path: root/source3/auth
Age  Commit message  [Author; Files; Lines]
2013-04-09  BUG 9139: Fix the username map optimization.  [Andreas Schneider; 1 file; -4/+8]
    If we successfully map a user, we call set_last_from_to(user_in, unixname); in the while loop reading the map file. After a successful map we don't stop and continue the loop to check all other mappings in the username mapfile. But when we hit the end of the file and leave the loop we call: set_last_from_to(user_in, user_in); This overwrites the successful mapping, and the next time we call map_username() we skip the username and no mapping is done.
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Günther Deschner <gd@samba.org>
2013-02-28  Fix bug #9039 'map untrusted to domain' treats WORKSTATION as bogus domain.  [Daniel Kobras; 1 file; -1/+2]
    s3: never try to map global SAM name
    Do not treat the global SAM name as a BOGUS domain, and exempt local users from mapping, instead. This change reinstates the exact mapping behaviour of Samba 3.2 if parameter 'map untrusted to domain' is set.
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-05  s3:auth small optimization in create_token_from_sid  [Christian Ambach; 1 file; -3/+5]
    save some calls to lp_idmap_default_range(), calling it once is enough
    Signed-off-by: Christian Ambach <ambi@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
    Autobuild-User(master): Michael Adam <obnox@samba.org>
    Autobuild-Date(master): Tue Feb 5 19:14:25 CET 2013 on sn-devel-104
2013-02-05  s3:auth: use new lp_idmap_default_range() instead of lp_idmap_gid() in create_token_from_sid()  [Michael Adam; 1 file; -2/+2]
    Signed-off-by: Michael Adam <obnox@samba.org>
    Reviewed-by: Christian Ambach <ambi@samba.org>
2013-02-01  s3:auth: wbcAuthenticateEx gives unix times (bug #9625)  [Stefan Metzmacher; 1 file; -3/+3]
    We also need to convert last_logon, last_logoff and acct_expiry from unix time to nt time. Otherwise a windows member server will reject clients (using CAP_DYNAMIC_REAUTH or smb2) with STATUS_NETWORK_SESSION_EXPIRED, if the logoff and kickoff time is expired.
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Fri Feb 1 18:42:42 CET 2013 on sn-devel-104
2012-12-12  s3-auth: Make sure we work on valid data_blobs.  [Andreas Schneider; 1 file; -2/+2]
    Found by Coverity.
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Guenther Deschner <gd@samba.org>
2012-12-11  s3:auth: Tidy up some of the API confusion in create_token_from_XXX() calls.  [Jeremy Allison; 1 file; -6/+9]
    Based on Michael's example, split out the return of NT_STATUS_NO_MEMORY on talloc fail from other possible errors. Allow the NTSTATUS return to be the only valid indication of success in these calls.
    Signed-off-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Tue Dec 11 20:04:25 CET 2012 on sn-devel-104
2012-12-11  s3:auth: fix dereference level in talloc checks in create_token_from_sid()  [Michael Adam; 1 file; -2/+2]
    Commit c5b150b33fc54ed97dbd0736cc6f4c15977d6e70 introduced these checks. The current check "found_username == NULL" is wrong (we would segfault earlier in this case). We need to check *found_username == NULL instead as noted by Günter.
    Reported-by: Günter Kukkukk <linux@kukkukk.com>
    Signed-off-by: Michael Adam <obnox@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
2012-12-11  s3:auth: fix function header comment for user_sid_in_group_sid()  [Michael Adam; 1 file; -1/+1]
    This is embarrassing: the commit 0770a4c01bef26ec51321cd5b97aea4eab9e00a8 which intended to fix an earlier copy'n'paste error, contained another typo, fixed with this commit...
    Signed-off-by: Michael Adam <obnox@samba.org>
    Autobuild-User(master): Volker Lendecke <vl@samba.org>
    Autobuild-Date(master): Tue Dec 11 00:04:45 CET 2012 on sn-devel-104
2012-12-10  s3:auth: fix create_token_from_sid() to not fail in the winbindd case  [Michael Adam; 1 file; -2/+10]
    Commit 1c3c5e2156d9096f60bd53a96b88c2f1001d898a which factored the sid-based variant out of create_token_from_username() broke the case of a user handled by winbindd in that the "found_username" was set to NULL which caused the function to fail with NT_STATUS_NO_MEMORY further down. This patch fixes the function so that the case of found_username == NULL is cleanly separated from the NO_MEMORY case and the caller can provide the username in this case, if required. This fixes bug #9457.
