summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2011-02-06s3: Use the right credentials in check_netlogond_securityVolker Lendecke1-1/+1
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Sun Feb 6 20:43:03 CET 2011 on sn-devel-104
2011-02-06s3: Fix auth_netlogond to cope with netlogon_creds_CredentialStateVolker Lendecke1-20/+69
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Sun Feb 6 17:30:48 CET 2011 on sn-devel-104
2011-02-06s3: Fetch the machinepw via ldapi in pdb_adsVolker Lendecke1-41/+112
2011-02-04s3-winbindd: let winbind try to use samlogon validation level 6. (bug #7945)Günther Deschner2-0/+2
The benefit of this that it makes us more robust to secure channel resets triggered from tools outside the winbind process. Long term we need to have a shared tdb secure channel store though as well. Guenther Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Feb 4 18:11:04 CET 2011 on sn-devel-104
2011-02-04s3-auth: add copy_netr_SamBaseInfo().Günther Deschner1-56/+6
Guenther Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-01-17s3: Make sure we call wbcAuthenticateUserEx correctlyVolker Lendecke2-8/+29
There are cases where we fill in params.password.response.lm_data with non-NULL where params.password.response.lm_length is 0. wbcAuthenticateUserEx does not like that. I haven't been able to reproduce this with smbclient yet, I've seen it with a proprietary smb client implementation. Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Mon Jan 17 16:30:11 CET 2011 on sn-devel-104
2011-01-17s3: Avoid a few calls to cli_errstrVolker Lendecke1-3/+3
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Mon Jan 17 08:47:25 CET 2011 on sn-devel-104
2010-12-20s3: Remove unused "retry" from cli_full_connectionVolker Lendecke1-1/+1
2010-12-20s3: Always retry the DC connection in auth_domainVolker Lendecke1-8/+4
The only condition that cli_full_connection marks as non-retryable is the basic name lookup and TCP connect. To me this is pretty fishy. For example if the negprot fails, this is supposed to be more retryable than a NetBIOS name lookup failure? I'd rather think the opposite is true. Jeremy, this is code from 2002, 389a16d9d533. If you have any comments from back then, let me know :-) Volker
2010-12-19s3: Fix bug 7066 -- wbcAuthenticateEx gives unix timesVolker Lendecke1-3/+5
We might eventually want to change this, but right now we get unix times out of the winbind pipe struct
2010-12-01s3-waf: avoid module name uppercasing.Günther Deschner1-18/+18
This finally allows mixed case module names like the classic build (./configure --shared_modules=charset_CP850) Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Dec 1 18:39:14 CET 2010 on sn-devel-104
2010-11-30s3-waf: convert TOKEN_UTIL into a subsystem.Günther Deschner1-2/+6
Guenther
2010-11-10Fix memleak I accidently introduced when reading from tdb.Jeremy Allison1-0/+1
Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Wed Nov 10 01:56:21 UTC 2010 on sn-devel-104
2010-11-10Ensure we check the return from make_user_info before dereferencing the ↵Jeremy Allison1-2/+2
value returned by it. Jeremy.
2010-11-10Remove fstring from map_username. Create a more sane interface than the ↵Jeremy Allison4-77/+155
called-parameter-is-modified. Jeremy.
