summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2003-02-04Actually checking both the account and password tests would be a good idea...Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit 49640635b15f53be6bb28d3d79255abe10c207dd)
2003-01-16Updates to the NTLMSSP code again - moving the base64 decode fuctionality outAndrew Bartlett1-4/+5
of the SWAT code, and adding a base64 encoder. The main purpose of this patch is to add NTLMSSP support to 'ntlm_auth', for use with Squid. Unfortunetly the squid side doesn't quite support what we need yet. Changes to winbind to get us the info we need, and a couple of consequential changes/cleanups in the rest of the code. Andrew Bartlett (This used to be commit fe50ca8f54ded2e119bde08831785fbe0db2ee99)
2003-01-15Missed auth_ntlmssp.c in last night's checkin. Also keep track of the currentAndrew Bartlett1-225/+78
challenge in the NTLMSSP context. Andrew Bartlett (This used to be commit ba13e058d4533b1ffba723b9e98e95090ad63d85)
2003-01-15Crash fixes:Andrew Bartlett1-0/+1
- fix a crash when a second NTLMSSP session tried to free the first - fix a crash due to some NULL pointers in the Add Printer Wizard (or read printer code too it appears). As far as I can tell it's just that the GUID just might not exist. Andrew Bartlett (This used to be commit 51b1413056b0d001076ff47a755eb35baa2d9e6d)
2003-01-13Missing indirect in final free.Jeremy Allison1-2/+2
Jeremy. (This used to be commit faf443e5198e270f1a60d7a0939074efca750a94)
2003-01-13Always initialise this variable - and don't set the 'must change now' if it wasAndrew Bartlett1-1/+2
last changed at '0'. We need to actually change this password sometime... Andrew Bartlett (This used to be commit 740bf439d2d1512127c873cf0e57697161d6566b)
2003-01-13Patch from metze to add what he feels is the correct semantics for a DomainAndrew Bartlett2-0/+44
Controller. As we have had a number of attempts at this over the last little while, I need to get my test rig going, and give this whole area a poke... Meanwhile, if you want to use this, just adjust your 'auth methods' line to use samstrict_dc... Andrew Bartlett (This used to be commit 18e598ec24493026008fcfe486057555b8832108)
2003-01-13Updates to our NTLMSSP code:Andrew Bartlett2-1/+293
This tries to extract our server-side code out of sessetup.c, and into a more general lib. I hope this is only a temporay resting place - I indend to refactor it again into an auth-subsystem independent lib, using callbacks. Move some of our our NTLMSSP #defines into a new file, and add two that I found in the COMsource docs - we seem to have a double-up, but I've verified from traces that the NTLMSSP_TARGET_TYPE_{DOMAIN,SERVER} is real. This code also copes with ASCII clients - not that we will ever see any here, but I hope to use this for HTTP, were we can get them. Win2k authenticates fine under forced ASCII, btw. Tested with Win2k, NTLMv2 and Samba's smbclient. Andrew Bartlett (This used to be commit b6641badcbb2fb3bfec9d00a6466318203ea33e1)
2003-01-13Fix to debian bug #171071 - we had the wrong dereference on the pointer to beAndrew Bartlett1-4/+4
Realloc()ed, causing it to fail. Big thanks to Sandor Sonfeld <sonf@linuxmail.org> for the debug, stack and valgrind traces! Andrew Bartlett (This used to be commit 7abca6d281da6388899f78e3440d7ce37bf2094e)
2003-01-11Use size_t for the counter vars, to match the type they are assigned fromAndrew Bartlett1-3/+3
(signed/unsigned mixup). Andrew Bartlett (This used to be commit f42cf0783fa3aeddc4992021df9ee6f3b1aa58f3)
2003-01-05Clear up the auth_sam password checking code (the core of our password checkingAndrew Bartlett1-33/+58
routines). In particular, we now better support the NT# in LM feild, and the LMv2 password scheme. (LMv2 is basicly NTLMv2 capped at 24 bytes, slightly more secure, and in the LM feild for compatiblity). Thanks to the Samba-TNG team and Luke Leighton for various descriptions of this algorithm, and to MS for a solution that seems to actually make sense for once :-). Andrew Bartlett (This used to be commit 5c2e34b5b6a2241b8d2fd68458eb73bb65ade6fd)
