path: root/source3/smbd/sesssetup.c
Age | Author | Files | Lines | Commit message

2001-11-24 | Andrew Bartlett | 1 | -38/+85
This is another rather major change to the samba authentication subsystem.

The particular aim is to modularize the interface - so that we can have arbitrary password back-ends.

This code adds one such back-end, a 'winbind' module to authenticate against the winbind_auth_crap functionality. While fully-functional this code is mainly useful as a demonstration, because we don't get back the info3 as we would for direct ntdomain authentication.

This commit introduced the new 'auth methods' parameter, in the spirit of the 'auth order' discussed on the lists. It is renamed because not all the methods may be consulted, even if previous methods fail - they may not have a suitable challenge for example.

Also, we have a 'local' authentication method, for old-style 'unix if plaintext, sam if encrypted' authentication and a 'guest' module to handle guest logins in a single place.

While this current design is not ideal, I feel that it does provide a better infrastructure than the current design, and can be built upon.

The following parameters have changed:

 - use rhosts =
   This has been replaced by the 'rhosts' authentication method, and can be specified like 'auth methods = guest rhosts'
 - hosts equiv =
   This needs both this parameter and an 'auth methods' entry to be effective. (auth methods = guest hostsequiv ....)
 - plaintext to smbpasswd =
   This is replaced by specifying 'sam' rather than 'local' in the auth methods.

The security = parameter is unchanged, and now provides defaults for the 'auth methods' parameter.

The available auth methods are:

 guest
 rhosts
 hostsequiv
 sam (passdb direct hash access)
 unix (PAM, crypt() etc)
 local (the combination of the above, based on encryption)
 smbserver (old security=server)
 ntdomain (old security=domain)
 winbind (use winbind to cache DC connections)

Assistance in testing, or the production of new and interesting authentication modules is always appreciated.

Andrew Bartlett
(This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)

2001-11-20 | Andrew Tridgell | 1 | -0/+8
add a hook to save the krb5 PAC
(This used to be commit 1cbc18ae732671d9a60528f8300ca7609e124d11)

2001-11-12 | Tim Potter | 1 | -6/+6
Spelling fixes.
(This used to be commit 5c486bd28a5d4194b7cd50fd0fe3430d0d2eaa9b)

2001-11-12 | Andrew Bartlett | 1 | -23/+17
Code duplication is bad. So add an add_signiture() function and just reference that.
(This used to be commit a82c8638576b2c2164eaf046aa529e233ffb71d6)

2001-11-11 | Andrew Bartlett | 1 | -47/+0
Kill off 'restrict anonymous' because it is useless in its current form.

To be replaced with a real restriction in consultation with jra. (Hence why I've not touched loadparm.c).

Andrew Bartlett
(This used to be commit 95901449158a4ef7f95f75b22f63f6f8d43a01fe)

2001-11-09 | Andrew Bartlett | 1 | -2/+2
This change updates lp_guestaccount() to be a *global* parameter, rather than per-share.

I believe that almost all the things that this could have done on a per-share basis can be done with other tools, like 'force user'. Almost all the users of this parameter used it as a global anyway...

While this is one step at a time, I hope it will allow me to considerably simplify the make_connection() code, particularly for the user-level security case.

This already removes an absolute truckload of extra attempted password lookups on the guest account.

Andrew Bartlett
(This used to be commit 8e708332eded210c1d1fe0cebca3c9c19f054b71)

2001-11-09 | Andrew Tridgell | 1 | -1/+1
fix the tree so it compiles again

grumble, mumble, ...
(This used to be commit 72c1af6f8d9893dd5b8b4d105b301d8c621749c6)

2001-11-08 | Andrew Bartlett | 1 | -58/+62
Change to guest logon code.

This changes the way we process guest logons - we now treat them as normal logons, but set the 'guest' flag. In particular this is needed because Win2k will do an NTLMSSP login with username "", therefore missing our previous guest connection code - this is getting a pain to do as a special case all over the shop.

Tridge: We don't seem to be setting a guest bit for NTLMSSP, in either the anonymous or authenticated case, can you take a look at this?

Also some cleanups in the check_password() code that should make some of the debugs clearer.

Various other minor cleanups:

 - change the session code to just take a vuser, rather than having to do a vuid lookup on vuser.vuid
 - Change some of the global_client_caps linking
 - Better debug in authorise_login(): show the vuid.

Andrew Bartlett
(This used to be commit 62f4e4bd0aef9ade653b3f8d575d2864c166ab4d)

2001-11-03 | Andrew Bartlett | 1 | -1/+1
anonymous logins are guest logins, so mark them as such. (Otherwise they can browse non-guest shares).
(This used to be commit 7131fe3be4eb2c652f3afe2f3cd99d3f82e09654)

2001-11-03 | Andrew Bartlett | 1 | -5/+5
Move the test for non-SPNEGO session setups when using SPNEGO, because it's a perfectly valid behaviour for guest logins.
(This used to be commit 4db8d70ad74cdbd74c0578e66377fd0233195aaa)

2001-11-01 | Andrew Bartlett | 1 | -3/+3
Various post AuthRewrite cleanups, fixups and tidyups.

Zero out some of the plaintext passwords for paranoia

Fix up some of the other passdb backends with the change to *uid_t rather than uid_t.

