summaryrefslogtreecommitdiff
path: root/source3/auth/auth_util.c
AgeCommit message (Collapse)AuthorFilesLines
2009-08-21s3: fix bug #6650, authentication at member servers when winbindd is not runningMichael Adam1-1/+1
Authentication of domain users on the member server fails when winbindd is not running. This is because the is_trusted_domain() check behaves differently when winbindd is running and when it isn't: Since wb_is_trusted_domain() calls wbcDomainInfo(), and this will also give a result for our own domain, this succeeds for the member server's own domain when winbindd is running. When winbindd is not running, is_trusted_domain() checks (and possibly updates) the trustdom cache, and this does the lsa_EnumTrustDom() rpc call to the DC which does not return its own domain. In case of winbindd not running, before 3.4, the domain part was _silently_ mapped to the workgroup in auth_util.c:make_user_info_map(), which effectively did nothing in the member case. But then the parameter "map untrusted to domain" was introduced and the mapping was made to the workstation name instead of the workgroup name by default unless "map untrusted to domain = yes". (Commits d8c54fddda2dba3cbc5fc13e93431b152813892e, 5cd4b7b7c03df6e896186d985b6858a06aa40b3f, and fbca26923915a70031f561b198cfe2cc0d9c3aa6) This was ok as long as winbindd was running, but with winbindd not running, these changes actually uncovered the above logic bug in the check. So the correct check is to treat the workgroup as trusted / or known in the member case. This is most easily achieved by not comparing the domain name against get_global_sam_name() which is the host name unless for a DC but against my_sam_name() which is the workgroup for a DC and for a member, too. (These names are not very intuitive...) I admit that this is a very long commit message for a one-liner, but this has needed some tracking down, and I think the change deserves some justification. Michael
2009-06-03s3:smbd: move more session specific globals to struct smbd_server_connectionStefan Metzmacher1-2/+5
metze
2009-05-28s3/auth map NULL domains to our global sam nameSteven Danneman1-9/+3
This is an addendum to d8c54fdd, which made make_user_info_map() match Windows behavior by mapping untrusted domains given to smbd on the wire with the users credentials to smbd's global sam name. This fix was being circumvented in the case where the client passed a NULL domain. Vista clients do this. In that case smbd was always remapping the name to the machine workgroup. The NULL domain case should also be mapped to the global sam name. Removing the code in this patch, causes us to fall down to the logic added in d8c54fdd and properly map the domain.
2009-05-12s3 auth: Make debug message louder and more usefulDan Sledz1-2/+3
2009-05-11Fix a bunch of compiler warnings about wrong format types.Jeremy Allison1-5/+5
Should make Solaris 10 builds look cleaner. Jeremy.
2009-05-07s3-auth: use full 16byte session key in make_user_info_netlogon_interactive().Günther Deschner1-2/+1
Patch from Jeremy. With this patch, I was able to join Windows 7 RC to a Samba3 DC, and login into a Samba 3 Domain. There are still two registry settings required: HKLM\System\CCS\Services\LanmanWorkstation\Parameters DWORD DomainCompatibilityMode = 1 DWORD DNSNameResolutionRequired = 0 Do *not* modify the other netlogon registry parameters that were passed around, they weaken security. Guenther (cherry picked from commit b5097d54cb74ca0ea328f9e029562f65f4a01134)
2009-04-28Fix bug #6291 - force user stop working.Jeremy Allison1-1/+37
A previous fix broke the invariant that *uid is always initialized on return from create_token_from_username(). Restore it. Jeremy.
2009-04-14Rework Samba3 to use new libcli/auth code (partial)Andrew Bartlett1-2/+3
This commit is mostly to cope with the removal of SamOemHash (replaced by arcfour_crypt()) and other collisions (such as changed function arguments compared to Samba3). We still provide creds_hash3 until Samba3 uses the credentials code in netlogon server Andrew Bartlett
2009-04-01s3-auth: rename static smb_create_user(). Sorry...Günther Deschner1-2/+2
Guenther
2009-02-26s3: fix guest auth when winbindd is runningSteven Danneman1-7/+7
This fix is very subtle. If a server is configured with "security = share" and "guest ok = yes" and winbindd is running authorization will fail during tree connect. This is due to our inability to map the guest sid S-1-5-21-X-501 to a uid through sid_to_uid(). Winbindd is unaware of the hard coded mapping between this sid and whatever uid the name in lp_guestaccount() is assigned. So sid_to_uid() fails and we exit create_token_from_username() without ever calling pdb_getsampwsid() which IS aware of the hard coded mapping. This patch just reorganizes the code, moving sid_to_uid() down to the block of code in which it is needed, avoiding this early failure.
