summaryrefslogtreecommitdiff
path: root/source3/smbd/password.c
AgeCommit message (Collapse)AuthorFilesLines
2001-07-08This removes unused paramaters from various authtication functions, and shouldAndrew Bartlett1-21/+14
not change behaviour. This should make my later diffs smaller, where I actualy start cleaning up this mess... Andrew Bartlett (This used to be commit 04f090c224bb7ac3b53c430a591fce1fc939a81c)
2001-07-04The big character set handling changeover!Andrew Tridgell1-1/+1
This commit gets rid of all our old codepage handling and replaces it with iconv. All internal strings in Samba are now in "unix" charset, which may be multi-byte. See internals.doc and my posting to samba-technical for a more complete explanation. (This used to be commit debb471267960e56005a741817ebd227ecfc512a)
2001-06-25Fixed stupid typo that would stop trusted domains working.Jeremy Allison1-4/+3
Jeremy. (This used to be commit fa721b4adfbcac4827251b02f6af7f0b5211c104)
2001-06-22Andrew - please look this over. I've fixed a long standing (maybe 4-5Jeremy Allison1-136/+147
years old) bug when chainging a sessionsetup_and_X and tcon together. The wrong username was being entered into the tdb, even though the correct user was used for accessing files. This is related to the fact that authorise_login() is not used for sessionsetup, but only for tcon auths. Jeremy. (This used to be commit 0187cd6aef7586d7ad4bdc70c50f3f2e7c69519c)
2001-06-14Fixed some return code checks for cli_initialise() from False to NULL.Tim Potter1-1/+1
Spotted by Joe Doran <joed@interlude.eu.org> (This used to be commit 3e3b9bc5380652d882c02e7286258f0aabcaf395)
2001-05-31Fix debug statement so it doesn't use lp_workgroup() either.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 18e652a5e0d30d033be70e512cd94bf867507f64)
2001-05-25i18n fix for domain_client_validate()Tim Potter1-1/+1
(This used to be commit d6dcca7cc9bc5a1948c1b6126ca4f6cb9ccacc52)
2001-05-17Fixes to get pam_auth() functionality working again.Tim Potter1-10/+11
(This used to be commit 083b74c743f0026693fa0fbe665ed08a3ac706b8)
2001-05-07Patch from Simo:Gerald Carter1-9/+9
o sed 's/pdb_clear_sam/pdb_free_sam/g' o add pdb_reset_sam() o password changing should be ok now as well. (This used to be commit 96d0e7c3301ad990f6c83b9c216720cb32661fb5)
2001-05-06Patch from David_Tiller@ccnotes.ccity.com finally applied now I've thoughtJeremy Allison1-70/+77
about it to stop account lockouts with "security=server" mode. Sorry for the delay David. Jeremy. (This used to be commit e8819715038ed49b07ed5639b1b88ad12e994b53)
2001-05-04Big cleanup of passdb and backends.Jean-François Micouleau1-5/+19
I did some basic tests but I have probably broken something. Notably the password changing. So don't cry ;-) J.F. (This used to be commit a4a4c02b12f030a3b9e6225b999c90689dfc4719)
2001-05-04merge from 2.2 in password_ok() to ensure that we check theGerald Carter1-1/+1
return code from smb_pam_accountcheck() (This used to be commit d5d6f01aaf8d344bb44dbe047c2f760ca220529e)
2001-04-30Based on an original PAM patch by Andrew Bartlett, re-written by me toJeremy Allison1-25/+19
remove global static PAM variables, and to tidy up the PAM internals code. Now looks like the rest of Samba. Still needs testing. Jeremy. (This used to be commit 1648ac64a75de74d1a1575eb49cccc4f75488bfa)
2001-04-23Added smb_ prefix to all Samba wrapper pam functions.Jeremy Allison1-1/+1
Fixed off by one bug using StrnCpy instead of strdup(). Jeremy. (This used to be commit d4b1c0be2e700c86a4338bb497777f97e3c960a7)
2001-04-22Commit of a modified version of Andrew Bartlett's patch that removes theJeremy Allison1-5/+14
horrid utmp hostname parameter - now uses the client name instead. Also tidies up some of the unencrypted password checking when PAM is compiled in. FIXME ! An pam_accountcheck() is being called even when smb encrypted passwords are negotiated. Is this the correct thing to do when winbindd is running ! This needs *SEVERE* testing.... Jeremy. (This used to be commit 071c799f479dd25efdb9c41745fc8f2beea7b568)
