summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r11661: Store the INFO3 in the PAC data into the netsamlogon_cache.Gerald Carter1-1/+1
Also remove the mem_ctx from the netsamlogon_cache_store() API. Guenther, what should we be doing with the other fields in the PAC_LOGON_INFO? (This used to be commit 8bead2d2825015fe41ba7d7401a12c06c29ea7f7)
2007-10-10r11652: Reinstate the netsamlogon_cache in order to workGerald Carter1-0/+2
around failed query_user calls. This fixes logons to a member of a Samba domain as a user from a trusted AD domain. As per comments on samba-technical, I still need to add (a) cache the PAC info as werll as NTLM net_user_info_3 (b) expire the cache when the SMB session goes away Both Jeremy and Guenther have signed off on the idea. (This used to be commit 0c2bb5ba7b92d9210e7fa9f7b70aa67dfe9faaf4)
2007-10-10r11573: Adding Andrew Bartlett's patch to make machine accountJeremy Allison5-17/+36
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
2007-10-10r11492: Fix bug #3224 (I hope). Correctly use machine_account_nameJeremy Allison1-3/+4
and client_name when doing netlogon credential setup. Jeremy. (This used to be commit 37e6ef9389041f58eada167239fd022f01c5fecb)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison3-7/+7
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter5-101/+208
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10234: Add new auth module "auth_script" to allow valid users toJeremy Allison1-0/+155
be provisioned on demand - calls script with domain, username, challenge and LM and NT responses - passing the info through a pipe. Jeremy. (This used to be commit 67be4ee41cd244bcc0445cac7c9e1e2d40e93c9b)
2007-10-10r9588: remove netsamlogon_cache interface...everything seems to work fine. ↵Gerald Carter1-1/+0
Will deal with any fallout from special environments using a non-cache solution (This used to be commit e1de6f238f3981d81e49fb41919fdce4f07c8280)
2007-10-10r9252: 2 type fixes from Luke Mewburn <lukem@NetBSD.org>. Bugid #2934.Jeremy Allison1-1/+3
Jeremy. (This used to be commit c63ad85b8c1aedd04a65e46c27a6e2661093847a)
2007-10-10r8889: Another warningVolker Lendecke1-1/+1
(This used to be commit 9ae1098d211f5e687786abb8474b1c4210413f0f)
2007-10-10r8432: Fix #2077 - login to trusted domain doesn't allow home drive map and ↵Jim McDonough1-0/+3
login scripts to be executed. We were filling in our name as the server which processed the login, even when it was done by a trusted DC. Thanks to John Janosik <jpjanosi@us.ibm.com> for the fix. (This used to be commit 0446319a3b8096df385978449ffaa231bc5cfd0c)
2007-10-10r7956: Spelling mistake.Jeremy Allison1-1/+1
Jeremy. (This used to be commit f318c371077f28ace52f7d2b1517df0d15a0f05a)
2007-10-10r7882: Looks like a large patch - but what it actually does is make SambaJeremy Allison1-1/+1
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10r7450: fix my bone head mistake with ntlm authentcation and 'map to guest = ↵Gerald Carter2-9/+12
bad uid'; make sure the authentication suceeds (This used to be commit 5de1ffce2f2a0a340f6591939b8f63a3d96a627e)
2007-10-10r7395: * new feature 'map to guest = bad uid' (based on patch fromGerald Carter1-5/+15
aruna.prabakar@hp.com). This re-enables the Samba 2.2 behavior where a user that was successfully authenticated by a remote DC would be mapped to the guest account if there was not existing UNIX account for that user and we could not create one. (This used to be commit b7455fbf81f4e47c087c861f70d492a328730a9b)
2007-10-10r7372: abartet's patch for BUG 2391 (segv caused by free a static pointer)Gerald Carter2-4/+8
(This used to be commit 4cda2bd035276bd090bf0fbd4e3b2eff657a80cb)
2007-10-10r7243: Don't look at gencache.tdb for the trusted domains if winbind is around.Volker Lendecke1-4/+19
