summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2002-10-17Added new error codes. Fix up connection code to retry in the same wayJeremy Allison1-10/+23
that app-head does. Jeremy. (This used to be commit b521abd86b10573ca8f9116907c81e6deb55f049)
2002-10-12Nice *big* patch from metze.Andrew Bartlett2-10/+10
The actual design change is relitivly small however: It all goes back to jerry's 'BOOL store', added to many of the elements in a SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into ldap. This was a great win for admins, and this patch follows in the same way. This patch extends the concept - we don't store values back into LDAP unless they have been changed. So if we read a value, but don't update it, or we read a value, find it's not there and use a default, we will not update ldap with that value. This reduced clutter in our LDAP DB, and makes it easier to change defaults later on. Metze's particular problem was that when we 'write back' an unchanged value, we would clear any muliple values in that feild. Now he can still have his mulitivalued 'uid' feild, without Samba changing it for *every* other operation. This also applies to many other attributes, and helps to eliminate a nasty race condition. (Time between get and set) This patch is big, and needs more testing, but metze has tested usrmgr, and I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly flawed ;-). The same system will be introduced into the SAM code shortly, but this fixes bugs that people were coming across in production uses of Samba 3.0/HEAD, hence it's inclusion here. Andrew Bartlett (This used to be commit 7f237bde212eb188df84a5d8adb598a93fba8155)
2002-10-04merge of new client side support the Win2k LSARPC UUID in rpcbindGerald Carter1-1/+1
from APP_HEAD (This used to be commit 38c9e4299845fd77cc8629945ce2d259489f7437)
2002-09-28Second stab at Volker's 'make shadow passwords work' patch.Andrew Bartlett1-4/+4
Basicly, the password and the salt must be taken from the same place in both passwd and shadow based systems. Taking salt from one, and password from the other just doesn't work. So pull them from passwd, then overwrite them if need be. When modifying this file, watch the #ifdef hell - as vl found out, some variables are globals - but only with #ifndef WITH_PAM, and the code jumps all over the place with the password cracker. Getting double-reviews of any change to this file highly advised, it is one of our most system-specifc areas of code. (So now I get to take the blame for this one... :-) Andrew Bartlett (This used to be commit f39f167900db3f06ec3c52c3ddf61e8bf3d57f56)
2002-09-27Back our volker's patch as was breaking the build.Andrew Bartlett1-7/+2
Volker, I would like to understand what you are trying to do here... I'll trust that it's broken (this code is certainly not well tested) but I do want to keep a close eye on the fixes... Andrew Bartlett (This used to be commit 4b72f84cf9bc3f7583318d5dff97257f9dc5b87f)
2002-09-27Sorry to touch such an internal function. But I was quite surprised thatVolker Lendecke1-2/+7
'security = user', 'encrypt passwords = no' did not work anymore. This is on quite a standard SuSE 7.3, ./configure.developer --with-tdbsam. I can provide a config.log / config.h on demand. Please re-check for consequences, I don't really oversee that file. Thanks, Volker (This used to be commit ba754b57ddb78dadedcb7b5877cbee5bab08181e)
2002-09-25Move to common user token debugging, and ensure we always print both theAndrew Bartlett1-6/+24
NT_TOKEN and the unix credentials - as we incresingly use the NT stuff we want to make it easy to check they don't get out of wack. Andrew Bartlett (This used to be commit a3882a19254811ace2f9545580c14ce3bd588095)
2002-09-17Add clock skew handling to our kerberos code. This allows us to cope withAndrew Tridgell1-1/+1
the DC being out of sync with the local machine. (This used to be commit 0d28d769472ea3b98ae4c8757093dfd4499f6dd1)