    Signed-off-by: Michael Adam <obnox@samba.org>
    Autobuild-User(master): Volker Lendecke <vl@samba.org>
    Autobuild-Date(master): Mon Dec 10 18:18:54 CET 2012 on sn-devel-104
2012-12-10  s3:auth: fix header comment for user_sid_in_group_sid()  [Michael Adam; 1 file; -2/+2]
    This function was created in 1c3c5e2156d9096f60bd53a96b88c2f1001d898a and the header comment contained copy'n'paste errors from the original function user_in_group_sid() that took the user name.
    Signed-off-by: Michael Adam <obnox@samba.org>
2012-12-09  s3-auth: remove crypto from serverinfo_to_SamInfoX calls.  [Günther Deschner; 3 files; -29/+1]
    All crypto is dealt with within the netlogon samlogon server now.
    Guenther
    Signed-off-by: Günther Deschner <gd@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-09  s3-auth: session keys in validation level 6 samlogon replies are *not* encrypted.  [Günther Deschner; 1 file; -8/+0]
    Guenther
    Signed-off-by: Günther Deschner <gd@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-09  s3-rpc_server: support AES for interactive netlogon samlogon password decryption.  [Günther Deschner; 2 files; -35/+2]
    Still need to fix AES support for the returned validation info.
    Guenther
    Signed-off-by: Günther Deschner <gd@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-11-12  Use work around for 'winbind use default domain' only if it is set  [Sumit Bose; 1 file; -1/+2]
    Currently in smb_getpwnam() the NetBIOS domain name and the winbind separator character is always added to the user name returned by Get_Pwnam_alloc() if it does not contain the winbind separator character. As comments in the code indicate this is done as a work around if 'winbind use default domain' is set to yes in the samba configuration. This makes sense if the option is set because otherwise the domain information is lost from the user name. But it causes errors if services other than winbind are used for user lookup, e.g. sssd. sssd can handle different kinds of fully qualified user names as input, e.g. user@domain.name or DOM\user, but returns a canonical name, by default user@domain.name. While it would be possible to get around this issue with a special configuration either on the sssd or samba side I think the cleaner solution is to use the work around only if 'winbind use default domain' is set to yes, which is what this patch does.
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Alexander Bokovoy <ab@samba.org>
    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Mon Nov 12 15:54:15 CET 2012 on sn-devel-104
2012-10-19  s3: Fix a typo  [Volker Lendecke; 1 file; -1/+1]
2012-10-19  s3:auth: use const in smb_pam_xxx_session()  [Gregor Beck; 2 files; -6/+6]
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Michael Adam <obnox@samba.org>
2012-10-19  s3:auth: remove duplicate prototypes for smb_pam_claim_session and smb_pam_close_session  [Michael Adam; 1 file; -2/+0]
    Signed-off-by: Michael Adam <obnox@samba.org>
2012-10-18  BUG #9295: Build standard auth modules as internal modules.  [Andreas Schneider; 1 file; -8/+4]
    Signed-off-by: Andreas Schneider <asn@samba.org>
2012-09-16  s3:auth fix a compiler warning  [Christian Ambach; 1 file; -3/+2]
2012-08-10  s3-smbd: Create a shortcut for building the token of a user by SID for posix_acls  [Andrew Bartlett; 2 files; -47/+143]
    When a user owns a file, but does not have specific permissions on that file, we need to make up the user permissions. This change ensures that the first thing that we do is to look up the SID, and confirm it is a user. Then, we avoid the getpwnam() and directly create the token via the SID.
    Andrew Bartlett
    Signed-off-by: Jeremy Allison <jra@samba.org>
2012-08-09  Correctly check for errors in strlower_m() returns.  [Jeremy Allison; 5 files; -7/+17]
2012-08-09  Check error returns from strupper_m() (in all reasonable places).  [Jeremy Allison; 1 file; -1/+3]
2012-07-24  lib/param: Move all enum declarations to lib/param  [Andrew Bartlett; 3 files; -0/+3]
    This is in preparation for the parameter table being made common.
    Andrew Bartlett
    Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2012-07-19  s3-auth Use correct RID for domain guests primary group  [Andrew Bartlett; 1 file; -1/+1]
    This was incorrect in commit 9dd7e7fc2d6d1aa7f3c3b741ac134e087ce808fd as the RID was from the BUILTIN domain, but this creates a guest account token for the real domain.
    Andrew Bartlett
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Thu Jul 19 05:56:28 CEST 2012 on sn-devel-104
2012-07-19  Revert "s3:auth make sure the primary group sid is usable"  [Andrew Bartlett; 1 file; -30/+13]
    This reverts commit 00089fd74af740f832573d904312854e494a869e. The issue with this patch, which I did sign off on, is that for the domain member case, we already know that the SID is reasonable and valid, and we indeed rely on that, because we keep it as an additional group anyway. The primary group is not so special that we need to do extra validation. Calling this function may put a user into the domain 'domain users' group, even if they are not in that group to start with.
