path: root/source3/librpc
Commit log (each entry: commit message, then [author, date, files changed, lines removed/added])

* librpc/crypto: Fix a misleading comment  [Volker Lendecke, 2018-06-18, 1 file, -3/+1]
  Probably cut&paste error

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Mon Jun 18 18:34:51 CEST 2018 on sn-devel-144

* smbd: rename smbXsrv_client->ev_ctx into smbXsrv_client->raw_ev_ctx  [Stefan Metzmacher, 2018-06-18, 1 file, -1/+1]
  That makes it clearer that no tevent_context wrapper is used here and the related code should really run without any (active) impersonation as before.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>

* smbd: remove xconn->client->last_session_id based set_current_user_info() caching  [Stefan Metzmacher, 2018-06-18, 1 file, -1/+0]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>

* Revert "Use "localhost" to be ipv6 only friendly"  [Simo Sorce, 2018-03-19, 1 file, -1/+1]
  This reverts commit 54548f6dde3cf74f0e90ef577a55fd720dca6d93.

* Use "localhost" to be ipv6 only friendly  [Simo Sorce, 2018-03-19, 1 file, -1/+1]
  Signed-off-by: Simo Sorce <idra@samba.org>

* s3: gse: use "gensec_gssapi:requested_life_time"  [Ralph Boehme, 2018-03-16, 1 file, -2/+8]
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Mar 16 07:48:37 CET 2018 on sn-devel-144

* smbd: remove "id" from share_mode_entry  [Volker Lendecke, 2018-02-13, 1 file, -1/+0]
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Feb 13 05:01:38 CET 2018 on sn-devel-144

* s3: librpc: Allow client to correctly report etype unsupported by KDC to caller.  [Jeremy Allison, 2018-01-31, 1 file, -0/+3]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13247

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Wed Jan 31 00:38:09 CET 2018 on sn-devel-144

* smbd: Fix channel sequence number checks for long-running requests  [Volker Lendecke, 2018-01-14, 1 file, -1/+2]
  When the client's supplied csn overflows and hits a pending, long-running request's csn, we panic. Fix this by counting the overflows in smbXsrv_open_global0->channel_generation

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
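The csn wrap described in the commit above, as an added example that is not part of this page or of Samba's smbd code: a hypothetical model in which each open tracks the last accepted 16-bit channel sequence number plus a wrap counter (standing in for channel_generation), so that a long-running request remembers the (csn, generation) tuple it started under and a later request that lands on the same csn after a wrap is not mistaken for it. The half-range comparison rule, the struct layout and every function name here are assumptions made for this illustration.

```c
/*
 * Added example (hypothetical, not Samba's smbd code): why a 16-bit SMB2
 * channel sequence number (csn) needs a wrap counter when long-running
 * requests are still pending. The comparison rule and all names below
 * are assumptions for this illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-open state: last accepted csn and a count of 16-bit wraps. The
 * wrap counter plays the role of channel_generation in the commit. */
struct open_state {
	uint16_t channel_sequence;
	uint16_t channel_generation;
};

/* What a long-running request records when it is admitted. */
struct pending_request {
	uint16_t csn;
	uint16_t generation;
};

/* Modular 16-bit comparison (assumed rule): `req` is newer than `cur`
 * when it lies in the half-window (0, 0x7FFF] ahead of `cur`; anything
 * further behind is treated as an old or replayed value. */
static bool csn_is_newer(uint16_t cur, uint16_t req)
{
	uint16_t delta = (uint16_t)(req - cur);
	return delta != 0 && delta <= 0x7FFF;
}

/* Admit a request carrying `req_csn` on `open`. Returns false for a
 * stale csn. On success, the (csn, generation) tuple the request runs
 * under is written to `out`; the generation is bumped on every wrap. */
bool open_accept_csn(struct open_state *open, uint16_t req_csn,
		     struct pending_request *out)
{
	if (req_csn != open->channel_sequence) {
		if (!csn_is_newer(open->channel_sequence, req_csn)) {
			return false;
		}
		if (req_csn < open->channel_sequence) {
			open->channel_generation++; /* crossed 0xFFFF -> 0 */
		}
		open->channel_sequence = req_csn;
	}
	out->csn = req_csn;
	out->generation = open->channel_generation;
	return true;
}

/* The check a completing long-running request should make: compare the
 * whole tuple, never the csn alone. */
bool pending_matches_current(const struct open_state *open,
			     const struct pending_request *p)
{
	return p->csn == open->channel_sequence &&
	       p->generation == open->channel_generation;
}

/* Replay of the scenario in the commit: a request is admitted at csn 5,
 * the client then advances the csn by 0x4000 four times, which lands on
 * 5 again after exactly one wrap. Returns true when the csn alone
 * collides but the (csn, generation) tuple still tells them apart. */
bool generation_disambiguates_after_wrap(void)
{
	struct open_state open = { .channel_sequence = 0, .channel_generation = 0 };
	struct pending_request slow, latest;
	uint16_t csn = 5;

	if (!open_accept_csn(&open, csn, &slow)) {
		return false;
	}
	for (int i = 0; i < 4; i++) {
		csn = (uint16_t)(csn + 0x4000);
		if (!open_accept_csn(&open, csn, &latest)) {
			return false;
		}
	}
	bool csn_collides = (latest.csn == slow.csn);
	bool tuple_collides = pending_matches_current(&open, &slow);
	return csn_collides && !tuple_collides;
}

int main(void)
{
	printf("generation disambiguates after wrap: %s\n",
	       generation_disambiguates_after_wrap() ? "yes" : "no");
	return 0;
}
```

Build with `cc -std=c99` and run. After the four increments the csn is back at 5 but the generation is 1, so a csn-only comparison would conflate the fresh request with the still-pending one, which is the collision the commit describes; the tuple comparison does not. A csn that falls behind the current value by more than the half-window (for example 3 when the open is at 5) is rejected as stale.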
* s3:gse_krb5: make use of precalculated krb5 keys in fill_mem_keytab_from_secrets()  [Stefan Metzmacher, 2017-08-18, 1 file, -95/+85]
  This avoids a lot of cpu cycles, which were wasted for each single smb connection, even if the client didn't use kerberos.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12973

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Fri Aug 18 10:04:57 CEST 2017 on sn-devel-144

* secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts  [Stefan Metzmacher, 2017-06-27, 2 files, -2/+92]
  This blob will be stored in secrets.tdb. It makes it possible to store much more useful details about the workstation trust.

  The key feature that triggered this change is the ability to store details for the next password change before doing the remote change. This will allow us to recover from failures.

  While being there I also thought about possible new features, which we may implement in the near future.

  We also store the raw UTF16 like cleartext buffer as well as derived keys like the NTHASH (arcfour-hmac-md5 key) and other kerberos keys. This will allow us to avoid recalculating the keys for an in memory keytab in future.

  I also added a pointer to an optional lsa_ForestTrustInformation structure, which might be useful to implement multi-tenancy in future.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()  [Stefan Metzmacher, 2017-06-27, 1 file, -26/+14]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx  [Stefan Metzmacher, 2017-06-27, 1 file, -1/+2]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx  [Stefan Metzmacher, 2017-06-27, 1 file, -0/+1]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:librpc: let NDR_SECRETS depend on NDR_SECURITY  [Stefan Metzmacher, 2017-06-27, 1 file, -1/+1]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:gse_krb5: fix a possible crash in fill_mem_keytab_from_system_keytab()  [Michael Saxl, 2017-06-27, 1 file, -0/+8]
  If the keytab file isn't readable, we may call krb5_kt_end_seq_get() with an invalid kt_cursor.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10490

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Michael Saxl <mike@mwsys.mine.bz>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:gse: add simple gensec_gse_update_send/recv() wrapper functions  [Stefan Metzmacher, 2017-05-21, 1 file, -15/+71]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* s3:gse: always announce GENSEC_FEATURE_SIGN_PKT_HEADER support.  [Stefan Metzmacher, 2017-05-21, 1 file, -9/+1]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* s3: smbd: Fix open_files.idl to correctly ignore share_mode_lease *lease in share_mode_entry.  [Jeremy Allison, 2017-05-18, 1 file, -1/+1]
  This is currently marked 'skip', which means it isn't stored in the db, but printed out in ndr dump. However, this pointer can be invalid if the lease_idx is set to 0xFFFFFFFF (invalid). This is fixed up inside parse_share_modes(), but not until after ndr_pull_share_mode_data() is called. If lease_idx == 0xFFFFFFFF then ndr_print_share_mode_lease() prints an invalid value and crashes.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12793

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu May 18 03:01:40 CEST 2017 on sn-devel-144
* auth_log: Also log the final type of authentication (ntlmssp,krb5)  [Andrew Bartlett, 2017-03-29, 1 file, -0/+16]
  Administrators really care about how their users were authenticated, so make this clear.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>

* rpc: Always supply both the remote and local address to the auth subsystem  [Gary Lockyer, 2017-03-29, 1 file, -0/+1]
  This ensures that gensec, and then the NTLM auth subsystem under it, always gets the remote and local address pointers for potential logging.

  The local address allows us to know which interface an authentication is on.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>

* lib: Fix an uninitialized variable warning  [Volker Lendecke, 2017-03-15, 1 file, -1/+2]
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Wed Mar 15 14:21:43 CET 2017 on sn-devel-144

* s3:gse: Correctly handle external trusts with MIT  [Andreas Schneider, 2017-03-10, 1 file, -0/+54]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>

* s3:gse: Check if we have a target_principal set we should use  [Andreas Schneider, 2017-03-10, 1 file, -1/+2]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>

* s3:gse: Move setup of service_principal to update function  [Andreas Schneider, 2017-03-10, 1 file, -26/+71]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>

* s3:gse: Pass down the gensec_security pointer  [Andreas Schneider, 2017-03-10, 1 file, -7/+12]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>

* s3:gse: Use smb_krb5_get_realm_from_hostname()  [Andreas Schneider, 2017-03-10, 1 file, -25/+68]
  With credentials for administrator@FOREST1.EXAMPLE.COM this patch changes the target_principal for the ldap service of host dc2.forest2.example.com from ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM to ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM

  Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM should be used in order to allow the KDC of FOREST1.EXAMPLE.COM to generate a referral ticket for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.

  The problem is that KDCs only return such referral tickets if there's a forest trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM. If there's only an external domain trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.

  In the case of an external trust the client can still ask explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and the KDC of FOREST1.EXAMPLE.COM will generate it. From there the client can use the krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM ticket and ask a KDC of FOREST2.EXAMPLE.COM for a service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.

  With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as target principal. As _krb5_get_cred_kdc_any() first calls get_cred_kdc_referral() (which always starts with the client realm) and falls back to get_cred_kdc_capath() (which starts with the given realm).

  MIT krb5 only tries the given realm of the target principal, if we want to autodetect support for transitive forest trusts, we'll have to do the fallback ourselves.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-gse: move krb5 fallback to smb_gss_krb5_import_cred wrapper  [Alexander Bokovoy, 2017-03-08, 1 file, -48/+1]
  MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing credentials from a keytab without specifying actual principal. This was fixed in MIT krb5 1.9.2 (see commit 71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).

  Move fallback code to the smb_gss_krb5_import_cred wrapper. We only expect this fallback to happen with krb5 GSSAPI mechanism, thus hard code use of krb5 mech when calling to gss_acquire_cred.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
  Autobuild-Date(master): Wed Mar 8 22:00:24 CET 2017 on sn-devel-144

* s3-gse: convert to use smb_gss_krb5_import_cred  [Alexander Bokovoy, 2017-03-08, 1 file, -9/+11]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>

* s3:librpc: Handle gss_min in gse_get_client_auth_token() correctly  [Andreas Schneider, 2017-03-02, 1 file, -6/+40]
  This will make sure we correctly fall back to NTLMSSP.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12557

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Thu Mar 2 12:41:40 CET 2017 on sn-devel-144

* s3:librpc: Fix OM_uint32 comparison in if-clause  [Andreas Schneider, 2017-02-23, 1 file, -1/+1]
  Found by covscan.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* s3:librpc: Make sure kt_cursor and kt_entry are initialized  [Andreas Schneider, 2017-02-23, 1 file, -5/+2]
  Found by covscan.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12592

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* librpc: Use "all_zero" where appropriate  [Volker Lendecke, 2017-01-03, 1 file, -28/+10]
  ... Saves a few bytes of footprint

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>

* s3:librpc/gse: make use of gss_krb5_import_cred() instead of gss_acquire_cred()  [Stefan Metzmacher, 2017-01-02, 1 file, -13/+18]
  This avoids the usage of the ccselect_realm logic in MIT krb5, which leads to unpredictable results.

  The problem is the usage of gss_acquire_cred(), that just creates a credential handle without ccache. As result gss_init_sec_context() will trigger a code path where it use "ccselect" plugins. And the ccselect_realm module just chooses a random ccache from a global list where the realm of the provided target principal matches the realm of the ccache user principal.

  In the winbindd case we're using MEMORY:cliconnect to setup the smb connection to the DC. For ldap connections we use MEMORY:winbind_ccache.

  The typical case is that we do the smb connection first. If we try to create a new ldap connection, while the credentials in MEMORY:cliconnect are expired, we'll do the required kinit into MEMORY:winbind_ccache, but the ccselect_realm module will select MEMORY:cliconnect and tries to get a service ticket for the ldap server using the already expired TGT from MEMORY:cliconnect.

  The solution will be to use gss_krb5_import_cred() and explicitly pass the desired ccache, which avoids the ccselect logic. We could also use gss_acquire_cred_from(), but that's only available in modern MIT krb5 versions, while gss_krb5_import_cred() is available in heimdal and all supported MIT versions (>=1.9). As far as I can see both call the same internal function in MIT (at least for the ccache case).

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:librpc/gse: remove unused #ifdef HAVE_GSS_KRB5_IMPORT_CRED  [Stefan Metzmacher, 2017-01-02, 1 file, -3/+0]
  We always have gss_krb5_import_cred(), it is available in heimdal and also the oldest version (1.9) of MIT krb5 that we support.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:librpc/gse: include ccache_name in DEBUG message if krb5_cc_resolve() fails  [Stefan Metzmacher, 2017-01-02, 1 file, -2/+2]
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG  [Stefan Metzmacher, 2016-12-20, 1 file, -1/+0]
  We should only use GSS_C_DELEG_POLICY_FLAG in order to let the KDC decide if we should send delegated credentials to a remote server.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Simo Sorce <idra@samba.org>
* s3:crypto: Use smb_krb5_kt_open_relative() for MEMORY keytab  [Andreas Schneider, 2016-12-16, 1 file, -1/+1]
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

* s3:gse: We need to use the user's realm in the target_principal  [Stefan Metzmacher, 2016-11-15, 1 file, -2/+4]
  This is important in order to let the kdc of the user's realm start with the trust referral routing.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* libcli: Increase the debug level for expired tickets  [Volker Lendecke, 2016-11-02, 1 file, -2/+7]
  In libads/sasl.c we do a retry in this case. We should not spam syslog with that.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Wed Nov 2 05:22:38 CET 2016 on sn-devel-144

* s3:dcerpc_helpers: correctly support DCERPC_AUTH_LEVEL_PACKET  [Stefan Metzmacher, 2016-10-26, 1 file, -1/+9]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* librpc/rpc: move dcerpc_pull_ncacn_packet() from source3/librpc/rpc/ to the toplevel  [Stefan Metzmacher, 2016-10-26, 2 files, -48/+0]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:librpc: move NDR_PRINT_DEBUG() into the caller of dcerpc_pull_ncacn_packet()  [Stefan Metzmacher, 2016-10-26, 1 file, -4/+0]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:librpc: remove bigendian argument from dcerpc_pull_ncacn_packet()  [Stefan Metzmacher, 2016-10-26, 2 files, -7/+5]
  We should get this from the packet itself.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:gse: pass gss_got_flags to gssapi_get_sig_size()  [Stefan Metzmacher, 2016-10-26, 1 file, -1/+1]
  We need to calculate the signature length based on the negotiated flags. This is most important on the server side, where gss_accept_sec_context() doesn't get gss_want_flags, but fills gss_got_flags.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* lib: Fix a signed/unsigned hiccup  [Volker Lendecke, 2016-10-19, 1 file, -1/+1]
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* mit: make it possible to build with MIT kerberos and --picky-developer  [Günther Deschner, 2016-09-29, 1 file, -1/+2]
  Guenther

  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* krb5_wrap: Rename kerberos_get_principal_from_service_hostname()  [Andreas Schneider, 2016-08-31, 1 file, -2/+5]
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* krb5_wrap: Rename smb_krb5_keytab_name()  [Andreas Schneider, 2016-08-31, 1 file, -1/+1]
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

* krb5_wrap: Rename smb_krb5_open_keytab()  [Andreas Schneider, 2016-08-31, 1 file, -4/+4]
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>