summaryrefslogtreecommitdiff
path: root/source3/winbindd
AgeCommit message (Collapse)AuthorFilesLines
2012-11-12s3:winbind: BUG 9386: Failover if netlogon pipe is not available.Andreas Schneider1-13/+39
Samba continues to query a broken DC while the DC did not finish to rebuild Sysvol (after a Windows crash, for example). It causes end users to received strange codes while trying to authenticate, even if there is a secondary DC available. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Mon Nov 12 18:57:18 CET 2012 on sn-devel-104
2012-11-09Revert "s3-winbindd: make sure we obey the -n switch also for samlogon cache ↵David Disseldorp4-13/+3
access." This reverts commit ae6a779bf9f816680e724ede37324b7f5355996b. Bug 9125 analysis from Volker: The problem is that there are no network calls possible at all that would do what the samlogon cache does for us. There is just no way to retrieve the group membership in a complex trusted environment. If you have just a single domain with Samba as domain controller it might be possible, but even within a single domain it is not possible to correctly retrieve all group memberships using LDAP calls due to ACLs on directory objects. The call to get that is called NetSamLogon on the NETLOGON pipe. But this call requires user credentials and might trigger updating counts on the server. So to correctly implement wbinfo -r after a user has logged in, you have two alternatives: Save the info3 struct or the PAC in the netsamlogon cache. If you insist on doing network calls, you need to cache the user credentials somewhere to re-do the NetSamLogon call every time the wbinfo -r is requested. Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-01s3:winbindd: use PROTOCOL_LATEST instead of PROTOCOL_SMB2_02 (bug #9175)Stefan Metzmacher1-1/+1
We should use the latest supported dialect. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewd-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Thu Nov 1 18:11:27 CET 2012 on sn-devel-104
2012-11-01s3:winbindd: disconnection after getting NETWORK_SESSION_EXPIRED (bug #9175)Stefan Metzmacher1-0/+11
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-01s3:winbindd:cache: fix offline logons with cached credentials (bug #9321)Michael Adam1-0/+7
The removal of consumption of the time field from the centry as "removal of unused variable" in 21528da9cd12a4f5c3792a482a5d18fe946a6f7a had the side effect of changing the offset for reading the following nt password hash, so the read password hash was wrong. This patch re-installs the consumption of the time, thereby fixing the bug without changing the disk format of the cache. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-10-19s3: Remove a call to procid_self()Volker Lendecke1-1/+1
Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Fri Oct 19 23:15:04 CEST 2012 on sn-devel-104
2012-10-19s3: Add "msg_ctx" param to winbindd_register_handlers()Volker Lendecke1-12/+13
2012-10-19s3: Make winbindd_register_handlers staticVolker Lendecke2-2/+1
2012-09-29s3-winbindd: Adjust error code loop logic in rpc_trusted_domains().Günther Deschner1-1/+1
Guenther Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Sat Sep 29 00:34:04 CEST 2012 on sn-devel-104
2012-09-28s3-winbindd: Allow DNS resolution of trusted domains if DNS name is avaliableSumit Bose3-25/+58
Signed-off-by: Günther Deschner <gd@samba.org>
2012-09-27s3: Fix some blank line endingsVolker Lendecke1-4/+4
Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Thu Sep 27 07:57:03 CEST 2012 on sn-devel-104
2012-09-24s3:winbindd fix a compiler warningChristian Ambach1-1/+1
about type potentially being used uninitialized Autobuild-User(master): Christian Ambach <ambi@samba.org> Autobuild-Date(master): Mon Sep 24 03:49:53 CEST 2012 on sn-devel-104
2012-09-22s3:winbindd fix a compiler warningChristian Ambach1-1/+1
about result being potentially uninitialized
2012-09-22build: Fix enabled handling for HAVE_LDAP, we need to use bld.CONFIG_SETAndrew Bartlett1-6/+6
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Sep 22 09:09:17 CEST 2012 on sn-devel-104
2012-09-20winbind: Extend wbcAuthenticateUserEx to provide PACChristof Schmitt3-6/+153
With this new interface, external applications that have authenticated to an ADS can pass the PAC from the Kerberos ticket to wbcAuthenticateUserEx. winbindd decodes and extracts the info3 information for the external application. If winbindd can verify the PAC signature, the info3 from the PACis also added to the netsamlogon_cache. The info3 data can be used by the external application to get the uid and primary gid. The data in netsamlogon_cache allows to retrieve the complete group list through the NSS function getgrouplist. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-09-20s3:winbind:idmap_tdb_common: improve readability of assignment by adding an "if"Michael Adam1-3/+5
