summaryrefslogtreecommitdiff
path: root/source3/auth/token_util.c
AgeCommit message (Collapse)AuthorFilesLines
2010-10-14s3-auth Use security_token_debug() from common codeAndrew Bartlett1-26/+0
This prints the security token including the privileges as strings instead of just a bitmap. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-10-14s3-auth use security_token_has_sid() from the common codeAndrew Bartlett1-9/+2
The wrapper call is left here to avoid changing semantics for the NULL parameter case. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-10-12libcli/security Provide a common, top level libcli/security/security.hAndrew Bartlett1-1/+1
This will reduce the noise from merges of the rest of the libcli/security code, without this commit changing what code is actually used. This includes (along with other security headers) dom_sid.h and security_token.h Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-09-26s3: Remove talloc_autofree_context() from get_root_nt_token()Volker Lendecke1-1/+1
The memcache_add_talloc() later on steals it anyway
2010-09-25s3: Fix a typoVolker Lendecke1-1/+1
2010-09-20s3-util_sid: use shared dom_sid_compare_auth and dom_sid_equal_X functions.Günther Deschner1-2/+2
Guenther
2010-09-11s3-privs Call security_token_set_privilege() rather than manual assignmentAndrew Bartlett1-1/+1
This avoids as much direct modifiction of the bitmask as possible. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Inline dump_se_priv into callers now that it's just a uint64_tAndrew Bartlett1-1/+1
The previous 128 bit structure needed this helper function. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3:auth Remove NT_USER_TOKENAndrew Bartlett1-6/+6
The all UPPER case typedef is no longer the preferred Samba style and this makes it easier to see that this is the IDL-derivied structure Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-auth Change struct nt_user_token -> struct security_tokenAndrew Bartlett1-14/+14
This common structure is defined in security.idl Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-auth Change type of num_sids to uint32_tAndrew Bartlett1-5/+7
size_t is overkill here, and in struct security_token in the num_sids is uint32_t. This includes a change to the prototype of add_sid_to_array() and add_sid_to_array_unique(), which has had a number of consequnetial changes as I try to sort out all the callers using a pointer to the number of sids. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-31s3-auth Rename NT_USER_TOKEN privileges -> privilege_maskAndrew Bartlett1-3/+3
This is closer to the struct security_token from security.idl Andrew Bartlett
2010-08-31s3-auth Rename NT_USER_TOKEN user_sids -> sidsAndrew Bartlett1-24/+24
This is closer to the struct security_token from security.idl
2010-08-26s3-build: only include memcache.h where needed.Günther Deschner1-0/+1
Guenther
2010-08-06s3-netlogon: remove global include of netlogon.h.Günther Deschner1-0/+2
This reduces precompiled headers by another 4 MB and also slightly speeds up the build. Guenther
2010-08-05s3-secrets: only include secrets.h when needed.Günther Deschner1-0/+1
Guenther
2010-07-11s3: [ug]id_to_unix_... can not failVolker Lendecke1-5/+2
Remove some silly failure checks
2010-06-07s3:auth create nt token from info3 directlySimo Sorce1-26/+157
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-05-21s3:dom_sid Global replace of DOM_SID with struct dom_sidAndrew Bartlett1-24/+24
This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-18security: merge builtin rid tables.Günther Deschner1-2/+2
Guenther
2010-05-18s3-rpc_misc: clean out include/rpc_misc.h.Günther Deschner1-4/+4
Well known rids don't really belong into an rpc header, just use the ones defined in security.idl. Guenther
2010-04-11s3: Move user_in_group() and create_token_from_username() to token_utils.cVolker Lendecke1-0/+315
Goal is to be able to call check_sam_security from winbind
2009-08-22Implement Metze's suggestion of trying getpwuid(0) then getpwnam(root).Jeremy Allison1-9/+5
Jeremy.
2009-08-21Try and fix the buildfarm by using getpwnam(root) insteadJeremy Allison1-0/+7
of getpwuid(0) if DEVELOPER is defined. I'm hoping the build farm defines DEVELOPER... Jeremy.
2009-08-19Fix bug #6647 - get_root_nt_token: getpwnam("root") failed!Jeremy Allison1-2/+2
Not all systems may have a "root" user, but all must have a passwd entry for a uid of zero. Jeremy.
