path: root/source3/auth
Commit log (each entry: commit message, then author, date, files changed, lines -removed/+added)
* s3:auth_winbind: ignore a missing winbindd as NT4 PDC/BDC without trusts
  Stefan Metzmacher, 2019-01-09, 1 file, -1/+32

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>

  Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
  Autobuild-Date(master): Thu Dec 20 12:15:09 CET 2018 on sn-devel-144

  (cherry picked from commit 63dc60767eb13d8fc09ed4bc44faa538581b18f1)

  Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-8-test): Wed Jan 9 15:55:39 CET 2019 on sn-devel-144
* s3:auth_winbind: return NT_STATUS_NO_LOGON_SERVERS if winbindd is not available
  Stefan Metzmacher, 2019-01-09, 1 file, -1/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  (cherry picked from commit ec3adc1e5b3cc953576efa795dfb25af08a8ab79)
* s3:auth_winbind: remove fallback to optional backend
  Stefan Metzmacher, 2019-01-09, 2 files, -17/+1

  This is not possible anymore, as the trustdomain backend was removed in
  commit 75c152c0d764165a4a9dd0a85390af063dd0192a.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13722
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13723

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  (cherry picked from commit f3bac8c91121871bf8ce852bc3e3ea2e834d3f27)
* s3:auth: make use of make_{server,session}_info_anonymous()
  Stefan Metzmacher, 2018-03-21, 2 files, -5/+2

  It's important to have them separated from make_{server,session}_info_guest(),
  because there's a fundamental difference between anonymous (the client
  requested no authentication) and guest (the server lies about the
  authentication failure).

  When it's really an anonymous connection, we should reflect that in the
  resulting session info.

  This should fix a problem where Windows 10 tries to join a Samba hosted
  NT4 domain and has SMB2/3 enabled. We no longer return SMB_SETUP_GUEST or
  SMB2_SESSION_FLAG_IS_GUEST for true anonymous connections.

  The commit message from a few commits before shows the resulting
  auth_session_info change.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>

  Autobuild-User(master): Ralph Böhme <slow@samba.org>
  Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144

  (cherry picked from commit 1957bf11f127fc08c6622999cadc7dd580ac7d3b)

  Autobuild-User(v4-8-test): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(v4-8-test): Wed Mar 21 02:29:57 CET 2018 on sn-devel-144
* s3:auth: add make_{server,session}_info_anonymous()
  Stefan Metzmacher, 2018-03-20, 2 files, -1/+146

  It's important to have them separated from make_{server,session}_info_guest(),
  because there's a fundamental difference between anonymous (the client
  requested no authentication) and guest (the server lies about the
  authentication failure).

  The following is the difference between guest and anonymous token:

