summaryrefslogtreecommitdiff
path: root/source3/auth/auth_util.c
AgeCommit message (Collapse)AuthorFilesLines
2012-12-09s3-rpc_server: support AES for interactive netlogon samlogon password ↵Günther Deschner1-33/+1
decryption. Still need to fix AES support for the returned validation info. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-11-12Use work around for 'winbind use default domain' only if it is setSumit Bose1-1/+2
Currently in smb_getpwnam() the NetBIOS domain name and the winbind separator character is always added to the user name returned by Get_Pwnam_alloc() if it does not contain the winbind separator character. As comments in the code indicates this is done as a work around if 'winbind use default domain' is set to yes in the samba configuration. This make sense if the option is set because otherwise the domain information is lost from the user name. But it causes errors if other services than winbind are used for user lookup, e.g. sssd. sssd can handle different kind of fully qualified user names as input, e.g. user@domain.name or DOM\user, but returns a canonical name, by default user@domain.name. While it would be possible to get around this issue with a special configuration either on the sssd or samba side I think the cleaner solution is to use the work around only if 'winbind use default domain' is set to yes which is what this patch does. Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Nov 12 15:54:15 CET 2012 on sn-devel-104
2012-08-09Correctly check for errors in strlower_m() returns.Jeremy Allison1-1/+3
2012-07-24lib/param: Move all enum declarations to lib/paramAndrew Bartlett1-0/+1
This is in preperation for the parameter table being made common. Andrew Bartlett Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2012-07-19s3-auth Use correct RID for domain guests primary groupAndrew Bartlett1-1/+1
This was incorrect in commit 9dd7e7fc2d6d1aa7f3c3b741ac134e087ce808fd as the RID was from the BUILTIN domain, but this creates a guest account token for the real domain. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Jul 19 05:56:28 CEST 2012 on sn-devel-104
2012-07-19Revert "s3:auth make sure the primary group sid is usable"Andrew Bartlett1-30/+13
This reverts commit 00089fd74af740f832573d904312854e494a869e. The issue with this patch, which I did sign off on, is that for the domain member case, we already know that the SID is reasonable and valid, and we indeed rely on that, because we keep it as an additonal group anyway. The primary group is not so special that we need to do extra validation. Calling this function may put a user into the domain 'domain users' group, even if they are not in that group to start with. Andrew Bartlett
2012-07-18loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *.Rusty Russell1-4/+4
They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to us talloc_tos(). A simple patch, but hits a lot of files. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-06-19s3-auth: make_new_system_info_session() now does not query nssAndrew Bartlett1-1/+3
This is important in some situations where these queries might be costly LDAP queries and is just not required for the system token. This is because the system token should be just the NT AUTHORITY\SYSTEM user and just enough unix info to allow the token to be used. Andrew Bartlett Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Jun 19 13:34:28 CEST 2012 on sn-devel-104
2012-06-19s3-auth: make_new_system_info_session() not query passdbAndrew Bartlett1-47/+39
This is important in some situations where these queries might be costly LDAP queries and is just not required for the system token. This is because the system token should be just the NT AUTHORITY\SYSTEM user and just enough unix info to allow the token to be used. We query only NSS to get the name of sec_initial_uid() Signed-off-by: Andreas Schneider <asn@samba.org>
2012-06-19s3-auth: inline make_session_info functions into only callersAndrew Bartlett1-74/+35
With the split up to handle system specially, there is no need for these static helper functions any more. Andrew Bartlett Signed-off-by: Andreas Schneider <asn@samba.org>
2012-06-19auth: Use only security_token_is_system to determine that a user is SYSTEMAndrew Bartlett1-4/+0
This removes the duplication on how to detect that a user is system in Samba now that the smbd system account is also only SID_NT_SYSTEM we can use the same check everywhere. Andrew Bartlett Signed-off-by: Andreas Schneider <asn@samba.org>
