summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r14634: Many bug fixes thanks to train rides and overnight stays in airportsGerald Carter1-2/+2
* Finally fix parsing idmap uid/gid ranges not to break with spaces surrounding the '-' * Allow local groups to renamed by adding info level 2 to _samr_set_aliasinfo() * Fix parsing bug in _samr_del_dom_alias() reply * Prevent root from being deleted via Samba * Prevent builting groups from being renamed or deleted * Fix bug in pdb_tdb that broke renaming user accounts * Make sure winbindd is running when trying to create the Administrators and Users BUILTIN groups automatically from smbd (and not just check the winbind nexted groups parameter value). * Have the top level rid allocator verify that the RID it is about to grant is not already assigned in our own SAM (retries up to 250 times). This fixes passdb with existing SIDs assigned to users from the RID algorithm but not monotonically allocating the RIDs from passdb. (This used to be commit db1162241f79c2af8afb7d8c26e8ed1c4a4b476f)
2007-10-10r14578: fix incorrect comment in fill_sam_account(). This function is ↵Gerald Carter1-4/+1
called from multiple places now (krb5, winbindd auth and domain_client_validate() (This used to be commit ddad66ec58d09f89105ceb822b7bea534dafd9e6)
2007-10-10r14421: This does two thingsGerald Carter1-0/+49
* Automatically creates the BUILTIN\Users group similar to how BUILTIN\Administrators is done. This code does need to be cleaned up considerably. I'll continue to work on this. * The important fix is for getusergroups() when dealing with a local user and nested groups. Now I can run the following successfully: $ su - jerry -c groups users BUILTIN\users (This used to be commit f54d911e686ffd68ddc6dbc073987b9d8eb2fa5b)
2007-10-10r14403: * modifies create_local_nt_token() to create a BUILTIN\AdministratorsGerald Carter1-38/+97
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10r14130: Remove make_server_info_pac alltogether, make_server_info_info3 doesGünther Deschner1-89/+0
already do what we need. Guenther (This used to be commit 773e33c9717ae04f48983ddc49f7619a97523603)
2007-10-10r14129: Add the group sids from the Kerberos PAC to the user token.Günther Deschner1-1/+28
Guenther (This used to be commit 1280d79111ae56c6a1b4daf7a1d6d413d1f4df64)
2007-10-10r14112: * fix checks on return code from register_vuid() which could actuallyGerald Carter1-2/+0
fail and we would still return success in the SMBsesssetup reply :-( * Make sure to create the local token for the server_fino struct in reply_spnego_kerberos() so that register_vuid() does not fail. (how did this ever work?) (This used to be commit 8dafa45b97020d1aceb027a85e18401c965bf402)
2007-10-10r14042: check that create_local_nt_token() succeeds before dereferncing the ↵Gerald Carter1-0/+4
NT_USER_TOKEN* (This used to be commit 4e5df4cb643886144d0fff4cac303e493c825955)
2007-10-10r13981: Fix Coverity bug # 138Volker Lendecke1-1/+1
(This used to be commit 303067ba3bdf34ab501f0d99e386cfdb6ab10233)
2007-10-10r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16.Günther Deschner2-2/+7
* Fix a couple of related parsing issues. * in the info3 reply in a samlogon, return the ACB-flags (instead of returning zero) Guenther (This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
2007-10-10r13706: Fix typo in typo fix. (-:Tim Potter1-1/+1
(This used to be commit 06be7711269acbcd481ebdef5b9493dab138c81c)
2007-10-10r13705: Fix a typo (and janitor for myself).Tim Potter1-1/+1
(This used to be commit 37b0166d3f15bfcf155b0c3d927cc838b8f55c3c)
2007-10-10r13679: Commiting the rm_primary_group.patch posted on samba-technicalGerald Carter1-5/+9
* ignore the primary group SID attribute from struct samu* * generate the primary group SID strictlky from the Unix primary group when dealing with passdb users * Fix memory leak in original patch caused by failing to free a talloc * * add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix() (This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
2007-10-10r13590: * replace all pdb_init_sam[_talloc]() calls with samu_new()Gerald Carter4-39/+46
