summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2012-06-19auth: Use only security_token_is_system to determine that a user is SYSTEMAndrew Bartlett1-4/+0
This removes the duplication on how to detect that a user is system in Samba now that the smbd system account is also only SID_NT_SYSTEM we can use the same check everywhere. Andrew Bartlett Signed-off-by: Andreas Schneider <asn@samba.org>
2012-06-19s3-auth: Fix system token as just being SID_NT_SYSTEMAndrew Bartlett1-0/+3
This removes the SID matching the sec_initial_uid(). Andrew Bartlett Signed-off-by: Andreas Schneider <asn@samba.org>
2012-06-16s3-auth: Remove auth_netlogondAndrew Bartlett3-459/+0
auth_netlogond was an important module in the development of the combined Samba 4.0, and was the first module to link smbd with the AD authentication store, showing that it was possible for NTLM authentication to be offloaded to the AD server components. We now have auth_samba4, which provides the full GENSEC stack to smbd, which also matches exactly the group membership and privileges assignment and which is supported and tested as part of the official Samba 4.0 release configuration. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Jun 16 10:13:20 CEST 2012 on sn-devel-104
2012-06-15s3-auth: rework default auth methods around the lp_server_role() parameterAndrew Bartlett1-17/+23
To cover all the enum values, ROLE_ACTIVE_DIRECTORY_DOMAIN_CONTROLLER is mapped to the samba4 auth module, and this is no longer required to be specified in fileserver.conf. Andrew Bartlett
2012-06-15s3-auth: Merge SEC_DOMAIN and SEC_ADS cases in creating the default auth ↵Andrew Bartlett1-7/+2
module list
2012-06-15s3-auth: Fix system info3 return to be just SID_NT_SYSTEMAndrew Bartlett1-11/+17
The SID for the SYSTEM token should be a fixed value, and not the administrator. Note however that it will be replaced by the SID of sec_initial_uid() by the create_local_token() code. Fixing this requires fixes the other parts of the code that cannot cope with a token of just SID_NT_SYSTEM. Andrew Bartlett
2012-06-15s3-auth: Fix system token generation not to dereference pointer as an integerAndrew Bartlett1-1/+1
This continues on from commit caaebb455cf955f66c2f662c53998c480cb2d6c9 which is marked as being part of bug #8944, ldapsam:trusted and ipasam and an additional fix for bug #8567 (0528cb5f3a15b72dcb34ece21a3ffb3e7b8d6eb9). The problem here was that the primary_gid was simply the pointer result of dom_sid_parse_talloc() cast to a uint32_t (found by the IRIX cc on the build farm). Andrew Bartlett
2012-06-15s3-auth: Give the SYSTEM token all privilegesAndrew Bartlett1-0/+4
2012-05-23Introduce system MIT krb5 build with --with-system-mitkrb5 option.Alexander Bokovoy1-2/+2
System MIT krb5 build also enabled by specifying --without-ad-dc When --with-system-mitkrb5 (or --withou-ad-dc) option is passed to top level configure in WAF build we are trying to detect and use system-wide MIT krb5 libraries. As result, Samba 4 DC functionality will be disabled due to the fact that it is currently impossible to implement embedded KDC server with MIT krb5. Thus, --with-system-mitkrb5/--without-ad-dc build will only produce * Samba 4 client libraries and their Python bindings * Samba 3 server (smbd, nmbd, winbindd from source3/) * Samba 3 client libraries In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture. This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
2012-05-15s3-auth: Rename to init_system_session_info().Andreas Schneider2-2/+2
Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Tue May 15 13:56:00 CEST 2012 on sn-devel-104
2012-05-15s3-auth: Don't lookup the system user in pdb.Andreas Schneider1-4/+95
This fixes bug #8944, ldapsam:trusted and ipasam. It is an additional fix for bug #8567 (0528cb5f3a15b72dcb34ece21a3ffb3e7b8d6eb9).