2012-06-19s3-auth: Fix system token as just being SID_NT_SYSTEMAndrew Bartlett1-0/+3
This removes the SID matching the sec_initial_uid(). Andrew Bartlett Signed-off-by: Andreas Schneider <asn@samba.org>
2012-06-15s3-auth: Fix system info3 return to be just SID_NT_SYSTEMAndrew Bartlett1-11/+17
The SID for the SYSTEM token should be a fixed value, and not the administrator. Note however that it will be replaced by the SID of sec_initial_uid() by the create_local_token() code. Fixing this requires fixes the other parts of the code that cannot cope with a token of just SID_NT_SYSTEM. Andrew Bartlett
2012-06-15s3-auth: Fix system token generation not to dereference pointer as an integerAndrew Bartlett1-1/+1
This continues on from commit caaebb455cf955f66c2f662c53998c480cb2d6c9 which is marked as being part of bug #8944, ldapsam:trusted and ipasam and an additional fix for bug #8567 (0528cb5f3a15b72dcb34ece21a3ffb3e7b8d6eb9). The problem here was that the primary_gid was simply the pointer result of dom_sid_parse_talloc() cast to a uint32_t (found by the IRIX cc on the build farm). Andrew Bartlett
2012-06-15s3-auth: Give the SYSTEM token all privilegesAndrew Bartlett1-0/+4
2012-05-15s3-auth: Rename to init_system_session_info().Andreas Schneider1-1/+1
Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Tue May 15 13:56:00 CEST 2012 on sn-devel-104
2012-05-15s3-auth: Don't lookup the system user in pdb.Andreas Schneider1-4/+95
This fixes bug #8944, ldapsam:trusted and ipasam. It is an additional fix for bug #8567 (0528cb5f3a15b72dcb34ece21a3ffb3e7b8d6eb9).
2012-05-04s3: remove some unused codeVolker Lendecke1-27/+0
2012-05-02s3:passdb: rename sids_to_unix_ids() --> sids_to_unixids() for consistencyMichael Adam1-1/+1
2012-05-02s3-passdb: Use struct unixid in sids_to_unix_idsAndrew Bartlett1-6/+7
This avoids the union in the struct wbcUnixId and moves us to using only struct unixid internally. Andrew Bartlett Signed-off-by: Michael Adam <obnox@samba.org>
2012-03-13s3-rpc: Decrypt with the proper session key in CreateTrustedDomainEx2.Alexander Bokovoy1-0/+28
On LSA and SAMR pipes session_key is truncated to 16 byte when doing encryption/decryption. However, this was not done for trusted domain-related modifying operations. As result, Samba 4 client libraries do not work against Samba 3 while working against Windows 2008 r2. Solved this by introducing "session_extract_session_key()" function that allows to specify intent of use of the key. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Tue Mar 13 12:23:44 CET 2012 on sn-devel-104
2012-03-08s3-auth: Follow auth_ntlmssp and use auth4_context for Session SetupAndrew Bartlett1-10/+10
This patch ensures consistency in behaviour between NTLMSSP and NTLM session setup handlers. By calling the same layer that auth_ntlmssp calls, we can not only allow redirection of all authentication to the AD DC, we ensure that map to guest and username map handling is consistent, even in the file server alone. Andrew Bartlett
2012-03-04s3-auth Add make_session_info_from_pw to avoid multiple getpwnam() callsAndrew Bartlett1-12/+34
2012-02-08s3-auth Add const to make_user_info_mapAndrew Bartlett1-2/+2
2011-12-22s3-auth Restore shortcut for guest security tokenAndrew Bartlett1-11/+11
This was lost when the server_info and session_info structures were split. This helps avoid doing lookups for the guest account to determine the uid/gid and SID values. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Dec 22 15:51:09 CET 2011 on sn-devel-104
2011-10-24idl: Improve MS-PAC IDLSimo Sorce1-2/+2
Change some misleading variable names to reflect the actual function. Add missing field name/types previously marked as unkown. Signed-off-by: Günther Deschner <gd@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Mon Oct 24 19:19:28 CEST 2011 on sn-devel-104
2011-10-18s3:auth_util: add the uid with WBC_ID_TYPE_BOTH also to the group arrayStefan Metzmacher1-2/+4
This will help with having "sidHistory" support in future. metze
2011-09-23s3-winbindd: add support for idmap type WBC_ID_TYPE_BOTHAndrew Tridgell1-1/+2
this allows the s3 code to understand and cache responses from the s4 winbindd which may include a single SID mapped to both a uid and a gid Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Michael Adam <obnox@samba.org> Autobuild-User: Michael Adam <obnox@samba.org> Autobuild-Date: Fri Sep 23 01:47:54 CEST 2011 on sn-devel-104
