summaryrefslogtreecommitdiff
path: root/source3/smbd/password.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r15589: While trying to understand the vuid code I found that security=share ↵Volker Lendecke1-3/+2
is broken right now. r14112 broke it, in 3.0.22 register_vuid for security=share returns UID_FIELD_INVALID which in current 3_0 is turned into an error condition. This makes sure that we only call register_vuid if sec!=share and meanwhile also fixes a little memleak. Then I also found a crash in smbclient with sec=share and hostmsdfs=yes. There's another crash with sec=share when coming from w2k3, but I need sleep now. Someone (jerry,jra?) please review the sesssetup.c change. Thanks, Volker (This used to be commit 8059d0ae395604503cad3d9f197928305923e3f5)
2007-10-10r15583: Add a comment while trying to understand this codeVolker Lendecke1-0/+5
(This used to be commit 7945c935bf197afb61286ddeb0e579078362a1fc)
2007-10-10r14112: * fix checks on return code from register_vuid() which could actuallyGerald Carter1-1/+1
fail and we would still return success in the SMBsesssetup reply :-( * Make sure to create the local token for the server_fino struct in reply_spnego_kerberos() so that register_vuid() does not fail. (how did this ever work?) (This used to be commit 8dafa45b97020d1aceb027a85e18401c965bf402)
2007-10-10r13915: Fixed a very interesting class of realloc() bugs found by Coverity.Jeremy Allison1-1/+1
realloc can return NULL in one of two cases - (1) the realloc failed, (2) realloc succeeded but the new size requested was zero, in which case this is identical to a free() call. The error paths dealing with these two cases should be different, but mostly weren't. Secondly the standard idiom for dealing with realloc when you know the new size is non-zero is the following : tmp = realloc(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } However, there were *many* *many* places in Samba where we were using the old (broken) idiom of : p = realloc(p, size) if (!p) { return error; } which will leak the memory pointed to by p on realloc fail. This commit (hopefully) fixes all these cases by moving to a standard idiom of : p = SMB_REALLOC(p, size) if (!p) { return error; } Where if the realloc returns null due to the realloc failing or size == 0 we *guarentee* that the storage pointed to by p has been freed. This allows me to remove a lot of code that was dealing with the standard (more verbose) method that required a tmp pointer. This is almost always what you want. When a realloc fails you never usually want the old memory, you want to free it and get into your error processing asap. For the 11 remaining cases where we really do need to keep the old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR, which can be used as follows : tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the pointer p, even on size == 0 or realloc fail. All this is done by a hidden extra argument to Realloc(), BOOL free_old_on_error which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR macros (and their array counterparts). It remains to be seen what this will do to our Coverity bug count :-). Jeremy. (This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0)
2007-10-10r13571: Replace all calls to talloc_free() with thye TALLOC_FREE()Gerald Carter1-5/+5
macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2007-10-10r13494: Merge the stuff I've done in head the last days.Volker Lendecke1-0/+129
Volker (This used to be commit bb40e544de68f01a6e774753f508e69373b39899)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-54/+89
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r12311: ReformattingVolker Lendecke1-15/+23
(This used to be commit 23f5be1dcbb9e5a1e7f24813c67009056b07d59c)
2007-10-10r12305: ReformattingVolker Lendecke1-8/+20
(This used to be commit f574e980aac5bae5e1e3cc23ec648b69a87eb04a)
2007-10-10r8472: abartlet's patch for parallel ntlmssp ↵Gerald Carter1-1/+36
supporttrunk/source/smbd/sesssetup.c (This used to be commit aab17a7095a18b243a271f8f3f824facd6932f23)
2007-10-10r7882: Looks like a large patch - but what it actually does is make SambaJeremy Allison1-2/+2
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-4/+4
