summaryrefslogtreecommitdiff
path: root/source3/auth/auth_util.c
AgeCommit message (Collapse)AuthorFilesLines
2003-11-06run krb5 logins through the username map if the winbindd lookup fails; bug 698Gerald Carter1-4/+9
(This used to be commit f7798571178d18aae9c0be5f437838222bfc25b9)
2003-10-20more 2.2.x compatibility fixes - allow user looksup in the kerb5Gerald Carter1-1/+25
sesssetup to fall back to 'user' instaed of failing is REA.LM\user doesn't exist. also fix include line in smb_acls.h as requested by metze (This used to be commit 5ccf6baad7ffb1f992aaf24b41ef5c83362cf613)
2003-10-07make sure to call get_user_groups() with the full winbindd name for a user ↵Gerald Carter1-3/+14
if he;she has one; bug 406 (This used to be commit 19925e3a04f421f4dcc469b701f3cc51ef98ac2c)
2003-09-09sync 3.0 into HEAD for the last timeGerald Carter1-46/+80
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
2003-08-02port latest changes from SAMBA_3_0 treeSimo Sorce1-4/+4
(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)
2003-07-16trying to get HEAD building again. If you want the codeGerald Carter1-142/+260
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE (This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
2003-05-01*id_to_*id call reshape to return NTSTATUS errorsSimo Sorce1-11/+13
plus internal fixes 1st stage (This used to be commit 6d036761e565bc93964bb3c939d5b7d78d5778a3)
2003-04-29This is a nice rewrite:Simo Sorce1-10/+7
SAM_ACCOUNT does not have anymore uid and gid fields all the code that used them has been fixed to use the proper idmap calls fix to idmap_tdb for first time idmap.tdb initialization. auth_serversupplied_info structure has now an uid and gid field few other fixes to make the system behave correctly with idmap tested only with tdbsam, but smbpasswd and nisplus should be ok have not tested ldap ! (This used to be commit 6a6f6032467e55aa9b76390e035623976477ba42)
2003-04-05some more idmapping :)Simo Sorce1-5/+7
(This used to be commit 5ac94535d7b7ce0cc0d44b9a77d6e42ddfd0cd26)
2003-03-23Fix compile.Andrew Bartlett1-2/+2
(This used to be commit 6fbee12a8170e0bce4e94806105786b38160ada5)
2003-03-23NTLM Authentication:Andrew Bartlett1-0/+3
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit dcdc75ebd89f504a0f6e3a3bc5b43298858d276b)
2003-03-15Now that mimir has done the grunt work, I'll fix up the commentAndrew Bartlett1-4/+1
(This used to be commit 7154fe10969a34b97ddc8321bfb5271b8e6d4795)
2003-03-14Fresh meat in trusted domains code:Rafal Szczesniak1-20/+6
- packing/unpacking utility functions for trusted domain password struct; can be used to prepare buffer to store in secrets.tdb or (soon) passdb backend - similiar functions for DOM_SID - respectively modified secrets_(fetch|store) routines - new auth mapping code utilising introduced is_trusted_domain function - added tdb (un)packing of single bytes Rafal (This used to be commit 5281ee7e84421b9be746aed2f1718ceaf2a2fe3d)
2003-02-22First check if the user is in the passdb, then check Get_Pwnam().Andrew Bartlett1-0/+30
We check passdb becouse the user might have things like a logon script set, but we have to check the passdb becouse the user might not be in smbpasswd at all. This is in preperation for the removal of unixsam as an assuption. Andrew Bartlett (This used to be commit 61e3e2695860c58f9b0e8d1856972318666682c8)
2003-02-20For a number of months now, support for being a domain member without alsoAndrew Bartlett1-25/+14
running winbind has been broken. This fixes that, by removing assumptions about being able to call sid_to_uid() at will. This whole area needs revising when we get groups into the PDB. Andrew Bartlett (This used to be commit 980eda74b7df347c38b567ce976197826963324a)
2003-02-17If we didn't make the server_info correctly, then don't segfault trying toAndrew Bartlett1-1/+3
set the 'guest' bit. Andrew Bartlett (This used to be commit 960c53bf952de4431da4e90da035fcfbe98f1bd7)
2003-02-10Some cleanups:Andrew Bartlett1-2/+10
- Don't use pstrcpy into an allocated string - use safe_strcpy() directly instead. - Keep a copy of the 'server_info' attached to the vuid. In future use this for things like the session key, homedir and full name instead of current copies. - Try to avoid memory leak/segfault on Realloc failure - clear up #endif comments Andrew Bartlett (This used to be commit 162477bb086827950b6cb71afa9bef62c2753c2e)
