path: root/source3/libads
Commit message | Author | Age | Files | Lines
* s3:ldap: Fix join with don't exists machine account | Evgeny Sinelnikov | 2019-09-11 | 1 | -2/+3
  Add check for requested replies of existing machine object during join machine to domain. This solves regression fail during join with error: "None of the information to be translated has been translated."

  https://bugzilla.samba.org/show_bug.cgi?id=14007
  Reviewed-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Wed Sep 4 17:02:37 UTC 2019 on sn-devel-184
  (cherry picked from commit ad4ef1657e9b2a088a3bfadcce196cfcceead1dc)
* s3:ldap: Leave add machine code early for pre-existing accounts | Guenther Deschner | 2019-04-09 | 1 | -1/+9
  This avoids numerous LDAP constraint violation errors when we try to re-precreate an already existing machine account.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68)
* s3:libads: Make sure we can lookup KDCs which are not configured | Andreas Schneider | 2019-04-09 | 1 | -2/+10
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
  Pair-Programmed-With: Guenther Deschner <gd@samba.org>
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6)
* s3:libads: Print more information when LDAP fails | Andreas Schneider | 2019-04-09 | 1 | -2/+10
  Currently we just get an error but don't know what exactly we tried to do in 'net ads join -d10'.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5)
* s3:libads: Free addr before we free the context | Andreas Schneider | 2018-08-23 | 1 | -1/+1
  Introduced by dbdbd4875ecac3e7334750f46f1f494b7afe6628

  CID 1438395
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Aug 14 22:02:06 CEST 2018 on sn-devel-144
  (cherry picked from commit 9eccf6a16f5b198181a4fa80b835b1a65b40ed76)
* s3:libads: Fix memory leaks in ads_krb5_chg_password() | Andreas Schneider | 2018-08-23 | 1 | -0/+2
  Found by covscan.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13567
  Pair-Programmed-With: Justin Stephenson <jstephen@redhat.com>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Justin Stephenson <jstephen@redhat.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit dbdbd4875ecac3e7334750f46f1f494b7afe6628)
* Fix some incorrect debug messages that look to be copy-paste issues. | Richard Sharpe | 2018-05-03 | 1 | -3/+3
  Signed-off-by: Richard Sharpe <realrichardsharpe@gmail.com>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
  Autobuild-Date(master): Thu May 3 08:16:26 CEST 2018 on sn-devel-144
* libsmb: Give namequery.c its own header | Volker Lendecke | 2018-04-11 | 2 | -0/+2
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libads: Fix CID 1349423 Resource leak | Volker Lendecke | 2018-03-29 | 1 | -1/+2
  get_sorted_dc_list should already take care, but this way it's safer

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu Mar 29 03:45:00 CEST 2018 on sn-devel-144
* libads: Fix 1433611 Resource leak | Volker Lendecke | 2018-03-29 | 1 | -0/+1
  Not really a memleak due to the passed-in talloc ctx, but this way it's cleaner

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libads: Fix CID 1433606 Dereference before null check | Volker Lendecke | 2018-03-29 | 1 | -1/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3:libads: Fix size types in kerberos functions | Andreas Schneider | 2018-03-20 | 1 | -5/+5
  This fixes compilation with -Wstrict-overflow=2

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:libads: 'net ads keytab create' shouldn't write SPN(s) | Noel Power | 2018-03-02 | 1 | -5/+5
  Modify default behaviour of 'net ads keytab create'

  The change modifies the behaviour of 'net ads keytab create' such that only the keytab file is modified. The current behaviour doesn't make sense, existing SPN(s) pulled from the computer AD object have the format 'serviceclass/host:port/servicename'. 'ads_keytab_create_default' calls ads_keytab_add_entry passing 'serviceclass' for each SPN retrieved from the AD. For each serviceclass passed in a new pair of SPN(s) is generated as follows
    i) long form 'param/full_qualified_dns'
    ii) short form 'param/netbios_name'

  This doesn't make sense as we are creating a new SPN(s) from an existing one probably replacing the existing host with the 'client' machine.