Volker (This used to be commit 94acb93f57b963bf137c6ddd644a147f4d0b5175)
2007-10-10r7130: remove 'winbind enable local accounts' code from the 3.0 treeGerald Carter1-30/+2
(This used to be commit 318c3db4cb1c85be40b2f812f781bcf5f1da5c19)
2007-10-10r7024: reverting mistaken commitGerald Carter1-13/+5
(This used to be commit c70c5c4ee9b14fbdb174f542607aceebe0e88470)
2007-10-10r7020: fixing printer ace values and getting rid of false compiler warning ↵Gerald Carter1-5/+13
about unitialized variable (This used to be commit 3a91b20e4bcc78c91932e6c4394b3f6f153b2ff5)
2007-10-10r6445: Make us survive the PARANOID_MALLOC_CHECKER. Should we enable that forVolker Lendecke2-6/+6
--enable-developer=yes? Volker (This used to be commit 61d40ac60dd9c8c9bbcf92e4fc57fe1d706bc721)
2007-10-10r6263: Get rid of generate_wellknown_sids, they are const static and ↵Volker Lendecke1-5/+0
initializable statically. Volker (This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9)
2007-10-10r6225: get rid of warnings from my compiler about nested externsHerb Lewis2-3/+5
(This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
2007-10-10r5655: Added support for Novell NDS universal password. Code donated byJeremy Allison1-1/+7
Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2007-10-10r5647: Caches are good for performance, but you get a consistency problem.Volker Lendecke1-0/+1
Fix bug # 2401. Volker (This used to be commit eb4ef94f244d28fe531d0b9f724a66ed3834b687)
2007-10-10r5562: * bump version to 3.0.12pre2Gerald Carter1-1/+1
* change special character in gd's valid workstation check to a '+' to be more in line with the characters used by valid users (This used to be commit 8bff0486508b9952c192345302b9313ac0b2270e)
2007-10-10r5528: Expand the invalid-workstation-scheme. Workstation-Names with leadingGünther Deschner1-1/+13
'@'-sign are expanded on-the-fly as posix-groups of workstations. This allows optional, more flexible login-control in larger networks. Guenther (This used to be commit 8f143b6800e0b6964c8ba4ba9607dc74da12ae59)
2007-10-10r5431: couple of cimpile fixes from Jason Mader <jason@ncac.gwu.edu> -- BUGS ↵Gerald Carter1-2/+0
2341 & 2342 (This used to be commit 0edcfc7fa20fd8e3273b29c8f1a97cb7c7179fb6)
2007-10-10r5385: when operating in security = domain, allow domain admins to manage ↵Gerald Carter1-1/+13
rigths assignments (This used to be commit fec9cb7daa9b780aab019c0e0d7f2692c168019f)
2007-10-10r5331: Support SIDs as %s replacements in the afs username map parameter.Volker Lendecke1-0/+33
Add 'log nt token command' parameter. If set, %s is replaced with the user sid, and %t takes all the group sids. Volker (This used to be commit e7dc9fde45c750013ad07f584599dd51f8eb8a54)
2007-10-10r5264: Log with loglevel 0 when account-administration scripts fail.Günther Deschner1-1/+1
Guenther (This used to be commit 3d391ef149639750db376b05528a27422f8a3321)
2007-10-10r4972: Fix a warning and some debugging-outputs.Günther Deschner1-1/+1
Guenther (This used to be commit 1eabfa050b661168b42892c2d841c7891e59cf5f)
2007-10-10r4805: Last planned change to the privileges infrastructure:Gerald Carter1-12/+3
* rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2007-10-10r4724: Add support for Windows privileges in Samba 3.0Gerald Carter1-15/+39
(based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2007-10-10r4579: small changes to allow the members og the Domain Admins group on the ↵Gerald Carter1-0/+29
Samba DC to join clients to the domain -- needs more testing and security review but does work with initial testing (This used to be commit 9ade9bf49c7125fb29658f943e9ebb6be9496180)
2007-10-10r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply.Günther Deschner1-3/+4