2002-09-15Don't display debugs of the nt user token twice.Tim Potter1-4/+0
(This used to be commit 2011a38f3bd1e51aa1ca0219a9e46da12426cbc3)
2002-09-15Merge of 'other_sids' patch from appliance.Tim Potter1-4/+19
(This used to be commit 7decd4b3a9e6900ab35f7bf5b266361f308aa58d)
2002-09-06This is the 'easy' parts of the trusted domains patch n+3 patch fromAndrew Bartlett2-54/+70
Rafal Szczesniak <mimir@diament.ists.pwr.wroc.pl> It includes a conversion of make_user_info*() to NTSTATUS and some minor changes to other files. It also picks up on a nasty segfault that can occour in some security=domain cases. Andrew Bartlett (This used to be commit d1e1fc3e4bf72717b3593685f0ea5750d676952a)
2002-08-30off by one in writing to malloced array. this fixes smbd crash I saw atHerb Lewis1-2/+2
the CIFS conference - finally got purify working (This used to be commit cf9bb66aa9c3217cb8394058c65c84ffc6ae269a)
2002-08-30added cli_net_auth_3 client code.Jean-François Micouleau1-1/+2
changed cli_nt_setup_creds() to call cli_net_auth_2 or cli_net_auth_3 based on a switch. pass also the negociation flags all the way. all the places calling cli_nt_setup_creds() are still using cli_net_aut2(), it's just for future use and for rpcclient. in the future we will be able to call auth_2 or auth_3 as we want. J.F. (This used to be commit 4d38caca40f98d0584fefb9d66424a3db5b5789e)
2002-08-29We don't need the RTLD_GLOBAL.Andrew Bartlett1-1/+1
(This used to be commit 0d562b81bfd176111a1046560c39b03d986f90ec)
2002-08-26Updates!Andrew Bartlett1-1/+4
- Don't print an uninitialised buffer in service.c - Change some charcnv.c functions to take smb_ucs2_t ** instead of void ** - Update NTLMv2 code to use dynamic buffers - Update experimental SMB signing code - still more work to do - Move sys_getgrouplist() to SAFE_FREE() and do a DEBUG() on initgroups() failure. Andrew Bartlett (This used to be commit de1964f7fa855022258a84556b266100b917444b)
2002-08-26Try to support non-root-mode systems without getgrouplist().Andrew Bartlett2-8/+10
Andrew Bartlett (This used to be commit 17096315a0f30f946ddecb79708604a111c37011)
2002-08-22Spelling fixes.Tim Potter1-4/+4
(This used to be commit 24fa84bda49a3a77fbc092652a0b6b132f06ff7c)
2002-08-21Cope with non-unix accounts - we just won't get the groups for those users.Andrew Bartlett1-2/+4
Andrew Bartlett (This used to be commit 7cad7814555645aa3bee95fb48fbd694e6a9e313)
2002-08-20Based orginally by work by Kai, this patch moves our NT_TOKEN generation intoAndrew Bartlett5-107/+408
our authenticaion code - removing some of the duplication from the current code. This also gets us *much* closer to supporting a real SAM backend, becouse the SAM can give us the right info then. This also changes our service.c code, so that we do a VUID (rather than uid) cache on the connection struct, and do full NT ACL/NT_TOKEN checks (or cached equivilant) on every packet, for the same r or rw mode the whole share was open for. Andrew Bartlett (This used to be commit d8122cee059fc7098bfa7e42e638a9958b3ac902)
2002-08-19fix typo auth/auth_server.cJelmer Vernooij1-1/+1
remove unused 'max packet' and 'packet size' options (This used to be commit 6a787a695db65688916464a9b0e2a9024b131eee)
2002-08-11Make 'remote_machine' private to lib/substitute.c, and fix all the user to useAndrew Bartlett1-3/+2
the new accessor functions. Andrew Bartlett (This used to be commit f393de2310e997d05674eb7f1268655373e03647)
2002-08-05This fixes a number of ADS problems, particularly with netbioslessAndrew Tridgell1-2/+4
setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
2002-07-31Let everybody enjoy my new toy - make it the default!Andrew Bartlett1-2/+2
Authenticaions will now attempt to use winbind, and only fall back to 'ntdomain' (the old security=domain) code if that fails (for any reason, including wrong password). I'll fix up the authenticaion code to better handle the different types of failures in the near future. Andrew Bartlett (This used to be commit 78f0d4337bd263d26d7b349eaf8148e863c62f69)
