path: root/source3/auth
Commit log (each entry: commit message, then author, date, files changed, lines -removed/+added)

* s3-smbd: Create a shortcut for building the token of a user by SID for posix_acls
  Andrew Bartlett, 2012-08-10, 2 files, -47/+143

  When a user owns a file, but does not have specific permissions on that file, we need to make up the user permissions.

  This change ensures that the first thing that we do is to look up the SID, and confirm it is a user. Then, we avoid the getpwnam() and directly create the token via the SID.

  Andrew Bartlett
  Signed-off-by: Jeremy Allison <jra@samba.org>

* Correctly check for errors in strlower_m() returns.
  Jeremy Allison, 2012-08-09, 5 files, -7/+17

* Check error returns from strupper_m() (in all reasonable places).
  Jeremy Allison, 2012-08-09, 1 file, -1/+3

* lib/param: Move all enum declarations to lib/param
  Andrew Bartlett, 2012-07-24, 3 files, -0/+3

  This is in preparation for the parameter table being made common.

  Andrew Bartlett
  Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>

* s3-auth Use correct RID for domain guests primary group
  Andrew Bartlett, 2012-07-19, 1 file, -1/+1

  This was incorrect in commit 9dd7e7fc2d6d1aa7f3c3b741ac134e087ce808fd as the RID was from the BUILTIN domain, but this creates a guest account token for the real domain.

  Andrew Bartlett
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Jul 19 05:56:28 CEST 2012 on sn-devel-104

* Revert "s3:auth make sure the primary group sid is usable"
  Andrew Bartlett, 2012-07-19, 1 file, -30/+13

  This reverts commit 00089fd74af740f832573d904312854e494a869e.

  The issue with this patch, which I did sign off on, is that for the domain member case, we already know that the SID is reasonable and valid, and we indeed rely on that, because we keep it as an additional group anyway.

  The primary group is not so special that we need to do extra validation. Calling this function may put a user into the domain 'domain users' group, even if they are not in that group to start with.

  Andrew Bartlett

* loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *.
  Rusty Russell, 2012-07-18, 3 files, -7/+7

  They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to use talloc_tos(). A simple patch, but hits a lot of files.

  Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

* s3-auth_samba4: Explain that check_samba4_security is actually unused
  Andrew Bartlett, 2012-07-13, 1 file, -0/+10

  Because of the evolution in the way the auth handling has been done, we do not need this code any more. Raw NTLM Session setup & X is done via the auth4 context which returns a full session info.

  Andrew Bartlett
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Fri Jul 13 10:04:05 CEST 2012 on sn-devel-104

* s3-auth Remove unused global_machine_account_needs_changing
  Andrew Bartlett, 2012-07-13, 1 file, -66/+0

  This boolean was only set if the old machine account store (with an MD4 hash in it) was returned. We have not set that password type for years.

  If this call ever worked, it would store a plaintext password, so we could only ever be here if we had set a password using a version of Samba so old as not to store plaintext, and then never honored the flag anyway.

  Andrew Bartlett
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Fri Jul 13 07:52:40 CEST 2012 on sn-devel-104

* s3-auth Remove confusing reference to global_machine_password_needs_changing
  Andrew Bartlett, 2012-07-13, 1 file, -8/+0

  This is in the trusted domain codepath, not the primary domain code path.

  Andrew Bartlett

* s3: rename sid_check_is_in_our_domain() to sid_check_is_in_our_sam()
  Michael Adam, 2012-07-12, 1 file, -1/+1

  This does not check whether the given sid is in our domain, but whether it belongs to the local sam, which is a different thing on a domain member server.

  Autobuild-User(master): Michael Adam <obnox@samba.org>
  Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104

* auth: Common function for retrieving PAC_LOGIN_INFO from PAC
  Christof Schmitt, 2012-07-06, 1 file, -26/+2

  Several functions use the same logic as kerberos_pac_logon_info. Move kerberos_pac_logon_info to common code and reuse it to remove the code duplication.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>

* auth: Remove .get_challenge (only used for security=server)
  Andrew Bartlett, 2012-07-03, 4 files, -116/+6

  With NTLMSSP, for NTLM2 we need to be able to set the effective challenge, so if we ever did use a module that needed this functionality, we would downgrade to just NTLM. Now that security=server has been removed, we have no such module.

