Merge 2610c05b5b95cc7036b3d6dfb894c6cfbdb68483 as Samba-4.0alpha16

10 files changed, 53 insertions, 88 deletions

diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index e2deab78bc..d2464c3cbf 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -31,7 +31,7 @@
 /***************************************************************************
  Set a fixed challenge
 ***************************************************************************/
-_PUBLIC_ NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by) 
+_PUBLIC_ NTSTATUS auth_context_set_challenge(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by) 
 {
 	auth_ctx->challenge.set_by = talloc_strdup(auth_ctx, set_by);
 	NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.set_by);
@@ -45,7 +45,7 @@ _PUBLIC_ NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, cons
 /***************************************************************************
  Set a fixed challenge
 ***************************************************************************/
-_PUBLIC_ bool auth_challenge_may_be_modified(struct auth_context *auth_ctx)
+_PUBLIC_ bool auth_challenge_may_be_modified(struct auth4_context *auth_ctx)
 {
 	return auth_ctx->challenge.may_be_modified;
 }
@@ -54,7 +54,7 @@ _PUBLIC_ bool auth_challenge_may_be_modified(struct auth_context *auth_ctx)
  Try to get a challenge out of the various authentication modules.
  Returns a const char of length 8 bytes.
 ****************************************************************************/
-_PUBLIC_ NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, uint8_t chal[8])
+_PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t chal[8])
 {
 	NTSTATUS nt_status;
 	struct auth_method_context *method;
@@ -104,7 +104,7 @@ PAC isn't available, and for tokenGroups in the DSDB stack.
  Supply either a principal or a DN
 ****************************************************************************/
 _PUBLIC_ NTSTATUS auth_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
-						 struct auth_context *auth_ctx,
+						 struct auth4_context *auth_ctx,
 						 const char *principal,
 						 struct ldb_dn *user_dn,
 						 struct auth_user_info_dc **user_info_dc)
@@ -155,7 +155,7 @@ _PUBLIC_ NTSTATUS auth_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
  *
  **/
 
-_PUBLIC_ NTSTATUS auth_check_password(struct auth_context *auth_ctx,
+_PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
 			     TALLOC_CTX *mem_ctx,
 			     const struct auth_usersupplied_info *user_info, 
 			     struct auth_user_info_dc **user_info_dc)
@@ -188,7 +188,7 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth_context *auth_ctx,
 }
 
 struct auth_check_password_state {
-	struct auth_context *auth_ctx;
+	struct auth4_context *auth_ctx;
 	const struct auth_usersupplied_info *user_info;
 	struct auth_user_info_dc *user_info_dc;
 	struct auth_method_context *method;
@@ -225,7 +225,7 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
 
 _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
 				struct tevent_context *ev,
-				struct auth_context *auth_ctx,
+				struct auth4_context *auth_ctx,
 				const struct auth_usersupplied_info *user_info)
 {
 	struct tevent_req *req;
@@ -409,7 +409,7 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
 /* Wrapper because we don't want to expose all callers to needing to
  * know that session_info is generated from the main ldb */
 static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
-						   struct auth_context *auth_context,
+						   struct auth4_context *auth_context,
 						   struct auth_user_info_dc *user_info_dc,
 						   uint32_t session_info_flags,
 						   struct auth_session_info **session_info)
@@ -425,13 +425,13 @@ static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
 ***************************************************************************/
 _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods, 
 					      struct tevent_context *ev,
-					      struct messaging_context *msg,
+					      struct imessaging_context *msg,
 					      struct loadparm_context *lp_ctx,
 					      struct ldb_context *sam_ctx,
-					      struct auth_context **auth_ctx)
+					      struct auth4_context **auth_ctx)
 {
 	int i;
-	struct auth_context *ctx;
+	struct auth4_context *ctx;
 
 	auth4_init();
 
@@ -440,7 +440,7 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
 		return NT_STATUS_INTERNAL_ERROR;
 	}
 
