. (This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea)
2007-10-10r294: checking in volker's winbindd patches; tested on domain members (Samba ↵Gerald Carter1-9/+71
and AD) as well as on a Samba DC (This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
2007-10-10r153: Fix memleakVolker Lendecke1-0/+1
(This used to be commit fbeff419913b01bf0e814ada6ec55d56fe90f179)
2007-10-10r115: finally checking in tridge's winbindd_schannel patch for connectionsGerald Carter1-0/+34
(This used to be commit 1fae60ab20c5cbe396dc8af1c8c9a98d5683fdf4)
2004-01-15BUG 936: fix bind credentials for schannel binds in smbd (and add a comment ↵Gerald Carter1-3/+3
to winbindd_cm about this (This used to be commit 5134c6bcbc5180431e95a30559c453f3744fd427)
2004-01-08fix a seg fault caused by abartlet's last checkin; there's no way this could ↵Gerald Carter1-1/+1
have been tested against an NT4 DC (This used to be commit 8e8a351cabb502f1a93b219fec064fb4eb094856)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-15/+88
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2004-01-06Ensure that for wbinfo --set-auth-user, we actually use the domain.Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit 93a5d8079a0291be14517e437f8f0c964c21e91d)
2004-01-05Change our Domain controller lookup routines to more carefully seperateAndrew Bartlett1-34/+27
DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
2004-01-05We can't possilby get 'ok' here, as the if statement above just checked for it.Andrew Bartlett1-2/+0
(This used to be commit cf4454969434d3026c57ac11c0528dc4cea9c77a)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-3/+2
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-12a small include file rearrangement that doesn't affect normalAndrew Tridgell1-0/+1
compilation, but that allows Samba3 to take advantage of pre-compiled headers in gcc if available. (This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
2003-09-05fixes for ads domain membership when only the realm is defined inGerald Carter1-0/+12
smb.conf Fixes to ensure we work with disable netbios = yes (This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)
2003-08-20fix small logic error in cm_open_connection() to work with non-krb5 connectionsGerald Carter1-7/+31
(This used to be commit 2d85612752daa26c0773b86bd40eb3430b1cce3b)
2003-08-19 - Make 'net' use a single funciton for setting the 'use machine account' code.Andrew Bartlett1-10/+80
- Make winbindd try to use kerberos for connections to DCs, so that it can access RA=2 servers, particularly for netlogon. - Make rpcclient follow the new flags for the NETLOGON pipe - Make all the code that uses schannel use the centralised functions for doing so. Andrew Bartlett (This used to be commit 96b4187963cedcfe158ff02868929b8cf81c6ebf)
2003-07-31working on transtive trusts issue:Gerald Carter1-6/+23
* use DsEnumerateDomainTrusts() instead of LDAP search. wbinfo -m now lists all trusted downlevel domains and all domains in the forest. Thnigs to do: o Look at Krb5 connection trusted domains o make sure to initial the trusted domain cache as soon as possible (This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
2003-07-30Add a command line option (-S on|off|required) to enable signing on clientJeremy Allison1-1/+2
connections. Overrides smb.conf parameter if set. Jeremy. (This used to be commit 879309671df6b530e0bff69559422a417da4a307)
2003-07-25domain in schannel bind credentials must be the dest domain, not oursGerald Carter1-0/+5
(This used to be commit e12f6a8c13f27c3caea96b467cc4294e20dad341)
2003-07-23convert snprintf() calls using pstrings & fstringsGerald Carter1-2/+2
to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-06-30* cleanup more DC name resolution issues in check_*domain_security()Gerald Carter1-68/+2
* is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
2003-06-29Here's the code to make winbindd work on a Samba DCGerald Carter1-0/+3
to handle domain trusts. Jeremy and I talked about this and it's going in as working code. It keeps winbind clean and solves the trust problem with minimal changes. To summarize, there are 2 basic cases where the deadlock would occur. (1) lookuping up secondary groups for a user, and (2) get[gr|pw]nam() calls that fall through the NSS layer because they don't exist anywhere. o To handle case #1, we bypass winbindd in sys_getgrouplist() unless the username includes the 'winbind separator'. o Case #2 is handled by adding checks in winbindd to return failure if we are a DC and the domain matches our own. This code has been tested using basic share connections, domain logons, and with pam_winbind (both with and without 'winbind use default domain'). The 'trustdomain' auth module should work as well if an admin wants to manually create UNIX users for acounts in the trusted domains. Other misc fixes: * we need to fix check_ntlm_password() to be able to determine if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD, etc...). I worked around my specific situation, but this needs to be fixed. the winbindd auth module was causing delays. * fix named server mutex deadlock between trust domain auth module and winbindd looking up a uid * make sure SAM_ACCOUNT gets stored in the server_info struct for the _net_sam_logon() reply. Configuration details: The recommended method for supporting trusts is to use winbind. The gets us around some of the server mutex issues as well. * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf * create domain trusts like normal * join winbind on the pdc to the Samba domain using 'net rpc join' * add normal parameters to smb.conf for winbind * set 'auth method = guest sam winbind' * start smbd, nmbd, & winbindd Problems that remain: * join a Windows 2k/XP box to a Samba domain. * create a 2-way trust between the Samba domain and an NT domain * logon to the windows client as a user from theh trusted domain * try to browse server in the trusted domain (or other workstations). an NT client seems to work ok, but 2k and XP either prompt for passwords or fail with errors. apparanently this never got tested since no one has ever been able to logon as a trusted user to a Samba domain from a Windows client. (This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)
