| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Currently in smb_getpwnam() the NetBIOS domain name and the winbind separator
character is always added to the user name returned by Get_Pwnam_alloc() if it
does not contain the winbind separator character. As comments in the code
indicates this is done as a work around if 'winbind use default domain' is set
to yes in the samba configuration.
This make sense if the option is set because otherwise the domain information is
lost from the user name. But it causes errors if other services than winbind are
used for user lookup, e.g. sssd. sssd can handle different kind of fully
qualified user names as input, e.g. user@domain.name or DOM\user, but returns a
canonical name, by default user@domain.name.
While it would be possible to get around this issue with a special configuration
either on the sssd or samba side I think the cleaner solution is to use the work
around only if 'winbind use default domain' is set to yes which is what this
patch does.
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Nov 12 15:54:15 CET 2012 on sn-devel-104
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
|
|
smb_pam_close_session
Signed-off-by: Michael Adam <obnox@samba.org>
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
|
|
posix_acls
When a user owns a file, but does not have specific permissions on that file, we need to
make up the user permissions. This change ensures that the first thing that we do
is to look up the SID, and confirm it is a user. Then, we avoid the getpwnam()
and directly create the token via the SID.
Andrew Bartlett
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
|
|
|
|
This is in preperation for the parameter table being made common.
Andrew Bartlett
Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
|
|
This was incorrect in commit 9dd7e7fc2d6d1aa7f3c3b741ac134e087ce808fd
as the RID was from the BUILTIN domain, but this creates a guest
account token for the real domain.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jul 19 05:56:28 CEST 2012 on sn-devel-104
|
|
This reverts commit 00089fd74af740f832573d904312854e494a869e.
The issue with this patch, which I did sign off on, is that for the
domain member case, we already know that the SID is reasonable and
valid, and we indeed rely on that, because we keep it as an additonal
group anyway. The primary group is not so special that we need to do
extra validation.
Calling this function may put a user into the domain 'domain users'
group, even if they are not in that group to start with.
Andrew Bartlett
|
|
They use talloc_tos() internally: hoist that up to the callers, some
of whom don't want to us talloc_tos().
A simple patch, but hits a lot of files.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
|
|
Because of the evolution in the way the auth handling has been done, we do not
need this code any more. Raw NTLM Session setup & X is done via the auth4 context
which returns a full session info.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 13 10:04:05 CEST 2012 on sn-devel-104
|
|
This boolean was only set if the old machine account store (with an
MD4 hash in it) was returned. We have not set that password type for
years. If this call ever worked, it would store a plaintext password,
so we could only ever be here if we had set a password using a version
of Samba so old as not to store plaintext, and then never honered the
flag anyway.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 13 07:52:40 CEST 2012 on sn-devel-104
|
|
This is in the trusted domain codepath, not the primary domain code path.
Andrew Bartlett
|
|
This does not check whether the given sid is in our domain, but
but whether it belongs to the local sam, which is a different
thing on a domain member server.
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104
|
|
Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
With NTLMSSP, for NTLM2 we need to be able to set the effective challenge,
so if we ever did use a module that needed this functionlity, we would
downgrade to just NTLM.
Now that security=server has been removed, we have no such module.
This will make it easier to make the auth subsystem async, as we will
not need to consider making .get_challenge async.
Andrew Bartlett
|
|
This helps clarify the role of this structure and wrapper function.
The purpose here is to provide helper functions to the lib/param
loadparm_context that point back at the s3 lp_ functions. This allows
a struct loadparm_context to be passed to any point in the code, and
always refer to the correct loadparm system. If this has not been
set, the variables loaded in the lib/param code will be returned.
As requested by Michael Adam.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 27 17:11:16 CEST 2012 on sn-devel-104
|
|
This is important in some situations where these queries might be
costly LDAP queries and is just not required for the system token.
This is because the system token should be just the NT
AUTHORITY\SYSTEM user and just enough unix info to allow the token to
be used.
Andrew Bartlett
Signed-off-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 19 13:34:28 CEST 2012 on sn-devel-104
|
|
This is important in some situations where these queries might be
costly LDAP queries and is just not required for the system token.
This is because the system token should be just the NT
AUTHORITY\SYSTEM user and just enough unix info to allow the token to
be used.
We query only NSS to get the name of sec_initial_uid()
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
With the split up to handle system specially, there is no need for these
static helper functions any more.
Andrew Bartlett
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
This removes the duplication on how to detect that a user is system in Samba
now that the smbd system account is also only SID_NT_SYSTEM we can use the same
check everywhere.
