summaryrefslogtreecommitdiff
path: root/source3/rpc_server/srv_netlog_nt.c
AgeCommit message (Collapse)AuthorFilesLines
2001-11-25Unless the error is exactly NT_STATUS_OK, we might not have a server info, soAndrew Bartlett1-1/+1
we need to bail here. (This used to be commit ea0331354e5968aa0a25c0b12379a56c72d7946b)
2001-11-24This is another rather major change to the samba authenticaionAndrew Bartlett1-4/+22
subystem. The particular aim is to modularized the interface - so that we can have arbitrary password back-ends. This code adds one such back-end, a 'winbind' module to authenticate against the winbind_auth_crap functionality. While fully-functional this code is mainly useful as a demonstration, because we don't get back the info3 as we would for direct ntdomain authentication. This commit introduced the new 'auth methods' parameter, in the spirit of the 'auth order' discussed on the lists. It is renamed because not all the methods may be consulted, even if previous methods fail - they may not have a suitable challenge for example. Also, we have a 'local' authentication method, for old-style 'unix if plaintext, sam if encrypted' authentication and a 'guest' module to handle guest logins in a single place. While this current design is not ideal, I feel that it does provide a better infrastructure than the current design, and can be built upon. The following parameters have changed: - use rhosts = This has been replaced by the 'rhosts' authentication method, and can be specified like 'auth methods = guest rhosts' - hosts equiv = This needs both this parameter and an 'auth methods' entry to be effective. (auth methods = guest hostsequiv ....) - plaintext to smbpasswd = This is replaced by specifying 'sam' rather than 'local' in the auth methods. The security = parameter is unchanged, and now provides defaults for the 'auth methods' parameter. The available auth methods are: guest rhosts hostsequiv sam (passdb direct hash access) unix (PAM, crypt() etc) local (the combination of the above, based on encryption) smbserver (old security=server) ntdomain (old security=domain) winbind (use winbind to cache DC connections) Assistance in testing, or the production of new and interesting authentication modules is always appreciated. Andrew Bartlett (This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
2001-11-08Change to guest logon code.Andrew Bartlett1-1/+8
This changes the way we process guest logons - we now treat them as normal logons, but set the 'guest' flag. In particular this is needed becouse Win2k will do an NTLMSSP login with username "", therefore missing our previous guest connection code - this is getting a pain to do as a special case all over the shop. Tridge: We don't seem to be setting a guest bit for NTLMSSP, in either the anonymous or authenticated case, can you take a look at this? Also some cleanups in the check_password() code that should make some of the debugs clearer. Various other minor cleanups: - change the session code to just take a vuser, rather than having to do a vuid lookup on vuser.vuid - Change some of the global_client_caps linking - Better debug in authorise_login(): show the vuid. Andrew Bartlett (This used to be commit 62f4e4bd0aef9ade653b3f8d575d2864c166ab4d)
2001-11-07Initilising these variables before appending the domain groups to themAndrew Bartlett1-1/+3
(This used to be commit 8004cfea19e10ad942c59f2f6a6bd992791017ba)
2001-11-01Various post AuthRewrite cleanups, fixups and tidyups.Andrew Bartlett1-5/+5
Zero out some of the plaintext passwords for paranoia Fix up some of the other passdb backends with the change to *uid_t rather than uid_t. Make some of the code in srv_netlog_nt.c clearer, is passing an array around, so pass its lenght in is definition, not as a seperate paramater. Use sizeof() rather than magic numbers, it makes things easier to read. Cope with a PAM authenticated user who is not in /etc/passwd - currently by saying NO_SUCH_USER, but this can change in future. Andrew Bartlett (This used to be commit 514c91b16baca639bb04638042bf9894d881172a)
2001-10-31Fix up domain logons. Tested with NT4.Andrew Bartlett1-5/+4
(This used to be commit c8b2718adfe114b74a155116c5e74f014d6df887)
2001-10-31This is a farily large patch (3300 lines) and reworks most of the AuthRewriteAndrew Bartlett1-144/+53
