samba.git
7 years ago winbind: Restructure wb_getpwsid
Volker Lendecke [Thu, 29 Dec 2016 10:05:28 +0000 (10:05 +0000)]
winbind: Restructure wb_getpwsid

This patch moves the responsibility to create a winbind user from the
winbind backends into wb_queryuser.c. The name comes from lsa_lookupsids,
the uid from idmap. If we have a netsamlogon_cache, we get the primary
group sid from there. Without netsamlogon_cache, we default to -513, as
we do right now as default for non-reachable ADS domains anyway. Shell
and homedir default to template. This can all be done in the parent
without contacting any LDAP-related calls and is correct once we have
a netsamlogon_cache.

Once the parent has filled in the userinfo, the idmap child is queried
with the GetNssInfo call, taking the userinfo [in,out]. The child is
free to override the whole thing, something the AD backend will do in
the next patch.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago winbind: Adapt cache to extended wbint_userinfo
Volker Lendecke [Fri, 30 Dec 2016 10:57:50 +0000 (10:57 +0000)]
winbind: Adapt cache to extended wbint_userinfo

Separate commit, UL/ was missing some fields already

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago winbind: Add a GetNssInfo parent/child call
Volker Lendecke [Thu, 29 Dec 2016 09:56:29 +0000 (09:56 +0000)]
winbind: Add a GetNssInfo parent/child call

This call will be done in the idmap child. It is not 100% the right place,
but there is no better one available to me. It will become a replacement
for the "winbind nss info" parameter: This global parameter is good
for just one domain. It might be possible to have idmap backend AD for
different domains, and the NSS info like primary gid, homedir and shell
might be done with different policies per domain. As we already have a
domain-specific idmap configuration, doing the NSS info configuration
there also is the closest way to do it.

The alternative, if we did not want to put this call into the idmap child,
would be to establish an equivalent engine like the whole "idmap config
*" just for the nss info. But as I believe this is closely related,
I'll just keep it in the idmap child.

This also extends the wbint_userinfo structure with pretty much all user
related fields. The idea is that the GetNssInfo call can do whatever it
wants with it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago winbind: Make "idmap_find_domain" public
Volker Lendecke [Thu, 29 Dec 2016 09:54:56 +0000 (09:54 +0000)]
winbind: Make "idmap_find_domain" public

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago winbind: It's legitimate to have 0 groups in info3
Volker Lendecke [Sun, 25 Dec 2016 10:12:59 +0000 (10:12 +0000)]
winbind: It's legitimate to have 0 groups in info3

At least a Samba DC can send an info3 struct with base.groups.count==0. We
should not fail with that and just return 0 groups.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago idmap: Simplify idmap_ad_nss_init()
Volker Lendecke [Sat, 17 Dec 2016 14:03:59 +0000 (15:03 +0100)]
idmap: Simplify idmap_ad_nss_init()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago winbind: Fix wb_lookupsids for AD DCs
Volker Lendecke [Sun, 25 Dec 2016 11:33:53 +0000 (11:33 +0000)]
winbind: Fix wb_lookupsids for AD DCs

Not yet a fix, but the IS_DC macro also contains the
ROLE_ACTIVE_DIRECTORY_DC, and once we start to fully do this we'll
need it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago winbind4: Remove unused code
Volker Lendecke [Tue, 27 Dec 2016 14:01:13 +0000 (14:01 +0000)]
winbind4: Remove unused code

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago winbind: Initialize user list info to 0
Volker Lendecke [Fri, 30 Dec 2016 11:08:22 +0000 (11:08 +0000)]
winbind: Initialize user list info to 0

Further down wbint_userinfo will be extended. Make sure we don't
have uninitialized memory hanging around

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:librpc/gse: make use of gss_krb5_import_cred() instead of gss_acquire_cred()
Stefan Metzmacher [Thu, 22 Dec 2016 07:49:38 +0000 (08:49 +0100)]
s3:librpc/gse: make use of gss_krb5_import_cred() instead of gss_acquire_cred()

This avoids the usage of the ccselect_realm logic in MIT krb5,
which leads to unpredictable results.

The problem is the usage of gss_acquire_cred(), that just creates
a credential handle without ccache.

As a result gss_init_sec_context() will trigger a code path
where it uses "ccselect" plugins. And the ccselect_realm
module just chooses a random ccache from a global list
where the realm of the provided target principal matches
the realm of the ccache user principal.

