path: root/source4/auth/session.c
* auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth (Andrew Bartlett, 2017-03-27; 1 file, -0/+9)
  So far this is only on the AD DC.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* CVE-2014-8143: auth: Force talloc type of session_info pointer to match (Andrew Bartlett, 2015-01-15; 1 file, -0/+5)
  This helps us keep things safe in LDB where we put this in an opaque pointer.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Andrew Bartlett
  Change-Id: I46fe53ba655ca0810c276b72fbca524884cdf22d
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* Remove all uses of the NT_STATUS_NOT_OK_RETURN_AND_FREE macro from the codebase. (Garming Sam, 2014-03-05; 1 file, -1/+4)
  Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow, as they look like normal function calls.
  Change-Id: I421e169275fe323e2b019c6cc5d386289aec07f7
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Remove a number of NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros from the codebase. (Garming Sam, 2014-03-05; 1 file, -9/+36)
  Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow, as they look like normal function calls.
  Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth4: Remove an unused variable (Volker Lendecke, 2013-10-15; 1 file, -1/+0)
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Ensure "authenticated users" is processed for group memberships (Andrew Bartlett, 2013-01-21; 1 file, -5/+39)
  This change moves the addition of "Authenticated Users" from the very end of the token processing to the start.
  The reason is that we need to see if "Authenticated Users" is a member of other builtin groups, just as we would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access" group, which is in turn often used in ACLs on LDAP objects.
  Without this change, the eventual token does not contain S-1-5-32-554 and users other than "Administrator" are unable to read uidNumber (in particular).
  Andrew Bartlett
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
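The ordering point made in the commit above, together with the authentication-method SID S-1-5-64-10 from the first entry in this log and the per-server BUILTIN expansion described further down ("Move BUILTIN group addition into session.c"), as an added Python illustration. This is not Samba's code: the BUILTIN group table, the domain SIDs, and the names LOCAL_GROUPS, build_token and build_token_old are all made up for this example. It shows that appending Authenticated Users after nested-group expansion never reaches a group whose only direct member is S-1-5-11, which is exactly the S-1-5-32-554 case the commit fixes.

```python
"""Toy model of server-side token assembly (added illustration, not Samba code).

The local group table and all domain SIDs below are constructed.
"""

AUTHENTICATED_USERS = "S-1-5-11"      # NT AUTHORITY\Authenticated Users
ANONYMOUS = "S-1-5-7"                 # NT AUTHORITY\ANONYMOUS LOGON
NTLM_AUTHENTICATION = "S-1-5-64-10"   # NT AUTHORITY\NTLM Authentication
PRE_W2K_COMPATIBLE = "S-1-5-32-554"   # BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN_USERS = "S-1-5-32-545"        # BUILTIN\Users
BUILTIN_ADMINS = "S-1-5-32-544"       # BUILTIN\Administrators
DOMAIN_ADMINS = "S-1-5-21-1-2-3-512"  # constructed domain SID, RID 512

# Constructed local SAM: BUILTIN group -> SIDs that are its direct members.
# BUILTIN memberships are not carried in the PAC, so each server has to
# derive them from its own table; here "Pre-Windows 2000 Compatible Access"
# contains Authenticated Users, which is what makes the ordering matter.
LOCAL_GROUPS = {
    PRE_W2K_COMPATIBLE: {AUTHENTICATED_USERS},
    BUILTIN_USERS: {AUTHENTICATED_USERS},
    BUILTIN_ADMINS: {DOMAIN_ADMINS},
}


def expand_nested_groups(seed_sids, groups):
    """Transitive closure over the local group table: a group joins the
    token whenever one of its direct members is already in the token."""
    token = set(seed_sids)
    changed = True
    while changed:
        changed = False
        for group_sid, members in groups.items():
            if group_sid not in token and members & token:
                token.add(group_sid)
                changed = True
    return frozenset(token)


def build_token(user_sid, domain_group_sids, *, ntlm=False, groups=LOCAL_GROUPS):
    """Post-fix ordering: Authenticated Users (and, for NTLM logons, the
    authentication-method SID) are added *before* nested expansion, so
    memberships reached through them are picked up like any other SID.
    Anonymous sessions never receive S-1-5-11."""
    sids = [user_sid, *domain_group_sids]
    if user_sid != ANONYMOUS:
        sids.append(AUTHENTICATED_USERS)
        if ntlm:
            sids.append(NTLM_AUTHENTICATION)
    return expand_nested_groups(sids, groups)


def build_token_old(user_sid, domain_group_sids, groups=LOCAL_GROUPS):
    """Pre-fix ordering: expand first, then tack Authenticated Users on at
    the very end. Groups whose only member is S-1-5-11 are never reached."""
    token = set(expand_nested_groups([user_sid, *domain_group_sids], groups))
    if user_sid != ANONYMOUS:
        token.add(AUTHENTICATED_USERS)
    return frozenset(token)


if __name__ == "__main__":
    user = "S-1-5-21-1-2-3-1104"  # constructed ordinary domain user
    print("old ordering:", sorted(build_token_old(user, [])))
    print("new ordering:", sorted(build_token(user, [], ntlm=True)))
```

For an ordinary user the old ordering yields only the user SID plus S-1-5-11, while the new ordering also yields S-1-5-32-554 and S-1-5-32-545; a Domain Admins member picks up S-1-5-32-544 through the same closure, and an anonymous session gets neither S-1-5-11 nor anything derived from it.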
* auth-session: MIT doesn't have import/export cred yet (Simo Sorce, 2012-05-04; 1 file, -3/+5)
  For now let's just lose this functionality with the MIT build. gss_import/export_cred should be available when MIT 1.11 is released, and this code is used only in some proxy scenario. Not normally needed for common configurations.
* s4-auth Move conversion of security_token to unix_token to auth (Andrew Bartlett, 2011-07-29; 1 file, -1/+1)
  This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag.
  Andrew Bartlett
  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* auth: Move auth_session_info into IDL (Andrew Bartlett, 2011-04-05; 1 file, -27/+13)
  This changes auth_session_info_transport to just be a wrapper, rather than a copy that has to be kept in sync.
  As auth_session_info was already wrapped in python, this required changes to the existing pyauth wrapper and its users.
  Andrew Bartlett
* s4-auth: Always talloc_zero() the struct auth_session_info (Andrew Bartlett, 2011-04-05; 1 file, -1/+1)
* libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport (Andrew Bartlett, 2011-02-10; 1 file, -0/+147)
  This changes the structure being used to convey the current user state from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built structure that matches the internals of the Samba auth subsystem and contains the final group list, as well as the final privilege set and session key.
  These previously had to be re-created on the server side of the pipe each time.
  Andrew Bartlett
  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s4-auth Rework auth subsystem to remove struct auth_serversupplied_info (Andrew Bartlett, 2011-02-09; 1 file, -17/+26)
  This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is maintained into the struct session_info.
  The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results.
  Andrew Bartlett
* s4-auth Remove special case for account_sid from auth_serversupplied_info (Andrew Bartlett, 2011-01-20; 1 file, -83/+29)
  This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc.
  In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids.
  Andrew Bartlett
* s4-auth: fixed status return (Andrew Tridgell, 2011-01-14; 1 file, -1/+1)
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-auth Add function to obtain any user's session_info from a given LDB (Andrew Bartlett, 2011-01-14; 1 file, -0/+39)
  This will be a building block for a tokenGroups test, which can compare against a remote server (in particular the rootDSE) against what we would calculate the tokenGroups to be.
  (this meant moving some parts out of the auth_sam code into the containing library)
  Andrew Bartlett
* s4-auth use new dsdb_expand_nested_groups() (Andrew Bartlett, 2011-01-14; 1 file, -6/+6)
  This isn't quite as good as using tokenGroups, but that is only available for BASE searches, and this isn't how all the callers work at the moment.
  Andrew Bartlett
* s4-auth Ensure that we always copy across domain groups (Andrew Bartlett, 2010-12-21; 1 file, -13/+13)
  Even if we can't calculate the local groups (because we don't have a local SAM to do it with) we still need to include the domain groups in the session_info token.
  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Tue Dec 21 05:56:22 CET 2010 on sn-devel-104
* s4-auth rework session_info handling not to require an auth context (Andrew Bartlett, 2010-12-21; 1 file, -6/+7)
  This reverts a previous move to have this based around the auth subsystem, which just spread auth deps all over unrelated code.
  Andrew Bartlett
* s4-auth Remove event context from privilege database handling (Andrew Bartlett, 2010-12-21; 1 file, -1/+0)
  These local TDB operations can quite safely be handled in a new/nested event context, rather than using the main event context.
  Andrew Bartlett
* s4-auth Remove obsolete comment (Andrew Bartlett, 2010-12-21; 1 file, -7/+0)
  The code that this referred to went away in September with 7dbfeb0dc040889244a1110940af2d070f823374
  Andrew Bartlett
* libcli/security Add debug class to security_token_debug() et al (Andrew Bartlett, 2010-10-12; 1 file, -1/+1)
  This will allow it to replace functions in source3 that use debug classes.
  Andrew Bartlett
* s4-auth: removed unused variable dom_sid (Andrew Tridgell, 2010-09-27; 1 file, -1/+1)
* s4-auth: fixed the SID list for DCs in the PAC (Andrew Tridgell, 2010-09-26; 1 file, -18/+0)
  the S-1-5-9 SID is added in the PAC by the KDC, not on the server that receives the PAC
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Autobuild-User: Andrew Tridgell <tridge@samba.org>
  Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
* s4:auth Avoid doing database lookups for NT AUTHORITY users (Andrew Bartlett, 2010-08-18; 1 file, -108/+116)
* s4-loadparm: 2nd half of lp_ to lpcfg_ conversion (Andrew Tridgell, 2010-07-16; 1 file, -1/+1)
  this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth/session.c - suppress a warning when freeing "group_string" (Matthias Dieter Wallnöfer, 2010-06-30; 1 file, -3/+5)
* s4:auth/session.c - free "group_string" when not needed (Anatoliy Atanasov, 2010-06-30; 1 file, -1/+1)
  Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
* Revert "Add old functionality back which was removed in commit 589a42e2." (Wilco Baan Hofman, 2010-06-20; 1 file, -15/+2)
  This reverts commit 94e3b4a0d8b714c101803886d60ae6c484740d2f.
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
* Add old functionality back which was removed in commit 589a42e2. (Wilco Baan Hofman, 2010-06-20; 1 file, -2/+15)
  Andrew, please review!
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
* s4:auth Remove un-needed headers. (Andrew Bartlett, 2010-05-21; 1 file, -2/+0)
* s4:auth Change auth_generate_session_info to take flags (Andrew Bartlett, 2010-05-20; 1 file, -4/+3)
  This allows us to control what groups should be added in what use cases, and in particular to more carefully control the introduction of the 'authenticated' group.
  In particular, in the 'service_named_pipe' protocol, we do not have control over the addition of the authenticated users group, so we key off 'is this user the anonymous SID'.
  This also takes more care to allocate the right length ptoken->sids
  Andrew Bartlett
* s4:auth Move BUILTIN group addition into session.c (Andrew Bartlett, 2010-05-20; 1 file, -5/+142)
  The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply.
  Andrew Bartlett
* s4:auth Change auth_generate_session_info to take an auth context (Andrew Bartlett, 2010-04-14; 1 file, -7/+6)
  The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and a loadparm context for calculating the local groups too, so re-use that infrastructure we already have in place.
  However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and a generate_session_info() function pointer in the struct auth_context.
  In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply.
  Andrew Bartlett
* s4:auth Remove event context from anonymous_session() (Andrew Bartlett, 2010-04-11; 1 file, -112/+2)
  This should always return a simple structure with no need to consult a DB, so remove the event context, and simplify to call helper functions that don't look at privileges.
  Andrew Bartlett
* s4:auth: move make_server_info_netlogon_validation() function around (Stefan Metzmacher, 2009-01-21; 1 file, -140/+0)
  metze
* s4:lib/tevent: rename structs (Stefan Metzmacher, 2008-12-29; 1 file, -3/+3)
    list=""
    list="$list event_context:tevent_context"
    list="$list fd_event:tevent_fd"
    list="$list timed_event:tevent_timer"
    for s in $list; do
        o=`echo $s | cut -d ':' -f1`
        n=`echo $s | cut -d ':' -f2`
        r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
        files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
        for f in $files; do
            cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
            mv $f.tmp $f
        done
    done
  metze
* Heimdal provides Kerberos PAC parsing routines. Use them. (Andrew Bartlett, 2008-08-28; 1 file, -0/+3)
  This uses Heimdal's PAC parsing code in the:
   - LOCAL-PAC test
   - gensec_gssapi server
   - KDC (where it was already used, the support code refactored from here)
  In addition, the service and KDC checksums are recorded in the struct auth_serversupplied_info, allowing them to be extracted for validation across NETLOGON.
  Andrew Bartlett
  (This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
* Clarify comment (Andrew Bartlett, 2008-08-08; 1 file, -2/+2)
  (This used to be commit 719941e929ddb6fea011fcc0c8c6b91c26e586af)
* Specify event_context to ldb_wrap_connect explicitly. (Jelmer Vernooij, 2008-04-17; 1 file, -2/+6)
  (This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
* Install public header files again and include required prototypes. (Jelmer Vernooij, 2008-04-02; 1 file, -5/+6)
  (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
* r26264: pass name resolve order explicitly, use torture context for settings in dssync tests. (Jelmer Vernooij, 2007-12-21; 1 file, -2/+3)
  (This used to be commit c7eae1c7842f9ff8b70cce9e5d6f3ebbbe78e83b)
* r26260: Store loadparm context in gensec context. (Jelmer Vernooij, 2007-12-21; 1 file, -2/+3)
  (This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081)
* r26250: Avoid global_loadparm in a couple more places. (Jelmer Vernooij, 2007-12-21; 1 file, -4/+8)
  (This used to be commit 2c6b755309fdf685cd0b0564272bf83038574a43)
* r26229: Set loadparm context as opaque pointer in ldb, remove more uses of global_loadparm. (Jelmer Vernooij, 2007-12-21; 1 file, -0/+1)
  (This used to be commit 37d05fdc7b0e6b3211ba6ae56b1b5da30a6a392a)
* r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (Jelmer Vernooij, 2007-12-21; 1 file, -0/+328)
  (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)