path: root/source3/libads
Commit log (each entry: commit message [Author, Date, Files changed, Lines removed/added], followed by the commit body):
* kerberos: make sure we only use prompter type when available. [Günther Deschner, 2015-10-05, 1 file, -1/+11]
  We also verified that we cannot simply remove the prompter as several older versions of Heimdal would crash.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Fri Oct 2 07:29:43 CEST 2015 on sn-devel-104
  (cherry picked from commit 6755376cedaf0c88230b47e04c584c7d9fce13e3)
  Autobuild-User(v4-3-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-3-test): Mon Oct 5 12:44:42 CEST 2015 on sn-devel-104
* winbind: Fix 100% loop [Volker Lendecke, 2015-10-05, 1 file, -0/+16]
  Thanks to "L.P.H. van Belle" <belle@bazuin.nl> for help in reproducing the issue.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038
  From the bug report: "With e551cdb37d3e re-applied the problem is gone with and without kerberos. Moreover, if correctly configured, sshd requests you to change your password at logon time, which then succeeds. The problem why I had this reverted was because I had not gone through the pain to correctly configure all the PAM services (in particular the "account" section), leading to sshd letting the user in when the password had to be changed."
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit e551cdb37d3e8cfb155bc33f9b162761c8d60889)
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Oct 2 00:16:29 CEST 2015 on sn-devel-104
  (cherry picked from commit e524ab9f7ee9f4aff50dd5bc42312f9000bf1c6e)
* net: fix a crash with net ads keytab create [Uri Simchoni, 2015-10-05, 1 file, -0/+7]
  Fix a crash that happens when executing "net ads keytab create" and the machine account in AD does not have service principal names attached to it.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11528
  Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit e224e622971853bddbe24df717ea5dcddef71b89)
* libads: disable dns_lookup_realm in auto-generated krb5.conf files [Uri Simchoni, 2015-07-17, 1 file, -1/+2]
  This patch sets dns_lookup_realm=false in samba-generated krb5.conf.

  Disabling dns_lookup_realm in krb5.conf is the recommended practice for Kerberos usage in Active Directory environment. dns_lookup_realm is enabled by default, at least in Heimdal.

  When used by samba, Kerberos libraries operate based on either the system krb5.conf, or a private krb5.conf generated specifically for the domain by samba code. In the former case, it's the responsibility of the administrator to set dns_lookup_realm=false. In the latter case, it's the responsibility of samba - which is what this patch does.

  In many usage scenarios the value of this variable is of no consequence since samba knows the realm in which it is operating, and knows how to generate service principal names. However, there are some scenarios in which samba calls kerberos_get_principal_from_service_hostname(), and here samba consults the Kerberos libraries and this parameter comes into play. One primary example is cli_full_connection() function.

  Not setting dns_lookup_realm leads to a series of DNS TXT record lookups. This can be observed by running "net ads join -k -U <user>". In AD environments, the TXT queries typically fail quickly, but test setups or misconfigured DNS may lead to large timeouts (for example, if the domain is dept.example.com but there's no parent example.com domain and no DNS zones for example.com). At the very least we want to avoid those lookups because they are hardly documented and lead to confusion.
  Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3:libads: improve debug levels/messages in ads_find_dc() [Stefan Metzmacher, 2015-07-02, 1 file, -8/+14]
  We should not flood the logs (and syslog) with fallback warnings.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Michael Adam <obnox@samba.org>
  Autobuild-Date(master): Thu Jul 2 14:41:31 CEST 2015 on sn-devel-104
* s3:libads/sasl: use gensec_max_{input,wrapped}_size() in ads_sasl_spnego_ntlmssp_bind [Stefan Metzmacher, 2015-06-23, 1 file, -4/+5]
  gensec_sig_size() is for gensec_{sign,seal}_packet() instead of gensec_wrap().
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libads: further split resolve_and_ping into dns and netbios implementations [Uri Simchoni, 2015-06-16, 1 file, -42/+82]
  Split the resolve_and_ping function, which does name lookup followed by cldap ping, into two variants:
  - resolve_and_ping_dns() which uses AD name resolution
  - resolve_and_ping_netbios() which uses pre-AD name resolution
  Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* libads: Fix fallback logic when finding a domain controller [Uri Simchoni, 2015-06-16, 1 file, -95/+126]
  This is a patch to fix bug 11321.

  When finding a domain controller, the method is to resolve the IP address of candidate servers, and then do an ldap ping until a suitable server answers. In case of failure, there's fallback from DNS lookup to netbios lookup (if netbios is enabled) and then back to site-less DNS lookup.

  The two problems here are:
  1. It makes more sense to try site-less DNS before NetBIOS because the fallback to NetBIOS is not likely to give better results.
  2. The NetBIOS fallback screws the site-less fallback (I suppose the "goto considered harmful" fellows are sometimes right after all...).

  This fix extracts the core code that does name resolving+ldap ping into a separate function and then activates this function in up to three modes - site-aware, site-less, and netbios, in that order.
  Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* libads: Keep 'good' server at the head of custom KDC list [Uri Simchoni, 2015-06-16, 1 file, -20/+31]
  When creating a custom krb.conf file for a domain, make sure that the DC which already answered the ldap ping is not queried again, and is always first in the custom KDC list.

