summaryrefslogtreecommitdiff
path: root/source3/auth/auth_ntlmssp.c
AgeCommit message (Collapse)AuthorFilesLines
2010-08-14s3:auth Make Samba3 use the new common struct auth_usersupplied_infoAndrew Bartlett1-1/+1
This common structure will make it much easier to produce an auth module for s3compat that calls Samba4's auth subsystem. In order the make the link work properly (and not map twice), we mark both that we did try and map the user, as well as if we changed the user during the mapping. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-08s3: Lift the smbd_messaging_context from reload_servicesVolker Lendecke1-1/+1
2010-08-06s3-netlogon: remove global include of netlogon.h.Günther Deschner1-0/+1
This reduces precompiled headers by another 4 MB and also slightly speeds up the build. Guenther
2010-07-28s3-auth: Remove unimplemented functionsSimo Sorce1-10/+0
2010-07-20s3-auth: Move auth_ntlmssp wrappers in their own fileSimo Sorce1-77/+1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-20s3-auth: Refactor and rename auth_ntlmssp_server_info()Simo Sorce1-11/+13
Rename it to auth_ntlmssp_steal_server_info() to make it clear that the server_info struct is stolen from the auth_ntlmssp_state structure. Use talloc_move instead of manual steal&clear Add comments to explain what is going on. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19s3-auth: Remove unused variable.Simo Sorce1-2/+0
It was a spurious remnant after a rebase.
2010-07-19s3-auth: Use talloc hierarchies to properly free auth_ntlmssp_state contextsSimo Sorce1-6/+12
Turn auth_ntlmssp_end into a destructor and attach it to auth_ntlmssp_state. Remote auth_ntlmssp_end and use TALLOC_FREE in the callers. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19s3-auth: auth_make ntlmssp_state the parent contextSimo Sorce1-29/+12
There is no need for a separate mem_ctx member. Also make the ntlmssp_state a children of auth_ntlmssp_state Also cleanup auth_ntlmssp_end to free only what is not automatically freed Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19s3-auth: Simplify how we free the auth_contextSimo Sorce1-1/+1
Turn the freeing function into a destructor and attach it to the auth_context. Make all callers TALLOC_FREE() the auth_context instead of calling the free function. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19s3-auth: Cleanup and readability fixesSimo Sorce1-21/+23
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19s3-ntlmssp: Remove ntlmssp_end and let the talloc hierarchy handle it.Simo Sorce1-1/+1
All the members are children of ntlmssp_state anyway. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-14s3:auth Change auth_ntlmssp_server_info API to return NTSTATUSAndrew Bartlett1-4/+7
This fixes a bug where register_existing_vuid() could be called with a NULL server_info if the alloction failed. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-06-08Revert "s3:auth Change auth_ntlmssp_server_info API to return NTSTATUS"Volker Lendecke1-6/+4
This reverts commit edba46ce94c335411ab337eeb4ef6f88fb3aae80. Conflicts: source3/auth/auth_ntlmssp.c
2010-06-07s3:auth add hooks to indicate if signing or sealing is desired with NTLMSSPAndrew Bartlett1-0/+10
This allows the right hooks to be called in GENSEC when s3compat implements the auth_ntlmssp interface. Otherwise, we can't do the signing or sealing as we have not negoitated it's use. Andrew Bartlett
2010-06-07s3:auth Change auth_ntlmssp_server_info API to return NTSTATUSAndrew Bartlett1-4/+6
It's nicer to have an NTSTATUS return, and in s3compat there may be a reason other than 'no memory' why this can fail. Andrew Bartlett
2010-05-31s3:ntlmssp Use a TALLOC_CTX for ntlmssp_sign_packet() and ntlmssp_seal_packet()Andrew Bartlett1-2/+4
This ensures the results can't be easily left to leak. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-31ntlmssp: Make the ntlmssp.h from source3/ a common headerAndrew Bartlett1-1/+1
The code is not yet in common, but I hope to fix that soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-31s3:auth Remove AUTH_NTLMSSP_STATE typedef.Andrew Bartlett1-12/+12
typedefs are no longer preferred Samba style. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-31s3:auth Make AUTH_NTLMSSP_STATE a private structure.Andrew Bartlett1-0/+87
This makes it a little easier for it to writen in terms of GENSEC in future. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org>
2010-04-11s3: Make "auth_context" its own talloc parentVolker Lendecke1-1/+1
