summaryrefslogtreecommitdiff
path: root/source4/auth/auth.h
AgeCommit message (Collapse)AuthorFilesLines
2011-05-03s4-messaging Rename messaging -> imessagingAndrew Bartlett1-5/+5
This avoid symbol and structure conflicts between Samba3 and Samba4, and chooses a less generic name. Andrew Bartlett
2011-03-14Fix public header not to include private (not installed) ones.Simo Sorce1-0/+1
Autobuild-User: Simo Sorce <idra@samba.org> Autobuild-Date: Mon Mar 14 17:01:20 CET 2011 on sn-devel-104
2011-03-04s4-nterr: move auth_nt_status_squash to nt_status_squash and move to nterr.cGünther Deschner1-1/+0
Guenther
2011-02-22s4-auth Move libcli/security/session.c to the top levelAndrew Bartlett1-0/+1
This code is now useful in common, as the elements of the auth_session_info structure have now been defined in common IDL. Andrew Bartlett
2011-02-18s4-auth: rename 'auth' subsystem to 'auth4'Andrew Tridgell1-1/+1
this prevents conflicts with the s3 auth modules. The auth modules in samba3 may appear in production smb.conf files, so it is preferable to rename the s4 modules for minimal disruption. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-09s4-auth Rework auth subsystem to remove struct auth_serversupplied_infoAndrew Bartlett1-57/+22
This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-09s4-auth Add auth.idl to encode auth subsystem structures in IDLAndrew Bartlett1-0/+1
This is not only a useful way to encode stuff, it also allows python to handle the structures, and natrually allows them to be NDR encoded. Andrew Bartlett
2011-01-20s4-auth Remove special case for account_sid from auth_serversupplied_infoAndrew Bartlett1-5/+2
This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc. In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids. Andrew Bartlett
2011-01-18s4-auth Extend python bindings to allow ldb and message to be specifiedAndrew Bartlett1-0/+1
This will allow for some more tokenGroups tests in future. Andrew Bartlett
2010-12-21s4-auth Remove duplicate copies of session_info creation codeAndrew Bartlett1-2/+3
We now just do or do not call into LDB based on some flags. This means there may be some more link time dependencies, but we seem to deal with those better now. Andrew Bartlett
2010-11-05s4/auth: Add logon_parameters to authenticate_username_pwAnatoliy Atanasov1-7/+8
We need to be able to set the logon parameters in the same way as in the ntlm server so we can handle openldap simple authentication call correctly. Autobuild-User: Anatoliy Atanasov <anatoliy@samba.org> Autobuild-Date: Fri Nov 5 06:32:43 UTC 2010 on sn-devel-104
2010-09-26s4-auth: fixed the SID list for DCs in the PACAndrew Tridgell1-1/+0
the S-1-5-9 SID is added in the PAC by the KDC, not on the server that receives the PAC Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
2010-08-14s4:auth Move struct auth_usersupplied_info to a common locationAndrew Bartlett1-42/+1
This also changes the calling convention slightly - we should always allocate this with talloc_zero() to allow some elements to be optional. Some elements may only make sense in Samba3, which I hope will use this common structure. Andrew Bartlett
2010-05-20s4:auth Change auth_generate_session_info to take flagsAndrew Bartlett1-0/+5
This allows us to control what groups should be added in what use cases, and in particular to more carefully control the introduction of the 'authenticated' group. In particular, in the 'service_named_pipe' protocol, we do not have control over the addition of the authenticated users group, so we key of 'is this user the anonymous SID'. This also takes more care to allocate the right length ptoken->sids Andrew Bartlett
2010-05-20s4:auth Add dependency from the operational module onto authAndrew Bartlett1-0/+1
We had to split up the auth module into a module loaded by main deamon and a subsystem we manually init in the operational module. Andrew Bartlett
2010-05-20s4:auth Allow the operational module to get a user's tokenGroups from authAndrew Bartlett1-4/+9
This creates a new interface to the auth subsystem, to allow an auth_context to be created from the ldb, and then tokenGroups to be calculated in the same way that the auth subsystem would. Andrew Bartlett
2010-05-20s4:auth Move BUILTIN group addition into session.cAndrew Bartlett1-5/+3
The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply. Andrew Bartlett
2010-04-14s4:auth Change auth_generate_session_info to take an auth contextAndrew Bartlett1-0/+8
The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and and loadparm context for calculating the local groups too, so re-use that infrustructure we already have in place. However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and an generate_session_info() function pointer in the struct auth_context. In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply . Andrew Bartlett
2010-03-04s4:sam.c - make "authsam_expand_nested_groups" publicMatthias Dieter Wallnöfer1-0/+6
This is needed by the "tokenGroups" work in the operational LDB module.