In the winbindd case we're using MEMORY:cliconnect to setup
the smb connection to the DC. For ldap connections we use
MEMORY:winbind_ccache.

The typical case is that we do the smb connection first.
If we try to create a new ldap connection, while the
credentials in MEMORY:cliconnect are expired,
we'll do the required kinit into MEMORY:winbind_ccache,
but the ccselect_realm module will select MEMORY:cliconnect
and try to get a service ticket for the ldap server
using the already expired TGT from MEMORY:cliconnect.

The solution will be to use gss_krb5_import_cred() and explicitly
pass the desired ccache, which avoids the ccselect logic.

We could also use gss_acquire_cred_from(), but that's only available
in modern MIT krb5 versions, while gss_krb5_import_cred() is available
in heimdal and all supported MIT versions (>=1.9).
As far as I can see both call the same internal function in MIT
(at least for the ccache case).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:librpc/gse: remove unused #ifdef HAVE_GSS_KRB5_IMPORT_CRED
Stefan Metzmacher [Thu, 22 Dec 2016 07:47:32 +0000 (08:47 +0100)]
s3:librpc/gse: remove unused #ifdef HAVE_GSS_KRB5_IMPORT_CRED

We always have gss_krb5_import_cred(), it is available in heimdal
and also the oldest version (1.9) of MIT krb5 that we support.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:librpc/gse: include ccache_name in DEBUG message if krb5_cc_resolve() fails
Stefan Metzmacher [Thu, 22 Dec 2016 07:46:21 +0000 (08:46 +0100)]
s3:librpc/gse: include ccache_name in DEBUG message if krb5_cc_resolve() fails

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s4:librpc/rpc: make sure we handle DCERPC_PACKET before DCERPC_CONNECT
Stefan Metzmacher [Thu, 29 Dec 2016 10:13:55 +0000 (11:13 +0100)]
s4:librpc/rpc: make sure we handle DCERPC_PACKET before DCERPC_CONNECT

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s4:librpc/rpc: don't do an anonymous bind over ncacn_np:server[packet]
Stefan Metzmacher [Thu, 29 Dec 2016 10:11:50 +0000 (11:11 +0100)]
s4:librpc/rpc: don't do an anonymous bind over ncacn_np:server[packet]

DCERPC_AUTH_LEVEL_PACKET is basically the same as
DCERPC_AUTH_LEVEL_INTEGRITY.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago WAF: Fix detection of IPv6
Lukas Slebodnik [Tue, 6 Dec 2016 17:07:50 +0000 (18:07 +0100)]
WAF: Fix detection of IPv6

Detection of IPv6 failed with strict CFLAGS due to missing
header file.

  Checking for HAVE_IPV6       : not found

../test.c: In function ‘main’:
../test.c:226:34: error: implicit declaration of function
    ‘if_nametoindex’ [-Werror=implicit-function-declaration]
                        int idx = if_nametoindex("iface1");
                                  ^~~~~~~~~~~~~~

Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jan  2 18:03:20 CET 2017 on sn-devel-144

7 years ago WAF: Fix detection os sysname ...
Lukas Slebodnik [Tue, 6 Dec 2016 17:07:43 +0000 (18:07 +0100)]
WAF: Fix detection os sysname ...

Detection of sysname failed with stricter CFLAGS
"-Werror=implicit-function-declaration -Werror=implicit-int"

  Checking uname sysname type              : not found
  Checking uname machine type              : not found
  Checking uname release type              : not found
  Checking uname version type              : not found

../test.c: In function ‘main’:
../test.c:8:32: error: implicit declaration of function ‘printf’
    [-Werror=implicit-function-declaration]
                                printf("%s", n.sysname);
                                ^~~~~~
../test.c:8:32: warning: incompatible implicit declaration
    of built-in function ‘printf’
../test.c:8:32: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’

Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
7 years ago WAF: Fix detection of linker features
Lukas Slebodnik [Tue, 6 Dec 2016 17:07:36 +0000 (18:07 +0100)]
WAF: Fix detection of linker features

The following check of linker features failed with strict CFLAGS
"-Werror=implicit-function-declaration -Werror=implicit-int"

  Checking for rpath library support       : not found
  Checking for -Wl,--version-script support  : not found

../main.c: In function ‘main’:
../main.c:1:26: error: implicit declaration of function ‘lib_func’
    [-Werror=implicit-function-declaration]
 int main(void) {return !(lib_func() == 42);}
                          ^~~~~~~~

Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
7 years ago lib replace: Fix detection of features
Lukas Slebodnik [Tue, 6 Dec 2016 17:07:18 +0000 (18:07 +0100)]
lib replace: Fix detection of features

If the configure script is executed with stricter cflags
"-Werror=implicit-function-declaration -Werror=implicit-int"
then detection of a few features will fail.

