summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2003-02-04Merge HEAD: check both the account and password...Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit 830de56bf2f47412acfebf6c6353ab4b98c8517e)
2003-01-28Merge from HEAD:Andrew Bartlett1-1/+9
- NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor. - also consequential changes to the NTLMSSP and SPNEGO parsing functions - and the client code that uses the same functions - Add ntlm_auth, a NTLMSSP authentication interface for use by applications like Squid and Apache. - also consquential changes to use common code for base64 encode/decode. - Winbind changes to support ntlm_auth (I don't want this program to need to read smb.conf, instead getting all it's details over the pipe). - nmbd changes for fstrcat() instead of fstrcpy(). Andrew Bartlett (This used to be commit fbb46da79cf322570a7e3318100c304bbf33409e)
2003-01-28This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.(This ↵cvs2svn Import User1-0/+139
used to be commit b741abd496621586040081c04674ae53cb5db47c)
2003-01-16Updates to the NTLMSSP code again - moving the base64 decode fuctionality outAndrew Bartlett1-4/+5
of the SWAT code, and adding a base64 encoder. The main purpose of this patch is to add NTLMSSP support to 'ntlm_auth', for use with Squid. Unfortunetly the squid side doesn't quite support what we need yet. Changes to winbind to get us the info we need, and a couple of consequential changes/cleanups in the rest of the code. Andrew Bartlett (This used to be commit fe50ca8f54ded2e119bde08831785fbe0db2ee99)
2003-01-15Missed auth_ntlmssp.c in last night's checkin. Also keep track of the currentAndrew Bartlett1-225/+78
challenge in the NTLMSSP context. Andrew Bartlett (This used to be commit ba13e058d4533b1ffba723b9e98e95090ad63d85)
2003-01-15Crash fixes:Andrew Bartlett1-0/+1
- fix a crash when a second NTLMSSP session tried to free the first - fix a crash due to some NULL pointers in the Add Printer Wizard (or read printer code too it appears). As far as I can tell it's just that the GUID just might not exist. Andrew Bartlett (This used to be commit 51b1413056b0d001076ff47a755eb35baa2d9e6d)
2003-01-14Merge indirection, signed/unsigned and uninitialiased-value fixes from HEAD.Andrew Bartlett2-5/+6
Andrew Bartlett (This used to be commit 2a1adb8f81d8966e8919fffb9b4c69f3e6acd44f)
2003-01-13Missing indirect in final free.Jeremy Allison1-2/+2
Jeremy. (This used to be commit faf443e5198e270f1a60d7a0939074efca750a94)
2003-01-13Merge of indirection fixes from HEAD.Jeremy Allison1-5/+5
Jeremy (This used to be commit 67a0b30f50aa323185cbcf3a9d39804239222480)
2003-01-13Always initialise this variable - and don't set the 'must change now' if it wasAndrew Bartlett1-1/+2
last changed at '0'. We need to actually change this password sometime... Andrew Bartlett (This used to be commit 740bf439d2d1512127c873cf0e57697161d6566b)
2003-01-13Patch from metze to add what he feels is the correct semantics for a DomainAndrew Bartlett2-0/+44
Controller. As we have had a number of attempts at this over the last little while, I need to get my test rig going, and give this whole area a poke... Meanwhile, if you want to use this, just adjust your 'auth methods' line to use samstrict_dc... Andrew Bartlett (This used to be commit 18e598ec24493026008fcfe486057555b8832108)
2003-01-13Updates to our NTLMSSP code:Andrew Bartlett2-1/+293
This tries to extract our server-side code out of sessetup.c, and into a more general lib. I hope this is only a temporay resting place - I indend to refactor it again into an auth-subsystem independent lib, using callbacks. Move some of our our NTLMSSP #defines into a new file, and add two that I found in the COMsource docs - we seem to have a double-up, but I've verified from traces that the NTLMSSP_TARGET_TYPE_{DOMAIN,SERVER} is real. This code also copes with ASCII clients - not that we will ever see any here, but I hope to use this for HTTP, were we can get them. Win2k authenticates fine under forced ASCII, btw. Tested with Win2k, NTLMv2 and Samba's smbclient. Andrew Bartlett (This used to be commit b6641badcbb2fb3bfec9d00a6466318203ea33e1)
2003-01-13Fix to debian bug #171071 - we had the wrong dereference on the pointer to beAndrew Bartlett1-4/+4
Realloc()ed, causing it to fail. Big thanks to Sandor Sonfeld <sonf@linuxmail.org> for the debug, stack and valgrind traces! Andrew Bartlett (This used to be commit 7abca6d281da6388899f78e3440d7ce37bf2094e)
2003-01-11Use size_t for the counter vars, to match the type they are assigned fromAndrew Bartlett1-3/+3
