summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2001-11-11Fix up some DEBUG()sAndrew Bartlett1-17/+37
Add and fix comments Add 'const' to some more input paramaters. (This used to be commit 0c7eefcb5c5db63294d0584029e0d32cd1523e80)
2001-11-11Add back the not null checks in a better place.Andrew Bartlett1-1/+7
Check the pdb_init_sam() for failure. (This used to be commit 1808cd5210258bddc349f13a7bcf20a3f46aa672)
2001-11-11make sam_account_ok static.Andrew Bartlett1-32/+29
remove rudundent not null checks fix indenting (This used to be commit 3eada888fddb1f0cb7c0ed7037eb1c60e7988ad9)
2001-11-11This extra check isn't needed, we can only get here if secuirty=domainAndrew Bartlett1-3/+0
(This used to be commit 600d83e43f61eb138115731ce089ba42d63e0924)
2001-11-11Minor updates. A small dose of const.Andrew Bartlett2-2/+2
(This used to be commit 80667cb0dd1a2cdef17711c8580af9f524971cea)
2001-11-11Remove built-in support for clear-text kerberos authentication.Andrew Bartlett1-123/+3
This should remove some confusion from the ./configure, but does not affect the 'real' kerberos support currently residing in smbd/sesssetup.c. This code is vunerable to a spoofed KDC, and is best replaced by --with-pam and the pam_krb5 module. This module includes measures to prevent such spoofing. Andrew Bartlett (This used to be commit 3235880b41ee5dd5ef171195489fb9254f5d89b0)
2001-11-09This change updates lp_guestaccount() to be a *global* paramater, rather thanAndrew Bartlett1-1/+1
per-share. I beleive that almost all the things that this could have done on a per-share basis can be done with other tools, like 'force user'. Almost all the user's of this paramater used it as a global anyway... While this is one step at a time, I hope it will allow me to considerably simplfy the make_connection() code, particularly for the user-level security case. This already removes an absolute truckload of extra attempted password lookups on the guest account. Andrew Bartlett (This used to be commit 8e708332eded210c1d1fe0cebca3c9c19f054b71)
2001-11-08Change to guest logon code.Andrew Bartlett2-26/+94
This changes the way we process guest logons - we now treat them as normal logons, but set the 'guest' flag. In particular this is needed becouse Win2k will do an NTLMSSP login with username "", therefore missing our previous guest connection code - this is getting a pain to do as a special case all over the shop. Tridge: We don't seem to be setting a guest bit for NTLMSSP, in either the anonymous or authenticated case, can you take a look at this? Also some cleanups in the check_password() code that should make some of the debugs clearer. Various other minor cleanups: - change the session code to just take a vuser, rather than having to do a vuid lookup on vuser.vuid - Change some of the global_client_caps linking - Better debug in authorise_login(): show the vuid. Andrew Bartlett (This used to be commit 62f4e4bd0aef9ade653b3f8d575d2864c166ab4d)
2001-11-05Renamed make_user_info_for_winbindd() to be more consistent with theTim Potter1-4/+4
names of the other functions in this file. (This used to be commit 4880f37e4ee08b6363314a3fb67051a6708988d0)
2001-11-03Added NT_USER_TOKEN into server_info to fix extra groups problem.Jeremy Allison1-12/+58
Got "medieval on our ass" about const warnings (as many as I could :-). Jeremy. (This used to be commit ee5e7ca547eff016818ba5c43b8ea0c9fa69b808)
2001-11-03Minor cleanups/fixes in the NTLMv2 codeAndrew Bartlett1-6/+2
(This used to be commit 253790f6d71653b572c0174113b8559820de6bdd)
2001-11-01Various post AuthRewrite cleanups, fixups and tidyups.Andrew Bartlett2-22/+31
Zero out some of the plaintext passwords for paranoia Fix up some of the other passdb backends with the change to *uid_t rather than uid_t. Make some of the code in srv_netlog_nt.c clearer, is passing an array around, so pass its lenght in is definition, not as a seperate paramater. Use sizeof() rather than magic numbers, it makes things easier to read. Cope with a PAM authenticated user who is not in /etc/passwd - currently by saying NO_SUCH_USER, but this can change in future. Andrew Bartlett (This used to be commit 514c91b16baca639bb04638042bf9894d881172a)
2001-10-31Fix up domain logons. Tested with NT4.Andrew Bartlett1-1/+1
(This used to be commit c8b2718adfe114b74a155116c5e74f014d6df887)
2001-10-31This is a farily large patch (3300 lines) and reworks most of the AuthRewriteAndrew Bartlett7-273/+868