code. In particular this assists tpot in some of his work, becouse it provides the connection between the authenticaion and the vuid generation. Major Changes: - Fully malloc'ed structures. - Massive rework of the code so that all structures are made and destroyed using malloc and free, rather than hanging around on the stack. - SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them to be declared 'invalid' without the chance that people might get ROOT by default. - kill off some of the "DOMAIN\user" lookups. These can be readded at a more appropriate place (probably domain_client_validate.c) in the future. They don't belong in session setups. - Massive introduction of DATA_BLOB structures, particularly for passwords. - Use NTLMSSP flags to tell the backend what its getting, rather than magic lenghths. - Fix winbind back up again, but tpot is redoing this soon anyway. - Abstract much of the work in srv_netlog_nt back into auth helper functions. This is a LARGE change, and any assistance is testing it is appriciated. Domain logons are still broken (as far as I can tell) but other functionality seems intact. Needs testing with a wide variety of MS clients. Andrew Bartlett (This used to be commit f70fb819b2f57bd57232b51808345e2319d52f6c)
2001-10-31Added some extra fields to the auth_serversupplied_info structure.Tim Potter1-0/+2
To obtain the full group membership of a user (i.e nested groups on a win2k native mode server) it is necessary to merge this list of groups with the groups returned by winbindd when creating an nt access token. This breaks winbindd linking while AB and I sync up our changes to the authentication subsystem. (This used to be commit 4eeb7bcd783d7cfb3ac232f1faa035773007401d)
2001-10-29This commit is number 4 of 4.Andrew Bartlett1-1/+1
In particular this commit focuses on: Actually adding the 'const' to the passdb interface, and the flow-on changes. Also kill off the 'disp_info' stuff, as its no longer used. While these changes have been mildly tested, and are pretty small, any assistance in this is appreciated. ---- These changes introduces a large dose of 'const' to the Samba tree. There are a number of good reasons to do this: - I want to allow the SAM_ACCOUNT structure to move from wasteful pstrings and fstrings to allocated strings. We can't do that if people are modifying these outputs, as they may well make assumptions about getting pstrings and fstrings - I want --with-pam_smbpass to compile with a slightly sane volume of warnings, currently its pretty bad, even in 2.2 where is compiles at all. - Tridge assures me that he no longer opposes 'const religion' based on the ability to #define const the problem away. - Changed Get_Pwnam(x,y) into two variants (so that the const parameter can work correctly): - Get_Pwnam(const x) and Get_Pwnam_Modify(x). - Reworked smbd/chgpasswd.c to work with these mods, passing around a 'struct passwd' rather than the modified username --- This finishes this line of commits off, your tree should now compile again :-) Andrew Bartlett (This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317)
2001-10-29This commit is number 1 of 4.Andrew Bartlett1-0/+6
In particular this commit focusses on: Adding the new 'pass changed now' helper function. While these changes have been mildly tested, and are pretty small, any assistance in this is appreciated. (This used to be commit a8971a5448cf6d203b379c3ed01e331d5263c9ee)
2001-10-18Merge the become_XXX -> change_to_XXX fixes from 2.2.2 to HEAD.Jeremy Allison1-1/+1
Ensure make_conection() can only be called as root. Jeremy. (This used to be commit 8d23a7441b4687458ee021bfe8880558506eddba)
2001-10-02Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header.Tim Potter1-2/+0
(This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e)
2001-09-29Fix up a number of intertwined issues:Andrew Bartlett1-10/+22
