path: root/source3/auth
Age | Commit message | Author | Files | Lines
2011-10-21 | s3-auth remove auth_ntlmssp_session_info() | Andrew Bartlett | 2 | -14/+0
Instead, call gensec_session_info() directly. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 | s3-auth move the s3 auth context onto gensec_ntlmssp once we start | Andrew Bartlett | 1 | -2/+2
We do not need it on the auth_ntlmssp_state any longer. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Oct 18 13:54:36 CEST 2011 on sn-devel-104
2011-10-18 | s3:auth_util: add the uid with WBC_ID_TYPE_BOTH also to the group array | Stefan Metzmacher | 1 | -2/+4
This will help with having "sidHistory" support in future. metze
2011-10-18 | gensec: move event context from gensec_*_init() to gensec_update() | Andrew Bartlett | 1 | -1/+2
This avoids keeping the event context around on the gensec_security context structure long term. In the Samba3 server, the event context we either supply is a NULL pointer as no server-side modules currently use the event context. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 | s3-ntlmssp Implement the server-side auth_ntlmssp code as a GENSEC module | Andrew Bartlett | 2 | -85/+228
This uses the top level gensec_ntlmssp helper functions which are identical to the parts of ntlmssp_wrap.c that are now not called. (Includes formatting and correctness fixes from Metze) Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 | ntlmssp: Move ntlmssp code to auth/ntlmssp | Andrew Bartlett | 1 | -1/+1
This brings in the code from both libcli/auth and source4/auth/ntlmssp. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 | s3-auth Add my copyright | Andrew Bartlett | 1 | -1/+1
I have done plenty of work here, I deserve some of the blame :-) Andrew Bartlett
2011-10-17 | Fix uninitialized memory problem in group_sids_to_info3 (fixes bug #8455). | Wilco Baan Hofman | 1 | -2/+2
Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Mon Oct 17 23:32:58 CEST 2011 on sn-devel-104
2011-10-17 | s3-auth: remove dead prototype. | Günther Deschner | 1 | -1/+0
Guenther
2011-10-14 | s3-auth: token_util needs system/passwd.h. | Günther Deschner | 1 | -0/+1
Guenther
2011-10-13 | s4-messaging: Pass the loadparm context, not just the messaging path | Andrew Bartlett | 1 | -1/+1
This will allow the TDB layer to get at the lp_ctx for tdb options. Andrew Bartlett
2011-10-11 | auth: move credentials layer to the top level | Andrew Bartlett | 1 | -1/+1
This will allow gensec_start.c to move to the top level. This does not change what code uses the cli_credentials code, but allows the gensec code to be more broadly. Andrew Bartlett
2011-09-23 | s3-winbindd: add support for idmap type WBC_ID_TYPE_BOTH | Andrew Tridgell | 1 | -1/+2
this allows the s3 code to understand and cache responses from the s4 winbindd which may include a single SID mapped to both a uid and a gid Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Michael Adam <obnox@samba.org> Autobuild-User: Michael Adam <obnox@samba.org> Autobuild-Date: Fri Sep 23 01:47:54 CEST 2011 on sn-devel-104
2011-09-19 | s4:auth - remove unused variables | Matthias Dieter Wallnöfer | 1 | -1/+0
Reviewed-by: Jelmer
2011-09-17 | s3: Fix bug 8455 -- Samba PDC is looking up only primary user group | Volker Lendecke | 1 | -7/+7
group_sids_to_info3 does a sid_peek_check_rid on the domain sid before adding the rids to the array. If the domain sid is 0x0, then the check will always fail. Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Sat Sep 17 00:51:27 CEST 2011 on sn-devel-104
2011-09-15 | s3:auth_server: make use of cli_state_server_challenge() | Stefan Metzmacher | 1 | -7/+5
metze
2011-09-15 | s3:libsmb: pass max_protocol to cli_negprot() | Stefan Metzmacher | 1 | -1/+1
metze
2011-09-13 | s3:auth_server: make use of cli_state_security_mode() | Stefan Metzmacher | 1 | -3/+9
metze
2011-09-12 | Move the talloc_move call until *after* the check on status. Don't want to move something that might be invalid. | Jeremy Allison | 1 | -3/+3
Makes the code match what is currently in 3.6.x. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Mon Sep 12 22:21:24 CEST 2011 on sn-devel-104
2011-09-12 | s3-auth: fix uninitialized server_info | Sumit Bose | 1 | -0/+4
Signed-off-by: Günther Deschner <gd@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Mon Sep 12 17:44:46 CEST 2011 on sn-devel-104
2011-09-08 | s3:libsmb: pass CLI_FULL_CONNECTION_* flags via cli_connect_nb() | Stefan Metzmacher | 1 | -4/+3
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Sep 8 10:21:50 CEST 2011 on sn-devel-104
2011-08-03 | s3-ntlmssp Remove a level of nesting in if/else statement | Andrew Bartlett | 1 | -3/+2
2011-08-03 | selftest: test plugin_s4_dc against all ncacn_np tests | Andrew Bartlett | 4 | -1/+41
Changes to the s3 epmapper behaviour seem to have fixed the rest of these tests. Andrew Bartlett
2011-08-03 | s3-ntlmssp clarify session key behaviour after create_local_token() changes | Andrew Bartlett | 1 | -2/+1
2011-08-03 | s3-ntlmssp Remove auth_ntlmssp_state_destructor, use the talloc tree instead | Andrew Bartlett | 1 | -16/+5
2011-08-03 | s3-auth directly return the result of make_server_info_guest() | Andrew Bartlett | 1 | -2/+2