2001-04-18merge from 2.2Andrew Tridgell1-13/+37
(This used to be commit f52a5014ee325f9d91f266f88eac51b6136a75b9)
2001-03-27Bail out early if null passwords and lp_null_passwords not set.Jeremy Allison1-0/+5
Jeremy. (This used to be commit 7c718fc85e3dbfaf0195e352d06a8c682a6036fc)
2001-03-11Moved cruft out of smb.h into ntdomain.h where it belongs. dc structJeremy Allison1-2/+0
now in pipe struct (where used) rather than user_struct. Secured machine account password changing in srv_netlog_nt.c - ensure that only the given machine can change its own password. May need to free this up later for NT admin tools, but this is a fail-safe secure position for now. Jeremy. (This used to be commit 46b12f2275dcd4b3114085160cd456441f9e921e)
2001-03-11Remove "BYTE" - we already have uint8 - don't need more conflicts withJeremy Allison1-1/+1
system header files... Jeremy. (This used to be commit 31e0ce310ec38b3a3a05b344d6450d442c6be471)
2001-03-11Merge of new 2.2 code into HEAD (Gerald I hate you :-) :-). Allows new SAMRJeremy Allison1-4/+0
RPC code to merge with new passdb code. Currently rpcclient doesn't compile. I'm working on it... Jeremy. (This used to be commit 0be41d5158ea4e645e93e8cd30617c038416e549)
2001-02-08replaced inet_aton() with inet_addr() to keep Solaris from complaining.Gerald Carter1-3/+9
jerry (This used to be commit 2b18c4484313e77d98c8a7524cf9f5cc2c924dc2)
2001-01-25Fixes from appliance-head for pdc searches.Jeremy Allison1-1/+16
Jeremy. (This used to be commit d04ed97ecab846def8467f313a71ef0e5c4005f6)
2001-01-04Changes from APPLIANCE_HEAD:David O'Neill1-0/+8
source/Makefile.in - changes to ctags and etags rules that somehow got lost along the way. source/include/proto.h - make proto source/smbd/sec_ctx.c source/smbd/password.c - merge debugs for debugging user groups and NT token stuff. source/lib/util_str.c - capitalise domain name returned from parse_domain_user() source/nsswitch/wb_client.c - fix broken conditional in debug statement. source/include/rpc_secdes.h source/include/rpc_spoolss.h source/printing/nt_printing.c source/lib/util_seaccess.c - fix printer permission bugs related to ACE masks for printers. This adds mapping of generic access rights to object specific rights for NT printers. Still need to work out whether or not to ignore ACEs with certain flags set, though. See comments in util_seaccess.c:check_ace() for details. source/printing/nt_printing.c source/printing/printing.c - use PRINTER_ACCESS_ADMINISTER instead of JOB_ACCESS_ADMINISTER until we sort out printer/printjob permission stuff. (This used to be commit 1dba9c5cd1e6389734c648f6903abcb7c8d5b2f0)
2000-12-19Fixed bug found by Gerald. If a Samba server joins a domain and is setJeremy Allison1-4/+18
to search for a DC to authenticate to using the "*" syntax than ensure that for the first hour after the password change is searches for the PDC using the 1B name not the 1C name as domain replication may not have occured. Jeremy. (This used to be commit c25533de9918ed9b0c79fd039e11d1b79f513db0)
2000-12-12Fixed bug noticed by JF. se_access_check needs user SID as first in token.Jeremy Allison1-10/+23
Jeremy. (This used to be commit f0d7867801e3f78bfc55fdb36ca965e35457f51b)
2000-12-12Removed the special casing of SIDs in se_access_check. This is now done ↵Jeremy Allison1-9/+28
(correctly) when the NT_USER_TOKEN is *created*. Jeremy. (This used to be commit 27d72ed1cf8ece2bede812341279ba5a7262ace4)
2000-12-08Removed unused auto (IRIX compiler warning).Jeremy Allison1-2/+1
Jeremy. (This used to be commit 63e2ebc4272cd8bc52ea80e1e12996ab273b8ea4)
2000-12-07file_lines_load/file_lines_pload can now optionally convert unix_to_dos()Jeremy Allison1-1/+1
on read. Jeremy. (This used to be commit 76b8dd376d13eb4469417be217c966d54d333367)
2000-12-06Print debug if domain_client_validate() cannot fetch the trust accountTim Potter1-1/+2