    Andrew Bartlett
2012-07-18  loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *.  [Rusty Russell; 3 files; -7/+7]
    They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to use talloc_tos(). A simple patch, but hits a lot of files.
    Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-07-13  s3-auth_samba4: Explain that check_samba4_security is actually unused  [Andrew Bartlett; 1 file; -0/+10]
    Because of the evolution in the way the auth handling has been done, we do not need this code any more. Raw NTLM Session setup & X is done via the auth4 context which returns a full session info.
    Andrew Bartlett
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Fri Jul 13 10:04:05 CEST 2012 on sn-devel-104
2012-07-13  s3-auth Remove unused global_machine_account_needs_changing  [Andrew Bartlett; 1 file; -66/+0]
    This boolean was only set if the old machine account store (with an MD4 hash in it) was returned. We have not set that password type for years. If this call ever worked, it would store a plaintext password, so we could only ever be here if we had set a password using a version of Samba so old as not to store plaintext, and then never honored the flag anyway.
    Andrew Bartlett
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Fri Jul 13 07:52:40 CEST 2012 on sn-devel-104
2012-07-13  s3-auth Remove confusing reference to global_machine_password_needs_changing  [Andrew Bartlett; 1 file; -8/+0]
    This is in the trusted domain codepath, not the primary domain code path.
    Andrew Bartlett
2012-07-12  s3: rename sid_check_is_in_our_domain() to sid_check_is_in_our_sam()  [Michael Adam; 1 file; -1/+1]
    This does not check whether the given sid is in our domain, but whether it belongs to the local sam, which is a different thing on a domain member server.
    Autobuild-User(master): Michael Adam <obnox@samba.org>
    Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104
2012-07-06  auth: Common function for retrieving PAC_LOGIN_INFO from PAC  [Christof Schmitt; 1 file; -26/+2]
    Several functions use the same logic as kerberos_pac_logon_info. Move kerberos_pac_logon_info to common code and reuse it to remove the code duplication.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-03  auth: Remove .get_challenge (only used for security=server)  [Andrew Bartlett; 4 files; -116/+6]
    With NTLMSSP, for NTLM2 we need to be able to set the effective challenge, so if we ever did use a module that needed this functionality, we would downgrade to just NTLM. Now that security=server has been removed, we have no such module. This will make it easier to make the auth subsystem async, as we will not need to consider making .get_challenge async.
    Andrew Bartlett
2012-06-27  s3-param: Rename loadparm_s3_context -> loadparm_s3_helpers  [Andrew Bartlett; 2 files; -4/+4]
    This helps clarify the role of this structure and wrapper function. The purpose here is to provide helper functions to the lib/param loadparm_context that point back at the s3 lp_ functions. This allows a struct loadparm_context to be passed to any point in the code, and always refer to the correct loadparm system. If this has not been set, the variables loaded in the lib/param code will be returned. As requested by Michael Adam.
    Andrew Bartlett
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Wed Jun 27 17:11:16 CEST 2012 on sn-devel-104
2012-06-19  s3-auth: make_new_system_info_session() now does not query nss  [Andrew Bartlett; 1 file; -1/+3]
    This is important in some situations where these queries might be costly LDAP queries and is just not required for the system token. This is because the system token should be just the NT AUTHORITY\SYSTEM user and just enough unix info to allow the token to be used.
    Andrew Bartlett
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Tue Jun 19 13:34:28 CEST 2012 on sn-devel-104
2012-06-19  s3-auth: make_new_system_info_session() not query passdb  [Andrew Bartlett; 1 file; -47/+39]
    This is important in some situations where these queries might be costly LDAP queries and is just not required for the system token. This is because the system token should be just the NT AUTHORITY\SYSTEM user and just enough unix info to allow the token to be used. We query only NSS to get the name of sec_initial_uid()
    Signed-off-by: Andreas Schneider <asn@samba.org>
2012-06-19  s3-auth: inline make_session_info functions into only callers  [Andrew Bartlett; 1 file; -74/+35]
    With the split up to handle system specially, there is no need for these static helper functions any more.
    Andrew Bartlett
    Signed-off-by: Andreas Schneider <asn@samba.org>
2012-06-19  auth: Use only security_token_is_system to determine that a user is SYSTEM  [Andrew Bartlett; 1 file; -4/+0]
    This removes the duplication on how to detect that a user is system in Samba; now that the smbd system account is also only SID_NT_SYSTEM we can use the same check everywhere.
    Andrew Bartlett
    Signed-off-by: Andreas Schneider <asn@samba.org>
2012-06-19  s3-auth: Fix system token as just being SID_NT_SYSTEM  [Andrew Bartlett; 1 file; -0/+3]
    This removes the SID matching the sec_initial_uid().