  This will make it easier to make the auth subsystem async, as we will not need to consider making .get_challenge async.

  Andrew Bartlett

* s3-param: Rename loadparm_s3_context -> loadparm_s3_helpers
  Andrew Bartlett, 2012-06-27, 2 files, -4/+4

  This helps clarify the role of this structure and wrapper function. The purpose here is to provide helper functions to the lib/param loadparm_context that point back at the s3 lp_ functions.

  This allows a struct loadparm_context to be passed to any point in the code, and always refer to the correct loadparm system. If this has not been set, the variables loaded in the lib/param code will be returned.

  As requested by Michael Adam.

  Andrew Bartlett
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Jun 27 17:11:16 CEST 2012 on sn-devel-104

* s3-auth: make_new_system_info_session() now does not query nss
  Andrew Bartlett, 2012-06-19, 1 file, -1/+3

  This is important in some situations where these queries might be costly LDAP queries and is just not required for the system token.

  This is because the system token should be just the NT AUTHORITY\SYSTEM user and just enough unix info to allow the token to be used.

  Andrew Bartlett
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Tue Jun 19 13:34:28 CEST 2012 on sn-devel-104

* s3-auth: make_new_system_info_session() not query passdb
  Andrew Bartlett, 2012-06-19, 1 file, -47/+39

  This is important in some situations where these queries might be costly LDAP queries and is just not required for the system token.

  This is because the system token should be just the NT AUTHORITY\SYSTEM user and just enough unix info to allow the token to be used.

  We query only NSS to get the name of sec_initial_uid()

  Signed-off-by: Andreas Schneider <asn@samba.org>

* s3-auth: inline make_session_info functions into only callers
  Andrew Bartlett, 2012-06-19, 1 file, -74/+35

  With the split up to handle system specially, there is no need for these static helper functions any more.

  Andrew Bartlett
  Signed-off-by: Andreas Schneider <asn@samba.org>

* auth: Use only security_token_is_system to determine that a user is SYSTEM
  Andrew Bartlett, 2012-06-19, 1 file, -4/+0

  This removes the duplication on how to detect that a user is system in Samba: now that the smbd system account is also only SID_NT_SYSTEM we can use the same check everywhere.

  Andrew Bartlett
  Signed-off-by: Andreas Schneider <asn@samba.org>

* s3-auth: Fix system token as just being SID_NT_SYSTEM
  Andrew Bartlett, 2012-06-19, 1 file, -0/+3

  This removes the SID matching the sec_initial_uid().

  Andrew Bartlett
  Signed-off-by: Andreas Schneider <asn@samba.org>

* s3-auth: Remove auth_netlogond
  Andrew Bartlett, 2012-06-16, 3 files, -459/+0

  auth_netlogond was an important module in the development of the combined Samba 4.0, and was the first module to link smbd with the AD authentication store, showing that it was possible for NTLM authentication to be offloaded to the AD server components.

  We now have auth_samba4, which provides the full GENSEC stack to smbd, which also matches exactly the group membership and privileges assignment and which is supported and tested as part of the official Samba 4.0 release configuration.

  Andrew Bartlett
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Sat Jun 16 10:13:20 CEST 2012 on sn-devel-104

* s3-auth: rework default auth methods around the lp_server_role() parameter
  Andrew Bartlett, 2012-06-15, 1 file, -17/+23

  To cover all the enum values, ROLE_ACTIVE_DIRECTORY_DOMAIN_CONTROLLER is mapped to the samba4 auth module, and this is no longer required to be specified in fileserver.conf.

  Andrew Bartlett

* s3-auth: Merge SEC_DOMAIN and SEC_ADS cases in creating the default auth module list
  Andrew Bartlett, 2012-06-15, 1 file, -7/+2

* s3-auth: Fix system info3 return to be just SID_NT_SYSTEM
  Andrew Bartlett, 2012-06-15, 1 file, -11/+17

  The SID for the SYSTEM token should be a fixed value, and not the administrator.

  Note however that it will be replaced by the SID of sec_initial_uid() by the create_local_token() code. Fixing this requires fixing the other parts of the code that cannot cope with a token of just SID_NT_SYSTEM.

