path: root/auth/common_auth.h
Commit message | Author | Age | Files | Lines
* auth/common: add support for auth4_ctx->check_ntlm_password_send/recv() | Stefan Metzmacher | 2017-08-07 | 1 | -0/+10
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* heimdal: Pass extra information to hdb_auth_status() to log success and failures | Andrew Bartlett | 2017-03-29 | 1 | -0/+7
  We now pass on the original client name and the client address to allow consistent audit logging in Samba across multiple protocols. We use config->db[0] to find the first database to record incorrect users.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* auth: Add hooks for notification of authentication events over the message bus | Andrew Bartlett | 2017-03-29 | 1 | -2/+26
  This will allow tests to be written to confirm the correct events are triggered. We pass in a messaging context from the callers
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* auth: Log the transport connection for the authorization | Andrew Bartlett | 2017-03-29 | 1 | -0/+7
  We also log if a simple bind was over TLS, as this particular case matters to a lot of folks
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* auth_log: Also log the final type of authentication (ntlmssp,krb5) | Andrew Bartlett | 2017-03-29 | 1 | -0/+1
  Administrators really care about how their users were authenticated, so make this clear.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Add logging of service authorization | Andrew Bartlett | 2017-03-29 | 1 | -0/+5
  In ntlm_auth.c and authdata.c, the session info will be incomplete
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Generate a human readable Authentication log message. | Gary Lockyer | 2017-03-29 | 1 | -0/+6
  Add a human readable authentication log line, to allow verification that all required details are being passed.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Add "auth_description" to allow logs to distinguish simple bind (etc) | Andrew Bartlett | 2017-03-29 | 1 | -0/+1
  This will allow the authentication log to indicate clearly how the password was supplied to the server.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* gensec: Pass service_description into auth_usersuppliedinfo during NTLMSSP | Andrew Bartlett | 2017-03-29 | 1 | -0/+2
  This allows the GENSEC service description to be read at authentication time for logging, eg that the user authenticated to the SAMR server
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* s4-netlogon: Remember many more details in the auth_usersupplied info for future logs | Andrew Bartlett | 2017-03-29 | 1 | -0/+9
  This will allow a very verbose JSON line to be logged that others can audit from in the future
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth | Andrew Bartlett | 2017-03-27 | 1 | -0/+1
  So far this is only on the AD DC
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM defines | Stefan Metzmacher | 2017-03-24 | 1 | -3/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: let auth4_context->check_ntlm_password() return pauthoritative | Stefan Metzmacher | 2017-03-24 | 1 | -0/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd | Andrew Bartlett | 2014-07-04 | 1 | -1/+1
  This changes the auth code in winbindd to use this as a flag, and to therefore contact the RW DC.
  Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
* auth: Provide a way to use the auth stack for winbindd authentication | Andrew Bartlett | 2014-06-11 | 1 | -1/+5
  This adds in flags that allow winbindd to request authentication without directly calling into the auth_sam module. That in turn will allow winbindd to call auth_samba4 and so permit winbindd operation in the AD DC.
  Andrew Bartlett
  Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove .get_challenge (only used for security=server) | Andrew Bartlett | 2012-07-03 | 1 | -4/+0
  With NTLMSSP, for NTLM2 we need to be able to set the effective challenge, so if we ever did use a module that needed this functionality, we would downgrade to just NTLM. Now that security=server has been removed, we have no such module. This will make it easier to make the auth subsystem async, as we will not need to consider making .get_challenge async.
  Andrew Bartlett
* auth: Rename some elements of auth4_context | Andrew Bartlett | 2012-02-24 | 1 | -7/+7
  These operate on NTLM authentication, so make that clear.
  Andrew Bartlett
* auth: Reorder arguments to generate_session_info | Andrew Bartlett | 2012-02-18 | 1 | -2/+2
  This matches check_ntlm_password() and generate_session_info_pac()
  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
* auth: Pass in the SMB username (for %U) into generate_session_info | Andrew Bartlett | 2012-02-13 | 1 | -0/+1
  This matches what Samba3 does.
  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Mon Feb 13 01:25:59 CET 2012 on sn-devel-104
* auth: Make check_password and generate_session_info hook generic | Andrew Bartlett | 2012-01-30 | 1 | -2/+3
  gensec_ntlmssp does not need to know the internal form of the struct user_info_dc or auth_serversupplied_info. This will allow the calling logic to be put in common.
  Andrew Bartlett
* auth: provide private pointer and do not return original PAC signatures | Andrew Bartlett | 2012-01-29 | 1 | -0/+3
  There is no need to return the PAC signatures via the special-purpose torture element. Instead, use a private pointer on the auth_context in conjunction with the private PAC processing method.
  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Sun Jan 29 23:52:50 CET 2012 on sn-devel-104
* gensec: move gensec_util.c to the top level | Andrew Bartlett | 2012-01-11 | 1 | -0/+5
  To do this some defines need to move to common_auth.h
  Andrew Bartlett
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth: make auth4_context common to provide access to generate_session_info_pac() | Andrew Bartlett | 2012-01-11 | 1 | -0/+59
  By providing this context, a function pointer for generate_session_info_pac() can be inserted into gensec, allowing the s3 PAC processing in an otherwise more generic gensec module.
  Andrew Bartlett
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth: include auth.idl structures into common_auth.h | Andrew Bartlett | 2011-07-20 | 1 | -0/+2
  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* auth: allow auth_common.h to be included multiple times without error | Andrew Bartlett | 2011-05-08 | 1 | -0/+5
* s3-auth: remove global include of krb5pac.h. | Günther Deschner | 2010-08-31 | 1 | -2/+0
  Guenther
* s3:auth Make Samba3 use the new common struct auth_usersupplied_info | Andrew Bartlett | 2010-08-14 | 1 | -3/+3
  This common structure will make it much easier to produce an auth module for s3compat that calls Samba4's auth subsystem. In order to make the link work properly (and not map twice), we mark both that we did try and map the user, as well as if we changed the user during the mapping.
  Andrew Bartlett
  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s4:auth Move struct auth_usersupplied_info to a common location | Andrew Bartlett | 2010-08-14 | 1 | -0/+63
  This also changes the calling convention slightly - we should always allocate this with talloc_zero() to allow some elements to be optional. Some elements may only make sense in Samba3, which I hope will use this common structure.
  Andrew Bartlett