 Checking for C99 vsnprintf : not found
 Checking for HAVE_SHARED_MMAP : not found
 Checking for HAVE_MREMAP : not found

lib/replace/test/shared_mmap.c:18:1:
    error: return type defaults to ‘int’ [-Werror=implicit-int]
 main()
 ^~~~
lib/replace/test/shared_mmap.c: In function ‘main’:
lib/replace/test/shared_mmap.c:25:16:
    error: implicit declaration of function ‘exit’
    [-Werror=implicit-function-declaration]
  if (fd == -1) exit(1);
                ^~~~
lib/replace/test/shared_mmap.c:25:16:
    warning: incompatible implicit declaration of built-in function ‘exit’
lib/replace/test/shared_mmap.c:25:16:
    note: include ‘<stdlib.h>’ or provide a declaration of ‘exit’

Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
7 years ago Happy New Year 2017!
Stefan Metzmacher [Sun, 1 Jan 2017 09:03:49 +0000 (10:03 +0100)]
Happy New Year 2017!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jan  1 13:47:26 CET 2017 on sn-devel-144

7 years ago idmap4: Use sid_check_is_in_unix_groups()
Volker Lendecke [Tue, 27 Dec 2016 13:08:58 +0000 (13:08 +0000)]
idmap4: Use sid_check_is_in_unix_groups()

This avoids the need for the special unix groups sid

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Thu Dec 29 00:05:25 CET 2016 on sn-devel-144

7 years ago idmap4: Use sid_check_is_in_unix_users()
Volker Lendecke [Tue, 27 Dec 2016 13:08:58 +0000 (13:08 +0000)]
idmap4: Use sid_check_is_in_unix_users()

This avoids the need for the special unix users sid

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago lib: Avoid an includes.h
Volker Lendecke [Tue, 27 Dec 2016 13:05:49 +0000 (13:05 +0000)]
lib: Avoid an includes.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago lib: Add required prerequisites for librpc/gen_ndr/security.h
Volker Lendecke [Tue, 27 Dec 2016 13:04:57 +0000 (13:04 +0000)]
lib: Add required prerequisites for librpc/gen_ndr/security.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago passdb: Move lookup_unix_[user|group]_name to lookup_sid.c
Volker Lendecke [Tue, 27 Dec 2016 12:57:23 +0000 (12:57 +0000)]
passdb: Move lookup_unix_[user|group]_name to lookup_sid.c

This is the only user and reduces the dependencies of util_unixsids.c

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago lib: Add lib/util_unixsids.h
Volker Lendecke [Tue, 27 Dec 2016 12:52:00 +0000 (12:52 +0000)]
lib: Add lib/util_unixsids.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago idmap4: Slightly simplify idmap_xid_to_sid
Volker Lendecke [Tue, 27 Dec 2016 12:32:13 +0000 (12:32 +0000)]
idmap4: Slightly simplify idmap_xid_to_sid

No need to parse "S-1-22-1", we have global_sid_Unix_Users

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago idmap4: Fix error path memleaks in idmap_init
Volker Lendecke [Tue, 27 Dec 2016 12:21:09 +0000 (12:21 +0000)]
idmap4: Fix error path memleaks in idmap_init

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago idmap4: Fix idmap_ctx talloc hierarchy
Volker Lendecke [Tue, 27 Dec 2016 12:19:54 +0000 (12:19 +0000)]
idmap4: Fix idmap_ctx talloc hierarchy

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago ctdb-takeover: Clean up when exiting on error
Martin Schwenke [Tue, 27 Dec 2016 19:18:26 +0000 (06:18 +1100)]
ctdb-takeover: Clean up when exiting on error

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Dec 28 05:18:08 CET 2016 on sn-devel-144

7 years ago ctdb-takeover: Fix CID 1398169 Unchecked return value
Martin Schwenke [Tue, 27 Dec 2016 19:14:56 +0000 (06:14 +1100)]
ctdb-takeover: Fix CID 1398169 Unchecked return value