2003-01-02We already have one function to move unistr2 -> multibyte-static, so weAndrew Bartlett1-5/+5
don't need a second just for pdb. Also, remove magic 'is lp_guest_account' test - the magic RID should be up to the passdb backend to set. Andrew Bartlett (This used to be commit f71c8338d35a2e8c73c3d8006ea6858cb522c715)
2003-01-02BIG patch...Andrew Bartlett2-4/+4
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-12-23Finish adding strings to all talloc_init() calls.Jeremy Allison1-2/+1
Jeremy. (This used to be commit 784d15761c3271bfd602866f8f9f880dac77671c)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-4/+4
named. Ensure we can query them. Jeremy. (This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33)
2002-12-12merge of get_dc_name()-like code from APP_HEAD; better support password ↵Gerald Carter1-90/+10
server = DC1 * (This used to be commit 6b18ca9511ddcf1718f222af3f61491d1e5f3b60)
2002-12-11Fixed auth module code. Added VALGRIND defines to reduce spurious warnings.Jeremy Allison2-68/+58
Jeremy. (This used to be commit ff3a8d37289216a2cb808406044a7abef1e564d0)
2002-12-01Make it clear that we might not be talking to a PDC here.Andrew Bartlett1-1/+1
(This used to be commit 7d099e9a5b7164e8cdbdb93d8c4527f02c8bdefd)
2002-11-23[merge from APP_HEAD]Gerald Carter1-2/+3
90% fix for CR 1076. The password server parameter will no take things like password server = DC1 * which means to contact DC1 first and the go to auto lookup if it fails. jerry (This used to be commit c31a17889e3e4daf7c1e807038efc2c0fba78be3)
2002-11-15Small auth updates:Andrew Bartlett4-11/+6
- add static remove unnneded prototype - move become_root() to just around pdb calls, so as to make it easier to remove when we kill off this silly idea - Change auth_sam to do 'account before password' rather than 'password before account'. This means that we match Win2k in giving 'account disabled' instead of 'wrong password' if the wrong password to a disabled account is used. Andrew Bartlett (This used to be commit e6d2debaf6064c3229f41c06545a1ccb83695a77)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison5-17/+15
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
2002-11-09Fix bug found by tpot with given password server.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 90ac8184a0ae1f702d39f947ef5267765f3d2f88)
2002-11-08Don't set global_machine_password_needs_changing ifTim Potter1-4/+6
lp_machine_password_timeout() is set to zero. (This used to be commit 0fa87a68fea8b12242f644605aab7c2f81c1a4df)
2002-11-06Merge of get_dc_list() api change. This was slightly more intrusiveTim Potter1-2/+17
than the version in APPLIANCE so watch out for boogs. (This used to be commit 1e054e3db654801fbb5580211529cdfdea9ed686)
2002-11-04Move to the use of the 'initialised' flag, rather than the fact the pointer isAndrew Bartlett1-8/+9
NULL. Andrew Bartlett (This used to be commit 2115335857acd2c4f5c89b95227b3762f4c052b0)
2002-11-03make_server_info_guest() can need root for the ldapsam backendAndrew Tridgell1-1/+4
(This used to be commit 918099f09618136c371e199803f5895f9cb702be)
2002-10-17Added new error codes. Fix up connection code to retry in the same wayJeremy Allison1-10/+23
that app-head does. Jeremy. (This used to be commit b521abd86b10573ca8f9116907c81e6deb55f049)
2002-10-12Nice *big* patch from metze.Andrew Bartlett2-10/+10