-	ctx = talloc(mem_ctx, struct auth_context);
+	ctx = talloc(mem_ctx, struct auth4_context);
 	NT_STATUS_HAVE_NO_MEMORY(ctx);
 	ctx->challenge.set_by		= NULL;
 	ctx->challenge.may_be_modified	= false;
@@ -487,19 +487,21 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
 
 const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
 {
-	const char **auth_methods = NULL;
+	char **auth_methods = NULL;
+
 	switch (lpcfg_server_role(lp_ctx)) {
 	case ROLE_STANDALONE:
-		auth_methods = lpcfg_parm_string_list(mem_ctx, lp_ctx, NULL, "auth methods", "standalone", NULL);
+		auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain", NULL);
 		break;
 	case ROLE_DOMAIN_MEMBER:
-		auth_methods = lpcfg_parm_string_list(mem_ctx, lp_ctx, NULL, "auth methods", "member server", NULL);
+		auth_methods = str_list_make(mem_ctx, "anonymous sam winbind", NULL);
 		break;
-	case ROLE_DOMAIN_CONTROLLER:
-		auth_methods = lpcfg_parm_string_list(mem_ctx, lp_ctx, NULL, "auth methods", "domain controller", NULL);
+	case ROLE_DOMAIN_BDC:
+	case ROLE_DOMAIN_PDC:
+		auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind", NULL);
 		break;
 	}
-	return auth_methods;
+	return (const char **) auth_methods;
 }
 
 /***************************************************************************
@@ -508,9 +510,9 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
 ***************************************************************************/
 _PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
 			     struct tevent_context *ev,
-			     struct messaging_context *msg,
+			     struct imessaging_context *msg,
 			     struct loadparm_context *lp_ctx,
-			     struct auth_context **auth_ctx)
+			     struct auth4_context **auth_ctx)
 {
 	NTSTATUS status;
 	const char **auth_methods;
@@ -533,7 +535,7 @@ _PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
    This allows us not to re-open the LDB when we need to do a some authentication logic (such as tokenGroups)
 
  */
-NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct auth_context **auth_ctx)
+NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct auth4_context **auth_ctx)
 {
 	NTSTATUS status;
 	const char **auth_methods;
@@ -620,10 +622,10 @@ const struct auth_operations *auth_backend_byname(const char *name)
 const struct auth_critical_sizes *auth_interface_version(void)
 {
 	static const struct auth_critical_sizes critical_sizes = {
-		AUTH_INTERFACE_VERSION,
+		AUTH4_INTERFACE_VERSION,
 		sizeof(struct auth_operations),
 		sizeof(struct auth_method_context),
-		sizeof(struct auth_context),
+		sizeof(struct auth4_context),
 		sizeof(struct auth_usersupplied_info),
 		sizeof(struct auth_user_info_dc)
 	};
diff --git a/source4/auth/ntlm/auth_anonymous.c b/source4/auth/ntlm/auth_anonymous.c
index 6b21225aad..4b0fff03cc 100644
--- a/source4/auth/ntlm/auth_anonymous.c
+++ b/source4/auth/ntlm/auth_anonymous.c
@@ -24,7 +24,7 @@
 #include "auth/ntlm/auth_proto.h"
 #include "param/param.h"
 
-_PUBLIC_ NTSTATUS auth_anonymous_init(void);
+_PUBLIC_ NTSTATUS auth4_anonymous_init(void);
 
 /**
  * Return a anonymous logon for anonymous users (username = "")
@@ -66,7 +66,7 @@ static const struct auth_operations anonymous_auth_ops = {
 	.check_password	= anonymous_check_password
 };
 