2010-02-22Spelling fixes for source4/auth.Brad Hards1-2/+2
The comment for USER_INFO_INTERACTIVE_LOGON looks like a cut-n-paste from the line above. Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
2010-01-12Strip trailing spacesSimo Sorce1-20/+20
2009-12-29s4:auth: add auth_get_server_info_principal() prototype to auth.hStefan Metzmacher1-0/+5
metze
2009-12-29s4:auth: make auth_challenge_may_be_modified() publicStefan Metzmacher1-1/+1
metze
2009-12-24s4:auth: change auth_check_password_send/recv to tevent_reqStefan Metzmacher1-5/+7
metze
2009-12-22s4:auth Change 'get_challenge' API to be more like Samba3Andrew Bartlett1-3/+3
It is just easier to fill in the known to be 8 byte challenge than stuff about with allocated pointers. Andrew Bartlett
2009-12-16s4-gensec: Replace gensec_get_peer_addr with new tsocket based fn.Andreas Schneider1-1/+1
2009-10-23s4-dsdb: create a static system_session contextAndrew Tridgell1-1/+1
This patch adds a system_session cache, preventing us from having to recreate it on every ldb open, and allowing us to detect when the same session is being used in ldb_wrap
2009-07-17s4:kdc Rework KDC to pull in less attributes for krbtgt lookupsAndrew Bartlett1-0/+2
Each attribute we request from LDB comes with a small cost, so don't lookup any more than we must for the (very) frequent krbtgt lookup case. Similarly, we don't need to build a PAC for a server (as a target), so don't ask for the PAC attributes here either. Andrew Bartlett
2009-06-18s4:kdc Allow a password change when the password is expiredAndrew Bartlett1-1/+2
This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
2009-05-26Don't use crossRef records to find our own domainAndrew Bartlett1-3/+5
A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() works correctly. Andrew Bartlett
2009-02-13Push sam_get_server_info_principal into the auth subsystemAndrew Bartlett1-1/+11
This means it must be accessed via the supplied auth_context in the GENSEC server, and should remove the hard depenceny of GENSEC on the auth subsystem and ldb (allowing LDB not to rely on LDB is considered a good thing, apparently) Andrew Bartlett
2009-02-13Remove auth/ntlm as a dependency of GENSEC by means of function pointers.Andrew Bartlett1-0/+24
When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2008-12-29s4:lib/tevent: rename structsStefan Metzmacher1-4/+4
list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
2008-12-04s4:kdc: allow a trusted domain to get kerberos ticketsStefan Metzmacher1-1/+2
metze
2008-08-28Heimdal provides Kerberos PAC parsing routines. Use them.Andrew Bartlett1-0/+4
This uses Heimdal's PAC parsing code in the: - LOCAL-PAC test - gensec_gssapi server - KDC (where is was already used, the support code refactored from here) In addition, the service and KDC checksums are recorded in the struct auth_serversupplied_info, allowing them to be extracted for validation across NETLOGON. Andrew Bartlett (This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
2008-04-02Install public header files again and include required prototypes.Jelmer Vernooij1-1/+58
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2007-12-21r26228: Store loadparm context in auth context, move more loadparm_contexts ↵Jelmer Vernooij1-0/+3
up the call stack. (This used to be commit ba75f1613a9aac69dd5df94dd8a2b37820acd166)
2007-12-21r26221: Add loadparm_context parameter to auth_context_create.Jelmer Vernooij1-0/+1
(This used to be commit a9a9634df8f3137ecb308adb90a755f12af94972)
2007-12-21r26127: Move session code out of auth_util.c. No longer making it part of ↵Jelmer Vernooij1-7/+2
auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-10-10r24712: No longer expose the 'BOOL' data type in any interfaces.Jelmer Vernooij1-3/+3
(This used to be commit 1ce32673d960c8b05b6c1b1b99e1976a402417ae)
2007-10-10r24061: Anther part of bug #4823, which is that until now Samba4 didn't parseAndrew Bartlett1-0/+2
the logon hours, even if set. This code happily stolen from the great work in Samba3 :-) Andrew Bartlett (This used to be commit a4939ab629e0af0615bcecf63c7cd55e6e833505)
2007-10-10r23792: convert Samba4 to GPLv3Andrew Tridgell1-3/+2
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10r19614: fix compiler warningsStefan Metzmacher1-0/+2
metze (This used to be commit 1ca8651a59e95eeca2942e5e66c2141e3f65dd9f)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett1-4/+1
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r17341: pass a messaging context to auth_context_create()Stefan Metzmacher1-0/+3
and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
2007-10-10r17273: add an async version of auth_check_password() on the publicStefan Metzmacher1-0/+1
auth interface and implement the sync version as wrapper to auth_check_password_send/recv() as next all callers need to be converted to the async interface and then the modules metze (This used to be commit ed40bb3c16279f9727be67e889270da5efb8ddb9)
2007-10-10r17270: split the logic of saying this auth backend wants to handle thisStefan Metzmacher1-1/+7
request from the password checking. This will help to make the password checking hook async later metze (This used to be commit 5b26cbc3428b4c186235cc08c9ace1c23f59dd7f)
2007-10-10r15298: Fix the build using a few hacks in the build system.Jelmer Vernooij1-0/+1
Recursive dependencies are now forbidden (the build system will bail out if there are any). I've split up auth_sam.c into auth_sam.c and sam.c. Andrew, please rename sam.c / move its contents to whatever/wherever you think suits best. (This used to be commit 6646384aaf3e7fa2aa798c3e564b94b0617ec4d0)
2007-10-10r12804: This patch reworks the Samba4 sockets layer to use a socket_addressAndrew Bartlett1-1/+1
structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thankyou *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address stucture from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel. Andrew Bartlett (This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
2007-10-10r12542: Move some more prototypes out to seperate headersJelmer Vernooij1-0/+1
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)