2002-07-31Winbind updates!Andrew Bartlett1-21/+49
This updates the 'winbind' authentication module and winbind's 'PAM' (actually netlogon) code to allow smbd to cache connections to the DC. This is particulary relevent when we need mutex locks already - there is no parallelism to be gained anyway. The winbind code authenticates the user, and if successful, passes back the 'info3' struct describing the user. smbd then interprets that in exactly the same way as an 'ntdomain' logon. Also, add parinoia to winbind about null termination. Andrew Bartlett (This used to be commit 167f122b670d4ef67d78e6f79a2bae3f6e8d67df)
2002-07-31the ads_connect() here doesn't need to actually succeed, as its onlyAndrew Tridgell1-3/+1
needed to find the DC IP. Just don't check its return value! (This used to be commit ab144cd8af1622894d446ce48dde99babeb30bd6)
2002-07-30Fix the build for now..Jim McDonough1-1/+1
Tridge, please look at this. Did you mean to take out the last parm? (This used to be commit f70886df942e8b37fecb503b2d87f39f19c9bdab)
2002-07-30net ads info now reports the IP of the LDAP server as well as its name - ↵Andrew Tridgell1-4/+6
very useful in scripts (This used to be commit fc0d5479b575c1f495b9251413eed18ec1e37e02)
2002-07-30a couple more minor tweaks. This now allows us to operate in ADS modeAndrew Tridgell1-4/+3
without any 'realm =' or 'ads server =' options at all, as long as DNS is working right. (This used to be commit d3fecdd04241ed7b9248e52415693cd54a1faecf)
2002-07-302nd try at a fix for netbiosless connections to a ADS DC. This alsoAndrew Tridgell1-31/+90
make the code a fair bit cleaner as it splits up the ADS and RPC cases, which really are very different. (This used to be commit 5a11c432afebe84b17820396476f48a6a6f6411b)
2002-07-30removed a gratuitous standard_sub_basic() on the 'password server'Andrew Tridgell1-2/+0
field. This has got to be pointless. (This used to be commit fd02adab54b66a19c1b81b8ae91e66713691b060)
2002-07-30- if we are in ADS mode then avoid an expensive netbios lookup to findAndrew Tridgell1-7/+16
the servers netbios name when we don't need it. This also fixes ADS mode when the DC has netbios disabled. - if the password server is specified as an IP then actually use that IP, don't do a lookup for the servers name :) (This used to be commit 72042e94ef0f6841afcfa48eafb9809545860725)
2002-07-28found nasty bug in intl/lang_tdb.c tdb structure was not tested to not be ↵Simo Sorce1-7/+7
null before close this one fixes swat not working with browsers that set more then one language. along the way implemented language priority in web/neg_lang.c with bubble sort also changet str_list_make to be able to use a different separator string Simo. (This used to be commit 69765e4faa8aaae74c97afc917891fc72d80703d)
2002-07-21Renamed all the new_cli_netlogon_* functions to cli_netlogon_*Tim Potter1-1/+1
as they're no longer new! (This used to be commit 277f6bbb9a63541a473a80a7994e9bde5c6f22dc)
2002-07-20Try to fix up warnings - particularly on the IRIX 64 bit compiler (which had aAndrew Bartlett1-1/+1
distinction between uchar and char). Lots of const etc. Andrew Bartlett (This used to be commit 8196ee908e10db2119e480fe1b0a71b31a16febc)
2002-07-20Add support for a weird behaviour apparently used by Win9X pass-throughAndrew Bartlett1-2/+17
authentication - we can have an NT hash in the LM hash feild. (I need to double-check this fix with tpot, who discovered it). Also remove silly casts back and forth between uchar and char. Andrew Bartlett (This used to be commit 07e2b36311f91d7a20865a2ccc94716772e53fd7)
2002-07-20NT_STATUS_UNSUCCESSFUL just gets clients confused - move to NO_LOGON_SERVERSAndrew Bartlett1-11/+11
