Commit log for path: root/source4/auth/auth.h
Each entry gives the commit subject (author, date, files changed, lines -removed/+added), followed by the commit message.
* auth: Provide a way to use the auth stack for winbindd authentication (Andrew Bartlett, 2014-06-11, 1 file, -0/+1)
    This adds in flags that allow winbindd to request authentication without directly calling into the auth_sam module. That in turn will allow winbindd to call auth_samba4 and so permit winbindd operation in the AD DC.
    Andrew Bartlett
    Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Allow auth_samba4 to be forced to run a specific auth module (Andrew Bartlett, 2014-05-16, 1 file, -1/+1)
    This will allow new tests to be written to validate winbindd authentication results.
    Andrew Bartlett
    Change-Id: I008eba1de349b17ee4eb9f11be08338557dffecc
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* auth4: Remove unused wbc_context (Volker Lendecke, 2014-03-05, 1 file, -1/+0)
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Change-Id: I07d9f7d8028429564d91da39f8d1e73cc13a646c
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* Revert "auth4: Remove unused wbc_context" (Volker Lendecke, 2014-02-18, 1 file, -0/+1)
    This reverts commit 6b04558c5e0547a807ac0fcb5eeb1085cfe602ac.
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* auth4: Remove unused wbc_context (Volker Lendecke, 2014-02-10, 1 file, -1/+0)
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Kai Blin <kai@samba.org>
* auth: Remove .get_challenge (only used for security=server) (Andrew Bartlett, 2012-07-03, 1 file, -7/+0)
    With NTLMSSP, for NTLM2 we need to be able to set the effective challenge, so if we ever did use a module that needed this functionality, we would downgrade to just NTLM. Now that security=server has been removed, we have no such module.
    This will make it easier to make the auth subsystem async, as we will not need to consider making .get_challenge async.
    Andrew Bartlett
* auth: Make check_password and generate_session_info hook generic (Andrew Bartlett, 2012-01-30, 1 file, -1/+7)
    gensec_ntlmssp does not need to know the internal form of the struct user_info_dc or auth_serversupplied_info. This will allow the calling logic to be put in common.
    Andrew Bartlett
* gensec: move gensec_util.c to the top level (Andrew Bartlett, 2012-01-11, 1 file, -5/+0)
    To do this some defines need to move to common_auth.h
    Andrew Bartlett
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
* auth: make auth4_context common to provide access to generate_session_info_pac() (Andrew Bartlett, 2012-01-11, 1 file, -52/+0)
    By providing this context, a function pointer for generate_session_info_pac() can be inserted into gensec, allowing the s3 PAC processing in an otherwise more generic gensec module.
    Andrew Bartlett
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s4-auth: Rename memory contexts for greater clarity (Andrew Bartlett, 2011-12-29, 1 file, -1/+1)
    This should better follow the mem_ctx/tmp_ctx pattern used elsewhere in Samba. Thank you Simo for the suggestion.
    Andrew Bartlett
* s4-gensec: Move parsing of the PAC blob and creating the session_info into auth (Andrew Bartlett, 2011-12-29, 1 file, -6/+10)
    This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a separation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context.
    Andrew Bartlett
    Autobuild-User: Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
* s4-auth Remove unused auth_context_create_from_ldb() (Andrew Bartlett, 2011-12-28, 1 file, -1/+0)
* s4-auth Move conversion of security_token to unix_token to auth (Andrew Bartlett, 2011-07-29, 1 file, -0/+2)
    This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag.
    Andrew Bartlett
    Signed-off-by: Andrew Tridgell <tridge@samba.org>
* gensec: Add a way to request a unix token from GENSEC (Andrew Bartlett, 2011-07-29, 1 file, -0/+1)
    Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s4-auth Rename auth -> auth4 to avoid conflict with s3 auth (Andrew Bartlett, 2011-05-08, 1 file, -21/+21)
* s4-auth: remove unused prototype (Andrew Tridgell, 2011-05-08, 1 file, -4/+1)
* s4-messaging Rename messaging -> imessaging (Andrew Bartlett, 2011-05-03, 1 file, -5/+5)
    This avoids symbol and structure conflicts between Samba3 and Samba4, and chooses a less generic name.
