path: root/source3/auth
Age | Commit message | Author | Files | Lines
2008-12-19 | Make cli_negprot return NTSTATUS instead of bool | Volker Lendecke | 1 | -3/+6
2008-12-04 | Fix bug #1254 - write list not working under share-level security | Jeremy Allison | 1 | -1/+1
A somewhat more elegant fix than I could use for 3.2.x or 3.0.x. Turns out the only part of check_user_ok() that needs to change for share level security is the VUID cache pieces, so I can just always use check_user_ok() for all lp_security() cases. Jeremy
2008-11-14 | Make memcache_add_talloc NULL out the source pointer | Volker Lendecke | 1 | -2/+4
This is an orthogonality measure to make clear this pointer now belongs to the cache. (cherry picked from commit e6080c6e87d6fe3995b121a772bf3f6343fa666f)
2008-11-06 | Make us clean under valgrind --leak-check=full by using | Jeremy Allison | 1 | -1/+1
talloc_autofree_context() instead of NULL. Remove the code in memcache that does a TALLOC_FREE on stored pointers. That's a disaster waiting to happen. If you're storing talloc'ed pointers, you can't know their lifecycle and they should be deleted when their parent context is deleted, so freeing them at some arbitrary point later will be a double-free. Jeremy.
2008-11-06 | Add wrapper str_list_make_v3() to replace the old S3 behavior of | Jeremy Allison | 1 | -8/+8
str_list_make(). From Dan Sledz <dan.sledz@isilon.com>: In samba 3.2 passing NULL or an empty string returned NULL. In master, it now returns a list of length 1 with the first string set to NULL (an empty list). Jeremy.
2008-10-23 | Use sockaddr_storage only where we rely on the size, use sockaddr | Jelmer Vernooij | 1 | -1/+1
otherwise (to clarify we can also pass in structs smaller than sockaddr_storage, such as sockaddr_in).
2008-10-13 | Add data_blob_string_const_null() function that includes the terminating | Jelmer Vernooij | 1 | -2/+2
null byte and use it in Samba 3. This matches the behaviour prior to my data_blob changes.
2008-10-12 | Use common strlist implementation in Samba 3 and Samba 4. | Jelmer Vernooij | 1 | -2/+2
2008-10-11 | Cope with changed signature of http_timestring(). | Jelmer Vernooij | 1 | -1/+1
2008-10-06 | Add netlogond auth method | Volker Lendecke | 1 | -0/+321
This authenticates against a local running samba4 using SamLogonEx. We retrieve the machine password using samba4's mymachinepwd script and store the schannel key for re-use in secrets.tdb.
2008-10-03 | Simplify our main loop processing. A lot :-). Correctly use events for all the | Jeremy Allison | 1 | -0/+65
previous "special" cases. A step on the way to adding signals to the events and being able to merge the S3 event system with the S4 one. Jeremy.
2008-09-03 | Revert "Split lookup_name() and create a new function called" | Simo Sorce | 2 | -7/+17
This reverts commit 8594edf666c29fd4ddf1780da842683dd81483b6. (This used to be commit ad462e2e2d025a7fc23e7dea32b2b442b528970b)
2008-08-26 | Merge branch 'v3-devel' of ssh://git.samba.org/data/git/samba into v3-devel | Simo Sorce | 1 | -2/+3
(This used to be commit e038f1cf9fb305fc1e7a4189208e451d30aaa1f0)
2008-08-25 | auth: Fix build warning. | Günther Deschner | 1 | -2/+3
Guenther (This used to be commit 4661ef625a6522d6f859b83e3e3702f01d0b952f)
2008-08-17 | Split lookup_name() and create a new function called | Simo Sorce | 2 | -17/+7
lookup_domain_name(). This new function accepts separated strings for domain and name. (This used to be commit 8594edf666c29fd4ddf1780da842683dd81483b6)
2008-08-14 | Fix show-stopper for 3.2. Smbd depends on group SID | Jeremy Allison | 1 | -0/+34
position zero being the primary group sid. Authenticating via winbindd call returned a non-sorted sid list. This fix is for both a winbindd call and a pac list from an info3 struct. Without this we mess up the primary group associated with created files. Found by Herb. Jeremy. (This used to be commit cb925dec85cfc4cfc194c3ff76dbeba2bd2178d7)
2008-08-14 | Make it clear that this is a temporary context by using a talloc stackframe | Jeremy Allison | 1 | -22/+16
instead. Jeremy (This used to be commit 7f7dd5e8883e23d7fe3f9cb804905c5b23a5a41c)
2008-07-30 | Removed redundant logging from create_builtin_users and | Tim Prouty | 1 | -16/+4
create_builtin_administrators
The Debug messages in create_builtin_users and create_builtin_users have now been encapsulated in add_sid_to_builtin. (This used to be commit ca153139b1dced07c196aac93dbc9d9428d98124)
2008-07-30 | Enabled domain groups to be added to builtin groups at domain join time | Tim Prouty | 1 | -2/+2
Previously this was done at token creation time if the Administrators and Users builtins hadn't been created yet. A major drawback to this approach is that if a customer is joined to a domain and decides they want to join a different domain, the domain groups from this new domain will not be added to the builtins. It would be ideal if these groups could be added exclusively at domain join time, but we can't rely solely on that because there are cases where winbindd must be running to allocate new gids for the builtins. In the future if there is a way to allocate gids for builtins without running winbindd, this code can be removed from create_local_nt_token.