2003-06-25* fix typos in a few debug statementsGerald Carter1-1/+1
* check negative connection cache before ads_try_connect() in ads_find_dc() (This used to be commit 2a76101a3a31f5fca2f444b25e3f0486f7ef406f)
2003-06-25large change:Gerald Carter1-15/+3
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-23* s/get_dc_name/rpc_dc_name/g (revert a previous change)Gerald Carter1-62/+9
* move back to qsort() for sorting IP address in get_dc_list() * remove dc_name_cache in cm_get_dc_name() since it slowed things down more than it helped. I've made a note of where to add in the negative connection cache in the ads code. Will come back to that. * fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead of MAX_ALLOWED) * only enumerate domain local groups in our domain * simplify ldap search for seqnum in winbindd's rpc backend (This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b)
2003-06-21merge of the netsamlogon caching code from APPLIANCE_HEADGerald Carter1-12/+33
This replaces the universal group caching code (was originally based on that code). Only applies to the the RPC code. One comment: domain local groups don't show up in 'getent group' that's easy to fix. Code has been tested against 2k domain but doesn't change anything with respect to NT4 domains. netsamlogon caching works pretty much like the universal group caching code did but has had much more testing and puts winbind mostly back in sync between branches. (This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
2003-06-13Forward port the app-head changes for dc name cache into 3.0.Jeremy Allison1-6/+1
Jeremy. (This used to be commit 8bcc3116a22ce11b55a35f3363230f54bc5735fc)
2003-06-10Add in rety loop for query_user_list (from APP_HEAD). Deals with a bugJeremy Allison1-0/+31
using MSRPC backend and should be safe with ldap backend. Jeremy. (This used to be commit 67535329a2df8986c2d1d85e25cd5c558ee61405)
2003-06-06compile errorGerald Carter1-1/+1
(This used to be commit 8804b059a4f453b29c8b0da975f5d6d8501f4b11)
2003-06-06merge from APP_HEAD. Push negative connection cacheGerald Carter1-317/+4
into rpc_find_dc(). Should probably be extended some more in 3.0 but this is what we have for the moment. (This used to be commit 0e23abf95cf7ba2d0a314a34bddb4d46de2a3cd1)
2003-05-15Fix for winbindd segfault (finally I think this is the correct one :-)Jeremy Allison1-1/+1
from "Roylance, Stephen D." <SROYLANCE@PARTNERS.ORG>. Jeremy. (This used to be commit 459fb6519bc9bc9bbb151291ff795ecc0c014d63)
2003-05-14Ok, try and fix this correctly... Simplify the nasty loop logic.Jeremy Allison1-7/+7
Jeremy. (This used to be commit c19599a5624ac7ea63b529bf7d36cdcd7c8ef89f)
2003-05-14Fix winbindd coredump. Remember to set a ** pointer to null beforeJeremy Allison1-0/+2
searching and not finding otherwise we return a valid looking pointer that was whatever crap was on the stack. Jeremy. (This used to be commit 5d3ac0e39b2b3c60de7c1fe562e4da1f508a2884)
2003-05-08This puts real netlogon connection caching to winbind. This becomesVolker Lendecke1-52/+72
important once we start doing schannel, as there would be a lot more roundtrips for the second PIPE open and bind. With this patch logging in to a member server is a matter of two (three if you count the ack...) packets between us and the DC. Volker (This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)
2003-04-23Merge HEAD's winbind into 3.0.Andrew Bartlett1-1/+1
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code, the winbind_idmap abstraction (not idmap proper, but the stuff that held up the winbind LDAP backend in HEAD). Andrew Bartlett (This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
2003-04-21Merge from HEAD - save the type of channel used to contact the DC.Andrew Bartlett1-3/+5
This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
2003-04-02Whitespace syncup.Tim Potter1-4/+4
(This used to be commit 2125b0b8ce2bfbb85f325ccbb2a455728ee3f135)
2003-03-17Merge from HEAD - make winbindd locking sane again:Andrew Bartlett1-36/+32
Original message: This patch attemptes to clean up winbindd's mutex locking. The current locking scheme in winbind is a complete mess - indeed, the next step should be to push the locking into cli_full_connection(), but I'll leave it for now. This patch works on the noted behaviour that 2 parts of the connection process need protection - and independent protection. Tim Potter did some work on this a little while back, verifying the second case. The two cases are: - between connect() and first session setup - during the auth2 phase of the netlogon pipe setup. I've removed the counter on the lock, as I fail to see what it gains us. This patch also adds 'anonymous fallback' to our winbindd -> DC connection. If the authenticated connection fails (wbinfo -A specifed) - say that account isn't trusted by a trusted DC - then we try an anonymous. Both tpot and mbp like the patch. Andrew Bartlett (This used to be commit b5283c00a900393b83f0edb2785c5caf402404eb)
2003-01-16Fixed up mutex protection around winbindd logon code. Sync with APP-HEAD.Jeremy Allison1-28/+41
Jeremy. (This used to be commit daf179bcd6297b525bfc644efb154734723f4d58)
2003-01-16Add mutex protection around auth calls.Jeremy Allison1-41/+37
Jeremy. (This used to be commit ea4fe9baadd70e6fc22c5e33de66165895d2e42c)
2002-12-13merge of get_dc_name()-like code from APP_HEAD; better support password ↵Gerald Carter1-49/+1
server = DC1 * (This used to be commit f49de4c5176bf635ac080e082fda412066b466c8)
2002-11-23[merge from APP_HEAD]Gerald Carter1-3/+4
90% fix for CR 1076. The password server parameter will no take things like password server = DC1 * which means to contact DC1 first and the go to auto lookup if it fails. jerry (This used to be commit 016ef8b36b30846311a5321803298f8e28719244)