summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2003-06-29Here's the code to make winbindd work on a Samba DCGerald Carter3-7/+16
to handle domain trusts. Jeremy and I talked about this and it's going in as working code. It keeps winbind clean and solves the trust problem with minimal changes. To summarize, there are 2 basic cases where the deadlock would occur. (1) lookuping up secondary groups for a user, and (2) get[gr|pw]nam() calls that fall through the NSS layer because they don't exist anywhere. o To handle case #1, we bypass winbindd in sys_getgrouplist() unless the username includes the 'winbind separator'. o Case #2 is handled by adding checks in winbindd to return failure if we are a DC and the domain matches our own. This code has been tested using basic share connections, domain logons, and with pam_winbind (both with and without 'winbind use default domain'). The 'trustdomain' auth module should work as well if an admin wants to manually create UNIX users for acounts in the trusted domains. Other misc fixes: * we need to fix check_ntlm_password() to be able to determine if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD, etc...). I worked around my specific situation, but this needs to be fixed. the winbindd auth module was causing delays. * fix named server mutex deadlock between trust domain auth module and winbindd looking up a uid * make sure SAM_ACCOUNT gets stored in the server_info struct for the _net_sam_logon() reply. Configuration details: The recommended method for supporting trusts is to use winbind. The gets us around some of the server mutex issues as well. * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf * create domain trusts like normal * join winbind on the pdc to the Samba domain using 'net rpc join' * add normal parameters to smb.conf for winbind * set 'auth method = guest sam winbind' * start smbd, nmbd, & winbindd Problems that remain: * join a Windows 2k/XP box to a Samba domain. * create a 2-way trust between the Samba domain and an NT domain * logon to the windows client as a user from theh trusted domain * try to browse server in the trusted domain (or other workstations). an NT client seems to work ok, but 2k and XP either prompt for passwords or fail with errors. apparanently this never got tested since no one has ever been able to logon as a trusted user to a Samba domain from a Windows client. (This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)
2003-06-28add check for NT_STATUS_NOT_IMPLEMENTED in auth check so thatGerald Carter3-36/+50
map to guest = bad user works again when "trustdomain" is listed as last auth method. Also clean up some more DC location calls. (This used to be commit 77a5b1032f39b8d20925721b719fdcfff910cb06)
2003-06-25large change:Gerald Carter1-1/+1
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-23* s/get_dc_name/rpc_dc_name/g (revert a previous change)Gerald Carter1-1/+1
* move back to qsort() for sorting IP address in get_dc_list() * remove dc_name_cache in cm_get_dc_name() since it slowed things down more than it helped. I've made a note of where to add in the negative connection cache in the ads code. Will come back to that. * fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead of MAX_ALLOWED) * only enumerate domain local groups in our domain * simplify ldap search for seqnum in winbindd's rpc backend (This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b)
2003-06-23fix typo (bug #170)Gerald Carter1-1/+1
(This used to be commit d376b67de9ff7a43c9c03c8640d9fe1671d223cb)
2003-06-22Found out a good number of NT_STATUS_IS_ERR used the wrong way.Simo Sorce2-5/+5
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-21merge of the netsamlogon caching code from APPLIANCE_HEADGerald Carter1-1/+1
This replaces the universal group caching code (was originally based on that code). Only applies to the the RPC code. One comment: domain local groups don't show up in 'getent group' that's easy to fix. Code has been tested against 2k domain but doesn't change anything with respect to NT4 domains. netsamlogon caching works pretty much like the universal group caching code did but has had much more testing and puts winbind mostly back in sync between branches. (This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
2003-06-13Forward port the app-head changes for dc name cache into 3.0.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 8bcc3116a22ce11b55a35f3363230f54bc5735fc)
2003-06-12Andrew's change to make 'security = domain' work again. Leave the user and groupVolker Lendecke1-38/+88
that has been authenticated unmapped. We need to make sure that every caller of idmap handles failure gracefully. Volker (This used to be commit 902d607b668b2e997778a0ca676ea689943c2817)
2003-06-12Fix some misleading debug messages.Volker Lendecke1-2/+2
(This used to be commit 9c003ae4ff21040b55264f8b4c34bd5956c97dc6)
2003-06-12Andrew is right, this is probably the wrong approach.Volker Lendecke1-26/+5