        security_token: struct security_token
    -       num_sids                 : 0x0000000a (10)
    -       sids: ARRAY(10)
    -           sids                 : S-1-5-21-3793881525-3372187982-3724979742-501
    -           sids                 : S-1-5-21-3793881525-3372187982-3724979742-514
    -           sids                 : S-1-22-2-65534
    -           sids                 : S-1-22-2-65533
    +       num_sids                 : 0x00000009 (9)
    +       sids: ARRAY(9)
    +           sids                 : S-1-5-7
                sids                 : S-1-1-0
                sids                 : S-1-5-2
    -           sids                 : S-1-5-32-546
                sids                 : S-1-22-1-65533
    +           sids                 : S-1-22-2-65534
    +           sids                 : S-1-22-2-100004
                sids                 : S-1-22-2-100002
                sids                 : S-1-22-2-100003
    +           sids                 : S-1-22-2-65533
            privilege_mask           : 0x0000000000000000 (0)
    ...
        unix_token               : *
            unix_token: struct security_unix_token
                uid                  : 0x000000000000fffd (65533)
                gid                  : 0x000000000000fffe (65534)
    -           ngroups              : 0x00000004 (4)
    -           groups: ARRAY(4)
    +           ngroups              : 0x00000005 (5)
    +           groups: ARRAY(5)
                    groups           : 0x000000000000fffe (65534)
    -               groups           : 0x000000000000fffd (65533)
    +               groups           : 0x00000000000186a4 (100004)
                    groups           : 0x00000000000186a2 (100002)
                    groups           : 0x00000000000186a3 (100003)
    +               groups           : 0x000000000000fffd (65533)
        info: struct auth_user_info
            account_name             : *
    -           account_name         : 'nobody'
    +           account_name         : 'ANONYMOUS LOGON'
            user_principal_name      : NULL
            user_principal_constructed: 0x00 (0)
            domain_name              : *
    -           domain_name          : 'SAMBA-TEST'
    +           domain_name          : 'NT AUTHORITY'
            dns_domain_name          : NULL
    -       full_name                : NULL
    -       logon_script             : NULL
    -       profile_path             : NULL
    -       home_directory           : NULL
    -       home_drive               : NULL
    -       logon_server             : NULL
    +       full_name                : *
    +           full_name            : 'Anonymous Logon'
    +       logon_script             : *
    +           logon_script         : ''
    +       profile_path             : *
    +           profile_path         : ''
    +       home_directory           : *
    +           home_directory       : ''
    +       home_drive               : *
    +           home_drive           : ''
    +       logon_server             : *
    +           logon_server         : 'LOCALNT4DC2'
            last_logon               : NTTIME(0)
            last_logoff              : NTTIME(0)
            acct_expiry              : NTTIME(0)
            last_password_change     : NTTIME(0)
            allow_password_change    : NTTIME(0)
            force_password_change    : NTTIME(0)
            logon_count              : 0x0000 (0)
            bad_password_count       : 0x0000 (0)
    -       acct_flags               : 0x00000000 (0)
    +       acct_flags               : 0x00000010 (16)
            authenticated            : 0x00 (0)
        security_token: struct security_token
            num_sids                 : 0x00000006 (6)
            sids: ARRAY(6)
    +           sids                 : S-1-5-7
    +           sids                 : S-1-1-0
    +           sids                 : S-1-5-2
                sids                 : S-1-22-1-65533
                sids                 : S-1-22-2-65534
                sids                 : S-1-22-2-65533
    -           sids                 : S-1-1-0
    -           sids                 : S-1-5-2
    -           sids                 : S-1-5-32-546
            privilege_mask           : 0x0000000000000000 (0)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (similar to commit 6afb6b67a198c88ab8fa3fee931729c43605716d)
* s3:auth: pass the whole auth_session_info from copy_session_info_serverinfo_guest() to create_local_token()
  Stefan Metzmacher, 2018-03-20, 1 file, -30/+21

  We only need to adjust sanitized_username in order to keep the same
  behaviour.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit a2a289d0446fedb4ea40834b5b5b190fdca30906)
* s3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_create_session_info()
  Stefan Metzmacher, 2018-03-20, 1 file, -80/+43

  The changes in the resulting token look like this:

        unix_token               : *
            unix_token: struct security_unix_token
                uid                  : 0x0000000000000000 (0)
                gid                  : 0x0000000000000000 (0)
    -           ngroups              : 0x00000000 (0)
    -           groups: ARRAY(0)
    +           ngroups              : 0x00000001 (1)
    +           groups: ARRAY(1)
    +               groups           : 0x0000000000000000 (0)
    ...
            domain_name              : *
                domain_name          : 'NT AUTHORITY'
            dns_domain_name          : NULL
    -       full_name                : NULL
    -       logon_script             : NULL
    -       profile_path             : NULL
    -       home_directory           : NULL
    -       home_drive               : NULL
    -       logon_server             : NULL
    +       full_name                : *
    +           full_name            : 'System'
    +       logon_script             : *
    +           logon_script         : ''
    +       profile_path             : *
    +           profile_path         : ''
    +       home_directory           : *
    +           home_directory       : ''
    +       home_drive               : *
    +           home_drive           : ''
    +       logon_server             : *
    +           logon_server         : 'SLOWSERVER'
            last_logon               : NTTIME(0)
            last_logoff              : NTTIME(0)
            acct_expiry              : NTTIME(0)
            last_password_change     : NTTIME(0)
            allow_password_change    : NTTIME(0)
            force_password_change    : NTTIME(0)
            logon_count              : 0x0000 (0)
            bad_password_count       : 0x0000 (0)
    -       acct_flags               : 0x00000000 (0)
    +       acct_flags               : 0x00000010 (16)
            authenticated            : 0x01 (1)
        unix_info                : *

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit e8402ec0486ced6ac2adb640c61a9e5abc77d4e4)
* s3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create()
  Stefan Metzmacher, 2018-03-20, 2 files, -0/+584

  These functions make it possible to construct a full auth_session_info
  from the information available from an auth_user_info_dc structure.

