path: root/source3/auth
Commit message | Author | Age | Files | Lines
* s3:auth: make use of make_{server,session}_info_anonymous()
  Author: Stefan Metzmacher   Age: 2018-03-20   Files: 2   Lines: -5/+2

  It's important to have them separated from make_{server,session}_info_guest(), because there's a fundamental difference between anonymous (the client requested no authentication) and guest (the server lies about the authentication failure).

  When it's really an anonymous connection, we should reflect that in the resulting session info.

  This should fix a problem where Windows 10 tries to join a Samba hosted NT4 domain and has SMB2/3 enabled. We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST for true anonymous connections.

  The commit message from a few commits before shows the resulting auth_session_info change.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Ralph Böhme <slow@samba.org>
  Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144
  (cherry picked from commit 1957bf11f127fc08c6622999cadc7dd580ac7d3b)
* s3:auth: add make_{server,session}_info_anonymous()
  Author: Stefan Metzmacher   Age: 2018-03-20   Files: 2   Lines: -1/+146

  It's important to have them separated from make_{server,session}_info_guest(), because there's a fundamental difference between anonymous (the client requested no authentication) and guest (the server lies about the authentication failure).

  The following is the difference between guest and anonymous token:

        security_token: struct security_token
    -       num_sids                 : 0x0000000a (10)
    -       sids: ARRAY(10)
    -           sids                 : S-1-5-21-3793881525-3372187982-3724979742-501
    -           sids                 : S-1-5-21-3793881525-3372187982-3724979742-514
    -           sids                 : S-1-22-2-65534
    -           sids                 : S-1-22-2-65533
    +       num_sids                 : 0x00000009 (9)
    +       sids: ARRAY(9)
    +           sids                 : S-1-5-7
                sids                 : S-1-1-0
                sids                 : S-1-5-2
    -           sids                 : S-1-5-32-546
                sids                 : S-1-22-1-65533
    +           sids                 : S-1-22-2-65534
    +           sids                 : S-1-22-2-100004
                sids                 : S-1-22-2-100002
                sids                 : S-1-22-2-100003
    +           sids                 : S-1-22-2-65533
            privilege_mask           : 0x0000000000000000 (0)
    ...
        unix_token                   : *
            unix_token: struct security_unix_token
                uid                  : 0x000000000000fffd (65533)
                gid                  : 0x000000000000fffe (65534)
    -           ngroups              : 0x00000004 (4)
    -           groups: ARRAY(4)
    +           ngroups              : 0x00000005 (5)
    +           groups: ARRAY(5)
                    groups           : 0x000000000000fffe (65534)
    -               groups           : 0x000000000000fffd (65533)
    +               groups           : 0x00000000000186a4 (100004)
                    groups           : 0x00000000000186a2 (100002)
                    groups           : 0x00000000000186a3 (100003)
    +               groups           : 0x000000000000fffd (65533)
        info: struct auth_user_info
            account_name             : *
    -           account_name         : 'nobody'
    +           account_name         : 'ANONYMOUS LOGON'
            user_principal_name      : NULL
            user_principal_constructed: 0x00 (0)
            domain_name              : *
    -           domain_name          : 'SAMBA-TEST'
    +           domain_name          : 'NT AUTHORITY'
            dns_domain_name          : NULL
    -       full_name                : NULL
    -       logon_script             : NULL
    -       profile_path             : NULL
    -       home_directory           : NULL
    -       home_drive               : NULL
    -       logon_server             : NULL
    +       full_name                : *
    +           full_name            : 'Anonymous Logon'
    +       logon_script             : *
    +           logon_script         : ''
    +       profile_path             : *
    +           profile_path         : ''
    +       home_directory           : *
    +           home_directory       : ''
    +       home_drive               : *
    +           home_drive           : ''
    +       logon_server             : *
    +           logon_server         : 'LOCALNT4DC2'
            last_logon               : NTTIME(0)
            last_logoff              : NTTIME(0)
            acct_expiry              : NTTIME(0)
            last_password_change     : NTTIME(0)
            allow_password_change    : NTTIME(0)
            force_password_change    : NTTIME(0)
            logon_count              : 0x0000 (0)
            bad_password_count       : 0x0000 (0)
    -       acct_flags               : 0x00000000 (0)
    +       acct_flags               : 0x00000010 (16)
            authenticated            : 0x00 (0)
        security_token: struct security_token
            num_sids                 : 0x00000006 (6)
            sids: ARRAY(6)
    +           sids                 : S-1-5-7
    +           sids                 : S-1-1-0
    +           sids                 : S-1-5-2
                sids                 : S-1-22-1-65533
                sids                 : S-1-22-2-65534
                sids                 : S-1-22-2-65533
    -           sids                 : S-1-1-0
    -           sids                 : S-1-5-2
    -           sids                 : S-1-5-32-546
            privilege_mask           : 0x0000000000000000 (0)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (similar to commit 6afb6b67a198c88ab8fa3fee931729c43605716d)
* s3:auth: pass the whole auth_session_info from copy_session_info_serverinfo_guest() to create_local_token()
  Author: Stefan Metzmacher   Age: 2018-03-20   Files: 1   Lines: -30/+21

