summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_pam.c
AgeCommit message (Collapse)AuthorFilesLines
2003-03-23NTLM Authentication:Andrew Bartlett1-7/+6
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit dcdc75ebd89f504a0f6e3a3bc5b43298858d276b)
2003-02-14Ensure that only parse_prs.c access internal members of the prs_struct.Jeremy Allison1-1/+2
Needed to move to disk based i/o later. Jeremy. (This used to be commit 4c3ee228fcdb089eaeead95e79532a9cf6cb0de6)
2003-01-15small merges from SAMBA_3_0; mostly typos, renames, etc...Gerald Carter1-3/+3
(This used to be commit 9ac196dad4893b0ceef13281a140be5d85391e6c)
2003-01-14Added a comment in case anyone is thinking of doing a SMB_ASSERT in winbindd.Tim Potter1-0/+2
(This used to be commit c64e2308bae31d48171685b3b67b8cace1b003b5)
2003-01-11Return the 'freindly' NT error message if at all possible.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 90d05176534cfd97ed3827bddfeb3a0cb7f22683)
2003-01-02Becouse these functions return a size_t, they can't return negitive numbers.Andrew Bartlett1-3/+3
So a < 0 check is pointless, instead check against -1, which will be cast to unsigned. Andrew Bartlett (This used to be commit c7e5797a95804d5779cdfc93795adcdf2fe82a59)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-2/+2
named. Ensure we can query them. Jeremy. (This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-11/+11
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
2002-10-26Updates to winbind's PAM client and server - make the debug logsAndrew Bartlett1-0/+7
work a bit better for password changing. Andrew Bartlett (This used to be commit 425782ba32554b90d592493a1928a926e492bb2a)
2002-09-12Merge undone cleanups.Tim Potter1-12/+19
(This used to be commit d87c1f507d38444e627bce59b6c765d9c9479ac6)
2002-09-12Merge of winbind auth cleanups from appliance.Tim Potter1-19/+12
(This used to be commit 26d486aa740e283f546efc1f2ca40af3452a4f52)
2002-09-12Merge of cut&paste fix from appliance.Tim Potter1-1/+1
(This used to be commit f75d61b03a3377f3a791b56fc307dc7e56e4707a)
2002-09-12Spelling fix.Tim Potter1-2/+2
(This used to be commit d9fa865e5ce8ba0b7539f9a218fc7dd132eb3d38)
2002-07-31Winbind updates!Andrew Bartlett1-28/+107
This updates the 'winbind' authentication module and winbind's 'PAM' (actually netlogon) code to allow smbd to cache connections to the DC. This is particulary relevent when we need mutex locks already - there is no parallelism to be gained anyway. The winbind code authenticates the user, and if successful, passes back the 'info3' struct describing the user. smbd then interprets that in exactly the same way as an 'ntdomain' logon. Also, add parinoia to winbind about null termination. Andrew Bartlett (This used to be commit 167f122b670d4ef67d78e6f79a2bae3f6e8d67df)
2002-07-20Try to fix up warnings - particularly on the IRIX 64 bit compiler (which had aAndrew Bartlett1-2/+2
distinction between uchar and char). Lots of const etc. Andrew Bartlett (This used to be commit 8196ee908e10db2119e480fe1b0a71b31a16febc)
2002-06-18more debug classess activatedSimo Sorce1-0/+3
(This used to be commit 897e64d2e0c1d04ab93441ccaffe369bf43be46e)
2002-04-07Spelling.Tim Potter1-1/+1
(This used to be commit 423985ed569ac9692f3cb5872a15c74f983121b6)
2002-03-23Various winbind updates:Andrew Bartlett1-1/+1
- pam_winbind updates from vance, fixing a typo and making some the options work properly. - Extra parinoia in the winbind connection loop - Allow pam_winbind to compile on HP-UX (Don Mcall, more work to do). - Fix up configure.in to use the same method for building the test .so as the Makefile uses. Andrew Bartlett (This used to be commit 8e705dd9215b1cb3f44d6348094679d7dc6a7fbd)
2002-03-17Renamed get_nt_error_msg() to nt_errstr().Tim Potter1-6/+6
(This used to be commit 1f007d3ed41c1b71a89fa6be7d173e67e927c302)
2002-02-15Winbind cleanup.Andrew Bartlett1-2/+2
This patch fixes the segfaults I introduced in the previous conneciton caching patch. It cleans up the connection cache a *lot* - in particular it adds significant robustness to the operation. If a the DC goes down, we no longer fail the next operation - the code checks if the connection died during one of its own operations on the socket, and restarts the conneciton as required. There is still a memory leak in here somewhere - but this code also cleans up a number of these. Also added is the abilty to sepecify the domain of the 'get around restrict anonymous' user that winbind uses. Andrew Bartlett (This used to be commit 92cbefdf2783bf9dbbb2179c1b2f7cdb802d84a9)
