path: root/source3/auth
Age | Commit message | Author | Files | Lines
2007-10-10 | r5528: Expand the invalid-workstation-scheme. Workstation-Names with leading | Günther Deschner | 1 | -1/+13
'@'-sign are expanded on-the-fly as posix-groups of workstations. This allows optional, more flexible login-control in larger networks. Guenther (This used to be commit 8f143b6800e0b6964c8ba4ba9607dc74da12ae59)
2007-10-10 | r5431: couple of compile fixes from Jason Mader <jason@ncac.gwu.edu> -- BUGS | Gerald Carter | 1 | -2/+0
2341 & 2342 (This used to be commit 0edcfc7fa20fd8e3273b29c8f1a97cb7c7179fb6)
2007-10-10 | r5385: when operating in security = domain, allow domain admins to manage | Gerald Carter | 1 | -1/+13
rights assignments (This used to be commit fec9cb7daa9b780aab019c0e0d7f2692c168019f)
2007-10-10 | r5331: Support SIDs as %s replacements in the afs username map parameter. | Volker Lendecke | 1 | -0/+33
Add 'log nt token command' parameter. If set, %s is replaced with the user sid, and %t takes all the group sids. Volker (This used to be commit e7dc9fde45c750013ad07f584599dd51f8eb8a54)
2007-10-10 | r5264: Log with loglevel 0 when account-administration scripts fail. | Günther Deschner | 1 | -1/+1
Guenther (This used to be commit 3d391ef149639750db376b05528a27422f8a3321)
2007-10-10 | r4972: Fix a warning and some debugging-outputs. | Günther Deschner | 1 | -1/+1
Guenther (This used to be commit 1eabfa050b661168b42892c2d841c7891e59cf5f)
2007-10-10 | r4805: Last planned change to the privileges infrastructure: | Gerald Carter | 1 | -12/+3
* rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags)
* migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly.
Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2007-10-10 | r4724: Add support for Windows privileges in Samba 3.0 | Gerald Carter | 1 | -15/+39
(based on Simo's code in trunk). Rewritten with the following changes:
* privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release).
* Remove the privilege code from the passdb API (replication to come later)
* Only support the minimum amount of privileges that make sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this.
Still todo:
* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one Samba DC to another.
* Come up with some management tool for manipulating privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4.
(This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2007-10-10 | r4579: small changes to allow the members of the Domain Admins group on the | Gerald Carter | 1 | -0/+29
Samba DC to join clients to the domain -- needs more testing and security review but does work with initial testing (This used to be commit 9ade9bf49c7125fb29658f943e9ebb6be9496180)
2007-10-10 | r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply. | Günther Deschner | 1 | -3/+4
The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting acct_flags with bizarre values, breaking a lot of things. This patch is successfully running in a production environment for quite some time now and is required to finally allow Exchange 5.5 to access another Exchange Server when both are running on NT4 in a samba-controlled domain. This also allows Exchange Replication to take place, Exchange Administrator to access other Servers in the network, etc. Fixes Bugzilla #1136. Thanks abartlet for helping me with that one. Guenther (This used to be commit bd4c5125d6989cebc90152a23e113b345806c660)
2007-10-10 | r4236: More *alloc fixes. | Jeremy Allison | 1 | -1/+1
Jeremy. (This used to be commit 6b25a6e088390d33314ca69c8f17c869cec3904b)
2007-10-10 | r4088: Get medieval on our ass about malloc.... :-). Take control of all our | Jeremy Allison | 3 | -17/+17
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10 | r3705: Nobody has commented, so I'll take this as an ack... | Volker Lendecke | 1 | -36/+16
abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2007-10-10 | r3616: Merge for 3.0.8. | Andrew Bartlett | 1 | -3/+3
In auth_winbind, remove the push_utf8 calls, as this is no longer a UTF8 interface. (Removed from everywhere else earlier). Tested with ASCII - I tried to load the weird charset for testing, but it doesn't seem to work any more. Andrew Bartlett (This used to be commit cb27c197ee44d2be09014598e3928642b59ef956)
2007-10-10 | r3563: During a typical logon a modern workstation makes a lot of anonymous | Volker Lendecke | 1 | -1/+44
session setups on its way to open a pipe. This gets rid of many round-trips to the LDAP server during logon by setting up the server_info_guest once and not asking the LDAP server and nss every time. Make sure that the ldap connection is reopened in the child. (I did not look at the sql backends.) Volker (This used to be commit 3298f6105e6a88c9390cac02245c8f2eee1e5046)
2007-10-10 | r3140: * try to ensure consistent usage of the username map. | Gerald Carter | 1 | -11/+23
Use the fully qualified DOMAIN\user format for 'security = domain|ads' and apply after authentication has succeeded. * also change fill_domain_username() to only lowercase the username and not the domain+username. This was a cosmetic fix only. makes the output more consistent with %D and %U. (This used to be commit 30ee2d5b0906d5cd73a8faf5170e5aebcc6d69c8)