code. In particular this assists tpot in some of his work, becouse it provides the connection between the authenticaion and the vuid generation. Major Changes: - Fully malloc'ed structures. - Massive rework of the code so that all structures are made and destroyed using malloc and free, rather than hanging around on the stack. - SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them to be declared 'invalid' without the chance that people might get ROOT by default. - kill off some of the "DOMAIN\user" lookups. These can be readded at a more appropriate place (probably domain_client_validate.c) in the future. They don't belong in session setups. - Massive introduction of DATA_BLOB structures, particularly for passwords. - Use NTLMSSP flags to tell the backend what its getting, rather than magic lenghths. - Fix winbind back up again, but tpot is redoing this soon anyway. - Abstract much of the work in srv_netlog_nt back into auth helper functions. This is a LARGE change, and any assistance is testing it is appriciated. Domain logons are still broken (as far as I can tell) but other functionality seems intact. Needs testing with a wide variety of MS clients. Andrew Bartlett (This used to be commit f70fb819b2f57bd57232b51808345e2319d52f6c)
2001-10-31Small 'const' updates ahead of some AuthRewrite merging.Andrew Bartlett1-5/+5
(This used to be commit 3b5e72bda3263c6bdf81dfface4fae4f06b71032)
2001-10-31Added some extra fields to the auth_serversupplied_info structure.Tim Potter1-1/+13
To obtain the full group membership of a user (i.e nested groups on a win2k native mode server) it is necessary to merge this list of groups with the groups returned by winbindd when creating an nt access token. This breaks winbindd linking while AB and I sync up our changes to the authentication subsystem. (This used to be commit 4eeb7bcd783d7cfb3ac232f1faa035773007401d)
2001-10-30Spnego on the 'server' end of security=server just does not work, so set theAndrew Bartlett1-0/+3
flags so we just do a 'normal' session setup. Also add some parinoia code to detect when sombody attempts to do a 'normal' session setup when spnego had been negoitiated. Andrew Bartlett (This used to be commit 190898586fa218c952fbd5bea56155d04e6f248b)
2001-10-29Fix up auth_smbpasswd.c to use the password interface, rather than theAndrew Bartlett1-8/+8
structures directly. Andrew Bartlett (This used to be commit c2dc24ab6370236437b72b929e2a56e174163d78)
2001-10-29This commit is number 4 of 4.Andrew Bartlett2-16/+19
In particular this commit focuses on: Actually adding the 'const' to the passdb interface, and the flow-on changes. Also kill off the 'disp_info' stuff, as its no longer used. While these changes have been mildly tested, and are pretty small, any assistance in this is appreciated. ---- These changes introduces a large dose of 'const' to the Samba tree. There are a number of good reasons to do this: - I want to allow the SAM_ACCOUNT structure to move from wasteful pstrings and fstrings to allocated strings. We can't do that if people are modifying these outputs, as they may well make assumptions about getting pstrings and fstrings - I want --with-pam_smbpass to compile with a slightly sane volume of warnings, currently its pretty bad, even in 2.2 where is compiles at all. - Tridge assures me that he no longer opposes 'const religion' based on the ability to #define const the problem away. - Changed Get_Pwnam(x,y) into two variants (so that the const parameter can work correctly): - Get_Pwnam(const x) and Get_Pwnam_Modify(x). - Reworked smbd/chgpasswd.c to work with these mods, passing around a 'struct passwd' rather than the modified username --- This finishes this line of commits off, your tree should now compile again :-) Andrew Bartlett (This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317)
2001-10-29This commit is number 3 of 4.Andrew Bartlett2-3/+3