2012-05-15s3:auth: remove unused auth_server.cStefan Metzmacher3-500/+0
metze
2012-05-15s3-auth: remove "security=server" (depricated since 3.6)Stefan Metzmacher1-6/+0
"security=server" has a lot of problems in the world with modern security (ntlmv2 and krb5). It was also not very reliable, as it needed a stable connection to the password server for the lifetime of the whole client connection! Please use "security=domain" or "security=ads" is you authentication against remote servers (domain controllers). metze -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SERVER | | security=server | | | | | | 12 May | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______
2012-05-09s3:auth/server_info: the primary rid should be in the groups rid array (bug ↵Alejandro Escanero Blanco1-5/+0
#8798) Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed May 9 19:36:01 CEST 2012 on sn-devel-104
2012-05-04s3: remove some unused codeVolker Lendecke2-28/+0
2012-05-02s3:passdb: rename sids_to_unix_ids() --> sids_to_unixids() for consistencyMichael Adam1-1/+1
2012-05-02s3-passdb: Use struct unixid in sids_to_unix_idsAndrew Bartlett1-6/+7
This avoids the union in the struct wbcUnixId and moves us to using only struct unixid internally. Andrew Bartlett Signed-off-by: Michael Adam <obnox@samba.org>
2012-04-30s3-auth_samba4: use new_server_id_task() to allocate server id valuesAndrew Bartlett1-6/+27
This is rather than just picking a random number out of the air. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Apr 30 11:29:34 CEST 2012 on sn-devel-104
2012-04-12auth-krb: Move pac related util functions in a single place.Simo Sorce1-1/+1
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-03s3-auth: Order GENSEC mechs by priority, krb5 before NTLMSSPAndrew Bartlett1-2/+3
Otherwise, really simple clients (such as the current ntlm_auth gss-spnego client) will not select krb5. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-03-30More strlcat/strlcpy truncate checks.Jeremy Allison1-10/+45
2012-03-24lib/util: Remove obsolete sys_getpid() and sys_fork().Jelmer Vernooij1-2/+2
The performance of these is minimal (these days) and they can return invalid results when used as part of applications that do not use sys_fork(). Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sat Mar 24 21:55:41 CET 2012 on sn-devel-104
2012-03-24lib/util: Remove dummy wrapper for getpwuid().Jelmer Vernooij1-2/+2
2012-03-24lib/util: Remove dummy wrapper for getpwnam().Jelmer Vernooij1-2/+2
2012-03-15s3-krb5: Remove GSS_WRAP_IOV conditionalAndrew Bartlett1-1/+1
We already confirm that we have this functionality before we set HAVE_KRB5 at configure time. Andrew Bartlett
2012-03-13s3-rpc: Decrypt with the proper session key in CreateTrustedDomainEx2.Alexander Bokovoy2-0/+29
On LSA and SAMR pipes session_key is truncated to 16 byte when doing encryption/decryption. However, this was not done for trusted domain-related modifying operations. As result, Samba 4 client libraries do not work against Samba 3 while working against Windows 2008 r2. Solved this by introducing "session_extract_session_key()" function that allows to specify intent of use of the key. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Tue Mar 13 12:23:44 CET 2012 on sn-devel-104
2012-03-08s3-auth: Remove single-implementation plugin layerAndrew Bartlett3-11/+48
The ->get_ntlm_challenge and ->check_ntlm_password elements of struct auth_context were only ever initialised to a single value. Make it easier to follow by just calling the function directly. Andrew Bartlett
2012-03-08s3-auth: Follow auth_ntlmssp and use auth4_context for Session SetupAndrew Bartlett1-10/+10
This patch ensures consistency in behaviour between NTLMSSP and NTLM session setup handlers. By calling the same layer that auth_ntlmssp calls, we can not only allow redirection of all authentication to the AD DC, we ensure that map to guest and username map handling is consistent, even in the file server alone. Andrew Bartlett
2012-03-04s3-auth Add make_session_info_from_pw to avoid multiple getpwnam() callsAndrew Bartlett1-12/+34
2012-03-04s3-auth: Remove security=share (depricated since 3.6).Andrew Bartlett4-193/+1
This patch removes security=share, which Samba implemented by matching the per-share password provided by the client in the Tree Connect with a selection of usernames supplied by the client, the smb.conf or guessed from the environment. The rationale for the removal is that for the bulk of security=share users, we just we need a very simple way to run a 'trust the network' Samba server, where users mark shares as guest ok. This is still supported, and the smb.conf options are documented at https://wiki.samba.org/index.php/Public_Samba_Server At the same time, this closes the door on one of the most arcane areas of Samba authentication. Naturally, full user-name/password authentication remain available in security=user and above. This includes documentation updates for username and only user, which now only do a small amount of what they used to do. Andrew Bartlett -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SHARE | | security=share | | | | | | 5 March | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______