- Made create_builtin_users and create_builtin_administrators non-static so they can be called from libnet
- Added a new function to libnet_join that will make a best effort to add domain administrators and domain users to BUILTIN\Administrators and BUILTIN\Users, respectively. If the builtins don't exist yet, winbindd must be running to allocate new gids, but if the builtins already exist, the domain groups will be added even if winbindd is not running. In the case of a failure the error will be logged, but the join will not be failed.
- Plumbed libnet_join_add_dom_rids_to_builtins into the join post processing.
(This used to be commit e92faf5996cadac480deb60a4f6232eea90b00f6)
2008-07-30 | Refactored the code that adds Domain Admins to BUILTIN\Administrators to use | Tim Prouty | 1 | -26/+30
the new helper functions.
- Modified create_builtin_administrators and add_builtin_administrators to take in the domain sid to reduce the number of times it needs to be looked up.
- Changed create_builtin_administrators to call the new helper functions.
- Changed create_local_nt_token to call the new version of create_builtin_administrators and handle the new error that can be returned.
- Made it more explicit that add_builtin_administrators is only called when winbindd can't be pinged.
(This used to be commit f6411ccb4a1530034e481e1c63b6114a93317b29)
2008-07-30 | Refactored the code that adds Domain Users to BUILTIN\Users to use the new | Tim Prouty | 1 | -17/+22
helper functions.
- Modified create_builtin_users to take in the domain sid to reduce the number of times it needs to be looked up.
- Changed create_builtin_users to call the new helper functions.
- Changed create_local_nt_token to call the new version of create_builtin_users and handle the new error that can be returned.
(This used to be commit 8d75d40b9f6d22bae7430211f8a1fe99051b756c)
2008-07-30 | Helper functions to enable domain groups to be added to builtin groups at | Tim Prouty | 1 | -0/+59
domain join time
Added two new helper functions which wrap the raw pdb alias functions so they can be more conveniently called while adding domain groups to builtin groups. (This used to be commit 668ef314559df40f1b8aa0991539adcd8d35ffe3)
2008-07-22 | Fix various build warnings | Zach Loafman | 1 | -1/+1
This fixes various build warnings on our platform. I'm sure I haven't caught them all, but it's a start. (This used to be commit 6b73f259cb67d9dda9127907d706f9244a871fa3)
2008-07-20 | Refactoring: Change calling conventions for cli_rpc_pipe_open_schannel | Volker Lendecke | 1 | -2/+3
Pass in ndr_syntax_id instead of pipe_idx, return NTSTATUS (This used to be commit 1fcfca007f33a2c4e979abf30c2ea0db65bac718)
2008-07-20 | Refactoring: Change calling conventions for cli_rpc_pipe_open_noauth | Volker Lendecke | 1 | -2/+3
Pass in ndr_syntax_id instead of pipe_idx, return NTSTATUS (This used to be commit 9abc9dc4dc13bd3e42f98eff64eacf24b51f5779)
2008-06-26 | Fix the non-LDAP, non-krb5 build, fix gcc -O3 warnings. | Jeremy Allison | 1 | -1/+1
Jeremy. (This used to be commit 9e2ab30d3cf6950fc79152b2169e7aeae8d6a366)
2008-06-26 | Add server_info to pipes_struct | Volker Lendecke | 1 | -0/+16
(This used to be commit d621867bb8767e1c4236d28dd9294a61db6cbb10)
2008-06-24 | Fix for bug #5551, smbd recursing back into winbindd from a winbindd call. | Jeremy Allison | 1 | -13/+66
Jeremy. (This used to be commit a07fe72538e8e724b9736d5a85cc590864c5cab2)
2008-06-24 | Fix bug #5555. Don't return NT_STATUS_PASSWORD_MUST_CHANGE error on machine | Jeremy Allison | 1 | -2/+3
account logon. Jeremy. (This used to be commit 10da498a2349bf5944183adf5a9284eafa2b8b74)
2008-06-19 | Wrap the unix token info in a unix_user_token in auth_serversupplied_info | Volker Lendecke | 1 | -23/+25
No functional change, this is a preparation for more current_user ref removal (This used to be commit dcaedf345e62ab74ea87f0a3fa1e3199c75c5445)
2008-05-30 | Fix security=server, bug 5502 | Volker Lendecke | 1 | -2/+4
This has brown paper bag quality and is definitely needed for 3.2.0. Thanks to Orion Poplawski for reporting this! Volker (This used to be commit 3b31f8cce3703645a57778bc752bc9b9e853df5d)