2002-02-11A few small winbind updates:Andrew Bartlett1-10/+5
Add a connection cache to the netlogon pipe. This makes a *massive* difference to the time-per-auth. Also fix up *some* of the memory leaks in other connection caches. Add some debugging messages for the is_connected() code. I'm thinking we should get a client implementation of SMBecho and call it here - as it would allow us to always know the DC is around before we start. Down the debug level for some of the pam_winbind code - I'll probably down it further when I'm finished debugging. Andrew Bartlett (This used to be commit 49d3e476662220775ef8da7db01ea17e77e11b0b)
2002-02-08Fix up some of the DEBUG lines in winbind_pam.cAndrew Bartlett1-8/+10
(This used to be commit dfc8883305abf7630e6446a0b865bae99ec2f5a4)
2002-02-05Drastic impromvents to pam_winbind.Andrew Bartlett1-30/+69
This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-01-31Removed unused variables.Tim Potter1-2/+0
(This used to be commit 703d06fee03b6b6a37b9f64cdc313a0d59c41597)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-30Fix for password change from Samuel Ziegler <sam@xpedion.com>Tim Potter1-11/+11
(This used to be commit 418bdd5919265bc74844401901d91edc84076314)
2002-01-18This is the 'winbind default domain' patch from Alexander BokovoyAndrew Bartlett1-2/+19
<a.bokovoy@sam-solutions.net>. The idea is the domain\username is rather harsh for unix systems - people don't expect to have to FTP, SSH and (in particular) e-mail with a username like that. This 'corrects' that - but is not without its own problems. As you can see from the changes to files like username.c and wb_client.c (smbd's winbind client code) a lot of assumptions are made in a lot of places about lp_winbind_seperator determining a users's status as a domain or local user. The main change I will shortly be making is to investigate and kill off winbind_initgroups() - as far as I know it was a workaround for an old bug in winbind itself (and a bug in RH 5.2) and should no longer be relevent. I am also going to move to using the 'winbind uid' and 'winbind gid' paramaters to determine a user/groups's 'local' status, rather than the presence of the seperator. As such, this functionality is recommended for servers providing unix services, but is currently less than optimal for windows clients. (TODO: remove all references to lp_winbind_seperator() and lp_winbind_use_default_domain() from smbd) Andrew Bartlett (This used to be commit 07a21fcd2311d2d9b430b99303e3532a8c1159e4)
2002-01-14Initialise cli variables and try not to do a cli_shutdown() of uninitialsedAndrew Bartlett1-4/+10
memory. The winbind connection caching code isn't exactly a plesent beast, and there is more work that needs to be done to nail this properly. Andrew Bartlett (This used to be commit dd40ce54b7f170854d63e08ac737f1b4306bd95b)
2002-01-12Many thanks to Alexander Bokovoy <a.bokovoy@sam-solutions.net>.Andrew Bartlett1-0/+2
This work was sponsored by Optifacio Software Services, Inc. Andrew Bartlett (various e-mails announcements merged into some form of commit message below:) This patch which adds basics of universal groups support into Samba 3. Currently, only Winbind with RPC calls supports this, ADS support requires additional (possibly huge) work on KRB5 PAC. However, basic infrastructure is here. This patch adds: 1. Storing of universal groups for particular user logged into Samba software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb. 2. Fetching of unversal groups for given user rid and domain sid from netlogon_unigrp.tdb. Since this is used in both smbd and winbindd, main code is in source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ. This patch has had a few versions, the final version in particular: Many thanks to Andrew Bartlett for critics and comments, and partly rewritten code. New: - updated fetching code to changed byte order macros - moved functions to proper namespace - optimized memory usage by reusing caller's memory context - enhanced code to more follow Samba coding rules Todo: - proper universal group expiration after timeout (This used to be commit 80c2aefbe7c1aa363dd286a47d50c5d8b4595f43)
2002-01-10This changes the winbind protcol a bit:Andrew Bartlett1-21/+13
It adds a 'ping' request, just to check winbind is in fact alive It also changes winbindd_pam_auth_crap to take usernames and domain seperatly. (backward incompatible change, needs merge to 2.2, but this is not yet released code, so no workarounds) Finally, it adds some debugs and fixes a few memory leaks (uses talloc to do it). Andrew Bartlett (This used to be commit 6df29bfe335144a968f5367f624ef2b4cf9e69b0)