The actual design change is relitivly small however: It all goes back to jerry's 'BOOL store', added to many of the elements in a SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into ldap. This was a great win for admins, and this patch follows in the same way. This patch extends the concept - we don't store values back into LDAP unless they have been changed. So if we read a value, but don't update it, or we read a value, find it's not there and use a default, we will not update ldap with that value. This reduced clutter in our LDAP DB, and makes it easier to change defaults later on. Metze's particular problem was that when we 'write back' an unchanged value, we would clear any muliple values in that feild. Now he can still have his mulitivalued 'uid' feild, without Samba changing it for *every* other operation. This also applies to many other attributes, and helps to eliminate a nasty race condition. (Time between get and set) This patch is big, and needs more testing, but metze has tested usrmgr, and I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly flawed ;-). The same system will be introduced into the SAM code shortly, but this fixes bugs that people were coming across in production uses of Samba 3.0/HEAD, hence it's inclusion here. Andrew Bartlett (This used to be commit 7f237bde212eb188df84a5d8adb598a93fba8155)
2002-10-04merge of new client side support the Win2k LSARPC UUID in rpcbindGerald Carter1-1/+1
from APP_HEAD (This used to be commit 38c9e4299845fd77cc8629945ce2d259489f7437)
2002-09-28Second stab at Volker's 'make shadow passwords work' patch.Andrew Bartlett1-4/+4
Basicly, the password and the salt must be taken from the same place in both passwd and shadow based systems. Taking salt from one, and password from the other just doesn't work. So pull them from passwd, then overwrite them if need be. When modifying this file, watch the #ifdef hell - as vl found out, some variables are globals - but only with #ifndef WITH_PAM, and the code jumps all over the place with the password cracker. Getting double-reviews of any change to this file highly advised, it is one of our most system-specifc areas of code. (So now I get to take the blame for this one... :-) Andrew Bartlett (This used to be commit f39f167900db3f06ec3c52c3ddf61e8bf3d57f56)
2002-09-27Back our volker's patch as was breaking the build.Andrew Bartlett1-7/+2
Volker, I would like to understand what you are trying to do here... I'll trust that it's broken (this code is certainly not well tested) but I do want to keep a close eye on the fixes... Andrew Bartlett (This used to be commit 4b72f84cf9bc3f7583318d5dff97257f9dc5b87f)
2002-09-27Sorry to touch such an internal function. But I was quite surprised thatVolker Lendecke1-2/+7
'security = user', 'encrypt passwords = no' did not work anymore. This is on quite a standard SuSE 7.3, ./configure.developer --with-tdbsam. I can provide a config.log / config.h on demand. Please re-check for consequences, I don't really oversee that file. Thanks, Volker (This used to be commit ba754b57ddb78dadedcb7b5877cbee5bab08181e)
2002-09-25Move to common user token debugging, and ensure we always print both theAndrew Bartlett1-6/+24
NT_TOKEN and the unix credentials - as we incresingly use the NT stuff we want to make it easy to check they don't get out of wack. Andrew Bartlett (This used to be commit a3882a19254811ace2f9545580c14ce3bd588095)
2002-09-17Add clock skew handling to our kerberos code. This allows us to cope withAndrew Tridgell1-1/+1
the DC being out of sync with the local machine. (This used to be commit 0d28d769472ea3b98ae4c8757093dfd4499f6dd1)
2002-09-15Don't display debugs of the nt user token twice.Tim Potter1-4/+0
(This used to be commit 2011a38f3bd1e51aa1ca0219a9e46da12426cbc3)
2002-09-15Merge of 'other_sids' patch from appliance.Tim Potter1-4/+19
(This used to be commit 7decd4b3a9e6900ab35f7bf5b266361f308aa58d)
2002-09-06This is the 'easy' parts of the trusted domains patch n+3 patch fromAndrew Bartlett2-54/+70
Rafal Szczesniak <mimir@diament.ists.pwr.wroc.pl> It includes a conversion of make_user_info*() to NTSTATUS and some minor changes to other files. It also picks up on a nasty segfault that can occour in some security=domain cases. Andrew Bartlett (This used to be commit d1e1fc3e4bf72717b3593685f0ea5750d676952a)