* replace all pdb_{init,fill}_sam_pw() calls with samu_set_unix() (This used to be commit 6f1afa4acc93a07d0ee9940822d7715acaae634f)
2007-10-10r13576: This is the beginnings of moving the SAM_ACCOUNT data structureGerald Carter5-54/+55
to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2007-10-10r13571: Replace all calls to talloc_free() with thye TALLOC_FREE()Gerald Carter4-18/+18
macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2007-10-10r13541: we have to wrap pen_enum_group_memberships() in become/unbecome_root()Gerald Carter1-1/+5
blocks. This fixes the problem I had with missing groups in the net_samlogon() reply from a Samba PDC. (This used to be commit 06b83fe35048c84dfd68be2ee656317c51e89bce)
2007-10-10r13494: Merge the stuff I've done in head the last days.Volker Lendecke1-0/+66
Volker (This used to be commit bb40e544de68f01a6e774753f508e69373b39899)
2007-10-10r13460: by popular demand....Gerald Carter1-46/+8
* remove pdb_context data structure * set default group for DOMAIN_RID_GUEST user as RID 513 (just like Windows) * Allow RID 513 to resolve to always resolve to a name * Remove auto mapping of guest account primary group given the previous 2 changes (This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285)
2007-10-10r13382: added server affinity cache stores for 'net rpc join' and trusted ↵Gerald Carter1-0/+4
domain code (This used to be commit 9eb743584d32cdb67e0512ac915c34565bce1c01)
2007-10-10r13316: Let the carnage begin....Gerald Carter12-825/+979
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r12522: Try and fix bug #2926 by removing setlocale(LC_ALL, "C")Jeremy Allison1-2/+2
and replace calls to isupper/islower/toupper/tolower with ASCII equivalents (mapping into _w variants). Jeremy. (This used to be commit c2752347eb2deeb2798c580ec7fc751a847717e9)
2007-10-10r12313: Introduce yet another copy of the string_sub function:Volker Lendecke1-12/+15
talloc_string_sub. Someone with time on his hands could convert all the callers of all_string_sub to this. realloc_string_sub is *only* called from within substitute.c, it could be moved there I think. Volker (This used to be commit be6c9012da174d5d5116e5172a53bbe6486d6c38)
2007-10-10r12279: unix_mask_match has been broken for *ever*... (How).Jeremy Allison1-2/+2
Ensure it returns a BOOL. Jerry (and anyone else) please check this, I think all uses are now correct but could do with another set of eyes. Essential for 3.0.21 release. Jeremy. (This used to be commit 0c7b8a7637e760fcb6629092f36b610b8c71f5c9)
2007-10-10r12174: Simple patch to work around the current lack of BUILTINGerald Carter1-3/+53
nested group support. Always add the BUILTIN\Administrators SID to a Domain Admins token. This solves the extra steps of establishing a group map for the local Administrators SID in order to control services. Windows also tends to expect the Administrators group to be usable when setting up security permissions on shares. Volker's work will probably fix this long term, but this gets us past some of the setup hurdles for 3.0.21. (This used to be commit 170b6a68bcbd66bae322c5b1b8c8501ca96acab2)
2007-10-10r12051: Merge across the lookup_name and lookup_sid work. Lets see how the ↵Volker Lendecke1-5/+2
build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2007-10-10r11916: auth_get_sam_account is only used in auth_rhosts.c -- move it thereVolker Lendecke2-30/+30
(This used to be commit 8e5bea3f84c61ea312278cbbb70542664be7bd14)
2007-10-10r11886: Fix 3187: logon hours restrictions were off corresponding to our ↵Jim McDonough1-2/+3
offset from GMT. Use gmtime() instead of localtime() in the calc, but still use localtime() in displaying it. (This used to be commit 9b34f2d0f4bfc623eaec9c1334e34fa3965ba25b)
2007-10-10r11661: Store the INFO3 in the PAC data into the netsamlogon_cache.Gerald Carter1-1/+1
Also remove the mem_ctx from the netsamlogon_cache_store() API. Guenther, what should we be doing with the other fields in the PAC_LOGON_INFO? (This used to be commit 8bead2d2825015fe41ba7d7401a12c06c29ea7f7)
2007-10-10r11652: Reinstate the netsamlogon_cache in order to workGerald Carter1-0/+2