in idmap_tdb_common_sids_to_unixids()
2012-09-20s3:winbind:idmap_tdb_common: improve readability of assignment by adding an "if"Michael Adam1-3/+5
in idmap_tdb_common_unixids_to_sids()
2012-09-20s3: Fix idmap_hashVolker Lendecke1-1/+1
Calling be_init with NULL safely crashes, because we dereference NULL. We don't need to call it here, this is called in all workers anyway. Thanks to Jiri Sasek <jiri.sasek@oracle.com> for finding this. Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Thu Sep 20 05:03:54 CEST 2012 on sn-devel-104
2012-09-14s3: make smbldaphelper subsystem an internal libraryAlexander Bokovoy1-1/+1
Break pdb_ldap -> smbldaphelper -> pdb -> pdb_ldap loop by making smbldaphelp intentionally underlinked internal library. It means that libsmbldaphelp is not usable unless its user is also linked to libpdb (that is the case for both its users, idmap_ldap and pdb_ldap, already) but gives us a break of the circular dependency in case pdb_ldap statically linked into pdb (default). This should solve case when idmap_ldap and pdb_ldap are dynamically loaded modules Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Fri Sep 14 01:02:21 CEST 2012 on sn-devel-104
2012-09-13s3: make ldapsam-related functions a smbldaphelper subsystemAlexander Bokovoy1-1/+1
Since these functions are used in pdb_ldap and idmap_ldap, and pdb_ldap might be statically linked to libpdb (default), it is better to keep them as separate subsystem to avoid polluting libpdb namespace. This is first step in refactoring libpdb. Right now I cannot move these functions into proper libsmbldaphelper as it uses more of libpdb-included functions and linking pdb_ldap against libsmbldaphelper library would have created a loop if pdb_ldap is included into libpdb. Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Thu Sep 13 17:36:07 CEST 2012 on sn-devel-104
2012-09-12Avoid overriding default ccache for ads operations.Simo Sorce1-3/+3
Avoid overriding default ccache for ads operations. Nowadays various samba components may need to use GSSAPI and a default cred cache to perform their tasks. This code was completely overriding the whole process default ccache name, thus altering the current credentials and sometimes hijacking them (or getting preemptively hijaked). By using gss_krb5_import_cred we can instead use a private ccache (necessary sometimes to use a different set of credentials fromt he default cifs/fqdn@realm one, for example when contacting foreign DCs using trust credentials) that does not affect the rest of the process. For the kerberos versions which don't have gss_krb5_import_cred we fallback to temp override of KRB5CCNAME and gss_acquire_cred. Signed-off-by: Alexander Bokovoy <ab@samba.org> Signed-off-by: Günther Deschner <gd@samba.org> Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
2012-09-11docs: Move idmap manpage to there old location.Andreas Schneider8-891/+0
This wasn't planned and slipped trough, sorry. Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Sep 11 14:28:53 CEST 2012 on sn-devel-104
2012-09-07s3-smbldap: use smbldap_ prefixed functionsAlexander Bokovoy1-1/+1
2012-09-07wafsamba: Add support for manpages in SAMBA_MODULE.Andreas Schneider8-0/+891
2012-09-04s3-winbind: DON'T PANIC if we couldn't find the domain.Andreas Schneider1-1/+9
If we don't have a connection to a trusted domain but still try to do a lookup we shouldn't segfault. Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Sep 4 18:16:06 CEST 2012 on sn-devel-104
2012-08-23param: Add startup checks for valid server role/binary combinationsAndrew Bartlett1-0/+6
This should eliminate confusion from our users about what they can expect to successfully run. Andrew Bartlett
2012-08-21Fix bug #9098 - winbind does not refresh kerberos tickets.Jeremy Allison3-0/+39
Based on work from Ian Gordon <ian.gordon@strath.ac.uk>. Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Aug 21 22:01:15 CEST 2012 on sn-devel-104
2012-08-21Fix bug #9104 - winbindd can mis-identify idle clients - can cause crashes ↵Herb Lewis1-1/+2
and NDR parsing errors. A connection is idle when both struct winbindd_cli_state->request AND struct winbindd_cli_state->response are NULL. Otherwise we can flag as idle a connection in the state of having sent the request to the winbindd child (request != NULL) but not yet received a reply (response == NULL). Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Aug 21 01:31:46 CEST 2012 on sn-devel-104