2010-11-09s3: Quieten a bogus error messageVolker Lendecke1-3/+1
This happens if you set "auth methods = winbind" without a fallback method. The return NT_STATUS_LOGON_FAILURE; is not strictly require here, because we fall through to the equivalent statement a few lines down, but it makes the code a bit clearer IMO. Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Tue Nov 9 20:15:59 UTC 2010 on sn-devel-104
2010-11-05s3: Make proper use of sid_check_is_in_xx routinesVolker Lendecke1-2/+2
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Fri Nov 5 15:35:59 UTC 2010 on sn-devel-104
2010-11-05s3: Fix a typoVolker Lendecke1-1/+1
2010-10-20Make getpwnam_alloc() static to lib/username.c, and ensure all username ↵Jeremy Allison3-6/+6
lookups go through Get_Pwnam_alloc(), which is the correct wrapper function. We were using it *some* of the time anyway, so this just makes us properly consistent. Jeremy. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Wed Oct 20 16:02:12 UTC 2010 on sn-devel-104
2010-10-20s3-waf: move RPC_CLIENT_SCHANNEL into a subsystem.Günther Deschner1-0/+1
Guenther
2010-10-15s3-rpc_server: Make auth_serversupplied_info const.Andreas Schneider1-1/+1
2010-10-14s3-auth Use security_token_debug() from common codeAndrew Bartlett2-27/+1
This prints the security token including the privileges as strings instead of just a bitmap. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-10-14s3-auth use security_token_has_sid() from the common codeAndrew Bartlett1-9/+2
The wrapper call is left here to avoid changing semantics for the NULL parameter case. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-10-12libcli/security Provide a common, top level libcli/security/security.hAndrew Bartlett3-3/+3
This will reduce the noise from merges of the rest of the libcli/security code, without this commit changing what code is actually used. This includes (along with other security headers) dom_sid.h and security_token.h Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-10-08s3-waf: slowly getting modules to match how they look like in old build.Günther Deschner1-19/+19
Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Fri Oct 8 09:31:01 UTC 2010 on sn-devel-104
2010-09-28s3-waf: add AUTH_SCRIPT module to AUTH subsystem (which is build as sharedGünther Deschner1-0/+7
module by default). Guenther
2010-09-28s3-waf: fix dependencies in most of our module subsystems.Günther Deschner1-6/+2
Guenther
2010-09-28s3-auth_util: make sure the system server info actually contains S-1-5-18.Günther Deschner1-0/+9
Without this, all security descriptor checks for the winreg spoolss backend fail and make our spoolss system in its current shape basically unusable. Andreas, please check. Guenther
2010-09-27s3-waf: move auth subsystem to auth/wscript_build.Günther Deschner1-0/+84
Guenther
2010-09-26s3: Remove talloc_autofree_context() from get_root_nt_token()Volker Lendecke1-1/+1
The memcache_add_talloc() later on steals it anyway
2010-09-26s3: Lift talloc_autofree_context() from make_auth_context_fixed()Volker Lendecke1-3/+4
2010-09-26s3: Lift talloc_autofree_context() from make_auth_context_subsystem()Volker Lendecke3-6/+11
2010-09-26s3: Lift talloc_autofree_context() from make_auth_context_text_list()Volker Lendecke1-3/+6
2010-09-26s3: Lift talloc_autofree_context() from make_auth_context()Volker Lendecke1-3/+7
2010-09-26s3: Fix a memleak in make_new_server_info_system()Volker Lendecke1-0/+1
2010-09-26s3: Remove talloc_autofree_context() from init_system_info()Volker Lendecke1-1/+2
2010-09-25s3: Fix a typoVolker Lendecke1-1/+1
2010-09-20s3-util: use shared dom_sid_dup.Günther Deschner2-6/+7
Guenther
2010-09-20s3-util_sid: use shared dom_sid_compare_auth and dom_sid_equal_X functions.Günther Deschner2-4/+5
Guenther
2010-09-16libcli/auth/ntlmssp Be clear about talloc parents for session keysAndrew Bartlett1-9/+16
The previous API was not clear as to who owned the returned session key. This fixes a valgrind-found use-after-free in the NTLMSSP key derivation code, and avoids making allocations - we steal and zero instead. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Call security_token_set_privilege() rather than manual assignmentAndrew Bartlett1-1/+1
This avoids as much direct modifiction of the bitmask as possible. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Inline dump_se_priv into callers now that it's just a uint64_tAndrew Bartlett1-1/+1
The previous 128 bit structure needed this helper function. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3:auth Remove NT_USER_TOKENAndrew Bartlett2-8/+8
The all UPPER case typedef is no longer the preferred Samba style and this makes it easier to see that this is the IDL-derivied structure Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-auth Change struct nt_user_token -> struct security_tokenAndrew Bartlett1-14/+14
This common structure is defined in security.idl Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-auth Change type of num_sids to uint32_tAndrew Bartlett1-5/+7
size_t is overkill here, and in struct security_token in the num_sids is uint32_t. This includes a change to the prototype of add_sid_to_array() and add_sid_to_array_unique(), which has had a number of consequnetial changes as I try to sort out all the callers using a pointer to the number of sids. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-09s3-auth: Added get_server_info_system function.Andreas Schneider1-0/+5
2010-09-01s3-auth: fix uninitialized error code in get_guest_info3().Günther Deschner1-2/+1
Guenther
2010-08-31s3-auth: remove global include of krb5pac.h.Günther Deschner2-0/+2
Guenther
2010-08-31s3-auth: remove unused variable in check_sam_security().Günther Deschner1-1/+1
Guenther
2010-08-31s3-auth Rename NT_USER_TOKEN privileges -> privilege_maskAndrew Bartlett1-3/+3
This is closer to the struct security_token from security.idl Andrew Bartlett