summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2003-04-28Merge compile warning fixes from 3.0Andrew Bartlett1-1/+1
(This used to be commit c0903951a144b1f0502e77437ea166d7a26393ba)
2003-04-16Add some static and #ifdef DEVELOPERAndrew Bartlett1-3/+5
(This used to be commit 3bdbd320b001ea5881573f6c6a4c2259a60e2bb3)
2003-04-16Store the type of 'sec channel' that we establish to the DC. If we are aAndrew Bartlett1-2/+8
workstation, we have to use the workstation type, if we have a BDC account, we must use the BDC type - even if we are pretending to be a workstation at the moment. Also actually store and retreive the last change time, so we can do periodic password changes again (for RPC at least). And finally, a couple of minor fixes to 'net'. Andrew Bartlett (This used to be commit 6e6b7b79edae3efd0197651e9a8ce6775c001cf2)
2003-04-16Cause the winbind auth module to call the ntdomain module if winbind is notAndrew Bartlett2-42/+65
running. This causes Samba not to contact the NT domain controller if Winbind is there, but the user had the wrong password. Andrew Bartlett (This used to be commit 119a1c276a05d0017f39cc0b7118f12a4f51886e)
2003-04-07We never actually got an 'ads' auth module, so don't send the auth subsystemAndrew Bartlett1-1/+1
off on a wild probing spree looking for it. Andrew Bartlett (This used to be commit 7c7c5594b3dfd460d09bccd409ccbf64c6b42338)
2003-04-05some more idmapping :)Simo Sorce1-5/+7
(This used to be commit 5ac94535d7b7ce0cc0d44b9a77d6e42ddfd0cd26)
2003-04-02Map a useless error code to a useful one...Andrew Bartlett1-0/+5
(This used to be commit 1afb2695a020424d014c4dee9c6a73620281aaa8)
2003-03-25- Support building all auth modules as .so'sJelmer Vernooij1-1/+1
- Change 2 variable names to avoid conflicts (patch by Stephan Kulow <coolo@kde.org>) (This used to be commit 71b05cd14ae6df8340730e7bad1c783dc278c5d3)
2003-03-25Make auth.c compile again. I'm not sure what this does though...Volker Lendecke1-2/+3
Volker (This used to be commit 8e3f300f21e23b7e6b68ddcc45d581a962cd8aa4)
2003-03-24- Add support to auth/ for the new modules systemJelmer Vernooij8-81/+103
- Quite some small fixes (also fixes the build) (This used to be commit 3defbd5e0633acfa4631531b49601c7706072d86)
2003-03-23Fix compile.Andrew Bartlett1-2/+2
(This used to be commit 6fbee12a8170e0bce4e94806105786b38160ada5)
2003-03-23NTLM Authentication:Andrew Bartlett2-7/+3
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit dcdc75ebd89f504a0f6e3a3bc5b43298858d276b)
2003-03-19Fix some comment typosJelmer Vernooij1-2/+2
(This used to be commit 41ea416adbc074f3a34b66c18ed63c7d44ea28fc)
2003-03-15Now that mimir has done the grunt work, I'll fix up the commentAndrew Bartlett1-4/+1
(This used to be commit 7154fe10969a34b97ddc8321bfb5271b8e6d4795)
2003-03-14Extending code to work both in case of domain membershipRafal Szczesniak1-1/+1
and domain controller respecting interdomain trust relationships. In the latter case we need to find DC of remote domain instead of ours. In the former 'domain' is our domain name. Rafal (This used to be commit 0cd45d5d3b3e3ec5a589c3ee9f0e369901eefe8f)
2003-03-14Fresh meat in trusted domains code:Rafal Szczesniak1-20/+6
- packing/unpacking utility functions for trusted domain password struct; can be used to prepare buffer to store in secrets.tdb or (soon) passdb backend - similiar functions for DOM_SID - respectively modified secrets_(fetch|store) routines - new auth mapping code utilising introduced is_trusted_domain function - added tdb (un)packing of single bytes Rafal (This used to be commit 5281ee7e84421b9be746aed2f1718ceaf2a2fe3d)
2003-03-08Make sure that the 'remote' machine name can only be set once. For some weirdAndrew Bartlett1-1/+1
reason, during a Win2003 installation, when you select 'domain join' it sends one machine name in the name exchange, and litraly 'machinename' during the NTLMSSP login. Also fix up winbindd's logfile handling, so that it matches smbd and nmbd. (This helps me, by seperating the logs by pid). Andrew Bartlett (This used to be commit afe5a3832f79131fb74461577f1db0e5e8bf4b6d)
2003-02-28Doxygen janitor: rpc_resolve_dc parameter is spelled "trust_passwd"Martin Pool1-1/+1
(This used to be commit 9dbc3dcfe0bccf1f76930ae86970b48ba5ed1e91)
2003-02-28Doxygen janitor: check_domain_match parameter is spelledMartin Pool1-2/+2
"auth_context". (This used to be commit 571c3ce19344276aac1af56d2f69fcc5523f36eb)
