summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2007-10-12Add become_root/unbecome_root around one call of getsampwsid()Michael Adam1-1/+6
in create_token_from_username(). This caused set_nt_acl to partially fail in certain circumstances. This is expected to bring an improvement to bug #4308. Michael (This used to be commit e68671b59500d7e1b645c80ee264c49893f8df84)
2007-10-10Add start of IPv6 implementation. Currently most of this is avoidingJeremy Allison1-1/+1
IPv6 in winbindd, but moves most of the socket functions that were wrongly in lib/util.c into lib/util_sock.c and provides generic IPv4/6 independent versions of most things. Still lots of work to do, but now I can see how I'll fix the access check code. Nasty part that remains is the name resolution code which is used to returning arrays of in_addr structs. Jeremy. (This used to be commit 3f6bd0e1ec5cc6670f3d08f76fc2cd94c9cd1a08)
2007-10-10[GLUE] Rsync SAMBA_3_2_0 SVN r25598 in order to create the v3-2-test branch.Gerald (Jerry) Carter1-9/+4
(This used to be commit 5c6c8e1fe93f340005110a7833946191659d88ab)
2007-10-10r25598: Add missing become_root/unbecome_root around calls of add_aliases.Michael Adam1-0/+4
This triggered a "cannot access LDAP when not root"-bug with "passdb backend = ldap" and "winbind nested groups = yes". This *might* be a step towards fixing bug #4308, since the failure was observerd when triggered by acl code. Michael (This used to be commit ba8c48244e140403b728d9a2ca297b40e8888964)
2007-10-10r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree.Gerald Carter1-1/+1
The translate_name() used by cli_session_setup_spnego() cann rely Winbindd since it is needed by the join process (and hence before Winbind can be run). (This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c)
2007-10-10r25401: BUG 4982: Don't delete lanman hashes on invalid logins whenGerald Carter1-4/+6
using the "lanman auth = no". Tested by Guenter Kukkukk. (This used to be commit 611fdd95a583ebd22ffa17e2f39c5a1bb0936c63)
2007-10-10r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags,Gerald Carter1-1/+1
and client fixes. Patch from Todd Stetcher <todd.stetcher@isilon.com>. (This used to be commit 8304ccba7346597425307e260e88647e49081f68)
2007-10-10r23928: Merge all "copy-info3-groups-to-sid-array" blocks to a ↵Günther Deschner1-32/+6
sid_array_from_info3() function. Guenther (This used to be commit 1e1e480115e37b3f4c85f979ddd800b8de0b9c57)
2007-10-10r23801: The FSF has moved around a lot. This fixes their Mass Ave address.Andrew Tridgell1-2/+1
(This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell13-26/+13
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison14-14/+14
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r23554: Fix bug #4711 by makeing cli_connect return an NTSTATUS.Jeremy Allison1-1/+6
Long overdue fix.... Jeremy. (This used to be commit 073fdc5a58139796dbaa7ea9833dca5308f11282)
2007-10-10r23530: Fix bugs #4678 and #4697 which had the same root cause.Jeremy Allison1-0/+54
In make_server_info_pw() we assign a user SID in our authoritative SAM, even though this may be from a pure "Unix User" that doesn't exist in the SAM. This causes lookups on "[in]valid users" to fail as they will lookup this name as a "Unix User" SID to check against the user token. Fix this by adding the "Unix User"\unix_username SID to the sid array. The correct fix should probably be changing the server_info->sam_account user SID to be a S-1-22 Unix SID, but this might break old configs where plaintext passwords were used with no SAM backend. Jeremy (This used to be commit 80d1da7e6cce451d3934751feaa6ad60a337e3db)
2007-10-10r23485: This checkin consists mostly of refactorings in preparation of theMichael Adam1-41/+0
