summaryrefslogtreecommitdiff
path: root/source3/auth/auth_util.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r23928: Merge all "copy-info3-groups-to-sid-array" blocks to a ↵Günther Deschner1-32/+6
sid_array_from_info3() function. Guenther (This used to be commit 1e1e480115e37b3f4c85f979ddd800b8de0b9c57)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r23530: Fix bugs #4678 and #4697 which had the same root cause.Jeremy Allison1-0/+54
In make_server_info_pw() we assign a user SID in our authoritative SAM, even though this may be from a pure "Unix User" that doesn't exist in the SAM. This causes lookups on "[in]valid users" to fail as they will lookup this name as a "Unix User" SID to check against the user token. Fix this by adding the "Unix User"\unix_username SID to the sid array. The correct fix should probably be changing the server_info->sam_account user SID to be a S-1-22 Unix SID, but this might break old configs where plaintext passwords were used with no SAM backend. Jeremy (This used to be commit 80d1da7e6cce451d3934751feaa6ad60a337e3db)
2007-10-10r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; andVolker Lendecke1-5/+5
replace all data_blob(NULL, 0) calls. (This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
2007-10-10r22819: Fix Bug 4613. We just dumped the must change & friends. With theVolker Lendecke1-0/+24
pass_last_changed == 0 we now return "Change now!" instead of "Change never" (This used to be commit 450e4d94f64f86a3dd709265d15ed5082d4b53e8)
2007-10-10r22740: Move debug_*_user_token to token_utils.cVolker Lendecke1-45/+0
(This used to be commit 4ad9f8aa61cef94be8d38c6e91aac3a5c848f81f)
2007-10-10r22589: Make TALLOC_ARRAY consistent across all uses.Jeremy Allison1-5/+9
Jeremy. (This used to be commit 8968808c3b5b0208cbad9ac92eaf948f2c546dd9)
2007-10-10r22542: Move over to using the _strict varients of the tallocJeremy Allison1-5/+5
calls. No functional changes. Looks bigger than it is :-). Jeremy. (This used to be commit f6fa3080fee1b20df9f1968500840a88cf0ee592)
2007-10-10r22390: Patchset sent to samba-technical to address the winbindGerald Carter1-38/+10
loop when allocating a new id for a SID: auth_util.patch Revert create_local_token() to the 3.0.24 codebase idmap_type.patch Have the caller fillin the id_map.xid.type field when resolving a SID so that if we allocate a new id, we know what type to use winbindd_api.patch Remove the WINBINDD_SIDS_TO_XIDS calls from the public winbindd interface for the 3.0.25 release idmap_rid.patch Cleanup the idmap_rid backend to not call back into winbindd to resolve the SID in order to verify it's type. (This used to be commit 3b24dae9e73b244540a68b631b428a4d0f57440b)
2007-10-10r22135: Check in most of Michael Adam's net conf utility. A good share of ↵Volker Lendecke1-432/+0
this patch is moving functions around to fix some linker dependencies for the registry. Michael, I've renamed your auth_utils2.c to token_utils.c. Thanks! Volker (This used to be commit 9de16f25c1c3e0b203da47391772ef2e2fe291ac)
2007-10-10r22022: - Clarify the commentsAndrew Bartlett1-1/+1
- make sure never to free an uninitialised variable - ensure to free result on getpwnam_alloc failure Andrew Bartlett (This used to be commit 5fe3328e66661371182cc1c3b6e239797c3b4f93)
2007-10-10r22020: Make it more clear that both the vuser struct and it's contents areAndrew Bartlett1-7/+11
talloc_free()'ed at the end of a session. Rework the passwd cache code to use talloc_unlink and talloc_reference, to more carefully manage the cache. Andrew Bartlett (This used to be commit e3e0ec25e67308de314aa61852905ee42aa2c8fe)
2007-10-10r22001: change prototype of dump_data(), so that it takes unsigned char * now,Stefan Metzmacher1-2/+2
which matches what samba4 has. also fix all the callers to prevent compiler warnings metze (This used to be commit fa322f0cc9c26a9537ba3f0a7d4e4a25941317e7)
2007-10-10r21999: remove useless castsStefan Metzmacher1-6/+6
metze (This used to be commit f948005ca69c50b07fdbcf7801975676d19d1486)
2007-10-10r21536: Fix copy/paste typo.Günther Deschner1-1/+1
Guenther (This used to be commit 7edbb636f7caf43135f0320cc08ff18a34a80594)
2007-10-10r20824: Send access to the trusted domain passwords through the pdb backend, ↵Volker Lendecke1-2/+1
so that in the next step we can store them in LDAP to be replicated across DCs. Thanks to Michael Adam <ma@sernet.de> Volker (This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d)
2007-10-10r20774: I thought I committed this before Xmas holidays ...Simo Sorce1-1/+1