Take away the automatic mapping of users and groups again. Volker (This used to be commit 74510369d48545e813ac07e52814840803dd6ba2)
2003-06-11Fix 'security = domain' without winbind. This stores the sid we gotVolker Lendecke1-32/+60
from the PDC as a mapping to the uid we got from getpwnam in the local idmap. This should not be worse than the current state, so I decided to commit it. It is different from abartlet's preliminary patch, but I believe this is the better solution. Feel free to comment and/or revert it. Volker (This used to be commit 0c16965e6f49a2c0d73b1392e9f8cfc7449e2e59)
2003-06-04Add some static. Patch by Stefan Metzmacher <metze@metzemix.de>Jelmer Vernooij6-10/+10
(This used to be commit e1a8e9b7f3e69c7271d2b715703b2d5b2412bd42)
2003-05-27volker's fix for crash when my_private_data == NULLGerald Carter1-2/+8
(This used to be commit 40127404e3a664539de516723cf1239f47adc442)
2003-05-26Correctly initialize winbind auth method.Volker Lendecke1-0/+3
(This used to be commit b9e7ce9d85c4203779d6b9bfb2e65a4ed5fe33ff)
2003-05-26Spelling.Tim Potter1-1/+2
(This used to be commit eda897306896b729129582fdf4fdd26af555f014)
2003-05-26Add samstrict_dc from metze (been sitting in HEAD for way to long waiting forAndrew Bartlett1-0/+46
me to review it). This patch works well for a DC running with trusted domains, becouse it lets you check the local SAM first, but only for this domain's users. Andrew Bartlett (This used to be commit e0bd4d2844e6073a83b72925bca1aec007a8dd0b)
2003-05-25Get 'add user script' working again for Samba 3.0.Andrew Bartlett3-47/+52
I'm still not convinced that sharing the option name with the administrative code is the best idea, but anyway... Tested by vl, bug #41. Andrew Bartlett (This used to be commit 9d78f064c5e4e6b340f994204977aaac6513320b)
2003-05-16add metze's patch for smb_register functionsSimo Sorce1-1/+1
(This used to be commit 1480c7e8c7a84c34181118c449c50ca99fdcbc6b)
2003-05-15Patch from Luke Howard <lukeh@PADL.COM> that fixes some weird handling ofJelmer Vernooij1-9/+17
modules in auth/ (This used to be commit 4b6785a6c0fe0aebb1cc69bfc9937d19bc692642)
2003-05-14spellingTim Potter1-2/+2
(This used to be commit 865c11275685c85124b506c9bbd2a8bde2e760b9)
2003-05-12And finally IDMAP in 3_0Simo Sorce2-29/+33
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-11When we have a NT4SP0 PDC trust us, we first have to check theVolker Lendecke1-2/+2
password. On NT4, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT means the password was correct. So the PDC believed that he had his trust account correctly added. Later the auth2 naturally failed. BTW, setting up an interdom trust account is not what I would call well documented and easy to handle... Working on that now :-) Volker (This used to be commit e4e44cf3b18231ec5d7326fb42edec741caa147b)
2003-05-09Cleanups. My NTLMv2 changes also changed the preference from using an implicitAndrew Bartlett1-42/+42
structure-memcpy for DATA_BLOB parameters to using a pointer to that DATA_BLOB. auth_sam calls some of these functions, so I've cleaned it all up to use this format now. Also clean up some debug statements to make them easier to read. Andrew Bartlett (This used to be commit 0c355c274a6ac084e4bf15a15613dfc007d6c5fc)
2003-05-09Make sure we always have some client data, not just the hash. An NTLMv2 orAndrew Bartlett1-2/+3
LMv2 response less than 24 bytes is just silly. Andrew Bartlett (This used to be commit b4ecdb2e582376d2713f81e8e32a668014905d70)
2003-05-08This puts real netlogon connection caching to winbind. This becomesVolker Lendecke1-2/+2
important once we start doing schannel, as there would be a lot more roundtrips for the second PIPE open and bind. With this patch logging in to a member server is a matter of two (three if you count the ack...) packets between us and the DC. Volker (This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)
2003-04-30Make the version numbers ints (patch from metze)Jelmer Vernooij1-1/+1
(This used to be commit dbe36b4c43dceddea9f14161c6cf7b34709287c8)
2003-04-28Use NTSTATUS as return value for smb_register_*() functions and init_module()Jelmer Vernooij8-35/+42
function. Patch by metze with some minor modifications. (This used to be commit bc4b51bcb2daa7271c884cb83bf8bdba6d3a9b6d)
2003-04-28Add cast for compilerAndrew Bartlett1-1/+1
(This used to be commit 456eb5d05a442ee380cfa756be54619b1d68fa48)
2003-04-24Merge auth changes from HEAD:Andrew Bartlett5-70/+83
- better error codes than NT_STATUS_UNSUCCESSFUL for domain logon errors - make auth_winbind load the ntdomain module if winbind isn't there. - use new trusted domains cache to determine if the domain is valid. Andrew Bartlett (This used to be commit ec8d6524c6b0c70927a2b57aab71d9e3a7f8a150)
2003-04-21Merge from HEAD - save the type of channel used to contact the DC.Andrew Bartlett1-2/+8
This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