2003-01-13Missing indirect in final free.Jeremy Allison1-2/+2
Jeremy. (This used to be commit faf443e5198e270f1a60d7a0939074efca750a94)
2003-01-13Fix to debian bug #171071 - we had the wrong dereference on the pointer to beAndrew Bartlett1-4/+4
Realloc()ed, causing it to fail. Big thanks to Sandor Sonfeld <sonf@linuxmail.org> for the debug, stack and valgrind traces! Andrew Bartlett (This used to be commit 7abca6d281da6388899f78e3440d7ce37bf2094e)
2003-01-11Use size_t for the counter vars, to match the type they are assigned fromAndrew Bartlett1-3/+3
(signed/unsigned mixup). Andrew Bartlett (This used to be commit f42cf0783fa3aeddc4992021df9ee6f3b1aa58f3)
2003-01-02We already have one function to move unistr2 -> multibyte-static, so weAndrew Bartlett1-5/+5
don't need a second just for pdb. Also, remove magic 'is lp_guest_account' test - the magic RID should be up to the passdb backend to set. Andrew Bartlett (This used to be commit f71c8338d35a2e8c73c3d8006ea6858cb522c715)
2002-11-15Small auth updates:Andrew Bartlett1-0/+3
- add static remove unnneded prototype - move become_root() to just around pdb calls, so as to make it easier to remove when we kill off this silly idea - Change auth_sam to do 'account before password' rather than 'password before account'. This means that we match Win2k in giving 'account disabled' instead of 'wrong password' if the wrong password to a disabled account is used. Andrew Bartlett (This used to be commit e6d2debaf6064c3229f41c06545a1ccb83695a77)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-1/+0
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
2002-10-12Nice *big* patch from metze.Andrew Bartlett1-9/+9
The actual design change is relitivly small however: It all goes back to jerry's 'BOOL store', added to many of the elements in a SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into ldap. This was a great win for admins, and this patch follows in the same way. This patch extends the concept - we don't store values back into LDAP unless they have been changed. So if we read a value, but don't update it, or we read a value, find it's not there and use a default, we will not update ldap with that value. This reduced clutter in our LDAP DB, and makes it easier to change defaults later on. Metze's particular problem was that when we 'write back' an unchanged value, we would clear any muliple values in that feild. Now he can still have his mulitivalued 'uid' feild, without Samba changing it for *every* other operation. This also applies to many other attributes, and helps to eliminate a nasty race condition. (Time between get and set) This patch is big, and needs more testing, but metze has tested usrmgr, and I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly flawed ;-). The same system will be introduced into the SAM code shortly, but this fixes bugs that people were coming across in production uses of Samba 3.0/HEAD, hence it's inclusion here. Andrew Bartlett (This used to be commit 7f237bde212eb188df84a5d8adb598a93fba8155)
2002-09-25Move to common user token debugging, and ensure we always print both theAndrew Bartlett1-6/+24
NT_TOKEN and the unix credentials - as we incresingly use the NT stuff we want to make it easy to check they don't get out of wack. Andrew Bartlett (This used to be commit a3882a19254811ace2f9545580c14ce3bd588095)
2002-09-15Don't display debugs of the nt user token twice.Tim Potter1-4/+0
(This used to be commit 2011a38f3bd1e51aa1ca0219a9e46da12426cbc3)
2002-09-15Merge of 'other_sids' patch from appliance.Tim Potter1-4/+19
(This used to be commit 7decd4b3a9e6900ab35f7bf5b266361f308aa58d)
2002-09-06This is the 'easy' parts of the trusted domains patch n+3 patch fromAndrew Bartlett1-53/+69
Rafal Szczesniak <mimir@diament.ists.pwr.wroc.pl> It includes a conversion of make_user_info*() to NTSTATUS and some minor changes to other files. It also picks up on a nasty segfault that can occour in some security=domain cases. Andrew Bartlett (This used to be commit d1e1fc3e4bf72717b3593685f0ea5750d676952a)