This change is needed to make it possible to not expire caches in disconnected mode. Jerry, please can you look at this and confirm it is ok? Simo. (This used to be commit 9e8715e4e15d9cede8f4aa9652642995392617e6)
2007-10-10r20169: Support for fallback to legacy mapping code was not completely tested.Simo Sorce1-10/+24
Add necessary fixes. (This used to be commit 4a81ee9608d45f95eaaccc78a080e717cb7d4682)
2007-10-10r20116: Start merging in the work done to create the new idmap subsystem.Simo Sorce1-7/+20
Simo. (This used to be commit 50cd8bffeeed2cac755f75fc3d76fe41c451976b)
2007-10-10r20098: Properly fix issues with create_token_from_username()Jeremy Allison1-6/+11
reported by James. Ensure that this function allocates everything on the temporary context except the return memory. Never call this with a null mem context, and now use conn->mem_ctx instead in smbd/service.c. Remove separate free functions for conn->ngroups and conn->nt_user_token as they are now always talloc'ed off the conn->mem_ctx. Future optimization will be to remove conn->mem_ctx and make all objects pointed to in the conn struct talloc'ed off conn itself. Easy to free then :-). Jeremy. (This used to be commit f83b6de44f1058811ff94ac72a8a71bd8e49e4e8)
2007-10-10r20090: Fix a class of bugs found by James Peach. EnsureJeremy Allison1-40/+77
we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2007-10-10r19991: Sorry for this 2000-liner...Volker Lendecke1-1/+1
The main thing here is a rewrite of srv_winreg_nt.c. The core functionality has moved to registry/reg_api.c which is then usable by the rest of Samba as well. On that way it fixes creating keys with more than one element in the path. This did not work before. Two things that sneaked in (sorry :-) is the change of some routines from NTSTATUS to WERROR the removed "parent" argument to regkey_open_internal. Volker (This used to be commit fea52801de8c7b85c578d200c599475680c5339f)
2007-10-10r19980: Implement pam account stack checks when obey pam restrictions is true.Simo Sorce1-1/+1
It was missing for security=server/domain/ads Simo. (This used to be commit 550f651499c22c3c11594a0a39061a8a9b438d82)
2007-10-10r19773: TALLOC_FREE checks for NULL itselfVolker Lendecke1-4/+1
(This used to be commit fb3983ae1fdd1935333ffee80bceb747228ac0f3)
2007-10-10r19008: Fix a segfaultVolker Lendecke1-0/+1
(This used to be commit adfc82f0e6b12f8ccfe00f3ff49a089a4c936239)
2007-10-10r18271: Big change:Gerald Carter1-2/+2
* autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10r18029: More C++ stuffVolker Lendecke1-2/+2
(This used to be commit 089b51e28cc5e3674e4edf5464c7a15673c5ec0f)
2007-10-10r17924: Get rid of warnings now that talloc is merged.Volker Lendecke1-4/+1
Destructors now take a pointer to the "real" destroyed object as an argument. Volker (This used to be commit 70edd716ef0ccb218fe18d1233bd30abe46b62bf)
2007-10-10r17875: Fix (rather theoretical, but still...) null deref found byJeremy Allison1-8/+11
Stanford checker. Jeremy. (This used to be commit 45d77ae12235e6b39cc30845d69ac3777d3eefd0)
2007-10-10r17736: Apply the Unix group patch when creating the token for aGerald Carter1-1/+28
username map. (This used to be commit 0298a3466bc6c5e322db7dac386e4e5eef0e2702)
2007-10-10r17710: Thanks to Thomas Bork for testing and continued feedback on this.Gerald Carter1-2/+25
Comments from the patch: /* Add the "Unix Group" SID for each gid to catch mapped groups and their Unix equivalent. This is to solve the backwards compatibility problem of 'valid users = +ntadmin' where ntadmin has been paired with "Domain Admins" in the group mapping table. Otherwise smb.conf would need to be changed to 'valid user = "Domain Admins"'. --jerry */ (This used to be commit 3848199287c5829aef66d0dee38a79056fe1ff5c)
2007-10-10r17402: Added lookup_name_smbconf() to be called when lookingJeremy Allison1-2/+2
up names from smb.conf. If the name is unqualified it causes the lookup to be done in WORKGROUP\name, then "Unix [users|groups]"\name rather than searching the domain. Should fix the problems with "force user" selecting a domain user by preference. Jeremy. (This used to be commit 1e1fcb5eb2ac4bd360461b29f85c07dbf460025d)
2007-10-10r17399: Some C++ warningsVolker Lendecke1-7/+8
(This used to be commit d12b08fc619f7b566ef5c4cc7294174e887014fe)
2007-10-10r17393: Remove Volker's ASSERT that num_groupsids > 0.Jeremy Allison1-3/+5
For guest connection they may well be zero. This should fix up the buildfarm (fingers crossed). Jeremy. (This used to be commit 16ebccbc5889c3b4c1a20bf3453bd523ddf6f5b0)
