path: root/source3/auth
Commit message | Author | Age | Files | Lines
* s4: messaging: Remove bool auto_remove parameter from imessaging_init(). | Jeremy Allison | 2016-07-23 | 1 | -2/+2
  With modern messaging this doesn't do anything (it's an empty destructor). Clean up so we can add a proper destructor in future.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* krb5pac.idl: introduce PAC_DOMAIN_GROUP_MEMBERSHIP to handle the resource groups | Stefan Metzmacher | 2016-06-30 | 1 | -5/+23
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Jun 30 07:16:45 CEST 2016 on sn-devel-144
* auth/wbc_auth_util: change wbcAuthUserInfo_to_netr_SamInfo* from level 3 to 6 | Stefan Metzmacher | 2016-06-30 | 1 | -4/+9
  This includes user_principal_name and dns_domain_name.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3: auth: Move the declaration of struct dom_sid tmp_sid to function level scope. | Jeremy Allison | 2016-05-27 | 1 | -1/+1
  It's referred to outside of the {} brace scope it was defined in by the following code:
      uid_to_unix_users_sid(*uid, &tmp_sid);
      user_sid = &tmp_sid;
  As tmp_sid was going out of scope, user_sid was being incorrectly set in the token sid list.
  I think this *may* be the root cause of:
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10618
  But even if not this is an obvious error that must be fixed.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Fri May 27 11:28:18 CEST 2016 on sn-devel-144
* s3:auth_builtin: anonymous authentication doesn't allow a password | Stefan Metzmacher | 2016-04-28 | 1 | -7/+40
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT | Ralph Boehme | 2016-04-12 | 1 | -1/+1
  Use SMB_SIGNING_IPC_DEFAULT for RPC connections.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks | Stefan Metzmacher | 2016-04-12 | 1 | -0/+15
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
* s3-auth: check for return code of cli_credentials_set_machine_account(). | Günther Deschner | 2016-03-17 | 1 | -2/+2
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Thu Mar 17 20:43:19 CET 2016 on sn-devel-144
* dlist: remove unneeded type argument from DLIST_ADD_END() | Michael Adam | 2016-02-06 | 2 | -2/+2
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* idl: Rename "principle" to "principal_name" | Volker Lendecke | 2016-02-02 | 1 | -4/+4
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* auth: consistent handling of well-known alias as primary gid | Uri Simchoni | 2015-11-19 | 1 | -6/+17
  When a local user has its primary group id mapped to a well-known alias or a builtin group, smbd accepts logins of such a user, but fails tree-connects to shares with a "force user" set to this user with an error of NT_STATUS_INVALID_SID.
  This fix causes the connect to succeed and the NT token to resemble the token that would have been created in a login.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608
  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth: remove a line that has no effect | Uri Simchoni | 2015-11-19 | 1 | -2/+0
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608
  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* Changing log level of two entries to DBG_NOTICE | Marc Muehlfeld | 2015-11-04 | 2 | -4/+4
  On domain members using RFC2307, machine accounts without an uidNumber attribute are not retrieved via idmap_ad. This leads to many of the following two error messages:
      Username DOMAIN\machineaccountname$ is invalid on this system
  and
      Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
  Machine accounts don't have an uidNumber attribute, if not set manually. To avoid flooding the logs, setting message from debug level 1 to DBG_NOTICE.
  Bugreport: https://bugzilla.samba.org/show_bug.cgi?id=9912
  Signed-off-by: Marc Muehlfeld <mmuehlfeld@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Wed Nov 4 00:46:15 CET 2015 on sn-devel-104
* auth: Remove procid_self() from auth_samba4 | Volker Lendecke | 2015-10-19 | 1 | -1/+8
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* s3-auth: Fix a memory leak in make_server_info_info3() | Andreas Schneider | 2015-08-21 | 1 | -12/+23
  We call make_server_info(NULL) and it is possible that we do not free it, because server_info is not allocated on the memory context we pass to the function.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s3-auth: Pass nt_username to check_account() | Andreas Schneider | 2015-08-21 | 1 | -3/+6
  We set nt_username above but do not use it in this function.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s3-auth: Fix 'map to guest = Bad Uid' support | Andreas Schneider | 2015-08-21 | 1 | -0/+8
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s3-auth: Fix a possible null pointer dereference | Andreas Schneider | 2015-07-17 | 1 | -1/+3
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11404
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Fri Jul 17 14:04:01 CEST 2015 on sn-devel-104
* Convert all uint32/16/8 to _t in a grab-bag of remaining files. | Richard Sharpe | 2015-05-14 | 1 | -2/+2
  I still need to fix the rpc stuff, but we are almost there.