2003-02-22Make sure we set the error code to indicate failure...Andrew Bartlett1-2/+11
Andrew Bartlett (This used to be commit 5a472e2a3cffe175ac4341e19c153a931505a2e8)
2003-02-22See if I can make this look slightly like C. It compiled locally, honest...Andrew Bartlett1-3/+4
Andrew Bartlett (This used to be commit cfc4cc776899da92a5c9a17f0ea36c7cb65d7a80)
2003-02-22First check if the user is in the passdb, then check Get_Pwnam().Andrew Bartlett2-31/+61
We check passdb becouse the user might have things like a logon script set, but we have to check the passdb becouse the user might not be in smbpasswd at all. This is in preperation for the removal of unixsam as an assuption. Andrew Bartlett (This used to be commit 61e3e2695860c58f9b0e8d1856972318666682c8)
2003-02-20For a number of months now, support for being a domain member without alsoAndrew Bartlett1-25/+14
running winbind has been broken. This fixes that, by removing assumptions about being able to call sid_to_uid() at will. This whole area needs revising when we get groups into the PDB. Andrew Bartlett (This used to be commit 980eda74b7df347c38b567ce976197826963324a)
2003-02-17If we didn't make the server_info correctly, then don't segfault trying toAndrew Bartlett1-1/+3
set the 'guest' bit. Andrew Bartlett (This used to be commit 960c53bf952de4431da4e90da035fcfbe98f1bd7)
2003-02-16Add the 'session key' output of the NTLMSSP exchange to the cli struct, soAndrew Bartlett2-3/+23
it can be used for 'net rpc join'. Also fix a bug in our server-side NTLMSSP code - a client without any domain trust links to us may calculate the NTLMv2 response with "" as the domain. Andrew Bartlett (This used to be commit ddaa42423bc952e59b95362f5f5aa7cca10d1ad4)
2003-02-14Ensure that only parse_prs.c access internal members of the prs_struct.Jeremy Allison1-2/+2
Needed to move to disk based i/o later. Jeremy. (This used to be commit 4c3ee228fcdb089eaeead95e79532a9cf6cb0de6)
2003-02-10Some cleanups:Andrew Bartlett4-5/+12
- Don't use pstrcpy into an allocated string - use safe_strcpy() directly instead. - Keep a copy of the 'server_info' attached to the vuid. In future use this for things like the session key, homedir and full name instead of current copies. - Try to avoid memory leak/segfault on Realloc failure - clear up #endif comments Andrew Bartlett (This used to be commit 162477bb086827950b6cb71afa9bef62c2753c2e)
2003-02-04Actually checking both the account and password tests would be a good idea...Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit 49640635b15f53be6bb28d3d79255abe10c207dd)
2003-01-16Updates to the NTLMSSP code again - moving the base64 decode fuctionality outAndrew Bartlett1-4/+5
of the SWAT code, and adding a base64 encoder. The main purpose of this patch is to add NTLMSSP support to 'ntlm_auth', for use with Squid. Unfortunetly the squid side doesn't quite support what we need yet. Changes to winbind to get us the info we need, and a couple of consequential changes/cleanups in the rest of the code. Andrew Bartlett (This used to be commit fe50ca8f54ded2e119bde08831785fbe0db2ee99)
2003-01-15Missed auth_ntlmssp.c in last night's checkin. Also keep track of the currentAndrew Bartlett1-225/+78
challenge in the NTLMSSP context. Andrew Bartlett (This used to be commit ba13e058d4533b1ffba723b9e98e95090ad63d85)
2003-01-15Crash fixes:Andrew Bartlett1-0/+1
- fix a crash when a second NTLMSSP session tried to free the first - fix a crash due to some NULL pointers in the Add Printer Wizard (or read printer code too it appears). As far as I can tell it's just that the GUID just might not exist. Andrew Bartlett (This used to be commit 51b1413056b0d001076ff47a755eb35baa2d9e6d)
2003-01-13Missing indirect in final free.Jeremy Allison1-2/+2
Jeremy. (This used to be commit faf443e5198e270f1a60d7a0939074efca750a94)
2003-01-13Always initialise this variable - and don't set the 'must change now' if it wasAndrew Bartlett1-1/+2
last changed at '0'. We need to actually change this password sometime... Andrew Bartlett (This used to be commit 740bf439d2d1512127c873cf0e57697161d6566b)
2003-01-13Patch from metze to add what he feels is the correct semantics for a DomainAndrew Bartlett2-0/+44
Controller. As we have had a number of attempts at this over the last little while, I need to get my test rig going, and give this whole area a poke... Meanwhile, if you want to use this, just adjust your 'auth methods' line to use samstrict_dc... Andrew Bartlett (This used to be commit 18e598ec24493026008fcfe486057555b8832108)