around failed query_user calls. This fixes logons to a member of a Samba domain as a user from a trusted AD domain. As per comments on samba-technical, I still need to add (a) cache the PAC info as werll as NTLM net_user_info_3 (b) expire the cache when the SMB session goes away Both Jeremy and Guenther have signed off on the idea. (This used to be commit 0c2bb5ba7b92d9210e7fa9f7b70aa67dfe9faaf4)
2007-10-10r11573: Adding Andrew Bartlett's patch to make machine accountJeremy Allison5-17/+36
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
2007-10-10r11492: Fix bug #3224 (I hope). Correctly use machine_account_nameJeremy Allison1-3/+4
and client_name when doing netlogon credential setup. Jeremy. (This used to be commit 37e6ef9389041f58eada167239fd022f01c5fecb)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison3-7/+7
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter5-101/+208
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10234: Add new auth module "auth_script" to allow valid users toJeremy Allison1-0/+155
be provisioned on demand - calls script with domain, username, challenge and LM and NT responses - passing the info through a pipe. Jeremy. (This used to be commit 67be4ee41cd244bcc0445cac7c9e1e2d40e93c9b)
2007-10-10r9588: remove netsamlogon_cache interface...everything seems to work fine. ↵Gerald Carter1-1/+0
Will deal with any fallout from special environments using a non-cache solution (This used to be commit e1de6f238f3981d81e49fb41919fdce4f07c8280)
2007-10-10r9252: 2 type fixes from Luke Mewburn <lukem@NetBSD.org>. Bugid #2934.Jeremy Allison1-1/+3
Jeremy. (This used to be commit c63ad85b8c1aedd04a65e46c27a6e2661093847a)
2007-10-10r8889: Another warningVolker Lendecke1-1/+1
(This used to be commit 9ae1098d211f5e687786abb8474b1c4210413f0f)
2007-10-10r8432: Fix #2077 - login to trusted domain doesn't allow home drive map and ↵Jim McDonough1-0/+3
login scripts to be executed. We were filling in our name as the server which processed the login, even when it was done by a trusted DC. Thanks to John Janosik <jpjanosi@us.ibm.com> for the fix. (This used to be commit 0446319a3b8096df385978449ffaa231bc5cfd0c)
2007-10-10r7956: Spelling mistake.Jeremy Allison1-1/+1
Jeremy. (This used to be commit f318c371077f28ace52f7d2b1517df0d15a0f05a)
2007-10-10r7882: Looks like a large patch - but what it actually does is make SambaJeremy Allison1-1/+1
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10r7450: fix my bone head mistake with ntlm authentcation and 'map to guest = ↵Gerald Carter2-9/+12
bad uid'; make sure the authentication suceeds (This used to be commit 5de1ffce2f2a0a340f6591939b8f63a3d96a627e)
2007-10-10r7395: * new feature 'map to guest = bad uid' (based on patch fromGerald Carter1-5/+15
aruna.prabakar@hp.com). This re-enables the Samba 2.2 behavior where a user that was successfully authenticated by a remote DC would be mapped to the guest account if there was not existing UNIX account for that user and we could not create one. (This used to be commit b7455fbf81f4e47c087c861f70d492a328730a9b)
2007-10-10r7372: abartet's patch for BUG 2391 (segv caused by free a static pointer)Gerald Carter2-4/+8
(This used to be commit 4cda2bd035276bd090bf0fbd4e3b2eff657a80cb)
2007-10-10r7243: Don't look at gencache.tdb for the trusted domains if winbind is around.Volker Lendecke1-4/+19
Volker (This used to be commit 94acb93f57b963bf137c6ddd644a147f4d0b5175)
2007-10-10r7130: remove 'winbind enable local accounts' code from the 3.0 treeGerald Carter1-30/+2
(This used to be commit 318c3db4cb1c85be40b2f812f781bcf5f1da5c19)
2007-10-10r7024: reverting mistaken commitGerald Carter1-13/+5
(This used to be commit c70c5c4ee9b14fbdb174f542607aceebe0e88470)
2007-10-10r7020: fixing printer ace values and getting rid of false compiler warning ↵Gerald Carter1-5/+13
about unitialized variable (This used to be commit 3a91b20e4bcc78c91932e6c4394b3f6f153b2ff5)
2007-10-10r6445: Make us survive the PARANOID_MALLOC_CHECKER. Should we enable that forVolker Lendecke2-6/+6
--enable-developer=yes? Volker (This used to be commit 61d40ac60dd9c8c9bbcf92e4fc57fe1d706bc721)
2007-10-10r6263: Get rid of generate_wellknown_sids, they are const static and ↵Volker Lendecke1-5/+0
initializable statically. Volker (This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9)