summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2011-09-08s3:libsmb: pass CLI_FULL_CONNECTION_* flags via cli_connect_nb()Stefan Metzmacher1-4/+3
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Sep 8 10:21:50 CEST 2011 on sn-devel-104
2011-08-03s3-ntlmssp Remove a level of nesting in if/else statementAndrew Bartlett1-3/+2
2011-08-03selftest: test plugin_s4_dc against all ncacn_np testsAndrew Bartlett4-1/+41
Changes to the s3 epmapper behaviour seem to have fixed the rest of these tests. Andrew Bartlett
2011-08-03s3-ntlmssp clarify session key behaviour after create_local_token() changesAndrew Bartlett1-2/+1
2011-08-03s3-ntlmssp Remove auth_ntlmssp_state_destructor, use the talloc tree insteadAndrew Bartlett1-16/+5
2011-08-03s3-auth directly return the result of make_server_info_guest()Andrew Bartlett1-2/+2
2011-08-03s3-auth rename auth_ntlmssp_steal_session_info()Andrew Bartlett2-6/+6
There is no longer any theft of memory as the underlying routines now produce a new auth_session_info for this caller, allocating it on the supplied memory context. Andrew Bartlett
2011-08-03s3-auth Add function to start any GENSEC mech by OIDAndrew Bartlett2-5/+22
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-auth remove sanitized_username from auth_serversupplied_infoAndrew Bartlett2-23/+1
This structure element was only written to, not read. It is filled into the companion structure, auth_session_info() by create_local_token(). Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-auth set session_info->sanitized_username in create_local_token()Andrew Bartlett4-15/+15
Rather than passing this value around the callers, and eventually setting it in register_existing_vuid(), we simply pass it to create_local_token(). This also removes the need for auth_ntlmssp_get_username(). Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-ntlmssp Split auth_ntlmssp_start into two functionsAndrew Bartlett2-13/+17
This helps map on to the GENSEC semantics better, and ensures that the full set of desired features are set before the mechanism starts. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-ntlmssp Split calls to gensec plugin into prepare and startAndrew Bartlett3-17/+18
GENSEC has the concept of starting the GENSEC subsystem before starting the actual mechansim. Between these two stages is when most context methods are called, to specify credentials and features. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-auth Add hook to start a GENSEC mech to auth_samba4Andrew Bartlett2-1/+89
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-ntlmssp Add hooks to optionally call into GENSEC in auth_ntlmsspAndrew Bartlett1-13/+36
This allows the current behaviour of the NTLMSSP code to be unchanged while adding a way to hook in an alternate implementation via an auth module. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-auth Allow auth modules to provide an initialised GENSEC contextAndrew Bartlett1-2/+9
This will allow auth plugins such as auth_samba4 to provide an initialised GENSEC context to auth subsystem callers. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-auth Use else if in do_map_to_guest_server_infoAndrew Bartlett1-3/+1
This means we can't ever call make_server_info_guest() twice. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03s3-auth Move map to guest to directly after the check_password callsAndrew Bartlett3-0/+40
This means we no longer need two different map to guest functions and have consistent logic with fewer layering violations. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-02s3:auth_server: make use of cli_state_protocol()Stefan Metzmacher1-1/+1
metze
2011-07-23Fix bug 8314] - smbd crash with unknown user.Jeremy Allison1-4/+11
All other auth modules code with being called with auth_method->private_data being NULL, make the auth_server module cope with this too. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Sat Jul 23 02:55:01 CEST 2011 on sn-devel-104
2011-07-22s3:auth_server: make use of cli_state_remote_name()Stefan Metzmacher1-6/+7
metze
2011-07-22s3:auth_domain: we already have the dc_name, it's the same as cli->desthostStefan Metzmacher1-1/+1
metze
2011-07-22s3:auth_domain: add some const to sockaddr_storageStefan Metzmacher1-2/+2
metze
2011-07-22Fix const warning.Jeremy Allison1-2/+5
Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Fri Jul 22 01:58:39 CEST 2011 on sn-devel-104
2011-07-20s3-auth fix dummy function in the not-with-kerberos caseAndrew Bartlett1-1/+1
2011-07-20s3-auth Replace False with false in auth_util.cAndrew Bartlett1-10/+10
Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Jul 20 02:31:15 CEST 2011 on sn-devel-104
2011-07-20s3-auth Replace True with true in auth_util.cAndrew Bartlett1-12/+12
2011-07-20s3-auth Fix spellingAndrew Bartlett1-7/+7
2011-07-20s3-auth Remove pointless destructor in make_server_infoAndrew Bartlett1-10/+0
All the callers allocate ->info3 as a talloc child already. As regardes the TALLOC_ZERO(), I added this originally out of parinoia many years ago. We do not consistantly zero session keys in memory, and for NTLMv2 and Kerberos they are random for each sesssion, so breaking into smbd far enough to read an old session key isn't a particularly interesting attack, compared with (say) reading the keytab or the password database. (NTLM and LM session keys are fixed derivitives of the passwords however). Andrew Bartlett
