Age | Commit message (Collapse) | Author | Files | Lines |
|
The SID for the SYSTEM token should be a fixed value, and not the
administrator. Note however that it will be replaced by the SID of
sec_initial_uid() by the create_local_token() code. Fixing this
requires fixes the other parts of the code that cannot cope with a
token of just SID_NT_SYSTEM.
Andrew Bartlett
|
|
This continues on from commit caaebb455cf955f66c2f662c53998c480cb2d6c9
which is marked as being part of bug #8944, ldapsam:trusted and ipasam
and an additional fix for bug #8567
(0528cb5f3a15b72dcb34ece21a3ffb3e7b8d6eb9).
The problem here was that the primary_gid was simply the pointer result
of dom_sid_parse_talloc() cast to a uint32_t (found by the IRIX cc on
the build farm).
Andrew Bartlett
|
|
|
|
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Tue May 15 13:56:00 CEST 2012 on sn-devel-104
|
|
This fixes bug #8944, ldapsam:trusted and ipasam. It is an additional
fix for bug #8567 (0528cb5f3a15b72dcb34ece21a3ffb3e7b8d6eb9).
|
|
|
|
|
|
This avoids the union in the struct wbcUnixId and moves us to using only struct unixid
internally.
Andrew Bartlett
Signed-off-by: Michael Adam <obnox@samba.org>
|
|
On LSA and SAMR pipes session_key is truncated to 16 byte when doing encryption/decryption.
However, this was not done for trusted domain-related modifying operations.
As result, Samba 4 client libraries do not work against Samba 3 while working
against Windows 2008 r2.
Solved this by introducing "session_extract_session_key()" function that allows to specify
intent of use of the key.
Signed-off-by: Andreas Schneider <asn@samba.org>
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Tue Mar 13 12:23:44 CET 2012 on sn-devel-104
|
|
This patch ensures consistency in behaviour between NTLMSSP and NTLM
session setup handlers. By calling the same layer that auth_ntlmssp
calls, we can not only allow redirection of all authentication to the
AD DC, we ensure that map to guest and username map handling is
consistent, even in the file server alone.
Andrew Bartlett
|
|
|
|
|
|
This was lost when the server_info and session_info structures were split.
This helps avoid doing lookups for the guest account to determine the
uid/gid and SID values.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Dec 22 15:51:09 CET 2011 on sn-devel-104
|
|
Change some misleading variable names to reflect the actual function.
Add missing field name/types previously marked as unkown.
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Oct 24 19:19:28 CEST 2011 on sn-devel-104
|
|
This will help with having "sidHistory" support in future.
metze
|
|
this allows the s3 code to understand and cache responses from the s4
winbindd which may include a single SID mapped to both a uid and a gid
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User: Michael Adam <obnox@samba.org>
Autobuild-Date: Fri Sep 23 01:47:54 CEST 2011 on sn-devel-104
|
|
|
|
This structure element was only written to, not read.
It is filled into the companion structure, auth_session_info()
by create_local_token().
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Rather than passing this value around the callers, and eventually
setting it in register_existing_vuid(), we simply pass it to
create_local_token(). This also removes the need for
auth_ntlmssp_get_username().
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This means we can't ever call make_server_info_guest() twice.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This means we no longer need two different map to guest functions
and have consistent logic with fewer layering violations.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Jul 22 01:58:39 CEST 2011 on sn-devel-104
|
|
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Jul 20 02:31:15 CEST 2011 on sn-devel-104
|
|
|
|
|
|
|
|
Instead, we base our guest calculations on the presence or absense of the
authenticated users group in the token, ensuring that we have only
one canonical source of this important piece of authorization data
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
These additional measures should help ensure we do not accidentily upgrade
a guest to an authenticated user in the future.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This will allow the source3 auth code to call this without needing to
double-parse the SIDs
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This patch finally has the same structure being used to describe the
authorization data of a user across the whole codebase.
This will allow of our session handling to be accomplished with common code.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This makes auth3_session_info identical to auth_session_info
The logic to convert the info3 to a struct auth_user_info is
essentially moved up the stack from the named pipe proxy in
source3/rpc_server to create_local_token().
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This ensures we do not miss elements. Pattern copied from auth_netlogond.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
These values were not read before being overwritten again.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This allows us not the put all of these elements into the auth3_session_info
if they are only used as inputs to these functions.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
nss_token can be skipped
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
The long term authorization state needs only the final, negotiated
session key, and not the original LM key that may possibly have been
an input.
The special case of the guest account simply needs both values filled
back in with the zeros to avoid changing behaviour in the cached
server_info.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This is closer to the layout of struct auth_session_info in auth.idl
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This brings this structure one step closer to the struct auth_session_info.
A few SMB_ASSERT calls are added in some key places to ensure that
this pointer is initialised, to make tracing any bugs here easier in
future.
NOTE: Many of the users of this structure should be reviewed, as unix
and NT access checks are mixed in a way that should just be done using
the NT ACL. This patch has not changed this behaviour however.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This seperation between the structure used inside the auth modules and
in the wider codebase allows for a gradual migration from struct
auth_serversupplied_info -> struct auth_session_info (from auth.idl)
The idea here is that we keep a clear seperation between the structure
before and after the local groups, local user lookup and the session
key modifications have been processed, as the lack of this seperation
has caused issues in the past.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This will allow a gradual conversion of the required elements from the
current struct auth_serversupplied_info.
This commit adds the structure definition and some helper functions to
copy between the two structures.
At this stage these structures and functions are IDENTICAL to the
existing code, and so show the past history of that code. The plan is
to slowly modify them over the course of the patch series, so that the
changes being made a clear.
By using a seperate structure to auth_serversupplied_info we can
remove elements that are not needed after the authentication, and we
can choose a layout that best reflects the needs of runtime users,
rather than the internals of the authentication subsystem.
By eventually using the auth_session_info from auth.idl, we will gain
a single session authorization structure across the whole codebase,
allowing more code to be shared, and a much more transparent process
for forwarding authorization credentials over the named pipe proxy.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
The implementation of copy_serverinfo(), used to copy server_info into
session_info never copied the nss_token variable, and so
17d8f0ad30847bb940f645ee1817d782ddaaee74 introduced this regression.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|