2007-10-10 | r2899: Change some #if DEBUG_PASSWORD's to #ifdef DEBUG_PASSWORD. | Tim Potter | 1 | -1/+1
Bugzilla #1903. (This used to be commit 1327d83d902b6a39096d387d734e73d85ed53f85)
2007-10-10 | r2703: Fix typo noticed by Igor Belyi <sambauser@katehok.ac93.org> | Jeremy Allison | 1 | -1/+1
Jeremy. (This used to be commit ba69c7229c27e917a24e6d608d59e7c0bdd47551)
2007-10-10 | r2086: fix bug with winbindd_getpwnam() caused by Microsoft DC's not filling | Gerald Carter | 1 | -1/+1
in the username in the user_info3 (This used to be commit 4703a71fa88dff8bdc932f6c9af3a9d25a88938f)
2007-10-10 | r1780: Remove the UTC comment as it isn't. | Jeremy Allison | 1 | -2/+2
Jeremy. (This used to be commit f454821ff5545a34704b149514da9064f73ca3ad)
2007-10-10 | r1778: Fix based on code from Richard Renard <rrenard@idealx.com> to | Jeremy Allison | 1 | -0/+42
enforce logon hours. ldap fixes to follow. Jeremy. (This used to be commit 9ce273ed662bd34987eaeedeeeb7cb1c99cd50a4)
2007-10-10 | r1492: Rework our random number generation system. | Andrew Bartlett | 1 | -1/+1
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). Andrew Bartlett (This used to be commit 36741d3cf53a7bd17d361251f2bb50851cdb035f)
2007-10-10 | r1414: Memory leak fixes found by valgrind whilst checking the password | Jeremy Allison | 1 | -0/+6
history code. Error code paths were not freeing up some memory. Jeremy. (This used to be commit 7c4666e56c2c281e023c6483459cb9e8d4787d36)
2007-10-10 | r1370: BUG 1297 - prevent map_username() from being called twice during logon | Gerald Carter | 1 | -15/+17
(This used to be commit e1364ff774b62f46c0f50864695da49972352126)
2007-10-10 | r1175: Nowadays we actually do have local groups, so add the corresponding | Volker Lendecke | 1 | -8/+11
SIDs to the NT token we build. Thanks to Guenther Deschner <gd@sernet.de>. Volker (This used to be commit 2f9143dee901f7fc9e5ff0218527f1f4cff1991e)
2007-10-10 | r991: Allow winbindd to use the domain trust account password | Gerald Carter | 1 | -1/+3
for setting up an schannel connection. This solves the problem of a Samba DC running winbind, trusting a native mode AD domain, and needing to enumerate AD users via wbinfo -u. (This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea)
2007-10-10 | r786: Memory leak fixes in (mostly) error code paths from | Jeremy Allison | 2 | -3/+5
kawasa_r@itg.hitachi.co.jp. A couple of mem leak fixes in mainline code paths though :-). Jeremy. (This used to be commit 4695cc95fe576b6da0d0cb0686f208fc306b2646)
2007-10-10 | r86: This function was moved to lib/nterr.h | Andrew Bartlett | 1 | -28/+0
Andrew Bartlett (This used to be commit 1c6d0399d67c9206baf7d4173cc00540146fa897)
2007-10-10 | r69: Global rename of 'nt_session_key' -> 'user_session_key'. The session | Andrew Bartlett | 3 | -11/+11
key could be anything, and may not be based on anything 'NT'. This is also what microsoft calls it. (This used to be commit 724e8d3f33719543146280062435c69a835c491e)
2004-04-03 | Fix most of bug #169. | Andrew Bartlett | 3 | -100/+90
For a (very) long time, we have had a bug in Samba where an NTLMv2-only PDC would fail, because it converted the password into NTLM format for checking. This patch performs the direct comparison required for interactive logons to function in this situation. It also removes the 'auth flags', which simply were not ever used. Naturally, this plays with the size of structures, so rebuild, rebuild rebuild... Andrew Bartlett (This used to be commit 9598593bcf2d877b1d08cd6a7323ee0bc160d4ba)
2004-03-16 | fix overlapping memory bug when copying username | Gerald Carter | 1 | -2/+5
(This used to be commit a7cac639c2cf0e2606d9cfbdb08e961212ee3bfa)
2004-03-16 | BUG 1165, 1126: Fix bug with secondary groups (security = ads) and winbind | Gerald Carter | 3 | -72/+88
use default domain = yes (This used to be commit f2eaa14b1eb7e89c945b2b06a48e17998c75d620)
2004-02-21 | Add calls to password lockout functions. Should now work against tdbsam only. | Jim McDonough | 1 | -0/+38
(This used to be commit 3e8a9c3584ff2a3c2e120c97569676ac45ec8e59)
2004-02-02 | Remove bogus check. No functional change, just cosmetics. | Volker Lendecke | 1 | -5/+0
Volker (This used to be commit e3a5e2d9c23e8ba6bc817e433e596f535644c862)
2004-01-15 | BUG 936: fix bind credentials for schannel binds in smbd (and add a comment | Gerald Carter | 1 | -4/+9
to winbindd_cm about this (This used to be commit 5134c6bcbc5180431e95a30559c453f3744fd427)
2004-01-07 | Doxygen comment fix. | Rafal Szczesniak | 1 | -2/+5
rafal (This used to be commit b5e492b8eaf7cefe185d44b6c708f96ff61bd27b)
2004-01-05 | Change our Domain controller lookup routines to more carefully separate | Andrew Bartlett | 1 | -2/+5
DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
2003-12-31 | auth/auth_util.c: | Andrew Bartlett | 1 | -1/+1
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occur in reality, hence why we missed the typo.