password (say for example if the tdb file format has changed). (-: (This used to be commit 447fbb38a857a7e97cf2a99022576521c71a4512)
2000-11-28include/dlinklist.h: Added '{' '}' around DLIST_PROMOTE so it can be used as ↵Jeremy Allison1-60/+81
a single statement after an 'if'. Tracking this down took 4 hours from my life and ANDREW I WANT THEM BACK !!!!! :-). include/smb.h smbd/password.c: Fixed the bug veritas reported with realloc of the validated_users array growing without bounds. This is now a linked list as god (Andrew) intended :-). Jeremy. (This used to be commit 346f2f9206b9b4ed123e2a61c0a48de630397b8a)
2000-11-21combined 2 if statments which used the same conditionGerald Carter1-3/+5
-- jerry (This used to be commit 445fd1dbd8bb93f56f20b5dd9e9d5b018147b21d)
2000-11-13Large commit which restructures the local password storage API.Gerald Carter1-47/+57
Currently the only backend which works is smbpasswd (tdb, LDAP, and NIS+) are broken, but they were somewhat broken before. :) The following functions implement the storage manipulation interface /*The following definitions come from passdb/pdb_smbpasswd.c */ BOOL pdb_setsampwent (BOOL update); void pdb_endsampwent (void); SAM_ACCOUNT* pdb_getsampwent (void); SAM_ACCOUNT* pdb_getsampwnam (char *username); SAM_ACCOUNT* pdb_getsampwuid (uid_t uid); SAM_ACCOUNT* pdb_getsampwrid (uint32 rid); BOOL pdb_add_sam_account (SAM_ACCOUNT *sampass); BOOL pdb_update_sam_account (SAM_ACCOUNT *sampass, BOOL override); BOOL pdb_delete_sam_account (char* username); There is also a host of pdb_set..() and pdb_get..() functions for manipulating SAM_ACCOUNT struct members. Note that the struct passdb_ops {} has gone away. Also notice that struct smb_passwd (formally in smb.h) has been moved to passdb/pdb_smbpasswd.c and is not accessed outisde of static internal functions in this file. All local password searches should make use of the the SAM_ACCOUNT struct and the previously mentioned functions. I'll write some documentation for this later. The next step is to fix the TDB passdb backend, then work on spliting the backends out into share libraries, and finally get the LDAP backend going. What works and may not: o domain logons from Win9x works o domain logons from WinNT 4 works o user and group enumeration as implemented by Tim works o file and print access works o changing password from Win9x & NT ummm...i'll fix this tonight :) If I broke anything else, just yell and I'll fix it. I think it should be fairly quite. -- jerry (This used to be commit 0b92d0838ebdbe24f34f17e313ecbf61a0301389)
2000-10-11Remove duplicate group initialisation function.Tim Potter1-22/+0
Don't initialise groups twice. (This used to be commit 5375261152b28a65de18e817c75cab79c2f556b8)
2000-10-05Fix for null passwords being allowed bug.Jeremy Allison1-4/+8
Jeremy. (This used to be commit d4d55488397832df35b558564c263a307b0bb629)
2000-09-12With John Reilly help tracking it down - fixed a *nasty* bug whenJeremy Allison1-1/+0
authorising logins. If a user connected to a share as guest, then the snum was getting flagged as "force guest", meaning that all subsequent connections to it, even under a different vuid, would be bounced to guest. This explains several very hard to reproduce access denied bugs, and as the NT client also has bugs in that it will sometimes erroneously use guest instead of the correct vuid on an IPC$ connection lead to a *very* hard problem to find. This fix should be propagated into all branches (TNG/Applience take note) and I'll also make a separate patch availalble on the samba-technical list. Jeremy. (This used to be commit 0264fdafe909cf9e995df3ae7b64bedbe0b4e8a1)
2000-09-07Hopefully this should fix the primary group permission problem.Tim Potter1-2/+0
(This used to be commit 2f33ec41ac1d3243340455b6c3a6cea22d267f14)
2000-09-06Fix for the SID history problem when using a Win2k domain controllerJeremy Allison1-7/+4