In particular this commit focuses on: Changing the Get_Pwnam code so that it can work in a const-enforced environment. While these changes have been mildly tested, and are pretty small, any assistance in this is appreciated. ---- These changes allow for 'const' in the Samba tree. There are a number of good reasons to do this: - I want to allow the SAM_ACCOUNT structure to move from wasteful pstrings and fstrings to allocated strings. We can't do that if people are modifying these outputs, as they may well make assumptions about getting pstrings and fstrings - I want --with-pam_smbpass to compile with a slightly sane volume of warnings, currently its pretty bad, even in 2.2 where is compiles at all. - Tridge assures me that he no longer opposes 'const religion' based on the ability to #define const the problem away. - Changed Get_Pwnam(x,y) into two variants (so that the const parameter can work correctly): - Get_Pwnam(const x) and Get_Pwnam_Modify(x). - Reworked smbd/chgpasswd.c to work with these mods, passing around a 'struct passwd' rather than the modified username (This used to be commit e7634f81c5116ff4addfb7e495f54b6bb78e8f77)
2001-10-23more compiler warningsHerb Lewis2-2/+2
(This used to be commit 12c10e876ea528fdf33e8ecfe42ab0ebb346b143)
2001-10-19print in a human readable format when the password expired.Jean-François Micouleau1-1/+1
J.F. (This used to be commit 255b197a5c92bfc18a567613bbffb013fd0a834d)
2001-10-18Merge the become_XXX -> change_to_XXX fixes from 2.2.2 to HEAD.Jeremy Allison1-1/+1
Ensure make_conection() can only be called as root. Jeremy. (This used to be commit 8d23a7441b4687458ee021bfe8880558506eddba)
2001-10-06Fix up indenting in out SAM password check code.Andrew Bartlett1-46/+49
(This used to be commit ac11a23125270dd136290370b1cf0124e943a101)
2001-10-02Fixed up the change password bug when not using PAM.Jeremy Allison1-2/+2
The problem is we were trying to use mask_match as a generic wildcard matcher for UNIX strings (like the password prompts). We can't do that - we need a unix_wild_match (re-added into lib/util.c) as the ms_fnmatch semantics for empty strings are completely wrong. This caused partial reads to be accepted as correct passwd change responses when they were not.... Also added paranioa test to stop passwd change being done as root with no %u in the passwd program string. Jeremy. (This used to be commit 9333bbeb7627c8b21a3eaeae1683c34e17d14bf0)
2001-10-02Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header.Tim Potter9-33/+1
(This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e)
2001-10-01honor the ACB_PWNOEXP flag in smbpasswdAndrew Tridgell1-2/+1
(This used to be commit 70b7c900c907c4620faa7d82845296298b3820ff)
2001-10-01- fix handling of 0 last_change_time and must_change_timeAndrew Tridgell1-31/+32
- move the arbitrary 21 day timeout to local.h (This used to be commit 11075f543470c3283accce0246d0b2983420695a)
2001-09-29Fix up a number of intertwined issues:Andrew Bartlett3-10/+30
The big one is a global change to allow us to NULLify the free'ed pointer to a former passdb object. This was done to allow idra's SAFE_FREE() macro to do its magic, and to satisfy the input test in pdb_init_sam() for a NULL pointer to start with. This NULL pointer test was what was breaking the adding of accounts up until now, and this code has been reworked to avoid duplicating work - I hope this will avoid a similar mess-up in future. Finally, I fixed a few nasty bugs where the pdb_ fuctions's return codes were being ignored. Some of these functions malloc() and are permitted to fail. Also, this caught a nasty bug where pdb_set_lanman_password(sam, NULL) acheived precisely didilly-squat, just returning False. Now that we check the returns this bug was spotted. This could allow different LM and NT passwords. - the pdbedit code needs to start checking these too, but I havn't had a chance to fix it. I have also fixed up where some of the password changing code was using the pdb_set functions to store *internal* data. I assume this is from a previous lot of mass conversion work... Most likally (and going on past experience) I have missed somthing, probably in the LanMan password change code which I havn't yet been able to test, but this lot is in much better shape than it was before. If all this is too much to swallow (particularly for 2.2.2) then just adding a sam_pass = NULL to the particular line of passdb.c should do the trick for the ovbious bug. Andrew Bartlett (This used to be commit 762c8758a7869809d89b4da9c2a5249678942930)
2001-09-26Process the workstation trust account code INSIDE the authenticaion subsystem,Andrew Bartlett1-5/+20
just like any other logon. Matching code removal in reply.c to follow. Andrew Bartlett (This used to be commit da4873d889928e9bd88e736e26e4e77e87bcd931)
2001-09-26Rearrange the order of the checks in auth_smbpasswd.c, always check passwordsAndrew Bartlett1-73/+111