  Andrew Bartlett

* s3-auth: Fix system token generation not to dereference pointer as an integer
  Andrew Bartlett, 2012-06-15, 1 file, -1/+1

  This continues on from commit caaebb455cf955f66c2f662c53998c480cb2d6c9 which is marked as being part of bug #8944, ldapsam:trusted and ipasam and an additional fix for bug #8567 (0528cb5f3a15b72dcb34ece21a3ffb3e7b8d6eb9).

  The problem here was that the primary_gid was simply the pointer result of dom_sid_parse_talloc() cast to a uint32_t (found by the IRIX cc on the build farm).

  Andrew Bartlett

* s3-auth: Give the SYSTEM token all privileges
  Andrew Bartlett, 2012-06-15, 1 file, -0/+4

* Introduce system MIT krb5 build with --with-system-mitkrb5 option.
  Alexander Bokovoy, 2012-05-23, 1 file, -2/+2

  System MIT krb5 build also enabled by specifying --without-ad-dc

  When --with-system-mitkrb5 (or --without-ad-dc) option is passed to top level configure in WAF build we are trying to detect and use system-wide MIT krb5 libraries. As a result, Samba 4 DC functionality will be disabled due to the fact that it is currently impossible to implement embedded KDC server with MIT krb5.

  Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
    * Samba 4 client libraries and their Python bindings
    * Samba 3 server (smbd, nmbd, winbindd from source3/)
    * Samba 3 client libraries

  In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture. This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.

* s3-auth: Rename to init_system_session_info().
  Andreas Schneider, 2012-05-15, 2 files, -2/+2

  Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date: Tue May 15 13:56:00 CEST 2012 on sn-devel-104

* s3-auth: Don't lookup the system user in pdb.
  Andreas Schneider, 2012-05-15, 1 file, -4/+95

  This fixes bug #8944, ldapsam:trusted and ipasam.

  It is an additional fix for bug #8567 (0528cb5f3a15b72dcb34ece21a3ffb3e7b8d6eb9).

* s3:auth: remove unused auth_server.c
  Stefan Metzmacher, 2012-05-15, 3 files, -500/+0

  metze

* s3-auth: remove "security=server" (deprecated since 3.6)
  Stefan Metzmacher, 2012-05-15, 1 file, -6/+0

  "security=server" has a lot of problems in the world with modern security (ntlmv2 and krb5).

  It was also not very reliable, as it needed a stable connection to the password server for the lifetime of the whole client connection!

  Please use "security=domain" or "security=ads" if you authenticate against remote servers (domain controllers).

  metze

  -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SERVER | | security=server | | | | | | 12 May | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______

* s3:auth/server_info: the primary rid should be in the groups rid array (bug #8798)
  Alejandro Escanero Blanco, 2012-05-09, 1 file, -5/+0

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Wed May 9 19:36:01 CEST 2012 on sn-devel-104

* s3: remove some unused code
  Volker Lendecke, 2012-05-04, 2 files, -28/+0

* s3:passdb: rename sids_to_unix_ids() --> sids_to_unixids() for consistency
  Michael Adam, 2012-05-02, 1 file, -1/+1

* s3-passdb: Use struct unixid in sids_to_unix_ids
  Andrew Bartlett, 2012-05-02, 1 file, -6/+7

  This avoids the union in the struct wbcUnixId and moves us to using only struct unixid internally.

  Andrew Bartlett
  Signed-off-by: Michael Adam <obnox@samba.org>

* s3-auth_samba4: use new_server_id_task() to allocate server id values
  Andrew Bartlett, 2012-04-30, 1 file, -6/+27

  This is rather than just picking a random number out of the air.

  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Mon Apr 30 11:29:34 CEST 2012 on sn-devel-104

* auth-krb: Move pac related util functions in a single place.
  Simo Sorce, 2012-04-12, 1 file, -1/+1

  Signed-off-by: Andreas Schneider <asn@samba.org>

* s3-auth: Order GENSEC mechs by priority, krb5 before NTLMSSP
  Andrew Bartlett, 2012-04-03, 1 file, -2/+3

  Otherwise, really simple clients (such as the current ntlm_auth gss-spnego client) will not select krb5.