  We only need to adjust sanitized_username in order to keep the same behaviour.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit a2a289d0446fedb4ea40834b5b5b190fdca30906)
* s3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_create_session_info()
  Author: Stefan Metzmacher   Age: 2018-03-20   Files: 1   Lines: -80/+43

  The changes in the resulting token look like this:

        unix_token                   : *
            unix_token: struct security_unix_token
                uid                  : 0x0000000000000000 (0)
                gid                  : 0x0000000000000000 (0)
    -           ngroups              : 0x00000000 (0)
    -           groups: ARRAY(0)
    +           ngroups              : 0x00000001 (1)
    +           groups: ARRAY(1)
    +               groups           : 0x0000000000000000 (0)
    ...
            domain_name              : *
                domain_name          : 'NT AUTHORITY'
            dns_domain_name          : NULL
    -       full_name                : NULL
    -       logon_script             : NULL
    -       profile_path             : NULL
    -       home_directory           : NULL
    -       home_drive               : NULL
    -       logon_server             : NULL
    +       full_name                : *
    +           full_name            : 'System'
    +       logon_script             : *
    +           logon_script         : ''
    +       profile_path             : *
    +           profile_path         : ''
    +       home_directory           : *
    +           home_directory       : ''
    +       home_drive               : *
    +           home_drive           : ''
    +       logon_server             : *
    +           logon_server         : 'SLOWSERVER'
            last_logon               : NTTIME(0)
            last_logoff              : NTTIME(0)
            acct_expiry              : NTTIME(0)
            last_password_change     : NTTIME(0)
            allow_password_change    : NTTIME(0)
            force_password_change    : NTTIME(0)
            logon_count              : 0x0000 (0)
            bad_password_count       : 0x0000 (0)
    -       acct_flags               : 0x00000000 (0)
    +       acct_flags               : 0x00000010 (16)
            authenticated            : 0x01 (1)
        unix_info                    : *

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (similar to commit e8402ec0486ced6ac2adb640c61a9e5abc77d4e4)
* s3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create()
  Author: Stefan Metzmacher   Age: 2018-03-20   Files: 2   Lines: -0/+584

  These functions make it possible to construct a full auth_session_info from the information available from an auth_user_info_dc structure.

  This has all the logic from create_local_token() that is used to transform an auth_serversupplied_info to a full auth_session_info.

  In order to work around the restriction that auth_user_info_dc doesn't contain hints for the unix token/name, we use the special S-1-5-88 (Unix_NFS) sids:

  - S-1-5-88-1-Y gives the uid=Y
  - S-1-5-88-2-Y gives the gid=Y
  - S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_*

  The currently implemented flags are:

  - AUTH3_UNIX_HINT_QUALIFIED_NAME
    unix_name = DOMAIN+ACCOUNT
  - AUTH3_UNIX_HINT_ISLOLATED_NAME
    unix_name = ACCOUNT
  - AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS
    Don't translate the nt token SIDS into uid/gids using sid mapping.
  - AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS
    Don't translate the unix token uid/gids to S-1-22-X-Y SIDS
  - AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS
    The unix token won't get expanded gid values from getgroups_unix_user()

  By using the hints it is possible to keep the current logic where an authentication backend provides uid/gid values and the unix name.

