summaryrefslogtreecommitdiff
path: root/source3/auth/auth_domain.c
AgeCommit message (Collapse)AuthorFilesLines
2004-01-06(merge from 3.0)Andrew Bartlett1-2/+5
Change our Domain controller lookup routines to more carefully seperate DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 4c3bd0a99e464198d243da302ff1868189b4dcff)
2003-09-09sync 3.0 into HEAD for the last timeGerald Carter1-3/+0
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
2003-08-02port latest changes from SAMBA_3_0 treeSimo Sorce1-2/+2
(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)
2003-07-16trying to get HEAD building again. If you want the codeGerald Carter1-220/+76
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE (This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
2003-04-28Use NTSTATUS as return value for smb_register_*() functions and init_module()Jelmer Vernooij1-4/+4
function. Patch by metze with some minor modifications. (This used to be commit f4576757d1d52a8f1b96894c869bb76450003fd1)
2003-04-16Store the type of 'sec channel' that we establish to the DC. If we are aAndrew Bartlett1-2/+8
workstation, we have to use the workstation type, if we have a BDC account, we must use the BDC type - even if we are pretending to be a workstation at the moment. Also actually store and retreive the last change time, so we can do periodic password changes again (for RPC at least). And finally, a couple of minor fixes to 'net'. Andrew Bartlett (This used to be commit 6e6b7b79edae3efd0197651e9a8ce6775c001cf2)
2003-04-02Map a useless error code to a useful one...Andrew Bartlett1-0/+5
(This used to be commit 1afb2695a020424d014c4dee9c6a73620281aaa8)
2003-03-25- Support building all auth modules as .so'sJelmer Vernooij1-1/+1
- Change 2 variable names to avoid conflicts (patch by Stephan Kulow <coolo@kde.org>) (This used to be commit 71b05cd14ae6df8340730e7bad1c783dc278c5d3)
2003-03-24- Add support to auth/ for the new modules systemJelmer Vernooij1-0/+7
- Quite some small fixes (also fixes the build) (This used to be commit 3defbd5e0633acfa4631531b49601c7706072d86)
2003-03-23NTLM Authentication:Andrew Bartlett1-7/+0
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit dcdc75ebd89f504a0f6e3a3bc5b43298858d276b)
2003-03-14Extending code to work both in case of domain membershipRafal Szczesniak1-1/+1
and domain controller respecting interdomain trust relationships. In the latter case we need to find DC of remote domain instead of ours. In the former 'domain' is our domain name. Rafal (This used to be commit 0cd45d5d3b3e3ec5a589c3ee9f0e369901eefe8f)
2003-02-28Doxygen janitor: rpc_resolve_dc parameter is spelled "trust_passwd"Martin Pool1-1/+1
(This used to be commit 9dbc3dcfe0bccf1f76930ae86970b48ba5ed1e91)
2003-01-13Always initialise this variable - and don't set the 'must change now' if it wasAndrew Bartlett1-1/+2
last changed at '0'. We need to actually change this password sometime... Andrew Bartlett (This used to be commit 740bf439d2d1512127c873cf0e57697161d6566b)
2002-12-12merge of get_dc_name()-like code from APP_HEAD; better support password ↵Gerald Carter1-90/+10
server = DC1 * (This used to be commit 6b18ca9511ddcf1718f222af3f61491d1e5f3b60)
2002-12-01Make it clear that we might not be talking to a PDC here.Andrew Bartlett1-1/+1
(This used to be commit 7d099e9a5b7164e8cdbdb93d8c4527f02c8bdefd)
2002-11-23[merge from APP_HEAD]Gerald Carter1-2/+3
90% fix for CR 1076. The password server parameter will no take things like password server = DC1 * which means to contact DC1 first and the go to auto lookup if it fails. jerry (This used to be commit c31a17889e3e4daf7c1e807038efc2c0fba78be3)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-8/+7
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
2002-11-09Fix bug found by tpot with given password server.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 90ac8184a0ae1f702d39f947ef5267765f3d2f88)
2002-11-08Don't set global_machine_password_needs_changing ifTim Potter1-4/+6
lp_machine_password_timeout() is set to zero. (This used to be commit 0fa87a68fea8b12242f644605aab7c2f81c1a4df)
2002-11-06Merge of get_dc_list() api change. This was slightly more intrusiveTim Potter1-2/+17