  Andrew Bartlett
  Signed-off-by: Stefan Metzmacher <metze@samba.org>

* More strlcat/strlcpy truncate checks.
  Jeremy Allison, 2012-03-30, 1 file, -10/+45

* lib/util: Remove obsolete sys_getpid() and sys_fork().
  Jelmer Vernooij, 2012-03-24, 1 file, -2/+2

  The performance of these is minimal (these days) and they can return invalid results when used as part of applications that do not use sys_fork().

  Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date: Sat Mar 24 21:55:41 CET 2012 on sn-devel-104

* lib/util: Remove dummy wrapper for getpwuid().
  Jelmer Vernooij, 2012-03-24, 1 file, -2/+2

* lib/util: Remove dummy wrapper for getpwnam().
  Jelmer Vernooij, 2012-03-24, 1 file, -2/+2

* s3-krb5: Remove GSS_WRAP_IOV conditional
  Andrew Bartlett, 2012-03-15, 1 file, -1/+1

  We already confirm that we have this functionality before we set HAVE_KRB5 at configure time.

  Andrew Bartlett

* s3-rpc: Decrypt with the proper session key in CreateTrustedDomainEx2.
  Alexander Bokovoy, 2012-03-13, 2 files, -0/+29

  On LSA and SAMR pipes session_key is truncated to 16 bytes when doing encryption/decryption. However, this was not done for trusted domain-related modifying operations. As a result, Samba 4 client libraries do not work against Samba 3 while working against Windows 2008 r2.

  Solved this by introducing "session_extract_session_key()" function that allows the caller to specify the intended use of the key.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date: Tue Mar 13 12:23:44 CET 2012 on sn-devel-104

* s3-auth: Remove single-implementation plugin layer
  Andrew Bartlett, 2012-03-08, 3 files, -11/+48

  The ->get_ntlm_challenge and ->check_ntlm_password elements of struct auth_context were only ever initialised to a single value. Make it easier to follow by just calling the function directly.

  Andrew Bartlett

* s3-auth: Follow auth_ntlmssp and use auth4_context for Session Setup
  Andrew Bartlett, 2012-03-08, 1 file, -10/+10

  This patch ensures consistency in behaviour between NTLMSSP and NTLM session setup handlers.

  By calling the same layer that auth_ntlmssp calls, we can not only allow redirection of all authentication to the AD DC, we ensure that map to guest and username map handling is consistent, even in the file server alone.

  Andrew Bartlett

* s3-auth Add make_session_info_from_pw to avoid multiple getpwnam() calls
  Andrew Bartlett, 2012-03-04, 1 file, -12/+34

* s3-auth: Remove security=share (deprecated since 3.6).
  Andrew Bartlett, 2012-03-04, 4 files, -193/+1

  This patch removes security=share, which Samba implemented by matching the per-share password provided by the client in the Tree Connect with a selection of usernames supplied by the client, the smb.conf or guessed from the environment.

  The rationale for the removal is that for the bulk of security=share users, we just need a very simple way to run a 'trust the network' Samba server, where users mark shares as guest ok. This is still supported, and the smb.conf options are documented at https://wiki.samba.org/index.php/Public_Samba_Server

  At the same time, this closes the door on one of the most arcane areas of Samba authentication.

  Naturally, full user-name/password authentication remains available in security=user and above.

  This includes documentation updates for username and only user, which now only do a small amount of what they used to do.

  Andrew Bartlett

  -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SHARE | | security=share | | | | | | 5 March | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______

* s3-auth: Provide helper routine to check password and return session_info
  Andrew Bartlett, 2012-02-24, 2 files, -0/+31

* auth: Rename some elements of auth4_context
  Andrew Bartlett, 2012-02-24, 1 file, -3/+3

  These operate on NTLM authentication, so make that clear.

  Andrew Bartlett

* s3-auth: Add a way to get an auth4_context from the auth stack
  Andrew Bartlett, 2012-02-24, 4 files, -11/+108

  This will allow us to use the same layer that auth_ntlmssp does in the non-SPNEGO session setup, which will in turn make the authentication code more consistent in the AD server case.

  Andrew Bartlett