summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2004-02-21Add calls to password lockout functions. Should now work against tdbsam only.Jim McDonough1-0/+38
(This used to be commit 6ccb90acfd8591f6ef0d91b4ada89c5ad8ac98d5)
2004-02-02Remove bogus check. Cosmetics.Volker Lendecke1-5/+0
Volker (This used to be commit 3768b64c81879231a88c0f3235bfe8ecf29f3af8)
2004-01-15BUG 936: fix bind credentials for schannel binds in smbd (and add a comment ↵Gerald Carter1-4/+9
to winbindd_cm about this (This used to be commit c1174cf57b1b6fad03de23f6a4ff952671dc87d7)
2004-01-13sync HEAD with recent changes in 3.0Gerald Carter1-2/+2
(This used to be commit c98399e3c9d74e19b7c9d806ca8028b48866931e)
2004-01-07Fixes to doxygen comment.Rafal Szczesniak1-2/+5
(This used to be commit 4f92db99be8feaccebe654103dd6c227c66e5bdc)
2004-01-06(merge from 3.0)Andrew Bartlett1-2/+5
Change our Domain controller lookup routines to more carefully seperate DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 4c3bd0a99e464198d243da302ff1868189b4dcff)
2004-01-05(merge from 3.0)Andrew Bartlett1-1/+1
auth/auth_util.c: - Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occour in reality, hence why we missed the typo. lib/charcnv.c: lib/smbldap.c: libads/ldap.c: libsmb/libsmbclient.c: printing/nt_printing.c: - all the callers to pull_utf8_allocate() pass a char ** as the first parammeter, so don't make them all cast it to a void ** nsswitch/winbind_util.c: - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns stip the domain portion. - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is maniplated inside a procedure that uses it's former value. Instead, use the fact that our local domain is always the first in the list. -- Jerry rightly complained that we can't assume that the first domain is our primary domain - new domains are added to the front of the list. :-( Use a much more reliable 'flag test' instead. (note: changes winbind structures, make clean). -- Forgot to commit this for the 'get our primary domain' change. Andrew Bartlett (This used to be commit acacd27ba25f7ebfec40bfa66d34ece543569e23)
2004-01-05(merge from 3.0)Andrew Bartlett1-345/+1
Move our basic password checking code from inside the authentication subsystem into a seperate file - ntlm_check.c. This allows us to call these routines from ntlm_auth. The purpose of this exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to avoid talking to winbind. This should allow for easier debugging. ntlm_auth itself has been reorgainised, so as to share more code between the SPNEGO-wrapped and 'raw' NTLMSSP modes. A new 'client' NTLMSSP mode has been added, for use with a Cyrus-SASL module I am writing (based on vl's work) Andrew Bartlett (This used to be commit 2f196bb31ac83cf7922583063c74a5f679ca5be7)
2004-01-05(merge from 3.0)Andrew Bartlett1-148/+219
Refactor our authentication and authentication testing code. The next move will be to remove our password checking code from the SAM authentication backend, and into a file where other parts of samba can use it. The ntlm_auth changes provide for better use of common code. Andrew Bartlett (This used to be commit 0d97b10248347398fbee66767baac0c7adf6889d)
2003-12-19* add a few useful debug linesGerald Carter2-9/+30
* fix bug involving Win9x clients. Make sure we save the right case for the located username in fill_sam_account() (This used to be commit d22b4097d4c2bde7989af31ccb572871c6e63424)
2003-12-09Final part of fix for #445. Don't add user for machine accounts.Jeremy Allison1-0/+4
Jeremy. (This used to be commit 0785295fe067093ea1483fc19e30c63512018db3)
2003-12-06Fix for bug #445 (missing unix user on kerberos auth doesn't call add userJeremy Allison1-3/+13
script). Jeremy. (This used to be commit 881c5c60977d15b5d4b34fde8743deac80f11a99)
2003-11-23(Merge from 3.0)Andrew Bartlett2-2/+15
Patch by emil@disksites.com <Emil Rasamat> to ensure we always always free() each auth method. (We had relied on the use of talloc() only, despite providing the free() callback) Andrew Bartlett (This used to be commit 58c4963a8389dff4d925548217fabed1c9932abd)