    Andrew Bartlett
* Fix public header not to include private (not installed) ones. (Simo Sorce, 2011-03-14, 1 file, -0/+1)
    Autobuild-User: Simo Sorce <idra@samba.org>
    Autobuild-Date: Mon Mar 14 17:01:20 CET 2011 on sn-devel-104
* s4-nterr: move auth_nt_status_squash to nt_status_squash and move to nterr.c (Günther Deschner, 2011-03-04, 1 file, -1/+0)
    Guenther
* s4-auth Move libcli/security/session.c to the top level (Andrew Bartlett, 2011-02-22, 1 file, -0/+1)
    This code is now useful in common, as the elements of the auth_session_info structure have now been defined in common IDL.
    Andrew Bartlett
* s4-auth: rename 'auth' subsystem to 'auth4' (Andrew Tridgell, 2011-02-18, 1 file, -1/+1)
    This prevents conflicts with the s3 auth modules. The auth modules in samba3 may appear in production smb.conf files, so it is preferable to rename the s4 modules for minimal disruption.
    Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-auth Rework auth subsystem to remove struct auth_serversupplied_info (Andrew Bartlett, 2011-02-09, 1 file, -57/+22)
    This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is maintained into the struct session_info.
    The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results.
    Andrew Bartlett
* s4-auth Add auth.idl to encode auth subsystem structures in IDL (Andrew Bartlett, 2011-02-09, 1 file, -0/+1)
    This is not only a useful way to encode stuff, it also allows python to handle the structures, and naturally allows them to be NDR encoded.
    Andrew Bartlett
* s4-auth Remove special case for account_sid from auth_serversupplied_info (Andrew Bartlett, 2011-01-20, 1 file, -5/+2)
    This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc.
    In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids.
    Andrew Bartlett
* s4-auth Extend python bindings to allow ldb and message to be specified (Andrew Bartlett, 2011-01-18, 1 file, -0/+1)
    This will allow for some more tokenGroups tests in future.
    Andrew Bartlett
* s4-auth Remove duplicate copies of session_info creation code (Andrew Bartlett, 2010-12-21, 1 file, -2/+3)
    We now just do or do not call into LDB based on some flags. This means there may be some more link time dependencies, but we seem to deal with those better now.
    Andrew Bartlett
* s4/auth: Add logon_parameters to authenticate_username_pw (Anatoliy Atanasov, 2010-11-05, 1 file, -7/+8)
    We need to be able to set the logon parameters in the same way as in the ntlm server so we can handle openldap simple authentication call correctly.
    Autobuild-User: Anatoliy Atanasov <anatoliy@samba.org>
    Autobuild-Date: Fri Nov 5 06:32:43 UTC 2010 on sn-devel-104
* s4-auth: fixed the SID list for DCs in the PAC (Andrew Tridgell, 2010-09-26, 1 file, -1/+0)
    The S-1-5-9 SID is added in the PAC by the KDC, not on the server that receives the PAC.
    Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Autobuild-User: Andrew Tridgell <tridge@samba.org>
    Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
* s4:auth Move struct auth_usersupplied_info to a common location (Andrew Bartlett, 2010-08-14, 1 file, -42/+1)
    This also changes the calling convention slightly - we should always allocate this with talloc_zero() to allow some elements to be optional. Some elements may only make sense in Samba3, which I hope will use this common structure.
    Andrew Bartlett
* s4:auth Change auth_generate_session_info to take flags (Andrew Bartlett, 2010-05-20, 1 file, -0/+5)
    This allows us to control what groups should be added in what use cases, and in particular to more carefully control the introduction of the 'authenticated' group.
    In particular, in the 'service_named_pipe' protocol, we do not have control over the addition of the authenticated users group, so we key off 'is this user the anonymous SID'.
    This also takes more care to allocate the right length ptoken->sids
    Andrew Bartlett
* s4:auth Add dependency from the operational module onto auth (Andrew Bartlett, 2010-05-20, 1 file, -0/+1)
    We had to split up the auth module into a module loaded by the main daemon and a subsystem we manually init in the operational module.
    Andrew Bartlett
* s4:auth Allow the operational module to get a user's tokenGroups from auth (Andrew Bartlett, 2010-05-20, 1 file, -4/+9)
    This creates a new interface to the auth subsystem, to allow an auth_context to be created from the ldb, and then tokenGroups to be calculated in the same way that the auth subsystem would.
