summaryrefslogtreecommitdiff
path: root/source3/winbindd/winbindd_cm.c
AgeCommit message (Collapse)AuthorFilesLines
2010-08-09s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the ↵Günther Deschner1-7/+13
secure channel. This is an important fix as the following could and is happening: * winbind authenticates a user via schannel secured netlogon samlogonex call, current secure channel cred state is stored in winbind state, winbind sucessfully decrypts session key from the info3 * winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the secure channel on the dc) * subsequent samlogonex calls use the new secure channel creds on the dc to encrypt info3 session key, while winbind tries to use old schannel creds for decryption Guenther
2010-08-05s3-secrets: only include secrets.h when needed.Günther Deschner1-0/+1
Guenther
2010-08-05s3: avoid global include of ads.h.Günther Deschner1-0/+1
Guenther
2010-07-07s3-winbindd: route samr chgpwd ops for own domain over internal samr pipe as ↵Günther Deschner1-0/+8
well. Guenther
2010-07-06s3-winbind: Make sure that the policy handles are closed.Andreas Schneider1-0/+12
2010-05-31s3: only use netlogon/nbt header when needed.Günther Deschner1-0/+1
Guenther
2010-05-18s3-rpc_client: move protos to cli_lsarpc.hGünther Deschner1-0/+1
Guenther
2010-05-18s3-rpc_client: move protos to cli_netlogon.hGünther Deschner1-0/+1
Guenther
2010-05-17s3-kerberos: pass down kdc_name to create_local_private_krb5_conf_for_domain().Günther Deschner1-2/+4
Guenther
2010-05-17s3-winbind: make the getpeername() checks in cm_prepare_connection IPv6 aware.Günther Deschner1-5/+25
Note that this failure was hard to track, as winbind did only log a super helpful "cm_prepare_connection: Success" debug message. IPv6 gurus, please check Successfully tested in two independent IPv6 networks now. Guenther
2010-05-06s3: only include gen_ndr headers where needed.Günther Deschner1-0/+1
This shrinks include/includes.h.gch by the size of 7 MB and reduces build time as follows: ccache build w/o patch real 4m21.529s ccache build with patch real 3m6.402s pch build w/o patch real 4m26.318s pch build with patch real 3m6.932s Guenther
2010-04-23s3: init_dc_connection() can't init for internal domainsVolker Lendecke1-0/+4
This fixes a crash in winbindd_dual_pam_chng_pswd_auth_crap when given global_sam_name() in the domain field
2010-04-01s3:winbindd: fix problems with SIGCHLD handling (bug #7317)Stefan Metzmacher1-3/+0
The main problem is that we call CatchChild() within the parent winbindd, which overwrites the signal handler that was registered by winbindd_setup_sig_chld_handler(). That means winbindd_sig_chld_handler() and winbind_child_died() are never triggered when a winbindd domain child dies. As a result will get "broken pipe" for all requests to that domain. To reduce the risk of similar bugs in future we call CatchChild() in winbindd_reinit_after_fork() now. We also use a full winbindd_reinit_after_fork() in the cache validation child now instead instead of just resetting the SIGCHLD handler by hand. This will also fix possible tdb problems on systems without pread/pwrite and disabled mmap as we now correctly reopen the tdb handle for the child. metze
2010-04-01s3:winbindd: correctly invalidate the cached connectionStefan Metzmacher1-6/+11
There're maybe additional TCP connection for ncacn_ip_tcp. metze
2010-04-01s3:winbindd: make sure we don't try rpc requests against unaccessable domainsStefan Metzmacher1-5/+28
This makes sure we don't crash while trying to dereference domain->conn.cli->foo while trying to establish a rpc connection to the server. metze
2010-03-29s3:winbindd_cm: invalidate connection if cm_connect_netlogon() failsStefan Metzmacher1-2/+2
metze
2010-03-29s3:winbindd: consistently use TALLOC_FREE(conn->foo_pipe) is we create a new ↵Stefan Metzmacher1-0/+5
connection metze
2010-03-29s3:winbindd_cm: use rpccli_is_connected() helper functionStefan Metzmacher1-4/+4
metze
2010-03-29s3:winbindd_cm: use cli_state_is_connected() helper functionStefan Metzmacher1-14/+4
metze
2010-02-23s3 move the sitename cache in its own fileSimo Sorce1-0/+1
2010-02-23s3:winbindd: never mark external domains as internal!Stefan Metzmacher1-4/+1
This way we can endup with silently using builtin_passdb_methods for an ad domain without an inbound trust. This fixes bug #7170. metze
2010-01-06s3: Fix infinite loop in NCACN_IP_TCP asa there is no timeout. Assume ↵Bo Yang1-1/+2
lsa_pipe_tcp is ok but network is down, then send request is ok, but select() on writeable fds loops forever since there is no response. Signed-off-by: Bo Yang <boyang@samba.org>
2009-11-26s3-rpc: Avoid including every pipe's client and server stubs everywhere in ↵Günther Deschner1-0/+4
samba. Guenther
2009-11-24s3: Always try SamLogonExVolker Lendecke1-2/+6
Required for cluster systems working in a Samba domain. With NT4 this won't work, but real NT4 DCs should not be around in environments that pay big bucks for a cluster... And if they are, they can always install a Samba DC trusting that NT4 domain.