The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting acct_flags with bizarre values, breaking a lot of things. This patch is successfully running in a production environment for quite some time now and is required to finally allow Exchange 5.5 to access another Exchange Server when both are running on NT4 in a samba-controlled domain. This also allows Exchange Replication to take place, Exchange Administrator to access other Servers in the network, etc. Fixes Bugzilla #1136. Thanks abartlet for helping me with that one. Guenther (This used to be commit bd4c5125d6989cebc90152a23e113b345806c660)
2007-10-10r4236: More *alloc fixes.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 6b25a6e088390d33314ca69c8f17c869cec3904b)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison3-17/+17
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3705: Nobody has commented, so I'll take this as an ack...Volker Lendecke1-36/+16
abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2007-10-10r3616: Merge for 3.0.8.Andrew Bartlett1-3/+3
In auth_winbind, remove the push_utf8 calls, as this is no longer a UTF8 interface. (Removed from everywhere else earlier). Tested with ASCII - I tried to load the weird charset for testing, but it doesn't seem to work any more. Andrew Bartlett (This used to be commit cb27c197ee44d2be09014598e3928642b59ef956)
2007-10-10r3563: During a typical logon a modern workstation makes a lot of anonymous ↵Volker Lendecke1-1/+44
session setups on its way to open a pipe. This gets rid of many round-trips to the LDAP server during logon by setting up the server_info_guest once and not asking the LDAP server and nss every time. Make sure that the ldap connection is reopened in the child. (I did not look at the sql backends.) Volker (This used to be commit 3298f6105e6a88c9390cac02245c8f2eee1e5046)
2007-10-10r3140: * try to ensure consistent usage of the username map.Gerald Carter1-11/+23
Use the fully qualified DOMAIN\user format for 'security = domain|ads' and apply after authentication has succeeded. * also change fill_domain_username() to only lowercase the username and not the domain+username. This was a cosmetic fix only. makes the output more consistent with %D and %U. (This used to be commit 30ee2d5b0906d5cd73a8faf5170e5aebcc6d69c8)
2007-10-10r2899: Change some #if DEBUG_PASSWORD's to #ifdef DEBUG_PASSWORD.Tim Potter1-1/+1
Bugzilla #1903. (This used to be commit 1327d83d902b6a39096d387d734e73d85ed53f85)
2007-10-10r2703: Fix typo noticed by Igor Belyi <sambauser@katehok.ac93.org>Jeremy Allison1-1/+1
Jeremy. (This used to be commit ba69c7229c27e917a24e6d608d59e7c0bdd47551)
2007-10-10r2086: fix bug with winbindd_getpwnam() caused by Microsoft DC's not filling ↵Gerald Carter1-1/+1
in the username in the user_info3 (This used to be commit 4703a71fa88dff8bdc932f6c9af3a9d25a88938f)
2007-10-10r1780: Remove the UTC comment as it isn't.Jeremy Allison1-2/+2
Jeremy. (This used to be commit f454821ff5545a34704b149514da9064f73ca3ad)
2007-10-10r1778: Fix based on code from Richard Renard <rrenard@idealx.com> toJeremy Allison1-0/+42
enforce logon hours. ldap fixes to follow. Jeremy. (This used to be commit 9ce273ed662bd34987eaeedeeeb7cb1c99cd50a4)
2007-10-10r1492: Rework our random number generation system.Andrew Bartlett1-1/+1
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). Andrew Bartlett (This used to be commit 36741d3cf53a7bd17d361251f2bb50851cdb035f)
2007-10-10r1414: Memory leak fixes found by valgrind whilst checking the password ↵Jeremy Allison1-0/+6
history code. Error code paths were not freeing up some memory. Jeremy. (This used to be commit 7c4666e56c2c281e023c6483459cb9e8d4787d36)
2007-10-10r1370: BUG 1297 - prevent map_username() from being called twice during logonGerald Carter1-15/+17
(This used to be commit e1364ff774b62f46c0f50864695da49972352126)