Volker Lendecke [Tue, 3 Jan 2017 14:54:46 +0000 (14:54 +0000)]
winbind: Add "expand_local_aliases" to wb_gettoken
I hate passing down booleans, but we have the "domain_groups_only"
parameter in wbcLookupUserSids which we need to keep for API
compatibility. To make sure we use as few code paths as possible, this
basically passes down this flag.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Sat, 31 Dec 2016 12:45:51 +0000 (12:45 +0000)]
torture-netlogon: Use "all_zero" where appropriate
... Saves a few bytes of footprint
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jan 3 19:56:17 CET 2017 on sn-devel-144
Volker Lendecke [Mon, 19 Dec 2016 19:18:41 +0000 (20:18 +0100)]
libsmb: Add name_status_lmhosts
Don't ask... Oh, you did? :-)
Try to figure out a hosts' name from lmhosts. This is for a setup I've
come across where for several reasons kerberos and ldap were unusable
(very organically grown but unchangeable Solaris 10 installation with
tons of ancient libs that ./configure incorrectly finds and where tar xf
samba-4.5.3.tar takes 5 minutes...), so I had to fall back to compile
with --without-ads. Unfortunately in that environment NetBIOS was also
turned off, but the "winbind rpc only" code relies on name_status to
get a DC's name from its IP address for the netlogon calls. This walks
the local lmhosts file to scan for the same information.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Fri, 30 Dec 2016 11:51:37 +0000 (11:51 +0000)]
winbind: Remove find_builtin_domain helper function
There was only one caller, and the function was pretty small anyway.
This makes a "git grep find_domain_from" more obvious :-)
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jan 2 21:52:02 CET 2017 on sn-devel-144
Volker Lendecke [Thu, 29 Dec 2016 18:13:28 +0000 (18:13 +0000)]
winbind: Add wbint_QueryUserRidList
This is an equivalent of QueryUserList with simpler output. The next
commit will use it to go through wb_getpwsid for getent passwd, to
make sure we get the same results. Eventually, this might get a simpler
backend.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Thu, 29 Dec 2016 10:27:58 +0000 (10:27 +0000)]
idmap_ad: Restore querying SFU nss info
With the last commit the getpwsid call did not look at the winbind
nss info parameter anymore. This restores it for the idmap ad backend
with slightly different semantics and configuration: We now have the
unix_primary_group and unix_nss_info domain-specific parameters for
idmap config. This enables overriding the Windows primary group with
the unix one.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Thu, 29 Dec 2016 10:05:28 +0000 (10:05 +0000)]
winbind: Restructure wb_getpwsid
This patch moves the responsibility to create a winbind user from the
winbind backends into wb_queryuser.c. The name comes from lsa_lookupsids,
the uid from idmap. If we have a netsamlogon_cache, we get the primary
group sid from there. Without netsamlogon_cache, we default to -513, as
we do right now as default for non-reachable ADS domains anyway. Shell
and homedir default to template. This can all be done in the parent
without contacting any LDAP-related calls and is correct once we have
a netsamlogon_cache.
Once the parent has filled in the userinfo, the idmap child is queried
with the GetNssInfo call, taking the userinfo [in,out]. The child is
free to override the whole thing, something the AD backend will do in
the next patch.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Thu, 29 Dec 2016 09:56:29 +0000 (09:56 +0000)]
winbind: Add a GetNssInfo parent/child call
This call will be done in the idmap child. It is not 100% the right place,
but there is no better one available to me. It will become a replacement
for the "winbind nss info" parameter: This global parameter is good
for just one domain. It might be possible to have idmap backend AD for
different domains, and the NSS info like primary gid, homedir and shell
might be done with different policies per domain. As we already have a
domain-specific idmap configuration, doing the NSS info configuration
there also is the closest way to do it.
The alternative, if we did not want to put this call into the idmap child
would be to establish an equivalent engine like the whole "idmap config
*" just for the nss info. But as I believe this is closely related,
I'll just keep it in the idmap child.
This also extends the wbint_userinfo structure with pretty much all user
related fields. The idea is that the GetNssInfo call can do whatever it
wants with it.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
s3:librpc/gse: make use of gss_krb5_import_cred() instead of gss_acquire_cred()
This avoids the usage of the ccselect_realm logic in MIT krb5,
which leads to unpredictable results.
The problem is the usage of gss_acquire_cred(), that just creates
a credential handle without ccache.
As result gss_init_sec_context() will trigger a code path
where it use "ccselect" plugins. And the ccselect_realm
module just chooses a random ccache from a global list
where the realm of the provides target principal matches
the realm of the ccache user principal.
In the winbindd case we're using MEMORY:cliconnect to setup
the smb connection to the DC. For ldap connections we use
MEMORY:winbind_ccache.
The typical case is that we do the smb connection first.
If we try to create a new ldap connection, while the
credentials in MEMORY:cliconnect are expired,
we'll do the required kinit into MEMORY:winbind_ccache,
but the ccselect_realm module will select MEMORY:cliconnect
and tries to get a service ticket for the ldap server
using the already expired TGT from MEMORY:cliconnect.
The solution will be to use gss_krb5_import_cred() and explicitly
pass the desired ccache, which avoids the ccselect logic.
We could also use gss_acquire_cred_from(), but that's only available
in modern MIT krb5 versions, while gss_krb5_import_cred() is available
in heimdal and all supported MIT versions (>=1.9).
As far as I can see both call the same internal function in MIT
(at least for the ccache case).
Lukas Slebodnik [Tue, 6 Dec 2016 17:07:50 +0000 (18:07 +0100)]
WAF: Fix detection of IPv6
Detection of IPv6 failed with strict CFLAGS due to missing
header file.