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
7 years ago ctdbd_conn: remove unused fde from struct ctdbd_connection
Ralph Boehme [Tue, 27 Dec 2016 14:41:51 +0000 (15:41 +0100)]
ctdbd_conn: remove unused fde from struct ctdbd_connection

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12485

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
7 years ago ctdbd_conn: fix a resource leak
Ralph Boehme [Tue, 27 Dec 2016 08:19:16 +0000 (09:19 +0100)]
ctdbd_conn: fix a resource leak

When reinitializing the ctdb messaging subsystem we must free the ctdb
connection fde.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12485

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
7 years ago winbindd: Use idmap cache in xids2sids
Volker Lendecke [Tue, 27 Dec 2016 10:19:17 +0000 (10:19 +0000)]
winbindd: Use idmap cache in xids2sids

Typically smbd should have looked into the idmap cache itself before
contacting winbind. But winbind has internal users of this API (getpwuid
and getgrgid for example), and those need to use the cache too.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12484

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Wed Dec 28 00:06:41 CET 2016 on sn-devel-144

7 years ago idmap: Prime gencache after xids2sids calls
Volker Lendecke [Tue, 20 Dec 2016 15:22:48 +0000 (16:22 +0100)]
idmap: Prime gencache after xids2sids calls

This fixes a performance regression for "hide unreadable". With an empty
gencache, we only do xid2sid calls when reading a large number of acls. We
lost caching the xid2sid calls while implementing the multiple-id calls,
probably because at that time the bug with ID_TYPE_BOTH backends was still
pending. This patch restores the xid2sid caching hopefully correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12484

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago idmap: Pass up the xid2sids unix-ids from the idmap child
Volker Lendecke [Wed, 21 Dec 2016 10:29:08 +0000 (11:29 +0100)]
idmap: Pass up the xid2sids unix-ids from the idmap child

When asking for gid2sid with an idmap backend that does ID_TYPE_BOTH
and the sid in question is actually a user, the parent winbind needs
to know about it. The next commit will prime the gencache also after
xid2sid calls, and if we filled it with an ID_TYPE_GID entry, a later
sid2uid call would fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12484

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago idmap_rid: Add the error string in a debug
Volker Lendecke [Sun, 11 Dec 2016 18:57:20 +0000 (19:57 +0100)]
idmap_rid: Add the error string in a debug

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Dec 27 18:05:13 CET 2016 on sn-devel-144

7 years ago idmap_autorid: Add the error string in a debug
Volker Lendecke [Sun, 11 Dec 2016 18:57:12 +0000 (19:57 +0100)]
idmap_autorid: Add the error string in a debug

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
7 years ago ctdb: Fix CID 1398175 Dereference after null check
Volker Lendecke [Tue, 27 Dec 2016 10:50:29 +0000 (10:50 +0000)]
ctdb: Fix CID 1398175 Dereference after null check

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
7 years ago ctdb: Fix CID 1398178 Argument cannot be negative
Volker Lendecke [Tue, 27 Dec 2016 10:48:21 +0000 (10:48 +0000)]
ctdb: Fix CID 1398178 Argument cannot be negative

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
7 years ago ctdb: Fix CID 1398179 Argument cannot be negative
Volker Lendecke [Tue, 27 Dec 2016 10:47:10 +0000 (10:47 +0000)]
ctdb: Fix CID 1398179 Argument cannot be negative

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
7 years ago lib: Fix a comment in idmap_cache.c
Volker Lendecke [Wed, 21 Dec 2016 09:48:15 +0000 (09:48 +0000)]
lib: Fix a comment in idmap_cache.c

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
7 years ago lib: Fix whitespace in lmhosts.c
Volker Lendecke [Mon, 19 Dec 2016 18:32:46 +0000 (19:32 +0100)]
lib: Fix whitespace in lmhosts.c

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
7 years ago idl: Fix a comment typo
Volker Lendecke [Tue, 6 Dec 2016 12:23:33 +0000 (12:23 +0000)]
idl: Fix a comment typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
7 years ago krb5_wrap: fix smb_krb5_cc_copy_creds() for MIT krb5
Stefan Metzmacher [Fri, 23 Dec 2016 06:22:27 +0000 (07:22 +0100)]
krb5_wrap: fix smb_krb5_cc_copy_creds() for MIT krb5

krb5_cc_copy_creds() expects an already initialized output cache.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Dec 24 21:04:23 CET 2016 on sn-devel-144