Andrew Bartlett
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
This removes the SID matching the sec_initial_uid().
Andrew Bartlett
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
auth_netlogond was an important module in the development of the
combined Samba 4.0, and was the first module to link smbd with the AD
authentication store, showing that it was possible for NTLM
authentication to be offloaded to the AD server components.
We now have auth_samba4, which provides the full GENSEC stack to smbd,
which also matches exactly the group membership and privileges
assignment and which is supported and tested as part of the official
Samba 4.0 release configuration.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun 16 10:13:20 CEST 2012 on sn-devel-104
|
|
To cover all the enum values, ROLE_ACTIVE_DIRECTORY_DOMAIN_CONTROLLER
is mapped to the samba4 auth module, and this is no longer required to
be specified in fileserver.conf.
Andrew Bartlett
|
|
module list
|
|
The SID for the SYSTEM token should be a fixed value, and not the
administrator. Note however that it will be replaced by the SID of
sec_initial_uid() by the create_local_token() code. Fixing this
requires fixes the other parts of the code that cannot cope with a
token of just SID_NT_SYSTEM.
Andrew Bartlett
|
|
This continues on from commit caaebb455cf955f66c2f662c53998c480cb2d6c9
which is marked as being part of bug #8944, ldapsam:trusted and ipasam
and an additional fix for bug #8567
(0528cb5f3a15b72dcb34ece21a3ffb3e7b8d6eb9).
The problem here was that the primary_gid was simply the pointer result
of dom_sid_parse_talloc() cast to a uint32_t (found by the IRIX cc on
the build farm).
Andrew Bartlett
|
|
|
|
System MIT krb5 build also enabled by specifying --without-ad-dc
When --with-system-mitkrb5 (or --withou-ad-dc) option is passed to top level
configure in WAF build we are trying to detect and use system-wide MIT krb5
libraries. As result, Samba 4 DC functionality will be disabled due to the fact
that it is currently impossible to implement embedded KDC server with MIT krb5.
Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
* Samba 4 client libraries and their Python bindings
* Samba 3 server (smbd, nmbd, winbindd from source3/)
* Samba 3 client libraries
In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture.
This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
|
|
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Tue May 15 13:56:00 CEST 2012 on sn-devel-104
|
|
This fixes bug #8944, ldapsam:trusted and ipasam. It is an additional
fix for bug #8567 (0528cb5f3a15b72dcb34ece21a3ffb3e7b8d6eb9).
|
|
metze
|
|
"security=server" has a lot of problems in the world with
modern security (ntlmv2 and krb5). It was also not very
reliable, as it needed a stable connection to the password
server for the lifetime of the whole client connection!
Please use "security=domain" or "security=ads" is you
authentication against remote servers (domain controllers).
metze
--------------
/ \
/ REST \
/ IN \
/ PEACE \
/ \
| SEC_SERVER |
| security=server |
| |
| |
| 12 May |
| |
| 2012 |
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
|
|
#8798)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed May 9 19:36:01 CEST 2012 on sn-devel-104
|
|
|
|
|
|
This avoids the union in the struct wbcUnixId and moves us to using only struct unixid
internally.
Andrew Bartlett
Signed-off-by: Michael Adam <obnox@samba.org>
|
|
This is rather than just picking a random number out of the air.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Apr 30 11:29:34 CEST 2012 on sn-devel-104
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Otherwise, really simple clients (such as the current ntlm_auth gss-spnego client)
will not select krb5.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
|
The performance of these is minimal (these days) and they can return
invalid results when used as part of applications that do not use
sys_fork().
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Mar 24 21:55:41 CET 2012 on sn-devel-104
|
|
|
|
|
|
We already confirm that we have this functionality before we set HAVE_KRB5 at
configure time.
Andrew Bartlett
|
|
On LSA and SAMR pipes session_key is truncated to 16 byte when doing encryption/decryption.
However, this was not done for trusted domain-related modifying operations.
As result, Samba 4 client libraries do not work against Samba 3 while working
against Windows 2008 r2.
Solved this by introducing "session_extract_session_key()" function that allows to specify
intent of use of the key.
Signed-off-by: Andreas Schneider <asn@samba.org>
Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date: Tue Mar 13 12:23:44 CET 2012 on sn-devel-104
|
|
The ->get_ntlm_challenge and ->check_ntlm_password elements of struct auth_context
were only ever initialised to a single value. Make it easier to follow by
just calling the function directly.
Andrew Bartlett
|