with security=domain. Also fixed to dynamically allocate the SIDs and GIDs. Jeremy. (This used to be commit 2b1f66eb82f05fe0b85ac5b4916e32847b8de675)
2000-08-28smbd/password.c: Fixed typo in Tim's new code that caused insure overrun error.Jeremy Allison1-1/+0
smbd/reply.c: Fixed lowercasing UNIX character set problem. Jeremy. (This used to be commit 2b6e3ed7a6447d40d9dd7e9b5c286b1aabe4730d)
2000-08-28Merge bug - still getting used to dirdiff.Tim Potter1-1/+0
(This used to be commit cb717b4a2bb55eb2ff008e59203ebfeac6c5ab9f)
2000-08-28Merge from appliance branch.Tim Potter1-0/+10
(This used to be commit 567b0095b1b8393b3b1e32533aa2860ab3dbfa47)
2000-08-08Found the sec_ctx_stack overflow - a become_root() should have been anJeremy Allison1-1/+1
unbecome_root() - typo. Jeremy. (This used to be commit ebb160663ed55e44e44f1c3d17eb077a32c2ffb9)
2000-08-04Fixed up the user/group contexts when using authenticated pipes.Jeremy Allison1-3/+6
Added a become_root()/unbecome_root() (push/pop security context) around the initgroups() call to ensure it would succeed. Hmmm - I wonder if this call being done as non-root might explain any "group access" bugs we've had in the past.... Jeremy. (This used to be commit 06a65972e872f37d88b84f22ea714feebd38f6c0)
2000-08-03Added an NT_USER_TOKEN structure that is copied/passed around associatedJeremy Allison1-15/+12
with the current user. This will allow se_access_check() to quickly do a SD check without having to translate uid/gid's to SIDs. Still needs work on pipe calls. Jeremy. (This used to be commit e28d01b744b3dbd33e0e54af4e7f426fa8c082b8)
2000-08-02Started to canonicalize our handling of uid -> sid code in order toJeremy Allison1-67/+46
get ready and fix se_access_check(). Added cannonical lookup_name(), lookup_sid(), uid_to_sid(), gid_to_sid() functions that look via winbind first the fall back on local lookup. All Samba should use these rather than trying to call winbindd code directly. Added NT_USER_TOKEN struct in user_struct, contains list of NT sids associated with this user. se_access_check() should use this (cached) value rather than attempting to do the same thing itself when given a uid/gid pair. More work needs to be done to preserve these things accross security context changes (especially with the tricky pipe problem) but I'm beginning to see how this will be done..... probably by registering a new vuid for an authenticated RPC pipe and not treating the pipe calls specially. More thoughts needed - but we're almost there... Jeremy. (This used to be commit 5e5cc6efe2e4687be59085f562caea1e2e05d0a8)
2000-08-01Tidyup removing many of the 0xC0000000 | NT_STATUS_XXX stuff (only need ↵Jeremy Allison1-2/+2
NT_STATUS_XXX). Removed IS_BITS_xxx macros as they were just reproducing "C" syntax in a more obscure way. Jeremy. (This used to be commit c55bcec817f47d6162466b193d533c877194124a)
2000-07-10Spelling fixes.Tim Potter1-3/+3
(This used to be commit c1d242f1dd5b6addbe5d2df22e4759f6682fd9ef)
2000-06-23Delete OriginalDir stuff.Tim Potter1-3/+3
(This used to be commit 3d0f1845c8cefccfabcfd35694264c1e5f52c3af)
2000-06-14ZERO_STRUCT() of info3 structure before using it.Tim Potter1-0/+2
(This used to be commit efe7f818c927a925f2dee1ef4f6040c137e0c84e)
2000-06-09Luke, I am moving the code back into passdb/passdb.c, this the correctJeremy Allison1-52/+14
place to do this, not in smbd/passwd.c Please don't change this without asking first, I have run this past Andrew so talk to him (I'm on vacation next week). I also removed the g_newXXX macros. There are essentially a private C extension, not used anywhere else in the code, and add no functionality over malloc(XX) and make the code harder to understand (everyone knows what malloc does). Jeremy. (This used to be commit e1b1b6fb6794ba02e1fea510a981fa0ce0d12b58)
2000-06-09free NET_USER_INFO_3 gids when vuser invalidated.Luke Leighton1-0/+4
(This used to be commit 2f056c2aadd2e16d89b66aabd1c166ab8d5abd76)