becouse thats what Win2k gives when the PDC is down. Some of these might better go to other errors, but the Win2k text message for 'unsuccessful' is not particularly useful. (A device attached to the system is not functioning...) Andrew Bartlett (This used to be commit 656f1d68e8579f1bd0a7118caf9e0373d5980a69)
2002-07-09Make it clear that the debug comment is the same as the command being testedAndrew Bartlett1-1/+1
for failure. Andrew Bartlett (This used to be commit 6e22f39df8c386781a4f51207a3ccd9c94d151f1)
2002-07-02Address the string_sub problem by changing len = 0 to mean "no expand".Jeremy Allison3-3/+3
Went through and checked all string_subs I could to ensure they're being used correctly. Jeremy. (This used to be commit 17cae0d683be404be69554cd0e84117bdcc56c87)
2002-06-25Update cli_full_connection() to take a 'flags' paramater, and try to get aAndrew Bartlett1-1/+1
few more places to use it. Andrew Bartlett (This used to be commit 23689b0746d5ab030d8693abf71dd2e80ec1d7c7)
2002-06-24Try to get security=domain at least slightly working.Andrew Bartlett2-8/+13
The previous code both had basic logic flaws in it, and some subtle issues regarding the Win2k info3 response. I've tested this against Samba (it looks like that was missed last time due to the 'called name' corruption - which broke my testsuite) and accomidated what I've seen from a info3 printout jmcd gave me. I'll get this tested fully as soon as I get my VMware going again. Andrew Bartlett (This used to be commit 87eba4c811293d2428bfb9bc36de22e66dce7f8b)
2002-06-15This patch does 2 things:Andrew Bartlett3-96/+225
It extends the 'server mutex' to conver security=server, becouse the connection race condition exists here too, and while people *should* use security=domain, some sites don't.... (This probably should be done in 2.2 as well). Also, start to actually extract and use the information that the remote server returns in the info3 struct. The server mutex code is now in a new file. Andrew Bartlett (This used to be commit 9b0dabdf4ec3bb45879caae76e03b57ccdad8b4b)
2002-06-15Add another 'trivial' built in authentication module - this one is aAndrew Bartlett1-0/+50
deveopers hack to always send a fixed challange, for the benifit of tutorials and packet sniffing etc. Enabling this module removes all security, so its a --enable-developer option. Andrew Bartlett (This used to be commit 622e6b64dfb0a2c53d2c9dbd7b8ff438492eaf02)
2002-06-15It appears that to match NT we should not use the 'samstrict' behaviour,Andrew Bartlett1-3/+5
and that local accounts are perfectly fine. (This used to be commit 9fe8da6dd1b7fecfee0a2778fec0b7dd0fd40bfb)
2002-06-14moved lp_list_* functions away from param/loadparm.c, put int lib/util_str.cSimo Sorce1-10/+10
and renamed to str_list_* as it is a better name. Elrond should be satisfied now :) (This used to be commit 4ae260adb9505384fcccfb4c9929cb60a45f2e84)
2002-06-12Spelling.Tim Potter1-1/+1
(This used to be commit bfd8a33c68a3747cbad21667d7515aebd61ec537)
2002-06-12Spelling fixes.Tim Potter1-1/+1
(This used to be commit de18c785ab9a253cc8bf8d7e4066de0133225c6c)
2002-06-01More cleanup work preparing for SMB signing.Jeremy Allison1-3/+3
Jeremy. (This used to be commit 3c05f7c06fc8c45307ea75128b160a5945fc5197)
2002-05-28Spelling fixes.Tim Potter1-7/+7
(This used to be commit 3d0f4acad2f0c57d0a255e90e5f674ba582251e2)
2002-05-25Clean up a few unused functions, add a bit of static etc.Andrew Bartlett1-28/+0
Importantly: The removal of the silly 'delete user script' behaviour when secuity=domain. I have left the name the same - as it still does the (previously documented, but not in smb.conf(5)) sane behaviour of deleting users on request. When we decide what to do with the 'add user' functionality, we might rename it. Andrew Bartlett (This used to be commit cdcfe3671eb7570e15649b77f708e6579055e7bc)
2002-05-24Name the authentication modules, and therfore fix up both the build farmAndrew Bartlett4-0/+6
and secuirty=server. I *love* automated testing... Andrew Bartlett (This used to be commit c92f4f4d72ffd307ca2d4d792b5e4154f1b85b91)