lib/charcnv.c: lib/smbldap.c: libads/ldap.c: libsmb/libsmbclient.c: printing/nt_printing.c:
- all the callers to pull_utf8_allocate() pass a char ** as the first parameter, so don't make them all cast it to a void **
nsswitch/winbind_util.c:
- Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns strip the domain portion.
- Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is manipulated inside a procedure that uses its former value. Instead, use the fact that our local domain is always the first in the list.
Andrew Bartlett (This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
2003-12-30 | Move our basic password checking code from inside the authentication | Andrew Bartlett | 1 | -345/+1
subsystem into a separate file - ntlm_check.c. This allows us to call these routines from ntlm_auth. The purpose of this exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to avoid talking to winbind. This should allow for easier debugging. ntlm_auth itself has been reorganised, so as to share more code between the SPNEGO-wrapped and 'raw' NTLMSSP modes. A new 'client' NTLMSSP mode has been added, for use with a Cyrus-SASL module I am writing (based on vl's work) Andrew Bartlett (This used to be commit 48315e8fd227978e0161be293ad4411b45e3ea5b)
2003-12-30 | Refactor our authentication and authentication testing code. | Andrew Bartlett | 1 | -148/+219
The next move will be to remove our password checking code from the SAM authentication backend, and into a file where other parts of samba can use it. The ntlm_auth changes provide for better use of common code. Andrew Bartlett (This used to be commit 2375abfa0077a884248c84614d5109f57dfdf5b1)
2003-12-19 | * add a few useful debug lines | Gerald Carter | 2 | -9/+30
* fix bug involving Win9x clients. Make sure we save the right case for the located username in fill_sam_account() (This used to be commit 850e4be29e185ebe890f094372aa8c2cc86de76a)
2003-12-09 | Final part of fix for #445. Don't add user for machine accounts. | Jeremy Allison | 1 | -0/+4
Jeremy. (This used to be commit 3684cffbd269389d14b37edd5959e29912c13a60)
2003-12-06 | Fix for bug #445 (missing unix user on kerberos auth doesn't call add user | Jeremy Allison | 1 | -3/+13
script). Jeremy. (This used to be commit 5d9f06bdae4e7b878a87fb97367cf10afbc5f6b2)
2003-11-23 | Patch by emil@disksites.com <Emil Rasamat> to ensure we always | Andrew Bartlett | 2 | -2/+15
free() each auth method. (We had relied on the use of talloc() only, despite providing the free() callback) Andrew Bartlett (This used to be commit 5872c0e26e3407c7c1dcf2074a36896a3ca1325a)
2003-11-22 | Changes all over the shop, but all towards: | Andrew Bartlett | 4 | -30/+142
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particularly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challenge' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signing on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-10 | Patch from Andrew Bartlett <abartlet@samba.org> for security=server core | Jeremy Allison | 1 | -6/+8
dump if server goes away. Jeremy. (This used to be commit e61324cc6a222ca714530827068104f7a74c0911)
2003-11-09 | Skip over the winbind separator when looking up a user. | Volker Lendecke | 1 | -0/+1
Volker (This used to be commit 6b457d0c5c1a18b6e09c2c4cc489ce791aac3c6b)
2003-11-06 | run krb5 logins through the username map if the winbindd lookup fails; bug 698 | Gerald Carter | 1 | -4/+9
(This used to be commit efe257bce2020e94d00946a27e2e586c82a1480f)
2003-10-24 | Andrew Bartlett patch to cope with Exchange 5.5 cleartext pop password auth. | Jeremy Allison | 1 | -0/+16
Jeremy. (This used to be commit 46e66ee950eee035ad008c189cd2378f734af605)
2003-10-22 | Put strcasecmp/strncasecmp on the banned list (except for needed calls | Jeremy Allison | 1 | -1/+1
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)