summaryrefslogtreecommitdiff
path: root/source3/auth/proto.h
AgeCommit message (Collapse)AuthorFilesLines
2012-03-13s3-rpc: Decrypt with the proper session key in CreateTrustedDomainEx2.Alexander Bokovoy1-0/+1
On LSA and SAMR pipes session_key is truncated to 16 byte when doing encryption/decryption. However, this was not done for trusted domain-related modifying operations. As result, Samba 4 client libraries do not work against Samba 3 while working against Windows 2008 r2. Solved this by introducing "session_extract_session_key()" function that allows to specify intent of use of the key. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Tue Mar 13 12:23:44 CET 2012 on sn-devel-104
2012-03-08s3-auth: Remove single-implementation plugin layerAndrew Bartlett1-0/+40
The ->get_ntlm_challenge and ->check_ntlm_password elements of struct auth_context were only ever initialised to a single value. Make it easier to follow by just calling the function directly. Andrew Bartlett
2012-03-04s3-auth: Remove security=share (depricated since 3.6).Andrew Bartlett1-12/+0
This patch removes security=share, which Samba implemented by matching the per-share password provided by the client in the Tree Connect with a selection of usernames supplied by the client, the smb.conf or guessed from the environment. The rationale for the removal is that for the bulk of security=share users, we just we need a very simple way to run a 'trust the network' Samba server, where users mark shares as guest ok. This is still supported, and the smb.conf options are documented at https://wiki.samba.org/index.php/Public_Samba_Server At the same time, this closes the door on one of the most arcane areas of Samba authentication. Naturally, full user-name/password authentication remain available in security=user and above. This includes documentation updates for username and only user, which now only do a small amount of what they used to do. Andrew Bartlett -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SHARE | | security=share | | | | | | 5 March | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______
2012-02-24s3-auth: Provide helper routine to check password and return session_infoAndrew Bartlett1-0/+5
2012-02-24s3-auth: Add a way to get an auth4_context from the auth stackAndrew Bartlett1-0/+1
This will allow us to use the same layer that auth_ntlmssp does in the non-SPNEGO session setup, which will in turn make the authentication code more consistent in the AD server case. Andrew Bartlett
2012-02-18auth: Reorder arguments to generate_session_infoAndrew Bartlett1-2/+2
This matches check_ntlm_password() and generate_session_info_pac() Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
2012-02-17s3-auth Hook checking passwords and generating session_info via the ↵Andrew Bartlett1-1/+24
auth4_context This avoids creating a second auth_context, as it is a private pointer in the auth4_context that has already been passed in, and makes the gensec_ntlmssp code agnostic to the type of authentication backend behind it. This will in turn allow the ntlmssp server code to be further merged. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-08s3-auth Add const to make_user_info_mapAndrew Bartlett1-2/+2
2012-01-05s3-auth use gensec directly rather than via auth_generic_stateAndrew Bartlett1-5/+1
This is possible because the s3 gensec modules are started as normal gensec modules, so we do not need a wrapper any more. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05s3-auth Add TALLOC_CTX * to auth_generic_prepare()Andrew Bartlett1-1/+1
This makes the long term owner of this memory more clear. So far only the clear cases have been moved from NULL however. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-28s3-auth: Remove protype for already-removed auth_ntlmssp_startAndrew Bartlett1-1/+0
2011-12-22s3-auth rename auth_ntlmssp_prepare() -> auth_generic_prepare()Andrew Bartlett1-1/+1
This function handles more than NTLMSSP now, at least when we are an AD DC and so changing the name may avoid some confusion in the future. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22s3-auth rename auth_ntlmssp_state -> auth_generic_stateAndrew Bartlett1-4/+4
This structure handles more than NTLMSSP now, at least when we are an AD DC and so changing the name may avoid some confusion in the future. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21s3-auth remove auth_ntlmssp_session_info()Andrew Bartlett1-3/+0
Instead, call gensec_session_info() directly. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-17s3-auth: remove dead prototype.Günther Deschner1-1/+0
Guenther
2011-08-03selftest: test plugin_s4_dc against all ncacn_np testsAndrew Bartlett1-0/+2
Changes to the s3 epmapper behaviour seem to have fixed the rest of these tests. Andrew Bartlett
2011-08-03s3-auth rename auth_ntlmssp_steal_session_info()Andrew Bartlett1-3/+3
There is no longer any theft of memory as the underlying routines now produce a new auth_session_info for this caller, allocating it on the supplied memory context. Andrew Bartlett
2011-08-03s3-auth Add function to start any GENSEC mech by OIDAndrew Bartlett1-3/+4