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r2899: Change some #if DEBUG_PASSWORD's to #ifdef DEBUG_PASSWORD.Tim Potter1-1/+1
Bugzilla #1903. (This used to be commit 1327d83d902b6a39096d387d734e73d85ed53f85)
2007-10-10r2082: lp_path should be lp_pathname.Jeremy Allison1-1/+1
Paranoia fix on mangle prefix. Jeremy. (This used to be commit cc91bbe20d9cb26e52ad417f279e2d60c85af2dc)
2007-10-10r2077: fix logic bug in the check for creating a user's home directory in ↵Gerald Carter1-10/+13
register_vuid(); add a few extra debug lines (This used to be commit 02571e7f5040a577840c969ff9c46a1e533edc21)
2007-10-10r1506: Fix inspired by patches from Michael Collin Nielsen ↵Jeremy Allison1-11/+15
<michael@hum.aau.dk> - ensure home directory service number is correctly reused. Jeremy. (This used to be commit 9d6347be8580d092cda0357b5d1a81fc6876ac1f)
2007-10-10r519: fix bug in authorise_login() that broke security = shareGerald Carter1-0/+2
(This used to be commit b27192d8e7a4a1fd0cd737b4fd9190bcecfbb507)
2007-10-10r486: BUG 1309: fix seg fault caused by trying to strdup() a NULL pointerGerald Carter1-1/+5
(This used to be commit 0e1a6b34f2690da32bf568330575651988d0c965)
2007-10-10r225: Patch from Pat.Hayward@propero.net to make the session_users list dynamic.Jeremy Allison1-8/+28
I restricted it to 128k max to prevent DOS attacks. Jeremy. (This used to be commit 70fb2a196d83c4bde11d27608da27f956f3f19b8)
2004-03-27Merge from HEAD the SMB signing patch that I developed a couple of weeksAndrew Bartlett1-1/+1
ago. This patch re-adds support for 'optional' SMB signing. It also ensures that we are much more careful about when we enable signing, particularly with on-the-fly smb.conf reloads. The client code will now attempt to use smb signing by default, and disable it if the server doesn't correctly support it. Andrew Bartlett (This used to be commit e27b5cbe75d89ec839dafd52dd33101885a4c263)
2004-03-19BUG 417: fix %UuGg variables expansion in include lines setging the ↵Gerald Carter1-0/+4
current_user_info struct in register_vuid() -- shouldn't be any more broken than we were (This used to be commit a90c3bd281e7a62bb8482e42aa3b674eeeb5995a)
2004-01-31cleanup patch for bug 977 so we don't display incorrect debug messagesGerald Carter1-8/+12
(This used to be commit 11093ecfb7bab1ecb16d19ac00b3e7e38dff43e2)
2004-01-27bug 977 - don't create a homes share for a user if a static share already ↵Gerald Carter1-1/+7
exists by the same name (This used to be commit 6b89a76aa7efaa0ad7a0139aeb3e4ebf5c01cdcb)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-4/+19
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-09-26Fix for valid users = %S in homes share.Jeremy Allison1-3/+7
Jeremy. (This used to be commit c7f4e56ad5c25d477f20944e5b404ebafda9e1a8)
2003-09-05fix bug 397: use a variant of alloc_sub_basic() for string lists.Gerald Carter1-1/+4
(This used to be commit 62d5611df0cf86c267d7fe820822d4d019ae28bd)
2003-07-18Signing so far... the client code fails on a SMBtrans2 secondary transactionJeremy Allison1-5/+3
I think (my changes haven't affected this I believe). Initial support on the server side for smbclient. Still doesn't work for w2k clients I think... Work in progress..... (don't change). Jeremy. (This used to be commit e5714edc233424c2f74edb6d658f32f8e0ec9275)
2003-07-17Formatting tidyups to match the rest of the source.Jeremy Allison1-23/+33
Jeremy. (This used to be commit 86c5ebcf8f5eb57e9885627b3da4e486ee3f62d9)
2003-07-03Missed this in the previous patch - we now have a seperate idea of theAndrew Bartlett1-1/+1
'unix username' from the NT username, in the auth subsystem at least. Andrew Bartlett (This used to be commit df1aa2a669edc9f26007595411720742d7dff5d9)
2003-06-07Don't assume that the SAM knows the unix home directory - look it up byAndrew Bartlett1-6/+14
getpwnam() if need be. Fixes bug #130 Andrew Bartlett (This used to be commit a4bc789a3993be4b25955c729b533b86dba666f4)
2003-05-13Restore a number of fixes that idra removed when he merged hisAndrew Bartlett1-0/+1
idmap-and-the-rest from HEAD. These are correctness fixes that were already in 3.0, and a memory leak fix. The pdb_ldap changes are held back at jerry's request (he is also playing with pdb_ldap ATM). Andrew Bartlett (This used to be commit c7d5e336bd91514a02974044742b058be387e490)