  Note the S-1-5-88-* SIDS never appear in the final security_token.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit af4bc135e486e17164da0ea918281fbf689892c3)
* s3:auth: remove static from finalize_local_nt_token()
  Author: Stefan Metzmacher   Age: 2018-03-20   Files: 2   Lines: -4/+4

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 7f47f9e1f220d2dd547cf77bbc292357a2173870)
* s3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token()
  Author: Stefan Metzmacher   Age: 2018-03-20   Files: 1   Lines: -19/+39

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit d3aae5ba65c7ed0d5e9f8389101cf1c8c1f0a25b)
* s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token()
  Author: Stefan Metzmacher   Age: 2018-03-20   Files: 1   Lines: -0/+24

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 4f81ef9353ad76390aa910c8c17456fec21916c6)
* s3:auth: add add_builtin_guests() handling to finalize_local_nt_token()
  Author: Stefan Metzmacher   Age: 2018-03-20   Files: 1   Lines: -8/+114

  We should add Builtin_Guests depending on the current token, not based on 'is_guest'. Even authenticated users can be members of a guest related group and therefore get Builtin_Guests.

  Sadly we still need to use 'is_guest' within create_local_nt_token() as we only have S-1-22-* SIDs there and still need to add Builtin_Guests.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit e8dc55d2b969b670322a913799d1af459a1000e7)
* s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token()
  Author: Stefan Metzmacher   Age: 2018-03-20   Files: 1   Lines: -16/+19

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit c2ffbf9f764a94ef1dc1280741884cf63a017308)
* s3:auth: move add_local_groups() out of finalize_local_nt_token()
  Author: Stefan Metzmacher   Age: 2018-03-20   Files: 1   Lines: -7/+15

  finalize_local_nt_token() will be used in another place, where we don't want to add local groups, in a following commit.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit df3d278853ec097df27c221369dfb3ed0297d6c8)
* s3:auth: add the "Unix Groups" sid for the primary gid
  Author: Stefan Metzmacher   Age: 2018-03-20   Files: 1   Lines: -0/+4

  The primary gid might not be in the gid array.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit f3ca3e71cc35876df47e31ec9c3643308add2405)
* s3:auth: remove unused auth_serversupplied_info->system
  Author: Stefan Metzmacher   Age: 2018-03-20   Files: 1   Lines: -1/+0

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 28ad1306b880a44824ee956a19656ac29581a1b9)
* build: deal with recent glibc sunrpc header removal
  Author: Günther Deschner   Age: 2018-01-25   Files: 1   Lines: -1/+1

  We need to rely on libtirpc or libntirpc to be around in that case.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13238
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10976

  Guenther

  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  (cherry picked from commit ee0be7eb723be1420fd601ea1abe0af748562953)
* include: Create system/nis.h in libreplace
  Author: Andreas Schneider   Age: 2018-01-25   Files: 1   Lines: -0/+13

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13238

  Pair-Programmed-With: Guenther Deschner <gd@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  (cherry picked from commit c29d087e1ea4c92717ef86e372fe80f410580fdc)
* auth3: prepare the logic for "map untrusted to domain = auto"
  Author: Stefan Metzmacher   Age: 2017-06-16   Files: 1   Lines: -3/+5

  This implements the same behavior as Windows: we should pass the domain and account names given by the client directly to the auth backends; they can decide if they are able to process the authentication or pass it to the next backend.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: call is_trusted_domain() as the last condition in make_user_info_map()
  Author: Stefan Metzmacher   Age: 2017-06-16   Files: 1   Lines: -2/+4

  We should avoid contacting winbind if we already know the domain is our local sam or our primary domain.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-auth: remove some dead prototypes
  Author: Günther Deschner   Age: 2017-05-10   Files: 1   Lines: -9/+0

  Guenther

  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
  Author: Jeremy Allison   Age: 2017-04-22   Files: 9   Lines: -16/+16

  Not currently used - no logic changes inside.

  This will make it possible to pass down a long-lived talloc context from the loading function for modules to use instead of having them internally all use talloc_autofree_context() which is a hidden global.