activation of global registry options in loadparm.c, mainly to extract functionality from net_conf.c to be made availabel elsewhere and to minimize linker dependencies. In detail: * move functions registry_push/pull_value from lib/util_reg.c to new file lib/util_reg_api.c * create a fake user token consisting of builtin administrators sid and se_disk_operators privilege by hand instead of using get_root_nt_token() to minimize linker deps for bin/net. + new function registry_create_admin_token() in new lib/util_reg_smbconf.c + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c + adapt net_conf.c and Makefile.in accordingly. * split lib/profiles.c into two parts: new file lib/profiles_basic.c takes all the low level mask manipulation and format conversion functions (se_priv, privset, luid). the privs array is completely hidden from profiles.c by adding some access-functions. some mask-functions are not static anymore. Generally, SID- and LUID-related stuff that has more dependencies is kept in lib/profiles.c * Move initialization of regdb from net_conf.c into a function registry_init_regdb() in lib/util_reg_smbconf.c. Michael (This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e)
2007-10-10r23358: Fix from Justin Maggard <jmaggard@infrant.com> - ensure we don'tJeremy Allison1-1/+1
expire a password if it's explicitly set as ACB_PWNOTREQ. Jeremy. (This used to be commit 2ea5a6bd334e31201aa6f93f5c51e42924d36ebd)
2007-10-10r23095: Support systems that have their PAM headers in /usr/include/pam.James Peach1-0/+4
(This used to be commit f1e8de4b576b3954d456cb64c02417908bab8da4)
2007-10-10r22956: Fix security=server (bug #4622). Volker's patchJeremy Allison1-6/+0
(slightly truncated by me). Will be in 3.0.25a. Jeremy. (This used to be commit 039fb906af883a7ca1a68955f1b36b583fe1b698)
2007-10-10r22953: Well, this apparently has never been tested. But *this* code never saw aVolker Lendecke1-6/+5
release yet .... ;-)) (This used to be commit f93b6353fe18e2c992a3dad96afd1a4c16032c55)
2007-10-10r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; andVolker Lendecke5-13/+13
replace all data_blob(NULL, 0) calls. (This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
2007-10-10r22819: Fix Bug 4613. We just dumped the must change & friends. With theVolker Lendecke1-0/+24
pass_last_changed == 0 we now return "Change now!" instead of "Change never" (This used to be commit 450e4d94f64f86a3dd709265d15ed5082d4b53e8)
2007-10-10r22740: Move debug_*_user_token to token_utils.cVolker Lendecke2-47/+47
(This used to be commit 4ad9f8aa61cef94be8d38c6e91aac3a5c848f81f)
2007-10-10r22589: Make TALLOC_ARRAY consistent across all uses.Jeremy Allison1-5/+9
Jeremy. (This used to be commit 8968808c3b5b0208cbad9ac92eaf948f2c546dd9)
2007-10-10r22542: Move over to using the _strict varients of the tallocJeremy Allison1-5/+5
calls. No functional changes. Looks bigger than it is :-). Jeremy. (This used to be commit f6fa3080fee1b20df9f1968500840a88cf0ee592)
2007-10-10r22390: Patchset sent to samba-technical to address the winbindGerald Carter1-38/+10
loop when allocating a new id for a SID: auth_util.patch Revert create_local_token() to the 3.0.24 codebase idmap_type.patch Have the caller fillin the id_map.xid.type field when resolving a SID so that if we allocate a new id, we know what type to use winbindd_api.patch Remove the WINBINDD_SIDS_TO_XIDS calls from the public winbindd interface for the 3.0.25 release idmap_rid.patch Cleanup the idmap_rid backend to not call back into winbindd to resolve the SID in order to verify it's type. (This used to be commit 3b24dae9e73b244540a68b631b428a4d0f57440b)
2007-10-10r22135: Check in most of Michael Adam's net conf utility. A good share of ↵Volker Lendecke2-432/+458
