summaryrefslogtreecommitdiff
path: root/source3/utils/ntlm_auth.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r11573: Adding Andrew Bartlett's patch to make machine accountJeremy Allison1-0/+2
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
2007-10-10r11232: Added ab's POSIX statvfs vfs call. Sorry for the delay ab.Jeremy Allison1-1/+1
Jeremy. (This used to be commit af8545806770a7530eecc184bdd230ca14999884)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-2/+2
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-13/+18
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r9198: Convert hex_encode and strhex_to_data_blob to take a talloc context.Volker Lendecke1-22/+20
Volker (This used to be commit c7d10e2c834d8d5136e2d01dea1ad286757deddb)
2007-10-10r7882: Looks like a large patch - but what it actually does is make SambaJeremy Allison1-6/+6
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10r6450: * fix typo in htlm_auth help messageGerald Carter1-2/+2
* add synonym for idmap_rid in better lining with other idmap backend names * remove old debug messages when idmap {uid|gid} options are not defined (This used to be commit 03ebf3ebfe83897d8c18e57ed378154d1377874b)
2007-10-10r4259: Fix cast in SMB_XMALLOC_ARRAY. Bugzilla #2168.Tim Potter1-1/+1
(This used to be commit 0c3bb181e8f4d10d446f9211904d53f42ddcbaeb)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-14/+14
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3377: Merge in first part of modified patch from Nalin Dahyabhai ↵Jeremy Allison1-1/+1
<nalin@redhat.com> for bug #1717.The rest of the code needed to call this patch has not yet been checked in (that's my next task). This has not yet been tested - I'll do this once the rest of the patch is integrated. Jeremy. (This used to be commit 7565019286cf44f43c8066c005b1cd5c1556435f)
2007-10-10r3273: Ensure we're consistent in the use of strchr_m for '@'.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 0f3f7b035b37bfc51d3a59d0472003c3d4ac1511)
2007-10-10r2835: Since we always have -I. and -I$(srcdir) in CFLAGS, we can get rid ofTim Potter1-1/+1
'..' from all #include preprocessor commands. This fixes bugzilla #1880 where OpenVMS gets confused about the '.' characters. (This used to be commit 7f161702fa4916979602cc0295919b541912acd6)
2007-10-10r2762: Remove silly conversion to and from UTF8 on the winbind pipe. Fix theAndrew Bartlett1-28/+16
naming of the require_membership_of parameter in pam_winbind and fix the error code for 'you didn't specify a domain' in ntlm_auth. Andrew Bartlett (This used to be commit 4bf0b94011fe6bfbec5635e58cafbfe3dc898569)
2007-10-10r2147: Fix utility name in error message (pre-emptivly merged to trunk ;-)Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 657bb14789bcec65668d072fec0f954d1e5322ef)
2007-10-10r1582: On failure, print the length of the right variable.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 5bd6abb54e12aee2031d48bc5b240bb4f127bf5a)
2007-10-10r1492: Rework our random number generation system.Andrew Bartlett1-1/+1
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). Andrew Bartlett (This used to be commit 36741d3cf53a7bd17d361251f2bb50851cdb035f)
2007-10-10r1128: The end-of-file is not the end of the world, so don't make a load ↵Andrew Bartlett1-3/+7
DEBUG() about it. Andrew Bartlett (This used to be commit 4da976dbd07e70726055cc4251fd1c26f63b3b2c)
2007-10-10r1126: Allow more flexible GSS-SPENGO client and server operation. TheAndrew Bartlett1-16/+18
client now falls back to NTLMSSP, and the server allows the client to start, without first asking for a mech list. Andrew Bartlett (This used to be commit feccc3daca7b2e9091b81fbbb93dc7284baedb99)
2007-10-10r1124: ntlm_auth memory leak fixes by James Wilkinson - ↵Andrew Bartlett1-0/+4
jwilk@alumni.cse.ucsc.edu Andrew Bartlett (This used to be commit 94c0827ce20d8d1084703f6f5e4ad3b3c33151f8)
2007-10-10r517: Remove wrong commit I did by mistakeAlexander Bokovoy1-6/+0
(This used to be commit 72d30ea06612461bdf19916fa40ca459f0c37acc)
2007-10-10r516: On GNU/Linux distributions which allow to use both 2.4 and 2.6 kernelsAlexander Bokovoy1-0/+6