first. Add password expiry and 'must change before first logon' support. - This requires that the passdb be up to the job to supply the info. (This used to be commit 53c1c5091ea4e3ccc294f8b6f132be78c11c431f)
2001-09-20Move pass_check.c over to NTSTATUS, allowing full NTSTATUS from PAM to wire!Andrew Bartlett2-83/+121
Add the ability for swat to run in non-root-mode (ie non-root from inetd). - we still need some of the am_root() calls fixed however. (This used to be commit 2c2317c56ee13abdbdbc866363c3b52dab826e3c)
2001-09-20We are not meant to touch the username, so use the pass->pw_name output ratherAndrew Bartlett1-6/+6
than Get_Pwnam(user, True). (This used to be commit bf81f0021328da97afe58cc17317b15ec1b3cc96)
2001-09-20Fix for MiXed and UPPER case usernames with plaintext PAM passwords.Andrew Bartlett1-1/+1
(This used to be commit ba1b411f556bfac8b953c44c81257c7d8fb9817d)
2001-09-20Revert this one: The NTLMv2 checks need the original username as foundAndrew Bartlett1-1/+1
on the wire. (This used to be commit 7c9ae76b3ff4f1ba88ddad570648f32f99e38944)
2001-09-19- Fix up to use sampass->username insted of user_info->smb_usernameAndrew Bartlett1-7/+7
- Fix initial lookup to use the mapped username. (This used to be commit 162b88e2313dbcf0b95300b8f18a3e9b6b6b29bd)
2001-09-19Remove the ugly hacks to get around the Get_Pwnam() calls in pass_check.c byAndrew Bartlett2-9/+16
simply not doing Get_Pwnam() calls in pass_check.c We now make *one* sys_getpnam() call in cgi.c and we always call PAM no matter what it returns. We also no longer run the password cracker for these logins. The truly parinod will note the slight difference in call paths, in that we only call crypt for valid password structs (if not --with-pam). The truly parinoid don't run SWAT either, so I don't think this is an issue. Andrew Bartlett (This used to be commit 9020d884935243f28c19cedc88f076f0709e12cb)
2001-09-17move to SAFE_FREE()Simo Sorce2-3/+3
(This used to be commit a95943fde0ad89ae3f2deca2f7ba9cb5ab612b74)
2001-09-17move to SAFE_FREE()Simo Sorce1-12/+9
(This used to be commit 64d35e94fe6f7e56353b286162f670c8595a90e6)
2001-09-16Fix up workstaion and kickoff time checks, moved to auth_smbpasswd.c whereAndrew Bartlett2-13/+55
they can have general effect. Fixed up workstaion support in the rest of samba, so that we can do these checks. Pass through the workstation for cli_net_logon(), if supplied. (This used to be commit 7f04a139b2ee34b4c282590509cdf21395815a7a)
2001-09-14Now that we always get back an NTSTATUS code actually pass it on to theAndrew Bartlett2-17/+5
auth subsytem. Also kill off the (unneeded) wrapper fuction. Andrew Bartlett (This used to be commit 96f06b490ac5e9fd86debccf8d41675fa41f7726)
2001-09-12Some patches to authentication:Tim Potter4-17/+26
- the usersupplied_info now contains a smb_username (as it comes across on the wire) and a unix_username (after being passed through mapping functions) - when doing security={server,domain} use the smb_username, otherwise use the unix_username (This used to be commit d34fd8ec0716127c7a68eeb8e77d1ae8cc07b547)
2001-09-10made a couple of local fns staticAndrew Tridgell1-1/+1
(This used to be commit f0851202a852bed28fbd2446b44ce2b977ddacd8)
2001-09-04cope with pam being offAndrew Tridgell1-1/+1
(This used to be commit 5f6e7bbce76c85571ee10a3f8b5bbbd0beadb632)
2001-09-04the next stage in the NTSTATUS/WERROR change. smbd and nmbd now compile, but ↵Andrew Tridgell9-44/+44
the client code still needs some work (This used to be commit dcd6e735f709a9231860ceb9682db40ff26c9a66)
2001-08-30Fixed silly typo.Jeremy Allison1-3/+3
Jeremy. (This used to be commit 6ee2b41429e43f6a9a58eba3cb01b952be3d5ca5)
2001-08-30Fix from Paul Green to set correct lengths.Jeremy Allison1-3/+3
Jeremy. (This used to be commit 52b9b6d519c38b2a3e524d098a09fb996e8a2047)
2001-08-27converted another bunch of stuff to NTSTATUSAndrew Tridgell8-27/+27
(This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e)
2001-08-27started converting NTSTATUS to be a structure on systems with gcc in order ↵Andrew Tridgell1-8/+9
to make it type incompatible with BOOL so we catch errors sooner. This has already found a number of bugs (This used to be commit 1b778bc7d22efff3f90dc450eb12baa1241cf68f)
2001-08-24get rid of compiler warningsHerb Lewis3-8/+8
(This used to be commit 0768991d04ea03e774ca8662c9cae5e1951b88e0)