2011-07-20s3-auth inline make_auth_session_info into only callerAndrew Bartlett3-25/+1
2011-07-20s3-auth Remove seperate guest booleanAndrew Bartlett1-3/+2
Instead, we base our guest calculations on the presence or absense of the authenticated users group in the token, ensuring that we have only one canonical source of this important piece of authorization data Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20auth: Set NETLOGON_GUEST and use it to determine guest statusAndrew Bartlett1-0/+3
These additional measures should help ensure we do not accidentily upgrade a guest to an authenticated user in the future. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20auth: Split out make_user_info_SamBaseInfo and add authenticated argumentAndrew Bartlett1-13/+5
This will allow the source3 auth code to call this without needing to double-parse the SIDs Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Use the common auth_session_infoAndrew Bartlett5-40/+40
This patch finally has the same structure being used to describe the authorization data of a user across the whole codebase. This will allow of our session handling to be accomplished with common code. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth use auth_user_info not netr_SamInfo3 in auth3_session_infoAndrew Bartlett1-7/+20
This makes auth3_session_info identical to auth_session_info The logic to convert the info3 to a struct auth_user_info is essentially moved up the stack from the named pipe proxy in source3/rpc_server to create_local_token(). Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth reimplement copy_session_info via NDR pull/pushAndrew Bartlett1-57/+23
This ensures we do not miss elements. Pattern copied from auth_netlogond. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Remove pointless destructorAndrew Bartlett1-10/+0
All the users of this structure allocate info3 on the session_info Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Avoid redundant copies in create_local_token()Andrew Bartlett1-20/+20
These values were not read before being overwritten again. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Add comments to copy_session_info_serverinfo_guest()Andrew Bartlett1-2/+5
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth inline copy_serverinfo_session_info into only callerAndrew Bartlett1-72/+56
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth use a cached auth_serversupplied_info in make_server_info_guest()Andrew Bartlett1-11/+19
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth remove extra from auth3_session_infoAndrew Bartlett1-4/+5
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Clarify inputs and ouptuts by using elements from server_infoAndrew Bartlett1-5/+5
This allows us not the put all of these elements into the auth3_session_info if they are only used as inputs to these functions. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth assert that security_token is present in the copy, and explain why ↵Andrew Bartlett1-7/+16
nss_token can be skipped Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth: Remove unused lm_session_key from auth3_session_infoAndrew Bartlett1-10/+5
The long term authorization state needs only the final, negotiated session key, and not the original LM key that may possibly have been an input. The special case of the guest account simply needs both values filled back in with the zeros to avoid changing behaviour in the cached server_info. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth remove unused copy_serverinfoAndrew Bartlett2-61/+0
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Use system boolean in auth_user_info_unixAndrew Bartlett1-6/+4
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Use guest boolean in auth_user_info_unixAndrew Bartlett1-7/+10
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Use struct auth_user_info_unix for unix_name and sanitized_usernameAndrew Bartlett1-18/+34
This is closer to the layout of struct auth_session_info in auth.idl Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Use *unix_token rather than utok in struct auth3_session_infoAndrew Bartlett2-38/+56
This brings this structure one step closer to the struct auth_session_info. A few SMB_ASSERT calls are added in some key places to ensure that this pointer is initialised, to make tracing any bugs here easier in future. NOTE: Many of the users of this structure should be reviewed, as unix and NT access checks are mixed in a way that should just be done using the NT ACL. This patch has not changed this behaviour however. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20s3-auth Use struct auth3_session_info outside the auth subsystemAndrew Bartlett4-24/+33
This seperation between the structure used inside the auth modules and in the wider codebase allows for a gradual migration from struct auth_serversupplied_info -> struct auth_session_info (from auth.idl) The idea here is that we keep a clear seperation between the structure before and after the local groups, local user lookup and the session key modifications have been processed, as the lack of this seperation has caused issues in the past. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>