summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2011-03-23s3: Fix a (invalid) uninitialized variable warningVolker Lendecke1-1/+1
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Wed Mar 23 11:13:14 CET 2011 on sn-devel-104
2011-03-16s3: Fix Coverity ID 1018, CHECKED_RETURNVolker Lendecke1-3/+5
2011-03-10Quite some callers of sid_split_rid do not care about the ridVolker Lendecke1-3/+1
2011-03-05s3: Fix a memory leak in check_sam_security_info3Volker Lendecke1-10/+12
Abartlet, this commit makes check_sam_security_info3 use talloc_tos() and also cleans up the temporary talloc stackframe. The old code created a temporary talloc context off "mem_ctx" but failed to clean up the tmp_ctx in all but one return paths. talloc_stackframe()/talloc_tos() is designed as a defense against exactly this error: Even if we failed to free the frame when returning from the routine, it would be cleaned up very soon, in our main event loop. Please check this patch! Thanks, Volker Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Sat Mar 5 14:08:37 CET 2011 on sn-devel-104
2011-02-28s3-rpc_client: Move client pipe functions to own header.Andreas Schneider2-0/+2
2011-02-23s3-waf: move some parts of auth to AUTH_COMMON to avoid duplicate symbols ↵Günther Deschner1-7/+13
with winbindd. Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Feb 23 02:16:23 CET 2011 on sn-devel-104
2011-02-22s3-includes: move some chgpasswd related defines to the locations where they ↵Günther Deschner1-0/+6
are used. Guenther
2011-02-22s3:auth: change num_groups to from size_t to uint32_tStefan Metzmacher2-5/+5
This will help with the change from UNIX_USER_TOKEN to security_unix_token metze
2011-02-22s3-auth Rename auth_serversupplied_info varaiables: server_info -> session_infoAndrew Bartlett2-21/+21
These variables, of type struct auth_serversupplied_info were poorly named when added into 2001, and in good consistant practice, this has extended all over the codebase in the years since. The structure is also not ideal for it's current purpose. Originally intended to convey the results of the authentication modules, it really describes all the essential attributes of a session. This rename will reduce the volume of a future patch to replaced these with a struct auth_session_info, with auth_serversupplied_info confined to the lower levels of the auth subsystem, and then eliminated. (The new structure will be the output of create_local_token(), and the change in struct definition will ensure that this is always run, populating local groups and privileges). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-02-20s3: NO_SUCH_USER is a lot more likely than NO_MEMORYVolker Lendecke1-1/+1
2011-02-20s3: Convert init_system_info to NTSTATUSVolker Lendecke1-4/+3
2011-02-18s3-waf: use SAMBA3_*() build rules in source3/buildAndrew Tridgell1-11/+11
this brings the s3 waf build much closer to the proposed s3build top level build, using the same bld.SAMBA3_*() rules There are a few renames of subsystems in here, with a 3 suffix where it would create a conflict. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-16s3-auth Fix memory leak in security=share and force user =Andrew Bartlett1-1/+1
In these cases, the server_info was not stolen onto a long term memory context, and so remained on the NULL context where it was created. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Feb 16 01:08:19 CET 2011 on sn-devel-104
2011-02-10s3-auth Remove unused pam_handleAndrew Bartlett1-1/+0
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10s3-auth Rename cryptic 'ptok' to security_tokenAndrew Bartlett1-18/+18
This will allow the auth_serversupplied_info struct to be migrated to auth_session_info easier. Adnrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-08pam: share pam errors in a common location.Günther Deschner1-0/+1
Guenther
2011-02-06s3: Use the right credentials in check_netlogond_securityVolker Lendecke1-1/+1
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Sun Feb 6 20:43:03 CET 2011 on sn-devel-104
2011-02-06s3: Fix auth_netlogond to cope with netlogon_creds_CredentialStateVolker Lendecke1-20/+69
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Sun Feb 6 17:30:48 CET 2011 on sn-devel-104
2011-02-06s3: Fetch the machinepw via ldapi in pdb_adsVolker Lendecke1-41/+112
2011-02-04s3-winbindd: let winbind try to use samlogon validation level 6. (bug #7945)Günther Deschner2-0/+2
The benefit of this that it makes us more robust to secure channel resets triggered from tools outside the winbind process. Long term we need to have a shared tdb secure channel store though as well. Guenther Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Feb 4 18:11:04 CET 2011 on sn-devel-104
2011-02-04s3-auth: add copy_netr_SamBaseInfo().Günther Deschner1-56/+6
Guenther Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-01-17s3: Make sure we call wbcAuthenticateUserEx correctlyVolker Lendecke2-8/+29
There are cases where we fill in params.password.response.lm_data with non-NULL where params.password.response.lm_length is 0. wbcAuthenticateUserEx does not like that. I haven't been able to reproduce this with smbclient yet, I've seen it with a proprietary smb client implementation. Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Mon Jan 17 16:30:11 CET 2011 on sn-devel-104