Checking for HAVE_IPV6 : not found
../test.c: In function ‘main’:
../test.c:226:34: error: implicit declaration of function
‘if_nametoindex’ [-Werror=implicit-function-declaration]
int idx = if_nametoindex("iface1");
^~~~~~~~~~~~~~
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jan 2 18:03:20 CET 2017 on sn-devel-144
Lukas Slebodnik [Tue, 6 Dec 2016 17:07:43 +0000 (18:07 +0100)]
WAF: Fix detection os sysname ...
Detection of sysname failed with stricter CFLAGS
"-Werrorr=implicit-function-declaration -Werror=implicit-int"
Checking uname sysname type : not found
Checking uname machine type : not found
Checking uname release type : not found
Checking uname version type : not found
../test.c: In function ‘main’:
../test.c:8:32: error: implicit declaration of function ‘printf’
[-Werror=implicit-function-declaration]
printf("%s", n.sysname);
^~~~~~
../test.c:8:32: warning: incompatible implicit declaration
of built-in function ‘printf’
../test.c:8:32: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Lukas Slebodnik [Tue, 6 Dec 2016 17:07:36 +0000 (18:07 +0100)]
WAF: Fix detection of linker features
Following check of linker feature failed with strict CFLAGS
"-Werrorr=implicit-function-declaration -Werror=implicit-int"
Checking for rpath library support : not found
Checking for -Wl,--version-script support : not found
../main.c: In function ‘main’:
../main.c:1:26: error: implicit declaration of function ‘lib_func’
[-Werror=implicit-function-declaration]
int main(void) {return !(lib_func() == 42);}
^~~~~~~~
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Lukas Slebodnik [Tue, 6 Dec 2016 17:07:18 +0000 (18:07 +0100)]
lib replace: Fix detection of features
If configure script is executed with stricter cflags
"-Werrorr=implicit-function-declaration -Werror=implicit-int"
then detection of few features will fail.
Checking for C99 vsnprintf : not found
Checking for HAVE_SHARED_MMAP : not found
Checking for HAVE_MREMAP : not found
lib/replace/test/shared_mmap.c:18:1:
error: return type defaults to ‘int’ [-Werror=implicit-int]
main()
^~~~
lib/replace/test/shared_mmap.c: In function ‘main’:
lib/replace/test/shared_mmap.c:25:16:
error: implicit declaration of function ‘exit’
[-Werror=implicit-function-declaration]
if (fd == -1) exit(1);
^~~~
lib/replace/test/shared_mmap.c:25:16:
warning: incompatible implicit declaration of built-in function ‘exit’
lib/replace/test/shared_mmap.c:25:16:
note: include ‘<stdlib.h>’ or provide a declaration of ‘exit’
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jan 1 13:47:26 CET 2017 on sn-devel-144
Volker Lendecke [Tue, 27 Dec 2016 13:08:58 +0000 (13:08 +0000)]
idmap4: Use sid_check_is_in_unix_groups()
This avoids the need for the special unix groups sid
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Thu Dec 29 00:05:25 CET 2016 on sn-devel-144
Martin Schwenke [Tue, 27 Dec 2016 19:18:26 +0000 (06:18 +1100)]
ctdb-takeover: Clean up when exiting on error
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Dec 28 05:18:08 CET 2016 on sn-devel-144
Volker Lendecke [Tue, 27 Dec 2016 10:19:17 +0000 (10:19 +0000)]
winbindd: Use idmap cache in xids2sids
Typically smbd should have looked into the idmap cache itself before
contacting winbind. But winbind has internal users of this API (getpwuid
and getgrgid for example), and those need to use the cache too.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Wed Dec 28 00:06:41 CET 2016 on sn-devel-144
Volker Lendecke [Tue, 20 Dec 2016 15:22:48 +0000 (16:22 +0100)]
idmap: Prime gencache after xids2sids calls
This fixes a performance regression for "hide unreadable". With an empty
gencache, we only do xid2sid calls when reading a large number of acls. We
lost caching the xid2sid calls while implmenting the multiple-id calls,
probably because at that time the bug with ID_TYPE_BOTH backends was still
pending. This patch restores the xid2sid caching hopefully correctly.
Volker Lendecke [Wed, 21 Dec 2016 10:29:08 +0000 (11:29 +0100)]
idmap: Pass up the xid2sids unix-ids from the idmap child
When asking for gid2sid with an idmap backend that does ID_TYPE_BOTH
and the sid in question is actually a user, the parent winbind needs
to know about it. The next commit will prime the gencache also after
xid2sid calls, and if we filled it with a ID_TYPE_GID entry, a later
sid2uid call would fail.
Volker Lendecke [Sun, 11 Dec 2016 18:57:20 +0000 (19:57 +0100)]
idmap_rid: Add the error string in a debug
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Dec 27 18:05:13 CET 2016 on sn-devel-144
krb5_wrap: fix smb_krb5_cc_copy_creds() for MIT krb5
krb5_cc_copy_creds() expects an already initialized output cache.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Dec 24 21:04:23 CET 2016 on sn-devel-144
Garming Sam [Thu, 22 Dec 2016 02:10:24 +0000 (15:10 +1300)]
ldb_tdb: avoid erroneous error messages
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Fri Dec 23 02:28:54 CET 2016 on sn-devel-144
s3:libsmb: Always use GENSEC_OID_SPNEGO in cli_smb1_setup_encryption_send()
Also old servers should be able to handle NTLMSSP via SPNEGO.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Dec 21 22:21:08 CET 2016 on sn-devel-144
projects / thirdparty / samba.git / log