2012-02-24s3-auth: Provide helper routine to check password and return session_infoAndrew Bartlett2-0/+31
2012-02-24auth: Rename some elements of auth4_contextAndrew Bartlett1-3/+3
These operate on NTLM authentication, so make that clear. Andrew Bartlett
2012-02-24s3-auth: Add a way to get an auth4_context from the auth stackAndrew Bartlett4-11/+108
This will allow us to use the same layer that auth_ntlmssp does in the non-SPNEGO session setup, which will in turn make the authentication code more consistent in the AD server case. Andrew Bartlett
2012-02-18auth: Reorder arguments to generate_session_infoAndrew Bartlett2-4/+4
This matches check_ntlm_password() and generate_session_info_pac() Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
2012-02-17s3-auth: Use common gensec_ntlmsspAndrew Bartlett2-38/+3
There is no longer any samba3-specific code left here. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Use common gensec_ntlmssp_server_startAndrew Bartlett1-127/+1
This is now identical code, so there is no need to duplicate it. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Use the gensec-supplied DNS domain name and hostname.Andrew Bartlett2-28/+76
Also have a reasonable fallback for when it is not set. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Allow NTLMSSP features to be disabled with smb.conf options for testingAndrew Bartlett1-9/+23
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Use the lpcfg_ wrapper calls to set some variablesAndrew Bartlett1-31/+10
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Remove a layer of indirection and reorder to match ↵Andrew Bartlett1-18/+15
gensec_ntlmssp_server_start()
2012-02-17s3-auth: Only allow LM_KEY cryptography when extra options are setAndrew Bartlett1-1/+6
This crypto is incredibly poor, and can technically be enabled on an otherwise more secure connection that uses NTLM for the actual authentication leg. Therefore disable it by default. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Inline ntlmssp_server_start() into gensec_ntlmssp3_server_start()Andrew Bartlett1-9/+60
This will help syncing this rotuine up with gensec_ntlmssp_server_start(). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth Use the common gensec_ntlmssp_update in gensec_ntlmssp3_serverAndrew Bartlett1-21/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Use common gensec_ntlmssp server functions for more of ↵Andrew Bartlett1-182/+2
gensec_ntlmssp3_server This is possible because we now supply the auth4_context abstraction that this code is looking for. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth: Add extra error messages on authentication or authorization failureAndrew Bartlett1-0/+16
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17s3-auth Hook checking passwords and generating session_info via the ↵Andrew Bartlett3-59/+259
auth4_context This avoids creating a second auth_context, as it is a private pointer in the auth4_context that has already been passed in, and makes the gensec_ntlmssp code agnostic to the type of authentication backend behind it. This will in turn allow the ntlmssp server code to be further merged. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16Rename obscure defined constants.Christopher R. Hertel (crh)1-2/+2
Replaced the undescriptive SMB_PORT1 and SMB_PORT2 defined constants with the slightly more descriptive names NBT_SMB_PORT and TCP_SMB_PORT. Also replaced several hard-coded references to the well-known port numbers (139 and 445, respectively) as appropriate. Small changes to clarify some comments regarding the two transport types. Signed-off-by: Simo Sorce <idra@samba.org> Autobuild-User: Simo Sorce <idra@samba.org> Autobuild-Date: Thu Feb 16 08:29:41 CET 2012 on sn-devel-104
2012-02-13s3-auth: On successful user mapping set mapped_to_guest to false.Sumit Bose1-0/+1
Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Mon Feb 13 13:09:10 CET 2012 on sn-devel-104
2012-02-08s3-auth Add const to make_user_info_mapAndrew Bartlett2-4/+4
2012-02-02s3:auth: fill the sids array of the info3 in ↵Stefan Metzmacher1-0/+53
wbcAuthUserInfo_to_netr_SamInfo3() (bug #8739) Originally, only the rid array was filled and foreign domain sids were omitted. Pair-Programmed-With: Michael Adam <obnox@samba.org> metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Feb 2 12:59:32 CET 2012 on sn-devel-104