The big one is a global change to allow us to NULLify the free'ed pointer to a former passdb object. This was done to allow idra's SAFE_FREE() macro to do its magic, and to satisfy the input test in pdb_init_sam() for a NULL pointer to start with. This NULL pointer test was what was breaking the adding of accounts up until now, and this code has been reworked to avoid duplicating work - I hope this will avoid a similar mess-up in future. Finally, I fixed a few nasty bugs where the pdb_ fuctions's return codes were being ignored. Some of these functions malloc() and are permitted to fail. Also, this caught a nasty bug where pdb_set_lanman_password(sam, NULL) acheived precisely didilly-squat, just returning False. Now that we check the returns this bug was spotted. This could allow different LM and NT passwords. - the pdbedit code needs to start checking these too, but I havn't had a chance to fix it. I have also fixed up where some of the password changing code was using the pdb_set functions to store *internal* data. I assume this is from a previous lot of mass conversion work... Most likally (and going on past experience) I have missed somthing, probably in the LanMan password change code which I havn't yet been able to test, but this lot is in much better shape than it was before. If all this is too much to swallow (particularly for 2.2.2) then just adding a sam_pass = NULL to the particular line of passdb.c should do the trick for the ovbious bug. Andrew Bartlett (This used to be commit 762c8758a7869809d89b4da9c2a5249678942930)
2001-09-26More updates to prevent account-guessing.Andrew Bartlett1-12/+10
This moves the check that ensures that the account being looked up is the same account as the machine logged in as to the front, before we even start with passdb. Merge for 2.2.2? Andrew Bartlett (This used to be commit f7ed0ecc14aeba5ad260f24a76ced70cf52f8e48)
2001-09-16Minor tidy-up.Andrew Bartlett1-1/+1
(This used to be commit dbb21aedbf10ebc4ef0d549c4f919cf91459eef7)
2001-09-16Fix up workstaion and kickoff time checks, moved to auth_smbpasswd.c whereAndrew Bartlett1-35/+5
they can have general effect. Fixed up workstaion support in the rest of samba, so that we can do these checks. Pass through the workstation for cli_net_logon(), if supplied. (This used to be commit 7f04a139b2ee34b4c282590509cdf21395815a7a)
2001-09-12Some patches to authentication:Tim Potter1-1/+1
- the usersupplied_info now contains a smb_username (as it comes across on the wire) and a unix_username (after being passed through mapping functions) - when doing security={server,domain} use the smb_username, otherwise use the unix_username (This used to be commit d34fd8ec0716127c7a68eeb8e77d1ae8cc07b547)
2001-09-06got rid of USE_TDB_MMAP_FLAG as its not needed any moreAndrew Tridgell1-1/+1
(This used to be commit c26e0d3f27a05ecc8bd2390f9aab7f9451524e47)
2001-09-06Logon workstation checks from Toomas Soome <tsoome@ut.ee>Tim Potter1-9/+42
Fixed compile warning. (This used to be commit 3eee66516596835c70c8d652ca633d2e1158fbb7)
2001-08-28Send a MSG_SMB_SAM_SYNC when a netlogon_ctrl2 message is received.Tim Potter1-6/+35
(This used to be commit 73e1b708d0ab7a6e612f8910c5815a6ab6de66cd)
2001-08-27converted another bunch of stuff to NTSTATUSAndrew Tridgell1-25/+25
(This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e)
2001-08-24get rid of compiler warningsHerb Lewis1-3/+3
(This used to be commit 0768991d04ea03e774ca8662c9cae5e1951b88e0)
2001-08-12Kill of idra's extra become_root()/unbecome_root() now I have fixed the actualAndrew Bartlett1-2/+0
problem. Andrew Bartlett (This used to be commit 895d1cd317d0838d711474f2f19186444a88b52c)
2001-08-12This patch does a number of things, mostly smaller than they look :-)Andrew Bartlett1-20/+5
In particuar, it moves the domain_client_validate stuff out of auth_domain.c to somwhere where they (I hope) they can be shared with winbind better. (This may need some work) The main purpose of this patch was however to improve some of the internal documentation and to correctly place become_root()/unbecome_root() calls within the code. Finally this patch moves some more of auth.c into other files, auth_unix.c in this case. Andrew Bartlett (This used to be commit ea1c547ac880def29f150de2172c95213509350e)
2001-08-11Without this become_root()/unbecome_root() pair I was not able to loginSimo Sorce1-3/+3
when samba acting as a PDC. I also removed a pdb_free_sam(sampass), because it sampass was never initialized before... Please abartlet can you check this patch is ok? I feel like this was a bad check-in (This used to be commit f25a5dab6012ebbe83435b06650d6ab92432760a)
2001-08-03This is my 'Authentication Rewrite' version 1.01, mostly as submitted toAndrew Bartlett1-98/+127