2012-08-15s3-winbind: Return the DC name from DC_PINGChristof Schmitt2-1/+13
The DC that was attempted to ping is useful for troubleshooting. Return the DC name in the response to the wbclient. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-15s3-winbind: Pass ping-dc result to clientChristof Schmitt1-1/+9
The client checks for an error code in response.data.auth.nt_status, make sure the result is stored there. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-13Ensure we update last_access on the winbindd child struct on each request.Jeremy Allison1-0/+1
2012-08-09Correctly check for errors in strlower_m() returns.Jeremy Allison4-5/+13
2012-08-09Check error returns from strupper_m() (in all reasonable places).Jeremy Allison6-15/+39
2012-07-24lib/param: Move all enum declarations to lib/paramAndrew Bartlett2-0/+2
This is in preperation for the parameter table being made common. Andrew Bartlett Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2012-07-23s3-winbind: Fix bug #9052 resolving our own "Domain Local" groups.Andreas Schneider2-4/+10
We don't resolve our own "Domain Local" groups since bug #7843 has been fixed. So we need to add the add resource groups to the sid list too. Before bug #7843 the "Domain Local" groups were added with a lookupuseraliases call, but this isn't done anymore for our domain so we need to resolve resource groups here. When to use Resource Groups: http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx Signed-off-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Mon Jul 23 22:12:30 CEST 2012 on sn-devel-104
2012-07-23s3-winbind: Fix idmap initialization debug message.Guenther Deschner2-2/+2
Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Jul 23 18:19:00 CEST 2012 on sn-devel-104
2012-07-19Move everything to use the common pidfile functions.Jeremy Allison1-2/+3
The extra code in source3/lib/pidfile.c is no longer needed.
2012-07-19Make the s3 pidfile use the common code inside lib/util/pidfile.cJeremy Allison1-1/+1
2012-07-19Move source4/smbd/pidfile into lib/util in preparation for making it in common.Jeremy Allison1-2/+2
2012-07-18loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *.Rusty Russell3-7/+7
They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18source3/winbindd/winbindd_pam.c: fix stackframe leakRusty Russell1-0/+1
check_info3_in_group() doesn't always free its stackframe. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18source3/winbindd/idmap_tdb_common.c: fix stackframe leakRusty Russell1-0/+1
idmap_tdb_common_sid_to_unixid() doesn't always free its stackframe. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-18source3/winbindd/winbindd_util.c: fix stackframe leakRusty Russell1-2/+4
winbindd_can_contact_domain() doesn't always free its stackframe. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-17Enable AES in winbind.Andreas Schneider1-1/+1
Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-14Fix bug #9016 - Connection to outbound trusted domain goes offline.Jeremy Allison1-6/+0
By the time we've gotten to init_dc_connection_network() we shouldn't be second guessing the caller by calling winbindd_can_contact_domain(). If for some reason we do need to restrict the contact list here we can add a condition to only contact the primary domain or domains listed in the tdc cache, but I don't think that's neccessary. Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Jul 14 03:17:57 CEST 2012 on sn-devel-104
2012-07-12s3: rename sid_check_is_in_our_domain() to sid_check_is_in_our_sam()Michael Adam4-5/+5
This does not check whether the given sid is in our domain, but but whether it belongs to the local sam, which is a different thing on a domain member server. Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104
2012-07-12s3: rename sid_check_is_domain() to sid_check_is_our_sam()Michael Adam7-10/+10
This does not check whether the given sid is the domain sid, but whether it is the sid of the local sam, which is different for a domain member server.
2012-07-03s3-winbind: Remove obsolte idmap_adex.Andreas Schneider8-3781/+0
2012-06-22dbwrap: remove get_flags().Rusty Russell1-17/+2
The flags returned were TDB-specific: this was only used for detecting the endianness of obsolete databases (the conversion code was put in in 2003, with reference to Samba 2.3). It's easier to remove it than to translate the NTDB flags to TDB flags, and it's a really weird thing to ask for anyway. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-06-21s3:winbindd: do not expose negative cache idmap entries as valid mappings ↵Stefan Metzmacher1-6/+19
(bug #9002) metze