  If the keytab file exists then additionally each kerberos principal in the keytab file is parsed to strip out the primary, then 'ads_keytab_add_entry' is called which then tries by default to generate a SPN from any primary that doesn't end in '$'. By default those SPNs are then added to the AD computer account for the client running the command.

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: add param to prevent writing spn(s) to ads | Noel Power | 2018-03-02 | 2 | -8/+9
  'net ads keytab add' currently in addition to adding to the keytab file this command also can update AD computer objects via ldap. This behaviour isn't very intuitive or expected given the command name. By default we shouldn't write to the ADS.

  Prepare to change the default behaviour by modifying the function 'ads_keytab_add_entry' to take a parameter to modify the existing behaviour to optionally update the AD (or not).

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: Allow 'net ads keytab add' handle Windows SPN(s) part 2 | Noel Power | 2018-03-02 | 1 | -9/+25
  This patch addresses how the windows SPN is written to the AD.

  If a legacy service (e.g. cifs, http etc.) is passed as param to 'net ads keytab add param' then windows SPNs are generated from 'param' as follows
    i) long form 'param/full_qualified_dns'
    ii) short form 'param/netbios_name'

  If the SPN is a Windows SPN (e.g. conforming to format 'serviceclass/host:port') then this is the SPN that is passed to the AD.

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: Allow 'net ads keytab add' handle Windows SPN(s) part 1 | Noel Power | 2018-03-02 | 1 | -10/+58
  This patch addresses how the windows SPN is converted into a kerberos principal to be written to the keytab file.

  A followup patch will deal with writing Windows SPN(s) to the AD.

  Before this change 'net ads keytab add' handled three scenarios

  a) 'net ads keytab add param' is passed a fully qualified kerberos principal (identified by the presence of '@' in param). In this scenario the keytab file alone is updated with the principal contained in 'param'.

  b) 'net ads keytab add param' is passed a machine name (identified by the parameter ending with '$'). In this case the machine name is converted to a kerberos principal according to the recipe 'param@realm' where realm is determined by lp_realm().

  c) 'net ads keytab add param' is passed a service (e.g. nfs, http etc.). In this scenario the param containing the service is first converted into 2 kerberos principals (long and short forms) according to the following recipe
     i) long form: 'param/fully_qualified_dns@realm'
     ii) short form: 'param/netbios_name@realm'
     where 'fully_qualified_dns' is retrieved from 'dNSHostName' attribute of 'this' machine's computer account on the AD. The principals are written to the keytab file.
     Secondly 2 windows SPNs are generated from 'param' as follows
     i) long form 'param/full_qualified_dns'
     ii) short form 'param/netbios_name'
     These SPNs are written to the AD computer account object.

  After this change a) & b) & c) will retain legacy behaviour except in the case of c) where if the 'param' passed to c) is a Windows SPN (e.g. conforming to format 'serviceclass/host:port')
     i) 'param' will get converted to a kerberos principal (just a single one) with the following recipe: 'serviceclass/host@realm' which will be written to the keytab file. The SPN written to the AD is created as before and the legacy behaviour is preserved.

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:utils: add new 'net ads setspn delete' subcommand | Noel Power | 2018-03-02 | 2 | -0/+100
  This patch adds 'delete' to the 'net ads setspn' subcommand (see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11))

  Usage: net ads setspn delete <computer> <SPN>

  Note: <computer> is optional, if not specified the computer account associated with value returned by lp_netbios_name() is used instead.

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:utils: add new 'net ads setspn add' subcommand | Noel Power | 2018-03-02 | 2 | -1/+80
  This patch adds 'add' to the 'net ads setspn' subcommand (see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11))

  Usage: net ads setspn add <computer> <SPN>

  Note: <computer> is optional, if not specified the computer account associated with value returned by lp_netbios_name() is used instead.

