Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
This common structure will make it much easier to produce an auth
module for s3compat that calls Samba4's auth subsystem.
In order the make the link work properly (and not map twice), we mark
both that we did try and map the user, as well as if we changed the
user during the mapping.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Remove some silly failure checks
|
|
|
|
|
|
pointer of nt and lm hash.
This fixes kernel cifs client with sec=ntlmv2.
Guenther
|
|
This function was previously performed under the cover by converting
back and forth from info3 to samu and then later from samu to info3.
Since we now shortcircuit that in some cases, check explicitly using
get_primary_group_sid()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
sids are now completely handled using info3, remove dead code that fills
server info sids and the structure members themselves
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
When we generate a user out of thin air we may end up adding sids
that are not part of the sam domain (unix domain sids).
Handle the case and preserve these sids as extra sids.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
It makes no sense to go through all the hoops to build samu and
convert it to info3, just to discard them later if the user was
not valid.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Guenther
|
|
Add comment to notify when getpwnam() fails.
Reviewed-by: Simo Sorce <idra@samba.org>
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
It is not used anymore, we have that information in
info3->base.logon_server already
|
|
We don't keep sampass in server_info anymore
So it makes no sense to keep it around.
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Guenther
|
|
Well known rids don't really belong into an rpc header, just use the ones
defined in security.idl.
Guenther
|
|
|
|
|
|
|
|
|
|
Goal is to be able to call check_sam_security from winbind
|
|
|
|
|
|
|
|
|
|
This was just TALLOC_ZERO_P
|
|
Remove "mem_ctx" from "struct auth_context"
|
|
|
|
is a data blob with a data pointer pointing to an allocation of length zero.
Jeremy.
|
|
|
|
|
|
|
|
|
|
|
|
Michael
|
|
A domain can't have a trust with itself.
This saves some roundtrips to the ldap server for ldapsam.
Michael
|
|
This saves some roundtrips to LDAP in an ldapsm setup.
Michael
|
|
Authentication of domain users on the member server fails when winbindd
is not running. This is because the is_trusted_domain() check behaves
differently when winbindd is running and when it isn't:
Since wb_is_trusted_domain() calls wbcDomainInfo(), and this will also
give a result for our own domain, this succeeds for the member
server's own domain when winbindd is running. When winbindd is not
running, is_trusted_domain() checks (and possibly updates) the trustdom
cache, and this does the lsa_EnumTrustDom() rpc call to the DC which
does not return its own domain.
In case of winbindd not running, before 3.4, the domain part was _silently_
mapped to the workgroup in auth_util.c:make_user_info_map(),
which effectively did nothing in the member case.
But then the parameter "map untrusted to domain" was introduced
and the mapping was made to the workstation name instead of
the workgroup name by default unless "map untrusted to domain = yes".
(Commits
d8c54fddda2dba3cbc5fc13e93431b152813892e,
5cd4b7b7c03df6e896186d985b6858a06aa40b3f, and
fbca26923915a70031f561b198cfe2cc0d9c3aa6)
This was ok as long as winbindd was running, but with winbindd not running,
these changes actually uncovered the above logic bug in the check.
So the correct check is to treat the workgroup as trusted / or known
in the member case. This is most easily achieved by not comparing the
domain name against get_global_sam_name() which is the host name unless
for a DC but against my_sam_name() which is the workgroup for a DC and for
a member, too. (These names are not very intuitive...)
I admit that this is a very long commit message for a one-liner, but this has
needed some tracking down, and I think the change deserves some justification.
Michael
|
|
metze
|
|
This is an addendum to d8c54fdd, which made make_user_info_map() match
Windows behavior by mapping untrusted domains given to smbd on the wire
with the users credentials to smbd's global sam name.
This fix was being circumvented in the case where the client passed
a NULL domain. Vista clients do this. In that case smbd was always
remapping the name to the machine workgroup. The NULL domain case
should also be mapped to the global sam name.
Removing the code in this patch, causes us to fall down to the logic
added in d8c54fdd and properly map the domain.
|
|
|