path: root/source3/auth
Commit message | Author | Age | Files | Lines
* s3-auth: Remember to always free the talloc_stackframe() in auth_samba4 | Andrew Bartlett | 2014-04-02 | 1 | -0/+2
  Change-Id: I94469de9d463ee90365bae43094231efaf0a7d8c
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
* auth_samba4: Fix auth_samba4 to correctly provide a messaging context for itself | Andrew Bartlett | 2014-04-02 | 1 | -16/+9
  This is done by calling make_auth4_context_s4(), avoiding code duplication.
  Change-Id: I3a3bf4e4273f27078c308d55102e4a1f4b052d17
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
* s3-auth: Finally change make_user_info_*() use a parent talloc context | Andrew Bartlett | 2014-04-02 | 4 | -34/+40
  Change-Id: Iedf516e8c24e0d18064aeedd8e287ed692d3c5b4
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
* s3: smbd: Factor out code that calls getgroups_unix_user() into a separate function. | Jeremy Allison | 2014-03-25 | 1 | -52/+92
  This code needs to special-case the guest user, as this token can have the token_sid[0] set to the Guest SID, not the mapping of UNIX uid -> SID. Other users that may have a well-known SID set in token_sid[0] (like SYSTEM) are usually not mappable to UNIX users and can be ignored when adding local groups from /etc/group.
  Found by <linux@kukkukk.com>.
  Second part of the bugfix for: https://bugzilla.samba.org/show_bug.cgi?id=10508
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3: smbd: Ensure we always go via getgroups_unix_user() when creating an NT token. | Jeremy Allison | 2014-03-21 | 1 | -0/+61
  This has to be done in every code path that creates an NT token, as remote users may have been added to the local /etc/group database. Tokens created merely from the info3 structs (via the DC or via the krb5 PAC) won't have these local groups.
  https://bugzilla.samba.org/show_bug.cgi?id=10508
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Simo Sorce <idra@samba.org>
* s3-auth: Steal the memory to avoid duplication. | Andreas Schneider | 2014-03-13 | 1 | -5/+1
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s3-auth: Do not leak tmp_ctx if make_server_info() fails. | Andreas Schneider | 2014-03-13 | 1 | -1/+2
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s3-auth: Make is_null_sid() check easier to read. | Simo Sorce | 2014-03-13 | 1 | -2/+3
  Signed-off-by: Simo Sorce <idra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* CVE-2013-4496:s3:auth: fix memory leak in the ACCOUNT_LOCKED_OUT case. | Stefan Metzmacher | 2014-03-13 | 1 | -0/+1
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
  Change-Id: Iabf22753effd80086d7956619a3dae830e487da8
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-on: https://gerrit.samba.org/161
* Remove all uses of the NT_STATUS_NOT_OK_RETURN_AND_FREE macro from the codebase. | Garming Sam | 2014-03-05 | 1 | -2/+8
  Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls.
  Change-Id: I421e169275fe323e2b019c6cc5d386289aec07f7
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Remove a number of NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros from the codebase. | Garming Sam | 2014-03-05 | 1 | -11/+44
  Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls.
  Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-auth: Pass mem_ctx to do_map_to_guest_server_info(). | Andreas Schneider | 2014-02-19 | 3 | -11/+16
  Change-Id: If53117023e3ab37c810193edd00a81d247fdde7a
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Feb 19 01:28:14 CET 2014 on sn-devel-104
* s3-auth: Pass mem_ctx to auth_check_ntlm_password(). | Andreas Schneider | 2014-02-19 | 3 | -24/+40
  Coverity-Id: 1168009
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-auth: Pass mem_ctx to make_server_info_sam(). | Andreas Schneider | 2014-02-19 | 4 | -28/+47
  Coverity-Id: 1168009
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Change-Id: Ie614b0654c3a7eec1ebb10dbb9763696eec795bd
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Make new_server_id_task() static to auth_samba4 | Volker Lendecke | 2014-02-12 | 1 | -0/+42
  This is not used in other parts of source3, so this patch improves modularity and isolation of features.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
* param: rename lp function and variable from "encrypted_passwords" to "encrypt_passwords" | Garming Sam | 2014-02-07 | 1 | -1/+1
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* param: rename lp function and variable from "adduser_script" to "add_user_script" | Garming Sam | 2014-02-07 | 1 | -1/+1
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* param: rename lp function and variable from 'guestaccount' to 'guest_account' | Garming Sam | 2014-02-07 | 3 | -4/+4
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3-auth: Add passwd_to_SamInfo3(). | Andreas Schneider | 2014-02-05 | 2 | -73/+36
  Correctly lookup users which come from smb.conf. passwd_to_SamInfo3() tries to contact winbind if the user is a domain user to get valid information about it. If winbind isn't running it will try to create everything from the passwd struct. This is not always reliable but works in most cases. It improves the current situation which doesn't talk to winbind at all.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598
  Pair-Programmed-With: Guenther Deschner <gd@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Feb 5 01:40:38 CET 2014 on sn-devel-104
* s3-auth: Pass talloc context to make_server_info_pw(). | Andreas Schneider | 2014-02-05 | 4 | -29/+42
  Pair-Programmed-With: Guenther Deschner <gd@samba.org>
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-auth: Add passwd_to_SamInfo3(). | Andreas Schneider | 2014-02-05 | 2 | -0/+120
  First this function tries to contact winbind if the user is a domain user to get valid information about it. If winbind isn't running it will try to create everything from the passwd struct. This is not always reliable but works in most cases. It improves the current situation which doesn't talk to winbind at all.