2002-01-01Further rpc_client removal, this time from winbindd.Andrew Bartlett1-38/+60
Also removed the dependency on auth_util.o, which makes things nicer. Finally, this kills off the NECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ makefile variable - becouse Samba dependencies are starting to be sane again! Andrew Bartlett (This used to be commit 4609edcac3b70c11025f0c5aa0ddbeed93369c84)
2001-12-10added some commentsAndrew Tridgell1-2/+1
(This used to be commit 5ab2c8b8214236b4cd028f791e9ddb76a9973d74)
2001-12-05Fixed parse_domain_user to be bool.Jeremy Allison1-28/+27
Jeremy. (This used to be commit 9563de2ef8c1197f4941671d2fdade7d933c32d0)
2001-11-24This is another rather major change to the samba authenticaionAndrew Bartlett1-5/+7
subystem. The particular aim is to modularized the interface - so that we can have arbitrary password back-ends. This code adds one such back-end, a 'winbind' module to authenticate against the winbind_auth_crap functionality. While fully-functional this code is mainly useful as a demonstration, because we don't get back the info3 as we would for direct ntdomain authentication. This commit introduced the new 'auth methods' parameter, in the spirit of the 'auth order' discussed on the lists. It is renamed because not all the methods may be consulted, even if previous methods fail - they may not have a suitable challenge for example. Also, we have a 'local' authentication method, for old-style 'unix if plaintext, sam if encrypted' authentication and a 'guest' module to handle guest logins in a single place. While this current design is not ideal, I feel that it does provide a better infrastructure than the current design, and can be built upon. The following parameters have changed: - use rhosts = This has been replaced by the 'rhosts' authentication method, and can be specified like 'auth methods = guest rhosts' - hosts equiv = This needs both this parameter and an 'auth methods' entry to be effective. (auth methods = guest hostsequiv ....) - plaintext to smbpasswd = This is replaced by specifying 'sam' rather than 'local' in the auth methods. The security = parameter is unchanged, and now provides defaults for the 'auth methods' parameter. The available auth methods are: guest rhosts hostsequiv sam (passdb direct hash access) unix (PAM, crypt() etc) local (the combination of the above, based on encryption) smbserver (old security=server) ntdomain (old security=domain) winbind (use winbind to cache DC connections) Assistance in testing, or the production of new and interesting authentication modules is always appreciated. Andrew Bartlett (This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
2001-11-23Got rid of that stupid parse_domain_user() warning when compilingTim Potter1-22/+0
winbindd. (This used to be commit 72060a6f5af505d597f372d550d7f3fe559e5550)
2001-11-23Fixed check machine account function.Tim Potter1-6/+12
(This used to be commit 8f01a8b07883d18f44da665cbc8e5fba04d3bc91)
2001-11-05Use cli_nt_login_network() instead of domain_client_validate() to performTim Potter1-41/+55
pam authentication. This allows us to link in less other crap. Authenticating with a challenge/response doesn't seem to work though - we always get back NT_STATUS_WRONG_PASSWORD. (This used to be commit d85aa1ce83327dda6aa3dcd9bbab9cf6979dda1e)
2001-10-31Removed unneeded extern.Tim Potter1-2/+0
(This used to be commit c80641b6f335aa706a2e384b7cfe7912be4a41b1)
2001-10-31This is a farily large patch (3300 lines) and reworks most of the AuthRewriteAndrew Bartlett1-72/+15
code. In particular this assists tpot in some of his work, becouse it provides the connection between the authenticaion and the vuid generation. Major Changes: - Fully malloc'ed structures. - Massive rework of the code so that all structures are made and destroyed using malloc and free, rather than hanging around on the stack. - SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them to be declared 'invalid' without the chance that people might get ROOT by default. - kill off some of the "DOMAIN\user" lookups. These can be readded at a more appropriate place (probably domain_client_validate.c) in the future. They don't belong in session setups. - Massive introduction of DATA_BLOB structures, particularly for passwords. - Use NTLMSSP flags to tell the backend what its getting, rather than magic lenghths. - Fix winbind back up again, but tpot is redoing this soon anyway. - Abstract much of the work in srv_netlog_nt back into auth helper functions. This is a LARGE change, and any assistance is testing it is appriciated. Domain logons are still broken (as far as I can tell) but other functionality seems intact. Needs testing with a wide variety of MS clients. Andrew Bartlett (This used to be commit f70fb819b2f57bd57232b51808345e2319d52f6c)