2003-01-13Updates to our NTLMSSP code:Andrew Bartlett2-1/+293
This tries to extract our server-side code out of sessetup.c, and into a more general lib. I hope this is only a temporay resting place - I indend to refactor it again into an auth-subsystem independent lib, using callbacks. Move some of our our NTLMSSP #defines into a new file, and add two that I found in the COMsource docs - we seem to have a double-up, but I've verified from traces that the NTLMSSP_TARGET_TYPE_{DOMAIN,SERVER} is real. This code also copes with ASCII clients - not that we will ever see any here, but I hope to use this for HTTP, were we can get them. Win2k authenticates fine under forced ASCII, btw. Tested with Win2k, NTLMv2 and Samba's smbclient. Andrew Bartlett (This used to be commit b6641badcbb2fb3bfec9d00a6466318203ea33e1)
2003-01-13Fix to debian bug #171071 - we had the wrong dereference on the pointer to beAndrew Bartlett1-4/+4
Realloc()ed, causing it to fail. Big thanks to Sandor Sonfeld <sonf@linuxmail.org> for the debug, stack and valgrind traces! Andrew Bartlett (This used to be commit 7abca6d281da6388899f78e3440d7ce37bf2094e)
2003-01-11Use size_t for the counter vars, to match the type they are assigned fromAndrew Bartlett1-3/+3
(signed/unsigned mixup). Andrew Bartlett (This used to be commit f42cf0783fa3aeddc4992021df9ee6f3b1aa58f3)
2003-01-05Clear up the auth_sam password checking code (the core of our password checkingAndrew Bartlett1-33/+58
routines). In particular, we now better support the NT# in LM feild, and the LMv2 password scheme. (LMv2 is basicly NTLMv2 capped at 24 bytes, slightly more secure, and in the LM feild for compatiblity). Thanks to the Samba-TNG team and Luke Leighton for various descriptions of this algorithm, and to MS for a solution that seems to actually make sense for once :-). Andrew Bartlett (This used to be commit 5c2e34b5b6a2241b8d2fd68458eb73bb65ade6fd)
2003-01-02We already have one function to move unistr2 -> multibyte-static, so weAndrew Bartlett1-5/+5
don't need a second just for pdb. Also, remove magic 'is lp_guest_account' test - the magic RID should be up to the passdb backend to set. Andrew Bartlett (This used to be commit f71c8338d35a2e8c73c3d8006ea6858cb522c715)
2003-01-02BIG patch...Andrew Bartlett2-4/+4
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-12-23Finish adding strings to all talloc_init() calls.Jeremy Allison1-2/+1
Jeremy. (This used to be commit 784d15761c3271bfd602866f8f9f880dac77671c)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-4/+4
named. Ensure we can query them. Jeremy. (This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33)
2002-12-12merge of get_dc_name()-like code from APP_HEAD; better support password ↵Gerald Carter1-90/+10
server = DC1 * (This used to be commit 6b18ca9511ddcf1718f222af3f61491d1e5f3b60)
2002-12-11Fixed auth module code. Added VALGRIND defines to reduce spurious warnings.Jeremy Allison2-68/+58
Jeremy. (This used to be commit ff3a8d37289216a2cb808406044a7abef1e564d0)
2002-12-01Make it clear that we might not be talking to a PDC here.Andrew Bartlett1-1/+1
(This used to be commit 7d099e9a5b7164e8cdbdb93d8c4527f02c8bdefd)
2002-11-23[merge from APP_HEAD]Gerald Carter1-2/+3
90% fix for CR 1076. The password server parameter will no take things like password server = DC1 * which means to contact DC1 first and the go to auto lookup if it fails. jerry (This used to be commit c31a17889e3e4daf7c1e807038efc2c0fba78be3)
2002-11-15Small auth updates:Andrew Bartlett4-11/+6
- add static remove unnneded prototype - move become_root() to just around pdb calls, so as to make it easier to remove when we kill off this silly idea - Change auth_sam to do 'account before password' rather than 'password before account'. This means that we match Win2k in giving 'account disabled' instead of 'wrong password' if the wrong password to a disabled account is used. Andrew Bartlett (This used to be commit e6d2debaf6064c3229f41c06545a1ccb83695a77)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison5-17/+15
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
2002-11-09Fix bug found by tpot with given password server.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 90ac8184a0ae1f702d39f947ef5267765f3d2f88)
2002-11-08Don't set global_machine_password_needs_changing ifTim Potter1-4/+6
lp_machine_password_timeout() is set to zero. (This used to be commit 0fa87a68fea8b12242f644605aab7c2f81c1a4df)