2009-02-21Revert "s3 auth: Add parameter that forces every user through an NSS lookup"Tim Prouty1-22/+4
After the discussion on samba-technical, it was decided that the best answer for now was to revert this change. The right way to do this is to rewrite the token api to use opaque tokens with pluggable modules. This reverts commit 8e19a288052bca5efdb0277a40c1e0fdd099cc2b.
2009-02-16s3 auth: Add parameter that forces every user through an NSS lookupZach Loafman1-4/+22
When set to yes, "force username map" forces every user, even AD users, through an NSS lookup. This allows the token to be overridden with information from NSS in certain broken environments.
2009-02-13s3:auth: only create_local_token() should add S-1-22-X-Y sidsStefan Metzmacher1-27/+0
metze
2009-02-13s3:auth: add S-1-22-X-Y sids to the local tokenStefan Metzmacher1-0/+38
metze
2009-02-12s3: Added new parameter "map untrusted to domain"Steven Danneman1-4/+8
When enabled this reverts smbd to the legacy domain remapping behavior when a user provides an untrusted domain This partially reverts d8c54fdd
2009-02-11s3: Change behavior when seeing an unknown domain.Dan Sledz1-22/+35
After a lot of testing against various Windows servers (W2K, W2K3, W2K8), within an AD domain it seems that unknown domains will only be translated to the local account domain, not the netbios name of the member server's domain. This makes samba act more like Windows.
2009-02-11Fix double free caused by incorrect talloc_steal usage.Dan Sledz1-2/+2
2009-01-21Fix a typoVolker Lendecke1-1/+1
2008-12-04Fix bug #1254 - write list not working under share-level securityJeremy Allison1-1/+1
A somewhat more elegant fix than I could use for 3.2.x or 3.0.x. Turns out the only part of check_user_ok() that needs to change for share level security is the VUID cache pieces, so I can just always use check_user_ok() for all lp_security() cases. Jeremy
2008-09-03Revert "Split lookup_name() and create a new functiong called"Simo Sorce1-4/+13
This reverts commit 8594edf666c29fd4ddf1780da842683dd81483b6. (This used to be commit ad462e2e2d025a7fc23e7dea32b2b442b528970b)
2008-08-17Split lookup_name() and create a new functiong calledSimo Sorce1-13/+4
lookup_domain_name(). This new function accept separated strings for domain and name. (This used to be commit 8594edf666c29fd4ddf1780da842683dd81483b6)
2008-08-14Fix show-stopper for 3.2. Smbd depends on group SIDJeremy Allison1-0/+34
position zero being the primary group sid. Authenicating via winbindd call returned a non-sorted sid list. This fixes is for both a winbindd call and a pac list from an info3 struct. Without this we mess up the primary group associated with created files. Found by Herb. Jeremy. (This used to be commit cb925dec85cfc4cfc194c3ff76dbeba2bd2178d7)
2008-08-14Make it clear that this is a temporary context byusing a talloc stackframe ↵Jeremy Allison1-22/+16
instead. Jeremy (This used to be commit 7f7dd5e8883e23d7fe3f9cb804905c5b23a5a41c)
2008-06-26Fix the non-LDAP, non-krb5 build, fix gcc -O3 warnings.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 9e2ab30d3cf6950fc79152b2169e7aeae8d6a366)
2008-06-26Add server_info to pipes_structVolker Lendecke1-0/+16
(This used to be commit d621867bb8767e1c4236d28dd9294a61db6cbb10)
2008-06-24Fix for bug #5551, smbd recursing back into winbindd from a winbindd call.Jeremy Allison1-13/+66
Jeremy. (This used to be commit a07fe72538e8e724b9736d5a85cc590864c5cab2)
2008-06-19Wrap the unix token info in a unix_user_token in auth_serversupplied_infoVolker Lendecke1-23/+25
No functional change, this is a preparation for more current_user ref removal (This used to be commit dcaedf345e62ab74ea87f0a3fa1e3199c75c5445)
2008-05-11Make sure we have serversupplied_info->sanitized_username everywhereVolker Lendecke1-10/+53
(This used to be commit 88423a17b966652eba4085e88f7ddb5c86b463dd)