2003-11-22(merge from 3.0)Andrew Bartlett4-30/+142
Changes all over the shop, but all towards: - NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... Andrew Bartlett (This used to be commit 57a895aaabacc0c9147344d097d333793b77c947)
2003-11-10Patch from Andrew Bartlett <abartlet@samba.org> for security=server coreJeremy Allison1-6/+8
dump if server goes away. Jeremy. (This used to be commit a646cb60a24498451d379967a1da272fcd40875f)
2003-11-09From 3_0:Volker Lendecke1-0/+1
Skip over the winbind separator when looking up a user. Volker (This used to be commit efe36a44d3d35f2bbb3381916dfdfda80560b67c)
2003-11-06run krb5 logins through the username map if the winbindd lookup fails; bug 698Gerald Carter1-4/+9
(This used to be commit f7798571178d18aae9c0be5f437838222bfc25b9)
2003-10-24Andrew Bartlett patch to cope with Exchange 5.5 cleartext pop password auth.Jeremy Allison1-0/+16
Jeremy. (This used to be commit 2d09d8c9d973f5f414d31f749db12328ff315de7)
2003-10-22Put strcasecmp/strncasecmp on the banned list (except for needed callsJeremy Allison1-1/+1
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit 5c050a735f86927c7ef2a98b6f3a56abe39e4674)
2003-10-20more 2.2.x compatibility fixes - allow user looksup in the kerb5Gerald Carter1-1/+25
sesssetup to fall back to 'user' instaed of failing is REA.LM\user doesn't exist. also fix include line in smb_acls.h as requested by metze (This used to be commit 5ccf6baad7ffb1f992aaf24b41ef5c83362cf613)
2003-10-07make sure to call get_user_groups() with the full winbindd name for a user ↵Gerald Carter2-11/+22
if he;she has one; bug 406 (This used to be commit 19925e3a04f421f4dcc469b701f3cc51ef98ac2c)
2003-09-09sync 3.0 into HEAD for the last timeGerald Carter7-108/+128
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
2003-08-02port latest changes from SAMBA_3_0 treeSimo Sorce5-14/+13
(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)
2003-07-16trying to get HEAD building again. If you want the codeGerald Carter11-518/+498
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE (This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
2003-05-28Spelling.Tim Potter1-1/+1
(This used to be commit e063c95bd5609e6aeade2d88e5cd9286d033971c)
2003-05-27volker's fix for crash when my_private_data == NULLGerald Carter1-2/+8
(This used to be commit 63bb1e21ebac68f904c01fb58ac7c06a9bcb8ab0)
2003-05-26Correctly initialize winbind auth method.Volker Lendecke1-0/+3
(This used to be commit 55cdb6b87850b483939a5d3edcd5be80be6f7493)
2003-05-15Patch from Luke Howard <lukeh@PADL.COM> that fixes some weird handling ofJelmer Vernooij1-9/+17
modules in auth/ (This used to be commit 3d804efe76335cd09640a82c0326dbf3eb83fe04)
2003-05-14spellingTim Potter1-2/+2
(This used to be commit 249a6974702d050644d6d61f33f0034ce2a689ee)
2003-05-01*id_to_*id call reshape to return NTSTATUS errorsSimo Sorce2-12/+14
plus internal fixes 1st stage (This used to be commit 6d036761e565bc93964bb3c939d5b7d78d5778a3)
2003-05-01Use ints for the version numbers in the smb_register_*() functions (patch by ↵Jelmer Vernooij1-1/+1
metze) (This used to be commit 3895571eeef81db7ce4c71e85b0be5c235b16efd)
2003-04-29This is a nice rewrite:Simo Sorce2-18/+18
SAM_ACCOUNT does not have anymore uid and gid fields all the code that used them has been fixed to use the proper idmap calls fix to idmap_tdb for first time idmap.tdb initialization. auth_serversupplied_info structure has now an uid and gid field few other fixes to make the system behave correctly with idmap tested only with tdbsam, but smbpasswd and nisplus should be ok have not tested ldap ! (This used to be commit 6a6f6032467e55aa9b76390e035623976477ba42)
2003-04-28Use NTSTATUS as return value for smb_register_*() functions and init_module()Jelmer Vernooij8-36/+43
function. Patch by metze with some minor modifications. (This used to be commit f4576757d1d52a8f1b96894c869bb76450003fd1)
