summaryrefslogtreecommitdiff
path: root/source3/auth/auth_domain.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree.Gerald Carter1-1/+1
The translate_name() used by cli_session_setup_spnego() cann rely Winbindd since it is needed by the join process (and hence before Winbind can be run). (This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c)
2007-10-10r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags,Gerald Carter1-1/+1
and client fixes. Patch from Todd Stetcher <todd.stetcher@isilon.com>. (This used to be commit 8304ccba7346597425307e260e88647e49081f68)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r21642: Fix bug 4365. Please note that this was only tested with Vista so ↵Volker Lendecke1-1/+1
far, it needs testing with other clients as well. I'm afraid I'm visiting a conference tomorrow and saturday, so I'd be happy to get support in this. Thanks, Volker (This used to be commit 2186e276a0f15457ee6b29ecf2d109d812628ff9)
2007-10-10r20824: Send access to the trusted domain passwords through the pdb backend, ↵Volker Lendecke1-2/+2
so that in the next step we can store them in LDAP to be replicated across DCs. Thanks to Michael Adam <ma@sernet.de> Volker (This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d)
2007-10-10r19980: Implement pam account stack checks when obey pam restrictions is true.Simo Sorce1-0/+11
It was missing for security=server/domain/ads Simo. (This used to be commit 550f651499c22c3c11594a0a39061a8a9b438d82)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-0/+11
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r16076: Fix for machine password timeout overflow from Shlomi YaakobovichJeremy Allison1-1/+1
<Shlomi@exanet.com>. Jeremy. (This used to be commit 5cd234a1fff1e9d025eea6600649e56c997eafc2)
2007-10-10r15476: Transfer the was_mapped flag from user_info to server_info also in ↵Volker Lendecke1-0/+4
auth_sam and auth_domain. Thanks for Simo to point this out. Volker (This used to be commit 293b89dfb109d6e220ced433f025cf987aa1f500)
2007-10-10r15472: Remove an unused function parameterVolker Lendecke1-1/+0
(This used to be commit d2f39ae7fe79fd31846c555849655023a2d1cbc7)
2007-10-10r13382: added server affinity cache stores for 'net rpc join' and trusted ↵Gerald Carter1-0/+4
domain code (This used to be commit 9eb743584d32cdb67e0512ac915c34565bce1c01)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-19/+22
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r11661: Store the INFO3 in the PAC data into the netsamlogon_cache.Gerald Carter1-1/+1
Also remove the mem_ctx from the netsamlogon_cache_store() API. Guenther, what should we be doing with the other fields in the PAC_LOGON_INFO? (This used to be commit 8bead2d2825015fe41ba7d7401a12c06c29ea7f7)
2007-10-10r11652: Reinstate the netsamlogon_cache in order to workGerald Carter1-0/+2
around failed query_user calls. This fixes logons to a member of a Samba domain as a user from a trusted AD domain. As per comments on samba-technical, I still need to add (a) cache the PAC info as werll as NTLM net_user_info_3 (b) expire the cache when the SMB session goes away Both Jeremy and Guenther have signed off on the idea. (This used to be commit 0c2bb5ba7b92d9210e7fa9f7b70aa67dfe9faaf4)
2007-10-10r11573: Adding Andrew Bartlett's patch to make machine accountJeremy Allison1-9/+10
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
2007-10-10r11492: Fix bug #3224 (I hope). Correctly use machine_account_nameJeremy Allison1-3/+4
and client_name when doing netlogon credential setup. Jeremy. (This used to be commit 37e6ef9389041f58eada167239fd022f01c5fecb)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-1/+1
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-96/+108
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r9588: remove netsamlogon_cache interface...everything seems to work fine. ↵Gerald Carter1-1/+0
Will deal with any fallout from special environments using a non-cache solution (This used to be commit e1de6f238f3981d81e49fb41919fdce4f07c8280)
2007-10-10r2086: fix bug with winbindd_getpwnam() caused by Microsoft DC's not filling ↵Gerald Carter1-1/+1
in the username in the user_info3 (This used to be commit 4703a71fa88dff8bdc932f6c9af3a9d25a88938f)
2004-02-02Remove bogus check. No functional change, just cosmetics.Volker Lendecke1-5/+0
Volker (This used to be commit e3a5e2d9c23e8ba6bc817e433e596f535644c862)
2004-01-15BUG 936: fix bind credentials for schannel binds in smbd (and add a comment ↵Gerald Carter1-4/+9