    Andrew Bartlett
* s4:auth Move BUILTIN group addition into session.c (Andrew Bartlett, 2010-05-20, 1 file, -5/+3)
    The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply.
    Andrew Bartlett
* s4:auth Change auth_generate_session_info to take an auth context (Andrew Bartlett, 2010-04-14, 1 file, -0/+8)
    The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and a loadparm context for calculating the local groups too, so re-use that infrastructure we already have in place.
    However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and a generate_session_info() function pointer in the struct auth_context.
    In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply.
    Andrew Bartlett
* s4:sam.c - make "authsam_expand_nested_groups" public (Matthias Dieter Wallnöfer, 2010-03-04, 1 file, -0/+6)
    This is needed by the "tokenGroups" work in the operational LDB module.
* Spelling fixes for source4/auth. (Brad Hards, 2010-02-22, 1 file, -2/+2)
    The comment for USER_INFO_INTERACTIVE_LOGON looks like a cut-n-paste from the line above.
    Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
* Strip trailing spaces (Simo Sorce, 2010-01-12, 1 file, -20/+20)
* s4:auth: add auth_get_server_info_principal() prototype to auth.h (Stefan Metzmacher, 2009-12-29, 1 file, -0/+5)
    metze
* s4:auth: make auth_challenge_may_be_modified() public (Stefan Metzmacher, 2009-12-29, 1 file, -1/+1)
    metze
* s4:auth: change auth_check_password_send/recv to tevent_req (Stefan Metzmacher, 2009-12-24, 1 file, -5/+7)
    metze
* s4:auth Change 'get_challenge' API to be more like Samba3 (Andrew Bartlett, 2009-12-22, 1 file, -3/+3)
    It is just easier to fill in the known to be 8 byte challenge than stuff about with allocated pointers.
    Andrew Bartlett
* s4-gensec: Replace gensec_get_peer_addr with new tsocket based fn. (Andreas Schneider, 2009-12-16, 1 file, -1/+1)
* s4-dsdb: create a static system_session context (Andrew Tridgell, 2009-10-23, 1 file, -1/+1)
    This patch adds a system_session cache, preventing us from having to recreate it on every ldb open, and allowing us to detect when the same session is being used in ldb_wrap.
* s4:kdc Rework KDC to pull in less attributes for krbtgt lookups (Andrew Bartlett, 2009-07-17, 1 file, -0/+2)
    Each attribute we request from LDB comes with a small cost, so don't look up any more than we must for the (very) frequent krbtgt lookup case.
    Similarly, we don't need to build a PAC for a server (as a target), so don't ask for the PAC attributes here either.
    Andrew Bartlett
* s4:kdc Allow a password change when the password is expired (Andrew Bartlett, 2009-06-18, 1 file, -1/+2)
    This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future).
    The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw
    Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on.
    Andrew Bartlett
* Don't use crossRef records to find our own domain (Andrew Bartlett, 2009-05-26, 1 file, -3/+5)
    A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() works correctly.
    Andrew Bartlett
* Push sam_get_server_info_principal into the auth subsystem (Andrew Bartlett, 2009-02-13, 1 file, -1/+11)
    This means it must be accessed via the supplied auth_context in the GENSEC server, and should remove the hard dependency of GENSEC on the auth subsystem and ldb (allowing LDB not to rely on LDB is considered a good thing, apparently)
    Andrew Bartlett
* Remove auth/ntlm as a dependency of GENSEC by means of function pointers. (Andrew Bartlett, 2009-02-13, 1 file, -0/+24)
    When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements.
    This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code.
    Andrew Bartlett
* s4:lib/tevent: rename structs (Stefan Metzmacher, 2008-12-29, 1 file, -4/+4)
    list=""
    list="$list event_context:tevent_context"
    list="$list fd_event:tevent_fd"
    list="$list timed_event:tevent_timer"
    for s in $list; do
        o=`echo $s | cut -d ':' -f1`
        n=`echo $s | cut -d ':' -f2`
        r=`git grep "struct $o" | cut -d ':' -f1 | sort -u`
        files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
        for f in $files; do
            cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
            mv $f.tmp $f
        done
    done
    metze
* s4:kdc: allow a trusted domain to get kerberos tickets (Stefan Metzmacher, 2008-12-04, 1 file, -1/+2)
    metze