2002-08-30off by one in writing to malloced array. this fixes smbd crash I saw atHerb Lewis1-2/+2
the CIFS conference - finally got purify working (This used to be commit cf9bb66aa9c3217cb8394058c65c84ffc6ae269a)
2002-08-30added cli_net_auth_3 client code.Jean-François Micouleau1-1/+2
changed cli_nt_setup_creds() to call cli_net_auth_2 or cli_net_auth_3 based on a switch. pass also the negociation flags all the way. all the places calling cli_nt_setup_creds() are still using cli_net_aut2(), it's just for future use and for rpcclient. in the future we will be able to call auth_2 or auth_3 as we want. J.F. (This used to be commit 4d38caca40f98d0584fefb9d66424a3db5b5789e)
2002-08-29We don't need the RTLD_GLOBAL.Andrew Bartlett1-1/+1
(This used to be commit 0d562b81bfd176111a1046560c39b03d986f90ec)
2002-08-26Updates!Andrew Bartlett1-1/+4
- Don't print an uninitialised buffer in service.c - Change some charcnv.c functions to take smb_ucs2_t ** instead of void ** - Update NTLMv2 code to use dynamic buffers - Update experimental SMB signing code - still more work to do - Move sys_getgrouplist() to SAFE_FREE() and do a DEBUG() on initgroups() failure. Andrew Bartlett (This used to be commit de1964f7fa855022258a84556b266100b917444b)
2002-08-26Try to support non-root-mode systems without getgrouplist().Andrew Bartlett2-8/+10
Andrew Bartlett (This used to be commit 17096315a0f30f946ddecb79708604a111c37011)
2002-08-22Spelling fixes.Tim Potter1-4/+4
(This used to be commit 24fa84bda49a3a77fbc092652a0b6b132f06ff7c)
2002-08-21Cope with non-unix accounts - we just won't get the groups for those users.Andrew Bartlett1-2/+4
Andrew Bartlett (This used to be commit 7cad7814555645aa3bee95fb48fbd694e6a9e313)
2002-08-20Based orginally by work by Kai, this patch moves our NT_TOKEN generation intoAndrew Bartlett5-107/+408
our authenticaion code - removing some of the duplication from the current code. This also gets us *much* closer to supporting a real SAM backend, becouse the SAM can give us the right info then. This also changes our service.c code, so that we do a VUID (rather than uid) cache on the connection struct, and do full NT ACL/NT_TOKEN checks (or cached equivilant) on every packet, for the same r or rw mode the whole share was open for. Andrew Bartlett (This used to be commit d8122cee059fc7098bfa7e42e638a9958b3ac902)
2002-08-19fix typo auth/auth_server.cJelmer Vernooij1-1/+1
remove unused 'max packet' and 'packet size' options (This used to be commit 6a787a695db65688916464a9b0e2a9024b131eee)
2002-08-11Make 'remote_machine' private to lib/substitute.c, and fix all the user to useAndrew Bartlett1-3/+2
the new accessor functions. Andrew Bartlett (This used to be commit f393de2310e997d05674eb7f1268655373e03647)
2002-08-05This fixes a number of ADS problems, particularly with netbioslessAndrew Tridgell1-2/+4
setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
2002-07-31Let everybody enjoy my new toy - make it the default!Andrew Bartlett1-2/+2
Authenticaions will now attempt to use winbind, and only fall back to 'ntdomain' (the old security=domain) code if that fails (for any reason, including wrong password). I'll fix up the authenticaion code to better handle the different types of failures in the near future. Andrew Bartlett (This used to be commit 78f0d4337bd263d26d7b349eaf8148e863c62f69)
2002-07-31Winbind updates!Andrew Bartlett1-21/+49
This updates the 'winbind' authentication module and winbind's 'PAM' (actually netlogon) code to allow smbd to cache connections to the DC. This is particulary relevent when we need mutex locks already - there is no parallelism to be gained anyway. The winbind code authenticates the user, and if successful, passes back the 'info3' struct describing the user. smbd then interprets that in exactly the same way as an 'ntdomain' logon. Also, add parinoia to winbind about null termination. Andrew Bartlett (This used to be commit 167f122b670d4ef67d78e6f79a2bae3f6e8d67df)