  This has all the logic from create_local_token() that is used to
  transform an auth_serversupplied_info to a full auth_session_info.

  In order to work around the restriction that auth_user_info_dc doesn't
  contain hints for the unix token/name, we use the special S-1-5-88
  (Unix_NFS) sids:

  - S-1-5-88-1-Y gives the uid=Y
  - S-1-5-88-2-Y gives the gid=Y
  - S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_*

  The currently implemented flags are:

  - AUTH3_UNIX_HINT_QUALIFIED_NAME
    unix_name = DOMAIN+ACCOUNT
  - AUTH3_UNIX_HINT_ISLOLATED_NAME
    unix_name = ACCOUNT
  - AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS
    Don't translate the nt token SIDS into uid/gids using sid mapping.
  - AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS
    Don't translate the unix token uid/gids to S-1-22-X-Y SIDS
  - AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS
    The unix token won't get expanded gid values from getgroups_unix_user()

  By using the hints it is possible to keep the current logic where an
  authentication backend provides uid/gid values and the unix name.

  Note the S-1-5-88-* SIDS never appear in the final security_token.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit af4bc135e486e17164da0ea918281fbf689892c3)
* s3:auth: remove static from finalize_local_nt_token()
  Stefan Metzmacher, 2018-03-20, 2 files, -4/+4

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 7f47f9e1f220d2dd547cf77bbc292357a2173870)
* s3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token()
  Stefan Metzmacher, 2018-03-20, 1 file, -19/+39

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit d3aae5ba65c7ed0d5e9f8389101cf1c8c1f0a25b)
* s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token()
  Stefan Metzmacher, 2018-03-20, 1 file, -0/+24

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 4f81ef9353ad76390aa910c8c17456fec21916c6)
* s3:auth: add add_builtin_guests() handling to finalize_local_nt_token()
  Stefan Metzmacher, 2018-03-20, 1 file, -8/+114

  We should add Builtin_Guests depending on the current token not based
  on 'is_guest'. Even authenticated users can be a member of a guest
  related group and therefore get Builtin_Guests.

  Sadly we still need to use 'is_guest' within create_local_nt_token()
  as we only have S-1-22-* SIDs there and still need to add Builtin_Guests.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit e8dc55d2b969b670322a913799d1af459a1000e7)
* s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token()
  Stefan Metzmacher, 2018-03-20, 1 file, -16/+19

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit c2ffbf9f764a94ef1dc1280741884cf63a017308)
* s3:auth: move add_local_groups() out of finalize_local_nt_token()
  Stefan Metzmacher, 2018-03-20, 1 file, -7/+15

  finalize_local_nt_token() will be used in another place, where we
  don't want to add local groups in a following commit.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit df3d278853ec097df27c221369dfb3ed0297d6c8)
* s3:auth: add the "Unix Groups" sid for the primary gid
  Stefan Metzmacher, 2018-03-20, 1 file, -0/+4

  The primary gid might not be in the gid array.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit f3ca3e71cc35876df47e31ec9c3643308add2405)
* s3:auth: remove unused auth_serversupplied_info->system
  Stefan Metzmacher, 2018-03-20, 1 file, -1/+0

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 28ad1306b880a44824ee956a19656ac29581a1b9)
* s3/auth: add create_info6_from_pac()
  Stefan Metzmacher, 2018-02-11, 2 files, -0/+60

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13261

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit d4ba23fd353ad387a374a5d7f6f6d085a0699d2c)
* build: deal with recent glibc sunrpc header removal
  Günther Deschner, 2018-01-25, 1 file, -1/+1