  Signed-off-by: Richard Sharpe <rsharpe@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu May 14 22:16:56 CEST 2015 on sn-devel-104
* Convert all uses of uint32/16/8 to _t in source3/auth. | Richard Sharpe | 2015-05-13 | 3 | -10/+10
  Signed-off-by: Richard Sharpe <rsharpe@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3: Fix pam_authenticate() when lp_null_passwords() is true | Maks Naumov | 2015-05-04 | 1 | -1/+1
  (PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK) is always 0 when lp_null_passwords() == true.
  Signed-off-by: Maks Naumov <maksqwe1@ukr.net>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:auth: use lp_load_with_shares() in auth3_check_password() | Michael Adam | 2015-04-22 | 1 | -1/+1
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Ira Cooper <ira@samba.org>
* s3:auth: use lp_load_with_shares() in auth3_generate_session_info_pac() | Michael Adam | 2015-04-22 | 1 | -1/+1
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Ira Cooper <ira@samba.org>
* s3:auth_domain: make use of cli_rpc_pipe_open_schannel() | Stefan Metzmacher | 2015-03-12 | 1 | -91/+10
  This simplifies a lot and allows the previous password to be used.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s3:auth_domain: fix talloc problem in connect_to_domain_password_server() | Stefan Metzmacher | 2015-03-12 | 1 | -1/+6
  return values of connect_to_domain_password_server() need to be exported to the callers memory context.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* smbd: Simplify create_token_from_sid() | Volker Lendecke | 2015-03-11 | 1 | -9/+5
  This if-statement is unnecessary. First, talloc_array returns non-NULL even if asked for 0 elements. Second, a bit further down we do a SMB_ASSERT(num_group_sids > 0);
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* smbd: Simplify create_token_from_sid() | Volker Lendecke | 2015-03-11 | 1 | -6/+2
  With the previous commit all 3 branches do the same
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* smbd: Streamline the gids handling in create_token_from_sid() | Volker Lendecke | 2015-03-11 | 1 | -2/+8
  Usually, I'm all for avoiding talloc. But in this case I believe that this routine is complex enough to justify this change. For an hour or so I suspect that the winbind case had an uninitialized "*gid" until I discovered the sid_to_gid(). This makes it more obvious that *gid is assigned.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* smbd: Put a variable definition closer to its use | Volker Lendecke | 2015-03-11 | 1 | -1/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3: auth: Add previously missing allocation fail check. | Jeremy Allison | 2015-01-14 | 1 | -0/+4
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* s3: auth: Plumb in the SamInfo3_handle_sids() utility function into passwd_to_SamInfo3(). | Jeremy Allison | 2015-01-14 | 3 | -5/+17
  Core fix for:
  https://bugzilla.samba.org/show_bug.cgi?id=11044
  Based on code from Michael Zeis <mzeis.quantum@gmail.com>
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* s3: auth: Convert samu_to_SamInfo3() to use the new utility function. | Jeremy Allison | 2015-01-14 | 1 | -57/+9
  Based on code from Michael Zeis <mzeis.quantum@gmail.com>
  https://bugzilla.samba.org/show_bug.cgi?id=11044
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* s3: auth: Add a utility function - SamInfo3_handle_sids() that factors out the code to handle "Unix Users" and "Unix Groups". | Jeremy Allison | 2015-01-14 | 1 | -0/+70
  Based on code from Michael Zeis <mzeis.quantum@gmail.com>
  https://bugzilla.samba.org/show_bug.cgi?id=11044
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* s3:auth: add some const to user_in_list() | Stefan Metzmacher | 2014-11-14 | 2 | -3/+3
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3:auth: add missing auth_samba4_init() prototype | Stefan Metzmacher | 2014-11-14 | 1 | -0/+3
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* Don't drop any error codes just because we think there cannot be any errors we didn't think of if the user asked for a level 10 log. | root | 2014-10-30 | 1 | -0/+3
  Signed-off-by: Richard Sharpe <rsharpe@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu Oct 30 09:14:51 CET 2014 on sn-devel-104
* s3-winbindd: Attempt to connect to NETLOGON over NCACN_IP_TCP if we can | Andrew Bartlett | 2014-10-08 | 1 | -1/+1
  This is very helpful in the trusted domain situation, as we may not have a two-way trust but we can use our domain trust account to set up a connection to NETLOGON
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Oct 8 12:48:15 CEST 2014 on sn-devel-104
* lib/util: move memcache.[ch] to the toplevel 'samba-util' library | Stefan Metzmacher | 2014-07-18 | 1 | -1/+1
  This is generic enough that it could be used in all code.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Fri Jul 18 15:43:33 CEST 2014 on sn-devel-104
* auth: Fix an incompatible pointer assignment | Volker Lendecke | 2014-07-07 | 1 | -1/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Mon Jul 7 10:58:30 CEST 2014 on sn-devel-104
* s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd | Andrew Bartlett | 2014-07-04 | 1 | -0/+7
  This changes the auth code in winbindd to use this as a flag, and to therefore contact the RW DC.
  Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
* s3: auth: Change auth3_generate_session_info_pac() to use a copy of the info3 struct from the struct PAC_LOGON_INFO. | Jeremy Allison | 2014-06-18 | 1 | -2/+9
  Call create_info3_from_pac_logon_info() to add in any resource SIDs from the struct PAC_LOGON_INFO to the info3.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
  Reviewed-by: Simo Sorce <idra@samba.org>
* s3: auth: Add create_info3_from_pac_logon_info() to create a new info3 and merge resource group SIDs into it. | Jeremy Allison | 2014-06-18 | 2 | -0/+80
  Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
  Reviewed-by: Simo Sorce <idra@samba.org>
* s3: auth: Change make_server_info_info3() to take a const struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO. | Jeremy Allison | 2014-06-18 | 3 | -6/+6
  make_server_info_info3() only reads from the info3 pointer.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
  Reviewed-by: Simo Sorce <idra@samba.org>
* s3: auth: Add some const to the struct netr_SamInfo3 * arguments of copy_netr_SamInfo3() and make_server_info_info3() | Jeremy Allison | 2014-06-18 | 3 | -4/+4
  Both functions only read from the struct netr_SamInfo3 * argument.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
  Reviewed-by: Simo Sorce <idra@samba.org>
* auth: Provide a way to use the auth stack for winbindd authentication | Andrew Bartlett | 2014-06-11 | 3 | -10/+28
  This adds in flags that allow winbindd to request authentication without directly calling into the auth_sam module.
  That in turn will allow winbindd to call auth_samba4 and so permit winbindd operation in the AD DC.
  Andrew Bartlett
  Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* smbd: fix creation of BUILTIN\{Administrators,Users} when "tdbsam:map builtin = false" | Michael Adam | 2014-05-19 | 1 | -3/+13
  In this case, passdb/group mapping is not responsible for the id mapping of the builtins, so the check whether the SID maps to a unix ID is not valid for checking whether the builtin has been created as a proper group.
  So this patch changes the check to whether we find the builtin in the group mapping database.
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Mon May 19 16:41:41 CEST 2014 on sn-devel-104
* auth: Allow auth_samba4 to be forced to run a specific auth module | Andrew Bartlett | 2014-05-16 | 2 | -12/+27
  This will allow new tests to be written to validate winbindd authentication results
  Andrew Bartlett
  Change-Id: I008eba1de349b17ee4eb9f11be08338557dffecc
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-auth: Register ncalrpc_as_system gensec module. | Andreas Schneider | 2014-04-24 | 1 | -1/+3
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3:auth: allow special SYSTEM and ANONYMOUS handling in auth3_generate_session_info() | Stefan Metzmacher | 2014-04-24 | 1 | -2/+43
  auth_ctx->generate_session_info() will be used by the SCHANNEL and NCALRPC_AS_SYSTEM gensec modules in future.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Move wbcAuthUserInfo_to_netr_SamInfo3 to the top level | Andrew Bartlett | 2014-04-18 | 2 | -192/+0
  This allows auth_winbind in source4 to use this more correct conversion routine.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>