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-auth set session_info->sanitized_username in create_local_token()Andrew Bartlett1-0/+1
Rather than passing this value around the callers, and eventually setting it in register_existing_vuid(), we simply pass it to create_local_token(). This also removes the need for auth_ntlmssp_get_username(). Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-ntlmssp Split auth_ntlmssp_start into two functionsAndrew Bartlett1-1/+2
This helps map on to the GENSEC semantics better, and ensures that the full set of desired features are set before the mechanism starts. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-auth Move map to guest to directly after the check_password callsAndrew Bartlett1-0/+4
This means we no longer need two different map to guest functions and have consistent logic with fewer layering violations. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth inline make_auth_session_info into only callerAndrew Bartlett1-1/+0
2011-07-20s3-auth Use the common auth_session_infoAndrew Bartlett1-11/+11
This patch finally has the same structure being used to describe the authorization data of a user across the whole codebase. This will allow of our session handling to be accomplished with common code. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth remove unused copy_serverinfoAndrew Bartlett1-2/+0
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Use struct auth3_session_info outside the auth subsystemAndrew Bartlett1-7/+9
This seperation between the structure used inside the auth modules and in the wider codebase allows for a gradual migration from struct auth_serversupplied_info -> struct auth_session_info (from auth.idl) The idea here is that we keep a clear seperation between the structure before and after the local groups, local user lookup and the session key modifications have been processed, as the lack of this seperation has caused issues in the past. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Add struct auth3_session_info to aid transition to auth_session infoAndrew Bartlett1-0/+3
This will allow a gradual conversion of the required elements from the current struct auth_serversupplied_info. This commit adds the structure definition and some helper functions to copy between the two structures. At this stage these structures and functions are IDENTICAL to the existing code, and so show the past history of that code. The plan is to slowly modify them over the course of the patch series, so that the changes being made a clear. By using a seperate structure to auth_serversupplied_info we can remove elements that are not needed after the authentication, and we can choose a layout that best reflects the needs of runtime users, rather than the internals of the authentication subsystem. By eventually using the auth_session_info from auth.idl, we will gain a single session authorization structure across the whole codebase, allowing more code to be shared, and a much more transparent process for forwarding authorization credentials over the named pipe proxy. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Add const to indicate input elementsAndrew Bartlett1-2/+2
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-04s3-auth: Pass the remote_address down to user_info.Andreas Schneider1-2/+14
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-07-04s3-auth: Added remote_address to ntlmssp server.Andreas Schneider1-1/+2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-05-31s3:auth/proto.h: add _AUTH_PROTO_H_ guardMichael Adam1-0/+5
2011-05-31s3:auth/proto.h: add GPL/Copyright headerMichael Adam1-0/+31
2011-04-06s3-auth: Make server_info const in create_local_token()Andrew Bartlett1-1/+1
Andreas Schneider <asn@samba.org> correctly points out that this input parameter should now be const, and that found a bug where I used then used it incorrectly as a talloc context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Apr 6 00:33:31 CEST 2011 on sn-devel-104
2011-04-05s3-auth use create_local_token() to transform server_info -> session_infoAndrew Bartlett1-8/+12
Before a auth_serversupplied_info struct can be used for authorization, the local groups and privileges must be calculated. create_local_token() now copies the server_info, and then sets the calulated token and unix groups. Soon, it will also transform the result into an expanded struct auth_session_info. Until then, the variable name (server_info vs session_info provides a clue to the developer about what information has been entered in the structure). By moving the calls to create_local_token within the codebase, we remove duplication, and ensure that the session key (where modified) is consistently copied into the new structure. Andrew Bartlett
2011-04-04s3-auth consolidate create_local_token() into make_server_info_krb5()Andrew Bartlett1-2/+2
This ensures that all callers don't need to each add builtin groups and privileges to the user's token Andrew Bartlett
2011-03-30s3-prototyes: user_in_netgroup and user_in_list moved to auth, out of smbd.Günther Deschner1-0/+2
Guenther
2011-03-30s3-auth: move auth prototypes to auth/proto.h.Günther Deschner1-0/+266
Guenther