(signed/unsigned mixup). Andrew Bartlett (This used to be commit f42cf0783fa3aeddc4992021df9ee6f3b1aa58f3)
2003-01-05Merge from HEAD - updates to correctly recognise LMv2, and NT# in LM feild.Andrew Bartlett1-33/+58
Andrew Bartlett (This used to be commit 32a1802a99a51b033eee034d3d2ce5cf409441dc)
2003-01-05Clear up the auth_sam password checking code (the core of our password checkingAndrew Bartlett1-33/+58
routines). In particular, we now better support the NT# in LM feild, and the LMv2 password scheme. (LMv2 is basicly NTLMv2 capped at 24 bytes, slightly more secure, and in the LM feild for compatiblity). Thanks to the Samba-TNG team and Luke Leighton for various descriptions of this algorithm, and to MS for a solution that seems to actually make sense for once :-). Andrew Bartlett (This used to be commit 5c2e34b5b6a2241b8d2fd68458eb73bb65ade6fd)
2003-01-04Make it clear that the credentials are being setup on the NETLOGON channel, andAndrew Bartlett1-3/+3
may not be to our PDC (might be BDC, or trusted DC). Andrew Bartlett (This used to be commit 610be8d483f335226386f92b5e85ddeb07846d41)
2003-01-04Merge from HEAD - we already have one function for converting a unistr2 to aAndrew Bartlett1-5/+5
static 'unix' string, so we don't need a second pdb specific version. Andrew Bartlett (This used to be commit 91ca4771c6b834747b06fff21822a14e929de2c1)
2003-01-03Merge from HEAD - make Samba compile with -Wwrite-strings without additionalAndrew Bartlett2-4/+4
warnings. (Adds a lot of const). Andrew Bartlett (This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c)
2003-01-02We already have one function to move unistr2 -> multibyte-static, so weAndrew Bartlett1-5/+5
don't need a second just for pdb. Also, remove magic 'is lp_guest_account' test - the magic RID should be up to the passdb backend to set. Andrew Bartlett (This used to be commit f71c8338d35a2e8c73c3d8006ea6858cb522c715)
2003-01-02BIG patch...Andrew Bartlett2-4/+4
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-12-23Finish adding strings to all talloc_init() calls.Jeremy Allison1-2/+1
Jeremy. (This used to be commit aa8439a49ec4b9f433745fefa1e769e45398f4df)
2002-12-23Finish adding strings to all talloc_init() calls.Jeremy Allison1-2/+1
Jeremy. (This used to be commit 784d15761c3271bfd602866f8f9f880dac77671c)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-4/+4
named. Ensure we can query them. Jeremy. (This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-4/+4
named. Ensure we can query them. Jeremy. (This used to be commit 09a218a9f6fb0bd922940467bf8500eb4f1bcf84)
2002-12-13merge of get_dc_name()-like code from APP_HEAD; better support password ↵Gerald Carter1-88/+8
server = DC1 * (This used to be commit f49de4c5176bf635ac080e082fda412066b466c8)
2002-12-12merge of get_dc_name()-like code from APP_HEAD; better support password ↵Gerald Carter1-90/+10
server = DC1 * (This used to be commit 6b18ca9511ddcf1718f222af3f61491d1e5f3b60)
2002-12-11Fixed auth module code. Added VALGRIND defines to reduce spurious warnings.Jeremy Allison2-68/+58
Jeremy. (This used to be commit ff3a8d37289216a2cb808406044a7abef1e564d0)
2002-12-11Fixed auth module code. Added VALGRIND defines to reduce spurious warnings.Jeremy Allison2-68/+58
Jeremy. (This used to be commit ec4ed45563f9d8e25fcfd88840944a90b3139c3e)
2002-12-01Make it clear that we might not be talking to a PDC here.Andrew Bartlett1-1/+1
(This used to be commit 7d099e9a5b7164e8cdbdb93d8c4527f02c8bdefd)
2002-11-29Merge a bunch of trivial changes from HEAD. The difference remainingTim Potter1-1/+2
should actual functional differences between HEAD and 3.0. - Mostly reformatting - Removal of unecessary #include "smb.h" - Merge of dyn_DRIVERFILE removal - Silly bug fix for python code (This used to be commit d3998307adc50ba50defe610cb656c73799ae3b9)
2002-11-23[merge from APP_HEAD]Gerald Carter1-2/+3
90% fix for CR 1076. The password server parameter will no take things like password server = DC1 * which means to contact DC1 first and the go to auto lookup if it fails. jerry (This used to be commit 016ef8b36b30846311a5321803298f8e28719244)
2002-11-23[merge from APP_HEAD]Gerald Carter1-2/+3
90% fix for CR 1076. The password server parameter will no take things like password server = DC1 * which means to contact DC1 first and the go to auto lookup if it fails. jerry (This used to be commit c31a17889e3e4daf7c1e807038efc2c0fba78be3)
2002-11-15Updates from HEAD:Andrew Bartlett3-9/+6
