Age | Commit message (Collapse) | Author | Files | Lines |
|
This will allow a gradual conversion of the required elements from the
current struct auth_serversupplied_info.
This commit adds the structure definition and some helper functions to
copy between the two structures.
At this stage these structures and functions are IDENTICAL to the
existing code, and so show the past history of that code. The plan is
to slowly modify them over the course of the patch series, so that the
changes being made a clear.
By using a seperate structure to auth_serversupplied_info we can
remove elements that are not needed after the authentication, and we
can choose a layout that best reflects the needs of runtime users,
rather than the internals of the authentication subsystem.
By eventually using the auth_session_info from auth.idl, we will gain
a single session authorization structure across the whole codebase,
allowing more code to be shared, and a much more transparent process
for forwarding authorization credentials over the named pipe proxy.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
|
|
Guenther
|
|
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This will allow the auth_serversupplied_info struct to be migrated
to auth_session_info easier.
Adnrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
|
|
The all UPPER case typedef is no longer the preferred Samba style
and this makes it easier to see that this is the IDL-derivied structure
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This common structure will make it much easier to produce an auth
module for s3compat that calls Samba4's auth subsystem.
In order the make the link work properly (and not map twice), we mark
both that we did try and map the user, as well as if we changed the
user during the mapping.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Turn the freeing function into a destructor and attach it to the
auth_context.
Make all callers TALLOC_FREE() the auth_context instead of calling
the free function.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This is closer to the structure I want for a common struct
auth_usersupplied_info.
Andrew Bartlett
|
|
This is closer to the structure I want for a common struct
auth_usersupplied_info.
Andrew Bartlett
|
|
|
|
This is closer to the structure I want for a common struct
auth_usersupplied_info.
Andrew Bartlett
|
|
This is closer to the structure I want for a common struct
auth_usersupplied_info.
Andrew Bartlett
|
|
sids are now completely handled using info3, remove dead code that fills
server info sids and the structure members themselves
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
When we generate a user out of thin air we may end up adding sids
that are not part of the sam domain (unix domain sids).
Handle the case and preserve these sids as extra sids.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
Guenther
|
|
typedefs are no longer preferred Samba style.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
This makes it a little easier for it to writen in terms of GENSEC in future.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Explain why we have what looks like a duplicate of session keys.
It is in fact not a duplicate.
|
|
It is not used anymore, we have that information in
info3->base.logon_server already
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
This helps with the upcoming NTLMSSP merge, and allows errors to be returned.
Andrew Bartlett
|
|
Remove "mem_ctx" from "struct auth_context"
|
|
|
|
|
|
|
|
|
|
No functional change, this is a preparation for more current_user ref removal
(This used to be commit dcaedf345e62ab74ea87f0a3fa1e3199c75c5445)
|
|
"nss_token" from my point of view much better reflects what this flag actually
represents
(This used to be commit b121a5acb2ef0bb3067d953b028696175432f10d)
|
|
(This used to be commit 420de035237bb08bc470c9eb820f3da2edaa6805)
|
|
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
|
|
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
|
|
Jeremy.
(This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
|
|
idle event.
Volker
(This used to be commit 6226b30f38cd82531422815ba66a687aab50028d)
|
|
changing the token generation. I *hate* this code!
Jerry, you have been looking at this as well, can you double-check that I did
not screw it up?
Thanks,
Volker
(This used to be commit 2765c4ff8d44c970db3e075b0a2412662f1936c6)
|
|
to make full use of the new talloc() interface. Discussed with Volker
and Jeremy.
* remove the internal mem_ctx and simply use the talloc()
structure as the context.
* replace the internal free_fn() with a talloc_destructor() function
* remove the unnecessary private nested structure
* rename SAM_ACCOUNT to 'struct samu' to indicate the current an
upcoming changes. Groups will most likely be replaced with a
'struct samg' in the future.
Note that there are now passbd API changes. And for the most
part, the wrapper functions remain the same.
While this code has been tested on tdb and ldap based Samba PDC's
as well as Samba member servers, there are probably still
some bugs. The code also needs more testing under valgrind to
ensure it's not leaking memory.
But it's a start......
(This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
|
|
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
|
|
Jeremy.
(This used to be commit 1ca4abffd04bcc46b61acdc12444f3e2aad0afed)
|
|
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes
the auth module interface to 2 (from 1). The effect of this is
that clients can access resources as a machine account if they
set these flags. This is the same as Windows (think of a VPN
where the vpn client authenticates itself to a VPN server
using machine account credentials - the vpn server checks
that the machine password was valid by performing a machine
account check with the PDC in the same was as it would a
user account check. I may add in a restriction (parameter)
to allow this behaviour to be turned off (as it was previously).
That may be on by default.
Andrew Bartlett please review this change carefully.
Jeremy.
(This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
|
|
login
scripts to be executed.
We were filling in our name as the server which processed the login, even
when it was done by a trusted DC.
Thanks to John Janosik <jpjanosi@us.ibm.com> for the fix.
(This used to be commit 0446319a3b8096df385978449ffaa231bc5cfd0c)
|
|
that only acheive as much as 'security=server' does.
Andrew Bartlett
(This used to be commit fb694f2b1a809d221f48f9b9b0e54e9512325bae)
|
|
key could
be anything, and may not be based on anything 'NT'. This is also what microsoft
calls it.
(This used to be commit 724e8d3f33719543146280062435c69a835c491e)
|
|
For a (very) long time, we have had a bug in Samba were an NTLMv2-only
PDC would fail, because it converted the password into NTLM format for
checking.
This patch performs the direct comparison required for interactive
logons to function in this situation. It also removes the 'auth flags', which
simply where not ever used.
Natrually, this plays with the size of structures, so rebuild, rebuild
rebuild...
Andrew Bartlett
(This used to be commit 9598593bcf2d877b1d08cd6a7323ee0bc160d4ba)
|
|
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
|
|
- The 'not implmented' checks are now done by all auth modules
- the ntdomain/trustdomain/winbind modules are more presise as to
what domain names they can and cannot handle
- The become_root() calls are now around the winbind pipe opening only,
not the entire auth call
- The unix username is kept seperate from the NT username, removing the
need for 'clean off the domain\' in parse_net.c
- All sid->uid translations are now validated with getpwuid() to put a very
basic stop to logins with 'half deleted' accounts.
Andrew Bartlett
(This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec)
|
|
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
(This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
|