  We need to rely on libtirpc or libntirpc to be around in that case.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13238
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10976

  Guenther

  Pair-Programmed-With: Andreas Schneider <asn@samba.org>

  Signed-off-by: Guenther Deschner <gd@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  (cherry picked from commit ee0be7eb723be1420fd601ea1abe0af748562953)
* include: Create system/nis.h in libreplace
  Andreas Schneider, 2018-01-25, 1 file, -0/+13

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13238

  Pair-Programmed-With: Guenther Deschner <gd@samba.org>

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  (cherry picked from commit c29d087e1ea4c92717ef86e372fe80f410580fdc)
* s3:rpc_client: Cleanup copy_netr_SamInfo3() code
  Andreas Schneider, 2018-01-25, 2 files, -21/+38

  This gets rid of some strange macro and makes sure we clean up at the end.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13209

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 05ebafd91ee2dd511372ce63d656e9fc6735ee28)
* s3/rpc_client: move copy_netr_SamInfo3() to util_netlogon
  Ralph Boehme, 2018-01-13, 3 files, -44/+1

  The next commit will add an additional caller in rpc_client and I don't
  want to pull in AUTH_COMMON. The natural place to consolidate netlogon
  related helper functions seems to be util_netlogon.c which already has
  copy_netr_SamBaseInfo().

  No change in behaviour.

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3:auth: is_trusted_domain() is now only useful (and used as DC)
  Stefan Metzmacher, 2017-12-13, 1 file, -49/+10

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:auth: remove lp_auth_methods() handling
  Stefan Metzmacher, 2017-12-13, 1 file, -30/+1

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:auth: remove "map untrusted to domain" handling
  Stefan Metzmacher, 2017-12-13, 1 file, -33/+4

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-auth: remove leftover prototype from auth_domain.
  Günther Deschner, 2017-10-30, 1 file, -4/+0

  Guenther

  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>

  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Mon Oct 30 00:15:07 CET 2017 on sn-devel-144
* smbd: Fix the memory hierarchy in the unix token
  Volker Lendecke, 2017-10-27, 1 file, -1/+2

  "groups" should hang off the token itself, not its parent

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth3: Remove auth_domain
  Volker Lendecke, 2017-09-22, 3 files, -423/+2

  If you're a domain member, use winbind. Auth_domain is from times when
  we did not have winbind. It has served its purpose, but we should move on.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Sep 22 00:02:29 CEST 2017 on sn-devel-144
* auth/common: add support for auth4_ctx->check_ntlm_password_send/recv()
  Stefan Metzmacher, 2017-08-07, 1 file, -7/+42

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth3: prepare the logic for "map untrusted to domain = auto"
  Stefan Metzmacher, 2017-06-16, 1 file, -3/+5

  This implements the same behavior as Windows: we should pass the domain
  and account names given by the client directly to the auth backends;
  they can decide if they are able to process the authentication or pass
  it to the next backend.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: call is_trusted_domain() as the last condition in make_user_info_map()
  Stefan Metzmacher, 2017-06-16, 1 file, -2/+4

  We should avoid contacting winbind if we already know the domain
  is our local sam or our primary domain.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-auth: remove some dead prototypes
  Günther Deschner, 2017-05-10, 1 file, -9/+0

  Guenther

  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
  Jeremy Allison, 2017-04-22, 9 files, -16/+16

  Not currently used - no logic changes inside.

  This will make it possible to pass down a long-lived talloc context
  from the loading function for modules to use instead of having them
  internally all use talloc_autofree_context() which is a hidden global.

  Updated all known module interface numbers, and added a WHATSNEW.

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Signed-off-by: Ralph Böhme <slow@samba.org>

  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
* auth3: fallback to "sam_ignoredomain" in make_auth3_context_for_ntlm()
  Volker Lendecke, 2017-04-10, 1 file, -3/+3

  This is in the spirit of the "map untrusted to domain" parameter:
  We fall back to the local SAM when we get a non-authoritative
  NO_SUCH_USER from our domain controller.

  With this change we can implement "map untrusted to domain = auto".