there is SYS_utimes syscall defined at compile time in glibc-kernheaders but it is available on 2.6 kernels only. Therefore, we can't rely on syscall at compile time but have to check that behaviour during program execution. An easy workaround is to have replacement for utimes() implemented within our wrapper and do not rely on syscall at all. Thus, if REPLACE_UTIME is defined already (by packager), skip these syscall shortcuts. (This used to be commit e278e2e6e095b1c01eab307d55edf2cde48dcba2)
2007-10-10r240: I'm pretty happy with the 'ntlm-server-1' helper protocol now, and asAndrew Bartlett1-2/+0
there is now a public patch that uses it, make it always available. (It was #ifdef DEVELOPER) Andrew Bartlett (This used to be commit aa3bc79835c79652199ce5aaf2f3981f8211c9bd)
2007-10-10r201: Fix bugs in the --helper-protocol=ntlm-server-1 implementation.Andrew Bartlett1-8/+9
(allow the use of base64 encoded strings, LM or NT passwords) Andrew Bartlett (This used to be commit 57a5563b421b0684e7bb40d10c2168916c59c89d)
2007-10-10r191: Only send the ntlm_auth 'ntlm-server-1' helper client a '.' after theAndrew Bartlett1-2/+1
server had said something (such as an error). Andrew Bartlett (This used to be commit c05016a2f750960c40387c1d6aba9f6841f66a3b)
2007-10-10r188: Add a new 'helper protocol' to ntlm_auth.Andrew Bartlett1-2/+202
This protocol looks rather like SMTP headers/LDAP: NT-Domain: TESTWG Username: abartlet ... Password: foo Challenge-response passwords are in hexideciaml, while any 'plain' string can be base64 encoded when like this: Password:: Zm9vCg== (the :: indicates it, just like LDAP - I hope) The protocol is not final, so it is #ifdef DEVELOPER for now (so nobody starts to rely on it until I'm happy), but we may as well get this into subversion. My intention is to use this to power the next version of my PPP/ntlm_auth plugin, and hopefully entice a FreeRadius plugin out of the woods. Andrew Bartlett (This used to be commit 8efdd957ba8310515242ba2979ff07130a0b1a3a)
2007-10-10r177: Split ntlm_auth --diagnostics into a seperate file, so as not to clutterAndrew Bartlett1-599/+30
the main ntlm_auth program. It quite possibly should belong in smbtorture, but relies on the winbind client for now. Andrew Bartlett (This used to be commit 6e1b7a8848062a184ee293cf688135b851f2bd8d)
2007-10-10r171: Continue the 'rename nt_session_key' work. This attempts to renameAndrew Bartlett1-88/+76
this variable to 'user_session_key', where possible. The command line parameter is currently unchanged). Andrew Bartlett (This used to be commit da4177209d1058af8e121c34f9928728f491b22e)
2007-10-10r104: Fix ntlm_auth by adding the new strhex_to_data_blob() call.Andrew Bartlett1-6/+0
Andrew Bartlett (This used to be commit 0693b9e79fabd58491f8aaec11dbbc71fab34f80)
2007-10-10r87: Fix the build that Andrew Bartlett broke. Andrew - don't check ↵Jeremy Allison1-0/+6
*ANYTHING* in unless you have done a make clean; make. Jeremy. (This used to be commit 09d82a0bef2dd5759e5430c4faea413b5a64ac11)
2007-10-10r84: Implement --required-membership-of=, an ntlm_auth option that restrictsAndrew Bartlett1-38/+113
all authentication to members of this particular group. Also implement an option to allow ntlm_auth to get 'squashed' error codes, which are safer to communicate to remote network clients. Andrew Bartlett (This used to be commit eb1c1b5eb086f49a230142ad2de45dc0e9691df3)
2007-10-10r69: Global rename of 'nt_session_key' -> 'user_session_key'. The session ↵Andrew Bartlett1-22/+22
key could be anything, and may not be based on anything 'NT'. This is also what microsoft calls it. (This used to be commit 724e8d3f33719543146280062435c69a835c491e)
2004-04-03Fix most of bug #169.Andrew Bartlett1-0/+1
For a (very) long time, we have had a bug in Samba were an NTLMv2-only PDC would fail, because it converted the password into NTLM format for checking. This patch performs the direct comparison required for interactive logons to function in this situation. It also removes the 'auth flags', which simply where not ever used. Natrually, this plays with the size of structures, so rebuild, rebuild rebuild... Andrew Bartlett (This used to be commit 9598593bcf2d877b1d08cd6a7323ee0bc160d4ba)
2004-03-24Fix bugzilla # 1208Jim McDonough1-1/+2
Winbind tickets expired. We now check the expiration time, and acquire new tickets. We couln't rely on renewing them, because if we didn't get a request before they expired, we wouldn't have renewed them. Also, there is a one-week limit in MS on renewal life, so new tickets would have been needed after a week anyway. Default is 10 hours, so we should only be acquiring them that often, unless the configuration on the DC is changed (and the minimum is 1 hour). (This used to be commit c2436c433afaab4006554a86307f76b6689d6929)