  Pair-Programmed-With: Guenther Deschner <gd@samba.org>
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:auth_domain: make use of rpccli_netlogon_network_logon() | Stefan Metzmacher | 2014-01-07 | 1 | -14/+22
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:auth_domain: make use of rpccli_{create,setup}_netlogon_creds() | Stefan Metzmacher | 2014-01-07 | 1 | -51/+85
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:auth_domain: simplify connect_to_domain_password_server() | Stefan Metzmacher | 2014-01-07 | 1 | -19/+12
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth_samba4: Describe the slightly unusual role of auth_samba4 | Andrew Bartlett | 2013-12-16 | 1 | -4/+39
  Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Mon Dec 16 03:18:00 CET 2013 on sn-devel-104
* s3:auth_domain: remove dead code in check_trustdomain_security() | Stefan Metzmacher | 2013-10-17 | 1 | -22/+0
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* build: get rid of vars=locals() in source3/auth/wscript_build | Michael Adam | 2013-09-24 | 1 | -4/+2
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
* build: get rid of source-variables in source3/auth/wscript_build | Michael Adam | 2013-09-24 | 1 | -20/+11
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
* s3-auth: register schannel gensec module in auth_generic_prepare() as well. | Günther Deschner | 2013-09-19 | 1 | -1/+4
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* lib: Use "mem_ctx" arg in gencache_get | Volker Lendecke | 2013-09-05 | 1 | -3/+2
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu Sep 5 20:09:21 CEST 2013 on sn-devel-104
* lib: Add a "mem_ctx" arg to gencache_get (unused so far) | Volker Lendecke | 2013-09-05 | 1 | -1/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth/gensec: treat struct gensec_security_ops as const if possible. | Stefan Metzmacher | 2013-08-10 | 1 | -7/+8
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:auth_domain: try to use NETLOGON_NEG_SUPPORTS_AES | Stefan Metzmacher | 2013-08-10 | 1 | -1/+2
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-rpc_cli: pass down ndr_interface_table to cli_rpc_pipe_open_noauth(). | Günther Deschner | 2013-08-05 | 1 | -1/+1
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-rpc_cli: pass down ndr_interface_table to cli_rpc_pipe_open_schannel(). | Günther Deschner | 2013-08-05 | 1 | -1/+1
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove "password level" | Andrew Bartlett | 2013-06-11 | 1 | -79/+0
  We now only lowercase the password, we do not attempt to find another case combination that the password might be in. This option is already deprecated, so it is now time to remove it.
  Andrew Bartlett
  Reviewed-by: Simo Sorce <idra@samba.org>
* auth: Ensure auth_sam is not used on the AD DC | Andrew Bartlett | 2013-05-16 | 1 | -0/+7
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Thu May 16 22:51:26 CEST 2013 on sn-devel-104
* BUG 9817: Fix 'map untrusted to domain' with NTLMv2. | Andreas Schneider | 2013-04-24 | 1 | -2/+8
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Wed Apr 24 17:14:48 CEST 2013 on sn-devel-104
* BUG 9139: Fix the username map optimization. | Andreas Schneider | 2013-04-09 | 1 | -4/+8
  If we successfully map a user, we call set_last_from_to(user_in, unixname); in the while loop reading the map file. After a successful map we don't stop and continue the loop to check all other mappings in the username mapfile. But when we hit the end of the file and leave the loop we call: set_last_from_to(user_in, user_in); This overwrites the successful mapping, and the next time we call map_username() we skip the username and no mapping is done.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
* Fix bug #9039 'map untrusted to domain' treats WORKSTATION as bogus domain. | Daniel Kobras | 2013-02-28 | 1 | -1/+2
  s3: never try to map global SAM name
  Do not treat the global SAM name as a BOGUS domain, and exempt local users from mapping, instead. This change reinstates the exact mapping behaviour of Samba 3.2 if parameter 'map untrusted to domain' is set.