  Updated all known module interface numbers, and added a WHATSNEW.

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Signed-off-by: Ralph Böhme <slow@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
* auth3: fallback to "sam_ignoredomain" in make_auth3_context_for_ntlm()
  Author: Volker Lendecke   Age: 2017-04-10   Files: 1   Lines: -3/+3

  This is in the spirit of the "map untrusted to domain" parameter: We fall back to the local SAM when we get a non-authoritative NO_SUCH_USER from our domain controller.

  With this change we can implement "map untrusted to domain = auto".

  We should not strictly need 'sam' before 'winbind', but it makes it clearer to read and has the same effect.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Mon Apr 10 05:04:03 CEST 2017 on sn-devel-144
* auth3: merge make_auth_context_subsystem() into make_auth3_context_for_ntlm()
  Author: Stefan Metzmacher   Age: 2017-04-10   Files: 1   Lines: -8/+2

  make_auth3_context_for_ntlm() was the only caller of make_auth_context_subsystem().

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: only use "sam_netlogon3 winbind:trustdomain" in make_auth3_context_for_netlogon
  Author: Stefan Metzmacher   Age: 2017-04-10   Files: 1   Lines: -1/+30

  If someone needs the old behavior for a while, the deprecated "auth methods = guest sam winbind:trustdomain" option can be used.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: add "sam_netlogon3" which only reacts on lp_workgroup() as NT4 PDC/BDC
  Author: Stefan Metzmacher   Age: 2017-04-10   Files: 1   Lines: -0/+64

  This will be used in the s3 netlogon server in future.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Add hooks for notification of authentication events over the message bus
  Author: Andrew Bartlett   Age: 2017-03-29   Files: 2   Lines: -3/+6

  This will allow tests to be written to confirm the correct events are triggered.

  We pass in a messaging context from the callers

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* auth: Log the transport connection for the authorization
  Author: Andrew Bartlett   Age: 2017-03-29   Files: 1   Lines: -0/+1

  We also log if a simple bind was over TLS, as this particular case matters to a lot of folks

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s3-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)
  Author: Andrew Bartlett   Age: 2017-03-29   Files: 1   Lines: -10/+34

  gensec_session_info() is not called for bare NTLM, so we have to log manually

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* rpc: Always supply both the remote and local address to the auth subsystem
  Author: Gary Lockyer   Age: 2017-03-29   Files: 4   Lines: -3/+32

  This ensures that gensec, and then the NTLM auth subsystem under it, always gets the remote and local address pointers for potential logging.

  The local address allows us to know which interface an authentication is on

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Always supply both the remote and local address to the auth subsystem
  Author: Andrew Bartlett   Age: 2017-03-29   Files: 2   Lines: -1/+11

  This ensures that gensec, and then the NTLM auth subsystem under it, always gets the remote and local address pointers for potential logging.

  The local address allows us to know which interface an authentication is on

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Generate a human readable Authentication log message.
  Author: Gary Lockyer   Age: 2017-03-29   Files: 1   Lines: -1/+17

  Add a human readable authentication log line, to allow verification that all required details are being passed.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* s3-auth: Split out get_user_sid_info3_and_extra() from create_local_nt_token_from_info3()
  Author: Andrew Bartlett   Age: 2017-03-29   Files: 2   Lines: -15/+29

  This will allow us to get the SID in another location for logging

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Add a reminder about the strings currently used for auditing
  Author: Andrew Bartlett   Age: 2017-03-29   Files: 1   Lines: -0/+4

  We will soon have a much better replacement, but a note here may help some in the transition

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Fill in user_info->service_description from all callers
  Author: Andrew Bartlett   Age: 2017-03-29   Files: 4   Lines: -5/+28

  This will allow the logging code to make clear which protocol an authentication was for.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* s3-auth: Pass service_description into gensec via auth_generic_prepare()
  Author: Andrew Bartlett   Age: 2017-03-29   Files: 2   Lines: -0/+10

  This allows the GENSEC service description to be set from the various callers that go via this function.