2008-05-10Add function make_serverinfo_from_username()Volker Lendecke1-0/+38
This will be used for 'security=share' and 'force user' (This used to be commit 88e43097cafcd2849d9f1200a377357fde4cce99)
2008-05-10Add a mem_ctx argument to make_server_info_guest()Volker Lendecke1-4/+5
(This used to be commit e4a9492967f3d2b64f27943f99414608e0c03d21)
2008-05-10Make copy_serverinfo non-static, add mem_ctxVolker Lendecke1-3/+4
(This used to be commit a3651ced9e0859578df8cc44da64e7a8066bde76)
2008-05-07Rename server_info->was_mapped to server_info->nss_tokenVolker Lendecke1-3/+3
"nss_token" from my point of view much better reflects what this flag actually represents (This used to be commit b121a5acb2ef0bb3067d953b028696175432f10d)
2008-05-05Remove "userdom_struct user" from "struct user_struct"Volker Lendecke1-0/+10
(This used to be commit 420de035237bb08bc470c9eb820f3da2edaa6805)
2008-05-05Fix a typoVolker Lendecke1-1/+1
(This used to be commit 964bd02220c04030d8cb0f97ca9b409400d1238c)
2008-05-05Remove unused set_current_user_guest()Volker Lendecke1-33/+0
(This used to be commit a33e8d2ffa4daea1deba13b3571cb0b36d521476)
2008-04-04Use sid_array_from_info3 in lookup_usergroups_cached().Günther Deschner1-1/+1
Guenther (This used to be commit 65b4cb20ea3fb806cfd50281e08f32bea70fafce)
2008-02-17Use netr_SamInfo3 in make_server_info_info3().Günther Deschner1-25/+27
Guenther (This used to be commit 5866c11b288c217f0c38240c44f8bfeff185890d)
2008-02-13auth_winbind: use wbcAuthenticateUserEx()Stefan Metzmacher1-0/+233
smbd doesn't need $(WBCOMMON_OBJ) anymore, it works with any libwbclient.so now and may talk to an older winbindd. metze (This used to be commit e3435930a307cff3066fe2047ed8c5c48911f001)
2008-01-09Convert add_sid_to_array() add_sid_to_array_unique() to return NTSTATUS.Michael Adam1-10/+13
Michael (This used to be commit 6b2b9a60ef857ec31da5fea631535205fbdede4a)
2007-12-28Remove static zerosVolker Lendecke1-3/+6
(This used to be commit dbcc213710a9af31b6094d4741a6f68f573dcdad)
2007-12-22Fix "may be used uninitialized" compiler warnings.James Peach1-3/+3
(This used to be commit 22ac34a329c9be9cf7d1e6749ebcfb50215378e4)
2007-12-21De-couple smbd from staticly linking against winbindd client files.Gerald (Jerry) Carter1-3/+3
Implements a wrapper layer in winbind_util.c which are just stubs if compiled --without-winbind. When building with winbindd, it is now required to build the libwbclient DSO first (in the Makefile) and then either set LD_LIBRARY_PATH or /etc/ld.so.conf to pick up the library PATH. (This used to be commit 42787bccff4fcffafc7aae6a678e792604ecaaa5)
2007-12-15Replace sid_string_static by sid_string_dbg in DEBUGsVolker Lendecke1-4/+4
(This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-15Use sid_string_talloc where we have a tmp talloc ctxVolker Lendecke1-2/+2
(This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03)
2007-11-27Remove pstrings from everything except srv_spoolss_nt.c.Jeremy Allison1-3/+3
Jeremy. (This used to be commit 0002a9e96b0ef78316295a6eb94ff29b64e2f988)
2007-11-14Remove pstring from auth/*Jeremy Allison1-14/+38
Jeremy. (This used to be commit 72c19d114b40ee307bbe45d9828667165a26d7a3)
2007-10-18RIP BOOL. Convert BOOL -> bool. I found a few interestingJeremy Allison1-25/+25
bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-12Add become_root/unbecome_root around one call of getsampwsid()Michael Adam1-1/+6
in create_token_from_username(). This caused set_nt_acl to partially fail in certain circumstances. This is expected to bring an improvement to bug #4308. Michael (This used to be commit e68671b59500d7e1b645c80ee264c49893f8df84)
2007-10-10r23928: Merge all "copy-info3-groups-to-sid-array" blocks to a ↵Günther Deschner1-32/+6
sid_array_from_info3() function. Guenther (This used to be commit 1e1e480115e37b3f4c85f979ddd800b8de0b9c57)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)