    Andrew Bartlett
    Signed-off-by: Andreas Schneider <asn@samba.org>
2012-06-16  s3-auth: Remove auth_netlogond  [Andrew Bartlett; 3 files; -459/+0]
    auth_netlogond was an important module in the development of the combined Samba 4.0, and was the first module to link smbd with the AD authentication store, showing that it was possible for NTLM authentication to be offloaded to the AD server components. We now have auth_samba4, which provides the full GENSEC stack to smbd, which also matches exactly the group membership and privileges assignment and which is supported and tested as part of the official Samba 4.0 release configuration.
    Andrew Bartlett
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Sat Jun 16 10:13:20 CEST 2012 on sn-devel-104
2012-06-15  s3-auth: rework default auth methods around the lp_server_role() parameter  [Andrew Bartlett; 1 file; -17/+23]
    To cover all the enum values, ROLE_ACTIVE_DIRECTORY_DOMAIN_CONTROLLER is mapped to the samba4 auth module, and this is no longer required to be specified in fileserver.conf.
    Andrew Bartlett
2012-06-15  s3-auth: Merge SEC_DOMAIN and SEC_ADS cases in creating the default auth module list  [Andrew Bartlett; 1 file; -7/+2]
2012-06-15  s3-auth: Fix system info3 return to be just SID_NT_SYSTEM  [Andrew Bartlett; 1 file; -11/+17]
    The SID for the SYSTEM token should be a fixed value, and not the administrator. Note however that it will be replaced by the SID of sec_initial_uid() by the create_local_token() code. Fixing this requires fixing the other parts of the code that cannot cope with a token of just SID_NT_SYSTEM.
    Andrew Bartlett
2012-06-15  s3-auth: Fix system token generation not to dereference pointer as an integer  [Andrew Bartlett; 1 file; -1/+1]
    This continues on from commit caaebb455cf955f66c2f662c53998c480cb2d6c9 which is marked as being part of bug #8944, ldapsam:trusted and ipasam and an additional fix for bug #8567 (0528cb5f3a15b72dcb34ece21a3ffb3e7b8d6eb9). The problem here was that the primary_gid was simply the pointer result of dom_sid_parse_talloc() cast to a uint32_t (found by the IRIX cc on the build farm).
    Andrew Bartlett
2012-06-15  s3-auth: Give the SYSTEM token all privileges  [Andrew Bartlett; 1 file; -0/+4]
2012-05-23  Introduce system MIT krb5 build with --with-system-mitkrb5 option.  [Alexander Bokovoy; 1 file; -2/+2]
    System MIT krb5 build is also enabled by specifying --without-ad-dc. When the --with-system-mitkrb5 (or --without-ad-dc) option is passed to top level configure in WAF build we are trying to detect and use system-wide MIT krb5 libraries. As a result, Samba 4 DC functionality will be disabled due to the fact that it is currently impossible to implement embedded KDC server with MIT krb5. Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
    * Samba 4 client libraries and their Python bindings
    * Samba 3 server (smbd, nmbd, winbindd from source3/)
    * Samba 3 client libraries
    In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture. This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
2012-05-15  s3-auth: Rename to init_system_session_info().  [Andreas Schneider; 2 files; -2/+2]
    Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date: Tue May 15 13:56:00 CEST 2012 on sn-devel-104
2012-05-15  s3-auth: Don't lookup the system user in pdb.  [Andreas Schneider; 1 file; -4/+95]
    This fixes bug #8944, ldapsam:trusted and ipasam. It is an additional fix for bug #8567 (0528cb5f3a15b72dcb34ece21a3ffb3e7b8d6eb9).
2012-05-15  s3:auth: remove unused auth_server.c  [Stefan Metzmacher; 3 files; -500/+0]
    metze
2012-05-15  s3-auth: remove "security=server" (deprecated since 3.6)  [Stefan Metzmacher; 1 file; -6/+0]
    "security=server" has a lot of problems in the world with modern security (ntlmv2 and krb5). It was also not very reliable, as it needed a stable connection to the password server for the lifetime of the whole client connection! Please use "security=domain" or "security=ads" if you authenticate against remote servers (domain controllers).
    metze

                 --------------
                /              \
               /      REST      \
              /        IN        \
             /       PEACE        \
            /                      \
            |      SEC_SERVER      |
            |   security=server    |
            |                      |
            |                      |
            |        12 May        |
            |                      |
            |         2012         |
           *|      *   *   *       | *
     _________)/\\_//(\/(/\)/\//\/\///|_)_______
"security=server" has a lot of problems in the world with modern security (ntlmv2 and krb5). It was also not very reliable, as it needed a stable connection to the password server for the lifetime of the whole client connection! Please use "security=domain" or "security=ads" is you authentication against remote servers (domain controllers). metze -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SERVER | | security=server | | | | | | 12 May | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______