7 years ago auth/credentials: Add missing error code check for MIT Kerberos
Andreas Schneider [Thu, 22 Dec 2016 16:01:35 +0000 (17:01 +0100)]
auth/credentials: Add missing error code check for MIT Kerberos

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago auth/gensec: Fix typo in log message
Andreas Schneider [Tue, 13 Dec 2016 10:33:06 +0000 (11:33 +0100)]
auth/gensec: Fix typo in log message

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago auth/gensec: Remove unneeded cli_credentials_set_conf() call
David Mulder [Wed, 21 Dec 2016 20:49:36 +0000 (21:49 +0100)]
auth/gensec: Remove unneeded cli_credentials_set_conf() call

The cli_credentials_set_client_gss_creds() will set the correct realm
from the gss creds.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: David Mulder <dmulder@suse.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
7 years ago WHATSNEW: Add text for AD DC changes
Andrew Bartlett [Fri, 23 Dec 2016 00:55:30 +0000 (13:55 +1300)]
WHATSNEW: Add text for AD DC changes

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago ldb_tdb: avoid erroneous error messages
Garming Sam [Thu, 22 Dec 2016 02:10:24 +0000 (15:10 +1300)]
ldb_tdb: avoid erroneous error messages

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Fri Dec 23 02:28:54 CET 2016 on sn-devel-144

7 years ago dsdb: Parse linked attributes using their DN+Binary or DN+String syntax, if needed
Andrew Bartlett [Wed, 20 May 2015 09:06:22 +0000 (11:06 +0200)]
dsdb: Parse linked attributes using their DN+Binary or DN+String syntax, if needed

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
7 years ago ldbdump: Parse the -i option
Garming Sam [Thu, 22 Dec 2016 21:27:30 +0000 (10:27 +1300)]
ldbdump: Parse the -i option

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
7 years ago s3:libsmb: Always use GENSEC_OID_SPNEGO in cli_smb1_setup_encryption_send()
Stefan Metzmacher [Thu, 8 Dec 2016 11:25:22 +0000 (12:25 +0100)]
s3:libsmb: Always use GENSEC_OID_SPNEGO in cli_smb1_setup_encryption_send()

Also old servers should be able to handle NTLMSSP via SPNEGO.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Dec 21 22:21:08 CET 2016 on sn-devel-144

7 years ago s3:libsmb: pass cli_credentials to cli_check_msdfs_proxy()
Stefan Metzmacher [Fri, 4 Nov 2016 11:25:34 +0000 (12:25 +0100)]
s3:libsmb: pass cli_credentials to cli_check_msdfs_proxy()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:client: use cli_cm_force_encryption_creds in smbspool.c (in a #if 0 section)
Stefan Metzmacher [Fri, 4 Nov 2016 11:37:08 +0000 (12:37 +0100)]
s3:client: use cli_cm_force_encryption_creds in smbspool.c (in a #if 0 section)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:libsmb: make use of cli_cm_force_encryption_creds() where we already have creds
Stefan Metzmacher [Thu, 3 Nov 2016 16:27:49 +0000 (17:27 +0100)]
s3:libsmb: make use of cli_cm_force_encryption_creds() where we already have creds

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:libsmb: split out cli_cm_force_encryption_creds()
Stefan Metzmacher [Thu, 3 Nov 2016 16:26:41 +0000 (17:26 +0100)]
s3:libsmb: split out cli_cm_force_encryption_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:libsmb: make use of cli_tree_connect_creds() in SMBC_server_internal()
Stefan Metzmacher [Mon, 12 Dec 2016 05:00:32 +0000 (06:00 +0100)]
s3:libsmb: make use of cli_tree_connect_creds() in SMBC_server_internal()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:libsmb: make use of cli_tree_connect_creds() in clidfs.c:do_connect()
Stefan Metzmacher [Fri, 9 Dec 2016 08:06:38 +0000 (09:06 +0100)]
s3:libsmb: make use of cli_tree_connect_creds() in clidfs.c:do_connect()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:libsmb: remove now unused cli_session_setup()
Stefan Metzmacher [Sun, 30 Oct 2016 15:46:54 +0000 (16:46 +0100)]
s3:libsmb: remove now unused cli_session_setup()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:libsmb: avoid using cli_session_setup() in SMBC_server_internal()
Stefan Metzmacher [Sun, 30 Oct 2016 15:42:45 +0000 (16:42 +0100)]
s3:libsmb: avoid using cli_session_setup() in SMBC_server_internal()