to winbindd_cm about this (This used to be commit 5134c6bcbc5180431e95a30559c453f3744fd427)
2004-01-07Doxygen comment fix.Rafal Szczesniak1-2/+5
rafal (This used to be commit b5e492b8eaf7cefe185d44b6c708f96ff61bd27b)
2004-01-05Change our Domain controller lookup routines to more carefully seperateAndrew Bartlett1-2/+5
DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
2003-08-28Fix bug found by tridge in 2.2.x. Ensure that %U substitution isJeremy Allison1-3/+0
restored on next valid packet if a logon fails. This has relevence if people are using su.exe within logon scripts ! Jeremy. (This used to be commit d405a93a9d3f9a1d93bb3289b00683fba3160bbe)
2003-07-30Add a command line option (-S on|off|required) to enable signing on clientJeremy Allison1-1/+1
connections. Overrides smb.conf parameter if set. Jeremy. (This used to be commit 879309671df6b530e0bff69559422a417da4a307)
2003-07-23convert snprintf() calls using pstrings & fstringsGerald Carter1-1/+1
to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-03This patch takes the work the jerry did for beta2, and generalises it:Andrew Bartlett1-3/+3
- The 'not implmented' checks are now done by all auth modules - the ntdomain/trustdomain/winbind modules are more presise as to what domain names they can and cannot handle - The become_root() calls are now around the winbind pipe opening only, not the entire auth call - The unix username is kept seperate from the NT username, removing the need for 'clean off the domain\' in parse_net.c - All sid->uid translations are now validated with getpwuid() to put a very basic stop to logins with 'half deleted' accounts. Andrew Bartlett (This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec)
2003-06-30* cleanup more DC name resolution issues in check_*domain_security()Gerald Carter1-209/+51
* is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
2003-06-29Here's the code to make winbindd work on a Samba DCGerald Carter1-1/+2
to handle domain trusts. Jeremy and I talked about this and it's going in as working code. It keeps winbind clean and solves the trust problem with minimal changes. To summarize, there are 2 basic cases where the deadlock would occur. (1) lookuping up secondary groups for a user, and (2) get[gr|pw]nam() calls that fall through the NSS layer because they don't exist anywhere. o To handle case #1, we bypass winbindd in sys_getgrouplist() unless the username includes the 'winbind separator'. o Case #2 is handled by adding checks in winbindd to return failure if we are a DC and the domain matches our own. This code has been tested using basic share connections, domain logons, and with pam_winbind (both with and without 'winbind use default domain'). The 'trustdomain' auth module should work as well if an admin wants to manually create UNIX users for acounts in the trusted domains. Other misc fixes: * we need to fix check_ntlm_password() to be able to determine if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD, etc...). I worked around my specific situation, but this needs to be fixed. the winbindd auth module was causing delays. * fix named server mutex deadlock between trust domain auth module and winbindd looking up a uid * make sure SAM_ACCOUNT gets stored in the server_info struct for the _net_sam_logon() reply. Configuration details: The recommended method for supporting trusts is to use winbind. The gets us around some of the server mutex issues as well. * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf * create domain trusts like normal * join winbind on the pdc to the Samba domain using 'net rpc join' * add normal parameters to smb.conf for winbind * set 'auth method = guest sam winbind' * start smbd, nmbd, & winbindd Problems that remain: * join a Windows 2k/XP box to a Samba domain. * create a 2-way trust between the Samba domain and an NT domain * logon to the windows client as a user from theh trusted domain * try to browse server in the trusted domain (or other workstations). an NT client seems to work ok, but 2k and XP either prompt for passwords or fail with errors. apparanently this never got tested since no one has ever been able to logon as a trusted user to a Samba domain from a Windows client. (This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)
2003-06-28add check for NT_STATUS_NOT_IMPLEMENTED in auth check so thatGerald Carter1-14/+27