2008-11-14Make memcache_add_talloc NULL out the source pointerVolker Lendecke1-2/+4
This is an orthogonality measure to make clear this pointer now belongs to the cache. (cherry picked from commit e6080c6e87d6fe3995b121a772bf3f6343fa666f)
2008-11-06Make us clean under valgrind --leak-check=full by using ↵Jeremy Allison1-1/+1
talloc_autofree_context() instead of NULL. Remove the code in memcache that does a TALLOC_FREE on stored pointers. That's a disaster waiting to happen. If you're storing talloc'ed pointers, you can't know their lifecycle and they should be deleted when their parent context is deleted, so freeing them at some arbitrary point later will be a double-free. Jeremy.
2008-10-13Add data_blob_string_const_null() function that includes the terminatingJelmer Vernooij1-2/+2
null byte and use it in Samba 3. This matches the behaviour prior to my data_blob changes.
2008-09-03Revert "Split lookup_name() and create a new functiong called"Simo Sorce1-3/+4
This reverts commit 8594edf666c29fd4ddf1780da842683dd81483b6. (This used to be commit ad462e2e2d025a7fc23e7dea32b2b442b528970b)
2008-08-17Split lookup_name() and create a new functiong calledSimo Sorce1-4/+3
lookup_domain_name(). This new function accept separated strings for domain and name. (This used to be commit 8594edf666c29fd4ddf1780da842683dd81483b6)
2008-07-30Removed redundant logging from create_builtin_users and ↵Tim Prouty1-16/+4
create_builtin_administrators The Debug messages in create_builtin_users and create_builtin_users have now been encapsulated in add_sid_to_builtin. (This used to be commit ca153139b1dced07c196aac93dbc9d9428d98124)
2008-07-30Enabled domain groups to be added to builtin groups at domain join timeTim Prouty1-2/+2
Previously this was done at token creation time if the Administrators and Users builtins hadn't been created yet. A major drawback to this approach is that if a customer is joined to a domain and decides they want to join a different domain, the domain groups from this new domain will not be added to the builtins. It would be ideal if these groups could be added exclusively at domain join time, but we can't rely solely on that because there are cases where winbindd must be running to allocate new gids for the builtins. In the future if there is a way to allocate gids for builtins without running winbindd, this code can be removed from create_local_nt_token. - Made create_builtin_users and create_builtin_administrators non-static so they can be called from libnet - Added a new function to libnet_join that will make a best effort to add domain administrators and domain users to BUILTIN\Administrators and BUILTIN\Users, respectively. If the builtins don't exist yet, winbindd must be running to allocate new gids, but if the builtins already exist, the domain groups will be added even if winbindd is not running. In the case of a failure the error will be logged, but the join will not be failed. - Plumbed libnet_join_add_dom_rids_to_builtins into the join post processing. (This used to be commit e92faf5996cadac480deb60a4f6232eea90b00f6)
2008-07-30Refactored the code that adds Domain Admins to BUILTIN\Administrators to use ↵Tim Prouty1-26/+30
the new helper functions. - Modified create_builtin_administrators and add_builtin_administrators to take in the domain sid to reduce the number of times it needs to be looked up. - Changed create_builtin_administrators to call the new helper functions. - Changed create_local_nt_token to call the new version of create_builtin_administrators and handle the new error that can be returned. - Made it more explicit that add_builtin_administrators is only called when winbindd can't be pinged. (This used to be commit f6411ccb4a1530034e481e1c63b6114a93317b29)
2008-07-30Refactored the code that adds Domain Users to BUILTIN\Users to use the new ↵Tim Prouty1-17/+22
helper functions. - Modified create_builtin_users to take in the domain sid to reduce the number of times it needs to be looked up. - Changed create_builtin_users to call the new helper functions. - Changed create_local_nt_token to call the new version of create_builtin_users and handle the new error that can be returned. (This used to be commit 8d75d40b9f6d22bae7430211f8a1fe99051b756c)