  We should not strictly need 'sam' before 'winbind', but it makes it
  clearer to read and has the same effect.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Mon Apr 10 05:04:03 CEST 2017 on sn-devel-144
* auth3: merge make_auth_context_subsystem() into make_auth3_context_for_ntlm()
  Stefan Metzmacher, 2017-04-10, 1 file, -8/+2

  make_auth3_context_for_ntlm() was the only caller of
  make_auth_context_subsystem().

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: only use "sam_netlogon3 winbind:trustdomain" in make_auth3_context_for_netlogon
  Stefan Metzmacher, 2017-04-10, 1 file, -1/+30

  If someone needs the old behavior for a while, the deprecated
  "auth methods = guest sam winbind:trustdomain" option can be used.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: add "sam_netlogon3" which only reacts on lp_workgroup() as NT4 PDC/BDC
  Stefan Metzmacher, 2017-04-10, 1 file, -0/+64

  This will be used in the s3 netlogon server in future.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Add hooks for notification of authentication events over the message bus
  Andrew Bartlett, 2017-03-29, 2 files, -3/+6

  This will allow tests to be written to confirm the correct events are
  triggered.

  We pass in a messaging context from the callers

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* auth: Log the transport connection for the authorization
  Andrew Bartlett, 2017-03-29, 1 file, -0/+1

  We also log if a simple bind was over TLS, as this particular case
  matters to a lot of folks

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s3-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)
  Andrew Bartlett, 2017-03-29, 1 file, -10/+34

  gensec_session_info() is not called for bare NTLM, so we have to log
  manually

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* rpc: Always supply both the remote and local address to the auth subsystem
  Gary Lockyer, 2017-03-29, 4 files, -3/+32

  This ensures that gensec, and then the NTLM auth subsystem under it,
  always gets the remote and local address pointers for potential logging.

  The local address allows us to know which interface an authentication
  is on

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Always supply both the remote and local address to the auth subsystem
  Andrew Bartlett, 2017-03-29, 2 files, -1/+11

  This ensures that gensec, and then the NTLM auth subsystem under it,
  always gets the remote and local address pointers for potential logging.

  The local address allows us to know which interface an authentication
  is on

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Generate a human readable Authentication log message.
  Gary Lockyer, 2017-03-29, 1 file, -1/+17

  Add a human readable authentication log line, to allow verification
  that all required details are being passed.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* s3-auth: Split out get_user_sid_info3_and_extra() from create_local_nt_token_from_info3()
  Andrew Bartlett, 2017-03-29, 2 files, -15/+29

  This will allow us to get the SID in another location for logging

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Add a reminder about the strings currently used for auditing
  Andrew Bartlett, 2017-03-29, 1 file, -0/+4

  We will soon have a much better replacement, but a note here may help
  some in the transition

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Fill in user_info->service_description from all callers
  Andrew Bartlett, 2017-03-29, 4 files, -5/+28

  This will allow the logging code to make clear which protocol an
  authentication was for.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* s3-auth: Pass service_description into gensec via auth_generic_prepare()
  Andrew Bartlett, 2017-03-29, 2 files, -0/+10

  This allows the GENSEC service description to be set from the various
  callers that go via this function.

  The RPC service description is the name of the interface from the IDL.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth
  Andrew Bartlett, 2017-03-27, 1 file, -1/+2

  So far this is only on the AD DC

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth3: handle ROLE_ACTIVE_DIRECTORY_DC before lp_auth_methods() in make_auth_context_subsystem()
  Stefan Metzmacher, 2017-03-24, 1 file, -4/+9

  "auth methods" never works as AD DC at all, so there's not really
  a change. This allows us to implement "auth methods" (temporary)
  for the auth4 stack.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling
  Stefan Metzmacher, 2017-03-24, 3 files, -8/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth3: only use "[samba4:]sam" in make_auth3_context_for_winbind()
  Stefan Metzmacher, 2017-03-24, 1 file, -1/+18

  This makes the USER_INFO_LOCAL_SAM_ONLY and AUTH_METHOD_LOCAL_SAM
  interaction obsolete.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>