summaryrefslogtreecommitdiff
path: root/source3/auth/auth_util.c
AgeCommit message (Collapse)AuthorFilesLines
2010-06-07s3:auth make sure the primary group sid is usableSimo Sorce1-13/+30
This function was previously performed under the cover by converting back and forth from info3 to samu and then later from samu to info3. Since we now shortcircuit that in some cases, check explicitly using get_primary_group_sid() Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-07s3:auth return the full passwd struct from check_accountSimo Sorce1-12/+6
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-07s3:auth remove unused structure memberSimo Sorce1-75/+1
sids are now completely handled using info3, remove dead code that fills server info sids and the structure members themselves Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-07s3:auth create nt token from info3 directlySimo Sorce1-12/+5
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-07s3:auth handle unix domain sids in samuSimo Sorce1-2/+3
When we generate a user out of thin air we may end up adding sids that are not part of the sam domain (unix domain sids). Handle the case and preserve these sids as extra sids. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-07s3:auth set the resolved user sid in the fake sam accountSimo Sorce1-0/+3
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-07s3:auth check the user is valid firstSimo Sorce1-43/+39
It makes no sense to go through all the hoops to build samu and convert it to info3, just to discard them later if the user was not valid. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-07s3:auth make sure we set the right usernameSimo Sorce1-0/+5
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-01s3:auth Rename wksta_name -> workstation_name in auth_usersupplied_infoAndrew Bartlett1-8/+8
2010-05-31s3:smbd map_username() doesn't need sconn anymoreSimo Sorce1-4/+2
Signed-off-by: Andreas Schneider <asn@samba.org>
2010-05-31s3-auth: add "system" bool flag to auth_serversupplied_info.Günther Deschner1-1/+10
Guenther
2010-05-29s3:auth Fix segfault when the user cannot be found by getpwnam()Andrew Bartlett1-3/+10
Add comment to notify when getpwnam() fails. Reviewed-by: Simo Sorce <idra@samba.org>
2010-05-28s3-auth: Added a function to get the server_info from the system user.Andreas Schneider1-0/+39
Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-27s3:auth remove login_server from server infoSimo Sorce1-3/+0
It is not used anymore, we have that information in info3->base.logon_server already
2010-05-28s3:auth Free sampass as soon as we have server_infoSimo Sorce1-1/+4
We don't keep sampass in server_info anymore So it makes no sense to keep it around. Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-28s3:auth use info3 in auth_serversupplied_infoSimo Sorce1-366/+41
Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21s3:dom_sid Global replace of DOM_SID with struct dom_sidAndrew Bartlett1-10/+10
This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-18s3-crypto: only include crypto headers when crypto is done.Günther Deschner1-0/+1
Guenther
2010-05-18s3-rpc_misc: clean out include/rpc_misc.h.Günther Deschner1-1/+1
Well known rids don't really belong into an rpc header, just use the ones defined in security.idl. Guenther
2010-04-11s3: Move [make|free]_user_info to auth/user_info.cVolker Lendecke1-108/+0
2010-04-11s3: Move make_server_info_sam to auth/server_info_sam.cVolker Lendecke1-121/+0
2010-04-11s3: Move sanitize_username to lib/util_str.cVolker Lendecke1-8/+0
2010-04-11s3: Move make_server_info to auth/server_info.cVolker Lendecke1-32/+0
2010-04-11s3: Move user_in_group() and create_token_from_username() to token_utils.cVolker Lendecke1-315/+0
Goal is to be able to call check_sam_security from winbind
2010-04-11s3: Use talloc_stackframe() in user_in_groupVolker Lendecke1-7/+1
2010-04-11s3: Use talloc_stackframe() in user_in_group_sidVolker Lendecke1-8/+1
2010-04-11s3: Use talloc_stackframe() in create_token_from_usernameVolker Lendecke1-7/+1
2010-04-11s3: Fix a memleak in user_in_group_sidVolker Lendecke1-0/+1
2010-04-11s3: Remove the make_auth_methods routineVolker Lendecke1-26/+0
This was just TALLOC_ZERO_P
2010-04-11s3: Make "auth_context" its own talloc parentVolker Lendecke1-1/+1
Remove "mem_ctx" from "struct auth_context"
2010-04-09s3: Fix a typoVolker Lendecke1-1/+1
2010-03-22Fix valgrind error when running under share level security. plaintext_passwordJeremy Allison1-2/+2
is a data blob with a data pointer pointing to an allocation of length zero. Jeremy.