-_PUBLIC_ NTSTATUS auth_anonymous_init(void)
+_PUBLIC_ NTSTATUS auth4_anonymous_init(void)
 {
 	NTSTATUS ret;
 
diff --git a/source4/auth/ntlm/auth_developer.c b/source4/auth/ntlm/auth_developer.c
index da842c98ba..bc27f27fa2 100644
--- a/source4/auth/ntlm/auth_developer.c
+++ b/source4/auth/ntlm/auth_developer.c
@@ -24,7 +24,7 @@
 #include "auth/ntlm/auth_proto.h"
 #include "libcli/security/security.h"
 
-_PUBLIC_ NTSTATUS auth_developer_init(void);
+_PUBLIC_ NTSTATUS auth4_developer_init(void);
 
 static NTSTATUS name_to_ntstatus_want_check(struct auth_method_context *ctx,
 			      		    TALLOC_CTX *mem_ctx,
@@ -185,7 +185,7 @@ static const struct auth_operations fixed_challenge_auth_ops = {
 	.check_password	= fixed_challenge_check_password
 };
 
-_PUBLIC_ NTSTATUS auth_developer_init(void)
+_PUBLIC_ NTSTATUS auth4_developer_init(void)
 {
 	NTSTATUS ret;
 
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index f76057a6df..87a7d27559 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -72,7 +72,7 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *
  Do a specific test for an smb password being correct, given a smb_password and
  the lanman and NT responses.
 ****************************************************************************/
-static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
+static NTSTATUS authsam_password_ok(struct auth4_context *auth_context,
 				    TALLOC_CTX *mem_ctx,
 				    uint16_t acct_flags,
 				    const struct samr_Password *lm_pwd, 
@@ -142,7 +142,7 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
   send a message to the drepl server telling it to initiate a
   REPL_SECRET getncchanges extended op to fetch the users secrets
  */
-static void auth_sam_trigger_repl_secret(TALLOC_CTX *mem_ctx, struct auth_context *auth_context,
+static void auth_sam_trigger_repl_secret(TALLOC_CTX *mem_ctx, struct auth4_context *auth_context,
 					 struct ldb_dn *user_dn)
 {
 	struct dcerpc_binding_handle *irpc_handle;
@@ -170,7 +170,7 @@ static void auth_sam_trigger_repl_secret(TALLOC_CTX *mem_ctx, struct auth_contex
 }
 
 
-static NTSTATUS authsam_authenticate(struct auth_context *auth_context, 
+static NTSTATUS authsam_authenticate(struct auth4_context *auth_context, 
 				     TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, 
 				     struct ldb_dn *domain_dn,
 				     struct ldb_message *msg,
@@ -357,7 +357,7 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 				   
 /* Wrapper for the auth subsystem pointer */
 static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
-							  struct auth_context *auth_context,
+							  struct auth4_context *auth_context,
 							  const char *principal,
 							  struct ldb_dn *user_dn,
 							  struct auth_user_info_dc **user_info_dc)
@@ -381,7 +381,7 @@ static const struct auth_operations sam_ops = {
 	.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper
 };
 
-_PUBLIC_ NTSTATUS auth_sam_init(void)
+_PUBLIC_ NTSTATUS auth4_sam_init(void)
 {
 	NTSTATUS ret;
 
diff --git a/source4/auth/ntlm/auth_server.c b/source4/auth/ntlm/auth_server.c
index 7efeb9242a..9e1ceae0ca 100644
--- a/source4/auth/ntlm/auth_server.c
+++ b/source4/auth/ntlm/auth_server.c
@@ -27,7 +27,7 @@
 #include "param/param.h"
 #include "libcli/resolve/resolve.h"
 
-_PUBLIC_ NTSTATUS auth_server_init(void);
+_PUBLIC_ NTSTATUS auth4_server_init(void);
 
 /* This version of 'security=server' rewirtten from scratch for Samba4
  * libraries in 2008 */
@@ -223,7 +223,7 @@ static const struct auth_operations server_auth_ops = {
 	.check_password	= server_check_password
 };
 