2008-07-30Helper functions to enable domain groups to be added to builtin groups at ↵Tim Prouty1-0/+59
domain join time Added two new helper functions which wrap the raw pdb alias functions so they can be more conveniently called while adding domain groups to builtin groups. (This used to be commit 668ef314559df40f1b8aa0991539adcd8d35ffe3)
2008-04-30BUG 5429: Clarify log msgs re: failure to create BUILTIN\{Administrators,Users}Gerald W. Carter1-7/+9
Raise the debug msgs from Lvl 0 in the create_builtin_XX() functions to prevent unnecessary panic from people reading the logs. (This used to be commit 2983b9dc790e0f90ec1e6add131438c6bfd361b4)
2008-04-15auth: add SeDiskOperatorsPrivilege to get_root_nt_token to fix registry shares.Michael Adam1-0/+2
Michael (This used to be commit 6bb107b17d557c27d035ca518ab61296814a3cea)
2008-01-09Convert add_sid_to_array() add_sid_to_array_unique() to return NTSTATUS.Michael Adam1-24/+39
Michael (This used to be commit 6b2b9a60ef857ec31da5fea631535205fbdede4a)
2007-12-29Fix a panicVolker Lendecke1-1/+1
get_root_nt_token asks for "struct nt_user_token". talloc_get_type is not smart enough to see that this is the same as NT_USER_TOKEN... :-) (This used to be commit 22a98bf7b81fb89dce1f32ef65cfe6caaba985b3)
2007-12-28Convert get_root_nt_token to memcacheVolker Lendecke1-3/+15
(This used to be commit fada689893314bed2fc78588b3fd9b144f4c808a)
2007-12-17Reformat: Remove trailing spaces.Michael Adam1-47/+47
Michael (This used to be commit 5249b3d204bf5f9191c2a4a7e81d09227eb5ddea)
2007-12-17Fix flags in caller of lookup_name() in create_builtin_administrators().Michael Adam1-1/+2
Michael (This used to be commit 46bfbf5c8af6c030e67219a29c49fd2d40003b18)
2007-12-15Replace sid_string_static by sid_string_dbg in DEBUGsVolker Lendecke1-3/+4
(This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-12-13Fix typo in debug statement.Michael Adam1-1/+1
Michael (This used to be commit da23684261f40c06dea30ab2df0c878ebb0d0d81)
2007-12-10Correctly unbecome_root() on errorVolker Lendecke1-0/+2
(This used to be commit aec5f1512660953168a2c55b2890cd6c076b8a92)
2007-10-18RIP BOOL. Convert BOOL -> bool. I found a few interestingJeremy Allison1-4/+4
bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-10r25598: Add missing become_root/unbecome_root around calls of add_aliases.Michael Adam1-0/+4
This triggered a "cannot access LDAP when not root"-bug with "passdb backend = ldap" and "winbind nested groups = yes". This *might* be a step towards fixing bug #4308, since the failure was observerd when triggered by acl code. Michael (This used to be commit ba8c48244e140403b728d9a2ca297b40e8888964)
2007-10-10r23801: The FSF has moved around a lot. This fixes their Mass Ave address.Andrew Tridgell1-2/+1
(This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r23485: This checkin consists mostly of refactorings in preparation of theMichael Adam1-41/+0
activation of global registry options in loadparm.c, mainly to extract functionality from net_conf.c to be made availabel elsewhere and to minimize linker dependencies. In detail: * move functions registry_push/pull_value from lib/util_reg.c to new file lib/util_reg_api.c * create a fake user token consisting of builtin administrators sid and se_disk_operators privilege by hand instead of using get_root_nt_token() to minimize linker deps for bin/net. + new function registry_create_admin_token() in new lib/util_reg_smbconf.c + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c + adapt net_conf.c and Makefile.in accordingly. * split lib/profiles.c into two parts: new file lib/profiles_basic.c takes all the low level mask manipulation and format conversion functions (se_priv, privset, luid). the privs array is completely hidden from profiles.c by adding some access-functions. some mask-functions are not static anymore. Generally, SID- and LUID-related stuff that has more dependencies is kept in lib/profiles.c * Move initialization of regdb from net_conf.c into a function registry_init_regdb() in lib/util_reg_smbconf.c. Michael (This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e)