2008-05-11 | Make sure we have serversupplied_info->sanitized_username everywhere | Volker Lendecke | 1 | -10/+53
(This used to be commit 88423a17b966652eba4085e88f7ddb5c86b463dd)
2008-05-10 | Add function make_serverinfo_from_username() | Volker Lendecke | 1 | -0/+38
This will be used for 'security=share' and 'force user' (This used to be commit 88e43097cafcd2849d9f1200a377357fde4cce99)
2008-05-10 | Add a mem_ctx argument to make_server_info_guest() | Volker Lendecke | 2 | -5/+6
(This used to be commit e4a9492967f3d2b64f27943f99414608e0c03d21)
2008-05-10 | Make copy_serverinfo non-static, add mem_ctx | Volker Lendecke | 1 | -3/+4
(This used to be commit a3651ced9e0859578df8cc44da64e7a8066bde76)
2008-05-07 | Rename server_info->was_mapped to server_info->nss_token | Volker Lendecke | 5 | -11/+7
"nss_token" from my point of view much better reflects what this flag actually represents (This used to be commit b121a5acb2ef0bb3067d953b028696175432f10d)
2008-05-05 | Remove "userdom_struct user" from "struct user_struct" | Volker Lendecke | 1 | -0/+10
(This used to be commit 420de035237bb08bc470c9eb820f3da2edaa6805)
2008-05-05 | Fix a typo | Volker Lendecke | 1 | -1/+1
(This used to be commit 964bd02220c04030d8cb0f97ca9b409400d1238c)
2008-05-05 | Remove unused set_current_user_guest() | Volker Lendecke | 1 | -33/+0
(This used to be commit a33e8d2ffa4daea1deba13b3571cb0b36d521476)
2008-04-30 | BUG 5429: Clarify log msgs re: failure to create BUILTIN\{Administrators,Users} | Gerald W. Carter | 1 | -7/+9
Raise the debug msgs from Lvl 0 in the create_builtin_XX() functions to prevent unnecessary panic from people reading the logs. (This used to be commit 2983b9dc790e0f90ec1e6add131438c6bfd361b4)
2008-04-15 | auth: add SeDiskOperatorsPrivilege to get_root_nt_token to fix registry shares. | Michael Adam | 1 | -0/+2
Michael (This used to be commit 6bb107b17d557c27d035ca518ab61296814a3cea)
2008-04-09 | Fix typos. | Karolin Seeger | 1 | -1/+1
Karolin (This used to be commit 6cee34703503fbf3629057345fe221b866560648)
2008-04-04 | Use sid_array_from_info3 in lookup_usergroups_cached(). | Günther Deschner | 1 | -1/+1
Guenther (This used to be commit 65b4cb20ea3fb806cfd50281e08f32bea70fafce)
2008-04-02 | Fix NETLOGON credential chain with Windows 2008 all over the place. | Günther Deschner | 1 | -1/+1
In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8 netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate flags everywhere (not only when running in security=ads). Only for NT4 we need to do a downgrade to the returned negotiate flags. Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6. Guenther (This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0)
2008-03-26 | Add debug statement in auth_winbind to display wbcAuthenticateUserEx error code. | Günther Deschner | 1 | -0/+5
Guenther (This used to be commit 0ad00a452f03d8af6e6b6fabd4a05ca26a9910d0)
2008-03-20 | Fix crash bug in check_sam_security() when make_server_info_sam() did a | Günther Deschner | 1 | -1/+0
talloc_steal and talloc_free on the sam account already. Guenther (This used to be commit dbc7237a8a566f3e86bd6e4b48593b93c5bfb94e)
2008-03-14 | Fix bug 5317 | Volker Lendecke | 1 | -1/+1
Thanks to oster@cs.usask.ca (This used to be commit f18a80575921a241c7243c5af5a0101a2956ff17)
2008-03-10 | Use a separate tdb for mutexes | Volker Lendecke | 2 | -14/+18
Another preparation to convert secrets.c to dbwrap: The dbwrap API does not provide a sane tdb_lock_with_timeout abstraction. In the clustered case the DC mutex is needed per-node anyway, so it is perfectly fine to use a local mutex only. (This used to be commit f94a63cd8f94490780ad9331da229c0bcb2ca5d6)
2008-03-06 | Be more verbose why create local token has failed during | Günther Deschner | 1 | -1/+2
NTLMSSP and Kerberos session setup Guenther (This used to be commit 18b8c2c19e50aee8fc900c7507244cb95014a4fa)
2008-02-17 | Use netr_SamInfo3 in remaining places. | Günther Deschner | 1 | -5/+5
Guenther (This used to be commit 92fca97951bf7adf8caaeabdaff21682b18dd91f)