The branch, v4-8-test has been updated
       via  ca87709 winbindd: WBFLAG_PAM_AUTH_PAC should call add_trusted_domain_from_auth() if the result is trusted
       via  7e8ee67 winbindd: rename winbindd_pam_auth_pac_send and let it return validation
       via  df6062e winbindd: complete WBFLAG_PAM_AUTH_PAC handling in winbindd_pam_auth_crap_send()
       via  c1ab6c5 winbindd: let winbindd_pam_auth_pac_send() compute info6 from PAC
       via  be33ac4 winbindd: call add_trusted_domain_from_auth() in winbindd_pam_auth_crap_done()
       via  8269dc9 winbindd: get netr_SamInfo6 out of winbindd_dual_pam_auth_kerberos()
       via  95ca85d s3/rpc_client: add map_info6_to_validation()
       via  e57baf7 s3/auth: add create_info6_from_pac()
       via  f85ff76 s4/auth_winbind: ask for validation level 6
       via  974b4ea winbindd: allow validation level 6 in winbind_SamLogon
       via  dafb614 s3/rpc_client: add copy_netr_SamInfo6() and map_validation_to_info6()
       via  b06743e winbindd: introduce a cm_connect_netlogon_secure() which gives a valid netlogon_creds_ctx
       via  4dac164 winbindd: handle interactive logons in _winbind_SamLogon()
       via  41c0698 winbindd: pass 'bool interactive' to winbind_dual_SamLogon()
       via  ce965d3 winbindd: add a comment to a parameter in _winbind_SamLogon()
       via  fb14f0f winbindd: separate plaintext given and interactive in winbind_samlogon_retry_loop()
       via  05b7972 s3/rpc_client: add rpccli_netlogon_interactive_logon()
       via  6fac545 winbindd: add_trusted_domain_from_auth() should not use dns_name = ""
       via  c549aa4 wbinfo: avoid segfault in wbinfo_auth_crap() if winbindd is not available
       via  2fae412 winbindd: fix debug message in find_default_route_domain() on a DC
       via  bf361c5 s4/rpc_server: trigger trusts reload in winbindd after successful trust info acquisition
       via  bf8e88d winbindd: rename MSG_WINBIND_NEW_TRUSTED_DOMAIN to MSG_WINBIND_RELOAD_TRUSTED_DOMAINS
       via  cc7592e s4/rpc_server: remove unused data argument from MSG_WINBIND_NEW_TRUSTED_DOMAIN
       via  e465b1f winbindd: use add_trusted_domains_dc in wb_imsg_new_trusted_domain
       via  523ca1b winbindd: move loading of trusted domains on a DC to a separate function
       via  304c95c winbindd: don't force using LSA_LOOKUP_NAMES_ALL for non workstation trusts.
       via  5db31e7 s3:rpc_client: pass down lsa_LookupNamesLevel to dcerpc_lsa_lookup_sids_generic()
       via  33d901b winbindd: prepare find_lookup_domain_from_{name,sid}() transitive trusts on a DC
       via  296f677 winbindd: prepare find_auth_domain() transitive trusts on a DC
       via  d103727 winbindd: remove const from set_routing_domain()
       via  74bbba0 winbindd: use Netlogon{Interactive,Network}TransitiveInformation on transitive trusts
       via  5dc2e89 s3:rpc_client: allow passing NetlogonNetwork[Transitive]Information to rpccli_netlogon_network_logon()
       via  a895873 s3:rpc_client: allow Netlogon{Network,Interactive}TransitiveInformation in rpccli_netlogon_password_logon()
       via  0f86338 winbindd: add routing_domain as parameter to add_trusted_domain
       via  8cd948f winbindd: add missing can_do_ncacn_ip_tcp initialisation
       via  3a78306 winbindd: remove useless calls to get_trust_credentials() before cli_rpc_pipe_open_schannel_with_creds()
       via  ae13d62 winbindd: fix LSA connections via DCERPC_AUTH_SCHANNEL
       via  099b720 winbind: Fix CID 1427626 Uninitialized scalar variable
       via  d800e1c pdb: Fix CID 1427620 Resource leak
       via  4360d83 winbind: Fix CID 1427626 Uninitialized scalar variable
       via  8ee283a pdb: Fix CID 1427624 Resource leak
      from  b368ad2 docs-xml: Add 'samba-tool visualize' to man samba-tool.8.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test


- Log -----------------------------------------------------------------
commit ca87709326280a34a35fdb577d48ad339cb21a64
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 23 23:13:12 2018 +0100

    winbindd: WBFLAG_PAM_AUTH_PAC should call add_trusted_domain_from_auth() if the result is trusted

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Sat Feb 10 13:08:50 CET 2018 on sn-devel-144
    (cherry picked from commit 597e755328940fc964b861333b557b0650666b24)
    Autobuild-User(v4-8-test): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(v4-8-test): Sun Feb 11 15:37:51 CET 2018 on sn-devel-144

commit 7e8ee67c5bce9d901cb5c222744465ffad970c72
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 9 08:38:18 2018 +0100

    winbindd: rename winbindd_pam_auth_pac_send and let it return validation

    Just a preparatory step. The next commit will update the caller to make
    use of the validation info.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 8422c001bec169a73657b1d638ec8ec4c35c243a)

commit df6062e18d849f4ab1ca2f0c95e0395918ae4f4f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 23 23:10:42 2018 +0100

    winbindd: complete WBFLAG_PAM_AUTH_PAC handling in winbindd_pam_auth_crap_send()

    winbindd_pam_auth_crap_recv() should not have any real logic.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 5444cc4e7ed8ea0c063110f3b78f360d91b0b0a5)

commit c1ab6c5ee26cd9862c09776ec41e55da82233520
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 23 23:02:26 2018 +0100

    winbindd: let winbindd_pam_auth_pac_send() compute info6 from PAC

    This way we don't lose the DNS info and UPN. A subsequent commit will let
    winbindd_pam_auth_pac_send() return the full validation info.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 5ce3cb2fb468d8798980b49d84568782becf25ea)

commit be33ac40bf35b3c9d94c938a62802002e29ddca1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 23 22:00:35 2018 +0100

    winbindd: call add_trusted_domain_from_auth() in winbindd_pam_auth_crap_done()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 42e445396881c5b6651a0dde0abde3d6bb0740bf)

commit 8269dc95f089cb317987d558086c5424605388b1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 23 21:34:46 2018 +0100

    winbindd: get netr_SamInfo6 out of winbindd_dual_pam_auth_kerberos()

    This way we don't lose dns_domain_name and user principal.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 021d75fb223630d06a256a605659abda9ece853f)

commit 95ca85d0b0daa90199b0182f86cf4b073604d4d3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 23 21:32:53 2018 +0100

    s3/rpc_client: add map_info6_to_validation()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 2b0181877806f171eee053c246dcb2eda2300261)

commit e57baf76e3c33e9f55cb8afa3b70a7eac4de426e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 23 21:32:25 2018 +0100

    s3/auth: add create_info6_from_pac()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit d4ba23fd353ad387a374a5d7f6f6d085a0699d2c)

commit f85ff761905fb74a466c8dee985a12a27c4e65a6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 23 17:58:07 2018 +0100

    s4/auth_winbind: ask for validation level 6

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit e1ba81996033e7c2cfeba13124ee7f404ded2031)

commit 974b4eadd9f90fee930b0d4349c38a10d863642b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 23 17:57:37 2018 +0100

    winbindd: allow validation level 6 in winbind_SamLogon

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 1a9857369d2fae08fefef613cf6cbd3354092a4a)

commit dafb6140ccf679ae4402c3f3d086cca9f026a714
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 23 17:53:49 2018 +0100

    s3/rpc_client: add copy_netr_SamInfo6() and map_validation_to_info6()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13260
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 60aa5e7657608c1a5519c03e690cce58efd67abd)

commit b06743ec693b0da6ed997ad6738bf87e953b33b6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 2 15:24:00 2018 +0100

    winbindd: introduce a cm_connect_netlogon_secure() which gives a valid netlogon_creds_ctx

    A lot of callers require a valid schannel connection.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13259
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit b60c634123ee00021efc5b5aaa03e1663474d3da)

commit 4dac16450fa28c7165f2f9c31ba7e70d2a6d8b17
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 23 17:39:15 2018 +0100

    winbindd: handle interactive logons in _winbind_SamLogon()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit d76bcdb0854cff9b08010d47469fd48324d902bc)

commit 41c06989895c74fe2a66b804da90abb43ab2f839
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 23 17:37:54 2018 +0100

    winbindd: pass 'bool interactive' to winbind_dual_SamLogon()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 8c6c47aec0e91ab3944bea5f6eda8072f5db959d)

commit ce965d3b8d3d0df1685a31f5daf6ee43c141da91
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 8 17:23:49 2018 +0100

    winbindd: add a comment to a parameter in _winbind_SamLogon()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 2268f1c0dd1e8543c126553f80d94e80a1e32487)

commit fb14f0ff18059319ea8830234fba5a6f4b9b0a82
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 23 16:36:45 2018 +0100

    winbindd: separate plaintext given and interactive in winbind_samlogon_retry_loop()

    We need to handle 4 cases:
    plaintext_given=true interactive=true
    plaintext_given=false interactive=true
    plaintext_given=true interactive=false
    plaintext_given=false interactive=false

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit d1c3676197032487505e9069c0655427b5fd385c)

commit 05b797206cffbb4428d2dba11f0857b94579b7fc
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 9 16:15:18 2018 +0100

    s3/rpc_client: add rpccli_netlogon_interactive_logon()

    This will be used in a subsequent commit.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13258
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit be26a472ae082d612f9aec28c932d25e2317f9ba)

commit 6fac5451885937652969a26a19d6162433154148
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 23 23:19:32 2018 +0100

    winbindd: add_trusted_domain_from_auth() should not use dns_name = ""

    Check whether the DNS domain name in the info6 struct is actually more
    than just an empty string. If it is we want to call add_trusted_domain()
    with NULL as DNS domain name argument.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13257
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 2ee2551409e0bd0cd5bf130cc1e3736e58b8c14d)

commit c549aa4f1d89c30fd9af49627182b402d406a472
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sun Feb 4 22:48:01 2018 +0100

    wbinfo: avoid segfault in wbinfo_auth_crap() if winbindd is not available

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13256
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 8b0e1a77ae5f7ef6d8db9a05718afa8d472a971b)

commit 2fae4128318004354135d2a7d570855eab114d60
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 31 08:22:07 2018 +0100

    winbindd: fix debug message in find_default_route_domain() on a DC

    As we don't support multiple domains in a forest yet, we don't need to
    print a warning at log level 0. This also adds a missing \n.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13255
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit b112cbc2462edf810473026c133b0802d1e18468)

commit bf361c561465911500b7392b00b52a8746a732ea
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 18 16:35:52 2018 +0100

    s4/rpc_server: trigger trusts reload in winbindd after successful trust info acquisition

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 6151909c823016417f863c22e77c8a136f3fbb95)

commit bf8e88d250cb6a56bf45e9477fee507c546f82a6
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 18 16:35:13 2018 +0100

    winbindd: rename MSG_WINBIND_NEW_TRUSTED_DOMAIN to MSG_WINBIND_RELOAD_TRUSTED_DOMAINS

    This reflects the new implementation in winbindd.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 9f96ede6f500cc1a7c76e67ee785b44a99244d0d)

commit cc7592e52c3135dc6eba9c222c11cb7eccec1ba1
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 18 11:32:30 2018 +0100

    s4/rpc_server: remove unused data argument from MSG_WINBIND_NEW_TRUSTED_DOMAIN

    winbindd doesn't use that data anymore.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit ffa9eb7d6453eb6c6f3a50ad72288d3891361752)

commit e465b1fc48fb11bf67a92754aeeea6288cecee71
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 18 11:30:53 2018 +0100

    winbindd: use add_trusted_domains_dc in wb_imsg_new_trusted_domain

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit d8e4e7cae57eb192c6fcab6b9aef95fb10eeb5a8)

commit 523ca1b477a14337c1fc0da1fd037a69f6c0e22d
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 18 11:28:20 2018 +0100

    winbindd: move loading of trusted domains on a DC to a separate function

    This allows using the split out function in a subsequent commit in the
    MSG_WINBIND_NEW_TRUSTED_DOMAIN message handler.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13237
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 4274ef681bf3b974ce99b8f21fda3a86a5b305bc)

commit 304c95c2f27cadfe24adad652810c63792999a84
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jan 15 13:02:04 2018 +0100

    winbindd: don't force using LSA_LOOKUP_NAMES_ALL for non workstation trusts.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 728fb7c593230abeb681854d924e4619d6f4cf37)

commit 5db31e7d043b7825fb961034de7f5babbb832a60
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jan 15 12:57:11 2018 +0100

    s3:rpc_client: pass down lsa_LookupNamesLevel to dcerpc_lsa_lookup_sids_generic()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13236
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 7fc19747ef346df9cc72bb516b45a8309f462dd8)

commit 33d901ba3d3df00834c0e2dc6df62c06e21210f1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jan 15 12:06:50 2018 +0100

    winbindd: prepare find_lookup_domain_from_{name,sid}() transitive trusts on a DC

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 8b7bf6d4d81cde099d78cd9cc03aa085cec672d4)

commit 296f677b4aeb97234980cf46e008c96894f941bf
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jan 15 12:06:50 2018 +0100

    winbindd: prepare find_auth_domain() transitive trusts on a DC

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit af9a37aa1925a18709365ceb93460d8ae0f66f51)

commit d1037277e0ee299f1353f0c18c400a07fb947a0d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jan 15 12:03:11 2018 +0100

    winbindd: remove const from set_routing_domain()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13235
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit c5bd18c0021b428c669dbbc35f65a3d436b4add5)

commit 74bbba0ec5573d3dc4ad188df2d480dd5e3aa4fa
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jan 15 12:02:05 2018 +0100

    winbindd: use Netlogon{Interactive,Network}TransitiveInformation on transitive trusts

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 70bb9c27cf8c464d5af79acbe11a0d2d0e20f5a8)

commit 5dc2e891f1b497e62fb4b0cdcc198428bd97362b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jan 15 12:00:19 2018 +0100

    s3:rpc_client: allow passing NetlogonNetwork[Transitive]Information to rpccli_netlogon_network_logon()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 7329706a037fef75e8ced63bfb7ab93b64482eda)

commit a8958733fecec3f673240c0d7dfe7e042fe5d713
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jan 15 11:58:31 2018 +0100

    s3:rpc_client: allow Netlogon{Network,Interactive}TransitiveInformation in rpccli_netlogon_password_logon()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13234
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit fe47041b4bf8d2ef6f6f9ba15a80038f1c60da3f)

commit 0f86338b39b244b2d112dc112891ff1d072a2d79
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Jan 18 08:38:59 2018 +0100

    winbindd: add routing_domain as parameter to add_trusted_domain

    This also fixes the following CIDs:
    CID 1427622: Null pointer dereferences (REVERSE_INULL)
    CID 1427619: Null pointer dereferences (REVERSE_INULL)

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13233
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 9a613f4bccf171c40ede3e6ead9236463fcc5883)

commit 8cd948fe5e9c8562373f3d78e3806a81befc849f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jan 15 14:30:48 2018 +0100

    winbindd: add missing can_do_ncacn_ip_tcp initialisation

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13232
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 9fef5d1891e6c1aebea29fbfbb90e77631b7836c)

commit 3a78306d5118143fb43ee95c0bca3178251fa001
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jan 15 14:30:12 2018 +0100

    winbindd: remove useless calls to get_trust_credentials() before cli_rpc_pipe_open_schannel_with_creds()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13231
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 1918a870c38c29bd3a05cd3f660ffe6623121bf3)

commit ae13d62d4eb200f470fcbd2fa3bc7948609d9024
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jan 15 14:24:47 2018 +0100

    winbindd: fix LSA connections via DCERPC_AUTH_SCHANNEL

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13231
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 53484d0d98475f55ae3bd02e1a86b9c45b20e33d)

commit 099b72018c802f6e7c023db5e81797472419ee69
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Jan 17 14:45:49 2018 +0100

    winbind: Fix CID 1427626 Uninitialized scalar variable

    Likely a false positive, but Coverity can't follow all the paths leading
    to line 1598.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13263
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Wed Jan 17 23:58:34 CET 2018 on sn-devel-144
    (cherry picked from commit 3be1e68ce69f7ab8ac2cac97920c0e7f65b5ed6f)

commit d800e1cd81e575ecc61c5a14b127e8156a098257
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Jan 17 14:38:41 2018 +0100

    pdb: Fix CID 1427620 Resource leak

    It's not exactly a resource leak (we only really realloc if we shrink
    dramatically), but assigning the result from tdb_realloc looks nicer.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13263
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 4e5c9427085f001941adaf761b18740a2e169240)

commit 4360d83f77aeb54d6124bbc50e34def4884dcf5a
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Jan 17 14:42:31 2018 +0100

    winbind: Fix CID 1427626 Uninitialized scalar variable

    Likely a false positive, but Coverity can't follow all the paths leading
    to line 2030

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13263
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 92131d08987ac7c2fb219bf2e8300f3bc7b702f9)

commit 8ee283ab47ffed4ac1004c74ca200dc1e7bbff1e
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Jan 17 14:38:41 2018 +0100

    pdb: Fix CID 1427624 Resource leak

    It's not exactly a resource leak (we only really realloc if we shrink
    dramatically), but assigning the result from tdb_realloc looks nicer.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13263
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit e4f62d4e4b91395d46c99c2a5313b0536793cca7)

-----------------------------------------------------------------------

Summary of changes:
 librpc/idl/messaging.idl                  |   2 +-
 nsswitch/wbinfo.c                         |  13 +-
 source3/auth/proto.h                      |   4 +
 source3/auth/server_info.c                |  56 +++
 source3/passdb/pdb_samba_dsdb.c           |   5 +-
 source3/rpc_client/cli_lsarpc.c           |  10 +-
 source3/rpc_client/cli_lsarpc.h           |   1 +
 source3/rpc_client/cli_netlogon.c         | 131 ++++++-
 source3/rpc_client/cli_netlogon.h         |  16 +
 source3/rpc_client/util_netlogon.c        | 171 +++++++++
 source3/rpc_client/util_netlogon.h        |  11 +
 source3/winbindd/winbindd.h               |   3 +-
 source3/winbindd/winbindd_cm.c            |  59 ++--
 source3/winbindd/winbindd_dual.c          |   7 +-
 source3/winbindd/winbindd_dual_srv.c      | 182 +++++++---
 source3/winbindd/winbindd_msrpc.c         |  63 +++-
 source3/winbindd/winbindd_pam.c           | 252 +++++++++-----
 source3/winbindd/winbindd_pam_auth_crap.c | 106 +++---
 source3/winbindd/winbindd_proto.h         |  12 +-
 source3/winbindd/winbindd_util.c          | 556 ++++++++++++++----------------
 source4/auth/ntlm/auth_winbind.c          |   2 +-
 source4/rpc_server/lsa/dcesrv_lsa.c       |  28 +-
 22 files changed, 1168 insertions(+), 522 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/messaging.idl b/librpc/idl/messaging.idl index 37f8fcc..b35f1e1 100644 --- a/librpc/idl/messaging.idl +++ b/librpc/idl/messaging.idl @@ -123,7 +123,7 @@ interface messaging MSG_WINBIND_IP_DROPPED = 0x040A, MSG_WINBIND_DOMAIN_ONLINE = 0x040B, MSG_WINBIND_DOMAIN_OFFLINE = 0x040C, - MSG_WINBIND_NEW_TRUSTED_DOMAIN = 0x040D, + MSG_WINBIND_RELOAD_TRUSTED_DOMAINS = 0x040D, /* event messages */ MSG_DUMP_EVENT_LIST = 0x0500, diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c index 54d5758..82863c2 100644 --- a/nsswitch/wbinfo.c +++ b/nsswitch/wbinfo.c 
@@ -1798,13 +1798,22 @@ static bool wbinfo_auth_crap(char *username, bool use_ntlmv2, bool use_lanman) if (use_ntlmv2) { DATA_BLOB server_chal; DATA_BLOB names_blob; + const char *netbios_name = NULL; + const char *domain = NULL; + + netbios_name = get_winbind_netbios_name(), + domain = get_winbind_domain(); + if (domain == NULL) { + d_fprintf(stderr, "Failed to get domain from winbindd\n"); + return false; + } server_chal = data_blob(params.password.response.challenge, 8); /* Pretend this is a login to 'us', for blob purposes */ names_blob = NTLMv2_generate_names_blob(NULL, - get_winbind_netbios_name(), - get_winbind_domain()); + netbios_name, + domain); if (pass != NULL && !SMBNTLMv2encrypt(NULL, name_user, name_domain, pass, diff --git a/source3/auth/proto.h b/source3/auth/proto.h index e774670..ca851c2 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -312,6 +312,10 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx, const struct PAC_LOGON_INFO *logon_info, struct netr_SamInfo3 **pp_info3); +NTSTATUS create_info6_from_pac(TALLOC_CTX *mem_ctx, + const struct PAC_LOGON_INFO *logon_info, + const struct PAC_UPN_DNS_INFO *upn_dns_info, + struct netr_SamInfo6 **pp_info6); NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, struct samu *samu, const char *login_server, diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c index 7898175..339cce6 100644 --- a/source3/auth/server_info.c +++ b/source3/auth/server_info.c 
@@ -363,6 +363,62 @@ NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx, } /* + * Create a copy of an info6 struct from the PAC_UPN_DNS_INFO and PAC_LOGON_INFO + * then merge resource SIDs, if any, into it. If successful return the created + * info6 struct. + */ +NTSTATUS create_info6_from_pac(TALLOC_CTX *mem_ctx, + const struct PAC_LOGON_INFO *logon_info, + const struct PAC_UPN_DNS_INFO *upn_dns_info, + struct netr_SamInfo6 **pp_info6) +{ + NTSTATUS status; + struct netr_SamInfo6 *info6 = NULL; + struct netr_SamInfo3 *info3 = NULL; + + info6 = talloc_zero(mem_ctx, struct netr_SamInfo6); + if (info6 == NULL) { + return NT_STATUS_NO_MEMORY; + } + + status = copy_netr_SamInfo3(info6, + &logon_info->info3, + &info3); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(info6); + return status; + } + + status = merge_resource_sids(logon_info, info3); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(info6); + return status; + } + + info6->base = info3->base; + info6->sids = info3->sids; + info6->sidcount = info3->sidcount; + + if (upn_dns_info != NULL) { + info6->dns_domainname.string = talloc_strdup(info6, + upn_dns_info->dns_domain_name); + if (info6->dns_domainname.string == NULL) { + TALLOC_FREE(info6); + return NT_STATUS_NO_MEMORY; + } + info6->principal_name.string = talloc_strdup(info6, + upn_dns_info->upn_name); + if (info6->principal_name.string == NULL) { + TALLOC_FREE(info6); + return NT_STATUS_NO_MEMORY; + } + } + + *pp_info6 = info6; + return NT_STATUS_OK; +} + +/* * Check if this is a "Unix Users" domain user, or a * "Unix Groups" domain group, we need to handle it * in a special way if that's the case. diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c index 16a7a85..4e55a15 100644 --- a/source3/passdb/pdb_samba_dsdb.c +++ b/source3/passdb/pdb_samba_dsdb.c 
@@ -2959,7 +2959,7 @@ static NTSTATUS pdb_samba_dsdb_enum_trusteddoms(struct pdb_methods *m, domains[di++] = d; } - talloc_realloc(domains, domains, struct trustdom_info *, di); + domains = talloc_realloc(domains, domains, struct trustdom_info *, di); *_domains = talloc_move(mem_ctx, &domains); *_num_domains = di; TALLOC_FREE(tmp_ctx); @@ -3741,7 +3741,8 @@ static NTSTATUS pdb_samba_dsdb_enum_trusted_domains(struct pdb_methods *m, domains[di++] = d; } - talloc_realloc(domains, domains, struct pdb_trusted_domain *, di); + domains = talloc_realloc(domains, domains, struct pdb_trusted_domain *, + di); *_domains = talloc_move(mem_ctx, &domains); *_num_domains = di; TALLOC_FREE(tmp_ctx); diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c index 41c1ef4..65c6ca0 100644 --- a/source3/rpc_client/cli_lsarpc.c +++ b/source3/rpc_client/cli_lsarpc.c @@ -172,6 +172,7 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h, struct policy_handle *pol, int num_sids, const struct dom_sid *sids, + enum lsa_LookupNamesLevel level, char **domains, char **names, enum lsa_SidType *types, @@ -183,7 +184,6 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h, struct lsa_SidArray sid_array; struct lsa_RefDomainList *ref_domains = NULL; struct lsa_TransNameArray lsa_names; - enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL; uint32_t count = 0; int i; @@ -348,6 +348,7 @@ NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h, struct policy_handle *pol, int num_sids, const struct dom_sid *sids, + enum lsa_LookupNamesLevel level, char ***pdomains, char ***pnames, enum lsa_SidType **ptypes, @@ -414,6 +415,7 @@ NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h, pol, hunk_num_sids, hunk_sids, + level, hunk_domains, hunk_names, hunk_types, 
@@ -489,11 +491,13 @@ NTSTATUS dcerpc_lsa_lookup_sids(struct dcerpc_binding_handle *h, enum lsa_SidType **ptypes, NTSTATUS *result) { + enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL; return dcerpc_lsa_lookup_sids_generic(h, mem_ctx, pol, num_sids, sids, + level, pdomains, pnames, ptypes, @@ -512,12 +516,14 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, { NTSTATUS status; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL; status = dcerpc_lsa_lookup_sids_generic(cli->binding_handle, mem_ctx, pol, num_sids, sids, + level, pdomains, pnames, ptypes, @@ -540,11 +546,13 @@ NTSTATUS dcerpc_lsa_lookup_sids3(struct dcerpc_binding_handle *h, enum lsa_SidType **ptypes, NTSTATUS *result) { + enum lsa_LookupNamesLevel level = LSA_LOOKUP_NAMES_ALL; return dcerpc_lsa_lookup_sids_generic(h, mem_ctx, pol, num_sids, sids, + level, pdomains, pnames, ptypes, diff --git a/source3/rpc_client/cli_lsarpc.h b/source3/rpc_client/cli_lsarpc.h index 4f9464d..f716b04 100644 --- a/source3/rpc_client/cli_lsarpc.h +++ b/source3/rpc_client/cli_lsarpc.h @@ -130,6 +130,7 @@ NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h, struct policy_handle *pol, int num_sids, const struct dom_sid *sids, + enum lsa_LookupNamesLevel level, char ***pdomains, char ***pnames, enum lsa_SidType **ptypes, diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 800b995..2aa0f5e 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -490,7 +490,8 @@ NTSTATUS rpccli_netlogon_password_logon( /* Initialise input parameters */ switch (logon_type) { - case NetlogonInteractiveInformation: { + case NetlogonInteractiveInformation: + case NetlogonInteractiveTransitiveInformation: { struct netr_PasswordInfo *password_info; 
@@ -519,7 +520,8 @@ NTSTATUS rpccli_netlogon_password_logon( break; } - case NetlogonNetworkInformation: { + case NetlogonNetworkInformation: + case NetlogonNetworkTransitiveInformation: { struct netr_NetworkInfo *network_info; uint8_t chal[8]; unsigned char local_lm_response[24]; @@ -608,6 +610,7 @@ NTSTATUS rpccli_netlogon_network_logon( const uint8_t chal[8], DATA_BLOB lm_response, DATA_BLOB nt_response, + enum netr_LogonInfoClass logon_type, uint8_t *authoritative, uint32_t *flags, uint16_t *_validation_level, @@ -627,6 +630,16 @@ NTSTATUS rpccli_netlogon_network_logon( ZERO_STRUCT(lm); ZERO_STRUCT(nt); + switch (logon_type) { + case NetlogonNetworkInformation: + case NetlogonNetworkTransitiveInformation: + break; + default: + DEBUG(0, ("switch value %d not supported\n", + logon_type)); + return NT_STATUS_INVALID_INFO_CLASS; + } + logon = talloc_zero(mem_ctx, union netr_LogonLevel); if (!logon) { return NT_STATUS_NO_MEMORY; 
@@ -672,7 +685,117 @@ NTSTATUS rpccli_netlogon_network_logon( status = netlogon_creds_cli_LogonSamLogon(creds_ctx, binding_handle, - NetlogonNetworkInformation, + logon_type, + logon, + mem_ctx, + &validation_level, + &validation, + authoritative, + flags); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + *_validation_level = validation_level; + *_validation = validation; + + return NT_STATUS_OK; +} + +NTSTATUS rpccli_netlogon_interactive_logon( + struct netlogon_creds_cli_context *creds_ctx, + struct dcerpc_binding_handle *binding_handle, + TALLOC_CTX *mem_ctx, + uint32_t logon_parameters, + const char *username, + const char *domain, + const char *workstation, + DATA_BLOB lm_hash, + DATA_BLOB nt_hash, + enum netr_LogonInfoClass logon_type, + uint8_t *authoritative, + uint32_t *flags, + uint16_t *_validation_level, + union netr_Validation **_validation) +{ + TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS status; + const char *workstation_name_slash; + union netr_LogonLevel *logon = NULL; + struct netr_PasswordInfo *password_info = NULL; + uint16_t validation_level = 0; + union netr_Validation *validation = NULL; + struct netr_ChallengeResponse lm; + struct netr_ChallengeResponse nt; + + *_validation = NULL; + + ZERO_STRUCT(lm); + ZERO_STRUCT(nt); + + switch (logon_type) { + case NetlogonInteractiveInformation: + case NetlogonInteractiveTransitiveInformation: + break; + default: + DEBUG(0, ("switch value %d not supported\n", + logon_type)); + TALLOC_FREE(frame); + return NT_STATUS_INVALID_INFO_CLASS; + } + + logon = talloc_zero(mem_ctx, union netr_LogonLevel); + if (logon == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + password_info = talloc_zero(logon, struct netr_PasswordInfo); + if (password_info == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + if (workstation[0] != '\\' && workstation[1] != '\\') { + workstation_name_slash = talloc_asprintf(frame, "\\\\%s", workstation); + } else { + 
workstation_name_slash = workstation; + } + + if (workstation_name_slash == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + /* Initialise input parameters */ + + password_info->identity_info.domain_name.string = domain; + password_info->identity_info.parameter_control = logon_parameters; + password_info->identity_info.logon_id_low = 0xdead; + password_info->identity_info.logon_id_high = 0xbeef; + password_info->identity_info.account_name.string = username; + password_info->identity_info.workstation.string = workstation_name_slash; + + if (nt_hash.length != sizeof(password_info->ntpassword.hash)) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_PARAMETER; + } + memcpy(password_info->ntpassword.hash, nt_hash.data, nt_hash.length); + if (lm_hash.length != 0) { + if (lm_hash.length != sizeof(password_info->lmpassword.hash)) { + TALLOC_FREE(frame); + return NT_STATUS_INVALID_PARAMETER; + } + memcpy(password_info->lmpassword.hash, lm_hash.data, lm_hash.length); + } + + logon->password = password_info; + + /* Marshall data and send request */ + + status = netlogon_creds_cli_LogonSamLogon(creds_ctx, + binding_handle, + logon_type, logon, mem_ctx, &validation_level, @@ -680,11 +803,13 @@ NTSTATUS rpccli_netlogon_network_logon( authoritative, flags); if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); return status; } *_validation_level = validation_level; *_validation = validation; + TALLOC_FREE(frame); return NT_STATUS_OK; } diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h index d31bdee..d0232b5 100644 --- a/source3/rpc_client/cli_netlogon.h +++ b/source3/rpc_client/cli_netlogon.h 
@@ -84,6 +84,22 @@ NTSTATUS rpccli_netlogon_network_logon( const uint8_t chal[8], DATA_BLOB lm_response, DATA_BLOB nt_response, + enum netr_LogonInfoClass logon_type, + uint8_t *authoritative, + uint32_t *flags, + uint16_t *_validation_level, + union netr_Validation **_validation); +NTSTATUS rpccli_netlogon_interactive_logon( + struct netlogon_creds_cli_context *creds_ctx, + struct dcerpc_binding_handle *binding_handle, + TALLOC_CTX *mem_ctx, + uint32_t logon_parameters, + const char *username, + const char *domain, + const char *workstation, + DATA_BLOB lm_hash, + DATA_BLOB nt_hash, + enum netr_LogonInfoClass logon_type, uint8_t *authoritative, uint32_t *flags, uint16_t *_validation_level, diff --git a/source3/rpc_client/util_netlogon.c b/source3/rpc_client/util_netlogon.c index 15c769f..2d73bc9 100644 --- a/source3/rpc_client/util_netlogon.c +++ b/source3/rpc_client/util_netlogon.c 
@@ -190,6 +190,152 @@ NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +NTSTATUS copy_netr_SamInfo6(TALLOC_CTX *mem_ctx, + const struct netr_SamInfo6 *in, + struct netr_SamInfo6 **pout) +{ + struct netr_SamInfo6 *info6 = NULL; + unsigned int i; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + + info6 = talloc_zero(mem_ctx, struct netr_SamInfo6); + if (info6 == NULL) { + status = NT_STATUS_NO_MEMORY; + goto out; + } + + status = copy_netr_SamBaseInfo(info6, &in->base, &info6->base); + if (!NT_STATUS_IS_OK(status)) { + goto out; + } + + if (in->sidcount) { + info6->sidcount = in->sidcount; + info6->sids = talloc_array(info6, struct netr_SidAttr, + in->sidcount); + if (info6->sids == NULL) { + status = NT_STATUS_NO_MEMORY; + goto out; + } + + for (i = 0; i < in->sidcount; i++) { + info6->sids[i].sid = dom_sid_dup(info6->sids, + in->sids[i].sid); + if (info6->sids[i].sid == NULL) { + status = NT_STATUS_NO_MEMORY; + goto out; + } + info6->sids[i].attributes = in->sids[i].attributes; + } + } + + if (in->dns_domainname.string != NULL) { + info6->dns_domainname.string = talloc_strdup(info6, + in->dns_domainname.string); + if (info6->dns_domainname.string == NULL) { + status = NT_STATUS_NO_MEMORY; + goto out; -- Samba Shared Repository
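Review bot: in source3/rpc_client/cli_netlogon.c, hunk @@ -627,6 +630,16 @@ (rpccli_netlogon_network_logon), the default branch of the new logon_type switch logs at DEBUG(0, ...) with the text "switch value %d not supported", which names neither the function nor the parameter. An unsupported logon_type is a caller error rather than an operational failure, so a higher debug level and a message that identifies rpccli_netlogon_network_logon and logon_type would make the log line usable. The same message is repeated verbatim in rpccli_netlogon_interactive_logon, so the two cannot be told apart in a log. The enum is also passed to %d without a cast to int.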
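Review bot: in source3/rpc_client/cli_netlogon.c, hunk @@ -672,7 +685,117 @@ (new rpccli_netlogon_interactive_logon), the workstation prefix test uses && where || is needed. The line if (workstation[0] != '\\' && workstation[1] != '\\') skips the "\\\\%s" prefix as soon as either of the first two characters is a backslash, and for an empty workstation string it evaluates workstation[1], one byte past the terminating NUL. With || the prefix is added to every name that does not already start with two backslashes, and the test short-circuits before the second index on an empty string. workstation is also dereferenced without a NULL check. Separately, logon is allocated on the caller's mem_ctx, but every error return after that point frees only frame, so the NT_STATUS_NO_MEMORY and NT_STATUS_INVALID_PARAMETER paths leave logon behind on mem_ctx, and once the memcpy of nt_hash has run the copied hash stays there too, on the success path as well. Allocating logon on frame would let TALLOC_FREE(frame) release it on every path, provided nothing needs it after the call returns. The lm and nt netr_ChallengeResponse locals are zeroed but never used in this function and can be dropped.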
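Review bot: in source3/rpc_client/cli_netlogon.h, hunk @@ -84,6 +84,22 @@, the two prototypes gain a logon_type parameter and rpccli_netlogon_interactive_logon gains lm_hash and nt_hash blobs, but nothing documents the constraints the .c file enforces. Per the implementation, rpccli_netlogon_network_logon accepts only NetlogonNetworkInformation and NetlogonNetworkTransitiveInformation, the interactive variant accepts only the two Interactive classes, nt_hash.length must equal sizeof(password_info->ntpassword.hash), and lm_hash may be empty. A short comment above each prototype stating these rules, and that other values return NT_STATUS_INVALID_INFO_CLASS or NT_STATUS_INVALID_PARAMETER, would save callers from reading the function bodies.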
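Review bot: in source3/rpc_client/util_netlogon.c, hunk @@ -190,6 +190,152 @@ (new copy_netr_SamInfo6), the SID copy loop trusts in->sidcount without checking in->sids. When in->sidcount is non-zero and in->sids is NULL, the loop dereferences in->sids[i].sid on the first iteration. Since this structure is filled from validation data received from elsewhere, a guard such as if (in->sidcount != 0 && in->sids == NULL) returning NT_STATUS_INVALID_PARAMETER before the talloc_array call would make the copy robust against an inconsistent input. The function also dereferences in (&in->base) without a NULL check. Setting info6->sidcount only after the array has been fully populated would avoid exposing a count that is larger than the number of valid entries if the loop bails out partway through.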