than the version in APPLIANCE so watch out for boogs. (This used to be commit 1e054e3db654801fbb5580211529cdfdea9ed686)
2002-10-17Added new error codes. Fix up connection code to retry in the same wayJeremy Allison1-10/+23
that app-head does. Jeremy. (This used to be commit b521abd86b10573ca8f9116907c81e6deb55f049)
2002-10-04merge of new client side support the Win2k LSARPC UUID in rpcbindGerald Carter1-1/+1
from APP_HEAD (This used to be commit 38c9e4299845fd77cc8629945ce2d259489f7437)
2002-09-17Add clock skew handling to our kerberos code. This allows us to cope withAndrew Tridgell1-1/+1
the DC being out of sync with the local machine. (This used to be commit 0d28d769472ea3b98ae4c8757093dfd4499f6dd1)
2002-09-06This is the 'easy' parts of the trusted domains patch n+3 patch fromAndrew Bartlett1-1/+1
Rafal Szczesniak <mimir@diament.ists.pwr.wroc.pl> It includes a conversion of make_user_info*() to NTSTATUS and some minor changes to other files. It also picks up on a nasty segfault that can occour in some security=domain cases. Andrew Bartlett (This used to be commit d1e1fc3e4bf72717b3593685f0ea5750d676952a)
2002-08-30added cli_net_auth_3 client code.Jean-François Micouleau1-1/+2
changed cli_nt_setup_creds() to call cli_net_auth_2 or cli_net_auth_3 based on a switch. pass also the negociation flags all the way. all the places calling cli_nt_setup_creds() are still using cli_net_aut2(), it's just for future use and for rpcclient. in the future we will be able to call auth_2 or auth_3 as we want. J.F. (This used to be commit 4d38caca40f98d0584fefb9d66424a3db5b5789e)
2002-08-05This fixes a number of ADS problems, particularly with netbioslessAndrew Tridgell1-2/+4
setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
2002-07-31the ads_connect() here doesn't need to actually succeed, as its onlyAndrew Tridgell1-3/+1
needed to find the DC IP. Just don't check its return value! (This used to be commit ab144cd8af1622894d446ce48dde99babeb30bd6)
2002-07-30Fix the build for now..Jim McDonough1-1/+1
Tridge, please look at this. Did you mean to take out the last parm? (This used to be commit f70886df942e8b37fecb503b2d87f39f19c9bdab)
2002-07-30net ads info now reports the IP of the LDAP server as well as its name - ↵Andrew Tridgell1-4/+6
very useful in scripts (This used to be commit fc0d5479b575c1f495b9251413eed18ec1e37e02)
2002-07-30a couple more minor tweaks. This now allows us to operate in ADS modeAndrew Tridgell1-4/+3
without any 'realm =' or 'ads server =' options at all, as long as DNS is working right. (This used to be commit d3fecdd04241ed7b9248e52415693cd54a1faecf)
2002-07-302nd try at a fix for netbiosless connections to a ADS DC. This alsoAndrew Tridgell1-31/+90
make the code a fair bit cleaner as it splits up the ADS and RPC cases, which really are very different. (This used to be commit 5a11c432afebe84b17820396476f48a6a6f6411b)
2002-07-30removed a gratuitous standard_sub_basic() on the 'password server'Andrew Tridgell1-2/+0
field. This has got to be pointless. (This used to be commit fd02adab54b66a19c1b81b8ae91e66713691b060)
2002-07-30- if we are in ADS mode then avoid an expensive netbios lookup to findAndrew Tridgell1-7/+16
the servers netbios name when we don't need it. This also fixes ADS mode when the DC has netbios disabled. - if the password server is specified as an IP then actually use that IP, don't do a lookup for the servers name :) (This used to be commit 72042e94ef0f6841afcfa48eafb9809545860725)
2002-07-21Renamed all the new_cli_netlogon_* functions to cli_netlogon_*Tim Potter1-1/+1
as they're no longer new! (This used to be commit 277f6bbb9a63541a473a80a7994e9bde5c6f22dc)
2002-07-20Try to fix up warnings - particularly on the IRIX 64 bit compiler (which had aAndrew Bartlett1-1/+1
distinction between uchar and char). Lots of const etc. Andrew Bartlett (This used to be commit 8196ee908e10db2119e480fe1b0a71b31a16febc)
2002-07-20NT_STATUS_UNSUCCESSFUL just gets clients confused - move to NO_LOGON_SERVERSAndrew Bartlett1-11/+11
becouse thats what Win2k gives when the PDC is down. Some of these might better go to other errors, but the Win2k text message for 'unsuccessful' is not particularly useful. (A device attached to the system is not functioning...) Andrew Bartlett (This used to be commit 656f1d68e8579f1bd0a7118caf9e0373d5980a69)