2004-03-11Restore the contract on all convert_stringXX() interfaces. Add a ↵Jeremy Allison1-1/+1
"allow_bad_conv" boolean parameter that allows broken iconv conversions to work. Gets rid of the nasty errno checks in mangle_hash2 and check_path_syntax and allows correct return code checking. Jeremy. (This used to be commit 7b96765c23637613f079d37566d95d5edd511f05)
2004-02-08Make this table static const.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 0686bc9e076c722e33dd9b236cf7c33d448c3b34)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-5/+10
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2003-12-30Get the DOMAIN\username around the right way (I had username\domain...)Andrew Bartlett1-1/+3
Push the unix username into utf8 for it's trip across the socket. Andrew Bartlett (This used to be commit 3225f262b18bdcf326d3bfd031dac169bd9347c9)
2003-12-30Try to gain a bit more consistancy in the output of usernames from ntlm_auth:Andrew Bartlett1-11/+23
Instead of returning a name in DOMAIN\user format, we now return it in the same way that nsswtich does - following the rules of 'winbind use default domain', in the correct case and with the correct seperator. This should help sites who are using Squid or the new SASL code I'm working on, to match back to their unix usernames. Andrew Bartlett (This used to be commit 7a3a5a63612b2698a39f784859496c395505a79b)
2003-12-30Make the name of the NTLMSSP client more consistant before we lock it in stone.Andrew Bartlett1-2/+2
(This used to be commit 0fa268863b7352343eb7f211181a02f60848bd0c)
2003-12-30Remove testing hackAndrew Bartlett1-2/+0
(This used to be commit 96f3beb462a6d4a489e894c1f05c528107135b3a)
2003-12-30Move our basic password checking code from inside the authenticationAndrew Bartlett1-54/+254
subsystem into a seperate file - ntlm_check.c. This allows us to call these routines from ntlm_auth. The purpose of this exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to avoid talking to winbind. This should allow for easier debugging. ntlm_auth itself has been reorgainised, so as to share more code between the SPNEGO-wrapped and 'raw' NTLMSSP modes. A new 'client' NTLMSSP mode has been added, for use with a Cyrus-SASL module I am writing (based on vl's work) Andrew Bartlett (This used to be commit 48315e8fd227978e0161be293ad4411b45e3ea5b)
2003-12-30Refactor our authentication and authentication testing code.Andrew Bartlett1-342/+181
The next move will be to remove our password checking code from the SAM authentication backend, and into a file where other parts of samba can use it. The ntlm_auth changes provide for better use of common code. Andrew Bartlett (This used to be commit 2375abfa0077a884248c84614d5109f57dfdf5b1)
2003-12-24Thanks to Serassio Guido for noticing issues in our Squid NTLMSSPAndrew Bartlett1-4/+9
implementation. We were not resetting the NTLMSSP state for new negotiate packets. Andrew Bartlett (This used to be commit e0a026c9b561893e5534923b18ca748e6177090e)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-72/+112
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-06Final round of printf warnings fixes for the moment.Tim Potter1-2/+2
(This used to be commit 0519a7022b4979c0e8ddd4907f4b858a59299c06)
2003-08-15get rid of more compiler warningsHerb Lewis1-39/+39
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
2003-08-15Add the gss-spnego kerberos server side to ntml_auth. This uses theVolker Lendecke1-10/+68
same ads_verify_ticket routine that smbd uses, so in the current state we have to be have the host password in secrets.tdb instead of the keytab. This means we have to be an ADS member, but it's a start. Volker (This used to be commit dc2d2ad467927affbd1461df75f77f07ddfbc3b1)
2003-08-14Fix the build for non-kerberos environments.Volker Lendecke1-0/+8
Volker (This used to be commit c8f4d7952ffbe0438e33c37ae1365e5dd4f1734a)
2003-08-12This adds *experimental* kerberos gss spnego client support to ntlm_auth.Volker Lendecke1-12/+110
(This used to be commit 5522c79045dd9ee6804bc2bf2114178cbed6df48)
2003-08-12Some more shuffling around gss-spnego serverVolker Lendecke1-34/+37
(This used to be commit f2c85595dae81e119d0f7f9ec769ff865916a052)