summaryrefslogtreecommitdiff
path: root/source3/utils/ntlm_auth.c
AgeCommit message (Collapse)AuthorFilesLines
2004-01-05(merge from 3.0)Andrew Bartlett1-11/+25
Try to gain a bit more consistancy in the output of usernames from ntlm_auth: Instead of returning a name in DOMAIN\user format, we now return it in the same way that nsswtich does - following the rules of 'winbind use default domain', in the correct case and with the correct seperator. This should help sites who are using Squid or the new SASL code I'm working on, to match back to their unix usernames. -- Get the DOMAIN\username around the right way (I had username\domain...) Push the unix username into utf8 for it's trip across the socket. Andrew Bartlett (This used to be commit 4c2e1189ff84d254f19b604999d011fdb17e538d)
2004-01-05(merge from 3.0)Andrew Bartlett1-4/+2
Remove testing hack Make the name of the NTLMSSP client more consistant before we lock it in stone. Andrew Bartlett (This used to be commit 273dcda9ce62eb04c9cce673bb49b41982b26d98)
2004-01-05(merge from 3.0)Andrew Bartlett1-54/+254
Move our basic password checking code from inside the authentication subsystem into a seperate file - ntlm_check.c. This allows us to call these routines from ntlm_auth. The purpose of this exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to avoid talking to winbind. This should allow for easier debugging. ntlm_auth itself has been reorgainised, so as to share more code between the SPNEGO-wrapped and 'raw' NTLMSSP modes. A new 'client' NTLMSSP mode has been added, for use with a Cyrus-SASL module I am writing (based on vl's work) Andrew Bartlett (This used to be commit 2f196bb31ac83cf7922583063c74a5f679ca5be7)
2004-01-05(merge from 3.0)Andrew Bartlett1-342/+181
Refactor our authentication and authentication testing code. The next move will be to remove our password checking code from the SAM authentication backend, and into a file where other parts of samba can use it. The ntlm_auth changes provide for better use of common code. Andrew Bartlett (This used to be commit 0d97b10248347398fbee66767baac0c7adf6889d)
2003-12-24(merge from 3.0)Andrew Bartlett1-4/+9
Thanks to Serassio Guido for noticing issues in our Squid NTLMSSP implementation. We were not resetting the NTLMSSP state for new negotiate packets. Andrew Bartlett (This used to be commit ada064af72e120aacd733245292e988dd696d059)
2003-11-22(merge from 3.0)Andrew Bartlett1-72/+112
Changes all over the shop, but all towards: - NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... Andrew Bartlett (This used to be commit 57a895aaabacc0c9147344d097d333793b77c947)
2003-09-09sync 3.0 into HEAD for the last timeGerald Carter1-142/+332
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
2003-08-02port latest changes from SAMBA_3_0 treeSimo Sorce1-2/+507
(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)
2003-07-16trying to get HEAD building again. If you want the codeGerald Carter1-29/+558
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE (This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
2003-05-10Reverse previous patch from Stefan and me after comments by Andrew Bartlett.Jelmer Vernooij1-2/+0
(This used to be commit d31509fe88da8727521586dced1da2c73bfee2bc)
2003-05-10Patch from metze and me that adds dummy smb_register_*() functionsJelmer Vernooij1-0/+2
(This used to be commit 367a5cad1edf6a49783806d5a8b59a62d8856706)
2003-04-28Merge compile and other fixes from 3.0 to HEAD.Andrew Bartlett1-1/+1
Including smbtorture bugfixes, and a better TCONDEV test. Andrew Bartlett (This used to be commit 52c5806004022f153af7d022afdb3ec7cc0d2548)
2003-04-28Fix compiler warning.Tim Potter1-1/+1
(This used to be commit 6a783ca81cead3eed556570152608fd7a224f1ee)
2003-04-02Print out the 'freindly' error message from winbind. Also print usefulAndrew Bartlett1-4/+6
information into it re the privilaged pipe. Also clean up some bugs in winbindd_pam.c Andrew Bartlett (This used to be commit e73b01204a8625946ff0fb5f9fc99dd959eb801c)
2003-04-02error_string, not error_message...Andrew Bartlett1-1/+1
(This used to be commit ce197eae8d254114a295142b522cc028c375ae88)
2003-04-02Clean up ntlm_auth a bit, and add a --diagnositics swtich, to check thatAndrew Bartlett1-111/+417
the returned session key is the one that we expect to get for that each of login. Andrew Bartlett (This used to be commit fa47e44b9caba98e0b85782f3057e6cb8a5763ff)
2003-03-31Remove useless popt optionsJelmer Vernooij1-2/+0
(This used to be commit 861b2a464fed3a16f050972feed1900298fb0bcb)
2003-03-24Revoke some of the popt patch from metze I applied earlier today. It addedJelmer Vernooij1-1/+2
some double options and broke some parameters. (This used to be commit d5f9b0275c91512e1926504f22aaeec2d104430d)
2003-03-24Patch from metze to generalise POPT_COMMON_SAMBA, with some minor changesJelmer Vernooij1-6/+4
(This used to be commit 2ddfed298d7f0b6e690275725a39c3ef107077ae)
2003-03-23NTLM Authentication:Andrew Bartlett1-82/+82
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit dcdc75ebd89f504a0f6e3a3bc5b43298858d276b)
2003-02-18Add -V option (to print out version) to utilities where possibleJelmer Vernooij1-0/+1
(pdbedit already has a -V option..) (This used to be commit 5de622968d95c1436dbd34edc8d0a9bbff68916b)
2003-01-17the 'static' keyword here is useless as we are not declaring aAndrew Tridgell1-1/+1
variable or function (This used to be commit f2c9c64900c4da24f73b188deb0f57271e3bf3e7)
2003-01-16Updates to the NTLMSSP code again - moving the base64 decode fuctionality outAndrew Bartlett1-29/+150
of the SWAT code, and adding a base64 encoder. The main purpose of this patch is to add NTLMSSP support to 'ntlm_auth', for use with Squid. Unfortunetly the squid side doesn't quite support what we need yet. Changes to winbind to get us the info we need, and a couple of consequential changes/cleanups in the rest of the code. Andrew Bartlett (This used to be commit fe50ca8f54ded2e119bde08831785fbe0db2ee99)
2003-01-02Add a dash of static.Andrew Bartlett1-3/+3
(This used to be commit 6d201c9616c5c30234c0d0d6cd9e2ca60bf736c5)
2003-01-02BIG patch...Andrew Bartlett1-1/+1
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-11-24Add support to switch between Squid 2.4 and 2.5 protocols - squid doesn'tAndrew Bartlett1-7/+20
encode the username, so don't decode it (users could play HTTP escaping games on usernames). Andrew Bartlett (This used to be commit 71e24d0200e71ffcf52eaa77edc89175f31a45cd)
2002-11-24Add ntlm_auth, a new program to provide a stable interface to winbind'sAndrew Bartlett1-0/+416
authentication code. In particular, ntlm_auth is designed to replace the winbind authentication 'helpers' currently supplied by Squid. I have added support for the current plaintext password protocol used by Squid, and will add the real guts (NTLMSSP support) shortly. I'll merge this into 3.0 when I've got the interface more stable (error message format etc) and got the important NTLMSSP support added. Also move SWAT's URL decoding code into util_str.c, for use in both utilities. Andrew Bartlett (This used to be commit 82dbf838879e8a2d2d3f9dd5be6eda50b780b787)