2003-05-12And finally IDMAP in 3_0Simo Sorce1-9/+2
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12fixing typos in debug statementsGerald Carter1-1/+1
(This used to be commit f59bcb51cfe4e268ba43245d401d212aefdf2b72)
2003-04-23Merge the 'safe' parts of my StrnCpy patch - many of the users really wantedAndrew Bartlett1-3/+3
a pstrcpy/fstrcpy or at most a safe_strcpy(). These have the advantage of being compiler-verifiable. Get these out of the way, along with a rewrite of 'get_short_archi' in the spoolss client and server. (This pushes around const string pointers, rather than copied strings). Andrew Bartlett (This used to be commit 32fb801ddc035e8971e9911ed4b6e51892e9d1cc)
2003-04-23Don't leak the session identifier string when we shut down a vuid.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit 33189b4be0ac79d5e7bc2606f40187118ee506a4)
2003-02-24Merge of server-side authentication changes to 3.0:Andrew Bartlett1-19/+40
- user_ok() and user_in_group() now take a list of groups, instead of looking for the user in the members of all groups. - The 'server_info' returned from the authentication is now kept around - in future we won't copy the sesion key, username etc, we will just referece them directly. - rhosts upgraded to use the SAM if possible, otherwise fake up based on getpwnam(). - auth_util code to deal with groups upgraded to deal with non-winbind domain members again. Andrew Bartlett (This used to be commit 74b5436c75114170ce7c780c19226103d0df9060)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-5/+7
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-11-02Merge passdb from HEAD -> 3.0Andrew Bartlett1-1/+1
The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-09-25sync'ing up for 3.0alpha20 releaseGerald Carter1-121/+41
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-08-17Sync 3.0 branch with headJelmer Vernooij1-29/+7
(This used to be commit 42615b945e2e48e53a21ea47f2e45407913a6a1e)
2002-07-15updated the 3.0 branch from the head branch - ready for alpha18Andrew Tridgell1-109/+73
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-20Kill off another ugly wart from the side of the passdb subsystem.Andrew Bartlett1-0/+2
This time its the pdb_getsampwuid() function - which was only being used by the SAMR rpc subsystem to gain a 'user session key'. This 'user session key' is actually generated at login time, and the other changes here simply move that data around. This also means that (when I check some details) we will be able to use the user session key, even when we are not actually the DC, becouse its one of the components of the info3 struct returned on logon. Andrew Bartlett (This used to be commit 799ac01fe08a338e4e94289f5d6767ebf905c1fa)
2002-01-17A nice *big* change to the fundemental way we do things.Andrew Bartlett1-0/+16
Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps them around for a long time - often past the next call... This adds a getpwnam_alloc and a getpwuid_alloc to the collection. These function as expected, returning a malloced structure that can be free()ed with passwd_free(&passwd). This patch also cuts down on the number of calls to getpwnam - mostly by taking advantage of the fact that the passdb interface is already case-insensiteve. With this patch most of the recursive cases have been removed (that I know of) and the problems are reduced further by not using the sys_ interface in the new code. This means that pointers to the cache won't be affected. (This is a tempoary HACK, I intend to kill the password cache entirly). The only change I'm a little worried about is the change to rpc_server/srv_samr_nt.c for private groups. In this case we are getting groups from the new group mapping DB. Do we still need to check for private groups? I've toned down the check to a case sensitve match with the new code, but we might be able to kill it entirly. I've also added a make_modifyable_passwd() function, that copies a passwd struct into the form that the old sys_getpw* code provided. As far as I can tell this is only actually used in the pass_check.c crazies, where I moved the final 'special case' for shadow passwords (out of _Get_Pwnam()). The matching case for getpwent() is dealt with already, in lib/util_getent.c Also included in here is a small change to register the [homes] share at vuid creation rather than just in one varient of the session setup. (This picks up the SPNEGO cases). The home directory is now stored on the vuid, and I am hoping this might provide a saner way to do %H substitions. TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change the remaining sys_getpwnam() callers to use getpwnam_alloc() and move Get_Pwnam to return an allocated struct. Andrew Bartlett (This used to be commit 1d86c7f94230bc53daebd4d2cd829da6292e05da)
2002-01-02Actually enforce the passdb API.Andrew Bartlett1-1/+1
Thou shalt not reference SAM_ACCOUNT members directly - always use pdb_get/pdb_set. This is achived by making the whole of SAM_ACCOUNT have a .private member, where the real members live. This caught a pile of examples, and these have beeen fixed. The pdb_get..() functions are 'const' (have been for some time) and this required a few small changes to constify other functions. I've also added some debugs to the pdb get and set, they can be removed if requested. I've rewritten the copy_id2x_to_sam_pass() functions to use the new passdb interface, but I need the flags info to do it properly. The pdb_free_sam() funciton now blanks out the LM and NT hashes, and as such I have removed many extra 'samr_clear_sam_passwd(smbpass)' calls as a result. Finally, any and all testing is always appriciated - but the basics seem to work. Andrew Bartlett (This used to be commit d3dd28f6c443187b8d820d5a39c7c5b3be2fa95c)
2001-12-27moving SAM_ACCOUNT to include a bit field for initializedGerald Carter1-8/+8
members (such as uid and gid). This way we will be able to keep ourselves from writing out default smb.conf settings when the admin doesn't want to, That part is not done yet. Tested compiles with ldap/tdb/smbpasswd. Tested connection with smbpasswd backend. oh...and smbpasswd doesn'y automatically expire accounts after 21 days from the last password change either now. Just ifdef'd out that code in build_sam_account(). Will merge updates into 2.2 as they are necessary. jerry (This used to be commit f0d43791157d8f04a13a07d029f203ad4384d317)
2001-11-26Got medieval on another pointless extern. Removed extern struct ipzeroTim Potter1-2/+0
and replaced with two functions: void zero_ip(struct in_adder *ip); BOOL is_zero_ip(struct in_addr ip); (This used to be commit 778f5f77a66cda76348a7c6f64cd63afe2bfe077)
2001-11-19Cosmetic fix for debug statement.Tim Potter1-2/+1
(This used to be commit 507ef80f48a8fca762e41be5cdb80ce86544da3f)
2001-11-09This change updates lp_guestaccount() to be a *global* paramater, rather thanAndrew Bartlett1-5/+6
per-share. I beleive that almost all the things that this could have done on a per-share basis can be done with other tools, like 'force user'. Almost all the user's of this paramater used it as a global anyway... While this is one step at a time, I hope it will allow me to considerably simplfy the make_connection() code, particularly for the user-level security case. This already removes an absolute truckload of extra attempted password lookups on the guest account. Andrew Bartlett (This used to be commit 8e708332eded210c1d1fe0cebca3c9c19f054b71)
2001-11-08Change to guest logon code.Andrew Bartlett1-9/+9
This changes the way we process guest logons - we now treat them as normal logons, but set the 'guest' flag. In particular this is needed becouse Win2k will do an NTLMSSP login with username "", therefore missing our previous guest connection code - this is getting a pain to do as a special case all over the shop. Tridge: We don't seem to be setting a guest bit for NTLMSSP, in either the anonymous or authenticated case, can you take a look at this? Also some cleanups in the check_password() code that should make some of the debugs clearer. Various other minor cleanups: - change the session code to just take a vuser, rather than having to do a vuid lookup on vuser.vuid - Change some of the global_client_caps linking - Better debug in authorise_login(): show the vuid. Andrew Bartlett (This used to be commit 62f4e4bd0aef9ade653b3f8d575d2864c166ab4d)