samba.git/source3/winbindd, branch talloc-2.3.2 Unnamed repository; edit this file 'description' to name the repository. auth:creds: Rename CRED_USE_KERBEROS values 2020-11-03T15:25:37+00:00 Andreas Schneider asn@samba.org 2020-08-20T07:40:41+00:00 1298280a22ef7494fb85a6a5953bae15d22fa204 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 CVE-2020-14323 winbind: Fix invalid lookupsids DoS 2020-10-29T10:25:37+00:00 Volker Lendecke vl@samba.org 2020-07-09T19:49:25+00:00 a380f19d570003c0134e5a9618fbeee524ca332a A lookupsids request without extra_data will lead to "state->domain==NULL", which makes winbindd_lookupsids_recv trying to dereference it. Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436 Signed-off-by: Volker Lendecke <vl@samba.org> 
A lookupsids request without extra_data will lead to "state->domain==NULL",
which makes winbindd_lookupsids_recv trying to dereference it.

Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
Signed-off-by: Volker Lendecke <vl@samba.org>
daemons: report status to systemd even when running in foreground 2020-10-26T19:58:17+00:00 Alexander Bokovoy ab@samba.org 2020-10-24T13:52:43+00:00 3e27dc4847bd35ca8914be087d5a8ca096510399 When systemd launches samba services, the configuration we have in systemd service files expects that the main process (/usr/sbin/*) would use sd_notify() to report back its status. However, we only use sd_notify() when running become_daemon(). As a result, samba/smbd/winbindd/nmbd processes never report back its status and the status updates from other childs (smbd, winbindd, etc) are not accepted as we now have implied NotifyAccess=main since commit d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc This leads to a timeout and killing samba process by systemd. Situation is reproducible in Fedora 33, for example. Make sure that we have required status updates for all daemons in case we aren't runnning in interactive mode. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14552 Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Mon Oct 26 19:58:18 UTC 2020 on sn-devel-184 
When systemd launches samba services, the configuration we have in
systemd service files expects that the main process (/usr/sbin/*)
would use sd_notify() to report back its status. However, we only use
sd_notify() when running become_daemon().

As a result, samba/smbd/winbindd/nmbd processes never report back its
status and the status updates from other childs (smbd, winbindd, etc)
are not accepted as we now have implied NotifyAccess=main since commit
d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc

This leads to a timeout and killing samba process by systemd. Situation
is reproducible in Fedora 33, for example.

Make sure that we have required status updates for all daemons in case
we aren't runnning in interactive mode.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14552

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Oct 26 19:58:18 UTC 2020 on sn-devel-184
librpc/dcesrv_core: move two rpcint_dispatch() copies into dcesrv_call_dispatch_local() 2020-10-23T16:02:37+00:00 Stefan Metzmacher metze@samba.org 2020-10-23T09:42:14+00:00 7c8a7e8a15b433cd151afff0b52e9e5096a2c230 We only need this function once, so that we need to fix bugs only once... BUG: https://bugzilla.samba.org/show_bug.cgi?id=14551 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Samuel Cabrero <scabrero@samba.org> 
We only need this function once, so that we need to fix bugs only once...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14551

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
wb_sids2xids: defer/skip wb_lookupsids* unless we get ID_TYPE_WB_REQUIRE_TYPE 2020-10-23T04:47:26+00:00 Stefan Metzmacher metze@samba.org 2020-09-11T14:24:49+00:00 54b4d2d3cb307019a260d15c6e6b4a3fb7fc337c We try to give a valid hint for predefined sids and pass ID_TYPE_BOTH as a hint that the domain part of the sid is valid. In most cases the idmap child/backend does not require a type_hint as mappings already exist. This is a speed up as we no longer need to contact a domain controller. It's also possible to accept kerberos authentication without reaching out to a domain controller at all (if the idmap backend doesn't need a hint). BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Oct 23 04:47:26 UTC 2020 on sn-devel-184 
We try to give a valid hint for predefined sids and
pass ID_TYPE_BOTH as a hint that the domain part of the sid is valid.