Using cli_session_creds_init() will allow it to be passed to other sub functions
later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:libsmb: make use of get_cmdline_auth_info_creds() in clidfs.c:do_connect()
Stefan Metzmacher [Sun, 30 Oct 2016 15:45:39 +0000 (16:45 +0100)]
s3:libsmb: make use of get_cmdline_auth_info_creds() in clidfs.c:do_connect()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:libsmb: remove unused cli_*_encryption* functions
Stefan Metzmacher [Thu, 3 Nov 2016 13:50:28 +0000 (14:50 +0100)]
s3:libsmb: remove unused cli_*_encryption* functions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:libsmb: make use of cli_smb1_setup_encryption() in cli_cm_force_encryption()
Stefan Metzmacher [Thu, 3 Nov 2016 13:50:28 +0000 (14:50 +0100)]
s3:libsmb: make use of cli_smb1_setup_encryption() in cli_cm_force_encryption()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:client: make use of cli_smb1_setup_encryption() in cmd_posix_encrypt()
Stefan Metzmacher [Thu, 3 Nov 2016 13:50:28 +0000 (14:50 +0100)]
s3:client: make use of cli_smb1_setup_encryption() in cmd_posix_encrypt()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:torture: make use of cli_smb1_setup_encryption() in force_cli_encryption()
Stefan Metzmacher [Thu, 3 Nov 2016 13:50:28 +0000 (14:50 +0100)]
s3:torture: make use of cli_smb1_setup_encryption() in force_cli_encryption()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:libsmb: add cli_smb1_setup_encryption*() functions
Stefan Metzmacher [Mon, 31 Oct 2016 22:02:27 +0000 (23:02 +0100)]
s3:libsmb: add cli_smb1_setup_encryption*() functions

This will allow us to setup SMB1 encryption by just passing
cli_credentials.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago s3:printing: remove double PRINT_SPOOL_PREFIX define
Stefan Metzmacher [Mon, 19 Dec 2016 22:04:17 +0000 (23:04 +0100)]
s3:printing: remove double PRINT_SPOOL_PREFIX define

We already have this in source3/include/printing.h
which is also included in source3/printing/printspoolss.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago testprogs: Use better KRB5CCNAME in test_password_settings.sh
Andreas Schneider [Tue, 20 Sep 2016 07:46:34 +0000 (09:46 +0200)]
testprogs: Use better KRB5CCNAME in test_password_settings.sh

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago docs-xml: Remove duplicate listing of configfile option in man pages
Anoop C S [Thu, 15 Dec 2016 10:36:35 +0000 (16:06 +0530)]
docs-xml: Remove duplicate listing of configfile option in man pages

stdarg.configfile option is hierarchically included within
common.samba.client entity. So explicit inclusion of this
term will generate man pages with configfile option listed
twice.

Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Dec 21 13:13:16 CET 2016 on sn-devel-144

7 years ago WHATSNEW: CTDB updates
Martin Schwenke [Tue, 20 Dec 2016 11:40:36 +0000 (22:40 +1100)]
WHATSNEW: CTDB updates

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Wed Dec 21 08:36:32 CET 2016 on sn-devel-144

7 years ago getncchanges: use the uptodateness_vector to filter links to replicate
Garming Sam [Wed, 14 Dec 2016 03:05:05 +0000 (16:05 +1300)]
getncchanges: use the uptodateness_vector to filter links to replicate

This is to mirror the check in get_nc_changes_build_object.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Dec 21 04:37:54 CET 2016 on sn-devel-144

7 years ago torture/drs: test link replication with hwm and utdv
Bob Campbell [Sun, 18 Dec 2016 23:27:31 +0000 (12:27 +1300)]
torture/drs: test link replication with hwm and utdv

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago torture/drs: move ExopBaseTest into DrsBaseTest and extend
Bob Campbell [Thu, 15 Dec 2016 01:23:58 +0000 (14:23 +1300)]
torture/drs: move ExopBaseTest into DrsBaseTest and extend

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago s3-rpc_client: Pass NULL as no password
Andreas Schneider [Mon, 19 Sep 2016 12:40:42 +0000 (14:40 +0200)]
s3-rpc_client: Pass NULL as no password

GENSEC expects NULL as no password.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 20 17:37:56 CET 2016 on sn-devel-144