2009-10-13s3: use enum netr_SchannelType all over the place.Günther Deschner1-1/+1
Guenther
2009-10-05Revert "s3: Attempt to fix machine password change"Volker Lendecke1-2/+0
This reverts commit 20a8ea91e10af167067cc794a251265aaf489e75. Ooops, this should not have been committed.
2009-10-05s3: Attempt to fix machine password changeVolker Lendecke1-0/+2
2009-09-25s3:winbindd_cm: don't invalidate the whole connection when just samr gave ↵Stefan Metzmacher1-1/+12
ACCCESS_DENIED metze
2009-09-24Revert "s3:winbindd: use a tcp connection for lsa in case ↵Stefan Metzmacher1-9/+0
lookup_names/lookup_sids doesn't work over ncacn_np" This reverts commit f23691cffd39e5df81b7b075e61ed1def6cce9f6. This should not have been commited... metze
2009-09-24s3:winbindd: use a tcp connection for lsa in case lookup_names/lookup_sids ↵Günther Deschner1-0/+9
doesn't work over ncacn_np metze
2009-09-23s3:winbind: Fix an uninitialized variableVolker Lendecke1-1/+1
2009-09-22s3-winbindd: Fix Bug #6711: trusts to windows 2008 (2008 r2) not working.Günther Deschner1-0/+2
Winbindd should always try to use LSA via an schannel authenticated ncacn_ip_tcp connection when talking to AD for LSA lookup calls. In Samba <-> W2k8 interdomain trust scenarios, LookupSids3 and LookupNames4 via an schannel ncacn_ip_tcp LSA connection are the *only* options to successfully resolve sids and names. Guenther
2009-09-22s3-winbindd: add cm_connect_lsa_tcp().Günther Deschner1-0/+59
Guenther
2009-09-15s3-dcerpc: use dcerpc_AuthLevel and remove duplicate set of flags.Günther Deschner1-5/+5
Guenther
2009-09-11s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_schannel().Günther Deschner1-3/+4
Guenther
2009-09-11s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_spnego_ntlmssp ↵Günther Deschner1-1/+2
and cli_rpc_pipe_open_ntlmssp. Guenther
2009-09-09s3-winbindd: Fix Bug #6700: Use dns domain name when needing to guess server ↵Günther Deschner1-1/+1
principal. Patch from Robert LeBlanc <robert@leblancnet.us>. Thanks! Guenther
2009-08-23s3:winbind: For internal domains it is pointless to connect to a DCVolker Lendecke1-0/+6
2009-07-28Added prefer_ipv4 bool parameter to resolve_name().Jeremy Allison1-2/+2
W2K3 DC's can have IPv6 addresses but won't serve krb5/ldap or cldap on those addresses. Make sure when we're asking for DC's we prefer IPv4. If you have an IPv6-only network this prioritizing code will be a no-op. And if you have a mixed network then you need to prioritize IPv4 due to W2K3 DC's. Jeremy.
2009-07-27Fix a typoVolker Lendecke1-1/+1
2009-05-07Fix some type-punned warningsVolker Lendecke1-2/+5
2009-04-21s3-secdesc: use SEC_FLAG_MAXIMUM_ALLOWED instead of SEC_RIGHTS_MAXIMUM_ALLOWED.Günther Deschner1-9/+9
Guenther
2009-04-20Fix to use modified cli_rpc_pipe_open_schannel_with_key APIAndrew Bartlett1-2/+2
2009-04-20Remove use of talloc_reference in cli_rpc_pipe_open_schannel_with_key()Andrew Bartlett1-1/+1
2009-04-14s3: Fix ntlm_auth and winbindd to use new common libcli/auth APIsAndrew Bartlett1-9/+9
2009-04-14Rework Samba3 to use new libcli/auth code (partial)Andrew Bartlett1-0/+1
This commit is mostly to cope with the removal of SamOemHash (replaced by arcfour_crypt()) and other collisions (such as changed function arguments compared to Samba3). We still provide creds_hash3 until Samba3 uses the credentials code in netlogon server Andrew Bartlett
2009-03-18s3: remove POLICY_HND.Günther Deschner1-3/+3
Guenther
2009-03-17Fix a valgrind errorVolker Lendecke1-1/+1
Found in "make test" -- if we can't connect at all, "cli" is uninitialized
2009-03-13Remove pwd_cache.c, it was doing nothing. Make user_name, domain, andJeremy Allison1-14/+25
password talloc'ed strings within the cli_struct. Jeremy.
2009-03-06s3:winbindd_cm: remove useless cli_setup_signing_state(*cli, Undefined) callStefan Metzmacher1-2/+0
cli_setup_signing_state() with Undefined is a noop. metze