this patch is moving functions around to fix some linker dependencies for the registry. Michael, I've renamed your auth_utils2.c to token_utils.c. Thanks! Volker (This used to be commit 9de16f25c1c3e0b203da47391772ef2e2fe291ac)
2007-10-10r22022: - Clarify the commentsAndrew Bartlett2-3/+3
- make sure never to free an uninitialised variable - ensure to free result on getpwnam_alloc failure Andrew Bartlett (This used to be commit 5fe3328e66661371182cc1c3b6e239797c3b4f93)
2007-10-10r22020: Make it more clear that both the vuser struct and it's contents areAndrew Bartlett2-8/+12
talloc_free()'ed at the end of a session. Rework the passwd cache code to use talloc_unlink and talloc_reference, to more carefully manage the cache. Andrew Bartlett (This used to be commit e3e0ec25e67308de314aa61852905ee42aa2c8fe)
2007-10-10r22001: change prototype of dump_data(), so that it takes unsigned char * now,Stefan Metzmacher3-7/+7
which matches what samba4 has. also fix all the callers to prevent compiler warnings metze (This used to be commit fa322f0cc9c26a9537ba3f0a7d4e4a25941317e7)
2007-10-10r21999: remove useless castsStefan Metzmacher1-6/+6
metze (This used to be commit f948005ca69c50b07fdbcf7801975676d19d1486)
2007-10-10r21940: Sorry Volker, I have to revert your revert in r21935.Gerald Carter1-1/+2
We can talk about this later if you still feel that strongly but I need to fix the build for now. (This used to be commit c7df0cad8257333c6a8dfd98818269a783ba7a26)
2007-10-10r21935: Revert obviously not sufficiently tested code -- sorry for the pain. ↵Volker Lendecke1-2/+1
I am afraid I was basically off the net for the day (This used to be commit 08c29abc03267b0dfb41cec3734653a536027a10)
2007-10-10r21878: Fix a bug with smbd serving a windows terminal server: If winbind ↵Volker Lendecke1-1/+2
decides smbd to be idle it might happen that smbd needs to do a winbind operation (for example sid2name) as non-root. This then fails to get the privileged pipe. When later on on the same connection another authentication request comes in, we try to do the CRAP auth via the non-privileged pipe. This adds a winbindd_priv_request_response() request that kills the existing winbind pipe connection if it's not privileged. Volker (This used to be commit e5741e27c4c22702c9f8b07877641fecc7eef39c)
2007-10-10r21870: Move sending auth_server keepalives out of the main loop into an ↵Volker Lendecke2-29/+61
idle event. Volker (This used to be commit 6226b30f38cd82531422815ba66a687aab50028d)
2007-10-10r21642: Fix bug 4365. Please note that this was only tested with Vista so ↵Volker Lendecke1-1/+1
far, it needs testing with other clients as well. I'm afraid I'm visiting a conference tomorrow and saturday, so I'd be happy to get support in this. Thanks, Volker (This used to be commit 2186e276a0f15457ee6b29ecf2d109d812628ff9)
2007-10-10r21536: Fix copy/paste typo.Günther Deschner1-1/+1
Guenther (This used to be commit 7edbb636f7caf43135f0320cc08ff18a34a80594)
2007-10-10r21383: More possible "security=share" fixes. If a clientJeremy Allison1-0/+3
is sending LMv2 make sure we test with the password blob in the LM field as well as the NT field. Jeremy. (This used to be commit a6b55beae7ae0c70cf955d01f51f881f9f962910)
2007-10-10r21128: Fix Vista connecting to Samba in share level security.Jeremy Allison1-4/+9
Vista sends the NTLMv2 blob by default in the tconX packet. Make sure we save off the workgroup the user was logged into on the client in the sessionsetupX and re-use it for the NTLMv2 calc. Jeremy. (This used to be commit 45dcf62960c2815c4d8e0c5f4a2d0af24df83290)
2007-10-10r20824: Send access to the trusted domain passwords through the pdb backend, ↵Volker Lendecke2-4/+3