2010-02-20s3: Fix some nonempty blank linesVolker Lendecke1-59/+57
2010-01-24s3: Remove some calls to memset -- reduces text size by some bytes for meVolker Lendecke1-8/+3
2010-01-10s3: Replace most calls to sid_append_rid() by sid_compose()Volker Lendecke1-6/+4
2010-01-10s3: Remove the typedef for "auth_serversupplied_info"Volker Lendecke1-18/+18
2010-01-10s3: Remove the typedef for "auth_usersupplied_info"Volker Lendecke1-9/+9
2009-11-14s3:fix a comment typoMichael Adam1-1/+1
Michael
2009-11-14s3:is_trusted_domain: shortcut if domain name == global_sam_nameMichael Adam1-0/+4
A domain can't have a trust with itself. This saves some roundtrips to the ldap server for ldapsam. Michael
2009-11-14s3:is_trusted_domain: shortcut if domain name is NULL or emptyMichael Adam1-0/+4
This saves some roundtrips to LDAP in an ldapsm setup. Michael
2009-08-21s3: fix bug #6650, authentication at member servers when winbindd is not runningMichael Adam1-1/+1
Authentication of domain users on the member server fails when winbindd is not running. This is because the is_trusted_domain() check behaves differently when winbindd is running and when it isn't: Since wb_is_trusted_domain() calls wbcDomainInfo(), and this will also give a result for our own domain, this succeeds for the member server's own domain when winbindd is running. When winbindd is not running, is_trusted_domain() checks (and possibly updates) the trustdom cache, and this does the lsa_EnumTrustDom() rpc call to the DC which does not return its own domain. In case of winbindd not running, before 3.4, the domain part was _silently_ mapped to the workgroup in auth_util.c:make_user_info_map(), which effectively did nothing in the member case. But then the parameter "map untrusted to domain" was introduced and the mapping was made to the workstation name instead of the workgroup name by default unless "map untrusted to domain = yes". (Commits d8c54fddda2dba3cbc5fc13e93431b152813892e, 5cd4b7b7c03df6e896186d985b6858a06aa40b3f, and fbca26923915a70031f561b198cfe2cc0d9c3aa6) This was ok as long as winbindd was running, but with winbindd not running, these changes actually uncovered the above logic bug in the check. So the correct check is to treat the workgroup as trusted / or known in the member case. This is most easily achieved by not comparing the domain name against get_global_sam_name() which is the host name unless for a DC but against my_sam_name() which is the workgroup for a DC and for a member, too. (These names are not very intuitive...) I admit that this is a very long commit message for a one-liner, but this has needed some tracking down, and I think the change deserves some justification. Michael
2009-06-03s3:smbd: move more session specific globals to struct smbd_server_connectionStefan Metzmacher1-2/+5
metze
2009-05-28s3/auth map NULL domains to our global sam nameSteven Danneman1-9/+3
This is an addendum to d8c54fdd, which made make_user_info_map() match Windows behavior by mapping untrusted domains given to smbd on the wire with the users credentials to smbd's global sam name. This fix was being circumvented in the case where the client passed a NULL domain. Vista clients do this. In that case smbd was always remapping the name to the machine workgroup. The NULL domain case should also be mapped to the global sam name. Removing the code in this patch, causes us to fall down to the logic added in d8c54fdd and properly map the domain.
2009-05-12s3 auth: Make debug message louder and more usefulDan Sledz1-2/+3
2009-05-11Fix a bunch of compiler warnings about wrong format types.Jeremy Allison1-5/+5
Should make Solaris 10 builds look cleaner. Jeremy.
2009-05-07s3-auth: use full 16byte session key in make_user_info_netlogon_interactive().Günther Deschner1-2/+1
Patch from Jeremy. With this patch, I was able to join Windows 7 RC to a Samba3 DC, and login into a Samba 3 Domain. There are still two registry settings required: HKLM\System\CCS\Services\LanmanWorkstation\Parameters DWORD DomainCompatibilityMode = 1 DWORD DNSNameResolutionRequired = 0 Do *not* modify the other netlogon registry parameters that were passed around, they weaken security. Guenther (cherry picked from commit b5097d54cb74ca0ea328f9e029562f65f4a01134)
2009-04-28Fix bug #6291 - force user stop working.Jeremy Allison1-1/+37
A previous fix broke the invariant that *uid is always initialized on return from create_token_from_username(). Restore it. Jeremy.
2009-04-14Rework Samba3 to use new libcli/auth code (partial)Andrew Bartlett1-2/+3
This commit is mostly to cope with the removal of SamOemHash (replaced by arcfour_crypt()) and other collisions (such as changed function arguments compared to Samba3). We still provide creds_hash3 until Samba3 uses the credentials code in netlogon server Andrew Bartlett
2009-04-01s3-auth: rename static smb_create_user(). Sorry...Günther Deschner1-2/+2
Guenther
2009-02-26s3: fix guest auth when winbindd is runningSteven Danneman1-7/+7
This fix is very subtle. If a server is configured with "security = share" and "guest ok = yes" and winbindd is running authorization will fail during tree connect. This is due to our inability to map the guest sid S-1-5-21-X-501 to a uid through sid_to_uid(). Winbindd is unaware of the hard coded mapping between this sid and whatever uid the name in lp_guestaccount() is assigned. So sid_to_uid() fails and we exit create_token_from_username() without ever calling pdb_getsampwsid() which IS aware of the hard coded mapping. This patch just reorganizes the code, moving sid_to_uid() down to the block of code in which it is needed, avoiding this early failure.