Make some of the code in srv_netlog_nt.c clearer, is passing an array around, so pass its length in is definition, not as a separate parameter.

Use sizeof() rather than magic numbers, it makes things easier to read.

Cope with a PAM authenticated user who is not in /etc/passwd - currently by saying NO_SUCH_USER, but this can change in future.

Andrew Bartlett
(This used to be commit 514c91b16baca639bb04638042bf9894d881172a)

2001-10-31 | Andrew Bartlett | 1 | -7/+9
This should fix up the compile with krb5.

This needs to use the auth interface at some stage, but for now this will do.
(This used to be commit 8dc4f2e44b150cdcdecd2f6028bf06907ff90cad)

2001-10-31 | Andrew Bartlett | 1 | -197/+159
This is a fairly large patch (3300 lines) and reworks most of the AuthRewrite code. In particular this assists tpot in some of his work, because it provides the connection between the authentication and the vuid generation.

Major Changes:

 - Fully malloc'ed structures.
 - Massive rework of the code so that all structures are made and destroyed using malloc and free, rather than hanging around on the stack.
 - SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them to be declared 'invalid' without the chance that people might get ROOT by default.
 - kill off some of the "DOMAIN\user" lookups. These can be readded at a more appropriate place (probably domain_client_validate.c) in the future. They don't belong in session setups.
 - Massive introduction of DATA_BLOB structures, particularly for passwords.
 - Use NTLMSSP flags to tell the backend what it's getting, rather than magic lengths.
 - Fix winbind back up again, but tpot is redoing this soon anyway.
 - Abstract much of the work in srv_netlog_nt back into auth helper functions.

This is a LARGE change, and any assistance in testing it is appreciated.

Domain logons are still broken (as far as I can tell) but other functionality seems intact. Needs testing with a wide variety of MS clients.

Andrew Bartlett
(This used to be commit f70fb819b2f57bd57232b51808345e2319d52f6c)

2001-10-30 | Andrew Bartlett | 1 | -1/+7
Spnego on the 'server' end of security=server just does not work, so set the flags so we just do a 'normal' session setup.

Also add some paranoia code to detect when somebody attempts to do a 'normal' session setup when spnego had been negotiated.

Andrew Bartlett
(This used to be commit 190898586fa218c952fbd5bea56155d04e6f248b)

2001-10-23 | Herb Lewis | 1 | -1/+1
get rid of compiler warnings (casts and delete unused variables)
(This used to be commit 51cb4411df61d1caec9d84809b1a53a6a632f808)

2001-10-22 | Andrew Tridgell | 1 | -19/+5
 - fixed link order of krb5 libs
 - accept a wide range of principal names in session setup
(This used to be commit 672df66296f540b606aa43effab5f021b8978e4b)

2001-10-21 | Jeremy Allison | 1 | -6/+6
Ok, I know it's a language thing and it shouldn't matter.... but a kerberos name is a "principal", not a principle. English majors will complain :-).

Jeremy.
(This used to be commit b668d7d656cdd066820fb8044f24bcd4fda29524)

2001-10-21 | Andrew Tridgell | 1 | -22/+18
change smbd to use HOST/hostname principle form until I work out how to use the other form in netjoin

smb_wct is a char, not a word
(This used to be commit 3dbb48b188980cf6c869dc762e3039dd375bf392)

2001-10-21 | Andrew Tridgell | 1 | -2/+8
fixed the spnego detection code in session setup

this gets share mode working again
(This used to be commit 8286e5307ca47f14d27ee0d9bc9700d52151d56a)

2001-10-20 | Andrew Tridgell | 1 | -1/+62
crude fix for anonymous session setup with extended security negotiated
(This used to be commit b3caf2109090cb2b97a829913bee7e50e7eacba8)

2001-10-20 | Andrew Tridgell | 1 | -1/+6
better krb5 error handling (thanks andrewb!)
(This used to be commit fd3a3daef3b8f7140e7006d30d23d739ac3aad2f)

2001-10-20 | Andrew Tridgell | 1 | -8/+58
finished auth when we get a valid kerberos ticket

smbd now works with kerberos authentication if you use a MIT KDC and smbclient. Next step is to make it work with a windows client
(This used to be commit e0c99e1f3708b155b8db99950f9ac6e27763368f)

2001-10-18 | Andrew Tridgell | 1 | -9/+91
the beginnings of kerberos support in smbd. It doesn't work yet, but it should give something for others to hack on and possibly find what I'm doing wrong.
(This used to be commit 353c290f059347265b9be2aa1010c2956da06485)

2001-10-17 | Andrew Tridgell | 1 | -2/+2
removed some debug code
(This used to be commit b9e1f05393aaadf1fbe09338417977e2a3cb4559)

2001-10-17 | Andrew Tridgell | 1 | -0/+258
added basic NTLMSSP support in smbd. This is still quite rough, and loses things like username mapping. I wanted to get this in then discuss it a bit to see how we want to split up the existing session setup code
(This used to be commit b74fda69bf23207c26d8b2af23910d8f2eb89875)

2001-10-15 | Andrew Tridgell | 1 | -0/+355
split session setup code out of reply.c in preparation for adding NTLMSSP and kerberos support in smbd
(This used to be commit 38a43d75e25bbebe0f6cdfcf389129a842ede842)