2002-08-30off by one in writing to malloced array. this fixes smbd crash I saw atHerb Lewis1-2/+2
the CIFS conference - finally got purify working (This used to be commit cf9bb66aa9c3217cb8394058c65c84ffc6ae269a)
2002-08-26Try to support non-root-mode systems without getgrouplist().Andrew Bartlett1-7/+9
Andrew Bartlett (This used to be commit 17096315a0f30f946ddecb79708604a111c37011)
2002-08-21Cope with non-unix accounts - we just won't get the groups for those users.Andrew Bartlett1-2/+4
Andrew Bartlett (This used to be commit 7cad7814555645aa3bee95fb48fbd694e6a9e313)
2002-08-20Based orginally by work by Kai, this patch moves our NT_TOKEN generation intoAndrew Bartlett1-93/+401
our authenticaion code - removing some of the duplication from the current code. This also gets us *much* closer to supporting a real SAM backend, becouse the SAM can give us the right info then. This also changes our service.c code, so that we do a VUID (rather than uid) cache on the connection struct, and do full NT ACL/NT_TOKEN checks (or cached equivilant) on every packet, for the same r or rw mode the whole share was open for. Andrew Bartlett (This used to be commit d8122cee059fc7098bfa7e42e638a9958b3ac902)
2002-08-11Make 'remote_machine' private to lib/substitute.c, and fix all the user to useAndrew Bartlett1-3/+2
the new accessor functions. Andrew Bartlett (This used to be commit f393de2310e997d05674eb7f1268655373e03647)
2002-06-24Try to get security=domain at least slightly working.Andrew Bartlett1-7/+11
The previous code both had basic logic flaws in it, and some subtle issues regarding the Win2k info3 response. I've tested this against Samba (it looks like that was missed last time due to the 'called name' corruption - which broke my testsuite) and accomidated what I've seen from a info3 printout jmcd gave me. I'll get this tested fully as soon as I get my VMware going again. Andrew Bartlett (This used to be commit 87eba4c811293d2428bfb9bc36de22e66dce7f8b)
2002-06-15This patch does 2 things:Andrew Bartlett1-4/+177
It extends the 'server mutex' to conver security=server, becouse the connection race condition exists here too, and while people *should* use security=domain, some sites don't.... (This probably should be done in 2.2 as well). Also, start to actually extract and use the information that the remote server returns in the info3 struct. The server mutex code is now in a new file. Andrew Bartlett (This used to be commit 9b0dabdf4ec3bb45879caae76e03b57ccdad8b4b)
2002-06-12Spelling.Tim Potter1-1/+1
(This used to be commit bfd8a33c68a3747cbad21667d7515aebd61ec537)
2002-05-25Clean up a few unused functions, add a bit of static etc.Andrew Bartlett1-28/+0
Importantly: The removal of the silly 'delete user script' behaviour when secuity=domain. I have left the name the same - as it still does the (previously documented, but not in smb.conf(5)) sane behaviour of deleting users on request. When we decide what to do with the 'add user' functionality, we might rename it. Andrew Bartlett (This used to be commit cdcfe3671eb7570e15649b77f708e6579055e7bc)
2002-05-21typo, sorrySimo Sorce1-1/+1
(This used to be commit d222bc8c4b620095a21ba327940d4750d5dee753)
2002-05-21debug classizedSimo Sorce1-0/+3
(This used to be commit ae5d24873ad0fb3df970cc9912e18e6a5067ae2d)
2002-03-24Spelling fixes.Tim Potter1-1/+1
(This used to be commit a5ac2ac4ada48ee3be061a32ba40bd8c4b3b3865)
2002-03-23Extra parinoa and DEBUG()s for the make_user_info_map() code.Andrew Bartlett1-4/+18
(This used to be commit aa5f125bc0efeee99254e03f36426420db676527)
2002-03-13Ensure we never use "" as a domain name (Win9X apparently does this for 'net ↵Andrew Bartlett1-1/+6
use' duirng login). Picked up from a post to a TNG list by Volker. Andrew Bartlett (This used to be commit f81882fc9510aadd7d1db77753b307800ab50f9b)
2002-03-01Various comment fixes from Rafal Szczesniak <mimir@diament.ists.pwr.wroc.pl>Andrew Bartlett1-1/+1
(This used to be commit 3bf4b42771d115500941be374bfdd9b8c2fdba4a)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-20Add a touch of 'const' to some auth components, and move the simple plaintextAndrew Bartlett1-10/+10