samba-technical a few weeks ago. The idea here is to standardize the checking of user names and passwords, thereby ensuring that all authtentications pass the same standards. The interface currently implemented in as nt_status = check_password(user_info, server_info) where user_info contains (mostly) the authentication data, and server_info contains things like the user-id they got, and their resolved user name. The current ugliness with the way the structures are created will be killed the next revision, when they will be created and malloced by creator functions. This patch also includes the first implementation of NTLMv2 in HEAD, but which needs some more testing. We also add a hack to allow plaintext passwords to be compared with smbpasswd, not the system password database. Finally, this patch probably reintroduces the PAM accounts bug we had in 2.2.0, I'll fix that once this hits the tree. (I've just finished testing it on a wide variety of platforms, so I want to get this patch in). (This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
2001-07-04The big character set handling changeover!Andrew Tridgell1-5/+4
This commit gets rid of all our old codepage handling and replaces it with iconv. All internal strings in Samba are now in "unix" charset, which may be multi-byte. See internals.doc and my posting to samba-technical for a more complete explanation. (This used to be commit debb471267960e56005a741817ebd227ecfc512a)
2001-06-20Fixed W2K SP2 joining a Samba PDC hosted domain.Jeremy Allison1-2/+2
Jermey. (This used to be commit 05a2911403a0710d994a618e72743205a3b0b87a)
2001-05-24Added server side reponse to net_logon_ctrl rpc. We can now respondTim Potter1-3/+27
to NLTEST /BDC_QUERY:DOMAIN when acting as a BDC. Reverse engineered a couple of status constants. (This used to be commit 0678c302825afef521ae2b80958a1d7c5aa76d23)
2001-05-07Patch from Simo:Gerald Carter1-10/+10
o sed 's/pdb_clear_sam/pdb_free_sam/g' o add pdb_reset_sam() o password changing should be ok now as well. (This used to be commit 96d0e7c3301ad990f6c83b9c216720cb32661fb5)
2001-05-04Big cleanup of passdb and backends.Jean-François Micouleau1-32/+58
I did some basic tests but I have probably broken something. Notably the password changing. So don't cry ;-) J.F. (This used to be commit a4a4c02b12f030a3b9e6225b999c90689dfc4719)
2001-04-23Fix "proc num out of range" error. Missing rpc call.Jeremy Allison1-12/+56
Jeremy. (This used to be commit 6248fb22926d72fddaecad5af117af1bdd08fda3)
2001-03-15AS/U on a sparc now joins and authenticates against a Samba PDC !Jeremy Allison1-5/+5
Jeremy. (This used to be commit 28a0bc5f5710aa732db662caa38f9da2138b5db2)
2001-03-13rpc_parse/parse_samr.c: Removed unneeded deubg.Jeremy Allison1-15/+10
rpc_server/srv_netlog_nt.c: Ensure we marshall a bad password return correctly to a w2k client. Jeremy. (This used to be commit 500c7bc0fed16713401643bdede67cc0c8044d52)
2001-03-13Fixed reading of strings from big-endian RPC clients.Jeremy Allison1-5/+5
Jeremy. (This used to be commit e7ecb9410ff2e4fcd33bca9f82e14c060590942a)
2001-03-11Moved cruft out of smb.h into ntdomain.h where it belongs. dc structJeremy Allison1-38/+48
now in pipe struct (where used) rather than user_struct. Secured machine account password changing in srv_netlog_nt.c - ensure that only the given machine can change its own password. May need to free this up later for NT admin tools, but this is a fail-safe secure position for now. Jeremy. (This used to be commit 46b12f2275dcd4b3114085160cd456441f9e921e)
2001-03-11Remove "BYTE" - we already have uint8 - don't need more conflicts withJeremy Allison1-2/+2
system header files... Jeremy. (This used to be commit 31e0ce310ec38b3a3a05b344d6450d442c6be471)
2001-03-11Merge of new 2.2 code into HEAD (Gerald I hate you :-) :-). Allows new SAMRJeremy Allison1-123/+61
RPC code to merge with new passdb code. Currently rpcclient doesn't compile. I'm working on it... Jeremy. (This used to be commit 0be41d5158ea4e645e93e8cd30617c038416e549)
2001-02-27Implementation module for netlog pipe. Can't be easily integrated intoJeremy Allison1-0/+663
HEAD right now due to passdb changes - placeholder added. Jeremy. (This used to be commit eb88512cff67200f95213db5c1340ceb448af57c)