7 years ago auth/credentials: Add NULL check to free_dccache()
Andreas Schneider [Sat, 1 Oct 2016 09:27:54 +0000 (11:27 +0200)]
auth/credentials: Add NULL check to free_dccache()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago auth/credentials: Add NULL check in free_mccache()
Andreas Schneider [Sat, 1 Oct 2016 09:25:44 +0000 (11:25 +0200)]
auth/credentials: Add NULL check in free_mccache()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago auth/credentials: Move function to free ccaches to the top
Andreas Schneider [Thu, 6 Oct 2016 07:22:29 +0000 (09:22 +0200)]
auth/credentials: Move function to free ccaches to the top

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago auth/credentials: Add talloc NULL check in cli_credentials_set_principal()
Andreas Schneider [Thu, 6 Oct 2016 06:16:57 +0000 (08:16 +0200)]
auth/credentials: Add talloc NULL check in cli_credentials_set_principal()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago WHATSNEW: Add some information about ID mapping
Andreas Schneider [Wed, 14 Dec 2016 10:23:10 +0000 (11:23 +0100)]
WHATSNEW: Add some information about ID mapping

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 20 11:40:07 CET 2016 on sn-devel-144

7 years ago WHATSNEW: Add Printing changes
Andreas Schneider [Wed, 14 Dec 2016 07:25:45 +0000 (08:25 +0100)]
WHATSNEW: Add Printing changes

Signed-off-by: Andreas Schneider <asn@samba.org>
7 years ago WHATSNEW: Use capital K for Kerberos
Andreas Schneider [Wed, 14 Dec 2016 07:15:38 +0000 (08:15 +0100)]
WHATSNEW: Use capital K for Kerberos

Signed-off-by: Andreas Schneider <asn@samba.org>
7 years ago HEIMDAL:lib/krb5: Harden _krb5_derive_key()
Volker Lendecke [Fri, 18 Nov 2016 18:02:30 +0000 (18:02 +0000)]
HEIMDAL:lib/krb5: Harden _krb5_derive_key()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago HEIMDAL:lib/krb5: Harden ARCFOUR_sub{en,de}crypt()
Volker Lendecke [Fri, 18 Nov 2016 18:02:30 +0000 (18:02 +0000)]
HEIMDAL:lib/krb5: Harden ARCFOUR_sub{en,de}crypt()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago HEIMDAL:lib/krb5: use krb5_verify_checksum() in krb5_c_verify_checksum()
Stefan Metzmacher [Tue, 22 Nov 2016 12:53:53 +0000 (13:53 +0100)]
HEIMDAL:lib/krb5: use krb5_verify_checksum() in krb5_c_verify_checksum()

This allows the optimized checksum->verify() function to be used.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago HEIMDAL:lib/krb5: move checksum vs. enctype checks into get_checksum_key()
Stefan Metzmacher [Tue, 22 Nov 2016 12:42:31 +0000 (13:42 +0100)]
HEIMDAL:lib/krb5: move checksum vs. enctype checks into get_checksum_key()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
Stefan Metzmacher [Tue, 22 Nov 2016 16:08:46 +0000 (17:08 +0100)]
CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()

aes based checksums can only be checked with the
corresponding aes based keytype.

Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can lead to
segmentation faults.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446

Signed-off-by: Stefan Metzmacher <metze@samba.org>
7 years ago CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
Stefan Metzmacher [Wed, 23 Nov 2016 10:44:22 +0000 (11:44 +0100)]
CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default

This disabled the usage of GSS_C_DELEG_FLAG by default. As
GSS_C_DELEG_POLICY_FLAG is still used by default, we let the
KDC decide if we should send delegated credentials to a remote server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
7 years ago CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
Stefan Metzmacher [Wed, 23 Nov 2016 10:42:59 +0000 (11:42 +0100)]
CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG

We should only use GSS_C_DELEG_POLICY_FLAG in order to let
the KDC decide if we should send delegated credentials to
a remote server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
7 years ago CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
Stefan Metzmacher [Wed, 23 Nov 2016 10:41:10 +0000 (11:41 +0100)]
CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss

This is just an example script that's not directly used by samba,
but we should avoid sending delegated credentials to dns servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
7 years ago CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
Volker Lendecke [Sat, 5 Nov 2016 20:22:46 +0000 (21:22 +0100)]
CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995

Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.