password check into its own helper funciton. (This will allow it to be called from other places). Andrew Bartlett (This used to be commit 9e96f438057da21254f40facdd9a31dd20652f35)
2002-01-18Don't do tridge's crazy 'am I a trusted domain' lookup for guests.Andrew Bartlett1-9/+12
Andrew Bartlett (This used to be commit 9bfe54a3d484919fe830f9c6ae01f67663974af2)
2002-01-17A nice *big* change to the fundemental way we do things.Andrew Bartlett1-2/+4
Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps them around for a long time - often past the next call... This adds a getpwnam_alloc and a getpwuid_alloc to the collection. These function as expected, returning a malloced structure that can be free()ed with passwd_free(&passwd). This patch also cuts down on the number of calls to getpwnam - mostly by taking advantage of the fact that the passdb interface is already case-insensiteve. With this patch most of the recursive cases have been removed (that I know of) and the problems are reduced further by not using the sys_ interface in the new code. This means that pointers to the cache won't be affected. (This is a tempoary HACK, I intend to kill the password cache entirly). The only change I'm a little worried about is the change to rpc_server/srv_samr_nt.c for private groups. In this case we are getting groups from the new group mapping DB. Do we still need to check for private groups? I've toned down the check to a case sensitve match with the new code, but we might be able to kill it entirly. I've also added a make_modifyable_passwd() function, that copies a passwd struct into the form that the old sys_getpw* code provided. As far as I can tell this is only actually used in the pass_check.c crazies, where I moved the final 'special case' for shadow passwords (out of _Get_Pwnam()). The matching case for getpwent() is dealt with already, in lib/util_getent.c Also included in here is a small change to register the [homes] share at vuid creation rather than just in one varient of the session setup. (This picks up the SPNEGO cases). The home directory is now stored on the vuid, and I am hoping this might provide a saner way to do %H substitions. TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change the remaining sys_getpwnam() callers to use getpwnam_alloc() and move Get_Pwnam to return an allocated struct. Andrew Bartlett (This used to be commit 1d86c7f94230bc53daebd4d2cd829da6292e05da)
2002-01-15Commit the auth associated changes I missed from the last commit.Andrew Bartlett1-1/+1
Also set the default value of all the allocated strings to "" to avoid changing the interface (becouse pdb_get...() would point to a null string, rather than a null pointer and parts of samba rely on that). Andrew Bartlett (This used to be commit 5b4079f748e25f21162e21b439063249baf8dca6)
2002-01-11Back out the crazy notion that the NTLMSSP flags actually mean anything...Andrew Bartlett1-21/+21
Replace this with some flags that *we* define. We can do a mapping later if we actually get some more reliable info about what passwords are actually valid. Andrew Bartlett (This used to be commit 7f7a42c3e4d5798ac87ea16a42e4976c3778a76b)
2002-01-05I've decided to move the auth code around a bit more...Andrew Bartlett1-13/+50
The auth_authsupplied_info typedef is now just a plain struct - auth_context, but it has been modified to contain the function pointers to the rest of the auth subsystem's components. (Who needs non-static functions anyway?) In working all this mess out, I fixed a number of memory leaks and moved the entire auth subsystem over to talloc(). Note that the TALLOC_CTX attached to the auth_context can be rather long-lived, it is provided for things that are intended to live as long. (The global_negprot_auth_context lasts the whole life of the smbd). I've also adjusted a few things in auth_domain.c, mainly passing the domain as a paramater to a few functions instead of looking up lp_workgroup(). I'm hopign to make this entire thing a bit more trusted domains (as PDC) freindly in the near future. Other than that, I moved a bit of the code around, hence the rather messy diff. Andrew Bartlett (This used to be commit 12f5515f556cf39fea98134fe3e2ac4540501048)