2011-01-17s3: Avoid a few calls to cli_errstrVolker Lendecke1-3/+3
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Mon Jan 17 08:47:25 CET 2011 on sn-devel-104
2010-12-20s3: Remove unused "retry" from cli_full_connectionVolker Lendecke1-1/+1
2010-12-20s3: Always retry the DC connection in auth_domainVolker Lendecke1-8/+4
The only condition that cli_full_connection marks as non-retryable is the basic name lookup and TCP connect. To me this is pretty fishy. For example if the negprot fails, this is supposed to be more retryable than a NetBIOS name lookup failure? I'd rather think the opposite is true. Jeremy, this is code from 2002, 389a16d9d533. If you have any comments from back then, let me know :-) Volker
2010-12-19s3: Fix bug 7066 -- wbcAuthenticateEx gives unix timesVolker Lendecke1-3/+5
We might eventually want to change this, but right now we get unix times out of the winbind pipe struct
2010-12-01s3-waf: avoid module name uppercasing.Günther Deschner1-18/+18
This finally allows mixed case module names like the classic build (./configure --shared_modules=charset_CP850) Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Dec 1 18:39:14 CET 2010 on sn-devel-104
2010-11-30s3-waf: convert TOKEN_UTIL into a subsystem.Günther Deschner1-2/+6
Guenther
2010-11-10Fix memleak I accidently introduced when reading from tdb.Jeremy Allison1-0/+1
Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Wed Nov 10 01:56:21 UTC 2010 on sn-devel-104
2010-11-10Ensure we check the return from make_user_info before dereferencing the ↵Jeremy Allison1-2/+2
value returned by it. Jeremy.
2010-11-10Remove fstring from map_username. Create a more sane interface than the ↵Jeremy Allison4-77/+155
called-parameter-is-modified. Jeremy.
2010-11-09s3: Quieten a bogus error messageVolker Lendecke1-3/+1
This happens if you set "auth methods = winbind" without a fallback method. The return NT_STATUS_LOGON_FAILURE; is not strictly require here, because we fall through to the equivalent statement a few lines down, but it makes the code a bit clearer IMO. Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Tue Nov 9 20:15:59 UTC 2010 on sn-devel-104
2010-11-05s3: Make proper use of sid_check_is_in_xx routinesVolker Lendecke1-2/+2
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Fri Nov 5 15:35:59 UTC 2010 on sn-devel-104
2010-11-05s3: Fix a typoVolker Lendecke1-1/+1
2010-10-20Make getpwnam_alloc() static to lib/username.c, and ensure all username ↵Jeremy Allison3-6/+6
lookups go through Get_Pwnam_alloc(), which is the correct wrapper function. We were using it *some* of the time anyway, so this just makes us properly consistent. Jeremy. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Wed Oct 20 16:02:12 UTC 2010 on sn-devel-104
2010-10-20s3-waf: move RPC_CLIENT_SCHANNEL into a subsystem.Günther Deschner1-0/+1
Guenther
2010-10-15s3-rpc_server: Make auth_serversupplied_info const.Andreas Schneider1-1/+1
2010-10-14s3-auth Use security_token_debug() from common codeAndrew Bartlett2-27/+1
This prints the security token including the privileges as strings instead of just a bitmap. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-10-14s3-auth use security_token_has_sid() from the common codeAndrew Bartlett1-9/+2
The wrapper call is left here to avoid changing semantics for the NULL parameter case. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-10-12libcli/security Provide a common, top level libcli/security/security.hAndrew Bartlett3-3/+3
This will reduce the noise from merges of the rest of the libcli/security code, without this commit changing what code is actually used. This includes (along with other security headers) dom_sid.h and security_token.h Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-10-08s3-waf: slowly getting modules to match how they look like in old build.Günther Deschner1-19/+19
Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Fri Oct 8 09:31:01 UTC 2010 on sn-devel-104
2010-09-28s3-waf: add AUTH_SCRIPT module to AUTH subsystem (which is build as sharedGünther Deschner1-0/+7
module by default). Guenther
2010-09-28s3-waf: fix dependencies in most of our module subsystems.Günther Deschner1-6/+2
Guenther
2010-09-28s3-auth_util: make sure the system server info actually contains S-1-5-18.Günther Deschner1-0/+9
Without this, all security descriptor checks for the winreg spoolss backend fail and make our spoolss system in its current shape basically unusable. Andreas, please check. Guenther
2010-09-27s3-waf: move auth subsystem to auth/wscript_build.Günther Deschner1-0/+84
Guenther
2010-09-26s3: Remove talloc_autofree_context() from get_root_nt_token()Volker Lendecke1-1/+1
The memcache_add_talloc() later on steals it anyway
2010-09-26s3: Lift talloc_autofree_context() from make_auth_context_fixed()Volker Lendecke1-3/+4
2010-09-26s3: Lift talloc_autofree_context() from make_auth_context_subsystem()Volker Lendecke3-6/+11
2010-09-26s3: Lift talloc_autofree_context() from make_auth_context_text_list()Volker Lendecke1-3/+6
2010-09-26s3: Lift talloc_autofree_context() from make_auth_context()Volker Lendecke1-3/+7