  The RPC service description is the name of the interface from the IDL.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth
  Author: Andrew Bartlett   Age: 2017-03-27   Files: 1   Lines: -1/+2

  So far this is only on the AD DC

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth3: handle ROLE_ACTIVE_DIRECTORY_DC before lp_auth_methods() in make_auth_context_subsystem()
  Author: Stefan Metzmacher   Age: 2017-03-24   Files: 1   Lines: -4/+9

  "auth methods" never works as AD DC at all, so there's not really a change.

  This allows us to implement "auth methods" (temporary) for the auth4 stack.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling
  Author: Stefan Metzmacher   Age: 2017-03-24   Files: 3   Lines: -8/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: only use "[samba4:]sam" in make_auth3_context_for_winbind()
  Author: Stefan Metzmacher   Age: 2017-03-24   Files: 1   Lines: -1/+18

  This makes the USER_INFO_LOCAL_SAM_ONLY and AUTH_METHOD_LOCAL_SAM interaction obsolete.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: let auth4_context->check_ntlm_password() return pauthoritative
  Author: Stefan Metzmacher   Age: 2017-03-24   Files: 3   Lines: -3/+12

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth4: let auth_check_password* return pauthoritative
  Author: Stefan Metzmacher   Age: 2017-03-24   Files: 1   Lines: -2/+9

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: let auth_check_ntlm_password() return pauthoritative
  Author: Stefan Metzmacher   Age: 2017-03-24   Files: 3   Lines: -23/+32

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: make make_auth_context_subsystem() static
  Author: Stefan Metzmacher   Age: 2017-03-24   Files: 2   Lines: -4/+2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: make use of make_auth3_context_for_ntlm()
  Author: Stefan Metzmacher   Age: 2017-03-24   Files: 1   Lines: -2/+2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: add make_auth3_context_for_{ntlm,netlogon,winbind}
  Author: Stefan Metzmacher   Age: 2017-03-24   Files: 2   Lines: -0/+24

  For now they'll all do the same, but that will change in the following commits.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: Remove unused make_auth_context_fixed
  Author: Volker Lendecke   Age: 2017-03-24   Files: 2   Lines: -22/+0

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: Introduce auth3_context_set_challenge
  Author: Volker Lendecke   Age: 2017-03-24   Files: 2   Lines: -1/+15

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: Simplify the logic in auth_check_ntlm_password
  Author: Volker Lendecke   Age: 2017-03-24   Files: 1   Lines: -29/+29

  Move everything but the strict loop logic outside. This makes the loop exit condition clearer to me: Anything but NOT_IMPLEMENTED breaks the loop.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: Don't try other auth modules on any error
  Author: Volker Lendecke   Age: 2017-03-24   Files: 1   Lines: -3/+1

  So far if any kind of error has happened, we just tried further auth modules. An auth module should have the chance to definitely say "no, this is a valid error, no further attempts anywhere else".

  The protocol so far was for an auth module to return NT_STATUS_NOT_IMPLEMENTED if it wanted to pass on to other modules, but any error led to the next auth modules also being given a try.

  This patch makes any auth module return code except NOT_IMPLEMENTED to terminate the loop, such that every module has to explicitly request to pass on to the next module via NOT_IMPLEMENTED. All modules we reference in make_auth_context_subsystem() have code to explicitly say "not for me please" with NOT_IMPLEMENTED.

  This *might* break existing setups which fail in for example "guest" or "winbind" due to other reasons. I prefer it this way though, because adding another parameter like "This is a real authoritative failure, don't go looking somewhere else" will only add to the mess. But it's more a theoretical than a practical change with the default auth backends.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: Introduce make_auth_context_specific
  Author: Volker Lendecke   Age: 2017-03-24   Files: 1   Lines: -22/+27

  Take a string instead of a string list. Simplifies make_auth_context_subsystem and later similar callers

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: Slightly simplify make_auth_context_subsystem() step2
  Author: Volker Lendecke   Age: 2017-03-24   Files: 1   Lines: -39/+34

  Use "git show -b" to see the simple diff.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: Slightly simplify make_auth_context_subsystem() step1
  Author: Volker Lendecke   Age: 2017-03-24   Files: 1   Lines: -4/+6

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>