2011-08-03 | s3-auth rename auth_ntlmssp_steal_session_info() | Andrew Bartlett | 2 | -6/+6
There is no longer any theft of memory as the underlying routines now produce a new auth_session_info for this caller, allocating it on the supplied memory context. Andrew Bartlett
2011-08-03 | s3-auth Add function to start any GENSEC mech by OID | Andrew Bartlett | 2 | -5/+22
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 | s3-auth remove sanitized_username from auth_serversupplied_info | Andrew Bartlett | 2 | -23/+1
This structure element was only written to, not read. It is filled into the companion structure, auth_session_info() by create_local_token(). Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 | s3-auth set session_info->sanitized_username in create_local_token() | Andrew Bartlett | 4 | -15/+15
Rather than passing this value around the callers, and eventually setting it in register_existing_vuid(), we simply pass it to create_local_token(). This also removes the need for auth_ntlmssp_get_username(). Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 | s3-ntlmssp Split auth_ntlmssp_start into two functions | Andrew Bartlett | 2 | -13/+17
This helps map on to the GENSEC semantics better, and ensures that the full set of desired features are set before the mechanism starts. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 | s3-ntlmssp Split calls to gensec plugin into prepare and start | Andrew Bartlett | 3 | -17/+18
GENSEC has the concept of starting the GENSEC subsystem before starting the actual mechanism. Between these two stages is when most context methods are called, to specify credentials and features. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 | s3-auth Add hook to start a GENSEC mech to auth_samba4 | Andrew Bartlett | 2 | -1/+89
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 | s3-ntlmssp Add hooks to optionally call into GENSEC in auth_ntlmssp | Andrew Bartlett | 1 | -13/+36
This allows the current behaviour of the NTLMSSP code to be unchanged while adding a way to hook in an alternate implementation via an auth module. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 | s3-auth Allow auth modules to provide an initialised GENSEC context | Andrew Bartlett | 1 | -2/+9
This will allow auth plugins such as auth_samba4 to provide an initialised GENSEC context to auth subsystem callers. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 | s3-auth Use else if in do_map_to_guest_server_info | Andrew Bartlett | 1 | -3/+1
This means we can't ever call make_server_info_guest() twice. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 | s3-auth Move map to guest to directly after the check_password calls | Andrew Bartlett | 3 | -0/+40
This means we no longer need two different map to guest functions and have consistent logic with fewer layering violations. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-02 | s3:auth_server: make use of cli_state_protocol() | Stefan Metzmacher | 1 | -1/+1
metze
2011-07-23 | Fix bug 8314 - smbd crash with unknown user. | Jeremy Allison | 1 | -4/+11
All other auth modules cope with being called with auth_method->private_data being NULL, make the auth_server module cope with this too. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Sat Jul 23 02:55:01 CEST 2011 on sn-devel-104
2011-07-22 | s3:auth_server: make use of cli_state_remote_name() | Stefan Metzmacher | 1 | -6/+7
metze
2011-07-22 | s3:auth_domain: we already have the dc_name, it's the same as cli->desthost | Stefan Metzmacher | 1 | -1/+1
metze
2011-07-22 | s3:auth_domain: add some const to sockaddr_storage | Stefan Metzmacher | 1 | -2/+2
metze
2011-07-22 | Fix const warning. | Jeremy Allison | 1 | -2/+5
Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Fri Jul 22 01:58:39 CEST 2011 on sn-devel-104
2011-07-20 | s3-auth fix dummy function in the not-with-kerberos case | Andrew Bartlett | 1 | -1/+1
2011-07-20 | s3-auth Replace False with false in auth_util.c | Andrew Bartlett | 1 | -10/+10
Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Jul 20 02:31:15 CEST 2011 on sn-devel-104
2011-07-20 | s3-auth Replace True with true in auth_util.c | Andrew Bartlett | 1 | -12/+12
2011-07-20 | s3-auth Fix spelling | Andrew Bartlett | 1 | -7/+7
2011-07-20 | s3-auth Remove pointless destructor in make_server_info | Andrew Bartlett | 1 | -10/+0
All the callers allocate ->info3 as a talloc child already. As regards the TALLOC_ZERO(), I added this originally out of paranoia many years ago. We do not consistently zero session keys in memory, and for NTLMv2 and Kerberos they are random for each session, so breaking into smbd far enough to read an old session key isn't a particularly interesting attack, compared with (say) reading the keytab or the password database. (NTLM and LM session keys are fixed derivatives of the passwords however). Andrew Bartlett
2011-07-20 | s3-auth inline make_auth_session_info into only caller | Andrew Bartlett | 3 | -25/+1
2011-07-20 | s3-auth Remove separate guest boolean | Andrew Bartlett | 1 | -3/+2
Instead, we base our guest calculations on the presence or absence of the authenticated users group in the token, ensuring that we have only one canonical source of this important piece of authorization data Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>