2011-08-03s3-auth directly return the result of make_server_info_guest()Andrew Bartlett1-2/+2
2011-08-03s3-auth remove sanitized_username from auth_serversupplied_infoAndrew Bartlett1-16/+1
This structure element was only written to, not read. It is filled into the companion structure, auth_session_info() by create_local_token(). Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-auth set session_info->sanitized_username in create_local_token()Andrew Bartlett1-14/+12
Rather than passing this value around the callers, and eventually setting it in register_existing_vuid(), we simply pass it to create_local_token(). This also removes the need for auth_ntlmssp_get_username(). Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-auth Use else if in do_map_to_guest_server_infoAndrew Bartlett1-3/+1
This means we can't ever call make_server_info_guest() twice. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-auth Move map to guest to directly after the check_password callsAndrew Bartlett1-0/+32
This means we no longer need two different map to guest functions and have consistent logic with fewer layering violations. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-22Fix const warning.Jeremy Allison1-2/+5
Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Fri Jul 22 01:58:39 CEST 2011 on sn-devel-104
2011-07-20s3-auth Replace False with false in auth_util.cAndrew Bartlett1-10/+10
Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Jul 20 02:31:15 CEST 2011 on sn-devel-104
2011-07-20s3-auth Replace True with true in auth_util.cAndrew Bartlett1-12/+12
2011-07-20s3-auth Fix spellingAndrew Bartlett1-7/+7
2011-07-20s3-auth inline make_auth_session_info into only callerAndrew Bartlett1-1/+1
2011-07-20s3-auth Remove seperate guest booleanAndrew Bartlett1-3/+2
Instead, we base our guest calculations on the presence or absense of the authenticated users group in the token, ensuring that we have only one canonical source of this important piece of authorization data Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20auth: Set NETLOGON_GUEST and use it to determine guest statusAndrew Bartlett1-0/+3
These additional measures should help ensure we do not accidentily upgrade a guest to an authenticated user in the future. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20auth: Split out make_user_info_SamBaseInfo and add authenticated argumentAndrew Bartlett1-13/+5
This will allow the source3 auth code to call this without needing to double-parse the SIDs Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Use the common auth_session_infoAndrew Bartlett1-24/+24
This patch finally has the same structure being used to describe the authorization data of a user across the whole codebase. This will allow of our session handling to be accomplished with common code. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth use auth_user_info not netr_SamInfo3 in auth3_session_infoAndrew Bartlett1-7/+20
This makes auth3_session_info identical to auth_session_info The logic to convert the info3 to a struct auth_user_info is essentially moved up the stack from the named pipe proxy in source3/rpc_server to create_local_token(). Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth reimplement copy_session_info via NDR pull/pushAndrew Bartlett1-57/+23
This ensures we do not miss elements. Pattern copied from auth_netlogond. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Avoid redundant copies in create_local_token()Andrew Bartlett1-20/+20
These values were not read before being overwritten again. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Add comments to copy_session_info_serverinfo_guest()Andrew Bartlett1-2/+5
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth inline copy_serverinfo_session_info into only callerAndrew Bartlett1-72/+56
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth use a cached auth_serversupplied_info in make_server_info_guest()Andrew Bartlett1-11/+19
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth remove extra from auth3_session_infoAndrew Bartlett1-4/+5
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Clarify inputs and ouptuts by using elements from server_infoAndrew Bartlett1-5/+5
This allows us not the put all of these elements into the auth3_session_info if they are only used as inputs to these functions. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>