Signed-off-by: Volker Lendecke <vl@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409

7 years ago s3:user_auth_info: let struct user_auth_info use struct cli_credentials internally
Stefan Metzmacher [Fri, 28 Oct 2016 10:14:37 +0000 (12:14 +0200)]
s3:user_auth_info: let struct user_auth_info use struct cli_credentials internally

This way we can have a very simple get_cmdline_auth_info_creds() function,
which can be used to pass cli_credentials down the stack instead of
constantly translating from user_auth_info to cli_credentials, while
losing information.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 20 04:57:05 CET 2016 on sn-devel-144

7 years ago s3:popt_common: let POPT_COMMON_CREDENTIALS imply logfile and conffile loading
Stefan Metzmacher [Fri, 9 Dec 2016 15:04:38 +0000 (16:04 +0100)]
s3:popt_common: let POPT_COMMON_CREDENTIALS imply logfile and conffile loading

All users of POPT_COMMON_CREDENTIALS basically need the same logic,
while some ignore a broken smb.conf and some complain about it.

This will allow the future usage of config options in the
credential post processing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago tests/credentials.py: demonstrate the last 'username' line of creds.parse_file()...
Stefan Metzmacher [Thu, 15 Dec 2016 14:30:28 +0000 (15:30 +0100)]
tests/credentials.py: demonstrate the last 'username' line of creds.parse_file() beats other lines

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago auth/credentials: change the parsing order of cli_credentials_parse_file()
Stefan Metzmacher [Thu, 15 Dec 2016 11:41:58 +0000 (12:41 +0100)]
auth/credentials: change the parsing order of cli_credentials_parse_file()

We now first just remember the domain, realm, username, password values
(the last value wins).

At the end we call cli_credentials_set_{realm,domain,password}()
followed by cli_credentials_parse_string() for 'username'.

It means the last 'username' line beats the domain, realm or password lines, e.g.:

 username=USERDOMAIN\username
 domain=DOMAIN

will result in cli_credentials_get_domain() returning "USERDOMAIN" instead of
DOMAIN.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago tests/credentials.py: verify the new cli_credentials_parse_file() 'username' parsing
Stefan Metzmacher [Thu, 15 Dec 2016 13:01:35 +0000 (14:01 +0100)]
tests/credentials.py: verify the new cli_credentials_parse_file() 'username' parsing

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago auth/credentials: let cli_credentials_parse_file() handle 'username' with cli_credent...
Stefan Metzmacher [Sun, 11 Dec 2016 21:50:53 +0000 (22:50 +0100)]
auth/credentials: let cli_credentials_parse_file() handle 'username' with cli_credentials_parse_string()

Some existing source3 tests (test_smbclient_s3.sh test_auth_file()) use a credentials file
that looks like this:

  username=DOMAIN/username
  password=password
  domain=DOMAIN

This change allows us to parse the same.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago tests/credentials.py: add tests to verify realm/principal behaviour of cli_credential...
Stefan Metzmacher [Thu, 15 Dec 2016 13:12:31 +0000 (14:12 +0100)]
tests/credentials.py: add tests to verify realm/principal behaviour of cli_credentials_parse_string()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago auth/credentials: let cli_credentials_parse_string() always reset principal and realm
Stefan Metzmacher [Wed, 14 Dec 2016 15:47:57 +0000 (16:47 +0100)]
auth/credentials: let cli_credentials_parse_string() always reset principal and realm

If we reset username we need to reset principal if it was set at the same level.

If domain is reset we also need to use it as realm if realm
was set at the same level. Otherwise we'd build a principal
that belongs to a different user, which would not work
and only increment the wrong lockout counter and result
in wrong authorization tokens to be used.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago auth/credentials: let cli_credentials_parse_string() always reset username and domain
Stefan Metzmacher [Fri, 9 Dec 2016 11:20:19 +0000 (12:20 +0100)]
auth/credentials: let cli_credentials_parse_string() always reset username and domain

If cli_credentials_parse_string() is used we should no longer use
any guessed values and need to make sure username and domain
are reset if principal and realm are set.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago tests/credentials.py: add tests with a realm from smb.conf
Stefan Metzmacher [Thu, 15 Dec 2016 13:49:18 +0000 (14:49 +0100)]
tests/credentials.py: add tests with a realm from smb.conf

As we don't want to create a new smb.conf file
we just simulate it with "creds.set_realm(realm, credentials.UNINITIALISED)".

That's basically the same as the cli_credentials_set_conf() behaviour
if a realm is specified in the configuration.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>