map to guest = bad user works again when "trustdomain" is listed as last auth method. Also clean up some more DC location calls. (This used to be commit 77a5b1032f39b8d20925721b719fdcfff910cb06)
2003-06-25large change:Gerald Carter1-1/+1
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-23* s/get_dc_name/rpc_dc_name/g (revert a previous change)Gerald Carter1-1/+1
* move back to qsort() for sorting IP address in get_dc_list() * remove dc_name_cache in cm_get_dc_name() since it slowed things down more than it helped. I've made a note of where to add in the negative connection cache in the ads code. Will come back to that. * fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead of MAX_ALLOWED) * only enumerate domain local groups in our domain * simplify ldap search for seqnum in winbindd's rpc backend (This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b)
2003-06-21merge of the netsamlogon caching code from APPLIANCE_HEADGerald Carter1-1/+1
This replaces the universal group caching code (was originally based on that code). Only applies to the the RPC code. One comment: domain local groups don't show up in 'getent group' that's easy to fix. Code has been tested against 2k domain but doesn't change anything with respect to NT4 domains. netsamlogon caching works pretty much like the universal group caching code did but has had much more testing and puts winbind mostly back in sync between branches. (This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
2003-06-13Forward port the app-head changes for dc name cache into 3.0.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 8bcc3116a22ce11b55a35f3363230f54bc5735fc)
2003-06-04Add some static. Patch by Stefan Metzmacher <metze@metzemix.de>Jelmer Vernooij1-2/+2
(This used to be commit e1a8e9b7f3e69c7271d2b715703b2d5b2412bd42)
2003-05-08This puts real netlogon connection caching to winbind. This becomesVolker Lendecke1-2/+2
important once we start doing schannel, as there would be a lot more roundtrips for the second PIPE open and bind. With this patch logging in to a member server is a matter of two (three if you count the ack...) packets between us and the DC. Volker (This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)
2003-04-28Use NTSTATUS as return value for smb_register_*() functions and init_module()Jelmer Vernooij1-4/+4
function. Patch by metze with some minor modifications. (This used to be commit bc4b51bcb2daa7271c884cb83bf8bdba6d3a9b6d)
2003-04-24Merge auth changes from HEAD:Andrew Bartlett1-1/+6
- better error codes than NT_STATUS_UNSUCCESSFUL for domain logon errors - make auth_winbind load the ntdomain module if winbind isn't there. - use new trusted domains cache to determine if the domain is valid. Andrew Bartlett (This used to be commit ec8d6524c6b0c70927a2b57aab71d9e3a7f8a150)
2003-04-21Merge from HEAD - save the type of channel used to contact the DC.Andrew Bartlett1-2/+8
This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
2003-04-16Add support for the new modules system to auth/ (merge from HEAD)Jelmer Vernooij1-1/+8
(This used to be commit c7a1de090db35835be1a1623bfc80c04065c5dd9)
2003-03-24(merge from HEAD)Andrew Bartlett1-7/+0
NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
2003-03-17Mege from HEAD - doxygen.Andrew Bartlett1-1/+1
(This used to be commit 04a5cbc8964386774acdca759b4cfaded068c8f2)
2003-01-14Merge indirection, signed/unsigned and uninitialiased-value fixes from HEAD.Andrew Bartlett1-1/+2
Andrew Bartlett (This used to be commit 2a1adb8f81d8966e8919fffb9b4c69f3e6acd44f)
2003-01-04Make it clear that the credentials are being setup on the NETLOGON channel, andAndrew Bartlett1-3/+3
may not be to our PDC (might be BDC, or trusted DC). Andrew Bartlett (This used to be commit 610be8d483f335226386f92b5e85ddeb07846d41)
2002-12-13merge of get_dc_name()-like code from APP_HEAD; better support password ↵Gerald Carter1-88/+8
server = DC1 * (This used to be commit f49de4c5176bf635ac080e082fda412066b466c8)
2002-11-23[merge from APP_HEAD]Gerald Carter1-2/+3
90% fix for CR 1076. The password server parameter will no take things like password server = DC1 * which means to contact DC1 first and the go to auto lookup if it fails. jerry (This used to be commit 016ef8b36b30846311a5321803298f8e28719244)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-8/+7
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-11-09Fix bug found by tpot with given password server.Jeremy Allison1-1/+1
Jeremy. (This used to be commit d46b4cb563850c77ee23b95df35a7f752a235d35)