2001-10-31Added some extra fields to the auth_serversupplied_info structure.Tim Potter1-0/+4
To obtain the full group membership of a user (i.e nested groups on a win2k native mode server) it is necessary to merge this list of groups with the groups returned by winbindd when creating an nt access token. This breaks winbindd linking while AB and I sync up our changes to the authentication subsystem. (This used to be commit 4eeb7bcd783d7cfb3ac232f1faa035773007401d)
2001-10-05This is the start of a bit of a rewrite of winbindd's connection handling.Tim Potter1-4/+16
I've wrapped up all the decisions about managing, making and closing connections into a connection manager in nsswitch/winbindd_cm.c. It's rather incomplete at the moment - only querying basic user info works at the moment (i.e finger -m DOMAIN/user) and everything else is broken. Jeremy, please take a look and I'll start moving across the rest of winbindd to this new system. (This used to be commit c369cf5af787ed9c642778d21f162716fbf0620e)
2001-09-12Some patches to authentication:Tim Potter1-4/+4
- the usersupplied_info now contains a smb_username (as it comes across on the wire) and a unix_username (after being passed through mapping functions) - when doing security={server,domain} use the smb_username, otherwise use the unix_username (This used to be commit d34fd8ec0716127c7a68eeb8e77d1ae8cc07b547)
2001-09-05more warning fixes on solarisAndrew Tridgell1-2/+2
(This used to be commit c04c67fec85b1c81ef0b3cebacde304a1de0d854)
2001-09-04the next stage in the NTSTATUS/WERROR change. smbd and nmbd now compile, but ↵Andrew Tridgell1-4/+4
the client code still needs some work (This used to be commit dcd6e735f709a9231860ceb9682db40ff26c9a66)
2001-08-27converted another bunch of stuff to NTSTATUSAndrew Tridgell1-2/+2
(This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e)
2001-08-24Make domain_client_validate return a status code instead of a boolean.Tim Potter1-10/+10
(This used to be commit b4e79ab34b7df4687966f4ca81b575dce8503775)
2001-08-23Added copyright for me and AB.Tim Potter1-0/+2
(This used to be commit 19cd6a1dc446830c1448f4a21a915ea8994dc268)
2001-08-22Added another authentication interface to winbindd. The Challenge ResponseTim Potter1-1/+72
Authentication Protocol (CRAP) takes a tuple of (username, random challenge, encrypted lm password, encrypted nt password) where the passwords are encrypted with the random challenge ala ntlmssp. (This used to be commit 11f72a78e3a16bbb17b576d80b47a9eb818ee428)
2001-08-12This patch does a number of things, mostly smaller than they look :-)Andrew Bartlett1-1/+14
In particuar, it moves the domain_client_validate stuff out of auth_domain.c to somwhere where they (I hope) they can be shared with winbind better. (This may need some work) The main purpose of this patch was however to improve some of the internal documentation and to correctly place become_root()/unbecome_root() calls within the code. Finally this patch moves some more of auth.c into other files, auth_unix.c in this case. Andrew Bartlett (This used to be commit ea1c547ac880def29f150de2172c95213509350e)
2001-08-03This is my 'Authentication Rewrite' version 1.01, mostly as submitted toAndrew Bartlett1-8/+48
samba-technical a few weeks ago. The idea here is to standardize the checking of user names and passwords, thereby ensuring that all authtentications pass the same standards. The interface currently implemented in as nt_status = check_password(user_info, server_info) where user_info contains (mostly) the authentication data, and server_info contains things like the user-id they got, and their resolved user name. The current ugliness with the way the structures are created will be killed the next revision, when they will be created and malloced by creator functions. This patch also includes the first implementation of NTLMv2 in HEAD, but which needs some more testing. We also add a hack to allow plaintext passwords to be compared with smbpasswd, not the system password database. Finally, this patch probably reintroduces the PAM accounts bug we had in 2.2.0, I'll fix that once this hits the tree. (I've just finished testing it on a wide variety of platforms, so I want to get this patch in). (This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)