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
* s3:auth small optimization in create_token_from_sid | Christian Ambach | 2013-02-05 | 1 | -3/+5
  save some calls to lp_idmap_default_range(), calling it once is enough
  Signed-off-by: Christian Ambach <ambi@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Michael Adam <obnox@samba.org>
  Autobuild-Date(master): Tue Feb 5 19:14:25 CET 2013 on sn-devel-104
* s3:auth: use new lp_idmap_default_range() instead of lp_idmap_gid() in create_token_from_sid() | Michael Adam | 2013-02-05 | 1 | -2/+2
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Christian Ambach <ambi@samba.org>
* s3:auth: wbcAuthenticateEx gives unix times (bug #9625) | Stefan Metzmacher | 2013-02-01 | 1 | -3/+3
  We also need to convert last_logon, last_logoff and acct_expiry from unix time to nt time. Otherwise a windows member server will reject clients (using CAP_DYNAMIC_REAUTH or smb2) with STATUS_NETWORK_SESSION_EXPIRED, if the logoff and kickoff time is expired.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Fri Feb 1 18:42:42 CET 2013 on sn-devel-104
* s3-auth: Make sure we work on valid data_blobs. | Andreas Schneider | 2012-12-12 | 1 | -2/+2
  Found by Coverity.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s3:auth: Tidy up some of the API confusion in create_token_from_XXX() calls. | Jeremy Allison | 2012-12-11 | 1 | -6/+9
  Based on Michael's example, split out the return of NT_STATUS_NO_MEMORY on talloc fail from other possible errors. Allow the NTSTATUS return to be the only valid indication of success in these calls.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Tue Dec 11 20:04:25 CET 2012 on sn-devel-104
* s3:auth: fix dereference level in talloc checks in create_token_from_sid() | Michael Adam | 2012-12-11 | 1 | -2/+2
  Commit c5b150b33fc54ed97dbd0736cc6f4c15977d6e70 introduced these checks. The current check "found_username == NULL" is wrong (we would segfault earlier in this case). We need to check *found_username == NULL instead as noted by Günter.
  Reported-by: Günter Kukkukk <linux@kukkukk.com>
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:auth: fix function header comment for user_sid_in_group_sid() | Michael Adam | 2012-12-11 | 1 | -1/+1
  This is embarrassing: the commit 0770a4c01bef26ec51321cd5b97aea4eab9e00a8 which intended to fix an earlier copy'n'paste error, contained another typo, fixed with this commit...
  Signed-off-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Tue Dec 11 00:04:45 CET 2012 on sn-devel-104
* s3:auth: fix create_token_from_sid() to not fail in the winbindd case | Michael Adam | 2012-12-10 | 1 | -2/+10
  Commit 1c3c5e2156d9096f60bd53a96b88c2f1001d898a which factored the sid-based variant out of create_token_from_username() broke the case of a user handled by winbindd in that the "found_username" was set to NULL which caused the function to fail with NT_STATUS_NO_MEMORY further down.
  This patch fixes the function so that the case of found_username == NULL is cleanly separated from the NO_MEMORY case and the caller can provide the username in this case, if required.
  This fixes bug #9457.
  Signed-off-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Mon Dec 10 18:18:54 CET 2012 on sn-devel-104
* s3:auth: fix header comment for user_sid_in_group_sid() | Michael Adam | 2012-12-10 | 1 | -2/+2
  This function was created in 1c3c5e2156d9096f60bd53a96b88c2f1001d898a and the header comment contained copy'n'paste errors from the original function user_in_group_sid() that took the user name.
  Signed-off-by: Michael Adam <obnox@samba.org>
* s3-auth: remove crypto from serverinfo_to_SamInfoX calls. | Günther Deschner | 2012-12-09 | 3 | -29/+1
  All crypto is dealt with within the netlogon samlogon server now.
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>