- const for PACKS() in lanman.c - change auth to 'account before password' - add help to net rpc {vampire,samsync} - configure updates for sun workshop cc - become_root() around pdb_ calls in auth_util for guest login. Andrew Bartlett (This used to be commit 43e90eb6e331d478013a9c038292f245edc51bd0)
2002-11-15Small auth updates:Andrew Bartlett4-11/+6
- add static remove unnneded prototype - move become_root() to just around pdb calls, so as to make it easier to remove when we kill off this silly idea - Change auth_sam to do 'account before password' rather than 'password before account'. This means that we match Win2k in giving 'account disabled' instead of 'wrong password' if the wrong password to a disabled account is used. Andrew Bartlett (This used to be commit e6d2debaf6064c3229f41c06545a1ccb83695a77)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison5-17/+15
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison5-17/+15
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
2002-11-09Fix bug found by tpot with given password server.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 90ac8184a0ae1f702d39f947ef5267765f3d2f88)
2002-11-09Fix bug found by tpot with given password server.Jeremy Allison1-1/+1
Jeremy. (This used to be commit d46b4cb563850c77ee23b95df35a7f752a235d35)
2002-11-08Merge from HEAD:Andrew Bartlett1-8/+9
- change auth_sam to use the initialisation flags to determine if the password attributes are set - add const to secrets.c, cliconnect.c - passdb: fix spelling in pdb_ldap, add group mapping back to smbpasswd - SAMR: add debugs to show what fails for group enum. Andrew Bartlett (This used to be commit 4e74d00b3634abf52aa24bfaa6dbe88202aa57a1)
2002-11-08Don't set global_machine_password_needs_changing ifTim Potter1-4/+6
lp_machine_password_timeout() is set to zero. (This used to be commit 3692919aee186498848715505047a1cde83758b7)
2002-11-08Don't set global_machine_password_needs_changing ifTim Potter1-4/+6
lp_machine_password_timeout() is set to zero. (This used to be commit 0fa87a68fea8b12242f644605aab7c2f81c1a4df)
2002-11-06Merge of get_dc_list() api change from HEAD.Tim Potter1-2/+17
(This used to be commit 6ba7847ce2756fde94e530fd0bf2a055f3e27373)
2002-11-06Merge of get_dc_list() api change. This was slightly more intrusiveTim Potter1-2/+17
than the version in APPLIANCE so watch out for boogs. (This used to be commit 1e054e3db654801fbb5580211529cdfdea9ed686)
2002-11-04Move to the use of the 'initialised' flag, rather than the fact the pointer isAndrew Bartlett1-8/+9
NULL. Andrew Bartlett (This used to be commit 2115335857acd2c4f5c89b95227b3762f4c052b0)
2002-11-03make_server_info_guest() can need root for the ldapsam backendAndrew Tridgell1-1/+4
(This used to be commit 918099f09618136c371e199803f5895f9cb702be)
2002-11-02Merge passdb from HEAD -> 3.0Andrew Bartlett2-10/+10
The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-10-17Added new error codes. Fix up connection code to retry in the same wayJeremy Allison1-10/+23
that app-head does. Jeremy. (This used to be commit b521abd86b10573ca8f9116907c81e6deb55f049)
2002-10-17Added new error codes. Fix up connection code to retry in the same wayJeremy Allison1-10/+23
that app-head does. Jeremy. (This used to be commit ec7953f20145799f6286a295472df4826bfdfb8f)
2002-10-12Nice *big* patch from metze.Andrew Bartlett2-10/+10
The actual design change is relitivly small however: It all goes back to jerry's 'BOOL store', added to many of the elements in a SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into ldap. This was a great win for admins, and this patch follows in the same way. This patch extends the concept - we don't store values back into LDAP unless they have been changed. So if we read a value, but don't update it, or we read a value, find it's not there and use a default, we will not update ldap with that value. This reduced clutter in our LDAP DB, and makes it easier to change defaults later on. Metze's particular problem was that when we 'write back' an unchanged value, we would clear any muliple values in that feild. Now he can still have his mulitivalued 'uid' feild, without Samba changing it for *every* other operation. This also applies to many other attributes, and helps to eliminate a nasty race condition. (Time between get and set) This patch is big, and needs more testing, but metze has tested usrmgr, and I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly flawed ;-). The same system will be introduced into the SAM code shortly, but this fixes bugs that people were coming across in production uses of Samba 3.0/HEAD, hence it's inclusion here. Andrew Bartlett (This used to be commit 7f237bde212eb188df84a5d8adb598a93fba8155)