2002-07-09Make it clear that the debug comment is the same as the command being testedAndrew Bartlett1-1/+1
for failure. Andrew Bartlett (This used to be commit 6e22f39df8c386781a4f51207a3ccd9c94d151f1)
2002-07-02Address the string_sub problem by changing len = 0 to mean "no expand".Jeremy Allison1-1/+1
Went through and checked all string_subs I could to ensure they're being used correctly. Jeremy. (This used to be commit 17cae0d683be404be69554cd0e84117bdcc56c87)
2002-06-25Update cli_full_connection() to take a 'flags' paramater, and try to get aAndrew Bartlett1-1/+1
few more places to use it. Andrew Bartlett (This used to be commit 23689b0746d5ab030d8693abf71dd2e80ec1d7c7)
2002-06-24Try to get security=domain at least slightly working.Andrew Bartlett1-1/+2
The previous code both had basic logic flaws in it, and some subtle issues regarding the Win2k info3 response. I've tested this against Samba (it looks like that was missed last time due to the 'called name' corruption - which broke my testsuite) and accomidated what I've seen from a info3 printout jmcd gave me. I'll get this tested fully as soon as I get my VMware going again. Andrew Bartlett (This used to be commit 87eba4c811293d2428bfb9bc36de22e66dce7f8b)
2002-06-15This patch does 2 things:Andrew Bartlett1-89/+12
It extends the 'server mutex' to conver security=server, becouse the connection race condition exists here too, and while people *should* use security=domain, some sites don't.... (This probably should be done in 2.2 as well). Also, start to actually extract and use the information that the remote server returns in the info3 struct. The server mutex code is now in a new file. Andrew Bartlett (This used to be commit 9b0dabdf4ec3bb45879caae76e03b57ccdad8b4b)
2002-05-24Name the authentication modules, and therfore fix up both the build farmAndrew Bartlett1-0/+2
and secuirty=server. I *love* automated testing... Andrew Bartlett (This used to be commit c92f4f4d72ffd307ca2d4d792b5e4154f1b85b91)
2002-05-24Remove the password length paramater from cli_full_connection - it reallyAndrew Bartlett1-1/+1
didn't make any sense, and its was always just strlen(password) anyway. This fixes it to be strlen(password)+1 Andrew Bartlett (This used to be commit c205b18bd6b9b69200ff3db55f2c641631d4ab40)
2002-05-24Move the authenticaion subsystem over to the same 'module:options' syntaxAndrew Bartlett1-6/+6
that the passdb code now uses. Similarly, move the 'pluggable' stuff over from passdb as well, allowing runtime loading of new authenticaion modules. (NOTE: The interfaces here can *and do* change - module writers are not assured source-level compatibilty, and certainly not binary compatibility). (This used to be commit 3897cf5e048f50be91ae434f636affc6d539d0d1)
2002-05-21typo, sorrySimo Sorce1-1/+1
(This used to be commit d222bc8c4b620095a21ba327940d4750d5dee753)
2002-05-21debug classizedSimo Sorce1-0/+3
(This used to be commit ae5d24873ad0fb3df970cc9912e18e6a5067ae2d)
2002-04-22Ensure auth requests from the same machine are completely serialized.Jeremy Allison1-5/+40
NT4.x DC's require this. Jeremy. (This used to be commit d162b6285d549370a24a926ab1c46cef7e7f630a)
2002-04-14Partly based on the work by mimir (Rafal SzczesniakAndrew Bartlett1-1/+1
<mimir@diament.ists.pwr.wroc.pl>) this patch allows samba to correctly enumerate its trusted domains - by exaimining the keys in the secrets.tdb file. This patch has been tested with both NT4 and rpcclient/wbinfo, and adds some extra functionality to talloc and rpc_parse to allow it to deal with already unicode strings. Finally, this cleans up some const warnings that were in net_rpc.c by pushing another dash of const into the rpc client code. Andrew Bartlett (This used to be commit 0bdd94cb992b40942aaf2e5e0efd2868b4686296)
2002-03-27Moved debug messages for grabbing/releasing mutex.Jeremy Allison1-2/+0
Jeremy. (This used to be commit e144c174eafc18f236c848b8f3a2c6382796f5a9)
2002-03-26Don't hold the mutex for more than 20 seconds.Jeremy Allison1-2/+4
Jeremy. (This used to be commit 1b9f1a368f2f37700cef357ab4bbc0389ec06378)