2003-04-28Merge compile warning fixes from 3.0Andrew Bartlett1-1/+1
(This used to be commit c0903951a144b1f0502e77437ea166d7a26393ba)
2003-04-16Add some static and #ifdef DEVELOPERAndrew Bartlett1-3/+5
(This used to be commit 3bdbd320b001ea5881573f6c6a4c2259a60e2bb3)
2003-04-16Store the type of 'sec channel' that we establish to the DC. If we are aAndrew Bartlett1-2/+8
workstation, we have to use the workstation type, if we have a BDC account, we must use the BDC type - even if we are pretending to be a workstation at the moment. Also actually store and retreive the last change time, so we can do periodic password changes again (for RPC at least). And finally, a couple of minor fixes to 'net'. Andrew Bartlett (This used to be commit 6e6b7b79edae3efd0197651e9a8ce6775c001cf2)
2003-04-16Cause the winbind auth module to call the ntdomain module if winbind is notAndrew Bartlett2-42/+65
running. This causes Samba not to contact the NT domain controller if Winbind is there, but the user had the wrong password. Andrew Bartlett (This used to be commit 119a1c276a05d0017f39cc0b7118f12a4f51886e)
2003-04-07We never actually got an 'ads' auth module, so don't send the auth subsystemAndrew Bartlett1-1/+1
off on a wild probing spree looking for it. Andrew Bartlett (This used to be commit 7c7c5594b3dfd460d09bccd409ccbf64c6b42338)
2003-04-05some more idmapping :)Simo Sorce1-5/+7
(This used to be commit 5ac94535d7b7ce0cc0d44b9a77d6e42ddfd0cd26)
2003-04-02Map a useless error code to a useful one...Andrew Bartlett1-0/+5
(This used to be commit 1afb2695a020424d014c4dee9c6a73620281aaa8)
2003-03-25- Support building all auth modules as .so'sJelmer Vernooij1-1/+1
- Change 2 variable names to avoid conflicts (patch by Stephan Kulow <coolo@kde.org>) (This used to be commit 71b05cd14ae6df8340730e7bad1c783dc278c5d3)
2003-03-25Make auth.c compile again. I'm not sure what this does though...Volker Lendecke1-2/+3
Volker (This used to be commit 8e3f300f21e23b7e6b68ddcc45d581a962cd8aa4)
2003-03-24- Add support to auth/ for the new modules systemJelmer Vernooij8-81/+103
- Quite some small fixes (also fixes the build) (This used to be commit 3defbd5e0633acfa4631531b49601c7706072d86)
2003-03-23Fix compile.Andrew Bartlett1-2/+2
(This used to be commit 6fbee12a8170e0bce4e94806105786b38160ada5)
2003-03-23NTLM Authentication:Andrew Bartlett2-7/+3
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit dcdc75ebd89f504a0f6e3a3bc5b43298858d276b)
2003-03-19Fix some comment typosJelmer Vernooij1-2/+2
(This used to be commit 41ea416adbc074f3a34b66c18ed63c7d44ea28fc)
2003-03-15Now that mimir has done the grunt work, I'll fix up the commentAndrew Bartlett1-4/+1
(This used to be commit 7154fe10969a34b97ddc8321bfb5271b8e6d4795)
2003-03-14Extending code to work both in case of domain membershipRafal Szczesniak1-1/+1
and domain controller respecting interdomain trust relationships. In the latter case we need to find DC of remote domain instead of ours. In the former 'domain' is our domain name. Rafal (This used to be commit 0cd45d5d3b3e3ec5a589c3ee9f0e369901eefe8f)
2003-03-14Fresh meat in trusted domains code:Rafal Szczesniak1-20/+6
- packing/unpacking utility functions for trusted domain password struct; can be used to prepare buffer to store in secrets.tdb or (soon) passdb backend - similiar functions for DOM_SID - respectively modified secrets_(fetch|store) routines - new auth mapping code utilising introduced is_trusted_domain function - added tdb (un)packing of single bytes Rafal (This used to be commit 5281ee7e84421b9be746aed2f1718ceaf2a2fe3d)
2003-03-08Make sure that the 'remote' machine name can only be set once. For some weirdAndrew Bartlett1-1/+1
reason, during a Win2003 installation, when you select 'domain join' it sends one machine name in the name exchange, and litraly 'machinename' during the NTLMSSP login. Also fix up winbindd's logfile handling, so that it matches smbd and nmbd. (This helps me, by seperating the logs by pid). Andrew Bartlett (This used to be commit afe5a3832f79131fb74461577f1db0e5e8bf4b6d)