2003-04-16Add support for the new modules system to auth/ (merge from HEAD)Jelmer Vernooij8-84/+105
(This used to be commit c7a1de090db35835be1a1623bfc80c04065c5dd9)
2003-04-14Fix typoJelmer Vernooij1-1/+1
(This used to be commit 738a2b055a0757002e8cdcbf744c8663e0e26bc2)
2003-03-24(merge from HEAD)Andrew Bartlett2-7/+3
NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
2003-03-19Fix some comment typosJelmer Vernooij1-2/+2
(This used to be commit 051b33e98f94ad09b4d8816a88e78715e7dc2a5e)
2003-03-18Add an extra parameter to our 'set_remote_machine_name' andAndrew Bartlett1-1/+1
'set_local_machine_name' so that the client can't change it from under us. (.NET RC2 and WinXP install calls the machine 'machinename' during NTLMSSP on the domain join). Andrew Bartlett (This used to be commit 4c7163e7c2cc09bd95faa05156ee480957a7a4d8)
2003-03-17Merge from HEAD - doxygenAndrew Bartlett1-2/+2
(This used to be commit 7a2566f2e922191e691b6dafb1a09e22913cccd6)
2003-03-17Mege from HEAD - doxygen.Andrew Bartlett1-1/+1
(This used to be commit 04a5cbc8964386774acdca759b4cfaded068c8f2)
2003-02-24Merge of server-side authentication changes to 3.0:Andrew Bartlett3-56/+87
- user_ok() and user_in_group() now take a list of groups, instead of looking for the user in the members of all groups. - The 'server_info' returned from the authentication is now kept around - in future we won't copy the sesion key, username etc, we will just referece them directly. - rhosts upgraded to use the SAM if possible, otherwise fake up based on getpwnam(). - auth_util code to deal with groups upgraded to deal with non-winbind domain members again. Andrew Bartlett (This used to be commit 74b5436c75114170ce7c780c19226103d0df9060)
2003-02-16Merge from HEAD - allow "" as a domain in the NLTMv2 hash calculations. FixesAndrew Bartlett1-2/+22
interop with clients not in our domain. Andrew Bartlett (This used to be commit 6aa3aba3db604d481dc96c3befe066938cb1b0f3)
2003-02-14Ensure that only parse_prs.c access internal members of the prs_struct.Jeremy Allison1-2/+2
Needed to move to disk based i/o later. Jeremy. (This used to be commit a823fee5b41a5b6cd4ef05aa1f85f7725bd272a5)
2003-02-10Cleanups: (merge from HEAD)Andrew Bartlett4-5/+12
- use safe_strcpy() instead of pstrcpy() for malloc()ed strings - CUPS: a failure in an attempt to automaticly add a printer is not level 0 stuff. - Fix up a possible Realloc() failure segfault Andrew Bartlett (This used to be commit c1cfc296c2efdb2b5972202146e80f0e3b6a3da4)
2003-02-04Merge HEAD: check both the account and password...Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit 830de56bf2f47412acfebf6c6353ab4b98c8517e)
2003-01-28Merge from HEAD:Andrew Bartlett1-1/+9
- NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor. - also consequential changes to the NTLMSSP and SPNEGO parsing functions - and the client code that uses the same functions - Add ntlm_auth, a NTLMSSP authentication interface for use by applications like Squid and Apache. - also consquential changes to use common code for base64 encode/decode. - Winbind changes to support ntlm_auth (I don't want this program to need to read smb.conf, instead getting all it's details over the pipe). - nmbd changes for fstrcat() instead of fstrcpy(). Andrew Bartlett (This used to be commit fbb46da79cf322570a7e3318100c304bbf33409e)
2003-01-28This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.(This ↵cvs2svn Import User1-0/+139
used to be commit b741abd496621586040081c04674ae53cb5db47c)
2003-01-16Updates to the NTLMSSP code again - moving the base64 decode fuctionality outAndrew Bartlett1-4/+5
of the SWAT code, and adding a base64 encoder. The main purpose of this patch is to add NTLMSSP support to 'ntlm_auth', for use with Squid. Unfortunetly the squid side doesn't quite support what we need yet. Changes to winbind to get us the info we need, and a couple of consequential changes/cleanups in the rest of the code. Andrew Bartlett (This used to be commit fe50ca8f54ded2e119bde08831785fbe0db2ee99)
2003-01-15Missed auth_ntlmssp.c in last night's checkin. Also keep track of the currentAndrew Bartlett1-225/+78
challenge in the NTLMSSP context. Andrew Bartlett (This used to be commit ba13e058d4533b1ffba723b9e98e95090ad63d85)
2003-01-15Crash fixes:Andrew Bartlett1-0/+1
- fix a crash when a second NTLMSSP session tried to free the first - fix a crash due to some NULL pointers in the Add Printer Wizard (or read printer code too it appears). As far as I can tell it's just that the GUID just might not exist. Andrew Bartlett (This used to be commit 51b1413056b0d001076ff47a755eb35baa2d9e6d)
2003-01-14Merge indirection, signed/unsigned and uninitialiased-value fixes from HEAD.Andrew Bartlett2-5/+6
Andrew Bartlett (This used to be commit 2a1adb8f81d8966e8919fffb9b4c69f3e6acd44f)
2003-01-13Missing indirect in final free.Jeremy Allison1-2/+2
Jeremy. (This used to be commit faf443e5198e270f1a60d7a0939074efca750a94)