so that in the next step we can store them in LDAP to be replicated across DCs. Thanks to Michael Adam <ma@sernet.de> Volker (This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d)
2007-10-10r20774: I thought I committed this before Xmas holidays ...Simo Sorce1-1/+1
This change is needed to make it possible to not expire caches in disconnected mode. Jerry, please can you look at this and confirm it is ok? Simo. (This used to be commit 9e8715e4e15d9cede8f4aa9652642995392617e6)
2007-10-10r20268: merge -r 20261:20263 from samba_3_0_24Herb Lewis1-0/+1
get rid of previous prototype warnings (This used to be commit 90265c83ff1c7f11672694ff005d8ecc5d4a867f)
2007-10-10r20237: Replace exit_server with exit_server_cleanly where appropriate. AllJames Peach1-1/+1
send_smb failures should be clean exits. All times when we exit as a matter of policy should also be clean exits. (This used to be commit d6382092e72120a3c89ffe81975e8898d454bf06)
2007-10-10r20169: Support for fallback to legacy mapping code was not completely tested.Simo Sorce1-10/+24
Add necessary fixes. (This used to be commit 4a81ee9608d45f95eaaccc78a080e717cb7d4682)
2007-10-10r20116: Start merging in the work done to create the new idmap subsystem.Simo Sorce1-7/+20
Simo. (This used to be commit 50cd8bffeeed2cac755f75fc3d76fe41c451976b)
2007-10-10r20098: Properly fix issues with create_token_from_username()Jeremy Allison1-6/+11
reported by James. Ensure that this function allocates everything on the temporary context except the return memory. Never call this with a null mem context, and now use conn->mem_ctx instead in smbd/service.c. Remove separate free functions for conn->ngroups and conn->nt_user_token as they are now always talloc'ed off the conn->mem_ctx. Future optimization will be to remove conn->mem_ctx and make all objects pointed to in the conn struct talloc'ed off conn itself. Easy to free then :-). Jeremy. (This used to be commit f83b6de44f1058811ff94ac72a8a71bd8e49e4e8)
2007-10-10r20090: Fix a class of bugs found by James Peach. EnsureJeremy Allison1-40/+77
we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2007-10-10r19991: Sorry for this 2000-liner...Volker Lendecke1-1/+1
The main thing here is a rewrite of srv_winreg_nt.c. The core functionality has moved to registry/reg_api.c which is then usable by the rest of Samba as well. On that way it fixes creating keys with more than one element in the path. This did not work before. Two things that sneaked in (sorry :-) is the change of some routines from NTSTATUS to WERROR the removed "parent" argument to regkey_open_internal. Volker (This used to be commit fea52801de8c7b85c578d200c599475680c5339f)
2007-10-10r19980: Implement pam account stack checks when obey pam restrictions is true.Simo Sorce4-3/+29
It was missing for security=server/domain/ads Simo. (This used to be commit 550f651499c22c3c11594a0a39061a8a9b438d82)
2007-10-10r19773: TALLOC_FREE checks for NULL itselfVolker Lendecke1-4/+1
(This used to be commit fb3983ae1fdd1935333ffee80bceb747228ac0f3)
2007-10-10r19058: Implement "user cannot change password", and complete "user must changeJim McDonough1-1/+1
password at next logon" code. The "password last set time" of zero now means "user must change password", because that's how windows seems to use it. The "can change" and "must change" times are now calculated based on the "last set" time and policies. We use the "can change" field now to indicate that a user cannot change a password by putting MAX_TIME_T in it (so long as "last set" time isn't zero). Based on this, we set the password-can-change bit in the faked secdesc. (This used to be commit 21abbeaee9b7f7cff1d34d048463c30cda44a2e3)
2007-10-10r19008: Fix a segfaultVolker Lendecke1-0/+1
(This used to be commit adfc82f0e6b12f8ccfe00f3ff49a089a4c936239)