  This has two advantages:
  1. Avoid re-sending an ldap ping to this server
  2. The generated list is made up of the servers that answered first. Since the DC which already answered an LDAP ping is typically the "last good server", this change keeps it out of the contest and guarantees that we keep using the last good server as long as it works.
  Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* kerberos: Move DEFAULT_KRB5_PORT to a header file [Uri Simchoni, 2015-06-16, 2 files, -2/+2]
  Move the kerberos port number definition to a header file, so that it can be used by DNS code.
  Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* libads: fix indentation in generated krb5.conf [Uri Simchoni, 2015-06-16, 1 file, -3/+3]
  In case of multiple KDCs, the automatically-generated domain-specific kerberos configuration file lists all the KDCs it can find, but the indentation of additional KDCs is not aligned with that of the first KDC.
  Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* Convert all uint32/16/8 to _t in a grab-bag of remaining files. [Richard Sharpe, 2015-05-14, 2 files, -5/+5]
  I still need to fix the rpc stuff, but we are almost there.
  Signed-off-by: Richard Sharpe <rsharpe@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu May 14 22:16:56 CEST 2015 on sn-devel-104
* libads: record service ticket endtime for sealed ldap connections [Uri Simchoni, 2015-05-13, 1 file, -0/+23]
  When a ticket is obtained for binding a signed/sealed ldap connection, its lifetime should be recorded in the ads struct, in order to enable reuse of the connection.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11267
  Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Böhme <rb@sernet.de>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Wed May 13 04:32:16 CEST 2015 on sn-devel-104
* lib: Make sid_binstring_hex use TALLOC [Volker Lendecke, 2015-05-13, 1 file, -3/+3]
  talloc_tos() is better than plain malloc...
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* Add IPv6 support to ADS client side LDAP connects. Corrected format for IPv6 LDAP URI. [David Holder, 2015-05-12, 1 file, -1/+7]
  Signed-off-by: David Holder <david.holder@erion.co.uk>
  Signed-off-by: David Holder <david.holder@erion.co.uk>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Böhme <rb@sernet.de>
* libads: Fix deadlock when re-joining a domain and updating keytab [Uri Simchoni, 2015-05-04, 1 file, -2/+3]
  When updating the system keytab as a result of joining a domain, if the keytab had prior entries, ads_keytab_create_default tries to update those entries. However, it starts updating before freeing the cursor which was used for finding those entries, and hence causes an attempt to write-lock the keytab while a read-lock exists.

  To reproduce configure smb.conf for ads domain member and run this twice:
  net ads join -U <credentials> '--option=kerberos method=secrets and keytab'
  Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Mon May 4 21:01:41 CEST 2015 on sn-devel-104
* libads: Fix free of uninitialized pointer [Uri Simchoni, 2015-05-04, 1 file, -2/+3]
  In ads_keytab_create_default(), if the keytab to be created cannot be opened, the bail-out code calls smb_krb5_kt_free_entry() on an uninitialized entry.