In most cases the idmap child/backend does not require a type_hint
as mappings already exist.

This is a speed up as we no longer need to contact a domain controller.

It's also possible to accept kerberos authentication without reaching
out to a domain controller at all (if the idmap backend doesn't need a
hint).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 23 04:47:26 UTC 2020 on sn-devel-184
winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE 2020-10-23T03:25:37+00:00 Stefan Metzmacher metze@samba.org 2020-09-15T15:26:11+00:00 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87 This must only be used between winbindd parent and child! It must not leak into outside world. Some backends require ID_TYPE_UID or ID_TYPE_GID as type_hint, while others may only need ID_TYPE_BOTH in order to validate that the domain exists. This will allow us to skip the wb_lookupsids_send/recv in the winbindd parent in future and only do that on demand. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
This must only be used between winbindd parent and child!
It must not leak into outside world.

Some backends require ID_TYPE_UID or ID_TYPE_GID as type_hint,
while others may only need ID_TYPE_BOTH in order to validate that
the domain exists.

This will allow us to skip the wb_lookupsids_send/recv in the winbindd parent
in future and only do that on demand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
wb_sids2xids: build state->idmap_doms based on wb_parent_idmap_config 2020-10-23T03:25:37+00:00 Stefan Metzmacher metze@samba.org 2020-09-10T15:13:14+00:00 c55f4f37589130a0d8952489da175bbcf53f6748 In future we'll try to avoid wb_lookupsids_send() and only call it if needed. The domain name passed should be only relevant to find the correct idmap backend, and these should all be available in wb_parent_idmap_config as it was created before the idmap child was forked. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
In future we'll try to avoid wb_lookupsids_send() and only call
it if needed.

The domain name passed should be only relevant to find the correct
idmap backend, and these should all be available in
wb_parent_idmap_config as it was created before the idmap child was forked.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
wb_sids2xids: fill cache as soon as possible 2020-10-23T03:25:37+00:00 Stefan Metzmacher metze@samba.org 2020-09-10T21:06:02+00:00 3f4626ea6d235470195918b77af35ac2cfeb227c After adding entries to the cache we can mark them as filled from the cache by setting its domain_index to UINT32_MAX. This will allow further changes to fill the results into state->all_ids in steps. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
After adding entries to the cache we can mark them
as filled from the cache by setting its domain_index
to UINT32_MAX.

This will allow further changes to fill the results
into state->all_ids in steps.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
wb_sids2xids: directly use state->all_ids to collect results 2020-10-23T03:25:37+00:00 Stefan Metzmacher metze@samba.org 2020-09-15T12:17:37+00:00 374acc2e5fcc3c4b40f41906d0349499e3304841 In order to translate the indexes from state->lookup_sids[] for wb_lookupsids_send/recv() and state->map_ids.ids[] for dcerpc_wbint_Sids2UnixIDs_send/recv() back to state->all_ids.ids[] or state->sids[] we have state->tmp_idx[]. This simplifies wb_sids2xids_recv() a lot and make further restructuring much easier. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
In order to translate the indexes from state->lookup_sids[]
for wb_lookupsids_send/recv() and state->map_ids.ids[]
for dcerpc_wbint_Sids2UnixIDs_send/recv() back to
state->all_ids.ids[] or state->sids[] we have state->tmp_idx[].

This simplifies wb_sids2xids_recv() a lot and make further
restructuring much easier.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
wb_sids2xids: change 'i' to 'li' in wb_sids2xids_lookupsids_done() 2020-10-23T03:25:37+00:00 Stefan Metzmacher metze@samba.org 2020-09-15T11:58:26+00:00 19c8b6a8b188e45a6342a3d1308085800388a38e With all the indexes we have into various array, this makes clear 'li' is the index into the state->lookup_sids array. This makes the following changes easier to review. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
With all the indexes we have into various array, this makes clear
'li' is the index into the state->lookup_sids array.

This makes the following changes easier to review.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>