summaryrefslogtreecommitdiff
path: root/source3/auth
AgeCommit message (Collapse)AuthorFilesLines
2003-05-26Correctly initialize winbind auth method.Volker Lendecke1-0/+3
(This used to be commit b9e7ce9d85c4203779d6b9bfb2e65a4ed5fe33ff)
2003-05-26Spelling.Tim Potter1-1/+2
(This used to be commit eda897306896b729129582fdf4fdd26af555f014)
2003-05-26Add samstrict_dc from metze (been sitting in HEAD for way to long waiting forAndrew Bartlett1-0/+46
me to review it). This patch works well for a DC running with trusted domains, becouse it lets you check the local SAM first, but only for this domain's users. Andrew Bartlett (This used to be commit e0bd4d2844e6073a83b72925bca1aec007a8dd0b)
2003-05-25Get 'add user script' working again for Samba 3.0.Andrew Bartlett3-47/+52
I'm still not convinced that sharing the option name with the administrative code is the best idea, but anyway... Tested by vl, bug #41. Andrew Bartlett (This used to be commit 9d78f064c5e4e6b340f994204977aaac6513320b)
2003-05-16add metze's patch for smb_register functionsSimo Sorce1-1/+1
(This used to be commit 1480c7e8c7a84c34181118c449c50ca99fdcbc6b)
2003-05-15Patch from Luke Howard <lukeh@PADL.COM> that fixes some weird handling ofJelmer Vernooij1-9/+17
modules in auth/ (This used to be commit 4b6785a6c0fe0aebb1cc69bfc9937d19bc692642)
2003-05-14spellingTim Potter1-2/+2
(This used to be commit 865c11275685c85124b506c9bbd2a8bde2e760b9)
2003-05-12And finally IDMAP in 3_0Simo Sorce2-29/+33
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-11When we have a NT4SP0 PDC trust us, we first have to check theVolker Lendecke1-2/+2
password. On NT4, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT means the password was correct. So the PDC believed that he had his trust account correctly added. Later the auth2 naturally failed. BTW, setting up an interdom trust account is not what I would call well documented and easy to handle... Working on that now :-) Volker (This used to be commit e4e44cf3b18231ec5d7326fb42edec741caa147b)
2003-05-09Cleanups. My NTLMv2 changes also changed the preference from using an implicitAndrew Bartlett1-42/+42
structure-memcpy for DATA_BLOB parameters to using a pointer to that DATA_BLOB. auth_sam calls some of these functions, so I've cleaned it all up to use this format now. Also clean up some debug statements to make them easier to read. Andrew Bartlett (This used to be commit 0c355c274a6ac084e4bf15a15613dfc007d6c5fc)
2003-05-09Make sure we always have some client data, not just the hash. An NTLMv2 orAndrew Bartlett1-2/+3
LMv2 response less than 24 bytes is just silly. Andrew Bartlett (This used to be commit b4ecdb2e582376d2713f81e8e32a668014905d70)
2003-05-08This puts real netlogon connection caching to winbind. This becomesVolker Lendecke1-2/+2
important once we start doing schannel, as there would be a lot more roundtrips for the second PIPE open and bind. With this patch logging in to a member server is a matter of two (three if you count the ack...) packets between us and the DC. Volker (This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)
2003-04-30Make the version numbers ints (patch from metze)Jelmer Vernooij1-1/+1
(This used to be commit dbe36b4c43dceddea9f14161c6cf7b34709287c8)
2003-04-28Use NTSTATUS as return value for smb_register_*() functions and init_module()Jelmer Vernooij8-35/+42
function. Patch by metze with some minor modifications. (This used to be commit bc4b51bcb2daa7271c884cb83bf8bdba6d3a9b6d)
2003-04-28Add cast for compilerAndrew Bartlett1-1/+1
(This used to be commit 456eb5d05a442ee380cfa756be54619b1d68fa48)
2003-04-24Merge auth changes from HEAD:Andrew Bartlett5-70/+83
- better error codes than NT_STATUS_UNSUCCESSFUL for domain logon errors - make auth_winbind load the ntdomain module if winbind isn't there. - use new trusted domains cache to determine if the domain is valid. Andrew Bartlett (This used to be commit ec8d6524c6b0c70927a2b57aab71d9e3a7f8a150)
2003-04-21Merge from HEAD - save the type of channel used to contact the DC.Andrew Bartlett1-2/+8
This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
2003-04-16Add support for the new modules system to auth/ (merge from HEAD)Jelmer Vernooij8-84/+105
(This used to be commit c7a1de090db35835be1a1623bfc80c04065c5dd9)
2003-04-14Fix typoJelmer Vernooij1-1/+1
(This used to be commit 738a2b055a0757002e8cdcbf744c8663e0e26bc2)
2003-03-24(merge from HEAD)Andrew Bartlett2-7/+3
NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
2003-03-19Fix some comment typosJelmer Vernooij1-2/+2
(This used to be commit 051b33e98f94ad09b4d8816a88e78715e7dc2a5e)
2003-03-18Add an extra parameter to our 'set_remote_machine_name' andAndrew Bartlett1-1/+1
'set_local_machine_name' so that the client can't change it from under us. (.NET RC2 and WinXP install calls the machine 'machinename' during NTLMSSP on the domain join). Andrew Bartlett (This used to be commit 4c7163e7c2cc09bd95faa05156ee480957a7a4d8)
2003-03-17Merge from HEAD - doxygenAndrew Bartlett1-2/+2
(This used to be commit 7a2566f2e922191e691b6dafb1a09e22913cccd6)
2003-03-17Mege from HEAD - doxygen.Andrew Bartlett1-1/+1
(This used to be commit 04a5cbc8964386774acdca759b4cfaded068c8f2)
2003-02-24Merge of server-side authentication changes to 3.0:Andrew Bartlett3-56/+87
- user_ok() and user_in_group() now take a list of groups, instead of looking for the user in the members of all groups. - The 'server_info' returned from the authentication is now kept around - in future we won't copy the sesion key, username etc, we will just referece them directly. - rhosts upgraded to use the SAM if possible, otherwise fake up based on getpwnam(). - auth_util code to deal with groups upgraded to deal with non-winbind domain members again. Andrew Bartlett (This used to be commit 74b5436c75114170ce7c780c19226103d0df9060)
2003-02-16Merge from HEAD - allow "" as a domain in the NLTMv2 hash calculations. FixesAndrew Bartlett1-2/+22
interop with clients not in our domain. Andrew Bartlett (This used to be commit 6aa3aba3db604d481dc96c3befe066938cb1b0f3)
2003-02-14Ensure that only parse_prs.c access internal members of the prs_struct.Jeremy Allison1-2/+2
Needed to move to disk based i/o later. Jeremy. (This used to be commit a823fee5b41a5b6cd4ef05aa1f85f7725bd272a5)
2003-02-10Cleanups: (merge from HEAD)Andrew Bartlett4-5/+12
- use safe_strcpy() instead of pstrcpy() for malloc()ed strings - CUPS: a failure in an attempt to automaticly add a printer is not level 0 stuff. - Fix up a possible Realloc() failure segfault Andrew Bartlett (This used to be commit c1cfc296c2efdb2b5972202146e80f0e3b6a3da4)
2003-02-04Merge HEAD: check both the account and password...Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit 830de56bf2f47412acfebf6c6353ab4b98c8517e)
2003-01-28Merge from HEAD:Andrew Bartlett1-1/+9
- NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor. - also consequential changes to the NTLMSSP and SPNEGO parsing functions - and the client code that uses the same functions - Add ntlm_auth, a NTLMSSP authentication interface for use by applications like Squid and Apache. - also consquential changes to use common code for base64 encode/decode. - Winbind changes to support ntlm_auth (I don't want this program to need to read smb.conf, instead getting all it's details over the pipe). - nmbd changes for fstrcat() instead of fstrcpy(). Andrew Bartlett (This used to be commit fbb46da79cf322570a7e3318100c304bbf33409e)
2003-01-28This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.(This ↵cvs2svn Import User1-0/+139
used to be commit b741abd496621586040081c04674ae53cb5db47c)
2003-01-16Updates to the NTLMSSP code again - moving the base64 decode fuctionality outAndrew Bartlett1-4/+5
of the SWAT code, and adding a base64 encoder. The main purpose of this patch is to add NTLMSSP support to 'ntlm_auth', for use with Squid. Unfortunetly the squid side doesn't quite support what we need yet. Changes to winbind to get us the info we need, and a couple of consequential changes/cleanups in the rest of the code. Andrew Bartlett (This used to be commit fe50ca8f54ded2e119bde08831785fbe0db2ee99)
2003-01-15Missed auth_ntlmssp.c in last night's checkin. Also keep track of the currentAndrew Bartlett1-225/+78
challenge in the NTLMSSP context. Andrew Bartlett (This used to be commit ba13e058d4533b1ffba723b9e98e95090ad63d85)
2003-01-15Crash fixes:Andrew Bartlett1-0/+1
- fix a crash when a second NTLMSSP session tried to free the first - fix a crash due to some NULL pointers in the Add Printer Wizard (or read printer code too it appears). As far as I can tell it's just that the GUID just might not exist. Andrew Bartlett (This used to be commit 51b1413056b0d001076ff47a755eb35baa2d9e6d)
2003-01-14Merge indirection, signed/unsigned and uninitialiased-value fixes from HEAD.Andrew Bartlett2-5/+6