  To reproduce:
  1. Join a domain
  2. KRB5_KTNAME=FILE:/non-existant-path/krb5.keytab net ads keytab create -P
  Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Convert all uses of uint8/16/32 to uint8/16/32_t in the libads code. [Richard Sharpe, 2015-04-22, 10 files, -55/+55]
  Signed-off-by: Richard Sharpe <rsharpe@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Wed Apr 22 06:22:29 CEST 2015 on sn-devel-104
* libads: Fix CID 1272956 Fixing wrong if condition [Anoop C S, 2015-04-18, 1 file, -1/+1]
  Signed-off-by: Anoop C S <achiraya@redhat.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Christof Schmitt <cs@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Sat Apr 18 01:33:04 CEST 2015 on sn-devel-104
* lib/krb5_wrap: use krb5_const_principal in smb_krb5_create_key_from_string. [Günther Deschner, 2015-03-27, 1 file, -1/+1]
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libads: Fix CID 1273305 Uninitialized scalar variable [Volker Lendecke, 2015-03-04, 1 file, -1/+1]
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
* libads: Fix CID 1273306 Uninitialized scalar variable [Volker Lendecke, 2015-03-04, 1 file, -1/+1]
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
* s3-libads: Fix a possible segfault in kerberos_fetch_pac(). [Andreas Schneider, 2015-01-07, 1 file, -13/+13]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11037
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* addns: Remove support for dns_host_file. [Andreas Schneider, 2014-12-18, 1 file, -5/+5]
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-libads: remove unused dn from ads_get_service_principal_names(). [Günther Deschner, 2014-11-28, 1 file, -7/+0]
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Fri Nov 28 16:46:20 CET 2014 on sn-devel-104
* s3:libads: avoid some compiler warnings in ldap.c [Stefan Metzmacher, 2014-11-25, 1 file, -15/+19]
  We use helper variables and explicit casts using discard_const_p() to avoid bogus const warnings.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* samba: pass down size_t instead of int to add_string_to_array(). [Günther Deschner, 2014-11-17, 1 file, -1/+1]
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Mon Nov 17 19:53:22 CET 2014 on sn-devel-104
* s3-keytab: fix keytab array NULL termination. [Matt Rogers, 2014-11-12, 1 file, -2/+1]
  Signed-off-by: Matt Rogers <mrogers@redhat.com>
  Reviewed-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3-libads: Add all machine account principals to the keytab. [Andreas Schneider, 2014-09-26, 1 file, -22/+52]
  This adds all SPNs defined in the DC for the computer account to the keytab using 'net ads keytab create -P'.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=9985
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s3-libads: Add function to search for an element in an array. [Andreas Schneider, 2014-09-26, 2 files, -0/+33]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s3-libads: Add a function to retrieve the SPNs of a computer account. [Andreas Schneider, 2014-09-26, 2 files, -0/+66]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s3-libads: Improve service principal guessing. [Andreas Schneider, 2014-09-26, 1 file, -58/+66]
  If the name passed to the net command with the -S option is the long hostname of the domain controller and not the 15 char NetBIOS name we should construct a FQDN with the realm to get a Kerberos ticket.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10829
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s3-kpasswd: Fix build warning. [Günther Deschner, 2014-09-01, 1 file, -1/+1]
  Guenther
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Mon Sep 1 18:15:15 CEST 2014 on sn-devel-104
* s3-kpasswd: send a netbios krb5 address to avoid invalid net address errors from heimdal. [Günther Deschner, 2014-09-01, 1 file, -0/+14]
  Guenther
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Remove custom password change code in libads [Simo Sorce, 2014-09-01, 1 file, -555/+59]
  Use standard libkrb5 calls instead.
  Signed-off-by: Simo Sorce <idra@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Remove duplicate definitions [Simo Sorce, 2014-09-01, 1 file, -9/+0]
  These are already defined both in Heimdal and MIT public headers.
  Signed-off-by: Simo Sorce <idra@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-libads/krb5_setpw: free realm from smb_krb5_principal_get_realm(). [Günther Deschner, 2014-08-08, 1 file, -3/+5]
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba: use smb_krb5_create_key_from_string() in some places. [Günther Deschner, 2014-08-08, 1 file, -1/+6]
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
* s3-krb5: Limit search for old kvno to 8 bits [Christof Schmitt, 2014-05-08, 1 file, -2/+5]
  Some keytab files store the kvno only in 8 bits. Limit the compare to 8 bits, so that we don't miss old keys and delete them. This fixes the problem that updates to the keytab file removed all previous keys.
  Signed-off-by: Christof Schmitt <cs@samba.org>
  Reviewed-by: Simo Sorce <idra@samba.org>
  Autobuild-User(master): Christof Schmitt <cs@samba.org>
  Autobuild-Date(master): Thu May 8 00:54:15 CEST 2014 on sn-devel-104
* s3-libads: allow ads_try_connect() to re-use a resolved ip address. [Günther Deschner, 2014-04-17, 1 file, -18/+26]
  Pass down a struct sockaddr_storage to ads_try_connect.
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Thu Apr 17 19:56:16 CEST 2014 on sn-devel-104
* Remove special socket_wrapper code. [Andreas Schneider, 2014-04-17, 1 file, -32/+0]
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-libads: Use ldap_initialize() if available. [Andreas Schneider, 2014-04-17, 1 file, -5/+20]
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-kerberos: make ipv6 support for generated krb5 config files more robust. [Günther Deschner, 2014-04-04, 1 file, -2/+27]
  Older MIT Kerberos libraries will add any secondary ipv6 address as an ipv4 address; defining the (default) krb5 port 88 circumvents that.
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Fri Apr 4 16:33:12 CEST 2014 on sn-devel-104
* kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUT [Andrew Bartlett, 2014-04-02, 1 file, -1/+1]
  Change-Id: I333083e11a56d0f99ec36df25a96804d0ff2d110
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/gensec: remove tevent_context argument from gensec_update() [Stefan Metzmacher, 2014-03-27, 2 files, -2/+2]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-libads: Use the IP instead of the name. [Bjoern Baumbach, 2014-03-13, 1 file, -1/+1]
  This fixes 'net rpc join' against ADS.
  Signed-off-by: Bjoern Baumbach <bb@sernet.de>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Thu Mar 13 17:06:00 CET 2014 on sn-devel-104
* s3-kerberos: let kerberos_return_pac() return a PAC container. [Günther Deschner, 2014-03-12, 2 files, -9/+27]
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-kerberos: return a full PAC in kerberos_return_pac(). [Günther Deschner, 2014-03-12, 2 files, -13/+19]
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-libads: pass down local_service to kerberos_return_pac(). [Günther Deschner, 2014-03-12, 2 files, -5/+2]
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-kerberos: remove unused kdc_name from create_local_private_krb5_conf_for_domain(). [Günther Deschner, 2014-03-07, 2 files, -8/+5]
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Fri Mar 7 18:43:57 CET 2014 on sn-devel-104