Remove "mem_ctx" from "struct auth_context"
2010-03-24s3:ntlmssp: use client.netbios_name instead of workstationStefan Metzmacher1-2/+2
metze Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-24s3:ntlmssp: rename void *auth_context; into void *callback_private;Stefan Metzmacher1-5/+5
metze Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-24s3:ntlmssp: pass names to ntlmssp_server_start() and store them in ntlmssp_stateStefan Metzmacher1-6/+28
Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-24s3:ntlmssp: replace server_role by a server.is_standalone in ntlmssp_stateStefan Metzmacher1-1/+5
Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2010-01-10s3: Remove the typedef for "auth_usersupplied_info"Volker Lendecke1-1/+1
2009-12-29s3:ntlmssp: change get_challange() to return NTSTATUSStefan Metzmacher1-2/+3
metze
2009-12-22s3:ntlmssp: only include ntlmssp.h where actually neededAndrew Bartlett1-0/+1
Andrew Bartlett
2009-02-21Fix the build on SolarisVolker Lendecke1-1/+1
2009-02-21Remove the static "chal" from ntlmssp.c:get_challenge()Volker Lendecke1-2/+4
2008-05-07Rename server_info->was_mapped to server_info->nss_tokenVolker Lendecke1-1/+1
"nss_token" from my point of view much better reflects what this flag actually represents (This used to be commit b121a5acb2ef0bb3067d953b028696175432f10d)
2008-03-06Be more verbose why create local token has failed duringGünther Deschner1-1/+2
NTLMSSP and Kerberos session setup Guenther (This used to be commit 18b8c2c19e50aee8fc900c7507244cb95014a4fa)
2008-02-14Allow auth_ntlmssp_end() to ignore null pointers passed in.Jeremy Allison1-1/+6
Jeremy. (This used to be commit b7628f3a47166791db4cd6451d52ea3881a45bed)
2007-10-18RIP BOOL. Convert BOOL -> bool. I found a few interestingJeremy Allison1-2/+2
bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r22001: change prototype of dump_data(), so that it takes unsigned char * now,Stefan Metzmacher1-1/+1
which matches what samba4 has. also fix all the callers to prevent compiler warnings metze (This used to be commit fa322f0cc9c26a9537ba3f0a7d4e4a25941317e7)
2007-10-10r17626: Some C++ WarningsVolker Lendecke1-4/+8
(This used to be commit 09e7c010f03ac3c621f7a7fad44685d278c1481a)
2007-10-10r16632: Fix bug #3882 reported by jason@ncac.gwu.edu.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 6b39f53e43572fe29fc037a36328387a0b1bb423)
2007-10-10r15475: Ugly and disgusting patch to fix the username map problem I created byVolker Lendecke1-0/+5
changing the token generation. I *hate* this code! Jerry, you have been looking at this as well, can you double-check that I did not screw it up? Thanks, Volker (This used to be commit 2765c4ff8d44c970db3e075b0a2412662f1936c6)
2007-10-10r13571: Replace all calls to talloc_free() with thye TALLOC_FREE()Gerald Carter1-1/+1
macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-1/+9
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r11573: Adding Andrew Bartlett's patch to make machine accountJeremy Allison1-0/+2
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-2/+4
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r7956: Spelling mistake.Jeremy Allison1-1/+1
Jeremy. (This used to be commit f318c371077f28ace52f7d2b1517df0d15a0f05a)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-1/+1
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r69: Global rename of 'nt_session_key' -> 'user_session_key'. The session ↵Andrew Bartlett1-6/+6
key could be anything, and may not be based on anything 'NT'. This is also what microsoft calls it. (This used to be commit 724e8d3f33719543146280062435c69a835c491e)
2004-04-03Fix most of bug #169.Andrew Bartlett1-16/+4
For a (very) long time, we have had a bug in Samba were an NTLMv2-only PDC would fail, because it converted the password into NTLM format for checking. This patch performs the direct comparison required for interactive logons to function in this situation. It also removes the 'auth flags', which simply where not ever used. Natrually, this plays with the size of structures, so rebuild, rebuild rebuild... Andrew Bartlett (This used to be commit 9598593bcf2d877b1d08cd6a7323ee0bc160d4ba)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-9/+72
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-07-24Server side NTLM signing works - until the first async packet. Working on thisJeremy Allison1-1/+0
next.... Jeremy. (This used to be commit eff74a1fcc597497a4c70589a44c1b70e93ab549)