Andrew Bartlett (This used to be commit 2a1adb8f81d8966e8919fffb9b4c69f3e6acd44f)
2003-01-13Missing indirect in final free.Jeremy Allison1-2/+2
Jeremy. (This used to be commit faf443e5198e270f1a60d7a0939074efca750a94)
2003-01-13Merge of indirection fixes from HEAD.Jeremy Allison1-5/+5
Jeremy (This used to be commit 67a0b30f50aa323185cbcf3a9d39804239222480)
2003-01-13Always initialise this variable - and don't set the 'must change now' if it wasAndrew Bartlett1-1/+2
last changed at '0'. We need to actually change this password sometime... Andrew Bartlett (This used to be commit 740bf439d2d1512127c873cf0e57697161d6566b)
2003-01-13Patch from metze to add what he feels is the correct semantics for a DomainAndrew Bartlett2-0/+44
Controller. As we have had a number of attempts at this over the last little while, I need to get my test rig going, and give this whole area a poke... Meanwhile, if you want to use this, just adjust your 'auth methods' line to use samstrict_dc... Andrew Bartlett (This used to be commit 18e598ec24493026008fcfe486057555b8832108)
2003-01-13Updates to our NTLMSSP code:Andrew Bartlett2-1/+293
This tries to extract our server-side code out of sessetup.c, and into a more general lib. I hope this is only a temporay resting place - I indend to refactor it again into an auth-subsystem independent lib, using callbacks. Move some of our our NTLMSSP #defines into a new file, and add two that I found in the COMsource docs - we seem to have a double-up, but I've verified from traces that the NTLMSSP_TARGET_TYPE_{DOMAIN,SERVER} is real. This code also copes with ASCII clients - not that we will ever see any here, but I hope to use this for HTTP, were we can get them. Win2k authenticates fine under forced ASCII, btw. Tested with Win2k, NTLMv2 and Samba's smbclient. Andrew Bartlett (This used to be commit b6641badcbb2fb3bfec9d00a6466318203ea33e1)
2003-01-13Fix to debian bug #171071 - we had the wrong dereference on the pointer to beAndrew Bartlett1-4/+4
Realloc()ed, causing it to fail. Big thanks to Sandor Sonfeld <sonf@linuxmail.org> for the debug, stack and valgrind traces! Andrew Bartlett (This used to be commit 7abca6d281da6388899f78e3440d7ce37bf2094e)
2003-01-11Use size_t for the counter vars, to match the type they are assigned fromAndrew Bartlett1-3/+3
(signed/unsigned mixup). Andrew Bartlett (This used to be commit f42cf0783fa3aeddc4992021df9ee6f3b1aa58f3)
2003-01-05Merge from HEAD - updates to correctly recognise LMv2, and NT# in LM feild.Andrew Bartlett1-33/+58
Andrew Bartlett (This used to be commit 32a1802a99a51b033eee034d3d2ce5cf409441dc)
2003-01-05Clear up the auth_sam password checking code (the core of our password checkingAndrew Bartlett1-33/+58
routines). In particular, we now better support the NT# in LM feild, and the LMv2 password scheme. (LMv2 is basicly NTLMv2 capped at 24 bytes, slightly more secure, and in the LM feild for compatiblity). Thanks to the Samba-TNG team and Luke Leighton for various descriptions of this algorithm, and to MS for a solution that seems to actually make sense for once :-). Andrew Bartlett (This used to be commit 5c2e34b5b6a2241b8d2fd68458eb73bb65ade6fd)
2003-01-04Make it clear that the credentials are being setup on the NETLOGON channel, andAndrew Bartlett1-3/+3
may not be to our PDC (might be BDC, or trusted DC). Andrew Bartlett (This used to be commit 610be8d483f335226386f92b5e85ddeb07846d41)
2003-01-04Merge from HEAD - we already have one function for converting a unistr2 to aAndrew Bartlett1-5/+5
static 'unix' string, so we don't need a second pdb specific version. Andrew Bartlett (This used to be commit 91ca4771c6b834747b06fff21822a14e929de2c1)
2003-01-03Merge from HEAD - make Samba compile with -Wwrite-strings without additionalAndrew Bartlett2-4/+4
warnings. (Adds a lot of const). Andrew Bartlett (This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c)
2003-01-02We already have one function to move unistr2 -> multibyte-static, so weAndrew Bartlett1-5/+5
don't need a second just for pdb. Also, remove magic 'is lp_guest_account' test - the magic RID should be up to the passdb backend to set. Andrew Bartlett (This used to be commit f71c8338d35a2e8c73c3d8006ea6858cb522c715)
2003-01-02BIG patch...Andrew Bartlett2-4/+4
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-12-23Finish adding strings to all talloc_init() calls.Jeremy Allison1-2/+1
Jeremy. (This used to be commit aa8439a49ec4b9f433745fefa1e769e45398f4df)