-_PUBLIC_ NTSTATUS auth_server_init(void)
+_PUBLIC_ NTSTATUS auth4_server_init(void)
 {
 	NTSTATUS ret;
 
diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index 75eabe855b..241906e281 100644
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -30,7 +30,7 @@
 */
 _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
 					   struct tevent_context *ev,
-					   struct messaging_context *msg,
+					   struct imessaging_context *msg,
 					   struct loadparm_context *lp_ctx,
 					   const char *nt4_domain,
 					   const char *nt4_username,
@@ -38,7 +38,7 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
 					   const uint32_t logon_parameters,
 					   struct auth_session_info **session_info) 
 {
-	struct auth_context *auth_context;
+	struct auth4_context *auth_context;
 	struct auth_usersupplied_info *user_info;
 	struct auth_user_info_dc *user_info_dc;
 	NTSTATUS nt_status;
diff --git a/source4/auth/ntlm/auth_unix.c b/source4/auth/ntlm/auth_unix.c
index 743cb8103d..d79ebc1772 100644
--- a/source4/auth/ntlm/auth_unix.c
+++ b/source4/auth/ntlm/auth_unix.c
@@ -28,7 +28,7 @@
 #include "../libcli/auth/pam_errors.h"
 #include "param/param.h"
 
-_PUBLIC_ NTSTATUS auth_unix_init(void);
+_PUBLIC_ NTSTATUS auth4_unix_init(void);
 
 /* TODO: look at how to best fill in parms retrieveing a struct passwd info
  * except in case USER_INFO_DONT_CHECK_UNIX_ACCOUNT is set
@@ -607,12 +607,10 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, struct loadparm_context *lp
 {
 	char *username;
 	char *password;
-	char *pwcopy;
 	char *salt;
 	char *crypted;
 	struct passwd *pws;
 	NTSTATUS nt_status;
-	int level = lpcfg_passwordlevel(lp_ctx);
 
 	*ret_passwd = NULL;
 
@@ -737,46 +735,11 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, struct loadparm_context *lp
 		return nt_status;
 	}
 
-	if ( user_info->flags | USER_INFO_CASE_INSENSITIVE_PASSWORD) {
-		return nt_status;
-	}
-
-	/* if the password was given to us with mixed case then we don't
-	 * need to proceed as we know it hasn't been case modified by the
-	 * client */
-	if (strhasupper(password) && strhaslower(password)) {
-		return nt_status;
-	}
-
-	/* make a copy of it */
-	pwcopy = talloc_strdup(ctx, password);
-	if (!pwcopy)
-		return NT_STATUS_NO_MEMORY;
-
-	/* try all lowercase if it's currently all uppercase */
-	if (strhasupper(pwcopy)) {
-		strlower(pwcopy);
-		nt_status = password_check(username, pwcopy, crypted, salt);
-		if NT_STATUS_IS_OK(nt_status) {
-			*ret_passwd = pws;
-			return nt_status;
-		}
-	}
-
-	/* give up? */
-	if (level < 1) {
-		return NT_STATUS_WRONG_PASSWORD;
-	}
-
-	/* last chance - all combinations of up to level chars upper! */
-	strlower(pwcopy);
+	/* we no longer try different case combinations here. The use
+	 * of this code is now web auth, where trying different case
+	 * combinations makes no sense
+	 */
 
-#if 0
-        if (NT_STATUS_IS_OK(nt_status = string_combinations(pwcopy, password_check, level))) {
-		*ret_passwd = pws;
-		return nt_status;
-	}
-#endif   
 	return NT_STATUS_WRONG_PASSWORD;
 }
 
@@ -839,7 +802,7 @@ static const struct auth_operations unix_ops = {
 	.check_password	= authunix_check_password
 };
 