2007-10-10r17392: Commit Volker's fix for the valid users problem.Jeremy Allison1-30/+22
Let's look at the build farm now... :-). Jeremy. (This used to be commit 6d822b85676f033a1a2e422e2d5ac92aaf566aef)
2007-10-10r17391: Revert the second part of the valid users fix - theJeremy Allison1-23/+5
netlogon code uses pdb_get_group_sid() which could return a S-1-1-22 unix sid. Who knew.... :-(. I'm going to test Volker's fix instead. Once 3.0.23b is out we *have* to rip out the pdb_set_group_sid() code.... Jeremy. (This used to be commit 65003e1b251b4762cef2b3cdcc895269f9319eb8)
2007-10-10r17388: Fix the "valid users"/token issue for now. Volker,Jeremy Allison1-5/+23
please come in and fix it in a less ugly way once you have some time. Thanks, Jeremy. (This used to be commit 79b1e668e2ce263c84ff8fafaafb3e57b06717ab)
2007-10-10r17378: Fix the issues people have been having with mappedJeremy Allison1-2/+2
users (username map) and failure to connect to a share. Essentially, even on a standalone system we were going into the create_token_from_username() code (I think by mistake) if the username was mapped. Fixes bug #3991. Volker & Jerry - please go over this with a very careful eye and let me know if this isn't correct (I think it is, but this isn't my code and it's a dangerous area for me to be playing in :-). Jeremy (This used to be commit 0b5b2b53ec6e4c25b5f6645451dfce4aa7ae8a61)
2007-10-10r17022: Fix the build farm -- maybe this is the real fix, testing moreVolker Lendecke1-1/+2
(This used to be commit 19d02690002a35cb6e0204db236d2b768e48c6d8)
2007-10-10r17016: Different and smaller fix for the valid users = username problem.Volker Lendecke1-1/+7
If no winbind is around, the best we can do to get the user's token correct is to ask unix via create_token_from_username. More investigation is needed if this also fixes the +groupname for unmapped groups problems more cleanly. Volker (This used to be commit f6e3ee147ffde572532fb44b619dda01388d4a31)
2007-10-10r17011: Back out r17010 after talking to Jerry. Another fix pending...Volker Lendecke1-34/+9
Volker (This used to be commit 7a629118ee6f468505172147724f7f532f0f4a4f)
2007-10-10r17010: If winbind is not around, add S-1-22-1-<uid> to the user's token.Volker Lendecke1-9/+34
See the comment in the patch for the reason. Volker (This used to be commit 5e07ab750af3744e1ee5bfc813d5c6532aff4ecb)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-25/+79
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r16865: This is a proposal to fix bug 3915. Before sending patches around, ↵Volker Lendecke1-6/+17
this is what svn is for. The idea is that we fall back to a pure unix user with S-1-22 SIDs in the token in case anything weird is going on with the 'force user'. Volker (This used to be commit 9ec5ccfe851ac8a1f88b88c8c8461a5cf75b4c57)
2007-10-10r16864: Intermediate checkin -- swap the sid_check_is_in_unix_users andVolker Lendecke1-38/+38
sid_check_is_in_our_domain cases. Volker (This used to be commit dc403cec88d91fdeb09cbd04321d88bbdc0f490c)
2007-10-10r16766: A warning found by RHEL3. This might actually be 3.0.23 code, maybe ↵Volker Lendecke1-1/+1
there are vasprintf implementations that don't like a NULL format. Volker (This used to be commit 03c665c307e518c9ff66096904873266b145637c)
2007-10-10r16749: BUG 3905: don't fail in create_local_nt_token() when aGerald Carter1-3/+4
checking for the builtin Administrators group membership. security = server has no domain info in secrets.tdb (This used to be commit fa477969fbbcd9f707461a2d9015bebf719ddfbb)
2007-10-10r16471: Bug reported by Vitaly Protsko <villy@sft.ru> in 3.0.23rc1.Gerald Carter1-0/+25
Add missing automatic add of the Administrators SID in the absence of winbindd and precense of Domain Admins SID in the user's token. (This used to be commit ce7846d6f19f63ca99179b75e6f2195cc593795f)
2007-10-10r16241: Fix Klocwork #106 and others like it.Jeremy Allison1-10/+30
Make 2 important changes. pdb_get_methods() returning NULL is a *fatal* error. Don't try and cope with it just call smb_panic. This removes a *lot* of pointless "if (!pdb)" handling code. Secondly, ensure that if samu_init() fails we *always* back out of a function. That way we are never in a situation where the pdb_XXX() functions need to start with a "if (sampass)" test - this was just bad design, not defensive programming. Jeremy. (This used to be commit a0d368197d6ae6777b7c2c3c6e970ab8ae7ca2ae)