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:utils: add new 'net ads setspn list' subcommand | Noel Power | 2018-03-02 | 2 | -0/+57
  This patch adds basic functionality not unlike the setspn.exe command that is provided by windows for administering SPN on the AD. (see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11))

  Only the basic list operation (that corresponds to the -l switch for setspn.exe is implemented)

  Usage: net ads setspn list <computer>

  Note: <computer> is optional, if not specified the computer account associated with value returned by lp_netbios_name() is used instead.

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: change ads_add_service_principal_name implementation | Noel Power | 2018-03-02 | 3 | -49/+98
  Previously the function 'ads_add_service_principal_name' created the SPNs based on the machine_name and dns name passed to the function. In order to prepare for a future patch that will also need to write SPN(s) to the AD computer account, the function implementation will need to be changed. Instead of the function creating the SPN(s) it will now take the list SPN(s) to write to the AD 'machine_name' account as an input param instead.

  The name of the function has been changed to 'ads_add_service_principal_names' to reflect this. Additionally client code now needs to construct the SPNs to be passed into the function.

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: Add a basic Windows SPN parser. | Noel Power | 2018-03-02 | 2 | -0/+113
  (see https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx)

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: Clean up code a little rename 'ads_get_samaccountname()' | Noel Power | 2018-03-02 | 3 | -12/+22
  Function 'ads_get_samaccountname()' basically returns the machine_name passed as an input param (appended with '$') if it exists on the ad. The function really is testing for the existence of the samaccountname and is not really 'getting' it. This is also the way it is used. Renaming this function to 'ads_has_samaccountname()' better reflects what it is actually doing and how clients calling the code use it. It also makes the client code using calling this function less confusing.

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: ads_get_dnshostname & ads_get_samaccountname don't use param | Noel Power | 2018-03-02 | 1 | -2/+2
  Both ads_get_dnshostname() & ads_get_samaccountname() are passed a param machinename as an argument. Instead of using 'machinename' these functions are erroneously using lp_netbiosname() instead.

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* libads: Fix the build --without-ads | Volker Lendecke | 2018-02-06 | 1 | -0/+4
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
  Autobuild-User(master): David Disseldorp <ddiss@samba.org>
  Autobuild-Date(master): Tue Feb 6 02:47:44 CET 2018 on sn-devel-144
* s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here. | Jeremy Allison | 2018-01-26 | 1 | -0/+9
  Thanks to Isaac Boukris <iboukris@gmail.com> for finding the issue and testing this fix.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13244
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Jan 26 02:25:20 CET 2018 on sn-devel-144
* s3:libads: net ads keytab list fails with "Key table name malformed" | Noel Power | 2017-11-29 | 1 | -1/+5
  When keytab_name is NULL don't call smb_krb5_kt_open use ads_keytab_open instead, this function will determine the correct keytab to use.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166
  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* s3:libads: Fix changing passwords with Kerberos | Andreas Schneider | 2017-08-11 | 1 | -1/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
* s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password() | Stefan Metzmacher | 2017-06-27 | 1 | -16/+90
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c | Stefan Metzmacher | 2017-06-27 | 2 | -100/+0
  These don't use any krb5_context related functions and they just work on secrets.tdb, so they really belong to machine_account_secrets.c.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ() | Stefan Metzmacher | 2017-06-27 | 2 | -10/+0
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry() | Stefan Metzmacher | 2017-06-27 | 1 | -6/+8
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: provide a simpler kerberos_fetch_salt_princ() function | Stefan Metzmacher | 2017-06-27 | 2 | -3/+9
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback | Stefan Metzmacher | 2017-06-27 | 1 | -33/+4
  The handling for per encryption type salts was removed in Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone has such an installation that got constantly upgraded over 10 years with an automatic password change nor rejoin. It also means that the KDC only has salt-less arcfour-hmac-md5 key together with the salted des keys. So there would only be a problem if the client would try to use a des key to contact the smb server.