-_PUBLIC_ NTSTATUS auth_unix_init(void)
+_PUBLIC_ NTSTATUS auth4_unix_init(void)
 {
 	NTSTATUS ret;
 
diff --git a/source4/auth/ntlm/auth_util.c b/source4/auth/ntlm/auth_util.c
index 17bfa32167..c19b5cfd42 100644
--- a/source4/auth/ntlm/auth_util.c
+++ b/source4/auth/ntlm/auth_util.c
@@ -99,7 +99,7 @@ NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
  Create an auth_usersupplied_data structure after appropriate mapping.
 ****************************************************************************/
 
-NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, 
+NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth4_context *auth_context, 
 			   enum auth_password_state to_state,
 			   const struct auth_usersupplied_info *user_info_in,
 			   const struct auth_usersupplied_info **user_info_encrypted)
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index dfb8fce2a6..da152e718a 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -31,7 +31,7 @@
 #include "nsswitch/libwbclient/wbclient.h"
 #include "libcli/security/security.h"
 
-_PUBLIC_ NTSTATUS auth_winbind_init(void);
+_PUBLIC_ NTSTATUS auth4_winbind_init(void);
 
 static NTSTATUS get_info3_from_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
 					       struct wbcAuthUserInfo *info,
@@ -324,7 +324,7 @@ static const struct auth_operations winbind_wbclient_ops = {
 	.check_password	= winbind_check_password_wbclient
 };
 
-_PUBLIC_ NTSTATUS auth_winbind_init(void)
+_PUBLIC_ NTSTATUS auth4_winbind_init(void)
 {
 	NTSTATUS ret;
 
diff --git a/source4/auth/ntlm/wscript_build b/source4/auth/ntlm/wscript_build
index 2ac2773c85..d954ec0086 100644
--- a/source4/auth/ntlm/wscript_build
+++ b/source4/auth/ntlm/wscript_build
@@ -3,7 +3,7 @@
 bld.SAMBA_MODULE('auth4_sam_module',
 	source='auth_sam.c',
 	subsystem='auth4',
-	init_function='auth_sam_init',
+	init_function='auth4_sam_init',
 	deps='samdb auth4_sam NTLMSSP_COMMON samba-hostconfig'
 	)
 
@@ -11,7 +11,7 @@ bld.SAMBA_MODULE('auth4_sam_module',
 bld.SAMBA_MODULE('auth4_anonymous',
 	source='auth_anonymous.c',
 	subsystem='auth4',
-	init_function='auth_anonymous_init',
+	init_function='auth4_anonymous_init',
 	deps='talloc'
 	)
 
@@ -19,7 +19,7 @@ bld.SAMBA_MODULE('auth4_anonymous',
 bld.SAMBA_MODULE('auth4_server',
 	source='auth_server.c',
 	subsystem='auth4',
-	init_function='auth_server_init',
+	init_function='auth4_server_init',
 	deps='samba-util LIBCLI_SMB CREDENTIALS_NTLM'
 	)
 
@@ -27,7 +27,7 @@ bld.SAMBA_MODULE('auth4_server',
 bld.SAMBA_MODULE('auth4_winbind',
 	source='auth_winbind.c',
 	subsystem='auth4',
-	init_function='auth_winbind_init',
+	init_function='auth4_winbind_init',
 	deps='RPC_NDR_WINBIND MESSAGING wbclient'
 	)
 
@@ -35,7 +35,7 @@ bld.SAMBA_MODULE('auth4_winbind',
 bld.SAMBA_MODULE('auth4_developer',
 	source='auth_developer.c',
 	subsystem='auth4',
-	init_function='auth_developer_init',
+	init_function='auth4_developer_init',
 	deps='talloc'
 	)
 
@@ -43,7 +43,7 @@ bld.SAMBA_MODULE('auth4_developer',
 bld.SAMBA_MODULE('auth4_unix',
 	source='auth_unix.c',
 	subsystem='auth4',
-	init_function='auth_unix_init',
+	init_function='auth4_unix_init',
 	deps='pam PAM_ERRORS LIBTSOCKET'
 	)