  Having this legacy code adds quite some complexity for no good reason.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: remove unused kerberos_secrets_store_salting_principal() | Stefan Metzmacher | 2017-06-27 | 2 | -75/+0
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* libads: Decide to have no fallback option | Garming Sam | 2017-05-30 | 1 | -0/+5
  Before this change, it would always possibly choose another server at random despite later using the original principal when it got back to the connection initialization in the winbind connection manager. This caused bizarre authentication failures.

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libads: Check cldap flags in libads/ldap | Garming Sam | 2017-05-30 | 3 | -1/+52
  Pass down request flags and check they are respected with the response flags. Otherwise, error out and pretend the connection never happened.

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libads: abstract out SASL wrapping code | Alexander Bokovoy | 2017-05-17 | 5 | -180/+207
  Prepare for rebasing libads on top of libsmbldap.

  To make libads using 'struct smbldap_state' instead of direct LDAP structure, we need to abstract out libads logic from connection handling. SASL wrapping does not really depend on availability of LDAP handle and does not need direct access to ADS_STRUCT. As result, we'll be able to move SASL wrapping code under smbldap once the latter is able to pass settings that libads passes to the SASL wrapping.

  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth: Add logging of service authorization | Andrew Bartlett | 2017-03-29 | 1 | -0/+3
  In ntlm_auth.c and authdata.c, the session info will be incomplete

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds() | Andreas Schneider | 2017-03-22 | 1 | -169/+0
  There is no way we can get a better error code out of this. The original function called was krb5_get_init_creds_opt_get_error() which has been deprecated in 2008.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Uri Simchoni <uri@samba.org>
* s3:libads: Correctly handle the keytab kerberos methods | Andreas Schneider | 2017-03-14 | 1 | -12/+57
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlet <abartlet@samba.org>
* Correct "ommited" typos. | Chris Lamb | 2017-03-13 | 1 | -1/+1
  Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libads: convert to use smb_gss_krb5_import_cred | Alexander Bokovoy | 2017-03-08 | 1 | -1/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-libads: Do not leak the msg on error | Andreas Schneider | 2017-03-08 | 1 | -3/+5
  ldap_search_ext_s manpage states:

    Note that res parameter of ldap_search_ext_s should be freed with ldap_msgfree() regardless of return value of these functions.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Ralph Böhme <slow@samba.org>
  Autobuild-Date(master): Wed Mar 8 14:59:35 CET 2017 on sn-devel-144
* s3:libads: remove unused fallback to gss_acquire_cred() | Stefan Metzmacher | 2017-03-06 | 1 | -27/+0
  Heimdal and all supported versions of MIT krb5 prove gss_krb5_import_cred(), so we don't need an #ifdef here.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Mon Mar 6 11:44:54 CET 2017 on sn-devel-144
* s3:libads: add more debugging to ads_sasl_spnego_bind() | Stefan Metzmacher | 2017-02-24 | 1 | -1/+25
  Any fallbacks to other authentication methods should be logged.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* Correct "occured" typos. | Chris Lamb | 2017-02-22 | 1 | -1/+1
  Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s3:libads: use trust_pw_new_value() for krb5 machine passwords | Stefan Metzmacher | 2017-02-21 | 1 | -3/+6
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* libads: Use "all_zero" where appropriate | Volker Lendecke | 2017-01-03 | 1 | -24/+6
  ... Saves a few bytes of footprint

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* s3:libads: Include system /etc/krb5.conf if we use MIT Kerberos | Andreas Schneider | 2016-12-02 | 1 | -6/+19
  The system /etc/krb5.conf defines some defaults like:

    default_ccache_name = KEYRING:persistent:%{uid}

  We need to respect that so should include it in our own created krb5.conf file.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* s3-libads: Fix canonicalization support with MIT Kerberos | Andreas Schneider | 2016-12-02 | 1 | -1/+12
  This allows to authenticate using user@DOMAIN against an AD DC.

  https://bugzilla.samba.org/show_bug.cgi?id=12457
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Dec 2 00:23:02 CET 2016 on sn-devel-144